44   ESR Series Routers Operation Manual 
Enter DNAT configuration mode and create a destination address and port pool that will be used 
to translate the destination of packets arriving at address 1.2.3.4 from the external network. 
esr(config)# nat destination 
esr(config-dnat)# pool SERVER_POOL 
esr(config-dnat-pool)# ip address 10.1.1.100 
esr(config-dnat-pool)# ip port 80 
esr(config-dnat-pool)# exit 
Create the 'DNAT' rule set that will be used for address translation. In the rule set attributes, specify 
that the rules apply only to packets coming from the 'UNTRUST' zone. The rule set contains match 
criteria for the destination address and port (match destination-address, match destination-port) and 
for the protocol. It also contains the action applied to packets that satisfy all of the criteria (action 
destination-nat). The rule is activated with the 'enable' command. 
esr(config-dnat)# ruleset DNAT 
esr(config-dnat-ruleset)# from zone UNTRUST 
esr(config-dnat-ruleset)# rule 1 
esr(config-dnat-rule)# match destination-address NET_UPLINK 
esr(config-dnat-rule)# match protocol tcp  
esr(config-dnat-rule)# match destination-port SERV_HTTP 
esr(config-dnat-rule)# action destination-nat pool SERVER_POOL 
esr(config-dnat-rule)# enable 
esr(config-dnat-rule)# exit 
esr(config-dnat-ruleset)# exit 
esr(config-dnat)# exit 
To pass traffic coming from the 'UNTRUST' zone into the 'TRUST' zone, create the corresponding zone 
pair. Only DNAT-translated traffic (match destination-nat) whose destination address matches the 
'SERVER_IP' specified in the profile should be passed. 
esr(config)# security zone-pair UNTRUST TRUST 
esr(config-zone-pair)# rule 1 
esr(config-zone-rule)# match source-address any 
esr(config-zone-rule)# match destination-address SERVER_IP 
esr(config-zone-rule)# match protocol any 
esr(config-zone-rule)# match destination-nat 
esr(config-zone-rule)# action permit 
esr(config-zone-rule)# enable 
esr(config-zone-rule)# exit 
esr(config-zone-pair)# exit 
esr(config)# exit 
Configuration changes will take effect when the configuration is applied: 
esr# commit 
Configuration has been successfully committed 
esr# confirm 
Configuration has been successfully confirmed 
To view the resulting settings, use the following commands: 
esr# show ip nat destination pools 
esr# show ip nat destination rulesets 
esr# show ip nat proxy-arp 
esr# show ip nat translations
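
The zone-pair rule above is safe to expose only because it carries 'match destination-nat'. The following is an added example, not part of the manual: a small audit over a saved CLI transcript, in the prompt format shown in this section, that lists enabled permit rules from the 'UNTRUST' zone lacking that match. The function names and rule 2 in the sample are hypothetical.

```python
import re

# Constructed sample: the zone-pair commands from this section plus a
# hypothetical rule 2 that omits "match destination-nat".
SESSION = """\
esr(config)# security zone-pair UNTRUST TRUST
esr(config-zone-pair)# rule 1
esr(config-zone-rule)# match source-address any
esr(config-zone-rule)# match destination-address SERVER_IP
esr(config-zone-rule)# match protocol any
esr(config-zone-rule)# match destination-nat
esr(config-zone-rule)# action permit
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-rule)# match destination-address SERVER_IP
esr(config-zone-rule)# action permit
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
"""

def parse_zone_rules(session):
    """Return {(src_zone, dst_zone, rule_id): [commands]} for each zone-pair rule."""
    rules, pair, key = {}, None, None
    for line in session.splitlines():
        cmd = " ".join(re.sub(r"^\S+#\s*", "", line).split())  # drop the prompt
        m = re.fullmatch(r"security zone-pair (\S+) (\S+)", cmd)
        if m:
            pair, key = m.groups(), None
        elif pair is None or not cmd:
            continue                      # outside a zone-pair block
        elif key is None and cmd.startswith("rule "):
            key = pair + (cmd.split()[1],)
            rules[key] = []
        elif cmd == "exit":
            if key is None:
                pair = None               # leaving the zone-pair block
            key = None                    # leaving the rule
        elif key is not None:
            rules[key].append(cmd)
    return rules

def audit(rules, untrusted="UNTRUST"):
    """Enabled permit rules from the untrusted zone without 'match destination-nat'."""
    return [key for key, cmds in rules.items()
            if key[0] == untrusted and {"action permit", "enable"} <= set(cmds)
            and "match destination-nat" not in cmds]
```

Calling audit(parse_zone_rules(SESSION)) returns the key of rule 2 only. Treating every such rule as a finding is the policy of this example, not a statement about device defaults.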