ESR Series Routers Operation Manual
7.6  Destination NAT configuration 
The Destination NAT (DNAT) function translates the destination IP address of packets passing
through the network gateway.
DNAT is used to redirect traffic arriving at a specific 'virtual' address in a public network to a
'real' server in the LAN behind the network gateway. This function may be used to provide
public access to servers that are located in the private network and have no public network address of their own.
Objective: Establish access from the public network, which belongs to the 'UNTRUST' zone, to a LAN
server in the 'TRUST' zone. The server address in the LAN is 10.1.1.100. The server should be accessible from outside the
network at address 1.2.3.4, port 80.
 
Fig. 7.4—Network structure 
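The translation described above can be modelled in a few lines. This is an added illustration, not code from the manual or from the ESR software; it uses the addresses from the objective, while the client address 198.51.100.7 and all class and function names are constructed for the example.

```python
# Added illustration (not ESR code): a minimal model of stateful destination NAT.
# Addresses and port come from the objective above; the client address
# 198.51.100.7 and the function names are constructed for this example.
from dataclasses import dataclass, replace

PUBLIC = ("1.2.3.4", 80)      # 'virtual' address seen from the UNTRUST zone
REAL = ("10.1.1.100", 80)     # 'real' server in the TRUST zone


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Dnat:
    def __init__(self):
        # (client ip, client port) -> original destination, one entry per flow
        self.sessions = {}

    def inbound(self, pkt, zone):
        """Packet arriving at the gateway from `zone`."""
        if zone != "UNTRUST" or (pkt.dst, pkt.dport) != PUBLIC:
            return pkt                      # no DNAT match: left untranslated
        self.sessions[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=REAL[0], dport=REAL[1])

    def outbound(self, pkt):
        """Reply from the server: restore the public address as the source."""
        orig = self.sessions.get((pkt.dst, pkt.dport))
        if orig is None or (pkt.src, pkt.sport) != REAL:
            return pkt                      # not part of a translated flow
        return replace(pkt, src=orig[0], sport=orig[1])


def demo():
    gw = Dnat()
    request = Packet("198.51.100.7", 40000, "1.2.3.4", 80)
    to_server = gw.inbound(request, "UNTRUST")
    reply = gw.outbound(Packet("10.1.1.100", 80, "198.51.100.7", 40000))
    other_port = gw.inbound(Packet("198.51.100.7", 40001, "1.2.3.4", 22), "UNTRUST")
    return to_server, reply, other_port


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Only the destination of the matching request is rewritten; the reply leaves with source 1.2.3.4, so the client never sees 10.1.1.100, and traffic to any other port on the public address is not redirected.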
Solution: 
Create the 'UNTRUST' and 'TRUST' security zones. Assign the network interfaces in use
to the zones, and assign IP addresses to the interfaces at the same time.
esr# configure 
esr(config)# security zone UNTRUST 
esr(config-zone)# exit 
esr(config)# security zone TRUST 
esr(config-zone)# exit 
 
esr(config)# interface gigabitethernet 1/0/1 
esr(config-if-gi)# security-zone TRUST 
esr(config-if-gi)# ip address 10.1.1.1/25  
esr(config-if-gi)# exit 
 
esr(config)# interface tengigabitethernet 1/0/1 
esr(config-if-te)# ip address 1.2.3.4/29 
esr(config-if-te)# security-zone UNTRUST 
esr(config-if-te)# exit 
Create the IP address and port profiles required for configuring the Firewall and DNAT rules:
  NET_UPLINK—public network address profile 
  SERVER_IP—local area network address profile 
  SRV_HTTP—port profile  
esr(config)# object-group network NET_UPLINK 
esr(config-object-group-network)# ip address 1.2.3.4 
esr(config-object-group-network)# exit 
 
esr(config)# object-group service SRV_HTTP 
esr(config-object-group-network)# port 80 
esr(config-object-group-network)# exit 
 
esr(config)# object-group network SERVER_IP 
esr(config-object-group-network)# ip address 10.1.1.100 
esr(config-object-group-network)# exit