It is possible to translate entire ranges of IP addresses and/or port numbers. These translations are transpositions where each address or port is mapped to a corresponding address or port in a new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT).
SAT is configured by setting either the SourceTranslation or DestinationTranslation to the value SAT in an IP rule with an action of Allow. Other SAT options are also added to completely specify the translation required.
The simplest form of SAT usage is the translation of a single IP address to another, single IP address (a 1:1 relationship). A very common scenario for this is to enable external users to access a protected server in a DMZ that has a private network address. This is sometimes referred to as implementing a Virtual IP or as a Virtual Server.
Using a DMZ
At this point, it is important to understand the role of networks designated as a DMZ, since SAT IP rules are often used with them. The DMZ's purpose is to act as a network where resources, such as servers, are placed for access by external, untrusted clients, typically across the public Internet. This network therefore has the maximum exposure to external threats.
By isolating the DMZ network, a clear security separation is created from sensitive, internal networks. Security policies can then control traffic flows between the DMZ and internal networks, isolating any security problems occurring in the DMZ.
The illustration below shows a typical network arrangement with a Clavister NetShield Firewall mediating communications between the public Internet and servers in a DMZ and between the DMZ and local clients on an internal network called LAN. This is a simplified diagram since it is recommended to keep an SMTP server and a web server on separate networks.
Example 9.8. Enabling Traffic to a Protected Web Server in a DMZ (1:1)
In this example, we will create a SAT IP rule that translates and allows IPv4 flows from the Internet to a web server located in a DMZ. The Clavister NetShield Firewall is connected to the Internet via the wan interface, whose IPv4 address is held in the address object wan_ip (defined as 195.55.66.77). The web server has the private IPv4 address 10.10.10.5 and is on the network connected to the dmz interface.
Command-Line Interface
Change the current CLI context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Create a SAT IP rule:
System:/IPRuleSet/main>
add IPRule
SourceInterface=any
SourceNetwork=all-nets-ip4
DestinationInterface=core
DestinationNetwork=wan_ip
Service=http
Action=Allow
DestinationTranslation=SAT
SetDestinationAddress=Offset
NewDestinationIP4=10.10.10.5
Name=SAT_HTTP_To_DMZ
The Service is deliberately restricted to http: with Service=all_services the same rule would forward every port on wan_ip to the server, exposing far more than the web service.
Now, return to the default CLI context if no more rules are needed:
System:/IPRuleSet/main>
cc
A single SAT rule can be used to translate an entire range of IP addresses (a many-to-many translation). This results in a transposition where the first original IP address will be translated to the first IP address in the translation address list and so on. Port numbers are not changed.
Example 9.9. Translating Traffic to Multiple Protected Web Servers (M:N)
In this simple example, a SAT IP rule will translate from five IPv4 public IP addresses to five web servers located in a DMZ. The firewall is connected to the Internet via the wan interface and the public IPv4 addresses are the range 195.55.66.77 to 195.55.66.81. The web servers have the private IPv4 address range 10.10.10.5 to 10.10.10.9 and are on the network connected to the dmz interface. The SAT IP rule must translate the nth public address to the nth private server address.
The following steps need to be performed:
Define an address object containing all the public IPv4 addresses.
Define another address object set to be the first IPv4 address 10.10.10.5 of the web servers.
Publish the public IPv4 addresses on the wan interface using the ARP publish mechanism.
Create a SAT IP rule with Action=Allow that performs the translation and permits the incoming HTTP flows.
Since the five public IPv4 addresses are ARP published on the wan interface rather than being routed on core, the SAT rule's destination interface is wan, not core.
Command-Line Interface
Create an address object for the public IPv4 addresses:
System:/>
add Address IPAddress wwwsrv_pub
Address=195.55.66.77-195.55.66.81
Now, create another object for the base of the web server IPv4 addresses:
System:/>
add Address IPAddress wwwsrv_priv_base Address=10.10.10.5
Publish the public IPv4 addresses on the wan interface using ARP publish. Change the CLI context to ARPEntries and then enter a command like the following for each of the five addresses:
System:/>
cc ARPEntries
System:/ARPEntries>
add ARPEntry Interface=wan IP=195.55.66.77 Mode=Publish
This could alternatively be done by assigning all five addresses to the Ethernet interface since cOS Stream supports multiple IP addresses on interfaces.
Next, change the current CLI context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Next, create a SAT rule for the translation:
System:/IPRuleSet/main>
add IPRule
SourceInterface=any
SourceNetwork=all-nets-ip4
DestinationInterface=wan
DestinationNetwork=wwwsrv_pub
Service=http
Action=Allow
DestinationTranslation=SAT
SetDestinationAddress=Offset
NewDestinationIP4=wwwsrv_priv_base
Next, return to the default CLI context using the command:
System:/IPRuleSet/main>
cc
Example 9.10. Source Address Translation (M:N)
Suppose there is a network 192.168.0.0/24 called lan_net connected to the lan interface. There is also a network called dmz_net connected to the dmz interface.
Hosts on lan_net need to communicate with servers on dmz_net and appear as though they are coming from the network 172.16.0.0/24. For example, the source IP address 192.168.0.25 will become 172.16.0.25.
The required SAT rule is defined as follows:
Command-Line Interface
Change the current CLI context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Next, create a SAT rule for the translation:
System:/IPRuleSet/main>
add IPRule
SourceInterface=lan
SourceNetwork=lan_net
DestinationInterface=dmz
DestinationNetwork=dmz_net
Service=http
Action=Allow
SourceTranslation=SAT
SetSourceAddress=Offset
NewSourceIP4=172.16.0.0
Next, return to the default CLI context using the command:
System:/IPRuleSet/main>
cc
Note
In the above examples, IPv4 addresses are used. The option NewDestinationIP6= can be used together with, or instead of, NewDestinationIP4= to perform the same function with IPv6 addresses.
A SAT IP rule can combine source and destination translation in the same rule if required.
It is possible to translate ranges and/or groups into just one IP address.
Example 9.11. Translating Traffic to a Single Web Server (N:1)
This example is similar to the previous many-to-many (M:N) example but this time a SAT IP rule will translate from five public IPv4 addresses to a single web server located on a DMZ network. The Clavister NetShield Firewall is connected to the Internet via the wan interface and the public IP addresses have the range 195.55.66.77 to 195.55.66.81. The server has the private IPv4 address 10.10.10.5 and is on the network connected to the dmz interface.
The following steps need to be performed:
Define an address object containing all the public IP addresses.
Define another address object set to be the IP address 10.10.10.5 of the web server.
Publish the public IP addresses on the wan interface using the ARP publish mechanism.
Create a SAT IP rule with Action=Allow that performs the translation and permits the incoming HTTP flows. As in the previous example, the destination interface of the rule is wan, since the public addresses are ARP published on that interface and not routed on core.
Command-Line Interface
Create an address object for the public IP addresses:
System:/>
add Address IPAddress wwwsrv_pub
Address=195.55.66.77-195.55.66.81
Now, create another object for the base of the web server IP addresses:
System:/>
add Address IPAddress wwwsrv_priv Address=10.10.10.5
Publish the public IP addresses on the wan interface using ARP publish. To do this, change the CLI context to be ARPEntries:
System:/>
cc ARPEntries
Then enter a command like the following for each IP address:
System:/ARPEntries>
add ARPEntry
Interface=wan
IP=195.55.66.77
Mode=Publish
This could alternatively be done by assigning all five addresses to the Ethernet interface since cOS Stream supports multiple interface IP addresses.
Next, change the current CLI context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Next, create a SAT rule for the translation:
System:/IPRuleSet/main>
add IPRule
SourceInterface=wan
SourceNetwork=all-nets-ip4
DestinationInterface=wan
DestinationNetwork=wwwsrv_pub
Service=http
Action=Allow
DestinationTranslation=SAT
SetDestinationAddress=AllToOne
NewDestinationIP4=wwwsrv_priv
Return to the default CLI context with the command:
System:/IPRuleSet/main>
cc
In the above example, the option NewDestinationIP6= could be used with or instead of NewDestinationIP4= to perform the same function with IPv6 addresses.
Note
When all-nets, all-nets-ip4 or all-nets-ip6 is the destination network in a SAT rule, an All-to-One mapping is always performed.
Port Translation (also known as Port Address Translation, PAT) can be defined in a SAT IP rule to modify either the source or destination port. This is similar to the 1:1 address translation described above but the additional options SetDestinationPort=Offset and NewDestinationPort are used.
Port translation depends on the range of port numbers specified in the Service object used in the IP rule. If the Service object specifies only a single port number then that port is always translated to the NewDestinationPort value. If the Service object specifies a port range then the new port number is the NewDestinationPort value plus the offset of the original port within that range.
For example, suppose that NewDestinationPort=80 is specified in the SAT IP rule and the Service object used for the rule has a port range of 1000 to 1050. If the traffic allowed by the IP rule has a destination port number of 1003, this will be translated to port 83 (1003 - 1000 + 80).
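The address and port semantics described above (Offset transposition for the 1:1 and M:N cases, AllToOne for N:1, the port offset relative to the Service range, and the forced All-to-One mapping for an all-nets destination) as a small Python model. This is an added illustration and not Clavister code or the cOS Stream implementation; the rule fields are merely named after the CLI parameters. The packets are constructed sample input, and dmz_net, our_server_ip and dmz_ip are given assumed addresses because the page does not define them. It also covers the combined source NAT plus destination SAT form of Example 9.13 further down, and `translated_dst_range` shows the check a practitioner should make before committing an Offset rule: that the translated range covers only the servers that actually exist.

```python
"""Model of the SAT translation semantics described in this section.

Added illustration, not Clavister code. Field names mirror the CLI
parameters (SetDestinationAddress, NewDestinationIP4, SetDestinationPort,
NewDestinationPort, SetSourceAddress, NewSourceIP4); the packets and the
dmz_net, our_server_ip and dmz_ip addresses below are constructed values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]
ALL_NETS_IP4: Range = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


def ip4(s: str) -> IPv4Address:
    return IPv4Address(s)


@dataclass(frozen=True)
class SATRule:
    # Filter part of the IP rule: SourceNetwork, DestinationNetwork and the
    # Service destination port range, all as inclusive ranges.
    src_net: Range
    dst_net: Range
    ports: Tuple[int, int]
    # DestinationTranslation=SAT options.
    set_dst_addr: Optional[str] = None        # "Offset" or "AllToOne"
    new_dst_ip: Optional[IPv4Address] = None  # NewDestinationIP4
    set_dst_port: Optional[str] = None        # "Offset"
    new_dst_port: Optional[int] = None        # NewDestinationPort
    # SourceTranslation options (SAT with Offset, or NAT with AllToOne).
    set_src_addr: Optional[str] = None
    new_src_ip: Optional[IPv4Address] = None  # NewSourceIP4


def _in(value, rng) -> bool:
    return rng[0] <= value <= rng[1]


def _translate_addr(mode: str, addr: IPv4Address, net: Range,
                    new_base: IPv4Address) -> IPv4Address:
    """Offset: the nth address of the filter range becomes the nth address
    from new_base (a transposition). AllToOne: every address becomes new_base."""
    if mode == "AllToOne":
        return new_base
    if mode == "Offset":
        return new_base + (int(addr) - int(net[0]))
    raise ValueError(f"unknown address mode {mode!r}")


def apply_rule(rule: SATRule, src: IPv4Address, dst: IPv4Address,
               dport: int) -> Optional[Tuple[IPv4Address, IPv4Address, int]]:
    """Translated (src, dst, dport) for a packet the rule matches, else None."""
    if not (_in(src, rule.src_net) and _in(dst, rule.dst_net)
            and _in(dport, rule.ports)):
        return None
    new_src, new_dst, new_port = src, dst, dport
    if rule.set_dst_addr:
        mode = rule.set_dst_addr
        # With all-nets as the destination an All-to-One mapping is always done.
        if rule.dst_net == ALL_NETS_IP4:
            mode = "AllToOne"
        new_dst = _translate_addr(mode, dst, rule.dst_net, rule.new_dst_ip)
    if rule.set_dst_port == "Offset":
        # NewDestinationPort is the base; the offset within the Service range
        # is kept, so a single-port Service always maps to the base port.
        new_port = rule.new_dst_port + (dport - rule.ports[0])
    if rule.set_src_addr:
        new_src = _translate_addr(rule.set_src_addr, src, rule.src_net,
                                  rule.new_src_ip)
    return new_src, new_dst, new_port


def translated_dst_range(rule: SATRule) -> Range:
    """Destination addresses the rule can hand out. Compare this with the
    servers that actually exist: in Offset mode a DestinationNetwork larger
    than the server list silently forwards traffic to addresses beyond it."""
    if rule.set_dst_addr == "AllToOne" or rule.dst_net == ALL_NETS_IP4:
        return rule.new_dst_ip, rule.new_dst_ip
    span = int(rule.dst_net[1]) - int(rule.dst_net[0])
    return rule.new_dst_ip, rule.new_dst_ip + span


# Example 9.9 (M:N): 195.55.66.77-81 -> 10.10.10.5-9, port unchanged.
MN_RULE = SATRule(ALL_NETS_IP4, (ip4("195.55.66.77"), ip4("195.55.66.81")),
                  (80, 80), set_dst_addr="Offset", new_dst_ip=ip4("10.10.10.5"))
# Example 9.10 (source SAT): lan_net appears as 172.16.0.0/24; dmz_net assumed.
SRC_RULE = SATRule((ip4("192.168.0.0"), ip4("192.168.0.255")),
                   (ip4("10.10.10.0"), ip4("10.10.10.255")), (80, 80),
                   set_src_addr="Offset", new_src_ip=ip4("172.16.0.0"))
# Example 9.12 (port translation): ports 80-85 on wan_ip -> 1080-1085.
PORT_RULE = SATRule(ALL_NETS_IP4, (ip4("195.55.66.77"), ip4("195.55.66.77")),
                    (80, 85), set_dst_addr="AllToOne", new_dst_ip=ip4("10.10.10.5"),
                    set_dst_port="Offset", new_dst_port=1080)
# Example 9.13 (SAT + NAT): our_server_ip and dmz_ip are assumed values.
HAIRPIN_RULE = SATRule((ip4("192.168.0.0"), ip4("192.168.0.255")),
                       (ip4("195.55.66.77"), ip4("195.55.66.77")), (80, 80),
                       set_dst_addr="Offset", new_dst_ip=ip4("10.10.10.5"),
                       set_src_addr="AllToOne", new_src_ip=ip4("10.10.10.1"))

if __name__ == "__main__":
    print(apply_rule(MN_RULE, ip4("203.0.113.9"), ip4("195.55.66.79"), 80))
    print(translated_dst_range(MN_RULE))
    print(apply_rule(HAIRPIN_RULE, ip4("192.168.0.25"), ip4("195.55.66.77"), 80))
```

The model deliberately applies the all-nets override before the address mode is used, which is the behaviour a rule with DestinationNetwork=all-nets-ip4 and SetDestinationAddress=Offset would exhibit; it is an easy misconfiguration to spot with `translated_dst_range`, which then collapses to a single address.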
Note
Both predefined and custom service objects can be used with SAT IP rules. A custom service might be needed to identify the exact port range being translated, as shown in the example below.
Example 9.12. Port Translation with SAT
This example is very similar to the earlier 1:1 and N:1 examples, but here the port number is also changed by the translation. Assume that a web server has a private IPv4 address held in the address object wwwsrv_priv and is located on the network connected to the dmz interface. All incoming HTTP flows must be translated to wwwsrv_priv, and all ports in the custom service's range 80 - 85 must be translated to the range 1080 - 1085.
Command-Line Interface
First, create a custom HTTP service:
System:/>
add Service ServiceTCPUDP http_custom DestinationPorts=80-85
Change the current CLI context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Next, create a SAT rule for the translation:
System:/IPRuleSet/main>
add IPRule
SourceInterface=wan
SourceNetwork=all-nets-ip4
DestinationInterface=core
DestinationNetwork=wan_ip
Service=http_custom
Action=Allow
DestinationTranslation=SAT
SetDestinationAddress=AllToOne
NewDestinationIP4=wwwsrv_priv
SetDestinationPort=Offset
NewDestinationPort=1080
Finally, return to the default CLI context with the command:
System:/IPRuleSet/main>
cc
Both SAT and NAT translation can be combined in the same Allow IP rule by using the options SourceTranslation=NAT and DestinationTranslation=SAT together.
Example 9.13. Combining NAT and SAT
Assume a number of clients on the internal, protected lan_net network are browsing the public Internet. Normally their flows are routed out to the Internet via the wan interface.
However, sometimes these clients will try to access their own web server, which has the private IP address our_server_ip and is located on the local dmz_net. This causes a problem because a public DNS server resolves the server's domain name to wan_ip, the public IPv4 address of the firewall's wan interface, so the clients send their requests to the firewall rather than to the server.
The solution is a SAT rule for these clients that translates the destination address wan_ip to our_server_ip. Source NAT is also required in the same rule so that the server sees the requests as coming from the firewall's dmz interface address (dmz_ip) and returns its replies through the firewall, where both translations are reversed.
The required IP rule is defined as follows:
Command-Line Interface
Change the current CLI context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Next, create a SAT rule for the translation:
System:/IPRuleSet/main>
add IPRule
SourceInterface=lan
SourceNetwork=lan_net
DestinationInterface=core
DestinationNetwork=wan_ip
Service=http
Action=Allow
DestinationTranslation=SAT
SetDestinationAddress=Offset
NewDestinationIP4=our_server_ip
SourceTranslation=NAT
SetSourceAddress=AllToOne
NewSourceIP4=dmz_ip
Finally, return to the default CLI context with the command:
System:/IPRuleSet/main>
cc