14.3.2. "No NAT" Rules

Sometimes a firewall that is doing NAT should skip translation for some pairs of source and destination addresses. One example when this is necessary is when you have DMZ segment that uses private addresses, so you need to use NAT to provide access to servers in DMZ from outside, but no NAT is needed for access to the same servers from internal network. Here is how it looks:

Figure 14.80. 

Firewall object fw-1 has 4 interfaces:

Table 14.1. 

Interface Network zone Address
eth0 external interface
eth1 internal interface
eth2 DMZ
lo loopback

The internal interface eth1 also has IPv6 address but it is not used in this example.

Here is a NAT rule to permit access to the DMZ network ( from internal network directly without NAT.

Figure 14.81. 

Here is the script generated for iptables:

# Rule 0 (NAT)
$IPTABLES -t nat -A PREROUTING   -s -d -j ACCEPT  


For PF we get this:

# Rule  0 (NAT)
no nat proto {tcp udp icmp} from to 
no rdr proto {tcp udp icmp} from to 


For PIX, Firewall Builder generates "nat 0" rule:

! Rule  0 (NAT)
access-list nat0.inside permit ip
nat (inside) 0 access-list nat0.inside


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.