Amer-networks E5Web GUI User Manual, Page 516

External traffic to wan_ip will match rules 1 and 4, and will be sent to wwwsrv. This is correct.
Return traffic from wwwsrv will match rules 2 and 3. The replies will therefore be dynamically
address translated. This changes the source port to a different port, which is incorrect.
The correct set of IP rules that will provide the desired effect is the following:
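| # | Action  | Src Iface | Src Net  | Dest Iface | Dest Net | Service      | SAT Action             |
|---|---------|-----------|----------|------------|----------|--------------|------------------------|
| 1 | SAT     | any       | all-nets | core       | wan_ip   | http         | Destination IP: wwwsrv |
| 2 | SAT     | lan       | wwwsrv   | any        | all-nets | http         | Source IP: wan_ip      |
| 3 | FwdFast | lan       | wwwsrv   | any        | all-nets | http         |                        |
| 4 | NAT     | lan       | lan_net  | any        | all-nets | all_services |                        |
| 5 | FwdFast | lan       | wwwsrv   | any        | all-nets | http         |                        |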
These rules will yield the following actions:
  • External traffic to wan_ip will match rules 1 and 5 and will be sent to wwwsrv.
  • Return traffic from wwwsrv will match rules 2 and 3.
  • Internal traffic to wan_ip will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the Clavister Security Gateway's internal IP address, guaranteeing that return traffic passes through the Clavister Security Gateway.
  • Return traffic will automatically be handled by the Clavister Security Gateway's stateful inspection mechanism.
7.4.7. Using an IP Policy for SAT
An alternative to using two IP rules for SAT is to use a single IP Policy object. This simplifies the
SAT definition process as well as allowing other features such as application control,
authentication and traffic shaping to be more easily associated with the rule.
When creating a SAT policy, the policy is either for source or destination translation, or both. The
way the translation functions for the source and/or destination address is determined by
specifying one or both of the following actions:
Address Action
This determines how the IP address is translated and can be one of the following:
i. Single IP - Either a single original IP or a range/network will be translated to the single
new IP address specified. This yields either a one-to-one or a many-to-one IP address
translation.
ii. Transposed - This yields a many-to-many translation where each address in the original
range/network is transposed to a new range/network, using the specified new IP
address as the base address for the transposition.
Port Action
This determines how the port number is translated and can be one of the following:
i. None - No port translation takes place.
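
The two Address Action settings described above, worked through as an added example (not taken from the manual or the product). The function names and the sample addresses are constructed, and the Transposed arithmetic (offset from the start of the original network, added to the new base address) is an assumed reading of the description above.

```python
import ipaddress

def sat_translate(addr, original, new_ip, address_action):
    """Translate addr per the Address Action; None if addr is not covered."""
    addr = ipaddress.ip_address(addr)
    original = ipaddress.ip_network(original)  # original range/network
    new_ip = ipaddress.ip_address(new_ip)      # the "new IP address" setting
    if addr not in original:
        return None                            # this SAT entry does not apply
    if address_action == "single_ip":
        # One-to-one for a /32 original, many-to-one for anything larger.
        return new_ip
    if address_action == "transposed":
        # Many-to-many: keep the offset from the start of the original
        # network and apply it to the new base address (assumed reading).
        offset = int(addr) - int(original.network_address)
        return new_ip + offset  # raises AddressValueError past the address space
    raise ValueError(f"unknown address action: {address_action!r}")

def sat_table(original, new_ip, address_action):
    """Full original -> translated mapping, as strings, for review."""
    net = ipaddress.ip_network(original)
    return {str(a): str(sat_translate(a, net, new_ip, address_action))
            for a in net}

if __name__ == "__main__":
    # Constructed sample values (documentation and private ranges).
    for action in ("single_ip", "transposed"):
        print(action)
        for src, dst in sat_table("203.0.113.16/30", "10.0.0.50", action).items():
            print(f"  {src} -> {dst}")
```

Listing the full mapping before deploying a Transposed translation shows exactly which internal hosts become reachable, including any that sit next to the intended servers in the new range.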
Chapter 7: Address Translation