
NAT Working Group                                       R. Raghunarayan
INTERNET-DRAFT                                                   N. Pai
Expires March 2004                                  Cisco Systems, Inc.
                                                               R. Rohit
                                                  Mascon Global Limited
                                                                C. Wang
                                                          Bank One Corp
                                                           P. Srisuresh
                                                   Caymas Systems, Inc.
                                                         September 2003


  Definitions of Managed Objects for Network Address Translators (NAT)

                     <draft-ietf-nat-natmib-06.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [16].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Copyright Notice

   Copyright (C), 2003, The Internet Society.  All Rights Reserved.


Abstract

   This memo defines an SMIv2 Management Information Base (MIB) for
   a device implementing NAT function [RFC2663]. Particular emphasis
   was placed on devices implementing traditional NAT function
   [RFC3022]. This MIB may be used for configuration as well as


Rohit, Pai, Raghunarayan, Wang, Srisuresh                    [Page 1]


INTERNET-DRAFT                 NAT MIB                 September 2003


   monitoring of a device capable of NAT function. The MIB may also
   be used for dynamic administration of resources on a NAT middlebox.

Table of Contents

   1  Introduction ................................................2
   2  The Internet-Standard Management Framework ..................2
   3  Terminology .................................................2
   4  Overview ....................................................3
   5  Definitions .................................................6
   6  Intellectual Property.......................................51
   7  Change History..............................................51
   8  Acknowledgements ...........................................53
   9  IANA Consideration .........................................53
   10 Security Considerations ....................................54
   11 References .................................................55
   12 Author's Addresses .........................................55
   13 Full Copyright Statement....................................57


1.  Introduction

   This memo defines an SMIv2 Management Information Base (MIB) for
   a device implementing traditional NAT [17] function. This may be
   used for configuration as well as monitoring of a device capable
   of traditional NAT function.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].


3.  Terminology

   The terminology used throughout this document is mostly as per RFC
   2663 [18].


   The term NAT is used throughout the document to represent
   traditional NAT. Where necessary, NAPT and Basic NAT are used to
   refer to port translation and address translation respectively.

   The terms public and private are used throughout the document in
   the context of networks, while the terms local and global are used
   when referring to addresses and ports.

4.  Overview

   The MIB module has been split into three groups:

   o the configuration group,
   o the translation group, and
   o the statistics group.

   The configuration group consists of four tables and seven scalars:

   o the interface specific configuration table, which specifies the
     nat config parameters for a specific interface.
   o the address map table, which is an extension of the per-interface
     configuration table, and specifies information required to setup
     static/dynamic address and ports maps.
   o five protocol specific scalars, specifying the BIND timeout
     values for the more common protocols, TCP, UDP and ICMP, and a
     generic timeout value that can be used for all other protocols.
   o two scalars used to monitor address thresholds and generate
     notifications when the thresholds are crossed.

   The translation group, monitoring the dynamic activities of the NAT
   device, consists of two scalars and three tables:

   o the scalars, natAddrBindNumberOfEntries and
     natAddrPortBindNumberOfEntries, hold the number of entries
     that currently exist in the Address bind and the Address-Port
     bind tables respectively.
   o the Address bind table, which holds the currently active
     address bindings.
   o the Address-Port bind table, which holds the currently active
     transport bindings.
   o the session table, which holds information regarding active
     NAT sessions.

   And finally, the statistics group consists of three tables:

   o the Protocol stats table, indicating translation statistics
     per protocol.
   o the Address Map stats table, indicating translation statistics
     per address map.

   o the Interface stats table, indicating translation statistics
     per interface.

   There are also two notifications defined in the MIB:

   o natAddressUseRising notifies the end user/manager that address
     usage has exceeded a pre-defined threshold.
   o natPacketDiscard notifies the end user/manager that packets are
     being discarded due to lack of address mappings.

4.1 Relation between the NAT configuration tables

   The association between the various configuration tables can be
   represented as follows:


     per interface config   (global config parameters)
        |                            |
        |                            |
        |                            |
        |----------------------------|
        |
        |
     address map

   Every interface nat config is associated with a set of global
   (TCP, UDP and ICMP) config parameters, represented by the five
   protocol specific scalars.


4.2 Relation between the translation and the configuration tables

   The association between the configuration and the translation
   tables can be represented as follows.

                        Address map
                             |
                             |
                             |
        ----------------------------------------------
       |                                              |
       |                                              |
       |                                              |
   Address Bind                                Address Port Bind
       |                                              |
       |                                              |
       |                                              |
        ----------------------------------------------
                             |
                             |
                             |
                          Session

   Every bind, address as well as address-port bind, is derived
   from an address map. The natAddrBindAddrMapName and
   natAddrPortBindAddrMapName objects provide the linkage between
   the bind and the address map it has been derived from.

   On the other hand, every NAT session is derived from a bind,
   address or address-port bind. The natSessionBindId and the
   natSessionSecondBindId objects represent this linkage.

4.3 Configuration via the MIB

   Entries in the Address Bind and Address-Port Bind Tables are
   derived from the address map table. Entries MUST, therefore,
   not exist in the Address Bind or Address-Port Bind tables
   without an associated entry in the Address Map table.

   Likewise, the session entries are derived from the Binds and
   an entry MUST not exist in the Session table without a
   corresponding Bind table entry. Before deleting a bind entry,
   all the session entries corresponding to the bind entry must
   be deleted.

   A Management station may use the following steps to configure
   entries in the NAT-MIB:

   -  Create an entry in the natConfInterfaceTable specifying the
      value of natConfInterfaceIndex as the interface index of
      the interface on which nat is being configured. Specify
      appropriate values, as applicable, for the other objects e.g.
      natConfInterfaceRealm, natConfServiceType, in the table.

   -  Create an address map entry in the natConfAddrMapTable, and
      set natConfAddrMapConfigName to the name of the address map
      entry created.

   -  To configure NAT for TCP, UDP and ICMP protocols, the
      management station can set the protocol specific scalars.

   -  Setting the natConfRowStatus to 'active'(1) will enable
      nat on the interface. Note that the associated entries in the
      natConfAddrMapTable must also be made active.

   -  The Address Bind and Address-Port Bind Tables will have the
      entries created due to this nat configuration. A Management
      Station may also, if deemed necessary, create an Address Bind
      or Address-Port Bind entry and link those entries to the
      appropriate address map configured.
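   As an added example (not code from this draft or from any NAT
   implementation), the following Python model walks the steps above
   against in-memory copies of the tables, enforcing the rules stated
   in 4.2 and 4.3 (a bind needs its address map, a session needs its
   bind, sessions go before their bind is deleted, NAT is in effect
   only when the interface row and its address map rows are active)
   and the natConfAddrRiseThreshold/natConfAddrFallThreshold hysteresis
   defined in the module; the class and method names, bind and session
   identifiers, and the 198.51.100.x addresses are constructed.

```python
# Added example (not code from the draft or any NAT product): an in-memory
# model of the NAT-MIB tables enforcing the rules of Sections 4.2 and 4.3 and
# the natConfAddrRiseThreshold / natConfAddrFallThreshold behaviour. Class and
# method names, bind/session ids and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address

ACTIVE, NOT_IN_SERVICE = 1, 2          # RowStatus values used by the model


@dataclass
class InterfaceEntry:                  # natConfInterfaceTable row
    if_index: int                      # natConfInterfaceIndex
    realm: str                         # natConfInterfaceRealm
    addr_map_config_name: str          # natConfAddrMapConfigName
    row_status: int = NOT_IN_SERVICE   # natConfRowStatus


@dataclass
class AddrMapEntry:                    # natConfAddrMapTable row
    name: str                          # natConfAddrMapName
    index: int                         # natConfAddrMapIndex
    global_addr_from: str              # natConfGlobalAddrFrom
    global_addr_to: str                # natConfGlobalAddrTo
    row_status: int = NOT_IN_SERVICE   # natConfAddrMapRowStatus

    def global_addr_count(self) -> int:
        lo, hi = ip_address(self.global_addr_from), ip_address(self.global_addr_to)
        return int(hi) - int(lo) + 1


class NatMib:
    def __init__(self, rise_threshold=0, fall_threshold=0):
        self.interfaces = {}   # natConfInterfaceIndex -> InterfaceEntry
        self.addr_maps = {}    # (natConfAddrMapName, natConfAddrMapIndex) -> row
        self.binds = {}        # bind id -> natAddrBindAddrMapName
        self.sessions = {}     # session id -> natSessionBindId
        self.rise_threshold = rise_threshold   # natConfAddrRiseThreshold, in %
        self.fall_threshold = fall_threshold   # natConfAddrFallThreshold, in %
        self._armed = {}       # map name -> may natAddressUseRising fire again?

    # Configuration group: the steps of Section 4.3.
    def create_interface(self, if_index, realm, map_name):
        self.interfaces[if_index] = InterfaceEntry(if_index, realm, map_name)

    def create_addr_map(self, name, index, global_from, global_to):
        self.addr_maps[(name, index)] = AddrMapEntry(name, index, global_from, global_to)

    def nat_enabled(self, if_index) -> bool:
        """NAT takes effect only when the interface row is active(1) and every
        address map row it selects via natConfAddrMapConfigName is active too."""
        itf = self.interfaces[if_index]
        rows = [m for m in self.addr_maps.values() if m.name == itf.addr_map_config_name]
        return itf.row_status == ACTIVE and bool(rows) and all(
            m.row_status == ACTIVE for m in rows)

    # Translation group: a bind needs its address map, a session needs its bind.
    def create_bind(self, bind_id, map_name):
        if not any(m.name == map_name for m in self.addr_maps.values()):
            raise ValueError("bind without an associated address map entry")
        self.binds[bind_id] = map_name

    def create_session(self, session_id, bind_id):
        if bind_id not in self.binds:
            raise ValueError("session without a corresponding bind entry")
        self.sessions[session_id] = bind_id

    def delete_bind(self, bind_id):
        if bind_id in self.sessions.values():
            raise ValueError("delete the bind's sessions before the bind itself")
        del self.binds[bind_id]

    def addr_bind_number_of_entries(self) -> int:   # natAddrBindNumberOfEntries
        return len(self.binds)

    # Notification thresholds; usage = binds drawn from the map / its global addresses.
    def usage_percent(self, map_name) -> int:
        total = sum(m.global_addr_count() for m in self.addr_maps.values()
                    if m.name == map_name)
        used = sum(1 for m in self.binds.values() if m == map_name)
        return used * 100 // total if total else 0

    def check_address_use(self, map_name) -> bool:
        """True when natAddressUseRising is due: usage reached the rising threshold
        while armed. A rising threshold of 0 disables it; dropping to the falling
        threshold only re-arms and never notifies (re-arm at <= is this model's reading)."""
        if self.rise_threshold == 0:
            return False
        usage = self.usage_percent(map_name)
        if usage <= self.fall_threshold:
            self._armed[map_name] = True
            return False
        if self._armed.get(map_name, True) and usage >= self.rise_threshold:
            self._armed[map_name] = False
            return True
        return False


def rejected(fn, *args) -> bool:  # True when the model refuses with ValueError
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```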


5.  Definitions

NAT-MIB DEFINITIONS ::= BEGIN

IMPORTS
     MODULE-IDENTITY,
     OBJECT-TYPE,
     Integer32,
     Unsigned32,
     Gauge32,
     Counter64,
     TimeTicks,
     mib-2,
     NOTIFICATION-TYPE
             FROM SNMPv2-SMI
     TEXTUAL-CONVENTION
             FROM SNMPv2-TC
     MODULE-COMPLIANCE,
     NOTIFICATION-GROUP,
     OBJECT-GROUP
             FROM SNMPv2-CONF
     StorageType,
     RowStatus
             FROM SNMPv2-TC
     InterfaceIndex
             FROM IF-MIB
     SnmpAdminString
             FROM SNMP-FRAMEWORK-MIB
     InetAddressType,
     InetAddress,
     InetPortNumber
             FROM INET-ADDRESS-MIB;

natMIB MODULE-IDENTITY
     LAST-UPDATED "200309020000Z"
     ORGANIZATION "IETF NAT Working Group"
     CONTACT-INFO
             " Rohit
               Mascon Global Limited
               #59/2 100 ft Ring Road
               Banashankari II Stage
               Bangalore 560 070
               India
               Phone: +91 80 679 6227
               Email: rrohit74@hotmail.com

               Nalinaksh Pai
               Cisco Systems, Inc.
               Prestige Waterford
               No. 9, Brunton Road
               Bangalore - 560 025
               India
               Phone: +91 80 532 1300
               Email: npai@cisco.com

               Rajiv Raghunarayan
               Cisco Systems Inc.
               170 West Tasman Drive
               San Jose, CA 95134
               Phone: +1 408 853 9612
               Email: raraghun@cisco.com

               Cliff Wang
               Information Security
               Bank One Corp
               1111 Polaris Pkwy
               Columbus, OH 43240
               Phone: +1 614 213 6117
               Email: cliffwang2000@yahoo.com

               P. Srisuresh
               Caymas Systems, Inc.
               1179-A North McDowell Blvd.
               Petaluma, CA 94954
               Tel: (707) 283-5063
               Email: srisuresh@yahoo.com
             "
     DESCRIPTION
             "This MIB module defines the generic managed objects
              for NAT."
     REVISION     "200308200000Z"  -- 20th Aug. 2003
     DESCRIPTION
             "This revision removed the protocol extensibility
              and corrected the naming inconsistency."
     REVISION     "200211030000Z"  -- 3rd Nov. 2002
     DESCRIPTION
             "This revision addresses the comments raised by the
              MIDCOM Working Group."
     REVISION     "200206140000Z"  -- 14th June 2002
     DESCRIPTION
             "This MIB module addresses the smilint warnings found
              in the IETF MIB Module Validation."
     REVISION     "200202070000Z"  -- 7th Feb. 2002
     DESCRIPTION
             "Merged the Config and Interface specific Tables.
              Added the ability for the Management Station to
              create/destroy nat address binds and sessions."
     REVISION     "200111090000Z"  -- 9th Nov. 2001
     DESCRIPTION
             "Merged the Static and Dynamic addr Tables.
              Protocol specific extensibility added."
     REVISION     "200109100000Z"  -- 10th Sep. 2001
     DESCRIPTION
             "Notifications added."
     REVISION     "200103010000Z"  -- 1st Mar. 2001
     DESCRIPTION
             "Initial version of this MIB module."
     ::= { mib-2 XXX } -- RFC Ed.: replace XXX with IANA-assigned
                       -- number & remove this note


natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }

--
-- The Groups
-- o natConfig - Pertaining to NAT configuration information
-- o natTranslation - Pertaining to the NAT BINDs/sessions.
-- o natStatistics - NAT statistics, other than those maintained
--                   by the Bind and Session tables.
--

natConfig OBJECT IDENTIFIER ::= { natMIBObjects 1 }
natTranslation OBJECT IDENTIFIER ::= { natMIBObjects 2 }
natStatistics OBJECT IDENTIFIER ::= { natMIBObjects 3 }


NATProtocolType ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "A list of protocols that support
                the network address translation. Inclusion of
                values is not intended to imply that those
                protocols need to be supported. Any change
                in this TEXTUAL-CONVENTION should also be
                reflected in the definition of natConfProtocol
                object which is a BITS representation of this
                TEXTUAL-CONVENTION."
       SYNTAX   INTEGER {
                     none (1),  -- not specified
                     other (2), -- none of the following
                     icmp (3),
                     udp (4),
                     tcp (5)
                  }


--
-- UDP related NAT configuration
--

natConfUdpDefIdleTimeout OBJECT-TYPE
    SYNTAX     Integer32 (0..2147483647)
    UNITS      "seconds"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
            "The default UDP idle timeout parameter."
    DEFVAL { 300 }
    ::= { natConfig 1 }

--
-- ICMP related NAT configuration
--

natConfIcmpDefIdleTimeout OBJECT-TYPE
    SYNTAX     Integer32 (0..2147483647)
    UNITS      "seconds"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
            "The default ICMP idle timeout parameter."
    DEFVAL { 300 }
    ::= { natConfig 2 }

--
-- Other protocol parameters
--

natConfOtherDefIdleTimeout OBJECT-TYPE
    SYNTAX     Integer32 (0..2147483647)
    UNITS      "seconds"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
            "The default idle timeout parameter for protocols
             represented by the value other (2) in
             NATProtocolType."
    DEFVAL { 60 }
    ::= { natConfig 3 }

--
-- TCP related NAT configuration
--

natConfTcpDefIdleTimeout OBJECT-TYPE
    SYNTAX     Integer32 (0..2147483647)
    UNITS      "seconds"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
            "The default TCP idle timeout parameter."
    DEFVAL { 86400 }
    ::= { natConfig 4 }

natConfTcpDefNegTimeout OBJECT-TYPE
    SYNTAX     Integer32 (0..2147483647)
    UNITS      "seconds"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
            "The default interval of time for which a TCP protocol
             session, is allowed to remain valid without any
             activity. This timeout value applies to a TCP session
             during its establishment and termination phases."
    DEFVAL { 60 }
    ::= { natConfig 5 }

--
-- Notification thresholds
--

natConfAddrRiseThreshold OBJECT-TYPE
    SYNTAX     Unsigned32 (0..100)
    UNITS      "percentage"
    MAX-ACCESS read-write
    STATUS     current
    DESCRIPTION
            "This object represents the rising threshold value for
             generation of the natAddressUseRising notification. A
             notification is generated whenever the usage percentage
             of the address map is equal to or greater than
             natConfAddrRiseThreshold.

             Notifications should not be generated when the value of
             this object is 0."
    DEFVAL  { 0 }
    ::= { natConfig 6 }

natConfAddrFallThreshold OBJECT-TYPE
   SYNTAX     Unsigned32 (0..100)
   UNITS      "percentage"
   MAX-ACCESS read-write
   STATUS     current
   DESCRIPTION
           "This object represents the falling threshold value for
            generation of the natAddressUseRising notification.
            This object only represents the lower end of the
            hysteresis curve, and notifications are not generated
            when this threshold is crossed."
    DEFVAL  { 0 }
    ::= { natConfig 7 }

--
-- The Configuration Group
-- The per-interface NAT Configuration Table
--

natConfInterfaceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table specifies the configuration attributes for a
             device supporting NAT function."
    ::= { natConfig 8 }


natConfInterfaceEntry OBJECT-TYPE
    SYNTAX      NatConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the natConfInterfaceTable holds a set of
             configuration parameters regarding the interface
             on which NAT is enabled."
    INDEX   { natConfInterfaceIndex }
    ::= { natConfInterfaceTable 1 }

NatConfInterfaceEntry ::= SEQUENCE {
    natConfInterfaceIndex       InterfaceIndex,
    natConfInterfaceRealm       INTEGER,
    natConfServiceType          BITS,
    natConfAddrMapConfigName    SnmpAdminString,
    natConfStorageType          StorageType,
    natConfRowStatus            RowStatus
}

natConfInterfaceIndex OBJECT-TYPE
    SYNTAX     InterfaceIndex
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "The ifIndex of the interface on which NAT is enabled."
    ::= { natConfInterfaceEntry 1 }

natConfInterfaceRealm OBJECT-TYPE
    SYNTAX     INTEGER {
                   private (1),
                   public (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object identifies whether this interface is
             connected to the private or the public realm."
    DEFVAL     { public }
    ::= { natConfInterfaceEntry 2 }

natConfServiceType OBJECT-TYPE
    SYNTAX  BITS {
                basicNat (0),
                napt (1),
                bidirectionalNat (2),
                twiceNat (3)
            }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "An indication of the direction in which new sessions
             are permitted and the extent of translation done within
             the IP and transport headers."
    ::= { natConfInterfaceEntry 3 }

natConfAddrMapConfigName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object selects a set of address maps defined in
             the natConfAddrMapTable. The selected set of addr maps
             are defined by entries in the natConfAddrMapTable whose
             index value (natConfAddrMapName) is equal to this object."
    DEFVAL { ''H }
    ::= { natConfInterfaceEntry 4 }

natConfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The storage type for this conceptual row."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natConfInterfaceEntry 5 }

natConfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             None of the objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    ::= { natConfInterfaceEntry 6 }

--
-- The Address Map Table
--

natConfAddrMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatConfAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table lists address map configuration for NAT."
    ::= { natConfig 9 }

natConfAddrMapEntry OBJECT-TYPE
    SYNTAX      NatConfAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This entry represents an address map to be used for
             NAT, and contributes to the dynamic and/or static
             address mapping tables of the NAT device."
    INDEX   { natConfAddrMapName, natConfAddrMapIndex }
    ::= { natConfAddrMapTable 1 }

NatConfAddrMapEntry ::= SEQUENCE {
    natConfAddrMapName                SnmpAdminString,
    natConfAddrMapIndex               Unsigned32,
    natConfAddrMapOwnerId             Unsigned32,
    natConfAddrMapGroupId             Unsigned32,
    natConfAddrMapEntryType           INTEGER,
    natConfAddrMapTranslationEntity   INTEGER,
    natConfLocalAddrType              InetAddressType,
    natConfLocalAddrFrom              InetAddress,
    natConfLocalAddrTo                InetAddress,
    natConfLocalPortFrom              InetPortNumber,
    natConfLocalPortTo                InetPortNumber,
    natConfGlobalAddrType             InetAddressType,
    natConfGlobalAddrFrom             InetAddress,
    natConfGlobalAddrTo               InetAddress,
    natConfGlobalPortFrom             InetPortNumber,
    natConfGlobalPortTo               InetPortNumber,
    natConfProtocol                   BITS,
    natConfAddrMapStorageType         StorageType,
    natConfAddrMapRowStatus           RowStatus
}

natConfAddrMapName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Name identifying a set of entries in this table.
             The combination of natConfAddrMapName and
             natConfAddrMapIndex uniquely identifies
             an entry in this table."
    ::= { natConfAddrMapEntry 1 }

natConfAddrMapIndex  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Along with natConfAddrMapName, this object uniquely
             identifies an entry in the natConfAddrMapTable.
             Address map entries are applied in the order
             specified by natConfAddrMapIndex."
    ::= { natConfAddrMapEntry 2 }

natConfAddrMapOwnerId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of the entity that owns this entry.
             This object is a unique Identifier and is generated by
             the NAT middlebox. The owner of the entry may be the
             NAT middlebox itself or one of the MIDCOM agents that
             engage in a MIDCOM session with the NAT middlebox."
    ::= { natConfAddrMapEntry 3 }

natConfAddrMapGroupId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of a group to which this entry belongs.
             This object is a unique identifier and is generated by
             the NAT middlebox."
    ::= { natConfAddrMapEntry 4 }

natConfAddrMapEntryType OBJECT-TYPE
    SYNTAX  INTEGER {
                static (1),
                dynamic (2)
            }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This config parameter can be used to set up static
             or dynamic address maps."
    ::= { natConfAddrMapEntry 5 }

natConfAddrMapTranslationEntity OBJECT-TYPE
    SYNTAX  INTEGER {
                inboundSrcAddr (1),
                inboundDstAddr (2),
                outboundSrcAddr (3),
                outboundDstAddr (4)
            }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The end-point entity (Source or destination) in
             inbound or outbound sessions (i.e, first packets) that
             may be translated by an address map entry.

             Session direction (inbound or outbound) is
             derived from the direction of the first packet
             of a session traversing a NAT interface.

             NAT address (and Transport-ID) maps may be defined
             to effect inbound or outbound sessions. Further, the
             translation entity on the first packet (of a session)
             may be source end-point (i.e., source IP address and
             source port) or destination end-point (i.e., destination
             address and destination port).

             Traditionally, address map for Basic NAT and NAPT are
             configured on a public interface for outbound sessions,
             effecting translation of source end-point.
             The value of this object must be set to outboundSrcAddr
             for those interfaces.

             Alternately, if address map for Basic NAT and NAPT were
             to be configured on a private interface, the desired
             value for this object for the map entries
             would be inboundSrcAddr. I.e., effecting translation of
             source end-point for inbound sessions.

             If TwiceNAT were to be configured on a private interface,
             there will be two address map entries: one effecting
             translation of source end-point for inbound sessions
             (i.e., inboundSrcAddr) and another effecting translation
             of destination end-point for inbound sessions
             (i.e., inboundDstAddr)."
    ::= { natConfAddrMapEntry 6 }


natConfLocalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natConfLocalAddrFrom and natConfLocalAddrTo."
    ::= { natConfAddrMapEntry 7 }

natConfLocalAddrFrom OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (0..20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the first IP address of the range
             of IP addresses mapped by this translation entry."
    ::= { natConfAddrMapEntry 8 }

natConfLocalAddrTo OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (0..20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the last IP address of the range of
             IP addresses mapped by this translation entry. If only
             a single address is being mapped, the value of this object
             is equal to the value of natConfLocalAddrFrom. For a
             static NAT, the number of addresses in the range defined
             by natConfLocalAddrFrom and natConfLocalAddrTo must be
             equal to the number of addresses in the range defined by
             natConfGlobalAddrFrom and natConfGlobalAddrTo."
    ::= { natConfAddrMapEntry 9 }

natConfLocalPortFrom OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a Basic NAT address
             mapping, then the value of this object must be 0. If
             this conceptual row describes NAPT, then the value of
             this object specifies the first port number in the range
             of ports being mapped.

             If the translation specifies a single port, then
             the value of this object is equal to the value of
             natConfLocalPortTo."
    ::= { natConfAddrMapEntry 10 }

natConfLocalPortTo OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a Basic NAT address
             mapping, then the value of this object must be 0. If
             this conceptual row describes NAPT, then the value of
             this object specifies the last port number in the range
             of ports being mapped.

             If the translation specifies a single port, then the
             value of this object is equal to the value of
             natConfLocalPortFrom."
    ::= { natConfAddrMapEntry 11 }

natConfGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natConfGlobalAddrFrom and natConfGlobalAddrTo."
    ::= { natConfAddrMapEntry 12 }

natConfGlobalAddrFrom OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (0..20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the first IP address of the range of
             IP addresses being mapped to."
    ::= { natConfAddrMapEntry 13 }

natConfGlobalAddrTo OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (0..20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the last IP address of the range of
             IP addresses being mapped to. If only a single address is
             being mapped to, the value of this object is equal to the
             value of natConfGlobalAddrFrom. For a static NAT, the
             number of addresses in the range defined by
             natConfGlobalAddrFrom and natConfGlobalAddrTo must be
             equal to the number of addresses in the range defined by
             natConfLocalAddrFrom and natConfLocalAddrTo."
    ::= { natConfAddrMapEntry 14 }

natConfGlobalPortFrom OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a Basic NAT address
             mapping, then the value of this object must be 0. If
             this conceptual row describes NAPT, then the value of
             this object specifies the first port number in the range
             of ports being mapped to. If the translation specifies a
             single port, then the value of this object is equal to
             the value of natConfGlobalPortTo."
    ::= { natConfAddrMapEntry 15 }

natConfGlobalPortTo OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If this conceptual row describes a Basic NAT address
             mapping, then the value of this object must be 0. If
             this conceptual row describes NAPT, then the value of this
             object specifies the last port number in the range of
             ports being mapped to. If the translation specifies a
             single port, then the value of this object is equal to
             the value of natConfGlobalPortFrom."
    ::= { natConfAddrMapEntry 16 }

natConfProtocol OBJECT-TYPE
    SYNTAX      BITS {
                  other (0),
                  icmp (1),
                  udp (2),
                  tcp (3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies a bitmap of protocol identifiers.
             This object is a BITS representation for the
             NATProtocolType, hence any change in the NATProtocolType
             should also be reflected here."
    ::= { natConfAddrMapEntry 17 }

natConfAddrMapStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The storage type for this conceptual row."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natConfAddrMapEntry 18 }

natConfAddrMapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             None of the objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    ::= { natConfAddrMapEntry 19 }
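
The objects above place several constraints on a natConfAddrMapEntry row: a single mapped address has From equal to To, static NAT needs local and global ranges of equal size, a Basic NAT row carries all-zero port objects, and natConfProtocol is a BITS bitmap. The following Python is an added example, not part of the draft, that checks a row against those constraints and decodes the BITS value; the is_napt and is_static flags and the local address type field are assumptions standing in for objects defined earlier in the entry.

```python
from dataclasses import dataclass
from typing import List, Optional

# InetAddressType values (INET-ADDRESS-MIB) and the octet length each implies.
IPV4, IPV6 = 1, 2
ADDR_LEN = {IPV4: 4, IPV6: 16}

# natConfProtocol is a BITS value: bit 0 is the most significant bit of the
# first octet, so other(0)=0x80, icmp(1)=0x40, udp(2)=0x20, tcp(3)=0x10.
PROTOCOL_BITS = {0: "other", 1: "icmp", 2: "udp", 3: "tcp"}

def decode_protocol_bits(octets: bytes) -> List[str]:
    """Names of the protocols selected in a natConfProtocol BITS value."""
    names = []
    for bit, name in PROTOCOL_BITS.items():
        octet, pos = divmod(bit, 8)
        if octet < len(octets) and octets[octet] & (0x80 >> pos):
            names.append(name)
    return names

@dataclass
class AddrMapRow:
    # One natConfAddrMapEntry. is_napt and is_static are assumed flags standing
    # in for the mapping-type objects defined earlier in the entry, and
    # local_addr_type is the local-range counterpart of natConfGlobalAddrType.
    is_napt: bool
    is_static: bool
    local_addr_type: int
    local_addr_from: bytes     # natConfLocalAddrFrom
    local_addr_to: bytes       # natConfLocalAddrTo
    local_port_from: int       # natConfLocalPortFrom
    local_port_to: int         # natConfLocalPortTo
    global_addr_type: int      # natConfGlobalAddrType
    global_addr_from: bytes    # natConfGlobalAddrFrom
    global_addr_to: bytes      # natConfGlobalAddrTo
    global_port_from: int      # natConfGlobalPortFrom
    global_port_to: int        # natConfGlobalPortTo
    protocol: bytes            # natConfProtocol, raw BITS octets

def range_size(addr_type: int, lo: bytes, hi: bytes) -> Optional[int]:
    """Addresses in lo..hi inclusive; None if an octet string does not fit the
    declared InetAddressType, 0 if the range is reversed."""
    n = ADDR_LEN.get(addr_type)
    if n is None or len(lo) != n or len(hi) != n:
        return None
    a, b = int.from_bytes(lo, "big"), int.from_bytes(hi, "big")
    return b - a + 1 if b >= a else 0

def validate_addr_map(row: AddrMapRow) -> List[str]:
    """Reasons an agent should refuse this row, following the DESCRIPTION
    clauses of natConfAddrMapEntry objects 9 to 17."""
    problems: List[str] = []
    sizes = {}
    for side, atype, lo, hi in (
        ("Local", row.local_addr_type, row.local_addr_from, row.local_addr_to),
        ("Global", row.global_addr_type, row.global_addr_from, row.global_addr_to),
    ):
        sizes[side] = range_size(atype, lo, hi)
        if sizes[side] is None:
            problems.append(f"natConf{side}Addr octets do not match the address type")
        elif sizes[side] == 0:
            problems.append(f"natConf{side}AddrTo precedes natConf{side}AddrFrom")
    # Static NAT is one-to-one: both ranges must hold the same number of addresses.
    if (row.is_static and sizes["Local"] and sizes["Global"]
            and sizes["Local"] != sizes["Global"]):
        problems.append("static NAT: local range has %d addresses, global has %d"
                        % (sizes["Local"], sizes["Global"]))
    ports = (row.local_port_from, row.local_port_to,
             row.global_port_from, row.global_port_to)
    if not row.is_napt:
        if any(ports):  # Basic NAT maps addresses only
            problems.append("Basic NAT: all four port objects must be 0")
    else:
        if row.local_port_from > row.local_port_to:
            problems.append("natConfLocalPortTo precedes natConfLocalPortFrom")
        if row.global_port_from > row.global_port_to:
            problems.append("natConfGlobalPortTo precedes natConfGlobalPortFrom")
    if not decode_protocol_bits(row.protocol):
        problems.append("natConfProtocol selects no protocol")
    return problems

def ip4(dotted: str) -> bytes:
    """Dotted quad to the 4-octet InetAddress form the table stores."""
    return bytes(int(p) for p in dotted.split("."))

# Constructed sample rows, not taken from the draft.
GOOD_STATIC = AddrMapRow(False, True, IPV4, ip4("10.0.0.1"), ip4("10.0.0.4"), 0, 0,
                         IPV4, ip4("192.0.2.1"), ip4("192.0.2.4"), 0, 0, b"\x70")
BAD_STATIC = AddrMapRow(False, True, IPV4, ip4("10.0.0.1"), ip4("10.0.0.8"), 1024, 0,
                        IPV4, ip4("192.0.2.1"), ip4("192.0.2.4"), 0, 0, b"\x70")
GOOD_NAPT = AddrMapRow(True, False, IPV4, ip4("10.0.0.0"), ip4("10.0.0.255"), 1024, 65535,
                       IPV4, ip4("192.0.2.1"), ip4("192.0.2.1"), 1024, 65535, b"\x30")

if __name__ == "__main__":
    for name, row in (("good", GOOD_STATIC), ("bad", BAD_STATIC), ("napt", GOOD_NAPT)):
        print(name, decode_protocol_bits(row.protocol), validate_addr_map(row) or "ok")
```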

--
-- The Translation Group
--

--
-- Address Bind section
--

natAddrBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "This object maintains a count of the number of entries
             that currently exist in the natAddrBindTable."
    ::= { natTranslation 1 }

--
-- The NAT Address BIND Table
--

natAddrBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This table holds information about the currently
             active NAT BINDs."
    ::= { natTranslation 2 }

natAddrBindEntry OBJECT-TYPE
    SYNTAX     NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "Each entry in this table holds information about
             an active address BIND."
    INDEX   { natAddrBindLocalAddrType, natAddrBindLocalAddr }
    ::= { natAddrBindTable 1 }

NatAddrBindEntry ::= SEQUENCE {
    natAddrBindLocalAddrType        InetAddressType,
    natAddrBindLocalAddr            InetAddress,
    natAddrBindOwnerId              Unsigned32,
    natAddrBindGroupId              Unsigned32,
    natAddrBindGlobalAddrType       InetAddressType,
    natAddrBindGlobalAddr           InetAddress,
    natAddrBindId                   Unsigned32,
    natAddrBindDirection            INTEGER,
    natAddrBindType                 INTEGER,
    natAddrBindAddrMapName          SnmpAdminString,
    natAddrBindSessionCount         Gauge32,
    natAddrBindMaxIdleTime          TimeTicks,
    natAddrBindCurrentIdleTime      TimeTicks,
    natAddrBindInTranslate          Counter64,
    natAddrBindOutTranslate         Counter64,
    natAddrBindRowStatus            RowStatus
}

natAddrBindLocalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natAddrBindLocalAddr."
    ::= { natAddrBindEntry 1 }

natAddrBindLocalAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object represents the private-realm specific network
             layer address, which maps to the public-realm address
             represented by natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 2 }

natAddrBindOwnerId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of the entity that owns this entry.
             This object is a unique identifier and is generated by
             the NAT middlebox. The owner of the entry may be the
             NAT middlebox itself or one of the MIDCOM agents that
             engage in a MIDCOM session with the NAT middlebox."
    ::= { natAddrBindEntry 3 }

natAddrBindGroupId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of a group to which this entry belongs.
             This object is a unique identifier and is generated by
             the NAT middlebox."
    ::= { natAddrBindEntry 4 }

natAddrBindGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 5 }

natAddrBindGlobalAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object represents the public-realm network layer
             address that maps to the private-realm network layer
             address represented by natAddrBindLocalAddr."
    ::= { natAddrBindEntry 6 }

natAddrBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "This object represents a BIND id that is dynamically
             assigned to each BIND by a NAT enabled device. Each
             BIND is represented by a BIND id that is unique across
             both the Address bind and the Address-Port bind tables."
    ::= { natAddrBindEntry 7 }

natAddrBindDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   uniDirectional (1),
                   biDirectional (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object represents the direction of the BIND.
             A BIND may be either uni-directional or bi-directional,
             matching the orientation of the address map on which
             this bind is based."
    ::= { natAddrBindEntry 8 }

natAddrBindType OBJECT-TYPE
    SYNTAX     INTEGER {
                   static (1),
                   dynamic (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object indicates whether the BIND is static or
             dynamic."
    ::= { natAddrBindEntry 9 }

natAddrBindAddrMapName OBJECT-TYPE
    SYNTAX     SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object is a pointer to the natConfAddrMapTable entry
             (and the parameters of that entry) which was used in
             creating this BIND. If the bind is being created by the
             Management Station, then it should set the value for this
             object to an existing addrMapName. An attempt to set this
             object to a nonExistent addrMapName will result in
             an error."
    ::= { natAddrBindEntry 10 }

natAddrBindSessionCount OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "Number of sessions currently using this BIND."
    ::= { natAddrBindEntry 11 }

natAddrBindMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object indicates the maximum time for
             which this BIND can be idle with no sessions
             attached to it.

             The value of this object is of relevance only for
             dynamic NAT."
    ::= { natAddrBindEntry 12 }

natAddrBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "At any given instance of time, this object indicates the
             time that this BIND has been idle with no sessions
             attached to it.

             The value of this object is of relevance only for
             dynamic NAT."
    ::= { natAddrBindEntry 13 }

natAddrBindInTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of inbound packets that were successfully
             translated using this BIND entry."
    ::= { natAddrBindEntry 14 }

natAddrBindOutTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of outbound packets that were successfully
             translated using this BIND entry."
    ::= { natAddrBindEntry 15 }

natAddrBindRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             None of the writable objects except
             natAddrBindMaxIdleTime in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrBindEntry 16 }

--
-- Address-Port Bind section
--

natAddrPortBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "This object maintains a count of the number of entries
             that currently exist in the natAddrPortBindTable."
    ::= { natTranslation 3 }

--
-- The NAT Address-Port BIND Table
--

natAddrPortBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This table holds information about the currently
             active NAPT BINDs."
    ::= { natTranslation 4 }

natAddrPortBindEntry OBJECT-TYPE
    SYNTAX     NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "Each entry in this table holds information
             about a NAPT BIND that is currently active."
    INDEX   { natAddrPortBindLocalAddrType, natAddrPortBindLocalAddr,
              natAddrPortBindLocalPort, natAddrPortBindProtocol }
    ::= { natAddrPortBindTable 1 }

NatAddrPortBindEntry ::= SEQUENCE {
    natAddrPortBindLocalAddrType        InetAddressType,
    natAddrPortBindLocalAddr            InetAddress,
    natAddrPortBindLocalPort            InetPortNumber,
    natAddrPortBindProtocol             NATProtocolType,
    natAddrPortBindOwnerId              Unsigned32,
    natAddrPortBindGroupId              Unsigned32,
    natAddrPortBindGlobalAddrType       InetAddressType,
    natAddrPortBindGlobalAddr           InetAddress,
    natAddrPortBindGlobalPort           InetPortNumber,
    natAddrPortBindId                   Unsigned32,
    natAddrPortBindDirection            INTEGER,
    natAddrPortBindType                 INTEGER,
    natAddrPortBindAddrMapName          SnmpAdminString,
    natAddrPortBindSessionCount         Gauge32,
    natAddrPortBindMaxIdleTime          TimeTicks,
    natAddrPortBindCurrentIdleTime      TimeTicks,
    natAddrPortBindInTranslate          Counter64,
    natAddrPortBindOutTranslate         Counter64,
    natAddrPortBindRowStatus            RowStatus
}

natAddrPortBindLocalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natAddrPortBindLocalAddr."
    ::= { natAddrPortBindEntry 1 }

natAddrPortBindLocalAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object represents the private-realm specific network
             layer address which, in conjunction with
             natAddrPortBindLocalPort, maps to the public-realm
             network layer address and transport id represented by
             natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
             respectively."
    ::= { natAddrPortBindEntry 2 }

natAddrPortBindLocalPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object represents the private-realm specific port
             number (or query ID in case of ICMP messages) which, in
             conjunction with natAddrPortBindLocalAddr, maps to the
             public-realm network layer address and transport id
             represented by natAddrPortBindGlobalAddr and
             natAddrPortBindGlobalPort respectively."
    ::= { natAddrPortBindEntry 3 }

natAddrPortBindProtocol OBJECT-TYPE
    SYNTAX      NATProtocolType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This object specifies a protocol identifier. If the
             value of this object is none(1), then this BIND entry
             applies to all IP traffic. Any other value of this object
             specifies the class of IP traffic to which this BIND
             applies."
    ::= { natAddrPortBindEntry 4 }

natAddrPortBindOwnerId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of the entity that owns this entry.
             This object is a unique identifier and is generated by
             the NAT middlebox. The owner of the entry may be the
             NAT middlebox itself or one of the MIDCOM agents that
             engage in a MIDCOM session with the NAT middlebox."
    ::= { natAddrPortBindEntry 5 }

natAddrPortBindGroupId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of a group to which this entry belongs.
             This object is a unique identifier and is generated by
             the NAT middlebox."
    ::= { natAddrPortBindEntry 6 }

natAddrPortBindGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natAddrPortBindGlobalAddr."
    ::= { natAddrPortBindEntry 7 }

natAddrPortBindGlobalAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object represents the public-realm specific network
             layer address that, in conjunction with
             natAddrPortBindGlobalPort, maps to the private-realm
             network layer address and transport id represented by
             natAddrPortBindLocalAddr and natAddrPortBindLocalPort
             respectively."
    ::= { natAddrPortBindEntry 8 }

natAddrPortBindGlobalPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object represents the port number (or query id in
             case of ICMP) that, in conjunction with
             natAddrPortBindGlobalAddr, maps to the private-realm
             network layer address and transport id represented by
             natAddrPortBindLocalAddr and natAddrPortBindLocalPort
             respectively."
    ::= { natAddrPortBindEntry 9 }

natAddrPortBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "This object represents a BIND id that is dynamically
             assigned to each BIND by a NAT enabled device. Each
             BIND is represented by a unique BIND id across both
             the Address Bind and Address-Port Bind tables."
    ::= { natAddrPortBindEntry 10 }

natAddrPortBindDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   uniDirectional (1),
                   biDirectional (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object represents the direction of the BIND. A
             BIND may be either uni-directional or bi-directional,
             matching the orientation of the address map on which
             this bind is based."
    ::= { natAddrPortBindEntry 11 }

natAddrPortBindType OBJECT-TYPE
    SYNTAX     INTEGER {
                   static (1),
                   dynamic (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object indicates whether the BIND is static or
             dynamic."
    ::= { natAddrPortBindEntry 12 }

natAddrPortBindAddrMapName OBJECT-TYPE
    SYNTAX     SnmpAdminString
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object is a pointer to the natConfAddrMapTable entry
             (and the parameters of that entry) which was used in
             creating this BIND. If the bind is being created by the
             Management Station, then it should set the value for
             this object as well. An attempt to set this object to a
             nonExistent addrMapName will result in an error."
    ::= { natAddrPortBindEntry 13 }

natAddrPortBindSessionCount OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "Number of sessions currently using this BIND."
    ::= { natAddrPortBindEntry 14 }

natAddrPortBindMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object indicates the maximum time for
             which this BIND can be idle with no sessions
             attached to it.
             The value of this object is of relevance
             only for dynamic NAT."
    ::= { natAddrPortBindEntry 15 }

natAddrPortBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "At any given instance of time, this object indicates the
             time that this BIND has been idle with no sessions
             attached to it.

             The value of this object is of relevance
             only for dynamic NAT."
    ::= { natAddrPortBindEntry 16 }

natAddrPortBindInTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of inbound packets that were translated as per
             this BIND entry."
    ::= { natAddrPortBindEntry 17 }

natAddrPortBindOutTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of outbound packets that were translated as per
             this BIND entry."
    ::= { natAddrPortBindEntry 18 }

natAddrPortBindRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             None of the writable objects except
             natAddrPortBindMaxIdleTime in this row may be
             modified while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrPortBindEntry 20 }
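
The two BIND tables above share the same invariants: a BIND id is unique across both tables, MaxIdleTime matters only for dynamic binds with no sessions attached, and the RowStatus rule lets only MaxIdleTime change while a row is active(1). The following Python is an added example, not part of the draft, that audits a constructed dump of both tables for those invariants and models how an agent would treat a SET under the RowStatus rule; field names are shortened forms of the MIB object names and cover only the objects the checks need.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

STATIC, DYNAMIC = 1, 2   # natAddrBindType / natAddrPortBindType
ACTIVE = 1               # RowStatus active(1)
NONE_PROTO = 1           # NATProtocolType none(1): the bind covers all IP traffic

@dataclass
class Bind:
    # Fields shared by NatAddrBindEntry and NatAddrPortBindEntry, named
    # without the table prefix. TimeTicks values are hundredths of a second.
    bind_id: int
    bind_type: int
    local_addr: bytes
    global_addr: bytes
    session_count: int
    max_idle_time: int
    current_idle_time: int
    row_status: int = ACTIVE

@dataclass
class PortBind(Bind):
    local_port: int = 0          # index object, not writable
    global_port: int = 0
    protocol: int = NONE_PROTO   # index object, not writable

# Objects a manager may write (MAX-ACCESS read-create) among those modelled
# here; the others are read-only counters/ids or not-accessible index objects.
WRITABLE = {"global_addr", "global_port", "bind_type", "max_idle_time", "row_status"}

def try_set(row: Bind, field: str, value) -> str:
    """Apply a manager's SET to one object of a bind row. Returns "" when the
    agent accepts it, otherwise the reason it refuses: only MaxIdleTime (and
    RowStatus itself) may change while the row is active(1)."""
    if field not in WRITABLE or not hasattr(row, field):
        return f"{field} is not a writable object of this row"
    if row.row_status == ACTIVE and field not in ("max_idle_time", "row_status"):
        return f"{field} cannot be modified while the row is active(1)"
    setattr(row, field, value)
    return ""

Finding = Tuple[str, str, int]   # (check, table name, bind id)

def audit_binds(addr_binds: List[Bind], port_binds: List[PortBind]) -> List[Finding]:
    """Invariants from the DESCRIPTION clauses that a dump of both tables
    must satisfy; each violation names the table and the bind id."""
    tables = (("natAddrBindTable", addr_binds), ("natAddrPortBindTable", port_binds))
    findings: List[Finding] = []
    seen: Set[int] = set()
    # A BIND id is unique across BOTH tables, not merely within one of them.
    for table, rows in tables:
        for r in rows:
            if r.bind_id in seen:
                findings.append(("duplicate-bind-id", table, r.bind_id))
            seen.add(r.bind_id)
    # MaxIdleTime applies only to dynamic binds: one with no sessions attached
    # that has been idle past its limit should already have been torn down, so
    # its presence means a translation is being held open beyond policy.
    for table, rows in tables:
        for r in rows:
            if (r.bind_type == DYNAMIC and r.session_count == 0
                    and r.current_idle_time > r.max_idle_time):
                findings.append(("stale-dynamic-bind", table, r.bind_id))
    return findings

def ip4(dotted: str) -> bytes:
    """Dotted quad to the 4-octet InetAddress form the tables store."""
    return bytes(int(p) for p in dotted.split("."))

# Constructed dump, not taken from the draft: bind id 1 appears in both
# tables, and address bind 4 has sat idle for 90 s against a 60 s limit.
ADDR_BINDS = [
    Bind(1, STATIC, ip4("10.0.0.5"), ip4("192.0.2.5"), 3, 0, 0),
    Bind(4, DYNAMIC, ip4("10.0.0.6"), ip4("192.0.2.6"), 0, 6000, 9000),
]
PORT_BINDS = [
    PortBind(1, DYNAMIC, ip4("10.0.0.7"), ip4("192.0.2.1"), 1, 6000, 100,
             local_port=40000, global_port=20000, protocol=NONE_PROTO),
    PortBind(3, DYNAMIC, ip4("10.0.0.8"), ip4("192.0.2.1"), 0, 6000, 500,
             local_port=40001, global_port=20001, protocol=NONE_PROTO),
]

if __name__ == "__main__":
    for finding in audit_binds(ADDR_BINDS, PORT_BINDS):
        print(*finding)
    row = ADDR_BINDS[1]
    print(try_set(row, "global_addr", ip4("192.0.2.7")) or "set accepted")
    print(try_set(row, "max_idle_time", 3000) or "set accepted")
```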

--
-- The Session Table
--

natSessionTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "The (conceptual) table containing one entry for each
             NAT session currently active on this NAT device."
    ::= { natTranslation 5 }

natSessionEntry OBJECT-TYPE
    SYNTAX     NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "An entry (conceptual row) containing information
             about an active NAT session on this NAT device."
    INDEX   { natSessionBindId, natSessionId }
    ::= { natSessionTable 1 }

NatSessionEntry ::= SEQUENCE {
    natSessionBindId               Unsigned32,
    natSessionId                   Unsigned32,
    natSessionOwnerId              Unsigned32,
    natSessionGroupId              Unsigned32,
    natSessionDirection            INTEGER,
    natSessionUpTime               TimeTicks,
    natSessionProtocolType         NATProtocolType,
    natSessionOrigPrivateAddrType  InetAddressType,
    natSessionOrigPrivateAddr      InetAddress,
    natSessionTransPrivateAddrType InetAddressType,
    natSessionTransPrivateAddr     InetAddress,
    natSessionOrigPrivatePort      InetPortNumber,
    natSessionTransPrivatePort     InetPortNumber,
    natSessionOrigPublicAddrType   InetAddressType,
    natSessionOrigPublicAddr       InetAddress,
    natSessionTransPublicAddrType  InetAddressType,
    natSessionTransPublicAddr      InetAddress,
    natSessionOrigPublicPort       InetPortNumber,
    natSessionTransPublicPort      InetPortNumber,
    natSessionMaxIdleTime          TimeTicks,
    natSessionCurrentIdleTime      TimeTicks,
    natSessionSecondBindId         Unsigned32,
    natSessionInTranslate          Counter64,
    natSessionOutTranslate         Counter64,
    natSessionRowStatus            RowStatus
}

natSessionBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object represents a BIND id that is dynamically
             assigned to each BIND by a NAT enabled device. This
             bind id is the same as that represented by the BindId
             objects in the Address bind and Address-Port bind
             tables."
    ::= { natSessionEntry 1 }

natSessionId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "The session ID for this NAT session."
    ::= { natSessionEntry 2 }

natSessionOwnerId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of the entity that owns this entry.
             This object is a unique identifier and is generated by
             the NAT middlebox. The owner of the entry may be the
             NAT middlebox itself or one of the MIDCOM agents that
             engage in a MIDCOM session with the NAT middlebox."
    ::= { natSessionEntry 3 }

natSessionGroupId  OBJECT-TYPE
    SYNTAX      Unsigned32  (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The identifier of a group to which this entry belongs.
             This object is a unique identifier and is generated by
             the NAT middlebox."
    ::= { natSessionEntry 4 }

natSessionDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   inbound (1),
                   outbound (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The direction of this session with respect to the
             local network. 'inbound' indicates that this session
             was initiated from the public network into the private
             network. 'outbound' indicates that this session was
             initiated from the private network into the public
             network."
    ::= { natSessionEntry 5 }

natSessionUpTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The up time of this session in one-hundredths of a
             second."
    ::= { natSessionEntry 6 }

natSessionProtocolType OBJECT-TYPE
    SYNTAX     NATProtocolType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The protocol type of this session."
    ::= { natSessionEntry 7 }

natSessionOrigPrivateAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natSessionOrigPrivateAddr."
    ::= { natSessionEntry 8 }

natSessionOrigPrivateAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The original IP address of the session endpoint that
             lies in the private network."
    ::= { natSessionEntry 9 }

natSessionTransPrivateAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natSessionTransPrivateAddr."
    ::= { natSessionEntry 10 }

natSessionTransPrivateAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The translated IP address of the session endpoint that
             lies in the private network. The value of this object
             is equal to that of the original private IP Address
             (natSessionOrigPrivateAddr) when there is no
             translation."
    ::= { natSessionEntry 11 }

natSessionOrigPrivatePort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The original transport port of the session endpoint that
             belongs to the private network. If this is an ICMP
             session then the value is the ICMP request ID. The value
             of this object must be 0 when ports are not involved
             in the translation."
    ::= { natSessionEntry 12 }

natSessionTransPrivatePort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The translated transport port of the session that lies in
             the private network. The value of this object is equal to
             that of the original transport port
             (natSessionOrigPrivatePort) when there is no
             translation."
    ::= { natSessionEntry 13 }

natSessionOrigPublicAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natSessionOrigPublicAddr."
    ::= { natSessionEntry 14 }

natSessionOrigPublicAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The original IP address of the session endpoint that lies
             in the public network."
    ::= { natSessionEntry 15 }

natSessionTransPublicAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             natSessionTransPublicAddr."
    ::= { natSessionEntry 16 }

natSessionTransPublicAddr OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The translated IP address of the session endpoint that
             belongs to the public network. The value of this object
             is equal to that of the original public IP Address
             (natSessionOrigPublicAddr) when there is no
             translation."
    ::= { natSessionEntry 17 }

natSessionOrigPublicPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The original transport port of the session endpoint that
             belongs to the public network. If this is an ICMP
             session then the value contains the ICMP request ID.
             The value of this object must be 0 when ports are
             not involved in the translation."
    ::= { natSessionEntry 18 }

natSessionTransPublicPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The translated transport port of the session endpoint
             that belongs to the public network. The value of this
             object is equal to that of the original transport port
             (natSessionOrigPublicPort) when there is no
             translation."
    ::= { natSessionEntry 19 }

natSessionMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The maximum time for which this session can remain idle,
             i.e. without a packet being detected."
    ::= { natSessionEntry 20 }

natSessionCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The time since a packet belonging to this session was
             last detected."
    ::= { natSessionEntry 21 }

natSessionSecondBindId OBJECT-TYPE
    SYNTAX     Unsigned32
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "The natBindId of the 'other' NAT binding in case of Twice
             NAT. An instance of this object contains a valid value
             only if the binding type for this session is TwiceNAT.
             This object may not be modified while the value of
             natSessionStatus is active(1).  An attempt to set this
             object while the value of natSessionStatus is active(1)
             will result in an inconsistentValue error.

             In case of TwiceNAT, the value of this object MUST point
             to a valid bind id."
    ::= { natSessionEntry 22 }

natSessionInTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of inbound packets that were translated for
             this session."
    ::= { natSessionEntry 23 }

natSessionOutTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of outbound packets that were translated for
             this session."
    ::= { natSessionEntry 24 }

natSessionRowStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The status of this conceptual row.
             For a TwiceNAT session, until the instance of the
             natSessionSecondBindId column has an appropriate (valid)
             value, the value of the corresponding instance of the
             natSessionStatus column must be 'notReady'.
             None of the writable objects in this row except
             natSessionMaxIdleTime may be modified while the value of
             this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    ::= { natSessionEntry 25 }

--
-- natStatistics Group
--

--
-- The Protocol Stats table
--

natStatsProtocolTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatStatsProtocolEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "The (conceptual) table containing per protocol NAT
             statistics."
    ::= { natStatistics 1 }

natStatsProtocolEntry OBJECT-TYPE
    SYNTAX     NatStatsProtocolEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "An entry (conceptual row) containing NAT statistics
             pertaining to a particular protocol."
    INDEX   { natStatsProtocol }
    ::= { natStatsProtocolTable 1 }

NatStatsProtocolEntry ::= SEQUENCE {
    natStatsProtocol              NATProtocolType,
    natStatsProtocolInTranslate   Counter64,
    natStatsProtocolOutTranslate  Counter64,
    natStatsProtocolRejectCount   Counter64
}
natStatsProtocol OBJECT-TYPE
    SYNTAX     NATProtocolType
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object identifies the protocol for which the
             statistics in this row are reported."
    ::= { natStatsProtocolEntry 1 }

natStatsProtocolInTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of inbound packets, pertaining to the protocol
             identified by natStatsProtocol, that underwent NAT."
    ::= { natStatsProtocolEntry 2 }

natStatsProtocolOutTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of outbound packets, pertaining to the protocol
             identified by natStatsProtocol, that underwent NAT."
    ::= { natStatsProtocolEntry 3 }

natStatsProtocolRejectCount OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of packets, pertaining to the protocol
             identified by natStatsProtocol, that had to be
             rejected/dropped due to lack of resources. These
             rejections could be due to session timeout, resource
             unavailability, lack of address space, etc."
    ::= { natStatsProtocolEntry 4 }

--
-- The Address Map Stats table
--

natStatsAddrMapTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatStatsAddrMapEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "The (conceptual) table containing per address map NAT
             statistics."
    ::= { natStatistics 2 }

natStatsAddrMapEntry OBJECT-TYPE
    SYNTAX     NatStatsAddrMapEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "An entry (conceptual row) containing NAT statistics per
             address map."
    AUGMENTS   { natConfAddrMapEntry }
    ::= { natStatsAddrMapTable 1 }

NatStatsAddrMapEntry ::= SEQUENCE {
    natStatsAddrMapInTranslate   Counter64,
    natStatsAddrMapOutTranslate  Counter64,
    natStatsAddrMapNoResource    Counter64,
    natStatsAddrMapAddrUsed      Gauge32
}

natStatsAddrMapInTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of inbound packets, pertaining to this address
             map entry, that were translated."
    ::= { natStatsAddrMapEntry 3 }

natStatsAddrMapOutTranslate OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of outbound packets, pertaining to this
             address map entry, that were translated."
    ::= { natStatsAddrMapEntry 4 }

natStatsAddrMapNoResource OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of packets, pertaining to this address map
             entry, that were dropped due to lack of addresses in the
             address pool identified by this address map. The value of
             this object must always be zero in case of static
             address map."
    ::= { natStatsAddrMapEntry 5 }
natStatsAddrMapAddrUsed OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "The number of addresses, pertaining to this address map,
             that are currently being used from the nat pool. The
             value of this object is irrelevant if the address map in
             question is a static address map."
    ::= { natStatsAddrMapEntry 6 }

--
-- The Stats Interface table
--

natStatsInterfaceTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatStatsInterfaceEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This table provides NAT statistics per interface."
    ::= { natStatistics 3 }

natStatsInterfaceEntry OBJECT-TYPE
    SYNTAX     NatStatsInterfaceEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "Each entry of the natStatsInterfaceTable represents stats
             pertaining to one interface, which is identified by its
             ifIndex."
    AUGMENTS { natConfInterfaceEntry }
    ::= { natStatsInterfaceTable 1 }

NatStatsInterfaceEntry ::= SEQUENCE {
    natStatsInterfacePktsIn   Counter64,
    natStatsInterfacePktsOut  Counter64
}

natStatsInterfacePktsIn OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "Number of packets received on this interface that
             were translated."
    ::= { natStatsInterfaceEntry 1 }
natStatsInterfacePktsOut OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "Number of translated packets that were sent out this
             interface."
    ::= { natStatsInterfaceEntry 2 }

--
-- Notifications section
--

natNotificationPrefix  OBJECT IDENTIFIER ::= { natMIB 2 }
natNotifications       OBJECT IDENTIFIER ::=
                       { natNotificationPrefix 0 }

--
-- Notification objects, i.e. objects accessible only for notification
-- purposes.
--

natNotificationObjects OBJECT IDENTIFIER ::=
                       { natNotificationPrefix 1 }

natAddrMapName OBJECT-TYPE
    SYNTAX     SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS     current
    DESCRIPTION
            "This object represents the address map whose addresses
             or ports have been exhausted, thereby resulting in a
             natPacketDiscard notification."
    ::= { natNotificationObjects 1 }

natPktDiscardReason OBJECT-TYPE
    SYNTAX      INTEGER {
                    other (1),
                    addressSpaceExhausted (2)
                }
    MAX-ACCESS accessible-for-notify
    STATUS     current
    DESCRIPTION
            "This object represents the reason for which a packet is
             discarded by NAT.

             addressSpaceExhausted (2) represents a situation wherein
             the address space required to do this mapping has been
             exhausted (used up by other translations).
             other (1) represents a case where the packet was
             discarded due to any other reasons."
    ::= { natNotificationObjects 2 }

--
-- Notifications
--

natAddressUseRising NOTIFICATION-TYPE
    OBJECTS { natStatsAddrMapAddrUsed }
    STATUS  current
    DESCRIPTION
            "This notification is generated whenever the number of
             addresses in use for an address map is equal to or
             greater than the configured address rising threshold.

             Note that once this notification is generated, another
             notification for the same address map should be generated
             only after the address usage falls to/below the defined
             falling threshold.
             This notification should be generated only for dynamic
             address maps, since it provides no useful information
             for static maps."
    ::= { natNotifications 1 }

natPacketDiscard NOTIFICATION-TYPE
    OBJECTS { natAddrMapName, natPktDiscardReason }
    STATUS  current
    DESCRIPTION
            "This notification is generated whenever packets are
             discarded, e.g. due to lack of mapping space when the
             addresses (Basic NAT) or ports (NAPT) run out.

             An agent should not generate more than one
             natPacketDiscard 'notification-event' in a given time
             interval (five seconds is the suggested default). A
             'notification-event' is the transmission of a single
             trap or inform PDU to a list of notification
             destinations.

             If additional NAT packets are discarded within the
             throttling period, then notification-events for these
             discards should be suppressed by the agent until the
             current throttling period expires.  At the end of a
             throttling period, one notification-event should be
             generated if any NAT packet was discarded since the
             start of the throttling period. In such a case, another
             throttling period is started right away."
    ::= { natNotifications 2 }
--
-- Conformance information.
--

natMIBConformance OBJECT IDENTIFIER ::= { natMIB 3 }

natMIBGroups      OBJECT IDENTIFIER ::= { natMIBConformance 1 }
natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 }

--
-- Units of conformance
--

natConfigGroup OBJECT-GROUP
    OBJECTS { natConfInterfaceRealm,
              natConfServiceType,
              natConfAddrMapConfigName,
              natConfStorageType,
              natConfRowStatus,
              natConfAddrMapOwnerId,
              natConfAddrMapGroupId,
              natConfAddrMapEntryType,
              natConfAddrMapTranslationEntity,
              natConfLocalAddrType,
              natConfLocalAddrFrom,
              natConfLocalAddrTo,
              natConfLocalPortFrom,
              natConfLocalPortTo,
              natConfGlobalAddrType,
              natConfGlobalAddrFrom,
              natConfGlobalAddrTo,
              natConfGlobalPortFrom,
              natConfGlobalPortTo,
              natConfProtocol,
              natConfAddrMapStorageType,
              natConfAddrMapRowStatus,
              natConfUdpDefIdleTimeout,
              natConfIcmpDefIdleTimeout,
              natConfOtherDefIdleTimeout,
              natConfTcpDefIdleTimeout,
              natConfTcpDefNegTimeout }
    STATUS  current
    DESCRIPTION
            "A collection of configuration-related information
             required to support management of devices supporting
             NAT."
    ::= { natMIBGroups 1 }
natTranslationGroup OBJECT-GROUP
    OBJECTS { natAddrBindNumberOfEntries,
              natAddrBindOwnerId,
              natAddrBindGroupId,
              natAddrBindGlobalAddrType,
              natAddrBindGlobalAddr,
              natAddrBindId,
              natAddrBindDirection,
              natAddrBindType,
              natAddrBindAddrMapName,
              natAddrBindSessionCount,
              natAddrBindMaxIdleTime,
              natAddrBindCurrentIdleTime,
              natAddrBindInTranslate,
              natAddrBindOutTranslate,
              natAddrBindRowStatus,
              natAddrPortBindNumberOfEntries,
              natAddrPortBindOwnerId,
              natAddrPortBindGroupId,
              natAddrPortBindGlobalAddrType,
              natAddrPortBindGlobalAddr,
              natAddrPortBindGlobalPort,
              natAddrPortBindId,
              natAddrPortBindDirection,
              natAddrPortBindType,
              natAddrPortBindAddrMapName,
              natAddrPortBindSessionCount,
              natAddrPortBindMaxIdleTime,
              natAddrPortBindCurrentIdleTime,
              natAddrPortBindInTranslate,
              natAddrPortBindOutTranslate,
              natAddrPortBindRowStatus,
              natSessionOwnerId,
              natSessionGroupId,
              natSessionDirection,
              natSessionUpTime,
              natSessionProtocolType,
              natSessionOrigPrivateAddrType,
              natSessionOrigPrivateAddr,
              natSessionTransPrivateAddrType,
              natSessionTransPrivateAddr,
              natSessionOrigPrivatePort,
              natSessionTransPrivatePort,
              natSessionOrigPublicAddrType,
              natSessionOrigPublicAddr,
              natSessionTransPublicAddrType,
              natSessionTransPublicAddr,
              natSessionOrigPublicPort,
              natSessionTransPublicPort,
              natSessionMaxIdleTime,
              natSessionCurrentIdleTime,
              natSessionSecondBindId,
              natSessionInTranslate,
              natSessionOutTranslate,
              natSessionRowStatus }
    STATUS  current
    DESCRIPTION
            "A collection of BIND-related objects required to support
             management of devices supporting NAT."
    ::= { natMIBGroups 2 }

natStatsInterfaceGroup OBJECT-GROUP
    OBJECTS { natStatsInterfacePktsIn,
              natStatsInterfacePktsOut }
    STATUS  current
    DESCRIPTION
            "A collection of NAT statistics associated with the
             interface on which NAT is configured, to aid
             troubleshooting/monitoring of the NAT operation."
    ::= { natMIBGroups 3 }

natStatsProtocolGroup OBJECT-GROUP
    OBJECTS { natStatsProtocolInTranslate,
              natStatsProtocolOutTranslate,
              natStatsProtocolRejectCount }
    STATUS  current
    DESCRIPTION
            "A collection of protocol specific NAT statistics,
             to aid troubleshooting/monitoring of NAT operation."
    ::= { natMIBGroups 4 }

natStatsAddrMapGroup OBJECT-GROUP
    OBJECTS { natStatsAddrMapInTranslate,
              natStatsAddrMapOutTranslate,
              natStatsAddrMapNoResource,
              natStatsAddrMapAddrUsed }
    STATUS  current
    DESCRIPTION
            "A collection of address map specific NAT statistics,
             to aid troubleshooting/monitoring of NAT operation."
    ::= { natMIBGroups 5 }

natMIBNotifConfigGroup OBJECT-GROUP
    OBJECTS { natConfAddrRiseThreshold,
              natConfAddrFallThreshold }
    STATUS  current
    DESCRIPTION
            "A collection of configuration objects required to support
             the threshold-based notifications."
    ::= { natMIBGroups 6 }
natMIBNotificationObjectsGroup OBJECT-GROUP
    OBJECTS { natAddrMapName,
              natPktDiscardReason }
    STATUS  current
    DESCRIPTION
            "A collection of objects required to support NAT
             notifications."
    ::= { natMIBGroups 7 }

natMIBNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS { natAddressUseRising,
                    natPacketDiscard }
    STATUS        current
    DESCRIPTION
            "A collection of notifications which are generated by
             devices supporting this MIB."
    ::= { natMIBGroups 8 }

--
-- Compliance statements
--

natMIBFullCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
            "When this MIB is implemented with support for
             read-create, then such an implementation can claim
             full or MIDCOM compliance. Such devices can then be both
             monitored and configured with this MIB."
    MODULE  -- this module
      MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
                         natStatsInterfaceGroup }
      GROUP       natStatsAddrMapGroup
      DESCRIPTION
               "This group is optional."
      GROUP       natMIBNotifConfigGroup
      DESCRIPTION
               "This group is optional."
      GROUP       natMIBNotificationObjectsGroup
      DESCRIPTION
               "This group is optional."
      GROUP       natMIBNotificationGroup
      DESCRIPTION
               "This group is optional."

      GROUP       natTranslationGroup
      DESCRIPTION
               "Write access to this group is mandatory for
                MIDCOM compliance."
      OBJECT      natConfInterfaceRealm
      MIN-ACCESS  read-only
      DESCRIPTION
              "Write access is not required."

      OBJECT natConfRowStatus
      SYNTAX RowStatus { active(1) }
      WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
      DESCRIPTION
              "Support for createAndWait and notInService is
               not required."

      OBJECT      natConfAddrMapOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natConfAddrMapGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT natConfAddrMapRowStatus
      SYNTAX RowStatus { active(1) }
      WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
      DESCRIPTION
              "Support for createAndWait and notInService is
               not required."

      OBJECT      natAddrBindOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natAddrBindGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT natAddrBindRowStatus
      SYNTAX RowStatus { active(1) }
      WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
      DESCRIPTION
              "Support for createAndWait and notInService is
               not required."

      OBJECT      natAddrPortBindOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."
      OBJECT      natAddrPortBindGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT natAddrPortBindRowStatus
      SYNTAX RowStatus { active(1) }
      WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
      DESCRIPTION
              "Support for createAndWait and notInService is
               not required."

      OBJECT      natSessionOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natSessionGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT natSessionRowStatus
      SYNTAX RowStatus { active(1) }
      WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
      DESCRIPTION
              "Support for createAndWait and notInService is
               not required."

      OBJECT      natConfStorageType
      MIN-ACCESS  read-only
      DESCRIPTION
              "Write Access is not required."

      OBJECT      natConfAddrMapStorageType
      MIN-ACCESS  read-only
      DESCRIPTION
              "Write Access is not required."


    ::= { natMIBCompliances 1 }

natMIBReadOnlyCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
            "When this MIB is implemented without support for
             read-create (i.e. in read-only mode), then such an
             implementation can claim read-only compliance.
             Such a device can then be monitored but can not be
             configured with this MIB."
    MODULE  -- this module
      MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
                         natStatsInterfaceGroup }
      GROUP       natStatsAddrMapGroup
      DESCRIPTION
               "This group is optional."
      GROUP       natMIBNotifConfigGroup
      DESCRIPTION
               "This group is optional."
      GROUP       natMIBNotificationObjectsGroup
      DESCRIPTION
               "This group is optional."
      GROUP       natMIBNotificationGroup
      DESCRIPTION
               "This group is optional."

      OBJECT      natConfAddrMapOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natConfAddrMapGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natAddrBindOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natAddrBindGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natAddrPortBindOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natAddrPortBindGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

      OBJECT      natSessionOwnerId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."
      OBJECT      natSessionGroupId
      MIN-ACCESS  read-only
      DESCRIPTION
              "Object is only required for MIDCOM compliance."

    ::= { natMIBCompliances 2 }


END
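
   The SET rules that the natSessionSecondBindId and natSessionRowStatus
   DESCRIPTION clauses in the module above impose (a TwiceNAT row stays
   notReady until its second bind id is valid, nothing but
   natSessionMaxIdleTime may change while the row is active, and the
   compliance statements require only createAndGo/destroy on write), as an
   added agent-side model in Python that is not code from this draft. The
   twice_nat flag, the valid_bind_ids set, the default idle time and the
   error-status used for rejected column writes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# RowStatus values (RFC 2579) relevant to natSessionRowStatus.
ACTIVE, NOT_IN_SERVICE, NOT_READY, CREATE_AND_GO, DESTROY = 1, 2, 3, 4, 6


class SnmpSetError(Exception):
    """Carries the SNMP error-status the agent would return for a rejected SET."""


@dataclass
class NatSessionRow:
    """Agent-side model of one natSessionEntry and the SET rules its
    DESCRIPTION clauses impose (added example, not part of the MIB)."""
    twice_nat: bool                       # assumption: derived from the session's bind type
    valid_bind_ids: Set[int]              # bind ids currently present in the bind tables
    second_bind_id: Optional[int] = None  # natSessionSecondBindId
    max_idle_time: int = 30000            # natSessionMaxIdleTime in TimeTicks (constructed default)
    active: bool = False
    columns: Dict[str, object] = field(default_factory=dict)  # other read-create columns

    def _second_bind_valid(self) -> bool:
        # Only a TwiceNAT session needs a second binding, and it MUST point to a real bind id.
        return (not self.twice_nat) or (self.second_bind_id in self.valid_bind_ids)

    def read_row_status(self) -> int:
        """natSessionRowStatus as a GET would return it."""
        if not self._second_bind_valid():
            return NOT_READY                 # TwiceNAT row without a valid second bind id
        return ACTIVE if self.active else NOT_IN_SERVICE

    def set_column(self, name: str, value) -> None:
        """Apply a SET to one read-create column of this row."""
        if name == "natSessionMaxIdleTime":
            self.max_idle_time = int(value)  # the only column writable while active
            return
        if self.active:
            # The MIB names inconsistentValue for natSessionSecondBindId; using the
            # same error-status for the other columns is an assumption.
            raise SnmpSetError("inconsistentValue")
        if name == "natSessionSecondBindId":
            if self.twice_nat and value not in self.valid_bind_ids:
                raise SnmpSetError("inconsistentValue")
            self.second_bind_id = value
            return
        self.columns[name] = value

    def set_row_status(self, requested: int) -> int:
        """Apply a SET to natSessionRowStatus; the compliance statements only
        require createAndGo(4) and destroy(6) to be accepted on write."""
        if requested == DESTROY:
            self.active = False
            self.columns.clear()
            return DESTROY
        if requested != CREATE_AND_GO:
            raise SnmpSetError("wrongValue")         # createAndWait/notInService not supported
        if not self._second_bind_valid():
            raise SnmpSetError("inconsistentValue")  # cannot activate a notReady TwiceNAT row
        self.active = True
        return ACTIVE
```
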

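   The agent-side logic for the two notifications defined above,
   natAddressUseRising (rising/falling-threshold hysteresis, dynamic address
   maps only) and natPacketDiscard (at most one notification-event per
   throttling period, five-second default, one summary event at the end of
   a busy period), as an added Python example that is not code from this
   draft. It assumes natConfAddrRiseThreshold and natConfAddrFallThreshold
   are address counts in the units of natStatsAddrMapAddrUsed, and that the
   end-of-period event reports the most recent suppressed discard.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# natPktDiscardReason enumeration values from the MIB.
OTHER = 1
ADDRESS_SPACE_EXHAUSTED = 2


@dataclass
class AddrMapUsageMonitor:
    """Decides when natAddressUseRising fires for one address map.
    Assumption: the thresholds are address counts, the same units as
    natStatsAddrMapAddrUsed."""
    name: str
    dynamic: bool            # the MIB says static maps never raise this notification
    rise_threshold: int      # natConfAddrRiseThreshold
    fall_threshold: int      # natConfAddrFallThreshold
    armed: bool = True       # cleared on firing, re-armed once usage falls to/below fall_threshold

    def update(self, addr_used: int) -> bool:
        """Feed a natStatsAddrMapAddrUsed sample; True means 'send natAddressUseRising now'."""
        if not self.dynamic:
            return False
        if self.armed and addr_used >= self.rise_threshold:
            self.armed = False       # no repeat until usage has dropped back
            return True
        if not self.armed and addr_used <= self.fall_threshold:
            self.armed = True        # hysteresis: the next crossing notifies again
        return False


@dataclass
class DiscardEvent:
    """One natPacketDiscard notification-event with its two varbinds."""
    sent_at: float
    addr_map_name: str       # natAddrMapName
    reason: int              # natPktDiscardReason


@dataclass
class PacketDiscardThrottle:
    """Agent-side throttling of natPacketDiscard: at most one notification-event
    per throttling period; discards inside a period are summarised by a single
    event at its end, which immediately starts the next period."""
    period: float = 5.0                      # the suggested default of five seconds
    period_end: Optional[float] = None       # None while no throttling period is running
    pending: Optional[DiscardEvent] = None   # latest discard suppressed in the current period
    sent: List[DiscardEvent] = field(default_factory=list)

    def _close_expired_periods(self, now: float) -> None:
        """Walk forward over every period that has ended at or before 'now'."""
        while self.period_end is not None and now >= self.period_end:
            if self.pending is None:
                self.period_end = None       # a quiet period ends throttling altogether
            else:
                # Summarise the period with one event; the next period starts right away.
                self.sent.append(DiscardEvent(self.period_end, self.pending.addr_map_name,
                                              self.pending.reason))
                self.pending = None
                self.period_end += self.period

    def packet_discarded(self, now: float, addr_map_name: str, reason: int) -> bool:
        """Hook called by the NAT datapath for each discarded packet.
        Returns True when a notification-event is transmitted immediately."""
        self._close_expired_periods(now)
        if self.period_end is None:
            self.sent.append(DiscardEvent(now, addr_map_name, reason))
            self.period_end = now + self.period
            return True
        # Inside a running period: suppress, but remember the latest discard so the
        # end-of-period event carries current varbinds (assumption: the MIB does not
        # say which suppressed discard the summary event should describe).
        self.pending = DiscardEvent(now, addr_map_name, reason)
        return False

    def poll(self, now: float) -> List[DiscardEvent]:
        """Timer hook: emit any due end-of-period event; returns everything sent so far."""
        self._close_expired_periods(now)
        return list(self.sent)


def replay_usage(monitor: AddrMapUsageMonitor, samples: List[int]) -> List[int]:
    """Indices of the samples at which natAddressUseRising would be generated."""
    return [i for i, used in enumerate(samples) if monitor.update(used)]
```
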


6. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.




7. Change History

   A record of changes which will be removed before publication.

   10  September 2001

   o Added the following objects to support notifications:
     natConfAddrRiseThreshold, natConfAddrFallThreshold,
     natAddrMapName and natPktDiscardReason.

   o The following notifications were added (there are still some
     unclear parameters though):
     natAddressUseRising and natPacketDiscard.

   10  November 2001

   o Dynamic and Static Address Map tables are merged.

   o Protocol Extensibility added.

   o Rearrangement of OIDs done to get things in proper sequence.
   07  February 2002

   o Config and Interface Specific tables are merged.

   o MAX-ACCESS for the bind and session entry objects is
     changed to be read-create.

   o natConfAddrMapType renamed to natConfAddrMapDirection.

   14 June 2002

   o Changed the syntax of natConfServiceType to BITS and renumbered
     the enumeration to start with 0.

   o Addressed the warning raised by smilint - all InetAddress values
     now restricted to the size range (0..20) i.e. valid InetAddress
     types are now ipv4, ipv6, ipv4z and ipv6z.

   o MIN-ACCESS for natConfInterfaceRealm restricted to read-only.

   o Changed the natConfIcmpDefIdleTimeout default value to be 300.

   o natConfProtConfigName made a part of the optional
     natConfProtGroup.

   o RFC 3291 is now referred to instead of RFC 2578.

   2 Nov 2002

   o Added the Bind Origin Objects.

   o Updated the description of natSessionSecondBindId.

   o Interface specific statistics made mandatory.

   o New sections, 4.1, 4.2 and 4.3 added indicating relationship
     between tables and configuration guidelines.


   02 Sep 2003

   o Removed the protocol extensibility.

   o Incorporated other comments.


8.  Acknowledgements

   The authors of this memo would like to thank Randy Turner, Ashwini
   S T, Kevin Luehrs, Sam Sankoorikal and Juergen Quittek for their
   valuable feedback.



9.  IANA Considerations

   Several specific values for MIB objects require completion before
   this memo can advance to RFC status.  These are:

   o  OID value for "natMib"; see MODULE-IDENTITY.


10.  Security Considerations

   This MIB contains readable objects whose values provide information
   related to NAT binds and sessions. Some of these objects, e.g. the
   bind information, could contain sensitive data. There are a number
   of management objects defined in this MIB that have a MAX-ACCESS
   clause of read-write and/or read-create. Such objects may be
   considered sensitive or vulnerable in some network environments.

   While unauthorized access to the readable objects may be relatively
   innocuous, unauthorized access to the writable objects could cause
   a denial of service and/or widespread network disturbance. Hence,
   support for SET operations in a non-secure environment without
   proper protection can have a negative effect on network operations.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the
   objects in this MIB.

   It is recommended that the implementers consider the security
   features as provided by the SNMPv3 framework (see [RFC3410], section
   8), including full support for the SNMPv3 cryptographic mechanisms
   (for authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.
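
   The following snmpd.conf fragment is an added example, not part of
   this draft, showing the recommendation above applied to a net-snmp
   agent: the weak community-based setting is shown commented out beside
   an SNMPv3-only configuration that requires authentication and
   privacy and uses VACM views to limit what each principal may read or
   change. The user names, passphrases and the view subtree are
   assumptions; since the OID for natMib is still to be assigned (see
   IANA Considerations), the view is anchored at mib-2 as a placeholder.

```conf
# snmpd.conf fragment (added example, not part of this draft).
#
# Weak setting: a writable SNMPv2c community exposes every read-write
# and read-create object in this MIB to anyone who learns the community
# string, which crosses the network in cleartext.
#
#   rwcommunity  public
#
# Corrected setting: SNMPv3 users only, authPriv required, access scoped
# by VACM views.

# USM users (passphrases are placeholders; choose your own).
# Monitoring principal: read access only.
createUser natReader  SHA "ReaderAuthPassphrase"  AES "ReaderPrivPassphrase"
# Operator principal: allowed to change/create/delete objects.
createUser natAdmin   SHA "AdminAuthPassphrase"   AES "AdminPrivPassphrase"

# VACM view over the subtree carrying this MIB. natMib's OID is not yet
# assigned in this draft, so mib-2 is used as a placeholder; narrow the
# view to the assigned OID once IANA allocates it.
view  natView  included  .1.3.6.1.2.1

# Map users to groups; 'priv' rejects any request that is not both
# authenticated and encrypted. Columns: read, write, notify views.
group  natReaders  usm  natReader
group  natAdmins   usm  natAdmin
access natReaders  ""  usm  priv  exact  natView  none     none
access natAdmins   ""  usm  priv  exact  natView  natView  none
```

   With this in place a request sent with an SNMPv1/v2c community, or an
   SNMPv3 request at noAuthNoPriv or authNoPriv, is refused by the agent
   before it reaches the MIB, and only natAdmin can issue SETs against
   the read-write and read-create objects defined here.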



11.  References

   11.1. Normative References

   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M. and S. Waldbusser, "Structure of Management
             Information Version 2 (SMIv2)", STD 58, RFC 2578, April
             1999.

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M. and S. Waldbusser, "Textual Conventions for
             SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M. and S. Waldbusser, "Conformance Statements for
             SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
             Address Translator (Traditional NAT)", RFC 3022,
             January 2001.

   [RFC2663] Srisuresh, P. and M. Holdrege, "NAT Terminology and
             Considerations", RFC 2663, August 1999.

   [RFC3291] Daniele, M., Haberman, B., Routhier, S. and J.
             Schoenwaelder, "Textual Conventions for Internet Network
             Addresses", RFC 3291, May 2002.

   11.2. Informative References

   [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
             "Introduction and Applicability Statements for Internet-
             Standard Management Framework", RFC 3410, December 2002.


12.  Authors' Addresses

   R. Rohit
   Mascon Global Limited
   #59/2 100 ft Ring Road
   Banashankari II Stage
   Bangalore 560 070
   India
   Phone: +91 80 679 6227
   Email: rrohit74@hotmail.com

   Nalinaksh Pai
   Cisco Systems, Inc.
   Prestige Waterford
   No. 9, Brunton Road
   Bangalore - 560 025
   India
   Phone: +91 80 532 1300 extn. 6354
   Email: npai@cisco.com

   Rajiv Raghunarayan
   Cisco Systems Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   Phone: +1 408 853 9612
   Email: raraghun@cisco.com

   Cliff Wang
   Information Security
   Bank One Corp
   1111 Polaris Pkwy
   Columbus, OH 43240
   Phone: +1 614 213 6117
   Email: cliffwang2000@yahoo.com

   P. Srisuresh
   Caymas Systems, Inc.
   1179-A North McDowell Blvd.
   Petaluma, CA 94954
   Tel: (707) 283-5063
   Email: srisuresh@yahoo.com



13. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

   Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
