Software Release 2.3.1
C613-10325-00 REV B
■ Reverse NAT
This translates the addresses of public side devices to addresses suitable
for the private side of the firewall (destination address will be translated
for outbound packets, source address for inbound packets).
■ Double NAT
This translates both the public and private side source and destination
addresses.
■ Enhanced NAT
This translates many private or public side addresses into a single global or
local address. If it is applied to a private interface the rule matches the
outbound sessions (source address will be translated for outbound packets,
destination address for inbound packets). If it is applied to a public
interface the rule matches the inbound sessions (source address will be
translated for inbound packets, destination address for outbound packets).
■ Subnet Translation
This translates IP addresses from one subnet into another subnet (e.g. all
192.168.xxx.xxx IP addresses can be translated into 202.36.xxx.xxx
addresses). Subnet translation may be applied to Standard, Reverse and
Double NAT.
Time Limited Rules
Rules can be set to expire after a specified Time To Live (TTL). A new
parameter, TTL, specifies the duration in hours and minutes for which the rule
exists. The rule is active from the moment it is created and is deleted once the
specified time has elapsed. All entries created from the rule are destroyed when
the rule expires. Rules defined with a TTL value do not appear in
router-generated configuration scripts, as they are dynamic.
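The following Python is an added illustration of the behaviour described above, not Allied Telesyn code: which packet address each NAT type rewrites for a given direction and interface, subnet translation between the IP and GBLIP subnets under NATMASK, and a rule that expires after its TTL and takes its entries with it. It assumes Standard NAT mirrors Reverse NAT (Standard NAT is not described on this page), and the packet and direction representation is its own.

```python
# Added illustration of the rule semantics described above; not Allied Telesyn code.
import ipaddress
from datetime import timedelta

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def subnet_translate(addr, ip, gblip, natmask):
    """Swap addr's network bits between the IP and GBLIP subnets, keeping its host
    bits; an address in neither subnet is returned unchanged."""
    a, m = _ip(addr), _ip(natmask)
    for here, there in ((_ip(ip), _ip(gblip)), (_ip(gblip), _ip(ip))):
        if a & m == here & m:
            return str(ipaddress.IPv4Address((there & m) | (a & ~m & 0xFFFFFFFF)))
    return addr

def translated_fields(nattype, applied_to, direction):
    """Fields rewritten for direction 'outbound' (private->public) or 'inbound', given
    the interface the rule is applied to; STANDARD is assumed to mirror REVERSE."""
    out = direction == "outbound"
    if nattype == "STANDARD":
        return {"src"} if out else {"dst"}
    if nattype == "REVERSE":   # public-side addresses made private-side
        return {"dst"} if out else {"src"}
    if nattype == "DOUBLE":
        return {"src", "dst"}
    if nattype == "ENHANCED":  # on a private interface it matches outbound sessions
        return {"src"} if out == (applied_to == "private") else {"dst"}
    raise ValueError("unknown NATTYPE %r" % nattype)

class SubnetRule:
    """STANDARD/REVERSE subnet-translation rule with optional TTL=hh:mm; when it
    expires the rule and every entry created from it are destroyed."""
    def __init__(self, nattype, ip, gblip, natmask, created, ttl=None):
        assert nattype in ("STANDARD", "REVERSE")
        self.nattype, self.ip, self.gblip, self.natmask = nattype, ip, gblip, natmask
        h, mi = (int(x) for x in ttl.split(":")) if ttl else (0, 0)
        self.expires = created + timedelta(hours=h, minutes=mi) if ttl else None
        self.entries = set()   # (src, dst) sessions created from this rule

    def apply(self, packet, direction, now):
        """Return the rewritten packet, or None once the rule has expired."""
        if self.expires is not None and now >= self.expires:
            self.entries.clear()   # entries die with the rule
            return None
        new = dict(packet)
        for f in translated_fields(self.nattype, None, direction):
            new[f] = subnet_translate(packet[f], self.ip, self.gblip, self.natmask)
        self.entries.add((new["src"], new["dst"]))
        return new
```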
New Command Syntax
The new syntax is:
ADD FIREWALL POLICY=policy RULE=rule-id ACTION={ALLOW|DENY|NAT|NONAT}
    INTERFACE=interface PROTOCOL={protocol|ALL|EGP|GRE|OSPF|SA|TCP|UDP}
    [AFTER=hh:mm] [BEFORE=hh:mm]
    [DAYS={MON|TUE|WED|THU|FRI|SAT|SUN|WEEKDAY|WEEKEND}[,...]]
    [ENCAPSULATION={NONE|IPSEC}] [GBLIP=ipadd] [GBLPORT={ALL|port[-port]}]
    [GBLREMOTEIP=ipadd[-ipadd]] [IP=ipadd[-ipadd]] [LIST={list-name|RADIUS}]
    [NATTYPE={DOUBLE|ENHANCED|REVERSE|STANDARD}] [NATMASK=ipadd]
    [PORT={ALL|port[-port]|service-name}] [REMOTEIP=ipadd[-ipadd]]
    [SOURCEPORT={ALL|port[-port]}] [TTL=hh:mm]
SET FIREWALL POLICY=name RULE=rule-id
    [PROTOCOL={protocol|ALL|EGP|GRE|OSPF|SA|TCP|UDP}] [AFTER=hh:mm] [BEFORE=hh:mm]
    [DAYS={MON|TUE|WED|THU|FRI|SAT|SUN|WEEKDAY|WEEKEND}[,...]]
    [ENCAPSULATION={NONE|IPSEC}] [GBLIP=ipadd] [GBLPORT={ALL|port[-port]}]
    [GBLREMOTEIP=ipadd[-ipadd]] [IP=ipadd[-ipadd]] [NATMASK=ipadd]
    [PORT={ALL|port[-port]|service-name}] [REMOTEIP=ipadd[-ipadd]]
    [SOURCEPORT={ALL|port[-port]}] [TTL=hh:mm]
These commands add or modify a rule defining the access allowed between
private and public interfaces of the specified policy. By default all access from
public interfaces (outside the firewall) is denied and all access from private
interfaces (inside the firewall) is allowed. To refine the security policy