Cisco IPS 4345 Sensor white paper
33
Firewall
August 2012 Series
Procedure 4
Configure address translation
Prior to completing this procedure, access to the Internet from within the
inside network is not possible. This procedure is required to permit Internet
traffic for the inside network and the DMZs; the inside and DMZ networks
are numbered using private (RFC 1918) addressing that is not Internet-
routable, so the appliances must translate the private addresses to outside
Internet-routable addresses. For this configuration, all inside addresses are
translated to the public address on the outside interface.
As the address translation configuration described in this portion
of the document is applied, the appliance enables its default
access rule set. Review the expected traffic carefully; if any traffic
allowed by the default rules should not be permitted, shut down
the interfaces until the firewall rule set is completely configured.
Tech Tip
NAT configuration varies depending on whether a Single or Dual ISP con-
figuration is used. Most of the configuration is common to both designs,
although there are some additional steps for configuring both outside
interfaces in the Dual ISP design.
Step 1: Navigate to Configuration > Firewall > Objects > Network Objects/Groups.
Step 2: Click Add > Network Object.
Step 3: In the Add Network Object dialog box, in the Name box, enter a description for the address translation. (Example: internal-network-ISPa)
Step 4: In the Type list, select Network.
Step 5: In the IP Address box, enter the address that summarizes all internal networks. (Example: 10.4.0.0)
Step 6: In the Netmask box, enter the internal summary netmask. (Example: 255.254.0.0)
Step 7: Click the two down arrows. The NAT pane expands.
Step 8: Select Add Automatic Address Translation Rules.
Step 9: In the Type list, select Dynamic PAT (Hide).
Step 10: In the Translated Addr. box, enter the name of the primary Internet connection interface, and then click OK. (Example: outside-16)
Step 11: On the Network Objects/Groups pane, click Apply.
Step 12: If you are using a Single ISP design, continue to Procedure 5.
If you are using the Dual ISP design, repeat Step 1 through Step 11 for the resilient
Internet connection, using the correct input for the alternate Internet con-
nection. (Example: internal-network-ISPb, outside-17)
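The CLI equivalent of the ASDM steps above, added here as an example rather than taken from the guide; it assumes ASA 8.3 or later object NAT syntax and reuses the example names and addresses from the steps (internal-network-ISPa, 10.4.0.0 255.254.0.0, outside-16, and for the Dual ISP design internal-network-ISPb, outside-17):

```cisco
! Added example (not the guide's own configuration): what Procedure 4
! produces on the ASA CLI with ASA 8.3+ object NAT.
!
! Step 3 to Step 6: network object that summarizes all internal networks
object network internal-network-ISPa
 subnet 10.4.0.0 255.254.0.0
! Step 8 to Step 10: Dynamic PAT (Hide) behind the primary outside
! interface address; "any" leaves the real (source) interface unrestricted
 nat (any,outside-16) dynamic interface
!
! Dual ISP design only (Step 12): a second object for the resilient
! connection. The egress interface chosen by routing decides which of
! the two rules applies to a given flow.
object network internal-network-ISPb
 subnet 10.4.0.0 255.254.0.0
 nat (any,outside-17) dynamic interface
!
! Checks after Apply (output not reproduced here):
!  show running-config nat   - both object NAT lines present
!  show nat                  - rules installed, hit counters increment
!  show xlate                - inside hosts appear as PAT entries on the
!                              outside interface address once traffic flows
```

Because applying this translation also activates the appliance's default access rule set (see the note above), review the installed rules before leaving the interfaces up.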