The examples above were "hiding" multiple internal addresses behind a single external address: a whole network (potentially 254 hosts) used the same external address to reach the Internet. Sometimes each internal host needs its own dedicated address on the outside. This is often called "1-1" NAT. Here is how this is done in Firewall Builder when a whole network of the same size is available on the outside:
Network object ext net defines network "192.0.2.0/24", which is the same size as the internal network (this is a hypothetical example). Here is the iptables command produced for this rule:
    #
    # Rule 0 (NAT)
    #
    $IPTABLES -t nat -A POSTROUTING -s 172.16.22.0/24 -j NETMAP --to 192.0.2.0/24
The NETMAP target maps a whole network of addresses onto another network of addresses of the same size.
In PF the following "nat" rule is used:
    #
    # Rule 0 (NAT)
    #
    nat proto {tcp udp icmp} from 172.16.22.0/24 to any -> 192.0.2.0/24
For PIX, Firewall Builder generates a "global" address pool the size of the 192.0.2.0/24 network:
    !
    ! Rule 0 (NAT)
    !
    global (outside) 1 192.0.2.0 netmask 255.255.255.0
    access-list id54756X30286.0 permit ip 172.16.22.0 255.255.255.0 any
    nat (inside) 1 access-list id54756X30286.0 tcp 0 0
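All three generated rule sets express the same 1-1 mapping: the network part of the source address is swapped for 192.0.2.0/24 while the host part is kept. The following shell script is an added example, not Firewall Builder output, that computes that translation for a single host and refuses the mapping when the two networks are not the same size (the constraint NETMAP imposes); the function names and the sample host addresses are the example's own.

```bash
#!/bin/bash
# Added example: work out by hand what 1-1 NAT (iptables NETMAP, PF nat ->,
# PIX global pool) does to an internal address. Not part of Firewall Builder.

# Dotted-quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_translate <inner_host> <inner_net/len> <outer_net/len>
# Prints the outside address the host appears from. Exits 1 when the two
# networks differ in prefix length (a 1-1 map needs equally sized networks),
# exits 2 when the host is not inside the inner network at all.
netmap_translate() {
    local host=$1
    local in_net=${2%/*} in_len=${2#*/}
    local out_net=${3%/*} out_len=${3#*/}
    [ "$in_len" = "$out_len" ] || return 1
    local mask=$(( (0xFFFFFFFF << (32 - in_len)) & 0xFFFFFFFF ))
    local h i o
    h=$(ip2int "$host"); i=$(ip2int "$in_net"); o=$(ip2int "$out_net")
    [ $(( h & mask )) -eq $(( i & mask )) ] || return 2
    # Network bits come from the outside network, host bits from the inner host.
    int2ip $(( (o & mask) | (h & ~mask & 0xFFFFFFFF) ))
}

# Sample host chosen for this example (constructed, not from the page):
# 172.16.22.10 leaves the firewall as 192.0.2.10 under the rule above.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    netmap_translate 172.16.22.10 172.16.22.0/24 192.0.2.0/24
fi
```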
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.