beautypg.com

Static address translation, Translation of a single ip address (1:1), Section 7.3, “static address translation – D-Link DFL-2500 User Manual

Page 210

background image

7.3. Static Address Translation

NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are
transpositions, that is, each address or port is mapped to a corresponding address or port in the new
range, rather than translating them all to the same address or port. This functionality is known as
Static Address Translation (SAT).

Unlike NAT, SAT requires more than just a single SAT rule to function. NetDefendOS does not
terminate the rule set lookup upon finding a matching SAT rule. Instead, it continues to search for a
matching Allow, NAT or FwdFast rule. Only when it has found such a matching rule does
NetDefendOS execute the SAT rule.

7.3.1. Translation of a Single IP Address (1:1)

The simplest form of SAT usage is translation of a single IP address. A very common scenario for
this is to enable external users to access a protected server having a private address. This scenario is
also sometimes referred to as a Virtual IP or Virtual Server in some other manufacturer's products.

Example 7.3. Enabling Traffic to a Protected Web Server in a DMZ

In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web
server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address
object wan_ip (defined as 195.55.66.77) as IP address. The web server has the IP address 10.10.10.5 and is
reachable through the dmz interface.

CLI
First create a SAT rule:

gw-world:/> add IPRule Action=SAT Service=http SourceInterface=any

SourceNetwork=all-nets DestinationInterface=core
DestinationNetwork=wan_ip SATTranslate=DestinationIP
SATTranslateToIP=10.10.10.5 Name=SAT_HTTP_To_DMZ

Then create a corresponding Allow rule:

gw-world:/> add IPRule action=Allow Service=http SourceInterface=any

SourceNetwork=all-nets DestinationInterface=core
DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ

Web Interface

First create a SAT rule:

1.

Go to Rules > IP Rules > Add > IPRule

2.

Specify a suitable name for the rule, eg. SAT_HTTP_To_DMZ

3.

Now enter:

Action: SAT

Service: http

Source Interface: any

Source Network: all-nets

Destination Interface: core

Destination Network: wan_ip

4.

Under the SAT tab, make sure that the Destination IP Address option is selected

5.

In the New IP Address textbox, enter 10.10.10.5

6.

Click OK

7.3. Static Address Translation

Chapter 7. Address Translation

210