Firewall Wizards mailing list archives

Re: Sunscreen NAT


From: "Gary Ferrer" <gary () ferrer yi org>
Date: Tue, 8 Jan 2002 10:45:17 -0800

Hi Valerie,

Are you using DHCP?  If yes, then you'll want to set up an
address group that is recalculated at activation time that
represents your public IP ("localhost" is defined at activation
time, and can be used dynamically as follows):

edit> add address "insideLocal" HOST 192.168.1.1
edit> add address "publicIP" GROUP { localhost } { insideLocal }

edit> add address "inside" RANGE 192.168.1.2 192.168.1.10
edit> add address "Internet" GROUP { * } { inside }

edit> add NAT DYNAMIC "inside" "Internet" "publicIP" "Internet"
edit> save
edit> quit


This is interesting, I didn't know you could use 'localhost' to depict the
'external dynamic ip' of the machine!  You would think that 'publicIP'
should contain a range of valid dynamic IP addresses the DHCP server would
spit out.  I also would not have thought about including 'inside' as part of
the 'internet' group.

This worked wonderfully, thank you.

PS:  I used to work at Sun in Vancouver until this summer.  Hope things are
going well!

# ssadm activate <configname>

So, your "source" is the source IP seen in the packet as
it arrives at the screen, "inside". "dest" is when you
want to do NAT (when talking to the Internet, "*" also would
work, but then you would have trouble communicating directly
to the screen).

"transSrc" is what the source IP should look like as it leaves
the screen ("publicIP"), and "transDst" is what the destination IP
should look like when it leaves the box.

It's actually valid to have a dynamic NAT rule where you
are modifying the destination addresses, and not the source IPs.

If you are using DHCP, then you will need to reactivate your
sunscreen configuration when you've acquired a new IP address - you
can write a script to do this.

hope that helps!

Valerie
--
valerie.bubb () sun com
bubb () bubb org
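The reactivation script the thread mentions, written out as an added example (this is not code from the thread or from SunScreen itself); it reactivates the configuration only when the DHCP-assigned external address has changed, so that "localhost" in the "publicIP" group is recomputed. The interface name hme0, the configuration name Initial and the state-file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Run from cron or a DHCP
# client hook as:  sh sunscreen-renat.sh run
# Placeholders (assumptions, not values from the thread): external
# interface hme0, SunScreen configuration "Initial", state file under
# /var/run, and ssadm reachable on the PATH.
EXT_IF="${EXT_IF:-hme0}"
SS_CONFIG="${SS_CONFIG:-Initial}"
STATE_FILE="${STATE_FILE:-/var/run/sunscreen-extip}"

# Print the first IPv4 address found in ifconfig-style output read from
# stdin. Matches Solaris "inet 203.0.113.5 netmask ..." as well as
# Linux "inet addr:203.0.113.5"; the literal "inet " skips inet6 lines.
parse_inet_addr() {
    sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# Return 0 (true) when $1 differs from the address recorded in file $2,
# or when nothing has been recorded yet. An empty $1 (no lease yet)
# returns 1 so that no activation is attempted without an address.
ip_changed() {
    new_ip="$1"; state="$2"
    [ -n "$new_ip" ] || return 1
    [ -f "$state" ] || return 0
    old_ip=$(cat "$state")
    [ "$new_ip" != "$old_ip" ]
}

# Read the current external address; if it changed, reactivate the
# SunScreen configuration and record the address only on success.
check_and_reactivate() {
    cur_ip=$(ifconfig "$EXT_IF" 2>/dev/null | parse_inet_addr)
    if ip_changed "$cur_ip" "$STATE_FILE"; then
        ssadm activate "$SS_CONFIG" && printf '%s\n' "$cur_ip" > "$STATE_FILE"
    fi
}

# Only act when explicitly asked, so the functions can be sourced safely.
case "$1" in
    run) check_and_reactivate ;;
esac
```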



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

