White paper for Cisco IPS 4520 Sensor
37
Firewall
August 2012 Series
Step 14: Select Monitored, and then click Apply.
Procedure 3
Configure Network Address Translation
The DMZ network uses private network (RFC 1918) addressing that is not
Internet-routable, so the firewall must translate the DMZ address of the web
server to an outside public address. If there is a resilient Internet connection,
the web server can have an address translation for each ISP. This resilient
configuration, shown here for completeness, relies on the modification of
DNS records in order to point incoming requests to the resilient web server
address when the primary Internet connection is unavailable.
The example DMZ address to public IP address mapping is shown in the
following table.
Table 3 - DMZ address mapping
| Web server DMZ address | Web server public address (externally routable after NAT) |
|---|---|
| 192.168.16.100 | 172.16.130.100 (ISP-A) |
| | 172.17.130.100 (ISP-B for Dual ISP only) |
Step 1: Navigate to Configuration > Firewall > Objects > Network Objects/Groups.
First, you will add a network object for the web server’s IP address on the primary Internet connection.
Step 2: Click Add > Network Object.
Step 3: On the Add Network Object dialog box, in the Name box, enter a description for the web server’s public IP address. (Example: outside-webserver-ISPa)
Step 4: In the Type list, select Host.
Step 5: In the IP Address box, enter the web server’s public IP address, and then click OK. (Example: 172.16.130.100)
Step 6: On the Network Objects/Groups pane, click Apply.
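The following is an added example, not part of the Cisco guide: a Python pre-check of the Table 3 mapping that also prints the ASA CLI form of the host object built in Steps 2 through 5. The ISP-B object name is an assumption modeled on the guide's naming example. The guide's sample "public" addresses fall inside 172.16.0.0/12, so the check flags them as lab stand-ins that a production deployment replaces with ISP-assigned addresses.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly so documentation ranges are not caught.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Table 3 from the guide. The ISP-B object name is an assumption that follows
# the guide's "outside-webserver-ISPa" naming example.
MAPPINGS = [
    {"name": "outside-webserver-ISPa", "dmz": "192.168.16.100", "public": "172.16.130.100"},
    {"name": "outside-webserver-ISPb", "dmz": "192.168.16.100", "public": "172.17.130.100"},
]

def in_rfc1918(addr):
    """True if addr is inside one of the RFC 1918 ranges (ValueError if malformed)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(mappings):
    """Return (object name, issue) pairs for a static NAT mapping table."""
    findings, seen = [], set()
    for m in mappings:
        # The translated (real) side should be a private DMZ address.
        if not in_rfc1918(m["dmz"]):
            findings.append((m["name"], "dmz-address-not-rfc1918"))
        # The mapped side must be Internet-routable to be reachable from outside.
        if in_rfc1918(m["public"]):
            findings.append((m["name"], "public-address-is-rfc1918"))
        # Each ISP needs its own mapped address for the resilient design.
        if m["public"] in seen:
            findings.append((m["name"], "public-address-reused"))
        seen.add(m["public"])
    return findings

def render_object(name, address):
    """ASA CLI equivalent of Steps 2-5: a host-type network object."""
    return f"object network {name}\n host {address}"

if __name__ == "__main__":
    for name, issue in audit(MAPPINGS):
        print(f"{name}: {issue}")
    for m in MAPPINGS:
        print(render_object(m["name"], m["public"]))
```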