Changing the destination port on NATed traffic (11.x)


Post by Peter » 29 Oct 2008, 13:22

This How-to applies to:
  • Clavister Security Gateway 11.x
Problem
We would like to change the destination port on, e.g., outgoing telnet traffic towards the Internet from port 8000 to 23. That is, when we connect with telnet to whatever IP number on port 8000, the destination port should automatically be changed to 23 instead of 8000 when the packet leaves the external interface.

Solution

In order to solve this we need to make some unusual SAT/NAT rules in order to get this working. A NAT rule can only change the Source IP and port, so in order to change the Destination port we need to use SAT.

We will split all available network addresses with the use of 2 SAT policies so we can use the Transposed Address Action.

Ruleset example:
  • Name: SAT-Redirect1
    Action: Allow
    Rule->Source Interface: Lan
    Rule->Source Network: Lannet
    Rule->Destination Interface: Any
    Rule->Destination Network: 0.0.0.0/1
    Service->Service: Custom TCP DestPort 8000
    Source Translation -> Address Translation: NAT
    Source Translation -> Address Action: Outgoing Interface IP
    Destination Translation -> Address Translation: SAT
    Destination Translation -> Address Action: Transposed
    Destination Translation -> Base IP Address: 0.0.0.0
    Destination Translation -> Port Action: Single Port
    Destination Translation -> New port: 23
  • Name: SAT-Redirect2
    Action: Allow
    Rule->Source Interface: Lan
    Rule->Source Network: Lannet
    Rule->Destination Interface: Any
    Rule->Destination Network: 128.0.0.0/1
    Service->Service: Custom TCP DestPort 8000
    Source Translation -> Address Translation: NAT
    Source Translation -> Address Action: Outgoing Interface IP
    Destination Translation -> Address Translation: SAT
    Destination Translation -> Address Action: Transposed
    Destination Translation -> Base IP Address: 128.0.0.0
    Destination Translation -> Port Action: Single Port
    Destination Translation -> New port: 23
Note: In this example we used Telnet, but if you want to try to use this for, e.g., HTTP, it will not work if the page the user connects to then redirects to a normal port 80 page. Another rule to allow outgoing HTTP traffic is then needed.
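To see why the two /1 halves with matching Base IP addresses leave the destination IP untouched while only the port is rewritten, here is a small added model of the ruleset above (illustration only, not Clavister code; the `apply_rules` and `transpose` helpers and the "Transposed = re-base the host offset onto the Base IP" semantics are assumptions made for this example):

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SatRule:
    """Minimal model of one SAT policy from the ruleset (names taken from the post)."""
    name: str
    dest_network: ipaddress.IPv4Network   # Rule->Destination Network
    match_port: int                       # Service: Custom TCP DestPort
    base_ip: ipaddress.IPv4Address        # Destination Translation -> Base IP Address
    new_port: int                         # Destination Translation -> New port


# The two policies from the How-to: each covers one half of the IPv4 space and
# uses that half's own network address as Base IP, so the transposition is an identity.
RULES = [
    SatRule("SAT-Redirect1", ipaddress.ip_network("0.0.0.0/1"), 8000,
            ipaddress.ip_address("0.0.0.0"), 23),
    SatRule("SAT-Redirect2", ipaddress.ip_network("128.0.0.0/1"), 8000,
            ipaddress.ip_address("128.0.0.0"), 23),
]


def transpose(dst: ipaddress.IPv4Address, rule: SatRule) -> ipaddress.IPv4Address:
    # Assumed "Transposed" semantics: keep the host's offset inside the matched
    # destination network and re-base it onto the rule's Base IP Address.
    offset = int(dst) - int(rule.dest_network.network_address)
    return ipaddress.ip_address(int(rule.base_ip) + offset)


def apply_rules(dst_ip: str, dst_port: int, rules=RULES):
    """Return (matched rule name, translated dst IP, translated dst port)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:  # first match wins, as in an ordered ruleset
        if dst in rule.dest_network and dst_port == rule.match_port:
            return rule.name, str(transpose(dst, rule)), rule.new_port
    return None, str(dst), dst_port  # no SAT match: packet leaves untranslated


if __name__ == "__main__":
    # Constructed sample destinations (documentation ranges), one in each /1 half
    for ip, port in [("93.184.216.34", 8000), ("198.51.100.7", 8000), ("198.51.100.7", 80)]:
        print(ip, port, "->", apply_rules(ip, port))
```

Only traffic to TCP/8000 is rewritten; a connection to port 80 falls through untouched, which is the behaviour the note above warns about when a server redirects to a normal port 80 page.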


Re: Changing the destination port on NATed traffic (11.x)

Post by mape » 16 Dec 2016, 14:42

Updated 2016-12-16
