SunScreen 3.1 Administration Guide

Your NAT Scenario

When building security policies using NAT, define the security policy rules in terms of internal addresses. All packets that are destined for external addresses used in NAT must be routed to the Screen.


Note -

If you use static NAT to map a machine's address, a machine on any other network can initiate traffic to that machine, given a properly defined reverse rule.


Because in routing mode (unlike stealth mode) the Screen does not automatically answer ARP requests for the destination address, the Screen must either route to a separate network that has the destination address, or a published ARP entry for that address must be added to the Screen manually.

Static NAT is a one-to-one mapping of the internal address to an external address, and dynamic NAT is many-to-one or many-to-few mapping of internal addresses to an external address.

For more information on NAT and the possible set up, see the SunScreen Reference Manual.


Note -

Do not include the address of a remote Administration Station in any of your NAT rules where NAT will occur between the Administration Station and the Screen.



Note -

If Centralized Management is in place, each NAT rule must be associated explicitly with the Screen to which it applies.


To Add ARP Manually on a Screen in Routing Mode

    Type the following if the networks that attach to the Screen on the inside have NAT mappings applied, including any network on which there are addresses to which you want to allow public access:


    # arp -s IP_Address ether_address pub
    


    Note -

    You must add this entry each time that you reboot the Screen, so you may want to modify a startup script to do this automatically when you reboot. This is not necessary in stealth mode.
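The note above says the published ARP entries are lost on every reboot. The following rc script is an added example, not part of the SunScreen documentation: it reads a table of external NAT addresses and the Screen interface's Ethernet address, validates each entry, and issues the arp -s ... pub command from the procedure above. The install path /etc/rc2.d/S99natarp, the table values and the MAC address are placeholders.

```shell
#!/bin/sh
# Hypothetical rc script for a Screen in routing mode (added example, not from
# the SunScreen documentation). It publishes an ARP entry for each external NAT
# address at boot, since "arp -s ... pub" entries do not survive a reboot.

# Constructed sample table, one "external_NAT_address Screen_interface_MAC"
# per line. Placeholder values: replace with the Screen's real addresses.
NAT_ARP_TABLE='
192.0.2.10 08:00:20:aa:bb:cc
192.0.2.11 08:00:20:aa:bb:cc
'
# Succeed only for a dotted quad whose four octets are each in 0-255.
valid_ipv4() {
    case $1 in *[!0-9.]* | .* | *. | *..*) return 1 ;; esac
    _saved_ifs=$IFS; IFS=.; set -- $1; IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
}

# Succeed only for a MAC written as six colon-separated hex pairs.
valid_mac() {
    _hex='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in $_hex:$_hex:$_hex:$_hex:$_hex:$_hex) ;; *) return 1 ;; esac
}

# Print the arp(1M) command for one mapping; refuse malformed input so a
# typo in the table cannot publish a bogus entry on the Screen's network.
arp_pub_cmd() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    printf 'arp -s %s %s pub\n' "$1" "$2"
}

# Process every table entry; with -n, print the commands instead of running.
publish_nat_arp() {
    echo "$NAT_ARP_TABLE" | while read -r _ip _mac; do
        [ -n "$_ip" ] || continue
        if _cmd=$(arp_pub_cmd "$_ip" "$_mac"); then
            if [ "$1" = -n ]; then echo "$_cmd"; else $_cmd; fi
        else
            echo "publish_nat_arp: skipping malformed entry '$_ip $_mac'" >&2
        fi
    done
}

case ${1-} in
    start) publish_nat_arp ;;     # boot-time invocation by init
    -n)    publish_nat_arp -n ;;  # dry run: show what would be published
esac
```

Run it with -n first to confirm the table produces exactly the entries you expect before linking it into the rc directory; a malformed line is reported and skipped rather than published.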


To Define NAT Rules

When defining a static NAT mapping, be sure that:

  1. Select the NAT tab in the Policy Rules area of the Policy Rules page to move to the Network Address Translation area.

    Figure 4-9 Network Address Translation Area

  2. Click New... in the Add New... choice list below the Network Address Translation area to display the NAT Definition dialog window.

    Figure 4-10 NAT Definition Dialog Window

  3. Select the Screen that should use NAT mapping.

    By default, the NAT mapping is available to all Screens.

  4. Select all four addresses in the NAT Definition dialog window.

  5. Click the OK button.

  6. Repeat the previous steps until you have edited all the rules as required.

  7. Click the Save Changes button to save the edited mappings to a file.

    You must click the Activate button for the changes to take effect.

    In most cases, when defining a static mapping, the internal address and external address are each a single address.

To Edit the NAT Rules

  1. Select the NAT tab in the Policy Rules area of the Policy Rules page to move to the Network Address Translation area.

  2. Click the Mapping field to choose the mapping on the table that you want to edit.

  3. Click the Edit button below the Network Address Translation area to display the NAT Definition dialog window for that mapping.

  4. Click the down arrow on the Mapping field to display the list of mappings.

  5. Click and highlight the type of mapping that you want.

    In most cases when defining a static mapping, the Source Address and Destination Address are each a single address.

  6. Click the down arrow on the Source Address field to display the list of addresses.

  7. Click and highlight the address that you want.

    The new source address appears in the Source Address field.

  8. Click the down arrow on the Destination Address field to display the list of addresses.

    1. Click and highlight the address that you want.

    2. Click and highlight the translated source that you want.

    3. Click and highlight the translated destination that you want.

    The new destination address appears in the Destination Address field.

  9. Click the OK button of the NAT Definition dialog window to save your edits.

  10. Repeat the previous steps until you have edited all the mappings as required.

  11. Click the Save Changes button to save the edited mappings to a file.

    You must click the Activate button for the changes to take effect.