2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Basic Concepts of "Zone", "Routing" and "Policy" in NetScreen
The concept of a "zone" is defined by NetScreen itself, and it is the unit used in many NetScreen configuration operations. The zone is set in each physical interface's properties (main menu -> Network -> Interfaces), or changed from the command line with:
-> set interface <interface number> zone <zone name>
The common zones are Trust and Untrust. Here are some guidelines to keep in mind:
1) By default, the Trust and Untrust zones are bound to the trust-vr virtual router.
2) If two physical ports are bound to the Trust zone at the same time, they can reach each other directly (that is, routing and policy both pass by default).
3) If two physical ports are bound to the Untrust zone at the same time, they cannot reach each other directly (routing passes, but policy does not). To let them access each other, add a policy of "object: Untrust -> Untrust, address: Any -> Any, behavior: Permit".
4) If two physical ports are bound to the Trust and Untrust zones respectively, they cannot access each other even though the routing between them works (this requires no configuration, because by default they are both on the same routing table, the trust-vr virtual routing table). Mutual access policies must be added under Policies (that is, policy between the two zones is "deny all" by default).
"Routing" is called a virtual router in NetScreen, and trust-vr and untrust-vr exist by default. There are several ways to set up a virtual routing table; its settings are under Network -> Routing in the main menu of the Web UI. The current mapping between virtual routers and zones is shown under Network -> Binding in the Web UI (these bindings can also be changed by us). One thing to note: leaving other factors aside (mainly "policy"), routing works between all physical ports under the same virtual routing table.
"Policy" is mostly used to implement packet filtering and NAT. It is set directly through Policies in the main menu of the Web UI, and it mainly takes the "zone" as its object unit. A policy is required when you configure cross-zone access or NAT masquerading of network addresses. Two examples:
1) Two rules must be added to allow mutual access between a physical port in the Trust zone and a physical port in the Untrust zone:
Rule 1:
  Object: Trust -> Untrust
  Address: Any -> Any
  Behavior: Permit
Rule 2:
  Object: Untrust -> Trust
  Address: Any -> Any
  Behavior: Permit
2) To configure the Trust zone to reach the Untrust zone through NAT masquerading:
  Object: Trust -> Untrust
  Address: Any -> Any
  Advanced (the "Advanced" button in the rule settings interface is activated): the Destination Translation address is set to the network segment of Untrust
  Behavior: Permit
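The default behaviour in guidelines 1) to 4) and the effect of the policy rules above can be checked with a small model. This is an added example, not code from the article or from NetScreen: it is a simplified Python model, and the class names, function names and port names (eth1, eth2, ...) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Defaults as the article states them (simplified model, not ScreenOS code).
DEFAULT_VR = {"Trust": "trust-vr", "Untrust": "trust-vr"}  # guideline 1
INTRAZONE_BLOCK = {"Trust": False, "Untrust": True}        # guidelines 2, 3

@dataclass(frozen=True)
class Interface:
    name: str   # constructed port names, e.g. "eth1"
    zone: str

@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str = "Any"
    dst: str = "Any"
    action: str = "Permit"

def routed(a, b, vr=DEFAULT_VR):
    """Ports route to each other when their zones share a virtual router."""
    return vr[a.zone] == vr[b.zone]

def policy_allows(a, b, policies):
    """First policy for the zone pair decides; else the zone default applies.
    Addresses are not matched because the article only uses Any -> Any."""
    for p in policies:
        if (p.from_zone, p.to_zone) == (a.zone, b.zone):
            return p.action == "Permit"
    if a.zone == b.zone:
        return not INTRAZONE_BLOCK[a.zone]
    return False  # guideline 4: cross-zone traffic is denied by default

def can_reach(a, b, policies=(), vr=DEFAULT_VR):
    """Traffic passes only when routing and policy both allow it."""
    return routed(a, b, vr) and policy_allows(a, b, policies)

def any_any_permits(policies):
    """List cross-zone Any -> Any permits so they can be reviewed and narrowed."""
    return [p for p in policies if p.action == "Permit"
            and p.from_zone != p.to_zone and (p.src, p.dst) == ("Any", "Any")]

if __name__ == "__main__":
    e1, e2, e3 = (Interface("eth1", "Trust"), Interface("eth2", "Trust"),
                  Interface("eth3", "Untrust"))
    rules = [Policy("Trust", "Untrust"), Policy("Untrust", "Trust")]
    print(can_reach(e1, e2), can_reach(e1, e3), can_reach(e1, e3, rules))
    print(any_any_permits(rules))
```

Rule 2 of the first example (Untrust -> Trust, Any -> Any, Permit) is one of the entries any_any_permits returns, which makes it easy to spot rules that should be narrowed to specific addresses before deployment.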