The partner company with NAPT model modifies the partner company with NAT model, replacing the NAT device in front of the internal network of each partner company with a NAPT device.
The following statements and concepts are covered in the discussion of this model:
The partner company model assumed a network topology with both partner companies using public IP addresses in their internal networks. The partner company with NAT model modified the partner company model to include private addressing in the private network of each partner company, with a NAT device in front of each private network. Both NAT devices used static one-to-one address mappings.
The partner company with NAPT model modifies the partner company with NAT model, replacing the NAT device in front of the partner company's internal network with a NAPT device. The NAPT device uses many-to-one address and port mappings. The NAT in front of the z/OS® host continues to use static one-to-one address mappings.
Figure 1 shows the partner company with NAPT topology.
The partner company with NAPT model has the same basic security requirements as the partner company with NAT model. One difference is that IPSec protection for Enterprise Extender (EE) traffic has been eliminated from the example. EE traffic is not compatible with the use of NAPT, with or without IPSec protection. For more information, see Enterprise Extender considerations when traversing a NAT.
This example includes only the configuration steps that are impacted by a change from static one-to-one address mappings to NAPT mappings. Configuration statements added or changed for the partner company with NAPT model are shown in bold. The example describes the policy for partner company 1 (PCO1).
For this example, assume you must meet the following requirements to enable network communications from a partner company (PCO2) in an untrusted zone B behind a NAPT (9.4.4.4), over a connected network, to a server on this host that is behind a NAT, using static one-to-one address mapping:
Starting with the partner company with NAT policy, the following changes need to be made to meet these requirements when there is a NAPT in front of the partner company's internal network (Zone B):
A completely configured policy, including all objects and their references, is as follows:
# IpFilterPolicy for secure public server
IpFilterPolicy
{
PreDecap off
IpFilterGroupRef ZoneB
}
KeyExchangePolicy
{
AllowNat Yes
NatKeepAliveInterval 0
KeyExchangeRuleRef ZoneB_KeyExRule1
}
###### All re-usable statements follow #######
IpFilterGroup ZoneB
{
IpFilterRuleRef ZoneB-Permitted-traffic
IpFilterRuleRef FTPServer-ZoneB #IPSec-protected
}
######################################
# IpFilterRules                      #
# defines:                           #
#   data endpoints                   #
#   Allowed services                 #
#   Actions (permit, deny, ipsec)    #
######################################
IpFilterRule ZoneB-Permitted-traffic
{
IpSourceAddrRef PrivateServerAddress
IpDestAddrRef ZoneB
IpServiceRef IKE-local-500
IpServiceRef IKE-local-4500
IpServiceGroupRef SecureFTPServer
IpGenericFilterActionRef permit-nolog
}
IpFilterRule FTPServer-ZoneB
{
IpSourceAddrRef PrivateServerAddress
IpDestAddrRef ZoneB
IpServiceGroupRef FTPServer
IpGenericFilterActionRef ipsec-nolog
IpDynVpnActionRef FTP-vpnaction
}
####################
# IpService groups #
####################
IpServiceGroup FTPServer
{
IpServiceRef FTPServer-Control
IpServiceRef FTPServer-Data-Passive
}
IpServiceGroup SecureFTPServer
{
IpServiceRef SecureFTPServer-Control
IpServiceRef SecureFTPServer-Data-Passive
}
##################################
# Services provided by this host #
##################################
IpService IKE-local-500
{
SourcePortRange 500
DestinationPortRange 0
Protocol UDP
Direction bidirectional
Routing local
SecurityClass 0
}
IpService IKE-local-4500
{
SourcePortRange 4500
DestinationPortRange 0
Protocol UDP
Direction bidirectional
Routing local
SecurityClass 0
}
IpService SecureFTPServer-Control
{
SourcePortRange 990
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService SecureFTPServer-Data-Passive
{
SourcePortRange 50201 50400
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService FTPServer-Control
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService FTPServer-Data-Passive
{
SourcePortRange 50000 50200
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
######################
# Security Endpoints #
######################
LocalSecurityEndpoint Local_IKED
{
Identity Fqdn Server.PCO1.example.com
Location 10.1.1.1
}
RemoteSecurityEndpoint ZoneB_IKED
{
Identity Fqdn *.PCO2.example.com
Location 9.4.4.4
CaLabel CA4PartnerCompany
}
##########################
# Generic filter actions #
##########################
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
IpGenericFilterAction ipsec-nolog
{
IpFilterAction ipsec
IpFilterLogging no
}
##################################
# Key Exchange offers            #
# defines:                       #
#   Authentication type          #
#   Encryption type              #
#   Peer authentication method   #
#   Refresh limits               #
##################################
KeyExchangeOffer RSA-SHA1-3DES-DH2
{
HowToEncrypt 3DES
HowToAuthMsgs SHA1
HowToAuthPeers RsaSignature
DHGroup Group2
RefreshLifetimeProposed 480
RefreshLifetimeAccepted 240 1440
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
##################################
# Key Exchange Actions           #
# defines:                       #
#   Negotiation mode             #
#   List of Key exchange offers  #
##################################
KeyExchangeAction Main-RSA-SHA1-3DES-DH2
{
HowToInitiate main
HowToRespondIKEv1 main
KeyExchangeOfferRef RSA-SHA1-3DES-DH2
}
######################################
# KeyExchangeRules                   #
# defines:                           #
#   A pair of security endpoints     #
#   permitted in IKE negotiations    #
######################################
KeyExchangeRule ZoneB_KeyExRule1
{
LocalSecurityEndpointRef Local_IKED
RemoteSecurityEndpointRef ZoneB_IKED
KeyExchangeActionRef Main-RSA-SHA1-3DES-DH2
}
############################
# Data Offers              #
# defines:                 #
#   Encapsulation mode     #
#   Authentication type    #
#   Encryption type        #
#   Refresh limits         #
############################
### Authenticated offer ###
IpDataOffer TRAN-ESPSHA-NOENCR
{
HowToEncap Transport
HowToEncrypt DoNot
HowToAuth ESP HMAC_SHA1
RefreshLifetimeProposed 240
RefreshLifetimeAccepted 120 480
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
##############################
# Dynamic VPN Actions        #
# defines:                   #
#   Initiation role          #
#   Pfs group                #
#   Lifetime of connection   #
#   List of Data offers      #
##############################
IpDynVpnAction FTP-vpnaction
{
Initiation remoteonly
InitiateWithPfs group2
AcceptablePfs group2
VpnLife 1440
IpDataOfferRef TRAN-ESPSHA-NOENCR
}
################
# IP addresses #
################
IpAddr PrivateServerAddress
{
Addr 10.1.1.1
}
IpAddr ZoneB
{
Addr 9.4.4.4
}
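The policy above is a set of named objects tied together by *Ref statements, and the NAPT change hinges on two of them: AllowNat Yes in KeyExchangePolicy and a permitted local UDP/4500 IpService for IKE NAT traversal. The Python linter below is an added example, not z/OS code or an IBM tool: it parses that statement syntax into objects, reports every reference whose target object is never defined, and checks those two NAT-traversal prerequisites. The embedded excerpt is constructed from the page's statement names, with IpAddr ZoneB deliberately left out so the dangling-reference check has something to report.

```python
# Constructed excerpt (page's statement names; IpAddr ZoneB deliberately undefined).
SAMPLE = """KeyExchangePolicy
{
AllowNat Yes
}
IpFilterRule ZoneB-Permitted-traffic
{
IpSourceAddrRef PrivateServerAddress
IpDestAddrRef ZoneB
IpServiceRef IKE-local-4500
}
IpService IKE-local-4500
{
SourcePortRange 4500
Protocol UDP
}
IpAddr PrivateServerAddress
{
Addr 10.1.1.1
}"""

REF_TYPES = {"IpSourceAddrRef": "IpAddr", "IpDestAddrRef": "IpAddr"}  # others: keyword minus "Ref"

def parse_policy(text):
    """Map (type, name) -> {keyword: [values]}; '#' comments ignored."""
    objects, current = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if not line or line == "{":
            continue
        if line == "}":
            current = None
        elif current is None:  # statement header: Type [Name]
            otype, _, name = line.partition(" ")
            current = objects.setdefault((otype, name or None), {})
        else:  # keyword followed by one or more values
            key, _, value = line.partition(" ")
            current.setdefault(key, []).append(value.strip())
    return objects

def dangling_refs(objects):
    """Every (referrer, keyword, name) whose target object is not defined."""
    return [(n or t, k, v) for (t, n), attrs in objects.items()
            for k, vals in attrs.items() if k.endswith("Ref")
            for v in vals if (REF_TYPES.get(k, k[:-3]), v) not in objects]

def nat_traversal_ready(objects):
    """NAT-T needs AllowNat Yes and a UDP/4500 IpService referenced by a filter rule."""
    allow = objects.get(("KeyExchangePolicy", None), {}).get("AllowNat", [""])[0]
    udp4500 = {n for (t, n), a in objects.items() if t == "IpService"
               and a.get("Protocol", [""])[0].upper() == "UDP"
               and a.get("SourcePortRange", [""])[0] == "4500"}
    return allow.lower() == "yes" and any(
        t == "IpFilterRule" and udp4500 & set(a.get("IpServiceRef", []))
        for (t, _), a in objects.items())
```

Run it against the full policy on this page and dangling_refs should come back empty; running it against the constructed excerpt reports the missing ZoneB address object.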