
Release Note

Paladin Firewall Enhancements

The existing firewall NAT performs address translation for all traffic passing between a pair of interfaces. With Software Release 2.3.1, firewall rules can also be configured to selectively perform address translation on sessions passing through an interface, based on the properties of the session (protocol, ports, IP addresses). In addition to standard NAT and enhanced NAT rules, it is possible to configure reverse NAT (translates the destination address of outbound packets and the source address of inbound packets), double NAT (translates both source and destination addresses), and subnet variations of these, which translate addresses from one subnet to another. Reverse enhanced NAT can also be configured by applying an enhanced NAT rule to a public interface; this makes multiple inbound sessions appear to devices on the private LAN as if they all came from the IP address of the private interface.

A rule can be given a limited time to live (TTL), in hours and minutes, after which it is no longer applied and all sessions allowed by the rule are deleted (existing sessions are torn down, not merely prevented from being created).

These features allow a service provider to bill multiple users and to provide each of them with customised, time-limited secure connections from multiple sites. For examples of their use, see “Web Redirection with Reverse NAT Rules” on page 18 and “Further Examples” on page 19.

As in previous releases, the Paladin Firewall requires a special feature licence. (Note that routers already configured to use Paladin do not require a new password.)

Interface-based NAT

The existing interface-based NAT provides simple address translation for all traffic passing between a pair of interfaces. Interface-based NAT supports the following methods:

Standard NAT

This translates the address of each private-side device to a distinct address suitable for the public side of the firewall (the source address is translated for outbound packets, and the destination address for inbound packets).

Enhanced NAT

This translates many private-side addresses into a single global address suitable for use on the public side of the firewall (the source address is translated for outbound packets, and the destination address for inbound packets).

Rule-based NAT

The new rule-based NAT provides advanced address translation based on the properties of a packet received on a particular firewall interface. Selector values such as source address, destination address, protocol type and port number (TCP/UDP) determine which packets undergo translation. Rule-based NAT supports the following methods:

Standard NAT

This translates the address of each private-side device to a distinct address suitable for the public side of the firewall (the source address is translated for outbound packets, and the destination address for inbound packets).
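As an added illustration of the rule-based NAT behaviour described above (selectors, the standard/enhanced/reverse/double methods, and the rule TTL), the following Python model is not code from this manual or from the AT-AR300 software. It applies the first matching rule to a packet received on the rule's interface, keeps a session table so that replies are mapped back to the original endpoint, and deletes a rule together with every session it allowed once its TTL has elapsed. The interface names, addresses, port pool and minute-based clock are assumptions made for the example; the router's actual configuration commands are not shown.

```python
# Added example (not the router's code or CLI): a model of the rule-based NAT described above.
# A rule is attached to one interface and selects packets received on it by protocol, address
# and port; standard/enhanced NAT rewrite the source, reverse NAT the destination, double NAT
# both; replies map back through a session table; a rule TTL removes the rule and its sessions.
# Addresses, interface names and the minute-based clock are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet was received on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class NatRule:
    iface: str                      # interface the rule is attached to
    mode: str                       # "standard", "enhanced", "reverse" or "double"
    proto: Optional[str] = None     # selectors: None matches anything
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    new_src: Optional[str] = None   # replacement source (standard, enhanced, double)
    new_dst: Optional[str] = None   # replacement destination (reverse, double)
    ttl_min: Optional[int] = None   # time to live in minutes; None = permanent
    created: float = 0.0            # time the rule was added (simulated clock, minutes)

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and (self.proto is None or pkt.proto == self.proto)
                and (self.src_net is None or ip_address(pkt.src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(pkt.dst) in ip_network(self.dst_net))
                and (self.dport is None or pkt.dport == self.dport))

class NatTable:
    def __init__(self) -> None:
        self.rules: List[NatRule] = []      # first matching rule wins
        self.sessions: Dict[tuple, Tuple[Packet, NatRule]] = {}   # original 5-tuple -> (translated, rule)
        self.next_port = 40000              # constructed port pool for enhanced NAT

    def translate(self, pkt: Packet, now: float = 0.0) -> Optional[Packet]:
        self.expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:            # existing session: reuse its mapping
            return self.sessions[key][0]
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            src, sport, dst = pkt.src, pkt.sport, pkt.dst
            if rule.mode in ("standard", "double"):
                src = rule.new_src
            elif rule.mode == "enhanced":   # many hosts share one address; ports keep sessions apart
                src, sport = rule.new_src, self.next_port
                self.next_port += 1
            if rule.mode in ("reverse", "double"):
                dst = rule.new_dst
            out = Packet(pkt.iface, pkt.proto, src, dst, sport, pkt.dport)
            self.sessions[key] = (out, rule)
            return out
        return None                         # no live rule matched: packet is not translated

    def translate_reply(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply to a translated packet back to the original endpoint."""
        for (proto, src, sport, dst, dport), (out, _) in self.sessions.items():
            if ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                    == (out.proto, out.dst, out.dport, out.src, out.sport)):
                return Packet(pkt.iface, proto, dst, src, dport, sport)
        return None

    def expire(self, now: float) -> int:
        """Remove rules past their TTL and every session they allowed; return sessions dropped."""
        dead = {id(r) for r in self.rules if r.ttl_min is not None and now >= r.created + r.ttl_min}
        stale = [k for k, (_, r) in self.sessions.items() if id(r) in dead]
        for k in stale:
            del self.sessions[k]
        self.rules = [r for r in self.rules if id(r) not in dead]
        return len(stale)

def demo(now_end: float = 61) -> dict:
    # constructed scenario: LAN 192.168.1.0/24 behind eth1, public address 203.0.113.1 on eth0
    t = NatTable()
    # outbound web traffic is sent to a proxy (reverse NAT on the private interface) for 60 minutes
    t.rules.append(NatRule("eth1", "reverse", proto="tcp", dport=80, src_net="192.168.1.0/24",
                           new_dst="10.0.0.8", ttl_min=60, created=0))
    # everything else from the LAN leaves as the single public address (enhanced NAT)
    t.rules.append(NatRule("eth1", "enhanced", src_net="192.168.1.0/24", new_src="203.0.113.1"))
    web = t.translate(Packet("eth1", "tcp", "192.168.1.10", "198.51.100.5", 5000, 80), now=1)
    s1 = t.translate(Packet("eth1", "tcp", "192.168.1.10", "198.51.100.5", 5001, 443), now=1)
    s2 = t.translate(Packet("eth1", "tcp", "192.168.1.11", "198.51.100.5", 5001, 443), now=2)
    reply = t.translate_reply(Packet("eth0", "tcp", "198.51.100.5", "203.0.113.1", 443, s2.sport))
    before = len(t.sessions)
    dropped = t.expire(now_end)             # at 61 minutes the reverse rule's TTL has elapsed
    late = t.translate(Packet("eth1", "tcp", "192.168.1.12", "198.51.100.5", 5002, 80), now=now_end)
    return {"web_dst": web.dst, "s1": (s1.src, s1.sport), "s2": (s2.src, s2.sport),
            "reply_to": (reply.dst, reply.dport), "sessions_before": before, "dropped": dropped,
            "late_dst": late.dst, "live_rules": len(t.rules)}
```

Running demo() shows two LAN hosts that both use source port 5001 leaving as 203.0.113.1 with distinct global ports, a reply being mapped back to the right host, and the time-limited reverse rule being removed at 61 minutes together with the one session it allowed; the same web traffic then falls through to the enhanced NAT rule and goes out untranslated in its destination. Rule order matters in this model: the first matching rule wins, so the more specific reverse rule is listed before the catch-all enhanced rule.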

Software Release 2.3.1 C613-10325-00 REV B
