
Changing only the dest. port, not network using IP Policies.

Posted: 27 Feb 2014, 09:00
by Peter
This How-to applies to:
  • Clavister Security Gateway 11.x.

Problem:

I want to do an automatic translation of the destination port from e.g. port 81 to 80, meaning that whatever destination IP the user goes to on port 81, the port should automatically become 80 when it leaves the Security Gateway (SGW).

Description:

This is quite a tricky operation, as the base options of IP Policies do not account for this particular scenario. So we have to configure this quite differently.

For example, the IP Policy could look something like this:
  • Action: Allow
    Interface: Lan
    Network: Lan_net
    Destination Interface: Wan
    Destination Network: 0.0.0.1-255.255.255.255
    Service: Destport_81
    Source Translation: NAT
    Destination Translation: SAT
    Address Action: Transposed
    Base IP Address: 0.0.0.1
On SetDest we must also use 0.0.0.1, as that is the first address in the destination network; 0.0.0.0 is invalid, and 0.0.0.2, for instance, would cause an offset of all destination network addresses by +1.

Note: If you use this setup as the example for HTTP traffic, then you must remember that if you go to Webpage-A using for instance
It will become 80 when it leaves the SGW. But the destination webpage most likely links to other HTTP pages using port 80; those will NOT be translated by this rule, as it will be a sort of redirection to port 80 that we cannot control. So if you do not have a rule that allows HTTP port 80 in your ruleset, it would cause big delays, as the browser is awaiting a reply on port 80 that is blocked by the SGW.
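
Added example, not part of the original post and not Clavister code: a small Python model of the policy above, showing why the Base IP Address must be 0.0.0.1 and why port 80 traffic is not handled by this rule. It assumes transposed SAT computes the new address as the base address plus the offset of the original destination from the first address of the Destination Network, and that the new port is 80; the function names are hypothetical.

```python
import ipaddress

# Values taken from the IP Policy in the post.
DEST_NET_FIRST = ipaddress.IPv4Address("0.0.0.1")
DEST_NET_LAST = ipaddress.IPv4Address("255.255.255.255")
SERVICE_PORT = 81   # Service: Destport_81
NEW_PORT = 80       # port the traffic should leave the SGW with


def transpose(dst, base):
    """Assumed transposed mapping: base + (dst - first address of network)."""
    dst = ipaddress.IPv4Address(dst)
    base = ipaddress.IPv4Address(base)
    if not (DEST_NET_FIRST <= dst <= DEST_NET_LAST):
        raise ValueError(f"{dst} is outside the Destination Network")
    new = int(base) + (int(dst) - int(DEST_NET_FIRST))
    if new > 0xFFFFFFFF:
        raise ValueError(f"{dst} maps past 255.255.255.255 with base {base}")
    return ipaddress.IPv4Address(new)


def apply_policy(dst_ip, dst_port, base="0.0.0.1"):
    """Return (ip, port) after SAT, or None if the policy does not match."""
    if dst_port != SERVICE_PORT:
        return None  # e.g. port 80: needs its own rule or it is dropped
    return (str(transpose(dst_ip, base)), NEW_PORT)


if __name__ == "__main__":
    # Constructed sample destinations (documentation address range).
    for ip, port, base in [
        ("203.0.113.10", 81, "0.0.0.1"),  # address kept, port 81 -> 80
        ("203.0.113.10", 81, "0.0.0.2"),  # wrong base: address shifted by +1
        ("203.0.113.10", 80, "0.0.0.1"),  # follow-up link on port 80: no match
    ]:
        print(ip, port, "base", base, "->", apply_policy(ip, port, base))
```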

Re: Changing only the dest. port, not network using IP Policies.

Posted: 08 Dec 2016, 14:09
by mape
Updated 2016-12-07