esr(config-dnat)# ruleset DNAT
esr(config-dnat-ruleset)# from zone UNTRUST
esr(config-dnat-ruleset)# rule 1
esr(config-dnat-rule)# match destination-address NET_UPLINK
esr(config-dnat-rule)# match protocol tcp
esr(config-dnat-rule)# match destination-port SRV_HTTP
esr(config-dnat-rule)# action destination-nat pool SERVER_POOL
esr(config-dnat-rule)# enable
esr(config-dnat-rule)# exit
esr(config-dnat-ruleset)# exit
esr(config-dnat)# exit
To pass traffic coming from the 'UNTRUST' zone into the 'TRUST' zone, create the corresponding zone pair. Only
DNAT-translated traffic whose destination address matches the 'SERVER_IP' object specified in the profile should
be passed.
esr(config)# security zone-pair UNTRUST TRUST
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# match destination-address SERVER_IP
esr(config-zone-pair-rule)# match destination-nat
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# exit
Configuration changes will take effect when the configuration is applied. The resulting DNAT configuration can be viewed with the following commands:
esr# show ip nat destination pools
esr# show ip nat destination rulesets
esr# show ip nat proxy-arp
esr# show ip nat translations
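The zone-pair rule above is what keeps the DNAT hole narrow: it permits only traffic that has already been translated ('match destination-nat') and is addressed to 'SERVER_IP'. The following is an added example, not ESR's own tooling: a small Python audit that parses zone-pair CLI lines of the form shown above (a simplified reading of the CLI, an assumption) and reports enabled permit rules in the UNTRUST→TRUST pair that lack the 'match destination-nat' restriction.

```python
# Added example, not ESR's own code. Constructed sample: rule 1 is the page's
# own rule; rule 2 is an added, deliberately over-broad rule the audit should report.
SAMPLE = """
esr(config)# security zone-pair UNTRUST TRUST
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# match destination-address SERVER_IP
esr(config-zone-pair-rule)# match destination-nat
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-pair-rule)# match protocol tcp
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
"""

def parse_rules(text):
    """Read 'esr(...)# <command>' lines into rule dicts, tracking the
    enclosing ruleset / zone-pair (a simplified model of the ESR CLI)."""
    rules, context, cur = [], "", None
    for line in text.strip().splitlines():
        if "# " not in line:
            continue
        words = line.split("# ", 1)[1].split()
        if words[0] in ("ruleset", "security"):      # new enclosing context
            context = " ".join(words)
        elif words[0] == "rule":
            cur = {"context": context, "number": int(words[1]),
                   "matches": [], "action": "", "enabled": False}
            rules.append(cur)
        elif cur and words[0] == "match":             # keep the match type only
            cur["matches"].append(words[1])
        elif cur and words[0] == "action":
            cur["action"] = words[1]
        elif cur and words[0] == "enable":
            cur["enabled"] = True
    return rules

def unscoped_permits(rules, from_zone="UNTRUST", to_zone="TRUST"):
    """Numbers of enabled permit rules in the zone pair that carry no
    'match destination-nat' restriction."""
    ctx = f"security zone-pair {from_zone} {to_zone}"
    return [r["number"] for r in rules
            if r["context"] == ctx and r["enabled"] and r["action"] == "permit"
            and "destination-nat" not in r["matches"]]

print("over-broad zone-pair permits:", unscoped_permits(parse_rules(SAMPLE)))
```

Running it on the constructed sample reports rule 2 only; rule 1, the page's own, passes because it is limited to translated traffic.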
16.3 Source NAT configuration
The Source NAT (SNAT) function substitutes the source address of packets passing through the network gateway.
When packets are sent from the LAN into the public network, the source address is replaced with one of the
gateway's public addresses; the source port may be substituted as well. When reply packets are sent back from the
public network to the LAN, the address and port are restored to their original values.
SNAT provides Internet access for computers located in the LAN without assigning public IP addresses to these
computers.
16.3.1 Configuration algorithm
Step | Description | Command | Keys
1 | Switch to the configuration mode of the source address translation service. | esr(config)# nat source |