Scenario: Map IP addresses using NAT

In this scenario, your company uses static network address translation (NAT) to map its private IP addresses to public addresses.

Situation

You own a company, and you decide to start a private network. However, you have never registered or acquired permission to use public IP addresses. When you access the Internet, you find that your company's address range is registered to someone else, so you think your current setup is obsolete. You need to allow public users access to your Web server. What should you do?


This picture shows a network consisting of an iSeries (192.12.3.1) connected to the Internet. Behind the server is a private network on token ring 10.10.1.0. On this ring is a personal computer with the IP address 10.10.1.1. The personal computer (10.10.1.1) is mapped to the public IP address 192.12.3.1.

Solution

You can use static NAT. Static NAT assigns one original (private) address to one registered (public) address. Your iSeries™ server maps this registered address to your private address. The registered address allows your private address to communicate with the Internet. Essentially, it forms a bridge between the two networks. Communication can then be initiated from either network.

By using static NAT, you can keep all of your current internal IP addresses and still access the Internet. You need to have one registered IP address for each private address that accesses the Internet. For example, if you have 12 users, you need 12 public IP addresses to map to your 12 private addresses.

In this example, the NAT address, 192.12.3.1, sits unusable, like a shell, waiting for information to come back. When the information returns, NAT maps the address back to the personal computer. When static NAT is active, any inbound traffic destined directly to the address 192.12.3.1 will never get to that interface because it is only representing your internal address. The real private address 10.10.1.1 is the actual destination, even though (to the world outside the iSeries server) it appears that 192.12.3.1 is the required IP address.
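
The translation described above, as an added Python example (not IBM's code and not iSeries packet-rule syntax): it applies the scenario's one-to-one mapping to a constructed 20-byte IPv4 header in both directions and recomputes the header checksum. All function names are assumptions made for this illustration.

```python
import ipaddress
import struct

STATIC_MAP = {"10.10.1.1": "192.12.3.1"}  # private -> public, from the scenario

def invert(mapping):
    """Build public -> private; static NAT needs one public address per private one."""
    reverse = {}
    for private, public in mapping.items():
        if public in reverse:
            raise ValueError(f"{public} is already mapped to {reverse[public]}")
        reverse[public] = private
    return reverse

def checksum(header):
    """IPv4 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pack_ip(addr):
    return ipaddress.IPv4Address(addr).packed

def with_checksum(header):
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", checksum(zeroed)) + zeroed[12:]

def build_header(src, dst):
    """Constructed 20-byte IPv4 header: TCP, TTL 64, no options, no payload."""
    return with_checksum(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                                     pack_ip(src), pack_ip(dst)))

def addresses(header):
    return tuple(str(ipaddress.IPv4Address(header[i:i + 4])) for i in (12, 16))

def translate(header, direction, mapping=STATIC_MAP):
    """Rewrite the source outbound and the destination inbound; others pass unchanged."""
    src, dst = addresses(header)
    reverse = invert(mapping)
    if direction == "outbound" and src in mapping:
        src = mapping[src]
    elif direction == "inbound" and dst in reverse:
        dst = reverse[dst]
    else:
        return header
    # Only the IP header is fixed here; a real NAT also adjusts TCP/UDP checksums.
    return with_checksum(header[:12] + pack_ip(src) + pack_ip(dst))
```

Calling `translate(build_header("10.10.1.1", "203.0.113.7"), "outbound")` returns a header whose source is 192.12.3.1; 203.0.113.7 is a constructed remote address, not one from the scenario.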

Configuration

To configure the packet rules described in this scenario, you should use the Address Translation wizard in iSeries Navigator. The wizard requires the following information:
  • Private address you want to map: 10.10.1.1
  • Public address to which you want to map the private address: 192.12.3.1
  • The name of the line over which the address mapping takes place: TRNLINE

To use the Address Translation wizard, follow these steps:

  1. In iSeries Navigator, select your server > Network > IP policies.
  2. Right-click Packet Rules, and select Rules Editor.
  3. From the Welcome Packet Rules Configuration dialog, select Create a new packet rules file, and click OK.
  4. From the Wizards menu, select Address Translation, and follow the wizard's instructions to configure the map address translation packet rules.

The packet rules look like the following example:


[Figure: how your packet rules look]

After you finish creating these rules and any others you determine you need, you should verify them to ensure that they will activate without errors. After that, you can activate them.

Note: The token ring line that is defined above (LINE=TRNLINE) must be the line that 192.12.3.1 uses. This static NAT will not work if 10.10.1.1 uses the defined token ring line above. Whenever you use NAT, you should also enable IP forwarding.