TMS zl Management and Configuration Guide ST.1.2.100916
5-14
Network Address Translation
Configuring NAT Policies
The TMS zl Module requires you to specify the following parameters for each
NAT policy:
■ NAT type (source, destination, or exclusion)
■ Source and destination zones
■ Services to which NAT is applied
■ Source address(es)
■ Destination address(es)
■ New IP address(es) and port(s)
When configuring NAT policies, follow these guidelines:
■ Along with the NAT policy, you must configure a firewall access policy
that permits at minimum the same services and addresses (source and
destination). You can also configure the firewall access policy to be
broader than the NAT policy (to include more addresses or services). For
example, if the NAT policy specifies source addresses in the range of
10.1.1.5 to 10.1.1.100, you can configure the firewall access policy with
source addresses in the 10.1.1.0/24 network. (See “Firewall Access Policies
for NAT” on page 5-23.)
■ In a NAT policy, you can use only single-entry address objects for the
source and destination addresses. You can also use service objects and
service group objects.
■ With destination NAT, two additional rules apply:
• The destination zone will always be the Self zone because the traffic
is initially addressed to an IP address that the module considers to be
its own.
• The NAT IP address will always be a single IP address.
■ You should create an exclusion policy to prevent the translation of traffic
that should be sent over a VPN tunnel by a more general NAT policy. The
exclusion policy’s service, source addresses, and destination addresses
should match the traffic selector on the IPsec policy. The exclusion policy
priority should be higher (numerically lower) than the more general NAT
policy.
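The following Python script is an added example, not part of the guide and not the TMS zl Module's own object model or CLI. It models the two guidelines above that are easiest to get wrong: a firewall access policy must permit at least the NAT policy's service and addresses, and an exclusion policy for VPN traffic must sit at a numerically lower priority than the general source NAT policy so that it is evaluated first. The address ranges (10.1.1.5 to 10.1.1.100 from the text, plus a constructed VPN remote subnet 192.168.50.0/24 and a constructed public NAT address 203.0.113.10), the `NatPolicy`/`AccessPolicy` classes and the first-match evaluation order are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import List, Optional

# Hypothetical data model for this example; the real module stores policies
# differently. Addresses are lists of CIDR blocks, ranges are summarised.


def addr_range(first: str, last: str) -> list:
    """A single-entry address range expressed as the CIDR blocks that cover it."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


ANY = [ip_network("0.0.0.0/0")]


@dataclass
class NatPolicy:
    priority: int            # numerically lower = evaluated first
    nat_type: str            # "source", "destination" or "exclusion"
    service: str             # e.g. "tcp/80", or "any"
    src: list
    dst: list
    new_ip: Optional[str] = None


@dataclass
class AccessPolicy:
    service: str
    src: list
    dst: list


def _service_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def _nets_cover(outer: list, inner: list) -> bool:
    # every block of the inner set must fall inside some block of the outer set
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def access_policy_covers(ap: AccessPolicy, nat: NatPolicy) -> bool:
    """First guideline: the firewall access policy must permit at minimum the
    NAT policy's service, source addresses and destination addresses."""
    return (_service_covers(ap.service, nat.service)
            and _nets_cover(ap.src, nat.src)
            and _nets_cover(ap.dst, nat.dst))


def _matches(p: NatPolicy, service: str, src_ip: str, dst_ip: str) -> bool:
    return (_service_covers(p.service, service)
            and any(ip_address(src_ip) in n for n in p.src)
            and any(ip_address(dst_ip) in n for n in p.dst))


def translate_source(policies: List[NatPolicy], service: str,
                     src_ip: str, dst_ip: str) -> str:
    """Return the source IP after NAT, assuming first-match evaluation in
    priority order. An exclusion policy that matches stops translation."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.nat_type == "destination":
            continue             # destination NAT does not rewrite the source
        if _matches(p, service, src_ip, dst_ip):
            return src_ip if p.nat_type == "exclusion" else p.new_ip
    return src_ip                # no source NAT policy matched


# Constructed sample policies (not from the guide).
GENERAL_SNAT = NatPolicy(20, "source", "any",
                         addr_range("10.1.1.5", "10.1.1.100"), ANY, "203.0.113.10")
VPN_EXCLUSION = NatPolicy(10, "exclusion", "any",
                          addr_range("10.1.1.5", "10.1.1.100"),
                          [ip_network("192.168.50.0/24")])
# Same exclusion, but with a priority numerically higher than the general
# policy: the guide says this ordering is wrong, and the model shows why.
MISORDERED_EXCLUSION = NatPolicy(30, "exclusion", "any",
                                 VPN_EXCLUSION.src, VPN_EXCLUSION.dst)
BROAD_ACCESS = AccessPolicy("any", [ip_network("10.1.1.0/24")], ANY)
NARROW_ACCESS = AccessPolicy("any", [ip_network("10.1.1.64/26")], ANY)

if __name__ == "__main__":
    print(translate_source([GENERAL_SNAT, VPN_EXCLUSION], "tcp/80",
                           "10.1.1.20", "192.168.50.7"))   # VPN traffic stays 10.1.1.20
    print(translate_source([GENERAL_SNAT, VPN_EXCLUSION], "tcp/80",
                           "10.1.1.20", "198.51.100.9"))   # Internet traffic is translated
    print(access_policy_covers(BROAD_ACCESS, GENERAL_SNAT))   # True
    print(access_policy_covers(NARROW_ACCESS, GENERAL_SNAT))  # False
```

Running the script shows the VPN-bound packet keeping its original source only when the exclusion policy is at priority 10; with the same exclusion at priority 30 the general policy matches first and the packet is translated, which is exactly the failure the last guideline warns about. The coverage check mirrors the first guideline: a /24 access policy covers the 10.1.1.5 to 10.1.1.100 NAT range, while a /26 that starts at 10.1.1.64 leaves part of the range unpermitted.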