ESR service routers. ESR-Series. Functionality description. Version 1.12.0
To pass traffic from the 'TRUST' zone into the 'UNTRUST' zone, create the zone pair and add a rule permitting traffic in that direction. The rule additionally checks that the packet's source address belongs to the 'LOCAL_NET' address range, so that only hosts of the local network are allowed to reach the public network. A rule takes effect only after the enable command.
esr(config)# security zone-pair TRUST UNTRUST
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# match source-address LOCAL_NET
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
Configure the SNAT service. The first step is to create the pool of public network addresses that SNAT will translate source addresses to.
esr(config)# nat source
esr(config-snat)# pool TRANSLATE_ADDRESS
esr(config-snat-pool)# ip address-range 100.0.0.100-100.0.0.249
esr(config-snat-pool)# exit
The second step is to create the SNAT rule set. In the rule set attributes, specify that its rules apply only to packets leaving towards the public network, that is, into the 'UNTRUST' zone. The rule also checks that the packet's source address belongs to the 'LOCAL_NET' address range, so that only local network hosts are translated.
esr(config-snat)# ruleset SNAT
esr(config-snat-ruleset)# to zone UNTRUST
esr(config-snat-ruleset)# rule 1
esr(config-snat-rule)# match source-address LOCAL_NET
esr(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS
esr(config-snat-rule)# enable
esr(config-snat-rule)# exit
esr(config-snat-ruleset)# exit
For the router to answer ARP requests for addresses from the public pool, the ARP Proxy service must be started. ARP Proxy is configured on the interface whose IP address belongs to the subnet of the 'PUBLIC_POOL' public network address profile. Note that 'PUBLIC_POOL' is the address profile describing the public address range, not the SNAT pool object TRANSLATE_ADDRESS, and the pool addresses must lie in that interface's subnet, otherwise the upstream gateway's ARP requests for them are never answered and return traffic is lost.
esr(config)# interface tengigabitethernet 1/0/1
esr(config-if-te)# ip nat proxy-arp PUBLIC_POOL
To give LAN devices access to the public network, configure them to route through the router: 10.1.2.1 must be set as their default gateway.
On the router, create a route towards the public network and make it the default route with the following command.
esr(config)# ip route 0.0.0.0/0 100.0.0.1
esr(config)# exit
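The following Python model is an added example and is not part of the ESR documentation or the router's software. It mirrors the policy configured above (zone-pair rule, SNAT rule set, proxy-ARP reachability, default route) so that its security-relevant behaviour can be checked offline: traffic is permitted and translated only when it is bound for the 'UNTRUST' zone and carries a 'LOCAL_NET' source, a zone pair with no matching enabled permit rule drops the packet (the model assumes default deny), and the pool must lie inside the uplink subnet without covering the gateway. The values for LOCAL_NET (10.1.2.0/24, derived from the page's gateway 10.1.2.1), the uplink subnet (100.0.0.0/24) and the deterministic pool-address selection are assumptions of this example; the real profiles are defined elsewhere in the configuration and the router chooses pool addresses on its own.

```python
import ipaddress
from dataclasses import dataclass

# Values from the page's example, plus labelled assumptions where the page does not give them.
LOCAL_NET = ipaddress.ip_network("10.1.2.0/24")        # assumption: LAN behind gateway 10.1.2.1
POOL_START = ipaddress.ip_address("100.0.0.100")        # SNAT pool TRANSLATE_ADDRESS start
POOL_END = ipaddress.ip_address("100.0.0.249")          # SNAT pool TRANSLATE_ADDRESS end
UPLINK_NET = ipaddress.ip_network("100.0.0.0/24")       # assumption: subnet of tengigabitethernet 1/0/1
DEFAULT_GW = ipaddress.ip_address("100.0.0.1")          # next hop of 'ip route 0.0.0.0/0 100.0.0.1'


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the policy looks at."""
    src: str
    dst: str
    in_zone: str
    out_zone: str


def zone_pair_permits(pkt: Packet) -> bool:
    """Mirror of 'security zone-pair TRUST UNTRUST', rule 1:
    match source-address LOCAL_NET, action permit.
    Anything not matched by an enabled permit rule is dropped (assumed default deny)."""
    if (pkt.in_zone, pkt.out_zone) != ("TRUST", "UNTRUST"):
        return False
    return ipaddress.ip_address(pkt.src) in LOCAL_NET


def snat_translate(pkt: Packet):
    """Mirror of ruleset SNAT ('to zone UNTRUST', rule 1: match source-address LOCAL_NET,
    action source-nat pool TRANSLATE_ADDRESS). Returns the translated source address,
    or None when no rule matches and the packet leaves untranslated."""
    if pkt.out_zone != "UNTRUST":
        return None
    src = ipaddress.ip_address(pkt.src)
    if src not in LOCAL_NET:
        return None
    # Deterministic pick so results are reproducible; the router's own selection differs.
    pool_size = int(POOL_END) - int(POOL_START) + 1
    offset = (int(src) - int(LOCAL_NET.network_address)) % pool_size
    return str(ipaddress.ip_address(int(POOL_START) + offset))


def forward(pkt: Packet):
    """Firewall decision first, then source NAT. Returns (verdict, source address on the wire)."""
    if not zone_pair_permits(pkt):
        return ("drop", None)
    return ("permit", snat_translate(pkt) or pkt.src)


def check_pool_consistency():
    """Checks a practitioner would run before enabling the policy. Proxy-ARP on the uplink
    interface only answers for pool addresses inside that interface's subnet, the pool must not
    swallow the upstream gateway, and the default route's next hop must be on-link.
    Returns a list of problems; an empty list means the configuration is consistent."""
    problems = []
    if POOL_START not in UPLINK_NET or POOL_END not in UPLINK_NET:
        problems.append("SNAT pool is not inside the uplink subnet; proxy-ARP cannot answer for it")
    if POOL_START <= DEFAULT_GW <= POOL_END:
        problems.append("SNAT pool contains the default gateway address")
    if DEFAULT_GW not in UPLINK_NET:
        problems.append("default route next hop is not on-link")
    return problems


if __name__ == "__main__":
    for p in (
        Packet("10.1.2.10", "198.51.100.7", "TRUST", "UNTRUST"),     # LAN host going out: permit + SNAT
        Packet("192.168.5.5", "198.51.100.7", "TRUST", "UNTRUST"),   # TRUST zone but not LOCAL_NET: drop
        Packet("10.1.2.10", "10.1.2.1", "UNTRUST", "TRUST"),         # spoofed LAN source from outside: drop
    ):
        print(p, "->", forward(p))
    print("consistency problems:", check_pool_consistency())
```

The second packet shows why the source-address match matters: a host that is in the 'TRUST' zone but outside 'LOCAL_NET' (for example a mis-addressed or rogue device) is neither permitted nor translated, so a permit on the zone pair alone would not be enough to keep translation limited to the local network.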