Registered (public) addresses are necessary for advertised resources, such as publicly accessible servers on your network, because these machines must be reachable at well-known, fixed addresses. Static NAT is frequently used to provide public access to HTTP or FTP servers that use private addresses. Such servers need static NAT rules in both directions: one so that outside hosts can reach the server at its registered address, and a reverse rule so that the server's replies leave with that same registered address as their source. The reverse rules are not created for you; you must define them yourself.
Use static NAT rules to make one-to-one translations between either a single pair or multiple pairs of addresses. Most commonly, static NAT rules are used to translate an advertised address for a public server to a different address.
A static NAT rule translates either the source address or the destination address in a packet, not both. In most cases this means that you need to define two NAT rules:
Translate the source address when the packet is flowing in one direction.
Translate the destination address when packets are flowing in the other direction.
As an example of static NAT rules in one-to-one translation, assume that your public web server has the address 10.0.0.1 (defined by the address object "private_www") and you want to allow access to this web server through the public address 199.190.177.1 (defined by the address object "public_www"). Assume also that the address object "Internet" represents all Internet addresses. This requires two static NAT rules, as shown in the table below.
The first rule specifies that packets from the Internet whose destination address is public_www (199.190.177.1) have that destination translated to private_www (10.0.0.1). This NAT rule handles packets flowing to the web server.
The second rule specifies that packets to the Internet whose source address is private_www (10.0.0.1) have that source translated to public_www (199.190.177.1). This NAT rule handles packets flowing from the web server.
Table 7-1 Static NAT Rules

| Type of NAT Rule | Source | Destination | Translated Source | Translated Destination | Comment |
|---|---|---|---|---|---|
| STATIC | "Internet" | "public_www" | "Internet" | "private_www" | Packets to server |
| STATIC | "private_www" | "Internet" | "public_www" | "Internet" | Packets from server |
You can also use static translations to translate a range of unregistered (private) addresses to a range of registered addresses. Because the mapping is one-to-one, each range must contain the same number of addresses.
Example of Static NAT Rule with a Range of Addresses
You can translate the address range 199.190.177.1 through 199.190.177.100 to the address range 10.0.0.1 through 10.0.0.100 because both ranges contain 100 addresses. The mapping is positional: 199.190.177.1 translates to 10.0.0.1, 199.190.177.2 translates to 10.0.0.2, and so on, ending with 199.190.177.100 translating to 10.0.0.100. Note that every address in the private range then has a public partner address, so the private range should contain only the hosts you intend to expose; the translation itself does not restrict who can reach them.
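To make the two-rule pattern of Table 7-1 and the positional range mapping concrete, here is a small static NAT engine written as an added example for this page; it is not the product's own NAT implementation. It assumes a first-match rule order, treats the "Internet" object as matching any address (a simplification, since real address objects would exclude your own networks), and uses the address objects and a constructed outside host 203.0.113.7 purely for illustration. Each rule translates only the source or only the destination, so reaching the server and replying from it each take their own rule, and a range rule is rejected if the two ranges differ in size.

```python
"""Toy static NAT engine (added example, not the product's NAT code).

Applies the to-server / from-server rule pair from Table 7-1 and the
one-to-one positional range mapping. Address objects and sample packets
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
ANY = "Internet"  # assumption: the "Internet" object matches any address


def addr_range(first: str, last: str) -> List[IPv4]:
    """Expand an inclusive IPv4 range into an ordered list of addresses."""
    lo, hi = int(IPv4(first)), int(IPv4(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return [IPv4(i) for i in range(lo, hi + 1)]


@dataclass(frozen=True)
class StaticRule:
    src: str          # address object the packet's source must match
    dst: str          # address object the packet's destination must match
    xlate_src: str    # object the source is rewritten to (same name = unchanged)
    xlate_dst: str    # object the destination is rewritten to
    comment: str = ""


def check_static_pair(rule: StaticRule, objects: Dict[str, List[IPv4]]) -> None:
    """Static translation is one-to-one and positional, so each matched object
    must have exactly as many addresses as the object it translates to."""
    for a, b in ((rule.src, rule.xlate_src), (rule.dst, rule.xlate_dst)):
        if ANY in (a, b):
            if a != b:
                raise ValueError(f"cannot statically translate {a} <-> {b}")
            continue
        if len(objects[a]) != len(objects[b]):
            raise ValueError(f"{a} has {len(objects[a])} addresses, "
                             f"{b} has {len(objects[b])}")


def is_valid_static_pair(rule: StaticRule, objects: Dict[str, List[IPv4]]) -> bool:
    try:
        check_static_pair(rule, objects)
        return True
    except ValueError:
        return False


def _matches(obj: str, addr: IPv4, objects: Dict[str, List[IPv4]]) -> bool:
    return obj == ANY or addr in objects[obj]


def _xlate(obj_from: str, obj_to: str, addr: IPv4, objects) -> IPv4:
    if obj_from == obj_to:
        return addr
    # Same position in the translated object: 199.190.177.2 -> 10.0.0.2
    return objects[obj_to][objects[obj_from].index(addr)]


def apply_static_nat(rules: List[StaticRule], objects: Dict[str, List[IPv4]],
                     src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """First matching rule wins. Returns (new_src, new_dst, rule comment);
    a packet no rule matches passes through untranslated with comment None."""
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        if _matches(rule.src, s, objects) and _matches(rule.dst, d, objects):
            return (str(_xlate(rule.src, rule.xlate_src, s, objects)),
                    str(_xlate(rule.dst, rule.xlate_dst, d, objects)),
                    rule.comment)
    return src, dst, None


# Address objects from the text (constructed for this example)
OBJECTS: Dict[str, List[IPv4]] = {
    "private_www": [IPv4("10.0.0.1")],
    "public_www": [IPv4("199.190.177.1")],
    "public_range": addr_range("199.190.177.1", "199.190.177.100"),
    "private_range": addr_range("10.0.0.1", "10.0.0.100"),
}

# The two rules of Table 7-1: one per direction
RULES = [
    StaticRule(ANY, "public_www", ANY, "private_www", "Packets to server"),
    StaticRule("private_www", ANY, "public_www", ANY, "Packets from server"),
]

# The same pair for the 100-address ranges
RANGE_RULES = [
    StaticRule(ANY, "public_range", ANY, "private_range", "Packets to range"),
    StaticRule("private_range", ANY, "public_range", ANY, "Packets from range"),
]

for _r in RULES + RANGE_RULES:
    check_static_pair(_r, OBJECTS)

if __name__ == "__main__":
    # Request from a constructed outside host, then the server's reply
    print(apply_static_nat(RULES, OBJECTS, "203.0.113.7", "199.190.177.1"))
    print(apply_static_nat(RULES, OBJECTS, "10.0.0.1", "203.0.113.7"))
    print(apply_static_nat(RANGE_RULES, OBJECTS, "203.0.113.7", "199.190.177.42"))
```

Running it shows the inbound packet arriving with its destination rewritten to 10.0.0.1 while its source is untouched, the reply leaving with 199.190.177.1 as its source, and 199.190.177.42 landing on 10.0.0.42 under the range rules. Removing the second rule of either pair leaves replies carrying the private source address, which is the failure the page warns about when the reverse rule is forgotten.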