Using an IP Policy for SAT - D-Link NetDefendOS User Manual

Network security firewall

Return traffic from wwwsrv will match rules 2 and 3. The replies will therefore be dynamically
address translated. This changes the source port to a different port, which is incorrect.

The correct set of IP rules that will provide the desired effect is the following:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Service       SAT Action
1  SAT      any        all-nets  core        wan_ip    http-all      Destination IP: wwwsrv
2  SAT      lan        wwwsrv    any         all-nets  http-all      Source IP: wan_ip
3  FwdFast  lan        wwwsrv    any         all-nets  http-all
4  NAT      lan        lan_net   any         all-nets  all_services
5  FwdFast  any        all-nets  core        wan_ip    http-all

These rules will yield the following actions:

External traffic to wan_ip will match rules 1 and 5 and will be sent to wwwsrv.

Return traffic from wwwsrv will match rules 2 and 3. Rule 3 must be placed above the NAT rule:
IP rules are evaluated top-down and the first non-SAT rule that matches decides how the packet
is forwarded, so if the NAT rule came first the replies would be dynamically translated and
given a new source port, which is exactly the fault in the previous rule set.

Internal traffic to wan_ip will match rules 1 and 4, and will be sent to wwwsrv. The sender
address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic
passes through the NetDefend Firewall.

Return traffic will automatically be handled by the NetDefend Firewall's stateful inspection
mechanism.

7.4.7. Using an IP Policy for SAT

An alternative to using two IP rules for SAT is to use a single IP Policy object. This simplifies the
SAT definition process as well as allowing other features such as application control,
authentication and traffic shaping to be more easily associated with the rule.

When creating a SAT policy, the policy is either for source or destination translation, or both. The
way the translation functions for the source and/or destination address is determined by
specifying one or both of the following actions:

Address Action
This determines how the IP address is translated and can be one of the following:
i. Single IP - Either a single original IP or a range/network is translated to the single new IP
address specified. This yields either a one-to-one or a many-to-one IP address translation.
ii. Transposed - This yields a many-to-many translation where each address in the original
range/network is transposed to a new range/network, using the specified new IP address as the
base address for the transposition.

Port Action
This determines how the port is translated and can be one of the following:
i. None - No port translation takes place.
ii. Single Port - This is used for a one-to-one translation to the new port number specified.

601
Chapter 7: Address Translation
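The rule evaluation order behind the table above (a SAT rule records the translation, the next matching non-SAT rule decides forwarding) and the Single IP / Transposed address actions and None / Single Port port actions of a SAT IP Policy, modelled together as an added example. This is not code from the D-Link manual or from NetDefendOS; the address book, interface names and sample traffic are constructed, and the model leaves service/port matching out, which is enough to show why the FwdFast rule for wwwsrv has to sit above the NAT rule.

```python
"""NetDefendOS-style IP rule evaluation with SAT, plus SAT IP Policy actions.
Added example, not code from the D-Link manual or NetDefendOS. It models what the
text describes: rules are matched top-down on the original (untranslated) packet;
a matching SAT rule only records the translation and evaluation continues until a
non-SAT rule matches and decides forwarding (the manual's "matches rules 1 and 5").
Service/port matching is left out; interfaces and networks suffice to show ordering.
Addresses, interface names and traffic below are constructed (RFC 5737 / RFC 1918).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address book standing in for the manual's symbolic address names.
ADDR = {
    "all-nets": ip_network("0.0.0.0/0"),
    "wan_ip": ip_network("198.51.100.10/32"),
    "lan_net": ip_network("192.168.1.0/24"),
    "wwwsrv": ip_network("192.168.1.80/32"),
}

@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on
    src: str
    out_iface: str   # interface the destination routes to; "core" is the firewall itself
    dst: str

@dataclass(frozen=True)
class Rule:
    num: int
    action: str      # "SAT", "FwdFast", "NAT", ...
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    service: str     # informational only in this model
    sat_action: str = ""

def matches(rule, pkt):
    def iface_ok(r, p):
        return r == "any" or r == p
    return (iface_ok(rule.src_iface, pkt.in_iface) and iface_ok(rule.dst_iface, pkt.out_iface)
            and ip_address(pkt.src) in ADDR[rule.src_net]
            and ip_address(pkt.dst) in ADDR[rule.dst_net])

def evaluate(rules, pkt):
    """Return (SAT rule number or None, forwarding rule number or None, action).
    Model assumption: only the first matching SAT rule is recorded, later rules
    are still matched on the untranslated packet, and no non-SAT match means Drop.
    """
    sat_num = None
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "SAT":
            sat_num = r.num if sat_num is None else sat_num
            continue
        return sat_num, r.num, r.action
    return sat_num, None, "Drop"

# The corrected rule set from the table above.
CORRECT = [
    Rule(1, "SAT", "any", "all-nets", "core", "wan_ip", "http-all", "Destination IP: wwwsrv"),
    Rule(2, "SAT", "lan", "wwwsrv", "any", "all-nets", "http-all", "Source IP: wan_ip"),
    Rule(3, "FwdFast", "lan", "wwwsrv", "any", "all-nets", "http-all"),
    Rule(4, "NAT", "lan", "lan_net", "any", "all-nets", "all_services"),
    Rule(5, "FwdFast", "any", "all-nets", "core", "wan_ip", "http-all"),
]
# NAT rule moved above the FwdFast rule for wwwsrv: constructed to reproduce the fault
# where the server's replies are dynamically translated and get a new source port.
MISORDERED = [CORRECT[0], CORRECT[1], CORRECT[3], CORRECT[2], CORRECT[4]]

# Constructed traffic: an external client, the server's reply to it, an internal client.
FLOWS = {
    "external": Packet("wan", "203.0.113.7", "core", "198.51.100.10"),
    "return": Packet("lan", "192.168.1.80", "wan", "203.0.113.7"),
    "internal": Packet("lan", "192.168.1.50", "core", "198.51.100.10"),
}

# SAT IP Policy address and port actions (section 7.4.7); networks only, not ranges.
def translate_address(addr, orig_net, address_action, new_ip):
    """Single IP: every address in orig_net maps to new_ip (1:1 or N:1).
    Transposed: keep the address's offset within orig_net, rebased onto new_ip (N:N)."""
    a, net = ip_address(addr), ip_network(orig_net)
    if a not in net:
        raise ValueError(f"{addr} is outside {orig_net}")
    if address_action == "Single IP":
        return ip_address(new_ip)
    if address_action == "Transposed":
        return ip_address(int(ip_address(new_ip)) + (int(a) - int(net.network_address)))
    raise ValueError(f"unknown address action {address_action!r}")

def translate_port(port, port_action, new_port=None):
    """None: port unchanged. Single Port: every port maps to new_port (1:1)."""
    if port_action == "None":
        return port
    if port_action == "Single Port" and new_port is not None:
        return new_port
    raise ValueError(f"invalid port action {port_action!r} with new port {new_port!r}")
```

Calling evaluate(CORRECT, pkt) for the three flows gives (1, 5, "FwdFast"), (2, 3, "FwdFast") and (1, 4, "NAT"), the three cases the text lists. With MISORDERED the server's reply gives (2, 4, "NAT"): the NAT rule now wins and the reply would leave with a rewritten source port, which is the fault of the earlier rule set. For the IP Policy actions, a Transposed translation of 203.0.113.5 within 203.0.113.0/28 onto the base address 10.0.0.16 yields 10.0.0.21, while Single IP collapses every address in the network onto the one new address.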
