Chapter 9. Configuring Firewall/NAT Settings
Internet Security Router User’s Manual
9.1.3.2 Tracking Connection State
The stateful inspection engine in the firewall keeps track of the state, or progress, of a network connection. By
storing information about each connection in a state table, the Internet Security Router is able to quickly determine
whether a packet passing through the firewall belongs to an already established connection. If it does, it is passed
through the firewall without going through ACL rule evaluation.
For example, suppose an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1
sends an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply back to
192.168.1.1. In the Internet Security Router, you don’t need to create another inbound ACL rule for this reply, because
the stateful packet inspection engine remembers the connection state and allows the ICMP echo reply to pass
through the firewall.
9.1.4 Default ACL Rules
The Internet Security Router supports three types of default access rules:
• Inbound Access Rules: for controlling incoming access to computers on your LAN.
• Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.
• Self Access Rules: for controlling access to the Internet Security Router itself.
Default Inbound Access Rules
No default inbound access rule is configured. That is, all traffic from external hosts to the internal hosts is
denied.
Default Outbound Access Rules
The default outbound access rule allows all traffic originating from your LAN to be forwarded to the external
network using NAT.
WARNING: It is not necessary to remove the default ACL rule from the ACL rule table! It is better to create
higher priority ACL rules to override the default rule.
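The two sections above (connection state tracking and the default ACL rules) can be seen together in a small model. The following is an added example, not the router's own code; the Packet, AclRule and StatefulFirewall names, the priority numbering, the second LAN host 192.168.1.50 and the external address 203.0.113.5 are all constructed for illustration. It shows that the ICMP echo reply from the text is passed by the state table without any inbound rule, that unsolicited inbound traffic is denied because no default inbound rule exists, and that a higher-priority rule overrides the default outbound rule without removing it:

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed example (not the router's own code): a minimal model of ACL
# evaluation with priorities plus a connection state table.


@dataclass(frozen=True)
class Packet:
    direction: str  # "outbound" (LAN -> external) or "inbound" (external -> LAN)
    proto: str      # "icmp", "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address


@dataclass(frozen=True)
class AclRule:
    priority: int   # lower number = higher priority, evaluated first
    direction: str
    proto: str      # protocol or "any"
    src: str        # exact address or "any"
    dst: str        # exact address or "any"
    action: str     # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


class StatefulFirewall:
    def __init__(self, rules: List[AclRule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.priority)
        # State table: (proto, initiator, responder) for every allowed connection
        self.state: Set[Tuple[str, str, str]] = set()

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet."""
        # Fast path: traffic flowing back to the initiator of a recorded
        # connection is passed without evaluating the ACL rules at all.
        if (pkt.proto, pkt.dst, pkt.src) in self.state:
            return ("allow", "state table")
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state.add((pkt.proto, pkt.src, pkt.dst))
                return (rule.action, f"rule priority {rule.priority}")
        # No default inbound rule exists, so unmatched traffic is denied.
        return ("deny", "no matching rule")


# Default outbound rule: everything from the LAN is allowed (lowest priority).
DEFAULT_OUTBOUND = AclRule(1000, "outbound", "any", "any", "any", "allow")


def build_example_firewall() -> StatefulFirewall:
    return StatefulFirewall([
        # The rule from the text: outbound ICMP from 192.168.1.1 to 192.168.2.1
        AclRule(10, "outbound", "icmp", "192.168.1.1", "192.168.2.1", "allow"),
        # Constructed override: block all outbound traffic from one LAN host.
        # It sits above the default rule instead of replacing it.
        AclRule(20, "outbound", "any", "192.168.1.50", "any", "deny"),
        DEFAULT_OUTBOUND,
    ])


def run_scenarios() -> List[Tuple[str, str]]:
    fw = build_example_firewall()
    packets = [
        Packet("outbound", "icmp", "192.168.1.1", "192.168.2.1"),   # echo request
        Packet("inbound", "icmp", "192.168.2.1", "192.168.1.1"),    # echo reply
        Packet("inbound", "icmp", "192.168.2.1", "192.168.1.2"),    # unsolicited
        Packet("outbound", "tcp", "192.168.1.50", "203.0.113.5"),   # blocked host
        Packet("outbound", "tcp", "192.168.1.7", "203.0.113.5"),    # default allow
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_scenarios():
        print(f"{verdict:5} <- {reason}")
```

The state table is keyed on the initiator and responder of each allowed connection, so only traffic flowing back to the initiator takes the fast path; a real engine would additionally age entries out and, for TCP, track sequence numbers and flags.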
9.2 NAT Overview
Network Address Translation (NAT) allows a single device, such as the Internet Security Router, to act as an
agent between the Internet (public network) and a local (private) network. This means that one NAT IP address
can represent an entire group of computers to any entity outside the network. NAT is a mechanism for conserving
registered IP addresses in large networks and simplifying IP address management tasks. Because the IP
addresses are translated, NAT also conceals the true network addresses from prying eyes and provides a certain
degree of security to the local network.
The NAT modes supported are static NAT, dynamic NAT, NAPT, reverse static NAT and reverse NAPT.
9.2.1 Static (One to One) NAT
Static NAT maps an internal host address to a globally valid Internet address (one-to-one). The IP address in
each packet is directly translated to the globally valid IP address contained in the mapping. Figure 9.1 illustrates
the IP address mapping relationship between the four private IP addresses and the four globally valid IP
addresses. Note that this mapping is static, i.e. it will not change over time until the administrator manually
changes it. This means that a host will always use the same globally valid IP address for all its outgoing traffic.
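The one-to-one mapping described above, as an added example that is not the router's own code. The StaticNat and IPPacket names are this example's own, and all addresses are constructed sample values: 192.168.1.10 to 192.168.1.13 stand in for the four private hosts of Figure 9.1, 203.0.113.10 to 203.0.113.13 for the four globally valid addresses, and 198.51.100.x for hosts on the Internet. The example goes slightly beyond the text by showing the inbound (reverse) translation as well, and by rejecting a mapping that is not one-to-one:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example (not the router's own code): a one-to-one static NAT
# table and the two translations it performs on packets.


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str


class StaticNat:
    def __init__(self, mapping: Dict[str, str]) -> None:
        # Validate addresses and enforce the one-to-one property: a global
        # address reused for two private hosts would make replies ambiguous.
        for priv, glob in mapping.items():
            ipaddress.ip_address(priv)
            ipaddress.ip_address(glob)
        if len(set(mapping.values())) != len(mapping):
            raise ValueError("static NAT mapping must be one-to-one")
        self.private_to_global = dict(mapping)
        self.global_to_private = {g: p for p, g in mapping.items()}

    def translate_outbound(self, pkt: IPPacket) -> Optional[IPPacket]:
        """LAN -> Internet: rewrite the source to the mapped global address."""
        glob = self.private_to_global.get(pkt.src)
        if glob is None:
            return None  # host has no static mapping; this table does not apply
        return IPPacket(src=glob, dst=pkt.dst)

    def translate_inbound(self, pkt: IPPacket) -> Optional[IPPacket]:
        """Internet -> LAN: rewrite the destination back to the private address."""
        priv = self.global_to_private.get(pkt.dst)
        if priv is None:
            return None  # no host is mapped to that global address
        return IPPacket(src=pkt.src, dst=priv)


# Four private hosts mapped to four globally valid addresses (constructed).
EXAMPLE_MAPPING = {
    "192.168.1.10": "203.0.113.10",
    "192.168.1.11": "203.0.113.11",
    "192.168.1.12": "203.0.113.12",
    "192.168.1.13": "203.0.113.13",
}


def demo_round_trip() -> Tuple[Optional[IPPacket], Optional[IPPacket],
                               Optional[IPPacket], Optional[IPPacket]]:
    nat = StaticNat(EXAMPLE_MAPPING)
    out1 = nat.translate_outbound(IPPacket("192.168.1.10", "198.51.100.1"))
    # A second flow from the same host: the mapping is static, so the same
    # global address is used again.
    out2 = nat.translate_outbound(IPPacket("192.168.1.10", "198.51.100.2"))
    back = nat.translate_inbound(IPPacket("198.51.100.1", "203.0.113.10"))
    unmapped = nat.translate_outbound(IPPacket("192.168.1.99", "198.51.100.1"))
    return out1, out2, back, unmapped


if __name__ == "__main__":
    out1, out2, back, unmapped = demo_round_trip()
    print("outbound :", out1)
    print("again    :", out2, "(same global address: mapping is static)")
    print("inbound  :", back)
    print("unmapped :", unmapped)
```

Because the mapping is fixed, the reverse table can be derived once at configuration time, which is what makes inbound translation possible without any per-connection state; a host with no entry is simply not handled by this table and would fall through to whatever other NAT mode (such as NAPT) is configured.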