There have been address translation techniques (network address translation (NAT) techniques) which are provided between a global network and a private network, for example between a wide area network (WAN) such as the Internet and a local area network (LAN) such as an Ethernet (registered trademark) network. Such techniques translate the destination address of a packet sent from the WAN to a terminal device on the LAN from a global IP address to a private address, and translate the source address of a packet sent from a terminal device on the LAN to the WAN from a private address to a global IP address, thereby enabling multiple terminals that have only a private address internal to the LAN to share one global IP address for access to the WAN. There also have been access control techniques (firewall techniques) which check the destination and the sender of packets from a WAN and allow only those packets that are authorized under an established security policy to enter a LAN, in order to protect the resources within the LAN. Also known are relay apparatuses having both an address translating function and an access control function, address translation apparatuses having only an address translation function, and firewall apparatuses having only an access control function.
Some conventional address translation techniques direct access from the Internet to terminal devices on a LAN according to TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port numbers, thereby enabling access from the Internet to those terminal devices (see Patent literature 1, for example). However, because such address translation apparatuses use TCP or UDP port numbers to enable access from the Internet to terminal devices on a LAN, they can associate only one terminal device with one port number and cannot enable multiple terminal devices to be accessed by using the same port number. For example, there is a problem that the http (Hyper Text Transport Protocol) default port number 80 cannot be used to publish multiple servers. Also, in the case of communications using protocols other than TCP and UDP that do not have a port number (such as IPsec (Security Architecture for Internet Protocol) and ICMP (Internet Control Message Protocol)), multiple terminal devices cannot be published. For example, IPsec packets cannot be used by multiple terminal devices at a time because an IPsec packet cannot be set so as to be sent to more than one terminal device. The same holds true for communication from a LAN to the Internet, and therefore it is difficult for terminal devices on a LAN to use IPsec packets. To solve the problem, some techniques encapsulate IPsec packets into UDP packets and send them (see Patent literature 2, for example). However, such address translation techniques using encapsulation require that both parties performing IPsec communication support encapsulation into UDP packets. They do not enable communication with terminals that do not support encapsulation into UDP packets.
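An added example, not taken from the patent, modelling the port-number-keyed inbound translation described above: the table is keyed on (protocol, destination port), so a second LAN host cannot be published on TCP port 80, and a packet of a port-less protocol such as IPsec ESP cannot be directed at all. All addresses and the class and function names are constructed for illustration.

```python
# Added example (not from the patent): a model of port-number-based static
# NAT (port forwarding), showing why one port can serve only one LAN terminal
# and why protocols without a port number cannot be directed to a LAN host.
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ESP, ICMP = 6, 17, 50, 1  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_ip: str
    dst_port: Optional[int] = None  # None for protocols that carry no port


class PortForwardNAT:
    """Directs inbound packets to LAN hosts keyed on (proto, dst_port)."""

    def __init__(self, global_ip: str):
        self.global_ip = global_ip
        self.table: dict[tuple[int, int], str] = {}

    def publish(self, proto: int, port: int, private_ip: str) -> bool:
        """Register a LAN host; fails if (proto, port) already maps elsewhere."""
        key = (proto, port)
        if key in self.table and self.table[key] != private_ip:
            return False
        self.table[key] = private_ip
        return True

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination to the LAN host, or None if it cannot be keyed."""
        if pkt.dst_ip != self.global_ip or pkt.dst_port is None:
            return None  # ESP/ICMP have no port, so no table lookup is possible
        target = self.table.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        return Packet(pkt.proto, target, pkt.dst_port)


def demo():
    # Constructed addresses (RFC 5737 documentation range and a private LAN)
    nat = PortForwardNAT("203.0.113.10")
    first = nat.publish(TCP, 80, "192.168.0.10")   # first web server: accepted
    second = nat.publish(TCP, 80, "192.168.0.11")  # second on same port: rejected
    web = nat.translate_inbound(Packet(TCP, "203.0.113.10", 80))
    esp = nat.translate_inbound(Packet(ESP, "203.0.113.10"))  # port-less: dropped
    return first, second, web, esp
```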
On the other hand, some access control techniques enable a security policy established on a firewall apparatus to be modified through access from the Internet by a user identified through authentication (see Patent literature 3, for example). The technique disclosed in Patent literature 3 will be described with reference to FIG. 1. If a user of a user terminal 220 connected to the Internet (WAN) 200 wants to modify an access control rule in an access control table 900a in a firewall apparatus 900, the user sends an authentication request from the user terminal 220 to an authentication server 390 connected to the LAN 300. The port number of the authentication server 390 is recorded in the access control table 900a as a condition for permitting packets to pass through. The authentication request contains the ID (identification information) of the user, signature data of the user and, as information about the access to be made, the IP address and port number of the user and the IP address and port number of the destination.
The authentication server 390 verifies the authentication request it received. If the request passes the verification, the authentication server 390 requests the firewall apparatus 900 to set, in the access control table 900a, the information about the access to be made that is contained in the authentication request. Consequently, if the request is, for example, to access a Web server 310 on the LAN 300 from the user terminal 220, the user is allowed to access the Web server 310 from the user terminal 220 to download content, for example. The access control table 900a, in which access permission is set from outside the firewall apparatus in this way, is reset to its original state after a predetermined time period elapses or the duration of the access exceeds a predetermined time period.

Patent literature 1: Japanese Patent Application Laid-Open No. 2002-185517

Patent literature 2: Japanese Patent Application Laid-Open No. 2002-232450

Patent literature 3: Japanese Patent Application Laid-Open No. 2003-132020
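An added example, not taken from the patent or from Patent literature 3, modelling the access control table of FIG. 1: a permanent rule keeps the authentication server's port reachable, a rule granted after a verified authentication request admits the user's access, and that granted rule is removed again once its predetermined lifetime elapses. The addresses, the authentication port 8443, the lifetime and all names are constructed assumptions.

```python
# Added example (not from the patent): the firewall access control table with
# a permanent rule for the authentication server and time-limited rules that
# are inserted after authentication and reset when their lifetime elapses.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_ip: Optional[str]       # None matches any source address
    src_port: Optional[int]     # None matches any source port
    dst_ip: str
    dst_port: int
    expires_at: Optional[float]  # None: permanent (original) rule


def _match(pattern, value) -> bool:
    return pattern is None or pattern == value


class AccessControlTable:
    def __init__(self, permanent: list[Rule]):
        self.rules = list(permanent)

    def grant(self, src_ip, src_port, dst_ip, dst_port, now, lifetime):
        """Set by the authentication server after a request passes verification."""
        self.rules.append(Rule(src_ip, src_port, dst_ip, dst_port, now + lifetime))

    def expire(self, now):
        """Reset to the original state: drop granted rules whose lifetime elapsed."""
        self.rules = [r for r in self.rules
                      if r.expires_at is None or r.expires_at > now]

    def permits(self, src_ip, src_port, dst_ip, dst_port, now) -> bool:
        self.expire(now)
        return any(_match(r.src_ip, src_ip) and _match(r.src_port, src_port)
                   and r.dst_ip == dst_ip and r.dst_port == dst_port
                   for r in self.rules)


def demo():
    auth, web, user = "192.168.0.2", "192.168.0.3", "198.51.100.7"  # constructed
    acl = AccessControlTable([Rule(None, None, auth, 8443, None)])  # auth port open
    before = acl.permits(user, 40000, web, 80, now=0)        # False: no rule yet
    acl.grant(user, 40000, web, 80, now=0, lifetime=60)      # after verification
    during = acl.permits(user, 40000, web, 80, now=30)       # True: within lifetime
    after = acl.permits(user, 40000, web, 80, now=61)        # False: rule reset
    auth_ok = acl.permits(user, 40001, auth, 8443, now=61)   # True: permanent rule
    return before, during, after, auth_ok
```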