FAQ-After NAT Is Configured, How Do I Configure the Device to Prevent PCs with Specified Internal IP Addresses from Accessing the Website

Publication Date:  2015-05-06
Issue Description
After NAT Is Configured, How Do I Configure the Device to Prevent PCs with Specified Internal IP Addresses from Accessing the Website?
Solution
Apply a traffic policy in the inbound direction on the interface that connects to the internal network. The policy discards packets whose source IP address falls in the specified internal network segment and whose destination IP address is the website's address. Because the policy acts on the internal interface before NAT translation takes place, the rule matches the PCs' private addresses rather than the translated public address.

As shown in Figure 1, the IP address of GE0/0/1 (the outbound interface) on the router is 200.100.1.2/24, and the IP address of Eth0/0/1 is 192.168.0.1/24. The peer address on the GE0/0/1 link (the next hop) is 200.100.1.1/24. Intranet users access the Internet through GE0/0/1 using Easy IP.

Figure 1 Easy IP configuration on the outbound interface



The configuration is as follows:

#
sysname Router  //Modify the device name.
#
acl number 2000  //Configure the internal address segment 192.168.0.0/24 that can be translated using NAT.
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface Ethernet0/0/1
ip address 192.168.0.1 255.255.255.0  //Configure the internal gateway address.
#
interface GigabitEthernet0/0/1
ip address 200.100.1.2 255.255.255.0
nat outbound 2000  //Configure Easy IP on GE0/0/1.
#
ip route-static 0.0.0.0 0.0.0.0 200.100.1.1  //Configure a static route.
#

To prevent PCs with IP addresses 192.168.0.16 through 192.168.0.31 from accessing the website at 211.1.1.6, configure the following:

[Router] acl 3000
[Router-acl-adv-3000] rule deny ip destination 211.1.1.6 0.0.0.0 source 192.168.0.16 0.0.0.15
[Router-acl-adv-3000] quit
[Router] traffic classifier c1
[Router-classifier-c1] if-match acl 3000
[Router-classifier-c1] quit
[Router] traffic behavior b1
[Router-behavior-b1] deny
[Router-behavior-b1] quit
[Router] traffic policy p1
[Router-trafficpolicy-p1] classifier c1 behavior b1
[Router-trafficpolicy-p1] quit
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] traffic-policy p1 inbound
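As an added illustration (not part of the original FAQ and not the router's own code), the following Python models the wildcard-mask matching that ACL 3000 relies on and the resulting decision of traffic policy p1 on Ethernet0/0/1 inbound. The ACL rule and the addresses come from the page; range_to_rules is an assumed helper that splits an arbitrary address range into the aligned address/wildcard pairs a rule can express.

```python
import ipaddress
from typing import List, Tuple


def wildcard_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


def range_to_rules(first: str, last: str) -> List[Tuple[str, str]]:
    """Assumed helper: split first..last into aligned blocks, each expressed
    as (address, wildcard). A single rule covers the range only when it is an
    aligned power-of-two block, e.g. 192.168.0.16-31 -> 0.0.0.15."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    rules = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and inside the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        rules.append((str(ipaddress.IPv4Address(lo)),
                      str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return rules


# Constructed model of ACL 3000 from the page: (action, src, src-wc, dst, dst-wc).
ACL_3000 = [("deny", "192.168.0.16", "0.0.0.15", "211.1.1.6", "0.0.0.0")]


def policy_p1_inbound(src: str, dst: str) -> str:
    """Decision of traffic policy p1 on Ethernet0/0/1 inbound. The policy runs
    before 'nat outbound 2000', so src is the PC's private address. A packet
    matching ACL 3000 hits classifier c1 -> behavior b1 (deny); anything else
    is forwarded and translated on GE0/0/1."""
    for action, s, sw, d, dw in ACL_3000:
        if wildcard_matches(src, s, sw) and wildcard_matches(dst, d, dw):
            return action
    return "permit"
```

Because the ACL matches the literal address 211.1.1.6, a website served from several addresses, or one whose address changes, needs the rule updated or extended. Ranges that are not aligned blocks (for example 192.168.0.16 through 192.168.0.40) require several rules, which range_to_rules enumerates.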
