Address Translation; Dynamic Address Translation (Nat) - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

Chapter 7. Address Translation
This chapter describes NetDefendOS address translation capabilities.
• Dynamic Address Translation (NAT), page 161
• Static Address Translation (SAT), page 164
NetDefendOS supports two types of address translation: Dynamic Address Translation (NAT) and Static Address Translation (SAT). Both types of translation are policy-based, and can thus be applied to any type of traffic through the system. Two specific types of rules, NAT and SAT rules, are used to specify address translation policies within the standard IP rule-set.
There are two main reasons for employing address translation:
Functionality. Perhaps you use private IP addresses on your protected network and want your protected hosts to have access to the Internet. This is where dynamic address translation may be used. You might also have servers with private IP addresses that need to be publicly accessible. This is where static address translation may be of assistance.
Security. Address translation does not, in itself, provide any greater level of security, but it can make it more difficult for intruders to understand the exact layout of your protected network and which machines are susceptible to attack. In the worst-case scenario, employing address translation will mean that an intruder's attack will take longer, which will also make him more visible in the firewall's log files. In the best-case scenario, the intruder will just give up.
This section describes dynamic as well as static address translation, how they work and what they
can and cannot do. It also provides examples of what NAT and SAT rules can look like.

7.1. Dynamic Address Translation (NAT)

Dynamic Address Translation (hereinafter referred to as NAT) provides a method for translating the original source IP address to a different address. The most common usage for NAT is when you are using private IP addresses on one of your internal networks, and would like the outbound connections to appear as if they are originating from the D-Link Firewall itself.
NAT is a many-to-one translation, meaning that each NAT rule will translate several source IP addresses into a single source IP address. To maintain session state information, each connection from dynamically translated addresses must use a unique port number and IP address combination as its sender. Therefore, NetDefendOS will perform an automatic translation of the source port number as well. The source port used will be the next free port, usually one above 32768. This means that there is a limitation of about 30000 simultaneous connections using the same translated source IP address.
NetDefendOS supports two strategies for how to translate the source address:

Use Interface Address: When a new connection is established, the routing table is consulted to resolve the egress interface for that connection. The IP address of that resolved interface is then used as the new source IP address when NetDefendOS performs the address translation.

Specify Sender Address: A specific IP address can be specified as the new source IP address. The specified IP address needs to have a matching ARP Publish entry configured for the egress interface. Otherwise, the return traffic will not be received by the D-Link Firewall.

The following example illustrates how NAT is applied in practice on a new connection:
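As an added illustration (not from the D-Link manual or NetDefendOS itself), the Python model below reproduces the behaviour the text describes: a many-to-one NAT table that takes the new source address either from the egress interface found in the routing table or from a specified sender address that must carry an ARP Publish entry, and gives every connection a unique translated (address, port) pair from a pool starting at 32768 so that return traffic can be mapped back. The routing entries, addresses and the upper bound of the port pool are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
# Translated source-port pool; the manual only says "usually one above 32768", the upper bound is assumed.
PORT_FIRST, PORT_LAST = 32768, 65535
POOL_SIZE = PORT_LAST - PORT_FIRST + 1

@dataclass
class NatRule:
    """sender_address=None means 'Use Interface Address'; otherwise 'Specify Sender Address'."""
    sender_address: Optional[str] = None
    arp_published: Set[str] = field(default_factory=set)  # ARP Publish entries on the egress interface

@dataclass
class NatTable:
    routes: Dict[str, str]  # destination network -> address of the egress interface (constructed)
    # (translated ip, translated port) -> original (src ip, src port, dst ip, dst port)
    sessions: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    next_port: Dict[str, int] = field(default_factory=dict)

    def egress_address(self, dst_ip: str) -> str:
        """Longest-prefix match: which interface will this new connection leave through?"""
        dst = ipaddress.ip_address(dst_ip)
        matches = [ipaddress.ip_network(n) for n in self.routes if dst in ipaddress.ip_network(n)]
        if not matches:
            raise LookupError(f"no route to {dst_ip}")
        return self.routes[str(max(matches, key=lambda n: n.prefixlen))]

    def translate(self, rule: NatRule, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Apply a NAT rule to a new connection; returns the translated (ip, port) sender."""
        if rule.sender_address is None:
            new_ip = self.egress_address(dst_ip)
        elif rule.sender_address not in rule.arp_published:
            raise ValueError(f"{rule.sender_address} has no ARP Publish entry; return traffic would be lost")
        else:
            new_ip = rule.sender_address
        # Many-to-one: every session must own a unique (ip, port) pair, so the port is translated too.
        port = self.next_port.get(new_ip, PORT_FIRST)
        for _ in range(POOL_SIZE):
            if (new_ip, port) not in self.sessions:
                break
            port = PORT_FIRST + (port - PORT_FIRST + 1) % POOL_SIZE
        else:
            raise RuntimeError(f"all {POOL_SIZE} translated source ports on {new_ip} are in use")
        self.sessions[(new_ip, port)] = (src_ip, src_port, dst_ip, dst_port)
        self.next_port[new_ip] = PORT_FIRST + (port - PORT_FIRST + 1) % POOL_SIZE
        return new_ip, port

    def reverse(self, new_ip: str, new_port: int):  # returning packet -> original sender, or None
        return self.sessions.get((new_ip, new_port))
```

Filling the pool for one translated address shows the connection ceiling the text mentions: once every port above 32768 is in use, the next connection through that address cannot be translated.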
161