Re: Sunscreen NAT

[Valerie Anne Bubb <Valerie.Bubb () Sun COM>]

> From: "Gary Ferrer" <gary () ferrer yi org>
> To: "Valerie Anne Bubb" <Valerie.Bubb () Sun COM>, <firewall-wizards () nfr com>
> Subject: Re: [fw-wiz] Sunscreen NAT
>
> > edit> add address "insideLocal" HOST 192.168.1.1
> > edit> add address "publicIP" GROUP { localhost } { insideLocal }
> >
> > edit> add address "inside" RANGE 192.168.1.2 192.168.1.10
> > edit> add address "Internet" GROUP { * } { inside }
> >
> > edit> add NAT DYNAMIC "inside" "Internet" "publicIP" "Internet"
> > edit> save
> > edit> quit
>
> This is interesting, I didn't know you could use 'localhost' to depict the
> 'external dynamic ip' of the machine!  

"localhost" is a reserved address that is calculated at activation
time (based, essentially, on what you see from "ifconfig -a" at the
time you do an activation).

> You would think that 'publicIP'
> should contain a range of valid dynamic IP addresses the DHCP server would
> spit out.  

SunScreen NAT is *very* explicit - the way those addresses work out,
"publicIP" ends up being a single IP address, which is equal to your
DHCP address at the time of activation.   I believe this is how dynamic
NAT or masquerading works with most NAT implementations - they need
to know *exactly* what IP you're translating to.


> I also would not have thought about including 'inside' as part of
> the 'internet' group.

It's actually excluded, so:

edit> add address Internet GROUP { * } { inside }

Is read as "Internet is a group of addresses that includes
everything, but excludes inside."  This prevents NAT from occuring
while communicating directly to your screen ( or, in the case
of multiple interfaces, from NATing while communicating to your
DMZ).

> This worked wonderfully, Thank you.

Glad to hear it! :-)

Valerie
--
valerie.bubb () sun com
bubb () bubb org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards