动手配置防火墙PPT.ppt

Step 1: 定义MIP Network Interface (Select Interface – click on MIP) set int name mip publicIP host privateIP ns208 set int e8 mip 5 host Step 2: 配置MIP策略 Policies Edit set policy from zone to zone SA MIP(addr) service permit Verifying MIP Operation – WebUI Policies Verifying MIP Operation - CLI Ping to MIP from external host Ping from internal host to external host Packet egress is the interface where the MIP is defined ns208- get session alloc 225/max 128000, alloc failed 0 id 292/s**,vsys 0,flag00/00,policy 2,time 1 10(01):/1728-5/1024,1,0010db21c041,vlan 0,tun 0,vsd 0 0(20):/1728-/1024,1,0010db12cea1,vlan 0,tun 0,vsd 0 ns208- get session alloc 2/max 128000, alloc failed 0 id 38/s**,vsys 0,flag00/00,policy 1,time 1 0(01):/7936-/512,1,0010db12cea1,vlan 0,tun 0,vsd 0 10(20):5/7936-/512,1,0010db21c041,vlan 0,tun 0,vsd 0 e1 e2 e3 e7 e8 ???????? MIP “Shortcut” – Using Masks A mask specifies which bits in the network portion of the IP address are translated What public address does 00 map to? Hint: binary for 100 isDotted Decimal Binary 26 Bits =0101011100XXXXXX 4 =0000101101XXXXXX Convert only this side 4/26 E8: 00/16 ? 5 ? 6 ? 7 ? 8 Etc. A Host A: 00 MIP(/26) MIPs 使用掩码 Network Interface (Select Interface – click on MIP) set int name mip publicIP host privateIP netmask mask ns208 set int e8 mip 2 host 2 netmask 48 MIP Complications – Other Interfaces? What if Host C wants to communicate with Host A using MIP defined on E8? External Zone Private Zone 50 /24 /24 B /24 Public Zone .254 A B C D /24 /24 .1 .254 .1 .254 /24 /24 .254 .1 MIP = 5 The Solution – Two Policies Policy 1 from Public to External – permits routing/forwarding to IP address 5 Policy 2 is existing policy (from external to private or external to global) – invokes MIP to translate 5 to External Zone Private Zone 50 /24 /24 B /24 Public Zone .254 A B