Mitel® 5000 Installation Manual – Issue 3.0, October 2008 (Specifications, Appendix B: Network IP Topology, page B-33)
• These commands define the policy for the interface to the private (trusted) network. A
policy-class can reference more than one access list. Because this interface faces the trusted
network, the policy allows everything that originates there. The "nat" commands define the
behavior of outbound NAT: if the packet comes from the Mitel CS-5200/5400/5600 (the hosts in
access list OutIT5KMain), its source address is translated to the dedicated public address
208.13.17.2. The second NAT command applies PAT for every other internal node (access list
PrivateHosts), translating them to 208.13.17.33, the address of the public interface, so their
source ports may be rewritten as well.
ip policy-class Private
allow list self self
nat source list OutIT5KMain address 208.13.17.2 overload
nat source list PrivateHosts address 208.13.17.33 overload
!
• The following commands define the policy for the interface to the public (untrusted)
network. In the Public policy-class, only the ports required by ITP endpoints, as defined in
access list InIT5KMain, are translated to the inside address of the CS. Traffic that matches
no entry in the policy-class is discarded by the firewall, so translating these ports is
also what allows them; no other unsolicited inbound traffic reaches the private network.
ip policy-class Public
nat destination list InIT5KMain address 192.168.1.2
!
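The two policy-classes above, modelled as an added Python example. This is not Mitel's or the router vendor's code and does not appear in the manual; it only reproduces the behavior the text describes so the two directions can be compared on sample packets. On the private side, the CS (192.168.1.2, the inside address implied by the "nat destination" line) is translated to 208.13.17.2 and every other private host is port-address-translated behind 208.13.17.33; on the public side, only packets matching InIT5KMain are translated to 192.168.1.2 and everything else is discarded. The contents of OutIT5KMain, PrivateHosts and InIT5KMain, the router's inside address, and the sample packets are constructed assumptions; the ITP port ranges are placeholders, not the ports the manual documents elsewhere. The model covers unsolicited inbound traffic only; replies to sessions opened from the inside are matched to existing firewall associations and are not represented.

```python
"""Model of the Private and Public policy-classes (added example; constructed data)."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    proto: str                 # "ip" matches both tcp and udp
    src: str                   # CIDR, or "any"
    dst: str                   # CIDR, or "any"
    dports: Optional[range]    # None = any destination port


CS_PRIVATE = "192.168.1.2"      # CS address on the private network (from the nat destination line)
CS_PUBLIC = "208.13.17.2"       # public address reserved for the CS
ROUTER_PUBLIC = "208.13.17.33"  # public interface address, used for PAT of the other hosts
ROUTER_PRIVATE = "192.168.1.1"  # ASSUMPTION: the unit's own address on the private VLAN

# ASSUMPTION: constructed access lists. The manual defines the real ones elsewhere;
# the ITP port ranges below are placeholders, not Mitel's documented ports.
ACLS = {
    "OutIT5KMain": [AclEntry("ip", CS_PRIVATE + "/32", "any", None)],
    "PrivateHosts": [AclEntry("ip", "192.168.1.0/24", "any", None)],
    "InIT5KMain": [
        AclEntry("tcp", "any", CS_PUBLIC + "/32", range(3998, 4000)),
        AclEntry("udp", "any", CS_PUBLIC + "/32", range(6004, 6014)),
    ],
}


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def acl_match(entries: list, pkt: Packet) -> bool:
    """A packet matches the list if any permit entry matches it."""
    return any(
        e.proto in ("ip", pkt.proto)
        and _net_match(e.src, pkt.src)
        and _net_match(e.dst, pkt.dst)
        and (e.dports is None or pkt.dport in e.dports)
        for e in entries
    )


# PAT state for 'overload': (inside src, sport) -> translated source port (deterministic here).
_pat_table: dict = {}


def _pat_port(pkt: Packet) -> int:
    key = (pkt.src, pkt.sport)
    _pat_table.setdefault(key, 1024 + len(_pat_table))
    return _pat_table[key]


def private_policy(pkt: Packet) -> Optional[Packet]:
    """ip policy-class Private, applied to traffic entering from the trusted network.
    Returns the packet as it leaves the public interface, or None if discarded."""
    # 'allow list self self': traffic addressed to the unit itself is allowed, untranslated.
    if pkt.dst in (ROUTER_PRIVATE, ROUTER_PUBLIC):
        return pkt
    # 'nat source list OutIT5KMain address 208.13.17.2 overload': the CS gets its own public address.
    if acl_match(ACLS["OutIT5KMain"], pkt):
        return replace(pkt, src=CS_PUBLIC)
    # 'nat source list PrivateHosts address 208.13.17.33 overload': everyone else is PATed
    # behind the public interface address, so the source port may change.
    if acl_match(ACLS["PrivateHosts"], pkt):
        return replace(pkt, src=ROUTER_PUBLIC, sport=_pat_port(pkt))
    return None  # no entry matched: the firewall discards it


def public_policy(pkt: Packet) -> Optional[Packet]:
    """ip policy-class Public, applied to unsolicited traffic from the untrusted network.
    Only what 'nat destination list InIT5KMain address 192.168.1.2' matches is translated;
    the matching nat entry is also the permit, so everything else is discarded."""
    if acl_match(ACLS["InIT5KMain"], pkt):
        return replace(pkt, dst=CS_PRIVATE)
    return None


def demo() -> dict:
    """Constructed sample packets (not captured traffic) run through the two policies."""
    cases = {
        "cs_outbound":    (private_policy, Packet("tcp", CS_PRIVATE, 3998, "198.51.100.10", 3998)),
        "pc_outbound":    (private_policy, Packet("tcp", "192.168.1.50", 40000, "198.51.100.10", 443)),
        "itp_inbound":    (public_policy, Packet("tcp", "198.51.100.10", 50000, CS_PUBLIC, 3998)),
        "itp_wrong_port": (public_policy, Packet("tcp", "198.51.100.10", 50001, CS_PUBLIC, 23)),
        "itp_wrong_addr": (public_policy, Packet("tcp", "198.51.100.10", 50002, ROUTER_PUBLIC, 3998)),
    }
    return {name: policy(pkt) for name, (policy, pkt) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {'DROP' if result is None else result}")
```

Running the script shows the asymmetry the two bullets describe: both private-side packets leave with a public source address, while on the public side only the packet aimed at 208.13.17.2 on a listed ITP port is forwarded to 192.168.1.2; a listed port on the wrong public address, or a non-listed port on the right address, is dropped.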
Non-NATed DMZ Configuration
The following examples illustrate the configuration for ITP endpoints and Private Networking.
• The following commands define the VLANs within the switch. Separate VLANs are required so
that the unit can route between the LAN and the DMZ and apply firewall policy to that traffic.
vlan 1
name "Default"
vlan 2
name "DMZ"
!
• The following commands assign Ethernet switch ports to specific VLANs. In this example, the
first two ports (eth 0/1 and eth 0/2) are placed in the DMZ VLAN (VLAN 2).
interface eth 0/1
no shutdown
switchport access vlan 2
!
interface eth 0/2
no shutdown
switchport access vlan 2
!
• The following commands place ports in the default VLAN (VLAN 1). This example shows two
ports (eth 0/3 and eth 0/4).
interface eth 0/3
no shutdown
switchport access vlan 1
!
interface eth 0/4
no shutdown
switchport access vlan 1
!