You can use NAT together with SKIP to carry traffic through an encrypted tunnel (a secure virtual private network). The order of operations matters: at the source tunnel endpoint, encryption must take place after the NAT mapping, and at the destination tunnel endpoint, decryption must take place before the NAT translation.
The following information describes using the administration GUI. Appendix A contains information about the command line interface.
You use the NAT tab to set up mapping rules that translate IP addresses. Each rule inspects the source and destination address of an incoming IP packet, rewrites either the apparent source or the intended destination, and passes the packet on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your SunScreen installation.
Rules make up the map that is used during the translation of a packet. In general, you would translate addresses to:
Ensure that internal addresses appear as registered addresses on the Internet
Send traffic for a specific destination to a different, pre-determined destination.
When defining NAT rules, the first rule (lowest number) that matches a packet applies, and no other rule is applied to that packet. Therefore, define specific rules first and broader cases later; a broad rule placed first shadows every more specific rule after it.
You can define the mappings of internal addresses to external addresses. Use the NAT tab in the Policy Rules area of the Policy Rules page to specify the address that is to be translated to a particular address, and to select whether you want static mapping or dynamic mapping. Additional information on NAT is in the SunScreen Reference Manual.
All network address translations happen before a packet is tested against any of the screening rules. In this way, you can define all screening rules using only internal addresses. The four addresses NAT supports are:
Source
Destination
Translated Source
Translated Destination
The meanings and uses of the specific fields in the NAT page are as follows:
Table 4-1 NAT Page Field Explanations
All NAT rules are unidirectional. They work precisely as defined and are not interpreted as also applying in the reverse direction. So, if you map an internal source address to an external source address, and you want the mapping to apply in the reverse direction, you must map the external destination address to the internal destination address with a second rule.
When building security policies using NAT, define the security policy rules in terms of internal addresses. All packets that are destined for external addresses used in NAT must be routed to the Screen.
If you use static NAT to map a machine's address, a machine on any other network can initiate traffic to that machine, given a properly-defined reverse rule.
In routing mode (unlike stealth mode), the Screen does not automatically answer ARP requests for a translated destination address. Either the translated addresses must lie on a separate network that is routed to the Screen, or you must add a published ARP entry for each translated address manually.
Static NAT is a one-to-one mapping of the internal address to an external address, and dynamic NAT is many-to-one or many-to-few mapping of internal addresses to an external address.
For more information on NAT and the possible set up, see the SunScreen Reference Manual.
Do not include the address of a remote Administration Station in any of your NAT rules, where NAT will occur between the Administration station and the Screen.
If Centralized Management is in place, each NAT rule must be associated explicitly with the Screen to which it applies.
If any network attached to the inside of the Screen has NAT mappings applied (including any network holding addresses to which you want to allow public access), type the following for each translated address so that the Screen answers ARP requests for it. IP_Address is the translated (external) address and ether_address is the Ethernet address of the Screen interface on which that address is reachable:
# arp -s IP_Address ether_address pub
Published ARP entries do not survive a reboot, so you must add this entry each time you reboot the Screen; you may want to add the command to an rc startup script so that it runs automatically. This is not necessary in stealth mode.
When defining a static NAT mapping, be sure that:
The ranges and groups used in the Source and Translated Source fields are exactly the same size.
The ranges and groups used in the Destination and Translated Destination fields are exactly the same size.
Select the NAT tab in the Policy Rules area of the Policy Rules page to move to the Network Address Translation area.
Click New... in the Add New... choice list below the Network Address Translation area to display the NAT Definition dialog window.
Select the Screen that should use NAT mapping.
The default applies the rule to all Screens.
Select all four addresses (Source, Destination, Translated Source, and Translated Destination) in the NAT Definition dialog window.
Click the OK button.
Repeat the previous steps until you have edited all the rules as required.
Click the Save Changes button to save the edited mappings to a file.
You must click the Activate button for the changes to take effect.
In most cases, when defining a static mapping, the internal address and external address are each a single address.
Select the NAT tab in the Policy Rules area of the Policy Rules page to move to the Network Address Translation area.
In the table, click the mapping that you want to edit.
Click the Edit button below the Network Address Translation area to display the NAT Definition dialog window for that mapping.
Click the down arrow on the Mapping field to display the list of mapping types.
Click and highlight the type of mapping (static or dynamic) that you want.
In most cases when defining a static mapping, the Source Address and Destination Address are each a single address.
Click the down arrow on the Source Address field to display the list of addresses.
Click and highlight the address that you want. The new source address appears in the Source Address field.
Click the down arrow on the Destination Address field to display the list of addresses.
Click and highlight the address that you want. The new destination address appears in the Destination Address field.
In the same way, click and highlight the translated source that you want.
Click and highlight the translated destination that you want.
Click the OK button of the NAT Definition dialog window to save your edits.
Repeat the previous steps until you have edited all the mappings as required.
Click the Save Changes button to save the edited mappings to a file.
You must click the Activate button for the changes to take effect.
The following example translates the address of laguna to nathost for all destination addresses for all outgoing traffic.
The following example translates the address nathost to laguna for all source addresses for all incoming traffic. One-way communication is allowed, so one of these rules may be used without the other.
In the following example, the translation occurs only when the destinations match what is in the internet address group. If the address was not in this group, the source address would not be translated.
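The following model, added here as an illustration and not SunScreen code, applies the rule semantics this page describes to the three example rules above and to the first-match and static-size caveats: rules are tried in order and the first match wins; each rule is unidirectional, so the reverse direction needs its own rule; a static rule maps addresses one-to-one by position and so requires equal-size address sets; and the screening rules see the translated packet. The names laguna, nathost and internet come from the page; the IP values assigned to them, and the extra objects inside, natpool, eng_lan and eng_pub, are constructed for the example. Treating "*" in a Translated field as "leave that address unchanged" is this example's own convention.

```python
"""Model of SunScreen NAT rule semantics as described on this page (added
example, not SunScreen code).  Address values are constructed for illustration;
a "*" in a Translated field means "leave that address unchanged"."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADDRESSES = {                                    # constructed address objects
    "*":        [ip_network("0.0.0.0/0")],       # any address
    "laguna":   [ip_network("10.1.1.7/32")],     # internal host named on the page
    "nathost":  [ip_network("192.0.2.7/32")],    # its registered (external) address
    "inside":   [ip_network("10.1.0.0/16")],     # whole internal network (assumed)
    "natpool":  [ip_network("192.0.2.32/32")],   # single address for dynamic NAT (assumed)
    "internet": [ip_network("198.51.100.0/24")], # the "internet" group of the page
    "eng_lan":  [ip_network("10.1.2.0/29")],     # 8 internal addresses (assumed)
    "eng_pub":  [ip_network("192.0.2.16/29")],   # 8 registered addresses (assumed)
}

@dataclass(frozen=True)
class NatRule:
    mapping: str                 # "STATIC" (one-to-one) or "DYNAMIC" (many-to-one)
    source: str
    destination: str
    translated_source: str
    translated_destination: str
    screen: str = "*"            # under Centralized Management, the Screen it applies to

def contains(name, addr):
    return any(addr in net for net in ADDRESSES[name])

def expand(name):
    """All addresses of an object, or None if it is unbounded ("any")."""
    if name == "*":
        return None
    return [a for net in ADDRESSES[name] for a in net]

def validate_static(rule):
    """Page caveat: in a static rule, Source/Translated Source and
    Destination/Translated Destination must be exactly the same size."""
    if rule.mapping != "STATIC":
        return True
    for field, tfield in (("source", "translated_source"),
                          ("destination", "translated_destination")):
        if getattr(rule, tfield) == "*":          # this address is not translated
            continue
        have, want = expand(getattr(rule, field)), expand(getattr(rule, tfield))
        if have is None or want is None or len(have) != len(want):
            raise ValueError(f"{field}/{tfield}: address sets differ in size")
    return True

def _translate(addr, from_name, to_name, mapping):
    if to_name == "*":
        return addr
    targets = expand(to_name)
    if mapping == "STATIC":                       # one-to-one, by position in the range
        return targets[expand(from_name).index(addr)]
    return targets[0]                             # DYNAMIC: every match collapses to one

def translate(packet, rules, screen="*"):
    """Apply the first (lowest-numbered) matching rule and no other.  Returns the
    source/destination pair that the screening rules are then tested against."""
    src, dst = packet
    for rule in rules:
        if rule.screen != "*" and rule.screen != screen:
            continue
        if contains(rule.source, src) and contains(rule.destination, dst):
            return (_translate(src, rule.source, rule.translated_source, rule.mapping),
                    _translate(dst, rule.destination, rule.translated_destination, rule.mapping))
    return packet                                 # no match: addresses pass through unchanged

# The rules of the page's three examples, in the page's field order, plus a broad one.
OUTBOUND = NatRule("STATIC", "laguna", "*", "nathost", "*")            # laguna -> nathost, any destination
INBOUND = NatRule("STATIC", "*", "nathost", "*", "laguna")             # the separate reverse rule
CONDITIONAL = NatRule("STATIC", "laguna", "internet", "nathost", "*")  # only for the internet group
BROAD = NatRule("DYNAMIC", "inside", "internet", "natpool", "*")       # many-to-one for everyone else

def demo():
    web, lan_peer = ip_address("198.51.100.9"), ip_address("10.1.5.5")
    laguna, nathost = ip_address("10.1.1.7"), ip_address("192.0.2.7")
    out = {}
    # Rules are unidirectional: without INBOUND, the reply to nathost is not reversed.
    out["outbound"] = translate((laguna, web), [OUTBOUND])
    out["reply_without_reverse_rule"] = translate((web, nathost), [OUTBOUND])
    out["reply_with_reverse_rule"] = translate((web, nathost), [OUTBOUND, INBOUND])
    # Conditional rule: a destination outside the internet group is left untranslated.
    out["conditional_hit"] = translate((laguna, web), [CONDITIONAL])
    out["conditional_miss"] = translate((laguna, lan_peer), [CONDITIONAL])
    # First match wins: the specific static rule must precede the broad dynamic one.
    out["specific_first"] = translate((laguna, web), [OUTBOUND, BROAD])
    out["broad_first"] = translate((laguna, web), [BROAD, OUTBOUND])
    out["other_host_dynamic"] = translate((ip_address("10.1.2.3"), web), [OUTBOUND, BROAD])
    # Static size check: 8 internal addresses cannot map one-to-one onto 1.
    try:
        validate_static(NatRule("STATIC", "eng_lan", "*", "nathost", "*"))
        out["size_check"] = "accepted"
    except ValueError:
        out["size_check"] = "rejected"
    validate_static(NatRule("STATIC", "eng_lan", "*", "eng_pub", "*"))   # 8 to 8 is fine
    return {k: tuple(map(str, v)) if isinstance(v, tuple) else v for k, v in out.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

Running the block prints each case; the "broad_first" case shows laguna being mapped to the dynamic pool address instead of nathost once the broad rule is numbered lower, which is the ordering mistake the first-match rule above warns against. A real dynamic NAT also tracks ports to keep the many-to-one flows apart; the model omits that because the page does not describe it.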