
Address Translation Modes

In document Check Point FireWall-1 Guide (Page 70-75)

Hide Mode

Dynamic (Hide)—Many invalid addresses are translated to a single valid address, and dynamically assigned port numbers are used to distinguish between the invalid addresses.

Dynamic Address Translation is called Hide Mode, because the invalid addresses are “hidden” behind the valid address. For details of this mode, see “Hide Mode” on page 71.

Static—Each invalid address is translated to a corresponding valid address. There are two modes of Static Address Translation:

• Static Source Mode (see “Static Source Mode” on page 75)

• Static Destination Mode (see “Static Destination Mode” on page 77)

In This Section

• Hide Mode page 71

• Static Source Mode page 75

• Static Destination Mode page 77

Hide Mode

Hide Mode is used for connections initiated by hosts in an internal network, where the hosts’ IP addresses are invalid. In Hide Mode, the invalid internal addresses are hidden behind a single valid external address. Different connections are distinguished from each other using both:

• dynamically assigned port numbers, and

• the destination IP address

Warning - The IP address of a gateway’s external interface must never be hidden.

Distinguishing Between Connections

For each destination IP address, source port numbers are dynamically assigned from two pools of numbers:

• from 600 to 1023 (low ports)

• from 10,000 to 60,000 (high ports)

If the original source port number is less than 1024, then a port number is assigned from the first pool. If the original port number is greater than 1024, then a source port number is assigned from the second pool. VPN-1/FireWall-1 keeps track of the source port numbers assigned, so that the original source port number is correctly restored for return packets. A port number currently in use is not assigned again to a new connection.

The total number of connections that can be hidden is more than 50,000 for each destination IP address.

Limitations

Hide Mode has several limitations:

• Hide Mode does not allow access to the “hidden” hosts to be initiated from the outside, that is, an external machine cannot connect to any of the hosts whose addresses have been translated. For example, in the configuration in FIGURE 2-3 on page 73, if you run your HTTP server on 200.0.0.108 (one of the internal machines with an invalid address), external machines will not be able to connect to your HTTP server using 199.100.145.35 (the gateway’s valid address) as the destination.

This limitation can also be considered an advantage of Hide Mode.

• Hide Mode cannot be used for protocols where the source port number cannot be changed.

• Hide Mode cannot be used when the external server must distinguish between clients on the basis of their IP addresses, since all clients share the same IP address under Hide Mode.
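The port allocation and reply restoration described under “Distinguishing Between Connections”, and the first limitation above (no outside-initiated access to hidden hosts), as an added Python simulation. This is example code, not code from the guide or from Check Point; the 200.0.0.0/24 mask for localnet, the external server address 198.51.100.7 and the placement of port 1024 in the high pool are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Port pools from the guide: low pool for original source ports below 1024,
# high pool for the rest. The guide does not say where port 1024 itself goes;
# this example puts it in the high pool (assumption).
LOW_POOL = range(600, 1024)
HIGH_POOL = range(10000, 60001)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HideNat:
    localnet: ipaddress.IPv4Network   # internal network with invalid addresses
    hide_addr: str                    # single valid address the hosts hide behind
    gateway_internal: str             # gateway's internal interface, never translated
    # per destination IP: translated source port -> (original src, original sport)
    table: dict = field(default_factory=dict)

    @staticmethod
    def _pool(orig_sport):
        return LOW_POOL if orig_sport < 1024 else HIGH_POOL

    def _allocate(self, dst, orig_sport):
        """Lowest free port of the right pool for this destination; a port still
        in use towards this destination is never handed out again."""
        used = self.table.setdefault(dst, {})
        for port in self._pool(orig_sport):
            if port not in used:
                return port
        raise RuntimeError("port pool exhausted for destination %s" % dst)

    def outbound(self, pkt):
        """Translate a packet leaving through the external interface."""
        # Rule 1 (inserted manually): gateway -> localnet is left untouched,
        # so the gateway's internal address is never hidden.
        if pkt.src == self.gateway_internal and ipaddress.ip_address(pkt.dst) in self.localnet:
            return pkt
        # Rule 2 (generated from the NAT tab): localnet -> anywhere, Hide Mode.
        if ipaddress.ip_address(pkt.src) in self.localnet:
            used = self.table.setdefault(pkt.dst, {})
            for tport, orig in used.items():          # existing flow keeps its port
                if orig == (pkt.src, pkt.sport):
                    return Packet(self.hide_addr, tport, pkt.dst, pkt.dport)
            tport = self._allocate(pkt.dst, pkt.sport)
            used[tport] = (pkt.src, pkt.sport)
            return Packet(self.hide_addr, tport, pkt.dst, pkt.dport)
        return pkt

    def inbound(self, pkt):
        """Restore a reply arriving at hide_addr. Returns None when no mapping
        exists: this is why an outside host cannot initiate a connection to a
        hidden host, there is simply no entry to translate it with."""
        if pkt.dst != self.hide_addr:
            return None
        orig = self.table.get(pkt.src, {}).get(pkt.dport)
        if orig is None:
            return None
        src, sport = orig
        return Packet(pkt.src, pkt.sport, src, sport)

    def release(self, dst, tport):
        """Free a translated port once the connection is closed."""
        self.table.get(dst, {}).pop(tport, None)


def demo():
    # Constructed sample: localnet 200.0.0.0/24 (mask assumed) hidden behind the
    # gateway's external address 199.100.145.35; external server 198.51.100.7 (constructed).
    nat = HideNat(ipaddress.ip_network("200.0.0.0/24"), "199.100.145.35", "192.233.145.35")
    a = nat.outbound(Packet("200.0.0.104", 1305, "198.51.100.7", 23))  # high pool
    b = nat.outbound(Packet("200.0.0.108", 1305, "198.51.100.7", 23))  # same port, other host
    c = nat.outbound(Packet("200.0.0.104", 512, "198.51.100.7", 514))  # low pool
    reply = nat.inbound(Packet("198.51.100.7", 23, "199.100.145.35", a.sport))
    unsolicited = nat.inbound(Packet("198.51.100.7", 4444, "199.100.145.35", 80))
    gw = nat.outbound(Packet("192.233.145.35", 40000, "200.0.0.104", 22))  # rule 1
    return nat, a, b, c, reply, unsolicited, gw


if __name__ == "__main__":
    for item in demo()[1:]:
        print(item)
```

The translation table is keyed by destination IP first, which is what lets each destination see the full set of roughly 50,000 ports; the unsolicited packet to port 80 returns None and would be dropped, matching the HTTP-server limitation in the text.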

Example

Suppose localnet is an internal network with invalid addresses, and that 199.100.145.35 is the address of the gateway’s external interface.

You can hide the invalid addresses behind the valid address by specifying Address Translation in the NAT tab of localnet’s Network Properties window as follows:

FIGURE 2-2 NAT tab for localnet (fields shown: Valid IP address, Invalid IP addresses, translation method Hide Mode)

Source addresses of outbound packets from hosts in localnet will be translated to 199.100.145.35, as illustrated in FIGURE 2-3. The source port number serves to direct reply packets to the correct host.

FIGURE 2-3 Hide Mode Address Translation (the figure shows the original packet from 200.0.0.104, source port 1305, to destination x, entering the gateway’s internal interface 192.233.145.35 and leaving the external interface with source address 199.100.145.35 and source port 2531, and the reply packet translated back to 200.0.0.104, port 1305)

In FIGURE 2-4, the first rule must be manually inserted, and the second rule is automatically generated from the above definition (FIGURE 2-2 on page 73):

FIGURE 2-4 Hide Mode Automatically Generated Rules

The first rule (which does not translate anything) applies to connections from the gateway to localnet and prevents the address of the gateway’s internal interface from being translated.

For an explanation of why this rule is necessary, see “Can I translate the gateway’s internal address?” on page 117.

The second rule expresses the Address Translation defined in the NAT tab (FIGURE 2-2 on page 73) and illustrated in FIGURE 2-3. Note the small letter H under localnet’s icon, which indicates Hide Mode translation.

For a detailed description of the meaning of the fields in an Address Translation Rule Base, see “Structure of a NAT Rule” on page 89.

Choosing the Valid External Address for Hide Mode

You can choose to hide the internal IP addresses either behind the IP address of the gateway’s external interface, or behind another IP address (that is, a valid IP address that does not belong to any of the gateway’s interfaces, but one which you can route to the gateway).

If you hide the internal IP addresses behind the IP address of the gateway’s external interface ...

You will not have to make any changes to your routing tables (see “Address Translation and Routing” on page 78), because presumably the routing tables are already correctly configured for the gateway’s external interface.

On the other hand, you may have problems when a hidden connection shadows a connection originating on the gateway itself. For example, suppose a user on the gateway TELNETs to an external server, and is allocated the local TCP port 10001 by the gateway’s TCP module. Next, a user on one of the internal hosts also TELNETs

Note - Routing tables on the gateway and router may have to be modified to implement this scheme (see “Address Translation and Routing” on page 78).
