Port Translation based on Source Address

I've heard that some firewalls / NAT routers are capable of carrying out port translation based on source address.


  • The public address of my border firewall is
  • I want to configure a NAT/PAT to forward port 22 from the public source address to my inside device, and requests from all other public source addresses to be handled by the router itself (i.e. not NATed).

Apparently this is possible on Microsoft ISA & OpenBSD, but as far as I know Cisco can't do it; for example, in Cisco you would just type: ip nat inside source static tcp 22 interface 22

and that would NAT ALL traffic directed at port 22 of its public IP address to the inside device, i.e. you can't differentiate based on source address.

If anyone can write on their experience with this on Cisco, ISA, Checkpoint, OpenBSD or anything else that would be great.

Regards, KC


WatchGuard has two methods - drop-in and routed mode. In drop-in mode you map IP to IP (meaning public to public, but all internal public IPs are protected), and you can do NAT. In routed mode you can do IP to NAT or IP to public depending on how you set up your internal addresses.


You could add an ACL in order to accept only some addresses; the others would be dropped, no?

With Check Point, NAT (as well as access/deny rules) is rule-based: you can define a rule which will NAT src, dst, service to src2, dst2, service2. src, dst & service can be 'any'. You'll need a somewhat recent FireWall-1 (NG FP2?) in order to be able to NAT a single destination to various net segments (routing was done before NAT on older FireWall-1; now routing is done after NAT, so the packets are routed to the right segment). On OpenBSD or Linux, iptables seems very customisable.

stephane nasdrovisky
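The source-conditional port forward KC asked for, written for the OpenBSD pf that stephane mentions, as an added example that is not from any post in this thread. The interface name and every address in it are assumed placeholders.

```pf
# Added example: an OpenBSD /etc/pf.conf fragment implementing the
# source-conditional port forward asked for in the thread. Interface name
# and every address below are assumed placeholders, not values from the page.
ext_if      = "em0"            # border interface carrying the public address
trusted_src = "203.0.113.10"   # the single public source that may reach the inside box
inside_host = "192.168.1.20"   # inside device that should answer port 22 for trusted_src

set skip on lo

# Default: nothing comes in on the border interface unless a rule below passes it.
block in on $ext_if

# Only packets FROM trusted_src to our public address on 22 are translated.
# 'quick' makes this the winning rule for that source, so the rdr-to applies
# regardless of the later, more general rule (pf is otherwise last-match).
pass in quick on $ext_if proto tcp from $trusted_src to ($ext_if) port 22 \
    rdr-to $inside_host port 22

# Every other source reaches the router's own sshd on its public address:
# no translation, which is the "handled by the router itself" case.
pass in on $ext_if proto tcp from any to ($ext_if) port 22

# Rules keep state by default, so replies for both cases return without extra rules.
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; forwarding to the inside host also requires net.inet.ip.forwarding=1 in sysctl.conf.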

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.