14.3.2. "No NAT" Rules

Sometimes a firewall that is doing NAT should skip translation for some pairs of source and destination addresses. One example where this is necessary is a DMZ segment that uses private addresses: NAT is needed to provide access to servers in the DMZ from outside, but no NAT is needed for access to the same servers from the internal network. Here is how it looks:

Figure 14.80. 


Firewall object fw-1 has 4 interfaces:

Table 14.1.

Interface   Network zone         Address
eth0        external interface   192.0.2.1/24
eth1        internal interface   172.16.22.1/24
eth2        DMZ                  192.168.2.1/24
lo          loopback             127.0.0.1

The internal interface eth1 also has an IPv6 address, but it is not used in this example.

Here is a NAT rule that lets the internal network reach the DMZ network (192.168.2.10) directly, without translation.

Figure 14.81. 


Here is the script generated for iptables:


# 
# Rule 0 (NAT)
# 
$IPTABLES -t nat -A POSTROUTING   -s 172.16.22.0/24 -d 192.168.2.0/24 -j ACCEPT  
$IPTABLES -t nat -A PREROUTING   -s 172.16.22.0/24 -d 192.168.2.0/24 -j ACCEPT  
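Note that in the iptables nat table a jump to ACCEPT does not "permit" anything; it ends chain traversal for the first packet of the connection, so the connection is set up without translation. That only works if the "no NAT" rule is evaluated before any SNAT or MASQUERADE rule that would otherwise match the same traffic, which is why Firewall Builder emits it as Rule 0. The following is an added example, not Firewall Builder output or code: a small Python model of first-match evaluation in the POSTROUTING chain. The general SNAT rule, the internal host 172.16.22.50 and the Internet host 198.51.100.7 are assumptions for the illustration; the page only shows the no-NAT rule itself.

```python
import ipaddress

# Constructed model of the nat table's first-match semantics (added example,
# not iptables itself and not Firewall Builder output).
INTERNAL = ipaddress.ip_network("172.16.22.0/24")   # eth1, from Table 14.1
DMZ = ipaddress.ip_network("192.168.2.0/24")        # eth2, from Table 14.1
EXTERNAL_ADDR = ipaddress.ip_address("192.0.2.1")   # eth0, from Table 14.1
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (source network, destination network, target).
# Target "ACCEPT" means: stop here, no translation.
# Target ("SNAT", addr) means: rewrite the source address to addr.


def first_match(chain, src, dst):
    """Return the target of the first rule matching src/dst, or None for the
    chain policy (which also means: no translation)."""
    for src_net, dst_net, target in chain:
        if src in src_net and dst in dst_net:
            return target
    return None


def translate_source(chain, src, dst):
    """Source address the packet leaves with after POSTROUTING evaluation."""
    target = first_match(chain, src, dst)
    if target is None or target == "ACCEPT":
        return src
    kind, new_src = target
    if kind != "SNAT":
        raise ValueError(f"unsupported target {kind}")
    return new_src


# Correct order: the no-NAT rule (Rule 0 on the page) precedes the assumed
# general SNAT rule for traffic leaving towards the Internet.
POSTROUTING_GOOD = [
    (INTERNAL, DMZ, "ACCEPT"),
    (INTERNAL, ANY, ("SNAT", EXTERNAL_ADDR)),
]

# Wrong order: the SNAT rule matches first and shadows the no-NAT rule, so
# internal-to-DMZ traffic is translated after all.
POSTROUTING_BAD = [
    (INTERNAL, ANY, ("SNAT", EXTERNAL_ADDR)),
    (INTERNAL, DMZ, "ACCEPT"),
]


def check(chain):
    """Source addresses seen by a DMZ host and by an Internet host for
    connections from the constructed internal client 172.16.22.50."""
    src = ipaddress.ip_address("172.16.22.50")
    return {
        "to_dmz": str(translate_source(chain, src, ipaddress.ip_address("192.168.2.10"))),
        "to_internet": str(translate_source(chain, src, ipaddress.ip_address("198.51.100.7"))),
    }


if __name__ == "__main__":
    print("correct order:", check(POSTROUTING_GOOD))
    print("wrong order:  ", check(POSTROUTING_BAD))
```

With the correct order, the DMZ server sees the real internal address 172.16.22.50 while Internet traffic is translated to 192.0.2.1; with the reversed order the DMZ server sees 192.0.2.1 for everything, which defeats per-host logging and access control on the DMZ side. PF translation rules are likewise first-match, so the `no nat` / `no rdr` rules in the next section must also appear before the general `nat` rule in pf.conf.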


For PF we get this:


# Rule  0 (NAT)
# 
no nat proto {tcp udp icmp} from 172.16.22.0/24 to 192.168.2.0/24 
no rdr proto {tcp udp icmp} from 172.16.22.0/24 to 192.168.2.0/24 


For PIX, Firewall Builder generates a "nat 0" rule:


! Rule  0 (NAT)
!
access-list nat0.inside permit ip 172.16.22.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0.inside
! 


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.