Netflow – Amer Networks WLO220T CLI User Manual
Page 65

CLI Reference Guide, Command Descriptions: policy
src
    Performs NAT-src on traffic to which the policy applies. The device can perform NAT-src using the egress interface IP address (in which case, you do not specify a DIP pool) or with addresses from a Dynamic IP (DIP) pool:
    dip-id id_num
        Specifies the ID number of a DIP pool. This number can be between 4 and 255.
dst
    Performs NAT-dst on traffic to which the policy applies. The following three options for NAT-dst are supported:
    ip addr1
        Translates the original destination address to the address specified in the policy. The device does not translate the original port number.
    ip addr1 addr2
        Translates the original destination IP address from one range of addresses to an address in another range of addresses. The device maintains a consistent mapping of an original destination address to a translated address within the specified range using a technique called address shifting.
    ip addr1 port port_num
        Translates the original destination address and port number to the address and port number specified in the policy.
Example
The following command creates a policy that applies NAT-src on all traffic from any address in the
Trust zone to any address in the Untrust zone and specifies DIP pool 8:
set policy from trust to untrust any any any nat src dip-id 8 permit
Example
The following commands create an address (1.1.1.5/32) named v-addr1 in the DMZ zone and a
policy that applies NAT-dst on HTTP traffic from any address in the Untrust zone to the virtual
destination address v-addr1 in the DMZ zone. The device translates the destination address from
1.1.1.5 to 10.2.2.5:
set address dmz v-addr1 1.1.1.5/32
set policy from untrust to dmz any v-addr1 http nat dst ip 10.2.2.5 permit
Example
The following command combines NAT src (source) and dst (destination):
set policy from trust to untrust any any any nat src dip-id 8 dst ip 10.2.2.5 permit
netflow
set policy ... [netflow] schedule schedule-name
netflow
    This command marks the policy as a netflow candidate.
Example
The following commands create an address named web-server (10.10.10.100) in the Trust zone and a
policy that permits HTTPS traffic from any address in the Untrust zone to web-server, and mark
this policy as a netflow candidate:
set address trust web-server 10.10.10.100
set policy from untrust to trust any web-server https permit netflow
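The following Python sketch is an added example, not part of the manual or the vendor's software. It parses set policy lines of the forms shown in the examples above and lists permit policies from the Untrust zone that are not marked as netflow candidates. The grammar is inferred only from this page's examples, and the function names and the check itself are assumptions made for illustration.

```python
# Constructed sample: the four policy commands from this page's examples.
SAMPLE = """\
set policy from trust to untrust any any any nat src dip-id 8 permit
set policy from untrust to dmz any v-addr1 http nat dst ip 10.2.2.5 permit
set policy from trust to untrust any any any nat src dip-id 8 dst ip 10.2.2.5 permit
set policy from untrust to trust any web-server https permit netflow
"""

def parse_policy(line):
    """Parse one 'set policy from Z1 to Z2 SRC DST SVC ...' line into a dict.

    Returns None for anything else (for example 'set address' lines).
    Grammar is an assumption inferred from the examples on this page.
    """
    tok = line.split()
    if len(tok) < 9 or tok[:3] != ["set", "policy", "from"] or tok[4] != "to":
        return None
    pol = dict(zip(("from", "to", "src", "dst", "service"),
                   (tok[3], tok[5], tok[6], tok[7], tok[8])))
    pol.update(nat_src=None, nat_dst=None, permit=False, netflow=False)
    rest, i = tok[9:], 0
    while i < len(rest):
        word = rest[i]
        if word == "src":
            # 'dip-id N' selects a DIP pool; bare 'src' uses the egress interface IP
            if rest[i + 1:i + 2] == ["dip-id"]:
                pol["nat_src"], i = " ".join(rest[i + 1:i + 3]), i + 2
            else:
                pol["nat_src"] = "egress-interface"
        elif word == "dst" and rest[i + 1:i + 2] == ["ip"]:
            # addr1, then optionally addr2 or 'port port_num', up to the next keyword
            j = i + 2
            while j < len(rest) and rest[j] not in ("src", "permit", "netflow"):
                j += 1
            pol["nat_dst"], i = " ".join(rest[i + 2:j]), j - 1
        elif word in ("permit", "netflow"):
            pol[word] = True
        i += 1
    return pol

def unmonitored_permits(config, zone="untrust"):
    """Return permit policies sourced from `zone` that are not netflow candidates."""
    pols = [p for p in map(parse_policy, config.splitlines()) if p]
    return [p for p in pols if p["permit"] and p["from"] == zone and not p["netflow"]]

if __name__ == "__main__":
    for p in unmonitored_permits(SAMPLE):
        print("no netflow:", p["from"], "->", p["to"], p["dst"], p["service"],
              "nat-dst:", p["nat_dst"])
```

Run against the sample, the check reports only the NAT-dst HTTP policy to v-addr1, since the HTTPS policy to web-server already carries the netflow keyword.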