Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

1-to-1 NAT mapping is done in the pre-routing step in the firewall (see fig. 31.1).

This means that, for inbound packets affected by a 1-to-1 NAT rule, the destination IP address is changed to another IP address before routing is done and before the rules in the input filtering and forward filtering chains are evaluated. Make sure that you only use the internal network block (called "new destination" in the web configuration and "to-dst" in the CLI config) in routing and filtering, as the external network is not visible inside the unit.

31.1.4.2.2 Reverse 1-to-1 NAT

[Figure labels: Public Network (Internet); 1-to-1 NAT Gateway (.1); Web Server (.2); IP Source 192.168.0.2; IP Source 10.20.30.2; Inbound Interface]

Figure 31.7: Reverse 1-to-1 NAT mapping

1-to-1 NAT is bi-directional, which means that the NAT works in the reverse direction too. A request coming from an internal IP will be transformed so it appears to come from the external net when leaving the router through the configured "inbound" interface (see fig. 31.7).

In this case the translation of the IP source address will be performed in the post-routing chain (fig. 31.1), just before packets leave the router. This means that the original internal network IP will be matched as source in any forward filtering and output filtering rules. As with NAT in the forward direction, the external addresses will not be visible here.
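The following added example (not taken from the Westermo manual and not WeOS code) is a simplified Python model of the ordering described in both passages above: destination translation before filtering for inbound packets, and source translation after filtering for outbound packets. It assumes 10.20.30.0/24 is the external block and 192.168.0.0/24 the internal ("to-dst") block, which the page does not state; the client address and rule sets are constructed.

```python
import ipaddress as ipa

# Assumed for illustration: the page does not say which block is external.
EXTERNAL = ipa.ip_network("10.20.30.0/24")   # block seen from the public side
INTERNAL = ipa.ip_network("192.168.0.0/24")  # "new destination" / to-dst block

def map_1to1(addr, from_net, to_net):
    """Swap the network prefix and keep the host bits (1-to-1 mapping)."""
    a = ipa.ip_address(addr)
    if a not in from_net:
        return str(a)  # not covered by the NAT rule: unchanged
    host = int(a) - int(from_net.network_address)
    return str(to_net.network_address + host)

def allowed(rules, src, dst):
    """Allow list with default drop; each rule is (src_net, dst_net)."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    return any(s in ipa.ip_network(rs) and d in ipa.ip_network(rd)
               for rs, rd in rules)

def inbound(src, dst, rules):
    """Pre-routing DNAT runs first, so the filter sees the internal dst."""
    dst = map_1to1(dst, EXTERNAL, INTERNAL)
    verdict = "ACCEPT" if allowed(rules, src, dst) else "DROP"
    return (verdict, src, dst)

def outbound(src, dst, rules):
    """Filter sees the internal src; post-routing SNAT rewrites it afterwards."""
    if not allowed(rules, src, dst):
        return ("DROP", src, dst)
    return ("ACCEPT", map_1to1(src, INTERNAL, EXTERNAL), dst)

# Constructed rule sets: one written against the external block (never matches),
# one written against the internal block (matches in both directions).
RULES_EXTERNAL = [("0.0.0.0/0", "10.20.30.0/24"), ("10.20.30.0/24", "0.0.0.0/0")]
RULES_INTERNAL = [("0.0.0.0/0", "192.168.0.0/24"), ("192.168.0.0/24", "0.0.0.0/0")]

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed documentation address
    for name, rules in (("external", RULES_EXTERNAL), ("internal", RULES_INTERNAL)):
        print(name, inbound(client, "10.20.30.2", rules),
              outbound("192.168.0.2", client, rules))
```

Filter rules written against the external block are silently ineffective in this model, so with a default-drop policy the mapped server is unreachable, and with a default-accept policy an intended restriction on the external block would never apply.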


© 2015 Westermo Teleindustri AB
