IX. NAT Related Features
ExpiredHow do I forward protocols other than UDP/TCP?
Click here to return to your search results
When using NAT, you have only one public IP address. This means that incoming data which is not in response to an outgoing request from a local client does not know where to go. Port Forwarding can be used to direct UDP/TCP traffic on particular ports to specified internal clients. However other IP protocols, for example Protocols 50 (ESP) and 51 (AH) do not have port numbers so there is no unique detail to decide which local client to forward the data to.
In situations like this, the Vigor has a facilility called DMZ. In the DMZ setup, you can specify a single local client (private IP address) to which ALL unsolicited data on all protocols should be forwarded. Regular web browsing and other such actitivty from other clients will continue to work.
With a DMZ, the inherrent security properties of NAT are somewhat bypassed, so you may want to consider adding addional filter rules or a secondary firewall.
Another important point is that although a DMZ will pass all data through, some protocols are still not NAT friendly. The 'AH' extension to IPSec is designed in such a way that it prevents Network Address Translation - the header encodes the source IP address, which in this case would be your private IP address. The receiving end will see the packet as having come from your public IP address and thus reject the packet. AH protocol therefore will not work. ESP is more tolerant.
How do you rate this article?
- First Published: 18/03/2013
- Last Updated: 22/04/2021