Chapter 8 – Frequently Asked Questions (FAQs)
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)
135
Q13. Can I forward SSH connections?
A13.
Yes, by configuring port forwarding of SSH (dest. port 22):
Source: External Interface Port 22 goes to
Destination: SSH_Server Port 22
Procedure:
1. Define two Hosts in
Networks & Services
:
external_NIC a.b.c.d 255.255.255.255
SSH_Server e.f.g.h 255.255.255.255
2. Define one Service in
Networks & Services
:
NAT_SSH TCP 0:65534 22
3. Add one NAT-Rule in
Network Setup > DNAT
: external_NIC NAT_SSH -> SSH_Server NAT_SSH.
4. Add one Rule in
Packet Filters > Packet Filter Rules
: Any NAT_SSH SSH_Server Allow.
This way, the destination address of every TCP packet will be translated from a.b.c.d:22 (Firewall) to e.f.g.h:22 (SSH-
Server) and back again.
Q14. SNAT: what is it and what would I use it for?
A14.
SNAT is similar to Masquerading.
Definition SNAT (DSNAT): With SNAT you can rewrite the original Source Address of a specific IP connection with
another static IP address.
You must make sure that the answer comes back to the firewall (e.g., if you want to access a Cisco router via telnet
and the RouteFinder only allows connects from a specific static IP address, you can specify this in Source NAT.
Define a rule like: AdminPC, Telnet, Cisco Router > Allowed Cisco IP.
Now you can communicate with the Router. This is needed for more complex configurations.
Q15. How do I set up RouteFinder Masquerading?
A15.
Configure Masquerading in WebAdmin:
1. Define Interfaces in
Network
Setup >
Interface
. Here you define your Network Interface settings as well as your
default gateway, for example:
LAN Internal: 192.168.100.1/255.255.255.255
WAN External: 194.162.134.10/255.255.255.128
Gateway: 194.162.134.1/255.255.255.128
2. Define Network definitions in
Networks & Services >
Networks
. Here you define your host and network
definitions, which you will use for further configuration like Masquerading or Packet Filter Rules later on (i.e.,
Internal-Network 192.168.100.0 255.255.255.0 / Peters-Laptop 192.168.100.12 255.255.255.255).
3. Define Masquerading in
Network
Setup >
Masquerading
. Here you define which network should be
masqueraded on which network interface (i.e.,
Internal-Network
>
External
).
4. Define Packet filter Rules and Proxy Settings. Now you have set your Security Policy in terms of what is allowed
and what is not allowed. The RouteFinder uses stateful inspection, so you only have to define which services are
allowed; the way back is opened automatically (e.g.,
Internal-Network - FTP - Any - Accept
| Peters-Laptop
- Telnet - Any - Accept
). If you want to use the Proxies you can configure them in
Proxy
.
Q16. Can I do DNAT with Port ranges?
A16.
Yes. Mapping DNAT port ranges is supported, with the limitation that you can only map the same range (so, for
example, you can map ports 500-600 to 500-600 but not 500-600 to 300-400).
Q17. Does NAT take place before or after routing and filtering take place?
A17.
In short, DNAT is done before the packets pass the packet filter, and SNAT and Masquerading are done after that.
The RouteFinder uses a 2.4 kernel and IP tables (the internal logic in the netfilter code).
Q18. What are the current Certificate export laws?
A18.
New US encryption export regulations took effect on January 14th, 2000. At the time of this publication, CAs may
export certificates to any non-government entity and to any commercial government-owned entity (except those that
produce munitions), in any country except Afghanistan (Taliban-controlled areas), Cuba, Iran, Iraq, Libya, North
Korea, Serbia (except Kosovo), Sudan and Syria.
For the latest information on United States cryptography export and import laws, contact the Bureau of Export
Administration (BXA) (http://www.bxa.doc.gov/).
For many years, the U.S. government did not approve export of cryptographic products unless the key size was
strictly limited. For this reason, cryptographic products were divided into two classes: products with "strong"
cryptography and products with "weak" (that is, exportable) cryptography. Weak cryptography generally means a key
size of at most 56 bits in symmetric algorithms. Note that 56-bit DES keys have been cracked. In January 2000 the
restrictions on export regulations were dramatically relaxed. Today, any cryptographic product is exportable under a
license exception (i.e., without a license) unless the end-users are foreign governments or embargoed destinations
(Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taleban-controlled areas of Afghanistan, as of
January 2000). Export to government end-users may also be approved, but under a license.