ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajb_5.4.0.1/rzajbrzajb0gexample5.htm

101 lines
7.2 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Hide IP addresses using masquerade NAT" />
<meta name="abstract" content="In this scenario, your company uses masquerade network address translation (NAT) to hide the private addresses of your personal computers. At the same time, your company allows your employees to access the Internet." />
<meta name="description" content="In this scenario, your company uses masquerade network address translation (NAT) to hide the private addresses of your personal computers. At the same time, your company allows your employees to access the Internet." />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb0awhyip.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8a1verifyingsd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbactivaterules.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb4bhidenat.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajb0g-example5" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Hide IP addresses using masquerade NAT</title>
</head>
<body id="rzajb0g-example5"><a name="rzajb0g-example5"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Hide IP addresses using masquerade NAT</h1>
<div><p>In this scenario, your company uses masquerade network address
translation (NAT) to hide the private addresses of your personal computers.
At the same time, your company allows your employees to access the Internet.</p>
<div class="section"><h4 class="sectiontitle">Situation</h4><p>You have a small company and you want
to allow HTTP service on your iSeries™ server. Your iSeries server
has one Ethernet card and three personal computers. Your Internet Service
Provider (ISP) provides you with a DSL connection and a DSL modem. The ISP
also assigns you the following public IP addresses: 192.20.12.1 and 192.20.12.2.
All of your personal computers have 10.1.1.x addresses on the internal network.
You want to ensure that the private addresses of your personal computers remain
hidden to prevent external users from initiating communications with your
internal network, while at the same time, allowing your employees to access
the Internet. What should you do?</p>
</div>
<div class="section"><p><br /><img src="rzajb502.gif" alt="The picture&#xA;shows an iSeries (connected to the Internet) with the public addresses of&#xA;192.20.12.2 and 192.20.12.1. The private network contains the following addresses:&#xA;10.1.1.110.1.1.4." /><br /> </p>
</div>
<div class="section"><h4 class="sectiontitle">Solution</h4><p>Hide your personal computer addresses,
10.1.1.1 through 10.1.1.4, behind the public address, 192.20.12.1. You will
then be able to run TCP/IP services from the 10.1.1.1 address. Range NAT (hiding
a range of internal addresses) will protect your personal computers from communication
that is initiated outside your network because for range NAT to start, traffic
must be initiated internally. However, range NAT will not protect the iSeries interface.
You will need to filter traffic to protect your iSeries server from receiving untranslated
information.</p>
</div>
<div class="section"><h4 class="sectiontitle">Configuration</h4><p>To configure the packet rules described
in this scenario, use the <span class="uicontrol">Address Translation</span> wizard
in iSeries Navigator.
The wizard requires the following information: </p>
<ul><li>The set of addresses you want to hide: 10.1.1.1 through 10.1.1.4</li>
<li>The interface address behind which you want to hide the set: 192.20.12.1</li>
</ul>
</div>
<div class="section"><p>To use the <span class="uicontrol">Address Translation</span> wizard,
follow these steps:</p>
</div>
<div class="section"> <ol><li>In iSeries Navigator,
select <span class="menucascade"><span class="uicontrol"><var class="varname">your server</var></span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">IP policies</span></span>.</li>
<li>Right-click <span class="uicontrol">Packet Rules</span>, and select <span class="uicontrol">Rules
Editor</span>.</li>
<li>From the <span class="uicontrol">Welcome Packet Rules Configuration</span> dialog,
select <span class="uicontrol">Create a new packet rules file</span>, and click <span class="uicontrol">OK</span>.</li>
<li>From the <span class="uicontrol">Wizards</span> menu, select <span class="uicontrol">Address
Translation</span>, and follow the wizard's instructions to configure
the hide address translation packet rules.</li>
</ol>
</div>
<div class="section"><p>The packet rules look like the following example: </p>
<br /><img src="rzajb510.gif" alt="How your packet rules look like" /><br /></div>
<div class="section"><p>After you finish creating these filter rules, you should verify
them to ensure that they will activate without errors. After that, you can
activate them.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajb0awhyip.htm" title="Use these scenarios to learn how you can use network address translation (NAT) and IP filtering to protect your network.">Scenarios: Packet rules</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajbrzajb4bhidenat.htm" title="Masquerade (hide) network address translation (NAT) allows you to keep the outside world (outside the iSeries server) from knowing the actual address of a personal computer. NAT routes traffic from your personal computer to your iSeries server, which essentially makes the iSeries server the gateway for your personal computer.">Masquerade (hide) NAT</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzajbrzajb8a1verifyingsd.htm" title="Always verify your rules before you activate them. This helps ensure that the rules will be activated without problems.">Verify packet rules</a></div>
<div><a href="rzajbactivaterules.htm" title="Activating the packet rules that you create is the final step in configuring packet rules.">Activate packet rules</a></div>
</div>
</div>
</body>
</html>