7.4.7. SAT and FwdFast Rules
We will now try moving the NAT rule between the SAT and FwdFast rules:
#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All SETSRC wan_ip 80
3  NAT      lan        lannet    any         all-nets  All
4  FwdFast  any        all-nets  core        wan_ip    http
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
What happens now?
• External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct.
• Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work.
The problem can be solved using the following rule set:
#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All SETSRC wan_ip 80
3  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
4  NAT      lan        lannet    any         all-nets  All
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
• External traffic to wan_ip:80 will match rules 1 and 5 and will be sent to wwwsrv.
• Return traffic from wwwsrv:80 will match rules 2 and 3.
• Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall.
• Return traffic will automatically be handled by the NetDefend Firewall's stateful inspection mechanism.
315
Chapter 7. Address Translation
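The rule lookup described in this section, as an added example that is not part of the manual: a small Python simulator that notes the first matching SAT rule, keeps scanning to the next matching NAT or FwdFast rule, and shows that with the first rule set the reply from wwwsrv:80 is dynamically translated to a new source port, while with the second rule set it leaves as wan_ip:80 unchanged. The address book values, interface names, firewall interface addresses and the port counter are constructed assumptions; the two rule sets are transcribed from the tables above.

```python
import ipaddress
from itertools import count

# Constructed address book and firewall interface addresses (assumptions, not from the manual).
NETS = {n: ipaddress.ip_network(c) for n, c in [("all-nets", "0.0.0.0/0"),
        ("lannet", "192.168.1.0/24"), ("wwwsrv", "192.168.1.10/32"), ("wan_ip", "203.0.113.1/32")]}
FW_IP = {"lan": "192.168.1.1", "wan": "203.0.113.1"}  # firewall's own address per interface
_ephemeral = count(40000)  # stand-in for the new source port a NAT rule allocates

# Service column: "http" = dest port 80, "80 -> All" = source port 80, None = All.
# Rule tuple: (action, src_iface, src_net, dst_iface, dst_net, service, SAT operation)
RULESET_A = [  # first table above: NAT between the SAT and FwdFast rules
    ("SAT", "any", "all-nets", "core", "wan_ip", ("dport", 80), ("SETDEST", "wwwsrv", 80)),
    ("SAT", "lan", "wwwsrv", "any", "all-nets", ("sport", 80), ("SETSRC", "wan_ip", 80)),
    ("NAT", "lan", "lannet", "any", "all-nets", None, None),
    ("FwdFast", "any", "all-nets", "core", "wan_ip", ("dport", 80), None),
    ("FwdFast", "lan", "wwwsrv", "any", "all-nets", ("sport", 80), None)]
RULESET_B = [RULESET_A[i] for i in (0, 1, 4, 2, 4)]  # second table above

def route(ip):  # interface a destination is reached on; the firewall's own wan_ip is "core"
    a = ipaddress.ip_address(ip)
    return "core" if a in NETS["wan_ip"] else "lan" if a in NETS["lannet"] else "wan"

def matches(rule, pkt):
    _, si, sn, di, dn, svc, _ = rule
    ok = (si in ("any", pkt["si"]) and di in ("any", route(pkt["dst"]))
          and ipaddress.ip_address(pkt["src"]) in NETS[sn]
          and ipaddress.ip_address(pkt["dst"]) in NETS[dn])
    return ok and (svc is None or pkt[svc[0]] == svc[1])

def evaluate(rules, pkt):
    """Connection's first packet: note the first matching SAT rule, keep scanning to the first
    matching non-SAT rule, apply SAT then NAT. Returns (rule numbers hit, action, packet)."""
    pkt, hits, sat = dict(pkt), [], None
    for n, rule in enumerate(rules, 1):
        action, sat_op = rule[0], rule[6]
        if (action == "SAT" and sat) or not matches(rule, pkt):
            continue
        hits.append(n)
        if action == "SAT":
            sat = sat_op
            continue
        if sat:  # static translation from the noted SAT rule (SETDEST -> dst/dport, SETSRC -> src/sport)
            op, net, port = sat
            side = "dst" if op == "SETDEST" else "src"
            pkt[side], pkt[side[0] + "port"] = str(NETS[net].network_address), port
        if action == "NAT":  # dynamic translation: egress interface address and a fresh port
            pkt["src"], pkt["sport"] = FW_IP[route(pkt["dst"])], next(_ephemeral)
        return hits, action, pkt
    return hits, "DROP", pkt
```

Calling evaluate(RULESET_A, reply) for a reply from wwwsrv:80 returns rules [2, 3] with action NAT and a source port other than 80, whereas evaluate(RULESET_B, reply) returns [2, 3] with FwdFast and the source left at wan_ip:80.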