NAPT
NAPT (Network Address and Port Translation) is a form of destination NAT and is often called
port forwarding. It allows services of internal nodes that are hidden by IP masquerading or
source NAT to be reached from the external network.
Incoming data packets that come from the external network and are intended for an external
IP address of the device (destination IP address) are translated. The destination IP address is
replaced by the IP address of the internal node. In addition to address translation, port
translation is also possible.
The following options are available for port translation:
| From | To | Response |
|---|---|---|
| a single port | the same port | If the ports are the same, the frames will be forwarded without port translation. |
| a single port | a single port | The frames are translated to the port. |
| a port range | a single port | The frames from the port range are translated to the same port (n:1). |
| a port range | the same port range | If the port ranges are the same, the frames will be forwarded without port translation. |
Port forwarding can be used to allow external nodes access to certain services of the internal
network, e.g. FTP, HTTP.
You configure NAPT in "Layer 3" > "NAT" > "NAPT (Page 237)".
Source NAT
As with masquerading, in source NAT the source address is translated. In addition to this, the
outgoing data packets can be restricted. These include limitation to certain IP addresses or IP
address ranges and limitation to certain interfaces.
Source NAT can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because a private address range such as 192.168.x.x is used.
You configure source NAT in "Layer 3" > "NAT" > "Source NAT (Page 238)".
NETMAP
With NETMAP it is possible to translate complex subnets to a different subnet. In this
translation, the subnet part of the IP address is changed and the host part remains. For
translation with NETMAP only one rule is required. NETMAP can translate both the source IP
address and the destination IP address. Performing the same translation with destination NAT and
source NAT would require numerous rules. NETMAP can also be applied to VPN
connections.
You configure NETMAP in "Layer 3" > "NAT" > "NETMAP (Page 241)".
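The NETMAP translation described above, as an added example that is not part of the original manual and is not the device's own code: a Python model that replaces the subnet part of an address and keeps the host part. The function names, the rule tuple format and the sample subnets are constructed for illustration; it assumes both subnets have the same prefix length and that addresses outside a rule's subnet pass through unchanged.

```python
import ipaddress

# Constructed sample rules (not taken from the manual): (kind, from_net, to_net)
SAMPLE_RULES = [
    ("source", "192.168.16.0/24", "10.10.1.0/24"),
    ("destination", "10.10.2.0/24", "192.168.16.0/24"),
]


def netmap_translate(addr, from_net, to_net):
    """Replace the subnet part of addr with that of to_net; keep the host part."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    # Assumption: a 1:1 subnet mapping needs equally sized subnets.
    if src.version != dst.version or src.prefixlen != dst.prefixlen:
        raise ValueError("subnets must share IP version and prefix length")
    if ip not in src:
        return str(ip)  # rule does not match, address stays as it is
    host_part = int(ip) & int(src.hostmask)
    return str(type(ip)(int(dst.network_address) | host_part))


def one_to_one_rules_replaced(from_net):
    """Number of per-address rules that one NETMAP rule stands in for."""
    return ipaddress.ip_network(from_net).num_addresses


def translate_packet(src, dst, rules):
    """Apply each rule in order to the source or destination address."""
    for kind, from_net, to_net in rules:
        if kind == "source":
            src = netmap_translate(src, from_net, to_net)
        elif kind == "destination":
            dst = netmap_translate(dst, from_net, to_net)
        else:
            raise ValueError(f"unknown rule kind: {kind}")
    return src, dst


if __name__ == "__main__":
    print(translate_packet("192.168.16.37", "10.10.2.5", SAMPLE_RULES))
    print(one_to_one_rules_replaced("192.168.16.0/24"), "single-address rules")
```

Listing the translated range next to the firewall rules makes it easier to check that a NETMAP rule exposes only the intended hosts.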
3.5.4 NAT and firewall
The firewall and NAT router support the "Stateful Inspection" mechanism. If the IP data traffic
from internal to external is enabled, internal nodes can initiate a communications connection
into the external network.
Technical basics
3.5 Security functions
SCALANCE S615 Web Based Management
46
Configuration Manual, 11/2019, C79000-G8976-C388-08