Asus SL1000 User Manual: Tracking Connection State, Default ACL Rules, NAT Overview

Chapter 9. Configuring Firewall/NAT Settings

Internet Security Router User's Manual 46

9.1.3.2 Tracking Connection State

The stateful inspection engine in the firewall keeps track of the state, or progress, of a network connection. By
storing information about each connection in a state table, Internet Security Router is able to quickly determine
if a packet passing through the firewall belongs to an already established connection. If it does, it is passed
through the firewall without going through ACL rule evaluation.

For example, suppose an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1
sends an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply back to
192.168.1.1. In the Internet Security Router, you don't need to create another inbound ACL rule for the reply,
because the stateful packet inspection engine remembers the connection state and allows the ICMP echo reply to pass
through the firewall.

9.1.4 Default ACL Rules

The Internet Security Router supports three types of default access rules:

• Inbound Access Rules: for controlling incoming access to computers on your LAN.
• Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.
• Self Access Rules: for controlling access to the Internet Security Router itself.

Default Inbound Access Rules

No default inbound access rule is configured. That is, all traffic from external hosts to the internal hosts is
denied.

Default Outbound Access Rules

The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external
network using NAT.

WARNING

Do not remove the default ACL rule from the ACL rule table. To change
the default behaviour, create higher priority ACL rules that override
the default rule instead.
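The following is an added example (not the Internet Security Router's own code or configuration format) that models sections 9.1.3.2 and 9.1.4 together: an ordered ACL table containing the default outbound rule, an implicit inbound deny, and a state table that lets replies of an already allowed connection bypass rule evaluation. The Packet and Rule fields, the priority numbering and the addresses are assumptions chosen to mirror the manual's ping scenario and its advice to override rather than delete the default rule.

```python
"""Toy stateful packet filter: an ordered ACL that is consulted only for
packets which do not belong to a connection already in the state table.

Added example, not the Internet Security Router's own code. The Packet/Rule
fields, the priority scheme and the sample addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "icmp", "tcp" or "udp"
    direction: str    # "outbound" (LAN -> WAN) or "inbound" (WAN -> LAN)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: str          # CIDR network the source must fall in
    dst: str          # CIDR network the destination must fall in
    proto: str        # "any" or a protocol name
    action: str       # "allow" or "deny"
    priority: int     # lower number = evaluated first


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto))


# The manual's defaults: one outbound rule forwarding all LAN traffic, and no
# inbound rule at all, so inbound traffic falls through to the implicit deny.
DEFAULT_RULES = [
    Rule("default-outbound", "outbound", "192.168.1.0/24", "0.0.0.0/0",
         "any", "allow", priority=1000),
]


class StatefulFirewall:
    def __init__(self, user_rules):
        # The default rule stays in the table; user rules with a smaller
        # priority number are evaluated before it and therefore override it.
        self.rules = sorted(user_rules + DEFAULT_RULES, key=lambda r: r.priority)
        self.state = set()   # state table: (src, dst, proto) of allowed flows
        self.log = []        # (packet, action, reason)

    def evaluate_acl(self, pkt):
        """First matching rule wins; no match means deny."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action, rule.name
        return "deny", "implicit-deny"

    def process(self, pkt):
        forward = (pkt.src, pkt.dst, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.proto)
        # Packet of an established connection (either direction): skip the ACL.
        if forward in self.state or reverse in self.state:
            self.log.append((pkt, "allow", "established"))
            return "allow", "established"
        action, reason = self.evaluate_acl(pkt)
        if action == "allow":
            self.state.add(forward)   # remember the flow so its replies pass
        self.log.append((pkt, action, reason))
        return action, reason


def run_demo():
    """Replays the manual's ping scenario plus a few constructed packets."""
    fw = StatefulFirewall([
        Rule("allow-ping", "outbound", "192.168.1.1/32", "192.168.2.1/32",
             "icmp", "allow", priority=10),
        # Overrides the default outbound rule for one host without removing it.
        Rule("block-host-50", "outbound", "192.168.1.50/32", "0.0.0.0/0",
             "any", "deny", priority=20),
    ])
    packets = [
        Packet("192.168.1.1", "192.168.2.1", "icmp", "outbound"),   # echo request
        Packet("192.168.2.1", "192.168.1.1", "icmp", "inbound"),    # echo reply
        Packet("192.168.2.1", "192.168.1.7", "icmp", "inbound"),    # unsolicited ping
        Packet("192.168.1.50", "198.51.100.9", "tcp", "outbound"),  # overridden host
        Packet("192.168.1.20", "198.51.100.9", "tcp", "outbound"),  # default allow
    ]
    return fw, [fw.process(p) for p in packets]


if __name__ == "__main__":
    _, results = run_demo()
    for action, reason in results:
        print(action, reason)
```

The echo reply is accepted with reason "established" although no inbound rule exists, the unsolicited inbound ping hits the implicit deny, and the blocked host is refused by the higher priority rule while the default outbound rule still serves every other LAN host. Denied packets never enter the state table, so a rejected attempt cannot open a path for its "replies".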

9.2 NAT Overview

Network Address Translation (NAT) allows a single device, such as the Internet Security Router, to act as an
agent between the Internet (public network) and a local (private) network. This means that one NAT IP address
can represent an entire group of computers to any entity outside the network. NAT is a mechanism for conserving
registered IP addresses in large networks and for simplifying IP address management tasks. Because the IP
addresses are translated, NAT also conceals the true network addresses from prying eyes and provides a certain
degree of security to the local network.

The NAT modes supported are static NAT, dynamic NAT, NAPT, reverse static NAT and reverse NAPT.

9.2.1 Static (One to One) NAT

Static NAT maps an internal host address to a globally valid Internet address (one-to-one). The IP address in
each packet is directly translated to the globally valid IP address contained in the mapping. Figure 9.1 illustrates
the IP address mapping relationship between four private IP addresses and four globally valid IP addresses.
Note that this mapping is static, i.e. the mapping will not change over time until it is manually changed by the
administrator. This means that a host will always use the same globally valid IP address for all its outgoing
traffic.
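As an added illustration of the one-to-one mapping just described (this is example code, not the Internet Security Router's own implementation), the block below keeps a fixed private-to-global table, translates the source address outbound and the destination address inbound, and checks the invariant that makes static NAT work: no global address may be bound to more than one private host, or the inbound direction becomes ambiguous. The mapping, the function names and the addresses (RFC 5737 documentation ranges stand in for real global addresses) are constructed for this example.

```python
"""Toy static (one-to-one) NAT table with translation in both directions.

Added example, not the Internet Security Router's own code. The mapping,
addresses and function names are constructed for illustration.
"""
from ipaddress import ip_address

# Constructed administrator-defined bindings: private host -> global address.
# Only an administrator edit changes this table, which is what makes the
# translation static: a host always leaves with the same global address.
STATIC_MAP = {
    "192.168.1.10": "203.0.113.10",
    "192.168.1.11": "203.0.113.11",
    "192.168.1.12": "203.0.113.12",
    "192.168.1.13": "203.0.113.13",
}


def find_conflicts(mapping):
    """Return the global addresses bound to more than one private host.

    A static mapping must be one-to-one: a shared global address would make
    the inbound (global -> private) direction ambiguous."""
    seen = {}
    for priv, glob in mapping.items():
        ip_address(priv), ip_address(glob)   # raises ValueError on a bad address
        seen.setdefault(glob, []).append(priv)
    return sorted(g for g, hosts in seen.items() if len(hosts) > 1)


class StaticNat:
    def __init__(self, mapping):
        conflicts = find_conflicts(mapping)
        if conflicts:
            raise ValueError(f"global address bound more than once: {conflicts}")
        self.out_map = dict(mapping)                      # private -> global
        self.in_map = {g: p for p, g in mapping.items()}  # global -> private

    def outbound(self, src, dst):
        """LAN -> WAN: replace the private source with its global address.
        Returns None when the source host has no static binding."""
        glob = self.out_map.get(src)
        return None if glob is None else (glob, dst)

    def inbound(self, src, dst):
        """WAN -> LAN: replace the global destination with the private host.
        Returns None when no binding exists for that global address."""
        priv = self.in_map.get(dst)
        return None if priv is None else (src, priv)


def run_demo():
    """Translate a few constructed packets through the static table."""
    nat = StaticNat(STATIC_MAP)
    # Two flows from the same host to different destinations share one
    # global source address, as the manual states for static NAT.
    first = nat.outbound("192.168.1.11", "198.51.100.5")
    second = nat.outbound("192.168.1.11", "198.51.100.77")
    return {
        "first": first,
        "second": second,
        "same_global_source": first[0] == second[0],
        "reply": nat.inbound("198.51.100.5", "203.0.113.11"),
        "unmapped_out": nat.outbound("192.168.1.99", "198.51.100.5"),
        "unmapped_in": nat.inbound("198.51.100.5", "203.0.113.99"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Packets for hosts or global addresses that have no binding come back as None, i.e. nothing is translated for them; what the router does with such traffic is governed by its ACL rules, not by the NAT table.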