Configuration guide to NAT Destination
Version 1.0
ScreenOS 5.0.0 and higher.

NAT DESTINATION

The objective of this document is to describe the step-by-step procedure for configuring NAT-Dst on a NetScreen firewall. This applies to any ScreenOS currently available.

INTRODUCTION:

You can define policies to translate the destination address from one IP address to another. Perhaps you need the NetScreen device to translate one or more public IP addresses to one or more private addresses. The relationship of the original destination address to the translated destination address can be any of the following:

- One-to-one mapping maps a single public IP address (as defined in an Address Book entry) to a single private IP address.
- Many-to-one mapping translates a group of public addresses (as defined in an Address Book entry) to a single private IP address.
- Many-to-many mapping translates a group of public addresses (as defined in an Address Book entry) to a contiguous range of private IP addresses, using the address shifting mechanism.
- Port mapping allows you to add port translation to NAT-Dst configurations.

In this document we discuss how to configure a one-to-one relation of a public IP with a private IP using NAT-Dst. The same can be accomplished using a MIP on the Untrust zone. Note the difference: when a MIP is configured, the private IP is translated to the public IP for both incoming and outgoing traffic, so connections initiated by the private host also appear on the Internet with the public IP; when NAT-Dst is configured in a policy, only sessions that match that policy and are initiated toward the public address are translated, and the private host's own outbound traffic is not mapped to the public IP. For configuration examples of the other NAT-Dst options mentioned above, refer to the Concepts and Examples guide: http://www.juniper.net/techpubs/software/screenos/screenos5.2.0/ce_v7.pdf

REQUIREMENTS for NAT-DST:

1. In order for NAT-Dst to work, the public address needs to be mapped to the correct internal/private zone. You can accomplish this through either:

- Configuring the public address as a secondary address on one of the internal interfaces in the zone where the server or computer used for NAT-Dst is installed. (Refer to step 4 (a) in the CLI configuration.)
- Configuring a static route to the public address or address range with the outbound interface being one of the internal interfaces, as explained previously. (Refer to step 4 in the WebUI / CLI configuration.)

2. Additionally, the addresses to be translated need to be configured as Address Book entries in the internal zone. It is not possible to use Any as the pre-translation destination address when using NAT-Dst. (Refer to step 2 in the WebUI / CLI configuration.)

3. Ensure proper routing is configured from the ISP to direct traffic to the firewall for any request coming in to the NAT-Dst public address.

4. The original destination IP address and the translated destination IP address must be in the same security zone.

NAT-DST Configuration Procedure:

1. Configure an Address Book entry for the public address(es).
2. Configure route / reachability:
   a) Secondary interface address, or
   b) Static route.
3. Configure the policy:
   a) Single post-translation address (xxx-to-one)
   b) Multiple post-translation addresses (xxx-to-many)
   c) Port mapping.

Example: One-to-One Destination Translation:

In this example, you set a policy to provide one-to-one destination network address translation (NAT-Dst) without changing the destination port numbers. The policy instructs the NetScreen device to perform the following tasks:

- Permit both FTP and HTTP traffic (defined as the service group http-ftp) from any address in the Untrust zone to the original destination address named oda2 with address 1.2.1.8 in the DMZ zone.
- Translate the destination IP address in the IP packet header from 1.2.1.8 to 10.2.1.8.
- Leave the original destination port number in the TCP segment header as is (80 for HTTP, and 21 for FTP).
- Forward HTTP and FTP traffic to 10.2.1.8 in the DMZ zone.

You bind ethernet3 to the Untrust zone and assign it IP address 1.1.1.1/24. You bind ethernet2 to the DMZ zone and assign it IP address 10.2.1.1/24. You also define a route to the original destination address 1.2.1.8 through ethernet2. Both the Untrust zone and the DMZ zone are in the trust-vr routing domain.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
   Zone Name: Untrust
   Static IP: (select this option when present)
   IP Address/Netmask: 1.1.1.1/24
Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:
   Zone Name: DMZ
   Static IP: (select this option when present)
   IP Address/Netmask: 10.2.1.1/24

2. Address
Objects > Addresses > List > New: Enter the following information, and then click OK:
   Address Name: oda2
   IP Address/Domain Name: IP/Netmask: (select), 1.2.1.8/32
   Zone: DMZ

3. Service Group
Objects > Services > Group: Enter the following group name, move the following services, and then click OK:
   Group Name: HTTP-FTP
   Select HTTP and use the << button to move the service from the Available Members column to the Group Members column.
   Select FTP and use the << button to move the service from the Available Members column to the Group Members column.

4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
   Network Address / Netmask: 1.2.1.8/32
   Gateway: (select)
   Interface: ethernet2
   Gateway IP Address: 0.0.0.0

5. Policy
Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:
   Source Address: Address Book Entry: (select), Any
   Destination Address: Address Book Entry: (select), oda2
   Service: HTTP-FTP
   Action: Permit
   > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

      NAT:
      Destination Translation: (select)
      Translate to IP: (select), 10.2.1.8
      Map to Port: (clear)

CLI:

1. Interfaces
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet2 zone dmz
set interface ethernet2 ip 10.2.1.1/24

2. Address
set address dmz oda2 1.2.1.8/32

3. Service Group
set group service http-ftp
set group service http-ftp add http
set group service http-ftp add ftp

4. Route (use either the static route or the secondary interface address in 4 (a); both satisfy requirement 1)
set vrouter trust-vr route 1.2.1.8/32 interface ethernet2

a) Secondary IP on the interface (alternative to the static route)
set interface ethernet2 ip 1.2.1.0/24 secondary

5. Policy
set policy from untrust to dmz any oda2 http-ftp nat dst ip 10.2.1.8 permit
save

Verifying NAT-Dst - WebUI

You can verify that translation has been added to the policy by looking at the action icon. A blue checkmark indicates that translation has been added via the advanced policy options. The policy logging feature only records source translation, so no destination translation will be visible in the WebUI logs.

Verifying NAT-Dst - CLI

Using the CLI, you can verify that translation has been added to the policy; the "nat dst map to" line shows the translated address:

ns5gt-> get pol id 2
name:"none" (id 2), zone Untrust -> DMZ,action Permit, status "enabled"
src "Any", dst "oda2", serv "http-ftp"
Policies on this vpn tunnel: 0
nat dst map to 10.2.1.8, serv_timeout 0 (minute)
vpn unknown vpn, policy flag 00000000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set
ns5gt->

You can also view any currently established sessions and the associated translation with the get session command. Note in this example that the destination IP address 1.2.1.8 is translated to the IP address 10.2.1.8: the first flow line of each session shows the packet with its original destination 1.2.1.8, and the second flow line shows the reply coming back from the translated host 10.2.1.8 (port 80 for HTTP, 21 for FTP, unchanged because no port mapping was configured):

ns5gt-> get session
alloc 3/max 2064, alloc failed 0, mcast alloc 0, di alloc failed 0
id 2061/s**,vsys 0,flag 00000040/0080/21,policy 320000,time 180, dip 0
 3(0011):2.2.2.5/25611->1.2.1.8/80,6,000000000000,8,vlan 0,tun 0,vsd 0,route 2
 2(100600):2.2.2.5/25611<-10.2.1.8/80,6,0003ba5ba68f,4,vlan 0,tun 0,vsd 0,route 1
Total 1 sessions shown

ns5gt-> get session
alloc 3/max 2064, alloc failed 0, mcast alloc 0, di alloc failed 0
id 2061/s**,vsys 0,flag 00000040/0080/21,policy 320000,time 180, dip 0
 3(0011):2.2.2.5/40365->1.2.1.8/21,6,000000000000,8,vlan 0,tun 0,vsd 0,route 2
 2(100600):2.2.2.5/40365<-10.2.1.8/21,6,0003ba5ba68f,4,vlan 0,tun 0,vsd 0,route 1
Total 1 sessions shown.
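The requirements section above lists the conditions a NAT-Dst policy must meet (an Address Book entry rather than Any as the pre-translation destination, that entry in the policy's destination zone, and a static route or secondary interface address that places the public address on an interface in that zone). The following Python script is an added example, not code from Juniper or from this guide: it parses the CLI commands used in this guide (and only those command forms) and reports which of those requirements a configuration fails. The embedded configuration is constructed from the CLI steps above; the requirement 4 check (translated host inside a subnet of an interface in the destination zone) is a heuristic of this example, not a rule stated by ScreenOS.

```python
"""Lint a ScreenOS CLI snippet against the NAT-Dst requirements in this guide.

Added example, not Juniper code: it understands only the 'set' commands the
guide uses (interface zone and ip, address, vrouter route, policy with
'nat dst ip') and reports violations of requirements 1, 2 and 4. Requirement
3 (upstream routing at the ISP) cannot be checked from the firewall config.
"""
import ipaddress
import re

POLICY_RE = re.compile(
    r"^set policy from (\S+) to (\S+) (\S+) (\S+) (\S+) nat dst ip (\S+) permit$"
)

# Constructed from the CLI steps of this guide (static-route variant).
GUIDE_CONFIG = [
    "set interface ethernet3 zone untrust",
    "set interface ethernet3 ip 1.1.1.1/24",
    "set interface ethernet2 zone dmz",
    "set interface ethernet2 ip 10.2.1.1/24",
    "set address dmz oda2 1.2.1.8/32",
    "set group service http-ftp",
    "set group service http-ftp add http",
    "set group service http-ftp add ftp",
    "set vrouter trust-vr route 1.2.1.8/32 interface ethernet2",
    "set policy from untrust to dmz any oda2 http-ftp nat dst ip 10.2.1.8 permit",
]


def parse_config(lines):
    """Collect the pieces of the configuration the requirements refer to."""
    cfg = {"if_zone": {}, "if_nets": [], "routes": [], "addresses": {}, "policies": []}
    for line in lines:
        p = line.split()
        if p[:2] == ["set", "interface"] and len(p) >= 5 and p[3] == "zone":
            cfg["if_zone"][p[2]] = p[4].lower()
        elif p[:2] == ["set", "interface"] and len(p) >= 5 and p[3] == "ip":
            # primary or 'secondary' address; both put a subnet on the interface
            net = ipaddress.ip_network(p[4], strict=False)
            cfg["if_nets"].append((p[2], net, p[-1] == "secondary"))
        elif p[:2] == ["set", "address"] and len(p) >= 5:
            # set address <zone> <name> <ip>/<mask>   (slash form used in the guide)
            cfg["addresses"][p[3]] = (p[2].lower(), ipaddress.ip_network(p[4], strict=False))
        elif p[:2] == ["set", "vrouter"] and len(p) >= 7 and p[3] == "route" and p[5] == "interface":
            # set vrouter <vr> route <prefix> interface <ifname>
            cfg["routes"].append((ipaddress.ip_network(p[4], strict=False), p[6]))
        else:
            m = POLICY_RE.match(line)
            if m:
                cfg["policies"].append(m.groups())
    return cfg


def check_nat_dst(lines):
    """Return a list of problem strings; an empty list means the requirements are met."""
    cfg = parse_config(lines)
    problems = []
    for from_zone, to_zone, _src, dst, _svc, xlate in cfg["policies"]:
        to_zone = to_zone.lower()
        tag = f"policy {from_zone}->{to_zone} nat dst {xlate}"
        # Requirement 2: pre-translation destination must be an address book
        # entry in the destination zone, never Any.
        if dst.lower() == "any":
            problems.append(f"{tag}: 'Any' cannot be the pre-translation destination")
            continue
        if dst not in cfg["addresses"]:
            problems.append(f"{tag}: address book entry '{dst}' not found")
            continue
        zone, public = cfg["addresses"][dst]
        if zone != to_zone:
            problems.append(f"{tag}: '{dst}' is in zone {zone}, but the policy destination zone is {to_zone}")
        # Requirement 1: the public address must be reached through an interface
        # in the destination zone, via a static route or a secondary address.
        via_route = any(public.subnet_of(pfx) and cfg["if_zone"].get(ifn) == to_zone
                        for pfx, ifn in cfg["routes"])
        via_secondary = any(public.subnet_of(net) and sec and cfg["if_zone"].get(ifn) == to_zone
                            for ifn, net, sec in cfg["if_nets"])
        if not (via_route or via_secondary):
            problems.append(f"{tag}: {public} is not routed or secondary-addressed onto an interface in zone {to_zone}")
        # Requirement 4 (heuristic of this example): the translated host should
        # sit in a subnet of an interface bound to the same zone.
        host = ipaddress.ip_address(xlate)
        if not any(host in net and cfg["if_zone"].get(ifn) == to_zone for ifn, net, _ in cfg["if_nets"]):
            problems.append(f"{tag}: {xlate} is not in a subnet of any interface in zone {to_zone}")
    return problems


if __name__ == "__main__":
    print(check_nat_dst(GUIDE_CONFIG) or "NAT-Dst requirements satisfied")
```

Running the script on the guide's own configuration reports no problems; dropping the "set vrouter" route line reproduces the most common NAT-Dst failure (public address not reachable through the destination zone), and adding the step 4 (a) secondary address instead of the route clears it again.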
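Because the WebUI policy log does not record destination translation, the "get session" listing above is the place to confirm that NAT-Dst is actually applied. The following Python script is an added example, not Juniper code or a Juniper-documented output format: it parses the two flow lines of each session, as printed in the listing above, and reports every session whose reply host differs from the destination the client sent to. The sample output is constructed from the guide's HTTP session; the regular expressions match only the fields visible in that listing.

```python
"""Parse ScreenOS 'get session' output and list the NAT-Dst translations in it.

Added example, not Juniper code: it reads the two flow lines printed under
each 'id ...' header in this guide's verification section. The forward flow
(->) shows the destination the client sent to, the reverse flow (<-) shows the
host that answered, so a difference between them is the destination
translation that the WebUI policy log does not record.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the 'get session' listing in this guide.
SAMPLE_OUTPUT = """\
ns5gt-> get session
alloc 3/max 2064, alloc failed 0, mcast alloc 0, di alloc failed 0
id 2061/s**,vsys 0,flag 00000040/0080/21,policy 320000,time 180, dip 0
 3(0011):2.2.2.5/25611->1.2.1.8/80,6,000000000000,8,vlan 0,tun 0,vsd 0,route 2
 2(100600):2.2.2.5/25611<-10.2.1.8/80,6,0003ba5ba68f,4,vlan 0,tun 0,vsd 0,route 1
Total 1 sessions shown
"""

SESSION_RE = re.compile(r"^id (\d+)/")
# ' 3(0011):2.2.2.5/25611->1.2.1.8/80,6,...'  ->  src/port  dir  dst/port , proto ,
FLOW_RE = re.compile(r"^\s*\d+\(\w+\):(\S+?)/(\d+)(->|<-)(\S+?)/(\d+),(\d+),")


@dataclass
class NatDstTranslation:
    session_id: int
    protocol: int
    client: str
    client_port: int
    original_dst: str
    original_port: int
    translated_dst: str
    translated_port: int


def parse_sessions(text):
    """Group the flow lines under the 'id ...' header they belong to."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "flows": []})
            continue
        m = FLOW_RE.match(line)
        if m and sessions:
            sessions[-1]["flows"].append(m.groups())
    return sessions


def nat_dst_translations(text):
    """Return one record per session whose reply host or port differs from the original destination."""
    found = []
    for s in parse_sessions(text):
        fwd = next((f for f in s["flows"] if f[2] == "->"), None)
        rev = next((f for f in s["flows"] if f[2] == "<-"), None)
        if fwd is None or rev is None:
            continue  # truncated listing: both flow lines are needed
        original_dst, original_port = fwd[3], int(fwd[4])
        translated_dst, translated_port = rev[3], int(rev[4])
        if (original_dst, original_port) != (translated_dst, translated_port):
            found.append(NatDstTranslation(
                session_id=s["id"], protocol=int(fwd[5]),
                client=fwd[0], client_port=int(fwd[1]),
                original_dst=original_dst, original_port=original_port,
                translated_dst=translated_dst, translated_port=translated_port,
            ))
    return found


if __name__ == "__main__":
    for t in nat_dst_translations(SAMPLE_OUTPUT):
        print(f"session {t.session_id}: {t.client}:{t.client_port} -> "
              f"{t.original_dst}:{t.original_port} translated to "
              f"{t.translated_dst}:{t.translated_port}")
```

For the guide's session this reports 1.2.1.8:80 translated to 10.2.1.8:80; with the port-mapping option enabled the translated port would differ as well, which the same comparison picks up.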