[ScreenOS] Configuration example using interface-based NAT

Article ID: KB4761


Summary:
Configuring interface-based NAT or NAT Mode.
Symptoms:
What are the steps to configure interface-based NAT?


Cause:

Solution:
To configure interface-based NAT, perform the following steps using the WEBUI or CLI:

Note: This article assumes the chosen interface is already bound to a zone. For more information on how to bind an interface to a zone, go to Binding an Interface to a Zone.

WEBUI

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI


Step two: From the ScreenOS options menu, click Network, and then click Interfaces.


Step three: From the Interface list, choose the Interface you wish to modify, and click Edit.

Note: For this example, we chose to edit the ethernet1 interface.

Image of step three


Step four: From Interface Mode, click to select NAT.

Image of step four

Step five: Click OK.

 



CLI


To configure an interface for NAT mode:
set interface <interface> nat

To return an interface to Route mode:
unset interface <interface> nat

To confirm the change, run get interface <interface>; the first line of the output reports mode nat or mode route (see the example outputs below). Enter save to write the running configuration to flash so that the setting survives a reboot.





Where does interface-based NAT work?

Interface-based NAT only works from the Trust zone to the Untrust zone in the Trust-VR. Traffic from and to other zones will be routed. The behavior for interface NAT with the Untrust-VR is different: if the destination zone is in the Untrust-VR, then NAT will take place from ANY zone.


Here is an example configuration in the Trust-VR:

e1 bound to Trust zone, NAT configured on e1

ns25-> get i e1
Interface ethernet1:
  number 4, if_info 800, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  *ip 10.1.1.1/24   mac 0010.db15.1c44
  *manage ip 10.1.1.1, mac 0010.db15.1c44
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-Relay disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps

e2 bound to the DMZ zone, NAT configured on e2

ns25-> get i e2
Interface ethernet2:
  number 5, if_info 1000, if_index 0, mode nat
  link down, phy-link down
  vsys Root, zone DMZ, vr trust-vr
  *ip 172.16.20.1/24   mac 0010.db15.1c45
  *manage ip 172.16.20.1, mac 0010.db15.1c45
  ping enabled, telnet disabled, SCS disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-Relay disabled
  bandwidth: physical 0kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps

e3 bound to the Untrust zone

ns25-> get i e3
Interface ethernet3:
  number 6, if_info 1200, if_index 0, mode route
  link up, phy-link up/half-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp disabled
  *ip 10.100.31.130/24   mac 0010.db15.1c46
  *manage ip 10.100.31.130, mac 0010.db15.1c46
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-Relay disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps

Traffic from e1 > e3 will be NAT'd and traffic from e1 > e2 will be NAT'd.
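The three get interface outputs above are the quickest way to audit which interfaces are in NAT mode and which zone and virtual router each one sits in. The following Python script is an added example (not part of this article or of ScreenOS) that parses captured get interface output, inventories interface mode, zone, VR and IP, and flags any Untrust-zone interface that still has management services (ping, telnet, SCS, SNMP, web, SSL) enabled, as ethernet3 does in the sample. The sample text is the article's own output, trimmed to the lines the parser needs; the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the article's `get i e1` / `get i e2` / `get i e3`
# outputs from ns25, trimmed to the lines this parser reads.
SAMPLE = """\
ns25-> get i e1
Interface ethernet1:
  number 4, if_info 800, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  *ip 10.1.1.1/24   mac 0010.db15.1c44
  *manage ip 10.1.1.1, mac 0010.db15.1c44
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
ns25-> get i e2
Interface ethernet2:
  number 5, if_info 1000, if_index 0, mode nat
  link down, phy-link down
  vsys Root, zone DMZ, vr trust-vr
  *ip 172.16.20.1/24   mac 0010.db15.1c45
  *manage ip 172.16.20.1, mac 0010.db15.1c45
  ping enabled, telnet disabled, SCS disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
ns25-> get i e3
Interface ethernet3:
  number 6, if_info 1200, if_index 0, mode route
  link up, phy-link up/half-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp disabled
  *ip 10.100.31.130/24   mac 0010.db15.1c46
  *manage ip 10.100.31.130, mac 0010.db15.1c46
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""


@dataclass
class Iface:
    """One interface as reported by `get interface` (hypothetical record type)."""
    name: str
    mode: str = ""
    zone: str = ""
    vr: str = ""
    ip: str = ""
    services: dict = field(default_factory=dict)  # service name -> enabled?


HEADER = re.compile(r"^Interface (\S+):")
MODE = re.compile(r"\bmode (\w+)")
ZONE = re.compile(r"zone (\S+), vr (\S+)")
IP = re.compile(r"^\s*\*ip (\S+)")
SERVICE = re.compile(r"\b(ping|telnet|SCS|SNMP|web|SSL) (enabled|disabled)")


def parse_get_interface(text):
    """Parse one or more concatenated `get interface` outputs into Iface records."""
    ifaces = {}
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Iface(m.group(1))
            ifaces[cur.name] = cur
            continue
        if cur is None:  # prompt lines before the first interface block
            continue
        if (m := MODE.search(line)):
            cur.mode = m.group(1)
        if (m := ZONE.search(line)):
            cur.zone, cur.vr = m.group(1), m.group(2)
        if (m := IP.match(line)):
            cur.ip = m.group(1)
        for svc, state in SERVICE.findall(line):
            cur.services[svc] = (state == "enabled")
    return ifaces


def nat_mode_interfaces(ifaces):
    """Names of interfaces whose first output line reports `mode nat`."""
    return sorted(n for n, i in ifaces.items() if i.mode == "nat")


def untrust_management_exposure(ifaces):
    """Untrust-zone interfaces that still answer management services, with the list of enabled ones."""
    exposed = {}
    for name, i in ifaces.items():
        if i.zone == "Untrust":
            enabled = sorted(s for s, on in i.services.items() if on)
            if enabled:
                exposed[name] = enabled
    return exposed


if __name__ == "__main__":
    table = parse_get_interface(SAMPLE)
    for i in table.values():
        print(f"{i.name:10} mode={i.mode:5} zone={i.zone:8} vr={i.vr:10} ip={i.ip}")
    print("NAT mode:", nat_mode_interfaces(table))
    print("Untrust interfaces with management enabled:", untrust_management_exposure(table))
```

Run it against the saved output of get interface for every interface (the parser accepts several outputs pasted one after another); the NAT-mode list tells you which interfaces will translate source addresses toward the Untrust zone, and the exposure check is a reminder that an interface in Route mode on the Untrust zone with telnet, web and SNMP enabled deserves a second look regardless of its NAT setting.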



Note: NAT mode is also documented in the ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation [PDF]:

Chapter 2 - Source Network Address Translation
“NAT-Src from the Egress Interface IP Address”
Example: NAT-Src Without DIP
