| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Negation in the NAT Policy

Contributed by BenSmith
Published in geeklog Wednesday, June 25 2003 @ 06:19 PM EST
Published in oldfaq 2002-Nov-18 14:33 dwelchATphoneboyDOTcom

Much like the security policy rules, the NAT rules are processed in order. Once a packet matches a rule, it is processed and sent on its way. Instead of negating, set up a rule before your main NAT rule that excludes certain sources and certain destinations from being translated. In this example, several things are happening:

Notice the order of the rules. The part of internal networks that is "excluded" from translation is listed in its own rule before the "hide" rule.

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 1 | internal-networks-legal | Any | Any | Orig | Orig | Orig |
| 2 | internal-networks | dmz-net | Any | Orig | Orig | Orig |
| 3 | internal-networks | Any | Any | internal-networks-hide | Orig | Orig |

-- RayLodato - 12 Jan 2004

FAQs.Class: NetworkAddressTranslationFAQs
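The first-match behaviour described above can be checked with a small model of the three-rule table. This is an added example, not part of the original FAQ and not Check Point code; the network addresses, `HIDE_IP`, and the function names are constructed assumptions, since the FAQ only names the objects.

```python
import ipaddress as ip

# Constructed address plan: the FAQ names these objects but gives no addresses.
OBJECTS = {
    "Any": "0.0.0.0/0",
    "internal-networks": "10.0.0.0/8",
    "internal-networks-legal": "10.1.1.0/24",
    "dmz-net": "192.0.2.0/24",
}
HIDE_IP = "198.51.100.1"  # constructed stand-in for internal-networks-hide

# (No., original source, original destination, translated source), as in the table
RULES = [
    (1, "internal-networks-legal", "Any", "Orig"),
    (2, "internal-networks", "dmz-net", "Orig"),
    (3, "internal-networks", "Any", "internal-networks-hide"),
]

def net(name):
    return ip.ip_network(OBJECTS[name])

def translate(rules, src, dst):
    """First-match evaluation: return (rule No., source address after NAT)."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for no, rsrc, rdst, xsrc in rules:
        if s in net(rsrc) and d in net(rdst):
            return no, (src if xsrc == "Orig" else HIDE_IP)
    return None, src  # no rule matched: the packet is not translated

def shadowed(rules):
    """Rule numbers that can never match because an earlier rule covers them."""
    dead = []
    for i, (no, rsrc, rdst, _) in enumerate(rules):
        for _, psrc, pdst, _ in rules[:i]:
            if net(rsrc).subnet_of(net(psrc)) and net(rdst).subnet_of(net(pdst)):
                dead.append(no)
                break
    return dead

# The same rules with the hide rule moved to the top (the mistake to catch).
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    print(translate(RULES, "10.1.1.5", "203.0.113.7"), shadowed(RULES))
    print(translate(MISORDERED, "10.1.1.5", "203.0.113.7"), shadowed(MISORDERED))
```

With the hide rule first, both exclusion rules are reported as shadowed and the excluded source is translated anyway, which is the audit signal to look for in a real rule base.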