46   ESR Series Routers Operation Manual 
To pass traffic from the 'TRUST' zone into the 'UNTRUST' zone, create a zone pair and add a rule permitting traffic in that direction. The rule also checks that the packet's source address belongs to the 'LOCAL_NET' address range, so that only hosts of the local network are allowed out to the public network. A rule takes effect only after the enable command.
esr(config)# security zone-pair TRUST UNTRUST 
esr(config-zone-pair)# rule 1 
esr(config-zone-rule)# match source-address LOCAL_NET 
esr(config-zone-rule)# match destination-address any 
esr(config-zone-rule)# match protocol any 
esr(config-zone-rule)# action permit 
esr(config-zone-rule)# enable 
esr(config-zone-rule)# exit 
esr(config-zone-pair)# exit 
Configure the SNAT service. The first step is to create a pool of public network addresses for SNAT to use.
esr(config)# nat source
esr(config-snat)# pool TRANSLATE_ADDRESS 
esr(config-snat-pool)# ip address-range 100.0.0.100-100.0.0.249  
esr(config-snat-pool)# exit 
The second step is to create an SNAT rule set. In the set attributes, specify that its rules apply only to packets leaving for the public network, i.e. into the 'UNTRUST' zone. The rule again checks that the packet's source address belongs to the 'LOCAL_NET' address range, so only local hosts are translated.
esr(config-snat)# ruleset SNAT 
esr(config-snat-ruleset)# to zone UNTRUST 
esr(config-snat-ruleset)# rule 1 
esr(config-snat-rule)# match source-address LOCAL_NET 
esr(config-snat-rule)# match destination-address any 
esr(config-snat-rule)# match destination-port any 
esr(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS 
esr(config-snat-rule)# enable 
esr(config-snat-rule)# exit 
esr(config-snat-ruleset)# exit 
The translated addresses from the pool are not assigned to any interface, so the upstream router would get no answer when it sends ARP requests for them. To make the router answer such requests, enable the ARP Proxy service. It is configured on the interface whose IP address belongs to the subnet of the 'PUBLIC_POOL' public network address profile.
esr(config)# interface tengigabitethernet 1/0/1 
esr(config-if-te)# ip nat proxy-arp PUBLIC_POOL 
To give LAN devices access to the public network, configure them to route via the router: 10.1.2.1 must be set as their gateway address.
On the router, create a route to the public network. Define it as the default route with the following command.
esr(config)# ip route 0.0.0.0/0 100.0.0.100
esr(config)# exit
The next hop must be the address of the upstream gateway on the public subnet. Note that 100.0.0.100, as written in this example, also falls inside the TRANSLATE_ADDRESS pool (100.0.0.100-100.0.0.249); in a real deployment the gateway's address must not be part of the SNAT pool, otherwise the router may hand it out as a translated source address and, with proxy ARP enabled for the pool, answer ARP requests meant for the gateway.
Configuration changes take effect when the commit command is executed. The confirm command then acknowledges the committed configuration; a committed but unconfirmed configuration is rolled back to the previous one after the rollback timer expires.
esr# commit
Configuration has been successfully committed
esr# confirm
Configuration has been successfully confirmed
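The router commits the fragment above without checking that its pieces agree with each other: a default-route next hop that falls inside the translation pool, a pool drawn from private address space, or a rule that references a pool that was never created all pass commit. The following script is an added example, not part of the manual and not Eltex tooling; it parses a copy of the page's example (constructed inline here) with a few regular expressions and reports such inconsistencies. The corrected next hop 100.0.0.1 used at the end is a hypothetical value standing in for the upstream gateway's real address.

```python
"""Consistency check for the SNAT / zone-pair example on this page.

Added example; not Eltex code and not part of the ESR CLI. It parses the
CLI text of the example (constructed inline below from the page) and flags
configuration mistakes that the router itself will commit without complaint.
"""
import ipaddress
import re

# Constructed from the page's example; not captured from a live router.
PAGE_CONFIG = """\
security zone-pair TRUST UNTRUST
 rule 1
  match source-address LOCAL_NET
  match destination-address any
  match protocol any
  action permit
  enable
nat source
 pool TRANSLATE_ADDRESS
  ip address-range 100.0.0.100-100.0.0.249
 ruleset SNAT
  to zone UNTRUST
  rule 1
   match source-address LOCAL_NET
   match destination-address any
   match destination-port any
   action source-nat pool TRANSLATE_ADDRESS
   enable
interface tengigabitethernet 1/0/1
 ip nat proxy-arp PUBLIC_POOL
ip route 0.0.0.0/0 100.0.0.100
"""

POOL_NAME_RE = re.compile(r"^\s*pool\s+(\S+)\s*$")
RANGE_RE = re.compile(r"^\s*ip address-range\s+(\S+)-(\S+)")
ROUTE_RE = re.compile(r"^\s*ip route\s+(\S+)\s+(\S+)")
SOURCE_RE = re.compile(r"^\s*match source-address\s+(\S+)")
NAT_POOL_RE = re.compile(r"^\s*action source-nat pool\s+(\S+)")


def parse(config):
    """Extract what the checks need: pools, routes, source objects, pools used by rules."""
    pools = {}        # pool name -> list of (first, last) IPv4Address
    routes = []       # (prefix, next hop) for every 'ip route' line with an IP next hop
    sources = set()   # object names used in 'match source-address' (firewall and SNAT rules)
    used_pools = set()
    current_pool = None
    for line in config.splitlines():
        if m := POOL_NAME_RE.match(line):
            current_pool = m.group(1)
            pools.setdefault(current_pool, [])
        elif (m := RANGE_RE.match(line)) and current_pool:
            first, last = (ipaddress.ip_address(a) for a in m.groups())
            pools[current_pool].append((first, last))
        elif m := ROUTE_RE.match(line):
            try:
                routes.append((m.group(1), ipaddress.ip_address(m.group(2))))
            except ValueError:   # next hop given as an interface name; nothing to check
                pass
        elif m := SOURCE_RE.match(line):
            sources.add(m.group(1))
        elif m := NAT_POOL_RE.match(line):
            used_pools.add(m.group(1))
    return pools, routes, sources, used_pools


def check(config):
    """Return human-readable findings; an empty list means the fragment is consistent."""
    pools, routes, sources, used_pools = parse(config)
    findings = []
    for name, ranges in pools.items():
        for first, last in ranges:
            if first > last:
                findings.append(f"pool {name}: range {first}-{last} is reversed")
            if not (first.is_global and last.is_global):
                findings.append(f"pool {name}: {first}-{last} is not public address space")
    # The default route's next hop is the upstream gateway; if it sits inside a
    # translation pool the router may use it as a translated source address and
    # (with proxy ARP for the pool) answer ARP requests meant for the gateway.
    for prefix, next_hop in routes:
        for name, ranges in pools.items():
            for first, last in ranges:
                if first <= next_hop <= last:
                    findings.append(f"route {prefix}: next hop {next_hop} lies inside "
                                    f"SNAT pool {name} ({first}-{last})")
    for name in sorted(used_pools - set(pools)):
        findings.append(f"SNAT rule references undefined pool {name}")
    if len(sources) > 1:
        findings.append("firewall and SNAT rules match different source objects: "
                        + ", ".join(sorted(sources)))
    return findings


if __name__ == "__main__":
    for finding in check(PAGE_CONFIG) or ["no findings"]:
        print(finding)
    # Hypothetical corrected next hop, assumed to be the upstream gateway's own address.
    fixed = PAGE_CONFIG.replace("ip route 0.0.0.0/0 100.0.0.100", "ip route 0.0.0.0/0 100.0.0.1")
    print(check(fixed) or "no findings")
```

Run against the page's fragment it reports exactly one finding, the next hop 100.0.0.100 lying inside TRANSLATE_ADDRESS; with the hypothetical next hop 100.0.0.1 it reports nothing. The checks are deliberately limited to what can be read from the fragment itself; whether PUBLIC_POOL actually contains the pool subnet is defined on the preceding page and is not verified here.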