Chapter 12 Policy and Static Routes
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
12.2.1 NAT and SNAT
NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a
packet in one network to a different IP address in another network. Use SNAT (Source NAT)
to change the source IP address of packets from one network to a different IP address in another network.
12.2.2 Port Triggering
Some services use a dedicated range of ports on the client side and a dedicated range of ports
on the server side. With regular port forwarding, you set the port(s) and IP address to forward
a service (coming in from the remote server) to a client computer. The problem is that port
forwarding only forwards a service to a single IP address. In order to use the same service on a
different computer, you have to manually replace the client computer's IP address with another
client computer's IP address.
Port triggering allows client computers to take turns using a service dynamically. Whenever
a client computer's packets match the routing policy, it can use the pre-defined port triggering
setting to connect to the remote server without manually configuring a port forwarding rule for
each client computer.
Port triggering is used especially when the remote server responds using a different port from
the port the client computer used to request a service. The ZyWALL records the IP address of
a client computer that sends traffic to a remote server to request a service (incoming service).
When the ZyWALL receives a new connection (trigger service) from the remote server, the
ZyWALL forwards the traffic to the IP address of the client computer that sent the request.
You need to create a firewall rule to allow an incoming service before using a
port triggering rule.
In the following example, you configure two services for port triggering:
Incoming service: Game (UDP: 1234)
Trigger service: Game-1 (UDP: 5670-5678)
1 Computer A wants to play a multiplayer online game and tries to connect to game server
1 using port 1234. The ZyWALL records the IP address of computer A when the packets
match a policy with SNAT configured.
2 Game server 1 responds using a port number ranging between 5670 - 5678. The
ZyWALL allows and forwards the traffic to computer A.
3 Computer A and game server 1 are connected to each other until the connection is closed
or times out. Any other computers (such as B or C) cannot connect to remote server 1
using the same port triggering rule as computer A unless they are using a different next
hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the
connection is closed or times out.
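The following is an added example, not code from ZyXEL or the ZyWALL firmware: a small Python simulation of the SNAT policy route and port triggering rule described above, using the guide's own services (Game on UDP 1234, Game-1 on UDP 5670-5678). The server address 203.0.113.10, the SNAT address 198.51.100.1, the next-hop names, the idle timeout and the matching of the trigger service against the destination port of the server's packets are all constructed assumptions. It shows why the trigger table binds one client per server and next hop, why a second client on the same next hop must wait until the first connection is closed or times out, and why the firewall must allow the trigger service before any triggered traffic can reach the client.

```python
# Added example (not ZyXEL code): simulation of one SNAT policy route plus one
# port triggering rule. Addresses, next-hop names and the timeout are constructed.
from __future__ import annotations
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    first_port: int
    last_port: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.first_port <= port <= self.last_port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class TriggerEntry:
    client_ip: str
    last_seen: float


# The guide's example services: the client requests the game on UDP 1234
# (incoming service); the server answers on UDP 5670-5678 (trigger service).
INCOMING = Service("Game", "udp", 1234, 1234)
TRIGGER = Service("Game-1", "udp", 5670, 5678)


class PortTriggeringGateway:
    """Models a ZyWALL-style policy route with SNAT and a port triggering rule."""

    def __init__(self, incoming: Service, trigger: Service, snat_ip: str,
                 firewall_allows_trigger: bool = True, timeout: float = 60.0):
        self.incoming = incoming
        self.trigger = trigger
        self.snat_ip = snat_ip
        self.firewall_allows_trigger = firewall_allows_trigger
        self.timeout = timeout          # constructed idle timeout in seconds
        # (server_ip, next_hop) -> client that currently owns the trigger rule
        self.table: dict[tuple[str, str], TriggerEntry] = {}

    def _active(self, key: tuple[str, str], now: float) -> TriggerEntry | None:
        entry = self.table.get(key)
        if entry is None:
            return None
        if now - entry.last_seen > self.timeout:
            del self.table[key]         # idle connection timed out: rule is free again
            return None
        return entry

    def outbound(self, pkt: Packet, next_hop: str, now: float | None = None):
        """Client -> server. Returns (SNAT'd packet, trigger state)."""
        now = time.monotonic() if now is None else now
        translated = Packet(self.snat_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if not self.incoming.matches(pkt.proto, pkt.dport):
            return translated, "no-trigger"   # plain SNAT, nothing recorded
        key = (pkt.dst, next_hop)
        entry = self._active(key, now)
        if entry is None:
            self.table[key] = TriggerEntry(pkt.src, now)   # record the requesting client
            return translated, "bound"
        if entry.client_ip == pkt.src:
            entry.last_seen = now
            return translated, "bound"
        # Another client already owns this rule for this server and next hop (step 3).
        return translated, "busy"

    def inbound(self, pkt: Packet, next_hop: str, now: float | None = None):
        """Server -> ZyWALL. Returns the client IP to forward to, or None to drop."""
        now = time.monotonic() if now is None else now
        if pkt.dst != self.snat_ip or not self.trigger.matches(pkt.proto, pkt.dport):
            return None                 # not the trigger service: ordinary inbound handling
        if not self.firewall_allows_trigger:
            return None                 # no firewall rule for the trigger service yet
        entry = self._active((pkt.src, next_hop), now)
        if entry is None:
            return None                 # unsolicited: no client requested this service
        entry.last_seen = now
        return entry.client_ip

    def close(self, server_ip: str, next_hop: str) -> None:
        """Connection closed: release the rule for this server and next hop."""
        self.table.pop((server_ip, next_hop), None)
```

Passing `now` explicitly makes the timeout behaviour testable without sleeping; in a real gateway the clock would be the system time. Inbound packets to the trigger range that arrive with no recorded requester are dropped rather than forwarded, which is the property that keeps the triggered opening from becoming a standing port forward.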
226
ZyWALL USG 300 User's Guide