Chapter 5: Configuring the CopperJet
5.7.3.1 Configuring NAT global addresses
Global address pools allow you to create a pool of outside network addresses that is visible
outside your network. Before you can configure global addresses, you need to configure
NAT.
If you want to set up a global address pool on your existing NAT enabled interfaces:
From the NAT Security Interfaces table, click on the Advanced NAT Configuration hyperlink
for the interface that you want to add a global pool to.
Click on Add Global Address Pool. The Firewall Add Global Address Pool page is displayed:
This page allows you to create a pool of network IP addresses that are visible outside your
network. Add values for the following table entries:
• Interface type; the internal address type that you want to map your external global IP
  addresses to. Click on the drop-down list and select an interface type.
• Use Subnet Configuration; there are two ways to specify a range of IP addresses. You can
  either Use Subnet Mask (specify the subnet mask address of the IP address) or Use IP
  Address Range (specify the first and last IP address in the range). Click on the
  drop-down list and select a method.
• Type in the IP Address that is visible outside the network.
• Subnet Mask/IP Address 2; the value you specify here depends on the subnet configuration
  that you are using. If you chose Use Subnet Mask, type in the subnet mask of the IP
  address. If you chose Use IP Address Range, type in the last IP address in the range of
  addresses that make up the global address pool.
Once you have configured the table, click on Add global address pool. The table is
refreshed and the global address pool is added to your NAT configuration.
To delete a global address pool, click on the Delete hyperlink, then click on the Delete
Global Address Pool button.
5.7.3.2 Configuring NAT reserved mapping
Reserved mapping allows you to map an outside security interface or an IP address from a
global pool to an individual IP address inside the network. Mapping is based on transport
type and port number. Before you can configure reserved mapping, you need to configure
NAT. See section 0 Configuring Network Address Translation (NAT)
To set up a reserved mapping on your existing NAT enabled interfaces, go to the
Configuration menu and select Security. From the Security Interfaces table, click on the
Advanced NAT Configuration hyperlink for the interface that you want to add the reserved
mappings to. The Advanced NAT Configuration: page is displayed.
Click on the Add Reserved Mapping hyperlink. The Add Reserved Mapping page is displayed.
This page allows you to configure your reserved mapping. Add specific values for the
following table entries.
Global IP Address: If you are mapping from a global IP address, type the address here. If
you are mapping from a security interface, type 0.0.0.0.
Internal IP Address: The IP address of an individual host inside your network.
Transport Type: Specify the transport type that you want to map from the outside interface
to the inside.
External Port Range: The external port range that your transport uses. Can also be a
single port as Start and End port.
Internal Port Range: The internal port range that your transport uses. Can also be a
single port as Start and End port.
Once you have configured the table, click on Add reserved mapping. The table is refreshed
and the reserved mapping is added to your NAT configuration.
Important: Make sure the Internal IP address is in the same subnet as your
CopperJet LAN IP address.
To delete a reserved mapping, click on the Delete hyperlink. The Delete Reserved Mapping
Confirmation page is displayed. Click on the Delete Reserved Mapping button. The
reserved mapping is deleted.
Don't forget to save the changes. Go to the Configuration menu and click on Save config to
save the new settings into the CopperJet.
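The checks implied by this section and by 5.7.3.1, as an added Python example that is not from the CopperJet manual: it normalises a global address pool entered either way and audits a reserved mapping against the LAN subnet and the pools. The function names, dictionary keys and sample addresses are constructed, and treating a mask-based pool as the whole subnet is an assumption.

```python
import ipaddress

def pool_range(ip, second, use_mask):
    """Normalise one global pool entry to (first, last).

    use_mask=True:  'second' is a subnet mask (Use Subnet Mask).
    use_mask=False: 'second' is the last address (Use IP Address Range).
    Assumption: a mask-based pool spans the whole subnet.
    """
    if use_mask:
        net = ipaddress.ip_network(f"{ip}/{second}", strict=False)
        return net.network_address, net.broadcast_address
    first, last = ipaddress.ip_address(ip), ipaddress.ip_address(second)
    if last < first:
        raise ValueError("last address is below the first address")
    return first, last

def check_mapping(m, lan_ip, lan_mask, pools):
    """Return the problems found in one reserved mapping (empty list = OK)."""
    problems = []
    lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    if ipaddress.ip_address(m["internal_ip"]) not in lan:
        problems.append("internal IP is outside the LAN subnet")
    g = ipaddress.ip_address(m["global_ip"])
    # 0.0.0.0 means the mapping is from the security interface itself.
    if int(g) != 0 and not any(lo <= g <= hi for lo, hi in pools):
        problems.append("global IP is not in any global address pool")
    for side in ("external_ports", "internal_ports"):
        start, end = m[side]  # a single port is start == end
        if not 1 <= start <= end <= 65535:
            problems.append(f"{side} {start}-{end} is not a valid range")
    return problems

# Constructed sample configuration (documentation/private addresses).
POOLS = [pool_range("203.0.113.8", "255.255.255.248", True),
         pool_range("198.51.100.10", "198.51.100.12", False)]
GOOD = {"global_ip": "0.0.0.0", "internal_ip": "192.168.1.10",
        "external_ports": (80, 80), "internal_ports": (8080, 8080)}
BAD = {"global_ip": "203.0.113.20", "internal_ip": "192.168.2.10",
       "external_ports": (2000, 1000), "internal_ports": (22, 22)}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_mapping(m, "192.168.1.1", "255.255.255.0", POOLS))
```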
5.7.4 Enabling Firewall
Before enabling the firewall, you must have Security enabled and you must have at least
1 internal interface or 1 external interface configured. Be sure that the WAN and/or LAN
connection and the Security Interfaces are defined and configured.
To enable the Firewall go to the Security State section and select Firewall Enabled.
Click on Change State to update the Security State section. The Firewall is now enabled on
the CopperJet.
Important: Enabling the Firewall will block ALL traffic going in and out of the
CopperJet. Firewall Policies need to be configured for allowing traffic
to pass through.
5.7.5 Enabling Intrusion Detection
Before enabling Intrusion Detection, you must have Security enabled and you must have
at least 1 internal interface or 1 external interface configured. Be sure that the WAN
and/or LAN connections and the Security Interfaces are defined and configured.
To enable Intrusion Detection, go to the Security State section and select Intrusion
Detection Enabled. Click on Change State to update the Security State section. The
Intrusion Detection is now enabled on the CopperJet.
5.7.6 Set a Security level
When you have enabled the firewall, you can set a Security Level.
Select a Security Level and click on Change State.
The high, medium, low and default levels contain default policy and port filter
configurations for each of your network interface connections, so you do not need to set
your own individual policies and port filters. If you explicitly set the level to none,
all traffic is blocked.
By default, no security level is set in your default configuration.
Setting a Firewall default security level automatically clears all previous Firewall settings.
5.7.7 Configuring portfilters
A portfilter is an individual rule that determines what kind of traffic can pass between two
interfaces specified in an existing policy.
To configure a portfilter:
From the Current Firewall Policies table, click on the Port Filters link for the policy
that you want to configure. The page displayed contains three Add Filter hyperlinks that
allow you to create three different kinds of portfilter:
For a TCP portfilter click on Add TCP Filter. The Firewall Add TCP Port Filter page is
displayed:
Complete the source/destination addresses, and the source/destination port range for the
protocol (TCP or UDP selected from the protocol drop-down list) that you want to filter.
Use the Direction drop-down lists to specify whether you want to allow/block inbound
traffic, and allow/block outbound traffic. Click Apply. The Firewall Port Filters page is
displayed, containing details of the TCP/UDP port filter that you have just added.
For a non-TCP/UDP portfilter (Raw IP Filter) click on Add Raw IP Filter. The Firewall Add
Raw IP Filter page is displayed:
Specify the source/destination addresses and the IP protocol number in the relevant text
boxes. For example, for IGMP, enter protocol number 2.
Then use the Direction drop-down lists to specify whether you want to allow/block inbound
traffic, and allow/block outbound traffic. Click on Apply. The Firewall Portfilters page is
displayed, containing details of the IP port filter that you have just added.
Each portfilter displayed in the Firewall Port Filters page has a Delete hyperlink assigned
to it. To delete a portfilter, click on this link, then at the confirmation page, click on
the Delete button. The portfilter is removed from the Firewall configuration.
5.7.8 Configuring validators
A validator allows/blocks traffic based on the source/destination IP address and netmask.
Traffic will be allowed or blocked depending on the validator configuration specified when
the policy was created.
To configure a validator:
From the Current Firewall Policies table, click on the Host Validators link for the policy
that you want to configure. The Configure Validators page is displayed. Click on the Add
Host Validator link. The Firewall Add Host Validator page is displayed:
1 In the Host IP Address text box, type the IP address that you want to allow/block.
2 In the Host Subnet Mask text box, type the IP mask address. If you want to filter a range
  of addresses, you can specify the mask, for example, 255.255.255.0. If you want to filter
  a single IP address, use the specific IP mask address, for example, 255.255.255.255.
3 Click on the Direction drop-down list and select the direction of traffic that you want
  the validator to filter.
4 Click on Apply. The Configure Validators page is displayed, containing details of the
  host validator that you have just added.
5 Each host validator displayed in the Configure Validators page has a Delete Host
  Validator hyperlink assigned to it. To delete a validator, click on this link, then at
  the confirmation page, click on the Delete Host Validator button. The validator is
  removed from the Firewall configuration.
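How a host IP address and mask select the addresses a validator filters, as an added Python example that is not from the CopperJet manual. The direction labels ("inbound", "outbound", "both"), the block_listed flag standing in for the policy's allow/block validator setting, and all names and sample addresses are assumptions.

```python
import ipaddress

def _u32(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def mask_is_contiguous(mask):
    """True if the mask is a run of 1-bits followed only by 0-bits."""
    inv = ~_u32(mask) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def covered(mask):
    """Number of addresses one validator entry selects with this mask."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    return (~_u32(mask) & 0xFFFFFFFF) + 1

def matches(v, addr, direction):
    """Does validator v select this address for traffic in this direction?"""
    if v["direction"] not in (direction, "both"):
        return False
    m = _u32(v["mask"])
    # Compare only the bits the mask keeps, so stray host bits are ignored.
    return (_u32(addr) & m) == (_u32(v["host_ip"]) & m)

def permitted(validators, addr, direction, block_listed):
    """block_listed=True: listed hosts are blocked, everything else passes.
    block_listed=False: only listed hosts pass (assumed policy setting)."""
    hit = any(matches(v, addr, direction) for v in validators)
    return not hit if block_listed else hit

# Constructed validator table: one range entry and one single-host entry.
VALIDATORS = [
    {"host_ip": "192.168.1.0", "mask": "255.255.255.0", "direction": "inbound"},
    {"host_ip": "10.0.0.5", "mask": "255.255.255.255", "direction": "both"},
]

if __name__ == "__main__":
    for v in VALIDATORS:
        print(v["host_ip"], v["mask"], "selects", covered(v["mask"]), "address(es)")
    print(permitted(VALIDATORS, "192.168.1.77", "inbound", block_listed=True))
```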