NAT in Application-level Gateway is an option to change source/destination IP address information in the server side of connections of the firewall, immediately before the connection is started. Since NAT (if used) decisions are made after all other IP address related configurations, such as router, proxy configuration, NAT can override these previous settings. NAT in Application-level Gateway can be used to shift IP address ranges, to set IP addresses and to customize these operations.
In a service definition there are potentially two different components that directly deal with IP address setting:
a router (compulsory),
and a NAT policy (or two) (optional).
In the address setting procedure the following processes are involved.
Incoming connection is accepted and a new session is created.
Destination address is set by the Router and using the
option the source address of the server side connection is also set.Remember that the Router only gives a suggestion for the source/destination IP addresses as the proxy or the NAT can later override these suggestions.
Router settings can be altered by the proxy if the
option is set orInbandRouter
is selected and the proxy has some protocol based information.NAT is performed, depending on NAT types (SNAT/DNAT).
Access control check is performed based on the final destination IP address decision. Check whether the service is allowed as an
inbound service
into the zone where the destination IP address belongs to.The connection to the server is established.
Note |
---|
When checking the inbound services of the zone, the IP address to which the firewall actually connects to is considered. In other words, the original destination address of the client may be overridden by the router, the proxy and DNAT as well. Zone access control uses only the final IP address, all interim addresses (set by the Router, Proxy, but not used as the final one) are ignored in the access control decision. |
If a service uses an SNAT Policy, the
is implicitly set as well so that SNAT uses the client IP address instead of the firewall IP address. That is, if the NAT policy does not include SNAT modification, the client's IP address is used even if the is unset in the router.Tip |
---|
The versatility of NAT policies is especially useful in large-scale, enterprise deployments or where a lot of NAT is used. |
Published on June 04, 2020
© 2007-2019 BalaSys
Send your comments to support@balasys.hu