[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303
  • Last Modified:

Route Policy

What's the meaning of this rule ?
What's the difference between NAT Policies (under Network) and Access rules (under Firewall) ?

For the rule defined in NAT polices (Inbound & outbound interface), does it mean a rule will be written in Access rule to allow the flow between different zone (eg. Inbound (LAN) and Outbound (WAN) ?  Do I need to manually define it under Access rule ?


Tks
Route-Policy.png
0
AXISHK
Asked:
AXISHK
  • 4
  • 3
2 Solutions
 
Skyler KincaidNetwork/Systems EngineerCommented:
Typically the Access Rules define the ports, IPs and services that are blocked or allowed.

NAT Policies define where the traffic goes and if it is translated at all.

For Example:

You could have an Access Rule that would allow port 80000 from the WAN and a NAT Policy that would take port 80000, translate it to 3389 and send it to your Terminal Server at a specified IP.

But to answer your question:

It basically allows HTTP FTP and VNC to whatever is on 10.0.23.210 from within the internal HP Office Network. I am guessing the x.x.x.x from Translated and Des Original means that no translation takes place.
0
 
ltechsolutionsCommented:
To over-simplify:

A NAT policy is a router function that allows you to map one IP address to another (inside = outside):

    For example - 192.168.1.5 (inside) could be mapped to 216.93.183.57 (outside)

Access rules are a firewall function that permits traffic to bass between zones:

    For example - You could permit traffic on TCP 80 (HTTP) from the outside to 216.93.183.57, which would translate to 192.168.1.5.
0
 
AXISHKAuthor Commented:
So, Access Rule will be proceeded before NAT Policy and I need to add entries in Access Rule first , correct ?

A NAT rule in NAT policy need a corresponding entry in Access Rule to allow traffic flow between two zones involved in NAT, correct ?

For the attached file,

For HK network (Source) connect to x.x.x.x (public IP - a internal FTP server) , Sonicwall will replace the source header to x.x.x.x (public IP of ftp server) while the destination public IP will be replaced to internal IP of the FTP. Why the NAT appear so strange ?

Tks
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
Skyler KincaidNetwork/Systems EngineerCommented:
Correct. Create the access rules that will be referenced in the NAT policy.
0
 
AXISHKAuthor Commented:
Thanks, any idea for the rule defined in the attached file.

"For HK network (Source) connect to x.x.x.x (public IP - a internal FTP server) , Sonicwall will replace the source header to x.x.x.x (public IP of ftp server) while the destination public IP will be replaced to internal IP of the FTP. "

Tks
0
 
Skyler KincaidNetwork/Systems EngineerCommented:
It is really difficult to answer your questions with x.x.x.x substituted for everything.
0
 
AXISHKAuthor Commented:
Please refer to the attached file.

Column "Translated" & "Destination Original" are referring to the same IP address.

Tks
NATPolicy.png
0
 
Skyler KincaidNetwork/Systems EngineerCommented:
Okay so that helps me visualize it more.

For some reason whoever set this up is having any HTTP (port 80), VNC (ports 5800 and 5900), FTP (port 21) that is going to 10.0.23.210 (which I am assuming is server) from inside the network be translated to what appears to be your public IP address.

So if I am on one of your computers using any of the protocols listed (HTTP, VNC, or FTP) and connecting to your server the firewall is going to make it appear as though it is coming from your public IP address instead of from the internal private IP of the computer being used.

I am not sure why they would do this or what the point is. This outline is assuming that the HK Office Network is your internal network.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now