Leon_Jaimes1
Participant

NAT based on source address and destination address and destination port

Hello,

I wanted to run this by the board here, and maybe help others looking for a similar answer.

I have a firewall migration where the existing NAT is set up to translate traffic from different sources destined to the same public IP (not the interface IP), and different ports.

The use cases are as follows:

  1. Incoming packet from src:3.3.3.3 dst:2.2.2.1 port:4567, translate to src:3.3.3.3 dst:10.2.2.1 port:4567
  2. Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:5678, translate to src:4.4.4.4 dst:10.4.4.1 port:5678
  3. Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:5678, translate to src:4.4.4.5 dst:10.4.4.1 port:5678
  4. Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:6789, translate to src:4.4.4.4 dst:10.4.4.1 port:6789
  5. Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:6789, translate to src:4.4.4.5 dst:10.4.4.1 port:6789
  6. Incoming packet from src:5.5.5.5 dst:2.2.2.1 port:7890, translate to src:5.5.5.5 dst:10.5.5.1 port:7890

Lines 2,3,4,5 represent a group of source hosts that connect to multiple destination ports.

Field Abbreviations: Original Source (OSrc), Original Destination (ODst), Original Service (OSrv), Translated Source (TSrc), Translated Destination (TDst), Translated Service (TSrv)

I believe that I need to configure manual rules for each of these as follows, and also configure a proxy arp entry for 2.2.2.1:

  1. OSrc:3.3.3.3 ODst:2.2.2.1 OSrv:4567 TSrc:Original TDst:10.2.2.1 TSrv:Original
  2. OSrc:10.2.2.1 ODst:3.3.3.3 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
  3. OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:5678 TSrc:Original TDst:10.4.4.1 TSrv:Original
  4. OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:6789 TSrc:Original TDst:10.4.4.1 TSrv:Original
  5. OSrc:10.4.4.1 ODst:(4.4.4.4-4.4.4.5) OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
  6. OSrc:5.5.5.5 ODst:2.2.2.1 OSrv:7890 TSrc:Original TDst:10.5.5.1 TSrv:Original
  7. OSrc:10.5.5.1 ODst:5.5.5.5 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original

With lines 3 and 4, since the return traffic will be the same, there is only line 5 that is needed, but this is because I am assuming that the use of Any for the original port for the return traffic is correct.

Does this look correct, or is there a better way to do this without manual NAT?

Thanks,

Leon


3 Replies
PhoneBoy
Admin
Because port factors in, manual rules are what you have to use.
Curious why you're using two rules for these different use cases.
Is it because the traffic could be initiated from either end?
Leon_Jaimes1
Participant

On the two rules, I might be misunderstanding the Manual NAT. I thought it needed the rule to match the reverse traffic. Or is that incorrect and the return traffic matches the rule that was used by the initiating traffic?

[edit] - The traffic may need to be initiated from either side as well, I will double check on that.

PhoneBoy
Admin
If it could be initiated from either side, then you need NAT rules for both directions.
Otherwise, you only need NAT rules in one direction, which will handle reply traffic.

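To illustrate PhoneBoy's answer, here is an added example (not code from the thread or from Check Point): a toy stateful NAT model that uses the rule numbers from Leon's table, with constructed source ports. It shows that the reply to an inbound connection is reversed from the connection table with rules 1, 3, 4 and 6 alone, while a connection that a server opens on its own only gets its source hidden behind 2.2.2.1 when the reverse rules 2, 5 and 7 exist.

```python
"""Toy stateful NAT model for Leon's rule table (added example, not Check Point code).

A packet is (src, sport, dst, dport). A rule is
(osrc_set, odst_set, osrv, tsrc, tdst): None means "Any" in a match field and
"Original" in a translate field. Rules are first-match, like a manual NAT rulebase."""
ANY = None

# Leon's inbound rules 1, 3, 4 and 6: destination NAT for the public IP 2.2.2.1.
INBOUND = [
    ({"3.3.3.3"}, {"2.2.2.1"}, 4567, None, "10.2.2.1"),             # rule 1
    ({"4.4.4.4", "4.4.4.5"}, {"2.2.2.1"}, 5678, None, "10.4.4.1"),  # rule 3
    ({"4.4.4.4", "4.4.4.5"}, {"2.2.2.1"}, 6789, None, "10.4.4.1"),  # rule 4
    ({"5.5.5.5"}, {"2.2.2.1"}, 7890, None, "10.5.5.1"),             # rule 6
]
# Leon's reverse rules 2, 5 and 7: source NAT for connections the servers open.
OUTBOUND = [
    ({"10.2.2.1"}, {"3.3.3.3"}, ANY, "2.2.2.1", None),              # rule 2
    ({"10.4.4.1"}, {"4.4.4.4", "4.4.4.5"}, ANY, "2.2.2.1", None),   # rule 5
    ({"10.5.5.1"}, {"5.5.5.5"}, ANY, "2.2.2.1", None),              # rule 7
]

def nat(pkt, rules, conns):
    """Translate one packet; conns is the firewall's connection table."""
    if pkt in conns:                 # reply of a known connection:
        return conns[pkt]            # reversed from state, no rule consulted
    src, sport, dst, dport = pkt
    out = pkt                        # no match: forward untranslated
    for osrc, odst, osrv, tsrc, tdst in rules:
        if src in osrc and dst in odst and osrv in (ANY, dport):
            out = (tsrc or src, sport, tdst or dst, dport)
            break                    # first match wins
    # Record how to undo this translation for the reply direction.
    conns[(out[2], out[3], out[0], out[1])] = (dst, dport, src, sport)
    return out

def inbound_then_reply(rules):
    """4.4.4.4 connects to 2.2.2.1:5678 (constructed sport 40000); 10.4.4.1 replies."""
    conns = {}
    fwd = nat(("4.4.4.4", 40000, "2.2.2.1", 5678), rules, conns)
    rep = nat(("10.4.4.1", 5678, "4.4.4.4", 40000), rules, conns)
    return fwd, rep

def server_initiated(rules):
    """10.4.4.1 opens its own connection to 4.4.4.5:443 (constructed ports)."""
    return nat(("10.4.4.1", 50000, "4.4.4.5", 443), rules, {})

if __name__ == "__main__":
    print("reply to inbound, inbound rules only:", inbound_then_reply(INBOUND))
    print("server-initiated, inbound rules only:", server_initiated(INBOUND))
    print("server-initiated, both directions   :", server_initiated(INBOUND + OUTBOUND))
```

Without rule 5 the server-initiated connection leaves with the private source 10.4.4.1, which is the case that needs a NAT rule in the second direction.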