ESR series service routers. ESR-Series. User manual
16.3.2 Configuration example 1
Objective:
Configure access for users in LAN 10.1.2.0/24 to the public network using the Source NAT function. Use the
public network address range 100.0.0.100-100.0.0.249 for SNAT.
Solution:
Begin by creating the security zones, then configure the network interfaces and assign them to the zones.
Create the 'TRUST' zone for the LAN and the 'UNTRUST' zone for the public network.
esr# configure
esr(config)# security zone UNTRUST
esr(config-zone)# exit
esr(config)# security zone TRUST
esr(config-zone)# exit
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip address 10.1.2.1/24
esr(config-if-gi)# security-zone TRUST
esr(config-if-gi)# exit
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip address 100.0.0.99/24
esr(config-if-te)# security-zone UNTRUST
esr(config-if-te)# exit
To configure the SNAT function and define rules between the security zones, create the 'LOCAL_NET' LAN
address profile, which contains the addresses allowed to access the public network, and the 'PUBLIC_POOL'
public network address profile.
esr(config)# object-group network LOCAL_NET
esr(config-object-group-network)# ip address-range 10.1.2.2-10.1.2.254
esr(config-object-group-network)# exit
esr(config)# object-group network PUBLIC_POOL
esr(config-object-group-network)# ip address-range 100.0.0.100-100.0.0.249
esr(config-object-group-network)# exit
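Before applying the two address profiles, it is worth checking that they fit the interfaces configured above: the LAN range must lie inside the TRUST interface subnet, and the SNAT pool must lie inside the UNTRUST subnet without including the router's own address or the subnet's network/broadcast addresses. The following script is an added example, not Eltex code; it takes the addresses from this configuration example as constructed input.

```python
import ipaddress

# Values taken from the configuration example above (constructed input for the check)
LAN_IF = "10.1.2.1/24"
WAN_IF = "100.0.0.99/24"
LOCAL_NET = "10.1.2.2-10.1.2.254"
PUBLIC_POOL = "100.0.0.100-100.0.0.249"


def parse_range(rng):
    """Parse an 'ip address-range A-B' value into (first, last) addresses."""
    first, last = (ipaddress.ip_address(x.strip()) for x in rng.split("-"))
    if last < first:
        raise ValueError(f"range end precedes start: {rng}")
    return first, last


def range_within(rng, iface_cidr):
    """True if every address of the range lies inside the interface subnet."""
    net = ipaddress.ip_interface(iface_cidr).network
    first, last = parse_range(rng)
    return first in net and last in net


def range_contains(rng, addr):
    first, last = parse_range(rng)
    return first <= ipaddress.ip_address(addr) <= last


def pool_size(rng):
    """Number of public addresses available to SNAT in the pool."""
    first, last = parse_range(rng)
    return int(last) - int(first) + 1


def check_snat_profiles(lan_if, wan_if, local_net, public_pool):
    """Return a list of findings; an empty list means the profiles are consistent."""
    findings = []
    lan, wan = ipaddress.ip_interface(lan_if), ipaddress.ip_interface(wan_if)
    if not range_within(local_net, lan_if):
        findings.append("LOCAL_NET is not inside the TRUST interface subnet")
    if range_contains(local_net, str(lan.ip)):
        findings.append("LOCAL_NET includes the router's own TRUST address")
    if not range_within(public_pool, wan_if):
        findings.append("PUBLIC_POOL is not inside the UNTRUST interface subnet")
    if range_contains(public_pool, str(wan.ip)):
        findings.append("PUBLIC_POOL overlaps the router's own UNTRUST address")
    for special in (wan.network.network_address, wan.network.broadcast_address):
        if range_contains(public_pool, str(special)):
            findings.append(f"PUBLIC_POOL includes network/broadcast address {special}")
    return findings
```

Running `check_snat_profiles(LAN_IF, WAN_IF, LOCAL_NET, PUBLIC_POOL)` on the values above returns no findings, and `pool_size(PUBLIC_POOL)` reports 150 public addresses available for translation.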
Each 'match' command may contain the 'not' key. When the key is used, the rule applies to packets that do
not meet the given condition, that is, to values which are not included in the specified profile.
For more information about router configuration, see the 'CLI command reference guide'.