#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST wwwsrv 80
2
Allow
any
all-nets
core
wan_ip
http
These two rules allow us to access the web server via the firewall's external IP address. Rule 1 states that
address translation will take place if the connection is permitted, and rule 2 permits the connection.
Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet.
In this example, we use a rule that permits everything from the internal network to access the Internet via NAT
hide:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
3
NAT
lan
lannet
core
wan_ip
all_services
The problem with this rule set is that it will not work at all for traffic from the internal network.
In order to illustrate exactly what happens, we use the following IP addresses:
•
wan_ip (195.55.66.77): a public IPv4 address
•
lan_ip (10.0.0.1): the NetDefend Firewall's internal, private IPv4 address
•
wwwsrv (10.0.0.2): the web server's private IPv4 address
•
PC1 (10.0.0.3): a PC with a private IPv4 address
The order of events is as follows:
•
PC1 sends a packet to wan_ip to reach www.ourcompany.com:
10.0.0.3:1038 => 195.55.66.77:80
•
NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with
rule 2:
10.0.0.3:1038 => 10.0.0.2:80
•
wwwsrv processes the packet and replies:
10.0.0.2:80 => 10.0.0.3:1038
This reply arrives directly to PC1 without passing through the NetDefend Firewall. This causes problems.
The reason this will not work is because PC1 expects a reply from 195.55.66.77:80 and not 10.0.0.2:80. The
unexpected reply is discarded and PC1 continues to wait for a response from 195.55.66.77:80 which will never
arrive.
Making a minor change to the rule set in the same way as described above, will solve the problem. In this
example, we choose to use option 2:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST wwwsrv 80
2
NAT
lan
lannet
core
wan_ip
all_services
3
Allow
any
all-nets
core
wan_ip
http
•
PC1 sends traffic to wan_ip in order to reach "www.ourcompany.com":
10.0.0.3:1038 => 195.55.66.77:80
•
NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with
rule 2:
10.0.0.1:32789 => 10.0.0.2:80
•
wwwsrv processes the traffic and replies:
10.0.0.2:80 => 10.0.0.1:32789
7.4.1. Translation of a Single IP
Address (1:1)
Chapter 7. Address Translation
382
Summary of Contents for NetDefend DFL-1660
Page 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Page 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Page 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Page 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Page 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Page 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Page 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Page 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Page 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Page 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Page 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Page 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Page 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Page 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...