̈ Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50
79
Routing and WAN
connections
Configuration of the inverse masquerading
Stateful Inspection and inverse masquerading
If in the Masquerading module a port is exposed (i.e. all packets received on
this port should be forwarded to a server in the local area network), then this
requires with a Deny All Firewall strategy an additional entry in the Stateful
Inspection Firewall, which enables the access of all stations to the respective
server.
7.3.3 Unmasked Internet access for server in the DMZ
While the inverse masquerading described in the proceeding paragraph
allows to expose at least one service of each type (e.g. one Web, Mail and FTP
server), this method is bound to some restrictions.
̈ The masquerading module must support and ’understand’ the particular
server service of the ’exposed host’. For instance, several VoIP servers use
proprietary, non-standard ports for extended signalling. Thus such server
could be used on unmasked connections solely.
̈ From a security point of view, it must be considered that the ’exposed
host’ resides within the LAN. When the host is under control of an
attacker, it could be misused as a starting point for further attacks against
machines in the local network.
In order to prevent attacks from a cracked server to the local network,
some LANCOM provide a dedicated DMZ interface (LANCOM 7011
VPN) or are able to separate their LAN ports on Ethernet level by hard-
ware (LANCOM 821 ADSL/ISDN and LANCOM 1621 ADSL/ISDN with
the Switch set to ’Private Mode’).
Two local networks - operating servers in a DMZ
This feature requires an Internet access with multiple static IP addresses.
Please contact you ISP for an appropriate offer.
Configuration tool Run
LANconfig IP router ̈ Masq. ̈ Service list
WEBconfig Expert Configuration ̈ Setup ̈ IP-router-module ̈
Masquerading ̈ Service-table
Terminal/Telnet
/setup/IP-router-module/masquerading/
service-table