Configure a NAT discovery to discover NAT environments and to enable Network Manager to manage NAT environments.
You set most of the NAT discovery settings from the Discovery Configuration GUI, except for the following tasks:
v Configure the NATTextFileAgent agent to provide support for any unsupported NAT gateway devices.
v Configure the NATGateway agent to correct the potential problem of incorrect connectivity when the NAT gateway is not in the public address space.
Quick reference for NAT discovery configuration:
Use this information as a step-by-step guide to configuring a NAT discovery.
The steps are described in the following table.
Table 15. Quick reference for NAT discovery configuration

1. Configure the discovery to use network address translation. You can do this using the Discovery Configuration GUI, or using the command line.
   Using the GUI: “Configuring NAT translation” on page 33
   Using the command line: “Enabling NAT translation” on page 120

2. Define each NAT gateway device and its corresponding address space. You can do this using the Discovery Configuration GUI, or using the command line.
   Using the GUI: “Configuring NAT translation” on page 33
   Using the command line: “Defining address spaces for NAT gateways” on page 120

3. Seed the Ping finder with the IP address of each NAT gateway device.
   Using the GUI: “Seeding discovery” on page 20
   Using the command line: guidance for seeding a discovery, “DiscoPingFinderSeeds.cfg configuration file” on page 61; guidance for seeding a NAT discovery, “Seeding discovery with NAT gateway addresses” on page 122

4. Define a scope zone for each NAT gateway device.
   Note: You do not need to define a scope zone for any NAT gateway device whose IP address already falls within another scope zone defined for the discovery.
   Note: Do not define an address space for the NAT gateway devices or for public subnet scopes. An address space can only be defined for private subnets.
   Using the GUI: “Scoping discovery” on page 17
   Using the command line: guidance for scoping a discovery, “DiscoScope.cfg configuration file” on page 64; example of how to define a scope zone for a private NAT subnet, “Defining a scope zone within a NAT domain” on page 121

5. Define scope zones for the public subnets associated with each NAT address space.
   Note: Do not define an address space for the NAT gateway devices or for public subnet scopes. An address space can only be defined for private subnets.
   These scope zones are defined in the same places (GUI and command line) as the scope zones in step 4.

6. Where possible, define scope zones for the private subnet associated with each NAT address space.
   Restriction: You can only define a scope zone for a private NAT address space where the subnet and netmask combination of the private subnet is unique within the discovery configuration.
   Make the following settings when defining this scope:
   a. Uncheck the Add to Ping Seed List option. You must do this because private addresses are not reachable from the management server and so cannot be pinged.
   b. Define an address space for this private subnet.
   The advantages of adding a scope zone for each private NAT address space are as follows:
   v This ensures that only addresses in that private space are fed back during the discovery.
   v If the NAT gateway device and the devices within the associated NAT address space are routers, then adding a scope zone for that private NAT address space limits the download of unnecessary routing data.
   These scope zones are defined in the same places (GUI and command line) as the scope zones in step 4.

7. Enable NAT agents as follows:
   v For supported NAT gateway devices, enable the CiscoNATTelnet or NATNetScreen agent.
   v For unsupported NAT gateway devices, create a NAT mapping file and enable the NATTextFileAgent agent.
   Using the GUI: “Activating agents” on page 27
   Using the command line: “Enabling agents for supported NAT gateway devices” on page 123; “Enabling agents for unsupported NAT gateway devices” on page 123
Related tasks:
“Example: Configuring a NAT discovery” on page 125
This example illustrates how to define address spaces using the NATTextFileAgent agent and how to set up associated discovery scopes.
Enabling NAT translation:
You can set the discovery system to use NAT translation by editing
$NCHOME/etc/precision/DiscoConfig.cfg to create or amend an insert into disco.NATStatus to set m_UsingNAT to 1 and m_NATStatus to 0.
The completed insert must resemble the following:
insert into disco.NATStatus (
    m_UsingNAT, m_NATStatus )
values (
    1, 0 );
Related tasks:
“Configuring NAT translation” on page 33
To configure NAT translation to discover NAT environments, map the
address-space identifier for a NAT domain to the IP address of the associated NAT gateway device.
“Enabling NAT translation”
You can set the discovery system to use NAT translation by editing
$NCHOME/etc/precision/DiscoConfig.cfg to create or amend an insert into disco.NATStatus to set m_UsingNAT to 1 and m_NATStatus to 0.
Defining address spaces for NAT gateways:
To specify the IP address of your NAT gateways and the address space identifier you want to use for each associated NAT domain, edit DiscoConfig.cfg to create or amend an insert into translations.NATAddressSpaceIds.
Follow these guidelines when defining address spaces for NAT gateways:
v The IP address must be the public IP address that is accessible from the management server.
v The address space field can be any descriptive string, but avoid special characters such as quotes. Follow the standard rules for DNS names, because the address space identifier might form part of the names given to devices in that domain.
The following example insert configures the discovery system for two NAT gateways.
insert into translations.NATAddressSpaceIds (
    m_NATGatewayIP, m_AddressSpaceId )
values (
    '172.16.1.112',
    'NATDomain1'
);
insert into translations.NATAddressSpaceIds (
    m_NATGatewayIP, m_AddressSpaceId )
values (
    '172.16.1.104',
    'NATDomain2'
);
Related tasks:
“Configuring NAT translation” on page 33
To configure NAT translation to discover NAT environments, map the
address-space identifier for a NAT domain to the IP address of the associated NAT gateway device.
“Enabling NAT translation” on page 120
You can set the discovery system to use NAT translation by editing
$NCHOME/etc/precision/DiscoConfig.cfg to create or amend an insert into disco.NATStatus to set m_UsingNAT to 1 and m_NATStatus to 0.
Defining a scope zone within a NAT domain:
You can customize inclusion and exclusion zones for individual NAT domains, using the m_AddressSpace column of the scope.zones table.
The following example insert defines an inclusion zone for a private subnet associated with a NAT domain.
insert into scope.zones (
    m_Protocol, m_Action, m_Zones, m_AddressSpace )
values (
    1, 1, [
        { m_Subnet="172.16.2.*" }
    ],
    "NATDomain1"
);
The above example defines one inclusion zone. Network Manager discovers any device with an IP address starting with 172.16.2, that is, in the private 172.16.2.0 subnet with a mask of 255.255.255.0, that also belongs to the NAT address space NATDomain1. The protocol is set to 1, that is, IP, and the action is set to 1, that is, include.
Note: Do not define an address space for the NAT gateway devices or for public subnet scopes. Address space can only be defined for private subnets.
Related tasks:
“Configuring NAT translation” on page 33
To configure NAT translation to discover NAT environments, map the
address-space identifier for a NAT domain to the IP address of the associated NAT gateway device.
“Enabling NAT translation” on page 120
You can set the discovery system to use NAT translation by editing
$NCHOME/etc/precision/DiscoConfig.cfg to create or amend an insert into disco.NATStatus to set m_UsingNAT to 1 and m_NATStatus to 0.
Seeding discovery with NAT gateway addresses:
Seed a NAT discovery by inserting into the Ping finder the IP addresses of the main routers within the system. Also seed the discovery with the IP addresses of the NAT gateways.
In a NAT-based discovery, the discovery must discover the NAT gateways before discovering the rest of the network, so the NAT gateways must first be found with a finder.
Network Manager is configured to trigger the seeding of all the NAT gateways if NAT translation has been enabled. However, the triggering relies on the Ping finder being active. If seeding is done, for example, using only the File finder, then the NAT gateways are not pinged even if NAT translation has been enabled. It is good practice, therefore, to seed the discovery with all the NAT gateways. You can do this using the File finder, Ping finder, or any other method.
You can also seed the discovery with NAT gateways using the Discovery Configuration GUI.
Related tasks:
“Configuring NAT translation” on page 33
To configure NAT translation to discover NAT environments, map the
address-space identifier for a NAT domain to the IP address of the associated NAT gateway device.
“Enabling NAT translation” on page 120
You can set the discovery system to use NAT translation by editing
$NCHOME/etc/precision/DiscoConfig.cfg to create or amend an insert into disco.NATStatus to set m_UsingNAT to 1 and m_NATStatus to 0.
Enabling NAT agents:
If you are running a NetScreen® firewall or a Cisco® router as a NAT gateway, you must use either the CiscoNATTelnet agent or the NATNetScreen agent.
Ensure that you enable the appropriate NAT translation agents. These agents must run to discover the NAT gateways. If they are not run, discovery cannot complete as it cannot properly discover the network without first discovering the NAT Gateways.
The NAT agents are currently CiscoNATTelnet, NATNetScreen and NATTextFileAgent. The CiscoNATTelnet agent works on Cisco IOS routers providing NAT translation and is not certified for PIX firewalls. The NATNetScreen agent is for NetScreen firewalls.
If you are using a NAT gateway other than a NetScreen Firewall or a Cisco Router, you must use the Perl agent NATTextFileAgent.pl, as described in “Enabling agents for unsupported NAT gateway devices.”
Enabling agents for supported NAT gateway devices:
The CiscoNATTelnet and NATNetScreen agents connect directly to the NAT gateways to download the address mappings. You can configure these agents.
Before running these agents, you must do the following tasks:
v Enable NAT translation
v Configure trap handling
To configure and run the agents:
1. Enable the agents. There is an insert into the disco.agents table in the DiscoAgents.cfg configuration file for every installed discovery agent. To activate an agent, you must alter the insert so that the m_Valid column for that agent is set to 1. To deactivate an agent, ensure that m_Valid=0.
The following example insert activates the CiscoNATTelnet agent.
insert into disco.agents (
    m_AgentName, m_Valid, m_AgentClass, m_IsIndirect, m_Precedence, m_DebugLevel, m_LogFile
) values (
    'CiscoNATTelnet', 1, 8, 0, 2, 4,
    "$NCHOME/log/precision/CiscoNatTelnet.log"
);
2. Run a discovery.
Related tasks:
“Activating agents” on page 27
You must enable the appropriate agents for the discovery you want to perform.
You can specify agents for a full discovery or for a partial discovery.
Enabling agents for unsupported NAT gateway devices:
The NATTextFileAgent is provided as a backup if your NAT translation device is unsupported. You can configure this agent.
Before running the NATTextFileAgent agent, you must do the following tasks:
v Enable NAT translation
v Configure trap handling
The NATTextFileAgent reads a flat file called NATTranslations.txt that contains the NAT translations present on a particular NAT gateway. This allows the discovery an avenue to support a network containing a currently unsupported NAT gateway.
This agent does not download its information from the NAT gateways, but reads a list of private to public IP address mappings from a flat file.
To configure and run the agent:
1. Install the Perl API. All Perl agents require the API to run. The API is installed by default in Network Manager.
To check whether the API is installed, check that the following file exists:
$NCHOME/precision/bin/ncp_perl
If the file is listed, then the Perl API is installed.
2. Create a NAT mapping file to be read by the agent that contains the public to private address mappings. Your NAT mapping file must be in a format that can be read by the agent, that is, the values must be valid IP addresses specified in columns separated by tabs.
By default, the agent uses the file $NCHOME/etc/precision/NATTranslations.txt. If you want to create your own mappings, back up and then edit this default file. To make the agent use a non-default NAT mapping file instead, edit the following line in $NCHOME/precision/disco/agents/Perlagents/NATTextFileAgent.pl so that it names your file:
my $natFileName = "$ENV{NCHOME}/etc/precision/NATTranslations.txt";
3. The NAT mapping file contains the following columns:
v The IP address of the NAT gateway of the NAT domain to which the device belongs. You must specify mappings for all NAT gateways in the same file.
v The outside global address of the device, that is, the public address of the device.
v The inside local address of the device, that is, the private address of the device.
The following example shows a NAT mapping file for two gateways having IP addresses of 1.2.3.4 and 1.2.3.9 respectively.
// NATGatewayIP PublicIP PrivateIP
1.2.3.4 2.3.4.5 10.10.1.1
1.2.3.4 2.3.4.6 10.10.1.2
1.2.3.9 2.3.6.1 10.10.1.1
1.2.3.9 2.3.6.2 10.10.1.2
Note: From the perspective of the management station, the public IP address in a particular gateway translation is not necessarily the address that the management station itself sees. The public address is the IP address that the gateway receives on one port and then translates and places on another port. This matters when gateways are chained and an IP address is translated multiple times: the public IP is the address on the side closer to the management domain.
4. Enable the agent. There is an insert in the disco.agents table in the DiscoAgents.cfg configuration file for every installed discovery agent. To activate an agent, alter the insert so that the m_Valid column for that agent is set to 1. To deactivate an agent, ensure that m_Valid=0.
The following example insert activates the NATTextFileAgent agent.
insert into disco.agents (
    m_AgentName, m_Valid, m_AgentClass, m_IsIndirect, m_Precedence, m_IsPerl )
values (
    'NATTextFileAgent', 1, 8, 0, 2, 1 );
5. Ensure that the NATTimer.stch stitcher has been configured to trigger a rediscovery against the NAT gateways. By default, the NATTimer.stch stitcher runs every hour. You can alter this interval by locating the following line in the stitcher file and changing the integer value:
ActOnTimedTrigger( ( m_Interval ) values ( 1 ) ; ) ;
6. Run a discovery.
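The prerequisites this page sets for a NAT discovery (m_UsingNAT set to 1 in disco.NATStatus, a gateway-to-address-space mapping in translations.NATAddressSpaceIds whose identifiers follow DNS naming rules, and at least one NAT agent with m_Valid set to 1 in disco.agents) can be checked before the discovery is launched. The following Python script is an added example and is not Network Manager's own code: it parses insert statements in the syntax shown on this page with a simple regular expression (it does not handle the nested m_Zones lists used in DiscoScope.cfg) and reports anything missing. The two configuration fragments embedded in it are constructed for the example; in practice, read $NCHOME/etc/precision/DiscoConfig.cfg and DiscoAgents.cfg. The DNS-label and duplicate-identifier checks are this example's own interpretation of the guidance above.

```python
import ipaddress
import re

# Constructed sample fragments in the insert syntax shown on this page.
# 'NAT Domain 2' deliberately breaks the DNS-name guidance for address spaces.
SAMPLE_DISCOCONFIG = '''
insert into disco.NATStatus (
    m_UsingNAT, m_NATStatus )
values (
    1, 0 );

insert into translations.NATAddressSpaceIds (
    m_NATGatewayIP, m_AddressSpaceId )
values (
    '172.16.1.112', 'NATDomain1' );

insert into translations.NATAddressSpaceIds (
    m_NATGatewayIP, m_AddressSpaceId )
values (
    '172.16.1.104', 'NAT Domain 2' );
'''

SAMPLE_DISCOAGENTS = '''
insert into disco.agents (
    m_AgentName, m_Valid, m_AgentClass, m_IsIndirect, m_Precedence, m_IsPerl )
values (
    'NATTextFileAgent', 0, 8, 0, 2, 1 );
insert into disco.agents (
    m_AgentName, m_Valid, m_AgentClass, m_IsIndirect, m_Precedence, m_DebugLevel, m_LogFile )
values (
    'CiscoNATTelnet', 1, 8, 0, 2, 4, "$NCHOME/log/precision/CiscoNatTelnet.log" );
'''

# Matches "insert into <table> ( cols ) values ( vals ) ;" with no nested parentheses.
INSERT_RE = re.compile(
    r"insert\s+into\s+([\w.]+)\s*\((.*?)\)\s*values\s*\((.*?)\)\s*;",
    re.IGNORECASE | re.DOTALL,
)
NAT_AGENTS = {"CiscoNATTelnet", "NATNetScreen", "NATTextFileAgent"}
# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_inserts(text):
    """Return a list of (table, {column: value}) for each simple insert in text.

    Values are split on commas outside quotes; quotes are stripped and plain
    integers converted. A column/value count mismatch raises ValueError.
    """
    records = []
    for m in INSERT_RE.finditer(text):
        table, cols, vals = m.group(1), m.group(2), m.group(3)
        names = [c.strip() for c in cols.split(",") if c.strip()]
        tokens = re.findall(r"""'[^']*'|"[^"]*"|[^,\s]+""", vals)
        values = []
        for tok in tokens:
            if tok[0] in "'\"":
                values.append(tok[1:-1])
            elif tok.lstrip("-").isdigit():
                values.append(int(tok))
            else:
                values.append(tok)
        if len(names) != len(values):
            raise ValueError(f"{table}: {len(names)} columns but {len(values)} values")
        records.append((table, dict(zip(names, values))))
    return records


def check_nat_config(discoconfig_text, discoagents_text):
    """Return a list of problems; an empty list means the NAT prerequisites are met."""
    problems = []
    cfg = parse_inserts(discoconfig_text)
    agents = parse_inserts(discoagents_text)

    status = [r for t, r in cfg if t.lower() == "disco.natstatus"]
    if not status or status[-1].get("m_UsingNAT") != 1:
        problems.append("disco.NATStatus: m_UsingNAT is not 1, NAT translation is disabled")
    elif status[-1].get("m_NATStatus") != 0:
        problems.append("disco.NATStatus: m_NATStatus should be 0")

    spaces = [r for t, r in cfg if t.lower() == "translations.nataddressspaceids"]
    if not spaces:
        problems.append("translations.NATAddressSpaceIds: no NAT gateways defined")
    seen_ids = {}
    for r in spaces:
        gw, sid = r.get("m_NATGatewayIP"), r.get("m_AddressSpaceId")
        try:
            ipaddress.IPv4Address(gw)
        except (ipaddress.AddressValueError, TypeError):
            problems.append(f"NATAddressSpaceIds: gateway {gw!r} is not a valid IPv4 address")
        if not isinstance(sid, str) or not DNS_LABEL_RE.match(sid):
            problems.append(f"NATAddressSpaceIds: address space {sid!r} is not a valid DNS label")
        if sid in seen_ids and seen_ids[sid] != gw:
            problems.append(f"NATAddressSpaceIds: address space {sid!r} used for both {seen_ids[sid]} and {gw}")
        seen_ids[sid] = gw

    enabled = {r["m_AgentName"] for t, r in agents
               if t.lower() == "disco.agents" and r.get("m_Valid") == 1}
    if not enabled & NAT_AGENTS:
        problems.append("disco.agents: no NAT agent (CiscoNATTelnet, NATNetScreen or NATTextFileAgent) has m_Valid=1")
    return problems


if __name__ == "__main__":
    for problem in check_nat_config(SAMPLE_DISCOCONFIG, SAMPLE_DISCOAGENTS) or ["OK"]:
        print(problem)
```

Run against the real files by reading them into the two text arguments; the check is conservative, so a non-empty list is a reason to look at the file, not proof that the discovery will fail.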
Enable agent for NAT gateway devices in private address space:
When the NAT gateway is not in the public address space, you can enable the NATGateway agent to correct the potential problem of incorrect connectivity.
The discovery assumes that the management interface of the NAT gateway is in public address space. If this is not the case, Network Manager cannot identify the address space of interfaces on the NAT gateway device, which might result in incorrect connectivity. For example, when a VPN is used to access the management interface, the NAT gateway management interface is not in the public address space.
The NATGateway agent enables Network Manager to determine whether a given interface on a NAT gateway device is on the public or private side of the NAT gateway, and thereby correctly resolve device connectivity.
To overcome this problem, activate the NATGateway agent and provide Network Manager with a mapping file, NATGateways.txt. In this file, provide a list of all NAT gateway devices together with the interfaces on each device and a field to indicate whether the interface is on the public or private side of the NAT gateway.
This agent works in conjunction with the NATGatewayRetProcessing.stch stitcher and with the NATGateways.txt file in $NCHOME/etc/precision.
Table 16 shows the format of the NATGateways.txt file by example. Fields in this text file must be separated by tabs; each line names a NAT gateway (its base name), whether the interface is on the inside (private) or outside (public) side of the gateway, and the IP address of that interface.
Table 16. Format of NATGateways.txt file
Base name       Inside or outside   Interface IP address
1.1.1.4         outside             172.16.4.10
1.1.1.4         inside              10.52.2.10
sca_T1ukP_16    outside             192.168.36.93
sca_T1ukP_16    outside             192.168.36.98
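The following Python script is an added example and is not part of the NATGateway agent or of Network Manager. It parses NATGateways.txt in the tab-separated format of Table 16, answers which side of a gateway a given interface is on, and warns about entries worth checking before the agent is run: a gateway with no inside or no outside interface listed (as with sca_T1ukP_16 in Table 16), an interface address that appears under two different gateways, and an outside interface carrying RFC 1918 space, which is legitimate in the VPN case described above but is the situation that makes the agent necessary. The sample content is Table 16 reconstructed as tab-separated text; the warnings themselves are this example's own choices, not checks the agent is documented to make.

```python
import ipaddress
from collections import defaultdict

VALID_SIDES = {"inside", "outside"}

# Constructed sample: the content of Table 16 as tab-separated text.
SAMPLE_NATGATEWAYS_FILE = "\n".join([
    "1.1.1.4\toutside\t172.16.4.10",
    "1.1.1.4\tinside\t10.52.2.10",
    "sca_T1ukP_16\toutside\t192.168.36.93",
    "sca_T1ukP_16\toutside\t192.168.36.98",
])


def parse_natgateways(text):
    """Return {base_name: {interface_ip: side}} from NATGateways.txt text.

    Each non-blank line must have three tab-separated fields: the gateway's
    base name, 'inside' or 'outside', and a valid IPv4 interface address.
    Malformed lines raise ValueError with the line number rather than being
    skipped, since a silently dropped interface would yield wrong connectivity.
    """
    table = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("\t")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields, got {len(fields)}")
        base, side, ip = fields
        side = side.lower()
        if side not in VALID_SIDES:
            raise ValueError(f"line {lineno}: side must be inside or outside, got {side!r}")
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if addr in table[base] and table[base][addr] != side:
            raise ValueError(f"line {lineno}: {ip} listed as both inside and outside on {base}")
        table[base][addr] = side
    return dict(table)


def check_natgateways(table):
    """Return warning strings for entries a practitioner should look at."""
    warnings = []
    seen = {}
    for base, interfaces in table.items():
        sides = set(interfaces.values())
        for missing in VALID_SIDES - sides:
            warnings.append(f"{base}: no {missing} interface listed; connectivity on that side cannot be resolved")
        for addr, side in interfaces.items():
            if addr in seen and seen[addr] != base:
                warnings.append(f"{addr}: listed on both {seen[addr]} and {base}")
            seen[addr] = base
            # An outside interface in RFC 1918 space is what the VPN case above
            # looks like; it is not an error, but confirm it is intended.
            if side == "outside" and addr.is_private:
                warnings.append(f"{base}: outside interface {addr} is in private (RFC 1918) space")
    return warnings


def side_of(table, base, ip):
    """'inside', 'outside', or None when the interface is not listed for that gateway."""
    return table.get(base, {}).get(ipaddress.IPv4Address(ip))


if __name__ == "__main__":
    gateways = parse_natgateways(SAMPLE_NATGATEWAYS_FILE)
    print(side_of(gateways, "1.1.1.4", "10.52.2.10"))
    for warning in check_natgateways(gateways):
        print("WARNING:", warning)
```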
Example: Configuring a NAT discovery:
This example illustrates how to define address spaces using the NATTextFileAgent agent and how to set up associated discovery scopes.
Do the following tasks before running through the steps in this example:
v Configure the discovery to use network address translation.
v Seed the Ping finder with the IP address of each NAT gateway device.
In this example the NAT gateway devices are unsupported. This means that the NATTextFileAgent agent must be used in this NAT discovery.
The NATTextFileAgent agent uses a NAT mapping file, with the following content.
There are three NAT gateway devices, with mappings for each of the devices in the associated address spaces.
//First NAT gateway and mappings
//NATGateway PublicIP Private IP
201.201.201.201 61.61.61.1 192.168.1.1
201.201.201.201 61.61.61.2 192.168.1.2
201.201.201.201 61.61.61.3 192.168.1.3
201.201.201.201 61.61.61.4 192.168.1.4
201.201.201.201 61.61.61.5 192.168.1.5
201.201.201.201 61.61.61.6 192.168.1.6
//Second NAT gateway and mappings
//NATGateway PublicIP Private IP
202.202.202.202 62.62.62.1 192.168.1.1
202.202.202.202 62.62.62.2 192.168.1.2
202.202.202.202 62.62.62.3 192.168.1.3
202.202.202.202 62.62.62.4 192.168.1.4
202.202.202.202 62.62.62.5 192.168.1.5
202.202.202.202 62.62.62.6 192.168.1.6
//Third NAT gateway and mappings
//NATGateway PublicIP Private IP
203.203.203.203 63.63.63.1 192.168.3.1
203.203.203.203 63.63.63.2 192.168.3.2
203.203.203.203 63.63.63.3 192.168.3.3
203.203.203.203 63.63.63.4 192.168.3.4
203.203.203.203 63.63.63.5 192.168.3.5
203.203.203.203 63.63.63.6 192.168.3.6
For the first and second address spaces, the private IP address space is not unique: for both, the private subnet is defined by the same subnet and netmask combination, 192.168.1.0/29.
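The restriction that a private scope zone may only be defined where the private subnet is unique can be checked from the mapping file itself. The following Python script is an added example and is not the NATTextFileAgent or any other Network Manager code. It parses a NATTranslations.txt file in the tab-separated format described in “Enabling agents for unsupported NAT gateway devices” (skipping // comment lines and rejecting malformed lines rather than guessing at them), derives the smallest subnet covering each gateway's public and private addresses, flags private subnets that collide with another address space, and emits the translations.NATAddressSpaceIds and scope.zones inserts that steps 1 to 4 below write by hand. The mapping text and the address-space names RTP1, RTP2 and RTP3 are taken from this example and constructed inline. Treating an overlapping private subnet as non-unique, rather than only an identical one, is this example's own stricter choice. The Add to Ping Seed List setting for private zones is a GUI option that these inserts do not carry, so it still has to be made separately.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the three-gateway mapping file from the example
# above, regenerated here as tab-separated text with "//" comment lines.
SAMPLE_MAPPING_FILE = "//NATGateway\tPublicIP\tPrivate IP\n" + "\n".join(
    f"{gw}\t{pub}.{i}\t{priv}.{i}"
    for gw, pub, priv in (
        ("201.201.201.201", "61.61.61", "192.168.1"),
        ("202.202.202.202", "62.62.62", "192.168.1"),
        ("203.203.203.203", "63.63.63", "192.168.3"),
    )
    for i in range(1, 7)
)

# Assumed address-space names keyed by gateway IP (RTP1 to RTP3, as in the example).
SAMPLE_SPACE_NAMES = {
    "201.201.201.201": "RTP1",
    "202.202.202.202": "RTP2",
    "203.203.203.203": "RTP3",
}


def parse_mapping_file(text):
    """Parse NATTranslations.txt text into (gateway, public, private) address tuples.

    Blank lines and lines starting with // are skipped. Every other line must
    have exactly three tab-separated columns, each a valid IPv4 address; a
    malformed line raises ValueError naming the line, because a mapping the
    agent cannot read is a mapping the discovery silently lacks.
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        cols = line.split("\t")
        if len(cols) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated columns, got {len(cols)}")
        try:
            rows.append(tuple(ipaddress.IPv4Address(c.strip()) for c in cols))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return rows


def covering_network(addresses):
    """Smallest IPv4 network (longest prefix) that contains every address."""
    first = next(iter(addresses))
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if all(a in net for a in addresses):
            return net


def analyse(rows, space_names):
    """Per gateway: address-space name, covering public/private subnets, and
    whether the private subnet is unique enough for a scope zone of its own."""
    by_gw = defaultdict(lambda: {"public": set(), "private": set()})
    for gw, pub, priv in rows:
        by_gw[gw]["public"].add(pub)
        by_gw[gw]["private"].add(priv)
    spaces = {}
    for gw, sides in by_gw.items():
        name = space_names.get(str(gw))
        if name is None:
            raise ValueError(f"no address-space name for gateway {gw}")
        spaces[str(gw)] = {
            "name": name,
            "public_net": covering_network(sides["public"]),
            "private_net": covering_network(sides["private"]),
            # The private column should hold RFC 1918 space; anything else
            # suggests swapped columns in the mapping file.
            "private_is_rfc1918": all(a.is_private for a in sides["private"]),
        }
    for space in spaces.values():
        # The page's restriction is on an identical subnet/netmask; overlap is
        # treated the same way here, since overlapping zones are ambiguous.
        space["private_unique"] = not any(
            other is not space and space["private_net"].overlaps(other["private_net"])
            for other in spaces.values()
        )
    return spaces


def zone_insert(network, address_space):
    """One scope.zones inclusion insert (m_Protocol=1 is IP, m_Action=1 is include)."""
    return (
        "insert into scope.zones (\n"
        "    m_Protocol, m_Action, m_Zones, m_AddressSpace )\n"
        "values (\n"
        f'    1, 1, [ {{ m_Subnet="{network.network_address}", m_NetMask={network.prefixlen} }} ],\n'
        f'    "{address_space}"\n'
        ");"
    )


def config_inserts(spaces):
    """Emit the DiscoConfig.cfg and DiscoScope.cfg inserts for every address space."""
    out = []
    for gw, space in sorted(spaces.items()):
        out.append(
            "insert into translations.NATAddressSpaceIds (\n"
            "    m_NATGatewayIP, m_AddressSpaceId )\n"
            f'values (\n    "{gw}", "{space["name"]}"\n);'
        )
        # Gateway and public subnet carry no address space: they are public.
        out.append(zone_insert(ipaddress.ip_network(f"{gw}/32"), ""))
        out.append(zone_insert(space["public_net"], ""))
        # Private subnet: only where unique, and tagged with its address space.
        if space["private_unique"]:
            out.append(zone_insert(space["private_net"], space["name"]))
    return "\n".join(out)


if __name__ == "__main__":
    result = analyse(parse_mapping_file(SAMPLE_MAPPING_FILE), SAMPLE_SPACE_NAMES)
    for gw, space in sorted(result.items()):
        status = "unique" if space["private_unique"] else "NOT unique: no private scope zone"
        print(f'{space["name"]} via {gw}: public {space["public_net"]}, private {space["private_net"]}, {status}')
    print(config_inserts(result))
```

For the example data the script reports RTP1 and RTP2 as sharing 192.168.1.0/29 and emits a private scope zone only for RTP3, which is the result steps 1 to 4 below arrive at by hand.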
Based on this NAT gateway device and address space data, define discovery scopes as follows.
1. Define each NAT gateway device and its corresponding address space. In this example, the names of the three NAT address spaces are RTP1, RTP2, and RTP3. For example, for the third NAT gateway device, the following insert defines the NAT device and its associated address space, RTP3:
insert into translations.NATAddressSpaceIds (
m_NATGatewayIP, m_AddressSpaceId )
values (
"203.203.203.203", "RTP3"
);
2. Define a scope zone for each NAT gateway device.
Note: You do not need to define a scope zone for any NAT Gateway devices whose IP address is already within any other scope zones defined for the discovery.
For example, for the first NAT gateway device, the following insert defines the scope zone:
insert into scope.zones (
m_Protocol, m_Action, m_Zones, m_AddressSpace )
values (
1, 1, [
{
m_Subnet="201.201.201.201", m_NetMask=32
} ],
""
);
3. Define scope zones for the public subnets associated with each NAT address space. For example, for the third public subnet, the following insert defines the scope zone:
insert into scope.zones (
m_Protocol, m_Action, m_Zones, m_AddressSpace )
values (
1, 1, [
{
m_Subnet="63.63.63.0", m_NetMask=29
} ],
""
);
4. Define a scope zone for the private subnet associated with the third NAT address space only.
Restriction: You can only define a scope zone for a private NAT address space where the subnet and netmask combination of the private subnet is unique within the discovery configuration. This excludes the first and second private subnet.
For the third private subnet, the following insert defines the scope zone:
insert into scope.zones (
m_Protocol, m_Action, m_Zones, m_AddressSpace )
values (
1, 1, [
{
m_Subnet="192.168.3.0", m_NetMask=29
} ],
"RTP3"
);
5. Enable the NATTextFileAgent agent.
Now you can launch the NAT discovery.
Related reference:
“Quick reference for NAT discovery configuration” on page 118
Use this information as a step-by-step guide to configuring a NAT discovery.