SunScreen 3.2 Administration Guide

Network Address Translation (NAT)


Caution -

If you are using NAT, when you define a static mapping, be sure that the ranges and groups used in the Source, Destination, Translated Source, and Translated Destination fields are exactly the same size.


To Add ARP Manually

    Use the arp command with the -s flag if the networks that attach to the Screen on the inside have internal addresses (including any network on which there are addresses to which you want to allow external access):


    # arp -s IP_Address ether_address pub
    


    Note -

    You must either add this entry each time you reboot the Screen or write your own script to automate this function. If you are administering the Screen remotely, you must either go to the Screen to add this entry or have a rule in your policy that allows you to use a command or protocol such as telnet or ssh to access the Screen. See also the arp(1M) man page.
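The note above leaves the reboot-time automation to you. The following script is an added example, not part of the SunScreen guide or product: it reads a small text table of IP/Ethernet address pairs (a hypothetical file format constructed here, shown inline as SAMPLE_TABLE), validates each address before anything is published, rejects duplicate IPs, and then either prints or executes the corresponding `arp -s IP ether_address pub` commands. Running with dry_run=False requires root on the Screen; the constructed sample addresses are placeholders.

```python
import ipaddress
import re
import subprocess
from typing import List, Tuple

# Constructed sample of the table this script reads (hypothetical format, not a
# SunScreen file): one "IP ether_address" pair per line, '#' starts a comment.
SAMPLE_TABLE = """
# internal hosts that outside clients reach through the Screen's NAT
10.0.105.10   8:0:20:1a:2b:3c
10.0.105.11   08:00:20:1a:2b:3d   # web server
"""

# Solaris arp(1M) accepts one- or two-digit hex octets separated by colons.
MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$")


def parse_arp_table(text: str) -> List[Tuple[str, str]]:
    """Parse and validate the table; a bad or duplicate line aborts the whole run
    so that a partially published set of entries is never left behind."""
    entries: List[Tuple[str, str]] = []
    seen_ips = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'IP ether_address'")
        ip, mac = parts
        ipaddress.IPv4Address(ip)  # raises AddressValueError on malformed input
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: malformed Ethernet address {mac!r}")
        if ip in seen_ips:
            raise ValueError(f"line {lineno}: duplicate entry for {ip}")
        seen_ips.add(ip)
        entries.append((ip, mac.lower()))
    return entries


def build_arp_commands(entries: List[Tuple[str, str]]) -> List[List[str]]:
    """One published (pub) static ARP entry per pair, as argv lists (no shell)."""
    return [["arp", "-s", ip, mac, "pub"] for ip, mac in entries]


def publish_entries(entries: List[Tuple[str, str]], dry_run: bool = True) -> List[str]:
    """Print (dry run) or execute the commands; returns the command lines used."""
    lines = []
    for cmd in build_arp_commands(entries):
        line = " ".join(cmd)
        if dry_run:
            print(line)
        else:
            subprocess.run(cmd, check=True)  # needs root on the Screen
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Dry run by default; call publish_entries(..., dry_run=False) from an rc script.
    publish_entries(parse_arp_table(SAMPLE_TABLE))
```

Because argv lists are passed to subprocess without a shell, a stray character in the table cannot become a command injection; validation still runs first so that the script fails closed on the first bad line rather than publishing half the table.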


To Define NAT Mappings

For local administration, you can create either a static or a dynamic NAT entry by specifying either the STATIC or DYNAMIC option.

    Use the add subcommand to create a static NAT entry that maps an internal address to an external address:


    edit> add nat STATIC src dest translated_src translated_dest
    

    When you define a static mapping, the internal address and the external address are each a single address, but either can instead be a range or a list. In most cases, you should add a reverse entry for a static mapping.

    To create the equivalent dynamic NAT entry, substitute the DYNAMIC option for the STATIC option.


    edit> add nat DYNAMIC src dest translated_src translated_dest
    


    Note -

    You can also use a range of addresses or a group of addresses.


    Activate the policy to have the changes take effect.
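The caution at the top of this section (ranges and groups in a static mapping must be exactly the same size) is easy to violate once ranges and groups are nested. The checker below is an added example, not SunScreen code: it assumes a hypothetical address registry (ADDRESSES, constructed here) in which each named object is a single host, a "first-last" range, or a group listing other objects, and it parses lines in the shape of the `list nat` output shown later in this section. For every STATIC entry it pairs Source with Translated Source and Destination with Translated Destination, requires a "*" wildcard to be matched by "*", and requires all non-wildcard fields to cover the same number of addresses. The object names other than "105-range" and "nat-range" are constructed.

```python
import ipaddress
import shlex
from typing import Dict, List, Tuple, Union

# Constructed address-object registry (hypothetical; the guide does not show
# SunScreen's own registry format).  Value: host, "first-last" range, or group.
AddressDef = Union[str, List[str]]
ADDRESSES: Dict[str, AddressDef] = {
    "105-range": "10.0.105.1-10.0.105.50",
    "nat-range": "192.0.2.1-192.0.2.50",
    "nat-short": "192.0.2.1-192.0.2.40",   # one-size-off range, constructed
    "web1": "10.0.105.60",
    "web2": "10.0.105.61",
    "web-group": ["web1", "web2"],
    "pub1": "192.0.2.60",
    "pub2": "192.0.2.61",
    "pub-group": ["pub1", "pub2"],
}
WILDCARD = "*"


def address_size(name: str, addresses: Dict[str, AddressDef], _path: Tuple[str, ...] = ()) -> int:
    """Number of IPv4 addresses a named object covers; groups are summed recursively."""
    if name in _path:
        raise ValueError(f"cyclic group definition through {name!r}")
    if name not in addresses:
        raise ValueError(f"unknown address object {name!r}")
    defn = addresses[name]
    if isinstance(defn, list):
        return sum(address_size(m, addresses, _path + (name,)) for m in defn)
    if "-" in defn:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in defn.split("-", 1))
        if last < first:
            raise ValueError(f"range {name!r} ends before it starts")
        return int(last) - int(first) + 1
    ipaddress.IPv4Address(defn)  # raises on a malformed single address
    return 1


def parse_nat_listing(text: str) -> List[dict]:
    """Parse lines like: 1 STATIC "105-range" "*" "nat-range" "*" (the page's list nat shape)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = shlex.split(raw)  # strips the quotes around each object name
        if len(fields) != 6:
            raise ValueError(f"unexpected NAT listing line: {raw!r}")
        num, kind, src, dest, tsrc, tdest = fields
        entries.append({"id": int(num), "type": kind.upper(), "src": src,
                        "dest": dest, "tsrc": tsrc, "tdest": tdest})
    return entries


def check_static_entry(entry: dict, addresses: Dict[str, AddressDef]) -> List[str]:
    """Return the caution violations for one entry (empty list means it passes)."""
    if entry["type"] != "STATIC":
        return []  # the size rule on the page applies to static mappings
    problems: List[str] = []
    for a, b in (("src", "tsrc"), ("dest", "tdest")):
        if (entry[a] == WILDCARD) != (entry[b] == WILDCARD):
            problems.append(f"{a}/{b}: wildcard on one side only")
    sizes = {f: address_size(entry[f], addresses)
             for f in ("src", "dest", "tsrc", "tdest") if entry[f] != WILDCARD}
    if len(set(sizes.values())) > 1:
        problems.append("field sizes differ: " + ", ".join(f"{f}={n}" for f, n in sizes.items()))
    return problems


def validate_listing(text: str, addresses: Dict[str, AddressDef]) -> Dict[int, List[str]]:
    """Map each NAT entry number to its list of problems."""
    return {e["id"]: check_static_entry(e, addresses) for e in parse_nat_listing(text)}


# Constructed sample listing: entry 1 is the page's own line, 2-4 are added cases.
SAMPLE_LISTING = '''
1 STATIC "105-range" "*" "nat-range" "*"
2 STATIC "105-range" "*" "nat-short" "*"
3 STATIC "web-group" "*" "pub-group" "*"
4 DYNAMIC "105-range" "*" "pub1" "*"
'''

if __name__ == "__main__":
    for num, problems in validate_listing(SAMPLE_LISTING, ADDRESSES).items():
        print(num, "OK" if not problems else "; ".join(problems))
```

Run it against the real `list nat` output and your own address definitions before activating the policy; entry 2 in the constructed sample shows the kind of off-by-ten mismatch the caution warns about, while entry 4 is skipped because it is dynamic.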

To Delete NAT Mappings

    Use the del subcommand to delete a NAT entry that maps an internal address to an external address, regardless of whether the mapping is static or dynamic:


    edit> del nat 1
    

    The changes take effect when you activate the policy whose rules you have edited.

To List the NAT Mappings

    Use the list subcommand to list the NAT entries that map internal addresses to external addresses, regardless of whether the mapping is static or dynamic:


    edit> list nat
    

You will see a listing that shows the entry number, the type of NAT, the internal address, and the external address:


1 STATIC "105-range" "*" "nat-range" "*"