NAT
NAT Overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, which is used within one network, is changed to a different IP address known within another network. Use NAT to make computers on a private network behind the ZyWALL available outside the private network. If the ZyWALL has only one public IP address, you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address.
What You Need to Know
NAT is also known as virtual server, port forwarding, or port translation.
Finding Out More
See How to Allow Public Access to a Web Server for an example of how to configure NAT to allow web traffic from the WAN to a server on the DMZ.
See How to Allow Incoming H.323 Peer-to-peer Calls for an example of how to configure NAT to allow H.323 traffic from the WAN to the LAN.
See How to Use an IPPBX on the DMZ for an example of how to configure NAT to allow SIP traffic from the WAN to an IPPBX or SIP server on the DMZ.
NAT
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules.
Configuration > Network > NAT 
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
This field displays what kind of NAT this entry performs: Virtual Server, 1:1 NAT, or Many 1:1 NAT.
This field displays the original destination IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address.
This field displays the original destination port(s) of packets for the NAT entry. This field is blank if there is no restriction on the original destination port.
NAT Add/Edit
The NAT Add/Edit screen lets you create new NAT rules and edit existing ones.
Configuration > Network > NAT > Add 
Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).
1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the ZyWALL translate the source IP address of the server’s outgoing traffic to the same public IP address that the outside clients use to access the server.
Many 1:1 NAT - If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, select this to have the ZyWALL translate the source IP address of each server’s outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server. The private and public ranges must have the same number of IP addresses.
One Many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule.
Incoming Interface
Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface.
any - Select this to use all of the incoming interface’s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface.
User Defined - Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP without having to create a virtual interface for it.
Host address - Select a host address object to use the IP address it specifies. The list also includes address objects based on interface IPs. For example, you could select an address object based on a WAN interface even if it has a dynamic IP address.
User Defined Original IP
This field is available if Original IP is User Defined. Type the destination IP address that this NAT rule supports.
Original IP Subnet/Range
This field displays for Many 1:1 NAT. Select the destination IP address subnet or IP address range that this NAT rule supports. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
User Defined - this NAT rule supports a specific IP address, specified in the User Defined field.
HOST address - the drop-down box lists all the HOST address objects in the ZyWALL. If you select one of them, this NAT rule supports the IP address specified by the address object.
User Defined Original IP
This field is available if Mapped IP is User Defined. Type the translated destination IP address that this NAT rule supports.
Mapped IP Subnet/Range
This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (Original IP). Choices are:
Any - this NAT rule supports all the destination ports.
Port - this NAT rule supports one destination port.
Ports - this NAT rule supports a range of destination ports. You might use a range of destination ports for unknown services or when one server supports more than one service.
This field is available if Mapping Type is Port or Ports. Select the protocol (TCP, UDP, or Any) used by the service requesting the connection.
This field is available if Mapping Type is Port. Enter the original destination port this NAT rule supports.
This field is available if Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet.
This field is available if Mapping Type is Ports. Enter the beginning of the range of original destination ports this NAT rule supports.
This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports.
This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet.
This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this NAT rule forwards the packet. The original port range and the mapped port range must be the same size.
Enable NAT Loopback
Enable NAT loopback to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule’s specified Original IP address to access the Mapped IP device. For users connected to the same interface as the Mapped IP device, the ZyWALL uses that interface’s IP address as the source address for the traffic it sends from the users to the Mapped IP device.
For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the ZyWALL uses the LAN interface’s IP address as the source address for the traffic it sends to the LAN server.
By default the firewall blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule’s traffic to come in.
The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules. The ZyWALL still checks other firewall rules according to the source IP address and mapped IP address.
Click OK to save your changes back to the ZyWALL.
Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists).
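The following Python model is an added example, not ZyWALL code. It illustrates three points from the field descriptions above: the equal-size requirement for original and mapped ranges, destination translation, and a firewall check that runs on the mapped IP address rather than the original one. The function names, the sample addresses, the offset-preserving mapping (n-th original entry to n-th mapped entry) and the firewall modelled as a list of allowed destination networks are all assumptions.

```python
import ipaddress

def span(first, last):
    """Inclusive range of IP addresses (strings) or ports (ints)."""
    if isinstance(first, str):
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if last < first:
        raise ValueError("range end is below range start")
    return first, last

def make_rule(orig_ip, map_ip, orig_ports=None, map_ports=None):
    """Build a rule, enforcing the equal-size requirement on both range pairs.
    orig_ports=None models the 'Any' port mapping type."""
    for what, o, m in (("IP", orig_ip, map_ip), ("port", orig_ports, map_ports)):
        if o is not None and int(o[1]) - int(o[0]) != int(m[1]) - int(m[0]):
            raise ValueError(f"original and mapped {what} ranges differ in size")
    return {"orig_ip": orig_ip, "map_ip": map_ip,
            "orig_ports": orig_ports, "map_ports": map_ports}

def shift(value, original, mapped):
    """Assumed mapping: the n-th original entry goes to the n-th mapped entry."""
    if not original[0] <= value <= original[1]:
        return None
    return mapped[0] + (int(value) - int(original[0]))

def dnat(dst_ip, dst_port, rule):
    """Return the translated (ip, port), or None if the rule does not match."""
    ip = shift(ipaddress.ip_address(dst_ip), rule["orig_ip"], rule["map_ip"])
    port = dst_port
    if rule["orig_ports"] is not None:
        port = shift(dst_port, rule["orig_ports"], rule["map_ports"])
    return None if ip is None or port is None else (str(ip), port)

def forward(dst_ip, dst_port, rule, allowed_destinations):
    """NAT first, then a default-deny firewall check on the mapped IP."""
    hit = dnat(dst_ip, dst_port, rule)
    if hit is None:
        return None
    mapped = ipaddress.ip_address(hit[0])
    ok = any(mapped in ipaddress.ip_network(n) for n in allowed_destinations)
    return hit if ok else None

# Constructed sample rules (documentation and private address ranges).
MANY_1_1 = make_rule(span("203.0.113.10", "203.0.113.12"),
                     span("192.168.1.10", "192.168.1.12"))
VIRTUAL_SERVER = make_rule(span("203.0.113.20", "203.0.113.20"),
                           span("192.168.2.5", "192.168.2.5"),
                           span(8080, 8082), span(80, 82))
```

In this model, an allow entry written against the public address 203.0.113.20 never matches forwarded traffic, because the check sees 192.168.2.5 after translation.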