address on the firewall, this constitutes two unique IP pairs. The 64,500 figure is therefore a limit
per IP pair, not a limit for the entire NetDefend Firewall.
Tip: Use NAT pools to get around the connection limit
The connection maximum per unique IP pair is normally adequate for all but the most extreme
scenarios. However, to increase the number of NAT connections that can exist between the
NetDefend Firewall and a particular external host IP, the NetDefendOS NAT Pools feature can be
used, which automatically makes use of additional IP addresses on the firewall, each of which
gets its own per-pair budget towards that host. See Section 7.3, "NAT Pools" for more
information about this topic.
The Source IP Address Used for Translation
There are three options for how NetDefendOS determines the source IP address that will be used for
NAT:
• Use the IP Address of the Interface
When a new connection is established, the routing table is consulted to resolve the outbound
interface for the connection. The IP address of that resolved interface is then used as the new
source IP address when NetDefendOS performs the address translation. This is the default way
that the IP address is determined.
• Specify a Specific IP Address
A specific IP address can be specified as the new source IP address. The specified IP address
must have a matching ARP Publish entry configured for the outbound interface; otherwise the
neighbouring router has no MAC address to deliver to and the return traffic will never be
received by the NetDefend Firewall. This technique might be used when the source IP is to
differ based on the source of the traffic. For example, an ISP that is using NAT might use
different IP addresses for different customers.
• Use an IP Address from a NAT Pool
A NAT Pool, which is a set of IP addresses defined by the administrator, can be used. The next
available address from the pool is then used as the IP address for NAT. There can be one or
many NAT pools, and a single pool can be used in more than one NAT rule. This topic is
discussed further in Section 7.3, "NAT Pools".
Applying NAT Translation
The following illustrates how NAT is applied in practice on a new connection:
1. The sender, for example 192.168.1.5, sends a packet from a dynamically assigned port, for
instance port 1038, to a server, for example 195.55.66.77 port 80.
192.168.1.5:1038 => 195.55.66.77:80
2. In this example, the Use Interface Address option is used, and we will use 195.11.22.33 as the
interface address. In addition, the source port is changed to a random free port above port
1024 on the NetDefend Firewall. In this example, we will assume port 32789 is chosen. The
mapping between the original and the translated source is recorded in the firewall's state
table, and the packet is then sent to its destination.
195.11.22.33:32789 => 195.55.66.77:80
3. The recipient server then processes the packet and sends its response.
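The following is an added example and is not code from the NetDefendOS manual or from D-Link. It models the translation steps above (including the reverse lookup that step 3 relies on), the three source-address options, and the per-unique-IP-pair port budget that the tip on NAT pools refers to. The class and method names, the order in which pool addresses are tried, and the ARP Publish check are illustrative assumptions; the "above port 1024" range and the per-IP-pair budget follow the text.

```python
"""Added example (not from the NetDefendOS manual or D-Link): a model of a
dynamic NAT table that follows the translation steps above and the three
source-address options.  Class and method names, the pool fallback order and
the ARP Publish check are illustrative assumptions; the 'above port 1024'
range and the per-unique-IP-pair budget follow the text."""
import random
from typing import Dict, List, Optional, Sequence, Tuple

Endpoint = Tuple[str, int]              # (ip, port)
DEFAULT_PORTS = (1025, 65535)           # "a random free port ... above port 1024"


class NatTable:
    def __init__(self, interface_ip: str, published: Sequence[str] = (),
                 pool: Sequence[str] = (), ports=DEFAULT_PORTS, seed: int = 1):
        self.interface_ip = interface_ip    # option 1: address of the outbound interface
        self.published = set(published)     # addresses that have an ARP Publish entry
        self.pool = tuple(pool)             # option 3: administrator-defined NAT pool
        self.ports = ports
        self.rng = random.Random(seed)
        self.forward: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}   # (src, dst) -> nat_src
        self.reverse: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}   # (nat_src, dst) -> src
        self.free: Dict[Tuple[str, str], List[int]] = {}               # per (nat_ip, dst_ip)

    def budget(self) -> int:
        """Connections possible per unique (NAT IP, destination IP) pair;
        1025..65535 gives 64,511, the figure the manual rounds to 64,500."""
        return self.ports[1] - self.ports[0] + 1

    def _take_port(self, nat_ip: str, dst_ip: str) -> Optional[int]:
        key = (nat_ip, dst_ip)                 # ports are budgeted per unique IP pair
        if key not in self.free:
            ports = list(range(self.ports[0], self.ports[1] + 1))
            self.rng.shuffle(ports)            # random free port, as step 2 says
            self.free[key] = ports
        return self.free[key].pop() if self.free[key] else None

    def translate(self, src: Endpoint, dst: Endpoint, mode: str = "interface",
                  specific_ip: Optional[str] = None) -> Endpoint:
        """Steps 1-2: choose the new source IP and a free port; return the new source."""
        if (src, dst) in self.forward:
            return self.forward[(src, dst)]    # an existing connection keeps its mapping
        if mode == "interface":
            candidates = [self.interface_ip]
        elif mode == "specific":
            # Option 2: without an ARP Publish entry on the outbound interface the
            # return traffic would never reach the firewall, so refuse such an address.
            if specific_ip not in self.published:
                raise ValueError(f"{specific_ip} has no ARP Publish entry")
            candidates = [specific_ip]
        elif mode == "pool":
            candidates = list(self.pool)       # try the next available pool address
        else:
            raise ValueError(f"unknown mode {mode!r}")
        for nat_ip in candidates:
            port = self._take_port(nat_ip, dst[0])
            if port is not None:
                nat_src = (nat_ip, port)
                self.forward[(src, dst)] = nat_src
                self.reverse[(nat_src, dst)] = src
                return nat_src
        raise RuntimeError(f"port budget exhausted towards {dst[0]}")

    def untranslate(self, reply_src: Endpoint, reply_dst: Endpoint) -> Optional[Endpoint]:
        """Step 3: map the server's reply back to the internal sender, or None when
        no connection exists (an unsolicited inbound packet, which is dropped)."""
        return self.reverse.get((reply_dst, reply_src))


def walkthrough() -> dict:
    """The manual's example: 192.168.1.5:1038 -> 195.55.66.77:80 via 195.11.22.33."""
    nat = NatTable("195.11.22.33")
    src, dst = ("192.168.1.5", 1038), ("195.55.66.77", 80)
    nat_src = nat.translate(src, dst)                       # step 2
    back = nat.untranslate(dst, nat_src)                    # step 3: reply from the server
    stray = nat.untranslate(("203.0.113.9", 443), nat_src)  # constructed unsolicited packet
    return {"nat_src": nat_src, "back": back, "stray": stray, "budget": nat.budget()}


if __name__ == "__main__":
    r = walkthrough()
    print(f"{r['nat_src'][0]}:{r['nat_src'][1]} => 195.55.66.77:80  "
          f"(budget per IP pair: {r['budget']})")
```

The port choice is random, so the model will not necessarily pick 32789 as the text does; what matters is that the same (source, destination) pair always maps to the same translated source, that a reply is matched by the (translated source, server) pair, and that a packet from a server the firewall never talked to finds no entry. Running it with a small `ports` range shows the per-pair budget being exhausted towards one host while another host is unaffected, and how a NAT pool supplies a second address once the first runs out.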
7.2. NAT
Chapter 7. Address Translation
342