Technical data

May 31, 2012 © 2012 Brocade Communications Systems, Inc. 7 - 1
Chapter 7
Configuring FWLB for NAT Firewalls
Some Layer 3 firewalls perform network address translation (NAT). These firewalls translate private addresses on
the private side of the network into public (Internet) addresses on the public side of the network.
NOTE: The configuration steps for firewalls that perform NAT are identical to the steps for basic and IronClad
FWLB without NAT, with just one additional step. The additional step disables load balancing for the NAT
addresses. The following sections provide more information.
You can deploy ServerIrons to load balance NAT firewalls in a basic configuration or an IronClad configuration, just
as in the examples in the previous sections. Configuring the ServerIrons for NAT requires only one additional step.
The additional step disables load balancing for the NAT addresses, which are the addresses the firewalls use
when translating private addresses into Internet addresses.
You can configure a single ServerIron on each side of the firewalls (as in the basic configuration example in Figure
7.1) or you can configure active-standby pairs of ServerIrons on each side of the firewalls (as in Figure 7.2).
Firewalls perform NAT in either of the following ways. The ServerIron supports load balancing for either method
and the ServerIron configuration is the same for each method. You do not need to know which method your
firewalls are using to configure the ServerIrons to load balance for them.
• Hiding internal addresses behind a single public address – The firewall is configured with a single Internet address that it uses for clients that initiate traffic from within the private side of the network. The firewall translates the source address for such traffic from the private address of the client into the public address. The firewall keeps track of the private addresses by including a Layer 4 port number from a pool of such numbers. When the firewall receives a return packet from a destination, the firewall uses the port number to identify the correct private address and translates the packet’s destination address from the public address into the correct private address.
• Static translation – For traffic from a client inside the private network to a destination on the Internet, the firewall translates the private address into a unique Internet address. Likewise, for traffic from the Internet, the firewall translates the public address into a private address. Unlike the method above, the static method assigns a different, unique Internet address for each client in the private network. The method above uses a common Internet address for all private addresses.
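The following Python simulation illustrates the two NAT methods just described. It is an example added to this page, not Brocade or ServerIron code and not the logic of any particular firewall; the private and public addresses, the destination server and the port pool are constructed sample values. The hide-NAT model shows why the translated Layer 4 port is needed: two private hosts can use the same source port, and only the port the firewall hands out distinguishes their return traffic. It also shows that the translation state lives on the firewall that created it, so a return packet with no matching entry is dropped rather than translated.

```python
"""Toy model of hide NAT (one public address, ports from a pool) and static NAT
(one unique public address per private host). Illustrative only; all addresses
and the port pool are constructed sample values, not a real deployment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HideNatFirewall:
    """All private hosts share one public address; the translated source port
    is the key used to find the private host again on the return path."""

    def __init__(self, public_ip, port_pool):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)
        self.outbound = {}   # (private ip, private port) -> translated port
        self.inbound = {}    # translated port -> (private ip, private port)

    def outbound_translate(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("port pool exhausted")
            pub_port = self.free_ports.pop(0)      # take next port from the pool
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt):
        # A return packet is only translated if this firewall created the session.
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None                           # no matching entry: drop
        priv_ip, priv_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


class StaticNatFirewall:
    """Each private host has its own public address, so no port bookkeeping is needed."""

    def __init__(self, mapping):                  # private ip -> public ip
        self.priv_to_pub = dict(mapping)
        self.pub_to_priv = {pub: priv for priv, pub in mapping.items()}

    def outbound_translate(self, pkt):
        pub = self.priv_to_pub.get(pkt.src_ip)
        if pub is None:
            return None                           # host has no static mapping
        return Packet(pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt):
        priv = self.pub_to_priv.get(pkt.dst_ip)
        if priv is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv, pkt.dst_port)


def demo_hide_nat():
    """Two private hosts use the same source port toward the same server;
    returns (translated a, translated b, reply to b mapped back, unmatched reply)."""
    fw = HideNatFirewall("203.0.113.10", range(40000, 40003))   # constructed values
    a = Packet("10.1.1.5", 1025, "198.51.100.80", 80)
    b = Packet("10.1.1.6", 1025, "198.51.100.80", 80)
    out_a = fw.outbound_translate(a)
    out_b = fw.outbound_translate(b)
    reply_b = Packet("198.51.100.80", 80, out_b.src_ip, out_b.src_port)
    stray = Packet("198.51.100.80", 80, "203.0.113.10", 40002)   # no session for this port
    return out_a, out_b, fw.inbound_translate(reply_b), fw.inbound_translate(stray)


def demo_static_nat():
    """Each private host maps to its own public address in both directions."""
    fw = StaticNatFirewall({"10.1.1.5": "203.0.113.5", "10.1.1.6": "203.0.113.6"})
    out = fw.outbound_translate(Packet("10.1.1.5", 1025, "198.51.100.80", 80))
    back = fw.inbound_translate(Packet("198.51.100.80", 80, "203.0.113.6", 22))
    return out, back


if __name__ == "__main__":
    print(demo_hide_nat())
    print(demo_static_nat())
```

The point relevant to load balancing is visible in `inbound_translate` of the hide-NAT model: the mapping from translated port back to private host exists only on the firewall that performed the outbound translation, so traffic addressed to a firewall's NAT address must reach that firewall rather than being distributed across the group.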
Configuring Basic Layer 3 FWLB for NAT Firewalls
Figure 7.1 shows an example of a basic FWLB configuration for Layer 3 NAT firewalls. The procedures and CLI
configuration example in this section are based on this sample configuration.