Policy based network address translation
First Claim
1. A method for performing policy-based network address translation in a system for protecting a network segment, the method comprising:
a) identifying, by a network device deployed between an internal and external network, a first user from a first packet, the first packet having a first source internet protocol address of the external network and a first external internet protocol address of a network resource within the internal network;
b) identifying, by the network device, a second user from a second packet, the second packet having a second source internet protocol address of the external network and a second external internet protocol address of the network resource within the internal network;
c) identifying, by the network device, from a plurality of user-based network address translation maps, a first network address translation map assigned to the first user and a second network address translation map assigned to the second user;
d) determining, by the network device, from the first network address translation map, an internal internet protocol address of the network resource based on the identified first external internet protocol address assigned to the first user and, from the second network address translation map, the internal internet protocol address of the network resource based on the identified second external internet protocol address assigned to the second user.
Abstract
A system and method are described for providing policy-based Network Address Translation (NAT) configurations in which each user/resource policy within a network protection device may use a different set of address translation mappings.
26 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 13 depend on it.
14. A system for performing policy-based network address translation and protecting a network segment, the system comprising:
- a means for identifying, by a network device deployed between an internal and external network, a first user from a first internet protocol address of the external network from a source of a first packet;
- a means for identifying, by the network device, a first external internet protocol address of a network resource within the internal network from a destination of the first packet;
- a means for identifying, by the network device, a second user from a second internet protocol address of the external network from a source of a second packet;
- a means for identifying, by the network device, a second external internet protocol address of the network resource within the internal network from a destination of the second packet;
- a means for identifying, by the network device, from a plurality of user-based network address translation maps, a first network address translation map assigned to the first user and a second network address translation map assigned to the second user;
- a means for determining, by the network device, via the first network address translation map, an internal internet protocol address of the network resource based on the identified first external internet protocol address assigned to the first user; and
- a means for determining, by the network device, via the second network address translation map, the internal internet protocol address of the network resource based on the identified second external internet protocol address assigned to the second user.
Dependent claims: 15 to 26.
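The lookup that claims 1 and 14 describe in prose, as an added illustration that is not code from the patent or its assignee: the device identifies the user from the packet's external source address, selects that user's own NAT map, and only then resolves the external destination address to the internal resource. The class and function names, and every address (taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 10.0.0.0/8), are constructed for this example. The sample policy exposes one internal resource to two users under two different external addresses, which is the situation the claims recite; the example goes slightly beyond the claims by also translating the reply direction and by rejecting a policy that would make reply translation ambiguous.

```python
"""Policy-based NAT lookup: one external->internal map per user.

Added example, not the patent's own code. All addresses are constructed
from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class PolicyNAT:
    """The network device between the external and internal networks."""

    def __init__(self) -> None:
        # steps (a)/(b): a user is identified from the packet's external source IP
        self._user_by_src: Dict[IPv4Address, str] = {}
        # step (c): each user owns a separate external->internal map
        self._fwd: Dict[str, Dict[IPv4Address, IPv4Address]] = {}
        # inverse of each user's map, used to rewrite replies to that user's view
        self._rev: Dict[str, Dict[IPv4Address, IPv4Address]] = {}

    def add_user(self, user: str, src: str, nat_map: Dict[str, str]) -> None:
        fwd = {IPv4Address(e): IPv4Address(i) for e, i in nat_map.items()}
        rev: Dict[IPv4Address, IPv4Address] = {}
        for ext, internal in fwd.items():
            if internal in rev:
                # one user's map exposing the same resource at two external
                # addresses would make reply translation ambiguous: refuse it
                raise ValueError(
                    f"{user}: {internal} exposed at both {rev[internal]} and {ext}")
            rev[internal] = ext
        self._user_by_src[IPv4Address(src)] = user
        self._fwd[user] = fwd
        self._rev[user] = rev

    def identify_user(self, pkt: Packet) -> Optional[str]:
        return self._user_by_src.get(pkt.src)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """External user -> internal resource (claim 1, steps a to d).
        Returns None when the device must drop the packet."""
        user = self.identify_user(pkt)
        if user is None:
            return None          # no policy for this source address: drop
        internal = self._fwd[user].get(pkt.dst)
        if internal is None:
            return None          # this user's map does not expose pkt.dst: drop
        return Packet(pkt.src, internal)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Internal resource -> external user: restore the external address
        that this particular user's map assigns to the resource."""
        user = self._user_by_src.get(pkt.dst)
        if user is None:
            return None
        ext = self._rev[user].get(pkt.src)
        if ext is None:
            return None
        return Packet(ext, pkt.dst)


def build_sample_policy() -> PolicyNAT:
    """Constructed configuration: 'alice' and 'bob' both reach the internal
    resource 10.0.0.5, each through a different external address."""
    nat = PolicyNAT()
    nat.add_user("alice", "203.0.113.10", {"198.51.100.1": "10.0.0.5"})
    nat.add_user("bob", "203.0.113.20", {"198.51.100.2": "10.0.0.5",
                                         "198.51.100.3": "10.0.0.9"})
    return nat


def lookup(nat: PolicyNAT, src: str, dst: str) -> Optional[str]:
    """Internal address a packet src->dst is delivered to, or None if dropped."""
    out = nat.translate_inbound(Packet(IPv4Address(src), IPv4Address(dst)))
    return None if out is None else str(out.dst)


def reply_source(nat: PolicyNAT, internal: str, user_ip: str) -> Optional[str]:
    """External source address a reply from internal->user_ip leaves with."""
    out = nat.translate_outbound(Packet(IPv4Address(internal), IPv4Address(user_ip)))
    return None if out is None else str(out.src)


if __name__ == "__main__":
    nat = build_sample_policy()
    print(lookup(nat, "203.0.113.10", "198.51.100.1"))   # alice: 10.0.0.5
    print(lookup(nat, "203.0.113.20", "198.51.100.2"))   # bob:   10.0.0.5
    print(lookup(nat, "203.0.113.10", "198.51.100.2"))   # alice via bob's address: None
    print(reply_source(nat, "10.0.0.5", "203.0.113.20")) # reply to bob: 198.51.100.2
```

The third lookup is the security-relevant check: the external address 198.51.100.2 is valid on the device, but only inside bob's map, so alice's packet to it is dropped rather than translated. A single global NAT table would have delivered it.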
Specification