I can't get my SAT-rules to work properly. What am I doing wrong?

    This Knowledge Base article applies to:
      Amaranten Firewall v8.0 and up

Question:
I can't get my static address translation (SAT) rules to work properly. What am I doing wrong?

Answer:
Common mistakes made in setting up SAT rules are:

  • Forgetting that the SAT rule does not in and of itself do anything to a packet. When a packet matches a
    SAT rule, the firewall remembers that a static address translation is to be performed at a later point and
    continues to look for a matching FwdFast, Allow, NAT, Drop or Reject rule. The reason for this is that you
    should only need to set up one single SAT rule, even if you use more than two interfaces. If, for example,
    you have a DMZ on a third interface, you probably employ separate rules for traffic from external networks
    (usually Allow rules) and the protected network (usually NAT rules).
  • If you use FwdFast, rules must also be set up for return traffic. Consequently, these also require that you employ two sets of SAT rules; one for traffic in each direction.
  • Static address translation does not take place until a matching FwdFast, Allow or NAT rule has been
    encountered. This means that a SAT rule that translates destination address 1.1.1.1 to 2.2.2.2 must have a
    corresponding FwdFast or NAT rule with a destination address of 1.1.1.1, not 2.2.2.2!
  • If you have a SAT rule that translates a destination address on <core> to an address on dmz, the
    corresponding rule must also use <core> and not dmz.
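The evaluation order described above can be seen in a small model, added here as an illustration (it is not Amaranten syntax or code): every rule, SAT included, is matched on the packet's original destination and interface, and the remembered translation only takes effect when a later FwdFast, Allow or NAT rule matches. The rule representation, interface names and the final-default Drop are assumptions of this example.

```python
# Added example: a minimal model of the rule-evaluation order the article
# describes. Rule layout, interface names and the default Drop are this
# example's own assumptions, not Amaranten configuration syntax.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "SAT", "FwdFast", "Allow", "NAT", "Drop" or "Reject"
    src_if: str          # interface the packet arrives on, e.g. "ext", "core"
    dst: str             # destination address the rule matches
    new_dst: str = ""    # SAT only: translated destination address

@dataclass
class Verdict:
    action: str
    dst: str             # destination address the packet leaves with

def evaluate(rules, src_if, dst):
    """Walk the rule list top-down the way the article describes."""
    pending_sat = None
    for r in rules:
        # every rule, SAT included, matches on the ORIGINAL destination
        if r.src_if != src_if or r.dst != dst:
            continue
        if r.action == "SAT":
            # remember the translation, but keep looking for a terminal rule
            pending_sat = r.new_dst
            continue
        if r.action in ("FwdFast", "Allow", "NAT") and pending_sat:
            return Verdict(r.action, pending_sat)   # translation applied here
        return Verdict(r.action, dst)               # Drop/Reject, or no SAT seen
    return Verdict("Drop", dst)   # assumed default when nothing matches

# Constructed rule sets illustrating the two mistakes in the bullets above.
WRONG_ADDRESS = [Rule("SAT", "ext", "1.1.1.1", "2.2.2.2"),
                 Rule("Allow", "ext", "2.2.2.2")]   # post-translation address: never hit
WRONG_IFACE = [Rule("SAT", "core", "1.1.1.1", "2.2.2.2"),
               Rule("Allow", "dmz", "1.1.1.1")]     # dmz instead of core: never hit
RIGHT = [Rule("SAT", "ext", "1.1.1.1", "2.2.2.2"),
         Rule("Allow", "ext", "1.1.1.1")]           # original address: SAT takes effect

if __name__ == "__main__":
    print(evaluate(WRONG_ADDRESS, "ext", "1.1.1.1"))  # Verdict(action='Drop', dst='1.1.1.1')
    print(evaluate(WRONG_IFACE, "core", "1.1.1.1"))   # Verdict(action='Drop', dst='1.1.1.1')
    print(evaluate(RIGHT, "ext", "1.1.1.1"))          # Verdict(action='Allow', dst='2.2.2.2')
```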