Network address translation gateway for local area networks using local IP addresses and non-translatable port addresses
First Claim
1. A network address translating (“NAT”) gateway for detecting datagrams having process-specific nontranslatable port addresses and passing said datagrams through the NAT gateway without translating their port addresses, said NAT gateway connecting a LAN to an external network, said LAN using local IP addresses, said NAT gateway having a local IP address that can be referenced by devices on said LAN and having an external IP address that can be referenced by devices on said external network, said NAT gateway comprising:
said NAT gateway having a plurality of internal tables associating combinations of local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, security parameter index (“SPI”)-In values, SPI-Out values, source port addresses, destination port addresses, and process-specific port addresses;
said NAT gateway maintaining a list of selected process-specific nontranslatable port addresses to which datagrams can be passed without translating their port addresses;
means for performing normal address translation upon datagrams passing from said LAN to said external network and datagrams passing from said external network to said LAN;
means for delivering a datagram from a local device on said LAN to an external device on said external network by receiving a datagram from a local device on said LAN intended for delivery to an external device on said external network, and determining whether the destination port address for said datagram is included in said list of selected process-specific nontranslatable port addresses and, if said destination port address is not included in said list of selected process-specific nontranslatable port addresses, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device;
and if said destination port address is included in said list of selected process-specific nontranslatable port addresses, determining whether said destination port address is bound to a local IP address, and if said destination port address is bound to a local IP address, performing normal address translation upon said datagram and passing said datagram to said external network;
and if said destination port address is not bound to a local IP address, passing said datagram through said NAT gateway without translating said port addresses of said datagram, modifying said source IP address of said datagram to be said external IP address of said NAT gateway, binding said destination port address to the local IP address of said local device and creating an association between said destination port address and the external IP address of said external device, and passing said datagram to said external network for routing and delivery to said external device.
Abstract
A network address translation gateway (20) provides normal network translation for IP datagrams traveling from a local area network (10) using local IP addresses to an external network (30), but suspends source service address translation when the port is reserved for a specific protocol, such as the ISAKMP “handshaking” protocol that is part of the IPSec protocol model (FIGS. 2 and 3). ISAKMP exchanges require both source and target computers to use the same service address. By providing a network interface that does not translate the source service address, this gateway enables the initiation and maintenance of secure, encrypted transmissions using the IPSec protocol between a local area network using local IP addresses and servers on the internet.
19 Claims
1. (Independent claim 1; text as given under First Claim above.) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
9. A method of processing IP datagrams from a local device on a LAN using local IP addresses through a network address translating (“NAT”) gateway to an external device on an external network by passing datagrams having process-specific port addresses through said NAT gateway without translating said port addresses, comprising the steps of:
maintaining a plurality of tables associating local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, port addresses of said local devices, port addresses of said external devices, security parameter index (“SPI”)-In values, SPI-Out values, and process-specific port addresses, and a list of selected process-specific port addresses to which datagrams can be passed without translating their port addresses;
receiving a datagram from said LAN;
determining whether the destination port address for said datagram is included in said list of selected process-specific port addresses and, if said destination port address is not included in said list of selected process-specific port addresses, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device;
and if said destination port address is included in said list of selected process-specific port addresses, determining whether said destination port address is bound to an IP address, and if said destination port is bound to an IP address, performing normal address translation upon said datagram and passing said datagram to said external network;
and if said destination port address is not bound to an IP address, passing said datagram through said NAT gateway without translating the port addresses in said datagram, modifying said source IP address to be said external IP address for said NAT gateway, binding said destination port address to the local IP address of said local device and creating an association between said destination port address and said external IP address of said external device, and passing said datagram to said external network for routing and delivery to said external device. - View Dependent Claims (10, 11, 12, 13)
14. A method of processing IP datagrams from an external device on an external network through a network address translating (“NAT”) gateway to a local device on a LAN using local IP addresses, comprising the steps of:
maintaining a plurality of tables associating local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, port addresses of said local devices, port addresses of said external devices, security parameter index (“SPI”)-In values, SPI-Out values, and process-specific port addresses, and a list of selected process-specific port addresses;
receiving a datagram from said external network;
determining whether said datagram is encrypted and, if said datagram is not encrypted, determining whether the destination port address for said datagram is included in said list of selected process-specific port addresses, and if said destination port address is not included in said list of selected process-specific port addresses, performing normal address translation and passing said datagram to said LAN for routing and delivery to said local device;
and if said destination port address is included in said list of selected process-specific port addresses, determining whether said destination port address is bound to a local IP address, and if said destination port is not bound to a local IP address, discarding said datagram;
and if said destination port address is bound to a local IP address, determining whether said destination port address is associated with the external IP address of said external device, and if said destination port address is associated with said external IP address of said external device, modifying said destination IP address to be the bound local IP address of said local device, unbinding said destination port address from said local IP address, and passing said datagram through said NAT gateway to said LAN for routing and delivery to said local device. - View Dependent Claims (15, 16, 17, 18)
19. A machine readable storage, having stored thereon a computer program comprising a plurality of code sections executable by a machine for connecting a LAN to an external network via a network address translating (“NAT”) gateway, said NAT gateway having a local IP address that can be referenced by devices on said LAN and having an external IP address that can be referenced by devices on said external network, and further comprising a plurality of internal tables associating combinations of local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, source port addresses, destination port addresses, process-specific port addresses, and a list of selected process-specific port addresses including at least port 500, for causing the machine to pass datagrams through without translating port addresses where the port addresses in such datagrams are nontranslatable, said machine performing the steps of:
processing a datagram from a local device on said LAN by receiving a datagram from a local device on said LAN intended for delivery to an external device on said external network;
determining whether the destination port address for said datagram is included in said list of selected process-specific port addresses and determining whether said destination port address is bound to a local IP address on said LAN;
and if said destination port address is not included in said list of selected process-specific port addresses, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device;
and if said destination port address is included in said list of selected process-specific port addresses, and said destination port address is bound to a local IP address, performing normal address translation upon said datagram and passing said datagram to said external network;
and if said destination port address is not bound to a local IP address on said LAN, modifying said source IP address of said datagram to be said external IP address of said NAT gateway, binding said destination port address to the local IP address of said local device and creating an association between said destination port address and the external IP address of said external device, and passing said datagram to said external network for routing and delivery to said external device without translating said port addresses of said datagram.
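As an added illustration (not part of the patent or of any product), the following Python model walks a datagram through the decision logic of claims 1, 9 and 14: an outbound datagram to a selected port (port 500, the ISAKMP port claim 19 names) passes with its ports untouched and binds that port to the sending local device, while an inbound datagram to a selected port is discarded unless the port is bound and the sender is the associated external peer. The NatGateway class, its table names and all addresses are constructed assumptions; handling of encrypted (SPI-keyed) datagrams, which claim 14 leaves to the SPI tables, is not modelled and is treated as out of scope.

```python
from dataclasses import dataclass, field
from itertools import count

# The list of selected process-specific ports; port 500 (ISAKMP) is the one the claims name.
NONTRANSLATABLE_PORTS = {500}

@dataclass
class NatGateway:
    external_ip: str
    napt: dict = field(default_factory=dict)      # external port -> (local IP, local port)
    bound_to: dict = field(default_factory=dict)  # port -> local IP it is bound to
    assoc: dict = field(default_factory=dict)     # port -> external IP it is associated with
    _next_port: count = field(default_factory=lambda: count(40000))  # assumed NAPT port pool

    def _translate_out(self, d):
        """Normal address translation: rewrite source IP and source port, remember the mapping."""
        ext_port = next(self._next_port)
        self.napt[ext_port] = (d["src_ip"], d["src_port"])
        return {**d, "src_ip": self.external_ip, "src_port": ext_port}

    def outbound(self, d):
        """Claims 1 and 9: datagram from the LAN towards the external network."""
        port = d["dst_port"]
        if port not in NONTRANSLATABLE_PORTS or port in self.bound_to:
            return self._translate_out(d)   # not a selected port, or already bound: normal translation
        self.bound_to[port] = d["src_ip"]   # bind the port to the sending local device
        self.assoc[port] = d["dst_ip"]      # associate it with the external peer
        return {**d, "src_ip": self.external_ip}   # source IP rewritten, ports untouched

    def inbound(self, d):
        """Claim 14: datagram from the external network. None means the datagram is discarded."""
        if d.get("encrypted"):
            return None   # assumption: SPI-keyed handling of encrypted traffic is not modelled
        port = d["dst_port"]
        if port not in NONTRANSLATABLE_PORTS:
            if port not in self.napt:
                return None   # no mapping exists: unsolicited, discard
            local_ip, local_port = self.napt[port]
            return {**d, "dst_ip": local_ip, "dst_port": local_port}
        if port not in self.bound_to:
            return None   # selected port that is not bound: discard (claim 14)
        if self.assoc.get(port) != d["src_ip"]:
            return None   # assumption: a sender other than the associated peer is discarded
        local_ip = self.bound_to.pop(port)   # unbind the port from the local IP
        self.assoc.pop(port, None)
        return {**d, "dst_ip": local_ip}   # destination IP set to the bound local IP, port untouched
```

Running a second local device's ISAKMP datagram while port 500 is still bound shows the scheme's limit: that device receives normal translation (a changed source port), so only one untranslated exchange per selected port can be pending at a time.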
Specification