D-Link DFL-800-AV-12 User Manual - Page 216
Port Translation, 7.3.5. Protocols handled by SAT, Port Address Translation
View all D-Link DFL-800-AV-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 216 highlights
7.3.4. Port Translation Chapter 7. Address Translation NetDefendOS can be used to translate ranges and/or groups into just one IP address. # Action Src Iface 1 SAT any Src Net all-nets Dest Iface core Dest Net 194.1.2.16-194.1.2.20, 194.1.2.30 Parameters http SETDEST all-to-one 192.168.0.50 80 This rule produces a N:1 translation of all addresses in the group (the range 194.1.2.16 - 194.1.2.20 and 194.1.2.30) to the IP 192.168.0.50. • Attempts to communicate with 194.1.2.16, port 80, will result in a connection to 192.168.0.50 • Attempts to communicate with 194.1.2.30, port 80, will result in a connection to 192.168.0.50 Note When all-nets is the destination, All-to-One mapping is always done. 7.3.4. Port Translation Port Translation, also known as Port Address Translation (PAT), can be used to modify the source or destination port. # Action Src Iface 1 SAT any Src Net all-nets Dest Iface Dest Net Parameters core wwwsrv_pub TCP 80-85 SETDEST 192.168.0.50 1080 This rule produces a 1:1 translation of all ports in the range 80 - 85 to the range 1080 - 1085. • Attempts to communicate with the web servers public address, port 80, will result in a connection to the web servers private address, port 1080. • Attempts to communicate with the web servers public address, port 84, will result in a connection to the web servers private address, port 1084. Note In order to create a SAT Rule that allows port transation, a Custom Service must be used with the SAT Rule. 7.3.5. Protocols handled by SAT Generally, static address translation can handle all protocols that allow address translation to take place. However, there are protocols that can only be translated in special cases, and other protocols that simply cannot be translated at all. Protocols that are impossible to translate using SAT are most likely also impossible to translate using NAT. Reasons for this include: • The protocol cryptographically requires that the addresses are unaltered; this applies to many VPN protocols. • The protocol embeds its IP addresses inside the TCP or UDP level data, and subsequently requires that, in some way or another, the addresses visible on IP level are the same as those embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS. • Either party is attempting to open new dynamic connections to the addresses visible to that party. In some cases, this can be resolved by modifying the application or the firewall 216