Multi-Tech Systems RF600, RF660, RF760

Chapter 8 – Frequently Asked Questions (FAQs)

Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 135

Q13. Can I forward SSH connections?

A13. Yes, by configuring port forwarding of SSH (dest. port 22):

Source: External Interface Port 22 goes to

Destination: SSH_Server Port 22

Procedure:

1. Define two Hosts in Networks & Services:

external_NIC a.b.c.d 255.255.255.255

SSH_Server e.f.g.h 255.255.255.255

2. Define one Service in Networks & Services:

NAT_SSH TCP 0:65534 22

3. Add one NAT-Rule in Network Setup > DNAT: external_NIC NAT_SSH -> SSH_Server NAT_SSH.

4. Add one Rule in Packet Filters > Packet Filter Rules: Any NAT_SSH SSH_Server Allow.

This way, the destination address of every TCP packet will be translated from a.b.c.d:22 (Firewall) to e.f.g.h:22 (SSH-

Server) and back again.

Q14. SNAT: what is it and what would I use it for?

A14. SNAT is similar to Masquerading.

Definition SNAT (DSNAT): With SNAT you can rewrite the original Source Address of a specific IP connection with

another static IP address.

You must make sure that the answer comes back to the firewall (e.g., if you want to access a Cisco router via telnet

and the RouteFinder only allows connects from a specific static IP address, you can specify this in Source NAT.

Define a rule like: AdminPC, Telnet, Cisco Router > Allowed Cisco IP.

Now you can communicate with the Router. This is needed for more complex configurations.

Q15. How do I set up RouteFinder Masquerading?

A15. Configure Masquerading in WebAdmin:

1. Define Interfaces in Network Setup > Interface. Here you define your Network Interface settings as well as your

default gateway, for example:

LAN Internal: 192.168.100.1/255.255.255.255

WAN External: 194.162.134.10/255.255.255.128

Gateway: 194.162.134.1/255.255.255.128

2. Define Network definitions in Networks & Services > Networks. Here you define your host and network

definitions, which you will use for further configuration like Masquerading or Packet Filter Rules later on (i.e.,

Internal-Network 192.168.100.0 255.255.255.0 / Peters-Laptop 192.168.100.12 255.255.255.255).

3. Define Masquerading in Network Setup > Masquerading. Here you define which network should be

masqueraded on which network interface (i.e., Internal-Network > External).

4. Define Packet filter Rules and Proxy Settings. Now you have set your Security Policy in terms of what is allowed

and what is not allowed. The RouteFinder uses stateful inspection, so you only have to define which services are

allowed; the way back is opened automatically (e.g., Internal-Network - FTP - Any - Accept | Peters-Laptop

- Telnet - Any - Accept). If you want to use the Proxies you can configure them in Proxy.

Q16. Can I do DNAT with Port ranges?

A16. Yes. Mapping DNAT port ranges is supported, with the limitation that you can only map the same range (so, for

example, you can map ports 500-600 to 500-600 but not 500-600 to 300-400).

Q17. Does NAT take place before or after routing and filtering take place?

A17. In short, DNAT is done before the packets pass the packet filter, and SNAT and Masquerading are done after that.

The RouteFinder uses a 2.4 kernel and IP tables (the internal logic in the netfilter code).

Q18. What are the current Certificate export laws?

A18. New US encryption export regulations took effect on January 14th, 2000. At the time of this publication, CAs may

export certificates to any non-government entity and to any commercial government-owned entity (except those that

produce munitions), in any country except Afghanistan (Taliban-controlled areas), Cuba, Iran, Iraq, Libya, North

Korea, Serbia (except Kosovo), Sudan and Syria.

For the latest information on United States cryptography export and import laws, contact the Bureau of Export

Administration (BXA) (http://www.bxa.doc.gov/).

For many years, the U.S. government did not approve export of cryptographic products unless the key size was

strictly limited. For this reason, cryptographic products were divided into two classes: products with "strong"

cryptography and products with "weak" (that is, exportable) cryptography. Weak cryptography generally means a key

size of at most 56 bits in symmetric algorithms. Note that 56-bit DES keys have been cracked. In January 2000 the

restrictions on export regulations were dramatically relaxed. Today, any cryptographic product is exportable under a

license exception (i.e., without a license) unless the end-users are foreign governments or embargoed destinations

(Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taleban-controlled areas of Afghanistan, as of

January 2000). Export to government end-users may also be approved, but under a license.