I'm going to talking about MIP feature
on Nescreen via a sample network design. This network uses private
addresses in the Internal Side and has got public addresses to use
external side. The network structure is shown below,
As shown on network design, we have a
computer which has got 172.16.100.11 ip address and we want to map it
to 21x.xxx.xx.236 public IP address. What we want is shown below:
When computer sends any request to
public Internet side, devices which are located on Internet side will
see it as 21x.xxx.xx.236 and when a request is sent from Internet to
21x.xxx.xx.236 IP address, FW redirects it to 172.16.100.11 IP
address. So 172.16.100.11 means 21x.xxx.xx.236 and 21x.xxx.xx.236
means 172.16.100.11.
We will set MIP configuration on
Netscreen for this purpose.
(The external side is defined as
Internet zone and the internal network is defined as system zone on
firewall before. Following configurations are illustrating as that
zone names)
First of all, 21x.xxx.xx.236 is an IP
address which is located in the segment between FW and Main router.
This segment is not behind of a firewall, conversely, front of the
firewall. The firewall should be taken on itself like a
sub-interface. Anyway we have to see 21x.xxx.xx.236 IP address in the
main router ARP Table with a MAC address which is got from firewall.
Otherwise, packages which contains 21x.xxx.xx.236 in the destination
field is not able to arrive to target. I will explain this background
info at the end of this article. Let's continue to configuration.
1)
Select “Interfaces” item on
the menu which is located on left side of the netscreen
configuration web-interface.
2)
When Interfaces item is clicked, we can
see a page as shown below on the right side of page.
3)
Clicking to Edit link which is marked
on above picture. When It is clicked, following page will be opened.
4)
Clicking to MIP link, this page is
listing already created MIPs.
5)
Clicking to New button on the right
side.
6)
When clicking to OK and check MIP list
again, we will see our configuration on the MIP list,
7)
Right now, Mapped IP configuration is
done. But we have to create the policy to permit traffic. It should
have both directions. The following one is about Internet to system
direction.
When
you are clicking to policies under the policy menu, you can see
policy list on the right side of the page. There
are “from” and “to” commands at top of the right side. Select
the “Internet” option from the combobox “from” and select
system using the “to” part.
Right now, The
firewall is listing policies from internet to
system. Clicking to “New” buttom on the top-right side.
These two points are important at this step. First, destination address should be MIP. Second, action should be “Permit”.
These two points are important at this step. First, destination address should be MIP. Second, action should be “Permit”.
8)
Select “system” for 'from' part and
select “Internet” for 'to' part on top side and click “go”
button after than click to “New” button.
Source address should be 172.16.100.11
and destination address should be “any”. Than select permit for
action.
This step permits access to Internet
side for 172.16.100.11 addressed computer. If you want to permit
access from internet to your internal workstation only, you don't
need this step.
Let's analyse communication background
on this scenario.
Telnet to Main router (It's Cisco 3661)
and run “show arp” command. Getting output like below,
UGC_Topkapi_3661#show arp Protocol Address Age (min) Hardware Addr Type Interface .. Internet 21x.xxx.xx.250 0 0010.dbff.22e0 ARPA FastEthernet4/0 …. Internet 21x.xxx.xx.236 161 0010.dbff.22e0 ARPA FastEthernet4/0 … ...
As you know, 21x.xxx.xx.236 and
21x.xxx.xx.250 ip addresses has got exactly same MAC address. The
Main router should be send 21.x.xxx.xx.236 packages to firewall mac.
The firewall know already how to access to main router.
If you understand any step, let me know please.
No comments:
Post a Comment
Thanks