Firewall Wizards mailing list archives

Re: Sunscreen NAT


From: Valerie Anne Bubb <Valerie.Bubb () Sun COM>
Date: Tue, 8 Jan 2002 09:51:26 -0800 (PST)


> From: "Gary Ferrer" <gary () ferrer yi org>
> To: "Firewall-Wizard" <firewall-wizards () nfr com>
> Date: Mon, 7 Jan 2002 15:25:43 -0800
>
> I'm wondering if someone could help me configure SunScreen 3.1 Lite NAT.
> I'm having a lot of trouble with it and can't get the NAT side of it
> working.
>
> My network is as follows:
> Private network (192.x.x.x) to firewall gateway with Dynamic IP.

> 1) Do I need two Dynamic NAT rules or just one?

Really, just one should do. Since you're using Lite, it is limited
to translating only 10 private IPs, so if you have more than 10 private
hosts, this may not be possible to set up right.

> 2) How do I set up the rules (I've tried all sorts of combinations of
> 'source, Dest, Trans_source, Trans_Dest)

(command syntax is coming from memory, so bear with me)

You'll want to set up address groups to represent your
internal network, your public address, and the internet.

Are you using DHCP?  If yes, then you'll want to set up an
address group that is recalculated at activation time that
represents your public IP ("localhost" is defined at activation
time, and can be used dynamically as follows):

edit> add address "insideLocal" HOST 192.168.1.1
edit> add address "publicIP" GROUP { localhost } { insideLocal }

edit> add address "inside" RANGE 192.168.1.2 192.168.1.10
edit> add address "Internet" GROUP { * } { inside }

edit> add NAT DYNAMIC "inside" "Internet" "publicIP" "Internet"
edit> save
edit> quit

# ssadm activate <configname>

So, your "source" is the source IP seen in the packet as
it arrives at the screen, "inside". "dest" is when you 
want to do NAT (when talking to the Internet, "*" also would
work, but then you would have trouble communicating directly
to the screen).

"transSrc" is what the source IP should look like as it leaves
the screen ("publicIP"), and "transDst" is what the destination IP
should look like when it leaves the box.

It's actually valid to have a dynamic NAT rule where you 
are modifying the destination addresses, and not the source IPs.

If you are using DHCP, then you will need to reactivate your
SunScreen configuration when you've acquired a new IP address - you
can write a script to do this.

hope that helps!  

Valerie
--
valerie.bubb () sun com 
bubb () bubb org
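As an added example that is not part of the original post, the reactivation script Valerie mentions for the DHCP case. It re-runs the `ssadm activate` command shown above only when the interface address actually differs from the one saved at the last activation, so a cron job can call it every few minutes without reactivating (and briefly disrupting) the screen each time. The interface name, state-file path and configuration name are assumptions (placeholders), not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): re-run "ssadm activate" when the
# DHCP-assigned public address changes, so the "publicIP" group that is
# recalculated at activation time follows the real address.
# Assumptions: the interface name, state-file path and configuration name
# below are placeholders; "ssadm activate" is the command shown in the post.

IFACE="${IFACE:-hme0}"                                   # assumed external interface
STATE_FILE="${STATE_FILE:-/var/tmp/sunscreen-public-ip}" # assumed state-file location
CONFIG_NAME="${CONFIG_NAME:-CONFIGNAME-PLACEHOLDER}"     # replace with your config name

# parse_inet_addr: read ifconfig output on stdin, print the first IPv4 address.
parse_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# current_ip IFACE: the address the interface holds right now ("" if none).
current_ip() {
    ifconfig "$1" 2>/dev/null | parse_inet_addr
}

# ip_changed OLD NEW: true when a non-empty NEW address differs from OLD,
# which includes the first run, where OLD is empty.
ip_changed() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# reactivate_if_changed: compare the saved address with the live one and
# reactivate the SunScreen configuration only when they differ. The state
# file is updated only after a successful activation, so a failed run is
# retried on the next invocation.
reactivate_if_changed() {
    new=$(current_ip "$IFACE")
    old=""
    if [ -f "$STATE_FILE" ]; then
        old=$(cat "$STATE_FILE")
    fi
    if ip_changed "$old" "$new"; then
        ssadm activate "$CONFIG_NAME" || return 1
        printf '%s\n' "$new" > "$STATE_FILE"
    fi
    return 0
}

# Run from cron or from the DHCP client's lease-change hook:
#   sh reactivate-nat.sh run
if [ "${1:-}" = "run" ]; then
    reactivate_if_changed
fi
```

The comparison lives in `ip_changed` rather than inline so the decision can be checked on constructed input; the only command with side effects is `ssadm activate`, which runs solely inside the changed branch.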
