6.7.5.1.1. Procedure – Configuring NAT

1. Create the required NAT policies on the Policies tab of the Zorp ZMC component.

   

   Figure 6.71. NAT policy configuration window

   Click the New button, select NAT Policy from the Policy type combobox and supply a name for the new policy.

   Names should be descriptive and ideally contain information about the direction of NATing and/or about the type of traffic NATed.

   In most network configurations NAT is typically not service-specific; a generic NAT policy may be adequate for most outgoing or incoming traffic. There are no compulsory rules for naming.

   NAT policies can be renamed any time.

   Tip
   Remove NAT policies from the configuration set if they are no longer needed. NAT policies can be removed only if they are not used in any service definition.

2. Configure a NAT solution.

   Zorp supports several different NAT solutions.

   

   Figure 6.72. Editing a GeneralNAT rule

   GeneralNAT has three parameters: source subnet, destination subnet, and the translated subnet. Connections arriving from the source subnet, that target the destination subnet, are modified to use the translated subnet. If the NAT policy is used as Source-NAT (SNAT), the source subnet is translated to translated subnet, if the policy is used as Destination NAT (DNAT), the target subnet is translated.

   

   Figure 6.73. Sample GeneralNAT rule

   Note
   The original and translated netmasks do not need to be the same: it is possible to map an entire /24 network onto a single IP address (/32 mask). However, the order of the pairs is important because the Zorp processes the list from top to bottom.

   Depending on the NAT type (SNAT, DNAT), Zorp evaluates the NAT rules one after the other. If a row containing the address to be NATed as the source network, the iteration stops and Zorp modifies the IP address as specified in that row. If no match is found, the original IP address is used.

   When modifying the address, it calculates the host ID of the address using the target netmask and the source network address and adds it to the target network.

   Example 6.14. Address translation examples using GeneralNAT

   The following two tables show a number of simple and special GeneralNAT cases. The Destination Address in these cases is set to 0.0.0.0/0. Source network Target network Source IP address Translated IP address 10.0.1.0/24 192.168.1.0/24 10.0.1.5 192.168.1.5 10.0.1.0/24 192.168.1.0/25 10.0.1.130 192.168.1.2 10.0.1.0/25 192.168.1.0/24 10.0.1.42 192.168.1.42 Source network Target network Original IP address New IP address 0.0.0.0/0 192.168.2.2/32 172.17.3.5 192.168.2.2 0.0.0.0/0 192.168.3.0/31 172.18.1.1 192.168.3.1 0.0.0.0/0 192.168.3.0/31 172.18.1.2 192.168.3.0 192.168.3.1/32 172.19.2.0/24 192.168.3.1 172.19.2.0

3. Configure caching.

   Since the NAT decision may take a long time in some cases (for example, if there are many mappings in the list), the decisions can be stored in a cache. Storing the decisons in a cache accelerates future decisions. Caching can be enabled/disabled using the Cacheable checkbox in the configuration window of the NAT policy.

   Tip
   It is recommended to enable caching for complex NAT decisions.

   Note

   Enabling caching can have interesting, but sometimes unwanted effects on some NAT types, for example on RandomNAT. Using RandomNAT and the Cachable option together would result in Load Balancing, but with sticky IP addresses, the cache would remember which source IP address was used before for a specific client's IP address and would use the same address again. This can be very useful, but can also cause a lot of problems and troubleshooting.