The Network Address Translation (NAT) tab allows you to set up mapping rules that translate IP addresses. Each rule matches the source and destination of an incoming IP packet, translates either the apparent source or the intended destination, and sends the packet on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your EFS 3.0 installation. See Address Common Object to define addresses, ranges, or groups of addresses.
In general, you would map addresses to:
Ensure that internal addresses appear as registered addresses on the Internet, or
Send traffic for a specific destination to a different, pre-determined destination.
It is not possible to translate both source and destination addresses -- that is, to make packets appear to come from a different IP address and to simultaneously direct the packets to a different destination.
When defining NAT rules, the first rule (lowest number) that matches a packet wins, and no other rules can apply. Therefore, define specific rules first and broader cases later: a broad rule placed earlier would match the packets a later, more specific rule was meant for, and the specific rule would never apply.
The meanings and uses of the specific fields in the NAT screens are as follows:
Rule Index (No) -- Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the end of the list). If you type a specific number, the new rule is inserted into that position in the list, and the rules currently in the configuration are renumbered.
Screen -- Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.
Static -- Specify static mapping to set up a one-to-one relationship between two addresses. You could use this to set new apparent IP addresses for hosts on your network without having to reconfigure each host, for example.
Dynamic -- Specify dynamic mapping to map many source addresses to one address or to a group of addresses (a many-to-one relationship). You could use dynamic mapping to ensure that all traffic leaving the firewall appears to come from a specific address or group of addresses, or to send traffic intended for several different hosts to the same actual IP address.
Source -- Specify the source address to map from an untranslated packet. Source addresses are the actual addresses contained in the packet entering the firewall.
Destination -- Specify the untranslated destination address of the incoming packet. Destination addresses are the actual addresses contained in the packet entering the firewall.
Translated Source -- Specify the translated source address for a packet. The translated source is the address the packet appears to originate from.
Translated Destination -- Specify the translated destination address for a packet. The translated destination is the actual address the packet goes to after it leaves the firewall.
Description -- Used to provide a description of the mapping defined in this rule.
As you define rules, remember that you cannot translate both source and destination addresses. You must either translate packets so they appear to come from a different source, or translate packets so they go to a specific destination, but not both.
All NAT rules are unidirectional -- that is, they work precisely as defined, and are not interpreted as also applying in the reverse direction. If you want rules to apply in both directions, you must specify two different rules. For example, if one rule translates the source address internalname.com to publicip.com for outbound traffic, you also need a second rule that translates the destination address publicip.com back to internalname.com, so that inbound traffic reaches the internal host.
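The following Python model is an added example, not code from EFS 3.0 or its documentation. It implements the behaviour described on this page: an ordered rule table where the lowest-numbered matching rule wins, inserting a rule at a given number renumbers the rules after it, each rule translates either the source or the destination but never both, static mapping is one-to-one, dynamic mapping is many-to-one, and rules are unidirectional. The address spec syntax (host, CIDR, "a-b" range, or a list as a group), the hash-based choice of address for dynamic mapping, and the sample 10.0.0.0/24 and 203.0.113.0/24 policy are assumptions made for illustration.

```python
"""Model of the NAT rule table described above (added example; not EFS code)."""
import ipaddress


class AddrSet:
    """A host, CIDR block, "a-b" range, or group (list of those); "any" matches all. (Assumed syntax.)"""

    def __init__(self, spec):
        self.ranges = []  # (first, last) as ints, in the order given
        for s in (spec if isinstance(spec, (list, tuple)) else [spec]):
            s = s.strip()
            if s.lower() == "any":
                self.ranges.append((0, 2**32 - 1))
            elif "-" in s:
                lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in s.split("-", 1))
                if lo > hi:
                    raise ValueError("range start exceeds range end: %s" % s)
                self.ranges.append((lo, hi))
            else:
                net = ipaddress.IPv4Network(s, strict=False)
                self.ranges.append((int(net.network_address), int(net.broadcast_address)))

    def __len__(self):
        return sum(hi - lo + 1 for lo, hi in self.ranges)

    def __contains__(self, addr):
        a = int(ipaddress.IPv4Address(addr))
        return any(lo <= a <= hi for lo, hi in self.ranges)

    def offset_of(self, addr):
        """Position of addr within the set, used for one-to-one static mapping."""
        a, pos = int(ipaddress.IPv4Address(addr)), 0
        for lo, hi in self.ranges:
            if lo <= a <= hi:
                return pos + (a - lo)
            pos += hi - lo + 1
        raise ValueError("%s not in set" % addr)

    def nth(self, n):
        """The n-th address of the set, counting across its ranges."""
        for lo, hi in self.ranges:
            if n < hi - lo + 1:
                return str(ipaddress.IPv4Address(lo + n))
            n -= hi - lo + 1
        raise IndexError(n)


class NatRule:
    """One rule: exactly one of translated_source / translated_destination is set."""

    def __init__(self, source="any", destination="any", translated_source=None,
                 translated_destination=None, mode="static", description=""):
        if (translated_source is None) == (translated_destination is None):
            raise ValueError("a rule translates either the source or the destination, not both")
        if mode not in ("static", "dynamic"):
            raise ValueError("mode must be 'static' or 'dynamic'")
        self.source, self.destination = AddrSet(source), AddrSet(destination)
        self.mode, self.description = mode, description
        self.field = "source" if translated_source is not None else "destination"
        self.matched = self.source if self.field == "source" else self.destination
        self.translated = AddrSet(translated_source if self.field == "source" else translated_destination)
        if mode == "static" and len(self.translated) != len(self.matched):
            raise ValueError("static mapping is one-to-one: matched and translated sets must be the same size")

    def matches(self, src, dst):
        return src in self.source and dst in self.destination

    def apply(self, src, dst):
        original = src if self.field == "source" else dst
        if self.mode == "static":   # one-to-one: same position in the translated set
            new = self.translated.nth(self.matched.offset_of(original))
        else:                       # dynamic: many-to-one; pick by hashing the original (assumed policy)
            new = self.translated.nth(int(ipaddress.IPv4Address(original)) % len(self.translated))
        return (new, dst) if self.field == "source" else (src, new)


class NatTable:
    """Ordered rule list; the lowest-numbered matching rule wins."""

    def __init__(self):
        self.rules = []

    def add(self, rule, no=None):
        """Append, or insert at 1-based position `no` (rules from there on are renumbered)."""
        if no is None or no > len(self.rules):
            self.rules.append(rule)
            return len(self.rules)
        if no < 1:
            raise ValueError("rule numbers start at 1")
        self.rules.insert(no - 1, rule)
        return no

    def translate(self, src, dst):
        """Return (src, dst, rule_no); rule_no is None when nothing matched and the packet is unchanged."""
        for no, rule in enumerate(self.rules, start=1):
            if rule.matches(src, dst):
                return rule.apply(src, dst) + (no,)
        return src, dst, None


def rule_is_valid(**kwargs):
    """True if NatRule(**kwargs) passes the consistency checks above."""
    try:
        NatRule(**kwargs)
        return True
    except ValueError:
        return False


def build_example_table():
    """Constructed sample policy (RFC 5737 documentation addresses); not a real deployment."""
    t = NatTable()
    # Specific rules first: a static one-to-one mapping for one server, outbound ...
    t.add(NatRule(source="10.0.0.5", translated_source="203.0.113.5", description="web server outbound"))
    # ... and, because rules are unidirectional, a separate rule for the inbound direction.
    t.add(NatRule(destination="203.0.113.5", translated_destination="10.0.0.5", description="web server inbound"))
    # Broader cases later: the rest of the LAN hides behind one address (dynamic, many-to-one) ...
    t.add(NatRule(source="10.0.0.0/24", translated_source="203.0.113.1", mode="dynamic", description="LAN hide NAT"))
    # ... and anything else sent to the public block lands on one internal host.
    t.add(NatRule(destination="203.0.113.0/24", translated_destination="10.0.0.10", mode="dynamic",
                  description="public block catch-all"))
    return t


if __name__ == "__main__":
    table = build_example_table()
    for pkt in [("10.0.0.5", "198.51.100.9"), ("10.0.0.77", "198.51.100.9"),
                ("198.51.100.9", "203.0.113.5"), ("198.51.100.9", "203.0.113.200")]:
        print(pkt, "->", table.translate(*pkt))
```

Inserting the broad "LAN hide NAT" rule at position 1 instead makes 10.0.0.5 leave as 203.0.113.1 rather than 203.0.113.5, which is the ordering mistake the page warns about; removing the "web server inbound" rule leaves traffic to 203.0.113.5 untranslated, which is what unidirectional rules mean in practice.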