Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure)
Use Port Address Translation (PAT) to enable multiple hosts (up to 64,500) to share the same IP address. The security device maintains a list of assigned port numbers to distinguish which session belongs to which host. Use PAT in conjunction with a MIP and a DIP pool to resolve the problem of overlapping address spaces.
Some applications, such as NetBIOS Extended User Interface (NetBEUI) and Windows Internet Naming Service (WINS), require specific port numbers and do not work with PAT. For these applications, you cannot use PAT; you must configure the DIP pool to use a fixed port (numbered IP). For fixed-port DIP, the security device hashes and saves the original host IP address in its host hash table, enabling the device to associate the right session with each host.
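The following Python model is an added illustration for the two paragraphs above; it is not NSM or ScreenOS code. It shows why a DIP pool with PAT lets many hosts share one address (the assigned port, recorded in the session table, identifies the host on return traffic) and why a fixed-port pool cannot do the same when two hosts use the same source port, which is the situation NetBEUI and WINS force. Assumptions: the translated-port range 1024-65535 (about 64,500 ports, as the text says), the hash used to pick a pool address per host in fixed-port mode, and the constructed host addresses 10.1.1.5 and 10.1.1.6.

```python
"""Toy model of a DIP pool with PAT versus a fixed-port DIP pool.

Added illustration, not ScreenOS or NSM code. The translated-port range,
the per-host address hash and the host addresses used below are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import ipaddress

PAT_PORT_LOW, PAT_PORT_HIGH = 1024, 65535                  # assumed range
PAT_PORTS_PER_ADDRESS = PAT_PORT_HIGH - PAT_PORT_LOW + 1    # 64512 ports


class DipExhausted(RuntimeError):
    """Raised when no translated (address, port) pair is free."""


@dataclass
class DipPool:
    low: str                    # first address in the pool, e.g. "10.10.1.2"
    high: str                   # last address in the pool (may equal low)
    fix_port: bool = False      # True: keep the host's original source port
    # translated (address, port) -> original (host_ip, host_port); this is the
    # table the device consults to hand return traffic to the right host
    sessions: dict = field(default_factory=dict)
    # fixed-port mode only: host IP -> pool address (the "host hash table")
    host_table: dict = field(default_factory=dict)
    _counter: int = 0

    def addresses(self):
        lo = int(ipaddress.IPv4Address(self.low))
        hi = int(ipaddress.IPv4Address(self.high))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def capacity(self):
        """Concurrent sessions the pool can hold in PAT mode."""
        return len(self.addresses()) * PAT_PORTS_PER_ADDRESS

    def translate(self, host_ip, host_port):
        """Return the (address, port) the outbound packet leaves with."""
        addrs = self.addresses()
        if not self.fix_port:
            # PAT: the assigned port, not the address, identifies the host, so
            # two hosts using the same source port never collide.
            if self._counter >= self.capacity():
                raise DipExhausted("no free translated port")
            xlate = (addrs[self._counter // PAT_PORTS_PER_ADDRESS],
                     PAT_PORT_LOW + self._counter % PAT_PORTS_PER_ADDRESS)
            self._counter += 1
        else:
            # Fixed port: the source port is preserved (NetBEUI/WINS need it),
            # so the host can only be told apart by the pool address chosen
            # for its IP (assumed: first byte of a SHA-256 digest picks it).
            if host_ip not in self.host_table:
                digest = hashlib.sha256(host_ip.encode()).digest()
                self.host_table[host_ip] = addrs[digest[0] % len(addrs)]
            xlate = (self.host_table[host_ip], host_port)
            owner = self.sessions.get(xlate)
            if owner is not None and owner[0] != host_ip:
                # Return traffic to this (address, port) could not be routed
                # to both hosts, so the second session is refused.
                raise DipExhausted(f"{xlate} already owned by {owner[0]}")
        self.sessions[xlate] = (host_ip, host_port)
        return xlate

    def untranslate(self, address, port):
        """Map return traffic back to the original host; None if unknown."""
        return self.sessions.get((address, port))


def fixed_port_collision(pool_low, pool_high, host_a, host_b, port):
    """True if host_b cannot open a fixed-port session on `port` after host_a."""
    pool = DipPool(pool_low, pool_high, fix_port=True)
    pool.translate(host_a, port)
    try:
        pool.translate(host_b, port)
    except DipExhausted:
        return True
    return False


if __name__ == "__main__":
    pat = DipPool("10.10.1.2", "10.10.1.2")      # the single-address pool from the procedure
    print(pat.translate("10.1.1.5", 40000))      # ('10.10.1.2', 1024)
    print(pat.translate("10.1.1.6", 40000))      # ('10.10.1.2', 1025)
    print(pat.untranslate("10.10.1.2", 1025))    # ('10.1.1.6', 40000)
    # NetBIOS name service on port 137 from two hosts behind one fixed-port address
    print(fixed_port_collision("10.10.1.2", "10.10.1.2", "10.1.1.5", "10.1.1.6", 137))  # True
```

With the one-address pool used in this procedure, PAT mode still yields a distinct translated port per session, so the session table can return each reply to its host; the same pool in fixed-port mode can serve only one host per source port, which is why a fixed-port DIP for NetBEUI or WINS traffic needs a range of addresses sized to the number of hosts.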
In this example, you want to create a VPN tunnel for users at one site to reach an FTP server at another site. However, the internal networks at both sites use the same private address space of 10.1.1.0/24.
On the first device, a NetScreen-HSC, you create a tunnel interface in the Untrust zone with IP address 10.10.1.1/24, and associate it with a DIP pool containing the IP address range 10.10.1.2–10.10.1.2 (addresses in the neutral address space of 10.10.1.0/24). You enable port address translation for the DIP pool. On the second device, a NetScreen-208, you create a tunnel interface with an IP address in a neutral address space and set up a mapped IP (MIP) address to its FTP server. This example provides details on configuring the NetScreen-HSC to use a DIP pool with PAT; details on configuring the second device in the VPN are not provided.
Add a NetScreen-HSC security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x and ScreenOS 6.2 in Transparent mode.
Configure the tunnel/vlan interface:
In the device navigation tree, select Network > Interface.
Click the Add icon and select New > Tunnel or Vlan Interface. The General Properties screen appears.
Configure the DIP pool:
In the interface navigation tree, select NAT > DIP to display the DIP screen.
Click the Add icon to display the New Dynamic IP dialog box.
Enter the DIP ID.
Add multiple DIP ranges for a particular DIP ID as follows:
Select the Multiple DIP Range check box.
Click the Add icon. The New Dynamic IP dialog box appears.
For Range ID, enter 1.
For Lower IP, enter 10.10.1.2.
For Upper IP, enter 10.10.1.2.
For Start, enter 10.10.1.1.
For End, enter 10.10.1.1.
For Netmask, enter 24.
Click OK to save your changes to the interface, and then click OK to save your changes to the device.