Network Address Translation (NAT); Twice NAT Commands - Symbol WS5000 Series System Reference Manual

12-26
WS5000 Series Switch System Reference Guide

12.6 Network Address Translation (NAT)

Twice NAT is used for non-VPN clients to establish communication with the trusted side network. When the
NAT feature is enabled, the switch can alter both the source and destination IP addresses of packets so that hosts
on different subnets can communicate with each other.
For instance, when VPN is used, the real IP addresses of MUs are allocated from a different subnet than the
trusted wired hosts. A host cannot communicate with another host on a different subnet without an
intermediate router. This does not pose a problem for MUs that run the VPN client: they can communicate with
trusted hosts because the VPN server performs the IP address translation. However, MUs not running a VPN
session are unable to do so. To get around this problem, the switch can translate the source and destination
IP addresses between the MU and the wired host, so that the MU can address the wired host with an IP address on its
own subnet and vice versa.
Figure 12.2.1 displays the issues that need to be addressed to have an external device at address a.b.c.1
communicate with a device behind the firewall at address x.y.z.1:
Figure 12.3 Configuring NAT

12.6.1 Twice NAT Commands

To add the NAT entry pairs associating the local NAT address and the real IP address, go to the
conf.fw.eth2 context and use the set addnat command:

WS5100_VPN> config fw eth2
WS5100_VPN.(Cfg).Fw.[eth2]> set addnat ?
Syntax: set addnat <"remoteRealIp,localNatIp">

In this command, a NAT entry was added in the eth2 LAN.
To delete a NAT entry, use set delnat and specify the addresses to be deleted.
To add a range of NAT addresses, use set addrange:
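The translation the switch performs with these entry pairs, as an added Python model that is not the WS5000's own code: each addnat pair maps a host's real IP to the alias hosts on the other subnet use for it, and one rewrite rule (source real address to its alias, destination alias to the real address) handles both the MU's packet and the wired host's reply. The addrange argument format is not shown on this page, so its semantics here (consecutive addresses) are an assumption, and all addresses are constructed RFC 5737 examples.

```python
import ipaddress


class TwiceNat:
    """Model of the switch's twice-NAT table: each entry pairs a host's
    real IP with the local NAT alias that hosts on the other subnet use."""

    def __init__(self):
        self.real_to_nat = {}   # remoteRealIp -> localNatIp
        self.nat_to_real = {}   # localNatIp  -> remoteRealIp

    def add_nat(self, remote_real_ip, local_nat_ip):
        # Mirrors "set addnat <remoteRealIp,localNatIp>". Refuse overlaps so
        # no address is ever both a real address and an alias (ambiguous rewrite).
        if remote_real_ip in self.nat_to_real or local_nat_ip in self.real_to_nat:
            raise ValueError("address already used on the other side of the table")
        if remote_real_ip in self.real_to_nat or local_nat_ip in self.nat_to_real:
            raise ValueError("duplicate NAT entry")
        self.real_to_nat[remote_real_ip] = local_nat_ip
        self.nat_to_real[local_nat_ip] = remote_real_ip

    def del_nat(self, remote_real_ip):
        # Mirrors "set delnat": remove one pair, keyed by its real address.
        local_nat_ip = self.real_to_nat.pop(remote_real_ip)
        del self.nat_to_real[local_nat_ip]

    def add_range(self, first_real_ip, count, first_nat_ip):
        # Assumed semantics for "set addrange" (argument format not on the page):
        # map `count` consecutive real addresses to consecutive NAT aliases.
        real = ipaddress.ip_address(first_real_ip)
        nat = ipaddress.ip_address(first_nat_ip)
        for i in range(count):
            self.add_nat(str(real + i), str(nat + i))

    def translate(self, src, dst):
        """Rewrite one packet's addresses. The same rule serves both directions:
        a source real address becomes its alias on the far subnet, a destination
        alias becomes the real address it stands for; unknown addresses pass."""
        return (self.real_to_nat.get(src, src), self.nat_to_real.get(dst, dst))


def demo():
    # Constructed addresses: MU subnet 192.0.2.0/24, trusted wired 198.51.100.0/24.
    nat = TwiceNat()
    nat.add_nat("198.51.100.1", "192.0.2.200")   # wired host as the MU sees it
    nat.add_nat("192.0.2.1", "198.51.100.200")   # MU as the wired host sees it
    outbound = nat.translate("192.0.2.1", "192.0.2.200")      # MU -> wired host
    reply = nat.translate("198.51.100.1", "198.51.100.200")   # wired host -> MU
    return outbound, reply
```

After translation each packet carries only addresses from the receiving host's own subnet, which is what lets the two hosts talk without an intermediate router.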
