No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
Huawei Firewall Security Policy Essentials
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
How to Configure Security Policies to Allow Source NAT

How to Configure Security Policies to Allow Source NAT

Source NAT includes NAT involving only source address translation (NAT No-PAT) and NAT involving both source IP address translation and source port translation (NAPT, smart NAT, easy IP, and 3-tuple NAT). The methods for configuring NAT policies are the same regardless of the source NAT type. The only difference is the source NAT address pool.

Source NAT policies and security policies have similar configuration logic. Table 10-1 describes the comparison between source NAT policies and security policies. The matching conditions of both the source NAT policy and security policy are the characteristics of the original data packets for which NAT has not been performed.

Table 10-1 Comparison between a source NAT policy and a security policy

Item

Source NAT Policy

Security Policy

Source security zone

Source security zone of traffic

Source security zone of traffic

Destination security zone

Destination security zone of traffic or outbound interface of traffic

Destination security zone of traffic, that is, the security zone where the outbound interface of the traffic resides

Source address

Source IP address of traffic (before NAT)

Source IP address of traffic (before NAT)

Destination address

Destination IP address of traffic

Destination IP address of traffic

Service

Service type of traffic

Service type of traffic

Action

Specify the source address pool (post-NAT address) or outbound interface.

Permit

For example, the private network segment 10.1.1.0/24 accesses the Internet (the destination address is uncertain) through NAT. The corresponding source NAT policy and security policy are configured as follows.

Table 10-2 Source NAT policy and security policy examples

Source NAT Policy

Security Policy

 
nat-policy  
  rule name SNAT_for_Internet 
    source-zone trust 
    destination-zone untrust  
    source-address 10.1.1.0 24   
    action source-nat address-group Public_Address
 
security-policy   
  rule name Policy_for_Internet  
    source-zone trust 
    destination-zone untrust 
    source-address 10.1.1.0 24  
    action permit

For 3-tuple NAT, you also need to enable the endpoint-independent filtering function. 3-tuple NAT is mainly used for services initiated by external devices, such as P2P-based voice communication and video transmission. After the endpoint-independent filtering function is enabled, the access requests initiated by an external device are forwarded based on the server mapping table, and security policy check is not performed. If this function is not enabled, you need to configure a reverse security policy from the public network to the private network. By default, the endpoint-independent filtering function is enabled.

[sysname] firewall endpoint-independent filter enable
Translation
简体中文
Download
Updated: 2023-04-06

Document ID: EDOC1100172313

Views: 124679

Downloads: 564

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :