16.3.3 Configuration example 2
Objective:
Configure access for users in LAN 21.12.2.0/24 to public network using Source NAT function without the
firewall. Public network address range for SNAT 200.10.0.100-200.10.0.249.
Solution:
Begin configuration with network interface configuration and disabling the firewall:
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip address 21.12.2.1/24
esr(config-if-gi)# ip firewall disable
esr(config-if-gi)# exit
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip address 200.10.0.1/24
esr(config-if-te)# ip firewall disable
esr(config-if-te)# exit
For SNAT function configuration, create 'LOCAL_NET' LAN address profile that includes addresses which are
allowed to access the public network and 'PUBLIC_POOL' public network address profile.
esr(config)# object-group network LOCAL_NET
esr(config-object-group-network)# ip address-range 21.12.2.2-21.12.2.254
esr(config-object-group-network)# exit
esr(config)# object-group network PUBLIC_POOL
esr(config-object-group-network)# ip address-range 200.10.0.100-200.10.0.249
esr(config-object-group-network)# exit
Configure SNAT service.
First step is to create public network address pool for use with SNAT:
esr(config)# nat source
esr(config-snat)# pool TRANSLATE_ADDRESS
esr(config-snat-pool)# ip address-range 200.10.0.100-200.10.0.249
esr(config-snat-pool)# exit
Second step is to create SNAT rule set. In the set attributes, specify that the rules are applying only to packets
transferred to public network through te1/0/1 port. Rules include a check which ensures that data source
address belongs to 'LOCAL_NET' pool:
To Next Page
Loading...
