Network Address Translation (NAT)

Conceals internal computers and users from outside networks and is a separate component of the Firewall-1 security policy. NAT changes (translates) or hides IP addresses so that hosts numbered from the invalid/reserved (private) ranges below, which are not routable on the Internet, can still exchange traffic with it, while the internal addressing and topology stay hidden from outside networks.

Classful Addressing

INVALID/RESERVED ADDRESSES (the RFC 1918 private address ranges)

CLASS   NETWORK RANGE                    NUMBER OF NETWORKS     NETWORK ADDRESSES
A       10.0.0.0    - 10.255.255.255     1 Class A network      10.0.0.0
B       172.16.0.0  - 172.31.255.255     16 Class B networks    172.16-31.0.0
C       192.168.0.0 - 192.168.255.255    256 Class C networks   192.168.0-255.0

Packets carrying these addresses must be translated before they leave the internal network; they are never routed on the Internet.

Firewall-1 translates packet addresses transparently. The work is done by the ADDRESS TRANSLATION MODULE, which runs inside the Firewall-1 Inspection Module loaded into the kernel, so packets are rewritten before they reach their destination. For a packet leaving the internal network, NAT records the connection in its internal translation table and rewrites the invalid/reserved source address to the legal one; when the reply arrives, NAT looks the connection up in that table and rewrites the legal destination address back to the original invalid/reserved address.

The KERNEL itself does NOT translate addresses; only the Address Translation Module does.

NAT Modes

STATIC SOURCE MODE

Translates invalid/reserved INTERNAL addresses to legal IP addresses, one-to-one, when packets EXIT an Internal Network.

STATIC DESTINATION MODE

Translates legal IP addresses to the corresponding invalid/reserved INTERNAL addresses, one-to-one, when packets ENTER an Internal Network. A static source rule and a static destination rule for the same pair of addresses together give a host that can both initiate and accept connections.

HIDE MODE

Hides one or more invalid/reserved IP addresses behind one legal IP address (many-to-one). Because every hidden host shares the same legal address, the source port is rewritten as well so that replies can be matched back to the right internal host. Only connections initiated from the inside are possible: an outside host cannot start a connection to a hidden address, since no table entry exists to map the packet to an internal host.

Applying NAT Modes

To add address translation modes to Firewall-1, you edit or add network objects (workstations, servers, gateways and routers) and set the translation mode on the object. Whether a static-mode object acts as static source or static destination depends on whether it appears as the source or the destination of the packet in the Rule Base.

NAT Rule Base

When address translation is set on a network object during Firewall-1 set-up, the corresponding NAT rules are generated automatically. You can add rules manually or edit the automatically generated ones, which gives complete control over Firewall-1 NAT. Firewall-1 validates address translation rules as they are added, helping avoid mistakes in the set-up process.

For complete control over Firewall–1 address translation you can do one or more of the following:

NAT Rules

Each of the address translation rules consists of the following three elements:

  1. Conditions that specify when a rule is to be applied (the original packet)
  2. Action to be taken when the rule is applied (the translated packet)
  3. The firewall objects on which the rule is installed and enforced

ELEMENT              MEANING                       YOU DEFINE
Original Packet      When the rule is applied      Source, destination and service to match
Translated Packet    Action to be taken            Source, destination and service after translation
Install On           Where the rule is enforced    Firewall objects that enforce this rule
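The following Python model, added here as an illustration and not taken from the original page or from Check Point's code, ties the pieces above together: the reserved ranges from the table, the rule validation, and the three modes applied in both directions with a translation table for hide mode. The "legal" addresses 203.0.113.x and 198.51.100.x are documentation ranges standing in for public addresses, the sample packets are constructed, and the port allocation scheme for hide mode is a hypothetical simplification.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# The three invalid/reserved (RFC 1918 private) ranges from the table above.
RESERVED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # 1 class A network
    ipaddress.ip_network("172.16.0.0/12"),   # 16 class B networks, 172.16-31.x.x
    ipaddress.ip_network("192.168.0.0/16"),  # 256 class C networks, 192.168.0-255.x
]


def is_reserved(addr: str) -> bool:
    """True if addr is invalid/reserved, i.e. must not leave the site untranslated."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED_NETWORKS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class AddressTranslator:
    """Hypothetical model of the Address Translation Module: a NAT rule base
    plus a connection (translation) table.  Not Check Point's implementation."""

    def __init__(self, first_hide_port: int = 10000):
        self.static = {}       # internal (reserved) address -> legal address
        self.hide = []         # (internal network, legal hide address)
        self.table = {}        # (hide address, allocated port) -> (internal src, original sport)
        self.next_port = first_hide_port   # assumption: ports handed out sequentially

    # Rule validation, in the spirit of Firewall-1 checking rules as they are added.
    def add_static(self, internal: str, legal: str) -> None:
        if not is_reserved(internal) or is_reserved(legal):
            raise ValueError(f"static rule must map reserved -> legal: {internal} -> {legal}")
        if legal in self.static.values():
            raise ValueError(f"legal address {legal} already used by another static rule")
        self.static[internal] = legal

    def add_hide(self, internal_net: str, hide_addr: str) -> None:
        net = ipaddress.ip_network(internal_net)
        if not any(net.subnet_of(r) for r in RESERVED_NETWORKS) or is_reserved(hide_addr):
            raise ValueError(f"hide rule must hide a reserved network behind a legal address")
        self.hide.append((net, hide_addr))

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet EXITING the internal network: static source mode, then hide mode."""
        if pkt.src in self.static:                        # static source mode, one-to-one
            return replace(pkt, src=self.static[pkt.src])
        ip = ipaddress.ip_address(pkt.src)
        for net, hide_addr in self.hide:                  # hide mode, many-to-one
            if ip in net:
                port = self.next_port                     # new source port per connection
                self.next_port += 1
                self.table[(hide_addr, port)] = (pkt.src, pkt.sport)  # remembered for the reply
                return replace(pkt, src=hide_addr, sport=port)
        # A reserved source with no rule must not leak out; a legal source passes untouched.
        return None if is_reserved(pkt.src) else pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet ENTERING the internal network: static destination mode, then hide-mode replies."""
        for internal, legal in self.static.items():       # static destination mode, one-to-one
            if pkt.dst == legal:
                return replace(pkt, dst=internal)
        key = (pkt.dst, pkt.dport)
        if key in self.table:                             # reply to a connection a hidden host opened
            src, sport = self.table[key]
            return replace(pkt, dst=src, dport=sport)
        if any(pkt.dst == hide_addr for _, hide_addr in self.hide):
            return None   # unsolicited packet to a hide address: no internal host to deliver to
        return pkt        # legal, untranslated destination


if __name__ == "__main__":
    nat = AddressTranslator()
    nat.add_static("192.168.1.10", "203.0.113.10")   # web server, reachable from outside
    nat.add_hide("10.0.0.0/8", "203.0.113.1")        # workstations, hidden behind one address
    print(nat.outbound(Packet("10.1.2.3", 51000, "198.51.100.5", 443)))
    print(nat.inbound(Packet("198.51.100.5", 443, "203.0.113.1", 10000)))
    print(nat.inbound(Packet("198.51.100.5", 443, "203.0.113.1", 12345)))
```

Running the block shows a hidden workstation's packet leaving as 203.0.113.1 with a fresh port, the reply being mapped back through the table, and an unsolicited packet to the hide address being dropped because nothing in the table claims it.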
