Configure one-to-one mapping of IP address to access devices on Internal network
Posted by Julius Montealegre on 25 June 2010 06:59 PM
Applicable to Version: 10
This article gives a detailed configuration example showing how to configure Cyberoam so that Internet users can reach servers on the internal network through a one-to-one mapping of a public IP address to an internal one, which Cyberoam calls a virtual host.
The configuration steps assume the appliance is running factory default settings. If it is not, substitute IP addresses that suit your network.
The article covers how to
· Create virtual host
· Create firewall rule to allow the inbound traffic
Virtual host
The virtual host implementation is based on the Destination NAT concept of older Cyberoam versions.
A virtual host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address, and it is used as the destination address in the firewall rules that grant access to an internal or DMZ server.
A virtual host can be a single IP address, an IP address range, or a Cyberoam interface itself. Cyberoam automatically answers ARP requests received on the WAN zone for the external IP address of the virtual host, so the upstream router delivers traffic for that address to the appliance.
A virtual host by itself does not permit any traffic: inbound access exists only once a firewall rule that references the virtual host allows it, and that rule should be limited to the services the server actually provides.
Sample schema
Throughout the article we use the network parameters in the table below. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public servers, a mail server and a web server, are hosted in the DMZ.
Network component   External IP address (Public)   IP address (Internal)
Web server          203.88.135.208                 192.168.1.4 (Mapped)
Mail server         204.88.135.192                 192.168.1.15 (Mapped)

For a virtual host:
External IP: the IP address through which Internet users access the internal server.
Mapped IP: the IP address bound to the internal server.
Configuration
The entire configuration is done from the Web Admin Console unless specified otherwise.
Step 1: Create virtual host for Web server
Go to Firewall --> Virtual Host --> Virtual Host and add a virtual host with the parameters specified in the sample schema: external IP 203.88.135.208, mapped IP 192.168.1.4.
In our example, Internet users reach the internal web server at 203.88.135.208; all inbound requests to 203.88.135.208 are forwarded to 192.168.1.4.
Enable port forwarding and list only the ports the server actually serves (for a web server, typically TCP 80 and 443). Without port forwarding, the virtual host maps every port of the external IP to the internal host.
Step 2: Create virtual host for Mail server
Go to Firewall --> Virtual Host --> Virtual Host and add a virtual host with the parameters specified in the sample schema: external IP 204.88.135.192, mapped IP 192.168.1.15.
In our example, Internet users reach the internal mail server at 204.88.135.192; all inbound requests to 204.88.135.192 are forwarded to 192.168.1.15. Again, forward only the mail ports the server provides (for example TCP 25).
Step 3: Loopback firewall rule
Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. The loopback rule is created for the service specified in the virtual host; if port forwarding is not enabled in the virtual host, a rule with "All Services" is created instead, which is a further reason to enable port forwarding.
Loopback rules allow hosts in the same zone as the server to reach it through its public IP (external IP) or FQDN instead of its private address.
In our example a DMZ to DMZ firewall rule is created, because the virtual host's mapped IP address belongs to the DMZ interface subnet.
Verify that the loopback rule exists under Firewall --> Rule.
Step 4: Add firewall rules for internal users
The automatic loopback rule covers only the zone of the mapped IP (DMZ to DMZ in this example). Internal users in other zones, such as LAN, need their own firewall rules to reach the DMZ servers through the public IP (external IP) or FQDN.
Go to Firewall --> Rule and add a firewall rule for each server: source zone LAN, destination zone DMZ, the server's virtual host as the destination host, and only the services that server provides.
Step 5: Add inbound firewall rules
Create firewall rules to allow external hosts (from the Internet) to access the virtual hosts that map to the internal servers, the web server and the mail server. A virtual host only takes effect once it is referenced by a firewall rule, so you must add a rule that allows (or denies) inbound traffic to each virtual host.
Go to Firewall --> Rule and add a firewall rule for each server: source zone WAN, destination zone DMZ, the server's virtual host as the destination host, and only the services exposed by that server (for example HTTP and HTTPS for the web server, SMTP for the mail server). Do not use "All Services" here: combined with a virtual host that has no port forwarding, it would publish every port of the internal host to the Internet.
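The following Python model is added here as an illustration; it is not part of the original article and not Cyberoam code. It ties Steps 1 to 5 together: a virtual host performs the destination NAT, the automatically created loopback rule covers the mapped IP's own zone, and nothing is reachable until a firewall rule for the right source zone, virtual host and service matches. It also shows the failure mode of a virtual host without port forwarding combined with an "All Services" rule. The DMZ addresses and public IPs are the article's; the LAN subnet (10.0.0.0/24), the client addresses, the rule and virtual host names, and the port lists are assumptions made for the example.

```python
# Added illustration of virtual-host (destination NAT) mapping plus firewall-rule
# evaluation. This is not Cyberoam code; it models the behaviour the article describes.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_SERVICES = "All Services"


@dataclass(frozen=True)
class VirtualHost:
    name: str
    external_ip: str
    mapped_ip: str
    ports: frozenset = frozenset()  # empty = port forwarding off: every port is mapped


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str        # virtual host name, or "Any"
    services: frozenset  # TCP port numbers, or {ALL_SERVICES}
    action: str          # "Accept" or "Drop"


# Assumed zone layout: the DMZ subnet follows from the article's mapped IPs,
# the LAN subnet is invented for the example. Anything else is treated as WAN.
ZONES = {"DMZ": ip_network("192.168.1.0/24"), "LAN": ip_network("10.0.0.0/24")}


def zone_of(ip):
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "WAN"


def loopback_rule(vh):
    """Rule Cyberoam adds automatically for a new virtual host (Step 3): same zone
    as the mapped IP, limited to the forwarded ports, or All Services when port
    forwarding is off."""
    zone = zone_of(vh.mapped_ip)
    services = vh.ports if vh.ports else frozenset({ALL_SERVICES})
    return Rule(zone, zone, vh.name, services, "Accept")


def evaluate(packet, vhosts, rules):
    """packet = (src_ip, dst_ip, dst_port) addressed to a virtual host's external IP.
    Returns (action, translated destination IP or None)."""
    src_ip, dst_ip, dst_port = packet
    # 1. Destination NAT: does a virtual host claim this external IP and port?
    vh = next((v for v in vhosts
               if v.external_ip == dst_ip and (not v.ports or dst_port in v.ports)),
              None)
    if vh is None:
        return ("Drop", None)  # no mapping for that IP:port, so nothing is exposed
    # 2. Firewall: rules match on the source zone, the post-NAT destination zone,
    #    the virtual host and the service; first match wins, otherwise implicit deny.
    src_zone, dst_zone = zone_of(src_ip), zone_of(vh.mapped_ip)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_host in (vh.name, "Any")
                and (ALL_SERVICES in r.services or dst_port in r.services)):
            return (r.action, vh.mapped_ip)
    return ("Drop", vh.mapped_ip)


# The article's sample schema, with assumed port lists (Steps 1 and 2).
WEB = VirtualHost("VH_Web", "203.88.135.208", "192.168.1.4", frozenset({80, 443}))
MAIL = VirtualHost("VH_Mail", "204.88.135.192", "192.168.1.15", frozenset({25}))
VHOSTS = (WEB, MAIL)
RULES = (
    loopback_rule(WEB), loopback_rule(MAIL),                       # Step 3, automatic
    Rule("LAN", "DMZ", "VH_Web", frozenset({80, 443}), "Accept"),  # Step 4
    Rule("LAN", "DMZ", "VH_Mail", frozenset({25}), "Accept"),
    Rule("WAN", "DMZ", "VH_Web", frozenset({80, 443}), "Accept"),  # Step 5
    Rule("WAN", "DMZ", "VH_Mail", frozenset({25}), "Accept"),
)

# Pitfall: mail virtual host without port forwarding plus an "All Services" rule.
MAIL_OPEN = VirtualHost("VH_Mail", "204.88.135.192", "192.168.1.15")
RULES_OPEN = (Rule("WAN", "DMZ", "VH_Mail", frozenset({ALL_SERVICES}), "Accept"),)

if __name__ == "__main__":
    INTERNET, LAN_PC, DMZ_WEB = "198.51.100.7", "10.0.0.5", "192.168.1.4"  # constructed
    for label, pkt, vhs, rls in [
        ("Internet -> web :80", (INTERNET, "203.88.135.208", 80), VHOSTS, RULES),
        ("Internet -> web :22", (INTERNET, "203.88.135.208", 22), VHOSTS, RULES),
        ("LAN -> mail :25 via public IP", (LAN_PC, "204.88.135.192", 25), VHOSTS, RULES),
        ("DMZ -> mail :25 via public IP (loopback)", (DMZ_WEB, "204.88.135.192", 25), VHOSTS, RULES),
        ("Internet -> mail :22 with no port forwarding + All Services",
         (INTERNET, "204.88.135.192", 22), (MAIL_OPEN,), RULES_OPEN),
    ]:
        print(f"{label}: {evaluate(pkt, vhs, rls)}")
```

Run it as a script to see each scenario's decision. The last case is the one to avoid in Step 5: with port forwarding off and an "All Services" rule, SSH to the mail server's public IP is accepted and translated to 192.168.1.15, whereas the restricted configuration drops it because no virtual host claims port 22.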