The zNID features a configurable Network Address Translation (NAT) and Network Address Port Translation (NAPT) mechanism, allowing you to control the network addresses and ports of packets routed through your gateway. When enabling multiple computers on your network to access the Internet using a fixed number of public IP addresses, you can statically define which LAN IP address will be translated to which NAT IP address and/or ports.
By default, the zNID operates in NAPT routing mode. However, you can control the translation by defining static NAT/NAPT rules. Such rules map LAN computers to NAT IP addresses.
The NAT/NAPT mechanism is useful for managing Internet usage in your LAN, or for complying with the demands of particular applications. For example, you can assign your primary LAN computer a single NAT IP address of its own, in order to ensure its permanent connection to the Internet. Another example is when an application server with which you wish to connect, such as a security server, requires that packets arrive from a specific IP address – you can define a NAT rule for that address.
Configuration
Click the ‘NAT’ tab in the ‘Security’ management screen. The ‘NAT’ screen will appear.
Figure 113: Network Address Translation
Before configuring NAT/NAPT rules, you must first enter the additional public IP addresses obtained from your ISP as your NAT IP addresses, in the ‘NAT IP Addresses Pool’ section. The primary IP address used by the WAN device for dynamic NAPT should not be added to this table.
To add a NAT IP address, click the ‘New IP Address’ link. The ‘Edit Item’ screen will appear.
Select IP address, subnet or range in the ‘Network Object Type’ combo-box, and enter the corresponding information.
To add a new NAT/NAPT rule, click the ‘New Entry’ link in the ‘NAT/NAPT Rule Sets’ section. The ‘Add NAT/NAPT Rule’ screen will appear.
Figure 115: Add NAT/NAPT Rule
This screen is divided into two main sections, ‘Matching’ and ‘Operation’. The ‘Matching’ section defines the LAN addresses to be translated to the external addresses, which are defined in the ‘Operation’ section.
Matching: Use this section to define the rule’s conditions, which are the LAN computer’s parameters to be matched.
Source Address: The source address of packets sent or received from the LAN computer. The combo-box displays all the host names or IP addresses of currently connected LAN computers, as well as the options ‘Any’ and ‘User Defined’. Select an address from the list, or ‘Any’ to apply the rule to all computers. If you would like to add a new address, select the ‘User Defined’ option in the combo-box. This will commence a sequence that will add a new network object, representing the LAN computer.
The network object may be an IP address, subnet or range, a MAC address or a host name.
Destination Address: The destination address of packets sent or received from the network object. This address can be configured in the same manner as the source address. This entry enables further filtering of the packets.
Protocol: You may also specify a traffic protocol. Selecting the ‘Show All Services’ option in the combo-box will expand the list of available protocols. Select a protocol or add a new one using the ‘User Defined’ option. This will commence a sequence that will add a new service, representing the protocol.
Operation: Use this section to define the operation that will be applied to the IP addresses matching the criteria defined above. The operations available are NAT and NAPT. Selecting either from the combo-box will refresh the screen accordingly.
Figure 116: Add NAT Rule
NAT Addresses: The NAT address into which the original IP address will be translated. The combo-box displays all of your added NAT addresses/ranges, from which you can select an entry. If you would like to add a new address, select the ‘User Defined’ option in the combo-box. Similarly, this will commence a sequence that will add a new network object.
Logging: Monitor the rule using the following option.
Log Packets Matched by This Rule: Check this check box to log the first packet of each connection that was matched by this rule.
NAPT Address: The NAPT address into which the original IP address will be translated. The combo-box displays all of your added NAPT addresses/ranges, from which you can select an entry. If you would like to add a new address, select the ‘User Defined’ option in the combo-box. Similarly, this will commence a sequence that will add a new network object. Note, however, that in this case the network object may only be a single IP address, as NAPT is port-specific.
NAPT Ports: Specify the port(s) of the IP address into which the original IP address will be translated. Enter a single port, or select ‘Range’ in the combo-box; the screen will refresh, enabling you to enter a range of ports.
Figure 118: Add NAPT Rule
Logging: Monitor the rule using the following option.
Log Packets Matched by This Rule: Check this check box to log the first packet of each connection that was matched by this rule.
Schedule: By default, the rule is always active. However, you can configure scheduler rules by selecting ‘User Defined’, in order to define the time segments during which the rule is active.
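The rule semantics described above (source/destination/protocol matching, a NAT rule translating to an address pool, a NAPT rule translating to a single IP plus a port range, and logging only the first packet of a matched connection) as an added Python model; this is illustrative code, not the zNID firmware. It assumes first-matching-rule-wins ordering, a sticky one-to-one NAT binding per LAN host, one public port per LAN flow, and uses constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int
def expand(spec):
    # List the IPs of a network object given as a single IP, a CIDR subnet or an 'a-b' range
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
        return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    return [str(h) for h in ipaddress.ip_network(spec, strict=False)]
@dataclass
class Rule:
    source: str; destination: str; protocol: str  # Matching section: 'Any' or a specific value
    operation: str; address: str                  # Operation section: 'NAT' or 'NAPT', target address
    ports: tuple = None                           # NAPT only: (low, high), inclusive
    log: bool = False                             # 'Log Packets Matched by This Rule'
    def __post_init__(self):
        # NAPT is port-specific, so its network object may only be a single IP address
        if self.operation == "NAPT" and (self.address == "Any" or len(expand(self.address)) != 1):
            raise ValueError("NAPT address must be a single IP")
class NatEngine:
    def __init__(self, rules):
        self.rules, self.log, self.seen = rules, [], set()
        self.binds = {}  # NAT: (rule, lan ip) -> public ip; NAPT: (rule, lan ip, port) -> public port
    def matches(self, r, p):
        for spec, ip in ((r.source, p.src), (r.destination, p.dst)):
            if spec != "Any" and ip not in expand(spec):
                return False
        return r.protocol in ("Any", p.proto)
    def translate(self, p):
        # First matching rule wins (assumption). None = pool exhausted; p unchanged = no static rule
        # matched, so the packet is left to the gateway's default dynamic NAPT (not modelled here).
        for i, r in enumerate(self.rules):
            if not self.matches(r, p):
                continue
            if r.log and (i, p) not in self.seen:  # log only the first packet of a connection
                self.seen.add((i, p)); self.log.append((i, p))
            if r.operation == "NAT":
                key, pool = (i, p.src), expand(r.address)
            else:
                key, pool = (i, p.src, p.sport), range(r.ports[0], r.ports[1] + 1)
            if key not in self.binds:  # bind the next pool entry not already used by this rule
                free = [x for x in pool if x not in {v for k, v in self.binds.items() if k[0] == i}]
                if not free: return None
                self.binds[key] = free[0]
            if r.operation == "NAT":
                return Packet(self.binds[key], p.dst, p.proto, p.sport, p.dport)
            return Packet(expand(r.address)[0], p.dst, p.proto, self.binds[key], p.dport)
        return p
```

Feeding packets from several LAN hosts through two rules shows the NAT host keeping its source port, NAPT hosts each receiving a distinct port, and a None result once the NAPT port range is used up.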