idnits 2.17.1 draft-ietf-nat-natmib-01.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------

** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------

** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error?

== No 'Intended status' indicated for this document; assuming Proposed Standard

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------

** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.)

** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references.

** There is 1 instance of lines with control characters in the document.

Miscellaneous warnings:
----------------------------------------------------------------------------

== Line 2100 has weird spacing: '...ce, the suppo...'

-- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.)

-- The document date (September 2001) is 8249 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------

(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)

** Obsolete normative reference: RFC 2571 (ref. '1') (Obsoleted by RFC 3411)

** Downref: Normative reference to an Informational RFC: RFC 1215 (ref. '4')

** Downref: Normative reference to an Historic RFC: RFC 1157 (ref. '8')

** Downref: Normative reference to an Historic RFC: RFC 1901 (ref. '9')

** Obsolete normative reference: RFC 1906 (ref. '10') (Obsoleted by RFC 3417)

** Obsolete normative reference: RFC 2572 (ref. '11') (Obsoleted by RFC 3412)

** Obsolete normative reference: RFC 2574 (ref. '12') (Obsoleted by RFC 3414)

** Obsolete normative reference: RFC 1905 (ref. '13') (Obsoleted by RFC 3416)

** Obsolete normative reference: RFC 2573 (ref. '14') (Obsoleted by RFC 3413)

** Obsolete normative reference: RFC 2575 (ref. '15') (Obsoleted by RFC 3415)

** Downref: Normative reference to an Informational RFC: RFC 3022 (ref. '17')

** Downref: Normative reference to an Informational RFC: RFC 2663 (ref. '18')

-- Possible downref: Non-RFC (?) normative reference: ref. '19'

** Obsolete normative reference: RFC 2851 (ref. '20') (Obsoleted by RFC 3291)

Summary: 18 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

NAT Working Group                                        R. Raghunarayan
INTERNET-DRAFT                                                    N. Pai
Expires March 2002                                   Cisco Systems, Inc.
                                                                R. Rohit
                                                 World Wide Packets, Inc.
                                                                 C. Wang
                                                         SmartPipes, Inc.
                                                          September 2001

    Definitions of Managed Objects for Network Address Translators (NAT)

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [16].
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This memo defines a Management Information Base (MIB) for use with
   network management protocols in the Internet community. In
   particular, it describes managed objects used for managing Network
   Address Translators (NAT).

Table of Contents

   1  Introduction
   2  The Network Management Framework
   3  Terminology
   4  Overview
   5  Definitions
   6  Security Considerations
   7  Future Directions
   8  References
   9  Acknowledgements
   10 Author's Addresses
   11 Change History

1. Introduction

   This memo defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community. In particular, it describes objects used for managing
   Network Address Translators (NAT) [17,19].

2. The Network Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [1].

   o  Mechanisms for describing and naming objects and events for
      the purpose of management. The first version of this Structure
      of Management Information (SMI) is called SMIv1 and described
      in STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215
      [4]. The second version, called SMIv2, is described in STD 58,
      RFC 2578 [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].

   o  Message protocols for transferring management information.
      The first version of the SNMP message protocol is called
      SNMPv1 and is described in STD 15, RFC 1157 [8]. A second
      version of the SNMP message protocol, which is not an Internet
      standards track protocol, is called SNMPv2c and described in
      RFC 1901 [9] and RFC 1906 [10]. The third version of the
      message protocol is called SNMPv3 and described in RFC 1906
      [10], RFC 2572 [11] and RFC 2574 [12].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [8]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [13].

   o  A set of fundamental applications described in RFC 2573 [14]
      and the view-based access control mechanism described in RFC
      2575 [15].

   Managed Objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using a subset of Abstract Syntax Notation One (ASN.1)
   defined in the SMIv2.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.
   The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of
   machine readable information is not considered to change the
   semantics of the MIB.

3. Terminology

   The terminology used throughout this document is mostly as per RFC
   2663 [18].

   The term NAT has been used generically, throughout the document,
   to represent both NAT and NAPT. In cases where necessary, NAPT and
   NAT will be used to mean port translation and address translation
   respectively, and appropriate usage would be clear from the
   context.

   The terms public/private are used throughout the document in the
   context of networks, while the terms local/global are used when
   referring to addresses and ports.

4. Overview

   The MIB module has been split into three groups:

   o  the configuration group,
   o  the bind group, and
   o  the statistics group.

   The configuration group consists of four tables and two scalars:

   o  the generic configuration table, which specifies among other
      things the type of NAT to be employed and the associated timers.
   o  the static address map table, which is an extension of the
      generic configuration table, and specifies information required
      to set up static NAT.
   o  the dynamic address map table, which again is an extension of the
      generic configuration table, but specifies information required
      to set up dynamic NAT.
   o  the interfaces table, which holds information regarding
      interfaces on which NAT is enabled.
   o  the two scalars are used to monitor address thresholds and
      generate notifications when the thresholds are crossed.
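As an added example (not code from the draft), the following Python checks an address map row against the constraints stated in the natConfStaticAddrMap* and natConfDynamicAddrMap* DESCRIPTION clauses of Section 5, and models how natConfAddressRiseThreshold and natConfAddressFallThreshold gate the natAddressUseRising notification. The AddrMapRow and AddressUseMonitor names, the sample addresses, and the re-arm rule (no new notification until usage drops below the falling threshold) are this example's own assumptions.

```python
# Added example (not draft code): NAT-MIB address map row checks and the
# natAddressUseRising hysteresis of natConfAddressRiseThreshold/FallThreshold.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

BASIC_NAT = 1   # natConfServiceType basicNat(1)
NAPT = 2        # natConfServiceType napt(2)


@dataclass
class AddrMapRow:
    """Address/port columns of a natConf{Static,Dynamic}AddrMapEntry row."""
    name: str
    local_from: IPv4Address
    local_to: IPv4Address
    global_from: IPv4Address
    global_to: IPv4Address
    local_port_from: int = 0
    local_port_to: int = 0
    global_port_from: int = 0
    global_port_to: int = 0


def make_row(name: str, local_from: str, local_to: str,
             global_from: str, global_to: str, **ports: int) -> AddrMapRow:
    """Build a row from dotted-quad strings (IpAddress values in the MIB)."""
    return AddrMapRow(name, IPv4Address(local_from), IPv4Address(local_to),
                      IPv4Address(global_from), IPv4Address(global_to), **ports)


def range_size(lo: IPv4Address, hi: IPv4Address) -> int:
    return int(hi) - int(lo) + 1


def validate_addr_map(row: AddrMapRow, service_type: int) -> List[str]:
    """Constraint violations per the DESCRIPTION clauses; [] means valid:
    name is 1..32 octets, local and global ranges hold the same number of
    addresses, ports are 0 for basic NAT and within 0..65535 otherwise."""
    problems: List[str] = []
    if not 1 <= len(row.name.encode("utf-8")) <= 32:
        problems.append("AddrMapName must be 1..32 octets")
    if row.local_to < row.local_from or row.global_to < row.global_from:
        problems.append("AddrTo must not precede AddrFrom")
    elif (range_size(row.local_from, row.local_to)
          != range_size(row.global_from, row.global_to)):
        problems.append("local and global address ranges must contain "
                        "the same number of addresses")
    ports = (row.local_port_from, row.local_port_to,
             row.global_port_from, row.global_port_to)
    if any(not 0 <= p <= 65535 for p in ports):
        problems.append("port values must be in 0..65535")
    if service_type == BASIC_NAT and any(ports):
        problems.append("basic NAT rows must carry port value 0")
    if service_type == NAPT and (row.local_port_to < row.local_port_from
                                 or row.global_port_to < row.global_port_from):
        problems.append("PortTo must not precede PortFrom")
    return problems


class AddressUseMonitor:
    """natAddressUseRising generator for one address map. rise/fall are
    natConfAddressRiseThreshold/natConfAddressFallThreshold in percent;
    rise == 0 disables notifications as the MIB requires. Re-arming only
    after usage drops below fall is this example's assumption."""

    def __init__(self, row: AddrMapRow, rise: int, fall: int) -> None:
        if not 0 <= fall <= rise <= 100:       # assumption: fall <= rise
            raise ValueError("need 0 <= fall <= rise <= 100")
        self.pool_size = range_size(row.global_from, row.global_to)
        self.rise, self.fall = rise, fall
        self.armed = True
        self.notifications: List[int] = []     # usage % per notification

    def observe(self, active_binds: int) -> Optional[int]:
        """Feed the current bind count for this map; return the usage
        percentage when a natAddressUseRising would be sent, else None."""
        pct = active_binds * 100 // self.pool_size   # integer percent
        if self.rise == 0:
            return None
        if self.armed and pct >= self.rise:
            self.armed = False
            self.notifications.append(pct)
            return pct
        if not self.armed and pct < self.fall:
            self.armed = True
        return None


def demo() -> List[int]:
    """Constructed walk-through: 4-address outbound pool, rise 75 / fall 50."""
    row = make_row("outbound-pool", "10.0.0.1", "10.0.0.4",
                   "192.0.2.1", "192.0.2.4")      # constructed addresses
    assert validate_addr_map(row, BASIC_NAT) == []
    mon = AddressUseMonitor(row, rise=75, fall=50)
    # 3 binds reach 75% (notify); 4 is suppressed; 2 binds (50%) is not
    # below fall so no re-arm; 1 bind (25%) re-arms; 3 binds notify again.
    for binds in (1, 2, 3, 4, 3, 2, 1, 3):
        mon.observe(binds)
    return mon.notifications                     # [75, 75]
```

A pool that stays at 100% after the single notification is exactly the condition under which natPacketDiscard would start firing, so the monitor's suppressed second notification is the operator's cue to watch that second trap rather than wait for another rising one.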
   The bind group consists of two scalars and three tables:

   o  the scalars, natAddrBindNumberOfEntries and
      natAddrPortBindNumberOfEntries, hold the number of entries
      that currently exist in the Address bind and the Address-Port
      bind tables respectively.
   o  the Address bind table, which holds the currently active
      address mappings.
   o  the Address-Port bind table, which holds the currently active
      transport mappings.
   o  the session table, which holds information regarding active NAT
      sessions.

   And finally, the statistics group consists of three tables:

   o  the Protocol stats table, which holds NAT statistics on a per
      protocol basis.
   o  the Address Map stats table, which holds NAT statistics on a
      per address map basis.
   o  the Interface stats table, which holds NAT statistics on a per
      interface basis.

   There are also two notifications defined in the MIB:

   o  natAddressUseRising notifies the end user/manager of the address
      usage exceeding a pre-defined threshold.
   o  And finally, natPacketDiscard notifies the end user/manager of
      packets being discarded due to lack of address mappings.

5. Definitions

NAT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Integer32,
    Unsigned32,
    Gauge32,
    Counter32,
    TimeTicks,
    IpAddress,              -- NOTE: To be replaced with
                            -- InetAddress/InetAddressType throughout the MIB.
    mib-2,
    NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION,
    StorageType,
    RowStatus
        FROM SNMPv2-TC
    InterfaceIndex
        FROM IF-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB;

natMIB MODULE-IDENTITY
    LAST-UPDATED "200109100000Z"
    ORGANIZATION "IETF NAT Working Group"
    CONTACT-INFO
            " Rohit
              World Wide Packets
              115 North Sullivan Road
              Veradale, Spokane, WA 99037
              Phone: +1 509 242 9320
              Email: Rohit.Rohit@worldwidepackets.com

              Nalinaksh Pai
              Cisco Systems, Inc.
              Prestige Waterford
              No. 9, Brunton Road
              Bangalore - 560 025
              India
              Phone: +91 80 532 1300
              Email: npai@cisco.com

              Rajiv Raghunarayan
              Cisco Systems, Inc.
              Prestige Waterford
              No. 9, Brunton Road
              Bangalore - 560 025
              India
              Phone: +91 80 532 1300
              Email: rrajiv@cisco.com

              Cliff Wang
              SmartPipes Inc.
              Suite 300, 565 Metro Place South
              Dublin, OH 43017
              Phone: +1 614 923 6241
              Email: CWang@smartpipes.com
            "
    DESCRIPTION
            "This MIB module defines the generic managed objects
            for NAT."
    REVISION "200109100000Z"
    DESCRIPTION
            "Notifications added."
    REVISION "200103010000Z"
    DESCRIPTION
            "Initial version of this MIB module."
    ::= { mib-2 xx }    -- xx to be assigned by RFC-editor.

natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }
--
-- The Groups
-- o natConfig     - Pertaining to NAT configuration information
-- o natBind       - Pertaining to the NAT BINDs/sessions.
-- o natStatistics - NAT statistics, other than those maintained
--                   by the Bind and Session tables.
--

natConfig       OBJECT IDENTIFIER ::= { natMIBObjects 1 }
natBind         OBJECT IDENTIFIER ::= { natMIBObjects 2 }
natStatistics   OBJECT IDENTIFIER ::= { natMIBObjects 3 }

--
-- Textual Conventions
--

NATProtocolType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
            "A list of protocols that are affected by NAT.
            Inclusion of values is not intended to imply that
            those protocols need be supported."
    SYNTAX      INTEGER {
                    other (1),    -- not specified
                    icmp  (2),
                    udp   (3),
                    tcp   (4)
                }

--
-- The Configuration Group
-- The NAT Generic Configuration Table
--

natConfTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatConfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table specifies the configuration attributes for a
            device supporting NAT function."
    ::= { natConfig 1 }

natConfEntry OBJECT-TYPE
    SYNTAX      NatConfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the natConfTable holds a set of
            configuration parameters associated with an instance
            of NAT.

            Entries in the natConfTable are created and deleted
            using the natConfStatus object."
    INDEX { IMPLIED natConfName }
    ::= { natConfTable 1 }

--
-- NOTE: The protocol specific parameters need to be moved into
-- protocol specific tables.
--

NatConfEntry ::= SEQUENCE {
    natConfName                 SnmpAdminString,
    natConfServiceType          INTEGER,
    natConfTimeoutIcmpIdle      Integer32,
    natConfTimeoutUdpIdle       Integer32,
    natConfTimeoutTcpIdle       Integer32,
    natConfTimeoutTcpNeg        Integer32,
    natConfTimeoutOther         Integer32,
    natConfMaxBindLeaseTime     Integer32,
    natConfMaxBindIdleTime      Integer32,
    natConfStorageType          StorageType,
    natConfStatus               RowStatus
}

natConfName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The locally arbitrary, but unique identifier
            associated with this natConfEntry."
    ::= { natConfEntry 1 }

natConfServiceType OBJECT-TYPE
    SYNTAX      INTEGER {
                    basicNat         (1),
                    napt             (2),
                    bidirectionalNat (3),
                    twiceNat         (4),
                    multihomedNat    (5)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "An indication of the direction in which new sessions
            are permitted and the extent of translation done within
            the IP and transport headers."
    ::= { natConfEntry 2 }

natConfTimeoutIcmpIdle OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The interval of time for which an ICMP protocol session,
            associated with this configuration, is allowed to remain
            valid without any activity."
    -- 1 minute
    DEFVAL { 60 }
    ::= { natConfEntry 3 }

natConfTimeoutUdpIdle OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The interval of time for which a UDP protocol session,
            associated with this configuration, is allowed to remain
            valid without any activity."
    -- 5 minutes
    DEFVAL { 300 }
    ::= { natConfEntry 4 }

natConfTimeoutTcpIdle OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The interval of time for which a TCP protocol session,
            associated with this configuration, is allowed to remain
            valid without any activity. This timeout value applies
            to a TCP session during its data transfer phase."
    -- 24 hours
    DEFVAL { 86400 }
    ::= { natConfEntry 5 }

natConfTimeoutTcpNeg OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The interval of time for which a TCP protocol session,
            associated with this configuration, is allowed to remain
            valid without any activity. This timeout value applies
            to a TCP session during its establishment and termination
            phases."
    -- 1 minute
    DEFVAL { 60 }
    ::= { natConfEntry 6 }

natConfTimeoutOther OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The interval of time for which a protocol session
            other than ICMP, UDP and TCP, associated with this
            configuration, is allowed to remain valid, without
            any activity."
    ::= { natConfEntry 7 }

natConfMaxBindLeaseTime OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The maximum lease time for the BIND, associated with
            this configuration. Unless the lease time is renewed, a
            BIND will not be valid past the lease time. As a special
            case, a value of 0 may be assumed to indicate no lease
            time limit. Typically, this attribute is of relevance
            only in conjunction with Realm-Specific-IP (RSIP)
            operation."
    DEFVAL { 0 }
    ::= { natConfEntry 8 }

natConfMaxBindIdleTime OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The maximum time, associated with this configuration,
            to allow a dynamic BIND to remain valid with no NAT
            session hanging off this BIND. By default for NATIVE
            NAT maximum Idle time is 0. External agents could
            control this parameter differently. Static Binds and
            lease time limited BINDs are not affected by this
            parameter."
    DEFVAL { 0 }
    ::= { natConfEntry 9 }

natConfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The storage type for this conceptual row."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natConfEntry 10 }

natConfStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row."
    ::= { natConfEntry 11 }

--
-- The Static Address Map Table
--

natConfStaticAddrMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatConfStaticAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table lists configuration for static NAT
            entries. This table has an expansion dependent
            relationship on the natConfTable. When an SNMP entity
            deletes a conceptual row from the natConfTable, then
            the corresponding entries are deleted from
            natConfStaticAddrMapTable."
    ::= { natConfig 2 }

natConfStaticAddrMapEntry OBJECT-TYPE
    SYNTAX      NatConfStaticAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "A description of a static NAT entry. This entry
            contributes to the static NAT table of the device."
    INDEX { natConfName, natConfStaticAddrMapName }
    ::= { natConfStaticAddrMapTable 1 }

--
-- NOTE: The natConfStaticAddrMapTable to be merged with
-- natConfDynamicAddrMapTable.
--
NatConfStaticAddrMapEntry ::= SEQUENCE {
    natConfStaticAddrMapName        SnmpAdminString,
    natConfStaticAddrMapType        INTEGER,
    natConfStaticLocalAddrFrom      IpAddress,
    natConfStaticLocalAddrTo        IpAddress,
    natConfStaticLocalPortFrom      Integer32,
    natConfStaticLocalPortTo        Integer32,
    natConfStaticGlobalAddrFrom     IpAddress,
    natConfStaticGlobalAddrTo       IpAddress,
    natConfStaticGlobalPortFrom     Integer32,
    natConfStaticGlobalPortTo       Integer32,
    natConfStaticProtocol           BITS,
    natConfStaticAddrMapStorageType StorageType,
    natConfStaticAddrMapStatus      RowStatus
}

natConfStaticAddrMapName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An arbitrary, but unique identifier associated with this
            natConfStaticAddrMapEntry. The value of this object is
            unique across both the static address map and the dynamic
            address map tables."
    ::= { natConfStaticAddrMapEntry 1 }

natConfStaticAddrMapType OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound  (1),
                    outbound (2),
                    both     (3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "Address (and Transport-ID) maps may be defined for both
            inbound and outbound direction. Outbound address map
            refers to mapping a selected set of addresses from
            private realm to a selected set of addresses in external
            realm; whereas inbound address map refers to mapping a
            set of addresses from the external realm to private
            realm."
    ::= { natConfStaticAddrMapEntry 2 }

natConfStaticLocalAddrFrom OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the first IP address of the range
            of IP addresses mapped by this translation entry."
    ::= { natConfStaticAddrMapEntry 3 }

natConfStaticLocalAddrTo OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the last IP address of the range of
            IP addresses mapped by this translation entry. If only
            a single address is being mapped, the value of this object
            is equal to the value of natConfStaticLocalAddrFrom. The
            number of addresses in the range defined by
            natConfStaticLocalAddrFrom and natConfStaticLocalAddrTo
            should be equal to the number of addresses in the range
            defined by natConfStaticGlobalAddrFrom and
            natConfStaticGlobalAddrTo."
    ::= { natConfStaticAddrMapEntry 4 }

natConfStaticLocalPortFrom OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the first port number in the range of ports being
            mapped. If the translation specifies a single port, then
            the value of this object is equal to the value of
            natConfStaticLocalPortTo."
    ::= { natConfStaticAddrMapEntry 5 }

natConfStaticLocalPortTo OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the last port number in the range of ports being mapped.
            If the translation specifies a single port, then the
            value of this object is equal to the value of
            natConfStaticLocalPortFrom."
    ::= { natConfStaticAddrMapEntry 6 }

natConfStaticGlobalAddrFrom OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the first IP address of the range of
            IP addresses being mapped to."
    ::= { natConfStaticAddrMapEntry 7 }

natConfStaticGlobalAddrTo OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the last IP address of the range of
            IP addresses being mapped to. If only a single address is
            being mapped to, the value of this object is equal to the
            value of natConfStaticGlobalAddrFrom. The number of
            addresses in the range defined by natConfStaticGlobalAddrFrom
            and natConfStaticGlobalAddrTo should be equal to the number
            of addresses in the range defined by
            natConfStaticLocalAddrFrom and
            natConfStaticLocalAddrTo."
    ::= { natConfStaticAddrMapEntry 8 }

natConfStaticGlobalPortFrom OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the first port number in the range of ports being mapped
            to. If the translation specifies a single port, then the
            value of this object is equal to the value of
            natConfStaticGlobalPortTo."
    ::= { natConfStaticAddrMapEntry 9 }

natConfStaticGlobalPortTo OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'.
            If this conceptual row describes
            NAPT, then the value of this object specifies the last
            port number in the range of ports being mapped to. If the
            translation specifies a single port, then the value of
            this object is equal to the value of
            natConfStaticGlobalPortFrom."
    ::= { natConfStaticAddrMapEntry 10 }

natConfStaticProtocol OBJECT-TYPE
    SYNTAX      BITS {
                    all   (0),
                    other (1),
                    icmp  (2),
                    udp   (3),
                    tcp   (4)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies a protocol identifier. If the
            value of this object is '0', then this basic NAT entry
            applies to all IP traffic. If the value of this object
            is non-zero, then this NAT entry only applies to IP
            traffic with the specified protocol."
    ::= { natConfStaticAddrMapEntry 11 }

natConfStaticAddrMapStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The storage type for this conceptual row."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natConfStaticAddrMapEntry 12 }

natConfStaticAddrMapStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.

            To create a row in this table, a manager must set this
            object to either createAndGo(4) or createAndWait(5)."
    ::= { natConfStaticAddrMapEntry 13 }

--
-- The Dynamic Address Map Table
--

natConfDynamicAddrMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatConfDynamicAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table lists dynamic NAT entries. This table has an
            expansion dependent relationship on the natConfTable.
            When an SNMP entity deletes a conceptual row from the
            natConfTable, then the corresponding entries are deleted
            from natConfDynamicAddrMapTable."
    ::= { natConfig 3 }

natConfDynamicAddrMapEntry OBJECT-TYPE
    SYNTAX      NatConfDynamicAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "A description of a dynamic NAT entry. This entry
            contributes to the dynamic NAT table of the device."
    INDEX { natConfName, natConfDynamicAddrMapName }
    ::= { natConfDynamicAddrMapTable 1 }

NatConfDynamicAddrMapEntry ::= SEQUENCE {
    natConfDynamicAddrMapName        SnmpAdminString,
    natConfDynamicAddressMapType     INTEGER,
    natConfDynamicLocalAddrFrom      IpAddress,
    natConfDynamicLocalAddrTo        IpAddress,
    natConfDynamicLocalPortFrom      Integer32,
    natConfDynamicLocalPortTo        Integer32,
    natConfDynamicGlobalAddrFrom     IpAddress,
    natConfDynamicGlobalAddrTo       IpAddress,
    natConfDynamicGlobalPortFrom     Integer32,
    natConfDynamicGlobalPortTo       Integer32,
    natConfDynamicProtocol           BITS,
    natConfDynamicAddrMapStorageType StorageType,
    natConfDynamicAddrMapStatus      RowStatus
}

natConfDynamicAddrMapName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An arbitrary, but unique identifier associated with this
            natConfDynamicAddrMapEntry. The value of this object is
            unique across both the static address map and the dynamic
            address map tables."
    ::= { natConfDynamicAddrMapEntry 1 }

natConfDynamicAddressMapType OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound  (1),
                    outbound (2),
                    both     (3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "Address (and Transport-ID) maps may be defined for both
            inbound and outbound direction. Outbound address map
            refers to mapping a selected set of addresses from
            private realm to a selected set of addresses in external
            realm; whereas inbound address map refers to mapping a
            set of addresses from the external realm to private
            realm."
    ::= { natConfDynamicAddrMapEntry 2 }

natConfDynamicLocalAddrFrom OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the first IP address of the range
            of IP addresses mapped by this translation entry."
    ::= { natConfDynamicAddrMapEntry 3 }

natConfDynamicLocalAddrTo OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the last IP address of the range of
            IP addresses mapped by this translation entry."
    ::= { natConfDynamicAddrMapEntry 4 }

natConfDynamicLocalPortFrom OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the first port number in the range of ports being mapped.
            If the translation specifies a single port, then the
            value of this object is equal to the value of
            natConfDynamicLocalPortTo."
    ::= { natConfDynamicAddrMapEntry 5 }

natConfDynamicLocalPortTo OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    -- read-create, like every other column of this row-creatable
    -- table (the sibling natConfStaticLocalPortTo is read-create).
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the last port number in the range of ports being mapped.
            If the translation specifies a single port, then the
            value of this object is equal to the value of
            natConfDynamicLocalPortFrom."
    ::= { natConfDynamicAddrMapEntry 6 }

natConfDynamicGlobalAddrFrom OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the first IP address of the range
            of IP addresses being mapped to."
    ::= { natConfDynamicAddrMapEntry 7 }

natConfDynamicGlobalAddrTo OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the last IP address of the range of
            IP addresses being mapped to."
    ::= { natConfDynamicAddrMapEntry 8 }

natConfDynamicGlobalPortFrom OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the first port number in the range of ports being mapped
            to. If the translation specifies a single port, then the
            value of this object is equal to the value of
            natConfDynamicGlobalPortTo."
    ::= { natConfDynamicAddrMapEntry 9 }

natConfDynamicGlobalPortTo OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a basic NAT, then the
            value of this object is '0'. If this conceptual row
            describes NAPT, then the value of this object specifies
            the last port number in the range of ports being mapped
            to. If the translation specifies a single port, then the
            value of this object is equal to the value of
            natConfDynamicGlobalPortFrom."
    ::= { natConfDynamicAddrMapEntry 10 }

natConfDynamicProtocol OBJECT-TYPE
    SYNTAX      BITS {
                    all   (0),
                    other (1),
                    icmp  (2),
                    udp   (3),
                    tcp   (4)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies a protocol identifier. If the
            value of this object is '0', then this basic NAT entry
            applies to all IP traffic. If the value of this object is
            non-zero, then this NAT entry only applies to IP traffic
            with the specified protocol."
    ::= { natConfDynamicAddrMapEntry 11 }

natConfDynamicAddrMapStorageType OBJECT-TYPE
    SYNTAX     StorageType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The storage type for this conceptual row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natConfDynamicAddrMapEntry 12 }

natConfDynamicAddrMapStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The status of this conceptual row.

        To create a row in this table, a manager must set this
        object to either createAndGo(4) or createAndWait(5)."
    ::= { natConfDynamicAddrMapEntry 13 }

--
-- NAT Interface Table
--

natInterfaceTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatInterfaceEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This table holds information regarding the interface
        on which NAT is enabled."
    ::= { natConfig 4 }

natInterfaceEntry OBJECT-TYPE
    SYNTAX     NatInterfaceEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "Each entry in the NAT Interface Table holds
        information regarding an interface on which NAT is
        enabled."
    INDEX { natInterfaceIndex }
    ::= { natInterfaceTable 1 }

NatInterfaceEntry ::= SEQUENCE {
    natInterfaceIndex        InterfaceIndex,
    natInterfaceRealm        INTEGER,
    natInterfaceStorageType  StorageType,
    natInterfaceStatus       RowStatus
}

natInterfaceIndex OBJECT-TYPE
    SYNTAX     InterfaceIndex
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The ifIndex of the interface on which NAT is enabled."
    ::= { natInterfaceEntry 1 }

natInterfaceRealm OBJECT-TYPE
    SYNTAX     INTEGER {
                   private (1),
                   public (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object identifies whether this interface is
        connected to the private or the public realm."
    DEFVAL { public }
    ::= { natInterfaceEntry 2 }

natInterfaceStorageType OBJECT-TYPE
    SYNTAX     StorageType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The storage type for this conceptual row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natInterfaceEntry 3 }

natInterfaceStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "Status of NAT on this interface.  An active status
        indicates that NAT is enabled on this interface."
    ::= { natInterfaceEntry 4 }

--
-- Notification thresholds
--

natConfAddressRiseThreshold OBJECT-TYPE
    SYNTAX     Unsigned32 (0..100)
    UNITS      "percentage"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
        "This object represents the rising threshold value for
        generation of the natAddressUseRising notification.  A
        notification is generated whenever the usage percentage
        of the address map is equal to or greater than
        natConfAddressRiseThreshold.

        Notifications should not be generated when the value of
        this object is 0."
    DEFVAL { 0 }
    ::= { natConfig 5 }

natConfAddressFallThreshold OBJECT-TYPE
    SYNTAX     Unsigned32 (0..100)
    UNITS      "percentage"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
        "This object represents the falling threshold value for
        generation of the natAddressUseRising notification.

        This object only represents the lower end of the
        hysteresis curve, and notifications are not generated when
        this threshold is crossed."
    DEFVAL { 0 }
    ::= { natConfig 6 }

--
-- The BIND Group
--

--
-- Address Bind section
--

natAddrBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object maintains a count of the number of entries
        that currently exist in the natAddrBindTable."
    ::= { natBind 1 }

--
-- The NAT Address BIND Table
--

natAddrBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This table holds information about the currently
        active NAT BINDs."
    ::= { natBind 2 }

natAddrBindEntry OBJECT-TYPE
    SYNTAX     NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "Each entry in the NAT BIND table holds information
        about a NAT BIND that is currently active."
    INDEX { natAddrBindLocalAddr }
    ::= { natAddrBindTable 1 }

--
-- NOTE: BIND table may be restructured to attend to conditional NAT.
--
NatAddrBindEntry ::= SEQUENCE {
    natAddrBindLocalAddr        IpAddress,
    natAddrBindGlobalAddr       IpAddress,
    natAddrBindId               Unsigned32,
    natAddrBindDirection        INTEGER,
    natAddrBindType             INTEGER,
    natAddrBindConfName         SnmpAdminString,
    natAddrBindSessionCount     Gauge32,
    natAddrBindCurrentIdleTime  TimeTicks,
    natAddrBindInTranslate      Counter32,
    natAddrBindOutTranslate     Counter32
}

natAddrBindLocalAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents the private-realm specific network
        layer address, which maps to the public-realm address
        represented by natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 1 }

natAddrBindGlobalAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents the public-realm network layer
        address that maps to the private-realm network layer
        address represented by natAddrBindLocalAddr."
    ::= { natAddrBindEntry 2 }

natAddrBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents a BIND id that is dynamically
        assigned to each BIND by a NAT enabled device.  Each
        BIND is represented by a unique BIND id across both
        the Address bind and Address-Port bind tables."
    ::= { natAddrBindEntry 3 }

natAddrBindDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   uniDirectional (1),
                   biDirectional (2)
               }
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents the direction of the BIND.  A
        BIND may be either uni-directional or bi-directional,
        same as the orientation of the address map, based on
        which this bind is formed.  The direction of this bind
        is with reference to the private realm."
    ::= { natAddrBindEntry 4 }

natAddrBindType OBJECT-TYPE
    SYNTAX     INTEGER {
                   static (1),
                   dynamic (2)
               }
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object indicates whether the BIND is static or
        dynamic."
    ::= { natAddrBindEntry 5 }

natAddrBindConfName OBJECT-TYPE
    SYNTAX     SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object is a pointer to the natConfTable entry (and
        the parameters of that entry) which was used in creating
        this BIND."
    ::= { natAddrBindEntry 6 }

natAddrBindSessionCount OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrBindEntry 7 }

natAddrBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "At any given instance of time, this object indicates the
        time that this BIND has been idle with no sessions
        attached to it.
        The value represented by this object is
        of relevance only when the value of Maximum Idle time
        (natConfMaxBindIdleTime) is non-zero."
    ::= { natAddrBindEntry 8 }

natAddrBindInTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets that were successfully
        translated as per this BIND entry."
    ::= { natAddrBindEntry 9 }

natAddrBindOutTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets that were successfully
        translated as per this BIND entry."
    ::= { natAddrBindEntry 10 }

--
-- Address-Port Bind section
--

natAddrPortBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object maintains a count of the number of entries
        that currently exist in the natAddrPortBindTable."
    ::= { natBind 3 }

--
-- The NAT Address-Port BIND Table
--

natAddrPortBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This table holds information about the currently
        active NAPT BINDs."
    ::= { natBind 4 }

--
-- NOTE: natAddrPortBindProtocol, a BITS, doesn't make sense as index.
-- This needs to be changed to an INTEGER object (of similar nature).
--

natAddrPortBindEntry OBJECT-TYPE
    SYNTAX     NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "Each entry in this table holds information about
        a NAPT BIND that is currently active."
    INDEX { natAddrPortBindLocalAddr, natAddrPortBindLocalPort,
            natAddrPortBindProtocol }
    ::= { natAddrPortBindTable 1 }

NatAddrPortBindEntry ::= SEQUENCE {
    natAddrPortBindLocalAddr        IpAddress,
    natAddrPortBindLocalPort        Integer32,
    natAddrPortBindProtocol         BITS,
    natAddrPortBindGlobalAddr       IpAddress,
    natAddrPortBindGlobalPort       Integer32,
    natAddrPortBindId               Unsigned32,
    natAddrPortBindDirection        INTEGER,
    natAddrPortBindType             INTEGER,
    natAddrPortBindConfName         SnmpAdminString,
    natAddrPortBindSessionCount     Gauge32,
    natAddrPortBindCurrentIdleTime  TimeTicks,
    natAddrPortBindInTranslate      Counter32,
    natAddrPortBindOutTranslate     Counter32
}

natAddrPortBindLocalAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents the private-realm specific network
        layer address which, in conjunction with
        natAddrPortBindLocalPort, maps to the public-realm
        network layer address and transport id represented by
        natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
        respectively."
    ::= { natAddrPortBindEntry 1 }

natAddrPortBindLocalPort OBJECT-TYPE
    SYNTAX     Integer32 (0..65535)
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents the private-realm specific port
        number (or query ID in case of ICMP messages) which, in
        conjunction with natAddrPortBindLocalAddr, maps to the
        public-realm network layer address and transport id
        represented by natAddrPortBindGlobalAddr and
        natAddrPortBindGlobalPort respectively."
    ::= { natAddrPortBindEntry 2 }

natAddrPortBindProtocol OBJECT-TYPE
    SYNTAX     BITS {
                   all (0),
                   other (1),
                   icmp (2),
                   udp (3),
                   tcp (4)
               }
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object specifies a protocol identifier.
        If the
        value of this object is '0', then this BIND entry
        applies to all IP traffic.  If the value of this object is
        non-zero, then this NAT entry only applies to IP traffic
        with the specified protocol."
    ::= { natAddrPortBindEntry 3 }

natAddrPortBindGlobalAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents the public-realm specific network
        layer address that, in conjunction with
        natAddrPortBindGlobalPort, maps to the private-realm
        network layer address and transport id represented by
        natAddrPortBindLocalAddr and natAddrPortBindLocalPort
        respectively."
    ::= { natAddrPortBindEntry 4 }

natAddrPortBindGlobalPort OBJECT-TYPE
    SYNTAX     Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents the port number (or query id in
        case of ICMP) that, in conjunction with
        natAddrPortBindGlobalAddr, maps to the private-realm
        network layer address and transport id represented by
        natAddrPortBindLocalAddr and natAddrPortBindLocalPort
        respectively."
    ::= { natAddrPortBindEntry 5 }

natAddrPortBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents a BIND id that is dynamically
        assigned to each BIND by a NAT enabled device.  Each
        BIND is represented by a unique BIND id across both
        the Address Bind and Address-Port Bind tables."
    ::= { natAddrPortBindEntry 6 }

natAddrPortBindDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   uniDirectional (1),
                   biDirectional (2)
               }
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents the direction of the BIND.  A
        BIND may be either uni-directional or bi-directional,
        same as the orientation of the address map, based on
        which this bind is formed.
        The direction of this bind
        is with reference to the private realm."
    ::= { natAddrPortBindEntry 7 }

natAddrPortBindType OBJECT-TYPE
    SYNTAX     INTEGER {
                   static (1),
                   dynamic (2)
               }
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object indicates whether the BIND is static or
        dynamic."
    ::= { natAddrPortBindEntry 8 }

natAddrPortBindConfName OBJECT-TYPE
    SYNTAX     SnmpAdminString
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object is a pointer to the natConfTable entry (and
        the parameters of that entry) which was used in creating
        this BIND."
    ::= { natAddrPortBindEntry 9 }

natAddrPortBindSessionCount OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrPortBindEntry 10 }

natAddrPortBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "At any given instance of time, this object indicates the
        time that this BIND has been idle with no sessions
        attached to it.  The value represented by this object is
        of relevance only when the value of Maximum Idle time
        (natConfMaxBindIdleTime) is non-zero."
    ::= { natAddrPortBindEntry 11 }

natAddrPortBindInTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets that were translated as per
        this BIND entry."
    ::= { natAddrPortBindEntry 12 }

natAddrPortBindOutTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets that were translated as per
        this BIND entry."
    ::= { natAddrPortBindEntry 13 }

--
-- The Session Table
--

natSessionTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The (conceptual) table containing one entry for each
        NAT session currently active on this NAT device."
    ::= { natBind 5 }

natSessionEntry OBJECT-TYPE
    SYNTAX     NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (conceptual row) containing information
        about an active NAT session on this NAT device."
    INDEX { natSessionBindId, natSessionId }
    ::= { natSessionTable 1 }

NatSessionEntry ::= SEQUENCE {
    natSessionBindId            Unsigned32,
    natSessionId                Unsigned32,
    natSessionDirection         INTEGER,
    natSessionUpTime            TimeTicks,
    natSessionProtocolType      NATProtocolType,
    natSessionOrigPrivateAddr   IpAddress,
    natSessionTransPrivateAddr  IpAddress,
    natSessionOrigPrivatePort   Integer32,
    natSessionTransPrivatePort  Integer32,
    natSessionOrigPublicAddr    IpAddress,
    natSessionTransPublicAddr   IpAddress,
    natSessionOrigPublicPort    Integer32,
    natSessionTransPublicPort   Integer32,
    natSessionCurrentIdletime   TimeTicks,
    natSessionSecondBindId      Unsigned32,
    natSessionInTranslate       Counter32,
    natSessionOutTranslate      Counter32
}

natSessionBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents a BIND id that is dynamically
        assigned to each BIND by a NAT enabled device.  This
        bind id is the same as represented by the BindId
        objects in the Address bind and Address-Port bind
        tables."
    ::= { natSessionEntry 1 }

natSessionId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The session ID for this NAT session."
    ::= { natSessionEntry 2 }

natSessionDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   inbound (1),
                   outbound (2)
               }
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The direction of this session with respect to the
        local network.  'inbound' indicates that this session
        was initiated from the public network into the private
        network.  'outbound' indicates that this session was
        initiated from the private network into the public
        network."
    ::= { natSessionEntry 3 }

natSessionUpTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The up time of this session in one-hundredths of a
        second."
    ::= { natSessionEntry 4 }

natSessionProtocolType OBJECT-TYPE
    SYNTAX     NATProtocolType
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The protocol type of this session.

        TCP and UDP sessions are uniquely identified by the
        tuple of (source IP address, source UDP/TCP port,
        destination IP address, destination TCP/UDP port).
        ICMP query sessions are identified by the tuple of
        (source IP address, ICMP query ID, destination IP
        address)."
    ::= { natSessionEntry 5 }

natSessionOrigPrivateAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The original IP address of the session endpoint that
        lies in the private network."
    ::= { natSessionEntry 6 }

natSessionTransPrivateAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The translated IP address of the session endpoint that
        lies in the private network.  The value of this object
        is equal to that of the original private IP address
        (natSessionOrigPrivateAddr) when there is no
        translation."
    ::= { natSessionEntry 7 }

natSessionOrigPrivatePort OBJECT-TYPE
    SYNTAX     Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The original transport port of the session endpoint that
        belongs to the private network.  If this is an ICMP session
        then the value is the ICMP request ID."
    ::= { natSessionEntry 8 }

natSessionTransPrivatePort OBJECT-TYPE
    SYNTAX     Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The translated transport port of the session that lies in
        the private network.  The value of this object is equal to
        that of the original transport port
        (natSessionOrigPrivatePort) when there is no translation."
    ::= { natSessionEntry 9 }

natSessionOrigPublicAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The original IP address of the session endpoint that lies
        in the public network."
    ::= { natSessionEntry 10 }

natSessionTransPublicAddr OBJECT-TYPE
    SYNTAX     IpAddress
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The translated IP address of the session endpoint that
        belongs to the public network.  The value of this object
        is equal to that of the original public IP Address
        (natSessionOrigPublicAddr) when there is no
        translation."
    ::= { natSessionEntry 11 }

natSessionOrigPublicPort OBJECT-TYPE
    SYNTAX     Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The original transport port of the session endpoint that
        belongs to the public network.  If this is an ICMP
        session then the value contains the ICMP request ID."
    ::= { natSessionEntry 12 }

natSessionTransPublicPort OBJECT-TYPE
    SYNTAX     Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The translated transport port of the session endpoint
        that belongs to the public network.  The value of this
        object is equal to that of the original transport port
        (natSessionOrigPublicPort) when there is no
        translation."
    ::= { natSessionEntry 13 }

natSessionCurrentIdletime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The time in one-hundredths of a second since a packet
        belonging to this session was last detected."
    ::= { natSessionEntry 14 }

natSessionSecondBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The natBindId of the 'other' NAT binding in case of Twice
        NAT.  An instance of this object contains a valid value
        only if the binding type for this session is TwiceNAT."
    ::= { natSessionEntry 15 }

natSessionInTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets that were translated by
        this session."
    ::= { natSessionEntry 16 }

natSessionOutTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets that were translated by
        this session."
    ::= { natSessionEntry 17 }

--
-- natStatistics Group
--

--
-- The Protocol Stats table
--

natProtocolStatsTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatProtocolStatsEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The (conceptual) table containing per protocol NAT
        statistics."
    ::= { natStatistics 1 }

natProtocolStatsEntry OBJECT-TYPE
    SYNTAX     NatProtocolStatsEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (conceptual row) containing NAT statistics
        pertaining to a particular protocol."
    INDEX { natProtocolStatsName }
    ::= { natProtocolStatsTable 1 }

NatProtocolStatsEntry ::= SEQUENCE {
    natProtocolStatsName          NATProtocolType,
    natProtocolStatsInTranslate   Counter32,
    natProtocolStatsOutTranslate  Counter32,
    natProtocolStatsRejectCount   Counter32
}

natProtocolStatsName OBJECT-TYPE
    SYNTAX     NATProtocolType
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents the protocol pertaining to which
        statistics are reported."
    ::= { natProtocolStatsEntry 1 }

natProtocolStatsInTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets, pertaining to the protocol
        identified by natProtocolStatsName, that underwent NAT."
    ::= { natProtocolStatsEntry 2 }

natProtocolStatsOutTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets, pertaining to the protocol
        identified by natProtocolStatsName, that underwent NAT."
    ::= { natProtocolStatsEntry 3 }

natProtocolStatsRejectCount OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of packets, pertaining to the protocol
        identified by natProtocolStatsName, that had to be
        rejected/dropped due to lack of resources.  These
        rejections could be due to session timeout, resource
        unavailability etc."
    ::= { natProtocolStatsEntry 4 }

--
-- The Address Map Stats table
--

natAddrMapStatsTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrMapStatsEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The (conceptual) table containing per address map NAT
        statistics."
    ::= { natStatistics 2 }

natAddrMapStatsEntry OBJECT-TYPE
    SYNTAX     NatAddrMapStatsEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (conceptual row) containing NAT statistics per
        address map."
    INDEX { natAddrMapStatsConfName, natAddrMapStatsMapName }
    ::= { natAddrMapStatsTable 1 }

NatAddrMapStatsEntry ::= SEQUENCE {
    natAddrMapStatsConfName      SnmpAdminString,
    natAddrMapStatsMapName       SnmpAdminString,
    natAddrMapStatsInTranslate   Counter32,
    natAddrMapStatsOutTranslate  Counter32,
    natAddrMapStatsNoResource    Counter32,
    natAddrMapStatsAddrUsed      Gauge32
}

natAddrMapStatsConfName OBJECT-TYPE
    SYNTAX     SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The name of the configuration (from the natConfTable),
        regarding which statistics are being reported.  The
        configuration name along with Map name uniquely
        identifies an entry across both (static and dynamic)
        Address Map tables."
    ::= { natAddrMapStatsEntry 1 }

natAddrMapStatsMapName OBJECT-TYPE
    SYNTAX     SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The name of the Address Map (from the
        natConfStaticAddrMapTable/natConfDynamicAddrMapTable),
        regarding which statistics are being reported.  The
        configuration name along with Map name uniquely
        identifies an entry across both (static and dynamic)
        Address Map tables."
    ::= { natAddrMapStatsEntry 2 }

natAddrMapStatsInTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets, pertaining to this address
        map entry, that were translated."
    ::= { natAddrMapStatsEntry 3 }

natAddrMapStatsOutTranslate OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets, pertaining to this
        address map entry, that were translated."
    ::= { natAddrMapStatsEntry 4 }

natAddrMapStatsNoResource OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of packets, pertaining to this address map
        entry, that were dropped due to lack of addresses in the
        address pool identified by this address map.  The value of
        this object should always be zero in case of static
        address map."
    ::= { natAddrMapStatsEntry 5 }

natAddrMapStatsAddrUsed OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of addresses, pertaining to this address map,
        that are currently being used from the nat pool.  The
        value of this object is irrelevant if the address map in
        question is a static address map."
    ::= { natAddrMapStatsEntry 6 }

--
-- The Interface Stats table
--

natInterfaceStatsTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatInterfaceStatsEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This table augments the natInterfaceTable and provides
        statistics information pertaining to the specified
        interface."
    ::= { natStatistics 3 }

natInterfaceStatsEntry OBJECT-TYPE
    SYNTAX     NatInterfaceStatsEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "Each entry of the natInterfaceStatsTable represents stats
        pertaining to one interface, which is identified by its
        ifIndex."
    AUGMENTS { natInterfaceEntry }
    ::= { natInterfaceStatsTable 1 }

NatInterfaceStatsEntry ::= SEQUENCE {
    natInterfacePktsIn   Counter32,
    natInterfacePktsOut  Counter32
}

natInterfacePktsIn OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "Number of packets received on this interface that
        were translated."
    ::= { natInterfaceStatsEntry 1 }

natInterfacePktsOut OBJECT-TYPE
    SYNTAX     Counter32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "Number of translated packets that were sent out this
        interface."
    ::= { natInterfaceStatsEntry 2 }

--
-- Notifications section
--

natNotificationPrefix  OBJECT IDENTIFIER ::= { natMIB 2 }
natNotifications       OBJECT IDENTIFIER ::=
                                      { natNotificationPrefix 0 }

--
-- Notification objects, i.e. objects accessible only for notification
-- purposes.
--

natNotificationObjects OBJECT IDENTIFIER ::=
                                      { natNotificationPrefix 1 }

natAddrMapName OBJECT-TYPE
    SYNTAX     SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS     current
    DESCRIPTION
        "This object represents the address map corresponding to
        which the addresses/ports have been exhausted, thereby
        resulting in a natPacketDiscard notification."
    ::= { natNotificationObjects 1 }

natPktDiscardReason OBJECT-TYPE
    SYNTAX     INTEGER {
                   other (1),
                   addressSpaceExhausted (2)
               }
    MAX-ACCESS accessible-for-notify
    STATUS     current
    DESCRIPTION
        "This object represents the reason for which a packet is
        discarded by NAT.
        addressSpaceExhausted (2) represents a situation wherein
        the address space required to do this mapping has been
        exhausted (used up by other translations).

        other (1) represents a case where the packet was
        discarded due to any other reasons."
    ::= { natNotificationObjects 2 }

--
-- Notifications
--

natAddressUseRising NOTIFICATION-TYPE
    OBJECTS { natAddrMapStatsAddrUsed }
    STATUS  current
    DESCRIPTION
        "This notification is generated whenever the number of
        addresses per address map is equal to or greater than the
        configured address rising threshold value.

        Note that once this notification is generated, another
        notification for the same address map should be generated
        only after the address usage falls to/below the defined
        falling threshold.

        This notification should be generated only for dynamic
        address maps, since it does not provide any useful
        information for static maps."
    ::= { natNotifications 1 }

-- Should natAddrMapStatsNoResource be used instead of natAddrMapName
-- - that will save us one extra object, but if/when the notification
-- is modified to include cases of explicit packet discard due to
-- reasons other than resource exhaustion.. it might be better to
-- have AddrMap name.  So we'll go with AddrMapName for now..

natPacketDiscard NOTIFICATION-TYPE
    OBJECTS { natAddrMapName, natPktDiscardReason }
    STATUS  current
    DESCRIPTION
        "This notification is generated whenever packets are
        discarded due to lack of mapping space, i.e. when we run
        out of addresses/ports in case of NAT/NAPT respectively.

        An agent should not generate more than one
        natPacketDiscard 'notification-event' in a given time
        interval (five seconds is the suggested default).  A
        'notification-event' is the transmission of a single
        trap or inform PDU to a list of notification
        destinations.
        If additional NAT packets are discarded within the
        throttling period, then notification-events for these
        changes should be suppressed by the agent until the
        current throttling period expires.  At the end of a
        throttling period, one notification-event should be
        generated if any NAT packet was discarded since the
        start of the throttling period.  In such a case, another
        throttling period is started right away."
    -- 1. Is the 5 sec period OK as a throttling value??
    ::= { natNotifications 2 }

--
-- Conformance information.
-- NOTE: Will need to revisit this section; leaving this as is for
-- now.
--

natMIBConformance OBJECT IDENTIFIER ::= { natMIB 3 }
natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 1 }
natMIBGroups      OBJECT IDENTIFIER ::= { natMIBConformance 2 }

--
-- Compliance statements
--

natMIBCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "The compliance statement for devices running NAT."
1946 MODULE -- this module 1947 MANDATORY-GROUPS { natConfigGroup, natBindGroup } 1949 ::= { natMIBCompliances 1 } 1951 -- 1952 -- Units of conformance 1953 -- 1955 natConfigGroup OBJECT-GROUP 1956 OBJECTS { natConfServiceType, 1957 natConfTimeoutIcmpIdle, 1958 natConfTimeoutUdpIdle, 1959 natConfTimeoutTcpIdle, 1960 natConfTimeoutTcpNeg, 1961 natConfTimeoutOther, 1962 natConfMaxBindLeaseTime, 1963 natConfMaxBindIdleTime, 1964 natConfStorageType, 1965 natConfStatus, 1966 natConfStaticAddrMapType, 1967 natConfStaticLocalAddrFrom, 1968 natConfStaticLocalAddrTo, 1969 natConfStaticLocalPortFrom, 1970 natConfStaticLocalPortTo, 1971 natConfStaticGlobalAddrFrom, 1972 natConfStaticGlobalAddrTo, 1973 natConfStaticGlobalPortFrom, 1974 natConfStaticGlobalPortTo, 1975 natConfStaticProtocol, 1976 natConfStaticAddrMapStorageType, 1977 natConfStaticAddrMapStatus, 1978 natConfDynamicAddressMapType, 1979 natConfDynamicLocalAddrFrom, 1980 natConfDynamicLocalAddrTo, 1981 natConfDynamicLocalPortFrom, 1982 natConfDynamicLocalPortTo, 1983 natConfDynamicGlobalAddrFrom, 1984 natConfDynamicGlobalAddrTo, 1985 natConfDynamicGlobalPortFrom, 1986 natConfDynamicGlobalPortTo, 1987 natConfDynamicProtocol, 1988 natConfDynamicAddrMapStorageType, 1989 natConfDynamicAddrMapStatus, 1990 natInterfaceRealm, 1991 natInterfaceStorageType, 1992 natInterfaceStatus } 1993 STATUS current 1994 DESCRIPTION 1995 "A collection of configuration-related information 1996 required to support management of devices supporting 1997 NAT." 
1998 ::= { natMIBGroups 1 } 2000 natBindGroup OBJECT-GROUP 2001 OBJECTS { natAddrBindNumberOfEntries, 2002 natAddrBindGlobalAddr, 2003 natAddrBindId, 2004 natAddrBindDirection, 2005 natAddrBindType, 2006 natAddrBindConfName, 2007 natAddrBindSessionCount, 2008 natAddrBindCurrentIdleTime, 2009 natAddrBindInTranslate, 2010 natAddrBindOutTranslate, 2011 natAddrPortBindNumberOfEntries, 2012 natAddrPortBindGlobalAddr, 2013 natAddrPortBindGlobalPort, 2014 natAddrPortBindId, 2015 natAddrPortBindDirection, 2016 natAddrPortBindType, 2017 natAddrPortBindConfName, 2018 natAddrPortBindSessionCount, 2019 natAddrPortBindCurrentIdleTime, 2020 natAddrPortBindInTranslate, 2021 natAddrPortBindOutTranslate, 2022 natSessionDirection, 2023 natSessionUpTime, 2024 natSessionProtocolType, 2025 natSessionOrigPrivateAddr, 2026 natSessionTransPrivateAddr, 2027 natSessionOrigPrivatePort, 2028 natSessionTransPrivatePort, 2029 natSessionOrigPublicAddr, 2030 natSessionTransPublicAddr, 2031 natSessionOrigPublicPort, 2032 natSessionTransPublicPort, 2033 natSessionCurrentIdletime, 2034 natSessionSecondBindId, 2035 natSessionInTranslate, 2036 natSessionOutTranslate } 2037 STATUS current 2038 DESCRIPTION 2039 "A collection of BIND-related objects required to support 2040 management of devices supporting NAT." 2041 ::= { natMIBGroups 2 } 2043 natStatsGroup OBJECT-GROUP 2044 OBJECTS { natProtocolStatsInTranslate, 2045 natProtocolStatsOutTranslate, 2046 natProtocolStatsRejectCount, 2047 natAddrMapStatsInTranslate, 2048 natAddrMapStatsOutTranslate, 2049 natAddrMapStatsNoResource, 2050 natAddrMapStatsAddrUsed, 2051 natInterfacePktsIn, 2052 natInterfacePktsOut } 2053 STATUS current 2054 DESCRIPTION 2055 "A collection of NAT statistics related objects required 2056 to support troubleshooting/monitoring NAT operation." 
       ::= { natMIBGroups 3 }

   natMIBNotifConfigGroup OBJECT-GROUP
       OBJECTS { natConfAddressRiseThreshold,
                 natConfAddressFallThreshold }
       STATUS  current
       DESCRIPTION
           "A collection of configuration objects required to support
           the threshold-based notifications."
       ::= { natMIBGroups 4 }

   natMIBNotificationObjectsGroup OBJECT-GROUP
       OBJECTS { natAddrMapName,
                 natPktDiscardReason }
       STATUS  current
       DESCRIPTION
           "A collection of objects required to support NAT
           notifications."
       ::= { natMIBGroups 5 }

   natMIBNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS { natAddressUseRising,
                       natPacketDiscard }
       STATUS  current
       DESCRIPTION
           "A collection of notifications which are generated by
           devices supporting this MIB."
       ::= { natMIBGroups 6 }

   END

6. Security Considerations

   This MIB contains readable objects whose values provide information
   related to NAT binds and sessions. Some of these objects could
   contain sensitive information, e.g. bind information. There are
   a number of management objects defined in this MIB that have a
   MAX-ACCESS clause of read-write and/or read-create. Such objects
   may be considered sensitive or vulnerable in some network
   environments.

   While unauthorized access to the readable objects may be relatively
   innocuous, unauthorized access to the writable objects could
   cause a denial of service and/or widespread network
   disturbance. Hence, the support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.

   SNMPv1 by itself is not a secure environment. Even if the network
   itself is secure, there is no control as to who on the secure
   network is allowed to access and GET/SET (read/change/create/delete)
   the objects in this MIB.
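   The agent-side behaviour specified for the two notifications above
   (the rising/falling threshold hysteresis of natAddressUseRising and
   the one-event-per-throttling-period rule of natPacketDiscard) is
   shown here as an added illustration in Python; it is not part of the
   draft, and the class and method names are this example's own
   assumptions, while the object names in the comments are the MIB's.

```python
# Added example (not part of the draft): a model of the notification
# logic an agent needs for natAddressUseRising and natPacketDiscard.
# Class/method names are this example's assumptions; the MIB object
# names appear only in comments.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddrUseMonitor:
    """natAddressUseRising hysteresis for one dynamic address map."""
    rise_threshold: int       # natConfAddressRiseThreshold
    fall_threshold: int       # natConfAddressFallThreshold
    armed: bool = True        # cleared once a notification fires

    def update(self, addr_used: int) -> bool:
        """Feed the current natAddrMapStatsAddrUsed; True when a notification is due."""
        if self.armed and addr_used >= self.rise_threshold:
            self.armed = False   # no repeat until usage falls to/below the falling threshold
            return True
        if not self.armed and addr_used <= self.fall_threshold:
            self.armed = True    # re-armed: the next crossing may notify again
        return False


@dataclass
class DiscardThrottle:
    """At most one natPacketDiscard notification-event per throttling period."""
    period: float = 5.0                 # suggested default, seconds
    period_end: Optional[float] = None  # None while no throttling period is active
    pending: bool = False               # a discard was suppressed in this period

    def tick(self, now: float) -> int:
        """Settle an expired period; returns the number of events (0 or 1) to send now."""
        if self.period_end is None or now < self.period_end:
            return 0
        if self.pending:                  # deferred event; a new period starts right away
            self.period_end, self.pending = now + self.period, False
            return 1
        self.period_end = None            # quiet period: throttling stops
        return 0

    def discard(self, now: float) -> int:
        """A NAT packet was discarded at time `now`; returns events (0 or 1) to send now."""
        sent = self.tick(now)
        if self.period_end is None:       # no active period: notify at once, start one
            self.period_end = now + self.period
            return 1
        self.pending = True               # suppressed until the current period expires
        return sent
```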
   It is recommended that implementers consider the security
   features as provided by the SNMPv3 framework. Specifically, the use
   of the User-based Security Model RFC 2574 [12] and the View-based
   Access Control Model RFC 2575 [15] is recommended.

   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB is properly
   configured to give access to the objects only to those
   principals (users) that have legitimate rights to indeed GET or
   SET (change/create/delete) them.

7. Future Directions

   o  Support for conditional NAT.

   o  Provide for protocol-specific configuration tables (thereby
      providing for extensibility).

   o  Combine the static and dynamic address map tables (since they
      represent similar information).

   o  natAddrPortBindProtocol, which is used as an index, is defined
      as BITS. It would make more sense to have this as INTEGER, but
      that would require deprecating the existing table and defining
      a new one. Further, the BIND table might also require
      modifications to support conditional NAT.

   o  Usage of IpAddress as a datatype in the MIB is no longer
      allowed [20]. All occurrences of IpAddress need to be replaced
      by InetAddressType and InetAddress.

   o  Revisit the conformance/compliance section to evaluate what's
      necessary and what's not.

8. References

   [1]  Wijnen, B., Harrington, D. and R. Presuhn, "An Architecture
        for Describing SNMP Management Frameworks", RFC 2571, April
        1999.

   [2]  Rose, M. and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", STD 16,
        RFC 1155, May 1990.

   [3]  Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
        RFC 1212, March 1991.

   [4]  Rose, M., "A Convention for Defining Traps for use with the
        SNMP", RFC 1215, March 1991.

   [5]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
        Rose, M. and S. Waldbusser, "Structure of Management
        Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [6]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
        Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2",
        STD 58, RFC 2579, April 1999.

   [7]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
        Rose, M. and S. Waldbusser, "Conformance Statements for
        SMIv2", STD 58, RFC 2580, April 1999.

   [8]  Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
        Network Management Protocol", STD 15, RFC 1157, May 1990.

   [9]  Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
        "Introduction to Community-based SNMPv2", RFC 1901, January
        1996.

   [10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
        "Transport Mappings for Version 2 of the Simple Network
        Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [11] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 2572, April 1999.

   [12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
        for version 3 of the Simple Network Management Protocol
        (SNMPv3)", RFC 2574, April 1999.

   [13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
        "Protocol Operations for Version 2 of the Simple Network
        Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [14] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC
        2573, April 1999.

   [15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
        Control Model (VACM) for the Simple Network Management
        Protocol (SNMP)", RFC 2575, April 1999.

   [16] Bradner, S., "The Internet Standards Process -- Revision 3",
        BCP 9, RFC 2026, October 1996.

   [17] Srisuresh, P. and K. Egevang, "Traditional IP Network Address
        Translator (Traditional NAT)", RFC 3022, January 2001.

   [18] Srisuresh, P. and M. Holdrege, "NAT Terminology and
        Considerations", RFC 2663, August 1999.

   [19] Srisuresh, P., "Framework for interfacing with Network Address
        Translator", Work in Progress, November 2000.

   [20] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder,
        "Textual Conventions for Internet Network Addresses", RFC
        2851, June 2000.

9. Acknowledgements

   The authors of this memo would like to thank Pyda Srisuresh and
   Randy Turner for their valuable contribution to this MIB.

10. Authors' Addresses

   Rohit R.
   World Wide Packets
   115 North Sullivan Road
   Veradale, Spokane, WA 99037
   Phone: +1 509 242 9320
   Email: Rohit.Rohit@worldwidepackets.com

   Nalinaksh Pai
   Cisco Systems, Inc.
   Prestige Waterford
   No. 9, Brunton Road
   Bangalore - 560 025
   India
   Phone: +91 80 532 1300 extn. 6354
   Email: npai@cisco.com

   Rajiv Raghunarayan
   Cisco Systems, Inc.
   Prestige Waterford
   No. 9, Brunton Road
   Bangalore - 560 025
   India
   Phone: +91 80 532 1300 extn. 6314
   Email: rrajiv@cisco.com

   Cliff Wang
   SmartPipes Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   Phone: +1 614 923 6241
   Email: CWang@smartpipes.com

11. Change History

   A record of changes which will be removed before publication.

   10 September 2001

   o  Added the following objects to support notifications:
      natConfAddressRiseThreshold, natConfAddressFallThreshold,
      natAddrMapName and natPktDiscardReason.

   o  The following notifications were added (there are still some
      unclear parameters though):
      natAddressUseRising and natPacketDiscard.

Full Copyright Statement

   Copyright (C) The Internet Society (2000). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.