7.3. Network Address Translation Rules

Note

As with access policy rule sets, you can create multiple NAT rule sets. However, in older versions of Firewall Builder, it was not possible to branch between rule sets; only the rule set marked as "top" was used in v3.x. Beginning with Release 4.0, Firewall Builder supports building branches in NAT rule sets.

7.3.1. Basic NAT Rules

Address translation is useful when you need to provide Internet access to machines on the internal network using private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as defined in RFC 1918). Private addresses are not routable on the Internet, which means clients out on the Internet cannot connect to servers with private addresses. Conversely, machines on the network using one of these addresses cannot connect to servers on the Internet directly. In order to allow internal machines to establish connections with external machines, the firewall must convert the private addresses to public addresses, and vice versa. In other words, the firewall must perform Network Address Translation (NAT). In Firewall Builder, NAT rules are added in the NAT rule set, located under the firewall object in the tree:

Figure 7.11. NAT Rule Set

Figure 7.12. Network Address Translation Rules

As in firewall policies, NAT rules are inspected by the firewall in the order they appear in the policy. Each NAT rule consists of the following rule elements:

  • Original Src

    An address object to compare to the source address of the incoming packet.

  • Original Dst

    An address object to compare to the destination address of the incoming packet.

  • Original Srv

    One or more service objects to compare to the packet's service.

  • Translated Src

    If the original source, destination, and service all matched, this object becomes the new source address of the packet.

  • Translated Dst

    If the original source, destination, and service all matched, this object becomes the new destination address of the packet.

  • Translated Srv

    If the original source, destination, and service all matched, this object is the new service (port number) of the packet.

  • Interface In

    The inbound interface for the NAT rule. On iptables systems this will result in the "-i" parameter being set. The default is Auto, which means Firewall Builder will attempt to determine the appropriate interface(s) the rule should include.

    This option is available in Firewall Builder Release 4.2 and later.

  • Interface Out

    The outbound interface for the NAT rule. On iptables systems this will result in the "-o" parameter being set. The default is Auto, which means Firewall Builder will attempt to determine the appropriate interface(s) the rule should include.

    This option is available in Firewall Builder Release 4.2 and later.

  • Options

    This field lets you specify platform-specific options for the packet. Right-click in the field and select Rule Options to see options for your platform. Click Help in the Options dialog to see help for available parameters for your platform. See Section 7.2.7 for more information.

  • Comment

Here is how it works:

The original packet is compared with NAT rules, one at a time, starting with the topmost rule. Once a rule that matches a packet's source address, destination address and service is found, the firewall takes parameters from the second half of that rule and makes the indicated substitutions. Some rule elements in the first half of the rule may be set to match "any", which means that element matches no matter what is in the packet. Some rule elements in the second half of the rule may be set to "original", which means that parameter is not changed even if the rule matches. (No substitution happens for that element.)

In addition to making the substitution, the firewall also makes a record in its internal table of the original and modified values. The firewall uses this information to perform a reverse translation when the reply packet comes back.

The NAT rules in the screenshot (Figure 7.12) tell the firewall to do the following:

  • Rule #0:

    If the original packet originated on the internal subnet 192.168.2.0/24 and is destined for the internal subnet 192.168.1.0/24, then there is no need to translate the packet.

  • Rule #1:

    If a packet is headed to the Internet from either the 192.168.2.0/24 or 192.168.1.0/24 subnet, then the source IP address should be set to the IP address of the firewall's "outside" interface.

  • Rule #2:

    If any packet was originally destined for the "outside" interface on the firewall, the destination IP address should be rewritten to the IP address of the "server on dmz" host (in this case, 192.168.2.10).
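As an added illustration (not Firewall Builder's own code), the following Python model implements the first-match evaluation and reverse translation described above and loads it with the three rules of Figure 7.12. The firewall's "outside" address 203.0.113.1 and the Internet host 198.51.100.7 are assumed placeholder values; the page does not state them.

```python
import ipaddress
from dataclasses import dataclass

ANY = None       # in the original half: element matches whatever the packet carries
ORIGINAL = None  # in the translated half: element is left as it was

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class NatRule:
    osrc: tuple = ()        # Original Src: networks/hosts; empty tuple means "any"
    odst: tuple = ()        # Original Dst
    osrv: int = ANY         # Original Srv (destination port)
    tsrc: str = ORIGINAL    # Translated Src
    tdst: str = ORIGINAL    # Translated Dst
    tsrv: int = ORIGINAL    # Translated Srv

def _in(addr, nets):
    return not nets or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def matches(rule, pkt):
    return (_in(pkt.src, rule.osrc) and _in(pkt.dst, rule.odst)
            and (rule.osrv is ANY or rule.osrv == pkt.dport))

def translate(rules, pkt, table):
    """Walk the rules top-down; the first match supplies the substitutions."""
    for rule in rules:
        if matches(rule, pkt):
            out = Packet(rule.tsrc or pkt.src, rule.tdst or pkt.dst,
                         pkt.sport, rule.tsrv or pkt.dport)  # None ("original") keeps the field
            # Record the pair, keyed by how the reply will look (src/dst swapped)
            table[(out.dst, out.src, out.dport, out.sport)] = pkt
            return out
    return pkt  # nothing matched: forwarded untranslated

def untranslate(table, reply):
    """Reverse translation of a reply using the recorded original values."""
    orig = table.get((reply.src, reply.dst, reply.sport, reply.dport))
    return reply if orig is None else Packet(orig.dst, orig.src, orig.dport, orig.sport)

OUTSIDE_IP = "203.0.113.1"  # assumed address of the firewall's "outside" interface
INTERNAL = ("192.168.2.0/24", "192.168.1.0/24")
RULES = [
    NatRule(osrc=("192.168.2.0/24",), odst=("192.168.1.0/24",)),  # Rule #0: no translation
    NatRule(osrc=INTERNAL, tsrc=OUTSIDE_IP),                       # Rule #1: source becomes outside IP
    NatRule(odst=(OUTSIDE_IP,), tdst="192.168.2.10"),              # Rule #2: redirect to DMZ server
]
```

Running `translate(RULES[1:], ...)` on a packet between the two internal subnets shows why Rule #0 must come first: without it, Rule #1 would rewrite purely internal traffic.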

Some firewall platforms support negation in NAT rules. If it is supported, this feature can be activated by right-clicking the rule element in the NAT rule. Section 7.5.8 shows what firewall platforms support negation in NAT.

You can create NAT rules and edit them using the same methods as described in Section 7.5.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.