Multi Service Edge Device HL950 Administrator's Guide
EN/LZT 108 5995 R3, June 2003
Page 75 (159)
allow=false, log=true, ppos=begin;
HL950> add security firewall:type=lanout, ipss=172.16.0.0,
ipse=172.31.255.255, ipdn=any, psn=any, pdn=any, prot=all,
allow=false, log=true, ppos=begin;
Add the corresponding WANtoLAN policies:
HL950> add security firewall:type=lanin, ipsn=any,
ipds=10.0.0.0, ipde=10.255.255.255, psn=any, pdn=any,
prot=all, allow=false, log=true, ppos=begin;
HL950> add security firewall:type=lanin, psn=any, pdn=any,
prot=all, allow=false, log=true, ppos=begin, ipds=127.0.0.0,
ipde=127.255.255.255, ipsn=any;
HL950> add security firewall:type=lanin, psn=any, pdn=any,
prot=all, allow=false, log=true, ppos=begin, ipds=172.16.0.0,
ipde=172.31.255.255, ipsn=any;
Use the show security firewall command to see the PNUM of each policy. Using these PNUMs
you can change a policy's configuration parameters and move its priority within the list, as follows:
HL950> set security firewall:pnum=19, ppos=end;
HL950> set security firewall:pnum=22, move=true;
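The anti-spoofing policies above repeat the same pattern for each private range in both directions, and the address fields must be a valid start/end pair. The following Python script (an added example, not part of the HL950 guide or its CLI) generates those add commands from CIDR blocks and checks the address fields of any add or set command for malformed values; it generalises the page's three ranges by also covering 192.168.0.0/16, the remaining RFC 1918 block.

```python
import ipaddress
import re

# Ranges the guide's example policies block: 10/8, 127/8 and 172.16/12 are on
# this page; 192.168/16 (the remaining RFC 1918 block) is added here as the
# general case.
BLOCKED_RANGES = ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def range_bounds(cidr):
    """(first, last) addresses of a CIDR block, the ipss/ipse or ipds/ipde pair."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)

def lanout_policy(cidr):
    """Drop and log LAN-to-WAN packets whose source is in the private range."""
    first, last = range_bounds(cidr)
    return (f"add security firewall:type=lanout, ipss={first}, ipse={last}, "
            "ipdn=any, psn=any, pdn=any, prot=all, allow=false, log=true, ppos=begin;")

def lanin_policy(cidr):
    """Drop and log WAN-to-LAN packets whose destination is in the private range."""
    first, last = range_bounds(cidr)
    return (f"add security firewall:type=lanin, ipsn=any, ipds={first}, ipde={last}, "
            "psn=any, pdn=any, prot=all, allow=false, log=true, ppos=begin;")

def build_policies(ranges=BLOCKED_RANGES):
    """Both directions for every range, in the order they would be typed at HL950>."""
    return [lanout_policy(r) for r in ranges] + [lanin_policy(r) for r in ranges]

def check_policy_addresses(cmd):
    """Problems in one command's address fields: a malformed address (such as a
    five-octet value) or a range whose end precedes its start."""
    fields = dict(re.findall(r"(\w+)=([^,;\s]+)", cmd))
    addrs, problems = {}, []
    for key in ("ipss", "ipse", "ipds", "ipde"):
        if key in fields:
            try:
                addrs[key] = ipaddress.ip_address(fields[key])
            except ValueError:
                problems.append(f"{key}: invalid address {fields[key]!r}")
    for start, end in (("ipss", "ipse"), ("ipds", "ipde")):
        if start in addrs and end in addrs and addrs[start] > addrs[end]:
            problems.append(f"{start}/{end}: range end precedes start")
    return problems

if __name__ == "__main__":
    for line in build_policies():
        print("HL950>", line)
```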
4.6.2 NAT with ALG support
By enabling NAT, the HL950 hides the IP addresses of internal machines from the WAN before the data
leaves the firewall. With NAT, internal machines on a LAN can access the Internet through a local
server as if they were connected to the Internet directly.
When NAT is started, traffic between LAN and WAN that is not being translated is disallowed, for
security reasons. If you want to allow untranslated traffic, you must explicitly permit it with a
firewall policy.
4.6.2.1 NAT
Use the SECURITY NAT command to configure NAT policies. The following types of NAT can be
configured:
One to One NAT
One to One NAT is used when you want to map an internal (private) IP address to a single
public IP address on a one-to-one basis. It is particularly useful when a device needs to be
accessible from outside the network. One to One NAT translates the IP address but does not
perform port translation.
Figure 32: Example of One to One NAT