CHAPTER 3. Firewall NAT

© SAMSUNG Electronics Co., Ltd.

Configuring Firewalls

- Typical topology diagram
- Describe firewall configuration about firewall policy, dos-protect, filter, and port-trigger, etc.

Network Address Translation (NAT) serves two purposes:

- Allow LAN administrators to create secure, private, non-routable IP networks behind firewalls
- Stretch the number of available IP addresses by allowing LANs to use one public (real) IP address as the gateway with a very large pool of NAT addresses behind it.

In the most common NAT application (which is to provide secure networking behind a firewall), the device (Ubigate iBG2016) that connects the user LAN to the Internet will have two IP addresses:

- A private IP address on the LAN side for the RFC 1918 address range
- A public address, routable over the Internet, on the WAN side

Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the packet together with the destination IP address and port. When the packet arrives at the Ubigate iBG2016 it will be de-encapsulated, modified, and re-encapsulated.

The re-encapsulated packet sent by the Ubigate iBG2016 destined for the Internet contains the Ubigate iBG2016's public IP address, a source port allocated from its list of available ports, and the same destination IP address and port number generated by the PC.

                    FTP Control    HTTP Control    RPC Control
Name                DenyPut        DenyJava        AllowFax
IP Protocol         TCP            TCP             UDP
Application Port    21             80              111
Type                FTP            HTTP            RPC
Action              Deny           Deny            Allow
Commands            STOR                           12345678
Proxy                              Denied
File Extensions                    *.java
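
The source address and port rewrite described above for the PC sending to some.server.com, as an added example that is not taken from the Ubigate iBG2016 documentation or software. The class and field names, the port pool, the sample addresses, and the rule that only replies matching an existing mapping are passed back to the LAN are assumptions made for illustration.

```python
# Added illustration of source NAT with port translation; not vendor code.
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    """Minimal translation table for a gateway with one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40003):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))  # assumed pool
        self.out = {}   # (private ip, private port, dst ip, dst port) -> public port
        self.back = {}  # (public port, remote ip, remote port) -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a LAN packet: new source address and port, same destination."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:
            if not self.free_ports:
                return None  # pool exhausted: drop rather than reuse a live mapping
            port = self.free_ports.pop(0)
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Restore the private destination for a reply; drop anything unsolicited."""
        if pkt.dst_ip != self.public_ip:
            return None
        private = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if private is None:
            return None  # no LAN host opened this flow (assumed filtering rule)
        return Packet(pkt.src_ip, pkt.src_port, *private)

# Constructed sample traffic using documentation address ranges.
nat = Napt("203.0.113.10")
request = Packet("192.168.1.20", 51514, "198.51.100.7", 80)
translated = nat.outbound(request)
reply = nat.inbound(Packet("198.51.100.7", 80, translated.src_ip, translated.src_port))
probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", translated.src_port))
```

Here `translated` carries the public address and an allocated port with the destination unchanged, `reply` is mapped back to the PC, and `probe`, which comes from a host the PC never contacted, is dropped.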