idnits 2.17.1

draft-ietf-behave-nat-mib-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 14, 2013) is 3815 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Downref: Normative reference to an Informational RFC: RFC 1701

  ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)

  -- Obsolete informational reference (is this intentional?): RFC 4008
     (Obsoleted by RFC 7658)

     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                       S. Perreault
Internet-Draft                                                  Viagenie
Obsoletes: 4008 (if approved)                                    T. Tsou
Intended status: Standards Track               Huawei Technologies (USA)
Expires: May 18, 2014                                       S. Sivakumar
                                                           Cisco Systems
                                                       November 14, 2013

  Definitions of Managed Objects for Network Address Translators (NAT)
                      draft-ietf-behave-nat-mib-10

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for devices implementing Network Address Translator (NAT) function.
   This MIB module may be used for monitoring of a device capable of NAT
   function.

   This document obsoletes RFC 4008.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 18, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Overview
     3.1.  Deprecated Features
     3.2.  New Features
     3.3.  Realms
   4.  Definitions
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1. Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for devices implementing NAT function. This MIB module may be used
   for monitoring of a device capable of NAT function. Using it for
   configuration is deprecated. NAT types and their characteristics are
   defined in [RFC2663]. Traditional NAT function, in particular, is
   defined in [RFC3022]. This MIB does not address the firewall
   functions and must not be used for configuring or monitoring these.
   Section 2 provides references to the SNMP management framework, which
   was used as the basis for the MIB module definition. Section 3
   provides an overview of the MIB features. Lastly, Section 4 has the
   complete NAT MIB definition.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI). This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3. Overview

3.1. Deprecated Features

   All objects defined in [RFC4008] have been marked with "STATUS
   deprecated" for the following reasons:

   Writability: Experience with NAT has shown that implementations vary
      tremendously. The NAT algorithms and data structures have little
      in common across devices, and this results in wildly incompatible
      configuration parameters. Therefore, few implementations were
      ever able to claim full compliance.

      Lesson learned: the MIB should be read-only as much as possible.

   Exposing configuration parameters: Even in read-only mode, many
      configuration parameters were exposed by [RFC4008] (e.g.
      timeouts). Since implementations vary wildly in their sets of
      configuration parameters, few implementations could claim even
      basic compliance.

      Lesson learned: the NAT MIB's purpose is not to expose
      configuration parameters.

   Interfaces: Objects from [RFC4008] tie NAT state with interfaces
      (e.g. the interface table, the way map entries are grouped by
      interface). Many NAT implementations either never keep track of
      the interface or associate a mapping to a set of interfaces.
      Since interfaces are at the core of [RFC4008], many NAT devices
      were unable to have a proper implementation.

      Lesson learned: NAT is a logical function that may be independent
      of interfaces. Do not tie NAT state with interfaces.

   NAT service types: [RFC4008] used four categories of NAT service:
      basicNat, napt, bidirectionalNat, twiceNat. These are ill-defined
      and many implementations either use different categories or do not
      use categories at all.

      Lesson learned: do not try to categorize NAT types.

   Limited transport protocol set: The set of transport protocols was
      defined as: other, icmp, udp, tcp. Furthermore, the numeric
      values corresponding to those labels were arbitrary, without
      relation to the actual standard protocol numbers. This meant that
      NAT implementations were limited to those protocols and were
      unable to expose information about DCCP, SCTP, etc.

      Lesson learned: use standard transport protocol numbers.

3.2. New Features

   New features in this module are as follows:

   Counters: Many new counters are introduced. Most of them are
      available in two variants: global and per-transport protocol.

   Limits: A few limits on the quantity of state data stored by the NAT
      device. Some of them can trigger notifications.

   Address+Port Pools: Pools of external addresses and ports are often
      used in enterprise and ISP settings. Pools are listed in a table,
      each with its range of addresses and ports. It is possible to
      inspect each pool's usage, to set limits, and to receive
      notifications when thresholds are crossed.

   Address Mappings: NATs that have an "IP address pooling" behavior of
      "Paired" [RFC4787] maintain a mapping from internal address to
      external address. This module allows inspection of this mapping
      table.

   Mapping table indexed by external 3-tuple: It is often necessary to
      determine the internal address that is mapped to a given external
      address and port. This MIB provides this table with an index to
      accomplish this efficiently, without having to iterate over all
      mappings.

   Realms: See Section 3.3.

   RFC 4787 terminology: Mapping table entries indicate the mapping
      behavior, the filtering behavior, and the address pooling behavior
      that were used to create the mapping.

   Subscriber awareness: With the advent of CGN deployment, a set of
      subscriber specific counters, limits and parameters are added.

   NAT instances: Multiple NAT instances may be managed by a single
      SNMP agent. All instance-specific objects (counters, limits,
      etc.) are indexed by NAT instance ID. In addition, NAT instances
      may be reliably identified using the natInstanceAlias object.

3.3. Realms

   Current NAT devices commonly allow the internal and external parts of
   a mapping to come from different realms. The meaning of "realm" is
   implementation-dependent. On some implementations it can be
   equivalent to the name of a VPN Routing and Forwarding table (VRF).
   On others it is simply the numeric index of a virtual routing table.
   Note that this usage of "realm" is completely different from the one
   in [RFC4008].

   This MIB allows the realm to be indicated where it makes sense. The
   format is an SnmpAdminString. On platforms that identify realms with
   integers, the string representation of the integer is used instead.
   The empty string has special meaning: it refers to the default realm.

   Note that many MIBs implicitly support realms in one form or another
   by using SNMPv3 contexts. See for example the OSPFv2 MIB [RFC4750].
   This method cannot be used for the NAT MIB because mappings can
   belong to two realms simultaneously: the internal part can be in one
   realm while the external part is in another. In such cases the NAT
   function acts like a "wormhole" between two realms. Using contexts
   would implicitly impose the restriction that all objects would have
   to belong to the same realm.

4. Definitions

   This MIB module IMPORTs objects from [RFC2578], [RFC2579], and
   [RFC4001].

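   The "Limited transport protocol set" point of Section 3.1, as an added example that is not part of the draft: a Python decoder for the deprecated NatProtocolType, NatProtocolMap and NatTranslationEntity values defined in the module below, translating their labels to standard IANA protocol numbers. The function names and sample octets are constructed for illustration; the BITS layout assumed is the SMIv2 wire encoding (bit 0 is the high-order bit of the first octet).

```python
# Added illustration; not part of draft-ietf-behave-nat-mib.
# Enumerations are copied from the deprecated textual conventions in
# Section 4. Function names and sample values are constructed.

# NatProtocolType: INTEGER labels whose values are arbitrary (tcp is 5,
# not the IANA protocol number 6).
NAT_PROTOCOL_TYPE = {1: "none", 2: "other", 3: "icmp", 4: "udp", 5: "tcp"}

# NatProtocolMap: the same protocols expressed as BITS positions.
NAT_PROTOCOL_MAP_BITS = {0: "other", 1: "icmp", 2: "udp", 3: "tcp"}

# NatTranslationEntity: BITS positions for direction and translated entity.
NAT_TRANSLATION_ENTITY_BITS = {
    0: "inboundSrcEndPoint",
    1: "outboundDstEndPoint",
    2: "inboundDstEndPoint",
    3: "outboundSrcEndPoint",
}

# Standard IANA protocol numbers for the labels that name a real protocol.
IANA_PROTOCOL_NUMBER = {"icmp": 1, "tcp": 6, "udp": 17}


def decode_bits(octets, names):
    """Decode an SMIv2 BITS value carried as an OCTET STRING.

    Bit 0 is the high-order bit of the first octet. Returns a tuple
    (labels, unknown): labels for named bits that are set, and the
    positions of set bits that the enumeration does not name.
    """
    labels, unknown = [], []
    for index, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):
                position = index * 8 + bit
                if position in names:
                    labels.append(names[position])
                else:
                    unknown.append(position)
    return labels, unknown


def protocol_type_to_iana(value):
    """Map a deprecated NatProtocolType integer to an IANA protocol number.

    Returns None for none(1) and other(2): the old enumeration cannot say
    which protocol "other" is, so DCCP, SCTP and the rest are
    indistinguishable in data collected from RFC 4008 objects.
    """
    label = NAT_PROTOCOL_TYPE.get(value)
    if label is None:
        raise ValueError("not a NatProtocolType value: %r" % (value,))
    return IANA_PROTOCOL_NUMBER.get(label)


def protocol_map_to_iana(octets):
    """Summarise a NatProtocolMap BITS value in IANA protocol numbers."""
    labels, unknown = decode_bits(octets, NAT_PROTOCOL_MAP_BITS)
    numbers = sorted(
        IANA_PROTOCOL_NUMBER[label]
        for label in labels
        if label in IANA_PROTOCOL_NUMBER
    )
    return {
        "protocols": numbers,
        "has_other": "other" in labels,
        "unknown_bits": unknown,
    }


if __name__ == "__main__":
    # Constructed sample: 0x30 = 0011 0000, so bits 2 (udp) and 3 (tcp).
    print(protocol_map_to_iana(b"\x30"))
    # Constructed sample: 0xA0 = 1010 0000, the TwiceNAT-on-private-
    # interface value described under natAddrMapTranslationEntity.
    print(decode_bits(b"\xa0", NAT_TRANSLATION_ENTITY_BITS))
```
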
   NAT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       Integer32,
       Unsigned32,
       Gauge32,
       Counter64,
       TimeTicks,
       mib-2,
       NOTIFICATION-TYPE
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION,
       DisplayString,
       StorageType,
       RowStatus
           FROM SNMPv2-TC
       MODULE-COMPLIANCE,
       NOTIFICATION-GROUP,
       OBJECT-GROUP
           FROM SNMPv2-CONF
       ifIndex,
       ifCounterDiscontinuityGroup
           FROM IF-MIB
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       InetAddressType,
       InetAddress,
       InetAddressIPv4,
       InetAddressIPv6,
       InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB
       MplsLabel
           FROM MPLS-TC-STD-MIB;

   natMIB MODULE-IDENTITY
       LAST-UPDATED "201304260000Z"
   -- RFC Ed.: set to publication date
       ORGANIZATION
           "IETF Behavior Engineering for Hindrance Avoidance
            (BEHAVE) Working Group"
       CONTACT-INFO
           "Working Group Email: behave@ietf.org

            Simon Perreault
            Viagenie
            246 Aberdeen
            Quebec, QC G1R 2E1
            Canada

            Phone: +1 418 656 9254
            Email: simon.perreault@viagenie.ca
            URI: http://viagenie.ca

            Tina Tsou
            Huawei Technologies (USA)
            2330 Central Expressway
            Santa Clara, CA 95050
            USA
            Phone: +1 408 330 4424
            Email: tina.tsou.zouting@huawei.com

            Senthil Sivakumar
            Cisco Systems
            7100-8 Kit Creek Road
            Research Triangle Park, North Carolina 27709
            USA

            Phone: +1 919 392 5158
            Email: ssenthil@cisco.com"
       DESCRIPTION
           "This MIB module defines the generic managed objects
            for NAT.

            Copyright (C) The Internet Society (2013). This
            version of this MIB module is part of RFC yyyy; see
            the RFC itself for full legal notices."
   -- RFC Ed.: replace yyyy with actual RFC number & remove this note"
       REVISION "201304260000Z"
   -- RFC Ed.: set to publication date
       DESCRIPTION
           "Complete rewrite, published as RFC yyyy."
   -- RFC Ed.: replace yyyy with actual RFC number & set date"
       REVISION "200503210000Z" -- 21st March 2005
       DESCRIPTION
           "Initial version, published as RFC 4008."
       ::= { mib-2 123 }

   natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }

   NatProtocolType ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "A list of protocols that support the network
            address translation. Inclusion of the values is
            not intended to imply that those protocols
            need to be supported. Any change in this
            TEXTUAL-CONVENTION should also be reflected in
            the definition of NatProtocolMap, which is a
            BITS representation of this."
       SYNTAX      INTEGER {
                       none (1),  -- not specified
                       other (2), -- none of the following
                       icmp (3),
                       udp (4),
                       tcp (5)
                   }

   NatProtocolMap ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "A bitmap of protocol identifiers that support
            the network address translation. Any change
            in this TEXTUAL-CONVENTION should also be
            reflected in the definition of NatProtocolType."
       SYNTAX      BITS {
                       other (0),
                       icmp (1),
                       udp (2),
                       tcp (3)
                   }

   NatAddrMapId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      deprecated
       DESCRIPTION
           "A unique id that is assigned to each address map
            by a NAT enabled device."
       SYNTAX      Unsigned32 (1..4294967295)

   NatBindIdOrZero ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      deprecated
       DESCRIPTION
           "A unique id that is assigned to each bind by
            a NAT enabled device. The bind id will be zero
            in the case of a Symmetric NAT."
       SYNTAX      Unsigned32 (0..4294967295)

   NatBindId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      deprecated
       DESCRIPTION
           "A unique id that is assigned to each bind by
            a NAT enabled device."
       SYNTAX      Unsigned32 (1..4294967295)

   NatSessionId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      deprecated
       DESCRIPTION
           "A unique id that is assigned to each session by
            a NAT enabled device."
       SYNTAX      Unsigned32 (1..4294967295)

   NatBindMode ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "An indication of whether the bind is
            an address bind or an address port bind."
       SYNTAX      INTEGER {
                       addressBind (1),
                       addressPortBind (2)
                   }

   NatAssociationType ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "An indication of whether the association is
            static or dynamic."
       SYNTAX      INTEGER {
                       static (1),
                       dynamic (2)
                   }

   NatTranslationEntity ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "An indication of a) the direction of a session for
            which an address map entry, address bind or port
            bind is applicable, and b) the entity (source or
            destination) within the session that is subject to
            translation."
       SYNTAX      BITS {
                       inboundSrcEndPoint (0),
                       outboundDstEndPoint(1),
                       inboundDstEndPoint (2),
                       outboundSrcEndPoint(3)
                   }

   --
   -- Default Values for the Bind and NAT Protocol Timers
   --

   natDefTimeouts OBJECT IDENTIFIER ::= { natMIBObjects 1 }

   natNotifCtrl OBJECT IDENTIFIER ::= { natMIBObjects 2 }

   --
   -- Address Bind and Port Bind related NAT configuration
   --
   natBindDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (0..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default Bind (Address Bind or Port Bind) idle
            timeout parameter.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL      { 0 }
       ::= { natDefTimeouts 1 }

   --
   -- UDP related NAT configuration
   --

   natUdpDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default UDP idle timeout parameter.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL      { 300 }
       ::= { natDefTimeouts 2 }

   --
   -- ICMP related NAT configuration
   --

   natIcmpDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default ICMP idle timeout parameter.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL      { 300 }
       ::= { natDefTimeouts 3 }

   --
   -- Other protocol parameters
   --

   natOtherDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default idle timeout parameter for protocols
            represented by the value other (2) in
            NatProtocolType.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL      { 60 }
       ::= { natDefTimeouts 4 }

   --
   -- TCP related NAT Timers
   --

   natTcpDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default time interval that a NAT session for an
            established TCP connection is allowed to remain
            valid without any activity on the TCP connection.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL      { 86400 }
       ::= { natDefTimeouts 5 }

   natTcpDefNegTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default time interval that a NAT session for a TCP
            connection that is not in the established state
            is allowed to remain valid without any activity on
            the TCP connection.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL      { 60 }
       ::= { natDefTimeouts 6 }

   natNotifThrottlingInterval OBJECT-TYPE
       SYNTAX      Integer32 (0 | 5..3600)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "This object controls the generation of the
            natPacketDiscard notification.

            If this object has a value of zero, then no
            natPacketDiscard notifications will be transmitted by
            the agent.

            If this object has a non-zero value, then the agent must
            not generate more than one natPacketDiscard
            'notification-event' in the indicated period, where a
            'notification-event' is the generation of a single
            notification PDU type to a list of notification
            destinations. If additional NAT packets are discarded
            within the throttling period, then notification-events
            for these changes must be suppressed by the agent until
            the current throttling period expires.

            If natNotifThrottlingInterval notification generation
            is enabled, the suggested default throttling period is
            60 seconds, but generation of the natPacketDiscard
            notification should be disabled by default.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system.

            The actual transmission of notifications is controlled
            via the MIB modules in RFC 3413."
       DEFVAL      { 0 }
       ::= { natNotifCtrl 1 }

   --
   -- The NAT Interface Table
   --

   natInterfaceTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF NatInterfaceEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This table specifies the attributes for interfaces on a
            device supporting NAT function."
       ::= { natMIBObjects 3 }

   natInterfaceEntry OBJECT-TYPE
       SYNTAX      NatInterfaceEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "Each entry in the natInterfaceTable holds a set of
            parameters for an interface, instantiated by
            ifIndex. Therefore, the interface index must have been
            assigned, according to the applicable procedures,
            before it can be meaningfully used.
            Generally, this means that the interface must exist.

            When natStorageType is of type nonVolatile, however,
            this may reflect the configuration for an interface
            whose ifIndex has been assigned but for which the
            supporting implementation is not currently present."
       INDEX       { ifIndex }
       ::= { natInterfaceTable 1 }

   NatInterfaceEntry ::= SEQUENCE {
       natInterfaceRealm            INTEGER,
       natInterfaceServiceType      BITS,
       natInterfaceInTranslates     Counter64,
       natInterfaceOutTranslates    Counter64,
       natInterfaceDiscards         Counter64,
       natInterfaceStorageType      StorageType,
       natInterfaceRowStatus        RowStatus
   }

   natInterfaceRealm OBJECT-TYPE
       SYNTAX      INTEGER {
                       private (1),
                       public (2)
                   }
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object identifies whether this interface is
            connected to the private or the public realm."
       DEFVAL      { public }
       ::= { natInterfaceEntry 1 }

   natInterfaceServiceType OBJECT-TYPE
       SYNTAX      BITS {
                       basicNat (0),
                       napt (1),
                       bidirectionalNat (2),
                       twiceNat (3)
                   }
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "An indication of the direction in which new sessions
            are permitted and the extent of translation done within
            the IP and transport headers."
       ::= { natInterfaceEntry 2 }

   natInterfaceInTranslates OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "Number of packets received on this interface that
            were translated.
            Discontinuities in the value of this counter can occur
            at reinitialization of the management system and at
            other times as indicated by the value of
            ifCounterDiscontinuityTime on the relevant interface."
       ::= { natInterfaceEntry 3 }

   natInterfaceOutTranslates OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "Number of translated packets that were sent out this
            interface.

            Discontinuities in the value of this counter can occur
            at reinitialization of the management system and at
            other times as indicated by the value of
            ifCounterDiscontinuityTime on the relevant interface."
       ::= { natInterfaceEntry 4 }

   natInterfaceDiscards OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "Number of packets that had to be rejected/dropped due to
            a lack of resources for this interface.

            Discontinuities in the value of this counter can occur
            at reinitialization of the management system and at
            other times as indicated by the value of
            ifCounterDiscontinuityTime on the relevant interface."
       ::= { natInterfaceEntry 5 }

   natInterfaceStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "The storage type for this conceptual row.
            Conceptual rows having the value 'permanent'
            need not allow write-access to any columnar objects
            in the row."
       REFERENCE
           "Textual Conventions for SMIv2, Section 2."
       DEFVAL      { nonVolatile }
       ::= { natInterfaceEntry 6 }

   natInterfaceRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "The status of this conceptual row.

            Until instances of all corresponding columns are
            appropriately configured, the value of the
            corresponding instance of the natInterfaceRowStatus
            column is 'notReady'.

            In particular, a newly created row cannot be made
            active until the corresponding instance of
            natInterfaceServiceType has been set.

            None of the objects in this row may be modified
            while the value of this object is active(1)."
       REFERENCE
           "Textual Conventions for SMIv2, Section 2."
       ::= { natInterfaceEntry 7 }

   --
   -- The Address Map Table
   --

   natAddrMapTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF NatAddrMapEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This table lists address map parameters for NAT."
       ::= { natMIBObjects 4 }

   natAddrMapEntry OBJECT-TYPE
       SYNTAX      NatAddrMapEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This entry represents an address map to be used for
            NAT and contributes to the dynamic and/or static
            address mapping tables of the NAT device."
       INDEX       { ifIndex, natAddrMapIndex }
       ::= { natAddrMapTable 1 }

   NatAddrMapEntry ::= SEQUENCE {
       natAddrMapIndex                NatAddrMapId,
       natAddrMapName                 SnmpAdminString,
       natAddrMapEntryType            NatAssociationType,
       natAddrMapTranslationEntity    NatTranslationEntity,
       natAddrMapLocalAddrType        InetAddressType,
       natAddrMapLocalAddrFrom        InetAddress,
       natAddrMapLocalAddrTo          InetAddress,
       natAddrMapLocalPortFrom        InetPortNumber,
       natAddrMapLocalPortTo          InetPortNumber,
       natAddrMapGlobalAddrType       InetAddressType,
       natAddrMapGlobalAddrFrom       InetAddress,
       natAddrMapGlobalAddrTo         InetAddress,
       natAddrMapGlobalPortFrom       InetPortNumber,
       natAddrMapGlobalPortTo         InetPortNumber,
       natAddrMapProtocol             NatProtocolMap,
       natAddrMapInTranslates         Counter64,
       natAddrMapOutTranslates        Counter64,
       natAddrMapDiscards             Counter64,
       natAddrMapAddrUsed             Gauge32,
       natAddrMapStorageType          StorageType,
       natAddrMapRowStatus            RowStatus
   }

   natAddrMapIndex OBJECT-TYPE
       SYNTAX      NatAddrMapId
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "Along with ifIndex, this object uniquely
            identifies an entry in the natAddrMapTable.
            Address map entries are applied in the order
            specified by natAddrMapIndex."
       ::= { natAddrMapEntry 1 }

   natAddrMapName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "Name identifying all map entries in the table associated
            with the same interface. All map entries with the same
            ifIndex MUST have the same map name."
       ::= { natAddrMapEntry 2 }

   natAddrMapEntryType OBJECT-TYPE
       SYNTAX      NatAssociationType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This parameter can be used to set up static
            or dynamic address maps."
       ::= { natAddrMapEntry 3 }

   natAddrMapTranslationEntity OBJECT-TYPE
       SYNTAX      NatTranslationEntity
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "The end-point entity (source or destination) in
            inbound or outbound sessions (i.e., first packets) that
            may be translated by an address map entry.

            Session direction (inbound or outbound) is
            derived from the direction of the first packet
            of a session traversing a NAT interface.
            NAT address (and Transport-ID) maps may be defined
            to effect inbound or outbound sessions.

            Traditionally, address maps for Basic NAT and NAPT are
            configured on a public interface for outbound sessions,
            effecting translation of source end-point. The value of
            this object must be set to outboundSrcEndPoint for
            those interfaces.

            Alternately, if address maps for Basic NAT and NAPT were
            to be configured on a private interface, the desired
            value for this object for the map entries
            would be inboundSrcEndPoint (i.e., effecting translation
            of source end-point for inbound sessions).

            If TwiceNAT were to be configured on a private
            interface, the desired value for this object for the map
            entries would be a bitmask of inboundSrcEndPoint and
            inboundDstEndPoint."
       ::= { natAddrMapEntry 4 }

   natAddrMapLocalAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the address type used for
            natAddrMapLocalAddrFrom and natAddrMapLocalAddrTo."
       ::= { natAddrMapEntry 5 }

   natAddrMapLocalAddrFrom OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the first IP address of the range
            of IP addresses mapped by this translation entry. The
            value of this object must be less than or equal to the
            value of the natAddrMapLocalAddrTo object.

            The type of this address is determined by the value of
            the natAddrMapLocalAddrType object."
       ::= { natAddrMapEntry 6 }

   natAddrMapLocalAddrTo OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the last IP address of the range
            of IP addresses mapped by this translation entry. If
            only a single address is being mapped, the value of this
            object is equal to the value of natAddrMapLocalAddrFrom.
            For a static NAT, the number of addresses in the range
            defined by natAddrMapLocalAddrFrom and
            natAddrMapLocalAddrTo must be equal to the number of
            addresses in the range defined by
            natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo.
            The value of this object must be greater than or equal
            to the value of the natAddrMapLocalAddrFrom object.

            The type of this address is determined by the value of
            the natAddrMapLocalAddrType object."
       ::= { natAddrMapEntry 7 }

   natAddrMapLocalPortFrom OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "If this conceptual row describes a Basic NAT address
            mapping, then the value of this object must be zero. If
            this conceptual row describes NAPT, then the value of
            this object specifies the first port number in the range
            of ports being mapped.

            The value of this object must be less than or equal to
            the value of the natAddrMapLocalPortTo object. If the
            translation specifies a single port, then the value of
            this object is equal to the value of
            natAddrMapLocalPortTo."
       DEFVAL      { 0 }
       ::= { natAddrMapEntry 8 }

   natAddrMapLocalPortTo OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "If this conceptual row describes a Basic NAT address
            mapping, then the value of this object must be zero. If
            this conceptual row describes NAPT, then the value of
            this object specifies the last port number in the range
            of ports being mapped.

            The value of this object must be greater than or equal
            to the value of the natAddrMapLocalPortFrom object. If
            the translation specifies a single port, then the value
            of this object is equal to the value of
            natAddrMapLocalPortFrom."
       DEFVAL      { 0 }
       ::= { natAddrMapEntry 9 }

   natAddrMapGlobalAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the address type used for
            natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo."
       ::= { natAddrMapEntry 10 }

   natAddrMapGlobalAddrFrom OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the first IP address of the range
            of IP addresses being mapped to. The value of this
            object must be less than or equal to the value of the
            natAddrMapGlobalAddrTo object.

            The type of this address is determined by the value of
            the natAddrMapGlobalAddrType object."
       ::= { natAddrMapEntry 11 }

   natAddrMapGlobalAddrTo OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the last IP address of the range
            of IP addresses being mapped to. If only a single
            address is being mapped to, the value of this object is
            equal to the value of natAddrMapGlobalAddrFrom. For a
            static NAT, the number of addresses in the range defined
            by natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo
            must be equal to the number of addresses in the range
            defined by natAddrMapLocalAddrFrom and
            natAddrMapLocalAddrTo. The value of this object must be
            greater than or equal to the value of the
            natAddrMapGlobalAddrFrom object.

960 The type of this address is determined by the value of 961 the natAddrMapGlobalAddrType object." 962 ::= { natAddrMapEntry 12 } 964 natAddrMapGlobalPortFrom OBJECT-TYPE 965 SYNTAX InetPortNumber 966 MAX-ACCESS read-create 967 STATUS deprecated 968 DESCRIPTION 969 "If this conceptual row describes a Basic NAT address 970 mapping, then the value of this object must be zero. If 971 this conceptual row describes NAPT, then the value of 972 this object specifies the first port number in the range 973 of ports being mapped to. 975 The value of this object must be less than or equal to 976 the value of the natAddrMapGlobalPortTo object. If the 977 translation specifies a single port, then the value of 978 this object is equal to the value of 979 natAddrMapGlobalPortTo." 980 DEFVAL { 0 } 981 ::= { natAddrMapEntry 13 } 983 natAddrMapGlobalPortTo OBJECT-TYPE 984 SYNTAX InetPortNumber 985 MAX-ACCESS read-create 986 STATUS deprecated 987 DESCRIPTION 988 "If this conceptual row describes a Basic NAT address 989 mapping, then the value of this object must be zero. If 990 this conceptual row describes NAPT, then the value of 991 this object specifies the last port number in the range 992 of ports being mapped to. 994 The value of this object must be greater than or equal 995 to the value of the natAddrMapGlobalPortFrom object. If 996 the translation specifies a single port, then the value 997 of this object is equal to the value of 998 natAddrMapGlobalPortFrom." 999 DEFVAL { 0 } 1000 ::= { natAddrMapEntry 14 } 1002 natAddrMapProtocol OBJECT-TYPE 1003 SYNTAX NatProtocolMap 1004 MAX-ACCESS read-create 1005 STATUS deprecated 1006 DESCRIPTION 1007 "This object specifies a bitmap of protocol identifiers." 1008 ::= { natAddrMapEntry 15 } 1010 natAddrMapInTranslates OBJECT-TYPE 1011 SYNTAX Counter64 1012 MAX-ACCESS read-only 1013 STATUS deprecated 1014 DESCRIPTION 1015 "The number of inbound packets pertaining to this address 1016 map entry that were translated.
1018 Discontinuities in the value of this counter can occur 1019 at reinitialization of the management system and at 1020 other times, as indicated by the value of 1021 ifCounterDiscontinuityTime on the relevant interface." 1022 ::= { natAddrMapEntry 16 } 1024 natAddrMapOutTranslates OBJECT-TYPE 1025 SYNTAX Counter64 1026 MAX-ACCESS read-only 1027 STATUS deprecated 1028 DESCRIPTION 1029 "The number of outbound packets pertaining to this 1030 address map entry that were translated. 1032 Discontinuities in the value of this counter can occur 1033 at reinitialization of the management system and at 1034 other times, as indicated by the value of 1035 ifCounterDiscontinuityTime on the relevant interface." 1036 ::= { natAddrMapEntry 17 } 1038 natAddrMapDiscards OBJECT-TYPE 1039 SYNTAX Counter64 1040 MAX-ACCESS read-only 1041 STATUS deprecated 1042 DESCRIPTION 1043 "The number of packets pertaining to this address map 1044 entry that were dropped due to lack of addresses in the 1045 address pool identified by this address map. The value 1046 of this object must always be zero in the case of a static 1047 address map. 1049 Discontinuities in the value of this counter can occur 1050 at reinitialization of the management system and at 1051 other times, as indicated by the value of 1052 ifCounterDiscontinuityTime on the relevant interface." 1053 ::= { natAddrMapEntry 18 } 1055 natAddrMapAddrUsed OBJECT-TYPE 1056 SYNTAX Gauge32 1057 MAX-ACCESS read-only 1058 STATUS deprecated 1059 DESCRIPTION 1060 "The number of addresses pertaining to this address map 1061 that are currently being used from the NAT pool. 1062 The value of this object must always be zero in the case 1063 of a static address map." 1064 ::= { natAddrMapEntry 19 } 1066 natAddrMapStorageType OBJECT-TYPE 1067 SYNTAX StorageType 1068 MAX-ACCESS read-create 1069 STATUS deprecated 1070 DESCRIPTION 1071 "The storage type for this conceptual row.
1072 Conceptual rows having the value 'permanent' 1073 need not allow write-access to any columnar objects 1074 in the row." 1075 REFERENCE 1076 "Textual Conventions for SMIv2, Section 2." 1077 DEFVAL { nonVolatile } 1078 ::= { natAddrMapEntry 20 } 1080 natAddrMapRowStatus OBJECT-TYPE 1081 SYNTAX RowStatus 1082 MAX-ACCESS read-create 1083 STATUS deprecated 1084 DESCRIPTION 1085 "The status of this conceptual row. 1087 Until instances of all corresponding columns are 1088 appropriately configured, the value of the 1089 corresponding instance of the natAddrMapRowStatus 1090 column is 'notReady'. 1092 None of the objects in this row may be modified 1093 while the value of this object is active(1)." 1094 REFERENCE 1095 "Textual Conventions for SMIv2, Section 2." 1096 ::= { natAddrMapEntry 21 } 1098 -- 1099 -- Address Bind section 1100 -- 1102 natAddrBindNumberOfEntries OBJECT-TYPE 1103 SYNTAX Gauge32 1104 MAX-ACCESS read-only 1105 STATUS deprecated 1106 DESCRIPTION 1107 "This object maintains a count of the number of entries 1108 that currently exist in the natAddrBindTable." 1109 ::= { natMIBObjects 5 } 1111 -- 1112 -- The NAT Address BIND Table 1113 -- 1115 natAddrBindTable OBJECT-TYPE 1116 SYNTAX SEQUENCE OF NatAddrBindEntry 1117 MAX-ACCESS not-accessible 1118 STATUS deprecated 1119 DESCRIPTION 1120 "This table holds information about the currently 1121 active NAT BINDs." 1122 ::= { natMIBObjects 6 } 1124 natAddrBindEntry OBJECT-TYPE 1125 SYNTAX NatAddrBindEntry 1126 MAX-ACCESS not-accessible 1127 STATUS deprecated 1128 DESCRIPTION 1129 "Each entry in this table holds information about 1130 an active address BIND. These entries are lost 1131 upon agent restart. 1133 This row has indexing which may create variables with 1134 more than 128 subidentifiers. Implementers of this 1135 table must be careful not to create entries that would 1136 result in OIDs which exceed the 128 subidentifier limit. 
1137 Otherwise, the information cannot be accessed using 1138 SNMPv1, SNMPv2c or SNMPv3." 1140 INDEX { ifIndex, 1141 natAddrBindLocalAddrType, 1142 natAddrBindLocalAddr } 1143 ::= { natAddrBindTable 1 } 1145 NatAddrBindEntry ::= SEQUENCE { 1146 natAddrBindLocalAddrType InetAddressType, 1147 natAddrBindLocalAddr InetAddress, 1148 natAddrBindGlobalAddrType InetAddressType, 1149 natAddrBindGlobalAddr InetAddress, 1150 natAddrBindId NatBindId, 1151 natAddrBindTranslationEntity NatTranslationEntity, 1152 natAddrBindType NatAssociationType, 1153 natAddrBindMapIndex NatAddrMapId, 1154 natAddrBindSessions Gauge32, 1155 natAddrBindMaxIdleTime TimeTicks, 1156 natAddrBindCurrentIdleTime TimeTicks, 1157 natAddrBindInTranslates Counter64, 1158 natAddrBindOutTranslates Counter64 1159 } 1161 natAddrBindLocalAddrType OBJECT-TYPE 1162 SYNTAX InetAddressType 1163 MAX-ACCESS not-accessible 1164 STATUS deprecated 1165 DESCRIPTION 1166 "This object specifies the address type used for 1167 natAddrBindLocalAddr." 1168 ::= { natAddrBindEntry 1 } 1170 natAddrBindLocalAddr OBJECT-TYPE 1171 SYNTAX InetAddress (SIZE (4|16)) 1172 MAX-ACCESS not-accessible 1173 STATUS deprecated 1174 DESCRIPTION 1175 "This object represents the private-realm specific 1176 network layer address, which maps to the public-realm 1177 address represented by natAddrBindGlobalAddr. 1179 The type of this address is determined by the value of 1180 the natAddrBindLocalAddrType object." 1181 ::= { natAddrBindEntry 2 } 1183 natAddrBindGlobalAddrType OBJECT-TYPE 1184 SYNTAX InetAddressType 1185 MAX-ACCESS read-only 1186 STATUS deprecated 1187 DESCRIPTION 1188 "This object specifies the address type used for 1189 natAddrBindGlobalAddr." 
1190 ::= { natAddrBindEntry 3 } 1192 natAddrBindGlobalAddr OBJECT-TYPE 1193 SYNTAX InetAddress 1194 MAX-ACCESS read-only 1195 STATUS deprecated 1196 DESCRIPTION 1197 "This object represents the public-realm network layer 1198 address that maps to the private-realm network layer 1199 address represented by natAddrBindLocalAddr. 1201 The type of this address is determined by the value of 1202 the natAddrBindGlobalAddrType object." 1203 ::= { natAddrBindEntry 4 } 1205 natAddrBindId OBJECT-TYPE 1206 SYNTAX NatBindId 1207 MAX-ACCESS read-only 1208 STATUS deprecated 1209 DESCRIPTION 1210 "This object represents a bind id that is dynamically 1211 assigned to each bind by a NAT enabled device. Each 1212 bind is represented by a bind id that is 1213 unique across both the natAddrBindTable and the 1214 natAddrPortBindTable." 1215 ::= { natAddrBindEntry 5 } 1217 natAddrBindTranslationEntity OBJECT-TYPE 1218 SYNTAX NatTranslationEntity 1219 MAX-ACCESS read-only 1220 STATUS deprecated 1221 DESCRIPTION 1222 "This object represents the direction of sessions 1223 for which this bind is applicable and the endpoint 1224 entity (source or destination) within the sessions that 1225 is subject to translation using the BIND. 1227 Orientation of the bind can be a superset of 1228 translationEntity of the address map entry which 1229 forms the basis for this bind. 1231 For example, if the translationEntity of an 1232 address map entry is outboundSrcEndPoint, the 1233 translationEntity of a bind derived from this 1234 map entry may either be outboundSrcEndPoint or 1235 it may be bidirectional (a bitmask of 1236 outboundSrcEndPoint and inboundDstEndPoint)." 1237 ::= { natAddrBindEntry 6 } 1239 natAddrBindType OBJECT-TYPE 1240 SYNTAX NatAssociationType 1241 MAX-ACCESS read-only 1242 STATUS deprecated 1243 DESCRIPTION 1244 "This object indicates whether the bind is static or 1245 dynamic."
1246 ::= { natAddrBindEntry 7 } 1248 natAddrBindMapIndex OBJECT-TYPE 1249 SYNTAX NatAddrMapId 1250 MAX-ACCESS read-only 1251 STATUS deprecated 1252 DESCRIPTION 1253 "This object is a pointer to the natAddrMapTable entry 1254 (and the parameters of that entry) which was used in 1255 creating this BIND. This object, in conjunction with 1256 the ifIndex (which identifies a unique addrMapName) 1257 points to a unique entry in the natAddrMapTable." 1258 ::= { natAddrBindEntry 8 } 1260 natAddrBindSessions OBJECT-TYPE 1261 SYNTAX Gauge32 1262 MAX-ACCESS read-only 1263 STATUS deprecated 1264 DESCRIPTION 1265 "Number of sessions currently using this BIND." 1266 ::= { natAddrBindEntry 9 } 1268 natAddrBindMaxIdleTime OBJECT-TYPE 1269 SYNTAX TimeTicks 1270 MAX-ACCESS read-only 1271 STATUS deprecated 1272 DESCRIPTION 1273 "This object indicates the maximum time for 1274 which this bind can be idle with no sessions 1275 attached to it. 1277 The value of this object is of relevance only for 1278 dynamic NAT." 1279 ::= { natAddrBindEntry 10 } 1281 natAddrBindCurrentIdleTime OBJECT-TYPE 1282 SYNTAX TimeTicks 1283 MAX-ACCESS read-only 1284 STATUS deprecated 1285 DESCRIPTION 1286 "At any given instance, this object indicates the 1287 time that this bind has been idle without any sessions 1288 attached to it. 1290 The value of this object is of relevance only for 1291 dynamic NAT." 1292 ::= { natAddrBindEntry 11 } 1294 natAddrBindInTranslates OBJECT-TYPE 1295 SYNTAX Counter64 1296 MAX-ACCESS read-only 1297 STATUS deprecated 1298 DESCRIPTION 1299 "The number of inbound packets that were successfully 1300 translated by using this bind entry. 1302 Discontinuities in the value of this counter can occur 1303 at reinitialization of the management system and at 1304 other times, as indicated by the value of 1305 ifCounterDiscontinuityTime on the relevant interface." 
1306 ::= { natAddrBindEntry 12 } 1308 natAddrBindOutTranslates OBJECT-TYPE 1309 SYNTAX Counter64 1310 MAX-ACCESS read-only 1311 STATUS deprecated 1312 DESCRIPTION 1313 "The number of outbound packets that were successfully 1314 translated using this bind entry. 1316 Discontinuities in the value of this counter can occur 1317 at reinitialization of the management system and at 1318 other times, as indicated by the value of 1319 ifCounterDiscontinuityTime on the relevant interface." 1320 ::= { natAddrBindEntry 13 } 1322 -- 1323 -- Address Port Bind section 1324 -- 1326 natAddrPortBindNumberOfEntries OBJECT-TYPE 1327 SYNTAX Gauge32 1328 MAX-ACCESS read-only 1329 STATUS deprecated 1330 DESCRIPTION 1331 "This object maintains a count of the number of entries 1332 that currently exist in the natAddrPortBindTable." 1333 ::= { natMIBObjects 7 } 1335 -- 1336 -- The NAT Address Port Bind Table 1337 -- 1338 natAddrPortBindTable OBJECT-TYPE 1339 SYNTAX SEQUENCE OF NatAddrPortBindEntry 1340 MAX-ACCESS not-accessible 1341 STATUS deprecated 1342 DESCRIPTION 1343 "This table holds information about the currently 1344 active NAPT BINDs." 1345 ::= { natMIBObjects 8 } 1347 natAddrPortBindEntry OBJECT-TYPE 1348 SYNTAX NatAddrPortBindEntry 1349 MAX-ACCESS not-accessible 1350 STATUS deprecated 1351 DESCRIPTION 1352 "Each entry in this table holds information 1353 about a NAPT bind that is currently active. 1354 These entries are lost upon agent restart. 1356 This row has indexing which may create variables with 1357 more than 128 subidentifiers. Implementers of this 1358 table must be careful not to create entries which would 1359 result in OIDs that exceed the 128 subidentifier limit. 1360 Otherwise, the information cannot be accessed using 1361 SNMPv1, SNMPv2c or SNMPv3."
1362 INDEX { ifIndex, natAddrPortBindLocalAddrType, 1363 natAddrPortBindLocalAddr, natAddrPortBindLocalPort, 1364 natAddrPortBindProtocol } 1365 ::= { natAddrPortBindTable 1 } 1367 NatAddrPortBindEntry ::= SEQUENCE { 1368 natAddrPortBindLocalAddrType InetAddressType, 1369 natAddrPortBindLocalAddr InetAddress, 1370 natAddrPortBindLocalPort InetPortNumber, 1371 natAddrPortBindProtocol NatProtocolType, 1372 natAddrPortBindGlobalAddrType InetAddressType, 1373 natAddrPortBindGlobalAddr InetAddress, 1374 natAddrPortBindGlobalPort InetPortNumber, 1375 natAddrPortBindId NatBindId, 1376 natAddrPortBindTranslationEntity NatTranslationEntity, 1377 natAddrPortBindType NatAssociationType, 1378 natAddrPortBindMapIndex NatAddrMapId, 1379 natAddrPortBindSessions Gauge32, 1380 natAddrPortBindMaxIdleTime TimeTicks, 1381 natAddrPortBindCurrentIdleTime TimeTicks, 1382 natAddrPortBindInTranslates Counter64, 1383 natAddrPortBindOutTranslates Counter64 1384 } 1385 natAddrPortBindLocalAddrType OBJECT-TYPE 1386 SYNTAX InetAddressType 1387 MAX-ACCESS not-accessible 1388 STATUS deprecated 1389 DESCRIPTION 1390 "This object specifies the address type used for 1391 natAddrPortBindLocalAddr." 1392 ::= { natAddrPortBindEntry 1 } 1394 natAddrPortBindLocalAddr OBJECT-TYPE 1395 SYNTAX InetAddress (SIZE(4|16)) 1396 MAX-ACCESS not-accessible 1397 STATUS deprecated 1398 DESCRIPTION 1399 "This object represents the private-realm specific 1400 network layer address which, in conjunction with 1401 natAddrPortBindLocalPort, maps to the public-realm 1402 network layer address and transport id represented by 1403 natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort 1404 respectively. 1406 The type of this address is determined by the value of 1407 the natAddrPortBindLocalAddrType object." 
1408 ::= { natAddrPortBindEntry 2 } 1410 natAddrPortBindLocalPort OBJECT-TYPE 1411 SYNTAX InetPortNumber 1412 MAX-ACCESS not-accessible 1413 STATUS deprecated 1414 DESCRIPTION 1415 "For a protocol value TCP or UDP, this object represents 1416 the private-realm specific port number. On the other 1417 hand, for ICMP a bind is created only for query/response 1418 type ICMP messages such as ICMP echo, Timestamp, and 1419 Information request messages, and this object represents 1420 the private-realm specific identifier in the ICMP 1421 message, as defined in RFC 792 for ICMPv4 and in RFC 1422 2463 for ICMPv6. 1424 This object, together with natAddrPortBindProtocol, 1425 natAddrPortBindLocalAddrType, and 1426 natAddrPortBindLocalAddr, constitutes a session endpoint 1427 in the private realm. A bind entry binds a private 1428 realm specific endpoint to a public realm specific 1429 endpoint, as represented by the tuple of 1430 (natAddrPortBindGlobalPort, natAddrPortBindProtocol, 1431 natAddrPortBindGlobalAddrType, and 1432 natAddrPortBindGlobalAddr)." 1433 ::= { natAddrPortBindEntry 3 } 1435 natAddrPortBindProtocol OBJECT-TYPE 1436 SYNTAX NatProtocolType 1437 MAX-ACCESS not-accessible 1438 STATUS deprecated 1439 DESCRIPTION 1440 "This object specifies a protocol identifier. If the 1441 value of this object is none(1), then this bind entry 1442 applies to all IP traffic. Any other value of this 1443 object specifies the class of IP traffic to which this 1444 BIND applies." 1445 ::= { natAddrPortBindEntry 4 } 1447 natAddrPortBindGlobalAddrType OBJECT-TYPE 1448 SYNTAX InetAddressType 1449 MAX-ACCESS read-only 1450 STATUS deprecated 1451 DESCRIPTION 1452 "This object specifies the address type used for 1453 natAddrPortBindGlobalAddr." 
1454 ::= { natAddrPortBindEntry 5 } 1456 natAddrPortBindGlobalAddr OBJECT-TYPE 1457 SYNTAX InetAddress 1458 MAX-ACCESS read-only 1459 STATUS deprecated 1460 DESCRIPTION 1461 "This object represents the public-realm specific network 1462 layer address that, in conjunction with 1463 natAddrPortBindGlobalPort, maps to the private-realm 1465 network layer address and transport id represented by 1466 natAddrPortBindLocalAddr and natAddrPortBindLocalPort, 1467 respectively. 1469 The type of this address is determined by the value of 1470 the natAddrPortBindGlobalAddrType object." 1471 ::= { natAddrPortBindEntry 6 } 1473 natAddrPortBindGlobalPort OBJECT-TYPE 1474 SYNTAX InetPortNumber 1475 MAX-ACCESS read-only 1476 STATUS deprecated 1477 DESCRIPTION 1478 "For a protocol value TCP or UDP, this object represents 1479 the public-realm specific port number. On the other 1480 hand, for ICMP a bind is created only for query/response 1481 type ICMP messages such as ICMP echo, Timestamp, and 1482 Information request messages, and this object represents 1483 the public-realm specific identifier in the ICMP 1484 message, as defined in RFC 792 for ICMPv4 and in RFC 1485 2463 for ICMPv6. 1487 This object, together with natAddrPortBindProtocol, 1488 natAddrPortBindGlobalAddrType, and 1489 natAddrPortBindGlobalAddr, constitutes a session 1490 endpoint in the public realm. A bind entry binds a 1491 public realm specific endpoint to a private realm 1492 specific endpoint, as represented by the tuple of 1493 (natAddrPortBindLocalPort, natAddrPortBindProtocol, 1494 natAddrPortBindLocalAddrType, and 1495 natAddrPortBindLocalAddr)." 1496 ::= { natAddrPortBindEntry 7 } 1498 natAddrPortBindId OBJECT-TYPE 1499 SYNTAX NatBindId 1500 MAX-ACCESS read-only 1501 STATUS deprecated 1502 DESCRIPTION 1503 "This object represents a bind id that is dynamically 1504 assigned to each bind by a NAT enabled device. 
Each 1505 bind is represented by a unique bind id across both 1506 the natAddrBindTable and the natAddrPortBindTable." 1507 ::= { natAddrPortBindEntry 8 } 1509 natAddrPortBindTranslationEntity OBJECT-TYPE 1510 SYNTAX NatTranslationEntity 1511 MAX-ACCESS read-only 1512 STATUS deprecated 1513 DESCRIPTION 1514 "This object represents the direction of sessions 1515 for which this bind is applicable and the entity 1516 (source or destination) within the sessions that is 1517 subject to translation with the BIND. 1519 Orientation of the bind can be a superset of the 1520 translationEntity of the address map entry that 1521 forms the basis for this bind. 1523 For example, if the translationEntity of an 1524 address map entry is outboundSrcEndPoint, the 1525 translationEntity of a bind derived from this 1526 map entry may either be outboundSrcEndPoint or 1527 may be bidirectional (a bitmask of 1528 outboundSrcEndPoint and inboundDstEndPoint)." 1529 ::= { natAddrPortBindEntry 9 } 1531 natAddrPortBindType OBJECT-TYPE 1532 SYNTAX NatAssociationType 1533 MAX-ACCESS read-only 1534 STATUS deprecated 1535 DESCRIPTION 1536 "This object indicates whether the bind is static or 1537 dynamic." 1538 ::= { natAddrPortBindEntry 10 } 1540 natAddrPortBindMapIndex OBJECT-TYPE 1541 SYNTAX NatAddrMapId 1542 MAX-ACCESS read-only 1543 STATUS deprecated 1544 DESCRIPTION 1545 "This object is a pointer to the natAddrMapTable entry 1546 (and the parameters of that entry) used in 1547 creating this BIND. This object, in conjunction with 1548 the ifIndex (which identifies a unique addrMapName), 1549 points to a unique entry in the natAddrMapTable." 1550 ::= { natAddrPortBindEntry 11 } 1552 natAddrPortBindSessions OBJECT-TYPE 1553 SYNTAX Gauge32 1554 MAX-ACCESS read-only 1555 STATUS deprecated 1556 DESCRIPTION 1557 "Number of sessions currently using this BIND." 
1558 ::= { natAddrPortBindEntry 12 } 1560 natAddrPortBindMaxIdleTime OBJECT-TYPE 1561 SYNTAX TimeTicks 1562 MAX-ACCESS read-only 1563 STATUS deprecated 1565 DESCRIPTION 1566 "This object indicates the maximum time for 1567 which this bind can be idle without any sessions 1568 attached to it. 1569 The value of this object is of relevance 1570 only for dynamic NAT." 1571 ::= { natAddrPortBindEntry 13 } 1573 natAddrPortBindCurrentIdleTime OBJECT-TYPE 1574 SYNTAX TimeTicks 1575 MAX-ACCESS read-only 1576 STATUS deprecated 1577 DESCRIPTION 1578 "At any given instance, this object indicates the 1579 time that this bind has been idle without any sessions 1580 attached to it. 1582 The value of this object is of relevance 1583 only for dynamic NAT." 1584 ::= { natAddrPortBindEntry 14 } 1586 natAddrPortBindInTranslates OBJECT-TYPE 1587 SYNTAX Counter64 1588 MAX-ACCESS read-only 1589 STATUS deprecated 1590 DESCRIPTION 1591 "The number of inbound packets that were translated as 1592 per this bind entry. 1594 Discontinuities in the value of this counter can occur 1595 at reinitialization of the management system and at 1596 other times, as indicated by the value of 1597 ifCounterDiscontinuityTime on the relevant interface." 1598 ::= { natAddrPortBindEntry 15 } 1600 natAddrPortBindOutTranslates OBJECT-TYPE 1601 SYNTAX Counter64 1602 MAX-ACCESS read-only 1603 STATUS deprecated 1604 DESCRIPTION 1605 "The number of outbound packets that were translated as 1606 per this bind entry. 1608 Discontinuities in the value of this counter can occur 1609 at reinitialization of the management system and at 1610 other times, as indicated by the value of 1611 ifCounterDiscontinuityTime on the relevant interface." 
1612 ::= { natAddrPortBindEntry 16 } 1614 -- 1615 -- The Session Table 1616 -- 1618 natSessionTable OBJECT-TYPE 1619 SYNTAX SEQUENCE OF NatSessionEntry 1620 MAX-ACCESS not-accessible 1621 STATUS deprecated 1622 DESCRIPTION 1623 "The (conceptual) table containing one entry for each 1624 NAT session currently active on this NAT device." 1625 ::= { natMIBObjects 9 } 1627 natSessionEntry OBJECT-TYPE 1628 SYNTAX NatSessionEntry 1629 MAX-ACCESS not-accessible 1630 STATUS deprecated 1631 DESCRIPTION 1632 "An entry (conceptual row) containing information 1633 about an active NAT session on this NAT device. 1634 These entries are lost upon agent restart." 1635 INDEX { ifIndex, natSessionIndex } 1636 ::= { natSessionTable 1 } 1638 NatSessionEntry ::= SEQUENCE { 1639 natSessionIndex NatSessionId, 1640 natSessionPrivateSrcEPBindId NatBindIdOrZero, 1641 natSessionPrivateSrcEPBindMode NatBindMode, 1642 natSessionPrivateDstEPBindId NatBindIdOrZero, 1643 natSessionPrivateDstEPBindMode NatBindMode, 1644 natSessionDirection INTEGER, 1645 natSessionUpTime TimeTicks, 1646 natSessionAddrMapIndex NatAddrMapId, 1647 natSessionProtocolType NatProtocolType, 1648 natSessionPrivateAddrType InetAddressType, 1649 natSessionPrivateSrcAddr InetAddress, 1650 natSessionPrivateSrcPort InetPortNumber, 1651 natSessionPrivateDstAddr InetAddress, 1652 natSessionPrivateDstPort InetPortNumber, 1653 natSessionPublicAddrType InetAddressType, 1654 natSessionPublicSrcAddr InetAddress, 1655 natSessionPublicSrcPort InetPortNumber, 1656 natSessionPublicDstAddr InetAddress, 1657 natSessionPublicDstPort InetPortNumber, 1658 natSessionMaxIdleTime TimeTicks, 1659 natSessionCurrentIdleTime TimeTicks, 1660 natSessionInTranslates Counter64, 1661 natSessionOutTranslates Counter64 1662 } 1664 natSessionIndex OBJECT-TYPE 1665 SYNTAX NatSessionId 1666 MAX-ACCESS not-accessible 1667 STATUS deprecated 1668 DESCRIPTION 1669 "The session ID for this NAT session." 
1670 ::= { natSessionEntry 1 } 1672 natSessionPrivateSrcEPBindId OBJECT-TYPE 1673 SYNTAX NatBindIdOrZero 1674 MAX-ACCESS read-only 1675 STATUS deprecated 1676 DESCRIPTION 1677 "The bind id associated between private and public 1678 source end points. In the case of Symmetric-NAT, 1679 this should be set to zero." 1680 ::= { natSessionEntry 2 } 1682 natSessionPrivateSrcEPBindMode OBJECT-TYPE 1683 SYNTAX NatBindMode 1684 MAX-ACCESS read-only 1685 STATUS deprecated 1686 DESCRIPTION 1687 "This object indicates whether the bind indicated 1688 by the object natSessionPrivateSrcEPBindId 1689 is an address bind or an address port bind." 1690 ::= { natSessionEntry 3 } 1692 natSessionPrivateDstEPBindId OBJECT-TYPE 1693 SYNTAX NatBindIdOrZero 1694 MAX-ACCESS read-only 1695 STATUS deprecated 1696 DESCRIPTION 1697 "The bind id associated between private and public 1698 destination end points." 1699 ::= { natSessionEntry 4 } 1701 natSessionPrivateDstEPBindMode OBJECT-TYPE 1702 SYNTAX NatBindMode 1703 MAX-ACCESS read-only 1704 STATUS deprecated 1705 DESCRIPTION 1706 "This object indicates whether the bind indicated 1707 by the object natSessionPrivateDstEPBindId 1708 is an address bind or an address port bind." 1709 ::= { natSessionEntry 5 } 1711 natSessionDirection OBJECT-TYPE 1712 SYNTAX INTEGER { 1713 inbound (1), 1714 outbound (2) 1715 } 1717 MAX-ACCESS read-only 1718 STATUS deprecated 1719 DESCRIPTION 1720 "The direction of this session with respect to the 1721 local network. 'inbound' indicates that this session 1722 was initiated from the public network into the private 1723 network. 'outbound' indicates that this session was 1724 initiated from the private network into the public 1725 network." 1726 ::= { natSessionEntry 6 } 1728 natSessionUpTime OBJECT-TYPE 1729 SYNTAX TimeTicks 1730 MAX-ACCESS read-only 1731 STATUS deprecated 1732 DESCRIPTION 1733 "The up time of this session in one-hundredths of a 1734 second." 
1735 ::= { natSessionEntry 7 } 1737 natSessionAddrMapIndex OBJECT-TYPE 1738 SYNTAX NatAddrMapId 1739 MAX-ACCESS read-only 1740 STATUS deprecated 1741 DESCRIPTION 1742 "This object is a pointer to the natAddrMapTable entry 1743 (and the parameters of that entry) used in 1744 creating this session. This object, in conjunction with 1745 the ifIndex (which identifies a unique addrMapName), 1746 points to a unique entry in the natAddrMapTable." 1747 ::= { natSessionEntry 8 } 1749 natSessionProtocolType OBJECT-TYPE 1750 SYNTAX NatProtocolType 1751 MAX-ACCESS read-only 1752 STATUS deprecated 1753 DESCRIPTION 1754 "The protocol type of this session." 1755 ::= { natSessionEntry 9 } 1757 natSessionPrivateAddrType OBJECT-TYPE 1758 SYNTAX InetAddressType 1759 MAX-ACCESS read-only 1760 STATUS deprecated 1761 DESCRIPTION 1762 "This object specifies the address type used for 1763 natSessionPrivateSrcAddr and natSessionPrivateDstAddr." 1764 ::= { natSessionEntry 10 } 1766 natSessionPrivateSrcAddr OBJECT-TYPE 1767 SYNTAX InetAddress 1768 MAX-ACCESS read-only 1769 STATUS deprecated 1770 DESCRIPTION 1771 "The source IP address of the session endpoint that 1772 lies in the private network. 1774 The value of this object must be zero only when the 1775 natSessionPrivateSrcEPBindId object has a zero value. 1776 When the value of this object is zero, the NAT session 1777 lookup will match any IP address to this field. 1779 The type of this address is determined by the value of 1780 the natSessionPrivateAddrType object." 1781 ::= { natSessionEntry 11 } 1783 natSessionPrivateSrcPort OBJECT-TYPE 1784 SYNTAX InetPortNumber 1785 MAX-ACCESS read-only 1786 STATUS deprecated 1787 DESCRIPTION 1788 "When the value of protocol is TCP or UDP, this object 1789 represents the source port in the first packet of 1790 session while in private-realm. 
On the other hand, when 1791 the protocol is ICMP, a NAT session is created only for 1792 query/response type ICMP messages such as ICMP echo, 1793 Timestamp, and Information request messages, and this 1794 object represents the private-realm specific identifier 1795 in the ICMP message, as defined in RFC 792 for ICMPv4 1796 and in RFC 2463 for ICMPv6. 1798 The value of this object must be zero when the 1799 natSessionPrivateSrcEPBindId object has zero value 1800 and value of natSessionPrivateSrcEPBindMode is 1801 addressPortBind(2). In such a case, the NAT session 1802 lookup will match any port number to this field. 1804 The value of this object must be zero when the object 1805 is not a representative field (SrcPort, DstPort, or 1806 ICMP identifier) of the session tuple in either the 1807 public realm or the private realm." 1808 ::= { natSessionEntry 12 } 1810 natSessionPrivateDstAddr OBJECT-TYPE 1811 SYNTAX InetAddress 1812 MAX-ACCESS read-only 1813 STATUS deprecated 1814 DESCRIPTION 1815 "The destination IP address of the session endpoint that 1816 lies in the private network. 1818 The value of this object must be zero when the 1819 natSessionPrivateDstEPBindId object has a zero value. 1820 In such a scenario, the NAT session lookup will match 1821 any IP address to this field. 1823 The type of this address is determined by the value of 1824 the natSessionPrivateAddrType object." 1825 ::= { natSessionEntry 13 } 1827 natSessionPrivateDstPort OBJECT-TYPE 1828 SYNTAX InetPortNumber 1829 MAX-ACCESS read-only 1830 STATUS deprecated 1831 DESCRIPTION 1832 "When the value of protocol is TCP or UDP, this object 1833 represents the destination port in the first packet 1834 of session while in private-realm. On the other hand, 1835 when the protocol is ICMP, this object is not relevant 1836 and should be set to zero. 
1838 The value of this object must be zero when the 1839 natSessionPrivateDstEPBindId object has a zero 1840 value and natSessionPrivateDstEPBindMode is set to 1841 addressPortBind(2). In such a case, the NAT session 1842 lookup will match any port number to this field. 1844 The value of this object must be zero when the object 1845 is not a representative field (SrcPort, DstPort, or 1846 ICMP identifier) of the session tuple in either the 1847 public realm or the private realm." 1848 ::= { natSessionEntry 14 } 1850 natSessionPublicAddrType OBJECT-TYPE 1851 SYNTAX InetAddressType 1852 MAX-ACCESS read-only 1853 STATUS deprecated 1854 DESCRIPTION 1855 "This object specifies the address type used for 1856 natSessionPublicSrcAddr and natSessionPublicDstAddr." 1857 ::= { natSessionEntry 15 } 1859 natSessionPublicSrcAddr OBJECT-TYPE 1860 SYNTAX InetAddress 1861 MAX-ACCESS read-only 1862 STATUS deprecated 1863 DESCRIPTION 1864 "The source IP address of the session endpoint that 1865 lies in the public network. 1867 The value of this object must be zero when the 1868 natSessionPrivateSrcEPBindId object has a zero value. 1869 In such a scenario, the NAT session lookup will match 1870 any IP address to this field. 1872 The type of this address is determined by the value of 1873 the natSessionPublicAddrType object." 1874 ::= { natSessionEntry 16 } 1876 natSessionPublicSrcPort OBJECT-TYPE 1877 SYNTAX InetPortNumber 1878 MAX-ACCESS read-only 1879 STATUS deprecated 1880 DESCRIPTION 1881 "When the value of protocol is TCP or UDP, this object 1882 represents the source port in the first packet of 1883 session while in public-realm. On the other hand, when 1884 protocol is ICMP, a NAT session is created only for 1885 query/response type ICMP messages such as ICMP echo, 1886 Timestamp, and Information request messages, and this 1887 object represents the public-realm specific identifier 1888 in the ICMP message, as defined in RFC 792 for ICMPv4 1889 and in RFC 2463 for ICMPv6. 
1891 The value of this object must be zero when the 1892 natSessionPrivateSrcEPBindId object has a zero value 1893 and natSessionPrivateSrcEPBindMode is set to 1894 addressPortBind(2). In such a scenario, the NAT 1895 session lookup will match any port number to this 1896 field. 1898 The value of this object must be zero when the object 1899 is not a representative field (SrcPort, DstPort or 1900 ICMP identifier) of the session tuple in either the 1901 public realm or the private realm." 1902 ::= { natSessionEntry 17 } 1904 natSessionPublicDstAddr OBJECT-TYPE 1905 SYNTAX InetAddress 1906 MAX-ACCESS read-only 1907 STATUS deprecated 1908 DESCRIPTION 1909 "The destination IP address of the session endpoint that 1910 lies in the public network. 1912 The value of this object must be non-zero when the 1913 natSessionPrivateDstEPBindId object has a non-zero 1914 value. If the value of this object and the 1915 corresponding natSessionPrivateDstEPBindId object value 1916 is zero, then the NAT session lookup will match any IP 1917 address to this field. 1919 The type of this address is determined by the value of 1920 the natSessionPublicAddrType object." 1921 ::= { natSessionEntry 18 } 1923 natSessionPublicDstPort OBJECT-TYPE 1924 SYNTAX InetPortNumber 1925 MAX-ACCESS read-only 1926 STATUS deprecated 1927 DESCRIPTION 1928 "When the value of protocol is TCP or UDP, this object 1929 represents the destination port in the first packet of 1930 session while in public-realm. On the other hand, when 1931 the protocol is ICMP, this object is not relevant for 1932 translation and should be zero. 1934 The value of this object must be zero when the 1935 natSessionPrivateDstEPBindId object has a zero value 1936 and natSessionPrivateDstEPBindMode is 1937 addressPortBind(2). In such a scenario, the NAT 1938 session lookup will match any port number to this 1939 field. 
1941 The value of this object must be zero when the object 1942 is not a representative field (SrcPort, DstPort, or 1943 ICMP identifier) of the session tuple in either the 1944 public realm or the private realm." 1945 ::= { natSessionEntry 19 } 1947 natSessionMaxIdleTime OBJECT-TYPE 1948 SYNTAX TimeTicks 1949 MAX-ACCESS read-only 1950 STATUS deprecated 1951 DESCRIPTION 1952 "The max time for which this session can be idle 1953 without detecting a packet." 1954 ::= { natSessionEntry 20 } 1956 natSessionCurrentIdleTime OBJECT-TYPE 1957 SYNTAX TimeTicks 1958 MAX-ACCESS read-only 1959 STATUS deprecated 1960 DESCRIPTION 1961 "The time since a packet belonging to this session was 1962 last detected." 1963 ::= { natSessionEntry 21 } 1965 natSessionInTranslates OBJECT-TYPE 1966 SYNTAX Counter64 1967 MAX-ACCESS read-only 1968 STATUS deprecated 1969 DESCRIPTION 1970 "The number of inbound packets that were translated for 1971 this session. 1973 Discontinuities in the value of this counter can occur 1974 at reinitialization of the management system and at 1975 other times, as indicated by the value of 1976 ifCounterDiscontinuityTime on the relevant interface." 1977 ::= { natSessionEntry 22 } 1979 natSessionOutTranslates OBJECT-TYPE 1980 SYNTAX Counter64 1981 MAX-ACCESS read-only 1982 STATUS deprecated 1983 DESCRIPTION 1984 "The number of outbound packets that were translated for 1985 this session. 1987 Discontinuities in the value of this counter can occur 1988 at reinitialization of the management system and at 1989 other times, as indicated by the value of 1990 ifCounterDiscontinuityTime on the relevant interface." 1991 ::= { natSessionEntry 23 } 1993 -- 1994 -- The Protocol table 1995 -- 1997 natProtocolTable OBJECT-TYPE 1998 SYNTAX SEQUENCE OF NatProtocolEntry 1999 MAX-ACCESS not-accessible 2000 STATUS deprecated 2001 DESCRIPTION 2002 "The (conceptual) table containing per protocol NAT 2003 statistics." 
2004 ::= { natMIBObjects 10 } 2006 natProtocolEntry OBJECT-TYPE 2007 SYNTAX NatProtocolEntry 2008 MAX-ACCESS not-accessible 2009 STATUS deprecated 2010 DESCRIPTION 2011 "An entry (conceptual row) containing NAT statistics 2012 pertaining to a particular protocol." 2013 INDEX { natProtocol } 2014 ::= { natProtocolTable 1 } 2016 NatProtocolEntry ::= SEQUENCE { 2017 natProtocol NatProtocolType, 2018 natProtocolInTranslates Counter64, 2019 natProtocolOutTranslates Counter64, 2020 natProtocolDiscards Counter64 2021 } 2023 natProtocol OBJECT-TYPE 2024 SYNTAX NatProtocolType 2025 MAX-ACCESS not-accessible 2026 STATUS deprecated 2027 DESCRIPTION 2028 "This object represents the protocol pertaining to which 2029 parameters are reported." 2030 ::= { natProtocolEntry 1 } 2032 natProtocolInTranslates OBJECT-TYPE 2033 SYNTAX Counter64 2034 MAX-ACCESS read-only 2035 STATUS deprecated 2036 DESCRIPTION 2037 "The number of inbound packets pertaining to the protocol 2038 identified by natProtocol that underwent NAT. 2040 Discontinuities in the value of this counter can occur 2041 at reinitialization of the management system and at 2042 other times, as indicated by the value of 2043 ifCounterDiscontinuityTime on the relevant interface." 2044 ::= { natProtocolEntry 2 } 2046 natProtocolOutTranslates OBJECT-TYPE 2047 SYNTAX Counter64 2048 MAX-ACCESS read-only 2049 STATUS deprecated 2050 DESCRIPTION 2051 "The number of outbound packets pertaining to the 2052 protocol identified by natProtocol that underwent NAT. 2054 Discontinuities in the value of this counter can occur 2055 at reinitialization of the management system and at 2056 other times, as indicated by the value of 2057 ifCounterDiscontinuityTime on the relevant interface." 
2058 ::= { natProtocolEntry 3 } 2060 natProtocolDiscards OBJECT-TYPE 2061 SYNTAX Counter64 2062 MAX-ACCESS read-only 2063 STATUS deprecated 2064 DESCRIPTION 2065 "The number of packets pertaining to the protocol 2066 identified by natProtocol that had to be 2067 rejected/dropped due to lack of resources. These 2068 rejections could be due to session timeout, resource 2069 unavailability, lack of address space, etc. 2071 Discontinuities in the value of this counter can occur 2072 at reinitialization of the management system and at 2073 other times, as indicated by the value of 2074 ifCounterDiscontinuityTime on the relevant interface." 2075 ::= { natProtocolEntry 4 } 2077 -- 2078 -- Notifications section 2079 -- 2081 natMIBNotifications OBJECT IDENTIFIER ::= { natMIB 0 } 2083 -- 2084 -- Notifications 2085 -- 2087 natPacketDiscard NOTIFICATION-TYPE 2088 OBJECTS { ifIndex } 2089 STATUS deprecated 2090 DESCRIPTION 2091 "This notification is generated when IP packets are 2092 discarded by the NAT function; e.g., due to lack of 2093 mapping space when NAT is out of addresses or ports. 2095 Note that the generation of natPacketDiscard 2096 notifications is throttled by the agent, as specified 2097 by the 'natNotifThrottlingInterval' object." 2098 ::= { natMIBNotifications 1 } 2100 -- 2101 -- Conformance information. 
2103 -- 2105 natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 } 2107 natMIBGroups OBJECT IDENTIFIER ::= { natMIBConformance 1 } 2108 natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 } 2110 -- 2111 -- Units of conformance 2112 -- 2114 natConfigGroup OBJECT-GROUP 2115 OBJECTS { natInterfaceRealm, 2116 natInterfaceServiceType, 2117 natInterfaceStorageType, 2118 natInterfaceRowStatus, 2119 natAddrMapName, 2120 natAddrMapEntryType, 2121 natAddrMapTranslationEntity, 2122 natAddrMapLocalAddrType, 2123 natAddrMapLocalAddrFrom, 2124 natAddrMapLocalAddrTo, 2125 natAddrMapLocalPortFrom, 2126 natAddrMapLocalPortTo, 2127 natAddrMapGlobalAddrType, 2128 natAddrMapGlobalAddrFrom, 2129 natAddrMapGlobalAddrTo, 2130 natAddrMapGlobalPortFrom, 2131 natAddrMapGlobalPortTo, 2132 natAddrMapProtocol, 2133 natAddrMapStorageType, 2134 natAddrMapRowStatus, 2135 natBindDefIdleTimeout, 2136 natUdpDefIdleTimeout, 2137 natIcmpDefIdleTimeout, 2138 natOtherDefIdleTimeout, 2139 natTcpDefIdleTimeout, 2140 natTcpDefNegTimeout, 2141 natNotifThrottlingInterval } 2142 STATUS deprecated 2143 DESCRIPTION 2144 "A collection of configuration-related information 2145 required to support management of devices supporting 2146 NAT." 
2147 ::= { natMIBGroups 1 } 2149 natTranslationGroup OBJECT-GROUP 2150 OBJECTS { natAddrBindNumberOfEntries, 2151 natAddrBindGlobalAddrType, 2152 natAddrBindGlobalAddr, 2153 natAddrBindId, 2154 natAddrBindTranslationEntity, 2155 natAddrBindType, 2156 natAddrBindMapIndex, 2157 natAddrBindSessions, 2158 natAddrBindMaxIdleTime, 2159 natAddrBindCurrentIdleTime, 2160 natAddrBindInTranslates, 2161 natAddrBindOutTranslates, 2162 natAddrPortBindNumberOfEntries, 2163 natAddrPortBindGlobalAddrType, 2164 natAddrPortBindGlobalAddr, 2165 natAddrPortBindGlobalPort, 2166 natAddrPortBindId, 2167 natAddrPortBindTranslationEntity, 2168 natAddrPortBindType, 2169 natAddrPortBindMapIndex, 2170 natAddrPortBindSessions, 2171 natAddrPortBindMaxIdleTime, 2172 natAddrPortBindCurrentIdleTime, 2173 natAddrPortBindInTranslates, 2174 natAddrPortBindOutTranslates, 2175 natSessionPrivateSrcEPBindId, 2176 natSessionPrivateSrcEPBindMode, 2177 natSessionPrivateDstEPBindId, 2178 natSessionPrivateDstEPBindMode, 2179 natSessionDirection, 2180 natSessionUpTime, 2181 natSessionAddrMapIndex, 2182 natSessionProtocolType, 2183 natSessionPrivateAddrType, 2184 natSessionPrivateSrcAddr, 2185 natSessionPrivateSrcPort, 2186 natSessionPrivateDstAddr, 2187 natSessionPrivateDstPort, 2188 natSessionPublicAddrType, 2189 natSessionPublicSrcAddr, 2190 natSessionPublicSrcPort, 2191 natSessionPublicDstAddr, 2192 natSessionPublicDstPort, 2193 natSessionMaxIdleTime, 2194 natSessionCurrentIdleTime, 2195 natSessionInTranslates, 2196 natSessionOutTranslates } 2197 STATUS deprecated 2198 DESCRIPTION 2199 "A collection of BIND-related objects required to support 2200 management of devices supporting NAT." 
2201 ::= { natMIBGroups 2 } 2203 natStatsInterfaceGroup OBJECT-GROUP 2204 OBJECTS { natInterfaceInTranslates, 2205 natInterfaceOutTranslates, 2206 natInterfaceDiscards } 2207 STATUS deprecated 2208 DESCRIPTION 2209 "A collection of NAT statistics associated with the 2210 interface on which NAT is configured, to aid 2211 troubleshooting/monitoring of the NAT operation." 2212 ::= { natMIBGroups 3 } 2214 natStatsProtocolGroup OBJECT-GROUP 2215 OBJECTS { natProtocolInTranslates, 2216 natProtocolOutTranslates, 2217 natProtocolDiscards } 2218 STATUS deprecated 2219 DESCRIPTION 2220 "A collection of protocol specific NAT statistics, 2221 to aid troubleshooting/monitoring of NAT operation." 2222 ::= { natMIBGroups 4 } 2224 natStatsAddrMapGroup OBJECT-GROUP 2225 OBJECTS { natAddrMapInTranslates, 2226 natAddrMapOutTranslates, 2227 natAddrMapDiscards, 2228 natAddrMapAddrUsed } 2229 STATUS deprecated 2230 DESCRIPTION 2231 "A collection of address map specific NAT statistics, 2232 to aid troubleshooting/monitoring of NAT operation." 2233 ::= { natMIBGroups 5 } 2235 natMIBNotificationGroup NOTIFICATION-GROUP 2236 NOTIFICATIONS { natPacketDiscard } 2237 STATUS deprecated 2238 DESCRIPTION 2239 "A collection of notifications generated by 2240 devices supporting this MIB." 2241 ::= { natMIBGroups 6 } 2243 -- 2244 -- Compliance statements 2245 -- 2247 natMIBFullCompliance MODULE-COMPLIANCE 2248 STATUS deprecated 2249 DESCRIPTION 2250 "When this MIB is implemented with support for 2251 read-create, then such an implementation can claim 2252 full compliance. Such devices can then be both 2253 monitored and configured with this MIB. 
2255 The following index objects cannot be added as OBJECT 2256 clauses but nevertheless have the compliance 2257 requirements: 2258 " 2259 -- OBJECT natAddrBindLocalAddrType 2260 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2261 -- DESCRIPTION 2262 -- "An implementation is required to support 2263 -- global IPv4 and/or IPv6 addresses, depending 2264 -- on its support for IPv4 and IPv6." 2266 -- OBJECT natAddrBindLocalAddr 2267 -- SYNTAX InetAddress (SIZE(4|16)) 2268 -- DESCRIPTION 2269 -- "An implementation is required to support 2270 -- global IPv4 and/or IPv6 addresses, depending 2271 -- on its support for IPv4 and IPv6." 2273 -- OBJECT natAddrPortBindLocalAddrType 2274 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2275 -- DESCRIPTION 2276 -- "An implementation is required to support 2277 -- global IPv4 and/or IPv6 addresses, depending 2278 -- on its support for IPv4 and IPv6." 2280 -- OBJECT natAddrPortBindLocalAddr 2281 -- SYNTAX InetAddress (SIZE(4|16)) 2282 -- DESCRIPTION 2283 -- "An implementation is required to support 2284 -- global IPv4 and/or IPv6 addresses, depending 2285 -- on its support for IPv4 and IPv6." 2287 MODULE IF-MIB -- The interfaces MIB, RFC2863 2288 MANDATORY-GROUPS { 2289 ifCounterDiscontinuityGroup 2290 } 2292 MODULE -- this module 2293 MANDATORY-GROUPS { natConfigGroup, natTranslationGroup, 2294 natStatsInterfaceGroup } 2296 GROUP natStatsProtocolGroup 2297 DESCRIPTION 2298 "This group is optional." 2299 GROUP natStatsAddrMapGroup 2300 DESCRIPTION 2301 "This group is optional." 2302 GROUP natMIBNotificationGroup 2303 DESCRIPTION 2304 "This group is optional." 2306 OBJECT natAddrMapLocalAddrType 2307 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2308 DESCRIPTION 2309 "An implementation is required to support global IPv4 2310 and/or IPv6 addresses, depending on its support 2311 for IPv4 and IPv6." 
2313 OBJECT natAddrMapLocalAddrFrom 2314 SYNTAX InetAddress (SIZE(4|16)) 2315 DESCRIPTION 2316 "An implementation is required to support global IPv4 2317 and/or IPv6 addresses, depending on its support 2318 for IPv4 and IPv6." 2320 OBJECT natAddrMapLocalAddrTo 2321 SYNTAX InetAddress (SIZE(4|16)) 2322 DESCRIPTION 2323 "An implementation is required to support global IPv4 2324 and/or IPv6 addresses, depending on its support 2325 for IPv4 and IPv6." 2327 OBJECT natAddrMapGlobalAddrType 2328 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2329 DESCRIPTION 2330 "An implementation is required to support global IPv4 2331 and/or IPv6 addresses, depending on its support 2332 for IPv4 and IPv6." 2334 OBJECT natAddrMapGlobalAddrFrom 2335 SYNTAX InetAddress (SIZE(4|16)) 2336 DESCRIPTION 2337 "An implementation is required to support global IPv4 2338 and/or IPv6 addresses, depending on its support 2339 for IPv4 and IPv6." 2341 OBJECT natAddrMapGlobalAddrTo 2342 SYNTAX InetAddress (SIZE(4|16)) 2343 DESCRIPTION 2344 "An implementation is required to support global IPv4 2345 and/or IPv6 addresses, depending on its support 2346 for IPv4 and IPv6." 2348 OBJECT natAddrBindGlobalAddrType 2349 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2350 DESCRIPTION 2351 "An implementation is required to support global IPv4 2352 and/or IPv6 addresses, depending on its support 2353 for IPv4 and IPv6." 2355 OBJECT natAddrBindGlobalAddr 2356 SYNTAX InetAddress (SIZE(4|16)) 2357 DESCRIPTION 2358 "An implementation is required to support global IPv4 2359 and/or IPv6 addresses, depending on its support 2360 for IPv4 and IPv6." 2362 OBJECT natAddrPortBindGlobalAddrType 2363 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2364 DESCRIPTION 2365 "An implementation is required to support global IPv4 2366 and/or IPv6 addresses, depending on its support 2367 for IPv4 and IPv6." 
2369 OBJECT natAddrPortBindGlobalAddr 2370 SYNTAX InetAddress (SIZE(4|16)) 2371 DESCRIPTION 2372 "An implementation is required to support global IPv4 2373 and/or IPv6 addresses, depending on its support 2374 for IPv4 and IPv6." 2376 OBJECT natSessionPrivateAddrType 2377 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2378 DESCRIPTION 2379 "An implementation is required to support global IPv4 2380 and/or IPv6 addresses, depending on its support 2381 for IPv4 and IPv6." 2383 OBJECT natSessionPrivateSrcAddr 2384 SYNTAX InetAddress (SIZE(4|16)) 2385 DESCRIPTION 2386 "An implementation is required to support global IPv4 2387 and/or IPv6 addresses, depending on its support 2388 for IPv4 and IPv6." 2390 OBJECT natSessionPrivateDstAddr 2391 SYNTAX InetAddress (SIZE(4|16)) 2392 DESCRIPTION 2393 "An implementation is required to support global IPv4 2394 and/or IPv6 addresses, depending on its support 2395 for IPv4 and IPv6." 2397 OBJECT natSessionPublicAddrType 2398 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2399 DESCRIPTION 2400 "An implementation is required to support global IPv4 2401 and/or IPv6 addresses, depending on its support 2402 for IPv4 and IPv6." 2404 OBJECT natSessionPublicSrcAddr 2405 SYNTAX InetAddress (SIZE(4|16)) 2406 DESCRIPTION 2407 "An implementation is required to support global IPv4 2408 and/or IPv6 addresses, depending on its support 2409 for IPv4 and IPv6." 2411 OBJECT natSessionPublicDstAddr 2412 SYNTAX InetAddress (SIZE(4|16)) 2413 DESCRIPTION 2414 "An implementation is required to support global IPv4 2415 and/or IPv6 addresses, depending on its support 2416 for IPv4 and IPv6." 2418 ::= { natMIBCompliances 1 } 2420 natMIBReadOnlyCompliance MODULE-COMPLIANCE 2421 STATUS deprecated 2422 DESCRIPTION 2423 "When this MIB is implemented without support for 2424 read-create (i.e., in read-only mode), then such an 2425 implementation can claim read-only compliance. 2426 Such a device can then be monitored but cannot be 2427 configured with this MIB. 
2429 The following index objects cannot be added as OBJECT 2430 clauses but nevertheless have the compliance 2431 requirements: 2432 " 2433 -- OBJECT natAddrBindLocalAddrType 2434 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2435 -- DESCRIPTION 2436 -- "An implementation is required to support 2437 -- global IPv4 and/or IPv6 addresses, depending 2438 -- on its support for IPv4 and IPv6." 2440 -- OBJECT natAddrBindLocalAddr 2441 -- SYNTAX InetAddress (SIZE(4|16)) 2443 -- DESCRIPTION 2444 -- "An implementation is required to support 2445 -- global IPv4 and/or IPv6 addresses, depending 2446 -- on its support for IPv4 and IPv6." 2448 -- OBJECT natAddrPortBindLocalAddrType 2449 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2450 -- DESCRIPTION 2451 -- "An implementation is required to support 2452 -- global IPv4 and/or IPv6 addresses, depending 2453 -- on its support for IPv4 and IPv6." 2454 -- OBJECT natAddrPortBindLocalAddr 2455 -- SYNTAX InetAddress (SIZE(4|16)) 2456 -- DESCRIPTION 2457 -- "An implementation is required to support 2458 -- global IPv4 and/or IPv6 addresses, depending 2459 -- on its support for IPv4 and IPv6." 2461 MODULE IF-MIB -- The interfaces MIB, RFC2863 2462 MANDATORY-GROUPS { 2463 ifCounterDiscontinuityGroup 2464 } 2466 MODULE -- this module 2467 MANDATORY-GROUPS { natConfigGroup, natTranslationGroup, 2468 natStatsInterfaceGroup } 2470 GROUP natStatsProtocolGroup 2471 DESCRIPTION 2472 "This group is optional." 2473 GROUP natStatsAddrMapGroup 2474 DESCRIPTION 2475 "This group is optional." 2476 GROUP natMIBNotificationGroup 2477 DESCRIPTION 2478 "This group is optional." 2479 OBJECT natInterfaceRowStatus 2480 SYNTAX RowStatus { active(1) } 2481 MIN-ACCESS read-only 2482 DESCRIPTION 2483 "Write access is not required, and active is the only 2484 status that needs to be supported." 2486 OBJECT natAddrMapLocalAddrType 2487 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2488 MIN-ACCESS read-only 2489 DESCRIPTION 2490 "Write access is not required. 
An implementation is 2491 required to support global IPv4 and/or IPv6 addresses, 2492 depending on its support for IPv4 and IPv6." 2494 OBJECT natAddrMapLocalAddrFrom 2495 SYNTAX InetAddress (SIZE(4|16)) 2496 MIN-ACCESS read-only 2497 DESCRIPTION 2498 "Write access is not required. An implementation is 2499 required to support global IPv4 and/or IPv6 addresses, 2500 depending on its support for IPv4 and IPv6." 2502 OBJECT natAddrMapLocalAddrTo 2503 SYNTAX InetAddress (SIZE(4|16)) 2504 MIN-ACCESS read-only 2505 DESCRIPTION 2506 "Write access is not required. An implementation is 2507 required to support global IPv4 and/or IPv6 addresses, 2508 depending on its support for IPv4 and IPv6." 2510 OBJECT natAddrMapGlobalAddrType 2511 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2512 MIN-ACCESS read-only 2513 DESCRIPTION 2514 "Write access is not required. An implementation is 2515 required to support global IPv4 and/or IPv6 addresses, 2516 depending on its support for IPv4 and IPv6." 2518 OBJECT natAddrMapGlobalAddrFrom 2519 SYNTAX InetAddress (SIZE(4|16)) 2520 MIN-ACCESS read-only 2521 DESCRIPTION 2522 "Write access is not required. An implementation is 2523 required to support global IPv4 and/or IPv6 addresses, 2524 depending on its support for IPv4 and IPv6." 2526 OBJECT natAddrMapGlobalAddrTo 2527 SYNTAX InetAddress (SIZE(4|16)) 2528 MIN-ACCESS read-only 2529 DESCRIPTION 2530 "Write access is not required. An implementation is 2531 required to support global IPv4 and/or IPv6 addresses, 2532 depending on its support for IPv4 and IPv6." 2534 OBJECT natAddrMapRowStatus 2535 SYNTAX RowStatus { active(1) } 2536 MIN-ACCESS read-only 2537 DESCRIPTION 2538 "Write access is not required, and active is the only 2539 status that needs to be supported." 
2541 OBJECT natAddrBindGlobalAddrType 2542 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2543 DESCRIPTION 2544 "An implementation is required to support global IPv4 2545 and/or IPv6 addresses, depending on its support for 2546 IPv4 and IPv6." 2548 OBJECT natAddrBindGlobalAddr 2549 SYNTAX InetAddress (SIZE(4|16)) 2550 DESCRIPTION 2551 "An implementation is required to support global IPv4 2552 and/or IPv6 addresses, depending on its support for 2553 IPv4 and IPv6." 2555 OBJECT natAddrPortBindGlobalAddrType 2556 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2557 DESCRIPTION 2558 "An implementation is required to support global IPv4 2559 and/or IPv6 addresses, depending on its support for 2560 IPv4 and IPv6." 2562 OBJECT natAddrPortBindGlobalAddr 2563 SYNTAX InetAddress (SIZE(4|16)) 2564 DESCRIPTION 2565 "An implementation is required to support global IPv4 2566 and/or IPv6 addresses, depending on its support for 2567 IPv4 and IPv6." 2569 OBJECT natSessionPrivateAddrType 2570 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2571 DESCRIPTION 2572 "An implementation is required to support global IPv4 2573 and/or IPv6 addresses, depending on its support for 2574 IPv4 and IPv6." 2576 OBJECT natSessionPrivateSrcAddr 2577 SYNTAX InetAddress (SIZE(4|16)) 2578 DESCRIPTION 2579 "An implementation is required to support global IPv4 2580 and/or IPv6 addresses, depending on its support for 2581 IPv4 and IPv6." 2583 OBJECT natSessionPrivateDstAddr 2584 SYNTAX InetAddress (SIZE(4|16)) 2585 DESCRIPTION 2586 "An implementation is required to support global IPv4 2587 and/or IPv6 addresses, depending on its support for 2588 IPv4 and IPv6." 2590 OBJECT natSessionPublicAddrType 2591 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2592 DESCRIPTION 2593 "An implementation is required to support global IPv4 2594 and/or IPv6 addresses, depending on its support for 2595 IPv4 and IPv6." 
2597 OBJECT natSessionPublicSrcAddr 2598 SYNTAX InetAddress (SIZE(4|16)) 2599 DESCRIPTION 2600 "An implementation is required to support global IPv4 2601 and/or IPv6 addresses, depending on its support for 2602 IPv4 and IPv6." 2604 OBJECT natSessionPublicDstAddr 2605 SYNTAX InetAddress (SIZE(4|16)) 2606 DESCRIPTION 2607 "An implementation is required to support global IPv4 2608 and/or IPv6 addresses, depending on its support for 2609 IPv4 and IPv6." 2611 ::= { natMIBCompliances 2 } 2613 --=================================================================== 2614 -- END OF DEPRECATED OBJECTS. CURRENT OBJECTS FOLLOW. 2616 -- textual conventions 2618 ProtocolNumber ::= TEXTUAL-CONVENTION 2619 DISPLAY-HINT "d" 2620 STATUS current 2621 DESCRIPTION 2622 "A transport protocol number, from the 'protocol-numbers' 2623 IANA registry." 2624 SYNTAX Unsigned32 (0..255) 2626 NatPoolId ::= TEXTUAL-CONVENTION 2627 DISPLAY-HINT "d" 2628 STATUS current 2629 DESCRIPTION 2630 "A unique ID that is assigned to each pool." 2631 SYNTAX Unsigned32 (1..4294967295) 2633 NatBehaviorType ::= TEXTUAL-CONVENTION 2634 STATUS current 2635 DESCRIPTION 2636 "Behavior type as described in [RFC4787] sections 4.1 and 5." 2637 SYNTAX INTEGER { 2638 endpointIndependent (0), 2639 addressDependent (1), 2640 addressAndPortDependent (2) 2641 } 2643 NatPoolingType ::= TEXTUAL-CONVENTION 2644 STATUS current 2645 DESCRIPTION 2646 "Pooling type as described in [RFC4787] section 4.1." 2647 SYNTAX INTEGER { 2648 arbitrary (0), 2649 paired (1) 2650 } 2652 NatQuotaId ::= TEXTUAL-CONVENTION 2653 DISPLAY-HINT "d" 2654 STATUS current 2655 DESCRIPTION 2656 "A unique ID that is assigned to each quota." 2657 SYNTAX Unsigned32 (1..4294967295) 2659 GreKeyValue ::= TEXTUAL-CONVENTION 2660 DISPLAY-HINT "d" 2661 STATUS current 2662 DESCRIPTION 2663 "Denotes a GRE Key as defined in [RFC1701]."
2664 SYNTAX Unsigned32 (0..4294967295) 2666 IPv6FlowLabel ::= TEXTUAL-CONVENTION 2667 DISPLAY-HINT "d" 2668 STATUS current 2669 DESCRIPTION 2670 "Denotes an IPv6 Flow Label as defined in [RFC2460]." 2671 SYNTAX Unsigned32 (0..1048575) 2673 SubscriberIdentifierType ::= TEXTUAL-CONVENTION 2674 STATUS current 2675 DESCRIPTION 2676 "A value that represents a type of generalized subscriber 2677 access device identifier. Types 'gre(3)', 'mpls(4)', and 2678 'flow(5)' may be used as context identifiers for some 2679 deployments of Gateway Initiated DS-Lite [RFC6674]. 2681 unknown(0) An unknown address type. This value MUST 2682 be used if the value of the corresponding 2683 SubscriberIdentifier object is a zero-length 2684 string. It may also be used to indicate an 2685 address that is not in one of the formats 2686 defined below. 2688 ipv4(1) An IPv4 address as defined by the 2689 InetAddressIPv4 textual convention. 2691 ipv6(2) An IPv6 address as defined by the 2692 InetAddressIPv6 textual convention. 2694 gre(3) A GRE key as defined by the GreKeyValue textual 2695 convention. 2697 mpls(4) An MPLS label as defined by the MplsLabel 2698 textual convention. 2700 flow(5) An IPv6 flow label as defined by the 2701 IPv6FlowLabel textual convention." 2703 SYNTAX INTEGER { 2704 unknown(0), 2705 ipv4(1), 2706 ipv6(2), 2707 gre(3), 2708 mpls(4), 2709 flow(5) 2710 } 2712 SubscriberIdentifier ::= TEXTUAL-CONVENTION 2713 STATUS current 2714 DESCRIPTION 2715 "Denotes a subscriber identifier. 2717 A SubscriberIdentifier value is always interpreted within 2718 the context of a SubscriberIdentifierType value. Every usage 2719 of the SubscriberIdentifier textual convention is required 2720 to specify the SubscriberIdentifierType object that provides 2721 the context. It is suggested that the 2722 SubscriberIdentifierType object be logically registered 2723 before the object(s) that use the SubscriberIdentifier 2724 textual convention, if they appear in the same logical row. 
2726 The value of a SubscriberIdentifier object must always be 2727 consistent with the value of the associated 2728 SubscriberIdentifierType object. Attempts to set a 2729 SubscriberIdentifier object to a value inconsistent with the 2730 associated SubscriberIdentifierType must fail with an 2731 inconsistentValue error. 2733 When this textual convention is used as the syntax of an 2734 index object, there may be issues with the limit of 128 2735 sub-identifiers specified in SMIv2, STD 58. In this case, 2736 the object definition MUST include a 'SIZE' clause to limit 2737 the number of potential instance sub-identifiers; otherwise 2738 the applicable constraints MUST be stated in the appropriate 2739 conceptual row DESCRIPTION clauses, or in the surrounding 2740 documentation if there is no single DESCRIPTION clause that 2741 is appropriate." 2742 SYNTAX OCTET STRING (SIZE (0..255)) 2744 -- notifications 2746 natNotifPoolWatermarkLow NOTIFICATION-TYPE 2747 OBJECTS { natPoolWatermarkLow } 2748 STATUS current 2749 DESCRIPTION 2750 "This notification is generated when a pool's usage 2751 percentage becomes lower than or equal to the specified 2752 threshold. The threshold is specified by the 2753 natPoolWatermarkLow object." 2754 ::= { natMIBNotifications 2 } 2756 natNotifPoolWatermarkHigh NOTIFICATION-TYPE 2757 OBJECTS { natPoolWatermarkHigh } 2758 STATUS current 2759 DESCRIPTION 2760 "This notification is generated when a pool's usage 2761 percentage becomes greater than or equal to the specified 2762 threshold. The threshold is specified by the 2763 natPoolWatermarkHigh object." 2764 ::= { natMIBNotifications 3 } 2766 natNotifMappings NOTIFICATION-TYPE 2767 OBJECTS { natMappingCreations, natMappingRemovals } 2768 STATUS current 2769 DESCRIPTION 2770 "This notification is generated when the number of active 2771 mappings exceeds the value of natMappingsNotifyThreshold."
2772 ::= { natMIBNotifications 4 } 2774 natNotifAddrMappings NOTIFICATION-TYPE 2775 OBJECTS { natAddressMappingCreations, natAddressMappingRemovals } 2776 STATUS current 2777 DESCRIPTION 2778 "This notification is generated when the number of active 2779 address mappings exceeds the value of 2780 natAddrMapNotifyThreshold." 2781 ::= { natMIBNotifications 5 } 2783 natNotifSubscriberMappings NOTIFICATION-TYPE 2784 OBJECTS { natSubscriberMappingCreations, 2785 natSubscriberMappingRemovals } 2786 STATUS current 2787 DESCRIPTION 2788 "This notification is generated when the number of active 2789 mappings exceeds the value of natSubscriberMapNotifyThresh, 2790 unless natSubscriberMapNotifyThresh is zero." 2791 ::= { natMIBNotifications 6 } 2793 -- instance table 2795 natInstanceTable OBJECT-TYPE 2796 SYNTAX SEQUENCE OF NatInstanceEntry 2797 MAX-ACCESS not-accessible 2798 STATUS current 2799 DESCRIPTION 2800 "Table of NAT instances." 2801 ::= { natMIBObjects 11 } 2803 natInstanceEntry OBJECT-TYPE 2804 SYNTAX NatInstanceEntry 2805 MAX-ACCESS not-accessible 2806 STATUS current 2807 DESCRIPTION 2808 "Objects related to a single NAT instance." 2809 INDEX { natInstanceIndex } 2810 ::= { natInstanceTable 1 } 2812 NatInstanceEntry ::= 2813 SEQUENCE { 2814 natInstanceIndex Unsigned32, 2815 natInstanceAlias DisplayString 2816 } 2818 natInstanceIndex OBJECT-TYPE 2819 SYNTAX Unsigned32 2820 MAX-ACCESS not-accessible 2821 STATUS current 2822 DESCRIPTION 2823 "NAT instance index. Semantics of this number are 2824 implementation-specific. This object is used as an index for 2825 many tables defined below." 2826 ::= { natInstanceEntry 1 } 2828 natInstanceAlias OBJECT-TYPE 2829 SYNTAX DisplayString (SIZE (0..64)) 2830 MAX-ACCESS read-write 2831 STATUS current 2832 DESCRIPTION 2833 "This object is an 'alias' name for the NAT instance as 2834 specified by a network manager, and provides a non-volatile 2835 'handle' for the instance.
2837 On the first instantiation of a NAT instance, the value of 2838 natInstanceAlias associated with that instance is the 2839 zero-length string. As and when a value is written into an 2840 instance of natInstanceAlias through a network management 2841 set operation, then the agent must retain the supplied value 2842 in this object instance associated with the same interface 2843 for as long as that NAT instance remains instantiated, 2844 including across all re-initializations/reboots of the 2845 network management system, including those which result in a 2846 change of the interface's natInstanceIndex value. 2848 An example of the value which a network manager might store 2849 in this object for a NAT instance is the name/identifier of 2850 the interface that brings in internal traffic for this NAT 2851 instance or the name of the VRF for internal traffic. 2853 An agent may choose to provide read-only access if the agent 2854 itself assigns an identifier for the NAT instance. An agent 2855 which supports write access to this object is required to 2856 keep the value in non-volatile storage, but it may limit the 2857 length of new values depending on how much storage is 2858 already occupied by the current values for other 2859 NAT instances." 2860 ::= { natInstanceEntry 2 } 2862 -- counters 2864 natCounters OBJECT IDENTIFIER ::= { natMIBObjects 12 } 2866 natCountersTable OBJECT-TYPE 2867 SYNTAX SEQUENCE OF NatCountersEntry 2868 MAX-ACCESS not-accessible 2869 STATUS current 2870 DESCRIPTION 2871 "Table of counters of a NAT instance. The counters are global 2872 across L4 protocols." 2873 ::= { natCounters 1 } 2875 natCountersEntry OBJECT-TYPE 2876 SYNTAX NatCountersEntry 2877 MAX-ACCESS not-accessible 2878 STATUS current 2879 DESCRIPTION 2880 "Counters related to a single NAT instance."
    INDEX { natInstanceIndex }
    ::= { natCountersTable 1 }

NatCountersEntry ::=
    SEQUENCE {
        natTranslations Counter64,
        natOutOfPortErrors Counter64,
        natResourceErrors Counter64,
        natMappingCreations Counter64,
        natMappingRemovals Counter64,
        natAddressMappingCreations Counter64,
        natAddressMappingRemovals Counter64
    }

natTranslations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets translated."
    ::= { natCountersEntry 1 }

natOutOfPortErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets not translated because no external
         port was available, excluding quota limitations."
    ::= { natCountersEntry 2 }

natResourceErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets not translated because of resource
         constraints (excluding out-of-ports error and quota drops)."
    ::= { natCountersEntry 3 }

natMappingCreations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mapping creations. This includes static mappings."
    ::= { natCountersEntry 4 }

natMappingRemovals OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mapping removals. This includes static mappings."
    ::= { natCountersEntry 5 }

natAddressMappingCreations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of address mapping creations. This includes static
         mappings."
    ::= { natCountersEntry 6 }

natAddressMappingRemovals OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of address mapping removals. This includes static
         mappings.

         The number of active mappings is equal to
         natAddressMappingCreations - natAddressMappingRemovals."
    ::= { natCountersEntry 7 }

natL4ProtocolTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatL4ProtocolEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of protocols with per-protocol counters."
    ::= { natCounters 2 }

natL4ProtocolEntry OBJECT-TYPE
    SYNTAX NatL4ProtocolEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Per-protocol counters."
    INDEX { natInstanceIndex, natL4ProtocolNumber }
    ::= { natL4ProtocolTable 1 }

NatL4ProtocolEntry ::=
    SEQUENCE {
        natL4ProtocolNumber ProtocolNumber,
        natL4ProtocolTranslations Counter64,
        natL4ProtocolOutOfPortErrors Counter64,
        natL4ProtocolResourceErrors Counter64,
        natL4ProtocolQuotaDrops Counter64,
        natL4ProtocolMappingCreations Counter64,
        natL4ProtocolMappingRemovals Counter64
    }

natL4ProtocolNumber OBJECT-TYPE
    SYNTAX ProtocolNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Counters in this conceptual row apply to packets using the
         transport protocol identified by this object's value."
    ::= { natL4ProtocolEntry 1 }

natL4ProtocolTranslations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets translated."
    ::= { natL4ProtocolEntry 2 }

natL4ProtocolOutOfPortErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets not translated because no external
         port was available."
    ::= { natL4ProtocolEntry 3 }

natL4ProtocolResourceErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets not translated because of resource
         constraints (excluding out-of-ports errors and quota
         drops)."
    ::= { natL4ProtocolEntry 4 }

natL4ProtocolQuotaDrops OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of incoming packets not translated because of
         exceeded quotas. Quotas include absolute limits as well as
         limits on rate of allocation."
    ::= { natL4ProtocolEntry 5 }

natL4ProtocolMappingCreations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mapping creations. This includes static mappings."
    ::= { natL4ProtocolEntry 6 }

natL4ProtocolMappingRemovals OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mapping removals. This includes static mappings.

         The number of active mappings is equal to
         natL4ProtocolMappingCreations -
         natL4ProtocolMappingRemovals."
    ::= { natL4ProtocolEntry 7 }

-- limits

natLimitsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatLimitsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of limits for a NAT instance."
    ::= { natMIBObjects 13 }

natLimitsEntry OBJECT-TYPE
    SYNTAX NatLimitsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Limit related to a single NAT instance."
    INDEX { natInstanceIndex }
    ::= { natLimitsTable 1 }

NatLimitsEntry ::=
    SEQUENCE {
        natLimitMappings Unsigned32,
        natMappingsNotifyThreshold Unsigned32,
        natLimitAddressMappings Unsigned32,
        natAddrMapNotifyThreshold Unsigned32,
        natLimitFragments Unsigned32,
        natLimitSubscribers Unsigned32
    }

natLimitMappings OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Global limit on the total number of mappings. Zero means
         unlimited."
    ::= { natLimitsEntry 1 }

natMappingsNotifyThreshold OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "See natNotifMappings."
    ::= { natLimitsEntry 2 }

natLimitAddressMappings OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Global limit on the total number of internal-to-external
         address mappings. Zero means unlimited.

         This limit is only applicable to NATs that have an 'IP
         address pooling' behavior of 'Paired' [RFC4787]."
    ::= { natLimitsEntry 3 }

natAddrMapNotifyThreshold OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "See natNotifAddrMappings."
    ::= { natLimitsEntry 4 }

natLimitFragments OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Global limit on the total number of fragments pending
         reassembly. Zero means unlimited.

         This limit is only applicable to NATs having 'Receive
         Fragments Out of Order' behavior [RFC4787]."
    ::= { natLimitsEntry 5 }

natLimitSubscribers OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Global limit on the number of subscribers with active
         mappings. Zero means unlimited."
    ::= { natLimitsEntry 6 }

-- quotas

natQuotaTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatQuotaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of quotas applying to NAT. Quotas include absolute
         limits as well as limits on rate of allocation. Each quota
         in this table is identified by an index whose semantics are
         implementation-specific."
    ::= { natMIBObjects 14 }

natQuotaEntry OBJECT-TYPE
    SYNTAX NatQuotaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Entry in the table of quotas."
    INDEX { natInstanceIndex, natQuotaIndex }
    ::= { natQuotaTable 1 }

NatQuotaEntry ::=
    SEQUENCE {
        natQuotaIndex NatQuotaId,
        natQuotaDrops Counter64
    }

natQuotaIndex OBJECT-TYPE
    SYNTAX NatQuotaId
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Index of a quota."
    ::= { natQuotaEntry 1 }

natQuotaDrops OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of incoming packets not translated due to
         application of this quota."
    ::= { natQuotaEntry 2 }

-- pools

natPoolObjects OBJECT IDENTIFIER ::= { natMIBObjects 15 }

natPoolTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatPoolEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of pools."
    ::= { natPoolObjects 1 }

natPoolEntry OBJECT-TYPE
    SYNTAX NatPoolEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Entry in the table of pools."
    INDEX { natInstanceIndex, natPoolIndex }
    ::= { natPoolTable 1 }

NatPoolEntry ::=
    SEQUENCE {
        natPoolIndex NatPoolId,
        natPoolRealm SnmpAdminString,
        natPoolWatermarkLow Integer32,
        natPoolWatermarkHigh Integer32,
        natPoolPortMin InetPortNumber,
        natPoolPortMax InetPortNumber
    }

natPoolIndex OBJECT-TYPE
    SYNTAX NatPoolId
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Index of an address pool."
    ::= { natPoolEntry 1 }

natPoolRealm OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE (0..32))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Realm to which this pool's addresses belong."
    ::= { natPoolEntry 2 }

natPoolWatermarkLow OBJECT-TYPE
    SYNTAX Integer32 (-1|0..100)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Low watermark on a pool's usage, in percentage of the total
         number of ports available.
         If set to -1, the watermark is
         disabled. Otherwise when the usage percentage becomes lower
         than or equal to natPoolWatermarkLow, a notification is
         sent. The NAT may also start behaving in low usage mode
         (this is implementation-defined).

         The pool's current usage percentage can be computed by
         summing (natPoolRangeAllocations -
         natPoolRangeDeallocations) over all address ranges
         belonging to this pool, then dividing by the total number of
         IP addresses in this pool and by the size of the port range
         in this pool (natPoolPortMax - natPoolPortMin + 1)."
    ::= { natPoolEntry 3 }

natPoolWatermarkHigh OBJECT-TYPE
    SYNTAX Integer32 (-1|0..100)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "High watermark on a pool's usage, in percentage of the total
         number of ports available. If set to -1, the watermark is
         disabled. Otherwise, when the usage percentage becomes
         higher than or equal to natPoolWatermarkHigh, a notification
         is sent. The NAT may also start behaving in high usage mode
         (this is implementation-defined)."
    ::= { natPoolEntry 4 }

natPoolPortMin OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Minimal port number to be allocated in this pool."
    ::= { natPoolEntry 5 }

natPoolPortMax OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Maximal port number to be allocated in this pool."
    ::= { natPoolEntry 6 }

natPoolRangeTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatPoolRangeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table contains address ranges used by pool entries."
    ::= { natPoolObjects 2 }

natPoolRangeEntry OBJECT-TYPE
    SYNTAX NatPoolRangeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "NAT pool address range."
    INDEX { natInstanceIndex, natPoolRangePoolIndex }
    ::= { natPoolRangeTable 1 }

NatPoolRangeEntry ::=
    SEQUENCE {
        natPoolRangePoolIndex NatPoolId,
        natPoolRangeType InetAddressType,
        natPoolRangeBegin InetAddress,
        natPoolRangeEnd InetAddress,
        natPoolRangeAllocations Counter64,
        natPoolRangeDeallocations Counter64
    }

natPoolRangePoolIndex OBJECT-TYPE
    SYNTAX NatPoolId
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Index of the address pool to which this address range
         belongs. See natPoolIndex."
    ::= { natPoolRangeEntry 1 }

natPoolRangeType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The address type of natPoolRangeBegin and
         natPoolRangeEnd."
    ::= { natPoolRangeEntry 2 }

natPoolRangeBegin OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Lowest address included in this range."
    ::= { natPoolRangeEntry 3 }

natPoolRangeEnd OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Highest address included in this range."
    ::= { natPoolRangeEntry 4 }

natPoolRangeAllocations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of ports that have been allocated on the addresses in
         this range."
    ::= { natPoolRangeEntry 5 }

natPoolRangeDeallocations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of ports that have been allocated and then
         deallocated on the addresses in this range.

         The number of ports currently allocated on the addresses in
         this range can be computed by subtracting
         natPoolRangeDeallocations from natPoolRangeAllocations."
    ::= { natPoolRangeEntry 6 }

-- indexed mapping tables

natMapObjects OBJECT IDENTIFIER ::= { natMIBObjects 16 }

natMapIntAddrTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatMapIntAddrEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of mappings from internal to external address.

         This table is only applicable to NATs that have an 'IP
         address pooling' behavior of 'Paired' [RFC4787]."
    ::= { natMapObjects 1 }

natMapIntAddrEntry OBJECT-TYPE
    SYNTAX NatMapIntAddrEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Mapping from internal to external address."
    INDEX { natInstanceIndex,
            natMapIntAddrIntRealm,
            natMapIntAddrIntType,
            natMapIntAddrInt }
    ::= { natMapIntAddrTable 1 }

NatMapIntAddrEntry ::=
    SEQUENCE {
        natMapIntAddrIntRealm SnmpAdminString,
        natMapIntAddrExtRealm SnmpAdminString,
        natMapIntAddrIntType InetAddressType,
        natMapIntAddrInt InetAddress,
        natMapIntAddrExtType InetAddressType,
        natMapIntAddrExt InetAddress
    }

natMapIntAddrIntRealm OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Realm to which natMapIntAddrInt belongs."
    ::= { natMapIntAddrEntry 1 }

natMapIntAddrExtRealm OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Realm to which natMapIntAddrExt belongs."
    ::= { natMapIntAddrEntry 2 }

natMapIntAddrIntType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type for natMapIntAddrInt."
    ::= { natMapIntAddrEntry 3 }

natMapIntAddrInt OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Internal address."
    ::= { natMapIntAddrEntry 4 }

natMapIntAddrExtType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type for natMapIntAddrExt."
    ::= { natMapIntAddrEntry 5 }

natMapIntAddrExt OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "External address."
    ::= { natMapIntAddrEntry 6 }

natMappingTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatMappingEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of mappings indexed by external 3-tuple."
    ::= { natMapObjects 2 }

natMappingEntry OBJECT-TYPE
    SYNTAX NatMappingEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A single NAT mapping."
    INDEX { natInstanceIndex,
            natMappingProto,
            natMappingExtRealm,
            natMappingExtAddressType,
            natMappingExtAddress,
            natMappingExtPort }
    ::= { natMappingTable 1 }

NatMappingEntry ::=
    SEQUENCE {
        natMappingProto ProtocolNumber,
        natMappingExtRealm SnmpAdminString,
        natMappingExtAddressType InetAddressType,
        natMappingExtAddress InetAddress,
        natMappingExtPort InetPortNumber,
        natMappingIntRealm SnmpAdminString,
        natMappingIntAddressType InetAddressType,
        natMappingIntAddress InetAddress,
        natMappingIntPort InetPortNumber,
        natMappingPool Unsigned32,
        natMappingMapBehavior NatBehaviorType,
        natMappingFilterBehavior NatBehaviorType,
        natMappingAddressPooling NatPoolingType
    }

natMappingProto OBJECT-TYPE
    SYNTAX ProtocolNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's transport protocol number."
    ::= { natMappingEntry 1 }

natMappingExtRealm OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The realm to which natMappingExtAddress belongs."
    ::= { natMappingEntry 2 }

natMappingExtAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Type of the mapping's external address."
    ::= { natMappingEntry 3 }

natMappingExtAddress OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's external address. If this is the undefined
         address, all external addresses are mapped to the internal
         address."
    ::= { natMappingEntry 4 }

natMappingExtPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's external port number. If this is zero, all
         external ports are mapped to the internal port."
    ::= { natMappingEntry 5 }

natMappingIntRealm OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The realm to which natMappingIntAddress belongs."
    ::= { natMappingEntry 6 }

natMappingIntAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Type of the mapping's internal address."
    ::= { natMappingEntry 7 }

natMappingIntAddress OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The mapping's internal address. If this is the undefined
         address, addresses are not translated."
    ::= { natMappingEntry 8 }

natMappingIntPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The mapping's internal port number. If this is zero, ports
         are not translated."
    ::= { natMappingEntry 9 }

natMappingPool OBJECT-TYPE
    SYNTAX Unsigned32 (0|1..4294967295)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of the pool that contains this mapping's external
         address and port.
         If zero, no pool is associated with this
         mapping."
    ::= { natMappingEntry 10 }

natMappingMapBehavior OBJECT-TYPE
    SYNTAX NatBehaviorType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Mapping behavior as described in [RFC4787] section 4.1."
    ::= { natMappingEntry 11 }

natMappingFilterBehavior OBJECT-TYPE
    SYNTAX NatBehaviorType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Filtering behavior as described in [RFC4787] section 5."
    ::= { natMappingEntry 12 }

natMappingAddressPooling OBJECT-TYPE
    SYNTAX NatPoolingType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Type of address pooling behavior that was used to create
         this mapping."
    ::= { natMappingEntry 13 }

-- subscribers

natSubscribers OBJECT IDENTIFIER ::= { natMIBObjects 17 }

natSubscribersTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatSubscribersEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of CGN subscribers."
    ::= { natSubscribers 1 }

natSubscribersEntry OBJECT-TYPE
    SYNTAX NatSubscribersEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry describes a single CGN subscriber."
    INDEX { natInstanceIndex,
            natSubscriberIdentifierType,
            natSubscriberIdentifier }
    ::= { natSubscribersTable 1 }

NatSubscribersEntry ::=
    SEQUENCE {
        natSubscriberIdentifierType SubscriberIdentifierType,
        natSubscriberIdentifier SubscriberIdentifier,
        natSubscriberIntPrefixType InetAddressType,
        natSubscriberIntPrefix InetAddress,
        natSubscriberIntPrefixLength InetAddressPrefixLength,
        natSubscriberRealm SnmpAdminString,
        natSubscriberPool Unsigned32,
        natSubscriberTranslations Counter64,
        natSubscriberOutOfPortErrors Counter64,
        natSubscriberResourceErrors Counter64,
        natSubscriberQuotaDrops Counter64,
        natSubscriberMappingCreations Counter64,
        natSubscriberMappingRemovals Counter64,
        natSubscriberLimitMappings Unsigned32,
        natSubscriberMapNotifyThresh Unsigned32
    }

natSubscriberIdentifierType OBJECT-TYPE
    SYNTAX SubscriberIdentifierType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type of the subscriber identifier."
    ::= { natSubscribersEntry 1 }

natSubscriberIdentifier OBJECT-TYPE
    SYNTAX SubscriberIdentifier (SIZE (3|4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address used for uniquely identifying the subscriber.

         In traditional NAT, this is the internal address assigned to
         the CPE. In case an address range is assigned to a
         subscriber, the first address in the range is used as
         identifier. For tunnelled connectivity (e.g., DS-Lite
         [RFC6333]), the outer address is used as identifier (i.e.,
         the IPv6 address in the case of DS-Lite)."
    ::= { natSubscribersEntry 2 }

natSubscriberIntPrefixType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Subscriber's internal prefix type."
    ::= { natSubscribersEntry 3 }

natSubscriberIntPrefix OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Prefix assigned to a subscriber's CPE."
    ::= { natSubscribersEntry 4 }

natSubscriberIntPrefixLength OBJECT-TYPE
    SYNTAX InetAddressPrefixLength
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Length of the prefix assigned to a subscriber's CPE, in
         bits. In case a single address is assigned, this will be 32
         for IPv4 and 128 for IPv6."
    ::= { natSubscribersEntry 5 }

natSubscriberRealm OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The realm to which this subscriber belongs."
    ::= { natSubscribersEntry 6 }

natSubscriberPool OBJECT-TYPE
    SYNTAX Unsigned32 (0|1..4294967295)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "External address pool to which this subscriber belongs, or
         zero if the subscriber does not belong to any pool."
    ::= { natSubscribersEntry 7 }

natSubscriberTranslations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of translated packets received from or sent to
         this subscriber."
    ::= { natSubscribersEntry 8 }

natSubscriberOutOfPortErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received from this subscriber not
         translated because no external port was available, excluding
         quota limitations."
    ::= { natSubscribersEntry 9 }

natSubscriberResourceErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received from this subscriber not
         translated because of resource constraints (excluding
         out-of-port errors and quota drops)."
    ::= { natSubscribersEntry 10 }

natSubscriberQuotaDrops OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of incoming packets received from or destined to
         this subscriber not translated because of quota limitations.
         Quotas include absolute limits as well as limits on the rate
         of allocation."
    ::= { natSubscribersEntry 11 }

natSubscriberMappingCreations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mappings created by or for this subscriber."
    ::= { natSubscribersEntry 12 }

natSubscriberMappingRemovals OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mappings removed by or for this subscriber."
    ::= { natSubscribersEntry 13 }

natSubscriberLimitMappings OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Limit on the number of active mappings created by or for
         this subscriber. Zero means unlimited."
    ::= { natSubscribersEntry 14 }

natSubscriberMapNotifyThresh OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "See natNotifSubscriberMappings."
    ::= { natSubscribersEntry 15 }

-- object groups

natGroupStatelessObjects OBJECT-GROUP
    OBJECTS { natInstanceAlias,
              natTranslations,
              natResourceErrors,
              natQuotaDrops,
              natMappingCreations,
              natMappingRemovals,
              natL4ProtocolTranslations,
              natL4ProtocolResourceErrors,
              natL4ProtocolQuotaDrops,
              natL4ProtocolMappingCreations,
              natL4ProtocolMappingRemovals,
              natMappingIntRealm,
              natMappingIntAddressType,
              natMappingIntAddress,
              natMappingIntPort,
              natMappingPool,
              natMappingMapBehavior,
              natMappingFilterBehavior }
    STATUS current
    DESCRIPTION
        "Basic counters, limits, and thresholds that do not require
         stateful NAT. That is, they apply to both stateless and
         stateful NATs.

         For this MIB's purposes, stateless NATs are defined as NATs
         that do not create mappings dynamically (either implicitly
         or explicitly using, for instance, the Port Control
         Protocol). Their mappings are created statically by the NAT
         administrator."
    ::= { natMIBGroups 7 }

natGroupStatefulObjects OBJECT-GROUP
    OBJECTS { natOutOfPortErrors,
              natL4ProtocolOutOfPortErrors,
              natLimitMappings,
              natMappingsNotifyThreshold,
              natPoolRealm,
              natPoolWatermarkLow,
              natPoolWatermarkHigh,
              natPoolPortMin,
              natPoolPortMax,
              natPoolRangeType,
              natPoolRangeBegin,
              natPoolRangeEnd,
              natPoolRangeAllocations,
              natPoolRangeDeallocations,
              natMappingAddressPooling }
    STATUS current
    DESCRIPTION
        "Basic counters, limits, and thresholds that require stateful
         NAT."
    ::= { natMIBGroups 8 }

natGroupAddrMapObjects OBJECT-GROUP
    OBJECTS { natAddressMappingCreations,
              natAddressMappingRemovals,
              natLimitAddressMappings,
              natAddrMapNotifyThreshold,
              natMapIntAddrExtRealm,
              natMapIntAddrExt }
    STATUS current
    DESCRIPTION
        "Objects that require 'Paired IP address pooling' behavior
         [RFC4787]."
    ::= { natMIBGroups 9 }

natGroupFragmentObjects OBJECT-GROUP
    OBJECTS { natLimitFragments }
    STATUS current
    DESCRIPTION
        "Objects that require 'Receive Fragments Out of Order'
         behavior [RFC4787]."
    ::= { natMIBGroups 10 }

natGroupBasicNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { natNotifPoolWatermarkLow,
                    natNotifPoolWatermarkHigh,
                    natNotifMappings }
    STATUS current
    DESCRIPTION
        "Basic notifications."
    ::= { natMIBGroups 11 }

natGroupAddrMapNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { natNotifAddrMappings }
    STATUS current
    DESCRIPTION
        "Notifications about address mappings."
    ::= { natMIBGroups 12 }

natGroupSubscriberObjects OBJECT-GROUP
    OBJECTS { natSubscriberIntPrefixType,
              natSubscriberIntPrefix,
              natSubscriberIntPrefixLength,
              natSubscriberRealm,
              natSubscriberPool,
              natSubscriberTranslations,
              natSubscriberOutOfPortErrors,
              natSubscriberResourceErrors,
              natSubscriberQuotaDrops,
              natSubscriberMappingCreations,
              natSubscriberMappingRemovals,
              natSubscriberLimitMappings,
              natLimitSubscribers,
              natSubscriberMapNotifyThresh }
    STATUS current
    DESCRIPTION
        "Per-subscriber counters, limits, and thresholds."
    ::= { natMIBGroups 13 }

natGroupSubscriberNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { natNotifSubscriberMappings }
    STATUS current
    DESCRIPTION
        "Subscriber notifications."
    ::= { natMIBGroups 14 }

-- compliance statements

natBasicStatelessCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Basic stateless compliance with this MIB is attained when
         the objects contained in the mandatory groups are
         implemented."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupStatelessObjects }

        OBJECT natInstanceAlias
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."

    ::= { natMIBCompliances 3 }

natBasicStatefulCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Basic stateful compliance with this MIB is attained when the
         objects contained in the mandatory groups are implemented."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupStatelessObjects,
                           natGroupStatefulObjects,
                           natGroupBasicNotifications }
    ::= { natMIBCompliances 4 }

natAddrMapCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Paired IP address pooling' behavior
         [RFC4787] and implement the objects in this group can claim
         this level of compliance."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupStatelessObjects,
                           natGroupStatefulObjects,
                           natGroupBasicNotifications,
                           natGroupAddrMapObjects,
                           natGroupAddrMapNotifications }
    ::= { natMIBCompliances 5 }

natFragmentsCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Receive Fragments Out of Order' behavior
         [RFC4787] and implement the objects in this group can claim
         this level of compliance."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupStatelessObjects,
                           natGroupStatefulObjects,
                           natGroupBasicNotifications,
                           natGroupFragmentObjects }
    ::= { natMIBCompliances 6 }

natCGNCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Paired IP address pooling' and 'Receive
         Fragments Out of Order' behavior [RFC4787] and implement the
         objects in this group can claim this level of compliance.

         This level of compliance is to be expected of a CGN
         compliant with [RFC6888]."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupStatelessObjects,
                           natGroupStatefulObjects,
                           natGroupBasicNotifications,
                           natGroupAddrMapObjects,
                           natGroupAddrMapNotifications,
                           natGroupFragmentObjects,
                           natGroupSubscriberObjects,
                           natGroupSubscriberNotifications }
    ::= { natMIBCompliances 7 }

END

5. Security Considerations

There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:

Limits: An attacker setting a very low or very high limit can easily
   cause a denial-of-service situation.

   * natLimitMappings
   * natLimitAddressMappings
   * natLimitFragments
   * natLimitSubscribers
   * natSubscriberLimitMappings

Notification thresholds: An attacker setting an arbitrarily low
   threshold can cause many useless notifications to be generated.
   Setting an arbitrarily high threshold can effectively disable
   notifications, which could be used to hide another attack.
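
The limit and threshold changes described above can be detected by comparing polled values with an approved baseline and with the active-mapping counts derived from the counters. The following Python check is an added example, not part of the draft: the flattened dictionary layout, the sample values and the finding names are constructed, natNotifMappings is assumed to fire on the same "active count exceeds threshold" condition as natNotifAddrMappings, and the NAT is assumed to enforce its limits strictly.

```python
COUNTER64_MOD = 2 ** 64

# (limit, threshold, creations counter, removals counter,
#  True when the MIB says a zero threshold suppresses the notification)
PAIRS = [
    ("natLimitMappings", "natMappingsNotifyThreshold",
     "natMappingCreations", "natMappingRemovals", False),
    ("natLimitAddressMappings", "natAddrMapNotifyThreshold",
     "natAddressMappingCreations", "natAddressMappingRemovals", False),
    ("natSubscriberLimitMappings", "natSubscriberMapNotifyThresh",
     "natSubscriberMappingCreations", "natSubscriberMappingRemovals", True),
]
# Writable limits that have no paired threshold object.
UNPAIRED_LIMITS = ("natLimitFragments", "natLimitSubscribers")

# Constructed sample data: one NAT instance and one subscriber row,
# flattened into a single dictionary keyed by object name.
BASELINE = {
    "natLimitMappings": 100000, "natMappingsNotifyThreshold": 80000,
    "natLimitAddressMappings": 20000, "natAddrMapNotifyThreshold": 16000,
    "natSubscriberLimitMappings": 2000, "natSubscriberMapNotifyThresh": 1500,
    "natLimitFragments": 4096, "natLimitSubscribers": 50000,
}
POLLED = {
    "natLimitMappings": 100000, "natMappingsNotifyThreshold": 4000000000,
    "natMappingCreations": 5,                      # Counter64 has wrapped
    "natMappingRemovals": 2 ** 64 - 41995,
    "natLimitAddressMappings": 20000, "natAddrMapNotifyThreshold": 10,
    "natAddressMappingCreations": 9000, "natAddressMappingRemovals": 1000,
    "natSubscriberLimitMappings": 50, "natSubscriberMapNotifyThresh": 0,
    "natSubscriberMappingCreations": 700, "natSubscriberMappingRemovals": 400,
    "natLimitFragments": 4096, "natLimitSubscribers": 0,
}


def active_count(creations, removals):
    """Active mappings = creations - removals, correct across a Counter64 wrap."""
    return (creations - removals) % COUNTER64_MOD


def audit(polled, baseline):
    """Return (object, finding, detail) tuples for one polled snapshot."""
    findings = []

    def note(name, kind, detail):
        findings.append((name, kind, detail))

    def check_drift(name, is_limit):
        old, new = baseline[name], polled[name]
        if new == old:
            return
        if is_limit and new == 0:
            note(name, "limit-removed", f"{old} -> 0 (zero means unlimited)")
        else:
            note(name, "changed", f"{old} -> {new}")

    for limit, thresh, created, removed, zero_disables in PAIRS:
        check_drift(limit, True)
        check_drift(thresh, False)
        active = active_count(polled[created], polled[removed])
        lim, thr = polled[limit], polled[thresh]
        # A limit below current usage means new mappings are being refused.
        if lim != 0 and active > lim:
            note(limit, "limit-below-active", f"limit {lim}, active {active}")
        if zero_disables and thr == 0:
            note(thresh, "notification-disabled", "threshold is zero")
        elif lim != 0 and thr >= lim:
            # Active count cannot exceed an enforced limit, so the
            # notification condition can never become true.
            note(thresh, "threshold-unreachable",
                 f"threshold {thr} >= limit {lim}")
        elif active > thr:
            # Condition already true: the threshold sits below normal load.
            note(thresh, "threshold-exceeded",
                 f"active {active} > threshold {thr}")

    for limit in UNPAIRED_LIMITS:
        check_drift(limit, True)
    return findings


if __name__ == "__main__":
    for finding in audit(POLLED, BASELINE):
        print(*finding, sep=": ")
```

Run on each poll cycle, any non-empty result is worth an alert. The draft's own list of the notification threshold objects continues below.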

      *  natMappingsNotifyThreshold

      *  natAddrMapNotifyThreshold

      *  natSubscriberMapNotifyThresh

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   Objects that reveal host identities:  Various objects can reveal the
      identity of private hosts that are engaged in a session with
      external end nodes.  A curious outsider could monitor these to
      assess the number of private hosts being supported by the NAT
      device.  Further, a disgruntled former employee of an enterprise
      could use the information to break into specific private hosts by
      intercepting the existing sessions or originating new sessions
      into the host.

      *  natMapIntAddrType

      *  natMapIntAddrInt

      *  natMapIntAddrExt

      *  natMappingIntRealm

      *  natMappingIntAddressType

      *  natMappingIntAddress

      *  natMappingIntPort

      *  natMappingMapBehavior

      *  natMappingFilterBehavior

      *  natMappingAddressPooling

      *  natSubscriberIntPrefixType

      *  natSubscriberIntPrefix

      *  natSubscriberIntPrefixLength

   Other objects that reveal NAT state:  Other managed objects in this
      MIB may contain information that may be sensitive from a business
      perspective, in that they may represent NAT state information.

      *  natCntAddressMappings

      *  natCntProtocolMappings

      *  natPoolUsage

      *  natPoolRangeAllocatedPorts

      *  natSubscriberCntMappings

   There are no objects that are sensitive in their own right, such as
   passwords or monetary amounts.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6.  IANA Considerations

   IANA has assigned object identifier 123 to the natMIB module, with
   prefix iso.org.dod.internet.mgmt.mib-2 in the Network Management
   Parameters registry [SMI-NUMBERS].

   No IANA actions are required by this document.

7.  References

7.1.  Normative References

   [RFC1701]  Hanks, S., Li, T., Farinacci, D., and P. Traina, "Generic
              Routing Encapsulation (GRE)", RFC 1701, October 1994.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
              58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4750]  Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F.
              Baker, "OSPF Version 2 Management Information Base", RFC
              4750, December 2006.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)", RFC
              5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

7.2.  Informative References

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations", RFC
              2663, August 1999.

   [RFC3022]  Srisuresh, P. and K.
              Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022, January
              2001.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
              C. Wang, "Definitions of Managed Objects for Network
              Address Translators (NAT)", RFC 4008, March 2005.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6674]  Brockners, F., Gundavelli, S., Speicher, S., and D. Ward,
              "Gateway-Initiated Dual-Stack Lite Deployment", RFC 6674,
              July 2012.

   [RFC6888]  Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
              and H. Ashida, "Common Requirements for Carrier-Grade NATs
              (CGNs)", BCP 127, RFC 6888, April 2013.

   [SMI-NUMBERS]
              , "Network Management Parameters registry at IANA", ,
              .

Authors' Addresses

   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI:   http://viagenie.ca

   Tina Tsou
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara, CA  95050
   USA

   Phone: +1 408 330 4424
   Email: tina.tsou.zouting@huawei.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina  27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com
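
The deployment guidance in Section 5 (no SNMP versions prior to SNMPv3, cryptographic security enabled, GET/SET limited to legitimate principals) can be checked against an agent's access configuration. The following is an added example, not part of the draft: it assumes a Net-SNMP style configuration using the plain `rocommunity`/`rwcommunity`/`rouser`/`rwuser` directive forms, takes the natMIB subtree 1.3.6.1.2.1.123 from Section 6, and runs over a constructed sample.

```python
NAT_MIB = (1, 3, 6, 1, 2, 1, 123)  # mib-2 123, the natMIB assignment in Section 6

# Constructed sample configuration (assumed Net-SNMP syntax), not from the draft.
SAMPLE = """\
# constructed sample
rocommunity public default
rwcommunity s3cret 192.0.2.0/24 .1.3.6.1.2.1.123
rocommunity sysonly default .1.3.6.1.2.1.1
rouser monitor priv .1.3.6.1.2.1.123
rwuser natadmin auth
rwuser natops priv .1.3.6.1.2.1.123
"""

def overlaps_nat_mib(restriction):
    """True if an OID restriction (None = whole tree) can reach natMIB."""
    if restriction is None:
        return True
    try:
        oid = tuple(int(p) for p in restriction.strip(".").split("."))
    except ValueError:
        return True  # symbolic name or "-V view": unresolved, assume reachable
    n = min(len(oid), len(NAT_MIB))
    return oid[:n] == NAT_MIB[:n]  # ancestor of, equal to, or inside natMIB

def audit(conf_text):
    """Return [(line_number, finding)] for directives that expose natMIB."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        kind = tok[0]
        verb = "SET" if kind.startswith("rw") else "GET"
        oid = tok[3] if len(tok) > 3 else None
        if kind in ("rocommunity", "rwcommunity"):
            # rocommunity NAME [SOURCE [OID]]: community strings mean v1/v2c
            if overlaps_nat_mib(oid):
                findings.append(
                    (lineno, f"pre-SNMPv3 community with {verb} access to natMIB"))
        elif kind in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv [OID]]; the level defaults to auth
            level = tok[2] if len(tok) > 2 else "auth"
            if level != "priv" and overlaps_nat_mib(oid):
                findings.append(
                    (lineno, f"SNMPv3 user below priv ({level}) with {verb} access to natMIB"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `SET` finding covers the writable limit and threshold objects listed in Section 5; a `GET` finding covers the objects that reveal host identities and NAT state.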