SunScreen 3.1 Administration Guide

NAT Mapping Overview

Use the NAT tab to set up mapping rules that translate IP addresses. These rules interpret the source and destination addresses of incoming IP packets, translate either the apparent source or the intended destination, and then send the packets on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your SunScreen installation.

Rules make up the map that is used during the translation of a packet. In general, you would translate addresses to:

NAT rules are evaluated in order: the first rule (lowest number) that matches a packet applies, and no other rules can apply. Therefore, you might define the specific rules first and the broader cases later.
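The first-match ordering described above, modelled in Python as an added example (it is not SunScreen code or SunScreen rule syntax). The `NatRule` class, the function names, and the sample addresses are assumptions made for illustration, and a dynamic mapping is simplified to a single translated address. The check flags rules that can never apply because an earlier, broader rule already covers them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    number: int      # evaluation order: lowest number is tested first
    kind: str        # "static" or "dynamic" (a label only in this model)
    source: str      # CIDR block the packet's source address must fall in
    translated: str  # address the source is rewritten to (one address here)

    @property
    def net(self):
        return ipaddress.ip_network(self.source)

def first_match(rules, src):
    """Return the lowest-numbered rule whose source block contains src."""
    addr = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in rule.net:
            return rule  # first match wins; later rules are never consulted
    return None

def shadowed(rules):
    """Return (rule_number, covering_rule_number) for every rule that can
    never match because an earlier rule's source block fully contains it."""
    ordered = sorted(rules, key=lambda r: r.number)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if later.net.subnet_of(earlier.net):
                found.append((later.number, earlier.number))
                break
    return found

# Constructed sample rules (RFC 1918 and RFC 5737 documentation addresses).
SPECIFIC_FIRST = [
    NatRule(1, "static", "10.0.0.5/32", "192.0.2.5"),
    NatRule(2, "dynamic", "10.0.0.0/24", "192.0.2.100"),
]
BROAD_FIRST = [
    NatRule(1, "dynamic", "10.0.0.0/24", "192.0.2.100"),
    NatRule(2, "static", "10.0.0.5/32", "192.0.2.5"),
]

if __name__ == "__main__":
    for name, rules in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        hit = first_match(rules, "10.0.0.5")
        print(name, "-> rule", hit.number, hit.translated, "shadowed:", shadowed(rules))
```

With the broad rule numbered first, the host that was meant to have its own static mapping is translated by the broad rule instead, and `shadowed` reports the static rule as unreachable.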

You can define the mappings of internal addresses to external addresses. Use the NAT tab in the Policy Rules area of the Policy Rules page to specify the address that is to be translated to a particular address, and to select whether you want static mapping or dynamic mapping. Additional information on NAT is in the SunScreen Reference Manual.

All network address translations happen before a packet is tested against any of the screening rules. In this way, you can define all screening rules using only internal addresses. The four addresses NAT supports are: