14.3. Examples of NAT Rules

14.3.1. "1-1" NAT

The examples above were "hiding" multiple internal addresses behind just one external address: a whole network (potentially 254 hosts) used the same external address to access the Internet. Sometimes it is necessary to do translation where each internal host has a dedicated corresponding address on the outside. This is often called "1-1" NAT. Here is how this is done in Firewall Builder when a whole network of the same size is available on the outside:

Figure 14.79. 

Network object ext net defines network "", which is the same size as the internal network (this is a hypothetical example). Here is the iptables command produced for this rule:

# Rule 0 (NAT)
$IPTABLES -t nat -A POSTROUTING   -s -j NETMAP --to 


The NETMAP target maps a whole network of addresses onto another network of addresses.
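To show what this "1-1" mapping does to an individual address, here is an added Python example (not Firewall Builder code, and the networks are constructed placeholders, since the figure's real values are not on this page): it computes the address NETMAP substitutes for a given host, checks that every internal host ends up with a distinct external address, and renders the iptables rule in the shape shown above.

```python
"""Added example modelling the NETMAP "1-1" translation.

The two networks below are constructed for illustration only; they are not the
values from the original figure.
"""
import ipaddress

INT_NET = "192.168.1.0/24"     # constructed internal network
EXT_NET = "198.51.100.0/24"    # constructed external network (RFC 5737 range)


def netmap(addr, src_net, dst_net):
    """Return the address NETMAP would substitute for `addr`.

    NETMAP keeps the host part of the address and swaps the network part,
    which is why both networks must have the same prefix length.
    """
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    host = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs two networks of equal size")
    if host not in src:
        raise ValueError(f"{host} is not inside {src}")
    host_bits = int(host) & int(src.hostmask)
    return ipaddress.ip_address(int(dst.network_address) | host_bits)


def check_one_to_one(src_net, dst_net):
    """True if every host in src_net maps to a distinct address in dst_net."""
    hosts = list(ipaddress.ip_network(src_net).hosts())
    mapped = {netmap(h, src_net, dst_net) for h in hosts}
    dst = ipaddress.ip_network(dst_net)
    return len(mapped) == len(hosts) and all(m in dst for m in mapped)


def iptables_rule(src_net, dst_net):
    """Render the POSTROUTING rule in the form Firewall Builder emits above."""
    return f"$IPTABLES -t nat -A POSTROUTING -s {src_net} -j NETMAP --to {dst_net}"


if __name__ == "__main__":
    print(netmap("192.168.1.37", INT_NET, EXT_NET))   # 198.51.100.37
    print(check_one_to_one(INT_NET, EXT_NET))         # True
    print(iptables_rule(INT_NET, EXT_NET))
```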

In PF the following "nat" command is used:

# Rule  0 (NAT)
nat proto {tcp udp icmp} from to any -> 


For PIX, Firewall Builder generates a "global" address pool the size of the network:

! Rule  0 (NAT)
global (outside) 1 netmask
access-list id54756X30286.0 permit ip  any 
nat (inside) 1 access-list id54756X30286.0 tcp 0 0


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.