CHAPTER 9: Security Policy Examples
The following illustration shows the internal, private network (with private IP addresses assigned to the three computers) as connected to the Private interface of the Firebox Vclass appliance. This interface has its own IP address, and the Public interface (through which all communications with the external networks are routed) has a separate IP address.
You can meet Westchester's requirements by doing the following:
1  Create two firewall policies with these parameters:

   #  Name       Src      Dst  Srvc  Intrfc  Action  NAT/LB
   1  Allow_ANY  Private  ANY  ANY   0       Pass    DYNAMIC_NAT
   2  Deny_ANY   Public   ANY  ANY   1       Block

2  Have all the users in the private network reconfigure their computers' default gateway to the IP address of the Private interface on the Firebox Vclass appliance.
Note that Dynamic NAT is applicable only to firewall policies for outgoing traffic.
Example 2: Restricting Internet access
Stillbrook Corporation has a branch office similar to that in example 1: it has a limited number of public IP addresses.
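To make the two-policy table from Example 1 concrete, here is an added Python model of how those policies evaluate traffic in table order; it is an illustration written for this page, not Firebox Vclass code. It assumes first-match evaluation, constructed addresses for the private network and the Public interface, and leaves out the Intrfc column, whose numbering this page does not explain.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the illustration; the manual's figure does not give them.
PRIVATE_NET = ip_network("192.168.1.0/24")   # internal network behind the Private interface
PUBLIC_IF = ip_address("203.0.113.10")       # address of the Public interface (NAT source)

@dataclass
class Policy:
    name: str
    src: str                   # Src column: Private, Public or ANY
    dst: str                   # Dst column
    action: str                # Action column: Pass or Block
    nat: Optional[str] = None  # NAT/LB column: DYNAMIC_NAT or empty

# The two policies from the Example 1 table, in table order.
POLICIES = [
    Policy("Allow_ANY", "Private", "ANY", "Pass", "DYNAMIC_NAT"),
    Policy("Deny_ANY", "Public", "ANY", "Block"),
]

def matches(alias: str, addr) -> bool:
    """Interpret the Src/Dst aliases: Private is the internal network, Public is
    everything else, ANY matches any address (an assumption of this model)."""
    if alias == "ANY":
        return True
    if alias == "Private":
        return addr in PRIVATE_NET
    if alias == "Public":
        return addr not in PRIVATE_NET
    raise ValueError(f"unknown alias {alias!r}")

def evaluate(src: str, dst: str):
    """Return (policy name, action, source address after NAT) for the first policy
    that matches, evaluated in table order (assumed first-match semantics).
    Dynamic NAT rewrites the private source to the Public interface address, which
    is why it only makes sense on a Pass policy for outgoing traffic."""
    s, d = ip_address(src), ip_address(dst)
    for p in POLICIES:
        if matches(p.src, s) and matches(p.dst, d):
            translated = PUBLIC_IF if p.action == "Pass" and p.nat == "DYNAMIC_NAT" else s
            return p.name, p.action, str(translated)
    return "no-match", "Block", src   # assumed: anything unmatched is dropped

if __name__ == "__main__":
    print(evaluate("192.168.1.20", "198.51.100.5"))  # outbound: Pass, source NATed
    print(evaluate("198.51.100.5", "192.168.1.20"))  # inbound from Public: Block
```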