Introduction to NAT
77
Models 2603, 2621, and 2635 User Manual
7
• Security
unacknowledged SYN/ACK packets. Once the queue is full, the system will ignore all incoming SYN request
and no legitimate TCP connections can be established.
– Once the maximum number of unfinished TCP handshaking sessions is reached, an attempted DOS
attack is detected. The firewall blocks the suspected attacker for the time limit specified in the DOS
Attack Block Duration parameter.
– Maximum Ping Count:Default = 15
Sets the maximum number of pings per second that are allowed by the firewall before an Echo Storm is
detected. Echo Storm is a DOS attack. An attacker sends oversized ICMP datagrams to the system using the
‘ping’ command. This can cause the system to crash, freeze, or reboot, resulting in denial of service to legiti-
mate users.
– Maximum ICMP Count:Default = 100
Sets the maximum number of ICMP packets per second that are allowed by the firewall before an ICMP Flood
is detected. An ICMP Flood is a DOS attack. The attacker tries to flood the network with ICMP packets in
order to prevent transmission of legitimate network traffic.
4.
After selecting the chosen parameters, click on
Update
.
Introduction to NAT
The basic steps for configuring NAT are:
1.
Enable NAT between the internal and external interfaces of the firewall.
2.
Create global addresses which will be added to the global pool of IP addresses on the WAN interface.
3.
Create a reserved mapping between a global IP address and the IP address of an internal PC.
A Global Address Pool is a pool of addresses seen from the outside network. Each external interface creates a
Global Address Pool with a single address—the address assigned to that interface. For outbound sessions, an
address is picked from a pool by hashing the source IP address for a pool index and then hashing again for an
address index. For inbound sessions, it is necessary to create a reserved mapping.
A reserved mapping is used so that NAT knows where to route packets on inbound sessions. The reserved map-
ping will map a specific global address and port to an inside address and port. Reserved mappings can also be
used so that different inside hosts can share a global address by mapping different ports to different hosts. For
example, Host A is an FTP server and Host B is a web server. By mapping the FTP port to Host A and the
HTTP port to Host B, both insides hosts can share the same global address. Setting the protocol number to
255 (0xFF) means that the mapping will apply to all protocols.
Setting the port number to 65535 (0xFFFF) for
TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol.
Some applications embed address and/or port information in the payload of the packet. The most notorious of
these is FTP. For most applications, it is sufficient to create a trigger with address replacement enabled. How-
ever there are three applications for which a specific Application Level Gateway is provided: FTP, NetBIOS,
and DNS.
Enabling NAT
The configuration of NAT in this example follows on the preceding configuration completed earlier in this
chapter.
Содержание OnSite 2603
Страница 23: ...23 Chapter 2 Product Overview Chapter contents Introduction 24 Applications Overview 25...
Страница 38: ...38 Chapter 4 Ethernet LAN Port Chapter contents Introduction 39 LAN Connections 39 Ethernet Port 39...
Страница 120: ...120 Appendix C Cable Recommendations Chapter contents Ethernet Cable 121 Adapter 121...