Using an ip policy for sat – Amer Networks E5Web GUI User Manual
Page 516
• External traffic to wan_ip will match rules 1 and 4, and will be sent to wwwsrv. This is correct.
• Return traffic from wwwsrv will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a different port, which is incorrect.
The correct set of IP rules that will provide the desired effect is the following:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Service       SAT Action
1  SAT      any        all-nets  core        wan_ip    http          Destination IP: wwwsrv
2  SAT      lan        wwwsrv    any         all-nets  http          Source IP: wan_ip
3  FwdFast  lan        wwwsrv    any         all-nets  http
4  NAT      lan        lan_net   any         all-nets  all_services
5  FwdFast  lan        wwwsrv    any         all-nets  http
These rules will yield the following actions:
• External traffic to wan_ip will match rules 1 and 5 and will be sent to wwwsrv.
• Return traffic from wwwsrv will match rules 2 and 3.
• Internal traffic to wan_ip will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the Clavister Security Gateway's internal IP address, guaranteeing that return traffic passes through the Clavister Security Gateway.
• Return traffic will automatically be handled by the Clavister Security Gateway's stateful inspection mechanism.
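The rule walk described above can be checked by simulating it. The following Python script is an added example, not code from the manual or from Clavister/Amer Networks: it models top-down rule matching in which a matching SAT rule records its translation and the search continues until a non-SAT rule (FwdFast, NAT or Allow) decides forwarding, with NAT rewriting the source address and source port and FwdFast leaving the packet as SAT left it. The addresses behind wan_ip, wwwsrv and lan_net are constructed, the "http" service is simplified to "TCP port 80 at either end" so that replies from wwwsrv count as http the way the walk-through treats them, and the faulty rule set is an assumed reconstruction (the two SAT rules, NAT as rule 3, an Allow rule for wan_ip as rule 4), since the page only states which rule numbers each flow hit.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample addresses (assumptions; the page names only the objects).
WAN_IP = "203.0.113.10"     # gateway's external address
GW_LAN_IP = "10.0.0.1"      # gateway's internal address
WWWSRV = "10.0.0.80"        # internal web server
LAN_NET = "10.0.0.0/24"

NETS = {"all-nets": "0.0.0.0/0", "wan_ip": WAN_IP + "/32",
        "wwwsrv": WWWSRV + "/32", "lan_net": LAN_NET}


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src: str
    sport: int
    dst_iface: str   # "core" when the packet is addressed to the gateway itself
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    num: int
    action: str      # SAT, FwdFast, NAT or Allow
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    service: str
    sat: tuple = ()  # ("dst", net_name) or ("src", net_name) on SAT rules


def service_matches(service: str, pkt: Packet) -> bool:
    if service == "all_services":
        return True
    if service == "http":
        # Simplification: port 80 at either end counts as http (see lead-in).
        return 80 in (pkt.sport, pkt.dport)
    raise ValueError(f"unknown service {service}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_iface in ("any", pkt.src_iface)
            and rule.dst_iface in ("any", pkt.dst_iface)
            and ip_address(pkt.src) in ip_network(NETS[rule.src_net])
            and ip_address(pkt.dst) in ip_network(NETS[rule.dst_net])
            and service_matches(rule.service, pkt))


def egress_iface(ip: str) -> str:
    return "lan" if ip_address(ip) in ip_network(LAN_NET) else "wan"


def evaluate(rules, pkt: Packet, new_port: int = 40000):
    """Walk the rules top-down against the ORIGINAL packet. A matching SAT rule
    stores its translation and the search goes on; the next matching non-SAT
    rule decides forwarding. Returns (matched rule numbers, packet as it leaves
    the gateway) or (matched, None) when no forwarding rule matched."""
    matched, out = [], pkt
    for r in rules:
        if not rule_matches(r, pkt):
            continue
        matched.append(r.num)
        if r.action == "SAT":
            kind, name = r.sat
            ip = NETS[name].split("/")[0]
            out = replace(out, dst=ip) if kind == "dst" else replace(out, src=ip)
            continue
        if r.action == "NAT":
            # Dynamic translation: source becomes the gateway's own address on
            # the outgoing interface and the source port is rewritten.
            gw = GW_LAN_IP if egress_iface(out.dst) == "lan" else WAN_IP
            out = replace(out, src=gw, sport=new_port)
        return matched, out          # FwdFast / Allow: forward as SAT left it
    return matched, None


# The corrected rule set exactly as printed in the table above.
CORRECT = [
    Rule(1, "SAT", "any", "all-nets", "core", "wan_ip", "http", ("dst", "wwwsrv")),
    Rule(2, "SAT", "lan", "wwwsrv", "any", "all-nets", "http", ("src", "wan_ip")),
    Rule(3, "FwdFast", "lan", "wwwsrv", "any", "all-nets", "http"),
    Rule(4, "NAT", "lan", "lan_net", "any", "all-nets", "all_services"),
    Rule(5, "FwdFast", "lan", "wwwsrv", "any", "all-nets", "http"),
]

# Assumed reconstruction of the faulty set discussed above (no FwdFast rules).
INCORRECT = [
    CORRECT[0], CORRECT[1],
    Rule(3, "NAT", "lan", "lan_net", "any", "all-nets", "all_services"),
    Rule(4, "Allow", "any", "all-nets", "core", "wan_ip", "http"),
]

# Constructed sample flows.
RETURN = Packet("lan", WWWSRV, 80, "wan", "198.51.100.7", 51515)    # reply from wwwsrv
INTERNAL = Packet("lan", "10.0.0.5", 40123, "core", WAN_IP, 80)     # lan client -> wan_ip
EXTERNAL = Packet("wan", "198.51.100.7", 51515, "core", WAN_IP, 80)  # internet -> wan_ip

if __name__ == "__main__":
    for name, rules in ("incorrect", INCORRECT), ("correct", CORRECT):
        print(name, "return   ->", evaluate(rules, RETURN))
        print(name, "internal ->", evaluate(rules, INTERNAL))
```

Running it shows the page's point directly: in the faulty set the reply from wwwsrv hits rules 2 and 3 and leaves with source port 40000 instead of 80, while in the corrected set it hits rules 2 and 3 (SAT then FwdFast) and keeps port 80; the internal client's request hits rules 1 and 4 and reaches wwwsrv with the gateway's internal address as sender. The script only covers the lan-side flows for the corrected set, because the external flow depends on which rule the table numbers 5.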
7.4.7. Using an IP Policy for SAT
An alternative to using two IP rules for SAT is to use a single IP Policy object. This simplifies the
SAT definition process as well as allowing other features such as application control,
authentication and traffic shaping to be more easily associated with the rule.
When creating a SAT policy, the policy is for source translation, destination translation, or both. How the source and/or destination address is translated is determined by specifying one or both of the following actions:
• Address Action
This determines how the IP address is translated and can be one of the following:
i. Single IP - Either a single original IP or a range/network will be translated to the single new IP address specified. This yields either a one-to-one or a many-to-one IP address translation.
ii. Transposed - This yields a many-to-many translation where each address in the original range/network is transposed to a new range/network, using the specified new IP address as the base address for the transposition.
• Port Action
This determines how the port is translated and can be one of the following:
i. None - No port translation takes place.
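The two Address Actions differ in what happens to each host of the original range. The Python functions below are an added example, not code from the manual or the product, written to make that difference concrete: Single IP maps every original address to the one new address (many-to-one), while Transposed keeps each host's offset within the original network and adds it to the new base address (many-to-many, and therefore reversible). The networks and addresses used are constructed.

```python
from ipaddress import ip_address, ip_network


def single_ip(addr: str, new_ip: str) -> str:
    """Address Action 'Single IP': whatever the original address is, the
    translated address is the single new IP (one-to-one or many-to-one)."""
    ip_address(addr)  # validate the input
    return str(ip_address(new_ip))


def transposed(addr: str, original_net: str, new_base: str) -> str:
    """Address Action 'Transposed': the host's offset inside the original
    range/network is preserved and added to the new base address, so each
    original address gets its own distinct new address (many-to-many)."""
    net = ip_network(original_net)
    a = ip_address(addr)
    if a not in net:
        raise ValueError(f"{addr} is not inside {original_net}")
    offset = int(a) - int(net.network_address)
    return str(ip_address(int(ip_address(new_base)) + offset))


def transposed_reverse(translated: str, original_net: str, new_base: str) -> str:
    """Undo a transposition, as the gateway must do for return traffic."""
    net = ip_network(original_net)
    offset = int(ip_address(translated)) - int(ip_address(new_base))
    if not 0 <= offset < net.num_addresses:
        raise ValueError(f"{translated} is outside the transposed range")
    return str(ip_address(int(net.network_address) + offset))


# Constructed sample: an internal /24 translated to a different /24.
ORIGINAL_NET = "10.0.0.0/24"
NEW_BASE = "192.168.5.0"
NEW_SINGLE = "203.0.113.10"

if __name__ == "__main__":
    for host in ("10.0.0.17", "10.0.0.200"):
        print(host, "-> single:", single_ip(host, NEW_SINGLE),
              "| transposed:", transposed(host, ORIGINAL_NET, NEW_BASE))
```

With these inputs both hosts collapse onto 203.0.113.10 under Single IP, whereas under Transposed 10.0.0.17 becomes 192.168.5.17 and 10.0.0.200 becomes 192.168.5.200, and each can be mapped back unambiguously.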
Chapter 7: Address Translation