How to configure DNAT in order to publish internal services via Internet




How-to guides for configuring VPNs with GateDefender Integra

Panda Security wants to ensure you get the most out of GateDefender Integra. For this reason, we offer you all the information you need about the characteristics and configuration of the product. Refer to http://www.pandasecurity.com/ and http://www.pandasecurity.com/enterprise/support/ for more information.

How-to guides for Panda GateDefender Integra

The software described in this document is delivered under the terms and conditions of the end user license agreement and can only be used after accepting the terms and conditions of said agreement. The anti-spam technology in this product is provided by Mailshell. The web filtering technology in this product is provided by Cobion.

Copyright notice
Panda 2007. All rights reserved. Neither the documents nor the programs that you may access may be copied, reproduced, translated or transferred to any electronic or readable media without prior written permission from Panda, c/ Buenos Aires, 12 48001 Bilbao (Biscay) Spain.

Registered Trademarks
Panda Security. TruPrevent: Registered in U.S.A Patent and Trademark Office. Windows Vista and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and other countries. All other product names may be registered trademarks of their respective owners.

D. L. BI-1915-07 Panda 2007. All rights reserved.

INDEX

1 INTRODUCTION ... 3
2 PROCEDURE ... 5
2.1 EXAMPLE 1 ... 5
2.2 EXAMPLE 2 ... 9
3 MOST COMMON PROBLEMS ... 12

Symbols and styles used in this documentation

Symbols used in this documentation:
Note. Clarification and additional information.
Important. Highlights the importance of a concept.
Tip. Ideas to help you get the most from your program.
Reference. Other references with more information of interest.

Fonts and styles used in the documentation:
Bold: Names of menus, options, buttons, windows or dialog boxes.
Code style: Names of files, extensions, folders, command line information or configuration files, for example, scripts.
Italics: Names of options related with the operating system and programs or files with their own name.

Panda GateDefender Integra Page 2 of 12

1 Introduction

Below is an outline of the steps needed to set up DNAT correctly in Panda GateDefender Integra so that internal services can be published via Internet. Throughout this explanation, the following network will be used as a reference point:

Figure 1

In this simulated set-up, Panda GateDefender Integra has been installed on the perimeter of the network in order to carry out corporate firewall functions (any other module could also be enabled along with the Firewall module). Within this context, Integra has been configured with 3 interfaces: Eth0 for the WAN zone, Eth1 for the LAN, and Eth2 for the DMZ. Corporate servers have been located in the DMZ.

Normally, in the most common real set-ups, the WAN interface is given a private IP address, with an additional device providing it with WAN services (for example, an ADSL router, a cable modem, etc.) which has a public IP address (either dynamic or static). This device normally translates the Integra WAN private address to an Internet-valid public address through NAT.

As you can see in the diagram, Integra is located behind an ADSL router, which is performing NAT for the packets received through its LAN interface. To make this document more intuitive, it assumes that the ADSL router is configured to perform redirection, port forwarding, or destination NAT for all the traffic it receives on its public interface (62.14.249.65) to the GateDefender Integra WAN interface, i.e., to the IP address 192.168.1.1.

It also assumes that Integra has already been configured with SNAT rules, and that both the LAN and the DMZ are therefore not visible beyond Integra's WAN interface, whose IP address (192.168.1.1) is the only network representative which Panda GateDefender Integra protects. In other words, the only way of reaching both Integra and its internal networks (LAN and DMZ in this case) is via the public IP address assigned to the ADSL device, whose traffic is redirected to GateDefender Integra.

As the internal networks are "hidden", in order to reach the DMZ servers when the user wishes to publish their services, the user will need to set up an advanced configuration, adding DNAT rules, a technique also known as Port Forwarding. What follows is a number of different scenarios, with explanations as to how the necessary configurations can be set up in order to publish the services offered by the DMZ servers.

2 Procedure

2.1 Example 1

As can be seen in the following scenario, the DMZ web server is offering services on port 8080:

Figure 2

In order to access this hidden service from the Internet through Integra's firewall, a static mapping can be set up so that traffic reaching Integra's WAN interface on port 8080 is redirected to the internal web server on the same port. Keep in mind the approach being used, in which all the traffic received on the public interface of the ADSL router is redirected to the Integra WAN interface. With this set-up, requests to the IP address of Integra's WAN interface on port 8080 will pass through Integra, which then replaces the target IP address with the private IP address of the DMZ web server.

In order to do this, it is necessary to add a DNAT rule to the firewall. Follow the steps below according to the defined scenario:

1. Network definitions are entered which might be useful when configuring rules.

Figure 3

In this case, the ranges of the LAN and DMZ networks are defined, as well as the IP address assigned to the WAN interface.

Note: This step is not obligatory; addresses can be entered without having defined ranges first, although when there are a large number of rules to be entered, pre-defining them significantly simplifies the task.

2. The service which is to be mapped is defined. In this case it is not necessary to enter a new service, as there is already an HTTP service on port 8080 among the predefined default services:

Figure 4

3. A DNAT rule is then added which maps HTTP traffic to the internal web server via port 8080. A DNAT action is selected, thus creating a DNAT rule:

Figure 5

A name is assigned to the rule, and the characteristics of the traffic which will be affected by this rule are then defined:

Figure 6

The rule is applied to traffic coming from any source, as the source of requests from the Internet is not known. The IP address of the interface receiving this traffic should be selected as the target; in this example, the eth0 interface. The service to which the rule is to be applied in our example is HTTP_COMMON, predefined by default, which includes HTTP traffic via port 8080.

4. The parameters of the final target of the static mapping are then defined:

Figure 7

In the NAT target address field, enter the target server for the HTTP request. In this case, the definition entered for the DMZ web server can be used instead of directly entering the IP address. If you select Keep source address, the target header will not change. This option can be used in special circumstances. The Target Port option is not necessary in this case, as the port is not going to change.

5. The other optional parameters dealing with data logging, rule schedule, etc. can now be defined. Once all parameters have been defined, the rule will appear as shown here:

Figure 8

Once the DNAT rule has been entered, it is necessary to ensure that the traffic to be redirected is not blocked by the firewall's filter rules. In this case, the default rules block HTTP traffic via port 8080, making it necessary to enter a rule which will allow such traffic. In order to do this, a new filter rule must be set up as shown here. This rule permits traffic sent from any source to the IP address assigned to the WAN interface whose target ports are included in the service defined as HTTP_common, including port 8080.

Figure 9

These filter rules, along with the defined DNAT rule, will redirect traffic that reaches Integra via the WAN interface to port 8080 on the DMZ web server.

2.2 Example 2

In this example, proceed as in Example 1, the only difference being that in this case the web server offers its services via port 80, although publicly it continues to offer them via 8080. In this case, in addition to changing the target IP address, the target port will also have to be changed from 8080 to 80.

Figure 10

In order to do this, it is necessary to add a DNAT rule to the firewall. Follow the steps below according to the defined scenario:

1. The same network and service definitions as in Example 1 are entered.

2. A DNAT rule is then added which maps HTTP traffic to the internal web server via port 8080. A DNAT action is selected, thus creating a DNAT rule:

Figure 11

A name is given to the rule, and the characteristics of the traffic which will be affected by this rule are then defined:

Figure 12

The rule is applied to traffic coming from any source, as the source of requests from the Internet is not known. The IP address of the interface receiving this traffic should be selected as the target; in this example, the WAN interface, to which a public IP address has been assigned. The service to which the rule is to be applied in our example is HTTP_COMMON, predefined by default, which includes HTTP traffic via port 8080.

3. The parameters of the final target of the static mapping are then defined:

Figure 13

In this example, as the target port needs to be changed, you have to check the corresponding checkbox and enter the real target port that the server is listening on, in this case port 80.

4. The other optional parameters dealing with data logging, rule schedule, etc. can now be defined. Once all parameters have been defined, the rule will appear as shown here:

Figure 14

As in the previous example, filter rules should not block the incoming traffic which needs to be redirected. In order to do this, a new filter rule must be set up, as shown here:

Figure 15

This rule allows incoming traffic from any source to pass to the public IP address assigned to the WAN interface whose target ports are included in the service defined as HTTP_common, including port 8080. These filtering rules, along with the defined DNAT rule, will redirect traffic that reaches Integra through port 8080 via the WAN interface to port 80 on the DMZ web server.

3 Most Common Problems

One of the most common problems that arises when configuring DNAT is the blocking of DNAT traffic by the firewall's own filtering rules. In addition to establishing DNAT rules, therefore, it is also necessary to ensure that the firewall rules allow this sort of traffic to pass unhindered.

Another typical problem is the incorrect definition of the parameters which define the traffic to which the DNAT rule is to be applied. In this case, ensure that the target IP field refers to the interface on which the incoming traffic to be redirected arrives. In the previous examples, this is the Integra IP address of the eth0 interface.

Figure 16

Panda 2007 0707-PGDIHT03-03-EN
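The following Python model is added here as an illustration and is not part of Panda's documentation or product. It walks a packet along the path the Introduction describes (the ADSL router forwarding everything addressed to 62.14.249.65 to Integra's WAN address 192.168.1.1, then Integra's filter and DNAT rules) and reproduces Example 1 (port kept at 8080), Example 2 (port translated to 80) and the two problems listed in this section. The public and WAN addresses, the eth0 interface name and the HTTP_COMMON service come from the document; the LAN and DMZ ranges, the DMZ web server address 192.168.2.10, the client address 203.0.113.7 and the rule names are constructed for the example. Because the document's filter rule names the WAN interface address, the model evaluates filter rules against the packet as it arrives, before translation; on a Linux netfilter firewall the FORWARD chain sees the post-DNAT destination, so an equivalent iptables filter rule would name the DMZ server instead.

```python
"""Model of the DNAT + filter pipeline in this how-to (added example, not Panda code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Step 1 of Example 1: network definitions (/32 entries are single hosts).
NETWORKS = {
    "WAN_IF": ip_network("192.168.1.1/32"),    # Integra eth0 address (from the document)
    "LAN": ip_network("192.168.0.0/24"),        # assumed LAN range
    "DMZ": ip_network("192.168.2.0/24"),        # assumed DMZ range
    "DMZ_WEB": ip_network("192.168.2.10/32"),   # assumed DMZ web server address
}
# Step 2: service definitions. HTTP_COMMON is predefined and includes port 8080.
SERVICES = {"HTTP_COMMON": {("tcp", 80), ("tcp", 8080)}}
PUBLIC_IP = "62.14.249.65"      # ADSL router public address (from the document)
WAN_IP = "192.168.1.1"          # Integra WAN address (from the document)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class DnatRule:
    name: str
    in_iface: str
    target: str                      # definition the original destination must fall in
    service: str
    nat_target: str                  # definition whose address replaces the destination
    nat_port: Optional[int] = None   # "Target Port" checkbox; None keeps the port

@dataclass(frozen=True)
class FilterRule:
    target: str
    service: str
    action: str                      # "allow" or "deny"

def _matches(pkt: Packet, target: str, service: str) -> bool:
    return (ip_address(pkt.dst) in NETWORKS[target]
            and (pkt.proto, pkt.dport) in SERVICES[service])

def adsl_router(pkt: Packet) -> Packet:
    """The ADSL router forwards all traffic to its public IP on to Integra's WAN IP."""
    return replace(pkt, dst=WAN_IP) if pkt.dst == PUBLIC_IP else pkt

def filter_allows(pkt: Packet, rules) -> bool:
    """First matching filter rule decides; with no match the default rules block it."""
    for r in rules:
        if _matches(pkt, r.target, r.service):
            return r.action == "allow"
    return False

def apply_dnat(pkt: Packet, in_iface: str, rules) -> Packet:
    """Rewrite the destination according to the first DNAT rule matching the packet."""
    for r in rules:
        if r.in_iface == in_iface and _matches(pkt, r.target, r.service):
            new_dst = str(NETWORKS[r.nat_target].network_address)
            return replace(pkt, dst=new_dst, dport=r.nat_port or pkt.dport)
    return pkt

def publish(pkt: Packet, dnat_rules, filter_rules) -> Optional[Packet]:
    """Path Internet -> ADSL router -> Integra eth0 -> DMZ. None means not delivered."""
    arriving = adsl_router(pkt)
    # The document's filter rule names the WAN interface address, so filtering is
    # evaluated on the packet as it arrives, before the DNAT rewrite.
    if not filter_allows(arriving, filter_rules):
        return None
    translated = apply_dnat(arriving, "eth0", dnat_rules)
    if ip_address(translated.dst) not in NETWORKS["DMZ"]:
        return None          # no DNAT rule matched; the packet stays addressed to Integra
    return translated

def lint(dnat_rules, filter_rules):
    """Report the two problems section 3 lists: wrong target IP and blocking filter rules."""
    findings = []
    for r in dnat_rules:
        if r.target != "WAN_IF":
            findings.append(f"{r.name}: target {r.target!r} is not the WAN interface address")
        for proto, port in sorted(SERVICES[r.service]):
            probe = Packet("0.0.0.0", WAN_IP, proto, port)
            if not filter_allows(probe, filter_rules):
                findings.append(f"{r.name}: filter rules block {proto}/{port} on the WAN address")
    return findings

# Constructed rule sets for the scenarios in the document.
EXAMPLE1_DNAT = [DnatRule("publish_web", "eth0", "WAN_IF", "HTTP_COMMON", "DMZ_WEB")]
EXAMPLE2_DNAT = [DnatRule("publish_web", "eth0", "WAN_IF", "HTTP_COMMON", "DMZ_WEB", nat_port=80)]
WRONG_TARGET = [DnatRule("publish_web", "eth0", "DMZ_WEB", "HTTP_COMMON", "DMZ_WEB")]
ALLOW_HTTP = [FilterRule("WAN_IF", "HTTP_COMMON", "allow")]

if __name__ == "__main__":
    client = Packet("203.0.113.7", PUBLIC_IP, "tcp", 8080)   # constructed Internet client
    print("Example 1:", publish(client, EXAMPLE1_DNAT, ALLOW_HTTP))
    print("Example 2:", publish(client, EXAMPLE2_DNAT, ALLOW_HTTP))
    print("no filter rule:", publish(client, EXAMPLE1_DNAT, []), lint(EXAMPLE1_DNAT, []))
    print("wrong target:", publish(client, WRONG_TARGET, ALLOW_HTTP), lint(WRONG_TARGET, ALLOW_HTTP))
```

Running the file prints the four scenarios: Example 1 delivers the request to 192.168.2.10:8080, Example 2 to 192.168.2.10:80, and the two misconfigurations return None. The lint() function is the part worth keeping: run it over a rule set before publishing a service and it reports a DNAT rule whose target is not the WAN interface address, or whose service the filter rules still block, which are exactly the two checks this section asks for.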