How to configure Network Address Translation (NAT) in Crimson using the FlexEdge

16 May 2025

This article describes how to configure One-to-One (1:1) Network Address Translation (NAT) in Crimson 3.2.

APPLICABLE PRODUCTS

FlexEdge DA50A, DA70A

PRE-REQUISITES

In this example, a DA50 will be used in the topology below. The PC connected to Ethernet 1 needs access to the HMI web server connected to Ethernet 2. Note: The Ethernet 2 Trust Status setting is configured as Untrusted. The PC and HMI have gateway settings configured for their respective networks.

[Image: NAT example topology]

IN THIS ARTICLE

Crimson NAT rule configuration 

To configure NAT settings, browse to Device Configuration > Firewall > NAT and DMZ.

Select the Inbound Interface property to define the interface on which the traffic will be accepted.

In this example, a setting of Automatic is used; this applies when the Inbound IP is not an existing IP address of the required interface and you want Crimson to add the IP address for you.

The Target IP property is used to define the IP address of the host to which the incoming traffic will be redirected. The Inbound IP should not be used by any other device within the network, to avoid a duplicate IP address conflict.

The Block Size property is used to allow several rules to be defined at the same time, forwarding traffic from sequential inbound IP addresses to sequential target addresses. If the block size is 32 or less, the automatic addition of IP addresses as described above will still be performed. Larger blocks will need specific routes added to external devices to allow those devices to forward traffic to the appropriate address on this device.

The Protocol property is used to select the type of traffic to be forwarded. Settings of TCP, UDP, and TCP+UDP are supported.

The Direction property allows NAT to operate in inbound mode or bidirectional mode. In the former mode, connections from the Inbound IP will be mapped to the Target IP, but outbound connections from the target device will not be translated as coming from the Inbound IP and will in fact be prevented from emerging on that interface. In the latter mode, outbound translation will be performed, and the target device will be able to make connections that will appear to be coming from the Inbound IP. 

The Masquerade property controls how the source address of packets coming from the Crimson device and sent to the target device is handled. If Masquerade is disabled, the source address will remain that of the external device that made the connection, and so the target device will need a route or default gateway entry to let it know to send the reply back to the Crimson device. If Masquerade is enabled, the source IP will be changed to that of the interface connected to the target device, allowing it to reply to an on-link address. This is not without cost, however, in that it may break some protocols that embed IPs and port addresses within their traffic. The device knows how to handle most of these situations, but that does not mean that it will always work.

The Gateway Symmetry property ensures that the path traffic takes in one direction (from source to destination) is the same path it takes back (from destination to source).

The White List property is used to limit this rule to a specific set of hosts, based on the settings made in the Access Lists section of the configuration. 
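The Inbound IP, Block Size and Masquerade caveats described above can be checked on paper before a rule is deployed. The following Python sketch is an added example, not part of Crimson or the original article: the `NatRule` class, the function names and all addresses are constructed for illustration, and it models only the target's default gateway, not specific routes.

```python
import ipaddress
from dataclasses import dataclass

AUTO_ADD_LIMIT = 32  # article: blocks of 32 or less get their IPs added automatically


@dataclass
class NatRule:
    inbound_ip: str           # first address external hosts connect to
    target_ip: str            # first host that traffic is redirected to
    block_size: int = 1
    masquerade: bool = False


def expand(rule):
    """Return the sequential (inbound, target) pairs covered by a block rule."""
    inbound = ipaddress.IPv4Address(rule.inbound_ip)
    target = ipaddress.IPv4Address(rule.target_ip)
    return [(str(inbound + i), str(target + i)) for i in range(rule.block_size)]


def review(rule, hosts_in_use, target_gateways, device_ip):
    """Return the caveats from the article that apply to this rule.

    hosts_in_use: addresses already assigned on the inbound network.
    target_gateways: target IP -> default gateway configured on that host.
    device_ip: the NAT device's own address on the target network.
    """
    findings = []
    for inbound, target in expand(rule):
        if inbound in hosts_in_use:
            findings.append(f"duplicate IP: {inbound} is already in use")
        # Without Masquerade the target sees the original source address,
        # so its replies must be routed back through the NAT device.
        if not rule.masquerade and target_gateways.get(target) != device_ip:
            findings.append(f"no return path: {target} does not route via {device_ip}")
    if rule.block_size > AUTO_ADD_LIMIT:
        findings.append("block larger than 32: external devices need specific routes")
    return findings


if __name__ == "__main__":
    # Constructed sample network, not taken from the article.
    rule = NatRule("192.168.1.50", "192.168.2.10", block_size=3)
    in_use = {"192.168.1.51"}
    gateways = {"192.168.2.10": "192.168.2.1", "192.168.2.11": "192.168.2.1"}
    for line in review(rule, in_use, gateways, device_ip="192.168.2.1"):
        print(line)
```

With the sample data, the second inbound address collides with an existing host and the third target has no gateway pointing at the device, so both are reported.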
 

[Image: NAT rule]