D-Link DFL-2500 User Manual

Page 214


This is useful, for example, when several protected servers are located in a DMZ and each server
should be accessible through a unique public IP address.

Example 7.5. Translating Traffic to Multiple Protected Web Servers

In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web
servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public
IP addresses to use are in the range of 195.55.66.77 to 195.55.66.81. The web servers have IP addresses in the
range 10.10.10.5 to 10.10.10.9, and they are reachable through the dmz interface.

To accomplish the task, the following steps need to be performed:

Define an address object containing the public IP addresses.

Define another address object for the base of the web server IP addresses.

Publish the public IP addresses on the wan interface using the ARP publish mechanism.

Create a SAT rule that will perform the translation.

Create an Allow rule that will permit the incoming HTTP connections.

CLI
Create an address object for the public IP addresses:

gw-world:/> add Address IP4Address wwwsrv_pub Address=195.55.66.77-195.55.66.81

Now, create another object for the base of the web server IP addresses:

gw-world:/> add Address IP4Address wwwsrv_priv_base Address=10.10.10.5

Publish the public IP addresses on the wan interface using ARP publish. One ARP item is needed for every IP
address:

gw-world:/> add ARP Interface=wan IP=195.55.66.77 mode=Publish

Repeat for all five public IP addresses.

Create a SAT rule for the translation:

gw-world:/> add IPRule Action=SAT Service=http SourceInterface=any
            SourceNetwork=all-nets DestinationInterface=core
            DestinationNetwork=wwwsrv_pub SATTranslateToIP=wwwsrv_priv_base
            SATTranslate=DestinationIP

Finally, create a corresponding Allow Rule:

gw-world:/> add IPRule Action=Allow Service=http SourceInterface=any
            SourceNetwork=all-nets DestinationInterface=core
            DestinationNetwork=wwwsrv_pub
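
The Python code below is an added example, not part of the D-Link manual. It generates the one-per-address ARP publish commands and checks that the SAT rule reaches only the intended web servers. It assumes that each address in wwwsrv_pub is translated to wwwsrv_priv_base plus its offset within the range, as the two ranges in Example 7.5 imply; the function names are hypothetical.

```python
import ipaddress

IPV4_MAX = int(ipaddress.IPv4Address("255.255.255.255"))

def sat_mapping(pub_first, pub_last, priv_base):
    """Pair each public address with priv_base + its offset in the range
    (assumed M:N behaviour, matching the ranges in Example 7.5)."""
    first = ipaddress.IPv4Address(pub_first)
    last = ipaddress.IPv4Address(pub_last)
    base = ipaddress.IPv4Address(priv_base)
    if last < first:
        raise ValueError("public range ends before it starts")
    count = int(last) - int(first) + 1
    if int(base) + count - 1 > IPV4_MAX:
        raise ValueError("translated range runs past the end of IPv4 space")
    return [(str(first + i), str(base + i)) for i in range(count)]

def arp_publish_commands(mapping, interface="wan"):
    """One ARP publish item per public address, as in the CLI steps."""
    return [f"add ARP Interface={interface} IP={pub} mode=Publish"
            for pub, _ in mapping]

def unintended_targets(mapping, intended_servers):
    """Translations that land on a private address that is not a known server."""
    intended = {str(ipaddress.IPv4Address(s)) for s in intended_servers}
    return [(pub, priv) for pub, priv in mapping if priv not in intended]

if __name__ == "__main__":
    # Addresses taken from Example 7.5.
    servers = [f"10.10.10.{n}" for n in range(5, 10)]
    mapping = sat_mapping("195.55.66.77", "195.55.66.81", "10.10.10.5")
    for pub, priv in mapping:
        print(f"{pub} -> {priv}")
    print("\n".join(arp_publish_commands(mapping)))
    print("unintended:", unintended_targets(mapping, servers))
    # Constructed case: the public range is widened by one address,
    # so the rule would also forward HTTP to 10.10.10.10.
    wide = sat_mapping("195.55.66.77", "195.55.66.82", "10.10.10.5")
    print("unintended after widening:", unintended_targets(wide, servers))
```

Running the check whenever wwwsrv_pub or wwwsrv_priv_base is edited shows whether the change would publish a DMZ host that was never meant to be reachable from the Internet.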

Web Interface

Create an address object for the public IP addresses:

1. Go to Objects > Address Book > Add > IP address

2. Specify a suitable name for the object, e.g. wwwsrv_pub

3. Enter 195.55.66.77-195.55.66.81 as the IP Address

4. Click OK

Now, create another address object for the base of the web server IP addresses:

1. Go to Objects > Address Book > Add > IP address

2. Specify a suitable name for the object, e.g. wwwsrv_priv_base

3. Enter 10.10.10.5 as the IP Address

7.3.2. Translation of Multiple IP Addresses (M:N)

Chapter 7. Address Translation
