Help

Static Network Address Translation

Static NAT is a way to make systems that sit behind a firewall and are configured with private IP addresses (those reserved for private use in RFC 1918) appear to have public IP addresses. To allow the clients of your internal network to access the Internet, you need to masquerade this network toward the Internet, because its private addresses are not valid there.

IMPORTANT: If all you want to do is forward ports to servers behind your firewall, you do NOT want to use static NAT. Port forwarding can be accomplished with simple entries in the "rules" sub-section. Also, in most cases Proxy ARP provides a superior solution to static NAT because the internal systems are accessed using the same IP address internally and externally.

ID: The unique ID number identifying this static NAT rule.
External Public IP: External IP address for the translation - This should NOT be the primary IP address of the interface named in the next field.
On this Network Interface: Interface that you want the "External Public IP" address to appear on.
Internal Private IP (RFC1918): Internal IP address for the translation. It must be a private IP address as defined by RFC 1918.

Two options are available for the translation:

All Hosts: If activated, this NAT will be effective from all hosts. If not, NAT will be effective only through the interface named in the "On this Network Interface" field.
Firewall system: If activated, the NAT will also be effective from the firewall system itself.

Example: We want to make the internal system with IP 10.1.1.2 appear to be on the Internet 130.252.100.* subnet. If we assume that the interface to the Internet is eth0, then the following rule would make the 10.1.1.2 system appear to have IP address 130.252.100.18.

External Public IP: 130.252.100.18
On this Network Interface: eth0
Internal Private IP: 10.1.1.2
All Hosts: Yes
Firewall system: Yes

Note 1: The "All Hosts" option is used to specify that access to the external IP from all firewall interfaces should undergo NAT. If set to "No", only access from the interface in the "On this Network Interface" field should undergo NAT.

Note 2: Setting the "Firewall system" option causes packets originating on the firewall itself and destined for the "External" address to be redirected to the "Internal Private IP".
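
The following is an added example, not code from this product: a pre-flight check of a static NAT rule against the constraints stated above (internal address in RFC 1918 space, external address not the interface's primary IP), plus the "All Hosts" / "Firewall system" scope from Notes 1 and 2. The dictionary keys, the function names and the interface addresses in PRIMARY_IPS are assumptions made for illustration.

```python
import ipaddress

# The three private ranges reserved by RFC 1918. ip_address.is_private is
# broader (loopback, link-local, ...), so the ranges are listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_rule(rule, primary_ips):
    """Return the list of problems found in one static NAT rule.

    rule: dict with hypothetical keys external, interface, internal,
          all_hosts, firewall_system (mirroring the form fields).
    primary_ips: interface name -> primary IP address of that interface.
    """
    problems = []
    if not is_rfc1918(rule["internal"]):
        problems.append("internal address is not RFC 1918")
    if is_rfc1918(rule["external"]):
        problems.append("external address is private, not public")
    primary = primary_ips.get(rule["interface"])
    if primary is None:
        problems.append("unknown interface")
    elif ipaddress.ip_address(primary) == ipaddress.ip_address(rule["external"]):
        problems.append("external address is the interface's primary IP")
    return problems

def is_translated(rule, source):
    """True if traffic to the external IP from `source` undergoes NAT.

    source is an interface name, or "firewall" for the firewall itself.
    """
    if source == "firewall":
        return rule["firewall_system"]
    return rule["all_hosts"] or source == rule["interface"]

# The example rule from this page; the interface addresses are constructed.
EXAMPLE = {"external": "130.252.100.18", "interface": "eth0",
           "internal": "10.1.1.2", "all_hosts": True, "firewall_system": True}
PRIMARY_IPS = {"eth0": "130.252.100.17", "eth1": "10.1.1.254"}

if __name__ == "__main__":
    print(check_rule(EXAMPLE, PRIMARY_IPS))
    print(is_translated(EXAMPLE, "eth1"))
```

Running the check before saving a rule catches the two mistakes the field descriptions warn about; `172.32.0.1`, for instance, looks private but lies outside 172.16.0.0/12 and is rejected as an internal address.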