Guide to Pinholing the Alcatel SpeedTouch Pro
Version 0.11
21-August-2001 Nik Kitson
This information has been summarised from the Alcatel SpeedTouch CLI guide. This can be downloaded from http://www.alcatel.com/consumer/dsl/pdf/cli_ref_guide.pdf
1. Telnet to the Alcatel ST Pro by using a standard Telnet client. The default IP address of the ST Pro is 10.0.0.138. There is no password by default. However, if a password has been added via the HTTP interface, this must be entered before you can access the CLI configuration.
2. NAT entries are of the format below. It does not appear that multiple port ranges are supported by the Alcatel, so each port will require its own NAT entry. Port numbers are only supported for TCP and UDP. By default, the router will not respond to ICMP ping requests.
nat create protocol=[type] inside_addr=[ip.address] inside_port=[port#] outside_addr=[ip.address] outside_port=[port#]
Some examples below are included for a range of different IP services. All of the examples below use an internal host address of 10.0.0.254 and are configured for a dynamic external IP address (outside_addr=0), as shown in Figure 1 below. Vary the internal host and external address as required for your specific network.
Figure 1: Example network with Alcatel SpeedTouch Pro router
HTTP pinhole
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=80 outside_addr=0 outside_port=80
SMTP pinhole
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=25 outside_addr=0 outside_port=25
POP3 pinhole
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=110 outside_addr=0 outside_port=110
SSH pinhole
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=22 outside_addr=0 outside_port=22
FTP pinholes
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=20 outside_addr=0 outside_port=20
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=21 outside_addr=0 outside_port=21
DNS/BIND pinholes
nat create protocol=udp inside_addr=10.0.0.254 inside_port=53 outside_addr=0 outside_port=53
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=53 outside_addr=0 outside_port=53
IPSec-ESP VPN pinholes
nat create protocol=50 inside_addr=10.0.0.254 outside_addr=0
nat create protocol=udp inside_addr=10.0.0.254 inside_port=500 outside_addr=0 outside_port=500
PPTP VPN pinholes
nat create protocol=47 inside_addr=10.0.0.254 outside_addr=0
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=1723 outside_addr=0 outside_port=1723
H.323 pinholes (incoming calls to a single host)
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=1503 outside_addr=0 outside_port=1503
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=522 outside_addr=0 outside_port=522
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=389 outside_addr=0 outside_port=389
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=1720 outside_addr=0 outside_port=1720
nat create protocol=tcp inside_addr=10.0.0.254 inside_port=1731 outside_addr=0 outside_port=1731
(NOTE: There is no NAT H.323 support in the router firmware as at August 2001. However, the ST Pro manual does have config info for H.323, FTP, IRC and Real Audio. Presumably, H.323 support will be built into the router at a later stage. In the meantime, you will need to configure inbound call support manually as above.)
3. Once you have added all of your required pinholes, type "nat save" to make the changes permanent. Resetting the router before entering the "nat save" command will erase all of your changes. To review your current NAT entries, type "nat list".
4. To remove entries, use the "nat delete" command, e.g. to remove the SMTP pinhole to host 10.0.0.254:
nat delete protocol=tcp inside_addr=10.0.0.254 inside_port=25 outside_addr=0 outside_port=25
5. The Alcatel has a feature to forward all unknown inbound packets to a specific internal host. This is quite useful if you would like to log traffic on a firewall, or if you want all requests to come to a single server without the need to configure pinholes/NAPT. The command for this is
nat defserver addr 10.0.0.254
This will forward all unknown packets to the internal host on IP address 10.0.0.254.
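
The entry format from step 2 can be checked mechanically before the commands are typed into the router. The Python below is an added example, not part of the original guide or of Alcatel's documentation; its rules come only from this guide (the five parameter names, ports only for tcp and udp, outside_addr=0 for a dynamic address), and the function names check and pinholes are hypothetical.

```python
# Added example: lint SpeedTouch "nat create" lines using the rules stated in this guide.
import ipaddress

KEYS = {"protocol", "inside_addr", "inside_port", "outside_addr", "outside_port"}

def check(line):
    """Return a list of problems found in one 'nat create' line (empty list = OK)."""
    words = line.split()
    if words[:2] != ["nat", "create"]:
        return ["not a 'nat create' command"]
    problems, args = [], {}
    for word in words[2:]:
        key, sep, value = word.partition("=")
        if not sep or key not in KEYS:
            problems.append(f"unknown parameter: {word}")   # catches misspelt keys
        elif key in args:
            problems.append(f"duplicate parameter: {key}")
        else:
            args[key] = value
    for key in ("protocol", "inside_addr", "outside_addr"):
        if key not in args:
            problems.append(f"missing {key}")
    for key in ("inside_addr", "outside_addr"):
        value = args.get(key)
        # The guide writes outside_addr=0 for a dynamic external address.
        if value is not None and not (key == "outside_addr" and value == "0"):
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"bad {key}: {value}")
    # Assumption: protocol names are lower case, as in the guide's examples.
    ported = args.get("protocol") in ("tcp", "udp")
    for key in ("inside_port", "outside_port"):
        value = args.get(key)
        if value is None:
            if ported:
                problems.append(f"missing {key}")
        elif not ported:
            problems.append(f"{key} given but protocol is not tcp/udp")
        elif not (value.isascii() and value.isdigit() and 1 <= int(value) <= 65535):
            problems.append(f"bad {key}: {value}")
    return problems

def pinholes(protocol, host, first, last):
    """One 'nat create' per port, since the guide found no port-range syntax."""
    return [f"nat create protocol={protocol} inside_addr={host} inside_port={p} "
            f"outside_addr=0 outside_port={p}" for p in range(first, last + 1)]

if __name__ == "__main__":
    for cmd in pinholes("tcp", "10.0.0.254", 20, 21):   # constructed sample: the FTP ports
        print(cmd, check(cmd) or "ok")
```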