Configure one-to-one mapping of IP address to access devices on Internal network
Posted by Julius Montealegre on 25 June 2010 06:59 PM
 
Applicable to Version: 10
 
This article provides a detailed configuration example that demonstrates how to configure 
Cyberoam to provide access to internal resources.

Configuration steps are provided assuming that you are using the factory default settings of the 
appliance. If your appliance is not using factory defaults, use IP addresses as per your 
requirement.

Article covers how to

   ·       Create virtual host
   ·       Create firewall rule to allow the inbound traffic
 

Virtual host

Virtual host implementation is based on the Destination NAT concept of older versions 
of Cyberoam.

A virtual host maps services of a public IP address to services of a host in a private network. 
In other words, it is a mapping of a public IP address to an internal IP address. This virtual host 
is used as the Destination address to access an internal or DMZ server.

A virtual host can be a single IP address, an IP address range, or the Cyberoam interface itself. 
Cyberoam will automatically respond to ARP requests received on the WAN zone for the external 
IP address of the virtual host.


Sample schema
 
Throughout the article we will use the network parameters shown in the network diagram below. 
Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The 
public servers (mail and web) are hosted in the DMZ.

Network components    External IP address (Public)    IP address (Internal)
Web server            203.88.135.208                  192.168.1.4 (Mapped)
Mail server           204.88.135.192                  192.168.1.15 (Mapped)

For virtual host:

   ·       External IP: IP address through which Internet users access the internal server.
   ·       Mapped IP: IP address bound to the internal server.
Configuration

Entire configuration is to be done from Web Admin Console unless specified.

Step 1: Create virtual host for Web server

Go to Firewall --> Virtual Host --> Virtual Host and add a virtual host with the parameters as specified in the sample schema.

In our example, Internet users will access the internal web server (192.168.1.4) using 203.88.135.208. In other words, all inbound requests to 203.88.135.208 will be forwarded to 192.168.1.4.

Step 2: Create virtual host for Mail server

Go to Firewall --> Virtual Host --> Virtual Host and add a virtual host with the parameters as specified in the sample schema.

In our example, Internet users will access the internal mail server (192.168.1.15) using 203.88.135.192. In other words, all inbound requests to 203.88.135.192 will be forwarded to 192.168.1.15.

Step 3: Loopback firewall rule

Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. The loopback firewall rule is created for the service specified in the virtual host. If port forwarding is not enabled in the virtual host, a firewall rule with “All Services” is created.

Loopback rules allow internal users to access internal resources using their public IP (external IP) or FQDN.

For our example, a DMZ to DMZ firewall rule is created because the virtual host (mapped IP address) belongs to the DMZ interface subnet.

Check creation of the loopback rule from Firewall --> Rule.

Step 4: Add Firewall rules

Create firewall rules to allow internal users to access resources in the DMZ using their public IP (external IP) or FQDN.

Go to Firewall --> Rule and add a firewall rule for each server with the parameters as displayed in the below given screens.
Create firewall rules to allow external hosts (from the Internet) to access a virtual host that maps to the internal servers (Web server or Mail server). You must add the virtual host to a firewall policy to actually implement the mapping configured in the virtual host, i.e. create a firewall rule that allows or denies inbound traffic to the virtual host.

Go to Firewall --> Rule and add a firewall rule for each server with the parameters as displayed in the below given screens.
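
An added example, not part of the original article or of Cyberoam's software: a small Python model of the sample schema showing that a virtual host forwards WAN traffic only once a WAN firewall rule references it, and flagging one-to-one hosts that are opened with "All Services". The record layout, the `legacy` host and all rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VirtualHost:                # hypothetical record, not a Cyberoam export format
    name: str
    external_ip: str
    mapped_ip: str
    port: Optional[int] = None    # None: port forwarding off, all ports are mapped

@dataclass(frozen=True)
class Rule:                       # hypothetical firewall accept-rule record
    src_zone: str
    dst_host: str                 # virtual host name used as the rule destination
    services: frozenset           # allowed TCP ports; empty set = "All Services"

def wan_rules(rules, vh):
    return [r for r in rules if r.src_zone == "WAN" and r.dst_host == vh.name]

def forward(vhosts, rules, dst_ip, dst_port):
    """Return the mapped IP an inbound WAN packet reaches, or None if dropped."""
    for vh in vhosts:
        if vh.external_ip != dst_ip or vh.port not in (None, dst_port):
            continue              # no destination NAT match on this virtual host
        if any(not r.services or dst_port in r.services for r in wan_rules(rules, vh)):
            return vh.mapped_ip
    return None                   # inbound traffic is restricted by default

def audit(vhosts, rules):
    """Flag virtual hosts that are unreachable or expose the whole mapped host."""
    findings = []
    for vh in vhosts:
        allowed = wan_rules(rules, vh)
        if not allowed:
            findings.append((vh.name, "no WAN rule, mapping not in effect"))
        elif vh.port is None and any(not r.services for r in allowed):
            findings.append((vh.name, "All Services open from WAN"))
    return findings

# Constructed sample data; web and mail use the sample schema addresses
VHOSTS = [VirtualHost("web", "203.88.135.208", "192.168.1.4"),
          VirtualHost("mail", "204.88.135.192", "192.168.1.15"),
          VirtualHost("legacy", "203.0.113.10", "192.168.1.20")]  # constructed host
RULES = [Rule("WAN", "web", frozenset({80, 443})),
         Rule("DMZ", "web", frozenset()),      # loopback rule, "All Services"
         Rule("DMZ", "mail", frozenset()),     # mail has only its loopback rule
         Rule("WAN", "legacy", frozenset())]   # constructed over-broad WAN rule

if __name__ == "__main__":
    for finding in audit(VHOSTS, RULES):
        print(finding)
```

Restricting the WAN rule to named services, as done for `web` here, keeps a one-to-one mapping from exposing every port of the mapped server.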