•
lan_ip (10.0.0.1): the local network's private IPv4 address
•
wwwsrv_ip (10.0.0.2): the web server's private IPv4 address
•
client_ip (10.0.0.3): the local client's private IPv4 address
The Problem
If a
SAT
rule is created as before with an
Allow
rule, the rule set would be as follows:
# Action
Src Iface
Src Net
Dest Iface Dest Net
Service
SAT Action
1 SAT
any
all-nets
core
wan_ip
http-all
Destination IP: wwwsrv_ip Port: 80
2 Allow
any
all-nets
core
wan_ip
http-all
However, this will not work for clients on the same network as the web server. The reason is that
when such a client receives the reply, the source address will not match the IP address to which
the request was sent. This results in the client ignoring the reply. This is because of the following
sequence of events:
1.
The local client performs a public DNS lookup for the web server IP and then sends an HTTP
request to
wan_ip
to reach the web server.
10.0.0.3:1038 => 203.0.113.10:80
2.
NetDefendOS translates the address in accordance with
SAT
rule 1 and forwards the packet
in accordance with
Allow
rule 2:
10.0.0.3:1038 => 10.0.0.2:80
3.
The server at
wwwsrv_ip
processes the packet and replies:
10.0.0.2:80 => 10.0.0.3:1038
The reply will be sent directly to the client across the local network, bypassing the firewall.
4.
The client expects a reply from
203.0.113.10:80
and not
10.0.0.2:80
. so the response is
discarded and the client continues to wait for a response from
203.0.113.10:80
, which will
never arrive.
The Solution is Using SAT with NAT
In order that the reply from the web server has the expected source IP address when it arrives at
the client, a
NAT
rule has to be added as shown below:
# Action
Src Iface
Src Net
Dest Iface Dest Net
Service
SAT Action
1 SAT
any
all-nets
core
wan_ip
http-all
Destination IP: wwwsrv_ip
2 NAT
lan
lan_net
core
wan_ip
http-all
3 Allow
any
all-nets
core
wan_ip
http-all
The order of events now becomes:
1.
The client sends traffic to
wan_ip
in order to reach the webserver:
10.0.0.3:1038 => 203.0.113.10:80
2.
NetDefendOS translates the connection in accordance with rule 1 to change the destination
Chapter 7: Address Translation
604
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...