IPLink Software Configuration Guide, 12 • NAT/NAPT configuration
NAT/NAPT configuration task list (page 133)

Step 4 (optional)
    Command: node(pf-napt)[name]#range local-ip-range-start local-ip-range-stop global-ip-start global-ip-stop
    Purpose: Configures and activates the Dynamic NAT: local-ip-range-start and local-ip-range-stop define the subset of local hosts that use an address from the global NAT address pool to access the global network. global-ip-start and global-ip-stop define the global NAT address pool. (max. 20 entries) The IP ranges of different Dynamic NAT entries must not overlap each other.

Step 5 (optional)
    Command: node(pf-napt)[name]#static local-ip global-ip
    Purpose: Creates a Static NAT entry: local-ip is mapped to global-ip. (max. 20 entries)

Step 6 (optional)
    Command: node(pf-napt)[name]#static { ah | esp | gre | ipv6 } local_ip [global_ip]
    Purpose: Creates a static NAT entry: traffic of the IP protocol AH, ESP, GRE, or IPv6 respectively directed to the global_ip is forwarded to the local_ip.

Use no in front of the above commands to delete a specific entry or the whole profile.

Note: The command icmp default is obsolete.

Example: Creating a NAPT Profile

The following example shows how to create a new NAPT profile access that contains all settings necessary to implement the examples in section “Introduction” on page 129.

    IPLink(cfg)#profile napt access
    IPLink(pf-napt)[access]#range 192.168.1.10 192.168.1.19 131.1.1.2
    IPLink(pf-napt)[access]#static tcp 192.168.1.20 80
    IPLink(pf-napt)[access]#static tcp 192.168.1.20 23 131.1.1.3
    IPLink(pf-napt)[access]#range 192.168.1.30 192.168.1.39 131.1.1.10 131.1.1.15
    IPLink(pf-napt)[access]#static 192.168.1.40 131.1.1.20
    IPLink(pf-napt)[access]#static ah 192.168.1.41 131.1.1.120

Configuring a NAPT DMZ host

The NAPT allows a DMZ host to be configured. The DMZ host receives any inbound traffic on the global NAPT interface that:

• Is not translated by any static or dynamic NAPT entry and
• Is not handled by the device itself.

The following procedure shows how a DMZ host can be configured.

Mode: profile napt

Step 1
    Command: [name] (pf-napt)[pf-name]# [no]dmz-host []
    Purpose: Configures a DMZ host. The global-ip-address must be specified only if the DMZ host is to handle the inbound traffic for a different NAPT global IP address than the gateway's global interface IP address.
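
The following is an added example, not part of the original guide or the vendor's software: a small Python check that runs the Dynamic NAT rules from step 4 (at most 20 entries, no overlapping ranges) over a saved profile before it is applied. The sample profile is constructed from the page's example plus one overlapping entry, and applying the overlap rule to both local ranges and global pools is an assumption, since the guide does not say which it means.

```python
import ipaddress
import re

MAX_DYNAMIC_NAT_ENTRIES = 20  # "max. 20 entries" in the step 4 description

# Constructed sample: lines from the page's example profile plus one
# deliberately overlapping Dynamic NAT entry (last line) to trigger the check.
SAMPLE_PROFILE = """\
profile napt access
range 192.168.1.10 192.168.1.19 131.1.1.2
static tcp 192.168.1.20 80
range 192.168.1.30 192.168.1.39 131.1.1.10 131.1.1.15
range 192.168.1.35 192.168.1.45 131.1.1.30 131.1.1.35
"""

def dynamic_nat_entries(text):
    """Return (line_no, local_lo, local_hi, global_lo, global_hi) per 4-address range line."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        # Drop an optional CLI prompt such as "IPLink(pf-napt)[access]#".
        words = re.sub(r"^\S*#\s*", "", line.strip()).split()
        if len(words) == 5 and words[0] == "range":
            addrs = [int(ipaddress.IPv4Address(w)) for w in words[1:]]
            entries.append((no, *addrs))
    return entries

def overlaps(a_lo, a_hi, b_lo, b_hi):
    return a_lo <= b_hi and b_lo <= a_hi

def lint(text):
    """Return findings; assumption: overlap is checked on local ranges and global pools."""
    entries = dynamic_nat_entries(text)
    findings = []
    if len(entries) > MAX_DYNAMIC_NAT_ENTRIES:
        findings.append(f"{len(entries)} Dynamic NAT entries, limit is {MAX_DYNAMIC_NAT_ENTRIES}")
    for no, l_lo, l_hi, g_lo, g_hi in entries:
        if l_lo > l_hi or g_lo > g_hi:
            findings.append(f"line {no}: range start is above range stop")
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if overlaps(a[1], a[2], b[1], b[2]):
                findings.append(f"lines {a[0]} and {b[0]}: local ranges overlap")
            if overlaps(a[3], a[4], b[3], b[4]):
                findings.append(f"lines {a[0]} and {b[0]}: global pools overlap")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_PROFILE):
        print(finding)
```

Range lines with three addresses, such as the first range command in the page's example, are skipped because the rules checked here are stated only for the four-address Dynamic NAT form.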