Order of packet handling:
Ingress interface > MIP/VIP > Route lookup > Policy lookup > Policy NAT > Create session > Egress interface
Source NAT
Translates the Source IP address.
1. Interface-Based Source NAT
NATs traffic as it passes through an interface. The traffic takes the source address of the egress interface. This setting is on by default, but it can be turned off by changing the interface from NAT mode to Route mode.
WebUI:
Network>Interfaces
Select EDIT next to the desired interface. Check NAT next to interface mode.
CLI:
set interface ethernet2/1 nat
Notes:
The egress interface must be bound to the untrust zone.
User-defined zones bound to the ingress interface must be on a different VR than the untrust zone.
2. MIP
Static one-to-one translation.
Typical NAT for publishing a web server (allowing the Internet to reach a web server that has a non-routable IP).
WebUI:
Network>Interfaces>EDIT (select the Public interface)
Select MIP>NEW
Host IP = Internal IP
Select the VR through which the host is routed on the inside.
Next define a policy using the zone that the Host IP is in. For example, if the web server's public IP is in the trust zone, the policy will be from Untrust to Trust.
The MIP should be selected in the Advanced options of the policy.
CLI:
set interface untrust mip 2.2.2.2 host 10.1.1.1 netmask 255.255.255.255 vr "trust-vr"
set policy from untrust to trust any mip(2.2.2.2) http permit log
Since the MIP translation is done before the route lookup, a route may need to be added for the inside IP:
set vrouter trust-vr route 10.1.1.1 255.255.255.255 gateway 10.1.1.254 metric 1
3. Policy-based Source NAT
Implemented on a per-policy basis. This adds additional granularity to NAT.
WebUI:
When creating a policy-based NAT, click the Advanced button. Select Source Translation and enter the IP to hide behind, or select NONE to use the egress interface address.
CLI:
set policy from trust to untrust 10.1.1.1 2.2.2.1 http nat src permit log
Destination NAT
Translates the Destination IP address.
1. VIP
Translates the destination IP and port. Created at the interface level and must be allowed by a policy.
Port-forwarding, one-to-many NAT.
WebUI:
Network>Interfaces>EDIT (on egress)
Select VIP
Choose a Virtual IP > Add
Define a virtual service and the IP to map it to. For example, to send HTTP requests to 10.1.1.5, define port 80 as "http-virtual" to 10.1.1.5.
You can send additional traffic to other addresses. For example, send port 25 to 10.1.1.2 using a virtual service called "MAIL".
Note: Virtual services can be named any unused service name.
Next define a policy using the VIP.
CLI:
set interface untrust vip 2.2.2.3 80 "http-virtual" 10.1.1.5 manual
set interface untrust vip 2.2.2.3 25 "MAIL" 10.1.1.2 manual
set policy id 10 from untrust to trust any "VIP(2.2.2.3)" http permit log
To add SMTP to the same policy, enter the policy context, add the service, and leave the context:
set policy id 10
set service SMTP
exit
2. MIP
Static one-to-one translation.
See MIP under Source NAT above.
3. Policy-based Destination NAT
Like policy-based Source NAT, it translates based on the policy. See Policy-based Source NAT above.
DIP
DIP defines a pool of contiguous addresses on an interface that will be used for NAT. This lets a policy-based NAT translate to several IPs instead of one.
WebUI:
Network>Interfaces>EDIT (Egress interface)
Define a new DIP range.
Create a policy and choose Advanced > DIP, then select the DIP created above.
CLI:
set interface untrust dip 3 2.2.2.2 2.2.2.50 fix-port
fix-port turns off PAT (the source port is kept, only the address changes).
A DIP pool is referenced from the source-translation side of the policy (nat src dip-id), not from nat dst:
set policy from trust to untrust 10.1.1.0/24 2.2.2.10 http nat src dip-id 3 permit log
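The notes above describe the order of operations (MIP/VIP before the route lookup, policy lookup on the translated destination, policy NAT or interface NAT afterwards) but never show why the order matters. The following is an added Python model of that pipeline, written for this page; it is not ScreenOS code and does not reproduce ScreenOS internals. Interface names, the round-robin DIP allocation, and the rule that interface-based NAT applies when a NAT-mode ingress interface sends traffic to the untrust zone are the model's own assumptions; the addresses, zones, MIP, VIPs and DIP pool are the ones used in the notes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Toy model of the ScreenOS packet-handling order from the notes:
# ingress -> MIP/VIP -> route lookup -> policy lookup -> policy NAT -> session.
# Added illustration only; not ScreenOS code.

@dataclass
class DipPool:
    """Contiguous source-NAT pool ("set interface ... dip <id> <start> <end>")."""
    start: str
    end: str
    fix_port: bool = False      # fix-port turns off PAT (port translation)
    _next: int = 0

    def allocate(self) -> str:
        # Round-robin over the range (an assumption of this model, not ScreenOS behaviour).
        lo = int(ipaddress.IPv4Address(self.start))
        hi = int(ipaddress.IPv4Address(self.end))
        addr = lo + self._next % (hi - lo + 1)
        self._next += 1
        return str(ipaddress.IPv4Address(addr))

@dataclass
class Interface:
    name: str
    zone: str
    ip: str
    nat_mode: bool = False                        # interface-based source NAT
    mips: dict = field(default_factory=dict)      # public IP -> host IP
    vips: dict = field(default_factory=dict)      # (public IP, port) -> host IP
    dips: dict = field(default_factory=dict)      # dip-id -> DipPool

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: str                        # "any" or CIDR
    dst: str                        # "any", CIDR, or an object such as "mip(2.2.2.2)"
    port: int                       # service port (80 = http, 25 = smtp)
    nat_src: Optional[str] = None   # None, "egress", "dip:<id>" or a fixed IP
    nat_dst: Optional[str] = None   # fixed IP for policy-based destination NAT

def _match_addr(spec: str, ip: str, obj: Optional[str]) -> bool:
    if spec == "any" or (obj is not None and spec == obj):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:              # spec is an object name that did not match
        return False

class Firewall:
    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = []            # (network, egress interface name)
        self.policies = []

    def add_route(self, cidr: str, iface: str):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def handle(self, ingress_name: str, src: str, dst: str, dport: int) -> dict:
        ingress, dst_obj = self.ifaces[ingress_name], None
        # 1. MIP/VIP destination translation happens BEFORE the route lookup.
        if dst in ingress.mips:
            dst_obj, dst = f"mip({dst})", ingress.mips[dst]
        elif (dst, dport) in ingress.vips:
            dst_obj, dst = f"VIP({dst})", ingress.vips[(dst, dport)]
        # 2. Route lookup on the translated destination; longest prefix wins.
        cands = [(n, i) for n, i in self.routes if ipaddress.ip_address(dst) in n]
        if not cands:
            return {"action": "drop", "reason": f"no route to {dst}"}
        egress = self.ifaces[max(cands, key=lambda c: c[0].prefixlen)[1]]
        # 3. Policy lookup from the ingress zone to the egress zone.
        pol = next((p for p in self.policies
                    if p.from_zone == ingress.zone and p.to_zone == egress.zone
                    and _match_addr(p.src, src, None)
                    and _match_addr(p.dst, dst, dst_obj) and p.port == dport), None)
        if pol is None:
            return {"action": "drop", "reason": "no matching policy"}
        # 4. Policy NAT first; interface-based NAT only as the fallback.
        translated, fix_port = True, False
        if pol.nat_dst:
            dst = pol.nat_dst
        if pol.nat_src == "egress":
            src = egress.ip
        elif pol.nat_src and pol.nat_src.startswith("dip:"):
            pool = egress.dips[int(pol.nat_src[4:])]
            src, fix_port = pool.allocate(), pool.fix_port
        elif pol.nat_src:
            src = pol.nat_src
        elif ingress.nat_mode and egress.zone == "untrust":   # model's assumption
            src = egress.ip
        else:
            translated = False
        # 5. Session entry.
        return {"action": "permit", "src": src, "dst": dst, "dport": dport,
                "egress": egress.name, "pat": translated and not fix_port}

def build_from_notes(with_host_route: bool = True) -> Firewall:
    """Firewall configured like the notes; interface names are assumed."""
    untrust = Interface("untrust", "untrust", "2.2.2.1",
                        mips={"2.2.2.2": "10.1.1.1"},
                        vips={("2.2.2.3", 80): "10.1.1.5", ("2.2.2.3", 25): "10.1.1.2"},
                        dips={3: DipPool("2.2.2.2", "2.2.2.50", fix_port=True)})
    trust = Interface("ethernet2/1", "trust", "10.1.1.254", nat_mode=True)
    fw = Firewall([untrust, trust])
    fw.add_route("0.0.0.0/0", "untrust")
    if with_host_route:                     # the route the MIP section says may be needed
        fw.add_route("10.1.1.0/24", "ethernet2/1")
    fw.policies += [
        Policy("untrust", "trust", "any", "mip(2.2.2.2)", 80),
        Policy("untrust", "trust", "any", "VIP(2.2.2.3)", 80),
        Policy("untrust", "trust", "any", "VIP(2.2.2.3)", 25),
        Policy("trust", "untrust", "10.1.1.0/24", "any", 80, nat_src="dip:3"),
        Policy("trust", "untrust", "any", "any", 443),           # interface NAT applies
    ]
    return fw
```

Running `build_from_notes(with_host_route=False).handle("untrust", "8.8.8.8", "2.2.2.2", 80)` drops the packet with "no matching policy": the MIP has already rewritten the destination to 10.1.1.1, the default route sends it back out the untrust interface, and no untrust-to-untrust policy exists. With the host route present the same packet is routed to the trust zone and matches the mip(2.2.2.2) policy, which is the point the MIP section makes. The DIP pool with fix-port hands out 2.2.2.2, 2.2.2.3, ... without port translation, while the plain 443 policy falls through to interface-based NAT behind 2.2.2.1.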