Enterasys Security Router User's Guide

+ The above optional NAPT commands use ACL 101 for the 200.2.2.0 network and ACL 102 for the 201.2.2.0 network
XSR(config-if<F2>)#ip nat source intf-static 10.1.1.1 203.2.2.1
+ The above optional command statically NATs packets from 10.1.1.1 to 203.2.2.1
NAT Port Forwarding
This scenario, as shown in Figure 5-16, illustrates NAT port forwarding. The connection is initiated by the PC at 172.20.2.1 to port 4003 on 200.2.2.1. The XSR's static NAT table is first checked for mappings. An entry is found for 200.2.2.1 (which happens to be the interface IP address, but is not required) with port 4003 mapping it to the PC at 10.1.1.1:23. The packet is then translated and forwarded to 10.1.1.1 destined for port 23.

The reply packet from the Telnet server once again passes through the static NAT at interface F2 and is forwarded to 172.20.2.1 as being from 200.2.2.1:4003.
Figure 5-16 NAT Port Forwarding
Enter the following commands to enable NAT Port Forwarding:
XSR(config)#interface fastethernet2
XSR(config-if<F2>)#ip address 200.2.2.1/24
XSR(config-if<F2>)#ip nat source intf-static tcp 10.1.1.1 23 200.2.2.1 4003
XSR(config-if<F2>)#ip nat source assigned overload
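The following Python model is an added example, not XSR firmware or code from this guide. It simulates the single static TCP mapping configured above (inside local 10.1.1.1:23, inside global 200.2.2.1:4003) and walks the Telnet request and its reply through the translation in both directions, plus an inbound packet to a port with no mapping, which the table does not translate. The client's ephemeral port 51000 and the second outside host 172.21.2.2 are constructed for the example.

```python
"""Simulation of the static NAT port-forwarding scenario (added example, not XSR code).

Models one 'ip nat source intf-static tcp 10.1.1.1 23 200.2.2.1 4003' mapping
on external interface F2 and applies it to constructed packets.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNatEntry:
    """One static mapping: inside local <-> inside global for a given protocol."""
    proto: str
    inside_local_ip: str
    inside_local_port: int
    inside_global_ip: str
    inside_global_port: int


class StaticNatTable:
    def __init__(self, entries):
        self.entries = list(entries)

    def translate_inbound(self, pkt):
        """Outside -> inside: rewrite the destination when it matches a mapping.
        Returns None when no entry matches (nothing is forwarded inside)."""
        for e in self.entries:
            if (pkt.proto == e.proto and pkt.dst_ip == e.inside_global_ip
                    and pkt.dst_port == e.inside_global_port):
                return replace(pkt, dst_ip=e.inside_local_ip, dst_port=e.inside_local_port)
        return None

    def translate_outbound(self, pkt):
        """Inside -> outside: rewrite the source so the reply appears to come
        from the global address and port the client originally contacted."""
        for e in self.entries:
            if (pkt.proto == e.proto and pkt.src_ip == e.inside_local_ip
                    and pkt.src_port == e.inside_local_port):
                return replace(pkt, src_ip=e.inside_global_ip, src_port=e.inside_global_port)
        return None


# The single mapping from the configuration above.
NAT_TABLE = StaticNatTable([StaticNatEntry("tcp", "10.1.1.1", 23, "200.2.2.1", 4003)])


def forward_request(table=NAT_TABLE):
    """Telnet SYN from the PC at 172.20.2.1 to 200.2.2.1:4003 (constructed packet;
    source port 51000 is an assumed ephemeral port)."""
    syn = Packet("tcp", "172.20.2.1", 51000, "200.2.2.1", 4003)
    return table.translate_inbound(syn)


def forward_reply(table=NAT_TABLE):
    """SYN/ACK from the Telnet server 10.1.1.1:23 back to the PC (constructed)."""
    reply = Packet("tcp", "10.1.1.1", 23, "172.20.2.1", 51000)
    return table.translate_outbound(reply)


def unmatched_request(table=NAT_TABLE):
    """An inbound packet to a port with no static mapping is left untranslated (None)."""
    probe = Packet("tcp", "172.21.2.2", 51001, "200.2.2.1", 22)
    return table.translate_inbound(probe)


if __name__ == "__main__":
    print("request  ->", forward_request())
    print("reply    ->", forward_reply())
    print("unmatched->", unmatched_request())
```

Only the one configured global port reaches the inside host; any other inbound destination port returns None from the table, which is the behaviour to expect when checking that a port-forwarding rule exposes exactly the service intended.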
Configuring Policy Based Routing Example
The following example configures PBR to forward to a next-hop router:
XSR(config)#access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
The commands below configure GigabitEthernet interface 1 with an IP address, and enable PBR with the ip policy command:
XSR(config)#interface GigabitEthernet 1
XSR(config-if<G1>)#ip address 192.168.5.1 255.255.255.0
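As an added example (not XSR code or part of this guide), the following Python parses the access-list 101 line above, applies wildcard-mask matching to source and destination addresses, and returns the policy next hop for flows the ACL permits. The next-hop router address 192.168.5.254 is an assumed placeholder, since the lines above do not give one; the sample addresses are constructed.

```python
"""Wildcard-mask ACL matching and PBR next-hop selection (added example, not XSR code)."""
import ipaddress


def parse_acl_line(line):
    """Parse 'access-list <n> permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard>'.
    A wildcard is an inverse mask: 0 bits must match, 1 bits are don't-care."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError("unsupported ACL syntax: " + line)
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return {
        "number": int(parts[1]),
        "action": parts[2],
        "src": (to_int(parts[4]), to_int(parts[5])),
        "dst": (to_int(parts[6]), to_int(parts[7])),
    }


def wildcard_match(addr, network, wildcard):
    """True when every bit that is 0 in the wildcard agrees between addr and network."""
    return ((int(ipaddress.IPv4Address(addr)) ^ network) & ~wildcard & 0xFFFFFFFF) == 0


def acl_matches(acl, src_ip, dst_ip):
    return wildcard_match(src_ip, *acl["src"]) and wildcard_match(dst_ip, *acl["dst"])


# The ACL from the example above.
ACL_101 = parse_acl_line("access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255")

# Assumed next-hop router for the policy; not given in the lines above.
POLICY_NEXT_HOP = "192.168.5.254"


def select_next_hop(src_ip, dst_ip, acl=ACL_101, policy_next_hop=POLICY_NEXT_HOP):
    """Return the PBR next hop when the ACL permits the flow; None means the
    packet falls through to normal destination-based routing."""
    if acl["action"] == "permit" and acl_matches(acl, src_ip, dst_ip):
        return policy_next_hop
    return None


if __name__ == "__main__":
    # Constructed sample flows: only the first matches both ACL clauses.
    for src, dst in [("10.10.10.7", "192.168.5.20"),
                     ("10.10.11.7", "192.168.5.20"),
                     ("10.10.10.7", "192.168.6.20")]:
        print(src, "->", dst, ":", select_next_hop(src, dst) or "normal routing")
```

Because the ACL decides which traffic the policy steers, checking the wildcard arithmetic against a few addresses just inside and outside each range is the quickest way to confirm that the policy does not silently redirect more than the intended /24 pairs.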
[Figure 5-16 (NAT Port Forwarding) diagram text: the PC at 172.20.2.1 on the outside (Internet) sends a Telnet SYN request with SA 172.20.2.1, DA 200.2.2.1:4003 to the XSR's external interface F2; the XSR forwards it on its internal interface with DA 10.1.1.1 to the inside host that runs a Telnet server at port 23; the reply leaves with SA 200.2.2.1, DA 172.20.2.1. Other hosts shown: 172.21.2.2 (outside), 10.1.1.2 (inside).]

NAT Table
Protocol   Inside local IP Address   Inside global IP Address
TCP        10.1.1.1:23               200.2.2.1:4003