Configuring Network Address Translation (NAT)




8 Configuring Network Address Translation (NAT)

Contents

Overview ... 8-3
    Translating Between an Inside and an Outside Network ... 8-3
    Local and Global Addresses ... 8-4
    NAT Implementation Methods ... 8-5
        Dynamic, or Many-to-One, NAT ... 8-5
            Dynamic NAT for Wireless Traffic ... 8-5
            Dynamic NAT for Wired Traffic ... 8-6
            Port Address Translation for Dynamic NAT ... 8-7
        Static, or One-to-One, NAT ... 8-8
            Static NAT on Destination Addresses ... 8-8
            Using Port Forwarding with Static Destination NAT ... 8-10
            Static NAT on Source Addresses ... 8-12
        Understanding Local and Global Addresses ... 8-12
Planning the NAT Configuration ... 8-14
    Consider Your Company's Requirements for NAT ... 8-14
    Record Necessary IP Addresses and Select the NAT Implementation Method ... 8-15
        Planning the Configuration for Dynamic NAT ... 8-16
        Planning the Configuration for Static NAT ... 8-17
Configuring Standard ACLs for Dynamic NAT ... 8-20
Configuring NAT ... 8-22
    Defining Interfaces as Outside or Inside ... 8-22
    Configuring Dynamic NAT ... 8-24
    Configuring Static Translation ... 8-27
        Configuring Static Source NAT ... 8-28
        Configuring Static Destination NAT ... 8-31
    Viewing NAT Status ... 8-36

Overview

You can configure the ProCurve Wireless Edge Services xl Module to perform Network Address Translation (NAT) on traffic routed between two subnetworks, typically traffic exchanged between the wireless and the wired network. The module can translate either the source or the destination IP address in a packet's IP header to a new address.

The Wireless Edge Services xl Module allows you to implement NAT in several different ways. For example, you can configure the module to use a single IP address as the source address for an entire group of wireless stations when these stations transmit data to a wired network. This implementation of NAT allows users whose wireless stations have private IP addresses to access the Internet using one public IP address. NAT also adds another layer of security by concealing the actual IP addresses of wireless devices from users in the wired network.

Translating Between an Inside and an Outside Network

When implementing NAT, the Wireless Edge Services xl Module distinguishes between an inside and an outside network, and implements NAT at the border between the two networks. When you configure NAT, you define the inside and outside networks by specifying whether a given virtual LAN (VLAN) interface is inside or outside. For example, in Figure 8-1, wireless LAN (WLAN) A is assigned to VLAN 8, which has been defined as an inside interface. On the other hand, VLAN 4, which is used in the Ethernet LAN, is defined as an outside interface. The setting you select for a particular VLAN, either inside or outside, depends on how you implement NAT. (The options for implementing NAT are described in "NAT Implementation Methods" on page 8-5.)

Figure 8-1. Dividing Interfaces into Inside and Outside Interfaces

The Wireless Edge Services xl Module always performs NAT on traffic as the traffic arrives on an interface. Because the module can apply NAT to both inside and outside interfaces, it can perform NAT in both directions.

Note: When the Wireless Edge Services xl Module maps wireless traffic to a VLAN, that traffic is considered to have arrived on the VLAN interface.

Local and Global Addresses

In addition to identifying inside and outside networks, the Wireless Edge Services xl Module distinguishes between an IP address as it appears before and after translation. The Web browser interface and the command line interface (CLI) use two terms to make this distinction:

- local IP address: the IP address as it appears before translation
- global IP address: the IP address as it appears after translation

As mentioned earlier, the Wireless Edge Services xl Module translates the IP address in a packet's IP header. Depending on how you implement NAT, the module can translate a packet's source IP address or its destination IP address.

NAT Implementation Methods

On the Wireless Edge Services xl Module, you can configure:

- dynamic NAT
- static NAT

Dynamic NAT affects only source IP addresses, while static NAT can translate either source or destination IP addresses.

Dynamic, or Many-to-One, NAT

Perhaps the most common implementation of NAT is dynamic NAT, sometimes called many-to-one NAT because it allows multiple stations to share the same IP address after translation. Dynamic NAT applies only to source IP addresses.

You define dynamic NAT using the following specifications:

- access control lists (ACLs), which select the source IP addresses of traffic on which the Wireless Edge Services xl Module performs NAT
- a Wireless Edge Services xl Module interface, which defines the IP address to which the source address is translated

This NAT method is considered dynamic because when you modify an ACL or interface, the corresponding NAT definition is modified accordingly.

You can apply dynamic NAT to traffic that arrives on inside interfaces, on outside interfaces, or on both. The sections below discuss some uses for dynamic NAT for wireless traffic and for wired traffic. (Whether configuring NAT on wireless traffic requires inside or outside NAT depends on how you define the VLAN interface in which the module places wireless traffic.)

Dynamic NAT for Wireless Traffic

Implementing dynamic NAT on wireless traffic allows you to create VLANs for wireless traffic only. The Wireless Edge Services xl Module assigns WLAN traffic to a VLAN reserved for wireless stations; its internal DHCP server issues wireless stations IP addresses in this VLAN. Before routing wireless traffic into the Ethernet network, the module translates these local DHCP addresses to an IP address valid in the wired network: the module's own.

This implementation also has the advantage of conserving IP addresses: instead of each wireless station having its own IP address that is valid in the wired network, all wireless stations share the Wireless Edge Services xl Module's address.

Figure 8-2 illustrates this configuration, which allows wireless stations to use IP addresses local to the wireless network but still to open sessions with servers in the Ethernet network.

Figure 8-2. Dynamic Source NAT on Wireless Traffic

You can also implement NAT on the module to ready wireless traffic for transmission to the Internet if you do not have another device that does so. Many companies have only one public IP address although they have many employees who need Internet access. With dynamic NAT, all these employees can share one IP address. When users on the company's wireless network send requests to the Internet, the Wireless Edge Services xl Module translates the senders' local IP addresses to a global address: the module's IP address in the wired network. After translating the packets' source IP addresses, the module forwards the requests onto the Ethernet network and toward the Internet.

Dynamic NAT for Wired Traffic

You can configure dynamic NAT for traffic bound from the wired network to the wireless network. In this case, the Wireless Edge Services xl Module translates wired devices' IP addresses to one of the module's own IP addresses.

You might use dynamic NAT on wired traffic when your wireless network receives a great deal of public traffic. You can then conceal the IP addresses of devices in your private network from the wireless users. (See Figure 8-3.)

Figure 8-3. Dynamic Source NAT

Again, whether you apply dynamic NAT to inside or outside traffic depends on how you have defined interfaces. In this example, you have defined the VLAN used in the wired network as an outside interface, so you configure outside dynamic NAT.

If you want to allow wireless users to access internal servers, you must configure destination NAT to translate the publicly known IP address back to the servers' internal addresses. (See "Static NAT on Destination Addresses" on page 8-8.) In fact, instead of configuring dynamic source NAT to conceal private addresses, you might want to configure only destination NAT. The Wireless Edge Services xl Module automatically performs source NAT on the traffic returning from the server.

Port Address Translation for Dynamic NAT

To enable multiple users to share one IP address, the Wireless Edge Services xl Module uses port address translation in conjunction with NAT. When the module translates a local IP address to a global address, it assigns each local address a unique port number, as shown in Table 8-1.

The Wireless Edge Services xl Module uses this port number to forward return traffic, which is destined to the single global IP address, to the correct local IP address. For example, Table 8-1 lists possible IP addresses for the network shown in Figure 8-3. In this case, the module translates all inside addresses (in the 192.168.1.0/24 subnetwork) to 10.1.1.1. If a packet arrives for 10.1.1.1 on port 4001, the module knows to forward the packet toward the station at 192.168.1.11.

Table 8-1. Information Recorded in a Port-Mapping Table for a Sample Network

Local IP Address   Translated (Global) IP Address   Translated Port   Destination IP Address   Destination Port
192.168.1.10       10.1.1.1                         4000              10.20.1.1                80
192.168.1.11       10.1.1.1                         4001              172.16.1.10              80
192.168.1.12       10.1.1.1                         4002              172.16.10.5              80
192.168.1.13       10.1.1.1                         4003              10.45.16.1               80
192.168.1.14       10.1.1.1                         4004              172.16.11.1              80

Static, or One-to-One, NAT

You can also configure static definitions for NAT. In this case, you manually specify the following information for each one-to-one NAT:

- the IP address (and optionally, port) that should be translated
- the IP address (and optionally, port) that should replace the original address

The Wireless Edge Services xl Module can perform static translation on both source IP addresses and destination IP addresses. In addition, it can apply NAT to traffic inbound from the inside network or from the outside network.

Static NAT on Destination Addresses

One reason to use destination NAT is to allow wireless users to access servers on your internal LAN, while still concealing the servers' IP addresses. This use is particularly important when you open your wireless network to the public. Because this wireless network is much like the Internet, filled with untrusted users, you should implement the same types of security measures that you put in place for users who access your network from the Internet.

Configure destination NAT to allow wireless users to send traffic toward a server's publicly known address. The Wireless Edge Services xl Module translates the traffic's destination address to the correct local address. When the server replies, the module automatically translates the source address back to the address to which the traffic was originally destined, and the private address remains concealed.

For example, your company may have a Web server or an FTP server, which is housed on your internal LAN. To access this server, wireless users enter a URL, which is resolved through a Domain Name System (DNS) server to a public IP address. When your Wireless Edge Services xl Module receives a packet destined to this address, it translates the destination IP address and forwards the packet toward the correct internal device.

For example, in Figure 8-4, a Web server on the internal LAN has an IP address of 192.168.1.10. However, the IP address to which wireless stations send traffic is 10.1.1.1. When the ProCurve Wireless Edge Services xl Module receives packets with the destination address of 10.1.1.1, it translates the destination address to the private IP address of the Web server: 192.168.1.10. The source IP address is not affected. (See Figure 8-4.) Therefore, you must ensure that devices in the wired network can route traffic back to the subnetwork used in the wireless network.

Figure 8-4. Outside Destination NAT

One principle to remember: on the Wireless Edge Services xl Module, you define which VLANs are inside interfaces and which are outside. Figure 8-4 shows a configuration in which the VLAN used in the Ethernet network is an outside interface. So you configure the destination NAT on inside interfaces (these interfaces receive traffic that is destined to the outside VLAN).

As mentioned earlier, you can apply destination NAT to traffic from both the inside and the outside network. In theory, you could also apply destination NAT to traffic being sent from the wired network to the wireless network. However, destination NAT is typically used to allow servers to share a public IP address and to conceal their private addresses. Your wireless network is unlikely to include such servers, so you would probably set up destination NAT in one direction.

Using Port Forwarding with Static Destination NAT

The Wireless Edge Services xl Module also supports port forwarding for static destination NAT. Port forwarding allows two or more devices on a network to share a single IP address known in the other network. For example, you could have wireless users send traffic that is destined to two different servers to the same IP address:

- your LAN's Web server
- your LAN's FTP server

The Wireless Edge Services xl Module would then translate the destination IP addresses of all traffic destined to port 80 to the Web server's private IP address (the address on the wired network). Likewise, the module would translate all traffic destined to port 21 to the FTP server's private IP address.

Figure 8-5. Outside Destination NAT with Port Forwarding

When the module translates the destination IP address, it can also perform port translation, assigning the traffic to the particular port used by the destination device.

Static NAT on Source Addresses

Static source NAT is an alternative to dynamic source NAT. However, instead of allowing many stations to share one global address, static source NAT sets up a one-to-one correspondence between a particular IP address and a translated IP address. Use this option only when relatively few devices in one network (inside or outside) need to access devices in the other network.

Understanding Local and Global Addresses

When you configure NAT on the Wireless Edge Services xl Module, you define a local address and a global address. As mentioned earlier, the local address is the pre-translation address. For source NAT, the local address is always the IP address assigned to the device for the network in which the device resides. In Figure 8-6, the local address is any address used by a device in WLAN A: the 10.1.1.0/24 subnetwork.

Figure 8-6. Local Addresses

However, for destination NAT, the local address is actually the address as it appears across the border between inside and outside. This is because packets, pre-translation, are destined to the IP address that the originating station knows for the destination device, not the destination's actual IP address. In Figure 8-5 on page 8-11, for example, the local address is 10.1.1.1.

Table 8-2 summarizes this terminology.

Table 8-2. Terminology for IP Addresses According to NAT Implementation

NAT Interface Type (Inside or Outside)   NAT Address Type   Address   Explanation of Address
Inside                                   Source             Local     An inside station's IP address as it appears on the inside network
Inside                                   Source             Global    An inside station's IP address as it appears on the outside network
Inside                                   Destination        Local     An outside station's IP address as it appears on the inside network
Inside                                   Destination        Global    An outside station's IP address as it appears on the outside network
Outside                                  Source             Local     An outside station's IP address as it appears on the outside network
Outside                                  Source             Global    An outside station's IP address as it appears on the inside network
Outside                                  Destination        Local     An inside station's IP address as it appears on the outside network
Outside                                  Destination        Global    An inside station's IP address as it appears on the inside network

Planning the NAT Configuration

Before you access the Security > NAT screen and begin to set up NAT for your wireless network, you should plan your configuration:

1. Consider your company's network topology and security needs and determine the requirements for NAT. In other words, decide which NAT methods you need to configure and which traffic should be translated.
2. Record the IP addresses necessary for your NAT configuration.
3. If you are using dynamic NAT, configure the necessary standard ACLs.

The following sections outline these steps in more detail.

Consider Your Company's Requirements for NAT

The Wireless Edge Services xl Module supports a variety of options for NAT. Use the following scenarios to determine which options you must configure:

- You want to assign wireless stations to VLANs reserved for wireless traffic (either for security or to conserve IP addresses on your LAN, or both). All wireless stations will share a single IP address in your LAN: an address used by the Wireless Edge Services xl Module.

  Assign the WLAN to a VLAN not used in the Ethernet network. Use DHCP to assign addresses to wireless stations in that VLAN. (See Chapter 6: IP Services: IP Settings, DHCP, and DNS.) Define the VLAN in which the Wireless Edge Services xl Module places wireless traffic as an inside VLAN and configure dynamic NAT on inside traffic. Or, define the VLAN as an outside VLAN and configure dynamic NAT on outside traffic. (For the exact configuration steps, see "Configuring Dynamic NAT" on page 8-24.)

- You want to prepare wireless traffic for transmission on the Internet. This scenario is similar to the one above. Define VLANs associated with wireless traffic as inside VLANs and configure dynamic NAT on inside traffic. Make sure that your Wireless Edge Services xl Module has a valid public IP address and can reach your Internet Service Provider's (ISP's) router.

- You want to conceal IP addresses used in your LAN from wireless users. Separate the VLANs for wired traffic from the VLANs for wireless traffic: when you specify the uplink VLANs in which the Wireless Edge Services xl Module places traffic from WLANs, choose different VLANs from those already used in the wired network. Next, define the wired VLANs as inside interfaces and define the wireless VLANs as outside interfaces. Configure static destination NAT on outside traffic. Each static destination NAT definition allows you to map a global IP address and destination port to a particular address used in your internal network, typically that of network servers. Create a different NAT definition for each server in the Ethernet network that users in the wireless network must access.

Note: The Wireless Edge Services xl Module performs at most one type of NAT on a packet. Therefore, you should typically configure source NAT for either inside or outside interfaces. For example, your internal (wired) network might use VLAN 2, and the module might perform dynamic source NAT on all traffic from that VLAN, translating the addresses used on the Ethernet network to the module's address on the wireless network. You might also configure static destination NAT for wireless traffic destined to certain wired servers. Configuring dynamic NAT for wireless traffic would have no effect on traffic destined to the wired resources: when the module translates an outside packet's destination address, it does not apply dynamic NAT. Because wireless traffic enters the Ethernet network with its source address unchanged, the Ethernet infrastructure devices must know routes to the subnetwork for wireless traffic.

Record Necessary IP Addresses and Select the NAT Implementation Method

As part of your NAT planning, you should record:

- local address: the address or addresses that will be translated
- global address: the address that will replace the local address when the module applies NAT

You should also determine which NAT implementation method you are using. For example, if you want to conserve IP addresses on your LAN, you will probably decide to use dynamic NAT on inside traffic. If you want to allow wireless users access to private Web or FTP servers with concealed IP addresses, you will use static NAT.

Planning the Configuration for Dynamic NAT

If you are using dynamic NAT, you must use ACLs to specify which traffic the Wireless Edge Services xl Module NATs. Consider which IP addresses these ACLs should select. For example, if you want to NAT all traffic from wireless stations in a particular WLAN, you can create an ACL that permits any IP address and specifies that particular WLAN.

You may want the Wireless Edge Services xl Module to NAT traffic from wireless stations before that traffic enters your wired network. In this case, you would first configure the module to place wireless stations in a particular VLAN and act as a DHCP server, assigning the stations IP addresses in a corresponding subnet. Before the module forwarded this traffic to the wired network, it would NAT the traffic to a single IP address, as shown in Figure 8-7.

Figure 8-7. Dynamic NAT on a Sample Network

For this NAT implementation, you would record the IP addresses specified in the DHCP pool and configure an ACL that selects those addresses. Table 8-3 lists the actual IP addresses that you would record for the sample network shown in Figure 8-7.

Table 8-3. Recording Addresses for Dynamic NAT on a Sample Network

NAT Interface Type (Inside or Outside)   NAT Address Type   Local or Global Address                                                   Recorded Addresses for the Sample Network
Inside                                   Source             Local (stations' IP addresses as they appear on the wireless network)    10.1.1.0/24 subnetwork assigned through DHCP and specified in an ACL
Inside                                   Source             Global (IP address for all stations as it appears on the wired network)   192.168.1.10 (module's VLAN 1 IP address)

Planning the Configuration for Static NAT

For static NAT, you manually specify the IP address and port settings within each NAT configuration. You must configure a separate static definition specifically for each IP address that your Wireless Edge Services xl Module must translate.

Before configuring static destination NAT for traffic destined to network servers, collect the following information:

- the IP address that you want to advertise to wireless stations (through, for example, a DNS server). This will be the original destination address (local address) for incoming packets.
- the destination port for traffic that will be subject to NAT (local port) and the corresponding protocol (TCP or UDP). This setting is for port translation, which enables multiple internal servers to share one advertised IP address. For example, the Wireless Edge Services xl Module can select traffic destined to:
  - a Web server on port 80
  - an FTP server on port 21
- the internal device's IP address on your LAN. This will be the translated destination address (global address).
- the translated destination port (global port). This setting is also optional. If you do not specify this port, the module forwards traffic to the destination port on which it arrived.

To configure static source NAT, you must know:

- the local address to which the module must apply NAT
- the global address to which the module should translate the original address

You can optionally specify a new source port for the translated traffic.

In Figure 8-8, for example, the company wants to conceal the actual IP address of its Web server, 192.168.1.25. The company has also set up its Web server to use a different port: port 51000. For this implementation, you must configure destination NAT with port translation.

Figure 8-8. Outside Destination NAT with Port Translation on a Sample Network

In Figure 8-8, the VLAN for wireless stations is the inside interface, so the Web server is an outside device. Therefore you must set up inside destination NAT. You could alternatively define the Web server's VLAN as the inside interface, in which case you would configure outside destination NAT.

When you record the local address for destination NAT, identify the destination device's IP address as it appears on the source network. On the wireless network, the Web server's IP address appears to be 10.1.1.1. For this sample network, you would record 10.1.1.1 for the local address, as shown in Table 8-4.

When you record the global address for destination NAT, identify the inside device's IP address as it appears in the destination network. For the sample network, the Web server's actual IP address is 192.168.1.25. You would, therefore, record 192.168.1.25 as the global address. Because the sample network is also using port address translation, you should record the port for the translated traffic, as shown in Table 8-4.

Table 8-4. Recording Addresses for Outside Destination NAT

NAT Interface Type   NAT Address Type   Local or Global Address                                                     Local or Global Port                                                Recorded Address for the Sample Network   Recorded Port for the Sample Network
Inside               Destination        Local (outside device's IP address as it appears on the inside network)     Local (port to which the inside devices originally send traffic)    10.1.1.1                                  80
Inside               Destination        Global (outside device's IP address as it appears on the outside network)   Global (port used by the outside device)                            192.168.1.25                              51000
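The following worked example is added here and is not part of the ProCurve manual or of the module's software. It models, in Python, the static destination NAT definitions planned in Table 8-4 and the port-forwarding case described under "Using Port Forwarding with Static Destination NAT": a definition is keyed by advertised (local) address, protocol and local port, the global port is optional and the arriving port is kept when it is absent, and the server's reply has its source rewritten back to the advertised address so the real address stays concealed. The Web server entry (10.1.1.1:80 to 192.168.1.25:51000) comes from Table 8-4; the FTP server address 192.168.1.26, the station addresses and all station ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet: protocol plus the two address/port pairs NAT touches."""
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticDestNat:
    """One static destination NAT definition, recorded the way Table 8-4 does:
    local = address/port the stations send to, global = the internal device's real address/port."""
    local_ip: str
    local_port: int
    proto: str
    global_ip: str
    global_port: Optional[int] = None   # optional: None forwards to the port the packet arrived on


class DestinationNat:
    """Applies static destination NAT to station traffic and reverses it on the server's replies."""

    def __init__(self, definitions):
        self.definitions = list(definitions)
        # (proto, station_ip, station_port, real_ip, real_port) -> (advertised_ip, advertised_port)
        self.sessions = {}

    def _match(self, pkt):
        # A definition selects traffic by protocol, advertised address and advertised (local) port.
        for d in self.definitions:
            if d.proto == pkt.proto and d.local_ip == pkt.dst_ip and d.local_port == pkt.dst_port:
                return d
        return None

    def inbound(self, pkt):
        """Translate a packet that arrives from a station; packets matching no definition pass unchanged."""
        d = self._match(pkt)
        if d is None:
            return pkt
        new_port = d.global_port if d.global_port is not None else pkt.dst_port
        # Remember the session so the reply can be mapped back to the advertised address.
        self.sessions[(pkt.proto, pkt.src_ip, pkt.src_port, d.global_ip, new_port)] = (pkt.dst_ip, pkt.dst_port)
        # Only the destination is rewritten; the station's source address is untouched, which is why
        # the wired network must hold a route back to the wireless subnetwork.
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, d.global_ip, new_port)

    def reply(self, pkt):
        """Rewrite a server reply so its source is the advertised address and port again.
        A packet with no recorded session is returned unchanged: no destination NAT session covers it."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        advertised = self.sessions.get(key)
        if advertised is None:
            return pkt
        return Packet(pkt.proto, advertised[0], advertised[1], pkt.dst_ip, pkt.dst_port)


def build_sample_dnat():
    """Definitions for the sample network: Table 8-4's Web server plus a constructed FTP server."""
    return DestinationNat([
        StaticDestNat("10.1.1.1", 80, "tcp", "192.168.1.25", 51000),   # from Table 8-4 (port translation)
        StaticDestNat("10.1.1.1", 21, "tcp", "192.168.1.26"),          # constructed: FTP keeps port 21
    ])


if __name__ == "__main__":
    nat = build_sample_dnat()
    request = Packet("tcp", "10.1.1.50", 52000, "10.1.1.1", 80)      # constructed station traffic
    toward_server = nat.inbound(request)
    answer = nat.reply(Packet("tcp", "192.168.1.25", 51000, "10.1.1.50", 52000))
    print("to server:", toward_server)
    print("reply as the station sees it:", answer)
```

Because only the destination is rewritten on the way in, the model keeps a per-session record purely to reverse the translation on the reply; the station never sees 192.168.1.25 or port 51000, which is the concealment the manual describes.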

Configuring Standard ACLs for Dynamic NAT

To configure dynamic translation, you use a standard ACL to select the IP addresses that the Wireless Edge Services xl Module NATs. Although you can use any ACL that you have configured, you will probably want to configure ACLs to meet the specific requirements for your NAT implementation. Remember that, depending on the types of NAT you are configuring, you might need to create several ACLs. If your module will NAT both inside and outside traffic, you must create one ACL to select IP addresses used in the inside network and one ACL that selects addresses used in the outside network.

To create ACLs, use the procedure documented in Chapter 7: Access Control Lists (ACLs). For NAT, you must create a standard IP ACL. To add rules to the ACL, use the screen shown in Figure 8-9.

Figure 8-9. Add Rule Screen for Standard IP ACLs

The full procedure for adding rules to ACLs is documented in Chapter 7: Access Control Lists (ACLs). The following rule guidelines apply to ACLs used for NAT:

- In the Operation field, the permit operation means that traffic will be subject to NAT; the deny operation means that traffic will not be subject to NAT. (The mark operation does not apply to NAT.)
- The entries in the Filters area specify the source IP address or range of source IP addresses for which NAT will be either permitted or denied. (The Wlan Index entry is optional.) For example, to NAT all traffic that arrives from the wireless network, you would set up a permit any rule. Or, to NAT all traffic from a particular subnet, the rule would specify the subnet's IP address and subnet mask. For example, you might have mapped a particular WLAN to a VLAN and then set up a DHCP pool for that VLAN on the Wireless Edge Services xl Module. To apply NAT to all of the wireless stations that have been assigned addresses in that VLAN, specify the VLAN's subnet IP address and mask.

After you have created ACLs and added rules to them, you can select those ACLs when you set up NATs using dynamic translation. (See Configuring Dynamic NAT on page 8-24.)

Configuring NAT

To configure NAT, follow these steps:

1. Enable routing. See IP Settings on page 6-3 of Chapter 6: IP Services - IP Settings, DHCP, and DNS.
2. Define interfaces as inside or outside interfaces. When you create a NAT definition, you will select whether this definition applies to inside or outside traffic. To do so, you must know which Wireless Edge Services xl Module interfaces connect to inside networks and which to outside networks. See Defining Interfaces as Outside or Inside on page 8-22.
3. Configure one or both types of NATs:
   - Dynamic translation, based on ACLs, which permit or deny NAT based on IP addresses; as the ACL configuration changes, the NAT configuration changes as well.
   - Static translation, configured for specific IP addresses and ports; any configuration changes are made within the NAT configuration itself.

Defining Interfaces as Outside or Inside

NAT configurations have no effect until you map interfaces to NAT by defining particular interfaces as outside or inside. For example, when traffic arrives on an inside interface, the module applies the configurations created for inside NAT (as long as the traffic matches the specifications for that NAT definition).

Note: NAT applies to traffic that arrives on an interface. NAT does not affect traffic sent from an interface.

To define an interface as outside or inside, complete these steps:

1. Select Security > NAT and click the Interfaces tab.

Figure 8-10. Security > NAT > Interfaces Screen

2. Click the Add button. The Add Interface screen is displayed.

Figure 8-11. Add Interface Screen

3. In the Interfaces field, use the drop-down menu to select an interface configured on the module.

4. In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public).
5. Click the OK button. The interface is now listed on the Security > NAT > Interfaces screen.

Figure 8-12. Interface Assignment in Security > NAT > Interfaces Screen

Configuring Dynamic NAT

For each NAT configuration that will use dynamic NAT, you must first set up an ACL. This ACL contains rules that select the source addresses for traffic to be translated. For information about creating this ACL, see Chapter 7: Access Control Lists (ACLs) and Configuring Standard ACLs for Dynamic NAT on page 8-20.

To configure dynamic translation, complete these steps:

1. Select Security > NAT and click the Dynamic Translation tab.

Figure 8-13. Security > NAT > Dynamic Translation Screen

2. Click the Add button. The Add Dynamic Translation screen is displayed.

Figure 8-14. Add Dynamic Translation Screen

3. In the NAT Interface field, use the drop-down menu to select the type of interfaces to which the module applies NAT:
   - Inside (Private): traffic that arrives from the inside network. In other words, inside NAT applies to incoming traffic on an inside interface; typically, the inside traffic should be bound for the outside network. Internal addresses are those that you are trying to adjust for, or to conceal from, the outside world, so you will usually select this option for dynamic source NAT.
   - Outside (Public): traffic that arrives from the outside network. In other words, incoming traffic on an outside interface.
4. In the NAT Address Type field, leave the setting at Source (the only option permitted for dynamic translation). The Wireless Edge Services xl Module translates the source addresses of selected traffic.
5. In the Access List field, use the drop-down menu to select the ACL that you configured to select traffic. This ACL should permit the source addresses that you want to translate. For inside dynamic NAT, the ACL should select inside addresses as they appear locally (on the inside network). When using outside dynamic NAT, choose an ACL that selects outside addresses as they appear on the outside network. For example, if your outside network is a publicly used wireless network, the ACL should select traffic from the IP addresses assigned to wireless stations.
6. From the Interface drop-down menu, select one of the module's VLAN or tunnel interfaces. The Wireless Edge Services xl Module translates the source addresses to the IP address on the specified interface. Ethernet interfaces are named vlan1, vlan2, and so on; GRE tunnel interfaces are named tunnel1, tunnel2, and so on. If you are configuring dynamic NAT on traffic from wireless stations, make sure to choose an interface that is tagged on the module's uplink port. In this way, return traffic from the wired network can reach the wireless stations. The interface you select is sometimes called the overloaded interface because many devices share its IP address.
7. Click the OK button.

The definition for dynamic translation is now listed on the Security > NAT > Dynamic Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured dynamic NAT. (See Defining Interfaces as Outside or Inside on page 8-22.)

Figure 8-15. Dynamic NAT Configuration in the Security > NAT > Dynamic Translation Screen

Configuring Static Translation

Static translation sets up a one-to-one correspondence between a source or destination IP address and a translated IP address. The configuration steps depend on whether you are configuring static source NAT or static destination NAT.

Configuring Static Source NAT

When the Wireless Edge Services xl Module stands between two networks that use different IP addresses, static source NAT allows a device in one network to reach devices in the other network. The module translates the traffic's source address so that the device that sent the traffic appears to have a valid IP address in the other network. Note that the more typical configuration for source NAT is often dynamic NAT because it allows multiple devices to share the same translated IP address.

To configure a static source translation, complete these steps:

1. Select Security > NAT and click the Static Translation tab.

Figure 8-16. Security > NAT > Static Translation Screen

2. Click the Add button. The Add Static Translation screen is displayed.

Figure 8-17. Add Static Translation Screen

3. In the NAT section, select the Interface Type and Address Type:
   a. The Interface Type determines to which interfaces the Wireless Edge Services xl Module applies the static NAT definition:
      - Outside (Public): incoming traffic on an outside interface
      - Inside (Private): incoming traffic on an inside interface
   b. For the Address Type, select Source. The module translates the packet's source IP address.
   The correct settings depend, of course, on the goal of the NAT configuration and on how you have defined interfaces in your network. When you select Source for the Address Type, the Interface Type choice is relatively straightforward: choose Inside (Private) to apply NAT to inside devices and Outside (Public) to apply NAT to outside devices. See Static, or One-to-One, NAT on page 8-8 and Planning the NAT Configuration on page 8-14 for more guidelines on choosing these settings.
4. In the Before Translation section, specify the IP address of traffic to which the module should apply NAT.
   a. In the Local Address field, enter the IP address to be translated. This address depends on the choices that you made in the NAT section. Refer to Table 8-5.

Table 8-5. Determining the IP Address for the Local Address Field

  Interface Type    | Address Type | IP Address for the Local Address Field
  Inside (Private)  | Source       | IP address of an inside device as it appears on the inside network
  Outside (Public)  | Source       | IP address of an outside device as it appears on the outside network

   For example, for source NAT, enter the configured IP address assigned to a device in its own network. This address is typically allocated out of a private address space.
   b. The Local Port field is not available for source NAT.
5. In the After Translation section, specify the IP address to which the Wireless Edge Services xl Module should translate the source address:
   a. In the Global Address field, enter the IP address as it should appear after translation. See Table 8-6 for guidelines on specifying this address.

Table 8-6. Determining the IP Address for the Global Address Field

  Interface Type    | Address Type | IP Address for the Global Address Field
  Inside (Private)  | Source       | IP address of an inside device as it should appear on the outside network
  Outside (Public)  | Source       | IP address of an outside device as it should appear on the inside network

   Make sure to enter a valid IP address on this Wireless Edge Services xl Module. Select an address that is valid in the network to which the traffic is destined. For example, if you are configuring source NAT for a wireless device, enter an IP address on a VLAN tagged on the uplink.
   b. The Global Port field is not available for source NAT. The Wireless Edge Services xl Module automatically assigns a port to the translated packet.
6. Click the OK button. The static NAT definition is now listed on the Security > NAT > Static Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured static source NAT. (See Defining Interfaces as Outside or Inside on page 8-22.)

Figure 8-18. Static NAT Definition in the Security > NAT > Static Translation Screen

Configuring Static Destination NAT

Again, the Wireless Edge Services xl Module stands between two networks that use different IP addresses. Destination NAT allows clients in one network to open sessions with servers in the other network. You must configure destination NAT statically.

To configure a static destination translation, complete these steps:

1. Select Security > NAT and click the Static Translation tab.

Figure 8-19. Security > NAT > Static Translation Screen

2. Click the Add button. The Add Static Translation screen is displayed.

Figure 8-20. Add Static Translation Screen

3. In the NAT section, select the Interface Type and Address Type:
   a. The Interface Type determines to which interfaces the Wireless Edge Services xl Module applies the static NAT definition:
      - Outside (Public): incoming traffic on an outside interface
      - Inside (Private): incoming traffic on an inside interface
   b. For the Address Type, select Destination. The module translates the destination IP address in the IP header.
   The correct settings depend, of course, on the goal of the NAT configuration and on how you have defined interfaces in your network. Remember: destination NAT allows client traffic to reach servers at public IP addresses, and servers are typically in your wired network. If you define VLANs for wired servers as outside interfaces, you should define VLANs for wireless traffic as inside interfaces. Then select Destination for the Address Type and Inside (Private) for the Interface Type. On the other hand, you might define VLANs for wireless traffic as outside interfaces. In this case, select Destination for the Address Type and Outside (Public) for the Interface Type. In either case, NAT applies to traffic from wireless stations destined to wired servers. See Static, or One-to-One, NAT on page 8-8 and Planning the NAT Configuration on page 8-14 for more guidelines on choosing these settings.

4. Select either TCP or UDP in the Protocol drop-down menu. This setting, which is available only for destination NAT, allows you to configure port forwarding. Choose the protocol for the application for which you are creating the NAT definition. For example, if you are setting up destination NAT to allow wireless stations to reach your Web server, select TCP.
5. In the Before Translation section, specify the IP address and port to which the traffic to be translated is destined.
   a. In the Local Address field, enter the IP address to be translated. This address depends on the choices that you made in the NAT section. Refer to Table 8-5.

Table 8-7. Determining the IP Address for the Local Address Field

  Interface Type    | Address Type | IP Address for the Local Address Field
  Inside (Private)  | Destination  | IP address of an outside device as it appears on the inside network
  Outside (Public)  | Destination  | IP address of an inside device as it appears on the outside network

   For destination NAT, the local address is actually the IP address of a host as it appears to hosts in the opposite network. So if you are using destination NAT to translate wireless requests to a wired server, enter the address known in the wireless network (typically, the Wireless Edge Services xl Module's).
   b. In the Local Port field, enter the port to which the traffic to be translated is destined. Specify a number from 1 through 65,535. This setting is used for port forwarding and is available only when you select Destination for the Address Type. See Using Port Forwarding with Static Destination NAT on page 8-10 for more information. For example, suppose you are setting up NAT for traffic inbound from a public wireless network to your internal FTP server. This traffic from the public network is destined to port 21, so you enter 21 in the Local Port field.
6. In the After Translation section, specify how the Wireless Edge Services xl Module should translate the IP header:
   a. In the Global Address field, enter the IP address as it should appear after translation. In other words, enter the actual IP address of the server to which the traffic is destined.

   See Table 8-6 for guidelines on specifying this address.

Table 8-8. Determining the IP Address for the Global Address Field

  Interface Type    | Address Type | IP Address for the Global Address Field
  Inside (Private)  | Destination  | IP address of an outside device on the outside network
  Outside (Public)  | Destination  | IP address of an inside device on the inside network

   In the example in which you are configuring destination NAT to allow public access to your company's FTP server, you would enter the FTP server's private address.
   b. In the Global Port field, enter the port to which the Wireless Edge Services xl Module should forward the traffic. This optional setting for destination NAT provides port translation. For example, traffic arrives for your internal Web server on its public IP address and the standard HTML port 80 (which you specify in the Local Port field of the Before Translation section). The module translates the traffic to the Web server's private address and a private port, selected by your company. Enter the private address in the Global Address field and the private port in the Global Port field.
7. Click the OK button. The static NAT definition is now listed on the Security > NAT > Static Translation screen. Remember: the translation does not take effect unless you define an interface as the type on which you configured static destination NAT. (See Defining Interfaces as Outside or Inside on page 8-22.)

Figure 8-21. Static NAT Definition in the Security > NAT > Static Translation Screen

Viewing NAT Status

To view current translations, select Security > NAT and click the Status tab. Alternatively, you can select Security and click the NAT Status tab. (See Figure 8-22.)

Figure 8-22. Security > NAT > Status Screen

Each active session to which the Wireless Edge Services xl Module has applied NAT is displayed in a row. The screen columns show the IP addresses associated with the session:

- Inside-Global: the source IP address as it appears in the destination device's network
- Inside-Local: the source IP address as it appears in the source device's network
- Outside-Global: the destination IP address as it appears in the destination device's network
- Outside-Local: the destination IP address as it appears in the source device's network

For example, if you have configured dynamic source NAT on inside traffic, the Inside-Local column lists the IP address of the source device in the inside network. The Inside-Global column lists the translated IP address. (See the top row in Figure 8-22.)

The number after a colon indicates the port. For example, the module has translated the source IP addresses in the first three rows to the same global source address, but to different port numbers.

On the other hand, for a session using static destination NAT on outside traffic, the translation appears in the Outside-Global and Outside-Local columns. The Outside-Local column shows the IP address to which the source device actually destines the packet. The Outside-Global column shows the destination IP address after the module has translated it to the destination device's actual address. (See Figure 8-23.)

Figure 8-23. Viewing Outside NAT in the Security > NAT > Status Screen

To export statistical information about a specific session, select the row and click the Export button. On the screen that is displayed, specify the destination filename and location.
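The ACL selection rules from Configuring Standard ACLs for Dynamic NAT and the four status columns described above, modelled together in an added Python example that is not the module's own code. The 10.1.1.1:80 to 192.168.1.25:51000 mapping is the chapter's sample; the wireless subnet 10.1.1.0/24, the exempted station 10.1.1.254, the overloaded uplink VLAN address 192.168.1.2 and the sequential port assignment are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Added, constructed model of NAT on an inside interface; not the module's own code.
Packet = namedtuple("Packet", "src sport dst dport proto", defaults=["tcp"])

class NatModule:
    def __init__(self, first_port=1025):
        self.acls = {}            # ACL name -> ordered list of (action, network)
        self.dynamic = []         # (ACL name, IP address of the overloaded interface)
        self.static_dst = []      # (proto, local ip, local port, global ip, global port)
        self.sessions = []        # one row per translated session, like the Status tab
        self.next_port = first_port   # assumption: ports are handed out sequentially

    def add_acl_rule(self, name, action, network):
        self.acls.setdefault(name, []).append((action, ipaddress.ip_network(network)))

    def acl_permits(self, name, ip):
        """First matching rule wins; an address no rule matches is not translated."""
        addr = ipaddress.ip_address(ip)
        for action, net in self.acls.get(name, []):
            if addr in net:
                return action == "permit"
        return False

    def translate(self, pkt):
        """Apply inside NAT to a packet arriving on an inside interface."""
        src, dst = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        new_src, new_dst = src, dst
        # Dynamic source NAT: every permitted source shares the overloaded
        # interface's address and is told apart by the port the module assigns.
        for acl, overload_ip in self.dynamic:
            if self.acl_permits(acl, pkt.src):
                new_src = (overload_ip, self.next_port)
                self.next_port += 1
                break
        # Static destination NAT with port forwarding: protocol, local address and
        # local port must all match before the destination is rewritten.
        for proto, lip, lport, gip, gport in self.static_dst:
            if (proto, lip, lport) == (pkt.proto, pkt.dst, pkt.dport):
                new_dst = (gip, gport)
                break
        self.sessions.append({
            "Inside-Global": "%s:%d" % new_src, "Inside-Local": "%s:%d" % src,
            "Outside-Global": "%s:%d" % new_dst, "Outside-Local": "%s:%d" % dst})
        return Packet(*new_src, *new_dst, pkt.proto)

def build_sample_module():
    """Chapter's sample mapping (10.1.1.1:80 -> 192.168.1.25:51000) plus assumed
    wireless subnet 10.1.1.0/24, exempt station 10.1.1.254, uplink VLAN 192.168.1.2."""
    m = NatModule()
    m.add_acl_rule("wireless-nat", "deny", "10.1.1.254/32")    # exempt one station
    m.add_acl_rule("wireless-nat", "permit", "10.1.1.0/24")    # NAT the rest of the VLAN
    m.dynamic.append(("wireless-nat", "192.168.1.2"))
    m.static_dst.append(("tcp", "10.1.1.1", 80, "192.168.1.25", 51000))
    return m

if __name__ == "__main__":
    m = build_sample_module()
    for p in (Packet("10.1.1.50", 40000, "10.1.1.1", 80),
              Packet("10.1.1.51", 40000, "198.51.100.7", 443),
              Packet("10.1.1.254", 40000, "10.1.1.1", 80, "udp")):
        m.translate(p)
    for row in m.sessions:      # prints the four Status-tab columns per session
        print(row)
```

The first two rows share the global source address and differ only in the assigned port, as the Status screen shows; the third row is untouched because the deny rule matches first and the UDP packet does not match the TCP forwarding entry.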

The logged information is saved to a comma-separated values (CSV) file on your workstation, which lets you:

- save information that might be important later, while keeping logs or statistics clear for future events
- send a file to support staff for troubleshooting help
- pool information from multiple devices in a central location
- track patterns of network activity
