Network Address Translation (Nat) - Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview



Alcatel-Lucent VPN Firewall Brick

Network Address Translation (NAT)

Overview
As with many other Brick device features, Network Address Translation and Port
Address Translation are performed at the Policy Rule level, within a given Virtual
Firewall. Every policy rule may have an Address Translation entry. Each Address
Translation entry may contain any combination of the following three types of
translation:
• Source Address Translation
• Destination Address Translation
• Destination Port Translation
Source Address Translation
Source Address Translation translates the source IP address (and possibly the layer-4
source port) of all forward packets within the session, and retranslates the destination
IP address (and possibly the port) of all reverse packets within the session. Source
address translation is available in four modes: Direct, Pool, Dynamic, and Local. Direct
source address translation provides a one-to-one map between an inbound set of
addresses and a translated set of addresses. Pool source address translation allows a
large number of inbound addresses to be multiplexed onto a smaller number of translated
addresses, using other protocol fields (such as the source TCP or UDP port) to establish
a unique socket. This capability is also commonly called Port Address Translation
(PAT) or Network Port Address Translation (NPAT). Dynamic source address translation
is a variation of NAT in which the original (usually private) IP address of a client that
is connecting to a service provider network is dynamically mapped to another (usually
public) IP address by its supporting Brick from a pool of IP addresses, usually on a
per-zone basis. Local source address translation is used only in conjunction with Client
VPN, to give an inbound client VPN connection a "local" address on the protected
network.
Destination Address Translation
Destination Address Translation translates the destination IP address (and possibly the
layer-4 destination port) of all forward packets within the session and retranslates the
source IP address (and possibly the port) of all reverse packets within the session.
Destination address translation is available in four modes: Direct, Pool, Dynamic, and
Local. Direct destination address translation provides a one-to-one map between an
inbound set of addresses and a translated set of addresses, usually to provide public
images for servers with private addresses. Pool destination address translation is used
to provide session-based server load balancing. Dynamic destination address translation
is a variation of NAT in which the public IP address of an inbound packet is
dynamically mapped to a private client IP address by its supporting Brick from a pool
260-100-022R9.4, Issue 1, June 2009, Security Appliance, page 1-15
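The Source and Destination Address Translation descriptions above both rest on the same mechanism: a per-rule session table that rewrites forward packets and undoes the rewrite on reverse packets. The following is an added illustrative model of that mechanism, not Brick or SMS code, covering Direct and Pool source translation (Pool as PAT, allocating a unique translated socket per session), Direct and Pool destination translation (Pool as round-robin, session-based load balancing) and Destination Port Translation. Dynamic and Local modes are not modelled. The class name `NatRule`, its method names and all IP addresses and ports are assumptions chosen for the example; the addresses are from documentation ranges and the traffic is constructed.

```python
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _key(p):
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def _flip(p):
    """The 5-tuple that a reply to packet p carries on the wire."""
    return Packet(p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)


class NatRule:
    """Hypothetical model of one policy rule's Address Translation entry."""

    def __init__(self, src_mode=None, src_map=None, src_pool=None,
                 dst_mode=None, dst_map=None, dst_pool=None, dst_port=None):
        self.src_mode, self.src_map, self.src_pool = src_mode, src_map or {}, src_pool or []
        self.dst_mode, self.dst_map, self.dst_port = dst_mode, dst_map or {}, dst_port
        self._rr = cycle(dst_pool or [])   # round-robin server selection (Pool DNAT)
        self._fwd = {}      # original 5-tuple -> translated packet
        self._rev = {}      # 5-tuple of the expected reply -> original packet
        self._used = set()  # (ip, port) sockets currently handed out by PAT

    def _alloc_socket(self):
        # PAT: many inbound addresses share few translated addresses, so the
        # (ip, port) pair must be unique among live sessions to identify a session.
        for ip in self.src_pool:
            for port in range(1024, 65536):
                if (ip, port) not in self._used:
                    self._used.add((ip, port))
                    return ip, port
        raise RuntimeError("source translation pool exhausted")

    def forward(self, pkt):
        """Forward packet: create (or reuse) a session and return the rewritten packet."""
        k = _key(pkt)
        if k in self._fwd:                      # later packets of the same session
            return self._fwd[k]
        out = pkt
        if self.dst_mode == "direct":           # public image of a private server
            out = replace(out, dst_ip=self.dst_map[out.dst_ip])
        elif self.dst_mode == "pool":           # session-based load balancing
            out = replace(out, dst_ip=next(self._rr))
        if self.dst_port is not None:           # Destination Port Translation
            out = replace(out, dst_port=self.dst_port)
        if self.src_mode == "direct":           # one-to-one address map
            out = replace(out, src_ip=self.src_map[out.src_ip])
        elif self.src_mode == "pool":           # PAT / NPAT
            ip, port = self._alloc_socket()
            out = replace(out, src_ip=ip, src_port=port)
        self._fwd[k] = out
        self._rev[_key(_flip(out))] = pkt
        return out

    def reverse(self, pkt):
        """Reverse packet: retranslate only if it matches a live session, else drop."""
        orig = self._rev.get(_key(pkt))
        if orig is None:
            return None                         # stateful: no session, no translation
        return _flip(orig)

    def close(self, pkt):
        """Tear down the session for pkt so its PAT socket can be reused."""
        out = self._fwd.pop(_key(pkt), None)
        if out is not None:
            del self._rev[_key(_flip(out))]
            self._used.discard((out.src_ip, out.src_port))


def demo():
    # Constructed traffic: two private clients that both happen to use source
    # port 40000 reach the same public server through one translated address.
    snat = NatRule(src_mode="pool", src_pool=["203.0.113.10"])
    a = snat.forward(Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 443))
    b = snat.forward(Packet("tcp", "10.0.0.6", 40000, "198.51.100.7", 443))
    reply_to_a = snat.reverse(Packet("tcp", "198.51.100.7", 443, a.src_ip, a.src_port))
    stray = snat.reverse(Packet("tcp", "198.51.100.7", 443, "203.0.113.10", 5000))
    # Public image 203.0.113.20:80 load-balanced onto two private servers on 8080.
    dnat = NatRule(dst_mode="pool", dst_pool=["10.1.0.11", "10.1.0.12"], dst_port=8080)
    c1 = dnat.forward(Packet("tcp", "192.0.2.1", 50000, "203.0.113.20", 80))
    c2 = dnat.forward(Packet("tcp", "192.0.2.2", 50000, "203.0.113.20", 80))
    c1_reply = dnat.reverse(Packet("tcp", c1.dst_ip, c1.dst_port, "192.0.2.1", 50000))
    return a, b, reply_to_a, stray, c1, c2, c1_reply


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Two details worth noticing when reading the output: the reply to a Pool-translated session is mapped back to the original client only because the translated (ip, port) socket is unique per session, and a reverse packet that matches no session is not translated at all, which is the behaviour a stateful firewall relies on to keep unsolicited inbound traffic off the private network.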
