D-Link DFL-800-AV-12 User Manual - Page 204
Chapter 7. Address Translation

This chapter describes NetDefendOS address translation capabilities.

• Dynamic Network Address Translation, page 204
• NAT Pools, page 207
• Static Address Translation, page 210

The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link Firewall is known as address translation. NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT) and Static Address Translation (SAT). Both translations are policy-based, meaning that they can be applied to specific traffic based on source/destination network/interface as well as service. Two types of IP rules, NAT rules and SAT rules, are used to specify address translation within the IP rule set.

There are two main reasons for employing address translation:

• Functionality. Perhaps you use private IP addresses on your protected network and want your protected hosts to have access to the Internet. This is where dynamic address translation may be used. You might also have servers with private IP addresses that need to be publicly accessible. This is where static address translation may be the solution.

• Security. Address translation does not, in itself, provide any greater level of security, but it can make it more difficult for intruders to understand the exact layout of the protected network and which machines are susceptible to attack. In the worst-case scenario, employing address translation will mean that an attack will take longer, which will also make it more visible in NetDefendOS's log files. In the best-case scenario, an intruder will just give up.

This section describes dynamic as well as static address translation, how they work and what they can and cannot do. It also provides examples of configuring NAT and SAT rules.

7.1. Dynamic Network Address Translation

Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to different addresses.
The most common usage for NAT is when using private IP addresses in an internal network and it is desirable that outbound connections appear as though they originate from the D-Link Firewall itself instead of from the internal addresses.

NAT is a many-to-one translation, meaning that each NAT rule will translate several source IP addresses into a single source IP address. To maintain session state information, each connection from dynamically translated addresses must use a unique port number and IP address combination as its sender. Therefore, NetDefendOS will perform an automatic translation of the source port number as well. The source port used will be the next free port, usually one above 32768. This means that there is a limitation of about 30000 simultaneous connections using the same translated source IP address.

NetDefendOS supports two strategies for how to translate the source address:

Use Interface Address
    When a new connection is established, the routing table is consulted to resolve the egress interface for that connection. The IP address of that resolved interface is then used as the new source IP address when NetDefendOS performs the address translation.

Specify Sender Address
    A specific IP address can be specified as the new source IP address. The specified IP address needs to have a matching ARP
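The following model, added here as an illustration and not code from NetDefendOS or D-Link, simulates the many-to-one dynamic NAT behaviour described above: a route lookup picks the egress interface (the "Use Interface Address" strategy) or a fixed address is used instead ("Specify Sender Address"), every new connection is given the next free source port from 32768 upwards on the translated address, a reverse table maps replies back to the original sender, and the port range exhaustion that produces the roughly 30000-connection limit is raised as an error. Routes, interface addresses, flows and the class and method names are all constructed for this example; the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are placeholders.

```python
"""Simulated many-to-one dynamic NAT with per-address source-port allocation.

Illustrative model only (assumption: not NetDefendOS code). It follows the
manual's description: translated source = egress interface address or a
specified sender address; source port = next free port from 32768 upwards;
one (translated IP, port) pair per live connection.
"""
import ipaddress
from typing import Dict, Optional, Set, Tuple

# Constructed default: the manual says ports are allocated "usually one above 32768".
DEFAULT_PORT_RANGE = (32768, 65535)

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


class NatPortExhausted(Exception):
    """No free source port is left on the translated address (the ~30000-connection limit)."""


class DynamicNat:
    """Stateful source NAT.

    routes:          iterable of (cidr, interface name) used to resolve the egress interface
    interface_addrs: interface name -> interface IP ("Use Interface Address" strategy)
    sender_address:  fixed translated IP ("Specify Sender Address" strategy), or None
    port_range:      inclusive (low, high) range of translated source ports
    """

    def __init__(self, routes, interface_addrs, sender_address=None,
                 port_range=DEFAULT_PORT_RANGE):
        # Longest prefix first so the most specific route wins on lookup.
        self.routes = sorted(((ipaddress.ip_network(cidr), ifname) for cidr, ifname in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.interface_addrs = dict(interface_addrs)
        self.sender_address = sender_address
        self.port_lo, self.port_hi = port_range
        self.forward: Dict[Flow, Tuple[str, int]] = {}              # original flow -> (tsrc, tport)
        self.reverse: Dict[Tuple[str, int, str, int], Flow] = {}    # (tsrc, tport, dst, dport) -> flow
        self.used_ports: Dict[str, Set[int]] = {}                   # translated IP -> ports in use

    def capacity_per_address(self) -> int:
        """Maximum simultaneous connections behind one translated address."""
        return self.port_hi - self.port_lo + 1

    def egress_interface(self, dst: str) -> str:
        """Routing-table lookup for the destination; raises if no route matches."""
        dst_ip = ipaddress.ip_address(dst)
        for network, ifname in self.routes:
            if dst_ip in network:
                return ifname
        raise LookupError(f"no route to {dst}")

    def translated_source(self, dst: str) -> str:
        """Pick the new source IP according to the configured strategy."""
        if self.sender_address is not None:
            return self.sender_address
        return self.interface_addrs[self.egress_interface(dst)]

    def _next_free_port(self, tsrc: str) -> int:
        """Lowest unused port on the translated address, or NatPortExhausted."""
        used = self.used_ports.setdefault(tsrc, set())
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in used:
                used.add(port)
                return port
        raise NatPortExhausted(f"all {self.capacity_per_address()} ports on {tsrc} are in use")

    def translate(self, src: str, sport: int, dst: str, dport: int) -> Tuple[str, int]:
        """Return (translated src ip, translated src port) for an outbound packet."""
        flow: Flow = (src, sport, dst, dport)
        if flow in self.forward:            # existing connection keeps its mapping
            return self.forward[flow]
        tsrc = self.translated_source(dst)
        tport = self._next_free_port(tsrc)
        self.forward[flow] = (tsrc, tport)
        self.reverse[(tsrc, tport, dst, dport)] = flow
        return tsrc, tport

    def untranslate(self, tsrc: str, tport: int, dst: str, dport: int) -> Optional[Flow]:
        """Map a reply addressed to (tsrc, tport) back to the original flow, if known."""
        return self.reverse.get((tsrc, tport, dst, dport))

    def close(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Tear down a connection and release its translated port."""
        tsrc, tport = self.forward.pop((src, sport, dst, dport))
        del self.reverse[(tsrc, tport, dst, dport)]
        self.used_ports[tsrc].discard(tport)


if __name__ == "__main__":
    # Constructed topology: LAN 192.168.1.0/24 behind interface "lan", default route via "wan".
    nat = DynamicNat(routes=[("0.0.0.0/0", "wan"), ("192.168.1.0/24", "lan")],
                     interface_addrs={"wan": "203.0.113.1", "lan": "192.168.1.1"})
    print(nat.translate("192.168.1.10", 40000, "198.51.100.5", 80))   # ('203.0.113.1', 32768)
    print(nat.translate("192.168.1.11", 40000, "198.51.100.5", 80))   # ('203.0.113.1', 32769)
    print(nat.capacity_per_address())                                  # 32768
```

Two hosts using the same private source port get distinct translated ports, which is exactly why the firewall must rewrite the port as well as the address; the `reverse` table is what lets return traffic be delivered to the right internal host, and shrinking `port_range` in a test shows the exhaustion failure mode before it is hit with real traffic.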