Hello,
I wanted to run this by the board here, and maybe help others looking for a similar answer.
I have a firewall migration where the existing NAT is set up to translate traffic from different sources destined to the same public IP (not the interface IP), and different ports.
The use cases are as follows:
- Incoming packet from src:3.3.3.3 dst:2.2.2.1 port:4567, translate to src:3.3.3.3 dst:10.2.2.1 port:4567
- Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:5678, translate to src:4.4.4.4 dst:10.4.4.1 port:5678
- Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:5678, translate to src:4.4.4.5 dst:10.4.4.1 port:5678
- Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:6789, translate to src:4.4.4.4 dst:10.4.4.1 port:6789
- Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:6789, translate to src:4.4.4.5 dst:10.4.4.1 port:6789
- Incoming packet from src:5.5.5.5 dst:2.2.2.1 port:7890, translate to src:5.5.5.5 dst:10.5.5.1 port:7890
Lines 2,3,4,5 represent a group of source hosts that connect to multiple destination ports.
Field Abbreviations: Original Source (OSrc), Original Destination (ODst), Original Service (OSrv), Translated Source (TSrc), Translated Destination (TDst), Translated Service (TSrv)
I believe that I need to configure manual rules for each of these as follows, and also configure a proxy arp entry for 2.2.2.1:
- OSrc:3.3.3.3 ODst:2.2.2.1 OSrv:4567 TSrc:Original TDst:10.2.2.1 TSrv:Original
- OSrc:10.2.2.1 ODst:3.3.3.3 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
- OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:5678 TSrc:Original TDst:10.4.4.1 TSrv:Original
- OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:6789 TSrc:Original TDst:10.4.4.1 TSrv:Original
- OSrc:10.4.4.1 ODst:(4.4.4.4-4.4.4.5) OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
- OSrc:5.5.5.5 ODst:2.2.2.1 OSrv:7890 TSrc:Original TDst:10.5.5.1 TSrv:Original
- OSrc:10.5.5.1 ODst:5.5.5.5 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
With lines 3 and 4, since the return traffic will be the same, there is only line 5 that is needed, but this is because I am assuming that the use of Any for the original port for the return traffic is correct.
Does this look correct, or is there a better way to do this without manual NAT?
Thanks,
Leon
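To sanity-check a rule table like the one in the post before committing it, it helps to model the rules as a first-match list and run the expected packets through it. The following is an added example written for this page, not code from the poster or from any firewall vendor: it encodes the seven manual rules exactly as listed above (source ranges, destination 2.2.2.1, port or Any, and "Original" as a no-op translation), replays the six inbound use cases, replays a return packet from an internal host, confirms that a source outside the listed ranges is left untranslated, and flags any rule that an earlier rule would fully shadow. The addresses are the post's own; the rule-matching semantics (first match wins, per-rule source range, port compared on the original destination port only) are an assumption of this model and not a statement about any particular firewall.

```python
"""Hypothetical first-match NAT rule evaluator (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int  # destination port; this toy model ignores the source port


@dataclass(frozen=True)
class Rule:
    osrc: Tuple[str, str]   # inclusive original-source range (lo, hi)
    odst: str               # original destination address
    osrv: Optional[int]     # original destination port, None means "Any"
    tsrc: Optional[str]     # translated source, None means "Original"
    tdst: Optional[str]     # translated destination, None means "Original"
    tsrv: Optional[int]     # translated port, None means "Original"

    def matches(self, p: Packet) -> bool:
        lo, hi = ip_address(self.osrc[0]), ip_address(self.osrc[1])
        return (lo <= ip_address(p.src) <= hi
                and ip_address(p.dst) == ip_address(self.odst)
                and (self.osrv is None or p.dport == self.osrv))

    def apply(self, p: Packet) -> Packet:
        # "Original" fields are passed through unchanged.
        return Packet(self.tsrc or p.src, self.tdst or p.dst, self.tsrv or p.dport)


def host(addr: str) -> Tuple[str, str]:
    """A single-address range, for rules that name one host."""
    return (addr, addr)


def translate(rules: List[Rule], p: Packet) -> Packet:
    """First matching rule wins; an unmatched packet passes untranslated."""
    for r in rules:
        if r.matches(p):
            return r.apply(p)
    return p


def find_shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers
    every packet they would match (same destination, enclosing source range,
    and a port that is identical or Any)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_covered = (ip_address(earlier.osrc[0]) <= ip_address(later.osrc[0])
                           and ip_address(later.osrc[1]) <= ip_address(earlier.osrc[1]))
            port_covered = earlier.osrv is None or earlier.osrv == later.osrv
            if src_covered and earlier.odst == later.odst and port_covered:
                shadowed.append(j)
                break
    return shadowed


# The seven manual rules from the post, in the order listed.
RULES = [
    Rule(host("3.3.3.3"), "2.2.2.1", 4567, None, "10.2.2.1", None),
    Rule(host("10.2.2.1"), "3.3.3.3", None, "2.2.2.1", None, None),
    Rule(("4.4.4.4", "4.4.4.5"), "2.2.2.1", 5678, None, "10.4.4.1", None),
    Rule(("4.4.4.4", "4.4.4.5"), "2.2.2.1", 6789, None, "10.4.4.1", None),
    Rule(host("10.4.4.1"), "4.4.4.4", None, "2.2.2.1", None, None),  # see note below
    Rule(host("5.5.5.5"), "2.2.2.1", 7890, None, "10.5.5.1", None),
    Rule(host("10.5.5.1"), "5.5.5.5", None, "2.2.2.1", None, None),
]
# The post's return rule for 10.4.4.1 names the range 4.4.4.4-4.4.4.5 as ODst;
# this model keys ODst on a single address, so the range is expanded here.
RULES.insert(5, Rule(host("10.4.4.1"), "4.4.4.5", None, "2.2.2.1", None, None))

# The six inbound use cases from the post: (packet as received, packet after NAT).
INBOUND_CASES = [
    (Packet("3.3.3.3", "2.2.2.1", 4567), Packet("3.3.3.3", "10.2.2.1", 4567)),
    (Packet("4.4.4.4", "2.2.2.1", 5678), Packet("4.4.4.4", "10.4.4.1", 5678)),
    (Packet("4.4.4.5", "2.2.2.1", 5678), Packet("4.4.4.5", "10.4.4.1", 5678)),
    (Packet("4.4.4.4", "2.2.2.1", 6789), Packet("4.4.4.4", "10.4.4.1", 6789)),
    (Packet("4.4.4.5", "2.2.2.1", 6789), Packet("4.4.4.5", "10.4.4.1", 6789)),
    (Packet("5.5.5.5", "2.2.2.1", 7890), Packet("5.5.5.5", "10.5.5.1", 7890)),
]


def check_inbound() -> bool:
    """True when every listed inbound case translates exactly as the post expects."""
    return all(translate(RULES, before) == after for before, after in INBOUND_CASES)


if __name__ == "__main__":
    print("inbound cases OK:", check_inbound())
    print("return packet:", translate(RULES, Packet("10.4.4.1", "4.4.4.5", 40000)))
    print("unlisted source:", translate(RULES, Packet("6.6.6.6", "2.2.2.1", 4567)))
    print("shadowed rules:", find_shadowed(RULES))
```

The unlisted-source check is the one worth keeping in a migration test plan: because every inbound rule is scoped to its OSrc, a host that is not in the list reaches 2.2.2.1 untranslated rather than being forwarded to an internal server, and that behaviour should be verified on the new firewall as deliberately as the positive cases.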