Sat With Nat - D-Link NetDefendOS User Manual

Generally, SAT can handle all protocols that allow address translation to take place. However,
there are protocols that can only be translated in special cases, and other protocols that cannot
be translated at all.
Protocols that are impossible to translate using SAT are most likely also impossible to translate
using NAT. Reasons for this include:
• The protocol cryptographically requires that the addresses are unaltered; this applies to
many VPN protocols.
• The protocol embeds its IP addresses inside the TCP or UDP level data, and subsequently
requires that, in some way or another, the addresses visible on IP level are the same as those
embedded in the data. Examples of this include FTP and logins to NT domains via NetBIOS.
• Either party is attempting to open new dynamic connections to the addresses visible to that
party. In some cases, this can be resolved by modifying the application or the firewall
configuration.
There is no definitive list of what protocols can or cannot be address translated. A general rule is
that VPN protocols cannot usually be translated. In addition, protocols that open secondary
connections in addition to the initial connection can be difficult to translate.

7.4.9. SAT with NAT

Sometimes a SAT rule will require an accompanying NAT rule instead of an Allow rule. Consider
the situation shown in the diagram below where a web server is on the same network as an
internal client instead of the server being in a separate DMZ. It is never recommended to do this
but it is a situation which illustrates where a NAT rule might be used with a SAT rule.
Assume the following IPv4 addresses:
• wan_ip (203.0.113.10): the firewall's public IPv4 address
Figure 7.6. SAT with NAT
603
Chapter 7: Address Translation