There can be situations in which the standard subnet access setting process is not specific enough for the needs of an organization. Instead, access or firewall rules need to be defined based upon destination and source IP addresses, transport types, and ports. The Advanced Subnet Access screen allows the administrator to create more complicated inbound and outbound policies.
Select Network Configuration --> Firewall --> Advanced Subnet Access from the left menu. The screen consists of two areas. The Settings area enables or disables the data found on this screen. The Firewall Rules area displays the currently defined and active firewall rules. This area will display either the inbound or outbound rules. The rules are applied in the order that they are listed. The rules at the top of the list take precedence over the rules lower in the list.
1. To enable the advanced access settings, check the Override Subnet Access and NAT settings box. The rest of the screen will become active. When this box is checked, the settings in both the Subnet Access screen (under Firewall) and the NAT screen (under WAN) are disabled; the switch will use the settings found on this screen instead.
2. If you want the application to translate the subnet access settings into Firewall Rules (displayed in the lower area), click the Import rules from Subnet Access button. This button removes the need for the administrator to reenter the information defined on the Subnet Access screen.
Next, add, delete, or modify rules in the Firewall Rules list, as necessary.
3. Select Inbound or Outbound from the pull-down menu at the top of the Firewall Rules area, to display either the inbound (data entering the LAN) or outbound (data exiting the LAN) rules.
4. To modify a rule, select the rule from the Firewall Rules list, then edit the fields by clicking in the field to modify. Often a dialog box will appear to facilitate the entry of the field data.
5. To add a rule, click the Add button and then add data to the six rule fields. Note that not all fields are required.
6. To delete a rule, select a rule from the list and click the Del button.
7. Move rules to a higher or lower precedence by clicking the Move Up or Move Down buttons, as necessary.
8. When you have finished defining the Firewall Rules, click the Apply button to save changes.
Use the following information to help set the Firewall Rule fields:
• Index—The index number determines the order in which firewall rules will be executed. The rules are executed in order from lowest index number to highest number. Use the Move Up and Move Down buttons to change the index number.
• Source IP—The Source IP range determines the origin address(es) for the firewall rule. To set the Source IP range, click the field and a new window will pop up to enter the IP address and a second number that indicates the number of IP addresses starting at the first address (the range). An IP address of 0.0.0.0 indicates all IP addresses.
• Destination IP—The Destination IP range determines the target address(es) for the firewall rule. To configure the Destination IP range, click the field and a new window will pop up to enter the IP address and range. An IP address of 0.0.0.0 indicates all IP addresses.
• Transport—To determine the transport protocol to be filtered in the firewall rule, click the field to choose from the list of protocols described in the following table:

Transport    Description

ALL    This selection designates all of the protocols displayed in the table’s pull-down menu, as described below.

TCP    Transmission Control Protocol (TCP) is a set of rules used with Internet Protocol (IP) to send data as message units over the Internet. While IP handles the actual delivery of data, TCP keeps track of individual units of data called packets. Messages are divided into packets for efficient routing through the Internet.

UDP    User Datagram Protocol (UDP) is mostly used for broadcasting data over the Internet. Like TCP, UDP runs on top of Internet Protocol (IP) networks. Unlike TCP/IP, UDP/IP provides very few error recovery services and methods. UDP offers a way to directly connect, and then send and receive datagrams over an IP network.

ICMP    Internet Control Message Protocol (ICMP) is tightly integrated with IP. ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation. Because ICMP uses IP, ICMP packet delivery is unreliable. Hosts cannot count on receiving ICMP packets for a network problem.

AH    Authentication Header (AH) is one of the two key components of IP Security Protocol (IPSec). The other key component is Encapsulating Security Protocol (ESP), described below. AH provides authentication, proving the packet sender really is the sender, and the data really is the data sent. AH can be used in transport mode, providing security between two end points. Also, AH can be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).

ESP    Encapsulating Security Protocol (ESP) is one of the two key components of IP Security Protocol (IPSec). The other key component is Authentication Header (AH), described above. ESP encrypts the payload of packets, and also provides authentication services. ESP can be used in transport mode, providing security between two end points. Also, ESP can be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).

GRE    General Routing Encapsulation (GRE) supports VPNs across the Internet. GRE is a mechanism for encapsulating network layer protocols over any other network layer protocol. Such encapsulation allows routing of IP packets between private IP networks across an Internet that uses globally assigned IP addresses.

• Src. Ports (Source Ports)—The source port range determines which ports the firewall rule applies to on the source IP address. To configure the source port range, click the field and a new window will pop up to enter the starting and ending ports in the range. For rules where only a single port is necessary, enter the same port in the start and end port fields.
• Dst. Ports (Destination Ports)—The destination port range determines which ports the firewall rule applies to on the destination IP address. To configure the destination port range, click the field and a new window will pop up to enter the starting and ending ports in the range. For rules where only a single port is necessary, enter the same port in the start and end port fields.
• Rev. NAT (Reverse NAT) (inbound) / NAT (outbound)—To enable NAT or reverse NAT for a firewall rule, enter this value.
For Inbound, click the Rev. NAT field and a new window will pop up to enter the IP address and translation port for the reverse NAT host.
For the Outbound direction, select the WAN (WAN1, WAN2, and so on) from the NAT field menu that is associated with the appropriate NAT definition. (See Configuring Network Address Translation (NAT)).
• Action—Choose Allow or Deny from the pull-down menu in this field to determine whether the firewall rule is to allow or deny the traffic that matches the rule.
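The fields above, together with the first-match ordering described at the top of this section (lowest index wins), are enough to model how the switch evaluates a rule list. The following Python is an added example written for this page, not code from the switch or its vendor; it models a rule as the six fields plus the action, treats 0.0.0.0 as "all addresses" exactly as the field descriptions state, and assumes (since the page does not say) that a port range of 0 to 65535 means "any port" and that packets without ports (ICMP, AH, ESP, GRE) carry port 0. It also includes a shadowing check that reports any rule that can never fire because an earlier, broader rule already covers everything it would match. The sample rule list and packets are constructed for the example and use documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_ADDR = "0.0.0.0"      # per the page: 0.0.0.0 means all IP addresses
ANY_PORTS = (0, 65535)    # assumption: full range means "any port"


@dataclass(frozen=True)
class Rule:
    index: int            # execution order: lowest index is tried first
    src_ip: str           # base address of the source range
    src_count: int        # number of addresses starting at src_ip
    dst_ip: str
    dst_count: int
    transport: str        # ALL, TCP, UDP, ICMP, AH, ESP or GRE
    src_ports: tuple      # (start, end), inclusive
    dst_ports: tuple
    action: str           # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    transport: str
    sport: int            # 0 for transports without ports (assumption)
    dport: int


def addr_in_range(addr, base, count):
    """True if addr lies in the 'base address + count' range of a rule."""
    if base == ANY_ADDR:
        return True
    a, b = int(IPv4Address(addr)), int(IPv4Address(base))
    return b <= a < b + count


def rule_matches(rule, pkt):
    return (addr_in_range(pkt.src, rule.src_ip, rule.src_count)
            and addr_in_range(pkt.dst, rule.dst_ip, rule.dst_count)
            and rule.transport in ("ALL", pkt.transport)
            and rule.src_ports[0] <= pkt.sport <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt.dport <= rule.dst_ports[1])


def evaluate(rules, pkt, default="Deny"):
    """First match wins; returns (action, index) or (default, None)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule_matches(rule, pkt):
            return rule.action, rule.index
    return default, None


def range_covers(a_base, a_count, b_base, b_count):
    """True if address range A contains every address of range B."""
    if a_base == ANY_ADDR:
        return True
    if b_base == ANY_ADDR:
        return False
    a0, b0 = int(IPv4Address(a_base)), int(IPv4Address(b_base))
    return a0 <= b0 and b0 + b_count <= a0 + a_count


def ports_cover(a, b):
    return a[0] <= b[0] and b[1] <= a[1]


def shadowed_rules(rules):
    """List (shadowed_index, shadowing_index) for rules that can never fire."""
    ordered = sorted(rules, key=lambda r: r.index)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (range_covers(earlier.src_ip, earlier.src_count, later.src_ip, later.src_count)
                    and range_covers(earlier.dst_ip, earlier.dst_count, later.dst_ip, later.dst_count)
                    and earlier.transport in ("ALL", later.transport)
                    and ports_cover(earlier.src_ports, later.src_ports)
                    and ports_cover(earlier.dst_ports, later.dst_ports)):
                found.append((later.index, earlier.index))
                break
    return found


# Constructed inbound rule list: a web-server allow, a blocked /24, and a
# host-specific deny that an administrator placed below the broad allow.
RULES = [
    Rule(1, ANY_ADDR, 0, "192.168.1.10", 1, "TCP", ANY_PORTS, (443, 443), "Allow"),
    Rule(2, "203.0.113.0", 256, ANY_ADDR, 0, "ALL", ANY_PORTS, ANY_PORTS, "Deny"),
    Rule(3, "203.0.113.5", 1, "192.168.1.10", 1, "TCP", ANY_PORTS, (443, 443), "Deny"),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.168.1.10", "TCP", 51000, 443),
                Packet("203.0.113.5", "192.168.1.10", "TCP", 51000, 443),
                Packet("203.0.113.5", "192.168.1.20", "UDP", 51000, 53),
                Packet("198.51.100.7", "192.168.1.10", "TCP", 51000, 22)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

Running the evaluation shows why index order matters: the connection from 203.0.113.5 to port 443 is allowed by rule 1 even though rule 3 was written to deny it, and the shadowing check flags rule 3 as dead. Moving rule 3 above rule 1 with the Move Up button is the fix; the check is a useful thing to run over any exported rule list before clicking Apply.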