R3166-R3206-HP High-End Firewalls NAT and ALG Configuration Guide-6PW101

DNS mapping
As introduced above, you can specify a public IP address and port number for an internal server on the
public network interface of a NAT gateway, so that external users can access the internal server using its
domain name or public IP address.
Figure 3 Diagram for NAT DNS mapping operation
In Figure 3, an internal host wants to access an internal server on the same private network by using its
domain name, while the DNS server is located on the public network. Typically, the DNS server replies
with the public address of the internal server to the host. However, unless the NAT device processes the
DNS reply, the host cannot access the internal server using its domain name. In this case, the DNS mapping
feature solves the problem.
A DNS mapping entry records the domain name, public address, public port number, and protocol type
of an internal server. Upon receiving a DNS reply, the NAT-enabled device matches the domain name in
the message against the DNS mapping entries. If a match is found, the private address of the internal
server is found and NAT replaces the public IP address in the reply with the private IP address. Then, the
host can use the private address to access the internal server.
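As an added illustration of the DNS mapping process described above (example code, not from the configuration guide or the firewall software), the following Python snippet parses a constructed DNS reply and rewrites the A-record answer using hypothetical DNS mapping and internal-server tables; the table contents, the domain name and the addresses are all assumptions.

```python
import struct
import ipaddress

# Hypothetical tables (constructed values): domain -> (public addr, public port, protocol),
# and that same key -> private address of the internal server, as the guide describes.
DNS_MAPPING = {"www.example.test": ("203.0.113.10", 80, "tcp")}
NAT_SERVERS = {("203.0.113.10", 80, "tcp"): "192.168.1.10"}

def _read_name(msg, off):
    """Decode a DNS name at offset, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:          # compression pointer: remember where the field ends
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def rewrite_dns_reply(msg: bytes) -> bytes:
    """Apply DNS mapping: rewrite matching A-record answers to the internal server's private address."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):           # skip the question section (name + type + class)
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: match the domain name against the DNS mapping table
            entry = DNS_MAPPING.get(name.lower())
            # assumption: rewrite only when the reply carries the mapped public address
            if entry and msg[off:off + 4] == ipaddress.IPv4Address(entry[0]).packed and entry in NAT_SERVERS:
                out[off:off + 4] = ipaddress.IPv4Address(NAT_SERVERS[entry]).packed
        off += rdlen
    return bytes(out)

def build_reply(name, addr):
    """Build a minimal one-answer DNS reply (constructed sample input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

Replies whose domain name has no DNS mapping entry pass through unchanged, which is the behaviour a practitioner should verify when troubleshooting why an internal host still receives the public address.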
Support for special protocols
Besides basic address translation, NAT provides an application layer gateway (ALG) mechanism that
translates the IP addresses and port numbers carried in the payload of certain application protocols (some
protocol messages embed addresses or ports that also need translation). The ALG handles these protocols
without modifying the NAT platform itself, which makes the mechanism highly scalable.
The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling
Protocol (PPTP), Internet Control Message Protocol (ICMP), Domain Name System (DNS), Internet Locator
Service (ILS), Real-Time Streaming Protocol (RTSP), H.323, Session Initiation Protocol (SIP), Netmeeting
3.01, and NetBIOS over TCP/IP (NBT).
NOTE:
The firewall supports FTP and DNS.
NAT multiple-instance
This feature allows users from different VPNs to access external networks through the same outbound
interface. It also allows them to have the same internal address. NAT multiple-instance operates as
follows: