Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure)

If circumstances require that the source IP address in outbound firewall traffic be translated to an address in a different subnet from that of the egress interface, you can use the extended interface option. This option enables you to graft a second IP address and an accompanying DIP pool onto an interface that is in a different subnet. You can then enable NAT on a per-policy basis and specify the DIP pool built on the extended interface for the translation.

In this example, two branch offices have leased lines to a central office. The central office requires them to use only the authorized IP addresses it has assigned them. However, the offices receive different IP addresses from their ISPs for Internet traffic. For communication with the central office, you use the extended interface option to configure the security device in each branch office to translate the source IP address in packets it sends to the central office to the authorized address. Table 24 lists the authorized and assigned IP addresses for branch offices A and B.

Table 24: Sample Branch Office Addresses

  Office     ISP-Assigned Address    Authorized Address (Central Office)
  Office A   195.1.1.1/24            211.10.1.1/24
  Office B   201.1.1.1/24            211.20.1.1/24

The security devices at both sites have a Trust zone and an Untrust zone. All security zones are in the trust-vr routing domain. You bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24. You bind ethernet3 to the Untrust zone and give it the IP address assigned by the ISPs: 195.1.1.1/24 for Office A and 201.1.1.1/24 for Office B. You then create an extended interface on ethernet3 with a DIP pool containing the authorized IP address.

You set the Trust zone interface in NAT mode. It uses the Untrust zone interface IP address as its source address in all outbound traffic except for traffic sent to the central office. You configure a policy to the central office that translates the source address to an address in the DIP pool on the extended interface. (The DIP pool ID number is 5. It contains one IP address, which, with port address translation, can handle sessions for ~64,500 hosts.) The MIP address that the central office uses for inbound traffic is 200.1.1.1, which you enter as "HQ" in the Untrust zone address book on each security device.

Each ISP must set up a route for traffic destined to a site at the end of a leased line to use that leased line. The ISPs route any other traffic they receive from a local security device to the Internet.
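As an added illustration (not part of the NSM documentation), the following Python model shows the source NAT decision this procedure produces on the Office A device: traffic to the HQ address is translated to the DIP 5 pool address on the extended interface, all other outbound traffic uses the ethernet3 address, and the Fixed Port option trades the ~64,500-session PAT capacity for preserved source ports. Addresses and the pool ID come from the page; the class and function names are this example's own.

```python
# Added example, not part of the NSM documentation: a minimal model of the
# source NAT behaviour this procedure sets up on the Office A device.
# Addresses and the DIP pool ID are the page's; class and function names are assumed.

HQ = "200.1.1.1"                 # MIP the central office uses for inbound traffic
EGRESS_IP = "195.1.1.1"          # ethernet3, ISP-assigned address (interface NAT)
DIP_POOLS = {5: "211.10.1.1"}    # DIP 5: the authorized address on the extended interface
FIRST_PORT, LAST_PORT = 1024, 65535


def pat_capacity():
    """Translated ports one pool address can hand out with PAT (~64,500)."""
    return LAST_PORT - FIRST_PORT + 1


class SourceNat:
    """Policy-based source NAT: DIP 5 for traffic to HQ, egress IP otherwise."""

    def __init__(self, fixed_port=False):
        self.fixed_port = fixed_port
        self.next_port = {}  # nat_ip -> next free translated port (PAT)
        self.sessions = {}   # (src, sport, dst) -> (nat_ip, nat_port)
        self.in_use = set()  # (nat_ip, nat_port) already allocated

    def select_pool(self, dst):
        # Only the rule to HQ references the DIP pool; everything else uses the
        # Untrust interface address because the Trust zone interface is in NAT mode.
        return DIP_POOLS[5] if dst == HQ else EGRESS_IP

    def translate(self, src, sport, dst):
        key = (src, sport, dst)
        if key in self.sessions:          # existing session keeps its translation
            return self.sessions[key]
        nat_ip = self.select_pool(dst)
        if self.fixed_port:
            # Fixed Port keeps the original source port, so two internal hosts
            # that pick the same port cannot share the single pool address.
            nat_port = sport
            if (nat_ip, nat_port) in self.in_use:
                raise RuntimeError("fixed-port collision on %s:%d" % (nat_ip, nat_port))
        else:
            nat_port = self.next_port.get(nat_ip, FIRST_PORT)
            if nat_port > LAST_PORT:
                raise RuntimeError("DIP pool %s exhausted" % nat_ip)
            self.next_port[nat_ip] = nat_port + 1
        self.in_use.add((nat_ip, nat_port))
        self.sessions[key] = (nat_ip, nat_port)
        return nat_ip, nat_port
```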

  1. Add the devices:
    • For Office A, add a NetScreen-208 security device.
    • For Office B, add a NetScreen-204 security device.
  2. Configure ethernet1 (Trust Zone) for Office A:
    • Double-click the Office A device to open the device configuration. In the device navigation tree, select Network > Interface.
    • Double-click ethernet1. The General Properties screen appears.
  3. Configure IP address/netmask as 10.1.1.1/24 and Interface Mode as NAT.
  4. Click OK to save your changes.
  5. Configure ethernet3 (Untrust Zone) for Office A:
    • In the device navigation tree, select Network > Interface.
    • Double-click ethernet3. The General Properties screen appears.
    • Configure IP address/netmask as 195.1.1.1/24 and Interface Mode as Route.
  6. In the interface navigation tree, select NAT > DIP. Click the Add icon to display the New Dynamic IP dialog box. Configure the DIP, and then click OK:
  7. Enter the DIP ID.
  8. Add multiple DIP ranges for a particular DIP ID as follows:
    • Select the Multiple DIP Range check box.
    • Click the Add icon. The New MultiRange of DIP dialog box appears.
    • For Range ID, enter 1.
    • For Lower IP, enter 210.10.1.1.
    • For Upper IP, enter 210.10.1.1.
  9. For Start, enter 210.10.1.1.
  10. For End, enter 210.10.1.1.
  11. For Shift From, enter 10.10.1.2.
  12. For Scale-Size, enter 1.
  13. Select the Fixed Port check box.

    Note: The Fixed Port option is enabled by default when you add multiple DIP ranges for a DIP ID.

  14. For Extended IP, enter 211.10.1.10.
  15. For Netmask, enter 24.
  16. Add the route to the Corporate Office on the trust-vr of Office A:
    • In the device navigation tree, select Network > Routing. Double-click trust-vr router. The General Properties screen appears.
  17. In the trust-vr navigation tree, select Routing Table. Click the Add icon and configure the new route:
    • Set the IP address/netmask to 0.0.0.0/0.
    • For Next Hop, select Gateway, and the gateway options appear.
    • For Interface, select ethernet3.
    • For Gateway IP Address, enter 195.1.1.254.
  18. Leave all other defaults, and then click OK to save the route.
  19. Click OK to save your changes to the trust-vr, and then click OK to save your changes and close the Office A device configuration.
  20. Configure ethernet1 (Trust Zone) for Office B:
    • Double-click the Office B device to open the device configuration. In the device navigation tree, select Network > Interface.
    • Double-click ethernet1. The General Properties screen appears.
  21. Configure IP address/netmask as 10.1.1.1/24 and Interface Mode as NAT.
    • Click OK to save your changes.
  22. Configure ethernet3 (Untrust Zone) for Office B:
    • In the device navigation tree, select Network > Interface.
    • Double-click ethernet3. The General Properties screen appears.
    • Configure IP address/netmask as 201.1.1.1/24 and Interface Mode as Route.
  23. In the interface navigation tree, select NAT > DIP. Click the Add icon to display the New Dynamic IP dialog box. Configure the DIP, and then click OK.
  24. Enter the DIP ID.
  25. To add multiple DIP ranges for a particular DIP ID:
    • Enable the Multiple DIP Range check box.
    • Click the Add icon to display the New MultiRange of DIP dialog box.
    • For Range ID, enter 1.
    • For Lower IP, enter 10.10.1.2.
    • For Upper IP, enter 10.10.1.2.
  26. For Start, enter 210.10.1.1.
  27. For End, enter 210.10.1.1.
  28. For Shift From, enter 10.10.1.2.
  29. For Scale-Size, enter 1.
  30. Enable the Fixed Port check box.

    Note: The Fixed Port option is enabled by default when you add multiple DIP ranges for a DIP ID.

  31. For Extended IP, enter 211.10.1.10.
  32. For Netmask, enter 24.
  33. Add the route to the Corporate Office on the trust-vr of Office B:
    • In the device navigation tree, select Network > Routing. Double-click trust-vr router. The General Properties screen appears.
  34. In the trust-vr navigation tree, select Routing Table. Click the Add icon and configure the new route:
    • Set the IP address/netmask to 0.0.0.0/0.
    • For Next Hop, select Gateway, and the gateway options appear.
    • For Interface, select ethernet3.
    • For Gateway IP Address, enter 201.1.1.254.
    • Leave all other defaults, and then click OK to save the route.
    • Click OK to save your changes to the trust-vr, then click OK to save your changes and close the Office A device configuration.
  35. Add the Address Object that represents HQ:
    • In the main navigation tree, select Object Manager > Address Objects. Click the Add icon and select Host. The New Host dialog box appears.
  36. Configure the Host as detailed below, and then click OK:
    • For Name, enter Central Office HQ.
    • Select IP, and then enter the IP Address 200.1.1.1.
  37. Create a Global DIP to reference the DIP pool on each device. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the DIP pool for an individual device, enabling you to use one object (the Global DIP object) to represent multiple DIP pools in a single rule.
    • In the navigation tree, select Object Manager > NAT Objects > DIP.
    • Click the Add icon to display the new Global DIP dialog box. Configure the Global DIP and then click OK:
  38. Configure two firewall rules, one of which uses the Global DIP object for NAT translation.
