SunScreen 3.1 Configuration Examples

General Mixed-Mode Configuration

The following parameters are used to implement this example:

Mixed-Mode Limitation

Because NAT keeps only a single state table, it cannot be used to translate the IP addresses of the internal network in this mixed-mode configuration. You can, however, use NAT on the routing interfaces and on the stealth interfaces of a mixed-mode Screen, provided that the packets pass through the Screen only once.

NAT is not required for these connections because the proxies that provide the telnet, FTP, and HTTP connections between the Internet and the internal network use the IP address of the Screen rather than the illegal IP address of the host; only the Screen needs to be able to resolve the host's IP address.

For example, the mail-server can have its address translated when packets pass to the Internet, because those packets pass through the stealth interfaces only once. The same is true of any host on the private part of the network (192.168.3.0 in this example) or on the 192.156.4.0 network.

Using DYNAMIC NAT

The following steps outline how DYNAMIC NAT translates the source IP addresses of hosts on the internal network (10.0.3.0 in this example) to a legal address (192.168.3.100 in this example).

  1. Add rules to ALLOW hosts on the 10.0.3.0 network free access to the Internet.

  2. Add rules to ALLOW only SMTP access to mail-server.

  3. Add rules to ALLOW only authenticated telnet and FTP to the qfe2 interface of lon-screen1.


    Note -

    The routing and stealth interfaces must be on different subnets, and separated by an external router.
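The following is an added worked model of the procedure above, not SunScreen code: it evaluates the three ALLOW rules in order (default deny) and keeps the single state table that DYNAMIC source translation needs, mapping each outbound flow from 10.0.3.0 to 192.168.3.100 with a fresh port and reversing the mapping for replies. The 10.0.3.0/24, 192.168.3.0/24 and 192.168.3.100 values come from the text; the addresses for mail-server and for the qfe2 interface of lon-screen1, the `authenticated` flag standing in for the proxy's user authentication, and the remote Internet hosts are assumptions made for the example.

```python
"""Toy model of the DYNAMIC NAT steps: three ordered ALLOW rules plus a
single source-translation state table.  Added illustration, not SunScreen
code; mail-server, qfe2 and remote addresses are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INSIDE = ipaddress.ip_network("10.0.3.0/24")       # internal hosts (from the text)
PRIVATE = ipaddress.ip_network("192.168.3.0/24")   # private side of the network (from the text)
NAT_ADDR = "192.168.3.100"                         # translated source address (from the text)
MAIL_SERVER = "192.168.3.25"                       # assumed address of mail-server
QFE2 = "192.168.3.1"                               # assumed address of qfe2 on lon-screen1

SMTP, TELNET, FTP, HTTP = 25, 23, 21, 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    authenticated: bool = False  # assumed: set once the user has authenticated to the proxy


def is_internet(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip not in INSIDE and ip not in PRIVATE


def rule_allows(pkt: Packet) -> bool:
    """Steps 1-3 as ordered rules; anything that matches none of them is denied."""
    # Step 1: hosts on 10.0.3.0 have free access to the Internet.
    if ipaddress.ip_address(pkt.src) in INSIDE and is_internet(pkt.dst):
        return True
    # Step 2: only SMTP to mail-server.
    if pkt.dst == MAIL_SERVER:
        return pkt.dport == SMTP
    # Step 3: only authenticated telnet and FTP to the qfe2 interface.
    if pkt.dst == QFE2:
        return pkt.dport in (TELNET, FTP) and pkt.authenticated
    return False


class DynamicNat:
    """The one state table: a flow is known by the port allocated on NAT_ADDR."""

    def __init__(self, first_port: int = 20000) -> None:
        self.next_port = first_port
        self.forward: Dict[Tuple[str, int, str, int], int] = {}   # (src, sport, dst, dport) -> nat port
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (nat port, dst, dport) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate the source to NAT_ADDR, allocating a port on first sight of the flow."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(NAT_ADDR, pkt.dst, self.forward[key], pkt.dport, pkt.authenticated)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-map a reply addressed to NAT_ADDR; None means no state, so it is dropped."""
        state = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != NAT_ADDR or state is None:
            return None
        src, sport = state
        return Packet(pkt.src, src, pkt.sport, sport)


def pass_through(pkt: Packet, nat: DynamicNat) -> Optional[Packet]:
    """Apply the rules, then translate Internet-bound internal traffic on its single pass."""
    if not rule_allows(pkt):
        return None
    if ipaddress.ip_address(pkt.src) in INSIDE and is_internet(pkt.dst):
        return nat.outbound(pkt)
    return pkt


if __name__ == "__main__":
    nat = DynamicNat()
    out = pass_through(Packet("10.0.3.7", "203.0.113.10", 40000, HTTP), nat)
    print(out)                                             # source now 192.168.3.100:20000
    print(nat.inbound(Packet("203.0.113.10", NAT_ADDR, HTTP, out.sport)))  # back to 10.0.3.7:40000
    print(pass_through(Packet("10.0.3.7", MAIL_SERVER, 40001, HTTP), nat))  # None: only SMTP allowed
```

Replies are matched only through the state created by the outbound packet, which is why a packet that re-enters the Screen after translation, or any unsolicited packet to 192.168.3.100, finds no entry and is dropped.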