NAT IP Address Translation - D-Link DFL-1660 User Manual

Network security firewall
7.1. NAT
NAT provides many-to-one translation. This means that each NAT rule in the IP rule set will
translate between several source IP addresses and a single source IP address.
To maintain session state information, each connection from dynamically translated addresses uses a
unique port number and IP address combination as its sender. NetDefendOS performs automatic
translation of the source port number as well as the IP address. In other words, the source IP
addresses for connections are all translated to the same IP address and the connections are
distinguished from one another by the allocation of a unique port number to each connection.
The diagram below illustrates the concept of NAT.
Figure 7.1. NAT IP Address Translation
In the illustration above, three connections from IP addresses A, B and C are NATed through a
single source IP address N. The original port numbers are also changed.
The source port number allocated for a new NAT connection will be the next free, available port and
usually the port allocated is equal to or above port number 32,768 (in other words the upper half of
the total 65,536 port number range). This means that there is a limitation of a maximum of 32,768
simultaneous NAT connections that can use the same translated source IP address. This is normally
adequate for all but the most extreme scenarios.
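As an added illustration (not the manual's or NetDefendOS's own code), the following Python models the port-based many-to-one translation just described: each new outbound connection is given the next free port at or above 32,768, replies are mapped back by that port, and a 32,769th simultaneous connection on the same translated address is refused. The NatTable class, the figure_7_1 function and all addresses in it are constructed for this example.

```python
# Added model (not D-Link's code) of the many-to-one NAT described above: every
# outbound flow is rewritten to one translated address and told apart by a unique
# source port from 32768..65535, so at most 32,768 flows can share one address.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORT_LOW, PORT_HIGH = 32768, 65535                 # next free port at or above 32,768
MAX_FLOWS_PER_ADDRESS = PORT_HIGH - PORT_LOW + 1   # 32,768 simultaneous connections
Flow = Tuple[str, int, str, int]                   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class NatTable:
    translated_ip: str                             # the single address N in Figure 7.1
    next_port: int = PORT_LOW
    used_ports: Set[int] = field(default_factory=set)
    outbound: Dict[Flow, int] = field(default_factory=dict)        # flow -> NAT port
    inbound: Dict[Tuple[int, str, int], Flow] = field(default_factory=dict)

    def translate(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Return (ip, port) for an outbound packet; None if all 32,768 ports are used."""
        if flow in self.outbound:                  # packet of an existing session
            return self.translated_ip, self.outbound[flow]
        if len(self.used_ports) >= MAX_FLOWS_PER_ADDRESS:
            return None                            # port range exhausted
        port = self._next_free_port()
        self.used_ports.add(port)
        self.outbound[flow] = port
        self.inbound[(port, flow[2], flow[3])] = flow   # lookup key for replies
        return self.translated_ip, port

    def _next_free_port(self) -> int:
        port = self.next_port                      # scan upward, wrap at 65535
        while port in self.used_ports:
            port = PORT_LOW if port == PORT_HIGH else port + 1
        self.next_port = PORT_LOW if port == PORT_HIGH else port + 1
        return port

    def reverse(self, nat_port: int, peer_ip: str, peer_port: int) -> Optional[Flow]:
        """Original flow for a reply that peer_ip:peer_port sends to N:nat_port."""
        return self.inbound.get((nat_port, peer_ip, peer_port))


def figure_7_1() -> Dict[Flow, Optional[Tuple[str, int]]]:
    """Hosts A, B and C (constructed sample addresses) NATed behind one address N."""
    nat = NatTable("203.0.113.1")
    flows = [("10.0.0.1", 40000, "198.51.100.5", 80),    # A
             ("10.0.0.2", 40000, "198.51.100.5", 80),    # B: same source port as A
             ("10.0.0.3", 51234, "198.51.100.5", 443)]   # C
    return {f: nat.translate(f) for f in flows}
```

Session teardown (freeing a port when a connection closes) is left out of the model; hosts A and B deliberately share source port 40000 to show why the translated port, not the original one, must be unique.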
The Source IP Address Used for Translation
There are three options for how NetDefendOS determines the source IP address that will be used for
NAT:
Use the IP Address of the Interface
When a new connection is established, the routing table is consulted to resolve the outbound
interface for the connection. The IP address of that resolved interface is then used as the new
source IP address when NetDefendOS performs the address translation. This is the default way
that the IP address is determined.
Specify a Specific IP Address
A specific IP address can be specified as the new source IP address. The specified IP address
needs to have a matching ARP Publish entry configured for the outbound interface. Otherwise,
the return traffic will not be received by the NetDefend Firewall. This technique might be used
when the source IP is to differ based on the source of the traffic. For example, an ISP that is
using NAT might use different IP addresses for different customers.
Use an IP Address from a NAT Pool
A NAT Pool, which is a set of IP addresses defined by the administrator, can be used. The next
available address from the pool can be used as the IP address used for NAT. There can be one or
Chapter 7. Address Translation