NAT mode
In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal network to access the FTP server.
This configuration requires the following steps:
Configure VDOM-A
VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.
The per-VDOM configuration for VDOM-A includes the following:
- A firewall address for the internal network
- A static route to the ISP gateway
- A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.
To add the firewall addresses in the GUI:
- Go to Policy & Objects > Addresses and create a new address.
- Enter the following information:
  - Name: internal-network
  - Type: Subnet
  - Subnet / IP Range: 192.168.10.0/255.255.255.0
  - Interface: port1
- Click OK.
To add the firewall addresses with the CLI:
    config vdom
        edit VDOM-A
            config firewall address
                edit internal-network
                    set associated-interface port1
                    set subnet 192.168.10.0 255.255.255.0
                next
            end
        next
    end
To add a default route in the GUI:
- Go to Network > Static Routes and create a new route.
- Enter the following information:
  - Destination: Subnet
  - IP address: 0.0.0.0/0.0.0.0
  - Gateway: 172.20.201.7
  - Interface: wan1
  - Distance: 10
- Click OK.
To add a default route with the CLI:
    config vdom
        edit VDOM-A
            config router static
                edit 0
                    set gateway 172.20.201.7
                    set device wan1
                next
            end
        next
    end
To add the security policy in the GUI:
- Go to Policy & Objects > Firewall Policy and create a new policy.
- Enter the following information:
  - Name: VDOM-A-Internet
  - Incoming Interface: port1
  - Outgoing Interface: wan1
  - Source: internal-network
  - Destination: all
  - Schedule: always
  - Service: ALL
  - Action: ACCEPT
  - NAT: enabled
- Click OK.
To add the security policy with the CLI:
    config vdom
        edit VDOM-A
            config firewall policy
                edit 1
                    set name "VDOM-A-Internet"
                    set srcintf "port1"
                    set dstintf "wan1"
                    set srcaddr "internal-network"
                    set dstaddr "all"
                    set action accept
                    set schedule "always"
                    set service "ALL"
                    set nat enable
                next
            end
        next
    end
Configure VDOM-B
VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
- A firewall address for the FTP server
- A virtual IP address for the FTP server
- A static route to the ISP gateway
- A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.
To add the firewall addresses in the GUI:
- Go to Policy & Objects > Addresses and create a new address.
- Enter the following information:
  - Address Name: FTP-server
  - Type: Subnet
  - Subnet / IP Range: 192.168.20.10/32
  - Interface: port2
  - Show in Address List: enabled
- Click OK.
To add the firewall addresses with the CLI:
    config vdom
        edit VDOM-B
            config firewall address
                edit FTP-server
                    set associated-interface port2
                    set subnet 192.168.20.10 255.255.255.255
                next
            end
        next
    end
To add the virtual IP address in the GUI:
- Go to Policy & Objects > Virtual IPs and create a new virtual IP address.
- Enter the following information:
  - Name: FTP-server-VIP
  - Interface: wan2
  - External IP Address/Range: 172.25.177.42
  - Internal IP Address/Range: 192.168.20.10
- Click OK.
To add the virtual IP address with the CLI:
    config vdom
        edit VDOM-B
            config firewall vip
                edit FTP-server-VIP
                    set extip 172.25.177.42
                    set extintf wan2
                    set mappedip 192.168.20.10
                next
            end
        next
    end
To add a default route in the GUI:
- Go to Network > Static Routes and create a new route.
- Enter the following information:
  - Destination: Subnet
  - IP address: 0.0.0.0/0.0.0.0
  - Gateway: 172.20.10.10
  - Interface: wan2
  - Distance: 10
- Click OK.
To add a default route with the CLI:
    config vdom
        edit VDOM-B
            config router static
                edit 0
                    set gateway 172.20.10.10
                    set device wan2
                next
            end
        next
    end
To add the security policy in the GUI:
- Go to Policy & Objects > Firewall Policy and create a new policy.
- Enter the following information:
  - Name: Access-server
  - Incoming Interface: wan2
  - Outgoing Interface: port2
  - Source: all
  - Destination: FTP-server-VIP
  - Schedule: always
  - Service: FTP
  - Action: ACCEPT
  - NAT: enabled
- Click OK.
To add the security policy with the CLI:
    config vdom
        edit VDOM-B
            config firewall policy
                edit 1
                    set name "Access-server"
                    set srcintf "wan2"
                    set dstintf "port2"
                    set srcaddr "all"
                    set dstaddr "FTP-server-VIP"
                    set action accept
                    set schedule "always"
                    set service "FTP"
                    set nat enable
                next
            end
        next
    end
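As an added example (not part of the Fortinet guide or its CLI), the following Python parses CLI blocks of the config/edit/set/next/end shape used in both the VDOM-A and VDOM-B sections and checks the point the per-VDOM layout depends on: every address or VIP a policy references must be defined in that same VDOM. PAGE_CLI is built from this page's own CLI blocks; CROSS_VDOM_CLI appends a constructed, hypothetical policy 2 in VDOM-A that references the VIP only defined in VDOM-B.

```python
import shlex
KEYWORDS = {"config", "edit", "set", "next", "end"}
# Constructed sample: the CLI blocks shown on this page, in their one-line form.
PAGE_CLI = " ".join([
    'config vdom edit VDOM-A config firewall address edit internal-network set associated-interface port1 set subnet 192.168.10.0 255.255.255.0 next end next end',
    'config vdom edit VDOM-A config firewall policy edit 1 set name "VDOM-A-Internet" set srcintf "port1" set dstintf "wan1" set srcaddr "internal-network" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end next end',
    'config vdom edit VDOM-B config firewall address edit FTP-server set associated-interface port2 set subnet 192.168.20.10 255.255.255.255 next end next end',
    'config vdom edit VDOM-B config firewall vip edit FTP-server-VIP set extip 172.25.177.42 set extintf wan2 set mappedip 192.168.20.10 next end next end',
    'config vdom edit VDOM-B config firewall policy edit 1 set name "Access-server" set srcintf "wan2" set dstintf "port2" set srcaddr "all" set dstaddr "FTP-server-VIP" set action accept set schedule "always" set service "FTP" set nat enable next end next end',
])
# Constructed mistake (hypothetical policy 2): VDOM-A referencing the VIP that only exists in VDOM-B.
CROSS_VDOM_CLI = PAGE_CLI + ' config vdom edit VDOM-A config firewall policy edit 2 set srcintf "port1" set dstintf "wan1" set srcaddr "internal-network" set dstaddr "FTP-server-VIP" set action accept next end next end'
def statements(text):
    """Split CLI text into (keyword, args) pairs; works for one-line and indented forms."""
    out = []
    for tok in shlex.split(text):
        if tok in KEYWORDS:
            out.append((tok, []))
        elif out:
            out[-1][1].append(tok)
    return out

def parse(text):
    """Return {vdom: {table: {entry: {attr: [values]}}}} from FortiOS-style CLI text."""
    vdoms, path, vdom, entry = {}, [], None, None
    for kw, args in statements(text):
        if kw == "config":
            path.append(" ".join(args))          # e.g. "firewall policy"
        elif kw == "edit" and path[-1] == "vdom":
            vdom = args[0]                       # entering a VDOM scope
            vdoms.setdefault(vdom, {})
        elif kw == "edit":
            entry = vdoms[vdom].setdefault(path[-1], {}).setdefault(args[0], {})
        elif kw == "set":
            entry[args[0]] = args[1:]
        elif kw == "end":
            path.pop()
    return vdoms

def check_policies(vdoms):
    """Objects are per VDOM: report policies whose srcaddr/dstaddr is not an address or VIP of that VDOM."""
    problems = []
    for vd, tables in vdoms.items():
        known = {"all"} | set(tables.get("firewall address", {})) | set(tables.get("firewall vip", {}))
        for pid, pol in tables.get("firewall policy", {}).items():
            for side in ("srcaddr", "dstaddr"):
                for ref in pol.get(side, []):
                    if ref not in known:
                        problems.append(f"{vd} policy {pid}: {side} {ref!r} is not defined in {vd}")
    return problems
```

Running check_policies(parse(PAGE_CLI)) reports nothing, while the CROSS_VDOM_CLI variant reports the VDOM-A policy that names FTP-server-VIP.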