SAT; Translation of a Single IP Address (1:1); Enabling Traffic to a Protected Web Server in a DMZ - D-Link DFL-1660 User Manual

7.3. SAT

NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are
transpositions: each address or port is mapped to a corresponding address or port in the new range,
rather than all of them being translated to the same address or port. In NetDefendOS this
functionality is known as Static Address Translation (SAT).
SAT Requires Multiple IP Rules
Unlike NAT, SAT requires more than just a single IP rule to be defined. A SAT rule must first be
added to specify the address translation but NetDefendOS does not terminate the rule set lookup
upon finding a matching SAT rule. Instead, it continues to search for a matching Allow, NAT or
FwdFast rule. Only when it has found such a matching rule does NetDefendOS execute the original
SAT rule.
The SAT rule only defines the translation that is to take place. A second, associated rule, such as an
Allow rule, must exist to actually allow the traffic to pass through the firewall.
The Second Rule Must Trigger on the Untranslated Destination IP
An important principle to keep in mind when creating the IP rules for SAT is that the second rule,
for example an Allow rule, must trigger on the untranslated destination IP address. A common
mistake is to create a rule which triggers on the translated address given by the SAT rule.
For example, if a SAT rule translates the destination from 1.1.1.1 to 2.2.2.2 then the second
associated rule should allow traffic to pass to the destination 1.1.1.1 and not 2.2.2.2.
Only after the second rule has triggered and allowed the traffic does NetDefendOS perform the route
lookup, on the translated address, to work out which interface the packets should be sent from.
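To make the lookup order concrete, here is an added Python model of how NetDefendOS processes a SAT rule followed by a second rule; it is an illustration written for this section, not NetDefendOS code, and the Rule fields, the interface names wan, core and dmz, and the lookup function are assumptions of the model. It shows that an Allow rule matching the translated address 2.2.2.2 never fires, so the traffic is dropped, while a SAT rule on its own never passes traffic either.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                 # "SAT", "Allow", "NAT", "FwdFast" or "Drop"
    src_if: str                 # SourceInterface ("any" matches all)
    dst_if: str                 # DestinationInterface ("any" matches all)
    dst_net: str                # DestinationNetwork, matched BEFORE translation
    translate_to: Optional[str] = None   # SAT only: new destination IP


PASS_ACTIONS = {"Allow", "NAT", "FwdFast"}


def matches(rule: Rule, src_if: str, dst_if: str, dst_ip: str) -> bool:
    return (rule.src_if in ("any", src_if)
            and rule.dst_if in ("any", dst_if)
            and rule.dst_net in ("all-nets", dst_ip))


def lookup(rules: List[Rule], src_if: str, dst_if: str,
           dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, destination IP used for the route lookup)."""
    sat: Optional[Rule] = None
    for rule in rules:
        if not matches(rule, src_if, dst_if, dst_ip):
            continue
        if rule.action == "SAT":
            # A matching SAT rule does not end the lookup: remember it, go on.
            if sat is None:
                sat = rule
            continue
        if rule.action in PASS_ACTIONS:
            # Second rule matched on the untranslated destination; only now is
            # the SAT rule executed and the route lookup done on the new address.
            return rule.action, (sat.translate_to if sat else dst_ip)
        return "Drop", None            # an explicit Drop rule ends the lookup
    return "Drop", None                # nothing allowed the traffic: default drop


# Constructed rule sets using the addresses from the paragraph above; the
# public address 1.1.1.1 is the firewall's own, so its destination interface
# is core (assumption of this model).
PUBLIC, SERVER = "1.1.1.1", "2.2.2.2"
SAT_RULE = Rule("SAT", "any", "core", PUBLIC, translate_to=SERVER)
CORRECT = [SAT_RULE, Rule("Allow", "any", "core", PUBLIC)]   # triggers on 1.1.1.1
MISTAKE = [SAT_RULE, Rule("Allow", "any", "dmz", SERVER)]    # triggers on 2.2.2.2
```

Run lookup(CORRECT, "wan", "core", PUBLIC) and lookup(MISTAKE, "wan", "core", PUBLIC) for a packet arriving from the Internet to compare the two rule sets.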

7.3.1. Translation of a Single IP Address (1:1)

The simplest form of SAT usage is translation of a single IP address. A very common scenario for
this is to enable external users to access a protected server that has a private address. This scenario is
also sometimes referred to as a Virtual IP or Virtual Server in other manufacturers' products.
Example 7.3. Enabling Traffic to a Protected Web Server in a DMZ
In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web
server located in a DMZ. The NetDefend Firewall is connected to the Internet through the wan interface, whose IP
address is the address object wan_ip (defined as 195.55.66.77). The web server has the IP address 10.10.10.5
and is reachable through the dmz interface.
CLI
First, change the current category to be the main IP rule set:
gw-world:/> cc IPRuleSet main
Next, create a SAT IP rule:
gw-world:/main> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core

Note: Port forwarding
Some network equipment vendors use the term "port forwarding" when referring to
SAT. Both terms are referring to the same functionality.

Chapter 7. Address Translation
