beautypg.com

Port translation, Protocols handled by sat – D-Link DFL-2500 User Manual

Page 216

background image

NetDefendOS can be used to translate ranges and/or groups into just one IP address.

#

Action Src Iface

Src Net

Dest Iface

Dest Net

Parameters

1

SAT

any

all-nets

core

194.1.2.16-194.1.2.20,
194.1.2.30

http

SETDEST

all-to-one

192.168.0.50 80

This rule produces a N:1 translation of all addresses in the group (the range 194.1.2.16 - 194.1.2.20
and 194.1.2.30) to the IP 192.168.0.50.

Attempts to communicate with 194.1.2.16, port 80, will result in a connection to 192.168.0.50

Attempts to communicate with 194.1.2.30, port 80, will result in a connection to 192.168.0.50

Note

When all-nets is the destination, All-to-One mapping is always done.

7.3.4. Port Translation

Port Translation, also known as Port Address Translation (PAT), can be used to modify the source
or destination port.

#

Action Src Iface

Src Net

Dest Iface

Dest Net

Parameters

1

SAT

any

all-nets

core

wwwsrv_pub

TCP 80-85 SETDEST 192.168.0.50 1080

This rule produces a 1:1 translation of all ports in the range 80 - 85 to the range 1080 - 1085.

Attempts to communicate with the web servers public address, port 80, will result in a
connection to the web servers private address, port 1080.

Attempts to communicate with the web servers public address, port 84, will result in a
connection to the web servers private address, port 1084.

Note

In order to create a SAT Rule that allows port transation, a Custom Service must be
used with the SAT Rule.

7.3.5. Protocols handled by SAT

Generally, static address translation can handle all protocols that allow address translation to take
place. However, there are protocols that can only be translated in special cases, and other protocols
that simply cannot be translated at all.

Protocols that are impossible to translate using SAT are most likely also impossible to translate
using NAT. Reasons for this include:

The protocol cryptographically requires that the addresses are unaltered; this applies to many
VPN protocols.

The protocol embeds its IP addresses inside the TCP or UDP level data, and subsequently
requires that, in some way or another, the addresses visible on IP level are the same as those
embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS.

Either party is attempting to open new dynamic connections to the addresses visible to that
party. In some cases, this can be resolved by modifying the application or the firewall

7.3.4. Port Translation

Chapter 7. Address Translation

216