D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: DFL800_noob on February 02, 2011, 03:19:27 PM
-
Coming from a Cisco background, SAT was always used to redirect a source port to an internal private port for secure communication.
E.g., port 223 from the WAN IP to port 22 on an SSH Linux box.
NAT, however, is used for port overload reasons; in other words, you NAT the inside and outside interfaces so it can translate the private address to a public address with a dynamic source port.
Is this the same concept for DFL-800? I am just seeing how the previous employee set this up, and count me as confused.
He has the following RULES to get SMTP traffic through to the exchange server.
#  Name        Action  Src If  Src Net           Dest If  Dest Net      Service
1  SAT_mail    SAT     lan     lannet            wan2     mail_wan2_ip  all_services
2  NAT_mail    NAT     lan     lannet            wan2     mail_wan2_ip  all_services
3  SAT_smtp    SAT     any     smtp_trustedhosts wan2     mail_wan2_ip  smtp-in
4  NAT_smtp    NAT     any     smtp_trustedhosts wan2     mail_wan2_ip  smtp-in
5  allow_smtp  Allow   any     smtp_trustedhosts wan2     mail_wan2_ip  smtp-in
I don't understand why all these rules are needed just to route SMTP mail from the outside to the inside. Why does it need a SAT rule, then a NAT rule, and then an ALLOW rule?
If someone can please explain this that will be great.
-
hmmmm
Yes, I am a little bit confused also.
As I understand, rules 1 and 5 can be deleted, but I don't know what the network installation is.
Regards
-
The way the device works is this:
The first SAT rule will bind the outside Internet IP to the private IP and the service.
The Allow or NAT rule will process the packet.
So if I need to redirect the SMTP traffic to my private server, I need a SAT rule using the SMTP service and bind it to the private IP of my mail server, like this:
wan1/all-nets core:wan1-ip (if I use the IP address of the wan1 interface), action SAT and SMTP service. Then in the SAT tab specify the private IP of my server and, if needed, the new port.
Then do the same rule with the Allow or NAT action. Depending on the action, the packet will not be processed the same way.
According to your configuration you have a range of public IPs assigned by your ISP.
So basically you need to ARP publish the public IP in the ARP feature to the wan1 or wan2 interface.
Then the DFL will respond for the range of IPs assigned by the ISP using the ARP protocol.
So the IP rule will be a little bit different.
The first rule will be:
SAT wan1/all-nets wan2/public IP of mail server, SMTP service, and in the SAT tab select the private IP of the SMTP server.
Create the same rule with the Allow or NAT action.
To avoid being considered as spam by your ISP, you need to create a NAT rule for the server sending mail with the following rule:
NAT server private_ip/lannet wan1 or wan2/all-nets, service SMTP, and in the NAT tab click "use the following address" and select the public IP of the SMTP server.
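As an added illustration (not code from this thread, nor from D-Link or NetDefendOS), the following Python model shows the rule walk the reply above describes: the first matching SAT rule only records the destination translation, and the packet is forwarded only if a later Allow or NAT rule also matches, so a SAT rule on its own drops traffic. It also models the outbound NAT rule that fixes the mail server's source address to the published public IP. Rule names, field names and all addresses (RFC 5737 test ranges) are constructed assumptions, not the DFL-800's real configuration objects.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of NetDefendOS-style rule processing for illustration.
# Rule names, addresses (RFC 5737 TEST-NET ranges) and field names are
# assumptions; they are not the DFL-800's real configuration objects.


@dataclass
class Packet:
    in_iface: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                        # "SAT", "Allow", "NAT" or "Drop"
    src_iface: str                     # interface name or "any"
    src_net: str                       # CIDR or "all-nets"
    dst_net: str                       # CIDR or "all-nets" (original destination)
    service: Tuple[str, int]           # (proto, port) or ("any", 0)
    sat_to_ip: Optional[str] = None    # SAT tab: new destination IP
    sat_to_port: Optional[int] = None  # SAT tab: new destination port
    nat_src_ip: Optional[str] = None   # NAT tab: "use the following address"


def _net_match(net: str, ip: str) -> bool:
    return net == "all-nets" or ip_address(ip) in ip_network(net)


def _matches(rule: Rule, pkt: Packet) -> bool:
    proto, port = rule.service
    return (rule.src_iface in ("any", pkt.in_iface)
            and _net_match(rule.src_net, pkt.src_ip)
            and _net_match(rule.dst_net, pkt.dst_ip)
            and (proto == "any" or (proto, port) == (pkt.proto, pkt.dst_port)))


def process(rules: List[Rule], pkt: Packet) -> dict:
    """Top-down rule walk: the first matching SAT rule only records the
    translation; the next matching non-SAT rule (Allow/NAT/Drop) decides
    the packet's fate. Both rules are matched against the packet's original
    public destination, which is why the pair shares the same dest net."""
    new_dst_ip, new_dst_port = pkt.dst_ip, pkt.dst_port
    sat_rule = None
    for r in rules:
        if not _matches(r, pkt):
            continue
        if r.action == "SAT":
            if sat_rule is None:  # only the first SAT match is applied
                sat_rule = r.name
                new_dst_ip = r.sat_to_ip or new_dst_ip
                new_dst_port = r.sat_to_port or new_dst_port
            continue
        if r.action == "Drop":
            return {"verdict": "drop", "rule": r.name, "sat_rule": sat_rule}
        new_src = pkt.src_ip
        if r.action == "NAT":  # source translation happens in the NAT rule
            new_src = r.nat_src_ip or "<outgoing interface ip>"
        return {"verdict": "forward", "rule": r.name, "sat_rule": sat_rule,
                "src": new_src, "dst": new_dst_ip, "dport": new_dst_port}
    # No Allow/NAT rule matched: a SAT rule on its own never forwards anything.
    return {"verdict": "drop", "rule": None, "sat_rule": sat_rule}


PUBLIC_MAIL_IP = "203.0.113.25"    # constructed ARP-published public address
PRIVATE_MAIL_IP = "192.168.1.25"   # constructed private address of the mail server
REMOTE_MTA = "198.51.100.7"        # constructed remote mail host

SAT_SMTP = Rule("SAT_smtp", "SAT", "wan1", "all-nets", PUBLIC_MAIL_IP + "/32",
                ("tcp", 25), sat_to_ip=PRIVATE_MAIL_IP)
ALLOW_SMTP = Rule("allow_smtp", "Allow", "wan1", "all-nets", PUBLIC_MAIL_IP + "/32",
                  ("tcp", 25))
NAT_SMTP_OUT = Rule("NAT_smtp_out", "NAT", "lan", PRIVATE_MAIL_IP + "/32", "all-nets",
                    ("tcp", 25), nat_src_ip=PUBLIC_MAIL_IP)


def inbound_smtp(rules: List[Rule]) -> dict:
    """Remote MTA connecting to the published public address on port 25."""
    return process(rules, Packet("wan1", REMOTE_MTA, PUBLIC_MAIL_IP, "tcp", 25))


def outbound_smtp(rules: List[Rule]) -> dict:
    """Internal mail server sending to a remote MTA on port 25."""
    return process(rules, Packet("lan", PRIVATE_MAIL_IP, REMOTE_MTA, "tcp", 25))


if __name__ == "__main__":
    print("SAT + Allow:", inbound_smtp([SAT_SMTP, ALLOW_SMTP]))
    print("SAT only:   ", inbound_smtp([SAT_SMTP]))
    print("Outbound:   ", outbound_smtp([NAT_SMTP_OUT]))
```

Running it shows the three cases the thread is about: with the SAT/Allow pair the inbound connection is forwarded to the private server address, with the SAT rule alone it is dropped even though the translation matched, and the outbound NAT rule rewrites the mail server's source address to the public IP so the receiving ISP sees the published address rather than the interface address.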