Chapter 10. Network Address Translation

This chapter discusses the topic of Network Address Translation (NAT). I first discuss the reasons NAT was created and how NAT is implemented in FireWall-1. Next, I show a step-by-step example of how to implement NAT in a network. I then talk about some of the inherent limitations of NAT and discuss a couple of ways to work around them. Finally, I talk about troubleshooting NAT with a packet sniffer.

By the end of this chapter, you should be able to:

Understand why NAT is necessary
Identify what NAT actually does
Identify why NAT does not always work
Effectively troubleshoot NAT problems with a packet sniffer
Implement a NAT configuration

Frequently Asked Questions

Chapter 1. Introduction to Firewalls

Chapter 2. Planning Your FireWall-1 Installation

Chapter 3. Installing FireWall-1

Chapter 4. Building Your Rulebase

Chapter 5. Logging and Alerting

Chapter 6. Common Issues

Chapter 7. Remote Management

Chapter 8. User Authentication

Chapter 9. Content Security

Chapter 10. Network Address Translation

Introduction to Address Translation

RFC1918 and Link-Local Addresses

How NAT Works in FireWall-1

Implementing NAT: A Step-by-Step Example

Limitations of NAT

Troubleshooting NAT with a Packet Sniffer

Sample Configurations

Chapter 11. Site-to-Site VPN

Chapter 12. SecuRemote and SecureClient

Chapter 13. High Availability

Chapter 14. INSPECT

Appendix A. Securing Your Bastion Host

Appendix B. Sample Acceptable Usage Policy

Appendix C. 'firewall-1.conf' File for Use with OpenLDAP v1

Appendix D. 'firewall-1.schema' File for Use with OpenLDAP v2

Appendix E. Performance Tuning

Appendix F. Sample 'defaultfilter.pf' File

Appendix G. Other Resources

Appendix H. Further Reading