SunScreen 3.2 Configuration Examples

Dynamic NAT Example

Configure Dynamic NAT

SunScreen also supports DYNAMIC NAT. In our example, the remaining hosts on the San Francisco network (those not already translated) need access to the internet, but they do not need to accept inbound connections from the internet. Their source addresses can be translated to a single external legal address for this purpose.

  1. Define an Address GROUP object and add all the internal hosts that need to use DYNAMIC NAT to this group.

    In our example, we define sf-ten-net as containing sf-host2, sf-host3 and so forth.

  2. Define an Address HOST object for the private, unregistered hosts.

    In this example, sf-host-dynamic is defined as 192.168.2.102.


    Note -

    DYNAMIC NAT can use a group of addresses when needed. The sf-host-dynamic object could be a RANGE or GROUP object in such an instance.


  3. Create an Address GROUP object that contains every address that you want to use DYNAMIC NAT and excludes the systems that you do not want to use it.

    In this example this object is defined as sf-internal. You would create this object by including sf-ten-net and excluding localhost and sf-host1.

  4. Create an Address GROUP object that represents systems outside your internal network.

    In this example, you would create an Address group called external that includes * and excludes localhost, sf-ten-net, and sf-host1.

  5. Add an ARP entry on the Screen for the legal address, as described in the preceding STATIC example.


    Note -

    If you configured the Screen in stealth mode, this step is not necessary.


    In this example, sf-host-dynamic would need an ARP entry.

  6. Add a DYNAMIC NAT rule to translate the internal address group to the public, registered IP address.

    In this example, sf-internal is translated to sf-host-dynamic. Refer to the following figure.

    Figure 3-4 DYNAMIC NAT Rules

  7. Save and activate your policy.

  8. Verify that connections work from the internal host to the internet.

    For details, refer to Step 10 in "Static NAT Example".
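As an added illustration of the objects built in steps 1 through 6 (example code written for this page, not part of the SunScreen documentation or product), the following Python model shows the GROUP include/exclude semantics and why the DYNAMIC NAT rule gives outbound access only. The internal subnet, the Screen's own address, sf-host1 and the port range are assumed sample values; only 192.168.2.102 comes from the page.

```python
from ipaddress import IPv4Network, ip_address, ip_network

SF_TEN_NET = ip_network("10.0.0.0/24")          # assumed: the internal "ten-net"
LOCALHOST = ip_address("10.0.0.254")            # assumed: the Screen's own address
SF_HOST1 = ip_address("10.0.0.1")               # assumed: already covered by STATIC NAT
SF_HOST_DYNAMIC = ip_address("192.168.2.102")   # from the page

class AddressGroup:
    """GROUP object: an address matches if some include member holds it and no exclude member does."""
    def __init__(self, includes, excludes=()):
        self.includes, self.excludes = list(includes), list(excludes)

    def contains(self, addr):
        addr = ip_address(addr)
        hit = lambda members: any(_member_has(m, addr) for m in members)
        return hit(self.includes) and not hit(self.excludes)

def _member_has(member, addr):
    if member == "*":                      # wildcard used by the 'external' group
        return True
    if isinstance(member, AddressGroup):   # groups nest: sf-ten-net inside sf-internal
        return member.contains(addr)
    return addr in member if isinstance(member, IPv4Network) else addr == member

sf_ten_net = AddressGroup([SF_TEN_NET])                              # step 1
sf_internal = AddressGroup([sf_ten_net], [LOCALHOST, SF_HOST1])      # step 3
external = AddressGroup(["*"], [LOCALHOST, sf_ten_net, SF_HOST1])    # step 4

class DynamicNat:
    """The single DYNAMIC NAT rule of step 6: sf-internal -> sf-host-dynamic, outbound only.
    Many hosts share one legal address, so a table records which (host, port) owns each translated port."""
    def __init__(self):
        self.table = {}          # translated port -> (internal address, internal port)
        self.next_port = 40000   # assumed starting port for allocations

    def outbound(self, src, sport, dst):
        src, dst = ip_address(src), ip_address(dst)
        if not (sf_internal.contains(src) and external.contains(dst)):
            return None          # rule does not match; packet passes untranslated
        for tport, owner in self.table.items():
            if owner == (src, sport):
                return (SF_HOST_DYNAMIC, tport)
        tport, self.next_port = self.next_port, self.next_port + 1
        self.table[tport] = (src, sport)
        return (SF_HOST_DYNAMIC, tport)

    def inbound(self, dst, dport):
        """Reverse mapping exists only for replies to an outbound connection; unsolicited inbound has none."""
        if ip_address(dst) == SF_HOST_DYNAMIC and dport in self.table:
            return self.table[dport]
        return None
```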