D-Link NetDefendOS
A SAT rule with an original, untranslated address of all-nets always results in an all-to-one
mapping.
Specifying the Type of Port Mapping
If the Port property is specified for the SAT rule, NetDefendOS performs port translation slightly differently from IP address translation. It uses the following rules:
If the Service object used with the SAT IP rule does not have a single value or a simple range specified for its port property, port translation is never performed. A simple range is a range with only a lower and an upper value (for example, 50-60) or a single value; a port list such as 80,443 is not a simple range.
Because port translation always operates on a single value or one contiguous range, an all-to-one port translation is not possible and the All to One property of the IP rule is ignored for port translation.
If a new port number is specified and the Service object used with the SAT IP rule has a single number for its port property, all connections are translated to the new port number.
If a new port number is specified and the Service object used with the SAT IP rule has a simple range for its port property, all connections are transposed to a new range of the same size which begins with the new port number, so each port keeps its offset within the range.
7.4.2. One-to-One IP Translation
The simplest form of SAT usage is the translation of a single IP address to another single, static address. A very common scenario for this usage is to enable external users to access a protected server in a DMZ that has a private address. This is also sometimes referred to as implementing a Virtual IP or a Virtual Server.
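The following is an added, illustrative model of the SAT behaviour described above: the all-nets rule, the three port-mapping rules, and one-to-one address translation. It is not NetDefendOS code; the function names, the textual port-spec format ("80", "50-60", "80,443") and the assumption that a non-all-to-one translation of a network preserves the host offset are all assumptions made for the example. Sample addresses are constructed.

```python
"""Illustrative model of NetDefendOS SAT translation rules (added example,
not vendor code). Port specs and function names are assumptions."""
import ipaddress
from typing import Optional, Tuple

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")  # NetDefendOS "all-nets"


def parse_simple_range(port_spec: str) -> Optional[Tuple[int, int]]:
    """Return (low, high) if port_spec is a single value ("80") or a simple
    range ("50-60"). Return None for anything else (e.g. "80,443"), which the
    page says never receives port translation."""
    spec = port_spec.strip()
    if spec.isdigit():
        port = int(spec)
        return (port, port) if 0 <= port <= 65535 else None
    low, sep, high = spec.partition("-")
    if sep and low.isdigit() and high.isdigit():
        lo, hi = int(low), int(high)
        if 0 <= lo <= hi <= 65535:
            return (lo, hi)
    return None


def translate_port(service_ports: str, orig_dport: int,
                   new_port: Optional[int]) -> int:
    """Destination port after SAT, following the three rules on this page.
    new_port is None when the rule's Port property is not set."""
    if new_port is None:
        return orig_dport                  # no Port property: nothing to do
    rng = parse_simple_range(service_ports)
    if rng is None:
        return orig_dport                  # list/complex spec: never translated
    lo, hi = rng
    if not lo <= orig_dport <= hi:
        raise ValueError("connection does not match the rule's Service")
    if lo == hi:
        return new_port                    # single port: all connections -> new_port
    # Simple range: transposed to a range starting at new_port, offset preserved.
    return new_port + (orig_dport - lo)


def translate_ip(orig_net: str, translate_to: str, all_to_one: bool,
                 orig_dst: str) -> str:
    """Destination address after SAT. An original address of all-nets, or the
    All to One property, maps every address onto translate_to. Otherwise a
    single address maps one-to-one; for a larger network the host offset is
    kept (assumption for this example)."""
    net = ipaddress.ip_network(orig_net, strict=False)
    dst = ipaddress.ip_address(orig_dst)
    target = ipaddress.ip_address(translate_to)
    if dst not in net:
        raise ValueError("destination does not match the rule's original address")
    if all_to_one or net == ALL_NETS:
        return str(target)                 # all-to-one mapping
    offset = int(dst) - int(net.network_address)
    return str(target + offset)            # one-to-one (offset 0 for a /32)


if __name__ == "__main__":
    # Constructed example: public 203.0.113.10:80 -> DMZ web server 10.0.1.10:8080
    print(translate_ip("203.0.113.10", "10.0.1.10", False, "203.0.113.10"))
    print(translate_port("80", 80, 8080))
    # Range 50-60 transposed to start at 5000: port 53 becomes 5003
    print(translate_port("50-60", 53, 5000))
    # Port list: Port property is ignored, 443 stays 443
    print(translate_port("80,443", 443, 8080))
```

The model makes the practical checks explicit: a Service with a port list silently loses its port translation even when Port is set, and an original address of all-nets collapses every destination onto the translate-to address regardless of the All to One setting.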
The Role of a DMZ
At this point, it is relevant to discuss the role of the network known as the Demilitarized Zone
(DMZ) since SAT rules are often used for allowing DMZ access.
The DMZ's purpose is to provide a network where the administrator can place those resources which will be accessed by external, untrusted clients, typically across the public Internet. The servers in the DMZ have the greatest exposure to external threats and are therefore at most risk of being compromised.
By isolating these servers in a DMZ, the aim is to create a distinct network, separated from the much more sensitive local, internal networks. This allows NetDefendOS to control what traffic flows between the DMZ and internal networks and to better contain any security breach that might occur on a DMZ server.
The illustration below shows a typical network arrangement with a NetDefend Firewall
mediating communications between the public Internet and servers in the DMZ and between
the DMZ and local clients on a network called LAN.
Note: The DMZ port could be any port
On some models of D-Link NetDefend hardware, there is a specific Ethernet interface
which is marked as being for the DMZ network. Although this is the port's intended use,
Chapter 7: Address Translation