idnits 2.17.1

draft-ietf-behave-nat-mib-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (January 24, 2014) is 3745 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC6674' is defined on line 4271, but no explicit
     reference was found in the text

  -- Obsolete informational reference (is this intentional?): RFC 4008
     (Obsoleted by RFC 7658)

     Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     Network Working Group                                       S. Perreault
3     Internet-Draft                                                  Viagenie
4     Obsoletes: 4008 (if approved)                                    T. Tsou
5     Intended status: Standards Track               Huawei Technologies (USA)
6     Expires: July 28, 2014                                      S. Sivakumar
7                                                                Cisco Systems
8                                                             January 24, 2014

10      Definitions of Managed Objects for Network Address Translators (NAT)
11                          draft-ietf-behave-nat-mib-11

13    Abstract

15       This memo defines a portion of the Management Information Base (MIB)
16       for devices implementing Network Address Translator (NAT) function.
17       This MIB module may be used for monitoring of a device capable of NAT
18       function.

20       This document obsoletes RFC 4008.

22    Status of This Memo

24       This Internet-Draft is submitted in full conformance with the
25       provisions of BCP 78 and BCP 79.

27       Internet-Drafts are working documents of the Internet Engineering
28       Task Force (IETF). Note that other groups may also distribute
29       working documents as Internet-Drafts. The list of current Internet-
30       Drafts is at http://datatracker.ietf.org/drafts/current/.

32       Internet-Drafts are draft documents valid for a maximum of six months
33       and may be updated, replaced, or obsoleted by other documents at any
34       time. It is inappropriate to use Internet-Drafts as reference
35       material or to cite them other than as "work in progress."

37       This Internet-Draft will expire on July 28, 2014.

39    Copyright Notice

41       Copyright (c) 2014 IETF Trust and the persons identified as the
42       document authors. All rights reserved.

44       This document is subject to BCP 78 and the IETF Trust's Legal
45       Provisions Relating to IETF Documents
46       (http://trustee.ietf.org/license-info) in effect on the date of
47       publication of this document. Please review these documents
48       carefully, as they describe your rights and restrictions with respect
49       to this document. Code Components extracted from this document must
50       include Simplified BSD License text as described in Section 4.e of
51       the Trust Legal Provisions and are provided without warranty as
52       described in the Simplified BSD License.

54    Table of Contents

56       1. Introduction
57       2. The Internet-Standard Management Framework
58       3. Overview
59         3.1. Deprecated Features
60         3.2. New Features
61         3.3. Realms
62       4. Definitions
63       5. Security Considerations
64       6. IANA Considerations
65       7. References
66         7.1. Normative References
67         7.2. Informative References
68       Authors' Addresses

70    1. Introduction

72       This memo defines a portion of the Management Information Base (MIB)
73       for devices implementing NAT function. This MIB module may be used
74       for monitoring of a device capable of NAT function. Using it for
75       configuration is deprecated. NAT types and their characteristics are
76       defined in [RFC2663]. Traditional NAT function, in particular, is
77       defined in [RFC3022]. This MIB does not address the firewall
78       functions and must not be used for configuring or monitoring these.
79       Section 2 provides references to the SNMP management framework, which
80       was used as the basis for the MIB module definition. Section 3
81       provides an overview of the MIB features. Lastly, Section 4 has the
82       complete NAT MIB definition.

84       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
85       "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
86       "OPTIONAL" in this document are to be interpreted as described in
87       [RFC2119].

89    2. The Internet-Standard Management Framework

91       For a detailed overview of the documents that describe the current
92       Internet-Standard Management Framework, please refer to section 7 of
93       RFC 3410 [RFC3410].

95       Managed objects are accessed via a virtual information store, termed
96       the Management Information Base or MIB. MIB objects are generally
97       accessed through the Simple Network Management Protocol (SNMP).
98       Objects in the MIB are defined using the mechanisms defined in the
99       Structure of Management Information (SMI). This memo specifies a MIB
100      module that is compliant to the SMIv2, which is described in STD 58,
101      RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
102      [RFC2580].

104   3. Overview

106   3.1. Deprecated Features

108      All objects defined in [RFC4008] have been marked with "STATUS
109      deprecated" for the following reasons:

111      Writability: Experience with NAT has shown that implementations vary
112         tremendously. The NAT algorithms and data structures have little
113         in common across devices, and this results in wildly incompatible
114         configuration parameters. Therefore, few implementations were
115         ever able to claim full compliance.

117         Lesson learned: the MIB should be read-only as much as possible.

119      Exposing configuration parameters: Even in read-only mode, many
120         configuration parameters were exposed by [RFC4008] (e.g.
121         timeouts). Since implementations vary wildly in their sets of
122         configuration parameters, few implementations could claim even
123         basic compliance.

125         Lesson learned: the NAT MIB's purpose is not to expose
126         configuration parameters.

128      Interfaces: Objects from [RFC4008] tie NAT state with interfaces
129         (e.g. the interface table, the way map entries are grouped by
130         interface). Many NAT implementations either never keep track of
131         the interface or associate a mapping to a set of interfaces.
132         Since interfaces are at the core of [RFC4008], many NAT devices
133         were unable to have a proper implementation.

135         Lesson learned: NAT is a logical function that may be independent
136         of interfaces. Do not tie NAT state with interfaces.

138      NAT service types: [RFC4008] used four categories of NAT service:
139         basicNat, napt, bidirectionalNat, twiceNat. These are ill-defined
140         and many implementations either use different categories or do not
141         use categories at all.

143         Lesson learned: do not try to categorize NAT types.

145      Limited transport protocol set: The set of transport protocols was
146         defined as: other, icmp, udp, tcp. Furthermore, the numeric
147         values corresponding to those labels were arbitrary, without
148         relation to the actual standard protocol numbers. This meant that
149         NAT implementations were limited to those protocols and were
150         unable to expose information about DCCP, SCTP, etc.

152         Lesson learned: use standard transport protocol numbers.

154   3.2. New Features

156      New features in this module are as follows:

158      Counters: Many new counters are introduced. Most of them are
159         available in two variants: global and per-transport protocol.

161      Limits: A few limits on the quantity of state data stored by the NAT
162         device. Some of them can trigger notifications.

164      Address+Port Pools: Pools of external addresses and ports are often
165         used in enterprise and ISP settings. Pools are listed in a table,
166         each with its range of addresses and ports. It is possible to
167         inspect each pool's usage, to set limits, and to receive
168         notifications when thresholds are crossed.

170      Address Mappings: NATs that have an "IP address pooling" behavior of
171         "Paired" [RFC4787] maintain a mapping from internal address to
172         external address. This module allows inspection of this mapping
173         table.

175      Mapping table indexed by external 3-tuple: It is often necessary to
176         determine the internal address that is mapped to a given external
177         address and port. This MIB provides this table with an index to
178         accomplish this efficiently, without having to iterate over all
179         mappings.

181      Realms: See Section 3.3.

183      RFC 4787 terminology: Mapping table entries indicate the mapping
184         behavior, the filtering behavior, and the address pooling behavior
185         that were used to create the mapping.

187      Subscriber awareness: With the advent of CGN deployment, a set of
188         subscriber specific counters, limits and parameters are added.

190      NAT instances: Multiple NAT instances may be managed by a single
191         SNMP agent. All instance-specific objects (counters, limits,
192         etc.) are indexed by NAT instance ID. In addition, NAT instances
193         may be reliably identified using the natInstanceAlias object.

195   3.3. Realms

197      Current NAT devices commonly allow the internal and external parts of
198      a mapping to come from different realms. The meaning of "realm" is
199      implementation-dependent. On some implementations it can be
200      equivalent to the name of a VPN Routing and Forwarding table (VRF).
201      On others it is simply the numeric index of a virtual routing table.
202      Note that this usage of "realm" is completely different from the one
203      in [RFC4008].

205      This MIB allows the realm to be indicated where it makes sense. The
206      format is an SnmpAdminString. On platforms that identify realms with
207      integers, the string representation of the integer is used instead.
208      The empty string has special meaning: it refers to the default realm.

210      Note that many MIBs implicitly support realms in one form or another
211      by using SNMPv3 contexts. See for example the OSPFv2 MIB [RFC4750].
212      This method cannot be used for the NAT MIB because mappings can
213      belong to two realms simultaneously: the internal part can be in one
214      realm while the external part is in another. In such cases the NAT
215      function acts like a "wormhole" between two realms. Using contexts
216      would implicitly impose the restriction that all objects would have
217      to belong to the same realm.

219   4. Definitions

221      This MIB module IMPORTs objects from [RFC2578], [RFC2579], and
222      [RFC4001].

224      NAT-MIB DEFINITIONS ::= BEGIN

226      IMPORTS
227          MODULE-IDENTITY,
228          OBJECT-TYPE,
229          Integer32,
230          Unsigned32,
231          Gauge32,
232          Counter64,
233          TimeTicks,
234          mib-2,
235          NOTIFICATION-TYPE
236              FROM SNMPv2-SMI
237          TEXTUAL-CONVENTION,
238          DisplayString,
239          StorageType,
240          RowStatus
241              FROM SNMPv2-TC
242          MODULE-COMPLIANCE,
243          NOTIFICATION-GROUP,
244          OBJECT-GROUP
245              FROM SNMPv2-CONF
246          ifIndex,
247          ifCounterDiscontinuityGroup,
248          InterfaceIndex
249              FROM IF-MIB
250          SnmpAdminString
251              FROM SNMP-FRAMEWORK-MIB
252          InetAddressType,
253          InetAddress,
254          InetAddressPrefixLength,
255          InetPortNumber
256              FROM INET-ADDRESS-MIB
257          VPNIdOrZero
258              FROM VPN-TC-STD-MIB;

260      natMIB MODULE-IDENTITY
261          LAST-UPDATED "201304260000Z"
262          -- RFC Ed.: set to publication date
263          ORGANIZATION
264              "IETF Behavior Engineering for Hindrance Avoidance
265               (BEHAVE) Working Group"
266          CONTACT-INFO
267              "Working Group Email: behave@ietf.org

269               Simon Perreault
270               Viagenie
271               246 Aberdeen
272               Quebec, QC G1R 2E1
273               Canada

275               Phone: +1 418 656 9254
276               Email: simon.perreault@viagenie.ca
277               URI: http://viagenie.ca

279               Tina Tsou
280               Huawei Technologies (USA)
281               2330 Central Expressway
282               Santa Clara, CA 95050
283               USA
284               Phone: +1 408 330 4424
285               Email: tina.tsou.zouting@huawei.com

287               Senthil Sivakumar
288               Cisco Systems
289               7100-8 Kit Creek Road
290               Research Triangle Park, North Carolina 27709
291               USA

293               Phone: +1 919 392 5158
294               Email: ssenthil@cisco.com"
295          DESCRIPTION
296              "This MIB module defines the generic managed objects
297               for NAT.

299               Copyright (C) The Internet Society (2013). This
300               version of this MIB module is part of RFC yyyy; see
301               the RFC itself for full legal notices."
302          -- RFC Ed.: replace yyyy with actual RFC number & remove this note"
303          REVISION "201304260000Z"
304          -- RFC Ed.: set to publication date
305          DESCRIPTION
306              "Complete rewrite, published as RFC yyyy."
307          -- RFC Ed.: replace yyyy with actual RFC number & set date"
308          REVISION "200503210000Z" -- 21th March 2005
309          DESCRIPTION
310              "Initial version, published as RFC 4008."
311          ::= { mib-2 123 }

313      natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }

315      NatProtocolType ::= TEXTUAL-CONVENTION
316          STATUS deprecated
317          DESCRIPTION
318              "A list of protocols that support the network
319               address translation. Inclusion of the values is
320               not intended to imply that those protocols
321               need to be supported. Any change in this
322               TEXTUAL-CONVENTION should also be reflected in
323               the definition of NatProtocolMap, which is a
324               BITS representation of this."
325          SYNTAX INTEGER {
326              none (1), -- not specified
327              other (2), -- none of the following
328              icmp (3),
329              udp (4),
330              tcp (5)

332          }

334      NatProtocolMap ::= TEXTUAL-CONVENTION
335          STATUS deprecated
336          DESCRIPTION
337              "A bitmap of protocol identifiers that support
338               the network address translation. Any change
339               in this TEXTUAL-CONVENTION should also be
340               reflected in the definition of NatProtocolType."
341          SYNTAX BITS {
342              other (0),
343              icmp (1),
344              udp (2),
345              tcp (3)
346          }

348      NatAddrMapId ::= TEXTUAL-CONVENTION
349          DISPLAY-HINT "d"
350          STATUS deprecated
351          DESCRIPTION
352              "A unique id that is assigned to each address map
353               by a NAT enabled device."
354          SYNTAX Unsigned32 (1..4294967295)

356      NatBindIdOrZero ::= TEXTUAL-CONVENTION
357          DISPLAY-HINT "d"
358          STATUS deprecated
359          DESCRIPTION
360              "A unique id that is assigned to each bind by
361               a NAT enabled device. The bind id will be zero
362               in the case of a Symmetric NAT."
363          SYNTAX Unsigned32 (0..4294967295)

365      NatBindId ::= TEXTUAL-CONVENTION
366          DISPLAY-HINT "d"
367          STATUS deprecated
368          DESCRIPTION
369              "A unique id that is assigned to each bind by
370               a NAT enabled device."
371          SYNTAX Unsigned32 (1..4294967295)

373      NatSessionId ::= TEXTUAL-CONVENTION
374          DISPLAY-HINT "d"
375          STATUS deprecated
376          DESCRIPTION
377              "A unique id that is assigned to each session by
378               a NAT enabled device."
379          SYNTAX Unsigned32 (1..4294967295)

381      NatBindMode ::= TEXTUAL-CONVENTION
382          STATUS deprecated
383          DESCRIPTION
384              "An indication of whether the bind is
385               an address bind or an address port bind."
386          SYNTAX INTEGER {
387              addressBind (1),
388              addressPortBind (2)
389          }

391      NatAssociationType ::= TEXTUAL-CONVENTION
392          STATUS deprecated
393          DESCRIPTION
394              "An indication of whether the association is
395               static or dynamic."
396          SYNTAX INTEGER {
397              static (1),
398              dynamic (2)
399          }

401      NatTranslationEntity ::= TEXTUAL-CONVENTION
402          STATUS deprecated
403          DESCRIPTION
404              "An indication of a) the direction of a session for
405               which an address map entry, address bind or port
406               bind is applicable, and b) the entity (source or
407               destination) within the session that is subject to
408               translation."
409          SYNTAX BITS {
410              inboundSrcEndPoint (0),
411              outboundDstEndPoint(1),
412              inboundDstEndPoint (2),
413              outboundSrcEndPoint(3)
414          }

416      --
417      -- Default Values for the Bind and NAT Protocol Timers
418      --

420      natDefTimeouts OBJECT IDENTIFIER ::= { natMIBObjects 1 }

422      natNotifCtrl OBJECT IDENTIFIER ::= { natMIBObjects 2 }

424      --
425      -- Address Bind and Port Bind related NAT configuration
426      --
427      natBindDefIdleTimeout OBJECT-TYPE
428          SYNTAX Unsigned32 (0..4294967295)
429          UNITS "seconds"
430          MAX-ACCESS read-write
431          STATUS deprecated
432          DESCRIPTION
433              "The default Bind (Address Bind or Port Bind) idle
434               timeout parameter.

436               If the agent is capable of storing non-volatile
437               configuration, then the value of this object must be
438               restored after a re-initialization of the management
439               system."
440          DEFVAL { 0 }
441          ::= { natDefTimeouts 1 }

443      --
444      -- UDP related NAT configuration
445      --

447      natUdpDefIdleTimeout OBJECT-TYPE
448          SYNTAX Unsigned32 (1..4294967295)
449          UNITS "seconds"
450          MAX-ACCESS read-write
451          STATUS deprecated
452          DESCRIPTION
453              "The default UDP idle timeout parameter.

455               If the agent is capable of storing non-volatile
456               configuration, then the value of this object must be
457               restored after a re-initialization of the management
458               system."
459          DEFVAL { 300 }
460          ::= { natDefTimeouts 2 }

462      --
463      -- ICMP related NAT configuration
464      --

466      natIcmpDefIdleTimeout OBJECT-TYPE
467          SYNTAX Unsigned32 (1..4294967295)
468          UNITS "seconds"
469          MAX-ACCESS read-write
470          STATUS deprecated
471          DESCRIPTION
472              "The default ICMP idle timeout parameter.

474               If the agent is capable of storing non-volatile
475               configuration, then the value of this object must be
476               restored after a re-initialization of the management
477               system."
478          DEFVAL { 300 }
479          ::= { natDefTimeouts 3 }

481      --
482      -- Other protocol parameters
483      --

485      natOtherDefIdleTimeout OBJECT-TYPE
486          SYNTAX Unsigned32 (1..4294967295)
487          UNITS "seconds"
488          MAX-ACCESS read-write
489          STATUS deprecated
490          DESCRIPTION
491              "The default idle timeout parameter for protocols
492               represented by the value other (2) in
493               NatProtocolType.

495               If the agent is capable of storing non-volatile
496               configuration, then the value of this object must be
497               restored after a re-initialization of the management
498               system."
499          DEFVAL { 60 }
500          ::= { natDefTimeouts 4 }

502      --
503      -- TCP related NAT Timers
504      --

506      natTcpDefIdleTimeout OBJECT-TYPE
507          SYNTAX Unsigned32 (1..4294967295)
508          UNITS "seconds"
509          MAX-ACCESS read-write
510          STATUS deprecated
511          DESCRIPTION
512              "The default time interval that a NAT session for an
513               established TCP connection is allowed to remain
514               valid without any activity on the TCP connection.

516               If the agent is capable of storing non-volatile
517               configuration, then the value of this object must be
518               restored after a re-initialization of the management
519               system."
520          DEFVAL { 86400 }
521          ::= { natDefTimeouts 5 }

523      natTcpDefNegTimeout OBJECT-TYPE
524          SYNTAX Unsigned32 (1..4294967295)
525          UNITS "seconds"
526          MAX-ACCESS read-write
527          STATUS deprecated
528          DESCRIPTION
529              "The default time interval that a NAT session for a TCP
530               connection that is not in the established state
531               is allowed to remain valid without any activity on
532               the TCP connection.

534               If the agent is capable of storing non-volatile
535               configuration, then the value of this object must be
536               restored after a re-initialization of the management
537               system."
538          DEFVAL { 60 }
539          ::= { natDefTimeouts 6 }

541      natNotifThrottlingInterval OBJECT-TYPE
542          SYNTAX Integer32 (0 | 5..3600)
543          UNITS "seconds"
544          MAX-ACCESS read-write
545          STATUS deprecated
546          DESCRIPTION
547              "This object controls the generation of the
548               natPacketDiscard notification.

550               If this object has a value of zero, then no
551               natPacketDiscard notifications will be transmitted by
552               the agent.

554               If this object has a non-zero value, then the agent must
555               not generate more than one natPacketDiscard
556               'notification-event' in the indicated period, where a
557               'notification-event' is the generation of a single
558               notification PDU type to a list of notification
559               destinations. If additional NAT packets are discarded
560               within the throttling period, then notification-events
561               for these changes must be suppressed by the agent until
562               the current throttling period expires.

564               If natNotifThrottlingInterval notification generation
565               is enabled, the suggested default throttling period is
566               60 seconds, but generation of the natPacketDiscard
567               notification should be disabled by default.

569               If the agent is capable of storing non-volatile
570               configuration, then the value of this object must be
571               restored after a re-initialization of the management
572               system.

574               The actual transmission of notifications is controlled
575               via the MIB modules in RFC 3413."
576          DEFVAL { 0 }
577          ::= { natNotifCtrl 1 }

579      --
580      -- The NAT Interface Table
581      --

583      natInterfaceTable OBJECT-TYPE
584          SYNTAX SEQUENCE OF NatInterfaceEntry
585          MAX-ACCESS not-accessible
586          STATUS deprecated
587          DESCRIPTION
588              "This table specifies the attributes for interfaces on a
589               device supporting NAT function."
590          ::= { natMIBObjects 3 }

592      natInterfaceEntry OBJECT-TYPE
593          SYNTAX NatInterfaceEntry
594          MAX-ACCESS not-accessible
595          STATUS deprecated
596          DESCRIPTION
597              "Each entry in the natInterfaceTable holds a set of
598               parameters for an interface, instantiated by
599               ifIndex. Therefore, the interface index must have been
600               assigned, according to the applicable procedures,
601               before it can be meaningfully used.
602               Generally, this means that the interface must exist.

604               When natStorageType is of type nonVolatile, however,
605               this may reflect the configuration for an interface
606               whose ifIndex has been assigned but for which the
607               supporting implementation is not currently present."
608          INDEX { ifIndex }
609          ::= { natInterfaceTable 1 }

611      NatInterfaceEntry ::= SEQUENCE {
612          natInterfaceRealm          INTEGER,
613          natInterfaceServiceType    BITS,
614          natInterfaceInTranslates   Counter64,
615          natInterfaceOutTranslates  Counter64,
616          natInterfaceDiscards       Counter64,
617          natInterfaceStorageType    StorageType,
618          natInterfaceRowStatus      RowStatus
619      }

621      natInterfaceRealm OBJECT-TYPE
622          SYNTAX INTEGER {
623              private (1),
624              public (2)
625          }
626          MAX-ACCESS read-create
627          STATUS deprecated
628          DESCRIPTION
629              "This object identifies whether this interface is
630               connected to the private or the public realm."
631          DEFVAL { public }
632          ::= { natInterfaceEntry 1 }

634      natInterfaceServiceType OBJECT-TYPE
635          SYNTAX BITS {
636              basicNat (0),
637              napt (1),
638              bidirectionalNat (2),
639              twiceNat (3)
640          }
641          MAX-ACCESS read-create
642          STATUS deprecated
643          DESCRIPTION
644              "An indication of the direction in which new sessions
645               are permitted and the extent of translation done within
646               the IP and transport headers."
647          ::= { natInterfaceEntry 2 }

649      natInterfaceInTranslates OBJECT-TYPE
650          SYNTAX Counter64
651          MAX-ACCESS read-only
652          STATUS deprecated
653          DESCRIPTION
654              "Number of packets received on this interface that
655               were translated.
656               Discontinuities in the value of this counter can occur
657               at reinitialization of the management system and at
658               other times as indicated by the value of
659               ifCounterDiscontinuityTime on the relevant interface."
660          ::= { natInterfaceEntry 3 }

662      natInterfaceOutTranslates OBJECT-TYPE
663          SYNTAX Counter64
664          MAX-ACCESS read-only
665          STATUS deprecated
666          DESCRIPTION
667              "Number of translated packets that were sent out this
668               interface.

670               Discontinuities in the value of this counter can occur
671               at reinitialization of the management system and at
672               other times as indicated by the value of
673               ifCounterDiscontinuityTime on the relevant interface."
674          ::= { natInterfaceEntry 4 }

676      natInterfaceDiscards OBJECT-TYPE
677          SYNTAX Counter64
678          MAX-ACCESS read-only
679          STATUS deprecated
680          DESCRIPTION
681              "Number of packets that had to be rejected/dropped due to
682               a lack of resources for this interface.

684               Discontinuities in the value of this counter can occur
685               at reinitialization of the management system and at
686               other times as indicated by the value of
687               ifCounterDiscontinuityTime on the relevant interface."
688          ::= { natInterfaceEntry 5 }

690      natInterfaceStorageType OBJECT-TYPE
691          SYNTAX StorageType
692          MAX-ACCESS read-create
693          STATUS deprecated
694          DESCRIPTION
695              "The storage type for this conceptual row.
696               Conceptual rows having the value 'permanent'
697               need not allow write-access to any columnar objects
698               in the row."
699          REFERENCE
700              "Textual Conventions for SMIv2, Section 2."
701          DEFVAL { nonVolatile }
702          ::= { natInterfaceEntry 6 }

704      natInterfaceRowStatus OBJECT-TYPE
705          SYNTAX RowStatus
706          MAX-ACCESS read-create
707          STATUS deprecated
708          DESCRIPTION
709              "The status of this conceptual row.

711               Until instances of all corresponding columns are
712               appropriately configured, the value of the
713               corresponding instance of the natInterfaceRowStatus
714               column is 'notReady'.

716               In particular, a newly created row cannot be made
717               active until the corresponding instance of
718               natInterfaceServiceType has been set.

720               None of the objects in this row may be modified
721               while the value of this object is active(1)."
722          REFERENCE
723              "Textual Conventions for SMIv2, Section 2."
724          ::= { natInterfaceEntry 7 }

726      --
727      -- The Address Map Table
728      --

730      natAddrMapTable OBJECT-TYPE
731          SYNTAX SEQUENCE OF NatAddrMapEntry
732          MAX-ACCESS not-accessible
733          STATUS deprecated
734          DESCRIPTION
735              "This table lists address map parameters for NAT."
736          ::= { natMIBObjects 4 }

738      natAddrMapEntry OBJECT-TYPE
739          SYNTAX NatAddrMapEntry
740          MAX-ACCESS not-accessible
741          STATUS deprecated
742          DESCRIPTION
743              "This entry represents an address map to be used for
744               NAT and contributes to the dynamic and/or static
745               address mapping tables of the NAT device."
746          INDEX { ifIndex, natAddrMapIndex }
747          ::= { natAddrMapTable 1 }

749      NatAddrMapEntry ::= SEQUENCE {
750          natAddrMapIndex              NatAddrMapId,
751          natAddrMapName               SnmpAdminString,
752          natAddrMapEntryType          NatAssociationType,
753          natAddrMapTranslationEntity  NatTranslationEntity,
754          natAddrMapLocalAddrType      InetAddressType,
755          natAddrMapLocalAddrFrom      InetAddress,
756          natAddrMapLocalAddrTo        InetAddress,
757          natAddrMapLocalPortFrom      InetPortNumber,
758          natAddrMapLocalPortTo        InetPortNumber,
759          natAddrMapGlobalAddrType     InetAddressType,
760          natAddrMapGlobalAddrFrom     InetAddress,
761          natAddrMapGlobalAddrTo       InetAddress,
762          natAddrMapGlobalPortFrom     InetPortNumber,
763          natAddrMapGlobalPortTo       InetPortNumber,
764          natAddrMapProtocol           NatProtocolMap,
765          natAddrMapInTranslates       Counter64,
766          natAddrMapOutTranslates      Counter64,
767          natAddrMapDiscards           Counter64,
768          natAddrMapAddrUsed           Gauge32,
769          natAddrMapStorageType        StorageType,
770          natAddrMapRowStatus          RowStatus
771      }

773      natAddrMapIndex OBJECT-TYPE
774          SYNTAX NatAddrMapId
775          MAX-ACCESS not-accessible
776          STATUS deprecated
777          DESCRIPTION
778              "Along with ifIndex, this object uniquely
779               identifies an entry in the natAddrMapTable.
780               Address map entries are applied in the order
781               specified by natAddrMapIndex."
782          ::= { natAddrMapEntry 1 }

784      natAddrMapName OBJECT-TYPE
785          SYNTAX SnmpAdminString (SIZE(1..32))
786          MAX-ACCESS read-create
787          STATUS deprecated
788          DESCRIPTION
789              "Name identifying all map entries in the table associated
790               with the same interface. All map entries with the same
791               ifIndex MUST have the same map name."
792          ::= { natAddrMapEntry 2 }

794      natAddrMapEntryType OBJECT-TYPE
795          SYNTAX NatAssociationType
796          MAX-ACCESS read-create
797          STATUS deprecated
798          DESCRIPTION
799              "This parameter can be used to set up static
800               or dynamic address maps."
801          ::= { natAddrMapEntry 3 }

803      natAddrMapTranslationEntity OBJECT-TYPE
804          SYNTAX NatTranslationEntity
805          MAX-ACCESS read-create
806          STATUS deprecated
807          DESCRIPTION
808              "The end-point entity (source or destination) in
809               inbound or outbound sessions (i.e., first packets) that
810               may be translated by an address map entry.

812               Session direction (inbound or outbound) is
813               derived from the direction of the first packet
814               of a session traversing a NAT interface.
815               NAT address (and Transport-ID) maps may be defined
816               to effect inbound or outbound sessions.

818               Traditionally, address maps for Basic NAT and NAPT are
819               configured on a public interface for outbound sessions,
820               effecting translation of source end-point. The value of
821               this object must be set to outboundSrcEndPoint for
822               those interfaces.

824               Alternately, if address maps for Basic NAT and NAPT were
825               to be configured on a private interface, the desired
826               value for this object for the map entries
827               would be inboundSrcEndPoint (i.e., effecting translation
828               of source end-point for inbound sessions).

830               If TwiceNAT were to be configured on a private
831               interface, the desired value for this object for the map
832               entries would be a bitmask of inboundSrcEndPoint and
833               inboundDstEndPoint."
834          ::= { natAddrMapEntry 4 }

836      natAddrMapLocalAddrType OBJECT-TYPE
837          SYNTAX InetAddressType
838          MAX-ACCESS read-create
839          STATUS deprecated
840          DESCRIPTION
841              "This object specifies the address type used for
842               natAddrMapLocalAddrFrom and natAddrMapLocalAddrTo."
843          ::= { natAddrMapEntry 5 }

845      natAddrMapLocalAddrFrom OBJECT-TYPE
846          SYNTAX InetAddress
847          MAX-ACCESS read-create
848          STATUS deprecated
849          DESCRIPTION
850              "This object specifies the first IP address of the range
851               of IP addresses mapped by this translation entry. The
852               value of this object must be less than or equal to the
853               value of the natAddrMapLocalAddrTo object.

855 The type of this address is determined by the value of 856 the natAddrMapLocalAddrType object." 858 ::= { natAddrMapEntry 6 } 860 natAddrMapLocalAddrTo OBJECT-TYPE 861 SYNTAX InetAddress 862 MAX-ACCESS read-create 863 STATUS deprecated 864 DESCRIPTION 865 "This object specifies the last IP address of the range 866 of IP addresses mapped by this translation entry. If 867 only a single address is being mapped, the value of this 868 object is equal to the value of natAddrMapLocalAddrFrom. 869 For a static NAT, the number of addresses in the range 870 defined by natAddrMapLocalAddrFrom and 871 natAddrMapLocalAddrTo must be equal to the number of 872 addresses in the range defined by 873 natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo. 874 The value of this object must be greater than or equal 875 to the value of the natAddrMapLocalAddrFrom object. 877 The type of this address is determined by the value of 878 the natAddrMapLocalAddrType object." 879 ::= { natAddrMapEntry 7 } 881 natAddrMapLocalPortFrom OBJECT-TYPE 882 SYNTAX InetPortNumber 883 MAX-ACCESS read-create 884 STATUS deprecated 885 DESCRIPTION 886 "If this conceptual row describes a Basic NAT address 887 mapping, then the value of this object must be zero. If 888 this conceptual row describes NAPT, then the value of 889 this object specifies the first port number in the range 890 of ports being mapped. 892 The value of this object must be less than or equal to 893 the value of the natAddrMapLocalPortTo object. If the 894 translation specifies a single port, then the value of 895 this object is equal to the value of 896 natAddrMapLocalPortTo." 897 DEFVAL { 0 } 898 ::= { natAddrMapEntry 8 } 900 natAddrMapLocalPortTo OBJECT-TYPE 901 SYNTAX InetPortNumber 902 MAX-ACCESS read-create 903 STATUS deprecated 904 DESCRIPTION 905 "If this conceptual row describes a Basic NAT address 906 mapping, then the value of this object must be zero. 
         If this conceptual row describes NAPT, then the value of
         this object specifies the last port number in the range
         of ports being mapped.

         The value of this object must be greater than or equal
         to the value of the natAddrMapLocalPortFrom object. If
         the translation specifies a single port, then the value
         of this object is equal to the value of
         natAddrMapLocalPortFrom."
    DEFVAL { 0 }
    ::= { natAddrMapEntry 9 }

natAddrMapGlobalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo."
    ::= { natAddrMapEntry 10 }

natAddrMapGlobalAddrFrom OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the first IP address of the range
         of IP addresses being mapped to. The value of this
         object must be less than or equal to the value of the
         natAddrMapGlobalAddrTo object.

         The type of this address is determined by the value of
         the natAddrMapGlobalAddrType object."
    ::= { natAddrMapEntry 11 }

natAddrMapGlobalAddrTo OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the last IP address of the range
         of IP addresses being mapped to. If only a single
         address is being mapped to, the value of this object is
         equal to the value of natAddrMapGlobalAddrFrom. For a
         static NAT, the number of addresses in the range defined
         by natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo
         must be equal to the number of addresses in the range
         defined by natAddrMapLocalAddrFrom and
         natAddrMapLocalAddrTo. The value of this object must be
         greater than or equal to the value of the
         natAddrMapGlobalAddrFrom object.

         The type of this address is determined by the value of
         the natAddrMapGlobalAddrType object."
    ::= { natAddrMapEntry 12 }

natAddrMapGlobalPortFrom OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
         mapping, then the value of this object must be zero. If
         this conceptual row describes NAPT, then the value of
         this object specifies the first port number in the range
         of ports being mapped to.

         The value of this object must be less than or equal to
         the value of the natAddrMapGlobalPortTo object. If the
         translation specifies a single port, then the value of
         this object is equal to the value of
         natAddrMapGlobalPortTo."
    DEFVAL { 0 }
    ::= { natAddrMapEntry 13 }

natAddrMapGlobalPortTo OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
         mapping, then the value of this object must be zero. If
         this conceptual row describes NAPT, then the value of
         this object specifies the last port number in the range
         of ports being mapped to.

         The value of this object must be greater than or equal
         to the value of the natAddrMapGlobalPortFrom object. If
         the translation specifies a single port, then the value
         of this object is equal to the value of
         natAddrMapGlobalPortFrom."
    DEFVAL { 0 }
    ::= { natAddrMapEntry 14 }

natAddrMapProtocol OBJECT-TYPE
    SYNTAX     NatProtocolMap
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "This object specifies a bitmap of protocol identifiers."
    ::= { natAddrMapEntry 15 }

natAddrMapInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of inbound packets pertaining to this address
         map entry that were translated.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrMapEntry 16 }

natAddrMapOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of outbound packets pertaining to this
         address map entry that were translated.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrMapEntry 17 }

natAddrMapDiscards OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of packets pertaining to this address map
         entry that were dropped due to lack of addresses in the
         address pool identified by this address map. The value
         of this object must always be zero in case of static
         address map.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrMapEntry 18 }

natAddrMapAddrUsed OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of addresses pertaining to this address map
         that are currently being used from the NAT pool.
         The value of this object must always be zero in the case
         of a static address map."
    ::= { natAddrMapEntry 19 }

natAddrMapStorageType OBJECT-TYPE
    SYNTAX     StorageType
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "The storage type for this conceptual row.
         Conceptual rows having the value 'permanent'
         need not allow write-access to any columnar objects
         in the row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natAddrMapEntry 20 }

natAddrMapRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     deprecated
    DESCRIPTION
        "The status of this conceptual row.

         Until instances of all corresponding columns are
         appropriately configured, the value of the
         corresponding instance of the natAddrMapRowStatus
         column is 'notReady'.

         None of the objects in this row may be modified
         while the value of this object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrMapEntry 21 }

--
-- Address Bind section
--

natAddrBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object maintains a count of the number of entries
         that currently exist in the natAddrBindTable."
    ::= { natMIBObjects 5 }

--
-- The NAT Address BIND Table
--

natAddrBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This table holds information about the currently
         active NAT BINDs."
    ::= { natMIBObjects 6 }

natAddrBindEntry OBJECT-TYPE
    SYNTAX     NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "Each entry in this table holds information about
         an active address BIND. These entries are lost
         upon agent restart.

         This row has indexing which may create variables with
         more than 128 subidentifiers. Implementers of this
         table must be careful not to create entries that would
         result in OIDs which exceed the 128 subidentifier limit.
         Otherwise, the information cannot be accessed using
         SNMPv1, SNMPv2c or SNMPv3."
    INDEX { ifIndex,
            natAddrBindLocalAddrType,
            natAddrBindLocalAddr }
    ::= { natAddrBindTable 1 }

NatAddrBindEntry ::= SEQUENCE {
    natAddrBindLocalAddrType      InetAddressType,
    natAddrBindLocalAddr          InetAddress,
    natAddrBindGlobalAddrType     InetAddressType,
    natAddrBindGlobalAddr         InetAddress,
    natAddrBindId                 NatBindId,
    natAddrBindTranslationEntity  NatTranslationEntity,
    natAddrBindType               NatAssociationType,
    natAddrBindMapIndex           NatAddrMapId,
    natAddrBindSessions           Gauge32,
    natAddrBindMaxIdleTime        TimeTicks,
    natAddrBindCurrentIdleTime    TimeTicks,
    natAddrBindInTranslates       Counter64,
    natAddrBindOutTranslates      Counter64
}

natAddrBindLocalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrBindLocalAddr."
    ::= { natAddrBindEntry 1 }

natAddrBindLocalAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This object represents the private-realm specific
         network layer address, which maps to the public-realm
         address represented by natAddrBindGlobalAddr.

         The type of this address is determined by the value of
         the natAddrBindLocalAddrType object."
    ::= { natAddrBindEntry 2 }

natAddrBindGlobalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 3 }

natAddrBindGlobalAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object represents the public-realm network layer
         address that maps to the private-realm network layer
         address represented by natAddrBindLocalAddr.

         The type of this address is determined by the value of
         the natAddrBindGlobalAddrType object."
    ::= { natAddrBindEntry 4 }

natAddrBindId OBJECT-TYPE
    SYNTAX     NatBindId
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object represents a bind id that is dynamically
         assigned to each bind by a NAT enabled device. Each
         bind is represented by a bind id that is
         unique across both, the natAddrBindTable and the
         natAddrPortBindTable."
    ::= { natAddrBindEntry 5 }

natAddrBindTranslationEntity OBJECT-TYPE
    SYNTAX     NatTranslationEntity
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object represents the direction of sessions
         for which this bind is applicable and the endpoint
         entity (source or destination) within the sessions that
         is subject to translation using the BIND.

         Orientation of the bind can be a superset of
         translationEntity of the address map entry which
         forms the basis for this bind.

         For example, if the translationEntity of an
         address map entry is outboundSrcEndPoint, the
         translationEntity of a bind derived from this
         map entry may either be outboundSrcEndPoint or
         it may be bidirectional (a bitmask of
         outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrBindEntry 6 }

natAddrBindType OBJECT-TYPE
    SYNTAX     NatAssociationType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object indicates whether the bind is static or
         dynamic."
    ::= { natAddrBindEntry 7 }

natAddrBindMapIndex OBJECT-TYPE
    SYNTAX     NatAddrMapId
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) which was used in
         creating this BIND. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName)
         points to a unique entry in the natAddrMapTable."
    ::= { natAddrBindEntry 8 }

natAddrBindSessions OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrBindEntry 9 }

natAddrBindMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object indicates the maximum time for
         which this bind can be idle with no sessions
         attached to it.

         The value of this object is of relevance only for
         dynamic NAT."
    ::= { natAddrBindEntry 10 }

natAddrBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "At any given instance, this object indicates the
         time that this bind has been idle without any sessions
         attached to it.

         The value of this object is of relevance only for
         dynamic NAT."
    ::= { natAddrBindEntry 11 }

natAddrBindInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of inbound packets that were successfully
         translated by using this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrBindEntry 12 }

natAddrBindOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of outbound packets that were successfully
         translated using this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrBindEntry 13 }

--
-- Address Port Bind section
--

natAddrPortBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object maintains a count of the number of entries
         that currently exist in the natAddrPortBindTable."
    ::= { natMIBObjects 7 }

--
-- The NAT Address Port Bind Table
--
natAddrPortBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This table holds information about the currently
         active NAPT BINDs."
    ::= { natMIBObjects 8 }

natAddrPortBindEntry OBJECT-TYPE
    SYNTAX     NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "Each entry in this table holds information
         about a NAPT bind that is currently active.
         These entries are lost upon agent restart.

         This row has indexing which may create variables with
         more than 128 subidentifiers. Implementers of this
         table must be careful not to create entries which would
         result in OIDs that exceed the 128 subidentifier limit.
         Otherwise, the information cannot be accessed using
         SNMPv1, SNMPv2c or SNMPv3."
    INDEX { ifIndex, natAddrPortBindLocalAddrType,
            natAddrPortBindLocalAddr, natAddrPortBindLocalPort,
            natAddrPortBindProtocol }
    ::= { natAddrPortBindTable 1 }

NatAddrPortBindEntry ::= SEQUENCE {
    natAddrPortBindLocalAddrType      InetAddressType,
    natAddrPortBindLocalAddr          InetAddress,
    natAddrPortBindLocalPort          InetPortNumber,
    natAddrPortBindProtocol           NatProtocolType,
    natAddrPortBindGlobalAddrType     InetAddressType,
    natAddrPortBindGlobalAddr         InetAddress,
    natAddrPortBindGlobalPort         InetPortNumber,
    natAddrPortBindId                 NatBindId,
    natAddrPortBindTranslationEntity  NatTranslationEntity,
    natAddrPortBindType               NatAssociationType,
    natAddrPortBindMapIndex           NatAddrMapId,
    natAddrPortBindSessions           Gauge32,
    natAddrPortBindMaxIdleTime        TimeTicks,
    natAddrPortBindCurrentIdleTime    TimeTicks,
    natAddrPortBindInTranslates       Counter64,
    natAddrPortBindOutTranslates      Counter64
}

natAddrPortBindLocalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrPortBindLocalAddr."
    ::= { natAddrPortBindEntry 1 }

natAddrPortBindLocalAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE(4|16))
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This object represents the private-realm specific
         network layer address which, in conjunction with
         natAddrPortBindLocalPort, maps to the public-realm
         network layer address and transport id represented by
         natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
         respectively.

         The type of this address is determined by the value of
         the natAddrPortBindLocalAddrType object."
    ::= { natAddrPortBindEntry 2 }

natAddrPortBindLocalPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "For a protocol value TCP or UDP, this object represents
         the private-realm specific port number. On the other
         hand, for ICMP a bind is created only for query/response
         type ICMP messages such as ICMP echo, Timestamp, and
         Information request messages, and this object represents
         the private-realm specific identifier in the ICMP
         message, as defined in RFC 792 for ICMPv4 and in RFC
         2463 for ICMPv6.

         This object, together with natAddrPortBindProtocol,
         natAddrPortBindLocalAddrType, and
         natAddrPortBindLocalAddr, constitutes a session endpoint
         in the private realm. A bind entry binds a private
         realm specific endpoint to a public realm specific
         endpoint, as represented by the tuple of
         (natAddrPortBindGlobalPort, natAddrPortBindProtocol,
         natAddrPortBindGlobalAddrType, and
         natAddrPortBindGlobalAddr)."
    ::= { natAddrPortBindEntry 3 }

natAddrPortBindProtocol OBJECT-TYPE
    SYNTAX     NatProtocolType
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "This object specifies a protocol identifier. If the
         value of this object is none(1), then this bind entry
         applies to all IP traffic. Any other value of this
         object specifies the class of IP traffic to which this
         BIND applies."
    ::= { natAddrPortBindEntry 4 }

natAddrPortBindGlobalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrPortBindGlobalAddr."
    ::= { natAddrPortBindEntry 5 }

natAddrPortBindGlobalAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object represents the public-realm specific network
         layer address that, in conjunction with
         natAddrPortBindGlobalPort, maps to the private-realm
         network layer address and transport id represented by
         natAddrPortBindLocalAddr and natAddrPortBindLocalPort,
         respectively.

         The type of this address is determined by the value of
         the natAddrPortBindGlobalAddrType object."
    ::= { natAddrPortBindEntry 6 }

natAddrPortBindGlobalPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "For a protocol value TCP or UDP, this object represents
         the public-realm specific port number. On the other
         hand, for ICMP a bind is created only for query/response
         type ICMP messages such as ICMP echo, Timestamp, and
         Information request messages, and this object represents
         the public-realm specific identifier in the ICMP
         message, as defined in RFC 792 for ICMPv4 and in RFC
         2463 for ICMPv6.

         This object, together with natAddrPortBindProtocol,
         natAddrPortBindGlobalAddrType, and
         natAddrPortBindGlobalAddr, constitutes a session
         endpoint in the public realm. A bind entry binds a
         public realm specific endpoint to a private realm
         specific endpoint, as represented by the tuple of
         (natAddrPortBindLocalPort, natAddrPortBindProtocol,
         natAddrPortBindLocalAddrType, and
         natAddrPortBindLocalAddr)."
    ::= { natAddrPortBindEntry 7 }

natAddrPortBindId OBJECT-TYPE
    SYNTAX     NatBindId
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object represents a bind id that is dynamically
         assigned to each bind by a NAT enabled device.
         Each bind is represented by a unique bind id across both
         the natAddrBindTable and the natAddrPortBindTable."
    ::= { natAddrPortBindEntry 8 }

natAddrPortBindTranslationEntity OBJECT-TYPE
    SYNTAX     NatTranslationEntity
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object represents the direction of sessions
         for which this bind is applicable and the entity
         (source or destination) within the sessions that is
         subject to translation with the BIND.

         Orientation of the bind can be a superset of the
         translationEntity of the address map entry that
         forms the basis for this bind.

         For example, if the translationEntity of an
         address map entry is outboundSrcEndPoint, the
         translationEntity of a bind derived from this
         map entry may either be outboundSrcEndPoint or
         may be bidirectional (a bitmask of
         outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrPortBindEntry 9 }

natAddrPortBindType OBJECT-TYPE
    SYNTAX     NatAssociationType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object indicates whether the bind is static or
         dynamic."
    ::= { natAddrPortBindEntry 10 }

natAddrPortBindMapIndex OBJECT-TYPE
    SYNTAX     NatAddrMapId
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) used in
         creating this BIND. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName),
         points to a unique entry in the natAddrMapTable."
    ::= { natAddrPortBindEntry 11 }

natAddrPortBindSessions OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrPortBindEntry 12 }

natAddrPortBindMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object indicates the maximum time for
         which this bind can be idle without any sessions
         attached to it.
         The value of this object is of relevance
         only for dynamic NAT."
    ::= { natAddrPortBindEntry 13 }

natAddrPortBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "At any given instance, this object indicates the
         time that this bind has been idle without any sessions
         attached to it.

         The value of this object is of relevance
         only for dynamic NAT."
    ::= { natAddrPortBindEntry 14 }

natAddrPortBindInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of inbound packets that were translated as
         per this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrPortBindEntry 15 }

natAddrPortBindOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The number of outbound packets that were translated as
         per this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrPortBindEntry 16 }

--
-- The Session Table
--

natSessionTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "The (conceptual) table containing one entry for each
         NAT session currently active on this NAT device."
    ::= { natMIBObjects 9 }

natSessionEntry OBJECT-TYPE
    SYNTAX     NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "An entry (conceptual row) containing information
         about an active NAT session on this NAT device.
         These entries are lost upon agent restart."
    INDEX { ifIndex, natSessionIndex }
    ::= { natSessionTable 1 }

NatSessionEntry ::= SEQUENCE {
    natSessionIndex                 NatSessionId,
    natSessionPrivateSrcEPBindId    NatBindIdOrZero,
    natSessionPrivateSrcEPBindMode  NatBindMode,
    natSessionPrivateDstEPBindId    NatBindIdOrZero,
    natSessionPrivateDstEPBindMode  NatBindMode,
    natSessionDirection             INTEGER,
    natSessionUpTime                TimeTicks,
    natSessionAddrMapIndex          NatAddrMapId,
    natSessionProtocolType          NatProtocolType,
    natSessionPrivateAddrType       InetAddressType,
    natSessionPrivateSrcAddr        InetAddress,
    natSessionPrivateSrcPort        InetPortNumber,
    natSessionPrivateDstAddr        InetAddress,
    natSessionPrivateDstPort        InetPortNumber,
    natSessionPublicAddrType        InetAddressType,
    natSessionPublicSrcAddr         InetAddress,
    natSessionPublicSrcPort         InetPortNumber,
    natSessionPublicDstAddr         InetAddress,
    natSessionPublicDstPort         InetPortNumber,
    natSessionMaxIdleTime           TimeTicks,
    natSessionCurrentIdleTime       TimeTicks,
    natSessionInTranslates          Counter64,
    natSessionOutTranslates         Counter64
}

natSessionIndex OBJECT-TYPE
    SYNTAX     NatSessionId
    MAX-ACCESS not-accessible
    STATUS     deprecated
    DESCRIPTION
        "The session ID for this NAT session."
    ::= { natSessionEntry 1 }

natSessionPrivateSrcEPBindId OBJECT-TYPE
    SYNTAX     NatBindIdOrZero
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The bind id associated between private and public
         source end points. In the case of Symmetric-NAT,
         this should be set to zero."
    ::= { natSessionEntry 2 }

natSessionPrivateSrcEPBindMode OBJECT-TYPE
    SYNTAX     NatBindMode
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object indicates whether the bind indicated
         by the object natSessionPrivateSrcEPBindId
         is an address bind or an address port bind."
    ::= { natSessionEntry 3 }

natSessionPrivateDstEPBindId OBJECT-TYPE
    SYNTAX     NatBindIdOrZero
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The bind id associated between private and public
         destination end points."
    ::= { natSessionEntry 4 }

natSessionPrivateDstEPBindMode OBJECT-TYPE
    SYNTAX     NatBindMode
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object indicates whether the bind indicated
         by the object natSessionPrivateDstEPBindId
         is an address bind or an address port bind."
    ::= { natSessionEntry 5 }

natSessionDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   inbound (1),
                   outbound (2)
               }
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The direction of this session with respect to the
         local network. 'inbound' indicates that this session
         was initiated from the public network into the private
         network. 'outbound' indicates that this session was
         initiated from the private network into the public
         network."
    ::= { natSessionEntry 6 }

natSessionUpTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The up time of this session in one-hundredths of a
         second."
    ::= { natSessionEntry 7 }

natSessionAddrMapIndex OBJECT-TYPE
    SYNTAX     NatAddrMapId
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) used in
         creating this session. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName),
         points to a unique entry in the natAddrMapTable."
    ::= { natSessionEntry 8 }

natSessionProtocolType OBJECT-TYPE
    SYNTAX     NatProtocolType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The protocol type of this session."
    ::= { natSessionEntry 9 }

natSessionPrivateAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natSessionPrivateSrcAddr and natSessionPrivateDstAddr."
    ::= { natSessionEntry 10 }

natSessionPrivateSrcAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The source IP address of the session endpoint that
         lies in the private network.

         The value of this object must be zero only when the
         natSessionPrivateSrcEPBindId object has a zero value.
         When the value of this object is zero, the NAT session
         lookup will match any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPrivateAddrType object."
    ::= { natSessionEntry 11 }

natSessionPrivateSrcPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the source port in the first packet of
         session while in private-realm.
         On the other hand, when
         the protocol is ICMP, a NAT session is created only for
         query/response type ICMP messages such as ICMP echo,
         Timestamp, and Information request messages, and this
         object represents the private-realm specific identifier
         in the ICMP message, as defined in RFC 792 for ICMPv4
         and in RFC 2463 for ICMPv6.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has zero value
         and value of natSessionPrivateSrcEPBindMode is
         addressPortBind(2). In such a case, the NAT session
         lookup will match any port number to this field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 12 }

natSessionPrivateDstAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The destination IP address of the session endpoint that
         lies in the private network.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero value.
         In such a scenario, the NAT session lookup will match
         any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPrivateAddrType object."
    ::= { natSessionEntry 13 }

natSessionPrivateDstPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the destination port in the first packet
         of session while in private-realm. On the other hand,
         when the protocol is ICMP, this object is not relevant
         and should be set to zero.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero
         value and natSessionPrivateDstEPBindMode is set to
         addressPortBind(2). In such a case, the NAT session
         lookup will match any port number to this field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 14 }

natSessionPublicAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natSessionPublicSrcAddr and natSessionPublicDstAddr."
    ::= { natSessionEntry 15 }

natSessionPublicSrcAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "The source IP address of the session endpoint that
         lies in the public network.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has a zero value.
         In such a scenario, the NAT session lookup will match
         any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPublicAddrType object."
    ::= { natSessionEntry 16 }

natSessionPublicSrcPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-only
    STATUS     deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the source port in the first packet of
         session while in public-realm. On the other hand, when
         protocol is ICMP, a NAT session is created only for
         query/response type ICMP messages such as ICMP echo,
         Timestamp, and Information request messages, and this
         object represents the public-realm specific identifier
         in the ICMP message, as defined in RFC 792 for ICMPv4
         and in RFC 2463 for ICMPv6.
1890 The value of this object must be zero when the 1891 natSessionPrivateSrcEPBindId object has a zero value 1892 and natSessionPrivateSrcEPBindMode is set to 1893 addressPortBind(2). In such a scenario, the NAT 1894 session lookup will match any port number to this 1895 field. 1897 The value of this object must be zero when the object 1898 is not a representative field (SrcPort, DstPort or 1899 ICMP identifier) of the session tuple in either the 1900 public realm or the private realm." 1901 ::= { natSessionEntry 17 } 1903 natSessionPublicDstAddr OBJECT-TYPE 1904 SYNTAX InetAddress 1905 MAX-ACCESS read-only 1906 STATUS deprecated 1907 DESCRIPTION 1908 "The destination IP address of the session endpoint that 1909 lies in the public network. 1911 The value of this object must be non-zero when the 1912 natSessionPrivateDstEPBindId object has a non-zero 1913 value. If the value of this object and the 1914 corresponding natSessionPrivateDstEPBindId object value 1915 is zero, then the NAT session lookup will match any IP 1916 address to this field. 1918 The type of this address is determined by the value of 1919 the natSessionPublicAddrType object." 1920 ::= { natSessionEntry 18 } 1922 natSessionPublicDstPort OBJECT-TYPE 1923 SYNTAX InetPortNumber 1924 MAX-ACCESS read-only 1925 STATUS deprecated 1926 DESCRIPTION 1927 "When the value of protocol is TCP or UDP, this object 1928 represents the destination port in the first packet of 1929 session while in public-realm. On the other hand, when 1930 the protocol is ICMP, this object is not relevant for 1931 translation and should be zero. 1933 The value of this object must be zero when the 1934 natSessionPrivateDstEPBindId object has a zero value 1935 and natSessionPrivateDstEPBindMode is 1936 addressPortBind(2). In such a scenario, the NAT 1937 session lookup will match any port number to this 1938 field. 
1940 The value of this object must be zero when the object 1941 is not a representative field (SrcPort, DstPort, or 1942 ICMP identifier) of the session tuple in either the 1943 public realm or the private realm." 1944 ::= { natSessionEntry 19 } 1946 natSessionMaxIdleTime OBJECT-TYPE 1947 SYNTAX TimeTicks 1948 MAX-ACCESS read-only 1949 STATUS deprecated 1950 DESCRIPTION 1951 "The max time for which this session can be idle 1952 without detecting a packet." 1953 ::= { natSessionEntry 20 } 1955 natSessionCurrentIdleTime OBJECT-TYPE 1956 SYNTAX TimeTicks 1957 MAX-ACCESS read-only 1958 STATUS deprecated 1959 DESCRIPTION 1960 "The time since a packet belonging to this session was 1961 last detected." 1962 ::= { natSessionEntry 21 } 1964 natSessionInTranslates OBJECT-TYPE 1965 SYNTAX Counter64 1966 MAX-ACCESS read-only 1967 STATUS deprecated 1968 DESCRIPTION 1969 "The number of inbound packets that were translated for 1970 this session. 1972 Discontinuities in the value of this counter can occur 1973 at reinitialization of the management system and at 1974 other times, as indicated by the value of 1975 ifCounterDiscontinuityTime on the relevant interface." 1976 ::= { natSessionEntry 22 } 1978 natSessionOutTranslates OBJECT-TYPE 1979 SYNTAX Counter64 1980 MAX-ACCESS read-only 1981 STATUS deprecated 1982 DESCRIPTION 1983 "The number of outbound packets that were translated for 1984 this session. 1986 Discontinuities in the value of this counter can occur 1987 at reinitialization of the management system and at 1988 other times, as indicated by the value of 1989 ifCounterDiscontinuityTime on the relevant interface." 1990 ::= { natSessionEntry 23 } 1992 -- 1993 -- The Protocol table 1994 -- 1996 natProtocolTable OBJECT-TYPE 1997 SYNTAX SEQUENCE OF NatProtocolEntry 1998 MAX-ACCESS not-accessible 1999 STATUS deprecated 2000 DESCRIPTION 2001 "The (conceptual) table containing per protocol NAT 2002 statistics." 
2003 ::= { natMIBObjects 10 } 2005 natProtocolEntry OBJECT-TYPE 2006 SYNTAX NatProtocolEntry 2007 MAX-ACCESS not-accessible 2008 STATUS deprecated 2009 DESCRIPTION 2010 "An entry (conceptual row) containing NAT statistics 2011 pertaining to a particular protocol." 2012 INDEX { natProtocol } 2013 ::= { natProtocolTable 1 } 2015 NatProtocolEntry ::= SEQUENCE { 2016 natProtocol NatProtocolType, 2017 natProtocolInTranslates Counter64, 2018 natProtocolOutTranslates Counter64, 2019 natProtocolDiscards Counter64 2020 } 2022 natProtocol OBJECT-TYPE 2023 SYNTAX NatProtocolType 2024 MAX-ACCESS not-accessible 2025 STATUS deprecated 2026 DESCRIPTION 2027 "This object represents the protocol pertaining to which 2028 parameters are reported." 2029 ::= { natProtocolEntry 1 } 2031 natProtocolInTranslates OBJECT-TYPE 2032 SYNTAX Counter64 2033 MAX-ACCESS read-only 2034 STATUS deprecated 2035 DESCRIPTION 2036 "The number of inbound packets pertaining to the protocol 2037 identified by natProtocol that underwent NAT. 2039 Discontinuities in the value of this counter can occur 2040 at reinitialization of the management system and at 2041 other times, as indicated by the value of 2042 ifCounterDiscontinuityTime on the relevant interface." 2043 ::= { natProtocolEntry 2 } 2045 natProtocolOutTranslates OBJECT-TYPE 2046 SYNTAX Counter64 2047 MAX-ACCESS read-only 2048 STATUS deprecated 2049 DESCRIPTION 2050 "The number of outbound packets pertaining to the 2051 protocol identified by natProtocol that underwent NAT. 2053 Discontinuities in the value of this counter can occur 2054 at reinitialization of the management system and at 2055 other times, as indicated by the value of 2056 ifCounterDiscontinuityTime on the relevant interface." 
2057 ::= { natProtocolEntry 3 } 2059 natProtocolDiscards OBJECT-TYPE 2060 SYNTAX Counter64 2061 MAX-ACCESS read-only 2062 STATUS deprecated 2063 DESCRIPTION 2064 "The number of packets pertaining to the protocol 2065 identified by natProtocol that had to be 2066 rejected/dropped due to lack of resources. These 2067 rejections could be due to session timeout, resource 2068 unavailability, lack of address space, etc. 2070 Discontinuities in the value of this counter can occur 2071 at reinitialization of the management system and at 2072 other times, as indicated by the value of 2073 ifCounterDiscontinuityTime on the relevant interface." 2074 ::= { natProtocolEntry 4 } 2076 -- 2077 -- Notifications section 2078 -- 2080 natMIBNotifications OBJECT IDENTIFIER ::= { natMIB 0 } 2082 -- 2083 -- Notifications 2084 -- 2086 natPacketDiscard NOTIFICATION-TYPE 2087 OBJECTS { ifIndex } 2088 STATUS deprecated 2089 DESCRIPTION 2090 "This notification is generated when IP packets are 2091 discarded by the NAT function; e.g., due to lack of 2092 mapping space when NAT is out of addresses or ports. 2094 Note that the generation of natPacketDiscard 2095 notifications is throttled by the agent, as specified 2096 by the 'natNotifThrottlingInterval' object." 2097 ::= { natMIBNotifications 1 } 2099 -- 2100 -- Conformance information. 
2102 -- 2104 natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 } 2106 natMIBGroups OBJECT IDENTIFIER ::= { natMIBConformance 1 } 2107 natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 } 2109 -- 2110 -- Units of conformance 2111 -- 2113 natConfigGroup OBJECT-GROUP 2114 OBJECTS { natInterfaceRealm, 2115 natInterfaceServiceType, 2116 natInterfaceStorageType, 2117 natInterfaceRowStatus, 2118 natAddrMapName, 2119 natAddrMapEntryType, 2120 natAddrMapTranslationEntity, 2121 natAddrMapLocalAddrType, 2122 natAddrMapLocalAddrFrom, 2123 natAddrMapLocalAddrTo, 2124 natAddrMapLocalPortFrom, 2125 natAddrMapLocalPortTo, 2126 natAddrMapGlobalAddrType, 2127 natAddrMapGlobalAddrFrom, 2128 natAddrMapGlobalAddrTo, 2129 natAddrMapGlobalPortFrom, 2130 natAddrMapGlobalPortTo, 2131 natAddrMapProtocol, 2132 natAddrMapStorageType, 2133 natAddrMapRowStatus, 2134 natBindDefIdleTimeout, 2135 natUdpDefIdleTimeout, 2136 natIcmpDefIdleTimeout, 2137 natOtherDefIdleTimeout, 2138 natTcpDefIdleTimeout, 2139 natTcpDefNegTimeout, 2140 natNotifThrottlingInterval } 2141 STATUS deprecated 2142 DESCRIPTION 2143 "A collection of configuration-related information 2144 required to support management of devices supporting 2145 NAT." 
2146 ::= { natMIBGroups 1 } 2148 natTranslationGroup OBJECT-GROUP 2149 OBJECTS { natAddrBindNumberOfEntries, 2150 natAddrBindGlobalAddrType, 2151 natAddrBindGlobalAddr, 2152 natAddrBindId, 2153 natAddrBindTranslationEntity, 2154 natAddrBindType, 2155 natAddrBindMapIndex, 2156 natAddrBindSessions, 2157 natAddrBindMaxIdleTime, 2158 natAddrBindCurrentIdleTime, 2159 natAddrBindInTranslates, 2160 natAddrBindOutTranslates, 2161 natAddrPortBindNumberOfEntries, 2162 natAddrPortBindGlobalAddrType, 2163 natAddrPortBindGlobalAddr, 2164 natAddrPortBindGlobalPort, 2165 natAddrPortBindId, 2166 natAddrPortBindTranslationEntity, 2167 natAddrPortBindType, 2168 natAddrPortBindMapIndex, 2169 natAddrPortBindSessions, 2170 natAddrPortBindMaxIdleTime, 2171 natAddrPortBindCurrentIdleTime, 2172 natAddrPortBindInTranslates, 2173 natAddrPortBindOutTranslates, 2174 natSessionPrivateSrcEPBindId, 2175 natSessionPrivateSrcEPBindMode, 2176 natSessionPrivateDstEPBindId, 2177 natSessionPrivateDstEPBindMode, 2178 natSessionDirection, 2179 natSessionUpTime, 2180 natSessionAddrMapIndex, 2181 natSessionProtocolType, 2182 natSessionPrivateAddrType, 2183 natSessionPrivateSrcAddr, 2184 natSessionPrivateSrcPort, 2185 natSessionPrivateDstAddr, 2186 natSessionPrivateDstPort, 2187 natSessionPublicAddrType, 2188 natSessionPublicSrcAddr, 2189 natSessionPublicSrcPort, 2190 natSessionPublicDstAddr, 2191 natSessionPublicDstPort, 2192 natSessionMaxIdleTime, 2193 natSessionCurrentIdleTime, 2194 natSessionInTranslates, 2195 natSessionOutTranslates } 2196 STATUS deprecated 2197 DESCRIPTION 2198 "A collection of BIND-related objects required to support 2199 management of devices supporting NAT." 
2200 ::= { natMIBGroups 2 } 2202 natStatsInterfaceGroup OBJECT-GROUP 2203 OBJECTS { natInterfaceInTranslates, 2204 natInterfaceOutTranslates, 2205 natInterfaceDiscards } 2206 STATUS deprecated 2207 DESCRIPTION 2208 "A collection of NAT statistics associated with the 2209 interface on which NAT is configured, to aid 2210 troubleshooting/monitoring of the NAT operation." 2211 ::= { natMIBGroups 3 } 2213 natStatsProtocolGroup OBJECT-GROUP 2214 OBJECTS { natProtocolInTranslates, 2215 natProtocolOutTranslates, 2216 natProtocolDiscards } 2217 STATUS deprecated 2218 DESCRIPTION 2219 "A collection of protocol specific NAT statistics, 2220 to aid troubleshooting/monitoring of NAT operation." 2221 ::= { natMIBGroups 4 } 2223 natStatsAddrMapGroup OBJECT-GROUP 2224 OBJECTS { natAddrMapInTranslates, 2225 natAddrMapOutTranslates, 2226 natAddrMapDiscards, 2227 natAddrMapAddrUsed } 2228 STATUS deprecated 2229 DESCRIPTION 2230 "A collection of address map specific NAT statistics, 2231 to aid troubleshooting/monitoring of NAT operation." 2232 ::= { natMIBGroups 5 } 2234 natMIBNotificationGroup NOTIFICATION-GROUP 2235 NOTIFICATIONS { natPacketDiscard } 2236 STATUS deprecated 2237 DESCRIPTION 2238 "A collection of notifications generated by 2239 devices supporting this MIB." 2240 ::= { natMIBGroups 6 } 2242 -- 2243 -- Compliance statements 2244 -- 2246 natMIBFullCompliance MODULE-COMPLIANCE 2247 STATUS deprecated 2248 DESCRIPTION 2249 "When this MIB is implemented with support for 2250 read-create, then such an implementation can claim 2251 full compliance. Such devices can then be both 2252 monitored and configured with this MIB. 
2254 The following index objects cannot be added as OBJECT 2255 clauses but nevertheless have the compliance 2256 requirements: 2257 " 2258 -- OBJECT natAddrBindLocalAddrType 2259 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2260 -- DESCRIPTION 2261 -- "An implementation is required to support 2262 -- global IPv4 and/or IPv6 addresses, depending 2263 -- on its support for IPv4 and IPv6." 2265 -- OBJECT natAddrBindLocalAddr 2266 -- SYNTAX InetAddress (SIZE(4|16)) 2267 -- DESCRIPTION 2268 -- "An implementation is required to support 2269 -- global IPv4 and/or IPv6 addresses, depending 2270 -- on its support for IPv4 and IPv6." 2272 -- OBJECT natAddrPortBindLocalAddrType 2273 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2274 -- DESCRIPTION 2275 -- "An implementation is required to support 2276 -- global IPv4 and/or IPv6 addresses, depending 2277 -- on its support for IPv4 and IPv6." 2279 -- OBJECT natAddrPortBindLocalAddr 2280 -- SYNTAX InetAddress (SIZE(4|16)) 2281 -- DESCRIPTION 2282 -- "An implementation is required to support 2283 -- global IPv4 and/or IPv6 addresses, depending 2284 -- on its support for IPv4 and IPv6." 2286 MODULE IF-MIB -- The interfaces MIB, RFC2863 2287 MANDATORY-GROUPS { 2288 ifCounterDiscontinuityGroup 2289 } 2291 MODULE -- this module 2292 MANDATORY-GROUPS { natConfigGroup, natTranslationGroup, 2293 natStatsInterfaceGroup } 2295 GROUP natStatsProtocolGroup 2296 DESCRIPTION 2297 "This group is optional." 2298 GROUP natStatsAddrMapGroup 2299 DESCRIPTION 2300 "This group is optional." 2301 GROUP natMIBNotificationGroup 2302 DESCRIPTION 2303 "This group is optional." 2305 OBJECT natAddrMapLocalAddrType 2306 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2307 DESCRIPTION 2308 "An implementation is required to support global IPv4 2309 and/or IPv6 addresses, depending on its support 2310 for IPv4 and IPv6." 
2312 OBJECT natAddrMapLocalAddrFrom 2313 SYNTAX InetAddress (SIZE(4|16)) 2314 DESCRIPTION 2315 "An implementation is required to support global IPv4 2316 and/or IPv6 addresses, depending on its support 2317 for IPv4 and IPv6." 2319 OBJECT natAddrMapLocalAddrTo 2320 SYNTAX InetAddress (SIZE(4|16)) 2321 DESCRIPTION 2322 "An implementation is required to support global IPv4 2323 and/or IPv6 addresses, depending on its support 2324 for IPv4 and IPv6." 2326 OBJECT natAddrMapGlobalAddrType 2327 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2328 DESCRIPTION 2329 "An implementation is required to support global IPv4 2330 and/or IPv6 addresses, depending on its support 2331 for IPv4 and IPv6." 2333 OBJECT natAddrMapGlobalAddrFrom 2334 SYNTAX InetAddress (SIZE(4|16)) 2335 DESCRIPTION 2336 "An implementation is required to support global IPv4 2337 and/or IPv6 addresses, depending on its support 2338 for IPv4 and IPv6." 2340 OBJECT natAddrMapGlobalAddrTo 2341 SYNTAX InetAddress (SIZE(4|16)) 2342 DESCRIPTION 2343 "An implementation is required to support global IPv4 2344 and/or IPv6 addresses, depending on its support 2345 for IPv4 and IPv6." 2347 OBJECT natAddrBindGlobalAddrType 2348 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2349 DESCRIPTION 2350 "An implementation is required to support global IPv4 2351 and/or IPv6 addresses, depending on its support 2352 for IPv4 and IPv6." 2354 OBJECT natAddrBindGlobalAddr 2355 SYNTAX InetAddress (SIZE(4|16)) 2356 DESCRIPTION 2357 "An implementation is required to support global IPv4 2358 and/or IPv6 addresses, depending on its support 2359 for IPv4 and IPv6." 2361 OBJECT natAddrPortBindGlobalAddrType 2362 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2363 DESCRIPTION 2364 "An implementation is required to support global IPv4 2365 and/or IPv6 addresses, depending on its support 2366 for IPv4 and IPv6." 
2368 OBJECT natAddrPortBindGlobalAddr 2369 SYNTAX InetAddress (SIZE(4|16)) 2370 DESCRIPTION 2371 "An implementation is required to support global IPv4 2372 and/or IPv6 addresses, depending on its support 2373 for IPv4 and IPv6." 2375 OBJECT natSessionPrivateAddrType 2376 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2377 DESCRIPTION 2378 "An implementation is required to support global IPv4 2379 and/or IPv6 addresses, depending on its support 2380 for IPv4 and IPv6." 2382 OBJECT natSessionPrivateSrcAddr 2383 SYNTAX InetAddress (SIZE(4|16)) 2384 DESCRIPTION 2385 "An implementation is required to support global IPv4 2386 and/or IPv6 addresses, depending on its support 2387 for IPv4 and IPv6." 2389 OBJECT natSessionPrivateDstAddr 2390 SYNTAX InetAddress (SIZE(4|16)) 2391 DESCRIPTION 2392 "An implementation is required to support global IPv4 2393 and/or IPv6 addresses, depending on its support 2394 for IPv4 and IPv6." 2396 OBJECT natSessionPublicAddrType 2397 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2398 DESCRIPTION 2399 "An implementation is required to support global IPv4 2400 and/or IPv6 addresses, depending on its support 2401 for IPv4 and IPv6." 2403 OBJECT natSessionPublicSrcAddr 2404 SYNTAX InetAddress (SIZE(4|16)) 2405 DESCRIPTION 2406 "An implementation is required to support global IPv4 2407 and/or IPv6 addresses, depending on its support 2408 for IPv4 and IPv6." 2410 OBJECT natSessionPublicDstAddr 2411 SYNTAX InetAddress (SIZE(4|16)) 2412 DESCRIPTION 2413 "An implementation is required to support global IPv4 2414 and/or IPv6 addresses, depending on its support 2415 for IPv4 and IPv6." 2417 ::= { natMIBCompliances 1 } 2419 natMIBReadOnlyCompliance MODULE-COMPLIANCE 2420 STATUS deprecated 2421 DESCRIPTION 2422 "When this MIB is implemented without support for 2423 read-create (i.e., in read-only mode), then such an 2424 implementation can claim read-only compliance. 2425 Such a device can then be monitored but cannot be 2426 configured with this MIB. 
2428 The following index objects cannot be added as OBJECT 2429 clauses but nevertheless have the compliance 2430 requirements: 2431 " 2432 -- OBJECT natAddrBindLocalAddrType 2433 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2434 -- DESCRIPTION 2435 -- "An implementation is required to support 2436 -- global IPv4 and/or IPv6 addresses, depending 2437 -- on its support for IPv4 and IPv6." 2439 -- OBJECT natAddrBindLocalAddr 2440 -- SYNTAX InetAddress (SIZE(4|16)) 2442 -- DESCRIPTION 2443 -- "An implementation is required to support 2444 -- global IPv4 and/or IPv6 addresses, depending 2445 -- on its support for IPv4 and IPv6." 2447 -- OBJECT natAddrPortBindLocalAddrType 2448 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2449 -- DESCRIPTION 2450 -- "An implementation is required to support 2451 -- global IPv4 and/or IPv6 addresses, depending 2452 -- on its support for IPv4 and IPv6." 2453 -- OBJECT natAddrPortBindLocalAddr 2454 -- SYNTAX InetAddress (SIZE(4|16)) 2455 -- DESCRIPTION 2456 -- "An implementation is required to support 2457 -- global IPv4 and/or IPv6 addresses, depending 2458 -- on its support for IPv4 and IPv6." 2460 MODULE IF-MIB -- The interfaces MIB, RFC2863 2461 MANDATORY-GROUPS { 2462 ifCounterDiscontinuityGroup 2463 } 2465 MODULE -- this module 2466 MANDATORY-GROUPS { natConfigGroup, natTranslationGroup, 2467 natStatsInterfaceGroup } 2469 GROUP natStatsProtocolGroup 2470 DESCRIPTION 2471 "This group is optional." 2472 GROUP natStatsAddrMapGroup 2473 DESCRIPTION 2474 "This group is optional." 2475 GROUP natMIBNotificationGroup 2476 DESCRIPTION 2477 "This group is optional." 2478 OBJECT natInterfaceRowStatus 2479 SYNTAX RowStatus { active(1) } 2480 MIN-ACCESS read-only 2481 DESCRIPTION 2482 "Write access is not required, and active is the only 2483 status that needs to be supported." 2485 OBJECT natAddrMapLocalAddrType 2486 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2487 MIN-ACCESS read-only 2488 DESCRIPTION 2489 "Write access is not required. 
An implementation is 2490 required to support global IPv4 and/or IPv6 addresses, 2491 depending on its support for IPv4 and IPv6." 2493 OBJECT natAddrMapLocalAddrFrom 2494 SYNTAX InetAddress (SIZE(4|16)) 2495 MIN-ACCESS read-only 2496 DESCRIPTION 2497 "Write access is not required. An implementation is 2498 required to support global IPv4 and/or IPv6 addresses, 2499 depending on its support for IPv4 and IPv6." 2501 OBJECT natAddrMapLocalAddrTo 2502 SYNTAX InetAddress (SIZE(4|16)) 2503 MIN-ACCESS read-only 2504 DESCRIPTION 2505 "Write access is not required. An implementation is 2506 required to support global IPv4 and/or IPv6 addresses, 2507 depending on its support for IPv4 and IPv6." 2509 OBJECT natAddrMapGlobalAddrType 2510 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2511 MIN-ACCESS read-only 2512 DESCRIPTION 2513 "Write access is not required. An implementation is 2514 required to support global IPv4 and/or IPv6 addresses, 2515 depending on its support for IPv4 and IPv6." 2517 OBJECT natAddrMapGlobalAddrFrom 2518 SYNTAX InetAddress (SIZE(4|16)) 2519 MIN-ACCESS read-only 2520 DESCRIPTION 2521 "Write access is not required. An implementation is 2522 required to support global IPv4 and/or IPv6 addresses, 2523 depending on its support for IPv4 and IPv6." 2525 OBJECT natAddrMapGlobalAddrTo 2526 SYNTAX InetAddress (SIZE(4|16)) 2527 MIN-ACCESS read-only 2528 DESCRIPTION 2529 "Write access is not required. An implementation is 2530 required to support global IPv4 and/or IPv6 addresses, 2531 depending on its support for IPv4 and IPv6." 2533 OBJECT natAddrMapRowStatus 2534 SYNTAX RowStatus { active(1) } 2535 MIN-ACCESS read-only 2536 DESCRIPTION 2537 "Write access is not required, and active is the only 2538 status that needs to be supported." 
2540 OBJECT natAddrBindGlobalAddrType 2541 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2542 DESCRIPTION 2543 "An implementation is required to support global IPv4 2544 and/or IPv6 addresses, depending on its support for 2545 IPv4 and IPv6." 2547 OBJECT natAddrBindGlobalAddr 2548 SYNTAX InetAddress (SIZE(4|16)) 2549 DESCRIPTION 2550 "An implementation is required to support global IPv4 2551 and/or IPv6 addresses, depending on its support for 2552 IPv4 and IPv6." 2554 OBJECT natAddrPortBindGlobalAddrType 2555 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2556 DESCRIPTION 2557 "An implementation is required to support global IPv4 2558 and/or IPv6 addresses, depending on its support for 2559 IPv4 and IPv6." 2561 OBJECT natAddrPortBindGlobalAddr 2562 SYNTAX InetAddress (SIZE(4|16)) 2563 DESCRIPTION 2564 "An implementation is required to support global IPv4 2565 and/or IPv6 addresses, depending on its support for 2566 IPv4 and IPv6." 2568 OBJECT natSessionPrivateAddrType 2569 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2570 DESCRIPTION 2571 "An implementation is required to support global IPv4 2572 and/or IPv6 addresses, depending on its support for 2573 IPv4 and IPv6." 2575 OBJECT natSessionPrivateSrcAddr 2576 SYNTAX InetAddress (SIZE(4|16)) 2577 DESCRIPTION 2578 "An implementation is required to support global IPv4 2579 and/or IPv6 addresses, depending on its support for 2580 IPv4 and IPv6." 2582 OBJECT natSessionPrivateDstAddr 2583 SYNTAX InetAddress (SIZE(4|16)) 2584 DESCRIPTION 2585 "An implementation is required to support global IPv4 2586 and/or IPv6 addresses, depending on its support for 2587 IPv4 and IPv6." 2589 OBJECT natSessionPublicAddrType 2590 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2591 DESCRIPTION 2592 "An implementation is required to support global IPv4 2593 and/or IPv6 addresses, depending on its support for 2594 IPv4 and IPv6." 
2596 OBJECT natSessionPublicSrcAddr 2597 SYNTAX InetAddress (SIZE(4|16)) 2598 DESCRIPTION 2599 "An implementation is required to support global IPv4 2600 and/or IPv6 addresses, depending on its support for 2601 IPv4 and IPv6." 2603 OBJECT natSessionPublicDstAddr 2604 SYNTAX InetAddress (SIZE(4|16)) 2605 DESCRIPTION 2606 "An implementation is required to support global IPv4 2607 and/or IPv6 addresses, depending on its support for 2608 IPv4 and IPv6." 2610 ::= { natMIBCompliances 2 } 2612 --=================================================================== 2613 -- END OF DEPRECATED OBJECTS. CURRENT OBJECTS FOLLOW. 2615 -- textual conventions 2617 ProtocolNumber ::= TEXTUAL-CONVENTION 2618 DISPLAY-HINT "d" 2619 STATUS current 2620 DESCRIPTION 2621 "A transport protocol number, from the 'protocol-numbers' 2622 IANA registry." 2623 SYNTAX Unsigned32 (0..255) 2625 NatPoolId ::= TEXTUAL-CONVENTION 2626 DISPLAY-HINT "d" 2627 STATUS current 2628 DESCRIPTION 2629 "A unique ID that is assigned to each pool." 2630 SYNTAX Unsigned32 (1..4294967295) 2632 NatBehaviorType ::= TEXTUAL-CONVENTION 2633 STATUS current 2634 DESCRIPTION 2635 "Behavior type as described in [RFC4787] sections 4.1 and 5." 2636 SYNTAX INTEGER { 2637 endpointIndependent (0), 2638 addressDependent (1), 2639 addressAndPortDependent (2) 2640 } 2642 NatPoolingType ::= TEXTUAL-CONVENTION 2643 STATUS current 2644 DESCRIPTION 2645 "Pooling type as described in [RFC4787] section 4.1." 2646 SYNTAX INTEGER { 2647 arbitrary (0), 2648 paired (1) 2649 } 2651 VlanIndexOrZero ::= TEXTUAL-CONVENTION 2652 DISPLAY-HINT "d" 2653 STATUS current 2654 DESCRIPTION 2655 "A value used to index per-VLAN tables: a value of 4095 is 2656 not permitted. A value of 0 indicates no index is present. 2657 If the value is between 1 and 4094 inclusive, it represents 2658 an IEEE 802.1Q VLAN-ID with global scope within a given 2659 bridged domain (see VlanId textual convention in 2660 [RFC4363]).
If the value is greater than 4095, then it 2661 represents a VLAN with scope local to the particular agent, 2662 i.e., one without a global VLAN-ID assigned to it. Such 2663 VLANs are outside the scope of IEEE 802.1Q, but it is 2664 convenient to be able to manage them in the same way using 2665 this MIB." 2666 SYNTAX Unsigned32 2668 SubscriberIndex ::= TEXTUAL-CONVENTION 2669 DISPLAY-HINT "d" 2670 STATUS current 2671 DESCRIPTION 2672 "A unique ID that is assigned to each subscriber." 2673 SYNTAX Unsigned32 (1..4294967295) 2675 SubscriberIdentifierType ::= TEXTUAL-CONVENTION 2676 STATUS current 2677 DESCRIPTION 2678 "Type of additional classifying information used by the NAT 2679 to identify the subscriber from an incoming packet, when 2680 the packet source address is not sufficient to do so 2681 unambiguously. 2683 null(0) 2685 No additional information is needed. 2687 interfaces(1) 2689 A set of one or more ingress interface indexes specified 2690 by the [RFC2863] InterfaceIndex textual convention. 2692 vlan(2) 2694 An ingress VLAN index using the VlanIndexOrZero textual 2695 convention, which is the [RFC4363] VlanIndex textual 2696 convention modified for local use in this MIB. 2698 vpn(3) 2700 An ingress layer 3 VPN identifier using the [RFC4265] 2701 VPNIdOrZero textual convention. 2703 ipencaps(4) 2705 Incoming source address of an encapsulating IPv4 or IPv6 2706 tunnel (e.g., IPv6 as used in DS-Lite, [RFC6333]) as 2707 defined by the InetAddressType and InetAddress textual 2708 conventions. 2710 other(5) 2712 The implementation supports other classifiers and/or 2713 combinations of classifier types. In the latter case the 2714 implementation MUST specify the semantics of the 2715 combination ('OR' or 'AND')." 
2717 SYNTAX INTEGER { 2718 null(0), 2719 interfaces(1), 2720 vlan(2), 2721 vpn(3), 2722 ipencaps(4), 2723 other(5) 2725 } 2727 SubsInterfaceIdRowIndex ::= TEXTUAL-CONVENTION 2728 DISPLAY-HINT "d" 2729 STATUS current 2730 DESCRIPTION 2731 "A unique ID that is assigned to each row in the 2732 natSubsInterfaceIdentifierTable." 2733 SYNTAX Unsigned32 (1..4294967295) 2735 -- notifications 2737 natNotifPoolWatermarkLow NOTIFICATION-TYPE 2738 OBJECTS { natPoolWatermarkLow } 2739 STATUS current 2740 DESCRIPTION 2741 "This notification is generated when a pool's usage 2742 percentage becomes lower than or equal to the specified 2743 threshold. The threshold is specified by the 2744 natPoolWatermarkLow object." 2745 ::= { natMIBNotifications 2 } 2747 natNotifPoolWatermarkHigh NOTIFICATION-TYPE 2748 OBJECTS { natPoolWatermarkHigh } 2749 STATUS current 2750 DESCRIPTION 2751 "This notification is generated when a pool's usage 2752 percentage becomes greater than or equal to the specified 2753 threshold. The threshold is specified by the 2754 natPoolWatermarkHigh object." 2755 ::= { natMIBNotifications 3 } 2757 natNotifMappings NOTIFICATION-TYPE 2758 OBJECTS { natMappingCreations, natMappingRemovals } 2759 STATUS current 2760 DESCRIPTION 2761 "This notification is generated when the number of active 2762 mappings exceeds the value of natMappingsNotifyThreshold." 2763 ::= { natMIBNotifications 4 } 2765 natNotifAddrMappings NOTIFICATION-TYPE 2766 OBJECTS { natAddressMappingCreations, natAddressMappingRemovals } 2767 STATUS current 2768 DESCRIPTION 2769 "This notification is generated when the number of active 2770 address mappings exceeds the value of 2771 natAddrMapNotifyThreshold."
2773 ::= { natMIBNotifications 5 } 2775 natNotifSubscriberMappings NOTIFICATION-TYPE 2776 OBJECTS { natSubscriberMappingCreations, 2777 natSubscriberMappingRemovals } 2778 STATUS current 2779 DESCRIPTION 2780 "This notification is generated when the number of active 2781 mappings exceeds the value of natSubscriberMapNotifyThresh, 2782 unless natSubscriberMapNotifyThresh is zero." 2783 ::= { natMIBNotifications 6 } 2785 -- instance table 2787 natInstanceTable OBJECT-TYPE 2788 SYNTAX SEQUENCE OF NatInstanceEntry 2789 MAX-ACCESS not-accessible 2790 STATUS current 2791 DESCRIPTION 2792 "Table of NAT instances." 2793 ::= { natMIBObjects 11 } 2795 natInstanceEntry OBJECT-TYPE 2796 SYNTAX NatInstanceEntry 2797 MAX-ACCESS not-accessible 2798 STATUS current 2799 DESCRIPTION 2800 "Objects related to a single NAT instance." 2801 INDEX { natInstanceIndex } 2802 ::= { natInstanceTable 1 } 2804 NatInstanceEntry ::= 2805 SEQUENCE { 2806 natInstanceIndex Unsigned32, 2807 natInstanceAlias DisplayString 2808 } 2810 natInstanceIndex OBJECT-TYPE 2811 SYNTAX Unsigned32 2812 MAX-ACCESS not-accessible 2813 STATUS current 2814 DESCRIPTION 2815 "NAT instance index. Semantics of this number are 2816 implementation-specific. This object is used as an index for 2817 many tables defined below." 2818 ::= { natInstanceEntry 1 } 2820 natInstanceAlias OBJECT-TYPE 2821 SYNTAX DisplayString (SIZE (0..64)) 2822 MAX-ACCESS read-write 2823 STATUS current 2824 DESCRIPTION 2825 "This object is an 'alias' name for the NAT instance as 2826 specified by a network manager, and provides a non-volatile 2827 'handle' for the instance. 2829 On the first instantiation of a NAT instance, the value of 2830 natInstanceAlias associated with that instance is the 2831 zero-length string.
As and when a value is written into an 2832 instance of natInstanceAlias through a network management 2833 set operation, then the agent must retain the supplied value 2834 in this object instance associated with the same interface 2835 for as long as that NAT instance remains instantiated, 2836 including across all re-initializations/reboots of the 2837 network management system, including those which result in a 2838 change of the interface's natInstanceIndex value. 2840 An example of the value which a network manager might store 2841 in this object for a NAT instance is the name/identifier of 2842 the interface that brings in internal traffic for this NAT 2843 instance or the name of the VRF for internal traffic. 2845 An agent may choose to provide read-only access if the agent 2846 itself assigns an identifier for the NAT instance. An agent 2847 which supports write access to this object is required to 2848 keep the value in non-volatile storage, but it may limit the 2849 length of new values depending on how much storage is 2850 already occupied by the current values for other 2851 NAT instances." 2852 ::= { natInstanceEntry 2 } 2854 -- counters 2856 natCounters OBJECT IDENTIFIER ::= { natMIBObjects 12 } 2858 natCountersTable OBJECT-TYPE 2859 SYNTAX SEQUENCE OF NatCountersEntry 2860 MAX-ACCESS not-accessible 2861 STATUS current 2862 DESCRIPTION 2863 "Table of counters of a NAT instance. The counters are global 2864 across L4 protocols." 2865 ::= { natCounters 1 } 2867 natCountersEntry OBJECT-TYPE 2868 SYNTAX NatCountersEntry 2869 MAX-ACCESS not-accessible 2870 STATUS current 2871 DESCRIPTION 2872 "Counters related to a single NAT instance."
2873 INDEX { natInstanceIndex } 2874 ::= { natCountersTable 1 } 2876 NatCountersEntry ::= 2877 SEQUENCE { 2878 natTranslations Counter64, 2879 natOutOfPortErrors Counter64, 2880 natResourceErrors Counter64, 2881 natQuotaDrops Counter64, 2882 natMappingCreations Counter64, 2883 natMappingRemovals Counter64, 2884 natAddressMappingCreations Counter64, 2885 natAddressMappingRemovals Counter64 2886 } 2888 natTranslations OBJECT-TYPE 2889 SYNTAX Counter64 2890 MAX-ACCESS read-only 2891 STATUS current 2892 DESCRIPTION 2893 "The number of packets translated." 2894 ::= { natCountersEntry 1 } 2896 natOutOfPortErrors OBJECT-TYPE 2897 SYNTAX Counter64 2898 MAX-ACCESS read-only 2899 STATUS current 2900 DESCRIPTION 2901 "The number of packets not translated because no external 2902 port was available, excluding quota limitations." 2903 ::= { natCountersEntry 2 } 2905 natResourceErrors OBJECT-TYPE 2906 SYNTAX Counter64 2907 MAX-ACCESS read-only 2908 STATUS current 2909 DESCRIPTION 2910 "The number of packets not translated because of resource 2911 constraints (excluding out-of-ports error and quota drops)." 2912 ::= { natCountersEntry 3 } 2914 natQuotaDrops OBJECT-TYPE 2915 SYNTAX Counter64 2916 MAX-ACCESS read-only 2917 STATUS current 2918 DESCRIPTION 2919 "The number of incoming packets not translated because of 2920 quota limitations. Quotas include absolute limits as well 2921 as limits on rate of allocation." 2922 ::= { natCountersEntry 4 } 2924 natMappingCreations OBJECT-TYPE 2925 SYNTAX Counter64 2926 MAX-ACCESS read-only 2927 STATUS current 2928 DESCRIPTION 2929 "Number of mapping creations. This includes static mappings." 2930 ::= { natCountersEntry 5 } 2932 natMappingRemovals OBJECT-TYPE 2933 SYNTAX Counter64 2934 MAX-ACCESS read-only 2935 STATUS current 2936 DESCRIPTION 2937 "Number of mapping removals. This includes static mappings." 
2938 ::= { natCountersEntry 6 } 2940 natAddressMappingCreations OBJECT-TYPE 2941 SYNTAX Counter64 2942 MAX-ACCESS read-only 2943 STATUS current 2944 DESCRIPTION 2945 "Number of address mapping creations. This includes static 2946 mappings." 2947 ::= { natCountersEntry 7 } 2949 natAddressMappingRemovals OBJECT-TYPE 2950 SYNTAX Counter64 2951 MAX-ACCESS read-only 2952 STATUS current 2953 DESCRIPTION 2954 "Number of address mapping removals. This includes static 2955 mappings. 2957 The number of active mappings is equal to 2958 natAddressMappingCreations - natAddressMappingRemovals." 2959 ::= { natCountersEntry 8 } 2961 natL4ProtocolTable OBJECT-TYPE 2962 SYNTAX SEQUENCE OF NatL4ProtocolEntry 2963 MAX-ACCESS not-accessible 2964 STATUS current 2965 DESCRIPTION 2966 "Table of protocols with per-protocol counters." 2967 ::= { natCounters 2 } 2969 natL4ProtocolEntry OBJECT-TYPE 2970 SYNTAX NatL4ProtocolEntry 2971 MAX-ACCESS not-accessible 2972 STATUS current 2973 DESCRIPTION 2974 "Per-protocol counters." 2975 INDEX { natInstanceIndex, natL4ProtocolNumber } 2976 ::= { natL4ProtocolTable 1 } 2978 NatL4ProtocolEntry ::= 2979 SEQUENCE { 2980 natL4ProtocolNumber ProtocolNumber, 2981 natL4ProtocolTranslations Counter64, 2982 natL4ProtocolOutOfPortErrors Counter64, 2983 natL4ProtocolResourceErrors Counter64, 2984 natL4ProtocolQuotaDrops Counter64, 2985 natL4ProtocolMappingCreations Counter64, 2986 natL4ProtocolMappingRemovals Counter64 2987 } 2989 natL4ProtocolNumber OBJECT-TYPE 2990 SYNTAX ProtocolNumber 2991 MAX-ACCESS not-accessible 2992 STATUS current 2993 DESCRIPTION 2994 "Counters in this conceptual row apply to packets using the 2995 transport protocol identified by this object's value." 2996 ::= { natL4ProtocolEntry 1 } 2998 natL4ProtocolTranslations OBJECT-TYPE 2999 SYNTAX Counter64 3000 MAX-ACCESS read-only 3001 STATUS current 3002 DESCRIPTION 3003 "The number of packets translated." 
3004 ::= { natL4ProtocolEntry 2 } 3006 natL4ProtocolOutOfPortErrors OBJECT-TYPE 3007 SYNTAX Counter64 3008 MAX-ACCESS read-only 3009 STATUS current 3010 DESCRIPTION 3011 "The number of packets not translated because no external 3012 port was available." 3013 ::= { natL4ProtocolEntry 3 } 3015 natL4ProtocolResourceErrors OBJECT-TYPE 3016 SYNTAX Counter64 3017 MAX-ACCESS read-only 3018 STATUS current 3019 DESCRIPTION 3020 "The number of packets not translated because of resource 3021 constraints (excluding out-of-ports errors and quota 3022 drops)." 3023 ::= { natL4ProtocolEntry 4 } 3025 natL4ProtocolQuotaDrops OBJECT-TYPE 3026 SYNTAX Counter64 3027 MAX-ACCESS read-only 3028 STATUS current 3029 DESCRIPTION 3030 "The number of incoming packets not translated because of 3031 exceeded quotas. Quotas include absolute limits as well as 3032 limits on rate of allocation." 3033 ::= { natL4ProtocolEntry 5 } 3035 natL4ProtocolMappingCreations OBJECT-TYPE 3036 SYNTAX Counter64 3037 MAX-ACCESS read-only 3038 STATUS current 3039 DESCRIPTION 3040 "Number of mapping creations. This includes static mappings." 3041 ::= { natL4ProtocolEntry 6 } 3043 natL4ProtocolMappingRemovals OBJECT-TYPE 3044 SYNTAX Counter64 3045 MAX-ACCESS read-only 3046 STATUS current 3047 DESCRIPTION 3048 "Number of mapping removals. This includes static mappings. 3050 The number of active mappings is equal to 3051 natL4ProtocolMappingCreations - 3052 natL4ProtocolMappingRemovals." 3053 ::= { natL4ProtocolEntry 7 } 3055 -- limits 3057 natLimitsTable OBJECT-TYPE 3058 SYNTAX SEQUENCE OF NatLimitsEntry 3059 MAX-ACCESS not-accessible 3060 STATUS current 3061 DESCRIPTION 3062 "Table of limits for a NAT instance." 3063 ::= { natMIBObjects 13 } 3065 natLimitsEntry OBJECT-TYPE 3066 SYNTAX NatLimitsEntry 3067 MAX-ACCESS not-accessible 3068 STATUS current 3069 DESCRIPTION 3070 "Limit related to a single NAT instance." 
3071 INDEX { natInstanceIndex } 3072 ::= { natLimitsTable 1 } 3074 NatLimitsEntry ::= 3075 SEQUENCE { 3076 natLimitMappings Unsigned32, 3077 natMappingsNotifyThreshold Unsigned32, 3078 natLimitAddressMappings Unsigned32, 3079 natAddrMapNotifyThreshold Unsigned32, 3080 natLimitFragments Unsigned32, 3081 natLimitSubscribers Unsigned32 3082 } 3084 natLimitMappings OBJECT-TYPE 3085 SYNTAX Unsigned32 3086 MAX-ACCESS read-write 3087 STATUS current 3088 DESCRIPTION 3089 "Global limit on the total number of mappings. Zero means 3090 unlimited." 3091 ::= { natLimitsEntry 1 } 3093 natMappingsNotifyThreshold OBJECT-TYPE 3094 SYNTAX Unsigned32 3095 MAX-ACCESS read-write 3096 STATUS current 3097 DESCRIPTION 3098 "See natNotifMappings." 3099 ::= { natLimitsEntry 2 } 3101 natLimitAddressMappings OBJECT-TYPE 3102 SYNTAX Unsigned32 3103 MAX-ACCESS read-write 3104 STATUS current 3105 DESCRIPTION 3106 "Global limit on the total number of internal-to-external 3107 address mappings. Zero means unlimited. 3109 This limit is only applicable to NATs that have an 'IP 3110 address pooling' behavior of 'Paired' [RFC4787]." 3111 ::= { natLimitsEntry 3 } 3113 natAddrMapNotifyThreshold OBJECT-TYPE 3114 SYNTAX Unsigned32 3115 MAX-ACCESS read-write 3116 STATUS current 3117 DESCRIPTION 3118 "See natNotifAddrMappings." 3119 ::= { natLimitsEntry 4 } 3121 natLimitFragments OBJECT-TYPE 3122 SYNTAX Unsigned32 3123 MAX-ACCESS read-write 3124 STATUS current 3125 DESCRIPTION 3126 "Global limit on the total number of fragments pending 3127 reassembly. Zero means unlimited. 3129 This limit is only applicable to NATs having 'Receive 3130 Fragments Out of Order' behavior [RFC4787]." 3131 ::= { natLimitsEntry 5 } 3133 natLimitSubscribers OBJECT-TYPE 3134 SYNTAX Unsigned32 3135 MAX-ACCESS read-write 3136 STATUS current 3137 DESCRIPTION 3138 "Global limit on the number of subscribers with active 3139 mappings. Zero means unlimited." 
3140 ::= { natLimitsEntry 6 } 3142 -- pools 3144 natPoolObjects OBJECT IDENTIFIER ::= { natMIBObjects 14 } 3146 natPoolTable OBJECT-TYPE 3147 SYNTAX SEQUENCE OF NatPoolEntry 3148 MAX-ACCESS not-accessible 3149 STATUS current 3150 DESCRIPTION 3151 "Table of pools." 3152 ::= { natPoolObjects 1 } 3154 natPoolEntry OBJECT-TYPE 3155 SYNTAX NatPoolEntry 3156 MAX-ACCESS not-accessible 3157 STATUS current 3158 DESCRIPTION 3159 "Entry in the table of pools." 3160 INDEX { natInstanceIndex, natPoolIndex } 3161 ::= { natPoolTable 1 } 3163 NatPoolEntry ::= 3164 SEQUENCE { 3165 natPoolIndex NatPoolId, 3166 natPoolRealm SnmpAdminString, 3167 natPoolWatermarkLow Integer32, 3168 natPoolWatermarkHigh Integer32, 3169 natPoolPortMin InetPortNumber, 3170 natPoolPortMax InetPortNumber 3171 } 3173 natPoolIndex OBJECT-TYPE 3174 SYNTAX NatPoolId 3175 MAX-ACCESS not-accessible 3176 STATUS current 3177 DESCRIPTION 3178 "Index of an address pool." 3179 ::= { natPoolEntry 1 } 3181 natPoolRealm OBJECT-TYPE 3182 SYNTAX SnmpAdminString (SIZE (0..32)) 3183 MAX-ACCESS read-only 3184 STATUS current 3185 DESCRIPTION 3186 "Realm to which this pool's addresses belong." 3187 ::= { natPoolEntry 2 } 3189 natPoolWatermarkLow OBJECT-TYPE 3190 SYNTAX Integer32 (-1|0..100) 3191 MAX-ACCESS read-create 3192 STATUS current 3193 DESCRIPTION 3194 "Low watermark on a pool's usage, in percentage of the total 3195 number of ports available. If set to -1, the watermark is 3196 disabled. Otherwise when the usage percentage becomes lower 3197 than or equal to natPoolWatermarkLow, a notification is 3198 sent. The NAT may also start behaving in low usage mode 3199 (this is implementation-defined). 
3201 The pool's current usage percentage can be computed by 3202 summing (natPoolRangeAllocations - 3203 natPoolRangeDeallocations) over all address ranges 3204 belonging to this pool, then dividing by the total number of 3205 IP addresses in this pool and by the size of the port range 3206 in this pool (natPoolPortMax - natPoolPortMin + 1)." 3207 ::= { natPoolEntry 3 } 3209 natPoolWatermarkHigh OBJECT-TYPE 3210 SYNTAX Integer32 (-1|0..100) 3211 MAX-ACCESS read-create 3212 STATUS current 3213 DESCRIPTION 3214 "High watermark on a pool's usage, in percentage of the total 3215 number of ports available. If set to -1, the watermark is 3216 disabled. Otherwise, when the usage percentage becomes 3217 higher than or equal to natPoolWatermarkHigh, a notification 3218 is sent. The NAT may also start behaving in high usage mode 3219 (this is implementation-defined)." 3220 ::= { natPoolEntry 4 } 3222 natPoolPortMin OBJECT-TYPE 3223 SYNTAX InetPortNumber 3224 MAX-ACCESS read-create 3225 STATUS current 3226 DESCRIPTION 3227 "Minimal port number to be allocated in this pool." 3228 ::= { natPoolEntry 5 } 3230 natPoolPortMax OBJECT-TYPE 3231 SYNTAX InetPortNumber 3232 MAX-ACCESS read-create 3233 STATUS current 3234 DESCRIPTION 3235 "Maximal port number to be allocated in this pool." 3236 ::= { natPoolEntry 6 } 3238 natPoolRangeTable OBJECT-TYPE 3239 SYNTAX SEQUENCE OF NatPoolRangeEntry 3240 MAX-ACCESS not-accessible 3241 STATUS current 3242 DESCRIPTION 3243 "This table contains address ranges used by pool entries." 3244 ::= { natPoolObjects 2 } 3246 natPoolRangeEntry OBJECT-TYPE 3247 SYNTAX NatPoolRangeEntry 3248 MAX-ACCESS not-accessible 3249 STATUS current 3250 DESCRIPTION 3251 "NAT pool address range." 
3252 INDEX { natInstanceIndex, natPoolRangePoolIndex } 3253 ::= { natPoolRangeTable 1 } 3255 NatPoolRangeEntry ::= 3256 SEQUENCE { 3257 natPoolRangePoolIndex NatPoolId, 3258 natPoolRangeType InetAddressType, 3259 natPoolRangeBegin InetAddress, 3260 natPoolRangeEnd InetAddress, 3261 natPoolRangeAllocations Counter64, 3262 natPoolRangeDeallocations Counter64 3263 } 3265 natPoolRangePoolIndex OBJECT-TYPE 3266 SYNTAX NatPoolId 3267 MAX-ACCESS not-accessible 3268 STATUS current 3269 DESCRIPTION 3270 "Index of the address pool to which this address range 3271 belongs. See natPoolIndex." 3272 ::= { natPoolRangeEntry 1 } 3274 natPoolRangeType OBJECT-TYPE 3275 SYNTAX InetAddressType 3276 MAX-ACCESS read-only 3277 STATUS current 3278 DESCRIPTION 3279 "The address type of natPoolRangeBegin and 3280 natPoolRangeEnd." 3281 ::= { natPoolRangeEntry 2 } 3283 natPoolRangeBegin OBJECT-TYPE 3284 SYNTAX InetAddress 3285 MAX-ACCESS read-only 3286 STATUS current 3287 DESCRIPTION 3288 "Lowest address included in this range." 3289 ::= { natPoolRangeEntry 3 } 3291 natPoolRangeEnd OBJECT-TYPE 3292 SYNTAX InetAddress 3293 MAX-ACCESS read-only 3294 STATUS current 3295 DESCRIPTION 3296 "Highest address included in this range." 3298 ::= { natPoolRangeEntry 4 } 3300 natPoolRangeAllocations OBJECT-TYPE 3301 SYNTAX Counter64 3302 MAX-ACCESS read-only 3303 STATUS current 3304 DESCRIPTION 3305 "Number of ports that have been allocated on the addresses in 3306 this range." 3307 ::= { natPoolRangeEntry 5 } 3309 natPoolRangeDeallocations OBJECT-TYPE 3310 SYNTAX Counter64 3311 MAX-ACCESS read-only 3312 STATUS current 3313 DESCRIPTION 3314 "Number of ports that have been allocated and then 3315 deallocated on the addresses in this range. 3317 The number of ports currently allocated on the addresses in 3318 this range can be computed by subtracting 3319 natPoolRangeDeallocations from natPoolRangeAllocations." 
3320 ::= { natPoolRangeEntry 6 } 3322 -- indexed mapping tables 3324 natMapObjects OBJECT IDENTIFIER ::= { natMIBObjects 15 } 3326 natMapIntAddrTable OBJECT-TYPE 3327 SYNTAX SEQUENCE OF NatMapIntAddrEntry 3328 MAX-ACCESS not-accessible 3329 STATUS current 3330 DESCRIPTION 3331 "Table of mappings from internal to external address. 3333 This table is only applicable to NATs that have an 'IP 3334 address pooling' behavior of 'Paired' [RFC4787]." 3335 ::= { natMapObjects 1 } 3337 natMapIntAddrEntry OBJECT-TYPE 3338 SYNTAX NatMapIntAddrEntry 3339 MAX-ACCESS not-accessible 3340 STATUS current 3341 DESCRIPTION 3342 "Mapping from internal to external address." 3343 INDEX { natInstanceIndex, 3344 natMapIntAddrIntRealm, 3345 natMapIntAddrIntType, 3346 natMapIntAddrInt } 3347 ::= { natMapIntAddrTable 1 } 3349 NatMapIntAddrEntry ::= 3350 SEQUENCE { 3351 natMapIntAddrIntRealm SnmpAdminString, 3352 natMapIntAddrExtRealm SnmpAdminString, 3353 natMapIntAddrIntType InetAddressType, 3354 natMapIntAddrInt InetAddress, 3355 natMapIntAddrExtType InetAddressType, 3356 natMapIntAddrExt InetAddress, 3357 natMapIntAddrSubsIndex Unsigned32 3358 } 3360 natMapIntAddrIntRealm OBJECT-TYPE 3361 SYNTAX SnmpAdminString (SIZE(0..32)) 3362 MAX-ACCESS not-accessible 3363 STATUS current 3364 DESCRIPTION 3365 "Realm to which natMapIntAddrInt belongs." 3366 ::= { natMapIntAddrEntry 1 } 3368 natMapIntAddrExtRealm OBJECT-TYPE 3369 SYNTAX SnmpAdminString 3370 MAX-ACCESS read-only 3371 STATUS current 3372 DESCRIPTION 3373 "Realm to which natMapIntAddrExt belongs." 3374 ::= { natMapIntAddrEntry 2 } 3376 natMapIntAddrIntType OBJECT-TYPE 3377 SYNTAX InetAddressType 3378 MAX-ACCESS not-accessible 3379 STATUS current 3380 DESCRIPTION 3381 "Address type for natMapIntAddrInt." 3382 ::= { natMapIntAddrEntry 3 } 3384 natMapIntAddrInt OBJECT-TYPE 3385 SYNTAX InetAddress (SIZE (4|16)) 3386 MAX-ACCESS not-accessible 3387 STATUS current 3388 DESCRIPTION 3389 "Internal address." 
3390 ::= { natMapIntAddrEntry 4 } 3392 natMapIntAddrExtType OBJECT-TYPE 3393 SYNTAX InetAddressType 3394 MAX-ACCESS read-only 3395 STATUS current 3396 DESCRIPTION 3397 "Address type for natMapIntAddrExt." 3398 ::= { natMapIntAddrEntry 5 } 3400 natMapIntAddrExt OBJECT-TYPE 3401 SYNTAX InetAddress 3402 MAX-ACCESS read-only 3403 STATUS current 3404 DESCRIPTION 3405 "External address." 3406 ::= { natMapIntAddrEntry 6 } 3408 natMapIntAddrSubsIndex OBJECT-TYPE 3409 SYNTAX Unsigned32 (0|1..4294967295) 3410 MAX-ACCESS read-only 3411 STATUS current 3412 DESCRIPTION 3413 "Subscriber to which this address mapping applies, or zero if 3414 it applies to all subscribers." 3415 ::= { natMapIntAddrEntry 7 } 3417 natMappingTable OBJECT-TYPE 3418 SYNTAX SEQUENCE OF NatMappingEntry 3419 MAX-ACCESS not-accessible 3420 STATUS current 3421 DESCRIPTION 3422 "Table of mappings indexed by external 3-tuple." 3423 ::= { natMapObjects 2 } 3425 natMappingEntry OBJECT-TYPE 3426 SYNTAX NatMappingEntry 3427 MAX-ACCESS not-accessible 3428 STATUS current 3429 DESCRIPTION 3430 "A single NAT mapping." 
3431 INDEX { natInstanceIndex, 3432 natMappingProto, 3433 natMappingExtRealm, 3434 natMappingExtAddressType, 3435 natMappingExtAddress, 3436 natMappingExtPort } 3437 ::= { natMappingTable 1 } 3439 NatMappingEntry ::= 3440 SEQUENCE { 3441 natMappingProto ProtocolNumber, 3442 natMappingExtRealm SnmpAdminString, 3443 natMappingExtAddressType InetAddressType, 3444 natMappingExtAddress InetAddress, 3445 natMappingExtPort InetPortNumber, 3446 natMappingIntRealm SnmpAdminString, 3447 natMappingIntAddressType InetAddressType, 3448 natMappingIntAddress InetAddress, 3449 natMappingIntPort InetPortNumber, 3450 natMappingPool Unsigned32, 3451 natMappingMapBehavior NatBehaviorType, 3452 natMappingFilterBehavior NatBehaviorType, 3453 natMappingAddressPooling NatPoolingType, 3454 natMappingSubsIndex SubscriberIndex 3455 } 3457 natMappingProto OBJECT-TYPE 3458 SYNTAX ProtocolNumber 3459 MAX-ACCESS not-accessible 3460 STATUS current 3461 DESCRIPTION 3462 "The mapping's transport protocol number." 3463 ::= { natMappingEntry 1 } 3465 natMappingExtRealm OBJECT-TYPE 3466 SYNTAX SnmpAdminString (SIZE(0..32)) 3467 MAX-ACCESS not-accessible 3468 STATUS current 3469 DESCRIPTION 3470 "The realm to which natMappingExtAddress belongs." 3471 ::= { natMappingEntry 2 } 3473 natMappingExtAddressType OBJECT-TYPE 3474 SYNTAX InetAddressType 3475 MAX-ACCESS not-accessible 3476 STATUS current 3477 DESCRIPTION 3478 "Type of the mapping's external address." 3479 ::= { natMappingEntry 3 } 3481 natMappingExtAddress OBJECT-TYPE 3482 SYNTAX InetAddress (SIZE (4|16)) 3483 MAX-ACCESS not-accessible 3484 STATUS current 3485 DESCRIPTION 3486 "The mapping's external address. If this is the undefined 3487 address, all external addresses are mapped to the internal 3488 address." 3490 ::= { natMappingEntry 4 } 3492 natMappingExtPort OBJECT-TYPE 3493 SYNTAX InetPortNumber 3494 MAX-ACCESS not-accessible 3495 STATUS current 3496 DESCRIPTION 3497 "The mapping's external port number. 
If this is zero, all 3498 external ports are mapped to the internal port." 3499 ::= { natMappingEntry 5 } 3501 natMappingIntRealm OBJECT-TYPE 3502 SYNTAX SnmpAdminString 3503 MAX-ACCESS read-only 3504 STATUS current 3505 DESCRIPTION 3506 "The realm to which natMappingIntAddress belongs." 3507 ::= { natMappingEntry 6 } 3509 natMappingIntAddressType OBJECT-TYPE 3510 SYNTAX InetAddressType 3511 MAX-ACCESS read-only 3512 STATUS current 3513 DESCRIPTION 3514 "Type of the mapping's internal address." 3515 ::= { natMappingEntry 7 } 3517 natMappingIntAddress OBJECT-TYPE 3518 SYNTAX InetAddress 3519 MAX-ACCESS read-only 3520 STATUS current 3521 DESCRIPTION 3522 "The mapping's internal address. If this is the undefined 3523 address, addresses are not translated." 3524 ::= { natMappingEntry 8 } 3526 natMappingIntPort OBJECT-TYPE 3527 SYNTAX InetPortNumber 3528 MAX-ACCESS read-only 3529 STATUS current 3530 DESCRIPTION 3531 "The mapping's internal port number. If this is zero, ports 3532 are not translated." 3533 ::= { natMappingEntry 9 } 3535 natMappingPool OBJECT-TYPE 3536 SYNTAX Unsigned32 (0|1..4294967295) 3537 MAX-ACCESS read-only 3538 STATUS current 3539 DESCRIPTION 3540 "Index of the pool that contains this mapping's external 3541 address and port. If zero, no pool is associated with this 3542 mapping." 3543 ::= { natMappingEntry 10 } 3545 natMappingMapBehavior OBJECT-TYPE 3546 SYNTAX NatBehaviorType 3547 MAX-ACCESS read-only 3548 STATUS current 3549 DESCRIPTION 3550 "Mapping behavior as described in [RFC4787] section 4.1." 3551 ::= { natMappingEntry 11 } 3553 natMappingFilterBehavior OBJECT-TYPE 3554 SYNTAX NatBehaviorType 3555 MAX-ACCESS read-only 3556 STATUS current 3557 DESCRIPTION 3558 "Filtering behavior as described in [RFC4787] section 5." 
3559 ::= { natMappingEntry 12 } 3561 natMappingAddressPooling OBJECT-TYPE 3562 SYNTAX NatPoolingType 3563 MAX-ACCESS read-only 3564 STATUS current 3565 DESCRIPTION 3566 "Type of address pooling behavior that was used to create 3567 this mapping." 3568 ::= { natMappingEntry 13 } 3570 natMappingSubsIndex OBJECT-TYPE 3571 SYNTAX SubscriberIndex 3572 MAX-ACCESS read-only 3573 STATUS current 3574 DESCRIPTION 3575 "Subscriber using this mapping." 3576 ::= { natMappingEntry 14 } 3578 -- subscribers 3580 natSubscribers OBJECT IDENTIFIER ::= { natMIBObjects 16 } 3582 natSubscribersTable OBJECT-TYPE 3583 SYNTAX SEQUENCE OF NatSubscribersEntry 3584 MAX-ACCESS not-accessible 3585 STATUS current 3586 DESCRIPTION 3587 "Table of CGN subscribers." 3588 ::= { natSubscribers 1 } 3590 natSubscribersEntry OBJECT-TYPE 3591 SYNTAX NatSubscribersEntry 3592 MAX-ACCESS not-accessible 3593 STATUS current 3594 DESCRIPTION 3595 "Each entry describes a single CGN subscriber or a host 3596 served by a managed enterprise NAT." 
3597 INDEX { natInstanceIndex, 3598 natSubscriberIndex } 3599 ::= { natSubscribersTable 1 } 3601 NatSubscribersEntry ::= 3602 SEQUENCE { 3603 natSubscriberIndex SubscriberIndex, 3604 natSubscriberIdentifierType SubscriberIdentifierType, 3605 natSubscriberIntPrefixType InetAddressType, 3606 natSubscriberIntPrefix InetAddress, 3607 natSubscriberIntPrefixLength InetAddressPrefixLength, 3608 natSubscriberRealm SnmpAdminString, 3609 natSubscriberTranslations Counter64, 3610 natSubscriberOutOfPortErrors Counter64, 3611 natSubscriberResourceErrors Counter64, 3612 natSubscriberQuotaDrops Counter64, 3613 natSubscriberMappingCreations Counter64, 3614 natSubscriberMappingRemovals Counter64, 3615 natSubscriberLimitMappings Unsigned32, 3616 natSubscriberMapNotifyThresh Unsigned32, 3617 natSubscriberVlanIdentifier VlanIndexOrZero, 3618 natSubscriberVpnIdentifier VPNIdOrZero, 3619 natSubscriberIPEncapsIdType InetAddressType, 3620 natSubscriberIPEncapsIdAddr InetAddress 3621 } 3623 natSubscriberIndex OBJECT-TYPE 3624 SYNTAX SubscriberIndex 3625 MAX-ACCESS not-accessible 3626 STATUS current 3627 DESCRIPTION 3628 "Index of the subscriber or host." 3629 ::= { natSubscribersEntry 1 } 3631 natSubscriberIdentifierType OBJECT-TYPE 3632 SYNTAX SubscriberIdentifierType 3633 MAX-ACCESS read-only 3634 STATUS current 3635 DESCRIPTION 3636 "Type of additional information needed to identify the 3637 subscriber or host from incoming packets, when the packet 3638 source address does not do so unambiguously. 3640 The implementation MUST ensure that the type and the 3641 identifier value provided are synchronized, as follows. 3642 Unused identifier values MUST be zero or equivalent. 3644 Type Identifier object 3646 null(0) None. 
3647 interfaces(1) natSubsInterfaceIdentifierTable 3648 vlan(2) natSubscriberVlanIdentifier 3649 vpn(3) natSubscriberVpnIdentifier 3650 ipencaps(4) natSubscriberIPEncapsIdType and 3651 natSubscriberIPEncapsIdAddr 3652 other(5) As specified by the implementation" 3653 ::= { natSubscribersEntry 2 } 3655 natSubscriberIntPrefixType OBJECT-TYPE 3656 SYNTAX InetAddressType 3657 MAX-ACCESS read-only 3658 STATUS current 3659 DESCRIPTION 3660 "Subscriber's internal prefix type." 3661 ::= { natSubscribersEntry 3 } 3663 natSubscriberIntPrefix OBJECT-TYPE 3664 SYNTAX InetAddress 3665 MAX-ACCESS read-only 3666 STATUS current 3667 DESCRIPTION 3668 "Prefix assigned to a subscriber's CPE." 3669 ::= { natSubscribersEntry 4 } 3671 natSubscriberIntPrefixLength OBJECT-TYPE 3672 SYNTAX InetAddressPrefixLength 3673 MAX-ACCESS read-only 3674 STATUS current 3675 DESCRIPTION 3676 "Length of the prefix assigned to a subscriber's CPE, in 3677 bits. In case a single address is assigned, this will be 32 3678 for IPv4 and 128 for IPv6." 3679 ::= { natSubscribersEntry 5 } 3681 natSubscriberRealm OBJECT-TYPE 3682 SYNTAX SnmpAdminString 3683 MAX-ACCESS read-only 3684 STATUS current 3685 DESCRIPTION 3686 "The realm to which this subscriber belongs." 3687 ::= { natSubscribersEntry 6 } 3689 natSubscriberTranslations OBJECT-TYPE 3690 SYNTAX Counter64 3691 MAX-ACCESS read-only 3692 STATUS current 3693 DESCRIPTION 3694 "The number of translated packets received from or sent to 3695 this subscriber." 3696 ::= { natSubscribersEntry 7 } 3698 natSubscriberOutOfPortErrors OBJECT-TYPE 3699 SYNTAX Counter64 3700 MAX-ACCESS read-only 3701 STATUS current 3702 DESCRIPTION 3703 "The number of packets received from this subscriber not 3704 translated because no external port was available, excluding 3705 quota limitations." 
3706 ::= { natSubscribersEntry 8 } 3708 natSubscriberResourceErrors OBJECT-TYPE 3709 SYNTAX Counter64 3710 MAX-ACCESS read-only 3711 STATUS current 3712 DESCRIPTION 3713 "The number of packets received from this subscriber not 3714 translated because of resource constraints (excluding 3715 out-of-port errors and quota drops)." 3716 ::= { natSubscribersEntry 9 } 3718 natSubscriberQuotaDrops OBJECT-TYPE 3719 SYNTAX Counter64 3720 MAX-ACCESS read-only 3721 STATUS current 3722 DESCRIPTION 3723 "The number of incoming packets received from or destined to 3724 this subscriber not translated because of quota limitations. 3725 Quotas include absolute limits as well as limits on the rate 3726 of allocation." 3727 ::= { natSubscribersEntry 10 } 3729 natSubscriberMappingCreations OBJECT-TYPE 3730 SYNTAX Counter64 3731 MAX-ACCESS read-only 3732 STATUS current 3733 DESCRIPTION 3734 "Number of mappings created by or for this subscriber." 3735 ::= { natSubscribersEntry 11 } 3737 natSubscriberMappingRemovals OBJECT-TYPE 3738 SYNTAX Counter64 3739 MAX-ACCESS read-only 3740 STATUS current 3741 DESCRIPTION 3742 "Number of mappings removed by or for this subscriber." 3743 ::= { natSubscribersEntry 12 } 3745 natSubscriberLimitMappings OBJECT-TYPE 3746 SYNTAX Unsigned32 3747 MAX-ACCESS read-write 3748 STATUS current 3749 DESCRIPTION 3750 "Limit on the number of active mappings created by or for 3751 this subscriber. Zero means unlimited." 3752 ::= { natSubscribersEntry 13 } 3754 natSubscriberMapNotifyThresh OBJECT-TYPE 3755 SYNTAX Unsigned32 3756 MAX-ACCESS read-write 3757 STATUS current 3758 DESCRIPTION 3759 "See natNotifSubscriberMappings." 3760 ::= { natSubscribersEntry 14 } 3762 natSubscriberVlanIdentifier OBJECT-TYPE 3763 SYNTAX VlanIndexOrZero 3764 MAX-ACCESS read-only 3765 STATUS current 3766 DESCRIPTION 3767 "When non-zero, VLAN index used to identify subscriber in 3768 combination with packet source address." 
3769 ::= { natSubscribersEntry 15 } 3771 natSubscriberVpnIdentifier OBJECT-TYPE 3772 SYNTAX VPNIdOrZero 3773 MAX-ACCESS read-only 3774 STATUS current 3775 DESCRIPTION 3776 "When non-zero, VPN identifier used to identify subscriber 3777 in combination with packet source address." 3778 ::= { natSubscribersEntry 16 } 3780 natSubscriberIPEncapsIdType OBJECT-TYPE 3781 SYNTAX InetAddressType 3782 MAX-ACCESS read-only 3783 STATUS current 3784 DESCRIPTION 3785 "When not unknown(0), type of address of encapsulating IP 3786 ingress tunnel." 3787 ::= { natSubscribersEntry 17 } 3789 natSubscriberIPEncapsIdAddr OBJECT-TYPE 3790 SYNTAX InetAddress 3791 MAX-ACCESS read-only 3792 STATUS current 3793 DESCRIPTION 3794 "Source address in outer header of packets incoming via IP 3795 tunnel, used to identify subscriber in combination with 3796 inner packet source address." 3797 ::= { natSubscribersEntry 18 } 3799 natSubsInterfaceIdentifierTable OBJECT-TYPE 3800 SYNTAX SEQUENCE OF NatSubsInterfaceIdentifierEntry 3801 MAX-ACCESS not-accessible 3802 STATUS current 3803 DESCRIPTION 3804 "Table of interface indexes. If non-empty, used along with 3805 packet source address to identify the subscriber sending 3806 the packet. 'OR' semantics if multiple interface indexes 3807 are present." 3808 ::= { natSubscribers 2 } 3810 natSubsInterfaceIdentifierEntry OBJECT-TYPE 3811 SYNTAX NatSubsInterfaceIdentifierEntry 3812 MAX-ACCESS not-accessible 3813 STATUS current 3814 DESCRIPTION 3815 "Each entry provides a single interface index." 
3816 INDEX { natInstanceIndex, 3817 natSubsInterfaceIdSubsIndex, 3818 natSubsInterfaceIdRowIndex } 3819 ::= { natSubsInterfaceIdentifierTable 1 } 3821 NatSubsInterfaceIdentifierEntry ::= 3822 SEQUENCE { 3823 natSubsInterfaceIdSubsIndex SubscriberIndex, 3824 natSubsInterfaceIdRowIndex SubsInterfaceIdRowIndex, 3825 natSubsInterfaceIndex InterfaceIndex 3826 } 3828 natSubsInterfaceIdSubsIndex OBJECT-TYPE 3829 SYNTAX SubscriberIndex 3830 MAX-ACCESS not-accessible 3831 STATUS current 3832 DESCRIPTION 3833 "Index of the subscriber to which this conceptual table is 3834 related." 3835 ::= { natSubsInterfaceIdentifierEntry 1 } 3837 natSubsInterfaceIdRowIndex OBJECT-TYPE 3838 SYNTAX SubsInterfaceIdRowIndex 3839 MAX-ACCESS not-accessible 3840 STATUS current 3841 DESCRIPTION 3842 "Row index." 3843 ::= { natSubsInterfaceIdentifierEntry 2 } 3845 natSubsInterfaceIndex OBJECT-TYPE 3846 SYNTAX InterfaceIndex 3847 MAX-ACCESS read-only 3848 STATUS current 3849 DESCRIPTION 3850 "Interface index of an ingress interface through which 3851 packets from this subscriber may flow." 3852 ::= { natSubsInterfaceIdentifierEntry 3 } 3854 -- object groups 3856 natGroupStatelessObjects OBJECT-GROUP 3857 OBJECTS { natInstanceAlias, 3858 natTranslations, 3859 natResourceErrors, 3860 natQuotaDrops, 3861 natMappingCreations, 3862 natMappingRemovals, 3863 natL4ProtocolTranslations , 3864 natL4ProtocolResourceErrors, 3865 natL4ProtocolQuotaDrops, 3866 natL4ProtocolMappingCreations, 3867 natL4ProtocolMappingRemovals, 3868 natMappingIntRealm, 3869 natMappingIntAddressType, 3870 natMappingIntAddress, 3871 natMappingIntPort, 3872 natMappingPool, 3873 natMappingMapBehavior, 3874 natMappingFilterBehavior } 3875 STATUS current 3876 DESCRIPTION 3877 "Basic counters, limits, and thresholds that do not require 3878 stateful NAT. That is, they apply to both stateless and 3879 stateful NATs. 
3881 For this MIB's purposes, stateless NATs are defined as NATs 3882 that do not create mappings dynamically (either implicitly 3883 or explicitly using, for instance, the Port Control 3884 Protocol). Their mappings are created statically by the NAT 3885 administrator." 3886 ::= { natMIBGroups 7 } 3888 natGroupStatefulObjects OBJECT-GROUP 3889 OBJECTS { natOutOfPortErrors, 3890 natL4ProtocolOutOfPortErrors, 3891 natLimitMappings, 3892 natMappingsNotifyThreshold, 3893 natPoolRealm, 3894 natPoolWatermarkLow, 3895 natPoolWatermarkHigh, 3896 natPoolPortMin, 3897 natPoolPortMax, 3898 natPoolRangeType, 3899 natPoolRangeBegin, 3900 natPoolRangeEnd, 3901 natPoolRangeAllocations, 3902 natPoolRangeDeallocations, 3903 natMappingAddressPooling } 3904 STATUS current 3905 DESCRIPTION 3906 "Basic counters, limits, and thresholds that require stateful 3907 NAT." 3908 ::= { natMIBGroups 8 } 3910 natGroupAddrMapObjects OBJECT-GROUP 3911 OBJECTS { natAddressMappingCreations, 3912 natAddressMappingRemovals, 3913 natLimitAddressMappings, 3914 natAddrMapNotifyThreshold, 3915 natMapIntAddrExtRealm, 3916 natMapIntAddrExtType, 3917 natMapIntAddrExt } 3918 STATUS current 3919 DESCRIPTION 3920 "Objects that require 'Paired IP address pooling' behavior 3921 [RFC4787]." 3922 ::= { natMIBGroups 9 } 3924 natGroupFragmentObjects OBJECT-GROUP 3925 OBJECTS { natLimitFragments } 3926 STATUS current 3927 DESCRIPTION 3928 "Objects that require 'Receive Fragments Out of Order' 3929 behavior [RFC4787]." 3930 ::= { natMIBGroups 10 } 3932 natGroupBasicNotifications NOTIFICATION-GROUP 3933 NOTIFICATIONS { natNotifPoolWatermarkLow, 3934 natNotifPoolWatermarkHigh, 3935 natNotifMappings } 3936 STATUS current 3937 DESCRIPTION 3938 "Basic notifications." 3939 ::= { natMIBGroups 11 } 3941 natGroupAddrMapNotifications NOTIFICATION-GROUP 3942 NOTIFICATIONS { natNotifAddrMappings } 3943 STATUS current 3944 DESCRIPTION 3945 "Notifications about address mappings." 
3946 ::= { natMIBGroups 12 } 3948 natGroupSubscriberObjects OBJECT-GROUP 3949 OBJECTS { natMapIntAddrSubsIndex, 3950 natMappingSubsIndex, 3951 natSubscriberIdentifierType, 3952 natSubscriberIntPrefixType, 3953 natSubscriberIntPrefix, 3954 natSubscriberIntPrefixLength, 3955 natSubscriberRealm, 3956 natSubscriberTranslations, 3957 natSubscriberOutOfPortErrors, 3958 natSubscriberResourceErrors, 3959 natSubscriberQuotaDrops, 3960 natSubscriberMappingCreations, 3961 natSubscriberMappingRemovals, 3962 natSubscriberLimitMappings, 3963 natSubscriberVlanIdentifier, 3964 natSubscriberVpnIdentifier, 3965 natSubscriberIPEncapsIdType, 3966 natSubscriberIPEncapsIdAddr, 3967 natSubsInterfaceIndex, 3968 natLimitSubscribers, 3969 natSubscriberMapNotifyThresh } 3970 STATUS current 3971 DESCRIPTION 3972 "Per-subscriber counters, limits, and thresholds." 3973 ::= { natMIBGroups 13 } 3975 natGroupSubscriberNotifications NOTIFICATION-GROUP 3976 NOTIFICATIONS { natNotifSubscriberMappings } 3977 STATUS current 3978 DESCRIPTION 3979 "Subscriber notifications." 3980 ::= { natMIBGroups 14 } 3982 -- compliance statements 3984 natBasicStatelessCompliance MODULE-COMPLIANCE 3985 STATUS current 3986 DESCRIPTION 3987 "Basic stateless compliance with this MIB is attained when 3988 the objects contained in the mandatory groups are 3989 implemented." 3990 MODULE -- this module 3991 MANDATORY-GROUPS { natGroupStatelessObjects } 3993 OBJECT natInstanceAlias 3994 MIN-ACCESS read-only 3995 DESCRIPTION 3996 "Write access is not required." 3998 ::= { natMIBCompliances 3 } 4000 natBasicStatefulCompliance MODULE-COMPLIANCE 4001 STATUS current 4002 DESCRIPTION 4003 "Basic stateful compliance with this MIB is attained when the 4004 objects contained in the mandatory groups are implemented." 
4005         MODULE -- this module
4006             MANDATORY-GROUPS { natGroupStatelessObjects,
4007                                natGroupStatefulObjects,
4008                                natGroupBasicNotifications }
4009         ::= { natMIBCompliances 4 }

4011     natAddrMapCompliance MODULE-COMPLIANCE
4012         STATUS current
4013         DESCRIPTION
4014             "NATs that have 'Paired IP address pooling' behavior
4016             [RFC4787] and implement the objects in this group can claim
4017             this level of compliance."
4018         MODULE -- this module
4019             MANDATORY-GROUPS { natGroupStatelessObjects,
4020                                natGroupStatefulObjects,
4021                                natGroupBasicNotifications,
4022                                natGroupAddrMapObjects,
4023                                natGroupAddrMapNotifications }
4024         ::= { natMIBCompliances 5 }

4026     natFragmentsCompliance MODULE-COMPLIANCE
4027         STATUS current
4028         DESCRIPTION
4029             "NATs that have 'Receive Fragments Out of Order' behavior
4030             [RFC4787] and implement the objects in this group can claim
4031             this level of compliance."
4032         MODULE -- this module
4033             MANDATORY-GROUPS { natGroupStatelessObjects,
4034                                natGroupStatefulObjects,
4035                                natGroupBasicNotifications,
4036                                natGroupFragmentObjects }
4037         ::= { natMIBCompliances 6 }

4039     natCGNCompliance MODULE-COMPLIANCE
4040         STATUS current
4041         DESCRIPTION
4042             "NATs that have 'Paired IP address pooling' and 'Receive
4043             Fragments Out of Order' behavior [RFC4787] and implement the
4044             objects in this group can claim this level of compliance.

4046             This level of compliance is to be expected of a CGN
4047             compliant with [RFC6888]."
4048         MODULE -- this module
4049             MANDATORY-GROUPS { natGroupStatelessObjects,
4050                                natGroupStatefulObjects,
4051                                natGroupBasicNotifications,
4052                                natGroupAddrMapObjects,
4053                                natGroupAddrMapNotifications,
4054                                natGroupFragmentObjects,
4055                                natGroupSubscriberObjects,
4056                                natGroupSubscriberNotifications }
4057         ::= { natMIBCompliances 7 }

4059     END

4061  5. Security Considerations

4063     There are a number of management objects defined in this MIB module
4064     with a MAX-ACCESS clause of read-write and/or read-create. Such
4065     objects may be considered sensitive or vulnerable in some network
4066     environments. The support for SET operations in a non-secure
4067     environment without proper protection can have a negative effect on
4068     network operations. These are the tables and objects and their
4069     sensitivity/vulnerability:

4071     Limits: An attacker setting a very low or very high limit can easily
4072        cause a denial-of-service situation.

4074        * natLimitMappings

4076        * natLimitAddressMappings

4078        * natLimitFragments

4080        * natLimitSubscribers

4082        * natSubscriberLimitMappings

4084     Notification thresholds: An attacker setting an arbitrarily low
4085        threshold can cause many useless notifications to be generated.
4086        Setting an arbitrarily high threshold can effectively disable
4087        notifications, which could be used to hide another attack.

4089        * natMappingsNotifyThreshold

4091        * natAddrMapNotifyThreshold

4093        * natSubscriberMapNotifyThresh

4095     Some of the readable objects in this MIB module (i.e., objects with a
4096     MAX-ACCESS other than not-accessible) may be considered sensitive or
4097     vulnerable in some network environments. It is thus important to
4098     control even GET and/or NOTIFY access to these objects and possibly
4099     to even encrypt the values of these objects when sending them over
4100     the network via SNMP. These are the tables and objects and their
4101     sensitivity/vulnerability:

4103     Objects that reveal host identities: Various objects can reveal the
4104        identity of private hosts that are engaged in a session with
4105        external end nodes. A curious outsider could monitor these to
4106        assess the number of private hosts being supported by the NAT
4107        device. Further, a disgruntled former employee of an enterprise
4108        could use the information to break into specific private hosts by
4109        intercepting the existing sessions or originating new sessions
4110        into the host.

4112        * natMapIntAddrType

4114        * natMapIntAddrInt

4116        * natMapIntAddrExt

4118        * natMappingIntRealm

4120        * natMappingIntAddressType

4122        * natMappingIntAddress

4124        * natMappingIntPort

4126        * natMappingMapBehavior

4128        * natMappingFilterBehavior

4130        * natMappingAddressPooling

4132        * natSubscriberIntPrefixType

4134        * natSubscriberIntPrefix

4136        * natSubscriberIntPrefixLength

4138     Other objects that reveal NAT state: Other managed objects in this
4139        MIB may contain information that may be sensitive from a business
4140        perspective, in that they may represent NAT state information.

4142        * natCntAddressMappings

4144        * natCntProtocolMappings

4146        * natPoolUsage

4148        * natPoolRangeAllocatedPorts

4150        * natSubscriberCntMappings

4152     There are no objects that are sensitive in their own right, such as
4153     passwords or monetary amounts.

4155     SNMP versions prior to SNMPv3 did not include adequate security.
4156     Even if the network itself is secure (for example by using IPsec),
4157     there is no control as to who on the secure network is allowed to
4158     access and GET/SET (read/change/create/delete) the objects in this
4159     MIB module.

4161     Implementations SHOULD provide the security features described by the
4162     SNMPv3 framework (see [RFC3410]), and implementations claiming
4163     compliance to the SNMPv3 standard MUST include full support for
4164     authentication and privacy via the User-based Security Model (USM)
4165     [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
4166     MAY also provide support for the Transport Security Model (TSM)
4167     [RFC5591] in combination with a secure transport such as SSH
4168     [RFC5592] or TLS/DTLS [RFC6353].

4170     Further, deployment of SNMP versions prior to SNMPv3 is NOT
4171     RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
4172     enable cryptographic security. It is then a customer/operator
4173     responsibility to ensure that the SNMP entity giving access to an
4174     instance of this MIB module is properly configured to give access to
4175     the objects only to those principals (users) that have legitimate
4176     rights to indeed GET or SET (change/create/delete) them.

4178  6. IANA Considerations

4180     IANA has assigned object identifier 123 to the natMIB module, with
4181     prefix iso.org.dod.internet.mgmt.mib-2 in the Network Management
4182     Parameters registry [SMI-NUMBERS].

4184     No IANA actions are required by this document.

4186  7. References

4188  7.1. Normative References

4190     [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
4191               Requirement Levels", BCP 14, RFC 2119, March 1997.

4193     [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
4194               Schoenwaelder, Ed., "Structure of Management Information
4195               Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

4197     [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
4198               Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
4199               58, RFC 2579, April 1999.

4201     [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
4202               "Conformance Statements for SMIv2", STD 58, RFC 2580,
4203               April 1999.

4205     [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
4206               MIB", RFC 2863, June 2000.

4208     [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
4209               (USM) for version 3 of the Simple Network Management
4210               Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

4212     [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
4213               Advanced Encryption Standard (AES) Cipher Algorithm in the
4214               SNMP User-based Security Model", RFC 3826, June 2004.

4216     [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
4217               Schoenwaelder, "Textual Conventions for Internet Network
4218               Addresses", RFC 4001, February 2005.

4220     [RFC4265] Schliesser, B. and T. Nadeau, "Definition of Textual
4221               Conventions for Virtual Private Network (VPN) Management",
4222               RFC 4265, November 2005.

4224     [RFC4363] Levi, D. and D. Harrington, "Definitions of Managed
4225               Objects for Bridges with Traffic Classes, Multicast
4226               Filtering, and Virtual LAN Extensions", RFC 4363, January
4227               2006.

4229     [RFC4750] Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F.
4230               Baker, "OSPF Version 2 Management Information Base", RFC
4231               4750, December 2006.

4233     [RFC4787] Audet, F. and C. Jennings, "Network Address Translation
4234               (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
4235               RFC 4787, January 2007.

4237     [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
4238               for the Simple Network Management Protocol (SNMP)", RFC
4239               5591, June 2009.

4241     [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
4242               Shell Transport Model for the Simple Network Management
4243               Protocol (SNMP)", RFC 5592, June 2009.

4245     [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
4246               Model for the Simple Network Management Protocol (SNMP)",
4247               RFC 6353, July 2011.

4249  7.2. Informative References

4251     [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
4252               Translator (NAT) Terminology and Considerations", RFC
4253               2663, August 1999.

4255     [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
4256               Address Translator (Traditional NAT)", RFC 3022, January
4257               2001.

4259     [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
4260               "Introduction and Applicability Statements for Internet-
4261               Standard Management Framework", RFC 3410, December 2002.

4263     [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
4264               C. Wang, "Definitions of Managed Objects for Network
4265               Address Translators (NAT)", RFC 4008, March 2005.

4267     [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
4268               Stack Lite Broadband Deployments Following IPv4
4269               Exhaustion", RFC 6333, August 2011.

4271     [RFC6674] Brockners, F., Gundavelli, S., Speicher, S., and D. Ward,
4272               "Gateway-Initiated Dual-Stack Lite Deployment", RFC 6674,
4273               July 2012.

4275     [RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
4276               and H. Ashida, "Common Requirements for Carrier-Grade NATs
4277               (CGNs)", BCP 127, RFC 6888, April 2013.

4279     [SMI-NUMBERS]
4280               , "Network Management Parameters registry at IANA", ,
4281               .

4283  Authors' Addresses

4285     Simon Perreault
4286     Viagenie
4287     246 Aberdeen
4288     Quebec, QC G1R 2E1
4289     Canada

4291     Phone: +1 418 656 9254
4292     Email: simon.perreault@viagenie.ca
4293     URI: http://viagenie.ca

4294     Tina Tsou
4295     Huawei Technologies (USA)
4296     2330 Central Expressway
4297     Santa Clara, CA 95050
4298     USA

4300     Phone: +1 408 330 4424
4301     Email: tina.tsou.zouting@huawei.com

4303     Senthil Sivakumar
4304     Cisco Systems
4305     7100-8 Kit Creek Road
4306     Research Triangle Park, North Carolina 27709
4307     USA

4309     Phone: +1 919 392 5158
4310     Email: ssenthil@cisco.com
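
Added example (not part of the draft and not its authors' code): the Security Considerations name the writable limits and notification thresholds whose misuse causes denial of service or silences notifications. The Python sketch below replays a log of SNMP SET operations and flags SETs made without SNMPv3 authPriv, SETs by unlisted principals, extreme value changes, and thresholds pushed above their limit. The record schema, the threshold-to-limit pairing, the change factor and the sample values are assumptions made for illustration.

```python
# Added example: audit SNMP SET records for the writable natMIB objects that the
# Security Considerations list. Record schema and sample data are constructed.
LIMITS = {"natLimitMappings", "natLimitAddressMappings", "natLimitFragments",
          "natLimitSubscribers", "natSubscriberLimitMappings"}
# Assumption (pairing not stated in the section): each threshold watches the
# count that the paired limit caps, so threshold > limit can never fire.
THRESHOLD_TO_LIMIT = {
    "natMappingsNotifyThreshold": "natLimitMappings",
    "natAddrMapNotifyThreshold": "natLimitAddressMappings",
    "natSubscriberMapNotifyThresh": "natSubscriberLimitMappings",
}

def audit_sets(records, baseline, authorized, factor=10):
    """Replay SETs over baseline values; return (index, reason) findings."""
    findings, state = [], dict(baseline)
    for i, r in enumerate(records):
        obj, new = r["object"], r["value"]
        if obj not in LIMITS and obj not in THRESHOLD_TO_LIMIT:
            continue
        if r["version"] != 3 or r["level"] != "authPriv":
            findings.append((i, "SET without SNMPv3 authPriv"))
        if r["user"] not in authorized:
            findings.append((i, "SET by unauthorized principal"))
        old = state.get(obj)
        # Very low or very high relative to the previous value (DoS risk).
        if old and (new * factor <= old or new >= old * factor):
            findings.append((i, f"{obj} changed {old} -> {new}"))
        state[obj] = new
        # Re-check every threshold/limit pair this SET touches; a limit of 0
        # is skipped here as "unset" (an assumption of this sketch).
        for thr, lim in THRESHOLD_TO_LIMIT.items():
            if obj in (thr, lim) and state.get(lim) and state.get(thr, 0) > state[lim]:
                findings.append((i, f"{thr} exceeds {lim}: notifications suppressed"))
    return findings

BASELINE = {"natLimitMappings": 100000, "natMappingsNotifyThreshold": 80000}
AUTHORIZED = {"noc-admin"}
SAMPLE_SETS = [  # constructed records, not from a real device
    {"user": "noc-admin", "version": 3, "level": "authPriv",
     "object": "natMappingsNotifyThreshold", "value": 85000},
    {"user": "noc-admin", "version": 2, "level": "noAuthNoPriv",
     "object": "natLimitMappings", "value": 10},
    {"user": "unknown", "version": 3, "level": "authPriv",
     "object": "natMappingsNotifyThreshold", "value": 4000000000},
]

if __name__ == "__main__":
    for idx, reason in audit_sets(SAMPLE_SETS, BASELINE, AUTHORIZED):
        print(idx, reason)
```

Lowering a limit below an existing threshold is flagged the same way as raising the threshold, because both leave the notification unable to fire.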