FirewallBuilder

The examples above were "hiding" multiple internal addresses behind just one external address. We had a whole network (potentially 254 hosts) use the same external address to access the Internet. Sometimes it is necessary to do translation where each internal host has a dedicated corresponding address on the outside. This is often called "1-1" NAT. Here is how this is done in Firewall Builder when a whole network of the same dimension is available on the outside:

Figure 14.79. 

Network object ext net defines network "192.0.2.0/24", which is the same size as the internal network (this is a hypothetical example). Here is iptables command produced for this rule:

# Rule 0 (NAT)
# 
$IPTABLES -t nat -A POSTROUTING   -s 172.16.22.0/24 -j NETMAP --to 192.0.2.0/24 

        

NETMAP target maps a whole network of addresses onto another network of addresses.

In PF the following "nat" command is used:

# Rule  0 (NAT)
# 
nat proto {tcp udp icmp} from 172.16.22.0/24 to any -> 192.0.2.0/24 

        

For PIX, Firewall Builder generates a "global" address pool the size of the 192.0.2.0/24 network:

! Rule  0 (NAT)
! 
global (outside) 1 192.0.2.0 netmask 255.255.255.0
access-list id54756X30286.0 permit ip 172.16.22.0 255.255.255.0  any 
nat (inside) 1 access-list id54756X30286.0 tcp 0 0