> From: "disarray0019" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: SunScreen Lite
> Date: Sun, 20 Jan 2002 17:50:24 -0000
>
> Anyone out there have experience with SunScreen Lite? I'm trying to set up NAT on my home LAN, but the documentation that Sun provides doesn't go in depth enough for my setup.
There is a Security BluePrint on SunScreen Lite available at:

    http://www.sun.com/software/security/blueprints/#sunscreenlite

I can't remember how much detail this goes into on NAT, but below is a brief description I wrote for another alias on setting up NAT for Lite at home (based on CLI):

Since you're using Lite, it is limited to only translating 10 private IPs, so if you have more than 10 private hosts, this may not be possible to set up right.

You'll want to set up address groups to represent your internal network, your public address, and the Internet. Are you using DHCP? If yes, then you'll want to set up an address group that is recalculated at activation time that represents your public IP ("localhost" is defined at activation time, and can be used dynamically as follows):

    edit> add address "insideLocal" HOST 192.168.1.1
    edit> add address "publicIP" GROUP { localhost } { insideLocal }
    edit> add address "inside" RANGE 192.168.1.2 192.168.1.10
    edit> add address "Internet" GROUP { * } { inside }
    edit> add NAT DYNAMIC "inside" "Internet" "publicIP" "Internet"
    edit> save
    edit> quit
    # ssadm activate <configname>

So, your "source" is the source IP seen in the packet as it arrives at the screen, "inside". "dest" is when you want to do NAT (when talking to the Internet; "*" also would work, but then you would have trouble communicating directly to the screen). "transSrc" is what the source IP should look like as it leaves the screen ("publicIP"), and "transDst" is what the destination IP should look like when it leaves the box. It's actually valid to have a dynamic NAT rule where you are modifying the destination addresses, and not the source IPs.

If you are using DHCP, then you will need to reactivate your SunScreen configuration when you've acquired a new IP address - you can write a script to do this.

hope that helps!
Valerie
--
[EMAIL PROTECTED]
[EMAIL PROTECTED]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
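The reactivation script the reply suggests for DHCP setups, as an added example that is not from the original thread or from Sun: it records the address currently bound to the external interface and runs "ssadm activate <configname>" (the command quoted above) only when that address has changed, so "publicIP" is recomputed. The interface name (hme0), state-file path and configuration name are assumptions, to be replaced with your own.

```shell
#!/bin/sh
# Re-activate a SunScreen Lite configuration when the DHCP-assigned public
# address changes. Assumed placeholders: external interface hme0, the
# state-file path and the configuration name. Run from cron or a DHCP hook.

IFACE="${IFACE:-hme0}"                          # external (DHCP) interface
STATE_FILE="${STATE_FILE:-/var/run/sunscreen_public_ip}"
CONFIG_NAME="${CONFIG_NAME:-Initial}"           # placeholder config name
ACTIVATE_CMD="${ACTIVATE_CMD:-ssadm activate $CONFIG_NAME}"

# current_ip IFACE: print the IPv4 address bound to IFACE, parsed from the
# "inet a.b.c.d" line of Solaris/BSD-style ifconfig output.
current_ip() {
    ifconfig "$1" 2>/dev/null | awk '/inet / { print $2; exit }'
}

# ip_changed NEW STATEFILE: true (0) when NEW differs from the address
# recorded in STATEFILE, or when nothing has been recorded yet.
ip_changed() {
    new="$1"; state="$2"
    [ -n "$new" ] || return 1        # no address bound yet: never activate
    [ -f "$state" ] || return 0
    old=$(cat "$state")
    [ "$new" != "$old" ]
}

# reactivate_if_changed NEW STATEFILE: run the activate command only when
# the public address changed, then record it. Prints "activated" or
# "unchanged"; returns non-zero if activation fails (address not recorded,
# so the next run retries).
reactivate_if_changed() {
    new="$1"; state="$2"
    if ip_changed "$new" "$state"; then
        # activation recomputes "localhost", and with it "publicIP"
        $ACTIVATE_CMD || return 1
        printf '%s\n' "$new" > "$state"
        echo activated
    else
        echo unchanged
    fi
}

main() {
    reactivate_if_changed "$(current_ip "$IFACE")" "$STATE_FILE"
}

# Run main only when executed as a script, so the functions can be sourced.
case "$0" in */reactivate_nat.sh) main ;; esac
```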
