Carrier Access Multi-Service Router (MSR) Card MSR/Adit 3K GUI User Manual

Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) GUI

Security

Firewall Implementation

Routing Mode

The routing mode determines whether NAPT (Network Address Port Translation) is applied to
sessions that are created through this interface.

NAPT

When set to NAPT mode, dynamic sessions initiated by hosts in the LAN subnets to hosts
reachable through this interface will have NAPT applied to them. For these sessions, the local
IP address will be translated to the WAN IP address of the Adit, and the local port will be
retained if possible. If there is already a session using this combination of translated IP address
and port, then a dynamically selected port will be assigned to the session and the port will be
translated as well.
It should be noted that even with NAPT enabled, sessions initiated from public hosts on the
WAN interfaces to the private local addresses are allowed unless the firewall is enabled and
configured to block these connection attempts. This behavior differs from that of some typical
routers.

Route

When set to Route mode, no NAPT behavior is applied to dynamic sessions initiated by hosts
in the LAN subnets. It should be noted, however, that NAPT can still be applied to sessions
initiated from public hosts on the WAN if they are directed to the Adit's own IP address and
there is a matching Local Server or DMZ Host configuration.

Internet Connection Firewall

The Internet Connection Firewall setting enables or disables firewall processing on the interface. If
enabled, all of the packets arriving or departing through this interface are examined against the
configured firewall policies. If not enabled, the packets pass through this interface without
examination.
In the most typical configuration of the Adit, providing Internet access to hosts on a private LAN,
both NAPT routing mode and firewall should be enabled on the WAN interface, and the firewall
can be disabled on the LAN interface. In such a configuration, packets are transmitted and received
freely at the LAN interface, but are scrutinized as they enter or leave through the WAN interface.
If NAPT routing mode is configured on the interface, the dynamic NAPT behavior is applied
whether or not the firewall is enabled on the interface. It should be noted that, unlike some routers,
even if NAPT is enabled, sessions initiated from public hosts on the WAN interfaces to the private
local addresses are allowed unless the firewall is enabled and configured to block these connection
attempts.
For the reasons above, it is highly recommended that the user enable the firewall when using NAPT
on WAN interfaces.
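
The following Python sketch is an added example, not code from this manual or from the Adit firmware. It models the NAPT port selection and the handling of WAN-initiated sessions described above; the addresses, the dynamic port range starting at 49152, and the block_inbound flag (standing in for a configured blocking policy) are assumptions.

```python
"""Simplified model of the interface behaviour described above (illustrative only)."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class WanInterface:
    wan_ip: str
    routing_mode: str = "NAPT"       # "NAPT" or "Route"
    firewall_enabled: bool = False
    block_inbound: bool = False      # assumed: a policy blocking WAN-initiated sessions
    sessions: dict = field(default_factory=dict)   # translated port -> (lan_ip, lan_port)
    _dynamic: count = field(default_factory=lambda: count(49152))  # assumed range

    def outbound(self, lan_ip, lan_port):
        """Source (IP, port) seen on the WAN for a LAN-initiated session."""
        if self.routing_mode != "NAPT":
            return lan_ip, lan_port              # Route mode: no translation
        port = lan_port                          # retain the local port if possible
        while port in self.sessions:             # WAN IP + port already in use
            port = next(self._dynamic)           # fall back to a dynamic port
        self.sessions[port] = (lan_ip, lan_port)
        return self.wan_ip, port

    def inbound_allowed(self):
        """WAN-initiated session to a private local address.

        NAPT alone does not stop it; only an enabled firewall with a
        blocking policy does.
        """
        return not (self.firewall_enabled and self.block_inbound)


def demo():
    wan = WanInterface("203.0.113.10")           # constructed sample addresses
    first = wan.outbound("192.168.1.20", 5060)   # port retained
    second = wan.outbound("192.168.1.21", 5060)  # collision, dynamic port
    exposed_napt_only = wan.inbound_allowed()    # NAPT on, firewall off
    wan.firewall_enabled = wan.block_inbound = True
    return first, second, exposed_napt_only, wan.inbound_allowed()


if __name__ == "__main__":
    print(demo())
```
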
