In this scenario, your company combines network address translation
(NAT) with IP filtering. The company wants to hide its personal computers
and Web server behind a single public IP address while still allowing other
companies to reach the Web server.
Situation
Your business has a moderately sized internal
network that uses an iSeries™ server as its gateway. You want to forward
all Web traffic that arrives at the gateway iSeries server to a dedicated Web server
behind the gateway. The Web server listens on port 5000. You want to hide all
of your private personal computers and the Web server behind an address on
the gateway iSeries interface;
AS02 in the following diagram. You also want to allow other companies to
access the Web server. What should you do?
Solution
You can use IP filtering and NAT together
to configure your personal computers and Web server:
- Hide NAT to hide your personal computers behind a public address, 192.27.1.1,
so they can access the Internet.
- Port-mapped NAT to hide your Web server address, 10.1.1.250, and port
number, 5000, behind the public address, 192.27.1.1, and port number, 80. Notice
that both NAT rules hide behind 192.27.1.1. This is acceptable as long
as the addresses you are hiding do not overlap. The port-mapped NAT rule
allows externally initiated traffic to reach your system only on port 80.
If externally initiated traffic does not match that exact address and
port number, NAT does not translate it and the packet is discarded.
- Filter rules that permit all inbound TCP traffic addressed to the public
address through to NAT, and all outbound TCP traffic from the public address
out to the Internet.
Configuration
To configure the hide NAT packet rules
described in this scenario, use the
Address Translation wizard
in iSeries Navigator.
The wizard requires the following information:
- The set of addresses you want to hide: 10.1.1.251 through 10.1.1.254
- The interface address behind which you want to hide the set of addresses:
192.27.1.1
To use the Address Translation wizard,
follow these steps:
- In iSeries Navigator,
select .
- Right-click Packet Rules, and select Rules
Editor.
- From the Welcome Packet Rules Configuration dialog,
select Create a new packet rules file, and click OK.
- From the Wizards menu, select Address
Translation, and follow the wizard's instructions to configure
the hide address translation packet rules.
This packet rule will hide your four personal computers behind
a public address, so they can access the Internet. Your hide NAT packet rule
looks like the following example:
To configure the port-mapped NAT, follow these steps:
- Access the Packet Rules Editor from iSeries Navigator.
- Create a defined address for the Web server address and port 5000:
- From the Insert menu, select Address....
- On the General page, enter Web250 in
the Address name field.
- Select IP addresses in the Defined address drop-down
list. Then click Add and enter the IP address of the
Web server 10.1.1.250 in the edit field.
- Click OK.
- Create a defined address to represent the public address 192.27.1.1:
Note: Because
you already created a defined address to represent the public address 192.27.1.1
when you configured the hide NAT packet rules, you can omit this step for
this particular scenario and skip to the step that creates the port-mapped NAT
rule. However, if you use these instructions
to configure the port-mapped NAT for your own network and you did not configure
the hide NAT packet rules, then continue with the instructions for this step.
- From the Insert menu, select Address....
- On the General page, enter or select BEHIND1 in
the Address name field.
- Select IP addresses in the Defined address drop-down
list. Then click Add and enter 192.27.1.1 in
the IP addresses edit field.
- Click OK.
- Create the port-mapped NAT rule:
- From the Insert menu, select Hide....
- On the General page, select Web250 from
the Hide address name drop-down list.
- Select BEHIND1 from the Behind address
name drop-down list.
- Select Allow inbound connections, and enter 5000 in
the Hide port field.
- Enter 80 in the Behind port field.
- Enter 16 and select seconds in
the Timeout fields.
- Enter 64 in the Maximum conversations field.
- Select OFF from the Journaling drop-down
list.
- Click OK.
This port-mapped NAT will hide your Web server address and port
number behind a public address and port number. Notice that both NAT rules
are hidden behind one common IP address. This is acceptable as long as the
addresses you are hiding do not overlap. This port-mapped NAT rule will only
allow externally initiated traffic on port 80 to access your system.
The port-mapped NAT rule looks like the following example:
ADDRESS Web250 IP = 10.1.1.250
ADDRESS BEHIND1 IP = 192.27.1.1
HIDE Web250:5000 BEHIND BEHIND1:80 TIMEOUT = 16 MAXCON = 64 JRN = OFF
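To make the interplay between the two NAT rules and the filter set concrete, the following Python model is an added example; it is not iSeries code and not one of this page's rule listings. It encodes the decisions stated above (hide NAT for 10.1.1.251 through 10.1.1.254, port-mapped NAT for Web250:5000 behind BEHIND1:80, the MAXCON limit, the no-overlap check, and the rule that externally initiated traffic is discarded unless it matches the published address and port) so that they can be exercised offline. Two things are assumptions rather than statements of the page: the filters are evaluated against the public address in both directions, so this model filters inbound packets before translation and outbound packets after it, and public ports for hide NAT conversations are allocated from 40000 upward.

```python
"""Model of the scenario's hide NAT + port-mapped NAT + filter decisions.
Added example, not iSeries code.  Assumed (not stated on the page): inbound
packets are filtered before NAT, outbound packets after NAT, and hide NAT
conversations get public ports starting at 40000."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class Gateway:
    public_ip: str = "192.27.1.1"      # BEHIND1
    hide_first: str = "10.1.1.251"     # personal computers hidden by hide NAT
    hide_last: str = "10.1.1.254"
    web_ip: str = "10.1.1.250"         # Web250
    web_port: int = 5000               # Hide port
    public_port: int = 80              # Behind port
    maxcon: int = 64                   # MAXCON on the HIDE rule
    # active hide NAT conversations: public port -> (private ip, private port)
    conversations: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000             # assumed allocation start

    def __post_init__(self) -> None:
        # Both rules may share one public address only if the hidden
        # addresses do not overlap; refuse an ambiguous configuration.
        if self.in_hide_range(self.web_ip):
            raise ValueError("port-mapped address overlaps the hide NAT range")

    def in_hide_range(self, ip: str) -> bool:
        return ip_address(self.hide_first) <= ip_address(ip) <= ip_address(self.hide_last)

    def _filter(self, pkt: Packet, direction: str) -> bool:
        """external_rules: TCP only; inbound must be addressed to, and outbound
        must come from, the public interface address.  Ports are unrestricted."""
        if pkt.proto != "TCP":
            return False
        return pkt.dst_ip == self.public_ip if direction == "INBOUND" else pkt.src_ip == self.public_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> Internet: NAT first, then the OUTBOUND filter."""
        if pkt.src_ip == self.web_ip and pkt.src_port == self.web_port:
            # reverse of the port-mapped rule: server replies leave as 192.27.1.1:80
            nat = Packet(self.public_ip, self.public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        elif self.in_hide_range(pkt.src_ip):
            port = self._find_or_open(pkt.src_ip, pkt.src_port)
            if port is None:                      # MAXCON exhausted
                return None
            nat = Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        else:
            nat = pkt                             # no NAT rule: left untranslated
        return nat if self._filter(nat, "OUTBOUND") else None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: INBOUND filter first, then NAT."""
        if not self._filter(pkt, "INBOUND"):
            return None
        if pkt.dst_port == self.public_port:
            # externally initiated connection to the published service
            return Packet(pkt.src_ip, pkt.src_port, self.web_ip, self.web_port, pkt.proto)
        conv = self.conversations.get(pkt.dst_port)
        if conv is not None:
            # reply to a conversation that a hidden PC opened
            return Packet(pkt.src_ip, pkt.src_port, conv[0], conv[1], pkt.proto)
        return None                               # no NAT match: discarded

    def _find_or_open(self, ip: str, port: int) -> Optional[int]:
        for pub, priv in self.conversations.items():
            if priv == (ip, port):
                return pub
        if len(self.conversations) >= self.maxcon:
            return None
        pub, self.next_port = self.next_port, self.next_port + 1
        self.conversations[pub] = (ip, port)
        return pub


if __name__ == "__main__":
    gw = Gateway()
    print(gw.inbound(Packet("203.0.113.5", 51000, "192.27.1.1", 80)))   # -> Web250:5000
    print(gw.inbound(Packet("203.0.113.5", 51000, "192.27.1.1", 22)))   # -> None
```

The model shows why the inbound filter cannot be narrowed to DSTPORT = 80: replies to the hidden PCs come back to 192.27.1.1 on the dynamically assigned conversation ports, so the filter must admit any TCP port to the public address and the port-80 restriction on externally initiated connections is enforced by the NAT rule alone.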
To create the filter rules described in this scenario, follow
these steps:
- Access the Packet Rules Editor from iSeries Navigator.
- Create a filter rule to permit inbound traffic destined for your private
network.
- From the Welcome Packet Rules Configuration dialog,
select Create a new packet rules file, and click OK.
- From the Insert menu, select Filter....
- On the General page, enter external_rules in
the Set name field.
- Select PERMIT from the Action drop-down
list.
- Select INBOUND from the Direction drop-down
list.
- Select = and * from the Source
address name drop-down lists.
- Select = and enter 192.27.1.1 in
the Destination address name fields.
- Select OFF from the Journaling drop-down
list.
- On the Services page, select Service.
- Select TCP from the Protocol drop-down
list.
- Select = and * from the Source
port drop-down lists.
- Select = and * from the Destination
port drop-down lists.
- Click OK.
- Create a filter rule to permit outbound traffic from your private network
to the Internet.
- From the Welcome Packet Rules Configuration dialog,
select Open an existing packet rules file, and click OK.
- From the Open file dialog, select the external_rules file,
and click Open.
- From the Insert menu, select Filter....
- On the General page, select external_rules from
the Set name drop-down list.
- Select PERMIT from the Action drop-down
list.
- Select OUTBOUND from the Direction drop-down
list.
- Select = and enter 192.27.1.1 in
the Source address name fields.
- Select = and * from the Destination
address name drop-down lists.
- Select OFF from the Journaling drop-down
list.
- On the Services page, select Service.
- Select TCP from the Protocol drop-down
list.
- Select = and * from the Source
port drop-down lists.
- Select = and * from the Destination
port drop-down lists.
- Click OK.
- Define a filter interface for the filter set that you created:
- From the Insert menu, select Filter
interface....
- Select Line name and select TRNLINE from
the Line name drop-down list.
- On the Filter sets page, select external_rules from
the Filter set drop-down list, and click Add.
- Click OK.
These filters, in conjunction with the HIDE statement, permit
any inbound TCP traffic addressed to the public address through to NAT and any
outbound TCP traffic from the public address out to the Internet. The inbound
rule deliberately leaves the destination port open, because replies to the
hidden personal computers arrive at 192.27.1.1 on the ports that hide NAT
assigned to their conversations. NAT, however, only allows externally
initiated traffic on port 80 to enter the server; it does not translate externally
initiated traffic that does not match the port-mapped NAT rule, and such
packets are discarded. The filter rules look like the following example:
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 192.27.1.1
PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.27.1.1 DSTADDR = *
PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF
This statement binds (associates) the external_rules filter
set with the correct physical interface. The set name here must match the
name used on the FILTER statements exactly, or the binding refers to a set
that does not exist:
FILTER_INTERFACE LINE = TRNLINE SET = external_rules
After you finish creating these filter rules, you should verify
them to ensure they will activate without errors. After that, you can activate
them.
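The verify step above is the iSeries Navigator function. As an added illustration of the kind of inconsistency it is there to catch, the following Python checker (written for this page, not an IBM tool) parses listings in the form shown on this page and reports a FILTER_INTERFACE that binds a set no FILTER statement defines, a filter set that is never bound, a HIDE that names an undefined ADDRESS or gives a port on only one side, and a TIMEOUT or MAXCON that is missing or not numeric. The parsing assumptions are only what those listings show: one statement per line, `KEY = VALUE` pairs, and a line that does not begin with a statement keyword continues the previous statement. It is run here on a constructed copy of the scenario's rules.

```python
"""Consistency checker for packet-rules listings in the form shown on this
page.  Added example, not an IBM tool.  Assumed syntax: one statement per
line, KEY = VALUE pairs, continuation lines do not start with a keyword."""
import re
from typing import List, Set, Tuple

KEYWORDS = ("ADDRESS", "HIDE", "FILTER_INTERFACE", "FILTER")
PAIR = re.compile(r"\b([A-Z_]+)\s*=\s*(\S+)")

# Constructed sample: the scenario's rules, filter set named consistently.
SAMPLE_RULES = """\
ADDRESS Web250 IP = 10.1.1.250
ADDRESS BEHIND1 IP = 192.27.1.1
HIDE Web250:5000 BEHIND BEHIND1:80 TIMEOUT = 16 MAXCON = 64 JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 192.27.1.1
PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.27.1.1 DSTADDR = *
PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF
FILTER_INTERFACE LINE = TRNLINE SET = external_rules
"""


def statements(text: str) -> List[str]:
    """Join continuation lines onto the statement they belong to."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(KEYWORDS) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def _name_port(token: str) -> Tuple[str, str]:
    name, _, port = token.partition(":")          # "Web250:5000" -> ("Web250", "5000")
    return name, port


def lint(text: str) -> List[str]:
    errors: List[str] = []
    addresses: Set[str] = set()
    filter_sets: Set[str] = set()
    bound_sets: Set[str] = set()
    for stmt in statements(text):
        words = stmt.split()
        kw, pairs = words[0], dict(PAIR.findall(stmt))
        if kw == "ADDRESS":
            addresses.add(words[1])
        elif kw == "HIDE":
            # HIDE <name>[:port] BEHIND <name>[:port] TIMEOUT = n MAXCON = n JRN = ...
            hide, hport = _name_port(words[1])
            behind, bport = _name_port(words[3])
            for name in (hide, behind):
                if name not in addresses:
                    errors.append(f"HIDE references undefined address '{name}'")
            if bool(hport) != bool(bport):
                errors.append(f"HIDE {words[1]} BEHIND {words[3]}: port given on only one side")
            for key in ("TIMEOUT", "MAXCON"):
                if not pairs.get(key, "").isdigit():
                    errors.append(f"HIDE {words[1]}: {key} missing or not numeric")
        elif kw == "FILTER":
            name = words[2] if len(words) > 2 and words[1] == "SET" else ""
            if not name:
                errors.append(f"FILTER without SET name: {stmt[:40]}")
            filter_sets.add(name)
            for key in ("ACTION", "DIRECTION", "PROTOCOL"):
                if key not in pairs:
                    errors.append(f"FILTER SET {name}: missing {key}")
        elif kw == "FILTER_INTERFACE":
            target = pairs.get("SET", "")
            bound_sets.add(target)
            if target not in filter_sets:
                errors.append(f"FILTER_INTERFACE binds undefined filter set '{target}'")
        else:
            errors.append(f"unknown statement: {stmt[:40]}")
    for name in sorted(filter_sets - bound_sets):
        errors.append(f"filter set '{name}' is never bound to an interface")
    return errors


if __name__ == "__main__":
    print(lint(SAMPLE_RULES))                                                   # []
    print(lint(SAMPLE_RULES.replace("SET = external_rules", "SET = external_files")))
```

A mismatched set name on the FILTER_INTERFACE statement is the easiest mistake to make when the rules are edited by hand, and it is one the gateway cannot guess your way out of: the interface would simply be bound to an empty set.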