Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

ServerIron ADX Security Guide, 53-1002440-03 (page 98)
Chapter 4: Configuring NAT
• Dynamic NAT — Maps private addresses to Internet addresses drawn from a pool of addresses that
you configure. For example, you can dynamically translate the private pool 10.1.1.1 - 254 to the
global pool 150.1.1.10 - 19. In Figure 6, the pool is the range of addresses from
209.157.1.2/24 – 209.157.1.254/24. With dynamic NAT, the software uses a round robin technique
to select the global IP address from the pool that a private address is mapped to.
Dynamic NAT uses Port Address Translation (PAT), so several private addresses can share one
global address at the same time. Without PAT, two internal clients using the same source port
behind the same global address would be indistinguishable, and the return traffic could not be
reliably de-multiplexed to the correct internal client.
NOTE
You can configure both dynamic and static NAT on the same device. When you configure both types
of NAT, static NAT takes precedence over dynamic NAT. Thus, if you configure a static NAT translation
for a private address, the ServerIron ADX always uses that translation instead of creating a dynamic
one.
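The following is an added example, not the ServerIron ADX's own code: a small model of inside-source NAT that reproduces the three rules stated above (static translations take precedence over dynamic ones, dynamic translations pick the global address round-robin from the pool, and dynamic translations use PAT) and shows what goes wrong for return traffic when PAT is switched off. The addresses are the ones used in this guide's text; the port numbers and the `pat_base` starting port are assumptions made for the example.

```python
"""Toy model of ServerIron ADX style inside-source NAT (added example).

Reproduces three rules from the guide: static translations always win over
dynamic ones, dynamic translations take the global address round-robin from
the configured pool, and dynamic translations use PAT so that return traffic
can be demultiplexed.  Addresses are from the guide; ports are made up.
"""
import ipaddress
from itertools import cycle


class InsideSourceNat:
    def __init__(self, pool, static=None, use_pat=True, pat_base=1024):
        self.pool = [str(ipaddress.ip_address(a)) for a in pool]
        self._rr = cycle(self.pool)                 # round-robin selector
        self.static = dict(static or {})            # private-ip -> global-ip
        self.use_pat = use_pat
        self._next_port = dict.fromkeys(self.pool, pat_base)  # assumed PAT base
        self.outbound = {}    # (priv_ip, priv_port) -> (glob_ip, glob_port)
        self.inbound = {}     # (glob_ip, glob_port) -> (priv_ip, priv_port)
        self.collisions = []  # inside flows whose global tuple was already taken

    def translate_out(self, priv_ip, priv_port):
        """Translate the source of an outbound packet, creating state if needed."""
        key = (priv_ip, priv_port)
        if key in self.outbound:
            return self.outbound[key]
        if priv_ip in self.static:
            # Static NAT: fixed 1:1 mapping, source port preserved; checked
            # before the pool so a static entry always takes precedence.
            mapping = (self.static[priv_ip], priv_port)
        else:
            glob_ip = next(self._rr)
            if self.use_pat:
                glob_port = self._next_port[glob_ip]
                self._next_port[glob_ip] += 1
            else:
                glob_port = priv_port
            mapping = (glob_ip, glob_port)
        if mapping in self.inbound and self.inbound[mapping] != key:
            # Two inside flows now look identical from the outside; replies
            # to this global tuple can no longer be routed to one client.
            self.collisions.append(key)
        self.outbound[key] = mapping
        self.inbound[mapping] = key
        return mapping

    def translate_in(self, glob_ip, glob_port):
        """Map the destination of a return/inbound packet back to the inside host."""
        if (glob_ip, glob_port) in self.inbound:
            return self.inbound[(glob_ip, glob_port)]
        # Static entries are reachable from outside without prior outbound state.
        for priv_ip, static_glob in self.static.items():
            if static_glob == glob_ip:
                return (priv_ip, glob_port)
        return None


def demo():
    nat = InsideSourceNat(pool=["150.1.1.10", "150.1.1.11"],
                          static={"10.10.10.69": "209.157.1.69"})
    out = {h: nat.translate_out(h, 40000)
           for h in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.10.10.69")}
    back = nat.translate_in("150.1.1.10", 1025)        # reply to 10.1.1.3
    unsolicited = nat.translate_in("209.157.1.69", 22)  # reaches static host
    # Same pool and flows with PAT disabled: hosts .1 and .3 collide.
    nopat = InsideSourceNat(pool=["150.1.1.10", "150.1.1.11"], use_pat=False)
    for h in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):
        nopat.translate_out(h, 40000)
    return out, back, unsolicited, nopat.collisions


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With two pool addresses and three clients, the third client lands on the first global address again; PAT gives it a distinct global port, so the reply to 150.1.1.10:1025 is delivered to 10.1.1.3. With PAT off, 10.1.1.1 and 10.1.1.3 both appear as 150.1.1.10:40000 and the second overwrites the first in the inbound table, which is the demultiplexing failure the text refers to.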
Configuring static NAT
Use the ip nat inside source static command to explicitly map a private address to an Internet
address. Static NAT ensures that a specific host in the private network is always mapped to the
Internet address you specify.
To map the private address 10.10.10.69 to the Internet address 209.157.1.69, enter a command
such as the following.
ServerIronADX(config)# ip nat inside source static 10.10.10.69 209.157.1.69
Syntax: [no] ip nat inside source static <private-ip> <global-ip> [<priority>] list [<acl-id>]
The <private-ip> variable specifies the private IP address.
The <global-ip> variable specifies the Internet (global) IP address. The ServerIron ADX supports
up to 255 global IP addresses.
The <priority> variable specifies a value of 1 or 2 and enables static NAT redundancy. A value of 2
is the higher priority; the device configured with priority 2 owns the NAT IP address as long as
that system is up.
The list parameter specifies the access list identified by the <acl-id> variable. Only the TCP or
UDP port numbers that this ACL permits are translated.
Configuring dynamic NAT
To configure dynamic NAT, perform the following tasks:
• Configure a standard or extended ACL for each private address range for which you want to
provide NAT.
NOTE
Named ACLs are not supported with NAT. You must use a numbered ACL.
• Configure a pool for each consecutive range of Internet addresses to which you want NAT to be
able to map the private addresses specified in the ACLs. Each pool must contain a range with
no gaps. If your Internet address space has gaps, configure a separate pool for each
consecutive range within the address space.
• Associate a range of private addresses (specified in a standard or extended ACL) with a pool.
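As an added example, not part of the guide, the helper below turns the two constraints above into a check you can run before typing the configuration: it splits the global addresses you own into gap-free consecutive ranges (one pool each), flags a proposed pool that would span a hole in your address space, and rejects a named ACL because NAT accepts numbered ACLs only. The sample address block, with a hole between 209.157.1.11 and 209.157.1.19, is constructed for the example.

```python
"""Plan gap-free dynamic NAT pools (added example, not part of the guide)."""
import ipaddress


def contiguous_runs(addresses):
    """Group IPv4 addresses into maximal consecutive (first, last) ranges."""
    ips = sorted({ipaddress.IPv4Address(a) for a in addresses})
    runs = []
    for ip in ips:
        if runs and int(ip) == int(runs[-1][1]) + 1:
            runs[-1][1] = ip            # extends the current run
        else:
            runs.append([ip, ip])       # a gap: start a new run
    return [(str(a), str(b)) for a, b in runs]


def pool_has_gaps(first, last, owned):
    """True if any address in first..last is not in the owned address set."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    owned = {ipaddress.IPv4Address(a) for a in owned}
    return any(ipaddress.IPv4Address(n) not in owned
               for n in range(int(lo), int(hi) + 1))


def plan_pools(acl_id, owned_global_addresses):
    """One (acl-id, first, last) pool per contiguous run, all tied to one numbered ACL."""
    if not str(acl_id).isdigit():
        # The guide: named ACLs are not supported with NAT.
        raise ValueError("NAT requires a numbered ACL, got %r" % (acl_id,))
    return [(int(acl_id), first, last)
            for first, last in contiguous_runs(owned_global_addresses)]


# Constructed sample: 209.157.1.2-10 and 209.157.1.20-25, nothing in between.
SAMPLE_GLOBALS = (["209.157.1.%d" % n for n in range(2, 11)]
                  + ["209.157.1.%d" % n for n in range(20, 26)])

if __name__ == "__main__":
    for pool in plan_pools(1, SAMPLE_GLOBALS):
        print("acl %d -> pool %s - %s" % pool)
    print("single pool spanning the hole has gaps:",
          pool_has_gaps("209.157.1.2", "209.157.1.25", SAMPLE_GLOBALS))
```

The output lists two pools, 209.157.1.2 - 209.157.1.10 and 209.157.1.20 - 209.157.1.25, each to be associated with ACL 1, and reports that a single pool from .2 to .25 would contain a gap.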