Functions in the Pass Through section allow the user to route protocols through the firewall. IP Pass Through, found in the Filters and Hosts/Networks sections, routes protocols through the firewall without Network Address Translation.
The Bridged Protocols section allows the user to route specified Ethernet protocols through the firewall in bridging mode, bypassing all firewall filtering on specified ports.
By default, all packets going outbound through the firewall that are destined for the External or PSN interfaces are translated to the IP address of that interface (Network Address Translation or NAT). IP Pass Through is the GTA term for "no NAT," and the Pass Through Filters and Hosts/Networks allow the administrator to define a host, subnet or network and port that will not have NAT applied to packets from specified IP addresses. IP Pass Through filters support all IP protocols.
IP Pass Through can be defined:
From the Protected Network to the PSN, External or another Protected network.
From a PSN to the External or another PSN network.
IP Pass Through can be defined for packets from a host on a:
Protected Network outbound through PSN and External Interface.
Protected Network outbound through a PSN Interface only.
Protected Network outbound through an External Interface only.
PSN outbound through an External Interface only.
Protected Network to a host on another Protected Network.
IP Pass Through requires a routable address on the internal subnet if the Pass Through tunnel goes to the Internet through the External interface. Otherwise, the address can be a non-routable (RFC 1918) private address. For more information on RFC 1918 addresses, go to http://www.gnatbox.com/Pages/text/rfc1918.txt.
NAT is not performed on inbound connections: from the External network to the PSN or Protected Network; and from the PSN to the Protected network.
A Pass Through requires the following to operate correctly:
Define the IP address in Hosts/Networks or set up a bridging interface.
An IP Pass Through filter must be created to allow packets to flow from and/or to the IP Pass Through IP address.
If the IP Pass Through is going to the Internet, a static route must be added to the Internet router pointing to the External Interface of the GTA Firewall as the gateway to the internal network. This is a key point: without this route the pass through will fail, because return packets will not know how to get back to the internal network.
By default, Pass Through-designated IP addresses are configured for outbound only. Stateful packet inspection information is maintained about sessions that originate from hosts on a PSN or a Protected Network outbound to guarantee that only IP packets that are replies to the initiated connections are accepted. If the connection protocol calls for a secondary inbound connection from an external host to the originating internal host, virtual cracks are created to allow the secondary connection. This allows protocols such as FTP to be used without arbitrary, semi-permanent inbound connections.
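The outbound-only behaviour described above (replies accepted only for sessions an internal host initiated, plus a one-shot "virtual crack" for an expected secondary connection such as active-mode FTP data) can be modelled as a small state table. The code below is an added illustration written for this page; it is not GTA code and does not reproduce the firewall's internal implementation. The addresses, ports and the `expect_secondary` helper are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# proto, source address, source port, destination address, destination port
FiveTuple = Tuple[str, str, int, str, int]
# proto, external host, internal host, internal port (any external source port)
Crack = Tuple[str, str, str, int]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives on the External interface


@dataclass
class StatefulPassThrough:
    """Outbound-only pass-through: inbound packets must match a session
    started from inside, or a virtual crack opened for a secondary connection."""
    internal_hosts: Set[str]
    # Each entry is what a *valid inbound* packet of a known session looks like.
    sessions: Set[FiveTuple] = field(default_factory=set)
    cracks: Set[Crack] = field(default_factory=set)

    def expect_secondary(self, proto: str, ext_host: str, int_host: str, int_port: int) -> None:
        # Hypothetical hook: called when the control channel announces that the
        # external host will connect back (e.g. an FTP PORT command).
        self.cracks.add((proto, ext_host, int_host, int_port))

    def process(self, pkt: Packet) -> str:
        key: FiveTuple = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not pkt.inbound:
            if pkt.src not in self.internal_hosts:
                return "drop"  # not a pass-through designated host
            # Remember the reversed tuple so the reply can be recognised.
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow-outbound"
        if key in self.sessions:
            return "allow-reply"
        crack: Crack = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if crack in self.cracks:
            # One-shot: the crack closes as soon as the secondary connection arrives,
            # and that connection is tracked like any other session from then on.
            self.cracks.remove(crack)
            self.sessions.add(key)
            return "allow-secondary"
        return "drop-unsolicited"


def stateful_demo() -> List[str]:
    # Constructed addresses from the RFC 5737 documentation ranges.
    fw = StatefulPassThrough(internal_hosts={"192.0.2.10"})
    verdicts = []
    # 1. Internal host opens an FTP control channel outbound.
    verdicts.append(fw.process(Packet("tcp", "192.0.2.10", 40000, "198.51.100.7", 21, inbound=False)))
    # 2. Server reply on the reversed tuple is accepted.
    verdicts.append(fw.process(Packet("tcp", "198.51.100.7", 21, "192.0.2.10", 40000, inbound=True)))
    # 3. Unsolicited inbound SYN to another port is dropped.
    verdicts.append(fw.process(Packet("tcp", "198.51.100.7", 5555, "192.0.2.10", 22, inbound=True)))
    # 4. Control channel announced a data port; a virtual crack lets the server connect back.
    fw.expect_secondary("tcp", "198.51.100.7", "192.0.2.10", 40001)
    verdicts.append(fw.process(Packet("tcp", "198.51.100.7", 20, "192.0.2.10", 40001, inbound=True)))
    # 5. The crack is consumed: a second, different inbound attempt to that port is dropped.
    verdicts.append(fw.process(Packet("tcp", "198.51.100.7", 21, "192.0.2.10", 40001, inbound=True)))
    return verdicts


if __name__ == "__main__":
    for v in stateful_demo():
        print(v)
```

The point of the model is that nothing inbound is ever accepted on the strength of the pass-through address alone; every accepted inbound packet is either a reply to an existing outbound session or the single secondary connection the control channel announced.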
IP Pass Through provides great flexibility. For example, an IP address on the Protected Network can be defined so that no NAT is applied to packets with a destination on the Private Service Network, but packets from the same IP address which are going to the Internet will have NAT applied.
Note
If an IP Pass Through address is configured to use the External Network interface and the GTA Firewall is connected to the Internet, the IP Pass Through address must be registered.