Address Translation; Dynamic Network Address Translation - D-Link NetDefend DFL-210 User Manual

Chapter 7. Address Translation
This chapter describes NetDefendOS address translation capabilities.
• Dynamic Network Address Translation, page 204
• NAT Pools, page 207
• Static Address Translation, page 210
The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link
Firewall is known as address translation. NetDefendOS supports two types of translation: Dynamic
Network Address Translation (NAT) and Static Address Translation (SAT). Both translations are
policy-based meaning that they can be applied to specific traffic based on source/destination
network/interface as well as service. Two types of IP rules, NAT rules and SAT rules, are used to
specify address translation within the IP rule set.
There are two main reasons for employing address translation:
• Functionality. Perhaps you use private IP addresses on your protected network and your
protected hosts to have access to the Internet. This is where dynamic address translation may be
used. You might also have servers with private IP addresses that need to be publicly accessible.
This is where static address translation may be the solution.
• Security. Address translation does not, in itself provide any greater level of security, but it can
make it more difficult for intruders to understand the exact layout of the protected network and
which machines are susceptible to attack. In the worst case scenario, employing address
translation will mean that an attack will take longer, which will also make it more visible in
NetDefendOS's log files. In the best-case scenario, an intruder will just give up.
This section describes dynamic as well as static address translation, how they work and what they
can and cannot do. It also provides examples of configuring NAT and SAT rules.

7.1. Dynamic Network Address Translation

Dynamic Network Address Translation (NAT) provides a mechanism for translating original source
IP addresses to a different addresses. The most common usage for NAT is when using private IP
addresses in an internal network and it is desirable that outbound connections appear as though they
originate from the D-Link Firewall itself instead of the internal addresses.
NAT is a many-to-one translation, meaning that each NAT rule will translate several source IP
addresses into a single source IP address. To maintain session state information, each connection
from dynamically translated addresses must use a unique port number and IP address combination
as its sender. Therefore, NetDefendOS will perform an automatic translation of the source port
number as well. The source port used will be the next free port, usually one above 32768. This
means that there is a limitation of about 30000 simultaneous connections using the same translated
source IP address.
NetDefendOS supports two strategies for how to translate the source address:
Use Interface Address
Specify Sender Address
When a new connection is established, the routing table is
consulted to resolve the egress interface for that connection. The
IP address of that resolved interface is then being used as the
new source IP address when NetDefendOS performs the address
translation.
A specific IP address can be specified as the new source IP
address. The specified IP address needs to have a matching ARP
204