Destination NAT

Learning Outcome

  • Destination Network Address Translation (DNAT) redirects incoming traffic that is destined to an external address to an internal IP address inside the network. The external address can be the firewall interface or a virtual IP address. DNAT also offers the option to perform port forwarding or port translation.

  • DNAT enhances network security by hiding the internal network infrastructure behind a translated public IP address, thus preventing direct access from the external network.

Network Diagram

Table of IP addresses

Device Name          | Interface | IP address
---------------------|-----------|----------------------------------
Client PC            | ethernet  | DHCP (192.168.1.224 in this case)
Checkpoint firewall  | WAN       | DHCP
                     | Port 1    | 192.168.1.1 /24
                     | Port 2    | 10.0.0.1 /24
                     | NAT       | 192.168.1.100
SSH Server           | ens33     | 10.0.0.101 /24
Web Server           | ens33     | 10.0.0.102 /24

Introduction

The Client PC acts as an external party that accesses the internal resources through an external IP address and port. The firewall then translates these to the internal server IP address and the corresponding port (external port 9000 to HTTP port 80, external port 9500 to SSH port 22).
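To make the translation concrete, here is a small model of the two DNAT rules from this lab together with the connection table a firewall keeps so that server replies are rewritten back to the NAT address the client connected to. This is an added example, not the Check Point configuration itself; the client's ephemeral port is a constructed value.

```python
from dataclasses import dataclass

NAT_IP = "192.168.1.100"   # the firewall's NAT address from the table above

# DNAT rules from this lab: (external dst IP, external dst port) -> (internal IP, internal port)
DNAT_RULES = {
    (NAT_IP, 9000): ("10.0.0.102", 80),   # Web-Server, HTTP
    (NAT_IP, 9500): ("10.0.0.101", 22),   # SSH-Server, SSH
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DnatGateway:
    """Toy model of the DNAT step plus the connection table that un-translates replies."""

    def __init__(self, rules):
        self.rules = rules
        # (internal ip, internal port, client ip, client port) -> (external ip, external port)
        self.conntrack = {}

    def inbound(self, pkt):
        """Packet arriving on the external side. Returns the rewritten packet, or None if no rule matches."""
        target = self.rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None   # nothing published on that address/port: internal hosts stay unreachable
        self.conntrack[(target[0], target[1], pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

    def outbound(self, pkt):
        """Server reply heading back out: its source becomes the address the client connected to."""
        ext = self.conntrack.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if ext is None:
            return None   # no matching inbound connection, so the reply is not un-translated
        return Packet(ext[0], ext[1], pkt.dst_ip, pkt.dst_port)


def walk_through():
    """Client PC (192.168.1.224, constructed port 51234) opens http://192.168.1.100:9000."""
    gw = DnatGateway(DNAT_RULES)
    client = ("192.168.1.224", 51234)
    to_web = gw.inbound(Packet(*client, NAT_IP, 9000))                     # -> 10.0.0.102:80
    reply = gw.outbound(Packet(to_web.dst_ip, to_web.dst_port, *client))   # -> from 192.168.1.100:9000
    return to_web, reply
```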

Procedures

  1. Physically connect the devices as shown in the network diagram.

Set up VMWare

  1. On the classroom PC, use 7-Zip to extract the Ubuntu VM image from Desktop > Files > Ubuntu.

  2. Repeat the previous step to extract another Ubuntu VM.

  3. In VMware Workstation, go to File > Open, and select the location of the Ubuntu VM you have just extracted.

  4. Now there should be 2 Ubuntu VMs showing, like the following screen. Rename them if required.

  5. Right-click on both of the Ubuntu VMs and change the Network Adapter connection to VMnet0.

  6. In VMware Workstation, click on Edit > Virtual Network Editor.

  7. Click Change Settings.

  8. Make sure VMnet0 is showing Auto-bridging.

  9. Start the 2 Ubuntu virtual machines.

SSH server

  1. Set IP address as 10.0.0.101 with subnet mask /24.

  2. Install SSH by entering the command

sudo apt install ssh

Web server

  1. Set IP address as 10.0.0.102 with subnet mask /24.

  2. Install Apache web server by entering the command

sudo apt install apache2

Checkpoint firewall configuration

  1. Go to the firewall GUI at https://192.168.1.1:4434

  2. Go to Device > Local Network.

  3. LAN1 should already be configured as 192.168.1.1.

  4. Set up LAN2 as a separate network with IP address 10.0.0.1 and subnet mask /24.

  5. Go to Users & Objects > Network Objects.

  6. Create the Web-Server, SSH-Server, and NAT IP address objects as shown in the following screenshot.

  7. Go to Access Policy > NAT.

  8. Add 2 manual NAT rules.

  9. Create TCP ports 9000 and 9500 as the DNAT ports while creating the rules.

  10. Go to Access Policy > Policy.

  11. Create 2 incoming rules to allow access to the internal servers.

Verification

On the Client PC:

  1. Open a web browser and go to http://192.168.1.100:9000

  2. Open the command prompt and type in ssh 192.168.1.100 -p 9500 -l ubuntu

Team:

  • Chawla, Harchit Singh

  • Dela Cruz, Juan Alden

  • Park, Jinwoo

  • Rezazadehnojehdehi, Nasim

  • Tsang, Ho Wan Howard
