Configuring a service for incoming static nat – WatchGuard Technologies FireboxTM System 4.6 User Manual


Configuring a service for incoming static NAT

Static NAT works on a port-to-host basis. Incoming packets destined for a specific
public address and port on the External network are remapped to an address and
port behind the firewall. You must configure each service separately for static NAT.
Typically, static NAT is used for public services such as Web sites and e-mail that do
not require authentication.

Static NAT can be used only to forward connections from the outside to an internal
host. It is not possible for hosts already behind the Firebox to use the static NAT entry
when accessing an internal server. While hosts on the External interface of the Firebox
connect to the Firebox IP address and specified port (which then forwards the
connection internally), hosts on the inside of the Firebox must connect directly to the
actual, internal server IP address. This is usually only a problem when DNS is
involved. To avoid this problem, it is best to use a private DNS server (or static DNS
mapping, such as /etc/hosts for UNIX machines, or an Lmhosts file for Windows
machines) for internal hosts. This way, internal systems that try to connect to the
server by name will always get the internal IP address.
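The following is an added illustration, not WatchGuard code: a small Python model of the behaviour described above (port-to-host mapping, External-only forwarding, no use of the static NAT entry from inside, and the split-DNS workaround). All IP addresses, host names and the NAT table are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP as seen by the Firebox
    dport: int    # destination port
    iface: str    # interface the packet arrived on: "External", "Trusted" or "Optional"

# Constructed static NAT table, one entry per service:
# (public IP, port) -> (internal host, port).
STATIC_NAT: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("203.0.113.10", 80): ("10.0.1.20", 80),   # HTTP service
    ("203.0.113.10", 25): ("10.0.1.30", 25),   # SMTP service
}
PUBLIC_ALIASES = {public_ip for public_ip, _ in STATIC_NAT}

def deliver(pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return the (host, port) the Firebox forwards to, or None if it does not forward.

    Models the page's rules: static NAT is port-to-host, applies only to packets
    arriving on the External interface, and cannot be used by hosts already
    behind the Firebox (no "hairpin" back to the internal server)."""
    if pkt.iface == "External":
        return STATIC_NAT.get((pkt.dst, pkt.dport))
    if pkt.dst in PUBLIC_ALIASES:
        return None   # internal host aimed at the public address: not supported
    return (pkt.dst, pkt.dport)   # internal host connecting directly to the internal IP

# Split DNS: a private DNS server (or hosts / LMHOSTS file) answers internal clients
# with the internal address; public DNS answers the outside world with the alias.
PUBLIC_DNS = {"www.example.com": "203.0.113.10"}
INTERNAL_DNS = {"www.example.com": "10.0.1.20"}

def connect_by_name(name: str, client_ip: str, client_iface: str, port: int,
                    dns: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Resolve `name` with the given DNS view, then push the packet through the Firebox."""
    return deliver(Packet(client_ip, dns[name], port, client_iface))
```

An internal client that resolves the name through public DNS ends up with None (the connection cannot be forwarded), while the same client using the internal view reaches the server directly.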

Adding external IP addresses

Static NAT converts a Firebox public IP and port into specific destinations on the
Trusted or Optional networks. If the Firebox has not already been assigned the public
IP address you want to use, you must designate a new public IP address using the
Add External IP dialog box. From Policy Manager:

1. Select Network => Configuration. Click the External tab.
2. Click Aliases.
3. At the bottom of the dialog box, enter the public IP address. Click Add.
4. Repeat until all external public IP addresses are added. Click OK.

Setting static NAT for a service

Static NAT, like service-based NAT, is configured on a service-by-service basis.
Because of the way static NAT functions, it is available only for services containing
TCP, UDP, FTP, SMTP, or HTTP. A service containing any other protocol cannot use
incoming static NAT, and the button in the service’s Properties dialog box is
disabled.

1. Double-click the service icon in the Services Arena.
   The service’s Properties dialog box appears, displaying the Incoming tab.
2. Use the Incoming drop list to select Enabled and Allowed.
   To use static NAT, the service must allow incoming traffic.
3. Under the To list, click Add.
   The Add Address dialog box appears.
4. Click NAT.
5. Use the External IP Address drop list to select the “public” address to be used for this service.
   If the public address does not appear in the drop list, click Edit to open the Add External IP Address dialog box.
