SunScreen 3.2 Administration Guide

Network Address Translation (NAT) Rules


Note -

You can use NAT with encryption to provide communication in an encrypted tunnel (secure virtual private network). Encryption at the source tunnel address takes place after the NAT mapping; decryption at the destination tunnel address must take place before the NAT translation.


NAT Mapping Overview

You use the NAT tab to set up mapping rules that translate IP addresses according to specific rules. These rules interpret the source and destination addresses of incoming IP packets, then translate either the apparent source or the intended destination and send the packets on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your SunScreen installation.

The map used during the translation of a packet consists of rules. In general, you would translate addresses to:

When defining NAT rules, the first rule (lowest number) that matches a packet applies, and no other rules can apply. Therefore, you might define specific rules first, then broader cases later.

You can define the mappings of internal addresses to external addresses. Use the NAT tab in the Policy Rules area of the Policy Rules page to specify the address that is to be translated to a particular address and to specify static mapping or dynamic mapping. For additional information on NAT, see "Network Address Translation" in SunScreen 3.2 Administrator's Overview.

All network address translations take place before a packet is tested against any of the screening rules. In this way, you can define all screening rules using only internal addresses.

NAT Administration Page

The meanings and uses of the specific fields in the NAT page are described in the following table.

Table 3-5 NAT Page Field Explanations

Field 

Use 

Rule Index 

Use this field to assign a number to a rule. By default, this field displays a number that is one greater than the last rule, which indicates the rule is placed at the end of the list. If you type a specific number, the new rule is inserted into that position in the list, and the rules in the policy are consequently renumbered. 

Screen  

Use this field to specify the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use Centralized Management and want a rule to apply to a specific Screen. If a Screen isn't specified, the rule applies for all Screens that are defined. 

If Centralized Management is in place, each NAT rule must be associated explicitly with the Screen to which it applies.

Mapping 

  • Static

    Specify static mapping to set up a one-to-one relationship between two addresses. You can use static mapping to set new apparent IP addresses for hosts on your network without having to reconfigure each host.

  • Dynamic

    Specify dynamic mapping to map source addresses to other addresses in a many-to-one relationship. You can use dynamic mapping to ensure that all traffic leaving the firewall appears to come from a specific address or group of addresses, or to send traffic intended for several different hosts to the same actual IP address.

Source 

Specify the source address to map from an untranslated packet. Source addresses are the actual addresses contained in the packet entering the firewall. 

Destination 

Specify the destination address for the untranslated packet. Destination addresses are the actual addresses contained in the packet entering the firewall. 

Translated Source 

Specify the translated source address for a packet. The address from which the packet appears to originate is the translated source. 

Translated Destination 

Specify the translated destination address for a packet. The translated destination is the actual address where the packet goes after it leaves the firewall. 

You cannot translate both source and destination addresses; that is, you cannot make packets appear to come from a different IP address and simultaneously direct the packets to a different destination. 

Description 

Use this field to provide a description of the rule. 

All static NAT rules are unidirectional. They work precisely as defined and are not interpreted as also applying in the reverse direction. Thus, if you map an internal source address to an external source address and you want the mapping to apply in the reverse direction, you must use a second rule to map the external destination address to the internal destination address explicitly.

Dynamic NAT requires only one rule.
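As an added illustration (not part of the SunScreen documentation), the following Python model applies the rule semantics described above: the first matching rule (lowest number) wins, a static rule translates in one direction only and so needs an explicit reverse rule, a dynamic rule maps many addresses to one, and a rule may not translate both source and destination; it also enforces the same-size requirement for static ranges stated under "To Define NAT Rules". The hostnames laguna and nathost come from the examples at the end of this chapter; natpool, the 192.0.2.x and 198.51.100.x addresses, and the ANY wildcard are constructed.

```python
from dataclasses import dataclass

ANY = ("*",)  # constructed stand-in for the "any address" object used in rule fields

@dataclass
class NatRule:                  # one row of the NAT tab; field names follow Table 3-5
    index: int
    mapping: str                # "static" (one-to-one) or "dynamic" (many-to-one)
    source: tuple               # untranslated source addresses (host, range, or group)
    destination: tuple          # untranslated destination addresses
    translated_source: tuple
    translated_destination: tuple

def validate(rule):
    """Reject rule shapes the guide forbids before they enter the packet path."""
    if rule.translated_source != rule.source and rule.translated_destination != rule.destination:
        raise ValueError(f"rule {rule.index}: cannot translate both source and destination")
    if rule.mapping == "static" and (len(rule.source) != len(rule.translated_source) or
                                     len(rule.destination) != len(rule.translated_destination)):
        raise ValueError(f"rule {rule.index}: static ranges/groups must be the same size")

def _matches(addr, members):
    return members == ANY or addr in members

def _map(rule, members, translated, addr):
    # static: position-for-position (one-to-one); dynamic: everything to one address (many-to-one)
    if rule.mapping == "static" and members != ANY:
        return translated[members.index(addr)]
    return translated[0]

def translate(rules, src, dst):
    """Apply only the first (lowest-index) matching rule; unmatched packets pass untranslated."""
    for rule in sorted(rules, key=lambda r: r.index):
        if not (_matches(src, rule.source) and _matches(dst, rule.destination)):
            continue
        if rule.translated_source != rule.source:
            return _map(rule, rule.source, rule.translated_source, src), dst
        return src, _map(rule, rule.destination, rule.translated_destination, dst)
    return src, dst

def example_rules():
    """Constructed policy: static forward/reverse pair for laguna, then a dynamic many-to-one rule."""
    internal = ("laguna", "192.0.2.11", "192.0.2.12")   # constructed internal hosts
    internet = ("198.51.100.7", "198.51.100.8")         # constructed 'internet' address group
    rules = [NatRule(1, "static", ("laguna",), ANY, ("nathost",), ANY),         # laguna appears as nathost
             NatRule(2, "static", ANY, ("nathost",), ANY, ("laguna",)),         # reverse rule for replies
             NatRule(3, "dynamic", internal, internet, ("natpool",), internet)]  # rest of inside -> natpool
    for rule in rules:
        validate(rule)
    return rules
```

Moving the laguna rule below the dynamic rule (a higher index) makes laguna leave as natpool instead of nathost, which is the first-match behaviour the text warns about.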

Your NAT Scenario

When building security policies using NAT, define the security policy rules in terms of internal addresses. All packets that are destined for external addresses used in NAT must be routed to the Screen.


Note -

If you use static NAT to map a machine's address, a machine on any other network can initiate traffic to that machine, given a properly defined reverse rule.


In routing mode (unlike stealth mode), the Screen does not automatically answer ARP requests for the destination address. Consequently, the Screen must either route to a separate network that has the destination address, or a proxy ARP entry must be configured manually.

Static NAT is a one-to-one mapping of an internal address to an external address. Dynamic NAT is a many-to-one or many-to-few mapping of internal addresses to an external address.

For more information on NAT and possible setups, see "Network Address Translation" in SunScreen 3.2 Administrator's Overview. For an example that uses NAT, see the SunScreen 3.2 Configuration Examples manual.


Note -

In cases where NAT will occur between the Administration station and the Screen, do not include the address of a remote Administration Station in any of your NAT rules.

If Centralized Management is in place, each NAT rule must be associated explicitly with the Screen to which it applies.


To Manually Add an ARP Entry

For networks that attach to the Screen on the inside and have NAT mappings applied, use the following command.

This is recommended for any network on which there are addresses to which you want to allow public access.

    # arp -s IP_Address ether_address pub

You must add this entry each time you reboot the Screen, so you may want to modify a startup script to do this automatically when you reboot.


Note -

This entry is not necessary in stealth mode.


The following information describes how to use the administration GUI. Chapter 10, Using the Command Line Interface contains information about the command line interface.

To Define NAT Rules

When you design a static NAT mapping, be sure that the ranges and groups used in the Source and Translated Source fields and the ranges and groups used in the Destination and Translated Destination fields are exactly the same size.

  1. Execute the steps in "To Modify Rules".

  2. Select the NAT tab in the Policy Rules area.

    The Network Address Translation area is displayed.

  3. Click Add New Rule below the Network Address Translation area.

    The NAT Definition dialog box is displayed.

  4. Select the Screen that should use NAT mapping.

    The default is NAT applied to the policies of all Screens.

  5. Select all four addresses in the NAT Definition dialog box.

  6. Click the OK button.

  7. Repeat the previous steps until you have configured all the rules as required.

  8. Click the Save Changes button to save the edited mappings.

    You must click the Activate button for the changes to take effect.

    In most cases, when you define a static mapping, the internal address and external address are both single addresses.

To Edit the NAT Rules

  1. Execute the steps in "To Modify Rules".

  2. Select the NAT tab in the Policy Rules area.

    The Network Address Translation area appears.

  3. In the Mapping field, select the mapping on the table that you want to edit.

  4. Click the Edit button below the Network Address Translation area.

    The NAT Definition dialog box for that mapping appears.

  5. Select the type of mapping that you want in the Mapping field.

  6. Select the address that you want in the Source field.

    The source address in the Source field should match the packet.

  7. Select the address that you want in the Destination field.

    The destination address in the Destination field should match the packet.

  8. Select the translated source that you want.

  9. Select the translated destination that you want.

  10. Click the OK button of the NAT Definition dialog box to save your edits.

  11. Repeat the previous steps until you have edited all the mappings as required.

  12. Click the Save Changes button to save the edited mappings to a file.

    You must click the Activate button for the changes to take effect.

Example: Static NAT of a Host to a Host

The following example translates the address of laguna to nathost for outgoing traffic to any destination address.


Example: Reverse Rule

The following example translates the address nathost to laguna for incoming traffic from any source address.


Note -

Although one-way communication is allowed, and one of these rules may be used without the other, it is more common to use both together.



Example: Dynamic Translation of a Range of Addresses to One Host

In the following example, the translation occurs only when the destination matches an address in the internet address group. If the destination is not in this group, the source address is not translated.
