Dst address translation (DNAT)

Destination Network Address Translation (DNAT)

Destination Network Address Translation (DNAT) changes the destination IP address of a request packet to another IP address, based on the IP header or other packet header fields. It is typically used for inbound access, from the public Internet to internal network resources. mBox supports three types of DNAT:

  • Static DNAT (one static public IP mapped to one private IP)
  • Port forwarding (one static public IP mapped to multiple private IP using different protocol & port numbers)
  • Dynamic DNAT (dynamic WAN IP address, mapped to private IP using protocol & port numbers)

NOTE:

  • When an internal host is mapped to a dedicated public IP address, that public IP address (or addresses) must be configured on the external WAN interface as a secondary IP; otherwise mBox will not respond to upstream ARP requests for the NAT address.
  • The firewall access-rule must also permit the respective inbound access to the private IPs; a DNAT rule alone does not allow the traffic through.

#1 DNAT - Port forwarding (when WAN IP is static).

!
interface eth0
  enable
  ip address 203.127.1.7/28
  ip address 203.127.1.8/28
  ip address 203.127.1.9/28
!
!"Static NAT rule, from public IP to internal IP for http service only"
firewall dnat-rule 1 translate inbound eth0 tcp dst 203.127.1.8 dport 80 xdst 192.168.1.8 xdport 80
!
!"Static NAT rule, from public IP to internal IP for https service only"
firewall dnat-rule 2 translate inbound eth0 tcp dst 203.127.1.9 dport 443 xdst 192.168.1.9 xdport 443
!
firewall access-rule 1 permit inbound eth0 tcp dport 80 remark "firewall rule must permit this access also"
firewall access-rule 2 permit inbound eth0 tcp dport 443
!

#2 Dynamic DNAT - Port forwarding (when WAN IP is dynamic). The rule carries no dst address, so it matches on interface, protocol and port only.

!
firewall dnat-rule 1 translate inbound eth0 tcp dport 80 xdst 192.168.1.8 xdport 80
!
firewall access-rule 1 permit inbound eth0 tcp dport 80
!

#3 DNAT - Static (one to one). The rule translates all IP protocols to the private host; the access-rules still decide which ports are actually reachable.

!
interface eth0
  enable
  ip address 203.127.1.7/28
  ip address 203.127.1.8/28
!
firewall dnat-rule 1 translate inbound eth0 ip dst 203.127.1.8 xdst 192.168.1.8
!
firewall access-rule 1 permit inbound eth0 tcp dport 80
firewall access-rule 2 permit inbound eth0 tcp dport 443
!
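The following is an added Python model of the three rule sets above, not mBox code: it assumes first-match semantics and that the access-rule check runs on the already-translated packet, and shows why a one-to-one DNAT still only exposes the ports the access-rules permit.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str            # "tcp" or "udp"
    dst: str
    dport: int

@dataclass(frozen=True)
class DnatRule:           # mirrors "firewall dnat-rule N translate inbound ..."
    iface: str
    proto: str            # "ip" matches any protocol (the one-to-one case)
    xdst: str
    dst: Optional[str] = None    # None = match any dst (dynamic WAN IP case)
    dport: Optional[int] = None
    xdport: Optional[int] = None

@dataclass(frozen=True)
class AccessRule:         # mirrors "firewall access-rule N permit inbound ..."
    iface: str
    proto: str
    dport: Optional[int] = None

def apply_dnat(pkt: Packet, rules: list[DnatRule]) -> Packet:
    """First matching DNAT rule rewrites dst (and dport when xdport is set)."""
    for r in rules:
        if (r.iface == pkt.iface and r.proto in ("ip", pkt.proto)
                and r.dst in (None, pkt.dst) and r.dport in (None, pkt.dport)):
            return replace(pkt, dst=r.xdst,
                           dport=pkt.dport if r.xdport is None else r.xdport)
    return pkt

def permitted(pkt: Packet, rules: list[AccessRule]) -> bool:
    """Filter runs on the already-translated packet (assumed ordering)."""
    return any(r.iface == pkt.iface and r.proto == pkt.proto
               and r.dport in (None, pkt.dport) for r in rules)

def process_inbound(pkt, dnat_rules, access_rules) -> Optional[Packet]:
    """Translated packet if it would be forwarded, None if dropped."""
    xpkt = apply_dnat(pkt, dnat_rules)
    return xpkt if permitted(xpkt, access_rules) else None

# Example #3 from the page: one-to-one static DNAT plus access-rules for 80/443.
STATIC_DNAT = [DnatRule("eth0", "ip", xdst="192.168.1.8", dst="203.127.1.8")]
# Example #2: dynamic WAN IP, so the rule carries no dst and matches by dport only.
DYNAMIC_DNAT = [DnatRule("eth0", "tcp", xdst="192.168.1.8", dport=80, xdport=80)]
ACCESS = [AccessRule("eth0", "tcp", 80), AccessRule("eth0", "tcp", 443)]
```

With STATIC_DNAT, a TCP packet to 203.127.1.8:22 is translated but then dropped, because no access-rule permits port 22; a packet to 203.127.1.8:443 is forwarded to 192.168.1.8:443.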