NAT Configuration Examples

10.4.1 Dynamic NAT (many to many)

In dynamic (many-to-many) NAT type, multiple source IP addresses in the corporate network will be mapped to multiple NAT IP addresses (not necessarily of equal number). For a set of local IP address from 10.1.1.1 to 10.1.1.4 there will be a set of NAT IP address from 60.1.1.1 to 60.1.1.2. In case of many-to-many NAT, only IP address translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall only substitutes the source address in the IP header with one of the NAT IP address and the source port will be the same as the original. If traffic emanates from the same client to any other server, the same NAT IP address is assigned. The advantage is that the NAT IP addresses are utilized in a better and optimum manner dynamically.

If a NAT IP address cannot be allocated dynamically at the connection creation time, the packet would be dropped.

Figure 19 Dynamic NAT

10.1.1.1

INTERNET

60.1.1.1-60.1.1.2

10.1.1.2

10.1.1.3

10.1.1.4

The dynamic NAT configuration shown in Figure 19 includes:

„

„

Private network addresses:10.1.1.1—10.1.1.4

Public (NAT) IP address range: 60.1.1.1—60.1.1.2

To create NAT pool with type dynamic, specify the IP address and the NAT ending IP address.Then add a policy with the source IP address range, and attach the NAT pool to the policy.

Blackbox/configure> firewall corp Blackbox/configure/firewall corp> object Blackbox/configure/firewall corp/object> nat-pool addresspoolDyna

dynamic 60.1.1.1 60.1.1.2 Blackbox/configure/firewall corp/object> exit

Blackbox/configure/firewall corp> policy 8 out

address 10.1.1.1

10.1.1.4 any any

 

Blackbox/configure/firewall corp/policy 8 out>

apply-object

nat-pool addresspoolDyna

 

Blackbox/configure/firewall corp/policy 8 out>

exit 2

Blackbox/configure>

 

75

Page 73
Image 73
Black Box LR1114A-T1/E1, LR1112A-T1/E1, LR1104A-T1/E1, LR1102A-T1/E1 Dynamic NAT many to many, NAT Configuration Examples