WatchGuard Technologies, Inc.
Network Address Translation (NAT) Support

Firebox® technology supports the use of Network Address Translation (NAT), a technique in which you advertise a single IP address to which the outside world sends its traffic (e-mail, HTTP, database connections and so on). The Firebox rewrites the destination of each request arriving from the outside and forwards it to the appropriate IP address inside your network. In this way, the Firebox hides from outsiders the IP addresses of the machines on your internal network.

NAT can be applied in several ways, including dynamic NAT, static NAT and one-to-one NAT. The NAT types supported by each Firebox model are listed below.

Model: supported NAT types (Dynamic NAT, Static NAT (PAT), 1:1 NAT, IPSec NAT Traversal (NAT-T))

  • Firebox® X Peak™: Dynamic NAT, Static NAT (PAT), 1:1 NAT, NAT-T
  • Firebox® X Core™: Dynamic NAT, Static NAT (PAT), 1:1 NAT, NAT-T
  • Firebox® X Edge e-Series: Dynamic NAT, Static NAT (PAT), 1:1 NAT, NAT-T
  • Firebox® X Edge: two of the four NAT types (the source table does not preserve which two)
  • Firebox® SOHO 6: two of the four NAT types (the source table does not preserve which two)
  • Firebox® III: Dynamic NAT, Static NAT (PAT), 1:1 NAT, NAT-T

Dynamic Network Address Translation

Firebox and SOHO security appliances can hide internal IP addresses from the external network. This gives you an optional layer of firewall protection by letting one of your registered, publicly routable Internet IP addresses serve as the gateway for all outbound traffic from your internal networks. The Firebox® appliance maps each return connection back to the correct client machine based on the port number it assigned. Depending on the configuration, Dynamic NAT is performed either by the kernel-level packet filter engine or by the proxies.

Making many internal hosts look like one very busy external host has several advantages:

  • From a security standpoint, it denies outsiders information about the shape and configuration of your internal network. It also makes it more difficult to derive individual usage patterns.
  • From a network management standpoint, it enables your internal or trusted networks to use RFC 1918 private IP addresses that are invalid on the Internet. This frees up "real" IP addresses for better purposes.
  • From an administrative standpoint, it allows you to change your Internet Service Provider without needing to renumber internal IP addresses.

Static Network Address Translation

Firebox security appliances allow internal hosts with unregistered (private) IP addresses to function as Internet-reachable servers. Static NAT (sometimes referred to as Port Address Translation, or PAT) redirects packets from public hosts on the Internet to private hosts behind the Firebox appliance, selecting the private host by the packet's original destination port number.

For example, using SMTP Port Forwarding, you can keep a public e-mail server on a private (not Internet-routable) IP address behind the Firebox® appliance and publish the IP address of the Firebox® as your mail server. Whenever the Firebox® appliance receives a TCP/IP packet on SMTP's registered service port, port 25, it forwards the packet to the masqueraded SMTP server for processing.

Because you can set IP aliases on the external interface of the Firebox® appliance, Static NAT also lets you forward packets destined for the same port to more than one privately addressed host behind the Firebox® appliance, one host per alias.


1:1 NAT

1:1 NAT (Firebox® X Core™ and Firebox® III models) is a Network Address Translation (NAT) policy, applied on a chosen interface, that rewrites and redirects packets sent to one address range to a completely different range of addresses. The translation works in both directions, so you can effectively mask your network addresses.

1:1 NAT lets you work with specific address ranges rather than applying a global policy that covers the whole system. Each NAT policy consists of four configurable pieces of information:

  • The interface (External, Trusted, Optional, IPSec)
  • The NAT base IP address
  • The real base IP address
  • The number of hosts to remap

The NAT base address plus the number of hosts defines the NAT region (the addresses outsiders see), while the real base address plus the same number of hosts defines the hidden or forwarded region (the actual internal hosts); the n-th address of one region maps to the n-th address of the other.
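The following is an added example, not WatchGuard code, that models a 1:1 NAT policy from the four fields above (the field names and class name are assumptions), rewrites addresses in both directions, and checks a policy set for overlapping NAT regions on the same interface; the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OneToOneNatPolicy:
    """One 1:1 NAT policy made of the four fields the page lists (field names assumed)."""
    interface: str   # External, Trusted, Optional or IPSec
    nat_base: str    # first address of the NAT region (what outsiders see)
    real_base: str   # first address of the hidden/forwarded region (real hosts)
    num_hosts: int   # hosts to remap; both regions have this size

    @staticmethod
    def _offset(addr, base):
        return int(ipaddress.IPv4Address(addr)) - int(ipaddress.IPv4Address(base))

    @staticmethod
    def _shift(base, off):
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(base)) + off))

    def to_real(self, nat_addr):
        """Inbound: rewrite a NAT-region destination to the real host, or None if outside it."""
        off = self._offset(nat_addr, self.nat_base)
        return self._shift(self.real_base, off) if 0 <= off < self.num_hosts else None

    def to_nat(self, real_addr):
        """Outbound: rewrite a real source to its NAT-region address, or None if outside it."""
        off = self._offset(real_addr, self.real_base)
        return self._shift(self.nat_base, off) if 0 <= off < self.num_hosts else None


def overlapping_nat_regions(policies):
    """Pairs of same-interface policies whose NAT regions overlap (ambiguous inbound rewrite)."""
    clashes = []
    for i, a in enumerate(policies):
        a_lo = int(ipaddress.IPv4Address(a.nat_base))
        a_hi = a_lo + a.num_hosts - 1
        for b in policies[i + 1:]:
            b_lo = int(ipaddress.IPv4Address(b.nat_base))
            b_hi = b_lo + b.num_hosts - 1
            if b.interface == a.interface and a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


# Constructed sample: 203.0.113.0/24 is a documentation prefix, 10.0.0.0/8 is RFC 1918 space.
WEB_FARM = OneToOneNatPolicy("External", "203.0.113.10", "10.0.1.10", 4)
MAIL = OneToOneNatPolicy("External", "203.0.113.12", "10.0.2.5", 1)  # clashes with WEB_FARM
```

Run the overlap check whenever a policy set changes; a clash means two internal hosts are competing for one public address, which silently misroutes inbound traffic.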


IPSec NAT Traversal (NAT-T)

In Internet communications, the number of NAT devices sitting between endpoints is growing, and NAT breaks IPSec because it rewrites the IP header that IPSec protects and, for ESP, finds no port field to translate on. Using NAT-T in both the gateway and the client makes this intermediate infrastructure transparent to IPSec. NAT-T uses User Datagram Protocol (UDP) encapsulation to wrap the IPSec packet inside a UDP/IP header, so that NAT devices in front of the firewall can rewrite the outer IP addresses or UDP ports without modifying the IPSec packet itself.