Allied Telesis AT-AR300 manual Paladin Firewall Enhancements, Interface-based NAT, Rule-based NAT


Release Note

Paladin Firewall Enhancements

The existing firewall NAT performs address translation for traffic passing between a pair of interfaces. With Software Release 2.3.1, firewall rules can also be configured that selectively perform address translation on sessions passing through an interface, based on the properties of the session (protocol, ports, IP addresses). In addition to standard NAT and enhanced NAT rules, it is possible to configure reverse NAT (translates the destination address of outbound packets and the source address of inbound packets), double NAT (translates both source and destination addresses), and subnet variations of these which translate addresses from one subnet to another. Reverse enhanced NAT can also be configured by applying an enhanced NAT rule to a public interface. Reverse enhanced NAT allows multiple inbound sessions to appear to devices on the private LAN as if all the sessions had come from the same private interface IP.

A rule can be given a limited time to live (TTL) in hours and minutes, after which it will no longer be applied and all sessions allowed by the rule will be deleted.

These features allow a service provider to bill multiple users, and to provide each of them with customised, time-limited secure connections from multiple sites. For examples of their use, see “Web Redirection with Reverse NAT Rules” on page 18 and “Further Examples” on page 19.

As in previous releases, the Paladin Firewall requires a special feature licence. (Note that routers already configured to use Paladin do not require a new password.)

Interface-based NAT

The existing interface-based NAT provides simple address translation for traffic passing between a pair of interfaces. The following methodologies are supported by interface-based NAT:

Standard NAT

This translates the addresses of private side devices to addresses suitable for the public side of the firewall (source address will be translated for outbound packets, destination address for inbound packets).

Enhanced NAT

This translates many private side addresses into a single global address suitable for use on the public side of the firewall (source address will be translated for outbound packets, destination address for inbound packets).

Rule-based NAT

The new rule-based NAT provides advanced address translation based on the properties of a packet received on a particular firewall interface. Selector values such as source address, destination address, protocol type and port number (TCP/UDP) determine which packets undergo translation. The following methodologies are supported:

Standard NAT

This translates the addresses of private side devices to addresses suitable for the public side of the firewall (source address will be translated for outbound packets, destination address for inbound packets).
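The following Python model is an added illustration of the translation directions described in the overview above (standard, enhanced, reverse, double and subnet NAT, plus time-limited rules) and of the selector matching that rule-based NAT performs on protocol, addresses and port. It is not Allied Telesis code and does not reproduce the router's command syntax: the Rule fields, the Nat class, and every address, port and rule name are constructed for the example. Reverse enhanced NAT is the same enhanced translation applied to traffic arriving on the public interface and is not modelled separately.

```python
"""Toy model of the Paladin NAT variants (added example, not Allied Telesis code).

Direction semantics follow the release note:
  standard  outbound source -> public address; the reply's destination is restored
  enhanced  many private sources -> one public address, told apart by port
  reverse   outbound destination rewritten; the reply's source is restored
  double    both source and destination rewritten
  subnet    host bits kept, private prefix swapped for the public prefix
A rule with a TTL stops matching when it expires and all sessions it created
are deleted, so a late reply to such a session is dropped.
"""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    name: str
    kind: str                        # standard | enhanced | reverse | double | subnet
    proto: Optional[str] = None      # selectors; None is a wildcard
    src: Optional[str] = None        # CIDR prefix the source must fall in
    dst: Optional[str] = None        # CIDR prefix the destination must fall in
    dport: Optional[int] = None
    gblip: Optional[str] = None      # public address for standard/enhanced/double (hypothetical field)
    remoteip: Optional[str] = None   # private target for reverse/double (hypothetical field)
    gblsubnet: Optional[str] = None  # public prefix for subnet NAT (hypothetical field)
    ttl: Optional[float] = None      # seconds to live; None means permanent
    created: float = 0.0

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.dport or p.dport == self.dport


class Nat:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # session key = how the reply will look on the far side: (proto, src, sport, dst, dport)
        self.sessions: Dict[Tuple[str, str, int, str, int], Tuple[str, Packet]] = {}
        self.ports = itertools.count(50000)  # port pool for enhanced NAT

    def expire(self, now: float) -> None:
        dead = {r.name for r in self.rules if r.ttl is not None and now >= r.created + r.ttl}
        self.rules = [r for r in self.rules if r.name not in dead]
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] not in dead}

    def outbound(self, p: Packet, now: float = 0.0) -> Packet:
        """Private -> public. First matching rule wins; with no match the packet is left alone."""
        self.expire(now)
        for r in self.rules:
            if r.matches(p):
                t = self._translate(r, p)
                self.sessions[(t.proto, t.dst, t.dport, t.src, t.sport)] = (r.name, p)
                return t
        return p

    def inbound(self, p: Packet, now: float = 0.0) -> Optional[Packet]:
        """Public -> private. Only replies to a live session are translated; anything else is dropped."""
        self.expire(now)
        hit = self.sessions.get((p.proto, p.src, p.sport, p.dst, p.dport))
        if hit is None:
            return None
        orig = hit[1]   # reverse whatever the outbound rule did: reply goes back to the original tuple
        return Packet(p.proto, src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)

    def _translate(self, r: Rule, p: Packet) -> Packet:
        if r.kind == "standard":
            return Packet(p.proto, r.gblip, p.dst, p.sport, p.dport)
        if r.kind == "enhanced":
            return Packet(p.proto, r.gblip, p.dst, next(self.ports), p.dport)
        if r.kind == "reverse":
            return Packet(p.proto, p.src, r.remoteip, p.sport, p.dport)
        if r.kind == "double":
            return Packet(p.proto, r.gblip, r.remoteip, p.sport, p.dport)
        if r.kind == "subnet":
            net = ipaddress.ip_network(r.gblsubnet)
            host = int(ipaddress.ip_address(p.src)) & int(net.hostmask)
            return Packet(p.proto, str(net.network_address + host), p.dst, p.sport, p.dport)
        raise ValueError(f"unknown NAT kind {r.kind!r}")


def demo() -> dict:
    """Constructed packets exercising each variant and TTL expiry (all values are made up)."""
    nat = Nat([
        Rule("web", "standard", proto="tcp", src="192.168.1.0/24", dport=80, gblip="203.0.113.10"),
        Rule("pat", "enhanced", src="192.168.2.0/24", gblip="203.0.113.11"),
        Rule("rev", "reverse", dst="198.51.100.5/32", remoteip="10.0.0.5"),
        Rule("sub", "subnet", src="172.16.0.0/24", gblsubnet="203.0.113.128/25"),
        Rule("tmp", "standard", src="192.168.9.0/24", gblip="203.0.113.12", ttl=3600, created=0.0),
    ])
    out = {}
    out["std"] = nat.outbound(Packet("tcp", "192.168.1.20", "8.8.8.8", 4000, 80))
    out["nomatch"] = nat.outbound(Packet("tcp", "192.168.1.20", "8.8.8.8", 4001, 443))  # dport selector fails
    a = nat.outbound(Packet("udp", "192.168.2.5", "8.8.8.8", 1234, 53))
    b = nat.outbound(Packet("udp", "192.168.2.6", "8.8.8.8", 1234, 53))
    out["pat"] = (a, b)
    out["pat_reply"] = nat.inbound(Packet("udp", "8.8.8.8", b.src, 53, b.sport))
    out["rev"] = nat.outbound(Packet("tcp", "10.0.0.9", "198.51.100.5", 5000, 80))
    out["rev_reply"] = nat.inbound(Packet("tcp", "10.0.0.5", "10.0.0.9", 80, 5000))
    out["sub"] = nat.outbound(Packet("icmp", "172.16.0.7", "8.8.8.8"))
    out["tmp"] = nat.outbound(Packet("tcp", "192.168.9.3", "8.8.8.8", 2000, 22), now=10)
    out["late_reply"] = nat.inbound(Packet("tcp", "8.8.8.8", "203.0.113.12", 22, 2000), now=4000)
    return out
```

Two points worth noting when reading the model against the release note. Rule order is first match wins, so a narrow rule (specific port or host) must precede a broad one, exactly the kind of ordering mistake that silently sends traffic through the wrong translation. And because the session table is keyed by the translated tuple, the inbound path needs no per-variant logic: restoring the original tuple undoes standard, reverse and double NAT alike, and deleting a rule's sessions on expiry is what makes the TTL a real cut-off rather than a stop on new sessions only.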

Software Release 2.3.1 C613-10325-00 REV B
