In this scenario, your company uses masquerade network address translation (NAT) to hide the private addresses of your personal computers. At the same time, your company enables your employees to access the Internet.
You have a small company and you want to allow HTTP service on your System i™ platform. Your system has one Ethernet card and three personal computers. Your Internet service provider (ISP) provides you with a Digital Subscriber Line (DSL) connection and a DSL modem. The ISP also assigns you the following public IP addresses: 192.20.12.1 and 192.20.12.2. All of your personal computers have 10.1.1.x addresses on the internal network. You want to ensure that the private addresses of your personal computers remain hidden to prevent external users from initiating communications with your internal network, while allowing your employees to access the Internet. What should you do?
Hide your personal computer addresses, 10.1.1.1 through 10.1.1.4, behind the public address, 192.20.12.1. You can run TCP/IP services from the 10.1.1.1 address. Range NAT (hiding a range of internal addresses) protects your personal computers from communication that is initiated outside your network because for range NAT to start, traffic must be initiated internally. However, range NAT do not protect the System i interface. You need to filter traffic to protect your system from receiving unwanted information.
To configure the packet rules described in this scenario, use the Address Translation wizard in iSeries™ Navigator. The wizard requires the following information:
To use the Address Translation wizard, follow these steps:
The packet rules look like the following example.
After you finish creating these filter rules, you should verify them to ensure that they will activate without errors. After that, you can activate them.
Related concepts
Masquerade (hide) NAT