
    Example: Routing Traffic to Vsys Using IP Classification (NSM Procedure)

    When using IP-based classification, you associate a subnet or range of IP addresses with the root or a specific vsys. The root system checks the source and destination IP addresses in IP packet headers to identify the device (root or vsys) to which traffic belongs.

    You configure IP classification at the root level, on the untrust interface, which is shared by default with all vsys. In the device navigation tree of the root system, select Network > Interfaces, and then double-click the untrust interface. In the interface navigation tree, select IP Classification, and then select Enabled. Right-click and select New to display the New IP Classification List, and then configure a subnet or IP address range for the root and/or each vsys.

    In this example, you configure IP-based traffic classification for three virtual systems (vsys1, vsys2, and vsys3). You define the trust-vr as sharable, and then create a shared zone called internal that is bound to the trust-vr (both the internal and untrust zones are in the shared trust-vr routing domain). Within the internal zone, you configure a subnet for each vsys (10.1.1.0/24 for vsys1, 10.1.2.0/24 for vsys2, and 10.1.3.0/24 for vsys3).

    Next, bind the interfaces. Configure ethernet1/1 in the shared internal zone, assign IP address 10.1.0.1/16, and select NAT mode. Configure ethernet1/2 in the shared untrust zone and assign it IP address 210.1.1.1/24. Finally, configure the default gateway in the untrust zone as 210.1.1.250.

    1. Add an ISG2000 security device running ScreenOS 5.2 as the root system, and then configure the network module:
      • Double-click the device to open the device configuration. In the device navigation tree, select Network > Slot.
      • Double-click slot 1 to display the slot configuration dialog box. For Card Type, select 8 Interfaces (10/100).
    2. Click OK to save the slot configuration.
    3. Add the following vsys devices (all use the default virtual router):
      • vsys1
      • vsys2
      • vsys3
    4. In the device navigation tree, select Network > Virtual Routers, and then double-click trust-vr. Ensure that Shared Virtual Router is selected, and then click OK.
    5. In the device navigation tree, select Network > Zones. Click the Add icon and select New Security Zone. In the Zone General Properties, configure the following settings:
      • For Name, enter internal.
      • For Virtual Router, select trust-vr.
      • Select Shared. When selected, the option IP Classification appears in the zone navigation tree.
    6. In the zone navigation tree, select IP Classification, and then configure the following setting:
      • Select Enabled.
    7. Right-click in the IP Classification screen and select New. The New IP Classification list appears. Configure the following settings, and then click OK:
      • For Vsys, select vsys1.
      • Select Subnet.
      • For IP Address and Netmask, enter 10.1.1.0/24.
    8. Right-click in the IP Classification screen and select New. The New IP Classification list appears. Configure the following settings, and then click OK:
      • For Vsys, select vsys2.
      • Select Subnet.
      • For IP Address and Netmask, enter 10.1.2.0/24.
    9. Right-click in the IP Classification screen and select New. The New IP Classification list appears. Configure the following settings, and then click OK:
      • For Vsys, select vsys3.
      • Select Subnet.
      • For IP Address and Netmask, enter 10.1.3.0/24.
    10. In the device navigation tree, select Network > Interfaces.
    11. Double-click ethernet1/1. In the Interface General Properties, configure the following settings, and then click OK:
      • For Zone, select internal.
      • For IP Address and Netmask, enter 10.1.0.1/16.
    12. Double-click ethernet1/2. In the Interface General Properties, configure the following settings, and then click OK:
      • For Zone, select Untrust.
      • For IP Address and Netmask, enter 210.1.1.1/24.
    13. In the device navigation tree, select Network > Virtual Routers, and then double-click trust-vr.
    14. In the virtual router navigation tree, select Routing Table.
    15. In the Destination-based Routing Table area, click the Add icon. Configure the following route, and then click OK:
      • For IP Address and Netmask, enter 0.0.0.0/0.
      • For Next Hop, select Gateway.
      • For Interface, select ethernet1/2.
      • For Gateway IP Address, enter 210.1.1.250.
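    The following Python model of the IP classification table is an added example and is not part of the NSM guide or of ScreenOS. It reproduces the three subnet entries above, shows how a range entry normalises to CIDR blocks, looks up the vsys that owns an address (anything unclassified falls back to root), and checks the table for subnets that two different vsys both claim, which is the misconfiguration that makes classification ambiguous. How a packet whose source and destination map to two different vsys is resolved is an assumption of this model, not documented ScreenOS behaviour.

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
Entry = Tuple[str, List[IPv4Net]]   # (owner: "root" or vsys name, CIDR blocks)


def subnet(vsys: str, cidr: str) -> Entry:
    """Subnet-form entry, as entered in the New IP Classification list."""
    return vsys, [ipaddress.ip_network(cidr, strict=True)]


def ip_range(vsys: str, first: str, last: str) -> Entry:
    """Range-form entry, normalised to the minimal set of CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return vsys, list(nets)


# Constructed table mirroring the example: one /24 per vsys in the shared internal zone.
CLASSIFICATION: List[Entry] = [
    subnet("vsys1", "10.1.1.0/24"),
    subnet("vsys2", "10.1.2.0/24"),
    subnet("vsys3", "10.1.3.0/24"),
]


def lookup(addr: str, table: List[Entry] = CLASSIFICATION) -> str:
    """Return the system that owns addr; unclassified addresses belong to root."""
    ip = ipaddress.ip_address(addr)
    for owner, nets in table:
        if any(ip in n for n in nets):
            return owner
    return "root"


def classify(src: str, dst: str, table: List[Entry] = CLASSIFICATION) -> str:
    """Model of the root system's check on both header addresses (assumed semantics):
    the packet goes to whichever end is classified; two different vsys is an error."""
    s, d = lookup(src, table), lookup(dst, table)
    if s != "root" and d != "root" and s != d:
        raise ValueError(f"ambiguous packet: source in {s}, destination in {d}")
    return s if s != "root" else d


def overlaps(table: List[Entry] = CLASSIFICATION) -> List[Tuple[str, str, IPv4Net, IPv4Net]]:
    """Configuration check: entries of different owners that share addresses."""
    found = []
    for i, (o1, nets1) in enumerate(table):
        for o2, nets2 in table[i + 1:]:
            if o1 == o2:
                continue
            found += [(o1, o2, a, b) for a in nets1 for b in nets2 if a.overlaps(b)]
    return found
```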

    Published: 2013-01-02