2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
172.18.18.42 port 2020, 2009 ISP_IP port XXXX, XXXX
172.18.18.45 port 2020, 2009 ISP_IP port XXXX, XXXX
Step 1: define a global address
set security address-book global address Nutanix_Cluster 172.18.18.50/32
Step 2: define the protocol port
set applications application tcp-2020 protocol tcp
set applications application tcp-2020 destination-port 2020
set applications application tcp-2009 protocol tcp
set applications application tcp-2009 destination-port 2009
Step 3: define the destination NAT + port. Define the private network IP and its matching port.
set security nat destination pool DP_Nutanix_Cluster_2020 address 172.18.18.50/32
set security nat destination pool DP_Nutanix_Cluster_2020 address port 2020
set security nat destination pool DP_Nutanix_Cluster_2009 address 172.18.18.50/32
set security nat destination pool DP_Nutanix_Cluster_2009 address port 2009
Step 3: define the destination NAT + port. Define the NAT rules between the private and public networks.
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli match destination-address-name WAN3006_162
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli match destination-port 2020
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli then destination-nat pool DP_Nutanix_Cluster_2020
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli match destination-address-name WAN3006_162
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli match destination-port 2009
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli then destination-nat pool DP_Nutanix_Cluster_2009
Step 4: define the security policy that controls access from the source zone to a specific zone of the intranet
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT match source-address any destination-address Nutanix_Cluster application tcp-2020 application tcp-2009
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then permit
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then log session-init
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then log session-close
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then count
Step 5: adjust the policy priority by inserting the newly defined policy before the reject policy
insert security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT before policy DENY
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT match source-address Nutanix_Cluster destination-address any application tcp-2020 application tcp-2009
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then permit
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then log session-init
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then log session-close
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then count
Step 6: define which ISP line a network segment or specific IP uses to access external network resources
INGRESS_FROM_TRUST is the firewall filter applied to the intranet interface [reth4.500, zone trust]
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.45/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.50/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.42/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.48/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.52/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.55/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.58/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from destination-address 0.0.0.0/0
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster then routing-instance FORWARD_TO_ISP6
Step 7: the firewall filter ends with a term that executes then accept; if you have defined it previously, skip to step 8
set firewall family inet filter INGRESS_FROM_TRUST term ACCEPT_ALL then accept
Step 8: insert the term from step 6 before the term from step 7, that is, adjust the term priority
insert firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster before term ACCEPT_ALL
Step 9: query the NAT sessions to determine whether the inbound and outbound (two-way) policies are correct
show security flow session nat destination-port 2020
node0:
Session ID: 91904, Policy name: LEGACY_ID_15/89, State: Backup, Timeout: 14342, Valid
In: 172.18.18.45/46082 --> 202.82.130.199 *
Out: 202.82.130.199/2020 --> 119.145.16.241/24323;tcp, If: reth25.3001, Pkts: 0, Bytes: 0
Session ID: 234948, Policy name: Nutanix_Cluster-OWEN-EDIT/263, State: Backup, Timeout: 14292, Valid
In: 202.82.130.199/6688 --> 210.21.218.163/2020;tcp, If: reth25.3006, Pkts: 0, Bytes: 0
Out: 172.18.18.50/2020 --> 202.82.130.199/6688;tcp, If: reth4.500, Pkts: 0, Bytes: 0
Total sessions: 2
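An added example, not part of the original article: a Python check for step 9 that parses session output in the format shown above and reports sessions whose translation or matched policy differs from the intended destination NAT. The sample output is constructed, the public addresses in it are RFC 5737 documentation values, and the function names are illustrative.

```python
import re

# Constructed sample in "show security flow session" format; the public
# addresses are RFC 5737 documentation values (assumption, not from the page).
SAMPLE = """\
Session ID: 234948, Policy name: Nutanix_Cluster-OWEN-EDIT/263, State: Backup, Timeout: 14292, Valid
  In: 198.51.100.7/6688 --> 203.0.113.10/2020;tcp, If: reth25.3006, Pkts: 0, Bytes: 0
  Out: 172.18.18.50/2020 --> 198.51.100.7/6688;tcp, If: reth4.500, Pkts: 0, Bytes: 0
Session ID: 234950, Policy name: Nutanix_Cluster-OWEN-EDIT/263, State: Backup, Timeout: 14290, Valid
  In: 198.51.100.7/6690 --> 203.0.113.10/2009;tcp, If: reth25.3006, Pkts: 0, Bytes: 0
  Out: 172.18.18.45/2009 --> 198.51.100.7/6690;tcp, If: reth4.500, Pkts: 0, Bytes: 0
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^/,\s]+)/\d+")
FLOW = re.compile(r"(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), If: ([\w.\-/]+)")

def parse_sessions(text):
    """Return one dict per session: id, policy, and 'in'/'out' flow tuples."""
    sessions = []
    for line in text.splitlines():
        h = HEADER.search(line)
        f = FLOW.search(line)
        if h:
            sessions.append({"id": int(h.group(1)), "policy": h.group(2)})
        elif f and sessions:
            d, sip, sport, dip, dport, proto, ifc = f.groups()
            sessions[-1][d.lower()] = (sip, int(sport), dip, int(dport), proto, ifc)
    return sessions

def check_dnat(sessions, public_ip, private_ip, ports, policy):
    """Return (session id, problem) pairs for sessions to public_ip on a
    forwarded port whose translation or policy is not the intended one."""
    problems = []
    for s in sessions:
        if "in" not in s or "out" not in s:
            continue  # truncated entry: no flow pair to compare
        in_sip, in_sport, in_dip, in_dport = s["in"][:4]
        out_sip, out_sport, out_dip, out_dport = s["out"][:4]
        if in_dip != public_ip or in_dport not in ports:
            continue  # not traffic for this DNAT rule
        if (out_sip, out_sport) != (private_ip, in_dport):
            problems.append((s["id"], f"translated to {out_sip}/{out_sport}"))
        if (out_dip, out_dport) != (in_sip, in_sport):
            problems.append((s["id"], "reverse flow does not return to the client"))
        if s["policy"] != policy:
            problems.append((s["id"], f"matched policy {s['policy']}"))
    return problems

print(check_dnat(parse_sessions(SAMPLE), "203.0.113.10", "172.18.18.50", {2020, 2009}, "Nutanix_Cluster-OWEN-EDIT"))
```

An empty result means every session to the public address on a forwarded port was translated to the intended private host by the expected policy; the constructed second session is reported because it lands on 172.18.18.45 instead of 172.18.18.50.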