<p>First of all, let's look at the configuration settings to translate a network range behind a single IP.</p>
<pre>set nat source rule 10 source address '192.168.0.0/16'
set nat source rule 10 outbound-interface 'eth2'
set nat source rule 10 protocol 'all'
set nat source rule 10 translation address 'masquerade'</pre>
<p>In this example all traffic coming from 192.168.0.0/16 will have the source IP addresses translated to the IP of eth2.</p>
<h2>Static NAT</h2>
<p>Static NAT provides a one-to-one mapping.</p>
<pre>set nat source rule 12 source address 192.168.131.32
set nat source rule 12 outbound-interface eth0
set nat source rule 12 translation address 172.16.130.32

set nat destination rule 12 inbound-interface eth0
set nat destination rule 12 destination address 172.16.131.32
set nat destination rule 12 translation address 192.168.130.32</pre>
<p>In this example traffic destined to 172.16.131.32 inbound to eth0 will be translated to 192.168.130.32. Traffic initiated from 192.168.130.32 will be translated to the source address of 172.16.130.32.</p>
<h2>Port Forwarding</h2>
<p>Port forwarding involves translation of a port. Based on the example below, traffic destined to 172.16.130.32 on TCP port 8080 will be translated to an IP of 192.168.130.32, port 80.</p>
<pre>set nat destination rule 33 destination address '172.16.130.32'
set nat destination rule 33 destination port '8080'
set nat destination rule 33 inbound-interface 'eth0'
set nat destination rule 33 protocol 'tcp'
set nat destination rule 33 translation port '80'
set nat destination rule 33 translation address '192.168.130.32'</pre>
<h2>Policy NAT</h2>
<p>Policy NAT involves the translation of either a port or address based on conditions other than the address/port that is subject to translation, i.e. NAT destination address X to destination address Y when the source address is Z.</p>
<p>Within this example we will static NAT an entire subnet when the traffic is sourced/destined to/from 10.1.1.0/24.</p>
<p>The NAT rule reads:</p>
<ul>
<li><strong>Destination</strong> – when traffic from 10.1.1.0/24 is destined to 172.16.130.0/24, translate the destination to 192.168.130.0/24.</li>
<li><strong>Source</strong> – when traffic from 192.168.130.0/24 is destined to 10.1.1.0/24, translate the source address to 172.16.130.0/24.</li>
</ul>
<p><em><strong>Note</strong>: Each address is mapped based on a 1 to 1 mapping, i.e. 172.16.130.33 would be translated to 192.168.130.33.</em></p>
<pre>set nat destination rule 33 destination address '172.16.130.0/24'
set nat destination rule 33 source address '10.1.1.0/24'
set nat destination rule 33 inbound-interface 'eth0'
set nat destination rule 33 protocol 'tcp'
set nat destination rule 33 translation address '192.168.130.0/24'

set nat source rule 33 destination address '10.1.1.0/24'
set nat source rule 33 source address '192.168.130.0/24'
set nat source rule 33 outbound-interface 'eth0'
set nat source rule 33 protocol 'tcp'
set nat source rule 33 translation address '172.16.130.0/24'</pre>
<h2>Show</h2>
<p>A number of show and monitor commands are available when troubleshooting NAT. The main commands you should know are shown below.</p>
<ul>
<li><strong>monitor nat destination translations</strong> – monitor in real time the current translations.</li>
<li><strong>show nat destination translations</strong> – show the NAT translation table.</li>
<li><strong>show nat destination rules</strong> – show the NAT rules within the configuration.</li>
</ul>
<p><strong><em>Note</em></strong>: when troubleshooting source based NAT replace the ‘destination’ keyword with ‘source’.</p>
<h4>Output Examples</h4>
<pre>vyatta@vyatta:~$ <strong>show nat destination translations</strong>
Pre-NAT              Post-NAT             Prot  Timeout
172.16.130.32:8080   192.168.130.32:80    tcp   3</pre>
<pre>vyatta@vyatta:~$ <strong>show nat destination rules</strong>
Disabled rules are not shown
Codes: X - exclude rule

rule    intf              translation
----    ----              -----------
33      eth0              daddr 172.16.130.32 to 192.168.130.32
        proto-tcp         dport 8080 to 80</pre>
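<p>The Policy NAT destination rule above, run through a small offline model so you can check which flows it would translate before committing it. This is an added example, not code from the original article or from Vyatta; the function names, the default protocol of 'all', the lowest-rule-number-first ordering and the sample packets are assumptions of the model.</p>

```python
import ipaddress

# Destination rule 33 from the Policy NAT section, copied from the page.
CONFIG = """\
set nat destination rule 33 destination address '172.16.130.0/24'
set nat destination rule 33 source address '10.1.1.0/24'
set nat destination rule 33 inbound-interface 'eth0'
set nat destination rule 33 protocol 'tcp'
set nat destination rule 33 translation address '192.168.130.0/24'
"""

def parse_rules(text, kind="destination"):
    """Collect 'set nat <kind> rule N <key> <value>' lines into {N: {key: value}}."""
    rules = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[:4] == ["set", "nat", kind, "rule"]:
            rules.setdefault(int(tok[4]), {})[" ".join(tok[5:-1])] = tok[-1].strip("'")
    return rules

def map_host(addr, match, translation):
    """1:1 mapping: keep the host bits, swap the network bits (a /32 maps to itself)."""
    match, translation = ipaddress.ip_network(match), ipaddress.ip_network(translation)
    offset = (int(addr) - int(match.network_address)) % translation.num_addresses
    return translation.network_address + offset

def dnat(rules, iface, proto, src, dst, dport):
    """Return (dst, dport) after the first matching rule, or unchanged if none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num in sorted(rules):  # assumption: lowest rule number is evaluated first
        r = rules[num]
        daddr = r.get("destination address", "0.0.0.0/0")
        if r.get("inbound-interface") != iface:
            continue
        if r.get("protocol", "all") not in ("all", proto):  # assumption: default is 'all'
            continue
        if "source address" in r and src not in ipaddress.ip_network(r["source address"]):
            continue  # the policy condition: only the listed source range is translated
        if dst not in ipaddress.ip_network(daddr):
            continue
        if "destination port" in r and int(r["destination port"]) != dport:
            continue
        new_dst = map_host(dst, daddr, r["translation address"])
        return str(new_dst), int(r.get("translation port", dport))
    return str(dst), dport

RULES = parse_rules(CONFIG)
# Constructed sample packets: one from the permitted source range, one from outside it.
print(dnat(RULES, "eth0", "tcp", "10.1.1.5", "172.16.130.33", 443))
print(dnat(RULES, "eth0", "tcp", "10.9.9.9", "172.16.130.33", 443))
```

<p>The second packet comes back unchanged, which is the property to verify when a policy NAT rule is meant to expose the internal subnet to one source range only.</p>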