Configuring Network Address Translation
Configuring NAT
You then create a second ACL called FTPServer to select traffic from any
device that is destined for the public IP address (in this example, 10.1.10.1) on
port 21, the well-known port for FTP traffic.
ProCurve(config)# ip access-list extended FTPServer
ProCurve(config-ext-nacl)# permit tcp any host 10.1.10.1 eq 21
ProCurve(config-ext-nacl)# exit
Next, you create an ACP with two entries: one for the Web server and one for
the FTP server. Traffic selected by the Webserver ACL is assigned the
destination IP address of 192.168.2.11, the actual IP address of the Web server on
the internal network. When configuring the ACP, you include the port option
so that the traffic continues to be transmitted on port 80. Traffic selected by
the FTPServer ACL is assigned the destination IP address of 192.168.2.12, the
actual IP address of the FTP server on the internal network. Again, you include
the port number for FTP, port 21.
ProCurve(config)# ip policy-class NATservers
ProCurve(config-policy-class)# nat destination list Webserver address 192.168.2.11 port 80
ProCurve(config-policy-class)# nat destination list FTPServer address 192.168.2.12 port 21
ProCurve(config-policy-class)# exit
Assigning the ACP to an Interface
The ACP you configure will have no effect until you assign it to an active
interface. After you assign the ACP to an interface, the Secure Router OS
firewall will use it to NAT traffic arriving on the interface. Traffic sent from
the interface will not be affected.
To assign the ACP to a particular interface, you must move to the configuration
mode context for that interface and enter:
Syntax: access-policy <policyname>
For example, to assign the NATInside ACP to the Ethernet 0/1 interface, enter:
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# access-policy NATInside
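The ACL, ACP, and interface assignment only work when their names line up, so the wiring is worth checking before relying on the NAT entries. The following Python script is an added example, not part of the ProCurve documentation; it assumes a saved configuration dump with indented sub-commands and case-sensitive names, and the function name lint_nat_config and the sample config are constructed for illustration.

```python
import re

# Constructed sample (Webserver ACL body assumed); "FTPserver" typo is deliberate.
SAMPLE_CONFIG = """\
ip access-list extended Webserver
 permit tcp any host 10.1.10.1 eq 80
ip access-list extended FTPServer
 permit tcp any host 10.1.10.1 eq 21
ip policy-class NATservers
 nat destination list Webserver address 192.168.2.11 port 80
 nat destination list FTPserver address 192.168.2.12 port 21
interface eth 0/1
 access-policy NATInside
"""

NAT_RE = re.compile(r"nat destination list (\S+) address (\S+)(?: port (\d+))?$")

def lint_nat_config(text):
    """Return findings about ACL -> ACP -> interface wiring in a config dump."""
    acls, policies, assigned = set(), {}, {}
    current_refs = current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line opens a new context
            current_refs = current_if = None
        if m := re.match(r"ip access-list extended (\S+)$", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip policy-class (\S+)$", line):
            current_refs = policies.setdefault(m.group(1), [])
        elif m := re.match(r"interface (.+)$", line):
            current_if = m.group(1)
        elif current_if and (m := re.match(r"access-policy (\S+)$", line)):
            assigned[m.group(1)] = current_if
        elif current_refs is not None and (m := NAT_RE.match(line)):
            current_refs.append(m.group(1))  # ACL name this NAT entry selects on
    findings = []
    for acp, acl_refs in policies.items():
        for ref in acl_refs:
            if ref not in acls:              # exact, case-sensitive comparison
                hint = next((f" (defined as {a})" for a in sorted(acls) if a.lower() == ref.lower()), "")
                findings.append(f"{acp}: ACL {ref} is not defined{hint}")
        if acp not in assigned:              # an unassigned ACP has no effect
            findings.append(f"{acp}: not assigned to any interface, so its NAT entries have no effect")
    for acp, iface in assigned.items():
        if acp not in policies:
            findings.append(f"{iface}: access-policy {acp} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_nat_config(SAMPLE_CONFIG)))
```

On the constructed sample it reports the misspelled ACL reference, the NATservers ACP that no interface uses, and the interface that points at an ACP that was never created.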