Sometimes a firewall that is doing NAT should skip translation for some pairs of source and destination addresses. One example of when this is necessary is a DMZ segment that uses private addresses: NAT is needed to provide access to servers in the DMZ from outside, but no NAT is needed for access to the same servers from the internal network. Here is how it looks:
Firewall object fw-1 has 4 interfaces:
Table 14.1.

| Interface | Network zone | Address |
|---|---|---|
| eth0 | external interface | 192.0.2.1/24 |
| eth1 | internal interface | 172.16.22.1/24 |
| eth2 | DMZ | 192.168.2.1/24 |
| lo | loopback | 127.0.0.1 |
The internal interface eth1 also has an IPv6 address, but it is not used in this example.
Here is a NAT rule to permit access to the DMZ network (192.168.2.10) from the internal network directly, without NAT.
Here is the script generated for iptables:
#
# Rule 0 (NAT)
#
$IPTABLES -t nat -A POSTROUTING -s 172.16.22.0/24 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 172.16.22.0/24 -d 192.168.2.0/24 -j ACCEPT
For PF we get this:
# Rule 0 (NAT)
#
no nat proto {tcp udp icmp} from 172.16.22.0/24 to 192.168.2.0/24
no rdr proto {tcp udp icmp} from 172.16.22.0/24 to 192.168.2.0/24
For PIX, Firewall Builder generates a "nat 0" rule:
!
! Rule 0 (NAT)
!
access-list nat0.inside permit ip 172.16.22.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0.inside
!
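All three generated fragments rely on the same property: the "no NAT" rule is evaluated first, and a match ends translation for that flow. The following added example (not Firewall Builder's code and not part of the original page) is a small first-match simulator for the iptables nat table, using the addresses from Table 14.1. The DMZ server 192.168.2.10 comes from the page; the DNAT rule publishing it on the external address, the SNAT rule for internal clients, and the outside addresses 203.0.113.7 and 198.51.100.9 are assumptions made for the example. It also shows what happens when the exemption is placed after the SNAT rule instead of before it.

```python
"""First-match simulator for the iptables nat table (added example, not
Firewall Builder's generator). ACCEPT in a nat chain means "stop here, no
translation", which is why Rule 0 must precede the real SNAT/DNAT rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    src: str            # source network, CIDR notation
    dst: str            # destination network, CIDR notation
    target: str         # "ACCEPT" (no NAT), "SNAT" or "DNAT"
    to: str = ""        # translated address for SNAT/DNAT

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

    def render(self, chain):
        """Emit the rule as the $IPTABLES line Firewall Builder would print."""
        parts = [f"$IPTABLES -t nat -A {chain}"]
        if self.src != "0.0.0.0/0":
            parts.append(f"-s {self.src}")
        if self.dst != "0.0.0.0/0":
            parts.append(f"-d {self.dst}")
        parts.append(f"-j {self.target}")
        if self.target == "SNAT":
            parts.append(f"--to-source {self.to}")
        elif self.target == "DNAT":
            parts.append(f"--to-destination {self.to}")
        return " ".join(parts)


def walk_chain(chain, src, dst):
    """Apply the first matching rule only; an unmatched packet is untouched."""
    for rule in chain:
        if rule.matches(src, dst):
            if rule.target == "SNAT":
                return rule.to, dst
            if rule.target == "DNAT":
                return src, rule.to
            return src, dst          # ACCEPT: leave addresses as they are
    return src, dst


def translate(prerouting, postrouting, src, dst):
    """Run a packet through PREROUTING (DNAT side) then POSTROUTING (SNAT side)."""
    src, dst = walk_chain(prerouting, src, dst)
    return walk_chain(postrouting, src, dst)


# Rule 0 from the page: internal -> DMZ is exempt from translation.
NO_NAT = NatRule("172.16.22.0/24", "192.168.2.0/24", "ACCEPT")
# Assumed translation rules (not on the page): publish the DMZ server on the
# external address, and hide internal clients behind it when they go out.
DNAT_DMZ = NatRule("0.0.0.0/0", "192.0.2.1/32", "DNAT", to="192.168.2.10")
SNAT_INSIDE = NatRule("172.16.22.0/24", "0.0.0.0/0", "SNAT", to="192.0.2.1")

PREROUTING_OK = [NO_NAT, DNAT_DMZ]
POSTROUTING_OK = [NO_NAT, SNAT_INSIDE]
POSTROUTING_BAD = [SNAT_INSIDE, NO_NAT]   # exemption placed too late to matter


if __name__ == "__main__":
    for rule in POSTROUTING_OK:
        print(rule.render("POSTROUTING"))
    print(translate(PREROUTING_OK, POSTROUTING_OK, "172.16.22.5", "192.168.2.10"))
    print(translate(PREROUTING_OK, POSTROUTING_BAD, "172.16.22.5", "192.168.2.10"))
```

With the correct ordering an internal client reaches 192.168.2.10 with its own address intact, so the DMZ server's logs and access controls still see 172.16.22.x; with the exemption after the SNAT rule the same client arrives as 192.0.2.1, and every internal host becomes indistinguishable from the server's point of view. The `render` output for `NO_NAT` in POSTROUTING is exactly the first `$IPTABLES` line of Rule 0 above.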
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.