Configure one-to-one IP address mapping to access devices on Internal network
    
Applicable to Version: 10.00 onwards
 
This article is a detailed configuration example that demonstrates how to configure Cyberoam to give Internet users access to internal resources through one-to-one IP address mapping.

Article covers how to

·       Create virtual host

·       Create firewall rule to allow the inbound traffic
 

Virtual host

Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam.

Virtual Host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address. This virtual host is used as the Destination address in firewall rules to access an internal or DMZ server.

A Virtual host can be a single IP address, an IP address range, or a Cyberoam interface itself. Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP address of the Virtual host.


Sample schema
 
Throughout the article we will use the network parameters displayed in the below given network diagram. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public servers, i.e. the mail and web servers, are hosted in the DMZ.
  

Network components   External IP address (Public)   IP address (Internal)
Web server           203.88.135.208                 192.168.1.4 (Mapped)
Mail server          204.88.135.192                 192.168.1.15 (Mapped)

 

For virtual host:

External IP: IP address through which Internet users access the internal server.

Mapped IP: IP address bound to the internal server.
 
  

Configuration 

The entire configuration is to be done from the Web Admin Console by a user having the Administrator profile.

Step 1: Create virtual host for Web server

Go to Firewall --> Virtual Host and click on the "Add" button to add a virtual host with the parameters specified in the sample schema.

In our example, Internet users will access the internal web server using public IP 203.88.135.208, which is mapped to local IP 192.168.1.4. In other words, all inbound requests for 203.88.135.208 will be forwarded to 192.168.1.4.

 

Parameter       Value
Name            WebServer
External IP     203.88.135.208   (the public IP address through which Internet users access the internal server/host)
Mapped IP       192.168.1.4      (the IP address to which the external IP address is mapped, i.e. the actual private IP address of the host being accessed using the virtual host)
Physical Zone   DMZ

 

Click on OK and the Virtual Host ‘WebServer’ is added successfully.

Note

·         If servers are hosted on the LAN, change the Physical Zone to LAN.

·         In case you have custom zones, change the Physical Zone accordingly.

·         Public IP address is the IP address through which Internet users access the internal server/host. If the public IP address is already configured as the main Interface IP or an alias IP, use the option Interface IP to select it as the external IP; otherwise create a host for the IP and select it from the IP address list.
 

Step 2: Create virtual host for Mail server
 
Go to Firewall --> Virtual Host and click on the "Add" button to add a virtual host with the parameters specified in the sample schema.

In our example, Internet users will access the internal mail server using public IP 203.88.135.192, which is mapped to local IP 192.168.1.15. In other words, all inbound requests for 203.88.135.192 will be forwarded to 192.168.1.15.

 

Parameter       Value
Name            MailServer
External IP     203.88.135.192   (the public IP address through which Internet users access the internal server/host)
Mapped IP       192.168.1.15     (the IP address to which the external IP address is mapped, i.e. the actual private IP address of the host being accessed using the virtual host)
Physical Zone   DMZ

 

Click on OK and the Virtual Host ‘MailServer’ is added successfully.
 

 
Step 3: Loopback firewall rule

Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. By default, the loopback firewall rule is created to allow all services. One can edit this rule and allow only the required service or group of services as per the needs of the application.

Loopback rules allow internal users in the same zone to access the internal resources using their public IP (external IP) or FQDN.

For our example, a DMZ to DMZ firewall rule is created because the mapped IP address of the virtual host belongs to the DMZ interface subnet.

Check the creation of the loopback rule from Firewall --> Rule.
 
 
 
Step 4: Add Firewall rules
 

Rule 1

 

Go to Firewall --> Rule and add a firewall rule for WebServer with the parameters displayed in the below given screens.
 
For example, here we have created a rule to allow only the HTTP service for WebServer.
 
 
 
 
Click OK and the Firewall Rule will be created successfully.
 
Rule 2
 
Go to Firewall --> Rule and add a firewall rule for MailServer with the parameters displayed in the below given screens.
 
For example, here we have created a rule to allow only the SMTP service for MailServer.
 
 
 
Click OK and the Firewall Rule will be created successfully.
 

Note

·         Change the Destination Zone according to the actual server location (zone).

·         Change the Services as per your application requirement. One can create a rule and allow only the required service or group of services as per the needs of the application. To allow a group or list of services, first create a service/service group from Object --> Services and select it in the above option while creating the firewall rule.
 

 
To create firewall rules that allow internal users to access resources in the DMZ using their public IP (external IP) or FQDN, follow the below mentioned steps.
 
Go to Firewall --> Rule and add a firewall rule for each server with the parameters displayed in the below given screens.
 
 

 
Click OK and the Firewall Rule for Web Server will be created successfully. 
 
 
 
Click OK and the Firewall Rule for Mail Server will be created successfully.
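Added example, not part of the Cyberoam article: a small Python model of how the virtual hosts (one-to-one DNAT) and the zone/service firewall rules configured above decide an inbound packet. Addresses and zones are the article's sample values; the DMZ subnet, the LAN subnet, the client addresses and the rule evaluation order are assumptions made for the model.

```python
from ipaddress import ip_address, ip_network

# Virtual hosts from Steps 1 and 2: external (public) IP -> (mapped IP, physical zone)
VIRTUAL_HOSTS = {
    "203.88.135.208": ("192.168.1.4", "DMZ"),   # WebServer
    "203.88.135.192": ("192.168.1.15", "DMZ"),  # MailServer
}

# Assumed zone subnets (constructed for the model); anything else is treated as WAN.
ZONES = {"DMZ": ip_network("192.168.1.0/24"), "LAN": ip_network("10.0.0.0/8")}

SERVICES = {"HTTP": 80, "SMTP": 25}

# Firewall rules as (source zone, destination zone, virtual host mapped IP, allowed services).
# WAN->DMZ entries are Rule 1 and Rule 2 from Step 4; DMZ->DMZ entries are the loopback
# rules from Step 3 (the article says they allow all services by default; here they are
# edited down to the required service as the article recommends); LAN->DMZ entries are
# the internal-user rules from the last section.
RULES = [
    ("WAN", "DMZ", "192.168.1.4", {"HTTP"}),
    ("WAN", "DMZ", "192.168.1.15", {"SMTP"}),
    ("DMZ", "DMZ", "192.168.1.4", {"HTTP"}),
    ("DMZ", "DMZ", "192.168.1.15", {"SMTP"}),
    ("LAN", "DMZ", "192.168.1.4", {"HTTP"}),
    ("LAN", "DMZ", "192.168.1.15", {"SMTP"}),
]


def zone_of(ip):
    """Map a source address to its zone; unknown addresses come from WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(src_ip, dst_ip, dst_port):
    """Return (action, translated destination) for a packet sent to a public IP."""
    if dst_ip not in VIRTUAL_HOSTS:
        return ("DROP", None)  # no virtual host answers for this public IP
    mapped_ip, dst_zone = VIRTUAL_HOSTS[dst_ip]  # DNAT happens before rule lookup
    src_zone = zone_of(src_ip)
    for rule_src, rule_dst, rule_host, allowed in RULES:
        if (rule_src, rule_dst, rule_host) == (src_zone, dst_zone, mapped_ip):
            if any(SERVICES[s] == dst_port for s in allowed):
                return ("ACCEPT", (mapped_ip, dst_port))
            return ("DROP", (mapped_ip, dst_port))  # service not in the rule
    return ("DROP", (mapped_ip, dst_port))  # no rule for this zone pair
```

Running evaluate() with a WAN client against 203.88.135.208 on port 80 accepts and translates to 192.168.1.4, while the same client on port 25 is dropped, which is the least-privilege effect of allowing only the required service in each rule.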
 
 
Document version -1.0-11/05/2011