- Clavister Security Gateway
I can't get my static address translation (SAT) rules to work properly. What am I doing wrong?
Common mistakes made in setting up SAT rules are:
- 1. Forgetting that the SAT rule does not in and of itself do anything to a packet. When a packet matches a SAT rule, the SGW remembers that a static address translation is to be performed at a later point and continues to look for a matching FwdFast, Allow, NAT, Drop or Reject rule. The reason for this is that you should only need to set up one single SAT rule, even if you use more than two interfaces. If, for example, you have a DMZ on a third interface, you probably employ separate rules for traffic from external networks (usually Allow rules) and the protected network (usually NAT rules).
1.1. Note: This is not needed in the majority of the scenarios when using IP Policy's instead of IP Rules. IP Policy's create the needed rules automatically to cover the majority of the common scenarios. There may be some unusual scenarios that requires additional Policy's however.
2. If you use FwdFast, rules must also be set up for return traffic. Consequently, these also require that you employ two sets of SAT rules; one for traffic in each direction.
3. Static address translation does not take place until a matching FwdFast, Allow or NAT rule has been encountered. This means that a SAT rule that translates destination address 184.108.40.206 to 220.127.116.11, must have a corresponding to a FwdFast or NAT rule with a destination address of 18.104.22.168, not 22.214.171.124!
4. Addresses owned by an interface (ip_wan etc) is routed on Core, hence destination interface must be Core.
5. If you have a SAT rule that translate a destination adress on <core> to a adress on dmz the corresponding rule must also use <core> and not dmz.
6. ARP published addresses are routed on the interface, not on Core
7. See section Using Address Translation the user's guide.
You have users connected via wireless LAN (WLAN) on the DMZ interface and users on the LAN interface. They should all be able to surf on the Internet, and also to your Web Server on the external WAN IP (ip_wan).
Note: The order SAT-NAT-Allow is easiest to use. Extend/convert this example to the environment you are using.
If you are using ARP published IPs for the server, the destination interface is WAN instead of Core.
A good way to get around most of the hassle with using IP rules is to use IP Policies instead.
The points mentioned above: 1, 3 and 5 are not applied to policies which makes it much easier to set up.
With policies we will only need two rules to get the same results as the example above, one to allow access to the WebServer and one to allow user access to the internet.
SAT policies have combined SAT-NAT/Allow so you are not required to have a following allow rule to your SAT rule.
In this example we use a group interface instead of any on the SAT policy to make sure that the WebServer is only reachable through the interfaces we choose.