The Inbound Tunnels facility allows a host on an external network to initiate a session using a protocol from the Protocol List (e.g., TCP, UDP, ICMP, IGMP, ESP or AH) with an otherwise inaccessible host, for a specific service. Tunnels can be defined for both the External Network and the PSN; tunnels are only associated with inbound connections, so they are not normally used on a Protected Network interface. See the product guides for the number of tunnels available on a specific GTA Firewall.
Tunnels can be created for these inbound connections:
From the External Network interface to a host on the PSN.
From the External Network interface to a host on the Protected Network.
From the PSN interface to a host on the Protected Network.
Tunnels are defined by an Interface object/port and a destination IP address/port. (See Appendix D – GNAT Box Terms for more information about using interface objects.) The source and destination port of the tunnel definition need not be the same: it is possible to provide access to multiple hosts for the same service using a single IP address. For example, telnet operates on port 23, but a tunnel could be defined with a source port of 99 and a destination port of 23.
Only the source side of a tunnel is visible. Since GTA Firewall tunnels use Network Address Translation, a user on the source network side will never see the ultimate destination of the tunnel. The tunnel appears to be a service operating on a server with the tunnel's source IP address.
If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using Static Address Mapping so that secondary connections appear to originate from the same address as the tunnel.
To create a new tunnel, first select the protocol the tunnel will use from the dropdown list. In the INTERFACE field, select the Interface Object that represents the source of the tunnel, and in the Port field, enter the number of the port through which this tunnel will operate on the source side.
For the destination of the tunnel, enter the IP address of the selected destination and then select the port through which the tunnel will operate on the destination side. See Appendix A – Ports and Services for some of the common ports.
A tunnel is a mapping from one IP address/port to another IP address/port. The tunnel source will not be usable unless an appropriate filter allows access. There are two methods to allow access to an inbound tunnel: selecting AUTOMATIC ACCEPT ALL FILTERS on the tunnel or setting Remote Access Filters.
Unless further restriction is desired on a tunnel, selecting AUTOMATIC ACCEPT ALL FILTERS will allow traffic between the designated interfaces and addresses. If logging for these filters is desired, activate logging for automatic filters in Filter Preferences. When activated, automatic filters will be recorded in the Active Filters table of the System Activity section.
A Remote Access Filter can also be created to allow traffic between the designated interfaces and addresses. These filters can be activated and logged individually, if close observation of tunnel use is required. The DEFAULT button on the Remote Access Filter set screen will auto-configure filters for all defined tunnels. The filters generated by this method are broad in scope and may require modification to meet your security policy.
Caution
A tunnel with a source and destination port of zero means "tunnel all ports for the specified protocol." It is possible to totally expose a host by creating a zero tunnel with the protocol type set to ALL. It is not recommended to expose a host in this way, especially a host on a Protected Network.
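The following Python model is an added illustration, not GTA's own code, of three points made above: a tunnel is an interface/port to IP address/port mapping whose ports need not match (port 99 to telnet port 23), a tunnel is unusable until an automatic or Remote Access Filter allows it, and a zero tunnel with protocol ALL exposes every port and protocol of the destination host. The class and function names, the sample tunnel table and filter, the matching of a Remote Access Filter against the tunnel's visible source side, and the treatment of a destination port of 0 as "pass the arriving port through unchanged" are all assumptions for the example; the manual states only that port 0 means "all ports for the specified protocol".

```python
"""Inbound tunnel lookup and a review check for zero tunnels.

Added example, not GTA Firewall code. Assumed (not stated by the manual):
names, that a Remote Access Filter matches the tunnel's source side
(interface, protocol, source port), and that destination port 0 keeps
the arriving port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    protocol: str          # Protocol List entry (TCP, UDP, ICMP, IGMP, ESP, AH) or ALL
    interface: str         # source Interface Object, e.g. "EXTERNAL" or "PSN"
    src_port: int          # visible port on the source side; 0 = all ports
    dst_ip: str            # otherwise inaccessible destination host
    dst_port: int          # port on the destination side; 0 = all ports
    dst_network: str       # where the host lives: "PSN" or "PROTECTED"
    automatic_accept: bool = False   # AUTOMATIC ACCEPT ALL FILTERS selected


@dataclass(frozen=True)
class RemoteAccessFilter:
    protocol: str          # "ALL" or one protocol
    interface: str         # interface the tunnel source sits on
    port: int              # tunnel source port allowed; 0 = any (assumption)


def _proto_ok(rule_proto: str, proto: str) -> bool:
    return rule_proto == "ALL" or rule_proto == proto


def _port_ok(rule_port: int, port: int) -> bool:
    return rule_port == 0 or rule_port == port


def filter_allows(t: Tunnel, filters: List[RemoteAccessFilter]) -> bool:
    """Usable only via the tunnel's automatic filter or a covering Remote Access Filter."""
    if t.automatic_accept:
        return True
    return any(f.interface == t.interface and _proto_ok(f.protocol, t.protocol)
               and _port_ok(f.port, t.src_port) for f in filters)


def resolve_inbound(tunnels, filters, proto, interface, port) -> Optional[Tuple[str, int]]:
    """(destination IP, destination port) for an inbound connection, or None.
    Tunnels are tried in order, so specific tunnels go before any zero tunnel."""
    for t in tunnels:
        if t.interface == interface and _proto_ok(t.protocol, proto) and _port_ok(t.src_port, port):
            if not filter_allows(t, filters):
                return None                      # defined, but no filter allows access
            return (t.dst_ip, t.dst_port if t.dst_port != 0 else port)   # port 0: assumption
    return None


def audit_tunnels(tunnels, filters) -> List[Tuple[str, str, str]]:
    """Findings a reviewer should look at, as (severity, host, reason)."""
    findings = []
    for t in tunnels:
        if t.src_port == 0 and t.dst_port == 0 and t.protocol == "ALL":
            sev = "HIGH" if t.dst_network == "PROTECTED" else "MEDIUM"
            findings.append((sev, t.dst_ip, "zero tunnel with protocol ALL exposes every port and protocol"))
        elif t.src_port == 0 or t.dst_port == 0:
            findings.append(("MEDIUM", t.dst_ip, f"tunnel forwards all {t.protocol} ports"))
        if not filter_allows(t, filters):
            findings.append(("INFO", t.dst_ip, "no filter allows access; tunnel unusable until one is added"))
        elif t.automatic_accept:
            findings.append(("INFO", t.dst_ip, "automatic filter; enable its logging in Filter Preferences"))
    return findings


# Constructed sample configuration (documentation and private addresses, not from the manual).
SAMPLE_TUNNELS = [
    Tunnel("TCP", "EXTERNAL", 99, "192.0.2.10", 23, "PSN", automatic_accept=True),   # port 99 -> telnet 23
    Tunnel("TCP", "EXTERNAL", 80, "192.0.2.20", 80, "PSN"),                           # covered by a filter
    Tunnel("UDP", "PSN", 53, "10.0.0.53", 53, "PROTECTED"),                           # no filter at all
    Tunnel("ALL", "EXTERNAL", 0, "10.0.0.5", 0, "PROTECTED", automatic_accept=True),  # the caution's zero tunnel
]
SAMPLE_FILTERS = [RemoteAccessFilter("TCP", "EXTERNAL", 80)]

if __name__ == "__main__":
    print(resolve_inbound(SAMPLE_TUNNELS, SAMPLE_FILTERS, "TCP", "EXTERNAL", 99))   # ('192.0.2.10', 23)
    print(resolve_inbound(SAMPLE_TUNNELS, SAMPLE_FILTERS, "TCP", "EXTERNAL", 22))   # ('10.0.0.5', 22)
    for finding in audit_tunnels(SAMPLE_TUNNELS, SAMPLE_FILTERS):
        print(*finding)
```

Running the block shows that a connection to port 22 on the External interface, which no specific tunnel defines, is still handed to the Protected Network host by the zero tunnel, and the audit reports that host as HIGH while the UDP tunnel without any filter is reported as unusable.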