
ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner


8.17. Deploy a Large-Office Firewall with DMZ

Problem

You want to deploy a firewall for a large office with one or more DMZs, and you own a static public IP address space (see Figure 8-3).

Solution

Configure a DIP pool so that connections initiated by Trust-side hosts toward the Untrust zone are source-translated to a single public address (outbound PAT):

	set interface ethernet0/1 dip 4 1.1.1.50
	set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src dip-id 4 permit

Then, configure a MIP for each server in the DMZ to perform bidirectional, one-to-one NAT:

	set interface "ethernet0/1" mip 1.1.1.100 host 192.168.2.100
	set interface "ethernet0/1" mip 1.2.2.100 host 192.168.2.200

Next, configure a policy for outside users to initiate an HTTP session to the two MIP hosts:

	set policy id 2 from "Untrust" to "DMZ" "Any" "MIP(1.1.1.100)" "HTTP" permit
	set policy id 2
	   set dst-address "MIP(1.2.2.100)"
	exit

Configure a single policy that allows DMZ hosts to initiate outbound connections; no NAT clause is needed because a MIP is bidirectional, so a host that has a MIP is translated to its MIP address on the way out:

	set policy id 5 from "DMZ" to "Untrust" any any any permit log

Lastly, allow Trust-side hosts to connect internally to the DMZ servers:

	set policy id 4 from "Trust" to "DMZ" "Any" "Any" "Any" permit

Note that the preceding examples serve to explain the framework of the recipe. Production policies are usually tighter and more customized.
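To make the interaction between the DIP, the two MIPs and the four policies concrete, here is an added Python model of the recipe's lookup and translation behaviour. It is example code written for this page, not ScreenOS code and not from the book's authors. The public addresses, MIP mappings and policy definitions are the ones in the recipe; the Trust subnet (10.1.1.0/24) is a constructed assumption, since Figure 8-3 is not reproduced here, and the model evaluates policies top-down with first match winning and an implicit deny at the end.

```python
"""Added example: a model of the recipe's NAT and policy behaviour (not ScreenOS code)."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Address plan from the recipe. The Trust prefix is an assumption for this example;
# the DMZ prefix is implied by the MIP host addresses.
TRUST_PREFIX = "10.1.1."          # assumed Trust subnet (Figure 8-3 not on this page)
DMZ_PREFIX = "192.168.2."

DIP_POOLS = {4: "1.1.1.50"}       # set interface ethernet0/1 dip 4 1.1.1.50 (outbound PAT)
MIPS = {                          # set interface ethernet0/1 mip <public> host <private>
    "1.1.1.100": "192.168.2.100",
    "1.2.2.100": "192.168.2.200",
}
MIP_TO_PUBLIC = {private: public for public, private in MIPS.items()}
SERVICE_PORTS = {"HTTP": ("tcp", 80)}  # the predefined service named by policy 2


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    dst_addrs: frozenset          # {"Any"} or the MIP public addresses named in the policy
    service: str                  # "ANY" or a service name
    dip_id: Optional[int] = None  # "nat src dip-id N" on the policy
    log: bool = False


# The recipe's policies in lookup order (ScreenOS evaluates top-down, first match wins).
POLICIES = [
    Policy(1, "Trust", "Untrust", frozenset({"Any"}), "ANY", dip_id=4),
    Policy(2, "Untrust", "DMZ", frozenset({"1.1.1.100", "1.2.2.100"}), "HTTP"),
    Policy(5, "DMZ", "Untrust", frozenset({"Any"}), "ANY", log=True),
    Policy(4, "Trust", "DMZ", frozenset({"Any"}), "ANY"),
]

_pat_ports = count(1024)  # ephemeral source ports handed out by the DIP pool


def zone_of(ip: str) -> str:
    """Map an address to a security zone. A MIP public address is looked up as DMZ,
    because policy 2 names it as MIP(...) with the DMZ as destination zone."""
    if ip.startswith(TRUST_PREFIX):
        return "Trust"
    if ip.startswith(DMZ_PREFIX) or ip in MIPS:
        return "DMZ"
    return "Untrust"


def service_matches(service: str, proto: str, dport: int) -> bool:
    return service == "ANY" or SERVICE_PORTS.get(service) == (proto, dport)


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> dict:
    """Return the matching policy and the translated addresses for a new session."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for p in POLICIES:
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if "Any" not in p.dst_addrs and dst_ip not in p.dst_addrs:
            continue
        if not service_matches(p.service, proto, dport):
            continue
        result = {"action": "permit", "policy": p.pid, "log": p.log,
                  "src": src_ip, "sport": None, "dst": dst_ip}
        if p.dip_id is not None:
            # nat src dip-id: many-to-one translation with a new source port (PAT)
            result["src"] = DIP_POOLS[p.dip_id]
            result["sport"] = next(_pat_ports)
        elif src_ip in MIP_TO_PUBLIC and dst_zone == "Untrust":
            # MIP is bidirectional: the DMZ host leaves as its public MIP address
            result["src"] = MIP_TO_PUBLIC[src_ip]
        if dst_ip in MIPS:
            # inbound MIP: one-to-one destination translation to the DMZ host
            result["dst"] = MIPS[dst_ip]
        return result
    return {"action": "deny", "policy": None, "src": src_ip, "dst": dst_ip}


if __name__ == "__main__":
    # Constructed sample sessions; 203.0.113.9 is a documentation-range outside host.
    for flow in [("10.1.1.20", "203.0.113.9", "tcp", 443),
                 ("203.0.113.9", "1.1.1.100", "tcp", 80),
                 ("203.0.113.9", "1.2.2.100", "tcp", 22),
                 ("192.168.2.200", "203.0.113.9", "tcp", 443),
                 ("10.1.1.20", "192.168.2.100", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
```

Running the script shows the four cases the recipe describes: Trust-to-Untrust traffic leaves as 1.1.1.50 with a fresh source port, inbound HTTP to either MIP address is permitted and delivered to the private host, inbound traffic on any other service (or toward the Trust zone) falls through to the implicit deny, and a DMZ host with a MIP leaves as its public address without any NAT clause on policy 5.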

Discussion

In this recipe, we have one Trust network and one DMZ network, similar to the one shown in Figure 8-3. There could be multiple networks on the Trust or DMZ side, and there could be multiple DMZs.

Figure 8-3. NAT ...
