Nat And Snat; Port Triggering - ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual

Chapter 12 Policy and Static Routes
IPPR follows the existing packet filtering facility of RAS in style and in implementation.

12.2.1 NAT and SNAT

NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a
packet in one network to a different IP address in another network. Use SNAT (Source NAT)
to change the source IP address of packets from one network to a different IP address in another network.

12.2.2 Port Triggering

Some services use a dedicated range of ports on the client side and a dedicated range of ports
on the server side. With regular port forwarding, you set the port(s) and IP address to forward
a service (coming in from the remote server) to a client computer. The problem is that port
forwarding only forwards a service to a single IP address. In order to use the same service on a
different computer, you have to manually replace the client computer's IP address with the other
client computer's IP address.
Port triggering allows client computers to take turns using a service dynamically. Whenever
a client computer's packets match the routing policy, it can use the pre-defined port triggering
setting to connect to the remote server without a port forwarding rule having to be configured manually for
each client computer.
Port triggering is used especially when the remote server responds using a different port from
the port the client computer used to request the service. The ZyWALL records the IP address of
a client computer that sends traffic to a remote server to request a service (incoming service).
When the ZyWALL receives a new connection (trigger service) from the remote server, the
ZyWALL forwards the traffic to the IP address of the client computer that sent the request.
Note: You need to create a firewall rule to allow an incoming service before using a
port triggering rule.
In the following example, you configure two services for port triggering:
Incoming service: Game (UDP: 1234)
Trigger service: Game-1 (UDP: 5670-5678)
1. Computer A wants to play a multiplayer online game and tries to connect to game server
1 using port 1234. The ZyWALL records the IP address of computer A when the packets
match a policy with SNAT configured.
2. Game server 1 responds using a port number ranging between 5670 and 5678. The
ZyWALL allows the traffic and forwards it to computer A.
3. Computer A and game server 1 stay connected to each other until the connection is closed
or times out. Other computers (such as B or C) cannot connect to game server 1
using the same port triggering rule as computer A until the connection is closed or times
out, unless they use a different next hop (gateway, outgoing interface, VPN tunnel or
trunk) from computer A.
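The sequence above, as an added example that is not ZyXEL's code and not the ZyWALL's actual implementation: a minimal state table that records the requesting client per next hop and decides where a connection arriving from the server in the trigger range is forwarded. The idle timeout, the next-hop names and the client IP addresses are assumed values.

```python
from dataclasses import dataclass, field

# Constructed from the manual's example rule:
# incoming service Game (UDP 1234), trigger service Game-1 (UDP 5670-5678).
INCOMING_PORT = 1234
TRIGGER_RANGE = range(5670, 5679)
IDLE_TIMEOUT = 60.0  # assumed idle timeout in seconds, not a ZyWALL value


@dataclass
class PortTriggerTable:
    """Tracks which client currently holds the trigger rule on each next hop."""
    timeout: float = IDLE_TIMEOUT
    owners: dict = field(default_factory=dict)  # next_hop -> (client_ip, last_seen)

    def outbound(self, client_ip, dst_port, next_hop, now):
        """Client request towards the server. Record the client if the request
        matches the incoming service and nobody else holds the rule on this hop."""
        if dst_port != INCOMING_PORT:
            return False
        self._expire(now)
        owner = self.owners.get(next_hop)
        if owner is not None and owner[0] != client_ip:
            return False  # another client holds the rule until close or timeout
        self.owners[next_hop] = (client_ip, now)
        return True

    def inbound(self, server_port, next_hop, now):
        """New connection from the server. Return the client IP to forward to,
        or None when the port is outside the trigger range or no client is recorded."""
        self._expire(now)
        if server_port not in TRIGGER_RANGE:
            return None
        owner = self.owners.get(next_hop)
        if owner is None:
            return None
        self.owners[next_hop] = (owner[0], now)  # refresh the idle timer
        return owner[0]

    def close(self, next_hop):
        """Connection closed: release the rule so another client can use it."""
        self.owners.pop(next_hop, None)

    def _expire(self, now):
        """Drop entries whose idle time exceeds the timeout."""
        for hop, (_ip, seen) in list(self.owners.items()):
            if now - seen > self.timeout:
                del self.owners[hop]
```

A server connection on a port outside 5670-5678, or one arriving before any client has sent a matching request, is not forwarded, which is why the firewall rule for the incoming service must exist separately.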
226
ZyWALL USG 300 User's Guide
