I've been breaking my head on how to change management to different ports and limit it to the correct source IPs. When I was in bed last night, an idea popped into my head, which I just tested. All seems to work fine and I want to share it with you, for a few kudos :)

This example is based on SSH/port 22, which I want available on port 1022 of the public IP. I don't see any limitation in doing this with other services like HTTP/HTTPS or FTP, but I did not test this yet.

1. Create a loopback interface with a dummy IP address.

2. Enable the management services on the loopback interface.

3. Create a new zone with a logical name, like mgmt, put the loopback interface in the zone and create an address book entry for the loopback interface.

4. (Not sure if this is mandatory) Enable source NAT for traffic initiated from the new zone. (This rule enables source NAT from zone trust and zone mgmt, from any address to any address, to the interface IP address.)

5. Create a destination NAT pool with the address of the loopback interface and the destination port of the service (in this case SSH):

[edit security nat destination pool show

6. Create a destination NAT rule with the public interface IP address as destination address. Use the destination port on which you want management to listen (in this case 1022), and use the destination NAT pool we created in step 5:

[edit security nat destination rule-set dnat-untrust rule show
destination-address x.x.x.x/32 // x.x.x.x = public IP address!!

7. Create a policy from zone untrust to zone mgmt to allow the management traffic. I chose source any and application any for this test, but you can of course limit this!!!

[edit security policies from-zone untrust to-zone show

Now you can use port 22 to NAT to a server behind the firewall (yes, I tested it). Do keep in mind that you have to disable the host-inbound services on the physical interface, otherwise the SRX itself keeps answering on port 22 instead of the NAT rule!!

[edit security zones security-zone untrust interfaces show

Example config of NATting port 22 to a server with IP 10.50.2.50:

[edit security zones security-zone trust show

Create a security policy to allow traffic to the server (of course you can limit the traffic again to a certain source):

[edit security policies from-zone untrust to-zone trust policy show

Why not use stateless firewall filters for access limiting on interfaces? One can use a prefix-list for the source addresses that are allowed to access the specific management services, then write a filter with one term that allows everything but the management services on UDP/TCP, and a second term that allows the host-inbound services for the prefix-list.
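The whole procedure above in set-command form, as an added example; this is not the author's configuration (the original screenshots did not survive) and the names are assumptions: lo0.1 with the dummy address 10.255.255.1/32, ge-0/0/0.0 as the untrust interface, the page's x.x.x.x placeholder for the public IP, and a constructed admin host 203.0.113.10/32 used to restrict the management policy instead of "source any". The lines starting with `#` are annotations to strip before pasting into configuration mode.

```junos
# Added example config, not the blog author's own. Assumptions: lo0.1 = 10.255.255.1/32,
# untrust interface ge-0/0/0.0, public IP x.x.x.x (placeholder as on the page),
# admin source 203.0.113.10/32 (constructed), server 10.50.2.50 as on the page.

# Steps 1-2: loopback with a dummy address; SSH is only enabled as host-inbound there
set interfaces lo0 unit 1 family inet address 10.255.255.1/32

# Step 3: mgmt zone holds the loopback, plus an address-book entry for it
set security zones security-zone mgmt interfaces lo0.1 host-inbound-traffic system-services ssh
set security zones security-zone mgmt address-book address lo0-mgmt 10.255.255.1/32

# Untrust: the physical interface has NO host-inbound system-services, so port 22 on the
# public IP is free for destination NAT (the author's "disable host-inbound-services")
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust address-book address admin-host 203.0.113.10/32

# Step 4 (author is unsure whether it is needed): interface source NAT for trust and mgmt
set security nat source rule-set snat-out from zone [ trust mgmt ]
set security nat source rule-set snat-out to zone untrust
set security nat source rule-set snat-out rule snat-any match source-address 0.0.0.0/0
set security nat source rule-set snat-out rule snat-any then source-nat interface

# Step 5: destination NAT pool = loopback address with the real service port 22
set security nat destination pool mgmt-ssh address 10.255.255.1/32 port 22

# Step 6: public-IP:1022 -> pool mgmt-ssh
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule mgmt-ssh-1022 match destination-address x.x.x.x/32
set security nat destination rule-set dnat-untrust rule mgmt-ssh-1022 match destination-port 1022
set security nat destination rule-set dnat-untrust rule mgmt-ssh-1022 then destination-nat pool mgmt-ssh

# Step 7: untrust -> mgmt policy. Policies match the post-NAT destination (the loopback),
# and the source is pinned to the admin host rather than "any"; sessions are logged.
set security policies from-zone untrust to-zone mgmt policy allow-mgmt-ssh match source-address admin-host
set security policies from-zone untrust to-zone mgmt policy allow-mgmt-ssh match destination-address lo0-mgmt
set security policies from-zone untrust to-zone mgmt policy allow-mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone mgmt policy allow-mgmt-ssh then permit
set security policies from-zone untrust to-zone mgmt policy allow-mgmt-ssh then log session-init

# Port 22 on the public IP is now free for the server 10.50.2.50 in zone trust
set security zones security-zone trust address-book address srv-ssh 10.50.2.50/32
set security nat destination pool srv-ssh address 10.50.2.50/32 port 22
set security nat destination rule-set dnat-untrust rule srv-ssh-22 match destination-address x.x.x.x/32
set security nat destination rule-set dnat-untrust rule srv-ssh-22 match destination-port 22
set security nat destination rule-set dnat-untrust rule srv-ssh-22 then destination-nat pool srv-ssh
set security policies from-zone untrust to-zone trust policy allow-srv-ssh match source-address any
set security policies from-zone untrust to-zone trust policy allow-srv-ssh match destination-address srv-ssh
set security policies from-zone untrust to-zone trust policy allow-srv-ssh match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-srv-ssh then permit
```

Two things to verify after committing: `show security nat destination rule all` should show hits on mgmt-ssh-1022 when you connect to x.x.x.x:1022, and `show security flow session destination-port 22` should show sessions towards 10.50.2.50 rather than towards the SRX itself, which confirms that no host-inbound SSH is left on ge-0/0/0.0.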
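The stateless-filter alternative from the closing paragraph, as an added example that is not from the blog: a prefix-list of allowed admin sources, one term that accepts the management ports only from that list, one term that drops the same ports from everybody else, and a final accept so transit traffic still reaches zone and policy processing. The prefixes 203.0.113.0/24 and 198.51.100.10/32, the interface ge-0/0/0.0 and the choice of SSH and HTTPS as management services are assumptions. The term order differs from the paragraph's (allow-list first, then discard) so that the denied attempts get their own counter.

```junos
# Added example, not the blog author's config. Assumptions: admin prefixes (constructed),
# untrust interface ge-0/0/0.0, management services SSH and HTTPS.
set policy-options prefix-list mgmt-sources 203.0.113.0/24
set policy-options prefix-list mgmt-sources 198.51.100.10/32

# Term 1: management ports are accepted only from the prefix-list
set firewall family inet filter untrust-in term mgmt-from-admins from source-prefix-list mgmt-sources
set firewall family inet filter untrust-in term mgmt-from-admins from protocol tcp
set firewall family inet filter untrust-in term mgmt-from-admins from destination-port [ ssh https ]
set firewall family inet filter untrust-in term mgmt-from-admins then accept

# Term 2: the same ports from anyone else are counted and discarded
set firewall family inet filter untrust-in term drop-other-mgmt from protocol [ tcp udp ]
set firewall family inet filter untrust-in term drop-other-mgmt from destination-port [ ssh https ]
set firewall family inet filter untrust-in term drop-other-mgmt then count mgmt-denied
set firewall family inet filter untrust-in term drop-other-mgmt then discard

# Term 3: everything else goes on to zone/policy processing (without it the filter's
# implicit discard would drop all transit traffic on the interface)
set firewall family inet filter untrust-in term allow-rest then accept

# Apply as input filter on the public interface
set interfaces ge-0/0/0 unit 0 family inet filter input untrust-in
```

The filter only decides who may reach the ports; the SRX still needs `host-inbound-traffic system-services ssh` (and `https`) on that interface's zone to answer, and the filter sees packets before destination NAT, so the port it matches is the one on the public IP. `show firewall counter filter untrust-in mgmt-denied` shows how many management attempts from outside the prefix-list were dropped.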