SANGFOR - NGAF - v7.4 - Network Address Translation Configuration

Uploaded by

Arman Maukelana
SANGFOR_NGAF_v7.4_Network Address Translation Configuration

SANGFOR Technologies Inc.


4th Dec 2017

Sangfor Technologies
Block A1, Nanshan iPark, No.1001 Xueyuan Road, Nanshan District, Shenzhen, China
T.: +60 12711 7129 (7511) | E.: [email protected] | W.: www.sangfor.com
Declaration
Copyright © SANGFOR Technologies Inc. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of SANGFOR Technologies Inc.

SANGFOR, SINFOR and logo are the trademarks of SANGFOR Technologies Inc. All other
trademarks and trade names mentioned in this document are the property of their respective holders.
Every effort has been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute a warranty of any
kind, express or implied.
The information in this document is subject to change without notice.
To obtain the latest version, contact the international service center of SANGFOR Technologies Inc.

Table of contents

Declaration
Table of contents
1 Introduction
1.1 Abbreviations and conventions
1.2 Feedback
2 Scenarios
3 Network Topology
4 Application Scenes
4.1 Source NAT
4.2 Destination NAT
4.3 Bidirectional NAT
5 Precautions

1 Introduction

1.1 Abbreviations and conventions


NGAF in this article refers to the SANGFOR NGAF device.

1.2 Feedback
If you have any questions about this document, please feel free to give us feedback by email:
[email protected].

2 Scenarios
Network Address Translation includes [Source NAT], [Destination NAT] and [Bidirectional NAT].
The main purpose of Source NAT is to act as an agent for intranet users accessing the Internet by
translating the source IP address to a public IP address.
The main purpose of Destination NAT is to publish an internal server to the public network by
translating the destination IP address to a private IP address.
Bidirectional NAT allows intranet users to access an internal server via the public IP address or
domain name of that server.

3 Network Topology

4 Application Scenes

4.1 Source NAT


Requirements: Act as an agent for intranet users to access the Internet.
Explanations for configuration:
4.1.1 Ensure that the direction of the data flow that needs address translation is correct.
4.1.2 Under [Network] – [NAT], click [Add] and choose [Source NAT] to define a new SNAT rule.

[Source Zone]: Zone of the users who need to access the Internet.
[Source Network Objects]: IP addresses or IP range of the users who need to access the Internet.
[Destination Zone/Interface]: Destination zone or interface that needs to be accessed.
[Destination Network Objects]: IP group for Internet access. By default it is set to “All”; it can be changed manually.
[Source Translation To]: Specifies the outgoing interface to which intranet IP addresses are translated. Normally, “Egress interface” is chosen.

4.2 Destination NAT
Requirements: Users from the WAN need to access an internal server, or an internal server such as
a web server needs to be published to the Internet.
Explanations for configuration:
4.2.1 Ensure that the direction of the data flow that needs address translation is correct.
4.2.2 Under [Network] – [NAT], click [Add] and choose [DNAT] to define a new DNAT rule.

[Source Zone]: Zone where the data transmission is initiated. Normally, it is the WAN area.
[Destination IP]: Public IP address of the internal server. Normally, it is the outgoing interface.
[Protocol]: Protocol used when users from the WAN access the internal server. Normally, “All” is
chosen; it can be changed manually as needed.
[Dst Port]: Port number used when the internal server is accessed from the WAN.
[Translate IP To]: The options include “IP Address”, “IP range”, “Network Objects” and
“Unchanged”. Normally, “IP Address” is chosen; it can be changed manually.
[IP Address]: IP address of the internal server.

4.3 Bidirectional NAT
Requirements: Intranet users want to access an internal server via its public IP address.
Explanations for configuration:
4.3.1 Ensure that the direction of the data flow that needs address translation is correct.
4.3.2 Under [Network] – [NAT], click [Add] and choose [Bidirectional NAT] to define a new Bi-NAT rule.

[Source Zone]: Zone of the users who need to access the internal server.
[Source Network Objects]: IP address or IP range of the users who need to access the internal
server.
[Destination Zone/Interface]: Zone or destination interface that will be accessed.
[Destination IP]: IP address of the internal server that needs to be accessed.
[Protocol]: Protocol used when users access the internal server. Normally, it is configured to
“All”; it can be changed manually as needed.

[Source Translation To]: Specifies the outgoing interface IP address to which the intranet users’
IP addresses are translated. Normally, it is configured to “Egress interface”.
[Destination Translation]: The options include “IP Address”, “IP range”, “Network Objects”
and “Unchanged”. Normally, “IP Address” is chosen; it can be changed manually.
[IP Address]: IP address of the internal server.

5 Precautions
5.1 NGAF must be able to communicate with the server’s port, not merely ping the server.
5.2 Ensure that the ISP does not block the server’s port. This can be verified by capturing
request packets from a test source IP at the WAN interface.
5.3 Bidirectional NAT translates both the source and destination IP; therefore, when capturing
packets at the server zone, the filter can only be the server’s IP address.
5.4 Ensure that the NGAF device can access the Internet and that the access policy allows the traffic.
5.5 The intranet PC must be able to access NGAF’s LAN interface.
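
The following Python model is an added example, not Sangfor code or NGAF configuration syntax. It applies the three rule types from section 4 to sample packets and shows why, per precaution 5.3, a capture filter on the client address finds nothing at the server zone after Bidirectional NAT. All addresses, the zone names and the first-match rule order are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    zone: str   # zone the packet enters the device from
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    kind: str                        # "SNAT", "DNAT" or "BINAT"
    src_zone: str                    # [Source Zone]
    src_net: str = "0.0.0.0/0"       # [Source Network Objects]
    dst_ip: Optional[str] = None     # [Destination IP]; None = "All"
    dst_port: Optional[int] = None   # [Dst Port]; None = any port
    snat_to: Optional[str] = None    # [Source Translation To]
    dnat_to: Optional[str] = None    # [Translate IP To] / [Destination Translation]

# Constructed addresses (documentation ranges), not taken from the guide.
WAN_IF, DMZ_IF, PUBLIC, SERVER = "203.0.113.1", "10.0.0.1", "203.0.113.10", "10.0.0.80"
RULES = [
    NatRule("BINAT", "LAN", "192.168.1.0/24", PUBLIC, 443, snat_to=DMZ_IF, dnat_to=SERVER),
    NatRule("DNAT", "WAN", dst_ip=PUBLIC, dst_port=443, dnat_to=SERVER),
    NatRule("SNAT", "LAN", "192.168.1.0/24", snat_to=WAN_IF),
]

def translate(pkt: Packet, rules=RULES) -> Packet:
    """Return the packet as it leaves the device (assumed: first matching rule wins)."""
    for r in rules:
        if pkt.zone != r.src_zone or ip_address(pkt.src) not in ip_network(r.src_net):
            continue
        if (r.dst_ip and pkt.dst != r.dst_ip) or (r.dst_port and pkt.dport != r.dst_port):
            continue
        if r.kind in ("SNAT", "BINAT"):   # rewrite source address
            pkt = replace(pkt, src=r.snat_to)
        if r.kind in ("DNAT", "BINAT"):   # rewrite destination address
            pkt = replace(pkt, dst=r.dnat_to)
        return pkt
    return pkt                            # no rule matched: forwarded untranslated

def host_filter_hits(pkt: Packet, host: str) -> bool:
    """Model of a packet-capture filter on a single host address."""
    return host in (pkt.src, pkt.dst)

if __name__ == "__main__":
    at_server = translate(Packet("LAN", "192.168.1.50", PUBLIC, 443))
    print(at_server)                                    # both addresses rewritten
    print(host_filter_hits(at_server, "192.168.1.50"))  # filter on the client IP
    print(host_filter_hits(at_server, SERVER))          # filter on the server IP
```

With plain Destination NAT the WAN client's source address survives translation, so the same server-zone capture can still be filtered by client IP; only the Bidirectional NAT path loses it.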
