asengar (Staff)
Article Id 247631
Description

This article describes the outgoing-traffic behavior when a VIP is created without port forwarding and without an IP pool, and only NAT is enabled in the firewall policy.
Scope

FortiGate.

Solution

Topology:

 

User Machine <--------> FW <-------> Internet

 

Tested IPs in LAB on version 7.0.9:

 

Server IP: 10.222.3.129

Interface IP: 10.5.22.121

VIP Created: 10.5.22.122 <-------> 10.222.3.129

Outgoing interface: Port1

Incoming interface: Port3

 

SNAT with VIP.

 

CLI Configuration:

1) Create a normal firewall policy for internet access:

# config firewall policy
    edit 1
        set name "internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

 

2) Configure a firewall policy that references the VIP:

# config firewall policy
    edit 2
        set name "TEST-VIP"
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Test-VIP"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

 

3) VIP configuration:

# config firewall vip
    edit "Test-VIP"
        set extip 10.5.22.122
        set mappedip "10.222.3.129"
        set extintf "any"
    next
end

 

4) Traffic flow in different scenarios.

Traffic flow with a one-to-one VIP mapping, without port forwarding and without an IP pool (the server's outbound traffic is source-NATed to the VIP external IP, 10.5.22.122):

id=20085 trace_id=125 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
id=20085 trace_id=125 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=125 func=__iprope_check_one_reverse_dnat_policy line=1255 msg="new-ip=10.5.22.122, new-port=0"
id=20085 trace_id=125 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=125 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=125 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.122:1"
id=20085 trace_id=126 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:1->10.5.22.122:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=1, seq=57346."

 

Traffic flow without port forwarding but with an IP pool on the policy (the IP pool address, 10.5.22.121, is used for SNAT even though the VIP still matches on the reverse DNAT check):

id=20085 trace_id=109 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.222.3.129:1->1.1.1.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=57327."
id=20085 trace_id=109 func=init_ip_session_common line=6050 msg="allocate a new session-0049434f, tun_id=0.0.0.0"
id=20085 trace_id=109 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.31.254 via port1"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.22.121(from IPPOOL), port-60417"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=109 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=109 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=109 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
id=20085 trace_id=110 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:60417->10.5.22.121:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60417, seq=57327."

 

Traffic flow with port forwarding enabled on the VIP and no IP pool (no DNAT match is found for the outbound session, so the interface IP, 10.5.22.121, is used for SNAT):

id=20085 trace_id=117 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
id=20085 trace_id=117 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=117 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=117 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
id=20085 trace_id=118 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:60417->10.5.22.121:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60417, seq=57339."

 

Note:

When the VIP is created without port forwarding and the outbound policy has no IP pool, traffic leaving from the mapped server is source-NATed to the VIP external IP address (10.5.22.122) instead of the outgoing interface IP address (10.5.22.121). This happens because the firewall first runs the reverse DNAT check for the server's source address (the 'find DNAT: IP-10.5.22.122' line in the trace), finds the one-to-one VIP, and uses that mapping for SNAT. When an IP pool is set on the policy, or when the VIP uses port forwarding, the pool address or the interface address is used instead, as the traces above show.
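The following Python script is an added example, not part of the original article or of FortiOS. It parses 'diagnose debug flow' trace lines in the format shown above, works out which address each session was source-NATed to, and labels where that address came from (VIP external IP via the reverse DNAT match, an IP pool, or the interface IP). It also lists sessions that egressed with a VIP external IP, which is the case an operator usually wants to spot when an upstream device only allow-lists the interface address. The sample traces are the ones shown above with the extraction line-wrapping repaired; the VIP and interface addresses are taken from the lab values in this article, and the precedence rule (IP pool first, then VIP, then interface) is an assumption derived from those three traces.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Trace lines as produced by `diagnose debug flow`, copied from the traces above
# with extraction line-wrapping repaired (only the NAT-relevant lines are kept).
TRACE_VIP_ONLY = """\
id=20085 trace_id=125 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
id=20085 trace_id=125 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=125 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=125 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.122:1"
id=20085 trace_id=126 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:1->10.5.22.122:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=1, seq=57346."
"""
TRACE_IPPOOL = """\
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.22.121(from IPPOOL), port-60417"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=109 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=109 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
"""
TRACE_PORTFWD = """\
id=20085 trace_id=117 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
id=20085 trace_id=117 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=117 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
"""
VIP_EXTIPS = {"10.5.22.122"}      # extip of "Test-VIP" from the article's lab
INTERFACE_IPS = {"10.5.22.121"}   # port1 address from the article's lab

# One trace line: id=<n> trace_id=<n> func=<name> line=<n> msg="<text>"
LINE_RE = re.compile(
    r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
RUN_SNAT_RE = re.compile(r'^SNAT (?P<orig>[\d.]+)->(?P<new>[\d.]+):(?P<port>\d+)$')
FIND_SNAT_RE = re.compile(r'^find SNAT: IP-(?P<ip>[\d.]+)\((?P<src>[^)]*)\), port-(?P<port>\d+)$')
FIND_DNAT_RE = re.compile(r'^find DNAT: IP-(?P<ip>[\d.]+), port-(?P<port>\d+)')


@dataclass
class SnatResult:
    trace_id: str
    original_ip: str = ""
    translated_ip: str = ""
    translated_port: int = 0
    reverse_dnat_checked: bool = False  # __iprope_check_one_reverse_dnat_policy seen
    dnat_match_ip: str = ""             # address from "find DNAT" (the VIP extip)
    ippool_ip: str = ""                 # address from "find SNAT ... (from IPPOOL)"
    source: str = "unknown"             # vip-external-ip | ip-pool | interface-ip | unknown


def parse_trace(text: str) -> list[dict]:
    """Split trace output into id/trace_id/func/line/msg fields; non-matching lines are skipped."""
    parsed = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def classify_snat(text: str, vip_extips: set[str], interface_ips: set[str]) -> dict[str, SnatResult]:
    """Return one SnatResult per trace_id that applied SNAT, with the address source labelled.

    Precedence (assumed from the three traces): an IP pool hit wins; otherwise a reverse
    DNAT (VIP) match makes the VIP external IP the SNAT address; otherwise the interface IP.
    """
    results: dict[str, SnatResult] = {}
    for rec in parse_trace(text):
        r = results.setdefault(rec["trace"], SnatResult(trace_id=rec["trace"]))
        func, msg = rec["func"], rec["msg"]
        if func == "__iprope_check_one_reverse_dnat_policy":
            r.reverse_dnat_checked = True
        elif func == "get_new_addr":
            if (m := FIND_DNAT_RE.match(msg)):
                r.dnat_match_ip = m["ip"]
            elif (m := FIND_SNAT_RE.match(msg)) and "IPPOOL" in m["src"].upper():
                r.ippool_ip = m["ip"]
        elif func == "__ip_session_run_tuple" and (m := RUN_SNAT_RE.match(msg)):
            r.original_ip, r.translated_ip = m["orig"], m["new"]
            r.translated_port = int(m["port"])

    out: dict[str, SnatResult] = {}
    for tid, r in results.items():
        if not r.translated_ip:          # reply-direction traces carry no SNAT line
            continue
        if r.ippool_ip and r.translated_ip == r.ippool_ip:
            r.source = "ip-pool"
        elif r.translated_ip in vip_extips and r.dnat_match_ip == r.translated_ip:
            r.source = "vip-external-ip"
        elif r.translated_ip in interface_ips:
            r.source = "interface-ip"
        out[tid] = r
    return out


def vip_egress_sessions(results: dict[str, SnatResult]) -> list[str]:
    """Trace ids whose outbound traffic left with a VIP external IP rather than the interface IP."""
    return sorted(t for t, r in results.items() if r.source == "vip-external-ip")


if __name__ == "__main__":
    for label, trace in (("vip only", TRACE_VIP_ONLY), ("ip pool", TRACE_IPPOOL), ("port-forward", TRACE_PORTFWD)):
        res = classify_snat(trace, VIP_EXTIPS, INTERFACE_IPS)
        for tid, r in res.items():
            print(f"{label:13s} trace {tid}: {r.original_ip} -> {r.translated_ip}:{r.translated_port} [{r.source}]")
        print(f"{label:13s} sessions egressing with a VIP IP: {vip_egress_sessions(res)}")
```

Feed it the raw output of 'diagnose debug flow' for a session from the mapped server; a result of vip-external-ip confirms the behavior described in the note above, and an empty list from vip_egress_sessions confirms that an IP pool or port-forwarding VIP has changed it.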
