Firewall Wizards mailing list archives
Re: Sunscreen NAT
From: Valerie Anne Bubb <Valerie.Bubb () Sun COM>
Date: Tue, 8 Jan 2002 09:51:26 -0800 (PST)
From: "Gary Ferrer" <gary () ferrer yi org>
To: "Firewall-Wizard" <firewall-wizards () nfr com>
Date: Mon, 7 Jan 2002 15:25:43 -0800

I'm wondering if someone could help me configure SunScreen 3.1 Lite NAT. I'm having a lot of trouble with it and can't get the NAT side of it working. My network is as follows:

Private network (192.x.x.x) to firewall gateway with Dynamic IP.

1) Do I need two Dynamic NAT rules or just one?
Really, just one should do. Since you're using Lite, it is limited to only translating 10 private IPs, so if you have more than 10 private hosts, this may not be possible to set up right.
2) How do I set up the rules (I've tried all sorts of combinations of 'source, Dest, Trans_source, Trans_Dest')
(command syntax is coming from memory, so bear with me)

You'll want to set up address groups to represent your internal network, your public address, and the interninternet. Are you using DHCP? If yes, then you'll want to set up an address group that is recalculated at activation time that represents your public IP ("localhost" is defined at activation time, and can be used dynamically as follows):

edit> add address "insideLocal" HOST 192.168.1.1
edit> add address "publicIP" GROUP { localhost } { insideLocal }
edit> add address "inside" RANGE 192.168.1.2 192.168.1.10
edit> add address "Internet" GROUP { * } { inside }
edit> add NAT DYNAMIC "inside" "Internet" "publicIP" "Internet"
edit> save
edit> quit
# ssadm activate <configname>

So, your "source" is the source IP seen in the packet as it arrives at the screen, "inside". "dest" is when you want to do NAT (when talking to the Internet; "*" also would work, but then you would have trouble communicating directly to the screen). "transSrc" is what the source IP should look like as it leaves the screen ("publicIP"), and "transDst" is what the destination IP should look like when it leaves the box. It's actually valid to have a dynamic NAT rule where you are modifying the destination addresses, and not the source IPs.

If you are using DHCP, then you will need to reactivate your SunScreen configuration when you've acquired a new IP address - you can write a script to do this.

hope that helps!

Valerie
--
valerie.bubb () sun com
bubb () bubb org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
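The reply above leaves the "write a script to do this" part to the reader. The following is an added example, not code from the thread or from Sun: a POSIX sh script that reads the external interface's current address from Solaris-style ifconfig output, compares it with the address recorded at the last activation, and re-runs the activation only when the lease has changed. The point worth seeing is that until the configuration is reactivated, the "publicIP" group still holds the old lease address, so outbound packets would be translated to an address the screen no longer owns. The interface name (hme0), configuration name, state-file path, and the ifconfig output layout are assumptions; the activation step itself is the `ssadm activate <configname>` from the reply, and the ACTIVATE_CMD variable exists so the script can be exercised without a screen present.

```shell
#!/bin/sh
# Added example (not from the original thread): re-activate the SunScreen
# configuration when the DHCP-assigned public address changes.
# Assumptions (not stated on the page): interface name, config name,
# state-file path, and that ifconfig prints Solaris-style "name: flags=..."
# stanzas with an indented "inet A.B.C.D ..." line underneath.

EXT_IF="${EXT_IF:-hme0}"                          # assumed external interface
CONFIG="${CONFIG:-Initial}"                       # assumed SunScreen config name
STATE_FILE="${STATE_FILE:-/var/run/screen-public-ip}"
ACTIVATE_CMD="${ACTIVATE_CMD:-ssadm activate}"    # from the reply; overridable for tests

# extract_inet IFNAME < ifconfig-output
# Prints the inet address of IFNAME, or nothing if that interface has no
# address (e.g. no lease yet). Word-splitting on the awk output is intended.
extract_inet() {
    awk -v want="$1" '
        # A stanza header starts in column 1 as "hme0: flags=..."
        /^[^[:space:]]/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 == "inet" { print $2; exit }
    '
}

# current_public_ip: query the live interface (not used by the test harness).
current_public_ip() {
    ifconfig "$EXT_IF" 2>/dev/null | extract_inet "$EXT_IF"
}

# reactivate_if_changed NEW_IP
# Prints "unchanged" when NEW_IP matches the recorded address, otherwise runs
# the activation command and, only if it succeeds, records NEW_IP and prints
# "activated". Returns 2 for an empty NEW_IP (no lease) and 1 if activation
# fails, so a failed activation is retried on the next poll rather than
# silently treated as done.
reactivate_if_changed() {
    new_ip="$1"
    [ -n "$new_ip" ] || return 2
    old_ip=""
    [ -f "$STATE_FILE" ] && old_ip=$(cat "$STATE_FILE")
    if [ "$new_ip" = "$old_ip" ]; then
        echo unchanged
        return 0
    fi
    # $ACTIVATE_CMD is deliberately unquoted so "ssadm activate" splits into
    # the command and its subcommand.
    $ACTIVATE_CMD "$CONFIG" || return 1
    printf '%s\n' "$new_ip" > "$STATE_FILE"
    echo activated
}

# Run as a poller only when asked, so sourcing the file has no side effects.
case "${1:-}" in
    --once) reactivate_if_changed "$(current_public_ip)" ;;
    --loop) while :; do reactivate_if_changed "$(current_public_ip)"; sleep 60; done ;;
esac
```

Run it as `sh reactivate.sh --once` from the DHCP client's lease-change hook, or `--loop` from an init script if the client offers no hook; with Lite's limit of ten translated hosts in mind, a one-minute poll is a long time for every internal host to be sourcing from a stale address, so the hook is the better choice where available.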
Current thread:
- Sunscreen NAT Gary Ferrer (Jan 08)
- <Possible follow-ups>
- RE: Sunscreen NAT Mendez, David (CORP, DDEMESIS) (Jan 09)
- Re: Sunscreen NAT Gary Ferrer (Jan 09)
- Re: Sunscreen NAT Valerie Anne Bubb (Jan 09)
- Re: Sunscreen NAT Gary Ferrer (Jan 09)
- Re: Sunscreen NAT Valerie Anne Bubb (Jan 09)