Chapter 6 – RouteFinder Software
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)
93
Network Setup > DNAT
On this screen you can set up DNAT re-routing. DNAT (Destination Network Address Translation) rewrites the target addresses of IP packets. Use DNAT if you want to operate a private network behind your RouteFinder firewall and make network services that run only on this private network available to the Internet. Note that for DNAT support, the TCP and/or UDP settings must be enabled (at Networks & Services > Services > Protocol).
Important Notes:
• You cannot add a DNAT rule with the Pre DNAT Network as ANY, with Service as ANY, and a Destination Service as ANY. Such a rule would route all packets to the Post DNAT destination host, and the services of the firewall itself would then no longer function properly.
• As the address conversion takes place BEFORE the filtering by the packet filter rules, you must set the appropriate rules in the Packet Filter > Rules menu to let the already-translated packets pass. You can find more about setting packet filter rules earlier in this chapter.
Add DNAT Definition
The DNAT screen contains four drop-down list boxes. The first two define the original target of the IP packets that are to be re-routed. The last two define the new target to which the packets are forwarded. From the drop-down list boxes, select the IP packet characteristics to be translated.
Pre DNAT Destination
Select the target host or target network (e.g., PPTP-Pool) and the corresponding Service (e.g., DNS, FTP, FTP-CONTROL) to be redirected. Note that a network can consist of one single address with net mask 255.255.255.255.
Post DNAT Destination
Select a host to which the IP packets are to be diverted. Only one host can be defined as the Post DNAT destination. Select a corresponding Service (e.g., DNS, FTP, FTP-CONTROL) to be redirected.
Important: If you are using a port range as the Post DNAT Service, you must enter the same Service definition as you entered in the Pre DNAT Service. In other words, you can only map one port range to the same port range.
Add, Edit, Delete
Click the Add button to save your choices. After saving the settings, a table is created. You can edit or delete entries by highlighting the desired entries and clicking either the Edit or Delete button listed under Command.
DNAT Example
Your internal (private) network has the address range 192.168.0.0/255.255.255.0. You now want to make a Web server that is running on port 80 of the server with the IP address 192.168.0.20 accessible to clients outside your LAN. These clients cannot contact its address directly, as the IP address is not routed in the Internet. It is, however, possible to contact an external address of your RouteFinder from the Internet. With DNAT, you can re-route port 80 on the RouteFinder’s external interface onto the Web server.
Note: To divert port 443 (HTTPS), you must change the value of the TCP port on the Administration > Administrative Access screen in the field Administrative Access HTTPS Port (e.g., port 444).
Examples of DNAT Network Combinations
You can map:
IP/Port ⇒ IP/Port
IP/Port-Range ⇒ IP/Port
IP/Port-Range ⇒ IP/Port-Range (only if the Port-Range is the same for PRE and POST)
IP-Range/Port ⇒ IP/Port
IP-Range/Port-Range ⇒ IP/Port
You cannot map:
IP ⇒ IP
IP-Range ⇒ IP
IP-Range ⇒ IP-Range
IP ⇒ IP-Range (load balancing)
The “way back” (return) translation is done automatically; you do not need a rule for it.
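The following Python model is an added example, not Multi-Tech's code and not part of the original guide. It ties together the Important Notes above, the Post DNAT port-range restriction, the table of allowed and disallowed combinations, and the Web-server example: validate_rule() rejects the rules the page says cannot be created, apply_dnat() rewrites a packet's destination the way a DNAT rule does, and filter_allows() shows why a packet filter rule has to name the already-translated address. The external address 203.0.113.1 and the rule and packet values are constructed for the example.

```python
"""Added example (not Multi-Tech's code): a model of the DNAT rules this page
describes. It encodes the stated constraints (no ANY/ANY/ANY rule, a port range
may only map onto the identical range, one Post DNAT host) and then translates
sample packets as in the page's Web-server example. 203.0.113.1 is a constructed
placeholder for the RouteFinder's external address."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# A Service is (protocol, first_port, last_port); a single port is (p, p).
# None stands for the "ANY" entry in the drop-down list.
Service = Optional[Tuple[str, int, int]]
# A packet is reduced to what DNAT looks at: (dst_ip, protocol, dst_port).
Packet = Tuple[str, str, int]


@dataclass(frozen=True)
class DnatRule:
    pre_network: Optional[IPv4Network]  # Pre DNAT network; None = ANY
    pre_service: Service                # Pre DNAT service; None = ANY
    post_host: IPv4Network              # Post DNAT destination, must be one host
    post_service: Service               # Post DNAT service; None = ANY


def _is_range(svc: Service) -> bool:
    return svc is not None and svc[1] != svc[2]


def validate_rule(rule: DnatRule) -> List[str]:
    """Return the reasons a rule would be rejected; an empty list means it is acceptable."""
    problems = []
    if rule.pre_network is None and rule.pre_service is None and rule.post_service is None:
        # Important Note 1: such a rule diverts every packet to the Post DNAT host.
        problems.append("Pre network, Pre service and Post service cannot all be ANY")
    if rule.pre_service is None and rule.post_service is None:
        # "You cannot map IP => IP": a port or port range must be named.
        problems.append("a Service is required; IP => IP mappings are not supported")
    if rule.post_host.prefixlen != 32:
        # "Only one host can be defined as the Post DNAT destination" (no load balancing).
        problems.append("Post DNAT destination must be a single host (mask 255.255.255.255)")
    if _is_range(rule.post_service) and rule.post_service != rule.pre_service:
        # Port-Range => Port-Range is allowed only when both ranges are identical.
        problems.append("a port range may only be mapped onto the identical port range")
    return problems


def _service_matches(svc: Service, proto: str, port: int) -> bool:
    return svc is None or (svc[0] == proto and svc[1] <= port <= svc[2])


def apply_dnat(rules: List[DnatRule], packet: Packet) -> Packet:
    """Rewrite the packet's destination using the first matching rule.

    Packets no rule matches pass through unchanged. The reverse ("way back")
    translation is not modelled because the device does it automatically.
    """
    dst_ip, proto, dst_port = packet
    for rule in rules:
        if rule.pre_network is not None and ip_address(dst_ip) not in rule.pre_network:
            continue
        if not _service_matches(rule.pre_service, proto, dst_port):
            continue
        new_ip = str(rule.post_host.network_address)
        if rule.post_service is None or _is_range(rule.post_service):
            new_port = dst_port                # ANY or identical range: port kept
        else:
            new_port = rule.post_service[1]    # mapped onto a single port
        return new_ip, proto, new_port
    return packet


def filter_allows(allow_list: List[Packet], packet: Packet) -> bool:
    """The packet filter runs AFTER DNAT, so its rules must name the translated address."""
    return packet in allow_list


# The page's example: port 80 on the external interface goes to the Web server.
WEB_RULE = DnatRule(
    pre_network=ip_network("203.0.113.1/32"),    # constructed external address
    pre_service=("tcp", 80, 80),
    post_host=ip_network("192.168.0.20/32"),     # Web server on the 192.168.0.0/24 LAN
    post_service=("tcp", 80, 80),
)


def demo() -> Tuple[Packet, bool, bool]:
    """Translate a client's packet and test it against two packet-filter rules."""
    translated = apply_dnat([WEB_RULE], ("203.0.113.1", "tcp", 80))
    # A filter rule written for the external address never sees the packet...
    wrong = filter_allows([("203.0.113.1", "tcp", 80)], translated)
    # ...the rule has to allow the already-translated destination instead.
    right = filter_allows([("192.168.0.20", "tcp", 80)], translated)
    return translated, wrong, right


if __name__ == "__main__":
    print(validate_rule(WEB_RULE))  # []
    print(demo())                   # (('192.168.0.20', 'tcp', 80), False, True)
```

The filter check is the point of Important Note 2: because translation happens first, a Packet Filter rule that allows traffic to the external address does not match the forwarded packet, while one that allows 192.168.0.20 port 80 does. The validator also shows why IP ⇒ IP-Range is refused (the Post DNAT host must be a /32) and why a Port-Range may only land on the identical Port-Range or on a single port.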