nat: edit format and indentation

Convert a note into subsection and adjust texts to 72 columns.
2025-10-26 08:41:46 +01:00 · 2020-04-02 06:36:57 +02:00 · 2020-04-02 06:36:57 +02:00 · 3ad0b3e1e7
commit 3ad0b3e1e7
parent 2bf266ce3b
1 changed files with 219 additions and 192 deletions
--- a/docs/nat.rst
+++ b/docs/nat.rst
@ -4,60 +4,65 @@
 NAT
 ###
-:abbr:`NAT (Network Address Translation)` is a common method of remapping one
+:abbr:`NAT (Network Address Translation)` is a common method of
-IP address space into another by modifying network address information in the
+remapping one IP address space into another by modifying network address
-IP header of packets while they are in transit across a traffic routing device.
+information in the IP header of packets while they are in transit across
-The technique was originally used as a shortcut to avoid the need to readdress
+a traffic routing device. The technique was originally used as a
-every host when a network was moved. It has become a popular and essential tool
+shortcut to avoid the need to readdress every host when a network was
-in conserving global address space in the face of IPv4 address exhaustion. One
+moved. It has become a popular and essential tool in conserving global
-Internet-routable IP address of a NAT gateway can be used for an entire private
+address space in the face of IPv4 address exhaustion. One
-network.
+Internet-routable IP address of a NAT gateway can be used for an entire
 private network.
-IP masquerading is a technique that hides an entire IP address space, usually
+IP masquerading is a technique that hides an entire IP address space,
-consisting of private IP addresses, behind a single IP address in another,
+usually consisting of private IP addresses, behind a single IP address
-usually public address space. The hidden addresses are changed into a single
+in another, usually public address space. The hidden addresses are
-(public) IP address as the source address of the outgoing IP packets so they
+changed into a single (public) IP address as the source address of the
-appear as originating not from the hidden host but from the routing device
+outgoing IP packets so they appear as originating not from the hidden
-itself. Because of the popularity of this technique to conserve IPv4 address
+host but from the routing device itself. Because of the popularity of
-space, the term NAT has become virtually synonymous with IP masquerading.
+this technique to conserve IPv4 address space, the term NAT has become
 virtually synonymous with IP masquerading.
-As network address translation modifies the IP address information in packets,
+As network address translation modifies the IP address information in
-NAT implementations may vary in their specific behavior in various addressing
+packets, NAT implementations may vary in their specific behavior in
-cases and their effect on network traffic. The specifics of NAT behavior are
+various addressing cases and their effect on network traffic. The
-not commonly documented by vendors of equipment containing NAT implementations.
+specifics of NAT behavior are not commonly documented by vendors of
 equipment containing NAT implementations.
-The computers on an internal network can use any of the addresses set aside by
+The computers on an internal network can use any of the addresses set
-the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing
+aside by the :abbr:`IANA (Internet Assigned Numbers Authority)` for
-(see :rfc:`1918`). These reserved IP addresses are not in use on the Internet,
+private addressing (see :rfc:`1918`). These reserved IP addresses are
-so an external machine will not directly route to them. The following addresses
+not in use on the Internet, so an external machine will not directly
-are reserved for private use:
+route to them. The following addresses are reserved for private use:
 * 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)
 * 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)
 * 192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16)
-If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918`
+If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses
-address space to number customer gateways, the risk of address collision, and
+:rfc:`1918` address space to number customer gateways, the risk of
-therefore routing failures, arises when the customer network already uses an
+address collision, and therefore routing failures, arises when the
-:rfc:`1918` address space.
+customer network already uses an :rfc:`1918` address space.
-This prompted some ISPs to develop a policy within the :abbr:`ARIN (American
+This prompted some ISPs to develop a policy within the :abbr:`ARIN
-Registry for Internet Numbers)` to allocate new private address space for CGNs,
+(American Registry for Internet Numbers)` to allocate new private
-but ARIN deferred to the IETF before implementing the policy indicating that
+address space for CGNs, but ARIN deferred to the IETF before
-the matter was not a typical allocation issue but a reservation of addresses
+implementing the policy indicating that the matter was not a typical
-for technical purposes (per :rfc:`2860`).
+allocation issue but a reservation of addresses for technical purposes
 (per :rfc:`2860`).
-IETF published :rfc:`6598`, detailing a shared address space for use in ISP
+IETF published :rfc:`6598`, detailing a shared address space for use in
-CGN deployments that can handle the same network prefixes occurring both on
+ISP CGN deployments that can handle the same network prefixes occurring
-inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA
+both on inbound and outbound interfaces. ARIN returned address space to
-(Internet Assigned Numbers Authority)` for this allocation.
+the :abbr:`IANA (Internet Assigned Numbers Authority)` for this
 allocation.
 The allocated address block is 100.64.0.0/10.
 Devices evaluating whether an IPv4 address is public must be updated to
-recognize the new address space. Allocating more private IPv4 address space for
+recognize the new address space. Allocating more private IPv4 address
-NAT devices might prolong the transition to IPv6.
+space for NAT devices might prolong the transition to IPv6.
 Overview
 ========
@ -70,26 +75,28 @@ Different NAT Types
 SNAT
 ^^^^
-:abbr:`SNAT (Source Network Address Translation)` is the most common form of
+:abbr:`SNAT (Source Network Address Translation)` is the most common
-:abbr:`NAT (Network Address Translation)` and is typically referred to simply
+form of :abbr:`NAT (Network Address Translation)` and is typically
-as NAT. To be more correct, what most people refer to as :abbr:`NAT (Network
+referred to simply as NAT. To be more correct, what most people refer
-Address Translation)` is actually the process of :abbr:`PAT (Port Address
+to as :abbr:`NAT (Network Address Translation)` is actually the process
-Translation)`, or NAT overload. SNAT is typically used by internal users/private
+of :abbr:`PAT (Port Address Translation)`, or NAT overload. SNAT is
-hosts to access the Internet - the source address is translated and thus kept
+typically used by internal users/private hosts to access the Internet
-private.
+- the source address is translated and thus kept private.
 .. _destination-nat:
 DNAT
 ^^^^
-:abbr:`DNAT (Destination Network Address Translation)` changes the destination
+:abbr:`DNAT (Destination Network Address Translation)` changes the
-address of packets passing through the router, while :ref:`source-nat` changes
+destination address of packets passing through the router, while
-the source address of packets. DNAT is typically used when an external (public)
+:ref:`source-nat` changes the source address of packets. DNAT is
-host needs to initiate a session with an internal (private) host. A customer
+typically used when an external (public) host needs to initiate a
-needs to access a private service behind the routers public IP. A connection is
+session with an internal (private) host. A customer needs to access a
-established with the routers public IP address on a well known port and thus all
+private service behind the routers public IP. A connection is
-traffic for this port is rewritten to address the internal (private) host.
+established with the routers public IP address on a well known port and
 thus all traffic for this port is rewritten to address the internal
 (private) host.
 .. _bidirectional-nat:
@ -97,33 +104,35 @@ Bidirectional NAT
 ^^^^^^^^^^^^^^^^^
 This is a common scenario where both :ref:`source-nat` and
-:ref:`destination-nat` are configured at the same time. It's commonly used then
+:ref:`destination-nat` are configured at the same time. It's commonly
-internal (private) hosts need to establish a connection with external resources
+used then internal (private) hosts need to establish a connection with
-and external systems need to access internal (private) resources.
+external resources and external systems need to access internal
 (private) resources.
 NAT, Routing, Firewall Interaction
 ----------------------------------
-There is a very nice picture/explanation in the Vyatta documentation which
+There is a very nice picture/explanation in the Vyatta documentation
-should be rewritten here.
+which should be rewritten here.
 NAT Ruleset
 -----------
-:abbr:`NAT (Network Address Translation)` is configured entirely on a series
+:abbr:`NAT (Network Address Translation)` is configured entirely on a
-of so called `rules`. Rules are numbered and evaluated by the underlying OS
+series of so called `rules`. Rules are numbered and evaluated by the
-in numerical order! The rule numbers can be changes by utilizing the
+underlying OS in numerical order! The rule numbers can be changes by
-:cfgcmd:`rename` and :cfgcmd:`copy` commands.
+utilizing the :cfgcmd:`rename` and :cfgcmd:`copy` commands.
-.. note:: Changes to the NAT system only affect newly established connections.
+.. note:: Changes to the NAT system only affect newly established
-   Already establiushed ocnnections are not affected.
+   connections. Already established connections are not affected.
-.. hint:: When designing your NAT ruleset leave some space between consecutive
+.. hint:: When designing your NAT ruleset leave some space between
-   rules for later extension. Your ruleset could start with numbers 10, 20, 30.
+   consecutive rules for later extension. Your ruleset could start with
-   You thus can later extend the ruleset and place new rules between existing
+   numbers 10, 20, 30. You thus can later extend the ruleset and place
-   ones.
+   new rules between existing ones.
-Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`.
+Rules will be created for both :ref:`source-nat` and
 :ref:`destination-nat`.
 For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and
 :ref:`destination-nat` needs to be created.
@ -133,12 +142,13 @@ For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and
 Traffic Filters
 ---------------
-Traffic Filters are used to control which packets will have the defined NAT
+Traffic Filters are used to control which packets will have the defined
-rules applied. Five different filters can be applied within a NAT rule
+NAT rules applied. Five different filters can be applied within a NAT
 rule.
-* **outbound-interface** - applicable only to :ref:`source-nat`. It configures
+* **outbound-interface** - applicable only to :ref:`source-nat`. It
-  the interface which is used for the outside traffic that this translation rule
+  configures the interface which is used for the outside traffic that
-  applies to.
+  this translation rule applies to.
  Example:
@ -156,8 +166,8 @@ rules applied. Five different filters can be applied within a NAT rule
    set nat destination rule 20 inbound-interface eth1
-* **protocol** - specify which types of protocols this translation rule applies
+* **protocol** - specify which types of protocols this translation rule
-  to. Only packets matching the specified protocol are NATed. By default this
+  applies to. Only packets matching the specified protocol are NATed. By default this
  applies to `all` protocols.
  Example:
@ -170,15 +180,16 @@ rules applied. Five different filters can be applied within a NAT rule
    set nat source rule 20 protocol tcp_udp
    set nat destination rule 20 protocol udp
-* **source** - specifies which packets the NAT translation rule applies to
+* **source** - specifies which packets the NAT translation rule applies
-  based on the packets source IP address and/or source port. Only matching
+  to based on the packets source IP address and/or source port. Only
-  packets are considered for NAT.
+  matching packets are considered for NAT.
  Example:
-  * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network
+  * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24
-  * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24 network
+    network
-    with a source port of 80 and 443
+  * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24
    network with a source port of 80 and 443
  .. code-block:: none
@ -187,16 +198,17 @@ rules applied. Five different filters can be applied within a NAT rule
    set nat source rule 30 source port 80,443
-* **destination** - specify which packets the translation will be applied to,
+* **destination** - specify which packets the translation will be
-  only based on the destination address and/or port number configured.
+  applied to, only based on the destination address and/or port number
  configured.
  .. note:: If no destination is specified the rule will match on any
     destination address and port.
  Example:
-  * Configure SNAT rule (40) to only NAT packets with a destination address of
+  * Configure SNAT rule (40) to only NAT packets with a destination
-    192.0.2.1.
+    address of 192.0.2.1.
  .. code-block:: none
@ -206,34 +218,36 @@ rules applied. Five different filters can be applied within a NAT rule
 Address Conversion
 ------------------
-Every NAT rule has a translation command defined. The address defined for the
+Every NAT rule has a translation command defined. The address defined
-translation is the address used when the address information in a packet is
+for the translation is the address used when the address information in
-replaced.
+a packet is replaced.
 Source Address
 ^^^^^^^^^^^^^^
-For :ref:`source-nat` rules the packets source address will be replaced with
+For :ref:`source-nat` rules the packets source address will be replaced
-the address specified in the translation command. A port translation can also
+with the address specified in the translation command. A port
-be specified and is part of the translation address.
+translation can also be specified and is part of the translation
 address.
-.. note:: The translation address must be set to one of the available addresses
+.. note:: The translation address must be set to one of the available
-   on the configured `outbound-interface` or it must be set to `masquerade`
+   addresses on the configured `outbound-interface` or it must be set to
-   which will use the primary IP address of the `outbound-interface` as its
+   `masquerade` which will use the primary IP address of the
-   translation address.
+   `outbound-interface` as its translation address.
-.. note:: When using NAT for a large number of host systems it recommended that
+.. note:: When using NAT for a large number of host systems it
-   a minimum of 1 IP address is used to NAT every 256 private host systems.
+   recommended that a minimum of 1 IP address is used to NAT every 256
-   This is due to the limit of 65,000 port numbers available for unique
+   private host systems. This is due to the limit of 65,000 port numbers
-   translations and a reserving an average of 200-300 sessions per host system.
+   available for unique translations and a reserving an average of
   200-300 sessions per host system.
 Example:
 * Define a discrete source IP address of 100.64.0.1 for SNAT rule 20
 * Use address `masquerade` (the interfaces primary address) on rule 30
-* For a large amount of private machines behind the NAT your address pool might
+* For a large amount of private machines behind the NAT your address
-  to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT
+  pool might to be bigger. Use any address in the range 100.64.0.10 -
-  rule 40 when doing the translation
+  100.64.0.20 on SNAT rule 40 when doing the translation
 .. code-block:: none
@ -251,8 +265,8 @@ replaced by the specified address in the `translation address` command.
 Example:
-* DNAT rule 10 replaces the destination address of an inbound packet with
+* DNAT rule 10 replaces the destination address of an inbound packet
-  192.0.2.10
+  with 192.0.2.10
 .. code-block:: none
@ -268,8 +282,8 @@ To setup SNAT, we need to know:
 * The outgoing interface to perform the translation on
 * The external IP address to translate to
-In the example used for the Quick Start configuration above, we demonstrate
+In the example used for the Quick Start configuration above, we
-the following configuration:
+demonstrate the following configuration:
 .. code-block:: none
@ -291,76 +305,84 @@ Which generates the following configuration:
      }
  }
-In this example, we use **masquerade** as the translation address instead of
+In this example, we use **masquerade** as the translation address
-an IP address. The **masquerade** target is effectively an alias to say "use
+instead of an IP address. The **masquerade** target is effectively an
-whatever IP address is on the outgoing interface", rather than a statically
+alias to say "use whatever IP address is on the outgoing interface",
-configured IP address. This is useful if you use DHCP for your outgoing
+rather than a statically configured IP address. This is useful if you
-interface and do not know what the external address will be.
+use DHCP for your outgoing interface and do not know what the external
 address will be.
 When using NAT for a large number of host systems it recommended that a
-minimum of 1 IP address is used to NAT every 256 host systems. This is due to
+minimum of 1 IP address is used to NAT every 256 host systems. This is
-the limit of 65,000 port numbers available for unique translations and a
+due to the limit of 65,000 port numbers available for unique
-reserving an average of 200-300 sessions per host system.
+translations and a reserving an average of 200-300 sessions per host
 system.
-Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is
+Example: For an ~8,000 host network a source NAT pool of 32 IP addresses
-recommended.
+is recommended.
-A pool of addresses can be defined by using a **-** in the
+A pool of addresses can be defined by using a hyphen between two IP
-`set nat source rule [n] translation address` statement.
+addresses:
 .. code-block:: none
  set nat source rule 100 translation address '203.0.113.32-203.0.113.63'
-.. note:: Avoiding "leaky" NAT
+.. _avoidng_leaky_nat:
-Linux netfilter will not NAT traffic marked as INVALID. This often confuses
+Avoiding "leaky" NAT
-people into thinking that Linux (or specifically VyOS) has a broken NAT
+--------------------
 implementation because non-NATed traffic is seen leaving an external interface.
 This is actually working as intended, and a packet capture of the "leaky"
 traffic should reveal that the traffic is either an additional TCP "RST",
 "FIN,ACK", or "RST,ACK" sent by client systems after Linux netfilter considers
 the connection closed. The most common is the additional TCP RST some host
 implementations send after terminating a connection (which is implementation-
 specific).
-In other words, connection tracking has already observed the connection be
+Linux netfilter will not NAT traffic marked as INVALID. This often
-closed and has transition the flow to INVALID to prevent attacks from
+confuses people into thinking that Linux (or specifically VyOS) has a
 broken NAT implementation because non-NATed traffic is seen leaving an
 external interface. This is actually working as intended, and a packet
 capture of the "leaky" traffic should reveal that the traffic is either
 an additional TCP "RST", "FIN,ACK", or "RST,ACK" sent by client systems
 after Linux netfilter considers the connection closed. The most common
 is the additional TCP RST some host implementations send after
 terminating a connection (which is implementation-specific).
 In other words, connection tracking has already observed the connection
 be closed and has transition the flow to INVALID to prevent attacks from
 attempting to reuse the connection.
 You can avoid the "leaky" behavior by using a firewall policy that drops
 "invalid" state packets.
-Having control over the matching of INVALID state traffic, e.g. the ability to
+Having control over the matching of INVALID state traffic, e.g. the
-selectively log, is an important troubleshooting tool for observing broken
+ability to selectively log, is an important troubleshooting tool for
-protocol behavior. For this reason, VyOS does not globally drop invalid state
+observing broken protocol behavior. For this reason, VyOS does not
-traffic, instead allowing the operator to make the determination on how the
+globally drop invalid state traffic, instead allowing the operator to
-traffic is handled.
+make the determination on how the traffic is handled.
 .. _hairpin_nat_reflection:
 Hairpin NAT/NAT Reflection
 --------------------------
-A typical problem with using NAT and hosting public servers is the ability for
+A typical problem with using NAT and hosting public servers is the
-internal systems to reach an internal server using it's external IP address.
+ability for internal systems to reach an internal server using it's
-The solution to this is usually the use of split-DNS to correctly point host
+external IP address. The solution to this is usually the use of
-systems to the internal address when requests are made internally. Because
+split-DNS to correctly point host systems to the internal address when
-many smaller networks lack DNS infrastructure, a work-around is commonly
+requests are made internally. Because many smaller networks lack DNS
-deployed to facilitate the traffic by NATing the request from internal hosts
+infrastructure, a work-around is commonly deployed to facilitate the
-to the source address of the internal interface on the firewall.
+traffic by NATing the request from internal hosts to the source address
 of the internal interface on the firewall.
 This technique is commonly referred to as NAT Reflection or Hairpin NAT.
 Example:
-* Redirect Microsoft RDP traffic from the outside (WAN, external) world via
+* Redirect Microsoft RDP traffic from the outside (WAN, external) world
-  :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40.
+  via :ref:`destination-nat` in rule 100 to the internal, private host
  192.0.2.40.
-* Redirect Microsoft RDP traffic from the internal (LAN, private) network via
+* Redirect Microsoft RDP traffic from the internal (LAN, private)
-  :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40.
+  network via :ref:`destination-nat` in rule 110 to the internal,
-  We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic.
+  private host 192.0.2.40. We also need a :ref:`source-nat` rule 110 for
-  The internal network 192.0.2.0/24 is reachable via interface `eth0.10`.
+  the reverse path of the traffic. The internal network 192.0.2.0/24 is
  reachable via interface `eth0.10`.
 .. code-block:: none
@ -433,12 +455,12 @@ Which results in a configuration of:
 Destination NAT
 ---------------
-DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT
+DNAT is typically referred to as a **Port Forward**. When using VyOS as
-router and firewall, a common configuration task is to redirect incoming
+a NAT router and firewall, a common configuration task is to redirect
-traffic to a system behind the firewall.
+incoming traffic to a system behind the firewall.
-In this example, we will be using the example Quick Start configuration above
+In this example, we will be using the example Quick Start configuration
-as a starting point.
+above as a starting point.
 To setup a destination NAT rule we need to gather:
@ -446,9 +468,10 @@ To setup a destination NAT rule we need to gather:
 * The protocol and port we wish to forward;
 * The IP address of the internal system we wish to forward traffic to.
-In our example, we will be forwarding web server traffic to an internal web
+In our example, we will be forwarding web server traffic to an internal
-server on 192.168.0.100. HTTP traffic makes use of the TCP protocol on port 80.
+web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol
-For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
+on port 80. For other common port numbers, see:
 https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
 Our configuration commands would be:
@ -480,19 +503,21 @@ Which would generate the following NAT destination configuration:
      }
  }
-.. note:: If forwarding traffic to a different port than it is arriving on,
+.. note:: If forwarding traffic to a different port than it is arriving
-   you may also configure the translation port using
+   on, you may also configure the translation port using
   `set nat destination rule [n] translation port`.
-This establishes our Port Forward rule, but if we created a firewall policy it
+This establishes our Port Forward rule, but if we created a firewall
-will likely block the traffic.
+policy it will likely block the traffic.
 It is important to note that when creating firewall rules that the DNAT
-translation occurs **before** traffic traverses the firewall. In other words,
+translation occurs **before** traffic traverses the firewall. In other
-the destination address has already been translated to 192.168.0.100.
+words, the destination address has already been translated to
 192.168.0.100.
-So in our firewall policy, we want to allow traffic coming in on the outside
+So in our firewall policy, we want to allow traffic coming in on the
-interface, destined for TCP port 80 and the IP address of 192.168.0.100.
+outside interface, destined for TCP port 80 and the IP address of
 192.168.0.100.
 .. code-block:: none
@ -527,19 +552,19 @@ This would generate the following configuration:
 ----------
 Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT
-configuration, both DNAT and SNAT are used to NAT all traffic from an external
+configuration, both DNAT and SNAT are used to NAT all traffic from an
-IP address to an internal IP address and vice-versa.
+external IP address to an internal IP address and vice-versa.
 Typically, a 1-to-1 NAT rule omits the destination port (all ports) and
 replaces the protocol with either **all** or **ip**.
-Then a corresponding SNAT rule is created to NAT outgoing traffic for the
+Then a corresponding SNAT rule is created to NAT outgoing traffic for
-internal IP to a reserved external IP. This dedicates an external IP address
+the internal IP to a reserved external IP. This dedicates an external IP
-to an internal IP address and is useful for protocols which don't have the
+address to an internal IP address and is useful for protocols which
-notion of ports, such as GRE.
+don't have the notion of ports, such as GRE.
-Here's an extract of a simple 1-to-1 NAT configuration with one internal and
+Here's an extract of a simple 1-to-1 NAT configuration with one internal
-one external interface:
+and one external interface:
 .. code-block:: none
@ -556,24 +581,24 @@ one external interface:
  set nat source rule 2000 source address '192.168.1.10'
  set nat source rule 2000 translation address '192.0.2.30'
-Firewall rules are written as normal, using the internal IP address as the
+Firewall rules are written as normal, using the internal IP address as
-source of outbound rules and the destination of inbound rules.
+the source of outbound rules and the destination of inbound rules.
 NAT before VPN
 --------------
-Some application service providers (ASPs) operate a VPN gateway to provide
+Some application service providers (ASPs) operate a VPN gateway to
-access to their internal resources, and require that a connecting organisation
+provide access to their internal resources, and require that a
-translate all traffic to the service provider network to a source address
+connecting organisation translate all traffic to the service provider
-provided by the ASP.
+network to a source address provided by the ASP.
 Example Network
 ^^^^^^^^^^^^^^^
 Here's one example of a network environment for an ASP.
 The ASP requests that all connections from this company should come from
-172.29.41.89 - an address that is assigned by the ASP and not in use at the
+172.29.41.89 - an address that is assigned by the ASP and not in use at
-customer site.
+the customer site.
 .. figure:: _static/images/nat_before_vpn_topology.png
   :scale: 100 %
@ -596,9 +621,10 @@ The required configuration can be broken down into 4 major pieces:
 Dummy interface
 """""""""""""""
-The dummy interface allows us to have an equivalent of the Cisco IOS Loopback
+The dummy interface allows us to have an equivalent of the Cisco IOS
-interface - a router-internal interface we can use for IP addresses the router
+Loopback interface - a router-internal interface we can use for IP
-must know about, but which are not actually assigned to a real network.
+addresses the router must know about, but which are not actually
 assigned to a real network.
 We only need a single step for this interface:
@ -639,8 +665,8 @@ The ASP has documented their IPSec requirements:
  * DH Group 14
-Additionally, we want to use VPNs only on our eth1 interface (the external
+Additionally, we want to use VPNs only on our eth1 interface (the
-interface in the image above)
+external interface in the image above)
 .. code-block:: none
@ -663,10 +689,11 @@ interface in the image above)
 IPSec VPN Tunnels
 """""""""""""""""
-We'll use the IKE and ESP groups created above for this VPN. Because we need
+We'll use the IKE and ESP groups created above for this VPN. Because we
-access to 2 different subnets on the far side, we will need two different
+need access to 2 different subnets on the far side, we will need two
-tunnels. If you changed the names of the ESP group and IKE group in the previous
+different tunnels. If you changed the names of the ESP group and IKE
-step, make sure you use the correct names here too.
+group in the previous step, make sure you use the correct names here
 too.
 .. code-block:: none
@ -685,8 +712,8 @@ step, make sure you use the correct names here too.
 Testing and Validation
 """"""""""""""""""""""
-If you've completed all the above steps you no doubt want to see if it's all
+If you've completed all the above steps you no doubt want to see if it's
-working.
+all working.
 Start by checking for IPSec SAs (Security Associations) with: