NAT Tab
Use the Network Address Translation (NAT) tab, shown in FIGURE 5-48,
to set up mapping rules to translate IP addresses according to specific rules.
These rules interpret the source and destination of incoming IP packets, then
translate either the apparent source or the intended destination, and send
the packets on. You can map hosts, lists of addresses, ranges of addresses,
or specific groups, depending on what you have configured in your SunScreen
installation. See "Address" for information on defining addresses,
ranges, or groups of addresses.
Figure 5-48 NAT Tab

In general, you map addresses to:
- Ensure that internal addresses appear as registered addresses on the Internet, or
- Send traffic for a specific destination to a different, predetermined destination.
Translating both source and destination addresses in one rule is not possible; that
is, you cannot make packets appear to come from a different IP address and direct
the packets to a different destination at the same time.
When defining NAT rules, the first rule (lowest number) that matches
a packet is the one that applies, and no other rule is considered for that packet; define specific
rules first, then broader cases later.
FIGURE 5-49 shows the NAT Definition dialog box.
Figure 5-49 NAT Definition Dialog Box

TABLE 5-44 describes the controls for the NAT Definition dialog box.
Table 5-44 Controls for the NAT Dialog Box

| Control | Description |
|---|---|
| Rule Index | Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the end of the list). If you type a specific number, the new rule is inserted into that position in the list, and the rules currently in the configuration are renumbered. |
| Screen | (Optional) Specifies the Screen to which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen. The default, All, applies to all Screens. |
| Mapping | Static: specify static mapping to set up a one-to-one relationship between two addresses. You could use this, for example, to set new apparent IP addresses for hosts on your network without having to reconfigure each host. Dynamic: specify dynamic mapping to map source addresses to other addresses in a many-to-few relationship. You could use dynamic mapping to ensure that all traffic leaving the firewall appears to come from a specific address or group of addresses, or to send traffic intended for several different hosts to the same actual IP address. |
| Source | Specify the source address to map from an untranslated packet. Source addresses are the actual addresses contained in the packet entering the firewall. |
| Destination | Specify the untranslated destination address for the source packet. Destination addresses are the actual addresses contained in the packet entering the firewall. |
| Translated Source | Specify the translated source address for a packet. The translated source is the address the packet appears to originate from. |
| Translated Destination | Specify the translated destination address for a packet. The translated destination is the actual address the packet goes to after it leaves the firewall. |
| Description | Used to provide a description of the mapping defined in this rule. |
| Add New | Allows adding a new NAT rule. |
| Edit | Allows you to edit the NAT rule that you highlighted in the NAT tab. |
| Move | Allows you to assign a new rule index number to the rule that you highlighted in the NAT tab. |
| Delete | Deletes the rule that you highlighted in the NAT tab. |
| Help | Displays the online help. |
When defining rules, remember that translating both source and destination
addresses in one rule is not possible. Either translate packets so they appear to come
from a different source, or translate packets so they go to a specific destination,
but not both.
All static NAT rules are unidirectional; that is, they work precisely
as defined and are not interpreted as also applying in the reverse direction.
For rules to apply in both directions, specify two different rules. For example,
if you map the source address internalname.com to the destination publicip.com, you will also have to map the source publicip.com to the destination internalname.com to translate
traffic in both directions.
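The two rule-table properties described on this page, first match wins (so specific rules must come before broad ones) and static rules being unidirectional (so a return path needs its own rule), are easy to get wrong when reading a long rule list. The following Python model is an added example written for this page; it is not SunScreen code and does not reproduce the product's address allocator. It assumes rules are expressed as host addresses or CIDR prefixes, that a static rule preserves the host offset between the untranslated and translated sides (one-to-one), and that a dynamic rule folds the offset onto the smaller pool modulo its size (many-to-few); the addresses in the sample rule set are constructed documentation addresses.

```python
"""Toy model of SunScreen-style NAT rule evaluation (added example, not product code).

Models three rules stated in the documentation:
  * a rule translates EITHER the source OR the destination, never both;
  * the lowest-numbered matching rule applies and no other rule is considered;
  * static rules are unidirectional, so return traffic needs its own rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One row of the NAT rule table, mirroring the NAT Definition dialog fields."""
    index: int                       # Rule Index: evaluation order, lowest first
    mapping: str                     # "static" (one-to-one) or "dynamic" (many-to-few)
    source: str                      # untranslated source, host or CIDR
    destination: str                 # untranslated destination, host or CIDR
    translated_source: Optional[str] = None
    translated_destination: Optional[str] = None
    description: str = ""

    def __post_init__(self) -> None:
        # Exactly one side may be translated (the page: "not both").
        if bool(self.translated_source) == bool(self.translated_destination):
            raise ValueError(f"rule {self.index}: translate source or destination, not both or neither")
        if self.mapping not in ("static", "dynamic"):
            raise ValueError(f"rule {self.index}: unknown mapping type {self.mapping!r}")
        if self.mapping == "static":
            # Static is one-to-one: both sides of the mapping must be the same size.
            before = self.source if self.translated_source else self.destination
            after = self.translated_source or self.translated_destination
            if ip_network(before, strict=False).num_addresses != ip_network(after, strict=False).num_addresses:
                raise ValueError(f"rule {self.index}: static mapping must be one-to-one")


def is_valid_rule(**fields) -> bool:
    """Return True if the NAT Definition fields describe an acceptable rule."""
    try:
        NatRule(**fields)
        return True
    except ValueError:
        return False


def _in(addr: str, spec: str) -> bool:
    return ip_address(addr) in ip_network(spec, strict=False)


def _translate(addr: str, from_spec: str, to_spec: str, mapping: str) -> str:
    """Map addr (already known to lie in from_spec) into to_spec.
    static: keep the host offset (one-to-one).  dynamic: fold the offset onto the
    pool modulo its size (many-to-few).  The modulo policy is an assumption of this
    model, not the product's allocator."""
    src_net = ip_network(from_spec, strict=False)
    dst_net = ip_network(to_spec, strict=False)
    offset = int(ip_address(addr)) - int(src_net.network_address)
    if mapping == "dynamic":
        offset %= dst_net.num_addresses
    return str(dst_net[offset])


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, Optional[int]]:
    """Evaluate a packet (src, dst) against the table; first match by index wins.
    Returns (translated src, translated dst, index of the rule applied or None)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if _in(src, rule.source) and _in(dst, rule.destination):
            if rule.translated_source:
                return _translate(src, rule.source, rule.translated_source, rule.mapping), dst, rule.index
            return src, _translate(dst, rule.destination, rule.translated_destination, rule.mapping), rule.index
    return src, dst, None            # no rule matched: packet is forwarded untranslated


# Constructed sample table (documentation address ranges, not real hosts).
# Specific rule first, broad rule second, as the page recommends.
OUTBOUND = [
    NatRule(1, "static", "10.0.0.5", "0.0.0.0/0", translated_source="203.0.113.5",
            description="mail server keeps a fixed public address"),
    NatRule(2, "dynamic", "10.0.0.0/24", "0.0.0.0/0", translated_source="203.0.113.1",
            description="everything else on the LAN shares one public address"),
]
# The same two rules with the broad one numbered first: the specific rule is never reached.
BROAD_FIRST = [
    NatRule(1, "dynamic", "10.0.0.0/24", "0.0.0.0/0", translated_source="203.0.113.1"),
    NatRule(2, "static", "10.0.0.5", "0.0.0.0/0", translated_source="203.0.113.5"),
]
# The explicit reverse rule a static mapping needs for inbound traffic.
REVERSE = [
    NatRule(3, "static", "0.0.0.0/0", "203.0.113.5", translated_destination="10.0.0.5",
            description="inbound to the mail server's public address"),
]

if __name__ == "__main__":
    print(apply_nat(OUTBOUND, "10.0.0.5", "198.51.100.9"))            # specific rule 1 applies
    print(apply_nat(OUTBOUND, "10.0.0.7", "198.51.100.9"))            # broad rule 2 applies
    print(apply_nat(BROAD_FIRST, "10.0.0.5", "198.51.100.9"))         # rule 2 shadowed by rule 1
    print(apply_nat(OUTBOUND, "198.51.100.9", "203.0.113.5"))         # reply: no rule, untranslated
    print(apply_nat(OUTBOUND + REVERSE, "198.51.100.9", "203.0.113.5"))  # reply with reverse rule
```

Running the script shows the shadowing problem directly: in BROAD_FIRST the mail server's packets leave as 203.0.113.1 because the dynamic rule matches first, and the static rule is dead. It also shows that OUTBOUND alone never rewrites a reply addressed to 203.0.113.5; only the separately defined rule 3 delivers it to 10.0.0.5, which is the "two different rules" requirement from the text.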