Scenario: Hiding IP addresses using masquerade NAT

In this scenario, your company uses masquerade network address translation (NAT) to hide the private addresses of your personal computers. At the same time, your company enables your employees to access the Internet.

Situation

You have a small company and you want to allow HTTP service on your IBM® i platform. Your system has one Ethernet card and three personal computers. Your Internet service provider (ISP) provides you with a Digital Subscriber Line (DSL) connection and a DSL modem. The ISP also assigns you the following public IP addresses: 192.20.12.1 and 192.20.12.2. All of your personal computers have 10.1.1.x addresses on the internal network. You want to ensure that the private addresses of your personal computers remain hidden to prevent external users from initiating communications with your internal network, while allowing your employees to access the Internet. What should you do?

The picture shows a system (connected to the Internet) with the public addresses of 192.20.12.2 and 192.20.12.1.

Solution

Hide your personal computer addresses, 10.1.1.1 through 10.1.1.4, behind the public address, 192.20.12.1. You can run TCP/IP services from the 10.1.1.1 address. Range NAT (hiding a range of internal addresses) protects your personal computers from communication that is initiated outside your network, because range NAT starts only when traffic is initiated internally. However, range NAT does not protect the IBM i interface. You need to filter traffic to protect your system from receiving unwanted information.
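The following Python model is an added illustration, not IBM i packet rules syntax and not part of the original scenario. It shows why hiding 10.1.1.1 through 10.1.1.4 behind 192.20.12.1 blocks externally initiated traffic to the personal computers but still leaves the interface address reachable. The class name, the translation table layout, the starting port 50000, and the remote addresses are assumptions made for the example.

```python
import ipaddress

PUBLIC = "192.20.12.1"  # interface address the range is hidden behind (from the scenario)
HIDDEN = {str(ipaddress.ip_address("10.1.1.1") + i) for i in range(4)}  # 10.1.1.1-10.1.1.4


class HideNat:
    """Toy model of hide (masquerade) NAT. Table layout and port range are assumptions."""

    def __init__(self, public=PUBLIC, hidden=HIDDEN, first_port=50000):
        self.public, self.hidden, self.next_port = public, set(hidden), first_port
        self.out = {}   # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.back = {}  # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the internal network."""
        if src_ip not in self.hidden:
            return src_ip, src_port  # outside the hidden range: left untouched
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:  # first packet of a conversation creates the mapping
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public, self.out[key]

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Decide where a packet arriving from the Internet ends up."""
        if dst_ip != self.public:
            return "not-for-this-interface", None
        mapping = self.back.get((dst_port, src_ip, src_port))
        if mapping:
            return "to-hidden-pc", mapping  # reply to a conversation started inside
        # No mapping: NAT never forwards it inward, but it is still addressed to
        # the system's own interface, so only a filter rule can stop it.
        return "to-system-interface", (dst_ip, dst_port)


def demo():
    nat = HideNat()
    seen = nat.outbound("10.1.1.2", 40000, "203.0.113.10", 80)  # PC browses out
    reply = nat.inbound("203.0.113.10", 80, *seen)               # server answers
    probe = nat.inbound("198.51.100.7", 5555, PUBLIC, 80)        # unsolicited
    return seen, reply, probe


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The unsolicited packet has no entry in the translation table, so it can never be delivered to a 10.1.1.x address, but it still arrives at 192.20.12.1 itself, which is the traffic the filter rules have to cover.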

Configuration

To configure the packet rules that are described in this scenario, use the Address Translation wizard in IBM Navigator for i. The wizard requires the following information:

  • The set of the addresses that you want to hide: 10.1.1.1 through 10.1.1.4.
  • The interface address behind which you want to hide the set: 192.20.12.1.

To use the Address Translation wizard, follow these steps:

  1. In IBM Navigator for i, expand Network > IP Policies, and click Packet Rules.
  2. In the Packet Rules panel, click Actions and select Rules Editor.
  3. From the Welcome Packet Rules Configuration dialog, select Create a new packet rules file, and click OK.
  4. If the Getting Started dialog pops up, read the instructions and click OK.
  5. From the Wizards menu, select Address Translation, and follow the wizard's instructions to configure the hide address translation packet rules.

The packet rules look like the following example.

[Figure: what your packet rules look like]

After you finish creating these filter rules, you should verify them to ensure that they will activate without errors. After that, you can activate them.