Configuring a service for incoming static NAT
Static NAT works on a
Static NAT can be used only to forward connections from the outside to an internal host. It is not possible for hosts already behind the Firebox to use the static NAT entry when accessing an internal server. While hosts on the External interface of the Firebox connect to the Firebox IP address and specified port (which then forwards the connection internally), hosts on the inside of the Firebox must connect directly to the actual, internal server IP address. This is usually only a problem when DNS is involved. To avoid this problem, it is best to use a private DNS server (or static DNS mapping, such as /etc/hosts for UNIX machines, or an Lmhosts file for Windows machines) for internal hosts. This way, internal systems that try to connect to the server by name will always get the internal IP address.
Adding external IP addresses
Static NAT converts a Firebox public IP and port into specific destinations on the Trusted or Optional networks. If the Firebox has not already been assigned the public IP address you want to use, you must designate a new public IP address using the Add External IP dialog box. From Policy Manager:
1 Select Network => Configuration. Click the External tab.
2 Click Aliases.
3 At the bottom of the dialog box, enter the public IP address. Click Add.
4 Repeat until all external public IP addresses are added. Click OK.
Setting static NAT for a service
Static NAT, like
1
The service’s Properties dialog box appears, displaying the Incoming tab.
2 Use the Incoming drop list to select Enabled and Allowed.
To use static NAT, the service must allow incoming traffic.
3 Under the To list, click Add.
The Add Address dialog box appears.
4 Click NAT.
5 Use the External IP Address drop list to select the “public” address to be used for this service.
If the public address does not appear in the drop list, click Edit to open the Add External IP Address dialog box.
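The following is an added example, not WatchGuard's code or part of this manual: a small Python model of a Firebox static NAT entry that reproduces two points made above, namely that a static NAT entry only translates connections arriving on the External interface (so an internal host that resolves the server's name to the public address cannot reach it, while a private DNS or hosts-file mapping fixes this), and that the service's Incoming setting must be Enabled and Allowed for the entry to work. The Firebox, Service and Packet classes, the deliver/connect helpers and every address and host name are constructed for the example and are not real Firebox interfaces.

```python
# Added example (not WatchGuard's code): a model of inbound-only static NAT.
# All classes, addresses and names below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    ingress: str  # interface the packet arrives on: "external", "trusted" or "optional"


@dataclass
class Service:
    name: str
    port: int
    incoming_allowed: bool                    # the Incoming tab set to Enabled and Allowed
    nat_to: Optional[Tuple[str, str]] = None  # (external IP, internal IP) static NAT entry


class Firebox:
    """Hypothetical model of the NAT behaviour described in the text."""

    def __init__(self, external_ips, internal_hosts):
        self.external_ips = set(external_ips)      # public addresses added under Aliases
        self.internal_hosts = set(internal_hosts)  # addresses living on Trusted/Optional
        self.services: Dict[int, Service] = {}

    def add_service(self, svc: Service) -> None:
        # The public address must already be an external IP of the Firebox.
        if svc.nat_to is not None and svc.nat_to[0] not in self.external_ips:
            raise ValueError(f"{svc.nat_to[0]} is not a configured external IP; add it first")
        self.services[svc.port] = svc

    def deliver(self, pkt: Packet) -> Optional[str]:
        """Return the address the connection actually reaches, or None if it fails."""
        if pkt.ingress == "external":
            svc = self.services.get(pkt.dst_port)
            # Static NAT needs a service that allows incoming traffic and has a NAT entry.
            if svc is None or not svc.incoming_allowed or svc.nat_to is None:
                return None
            ext, internal = svc.nat_to
            return internal if pkt.dst_ip == ext else None
        # Traffic from Trusted/Optional is never rewritten by a static NAT entry:
        # it only reaches a server when aimed at the real internal address.
        if pkt.dst_ip in self.internal_hosts:
            return pkt.dst_ip
        return None  # aimed at the public address from inside: no hairpin, connection fails


# Constructed name resolution: a public zone versus a private /etc/hosts-style mapping.
PUBLIC_DNS = {"www.example.com": "203.0.113.10"}
INTERNAL_HOSTS_FILE = {"www.example.com": "10.0.1.20"}


def resolve(name: str, inside: bool, split_dns: bool) -> str:
    """Internal hosts get the internal address only when a private mapping is in use."""
    if inside and split_dns and name in INTERNAL_HOSTS_FILE:
        return INTERNAL_HOSTS_FILE[name]
    return PUBLIC_DNS[name]


def connect(fb: Firebox, client_ip: str, zone: str, name: str, port: int, split_dns: bool):
    """Resolve the server name from the client's vantage point and attempt the connection."""
    dst = resolve(name, zone != "external", split_dns)
    return fb.deliver(Packet(client_ip, dst, port, zone))


def demo() -> Dict[str, Optional[str]]:
    fb = Firebox(external_ips=["203.0.113.10"], internal_hosts=["10.0.1.20"])
    fb.add_service(Service("HTTP", 80, True, ("203.0.113.10", "10.0.1.20")))
    fb.add_service(Service("SMTP", 25, False, ("203.0.113.10", "10.0.1.20")))  # Incoming not allowed
    return {
        "outside_http": connect(fb, "198.51.100.7", "external", "www.example.com", 80, False),
        "outside_smtp": connect(fb, "198.51.100.7", "external", "www.example.com", 25, False),
        "inside_public_dns": connect(fb, "10.0.1.50", "trusted", "www.example.com", 80, False),
        "inside_split_dns": connect(fb, "10.0.1.50", "trusted", "www.example.com", 80, True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'reaches ' + result if result else 'connection fails'}")
```

Running the model shows the external HTTP client reaching the internal server through the public address, the SMTP attempt failing because the service does not allow incoming traffic, and the internal client failing when it resolves the name to the public address but succeeding once the private mapping returns the internal address.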