Справочник Пользователя для ASUS rx3041h
Chapter 9. Configuring Firewall/NAT Settings
RX3041H User’s Manual
52
9.1.3.2
Tracking Connection State
The stateful inspection engine in the firewall keeps track of the state, or progress, of a network connection. By
storing information about each connection in a state table, RX3041H is able to quickly determine if a packet
passing through the firewall belongs to an already established connection. If it does, it is passed through the
firewall without going through ACL rule evaluation.
storing information about each connection in a state table, RX3041H is able to quickly determine if a packet
passing through the firewall belongs to an already established connection. If it does, it is passed through the
firewall without going through ACL rule evaluation.
For example, an ACL rule allows outbound ICMP packet from 192.168.1.1 to 192.168.2.1. When 192.168.1.1
send an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply to
192.168.1.1. In the RX3041H, you don’t need to create another inbound ACL rule because stateful packet
inspection engine will remember the connection state and allows the ICMP echo reply to pass through the
firewall.
send an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply to
192.168.1.1. In the RX3041H, you don’t need to create another inbound ACL rule because stateful packet
inspection engine will remember the connection state and allows the ICMP echo reply to pass through the
firewall.
9.1.4
Default ACL Rules
The RX3041H supports three types of default access rules:
Inbound Access Rules: for controlling incoming access to computers on your LAN.
Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.
Self Access Rules: for controlling access to the RX3041H itself.
Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.
Self Access Rules: for controlling access to the RX3041H itself.
Default Inbound Access Rules
No default inbound access rule is configured. That is, all traffic from external hosts to the internal hosts is
denied.
denied.
Default Outbound Access Rules
The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external
network using NAT.
network using NAT.
WARNING
It is not necessary to remove the default ACL rule from the ACL
rule table! It is better to create higher priority ACL rules to override
the default rule.
rule table! It is better to create higher priority ACL rules to override
the default rule.
9.2 NAT
Overview
Network Address Translation allows use of a single device, such as the RX3041H, to act as an agent between
the Internet (public network) and a local (private) network. This means that a NAT IP address can represent an
entire group of computers to any entity outside a network. Network Address Translation (NAT) is a mechanism
for conserving registered IP addresses in large networks and simplifying IP addressing management tasks.
Because of the translation of IP addresses, NAT also conceals true network address from privy eyes and
provide a certain degree security to the local network.
the Internet (public network) and a local (private) network. This means that a NAT IP address can represent an
entire group of computers to any entity outside a network. Network Address Translation (NAT) is a mechanism
for conserving registered IP addresses in large networks and simplifying IP addressing management tasks.
Because of the translation of IP addresses, NAT also conceals true network address from privy eyes and
provide a certain degree security to the local network.
The NAT modes supported are static NAT, dynamic NAT, NAPT, reverse static NAT and reverse NAPT.
9.2.1
Static (One to One) NAT
Static NAT maps an internal host address to a globally valid Internet address (one-to-one). The IP address in
each packet is directly translated with a globally valid IP contained in the mapping. Figure 9.1 illustrates the IP
address mapping relationship between the four private IP addresses and the four globally valid IP addresses.
Note that this mapping is static, i.e. the mapping will not change over time until this mapping is manually
changed by the administrator. This means that a host will always use the same global valid IP address for all
its outgoing traffic.
each packet is directly translated with a globally valid IP contained in the mapping. Figure 9.1 illustrates the IP
address mapping relationship between the four private IP addresses and the four globally valid IP addresses.
Note that this mapping is static, i.e. the mapping will not change over time until this mapping is manually
changed by the administrator. This means that a host will always use the same global valid IP address for all
its outgoing traffic.