WESM zl Management and Configuration Guide WT.01.03 and greater
Configuring Network Address Translation (NAT)
Overview
Static NAT on Destination Addresses
One reason to use destination NAT is to allow wireless users to access servers
on your internal LAN, while still concealing the servers’ IP addresses. This use
is particularly important when you open your wireless network to the public.
Because this wireless network is much like the Internet—filled with untrusted
users—you should implement the same types of security measures that you
put in place for users who access your network from the Internet.
Configure destination NAT to allow wireless users to send traffic toward a
server’s publicly known address. The Wireless Edge Services zl Module
translates the traffic’s destination address to the correct local address. When the
server replies, the module automatically translates the source address back
to the address to which the traffic was originally destined, and the private
address remains concealed.
For example, your company may have a Web server or an FTP server, which
is housed on your internal LAN. To access this server, wireless users enter a
URL, which is resolved through a Domain Name System (DNS) server to a
public IP address. When your Wireless Edge Services zl Module receives a
packet destined to this address, it translates the destination IP address and
forwards the packet toward the correct internal device.
For example, in Figure 8-4, a Web server on the internal LAN has an IP address
of 192.168.1.10. However, the IP address to which wireless stations send traffic
is 10.1.1.1. When the ProCurve Wireless Edge Services zl Module receives
packets with the destination address of 10.1.1.1, it translates the destination
address to the private IP address of the Web server: 192.168.1.10. The source
IP address is not affected. (See Figure 8-4.) Therefore, you must ensure that
devices in the wired network can route traffic back to the subnetwork used
in the wireless network.
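The translation in Figure 8-4 and the return-route requirement can be traced with a small model. This is an added example, not code from the guide or from the module: the class and function names are hypothetical, and the station address 172.16.50.25 and the route lists are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticDestinationNat:
    """Illustrative model of one-to-one destination NAT (not the module's code)."""

    def __init__(self, public_to_private):
        self.forward = dict(public_to_private)
        self.reverse = {priv: pub for pub, priv in self.forward.items()}

    def to_lan(self, pkt):
        # Wireless -> LAN: only the destination is rewritten; the source is kept.
        return replace(pkt, dst=self.forward.get(pkt.dst, pkt.dst))

    def to_wireless(self, pkt):
        # LAN -> wireless: the reply's source is restored to the public address,
        # so the station never sees the private address.
        return replace(pkt, src=self.reverse.get(pkt.src, pkt.src))


def has_return_route(routes, station_addr):
    """True if the wired side has a route covering the untranslated source."""
    return any(ip_address(station_addr) in ip_network(net) for net in routes)


# NAT addresses from Figure 8-4; the station address is constructed.
nat = StaticDestinationNat({"10.1.1.1": "192.168.1.10"})
request = Packet(src="172.16.50.25", dst="10.1.1.1")
seen_by_server = nat.to_lan(request)
reply = Packet(src=seen_by_server.dst, dst=seen_by_server.src)
seen_by_station = nat.to_wireless(reply)

if __name__ == "__main__":
    print("server sees :", seen_by_server)
    print("station sees:", seen_by_station)
    # Constructed route tables: without and with the wireless subnetwork.
    for routes in (["192.168.1.0/24"], ["192.168.1.0/24", "172.16.50.0/24"]):
        print(routes, "-> reply routable:", has_return_route(routes, seen_by_server.src))
```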