
Chapter 8: Configuring Network Address Translation (NAT)

Contents

Overview . . . 8-3
  Translating Between an Inside and an Outside Network . . . 8-3
  Local and Global Addresses . . . 8-4
  NAT Implementation Methods . . . 8-5
  Dynamic, or Many-to-One, NAT . . . 8-5
  Dynamic NAT for Wireless Traffic . . . 8-5
  Dynamic NAT for Wired Traffic . . . 8-6
  Port Address Translation for Dynamic NAT . . . 8-7
  Static, or One-to-One, NAT . . . 8-8
  Static NAT on Destination Addresses . . . 8-8
  Using Port Forwarding with Static Destination NAT . . . 8-10
  Static NAT on Source Addresses . . . 8-12
  Understanding Local and Global Addresses . . . 8-12
Planning the NAT Configuration . . . 8-14
  Consider Your Company’s Requirements for NAT . . . 8-14
  Record Necessary IP Addresses and Select the NAT Implementation Method . . . 8-15
  Planning the Configuration for Dynamic NAT . . . 8-16
  Planning the Configuration for Static NAT . . . 8-17
Configuring Standard ACLs for Dynamic NAT . . . 8-20
Configuring NAT . . . 8-22
  Defining Interfaces as Outside or Inside . . . 8-22
  Configuring Dynamic NAT . . . 8-24
  Configuring Static Translation . . . 8-27
  Configuring Static Source NAT . . . 8-28
  Configuring Static Destination NAT . . . 8-31
Viewing NAT Status . . . 8-36


Overview

You can configure the ProCurve Wireless Edge Services xl Module to perform Network Address Translation (NAT) on traffic routed between two subnetworks—typically, traffic exchanged between the wireless and the wired network. The module can translate either the source or the destination IP address in a packet’s IP header to a new address.

The Wireless Edge Services xl Module allows you to implement NAT in several different ways. For example, you can configure the module to use a single IP address as the source address for an entire group of wireless stations when these stations transmit data to a wired network. This implementation of NAT allows users whose wireless stations have private IP addresses to access the Internet using one public IP address. NAT also conceals the actual IP addresses of wireless devices from users in the wired network, which adds a modest layer of security; it does not replace ACLs or a firewall, because NAT hides addresses but does not by itself decide which traffic is allowed through.

Translating Between an Inside and an Outside Network

When implementing NAT, the Wireless Edge Services xl Module distinguishes between an inside and an outside network, and implements NAT at the border between the two networks.

When you configure NAT, you define the inside and outside networks by specifying whether a given virtual LAN (VLAN) interface is inside or outside. For example, in Figure 8-1, wireless LAN (WLAN) A is assigned to VLAN 8, which has been defined as an inside interface. On the other hand, VLAN 4, which is used in the Ethernet LAN, is defined as an outside interface.

The setting you select for a particular VLAN—either inside or outside—depends on how you implement NAT. (The options for implementing NAT are described in “NAT Implementation Methods” on page 8-5.)


Figure 8-1. Dividing Interfaces into Inside and Outside Interfaces

The Wireless Edge Services xl Module always performs NAT on traffic as the traffic arrives on an interface. Because the module can apply NAT to both inside and outside interfaces, it can perform NAT in both directions.

Note: When the Wireless Edge Services xl Module maps wireless traffic to a VLAN, that traffic is considered to have arrived on the VLAN interface.

Local and Global Addresses

In addition to identifying inside and outside networks, the Wireless Edge Services xl Module distinguishes between an IP address as it appears before and after translation. The Web browser interface and the command line interface (CLI) use two terms to make this distinction:

• local IP address—the IP address as it appears before translation

• global IP address—the IP address as it appears after translation

As mentioned earlier, the Wireless Edge Services xl Module translates the IP address in a packet’s IP header. Depending on how you implement NAT, the module can translate a packet’s source IP address or its destination IP address.


NAT Implementation Methods

On the Wireless Edge Services xl Module, you can configure:

• dynamic NAT

• static NAT

Dynamic NAT affects only source IP addresses while static NAT can translate either source or destination IP addresses.

Dynamic, or Many-to-One, NAT

Perhaps the most common implementation of NAT is dynamic NAT, sometimes called many-to-one NAT because it allows multiple stations to share the same IP address after translation. Dynamic NAT applies only to source IP addresses.

You define dynamic NAT using the following specifications:

• access control lists (ACLs), which select the source IP addresses of traffic on which the Wireless Edge Services xl Module performs NAT

• a Wireless Edge Services xl Module interface, which defines the IP address to which the source address is translated

This NAT method is considered dynamic because when you modify an ACL or interface, the corresponding NAT definition is modified accordingly.

You can apply dynamic NAT to traffic that arrives on inside interfaces, on outside interfaces, or on both. The sections below discuss some uses for dynamic NAT for wireless traffic and for wired traffic. (Whether configuring NAT on wireless traffic requires inside or outside NAT depends on how you define the VLAN interface in which the module places wireless traffic.)

Dynamic NAT for Wireless Traffic

Implementing dynamic NAT on wireless traffic allows you to create VLANs for wireless traffic only. The Wireless Edge Services xl Module assigns WLAN traffic to a VLAN reserved for wireless stations; its internal DHCP server issues wireless stations IP addresses in this VLAN. Before routing wireless traffic into the Ethernet network, the module translates these local DHCP addresses to an IP address valid in the wired network—the module’s own.

This implementation also has the advantage of conserving IP addresses: instead of each wireless station having its own IP address that is valid in the wired network, all wireless stations share the Wireless Edge Services xl


Figure 8-2 illustrates this configuration, which allows wireless stations to use IP addresses local to the wireless network but still to open sessions with servers in the Ethernet network.

Figure 8-2. Dynamic Source NAT on Wireless Traffic

You can also implement NAT on the module to ready wireless traffic for transmission to the Internet—if you do not have another device that does so.

Many companies have only one public IP address although they have many employees who need Internet access. With dynamic NAT, all these employees can share one IP address. When users on the company’s wireless network send requests to the Internet, the Wireless Edge Services xl Module translates the senders’ local IP addresses to a global address—the module’s IP address in the wired network. After translating packets’ source IP addresses, the module forwards the requests onto the Ethernet network and toward the Internet.

Dynamic NAT for Wired Traffic

You can configure dynamic NAT for traffic bound from the wired network to the wireless network. In this case, the Wireless Edge Services xl Module translates wired devices’ IP addresses to one of the module’s own IP addresses.


You might use dynamic NAT on wired traffic when your wireless network receives a great deal of public traffic. You can then conceal the IP addresses of devices in your private network from the wireless users. (See Figure 8-3.)

Figure 8-3. Dynamic Source NAT

Again, whether you apply dynamic NAT to inside or outside traffic depends on how you have defined interfaces. In this example, you have defined the VLAN used in the wired network as an outside interface, so you configure outside dynamic NAT.

If you want to allow wireless users to access internal servers, you must configure destination NAT to translate the publicly known IP address back to the servers’ internal addresses. (See “Static NAT on Destination Addresses” on page 8-8.)

In fact, instead of configuring dynamic source NAT to conceal private addresses, you might want to configure only destination NAT. The Wireless Edge Services xl Module automatically performs source NAT on the traffic returning from the server.

Port Address Translation for Dynamic NAT

To enable multiple users to share one IP address, the Wireless Edge Services xl Module uses port address translation in conjunction with NAT. When the module translates a local IP address to the global address, it assigns that translation a unique port number, as shown in Table 8-1.


The Wireless Edge Services xl Module uses this port number to forward return traffic, which is destined to the single global IP address, to the correct local IP address. For example, Table 8-1 lists possible IP addresses for the network shown in Figure 8-3. In this case, the module translates all inside addresses (in the 192.168.1.0/24 subnetwork) to 10.1.1.1. If a packet arrives for 10.1.1.1 on port 4001, the module knows to forward it toward the station at 192.168.1.11.
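The port-mapping mechanism of Table 8-1, worked through in code. This is an added example written for this page, not part of the ProCurve manual or the module’s software: a small Python model of many-to-one source NAT with port address translation. It takes the station addresses, the global address 10.1.1.1, the translated ports 4000 to 4004 and the server destinations from Table 8-1; the stations’ own source ports (50000 and up) are invented for the example, and the model goes one step beyond the table by recording the destination of each flow and accepting return traffic on a translated port only from that destination, a check the manual does not describe for the module.

```python
# Added example (not part of the ProCurve manual): a model of dynamic
# source NAT with port address translation, built around the rows of
# Table 8-1. Station addresses, the global address 10.1.1.1 and the
# destinations come from the table; the stations' source ports (50000+)
# and the peer check in inbound() are this example's own assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicSourceNat:
    """Many-to-one source NAT: every selected local address is rewritten to one
    global address, and a port-mapping table keeps the flows apart."""

    def __init__(self, local_subnet, global_ip, first_port=4000):
        self.local_subnet = ip_network(local_subnet)  # what the ACL would permit
        self.global_ip = global_ip                    # address of the overloaded interface
        self.next_port = first_port
        # translated port -> (local ip, local port, destination ip, destination port)
        self.table = {}
        # (local ip, local port, destination ip, destination port) -> translated port
        self.reverse = {}

    def outbound(self, pkt):
        """Traffic arriving on the NAT interface from a local station."""
        if ip_address(pkt.src_ip) not in self.local_subnet:
            return pkt  # not selected by the ACL: forwarded untranslated
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.reverse:
            port = self.next_port  # one new unique port per flow
            self.next_port += 1
            self.table[port] = flow
            self.reverse[flow] = port
        return Packet(self.global_ip, self.reverse[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return traffic addressed to the global address; None means drop."""
        if pkt.dst_ip != self.global_ip:
            return pkt  # not for the global address: not our business
        flow = self.table.get(pkt.dst_port)
        if flow is None:
            return None  # no mapping: unsolicited traffic cannot reach a station
        local_ip, local_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # assumption: only the recorded peer may use this port
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)


# Constructed sample matching Table 8-1: five local stations, each opening
# one HTTP session to a different server.
STATIONS = ["192.168.1.10", "192.168.1.11", "192.168.1.12",
            "192.168.1.13", "192.168.1.14"]
SERVERS = ["10.20.1.1", "172.16.1.10", "172.16.10.5", "10.45.16.1", "172.16.11.1"]


def build_table_8_1():
    """Translate one packet per station; return the NAT and the translated packets."""
    nat = DynamicSourceNat("192.168.1.0/24", "10.1.1.1", first_port=4000)
    translated = [nat.outbound(Packet(sta, 50000 + i, srv, 80))
                  for i, (sta, srv) in enumerate(zip(STATIONS, SERVERS))]
    return nat, translated


if __name__ == "__main__":
    nat, translated = build_table_8_1()
    for port, (lip, lport, rip, rport) in sorted(nat.table.items()):
        print(f"{lip}:{lport} -> {nat.global_ip}:{port} -> {rip}:{rport}")
    reply = nat.inbound(Packet("172.16.1.10", 80, "10.1.1.1", 4001))
    print("reply delivered to", reply.dst_ip, reply.dst_port)
    print("stray packet:", nat.inbound(Packet("172.16.1.10", 80, "10.1.1.1", 4999)))
```

Run directly, it prints the five table rows. A packet to an unmapped port (4999) and a packet to a mapped port from the wrong peer are both dropped, which is why return traffic from the other network can reach a station only after that station has opened the flow; this is the property that makes many-to-one NAT conceal stations, and also the reason servers behind it need a static destination NAT definition instead.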

Table 8-1. Information Recorded in a Port-Mapping Table for a Sample Network

Local IP Address   Translated (Global) IP Address   Translated Port   Destination IP Address   Destination Port
192.168.1.10       10.1.1.1                         4000              10.20.1.1                80
192.168.1.11       10.1.1.1                         4001              172.16.1.10              80
192.168.1.12       10.1.1.1                         4002              172.16.10.5              80
192.168.1.13       10.1.1.1                         4003              10.45.16.1               80
192.168.1.14       10.1.1.1                         4004              172.16.11.1              80

Static, or One-to-One, NAT

You can also configure static definitions for NAT. In this case, you manually specify the following information for each one-to-one NAT:

• the IP address (and optionally, port) that should be translated

• the IP address (and optionally, port) that should replace the original address

The Wireless Edge Services xl Module can perform static translation on both source IP addresses and destination IP addresses. In addition, it can apply NAT to traffic inbound from the inside network or from the outside network.

Static NAT on Destination Addresses

One reason to use destination NAT is to allow wireless users to access servers on your internal LAN, while still concealing the servers’ IP addresses. This use is particularly important when you open your wireless network to the public.

Because such a wireless network is much like the Internet—filled with untrusted users—you should implement the same types of security measures that you put in place for users who access your network from the Internet.


Configure destination NAT to allow wireless users to send traffic toward a server’s publicly known address. The Wireless Edge Services xl Module translates the traffic’s destination address to the server’s actual address. When the server replies, the module automatically translates the source address back to the address to which the traffic was originally destined, and the private address remains concealed.

For example, your company may have a Web server or an FTP server, which is housed on your internal LAN. To access this server, wireless users enter a URL, which is resolved through a Domain Name System (DNS) server to a public IP address. When your Wireless Edge Services xl Module receives a packet destined to this address, it translates the destination IP address and forwards the packet toward the correct internal device.

For example, in Figure 8-4, a Web server on the internal LAN has an IP address of 192.168.1.10. However, the IP address to which wireless stations send traffic is 10.1.1.1. When the ProCurve Wireless Edge Services xl Module receives packets with the destination address of 10.1.1.1, it translates the destination address to the private IP address of the Web server: 192.168.1.10. The source IP address is not affected. (See Figure 8-4.) Therefore, you must ensure that devices in the wired network can route traffic back to the subnetwork used in the wireless network.

Figure 8-4. Outside Destination NAT


One principle to remember: on the Wireless Edge Services xl Module, you define which VLANs are inside interfaces and which are outside. Figure 8-4 shows a configuration in which the VLAN used in the Ethernet network is an outside interface. So you configure the destination NAT on inside interfaces (these interfaces receive traffic that is destined to the outside VLAN).

As mentioned earlier, you can apply destination NAT to traffic from both the inside and the outside network. In theory, you could also apply destination NAT to traffic being sent from the wired network to the wireless network.

However, destination NAT is typically used to allow servers to share a public IP address and to conceal their private addresses. Your wireless network is unlikely to include such servers, so you would probably set up destination NAT in one direction.

Using Port Forwarding with Static Destination NAT

The Wireless Edge Services xl Module also supports port forwarding for static destination NAT. Port forwarding allows two or more devices on a network to share a single IP address known in the other network. For example, you could have wireless users send traffic that is destined to two different servers to the same IP address:

• your LAN’s Web server

• your LAN’s FTP server

The Wireless Edge Services xl Module would then translate the destination IP addresses of all traffic destined to port 80 to the Web server’s private IP address (the address on the wired network). Likewise, the module would translate all traffic destined to port 21 to the FTP server’s private IP address. Note that a definition for port 21 covers only FTP’s control connection; the separate data connection that FTP opens is not covered by that definition, so test FTP access through the module before relying on it.


Figure 8-5. Outside Destination NAT with Port Forwarding

When the module translates the destination IP address, it can also perform port translation, assigning the traffic to the particular port used by the destination device.
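The port-forwarding case above, as an added example (not the manual’s own text or the module’s implementation): a Python model of static destination NAT in which two servers share the advertised address 10.1.1.1, written in the manual’s own local/global terms (local is the address the originating station sends to, global is the server’s real address). The Web server’s real address and port, 192.168.1.25 on 51000, are taken from Figure 8-8 in “Planning the Configuration for Static NAT”, which translates port 80 to 51000; the FTP server address 192.168.1.30 and the wireless station 10.1.1.50 are assumed for the example.

```python
# Added example (not from the ProCurve manual): a model of static destination
# NAT with port forwarding and port translation. The advertised address
# 10.1.1.1, the Web server 192.168.1.25 on port 51000 and the FTP port 21
# come from Figures 8-5 and 8-8; the FTP server address 192.168.1.30 and the
# wireless station 10.1.1.50 are this example's own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StaticDestinationNat:
    """One-to-one destination NAT keyed on protocol, advertised ("local")
    address and port. The manual's terms are kept: local = the address the
    originating station sends to, global = the server's real address."""

    def __init__(self):
        self.rules = {}  # (proto, local ip, local port) -> (global ip, global port)

    def add(self, proto, local_ip, local_port, global_ip, global_port=None):
        # An omitted global port means "forward to the port the traffic arrived on".
        self.rules[(proto, local_ip, local_port)] = (global_ip, global_port or local_port)

    def forward(self, pkt):
        """A packet from the originating network: rewrite only the destination."""
        rule = self.rules.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if rule is None:
            return pkt  # no definition for this port/protocol: left untouched
        global_ip, global_port = rule
        return Packet(pkt.src_ip, pkt.src_port, global_ip, global_port, pkt.proto)

    def reply(self, pkt):
        """The server's answer: put the advertised address back as the source,
        so the private address never appears on the originating network."""
        for (proto, local_ip, local_port), (global_ip, global_port) in self.rules.items():
            if (pkt.proto, pkt.src_ip, pkt.src_port) == (proto, global_ip, global_port):
                return Packet(local_ip, local_port, pkt.dst_ip, pkt.dst_port, proto)
        return pkt


def build_sample_nat():
    """Two servers behind one advertised address (constructed sample)."""
    nat = StaticDestinationNat()
    nat.add("tcp", "10.1.1.1", 80, "192.168.1.25", 51000)  # Web server, port translated
    nat.add("tcp", "10.1.1.1", 21, "192.168.1.30")         # FTP control channel, same port
    return nat


if __name__ == "__main__":
    nat = build_sample_nat()
    req = nat.forward(Packet("10.1.1.50", 40000, "10.1.1.1", 80))
    print("request goes to", req.dst_ip, req.dst_port)
    ans = nat.reply(Packet("192.168.1.25", 51000, "10.1.1.50", 40000))
    print("reply appears to come from", ans.src_ip, ans.src_port)
```

Two details are worth checking in the output: the source address of the request is left alone, which is why the wired network must be able to route back to the wireless subnet, and a packet to the advertised address on a port or protocol with no definition (UDP to port 80, TCP to port 22) passes through unchanged, so destination NAT exposes exactly the ports you define and nothing else.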


Static NAT on Source Addresses

Static source NAT is an alternative to dynamic source NAT. Instead of allowing many stations to share one global address, static source NAT sets up a one-to-one correspondence between a particular IP address and a translated IP address. Use this option only when relatively few devices in one network (inside or outside) need to access devices in the other network.

Understanding Local and Global Addresses

When you configure NAT on the Wireless Edge Services xl Module, you define a local address and a global address. As mentioned earlier, the local address is the pre-translation address. For source NAT, the local address is always the IP address assigned to the device for the network in which the device resides.

In Figure 8-6, the local address is any address used by a device in WLAN A—the 10.1.1.0/24 subnetwork.

Figure 8-6. Local Addresses

However, for destination NAT, the local address is actually the address as it appears across the border between inside and outside. This is because packets, pre-translation, are destined to the IP address that the originating station knows for the destination device, not the destination’s actual IP address. In Figure 8-5 on page 8-11, for example, the local address is 10.1.1.1.


Table 8-2 summarizes this terminology.

Table 8-2. Terminology for IP Addresses According to NAT Implementation

NAT Interface Type   NAT Address Type   Address   Explanation of Address
Inside               Source             Local     An inside station’s IP address as it appears on the inside network
Inside               Source             Global    An inside station’s IP address as it appears on the outside network
Inside               Destination        Local     An outside station’s IP address as it appears on the inside network
Inside               Destination        Global    An outside station’s IP address as it appears on the outside network
Outside              Source             Local     An outside station’s IP address as it appears on the outside network
Outside              Source             Global    An outside station’s IP address as it appears on the inside network
Outside              Destination        Local     An inside station’s IP address as it appears on the outside network
Outside              Destination        Global    An inside station’s IP address as it appears on the inside network


Planning the NAT Configuration

Before you access the Security > NAT screen and begin to set up NAT for your wireless network, you should plan your configuration:

1. Consider your company’s network topology and security needs and determine the requirements for NAT.

In other words: which NAT methods do you need to configure, and which traffic should be translated?

2. Record the IP addresses necessary for your NAT configuration.

3. If you are using dynamic NAT, configure the necessary standard ACLs.

The following sections outline these steps in more detail.

Consider Your Company’s Requirements for NAT

The Wireless Edge Services xl Module supports a variety of options for NAT.

Use the following scenarios to determine which options you must configure:

• You want to assign wireless stations to VLANs reserved for wireless traffic (either for security or to conserve IP addresses on your LAN or both). All wireless stations will share a single IP address in your LAN—an address used by the Wireless Edge Services xl Module.

Assign the WLAN to a VLAN not used in the Ethernet network. Use DHCP to assign addresses to wireless stations in that VLAN. (See Chapter 6: IP Services—IP Settings, DHCP, and DNS.)

Define the VLAN in which the Wireless Edge Services xl Module places wireless traffic as an inside VLAN and configure dynamic NAT on inside traffic. Or, define the VLAN as an outside VLAN and configure dynamic NAT on outside traffic. (For the exact configuration steps, see “Configuring Dynamic NAT” on page 8-24.)

• You want to prepare wireless traffic for transmission on the Internet.

This scenario is similar to the one above. Define VLANs associated with wireless traffic as inside VLANs and configure dynamic NAT on inside traffic. Make sure that your Wireless Edge Services xl Module has a valid public IP address and can reach your Internet Service Provider’s (ISP’s) router.

• You want to conceal IP addresses used in your LAN from wireless users.

Separate the VLANs for wired traffic from the VLANs for wireless traffic: when you specify the uplink VLANs in which the Wireless Edge Services xl Module places traffic from WLANs, choose different VLANs from those already used in the wired network.

Next, define the wired VLANs as inside interfaces and define the wireless VLANs as outside interfaces.

Configure static destination NAT on outside traffic. Each static destination NAT definition allows you to map a global IP address and destination port to a particular address used in your internal network, typically that of a network server. Create a different NAT definition for each server in the Ethernet network that users in the wireless network must access.

Note: The Wireless Edge Services xl Module performs at most one type of NAT on a packet. Therefore, you should typically configure source NAT for either inside or outside interfaces.

For example, your internal (wired) network might use VLAN 2, and the module might perform dynamic source NAT on all traffic from that VLAN, translating the addresses used on the Ethernet network to the module’s address on the wireless network. You might also configure static destination NAT for wireless traffic destined to certain wired servers.

Configuring dynamic NAT for wireless traffic would have no effect on traffic destined to the wired resources: when the module translates an outside packet’s destination address, it does not apply dynamic NAT.

Because wireless traffic enters the Ethernet network with its source address unchanged, the Ethernet infrastructure devices must know routes to the subnetwork for wireless traffic.

Record Necessary IP Addresses and Select the NAT Implementation Method

As part of your NAT planning, you should record:

• local address—the address or addresses that will be translated

• global address—the address that will replace the local address when the module applies NAT


You should also determine which NAT implementation method you are using.

For example, if you want to conserve IP addresses on your LAN, you will probably decide to use dynamic NAT on inside traffic. If you want to allow wireless users access to private Web or FTP servers with concealed IP addresses, you will use static NAT.

Planning the Configuration for Dynamic NAT

If you are using dynamic NAT, you must use ACLs to specify which traffic the Wireless Edge Services xl Module NATs. Consider which IP addresses these ACLs should select. For example, if you want to NAT all traffic from wireless stations in a particular WLAN, you can create an ACL that permits any IP address and specifies that particular WLAN.

You may want the Wireless Edge Services xl Module to NAT traffic from wireless stations before that traffic enters your wired network. In this case, you would first configure the module to place wireless stations in a particular VLAN and act as a DHCP server, assigning the stations IP addresses in a corresponding subnet. Before the module forwarded this traffic to the wired network, it would NAT the traffic to a single IP address, as shown in Figure 8-7.

Figure 8-7. Dynamic NAT on a Sample Network


For this NAT implementation, you would record the IP addresses specified in the DHCP pool and configure an ACL that selects those addresses. Table 8-3 lists the actual IP addresses that you would record for the sample network shown in Figure 8-7.

Table 8-3. Recording Addresses for Dynamic NAT on a Sample Network

NAT Interface Type   NAT Address Type   Local or Global Address                                                   Recorded Addresses for the Sample Network
Inside               Source             Local (stations’ IP addresses as they appear on the wireless network)     10.1.1.0/24 subnetwork—assigned through DHCP and specified in an ACL
Inside               Source             Global (IP address for all stations as it appears on the wired network)   192.168.1.10—module’s vlan 1 IP address

Planning the Configuration for Static NAT

For static NAT, you manually specify the IP address and port settings within each NAT configuration. You must configure a separate static definition for each IP address that your Wireless Edge Services xl Module must translate.

Before configuring static destination NAT for traffic destined to network servers, collect the following information:

• the IP address that you want to advertise to wireless stations (through, for example, a DNS server)

This will be the original destination address (local address) for incoming packets.

• the destination port for traffic that will be subject to NAT (local port) and the corresponding protocol (TCP or UDP)

This setting is for port translation, which enables multiple internal servers to share one advertised IP address. For example, the Wireless Edge Services xl Module can select traffic destined to:

  • a Web server on port 80

  • an FTP server on port 21

• the internal device’s IP address on your LAN

This will be the translated destination address (global address).

• the translated destination port (global port)

This setting is optional. If you do not specify this port, the module forwards traffic to the destination port on which it arrived.


To configure static source NAT, you must know:

the local address to which the module must apply NAT

the global address to which the module should translate the original address

You can optionally specify a new source port for the translated traffic.

Figure 8-8 shows a destination NAT example with port translation. The company wants to conceal the actual IP address of its Web server, 192.168.1.25, and has also set up the Web server to listen on a nonstandard port, 51000. For this implementation, you must configure destination NAT with port translation.

Figure 8-8. Outside Destination NAT with Port Translation on a Sample Network

In Figure 8-8, the VLAN for wireless stations is the inside interface, so the Web server is an outside device. Therefore you must set up inside destination NAT.

You could alternatively define the Web server’s VLAN as the inside interface, in which case you would configure outside destination NAT.

When you record the local address for destination NAT, identify the destination device’s IP address as it appears on the source network. On the wireless network, the Web server’s IP address appears to be 10.1.1.1. For this sample network, you would record 10.1.1.1 for the local address, as shown in Table 8-4.


When you record the global address for destination NAT, identify the destination device’s IP address as it appears in its own network. For the sample network, the Web server’s actual IP address is 192.168.1.25. You would, therefore, record 192.168.1.25 as the global address.

Because the sample network is also using port address translation, you should record the port for the translated traffic, as shown in Table 8-4.

Table 8-4. Recording Addresses for Outside Destination NAT

NAT Interface Type   NAT Address Type   Local or Global Address                                                     Local or Global Port                                                Recorded Address   Recorded Port
Inside               Destination        Local (outside device’s IP address as it appears on the inside network)     Local (port to which the inside devices originally send traffic)    10.1.1.1           80
Inside               Destination        Global (outside device’s IP address as it appears on the outside network)   Global (port used by the outside device)                            192.168.1.25       51000


Configuring Standard ACLs for Dynamic NAT

To configure dynamic translation, you use a standard ACL to select the IP addresses that the Wireless Edge Services xl Module NATs. Although you can use any ACL that you have configured, you will probably want to configure ACLs to meet the specific requirements for your NAT implementation.

Remember that depending on the types of NAT you are configuring, you might need to create several ACLs. If your module will NAT both inside and outside traffic, you must create one ACL to select IP addresses used in the inside network and one ACL that selects addresses used in the outside network.

To create ACLs, use the procedure documented in Chapter 7: Access Control Lists (ACLs). For NAT, you must create a standard IP ACL.

To add rules to the ACL, use the screen shown in Figure 8-9.

Figure 8-9. Add Rule Screen for Standard IP ACLs


The full procedure for adding rules to ACLs is documented in Chapter 7: Access Control Lists (ACLs). The following rule guidelines apply to ACLs used for NAT:

In the Operation field, the permit operation means that traffic will be subject to NAT; the deny operation means that traffic will not be subject to NAT. (The mark operation does not apply to NAT.)

The entries in the Filters area specify the source IP address or range of source IP addresses for which NAT will be either permitted or denied. (The Wlan Index entry is optional.)

For example, to NAT all traffic that arrives from the wireless network, you would set up a “permit any” rule. Or, to NAT all traffic from a particular subnet, the rule would specify the subnet’s IP address and subnet mask. For example, you might have mapped a particular WLAN to a VLAN, and then set up a DHCP pool for that VLAN on the Wireless Edge Services xl Module. To apply NAT to all of the wireless stations that have been assigned addresses in that VLAN, specify the VLAN’s subnet IP address and mask.

After you have created ACLs and added rules to them, you can select those ACLs when you set up NATs using dynamic translation. (See “Configuring Dynamic NAT” on page 8-24.)
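An added example (not from the manual) of how the rule guidelines above play out: a Python model of a standard IP ACL evaluated against packet sources to decide which traffic is translated. Permit means translate, deny means leave alone, a filter is a source address with mask or “any”, and the WLAN index is optional, as described above. First-match evaluation with no translation when no rule matches, the WLAN index values, and the exempt host 10.1.1.5 are assumptions of the example; check Chapter 7 for the module’s own rule order before copying the pattern.

```python
# Added example (not from the ProCurve manual): how a standard IP ACL
# selects source addresses for dynamic NAT. Permit/deny semantics and the
# 10.1.1.0/24 wireless subnet follow the manual; first-match evaluation with
# an implicit deny when nothing matches, the WLAN index values and the exempt
# host 10.1.1.5 are this example's assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    operation: str                    # "permit" (translate) or "deny" (leave alone)
    network: str = "any"              # source address with mask, or "any"
    wlan_index: Optional[int] = None  # optional filter on the WLAN the traffic came from

    def matches(self, src_ip, wlan_index):
        if self.wlan_index is not None and self.wlan_index != wlan_index:
            return False
        if self.network == "any":
            return True
        return ip_address(src_ip) in ip_network(self.network, strict=False)


def selected_for_nat(acl, src_ip, wlan_index=None):
    """True when the ACL permits the source, i.e. the module would translate it."""
    for rule in acl:  # assumption: rules are evaluated top to bottom, first match wins
        if rule.matches(src_ip, wlan_index):
            return rule.operation == "permit"
    return False  # assumption: no match means no translation


# Constructed ACL for the sample network: exempt one host, translate the
# rest of the wireless subnet, but only when it arrives from WLAN 1.
WIRELESS_NAT_ACL = [
    Rule("deny", "10.1.1.5/32"),
    Rule("permit", "10.1.1.0/24", wlan_index=1),
]

# The "permit any" rule the manual suggests for translating all wireless traffic.
PERMIT_ANY_ACL = [Rule("permit")]


if __name__ == "__main__":
    for ip, wlan in [("10.1.1.20", 1), ("10.1.1.5", 1), ("10.1.1.20", 2), ("192.168.1.7", 1)]:
        verdict = "NAT" if selected_for_nat(WIRELESS_NAT_ACL, ip, wlan) else "no NAT"
        print(f"{ip} from WLAN {wlan}: {verdict}")
```

Rule order is the point to watch: with the deny rule listed first, 10.1.1.5 is left untranslated; listed after the subnet permit, the deny is never reached and 10.1.1.5 is translated like everything else. A source outside the subnet, or one arriving from a WLAN the rule does not name, matches nothing and is forwarded with its address unchanged, which in turn means the other network must have a route back to it.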


Configuring NAT

To configure NAT, follow these steps:

1. Enable routing.

See “IP Settings” on page 6-3 of Chapter 6: IP Services—IP Settings, DHCP, and DNS.

2. Define interfaces as inside or outside interfaces.

When you create a NAT definition, you will select whether this definition applies to inside or outside traffic. To do so, you must know which Wireless Edge Services xl Module interfaces connect to inside networks and which to outside networks. See “Defining Interfaces as Outside or Inside” on page 8-22.

3. Configure one or both types of NATs:

• Dynamic translation—based on ACLs, which permit or deny NAT based on IP addresses; as the ACL configuration changes, the NAT configuration changes as well.

• Static translation—configured for specific IP addresses and ports; any configuration changes are made within the NAT configuration itself.

Defining Interfaces as Outside or Inside

NAT configurations have no effect until you map interfaces to NAT by defining particular interfaces as outside or inside. For example, when traffic arrives on an inside interface, the module applies the configurations created for inside NAT (as long as the traffic matches the specifications for that NAT definition).

Note: NAT applies to traffic that arrives on an interface. NAT does not affect traffic sent from an interface.

To define an interface as outside or inside, complete these steps:

1. Select Security > NAT and click the Interfaces tab.


Figure 8-10. Security > NAT > Interfaces Screen

2. Click the Add button. The Add Interface screen is displayed.

Figure 8-11. Add Interface Screen

3. In the Interfaces field, use the drop-down menu to select an interface configured on the module.


4. In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public).

5. Click the OK button.

The interface is now listed on the Security > NAT > Interfaces screen.

Figure 8-12. Interface Assignment in Security > NAT > Interfaces Screen

Configuring Dynamic NAT

For each NAT configuration that will use dynamic NAT, you must first set up an ACL. This ACL contains rules that select the source addresses for traffic to be translated. For information about creating this ACL, see Chapter 7: Access Control Lists (ACLs) and “Configuring Standard ACLs for Dynamic NAT” on page 8-20.

To configure dynamic translation, complete these steps:

1. Select Security > NAT and click the Dynamic Translation tab.


Figure 8-13. Security > NAT > Dynamic Translation Screen

2. Click the Add button. The Add Dynamic Translation screen is displayed.

Figure 8-14. Add Dynamic Translation Screen


3. In the NAT Interface field, use the drop-down menu to select the type of interfaces to which the module applies NAT:

Inside (Private)—traffic that arrives from the inside network. In other words, inside NAT applies to incoming traffic on an inside interface; typically, this traffic is bound for the outside network.

Inside addresses are the ones you are trying to adjust for, or to conceal from, the outside world, so you will usually select this option for dynamic source NAT.

Outside (Public)—traffic that arrives from the outside network. In other words, outside NAT applies to incoming traffic on an outside interface.

4. In the NAT Address Type field, leave the setting at Source (the only option permitted for dynamic translation).

The Wireless Edge Services xl Module translates the source addresses of selected traffic.

5. In the Access List field, use the drop-down menu to select the ACL that you configured to select traffic.

This ACL should permit the source addresses that you want to translate.

For inside dynamic NAT, the ACL should select inside addresses as they appear locally (on the inside network). For outside dynamic NAT, choose an ACL that selects outside addresses as they appear on the outside network. For example, if your outside network is a publicly used wireless network, the ACL should select traffic from the IP addresses assigned to wireless stations.

6. From the Interface drop-down menu, select one of the module’s VLAN or tunnel interfaces.

The Wireless Edge Services xl Module translates the source addresses to the IP address on the specified interface. Ethernet interfaces are named vlan1, vlan2, and so on; GRE tunnel interfaces are named tunnel1, tunnel2, and so on.

If you are configuring dynamic NAT on traffic from wireless stations, make sure to choose an interface that is tagged on the module’s uplink port. In this way, return traffic from the wired network can reach the wireless stations.

The interface you select is sometimes called the overloaded interface because many devices share its IP address.

7. Click the OK button.


The definition for dynamic translation is now listed on the Security > NAT > Dynamic Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured dynamic NAT. (See “Defining Interfaces as Outside or Inside” on page 8-22.)

Figure 8-15. Dynamic NAT Configuration in the Security > NAT > Dynamic Translation Screen
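To make the dynamic translation concrete, the following Python model shows what the steps above configure: a NAT Interface type, a standard ACL that selects the sources, and an overloaded interface whose IP address all selected stations share, distinguished by port. This is example code written for this page, not the module's own software; the interface names (vlan10 as an inside VLAN, vlan1 as the outside uplink VLAN with address 192.0.2.10), the ACL prefix 10.10.0.0/16 and the sequential port pool are all constructed assumptions. It also shows the two cases the procedure and the note on page 8-22 imply: traffic that does not arrive on an interface of the configured type, and sources the ACL does not permit, pass through untranslated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields relevant to NAT (constructed model, not the module's data)."""
    in_iface: str   # interface the packet ARRIVED on; NAT keys on arrival, not egress
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class DynamicSourceNat:
    """Model of one Dynamic Translation entry: NAT Interface type + standard ACL +
    overloaded interface whose IP becomes the shared global source address."""

    def __init__(self, iface_types: Dict[str, str], nat_iface_type: str,
                 acl: List[str], overload_iface: str, iface_addrs: Dict[str, str]):
        self.iface_types = iface_types              # Security > NAT > Interfaces mapping
        self.nat_iface_type = nat_iface_type        # "inside" or "outside"
        self.acl = [ip_network(n) for n in acl]     # permit rules of the standard ACL
        self.global_addr = iface_addrs[overload_iface]
        # (proto, local src, local sport) -> global port; one row per translation
        self.table: Dict[Tuple[str, str, int], int] = {}
        self._next_port = 1024                      # assumption: simple sequential pool

    def _acl_permits(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in net for net in self.acl)

    def translate(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Return (packet after NAT, translated?). Untouched packets return False."""
        # NAT applies only to traffic arriving on an interface of the configured type.
        if self.iface_types.get(pkt.in_iface) != self.nat_iface_type:
            return pkt, False
        # Only sources the ACL permits are translated.
        if not self._acl_permits(pkt.src):
            return pkt, False
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self._next_port   # a fresh port distinguishes this flow
            self._next_port += 1
        gport = self.table[key]
        return Packet(pkt.in_iface, pkt.proto, self.global_addr, gport,
                      pkt.dst, pkt.dport), True

    def status_rows(self) -> List[Tuple[str, str]]:
        """(Inside-Local, Inside-Global) pairs as the Status screen shows them, addr:port."""
        return [(f"{src}:{sport}", f"{self.global_addr}:{gport}")
                for (proto, src, sport), gport in sorted(self.table.items())]


def demo() -> List[Tuple[str, str]]:
    """Three inside stations share one global address; two other packets are left alone."""
    nat = DynamicSourceNat(
        iface_types={"vlan10": "inside", "vlan1": "outside"},   # constructed mapping
        nat_iface_type="inside",
        acl=["10.10.0.0/16"],
        overload_iface="vlan1",
        iface_addrs={"vlan1": "192.0.2.10"},
    )
    flows = [
        Packet("vlan10", "tcp", "10.10.1.5", 40000, "203.0.113.7", 80),
        Packet("vlan10", "tcp", "10.10.1.6", 40000, "203.0.113.7", 80),   # same sport as above
        Packet("vlan10", "udp", "10.10.2.9", 5353, "203.0.113.53", 53),
        Packet("vlan1", "tcp", "198.51.100.4", 1111, "192.0.2.10", 443),  # arrives on outside: untouched
        Packet("vlan10", "tcp", "10.20.0.1", 2222, "203.0.113.7", 80),    # not permitted by ACL
    ]
    for pkt in flows:
        out, done = nat.translate(pkt)
        print(f"{pkt.src}:{pkt.sport} -> {out.src}:{out.sport} translated={done}")
    return nat.status_rows()


if __name__ == "__main__":
    for local, glob in demo():
        print(f"Inside-Local {local:<18} Inside-Global {glob}")
```

Running the block prints one line per packet and then the Inside-Local / Inside-Global pairs; the three permitted inside stations all show 192.0.2.10 as their global address with ports 1024, 1025 and 1026, which is the pattern described under “Viewing NAT Status” where several rows share one global address and differ only in port.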

Configuring Static Translation

Static translation sets up a one-to-one correspondence between a source or destination IP address and a translated IP address.

The configuration steps depend on whether you are configuring static source NAT or static destination NAT.


Configuring Static Source NAT

When the Wireless Edge Services xl Module stands between two networks that use different IP addresses, static source NAT allows a device in one network to reach devices in the other network. The module translates traffic’s source address so that the device that sent the traffic appears to have a valid IP address in the other network.

Note that source NAT is more commonly configured as dynamic NAT, because dynamic NAT allows multiple devices to share the same translated IP address.

To configure a static source translation, complete these steps:

1. Select Security > NAT and click the Static Translation tab.

Figure 8-16. Security > NAT > Static Translation Screen

2. Click the Add button. The Add Static Translation screen is displayed.


Figure 8-17. Add Static Translation Screen

3. In the NAT section, select the Interface Type and Address Type:

a. The Interface Type determines to which interfaces the Wireless Edge Services xl Module applies the static NAT definition:

Outside (Public)—incoming traffic on an outside interface
Inside (Private)—incoming traffic on an inside interface

b. For the Address Type, select Source—the module translates the packet’s source IP address.

The correct settings depend, of course, on the goal of the NAT configuration and on how you have defined interfaces in your network.

When you select Source for the Address Type, the Interface Type choice is relatively straightforward: choose Inside (Private) to apply NAT to inside devices and Outside (Public) to apply NAT to outside devices.

See “Static, or One-to-One, NAT” on page 8-8 and “Planning the NAT Configuration” on page 8-14 for more guidelines on choosing these settings.

4. In the Before Translation section, specify the IP address of traffic to which the module should apply NAT.

a. In the Local Address field, enter the IP address to be translated.


Table 8-5. Determining the IP Address for the Local Address Field

Interface Type    Address Type   IP Address for the Local Address Field
Inside (Private)  Source         IP address of an inside device as it appears on the inside network
Outside (Public)  Source         IP address of an outside device as it appears on the outside network

For example, for source NAT, enter the IP address configured on a device in its own network. This address is typically allocated from a private address space.

b. The Local Port field is not available for source NAT.

5. In the After Translation section, specify the IP address to which the Wireless Edge Services xl Module should translate the source address:

a. In the Global Address field, enter the IP address as it should appear after translation.

See Table 8-6 for guidelines on specifying this address.

Table 8-6. Determining the IP Address for the Global Address Field

Interface Type    Address Type   IP Address for the Global Address Field
Inside (Private)  Source         IP address of an inside device as it should appear on the outside network
Outside (Public)  Source         IP address of an outside device as it should appear on the inside network

Make sure to enter an IP address that is valid on this Wireless Edge Services xl Module and in the network to which the traffic is destined. For example, if you are configuring source NAT for a wireless device, enter an IP address on a VLAN tagged on the uplink.

b. The Global Port field is not available for source NAT. The Wireless Edge Services xl Module automatically assigns a port to the translated packet.

6. Click the OK button.

The static NAT definition is now listed on the Security > NAT > Static Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured static source NAT. (See “Defining Interfaces as Outside or Inside” on page 8-22.)


Figure 8-18. Static NAT Definition in the Security > NAT > Static Translation Screen

Configuring Static Destination NAT

Again, the Wireless Edge Services xl Module stands between two networks that use different IP addresses. Destination NAT allows clients in one network to open sessions with servers in the other network. You must configure destination NAT statically.

To configure a static destination translation, complete these steps:

1. Select Security > NAT and click the Static Translation tab.


Figure 8-19. Security > NAT > Static Translation Screen

2. Click the Add button. The Add Static Translation screen is displayed.


Figure 8-20. Add Static Translation Screen

3. In the NAT section, select the Interface Type and Address Type:

a. The Interface Type determines to which interfaces the Wireless Edge Services xl Module applies the static NAT definition:

Outside (Public)—incoming traffic on an outside interface
Inside (Private)—incoming traffic on an inside interface

b. For the Address Type, select Destination—the module translates the destination IP address in the IP header.

The correct settings depend, of course, on the goal of the NAT configuration and on how you have defined interfaces in your network.

Remember: destination NAT allows client traffic to reach servers at a public IP address, and servers are typically in your wired network. If you define the VLANs for wired servers as outside interfaces, you should define the VLANs for wireless traffic as inside interfaces; then select Destination for the Address Type and Inside (Private) for the Interface Type. On the other hand, you might define the VLANs for wireless traffic as outside interfaces; in this case, select Destination for the Address Type and Outside (Public) for the Interface Type. In either case, NAT applies to traffic from wireless stations destined to wired servers.

See “Static, or One-to-One, NAT” on page 8-8 and “Planning the NAT Configuration” on page 8-14 for more guidelines on choosing these


4. Select either TCP or UDP in the Protocol drop-down menu.

This setting, which is available only for destination NAT, allows you to configure port forwarding. Choose the protocol for the application for which you are creating the NAT definition. For example, if you are setting up destination NAT to allow wireless stations to reach your Web server, select TCP.

5. In the Before Translation section, specify the IP address and port to which the traffic to be translated is destined.

a. In the Local Address field, enter the IP address to be translated.

This address depends on the choices that you made in the NAT section.

Refer to Table 8-7.

Table 8-7. Determining the IP Address for the Local Address Field

Interface Type    Address Type   IP Address for the Local Address Field
Inside (Private)  Destination    IP address of an outside device as it appears on the inside network
Outside (Public)  Destination    IP address of an inside device as it appears on the outside network

For destination NAT, the local address is the IP address of a host as it appears to hosts in the opposite network. So if you are using destination NAT to translate wireless requests to a wired server, enter the address known in the wireless network (typically, the Wireless Edge Services xl Module’s own address).

b. In the Local Port field, enter the port to which the traffic to be translated is destined. Specify a number from 1 through 65,535.

This setting is used for port forwarding and is available only when you select Destination for the Address Type. See “Using Port Forwarding with Static Destination NAT” on page 8-10 for more information.

For example, suppose you are setting up NAT for traffic inbound from a public wireless network to your internal FTP server. This traffic from the public network is destined to port 21, so you enter 21 in the Local Port field.

6. In the After Translation section, specify how the Wireless Edge Services xl Module should translate the IP header:

a. In the Global Address field, enter the IP address as it should appear after translation. In other words, enter the actual IP address of the server to which the traffic is destined.


See Table 8-8 for guidelines on specifying this address.

Table 8-8. Determining the IP Address for the Global Address Field

Interface Type    Address Type   IP Address for the Global Address Field
Inside (Private)  Destination    IP address of an outside device on the outside network
Outside (Public)  Destination    IP address of an inside device on the inside network

In the example in which you are configuring destination NAT to allow public access to your company’s FTP server, you would enter the FTP server’s private address.

b. In the Global Port field, enter the port to which the Wireless Edge Services xl Module should forward the traffic.

This optional setting for destination NAT provides port translation.

For example, traffic arrives for your internal Web server on its public IP address and the standard HTTP port 80 (which you specify in the Local Port field of the Before Translation section). The module translates the traffic to the Web server’s private address and a private port selected by your company. Enter the private address in the Global Address field and the private port in the Global Port field.

7. Click the OK button.

The static NAT definition is now listed on the Security > NAT > Static Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured static destination NAT. (See “Defining Interfaces as Outside or Inside” on page 8-22.)


Figure 8-21. Static NAT Definition in the Security > NAT > Static Translation Screen
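The following Python model, added here as an example and not taken from the module's software, shows how a static destination entry with port forwarding behaves once the interfaces are defined, and how each translated session would appear in the Outside-Local and Outside-Global columns described under “Viewing NAT Status” below. The names and addresses are constructed assumptions: the wireless VLAN vlan20 is defined as an outside interface, the wired server VLAN vlan1 as inside, a Web server is reached through the public address 192.0.2.10 on port 80 and forwarded to the private address 10.1.1.20 on port 8080, and an FTP server is reached on port 21 and forwarded to 10.1.1.21 with the port unchanged. Because Protocol is part of the definition, a UDP packet to the same address and port is not forwarded, and neither is traffic that arrives on an inside interface or that is destined to a port with no rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields relevant to NAT (constructed model, not the module's data)."""
    in_iface: str   # arrival interface; NAT is applied on arrival, not on egress
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticDestRule:
    """One Static Translation entry with Address Type = Destination."""
    iface_type: str                     # Interface Type: "inside" or "outside"
    proto: str                          # Protocol: tcp or udp (forwarding is per protocol)
    local_addr: str                     # Before Translation: address clients send to
    local_port: int                     # Before Translation: port clients send to
    global_addr: str                    # After Translation: server's actual address
    global_port: Optional[int] = None   # After Translation: optional port; None keeps it


class StaticDestinationNat:
    def __init__(self, iface_types: Dict[str, str], rules: List[StaticDestRule]):
        self.iface_types = iface_types      # Security > NAT > Interfaces mapping
        self.rules = rules
        # Status rows: (Outside-Local, Outside-Global) in addr:port form
        self.sessions: List[Tuple[str, str]] = []

    def translate(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Return (packet after NAT, translated?). Unmatched packets return False."""
        kind = self.iface_types.get(pkt.in_iface)
        for rule in self.rules:
            if (rule.iface_type == kind and rule.proto == pkt.proto
                    and rule.local_addr == pkt.dst and rule.local_port == pkt.dport):
                new_port = rule.global_port if rule.global_port is not None else pkt.dport
                out = Packet(pkt.in_iface, pkt.proto, pkt.src, pkt.sport,
                             rule.global_addr, new_port)
                # Outside-Local: where the client addressed the packet;
                # Outside-Global: the destination after translation.
                self.sessions.append((f"{pkt.dst}:{pkt.dport}", f"{out.dst}:{out.dport}"))
                return out, True
        return pkt, False   # no matching rule: header left untouched


def demo() -> List[Tuple[str, str]]:
    """Wireless VLAN vlan20 is defined as outside; wired servers sit on inside vlan1."""
    nat = StaticDestinationNat(
        iface_types={"vlan20": "outside", "vlan1": "inside"},  # constructed mapping
        rules=[
            # Web server: public 192.0.2.10:80 forwarded to private 10.1.1.20:8080
            StaticDestRule("outside", "tcp", "192.0.2.10", 80, "10.1.1.20", 8080),
            # FTP control channel: public 192.0.2.10:21 to 10.1.1.21, port unchanged
            StaticDestRule("outside", "tcp", "192.0.2.10", 21, "10.1.1.21"),
        ],
    )
    probes = [
        Packet("vlan20", "tcp", "198.51.100.4", 50000, "192.0.2.10", 80),   # forwarded, port changed
        Packet("vlan20", "tcp", "198.51.100.5", 50001, "192.0.2.10", 21),   # forwarded, port kept
        Packet("vlan20", "udp", "198.51.100.6", 50002, "192.0.2.10", 80),   # wrong protocol: untouched
        Packet("vlan20", "tcp", "198.51.100.7", 50003, "192.0.2.10", 443),  # no rule for 443: untouched
        Packet("vlan1", "tcp", "10.1.1.50", 50004, "192.0.2.10", 80),       # arrives on inside: untouched
    ]
    for pkt in probes:
        out, done = nat.translate(pkt)
        print(f"{pkt.dst}:{pkt.dport} -> {out.dst}:{out.dport} translated={done}")
    return nat.sessions


if __name__ == "__main__":
    for local, glob in demo():
        print(f"Outside-Local {local:<18} Outside-Global {glob}")
```

Only the two TCP packets that match a rule produce status rows; for the Web server row the port changes from 80 to 8080, which is the port translation the Global Port field provides, while the FTP row keeps port 21 because no Global Port was given.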

Viewing NAT Status

To view current translations, select Security > NAT and click the Status tab.

Alternatively, you can select Security and click the NAT Status tab. (See Figure 8-22.)


Figure 8-22. Security > NAT > Status Screen

Each active session to which the Wireless Edge Services xl Module has applied NAT is displayed in a row. The screen columns show the IP addresses associated with the session:

Inside-Global—the source IP address as it appears in the destination device’s network

Inside-Local—the source IP address as it appears in the source device’s network

Outside-Global—the destination IP address as it appears in the destination device’s network

Outside-Local—the destination IP address as it appears in the source device’s network

For example, if you have configured dynamic source NAT on inside traffic, the Inside-Local column lists the IP address of the source device in the inside network. The Inside-Global column lists the translated IP address. (See the top row in Figure 8-22.)


The number after a colon indicates the port. For example, the module has translated the source IP addresses in the first three rows to the same global source address, but different port numbers.

On the other hand, for a session using static destination NAT on outside traffic, the translation appears in the Outside-Global and Outside-Local columns. The Outside-Local column shows the IP address to which the source device actually destines the packet. The Outside-Global column shows the destination IP address after the module has translated it to the destination device’s actual address. (See Figure 8-23.)

Figure 8-23. Viewing Outside NAT in the Security > NAT > Status Screen

To export statistical information about a specific session, select the row and click the Export button. On the screen that is displayed, specify the destination filename and location.


The logged information is saved to a comma-separated values (CSV) file on your workstation, which lets you:

save information that might be important later, while keeping logs or statistics clear for future events

send a file to support staff for troubleshooting help

pool information from multiple devices in a central location

track patterns of network activity
