
One-to-One IP Translation – Amer Networks E5Web GUI User Manual


Specifying the Type of Port Mapping

If the Port property is specified for the SAT rule, cOS Core performs port translation in a way that
is slightly different from IP address translation. It uses the following rules:

If the Service object used with the SAT IP rule does not have a single value or simple range
specified for its port property, port translation will never be performed.

The term simple range means a range with only a lower and upper value or a single value. For
example, 50-60 is a simple range.

For this reason, an all-to-one port translation is not possible and the All to One property for
the IP rule is ignored for port translation.

If a new port number is specified and the Service object used with the SAT IP rule has a single
number for its port property then all connections will be translated to the new port number.

If a new port number is specified and the Service object used with the SAT IP rule has a simple
number range for its port property then all connections will be transposed to a new range
which begins with the new port number.

7.4.2. One-to-One IP Translation

The simplest form of SAT usage is the translation of a single IP address to another single, static
address. A very common scenario for this usage is to enable external users to access a protected
server in a DMZ that has a private address. This is also sometimes referred to as implementing a
Virtual IP or a Virtual Server and is often used in conjunction with a DMZ.

The Role of a DMZ

At this point, it is relevant to discuss the role of the network known as the Demilitarized Zone
(DMZ) since SAT rules are often used for allowing DMZ access.

The DMZ's purpose is to have a network where the administrator can place those resources
which will be accessed by external, untrusted clients and where this access typically takes place
across the public Internet. The servers in the DMZ will have the maximum exposure to external
threats and are therefore at most risk of being compromised.

By isolating these servers in a DMZ, the aim is to create a distinct network, separated from
the much more sensitive local, internal networks. This allows cOS Core to control what
traffic flows between the DMZ and internal networks and to better contain any security breach
that might occur on a DMZ server.

The illustration below shows a typical network arrangement with a Clavister Security Gateway
mediating communications between the public Internet and servers in the DMZ and between
the DMZ and local clients on a network called LAN.

Example 7.4. One-to-One IP Translation

In this example, SAT will be used to translate and allow connections from the public Internet to a
web server located in a DMZ. The Clavister Security Gateway is connected to the Internet via the
wan interface with address object wan_ip (defined as 195.55.66.77) as its IP address. The web
server has the IPv4 address 10.10.10.5 and is reachable through the dmz interface. The port
number will not be translated.
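The port-mapping rules above and Example 7.4, worked through in an added Python model of the SAT decision (this is illustrative code, not cOS Core's implementation; the SatRule class, its field names and the handling of a transposed port above 65535 are assumptions):

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One port value or one low-high pair, e.g. "80" or "50-60".
_RANGE = re.compile(r"\s*(\d+)\s*(?:-\s*(\d+))?\s*")


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse a Service port property ("80", "50-60", "80,443,8000-8010")
    into a list of (low, high) ranges. Raises ValueError on malformed input."""
    ranges = []
    for part in spec.split(","):
        m = _RANGE.fullmatch(part)
        if not m:
            raise ValueError(f"bad port spec: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {part!r}")
        ranges.append((low, high))
    return ranges


def is_simple_range(spec: str) -> bool:
    """A simple range is a single value or exactly one low-high pair (e.g. 50-60)."""
    return len(parse_ports(spec)) == 1


@dataclass
class SatRule:                       # assumed model of a SAT IP rule
    dest_ip: str                     # destination the rule matches, e.g. wan_ip
    new_ip: str                      # address it is translated to, e.g. the DMZ server
    service_ports: str               # port property of the rule's Service object
    new_port: Optional[int] = None   # rule's Port property; None = no port translation


def translate(rule: SatRule, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Apply the rule to a connection's destination; None means the rule does not match."""
    if ipaddress.ip_address(dst_ip) != ipaddress.ip_address(rule.dest_ip):
        return None
    ranges = parse_ports(rule.service_ports)
    if not any(low <= dst_port <= high for low, high in ranges):
        return None
    # Port translation only when the rule has a Port and the Service is a simple range.
    if rule.new_port is None or len(ranges) != 1:
        return rule.new_ip, dst_port
    low, _ = ranges[0]
    # Single value: the new port itself. Simple range: transposed to a range starting
    # at the new port. (Assumption: a result above 65535 is rejected here.)
    new_port = rule.new_port + (dst_port - low)
    if new_port > 65535:
        raise ValueError("transposed port exceeds 65535")
    return rule.new_ip, new_port
```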

Chapter 7: Address Translation

504
