To display the NAT Rule Base Editor (FIGURE 2-22), select the Address Translation
tab in the Rule Base Editor.
Note - Routing tables on the gateway and router may have to be modified to implement NAT (see “Address Translation and Routing” on page 78).
Network Address Translation Rule Base
FIGURE 2-22 Address Translation Rules Editor
To return to the Rule Base Editor, select the Rule Base tab.
The NAT Rule Base is part of a Security Policy. If you have more than one Security Policy, then each of them can have a corresponding NAT Rule Base. The NAT Rule Base is installed when the Security Policy is installed.
Editing a NAT Rule Base
Adding a Rule
You can add a rule at any point in the NAT Rule Base, except between automatically generated rules.
TABLE 2-4 Adding a Rule
To add a rule ...         Select from menu    Toolbar Button
after the last rule       Rule>Add>Bottom
before the first rule     Rule>Add>Top
after the current rule    Rule>Add>After
Using the NAT Rule Base Editor
A new rule will be added to the NAT Rule Base, and default values will appear in all the data fields. You can modify the default values as needed.
Modifying a Rule’s Data Fields
To modify a data field in a rule, right click on the value. A menu will be displayed, from which you can choose the new value.
Original Packet — Source
Source can consist of only one object. The types of objects allowed for Source under Original Packet depend on what is specified for Source under Translated Packet, as listed in TABLE 2-5.
Add — The Object Manager window (FIGURE 2-23) is displayed, from which you can select a network object.
FIGURE 2-23 Object Manager window
Replace — The Object Manager window (FIGURE 2-23) is displayed, from which you can select an object to replace the object currently in the rule’s Source.
Edit — Edit the object in the rule’s Source.
The appropriate window is opened (depending on the type of the selected object), and you can change the object’s properties.
Delete — Delete the object currently in the rule’s Source.
Cut — Delete the object currently in the rule’s Source and put it on the clipboard.
Note - To select a rule or rules, select their numbers.
TABLE 2-5 Original Packet - Source
If Translated Packet - Source is ...    Original Packet - Source can be ...
Original                                Machine, Network, Address Range or a group of one of these
Hide                                    Machine, Network, Address Range or a group of one of these
Static                                  Machine, Network, Address Range but not a group
Copy — Copy the object currently in the rule’s Source to the clipboard.
Paste — Paste the object on the clipboard in the rule’s Source.
Original Packet — Destination
Destination can consist of only one object. The types of objects allowed for Destination under Original Packet depend on what is specified for Destination under Translated Packet, as listed in TABLE 2-6.
Add — The Object Manager window (FIGURE 2-23) is displayed, from which you can select a network object.
Replace — The Object Manager window (FIGURE 2-23) is displayed, from which you can select an object to replace the object currently in the rule’s Destination.
Edit — Edit the object in the rule’s Destination.
The appropriate window is opened (depending on the type of the selected object), and you can change the object’s properties.
Delete — Delete the object currently in the rule’s Destination.
Cut — Delete the object currently in the rule’s Destination and put it on the clipboard.
Copy — Copy the object currently in the rule’s Destination to the clipboard.
Paste — Paste the object on the clipboard in the rule’s Destination.
TABLE 2-6 Original Packet - Destination
If Translated Packet - Destination is ...    Original Packet - Destination can be ...
Original                                     Machine, Network, Address Range or a group of one of these
Static                                       Machine, Network, Address Range but not a group
Original Packet — Service
Services can consist of only one object. The types of objects allowed for Services under Original Packet depend on what is specified for Services under Translated Packet, as listed in TABLE 2-7.
Add — The Services window (FIGURE 2-24) is displayed, from which you can select a service.
FIGURE 2-24 Services window
Replace — The Services window (FIGURE 2-24) is displayed, from which you can select an object to replace the object currently in the rule’s Services.
Edit — Edit the service.
The appropriate window is opened (depending on the type of the selected service), and you can change the service’s properties.
Delete — Delete the object currently in the rule’s Services.
Cut — Delete the object currently in the rule’s Services and put it on the clipboard.
Copy — Copy the object currently in the rule’s Services to the clipboard.
TABLE 2-7 Original Packet - Services
If Translated Packet - Services is ...    Original Packet - Services can be ...
Original                                  TCP, UDP, Range or group of one of the above
Hide                                      TCP, UDP, Range or group of one of the above
Static                                    TCP, UDP, Range but not a group
Paste — Paste the object on the clipboard in the rule’s Services.
Translated Packet — Source
Source can consist of only one object. The types of objects allowed for Source depend on the type of Address Translation, as listed in TABLE 2-8.
Add (Static) — The Object Manager window (FIGURE 2-23 on page 95) is displayed, from which you can select a network object.
The Source object under Original Packet will be translated to Source under Translated Packet, in Source Static Mode.
Replace (Static) — The Object Manager window (FIGURE 2-23 on page 95) is displayed, from which you can select an object to replace the object currently in the rule’s Source.
Replace (Static) is only available when the Source object was added by Add (Static). If you wish to replace an Add (Hide) object by an Add (Static) object, first delete the Add (Hide) object, and then choose Add (Static) from the menu.
Add (Hide) — The Object Manager window (FIGURE 2-23 on page 95) is displayed, from which you can select a network object.
The Source object under Original Packet will be translated to Source under Translated Packet, in Hide mode.
Replace (Hide) — The Object Manager window (FIGURE 2-23 on page 95) is displayed, from which you can select an object to replace the object currently in the rule’s Source.
Replace (Hide) is only available when the Source object was added by Add (Hide). If you wish to replace an Add (Static) object by an Add (Hide) object, first delete the Add (Static) object, and then choose Add (Hide) from the menu.
Edit — Edit the Source object.
TABLE 2-8 Translated Packet - Source
If the Address Translation is ...    Translated Packet - Source can be ...
Hide                                 Machine, Network, Router, or Range of size 1
Static                               Machine, Network, or Range of same size as Original Packet - Source
Delete — Delete the object currently in the rule’s Source.
After you delete the object, Source is set to Original.
Cut — Delete the object currently in the rule’s Source and put it on the clipboard. After you cut the object, Source is set to Original.
Copy — Copy the object currently in the rule’s Source to the clipboard.
Paste — Paste the object on the clipboard in the rule’s Source.
Translated Packet — Destination
Destination can consist of only one object. The types of objects allowed for Destination depend on the type of Address Translation, as listed in TABLE 2-9.
Add (Static) — The Object Manager window (FIGURE 2-23 on page 95) is displayed, from which you can select a network object.
The Destination object under Original Packet will be translated to Destination under Translated Packet, in Destination Static Mode.
Replace (Static) — The Object Manager window (FIGURE 2-23 on page 95) is displayed, from which you can select an object to replace the object currently in the rule’s Destination.
Replace (Static) is only available when the Destination object was added by Add (Static).
Edit — Edit the Destination object.
The appropriate window is opened (depending on the type of the Destination object), and you can change the object’s properties.
Delete — Delete the object currently in the rule’s Destination.
After you delete the object, Destination is set to Original.
Cut — Delete the object currently in the rule’s Destination and put it on the clipboard.
TABLE 2-9 Translated Packet - Destination
If the Address Translation is ...    Translated Packet - Destination can be ...
Hide                                 Machine, Network, Router, or Range of size 1
Static                               Machine, Network, or Range of same size as Original Packet - Destination
After you cut the object, Destination is set to Original.
Copy — Copy the object currently in the rule’s Destination to the clipboard.
Paste — Paste the object on the clipboard in the rule’s Destination.
Translated Packet — Service
Service can consist of only one object. The types of objects allowed for Service are:
• TCP
• UDP
• Port Range
Add (Static) — The Service window (FIGURE 2-24 on page 97) is displayed, from which you can select a network object.
The Service object under Original Packet will be translated to Service under Translated Packet.
Replace (Static) — The Services window (FIGURE 2-24 on page 97) is displayed, from which you can select an object to replace the object currently in the rule’s Service.
Replace (Static) is only available when the Service object was added by Add (Static).
Edit — Edit the Service object.
The appropriate window is opened (depending on the type of the Service object), and you can change the object’s properties.
Delete — Delete the object currently in the rule’s Service. After you delete the object, Service is set to Original.
Cut — Delete the object currently in the rule’s Service and put it on the clipboard.
After you cut the object, Service is set to Original.
Copy — Copy the object currently in the rule’s Service to the clipboard.
Paste — Paste the object on the clipboard in the rule’s Service.
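As an added example that is not part of this manual, the following Python lint applies the object-type and size constraints of TABLE 2-5 to TABLE 2-9 to a NAT rule before it is installed: a group is refused in Original Packet under Static translation, a Hide address must be a single address, and a Static translated object must cover the same number of addresses as the original. The object model, rule layout, function names and sample addresses are assumptions made for this example; the Services columns (TABLE 2-7) are not modeled.

```python
"""Lint NAT rules against the object-type and size constraints of TABLE 2-5
to TABLE 2-9.  Added example, not code from the FireWall-1 manual: the object
model, rule layout and function names are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NetObject:
    """A network object as the tables name them: Machine, Network, Range,
    Router, or a Group of the first three."""
    name: str
    kind: str
    cidr: Optional[str] = None      # Network only
    first: Optional[str] = None     # Range only
    last: Optional[str] = None      # Range only
    members: List["NetObject"] = field(default_factory=list)  # Group only

    def size(self) -> int:
        """Number of addresses covered; drives the 'size 1' and 'same size' rules."""
        if self.kind in ("Machine", "Router"):
            return 1
        if self.kind == "Network":
            return ip_network(self.cidr).num_addresses
        if self.kind == "Range":
            return int(ip_address(self.last)) - int(ip_address(self.first)) + 1
        if self.kind == "Group":
            return sum(m.size() for m in self.members)
        raise ValueError(f"unknown object kind {self.kind!r}")


@dataclass
class NatRule:
    """Original Packet and Translated Packet columns of one rule; a translated
    object of None means that field is left at 'Original'."""
    orig_src: NetObject
    orig_dst: NetObject
    src_mode: str = "Original"      # Original, Hide or Static
    dst_mode: str = "Original"      # Original or Static
    xlate_src: Optional[NetObject] = None
    xlate_dst: Optional[NetObject] = None


ORIG_GROUP_OK = ("Machine", "Network", "Range", "Group")  # TABLE 2-5/2-6, Original and Hide columns
ORIG_NO_GROUP = ("Machine", "Network", "Range")           # TABLE 2-5/2-6, Static column
XLATE_HIDE = ("Machine", "Network", "Router", "Range")    # TABLE 2-8, Hide column (size 1)
XLATE_STATIC = ("Machine", "Network", "Range")            # TABLE 2-8/2-9, Static column (same size)


def _check_side(label: str, orig: NetObject, mode: str,
                xlate: Optional[NetObject], problems: List[str]) -> None:
    allowed_orig = ORIG_NO_GROUP if mode == "Static" else ORIG_GROUP_OK
    if orig.kind not in allowed_orig:
        problems.append(f"{label}: Original Packet object {orig.name!r} ({orig.kind}) "
                        f"is not allowed with translation mode {mode}")
    if mode == "Original":
        if xlate is not None:
            problems.append(f"{label}: translated object given but mode is Original")
        return
    if xlate is None:
        problems.append(f"{label}: mode {mode} needs a Translated Packet object")
        return
    if mode == "Hide":
        if xlate.kind not in XLATE_HIDE or xlate.size() != 1:
            problems.append(f"{label}: Hide requires Machine, Network, Router or Range of "
                            f"size 1, got {xlate.name!r} ({xlate.kind}, size {xlate.size()})")
    elif mode == "Static":
        if xlate.kind not in XLATE_STATIC:
            problems.append(f"{label}: Static requires Machine, Network or Range, got {xlate.kind}")
        elif xlate.size() != orig.size():
            problems.append(f"{label}: Static needs same size; original covers {orig.size()} "
                            f"addresses, translated covers {xlate.size()}")
    else:
        problems.append(f"{label}: unknown translation mode {mode!r}")


def check_rule(rule: NatRule) -> List[str]:
    """Return the list of constraint violations; an empty list means the rule is well-formed."""
    problems: List[str] = []
    _check_side("Source", rule.orig_src, rule.src_mode, rule.xlate_src, problems)
    if rule.dst_mode == "Hide":  # the Destination column only offers Add (Static)
        problems.append("Destination: Hide mode is not offered for Destination")
    else:
        _check_side("Destination", rule.orig_dst, rule.dst_mode, rule.xlate_dst, problems)
    return problems


# Constructed sample objects (private and RFC 5737 documentation addresses).
LAN = NetObject("lan", "Network", cidr="10.1.0.0/24")
GW = NetObject("fw-gw", "Router")
PUBLIC_NET = NetObject("public", "Network", cidr="198.51.100.0/24")
SHORT_RANGE = NetObject("short", "Range", first="203.0.113.1", last="203.0.113.4")
ANY_DST = NetObject("any-dst", "Network", cidr="0.0.0.0/0")
LAN_GROUP = NetObject("lans", "Group", members=[LAN])

HIDE_RULE = NatRule(LAN, ANY_DST, src_mode="Hide", xlate_src=GW)            # hide LAN behind gateway
STATIC_RULE = NatRule(LAN, ANY_DST, src_mode="Static", xlate_src=PUBLIC_NET)  # /24 to /24
BAD_SIZE_RULE = NatRule(LAN, ANY_DST, src_mode="Static", xlate_src=SHORT_RANGE)  # 256 vs 4
BAD_GROUP_RULE = NatRule(LAN_GROUP, ANY_DST, src_mode="Static", xlate_src=PUBLIC_NET)
BAD_HIDE_RULE = NatRule(LAN, ANY_DST, src_mode="Hide", xlate_src=SHORT_RANGE)  # range of size 4

if __name__ == "__main__":
    for name, rule in [("hide", HIDE_RULE), ("static", STATIC_RULE), ("bad-size", BAD_SIZE_RULE),
                       ("bad-group", BAD_GROUP_RULE), ("bad-hide", BAD_HIDE_RULE)]:
        print(name, check_rule(rule) or "OK")
```

Running the lint over a rule set before installation surfaces the same mistakes the editor's menus prevent interactively, which is useful when rules are generated or reviewed outside the GUI.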
Install On
The Install On field specifies which FireWalled objects will enforce the rule. You cannot change the Install On field for automatically generated rules, but you can change it for
To modify the Install On field, right click on it. A menu is displayed, from which you can select one of the values listed in TABLE 2-10.
Comment
You can add comments to a rule. Double click on the Comment field to open the Comment window (FIGURE 2-25).
FIGURE 2-25 Comment window
Type any text you wish in the text box and click on OK.
Copying, Cutting and Pasting Rules
To copy, cut or paste, select a rule or rules by selecting their numbers.
TABLE 2-10 Install On Menu
Install On              Meaning
Gateways                Enforce on all network objects defined as gateways.
Integrated FireWalls    Enforce on all network objects defined as integrated FireWalls.
Targets                 Enforce on the specified target object(s) only.
TABLE 2-11 Copying, Cutting and Pasting Rules
Action    Select from menu    Toolbar Button
Cut       Edit>Cut
Copy      Edit>Copy