Westermo RedFox Series User Manual
Page 700

Westermo OS Management Guide
Version 4.17.0-0
1-to-1 NAT mapping is done in the pre-routing step in the firewall (see
This means (for inbound packets affected by a 1-to-1 NAT rule) that the destination IP address is changed to another IP address before routing is done and before rules in the input filtering and forward filtering chains are evaluated. Make sure that you only use the internal network block (called "new destination" in the web configuration and "to-dst" in CLI config) in routing and filtering, as the external network is not visible inside the unit.
31.1.4.2.2 Reverse 1-to-1 NAT
[Figure labels: Public Network (Internet); 1-to-1 NAT gateway (.1); web server (.2); IP source 192.168.0.2 and 10.20.30.2; inbound interface]
Figure 31.7: Reverse 1-to-1 NAT mapping
1-to-1 NAT is bi-directional, which means that the NAT works in the reverse direction too. A request coming from an internal IP will be transformed so it appears to come from the external net when leaving the router through the configured "inbound" interface (see
In this case the translation of the IP source address will be performed in the post-routing chain ( ), just before packets leave the router. This means that the original internal network IP will be matched as source in any forward filtering and output filtering rules. The external addresses will not be visible here, similar to the forward direction NAT.
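The following Python model is an added example, not part of the manual and not WeOS code. It walks a packet through the order of operations described above for both the forward and the reverse direction, showing why filter rules must be written against the internal block. The address blocks, the first-match/default-deny filter and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing (assumption; not taken from a WeOS configuration)
EXTERNAL = ipaddress.ip_network("10.20.30.0/24")   # block seen on the "inbound" interface
INTERNAL = ipaddress.ip_network("192.168.0.0/24")  # "new destination" / to-dst block

def remap(addr, src_net, dst_net):
    """1-to-1 mapping: keep the host part, swap the network prefix."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        return str(ip)                      # not covered by the NAT rule
    offset = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + offset)

def forward_allowed(pkt, rules):
    """Hypothetical forward filter: first match wins, default deny."""
    for action, field, net in rules:
        if ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(net):
            return action == "allow"
    return False

def inbound(pkt, rules):
    """Forward direction: destination rewritten in pre-routing, then filtered."""
    pkt = dict(pkt, dst=remap(pkt["dst"], EXTERNAL, INTERNAL))   # pre-routing
    return pkt if forward_allowed(pkt, rules) else None          # forward filter

def outbound(pkt, rules):
    """Reverse direction: filtered first, source rewritten in post-routing."""
    if not forward_allowed(pkt, rules):                          # sees internal source
        return None
    return dict(pkt, src=remap(pkt["src"], INTERNAL, EXTERNAL))  # post-routing

if __name__ == "__main__":
    client = "203.0.113.9"  # constructed documentation address
    to_server = {"src": client, "dst": "10.20.30.2"}
    from_server = {"src": "192.168.0.2", "dst": client}
    # Rule on the internal address matches; rule on the external one never does.
    print(inbound(to_server, [("allow", "dst", "192.168.0.2/32")]))
    print(inbound(to_server, [("allow", "dst", "10.20.30.2/32")]))
    print(outbound(from_server, [("allow", "src", "192.168.0.0/24")]))
    print(outbound(from_server, [("allow", "src", "10.20.30.0/24")]))
```
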
© 2015 Westermo Teleindustri AB