Destination NAT/port forwarding, Enable | SnapGear 2.0.1 instruction

The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on.

The Outgoing Interface is the interface/network port that the CyberGuard SG appliance will route the network traffic out. None will match network traffic that is destined for the CyberGuard SG appliance itself. This is useful for controlling access to services provided by the CyberGuard SG appliance, such as the Web Management Console.

The Log option controls whether to log the first packet of the connection. You may enter a Log Prefix to make it easier to identify which rules are being matched when inspecting the system log.

NAT

Once appropriate addresses (and perhaps service groups) have been defined, you may add 1-to-1 and Destination NAT rules. Source NAT rules may be added at any time, as these may apply solely between the interfaces of the CyberGuard SG appliance itself.

By default, the CyberGuard SG appliance performs Source NAT on traffic where the incoming interface is LAN and the outgoing interface is WAN. See the Advanced section of the chapter entitled Network Connections for information on configuring the basic masquerading (Source NAT) relationships between your CyberGuard SG appliance’s interfaces.

Destination NAT/port forwarding

Destination NAT alters the destination address and optionally the destination port of packets received by the CyberGuard SG appliance. Typically this is used for port forwarding.

Port forwarding allows controlled access to services provided by machines on your private network to users on the Internet by forwarding requests for a specific service coming into one of the CyberGuard SG appliance’s interfaces (typically the WAN interface) to a machine on your LAN, which services the request.

Enable	Uncheck to temporarily disable this rule
Descriptive Name	An arbitrary name for this rule

This rule will be applied to packets that match the critera described by the next four fields.

Incoming Interface	The interface that receives the request (for port
	forwarding will typically be set to WAN/Internet)

77

Firewall

Image 81

SnapGear 2.0.1 user manual Destination NAT/port forwarding, Enable, Descriptive Name

Contents

Revision June 7 Contents 104 Firewall 169 159170 177 Introduction CyberGuard SG Gateway AppliancesIntroduction CyberGuard SG PCI Appliances Secure by default Bridged mode Document Conventions Text like this highlights important issues Your CyberGuard SG Gateway Appliance Front panel LEDsSG300 model includes two blue straight through UTP cables Rear panel Virtual Private Networking is enabled Internet link features CyberGuard SG Gateway Appliance FeaturesLAN link features DMZ link features SG570, SG575 only LEDs Your CyberGuard SG PCI Appliance CyberGuard SG PCI Appliance Features Network link featuresEnvironmental features Getting Started 255.255.255.0 192.168.0.1Page Right click on Local Area Connection and select Properties 192.168.0.100 Set up the Password and LAN Connection Settings Root Getting Started Getting Started Cable modem Set up Internet Connection SettingsAnalog modem DSL modem Set up the PCs on your LAN to Access the Internet LAN with no Dhcp server LAN with a Dhcp server To manually set up each Windows PC on your network Select Dhcp Server from the Networking menu Getting Started Set up your PC to Connect to the Web Management Console Install the Network Driver on your PC Select Use the following DNS server addresses and enter Select Internet Protocol TCP/IP and click Properties Set up the Password and Network Connection Settings Network Setup Connections page will display Ensure Dhcp assigned is unchecked Click Apply and Reboot Getting Started Click Apply and Reboot Getting Started Page Network Connections ConnectionsNetwork Connections Bridging LAN Internet Internet Connection Methods Physically connect modem deviceCable Direct Internet Bridged Internet COM/Modem Failover Direct/Cable/ADSL InternetDialout Internet ISP. The Password and Confirm Password fields must Field DescriptionOptional Dialin access Direct DMZBridged DMZ Direct LAN Services on the DMZ NetworkBridged LAN DMZ as a second Internet connection DMZ as a backup/failover Internet connection Load BalancingInternet Failover Set up a secondary backup Internet connection Enable the primary connection for failover Network Connections Routes Additional routesRoute management Advanced HostnameDNS Proxy Network Address Translation NAT/masquerading Dynamic DNS Interface aliases Change MAC address QoS Traffic Shaping Dialin Setup Dialin Setup Dialin Setup Following table describes the fields on the Dial-In Setup Dialin User Accounts Account list Page Windows 95/98/Me Remote User Configuration Dialin Setup Windows 2000/XP Dialin Setup Page Dhcp Server Configuration Dhcp ServerDhcp Server Dhcp Server Subnet List Enable/DisableInterface Subnet Dhcp Server Dhcp Proxy Incoming Access FirewallFirewall Administration services CyberGuard SG Administrative Web Server SSL/HTTPS Secure Http Add Local and Private Certificates SSL Certificate Setup Incoming Interface Packet FilteringOutgoing Interface Action Addresses Service groups Rules Enable Destination NAT/port forwardingDescriptive Name Source NAT Destination ServicesSource Address Destination Address To-1 NAT Rules User authentication Access Control and Content FilteringPage Click Advanced Browser setup IP lists Web lists Content Categories Reports ZoneAlarm Intrusion Detection Intrusion Detection Benefits of using an IDS Basic Intrusion Detection and Blocking Page Advanced Intrusion Detection Advanced Intrusion Detection configuration Intrusion Detection Setting up the analysis server Page Web Cache Web cache is only available on SG575 modelsWeb Cache Cache size Web Cache Setup Network Shares Create a new user account100 Web Cache 101 Web Cache Create the network share 102 Web Cache Set the CyberGuard SG appliance to use the network share Set up LAN PCs to Use the Web Cache Peers103 Web Cache 104 Virtual Private Networking Virtual Private Networking Pptp Client Setup 106 Virtual Private Networking 107 Virtual Private Networking Pptp Server Setup 108 Virtual Private Networking Enable and configure the Pptp VPN server Data private as well as providing secure authentication Encryption is strongly recommended. This keeps your109 Virtual Private Networking Configuring user accounts for VPN server 111 Virtual Private Networking 112 Virtual Private Networking Configuring the remote VPN client Windows 95, Windows 98 and Windows Me 114 Virtual Private Networking Windows 115 Virtual Private Networking 116 Virtual Private Networking Windows XP 117 Virtual Private Networking Connecting the remote VPN client Set up the Branch Office IPSec SetupCyberGuard SG appliance to CyberGuard SG appliance Enabling IPSec 119 Virtual Private Networking Configure a tunnel to connect to the headquarters office Tunnel settings120 Virtual Private Networking 121 Virtual Private Networking 122 Virtual Private Networking 123 Virtual Private Networking Local endpoint settings 124 Virtual Private Networking 125 Virtual Private Networking Other options 126 Virtual Private Networking 127 Virtual Private Networking 128 Virtual Private Networking Tcgid Phase 1 settings Kept confidential129 Virtual Private Networking 130 Virtual Private Networking 131 Virtual Private Networking Phase 2 settings 132 Virtual Private Networking Configuring the Headquarters 133 Virtual Private Networking Remote endpoint settings Leave the Enable IP Payload Compression checkbox unchecked134 Virtual Private Networking 135 Virtual Private Networking Connection Tunnel ListRemote party 136 Virtual Private Networking 137 Virtual Private Networking Status 138 Virtual Private Networking 139 Virtual Private Networking NAT Traversal Support Dynamic DNS Support140 Virtual Private Networking Certificate Management Extracting certificates141 Virtual Private Networking 142 Virtual Private Networking Creating certificates 143 Virtual Private Networking Create the self-signed root CA certificate 144 Virtual Private Networking Adding certificates 145 Virtual Private Networking Adding a CA or CRL certificate 146 Virtual Private Networking Adding a local certificate 147 Virtual Private Networking Troubleshooting 148 Virtual Private Networking 149 Virtual Private Networking 150 Virtual Private Networking CyberGuard SG appliance in Brisbane Internet address Setting up a GRE tunnelLAN address CyberGuard SG appliance in Slough Internet address Remote subnet/netmask 10.1.0.0 GRE over IPSec 154 Virtual Private Networking 155 Virtual Private Networking Local Internal Address Place on Ethernet Bridge 156 Virtual Private Networking Troubleshooting 157 Virtual Private Networking L2TP VPN client 158 Virtual Private Networking L2TP server Date and Time SystemSet date and time NTP time server 160 System Locality 161 System Users Diagnostic AdministrationEncrypted save/restore all User settings Internet access via access controls DiagnosticsPassword Diagnostics 164 System Network tests Configuration files System log165 System Flash upgrade Reset button Reboot Technical Support Appendix a IP Address Ranges B.c.d B.c.d-e B.c.d-e.f.g.h B.c.d/e169 Appendix a IP Address Ranges Appendix B Terminology Term Meaning170 Appendix B Terminology 171 Appendix B Terminology DNS 172 Appendix B Terminology IDB 173 Appendix B Terminology Isakmp 174 Appendix B Terminology NTP 175 Appendix B Terminology SHA 176 Appendix C System Log Access Logging Eth0 Default DenyEth1 Ppp 179 Appendix C System Log Creating Custom Log Rules 180 Appendix C System Log 181 Appendix C System Log Iptables -I Forward -j LOG -i eth0 -p tcp 182 Appendix C System Log Rate Limiting Administrative Access Logging Boot Log Messages183 Appendix C System Log 184 Appendix D Firmware Upgrade Practices and Precaut ions Appendix D Firmware Upgrade Practices and Precautions