Network Address Translation (NAT) is a fundamental aspect of the way ClusterXL works.
When a cluster member establishes an outgoing connection towards the Internet, the source address in the outgoing packets is the physical IP address of the cluster member interface. The source IP address is then changed using NAT to the external virtual IP address of the cluster. This address translation is called "Cluster Hide".
For OPSEC certified clustering products, this corresponds to the default setting on the 3rd Party Configuration page of the cluster object, in which "Hide Cluster Members' outgoing traffic behind the Cluster IP address" is checked.
When a client establishes an incoming connection to the external (virtual) address of the cluster, ClusterXL changes the destination IP address using NAT to the physical external address of one of the cluster members. This address translation is called "Cluster Fold".
For OPSEC certified clustering products, this corresponds to the default setting on the 3rd Party Configuration page of the cluster object, in which "Forward Cluster incoming traffic to Cluster Members' IP addresses" is checked.
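The two automatic translations described above, modelled on constructed packets. This is an added illustration, not Check Point code: the addresses are documentation-range values (RFC 5737), the member names are hypothetical, and because the page does not say how the handling member is chosen for Cluster Fold, the caller passes it in.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


# Constructed sample values, not taken from the page.
CLUSTER_VIP = ip_address("192.0.2.1")           # external virtual IP of the cluster
MEMBERS = {                                     # physical external IPs (hypothetical names)
    "member_a": ip_address("192.0.2.2"),
    "member_b": ip_address("192.0.2.3"),
}
CLIENT = ip_address("198.51.100.7")             # a host on the Internet side


def cluster_hide(pkt: Packet) -> Packet:
    """Outgoing: a member's physical source address becomes the cluster VIP."""
    if pkt.src in MEMBERS.values():
        return replace(pkt, src=CLUSTER_VIP)
    return pkt  # not originated by a member interface: Cluster Hide does not apply


def cluster_fold(pkt: Packet, handling_member: str) -> Packet:
    """Incoming: a destination of the cluster VIP becomes one member's physical IP."""
    if pkt.dst != CLUSTER_VIP:
        return pkt  # not addressed to the cluster VIP: Cluster Fold does not apply
    return replace(pkt, dst=MEMBERS[handling_member])


def trace():
    """Return (packet as sent to the Internet, packet as delivered to a member)."""
    outgoing = cluster_hide(Packet(src=MEMBERS["member_a"], dst=CLIENT))
    incoming = cluster_fold(Packet(src=CLIENT, dst=CLUSTER_VIP), "member_b")
    return outgoing, incoming


if __name__ == "__main__":
    for label, pkt in zip(("Cluster Hide", "Cluster Fold"), trace()):
        print(f"{label}: {pkt.src} -> {pkt.dst}")
```

In both directions the Internet-side host sees only the cluster virtual IP address; the members' physical addresses exist only on the cluster side of the translation.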
Network Address Translation (NAT) can be performed on a Cluster, in the same way as it is performed on a Security Gateway. This NAT is in addition to the automatic "Cluster Fold" and "Cluster Hide" address translations.
To configure NAT, edit the Cluster object, and in the Cluster Properties window, select the NAT page. Do NOT configure the NAT tab of the cluster member object.
It is possible to perform Network Address Translation (NAT) on a non-cluster interface of a cluster member.
One possible scenario is when the non-cluster interface of the cluster member is connected to another (non-cluster) internal Security Gateway, and you wish to hide the address of the non-cluster interface of the cluster member.
Performing this NAT means that when a packet originates behind or on the non-Cluster interface of the cluster member, and is sent to a host on the other side of the internal Security Gateway, the source address of the packet will be translated.
To configure NAT on a non-cluster interface of a cluster member Security Gateway: