Foundry Networks AR3202-CL User Manual

Security Features

June 2004

© 2004 Foundry Networks, Inc.

15 - 57

Foundry# config term
Foundry/configure# firewall global
Foundry/configure/firewall global# dos-protect
Foundry/configure/firewall global/dos-protect# enable-all
Foundry/configure/firewall global/dos-protect# exit 2
Foundry/configure#

Packet Reassembly

To configure the firewall to perform IP reassembly of oversized packets that have been fragmented, enter:

Foundry# config term
Foundry/configure# firewall global
Foundry/configure/firewall global# ip-reassembly
Foundry/configure/firewall global/ip-reassembly# fragment-count 100
Foundry/configure/firewall global/ip-reassembly# fragment-size 56
Foundry/configure/firewall global/ip-reassembly# packet-size 2048
Foundry/configure/firewall global/ip-reassembly# timeout 20
Foundry/configure/firewall global/ip-reassembly# exit 2
Foundry/configure#

NAT Configurations

Network Address Translation (NAT) was defined to serve two purposes:

• Allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls

• Stretched the number of available IP addresses by allowing LANs to use one public (real) IP address as the
gateway with a very large pool of NAT addresses behind it.

In the most common NAT application (which is to provide secure networking behind a firewall), the device
(Foundry system) that connects the user LAN to the Internet has two IP addresses:

• A private IP address, taken from the RFC 1918 address range, on the LAN side

• A public address, routable over the Internet, on the WAN side

Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are
carried in the packet together with the destination IP address and port. When the packet arrives at the Foundry
system it is de-encapsulated, modified, and re-encapsulated. The re-encapsulated packet that the Foundry system
sends toward the Internet contains the Foundry system’s public IP address, a source port allocated from its list of
available ports, and the same destination IP address and port number the PC generated. The Foundry system
also adds an entry to a table it keeps, mapping the internal address and source port number generated by the PC
to the port number it allocated to this session. Therefore, when some.server.com sends a reply packet to the PC,
the Foundry system can quickly determine how to rewrite the packet before transmitting it back onto the LAN.

Dynamic NAT is used when packets destined for the Internet are transported from a LAN using the public source
IP address assigned to the local router. Dynamic NAT performs this task well, but it does not permit providing
services to the Internet from inside a LAN; that requires static NAT. Static NAT also requires a public address
from the upstream service provider. Individual PCs within a LAN are assigned RFC 1918 reserved IP addresses to
enable access to other PCs within the LAN. The Foundry system is configured with a static mapping that maps the
internal RFC 1918 IP address of each PC to the appropriate public IP address. When traffic is sent to the public
address listed in the static mapping, the Foundry system forwards the packets to the correct PC within the LAN
according to the established mapping relationship.
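The translation table the NAT discussion above describes, modelled as an added Python example that is not part of the Foundry manual: an outbound packet gets the public address and an allocated source port, a reply is rewritten back through the table, a static mapping admits inbound traffic for a LAN server, and any other unsolicited inbound packet is dropped. The addresses, the NatGateway class and the starting port of 10000 are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import count

# Constructed addresses for illustration (documentation ranges, not from the manual).
PUBLIC_IP = "203.0.113.10"                       # WAN side of the Foundry system
STATIC_MAP = {"203.0.113.11": "192.168.1.20"}    # static NAT: public -> internal server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Hypothetical model of the session table the text describes."""

    def __init__(self, public_ip=PUBLIC_IP, static_map=STATIC_MAP, first_port=10000):
        self.public_ip = public_ip
        self.static = dict(static_map)                        # public ip -> LAN ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.out = {}    # (LAN ip, LAN port) -> allocated public port
        self.back = {}   # allocated public port -> (LAN ip, LAN port)
        self._ports = count(first_port)  # the "list of available ports"

    def outbound(self, pkt):
        # A statically mapped host keeps its port and uses its own public address.
        if pkt.src_ip in self.static_rev:
            return Packet(self.static_rev[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Dynamic NAT: rewrite the source to the public address plus an allocated
        # port, and record the mapping so the reply can be rewritten back.
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        # Reply to a dynamic session: the allocated port identifies the PC.
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.back:
            lan_ip, lan_port = self.back[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # Static NAT: traffic to a mapped public address reaches the LAN host.
        if pkt.dst_ip in self.static:
            return Packet(pkt.src_ip, pkt.src_port, self.static[pkt.dst_ip], pkt.dst_port)
        return None  # no table entry: unsolicited inbound traffic is dropped
```

A real gateway also ages out idle table entries and reclaims their ports, which this model leaves out.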
