7 • NAT (Network Address Translation)
Model 3086 G.SHDSL Integrated Access Device User Guide
118
Introduction
Introduction
The basic steps for configuring NAT are:
1. Enable NAT between the internal and external interfaces of the firewall.
2. Create global addresses which will be added to the global pool of IP addresses on the WAN interface.
3. Create a reserved mapping between a global IP address and the IP address of an internal PC.
A Global Address Pool is a pool of addresses seen from the outside network. Each external interface creates a
Global Address Pool with a single address—the address assigned to that interface. For outbound sessions, an
address is picked from a pool by hashing the source IP address for a pool index and then hashing again for an
address index. For inbound sessions, it is necessary to create a reserved mapping.
A reserved mapping is used so that NAT knows where to route packets on inbound sessions. The reserved map-
ping will map a specific global address and port to an inside address and port. Reserved mappings can also be
used so that different inside hosts can share a global address by mapping different ports to different hosts. For
example, Host A is an FTP server and Host B is a web server. By mapping the FTP port to Host A and the
HTTP port to Host B, both insides hosts can share the same global address. Setting the protocol number to
255 (0xFF) means that the mapping will apply to all protocols. Setting the port number to 65535 (0xFFFF) for
TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol.
Some applications embed address and/or port information in the payload of the packet. The most notorious
of these is FTP. For most applications, it is sufficient to create a trigger with address replacement enabled.
However there are three applications for which a specific ALF is provided: FTP, NetBIOS, and DNS.
Enabling NAT
The configuration of NAT in this example follows on the preceding configuration completed in the chapter,
“Security.”
1. Go to the “Security Interface Configuration” page by clicking on
Security
under Configuration in the
menu.
2. Click on
Enable NAT to internal interfaces
in the table, Security Interfaces. NAT is now
enabled between the internal (LAN) and the external (WAN) interfaces of the firewall.