How to Configure Security Policies to Allow Destination NAT
Based on the configuration mode, destination NAT can be classified into NAT policy-based destination NAT, ACL-based destination NAT, and NAT Server.
NAT Policy-based Destination NAT
The matching conditions of the destination NAT policy are the characteristics of the original data packets before NAT. The destination IP address and service in the matching conditions of the security policy are the destination IP address and port number after NAT. In addition, you cannot specify a destination security zone in a destination NAT policy.
Table 10-3 describes the comparison between a destination NAT policy and a security policy.

| Item | Destination NAT Policy | Security Policy |
|---|---|---|
| Source security zone | Source security zone of traffic, which is often the security zone where the public network is located. | Source security zone of traffic, which is often the security zone where the public network is located. |
| Destination security zone | N/A | Destination security zone of traffic, which is the security zone where the device that provides external services is located. |
| Source address | Source IP address of traffic | Source IP address of traffic |
| Destination address | Destination IP address of traffic (before NAT) | Destination IP address of traffic (after NAT) |
| Service | Service type of traffic (service or port number before NAT) | Service type of traffic (port number after NAT) |
| Action | Specify the destination address pool (post-NAT address) and port number after NAT. | Permit |
For example, the enterprise intranet server at 10.1.1.1 provides web services for external systems, and the external service address is 192.0.2.1. The destination NAT policy and security policy are configured as follows.

Destination NAT policy:

```
nat-policy
 rule name DNAT_for_HTTP_Server
  source-zone untrust
  destination-address 192.0.2.1 mask 32
  service http
  action destination-nat static address-to-port address-group HTTP_Server 8080
#
destination-nat address-group HTTP_Server 1
 section 10.1.1.1 10.1.1.1
```

Security policy:

```
security-policy
 rule name Policy_for_HTTP
  source-zone untrust
  destination-zone dmz
  destination-address 10.1.1.1 32    //Post-NAT IP address, which is within the NAT address pool.
  service protocol tcp source-port 0 to 65535 destination-port 8080    //Post-NAT port number, which is the same as the port number specified in the action of the NAT policy.
  action permit
```
ACL-based Destination NAT
ACL-based destination NAT uses an ACL to define the traffic whose destination address and port number need to be translated, and associates the ACL with the IP address and port number after NAT in the source security zone of the traffic. Therefore, the ACL and security zone are equivalent to the matching conditions in the NAT policy.
The following uses destination NAT [192.0.2.1:80-->203.0.113.1:8080] as an example to describe the configuration.
```
acl number 3000
 rule 5 permit tcp destination 192.0.2.1 0 destination-port eq 80    //Specify the service flow that requires translation.
#
firewall zone trust    //Enter the source security zone view of the service flow.
 destination-nat 3000 address 203.0.113.1 port 8080    //Specify the IP address and port number after NAT for the service flow that comes from the Trust zone and matches ACL 3000.
```
The corresponding security policy is configured as follows:
```
security-policy
 rule name Policy_for_ACL3000
  source-zone trust
  destination-zone untrust
  destination-address 203.0.113.1 32    //IP address after NAT.
  service protocol tcp source-port 0 to 65535 destination-port 8080    //Port number after NAT.
  action permit
```
NAT Server
NAT Server uses one command to specify all information about address translation. The following uses the enterprise intranet server at 10.1.1.1 as an example to describe how to configure NAT Server. In this example, the external service address is 192.0.2.1.
```
nat server Web_Server zone untrust protocol tcp global 192.0.2.1 80 inside 10.1.1.1 8080 unr-route
```
In the preceding command, zone indicates that only users from a specified security zone can access the web service, global specifies the public IP address and port number before NAT, and inside specifies the private IP address and port number after NAT.
```
security-policy
 rule name Policy_for_WebServer
  source-zone untrust    //Specified by the zone parameter.
  destination-zone dmz
  destination-address 10.1.1.1 32    //IP address after NAT, which is specified by the inside parameter.
  service protocol tcp source-port 0 to 65535 destination-port 8080    //Port number after NAT, which is specified by the inside parameter.
  action permit
```
You can also run the public-ip destination match enable command to enable the public IP address matching function. The firewall uses the public IP address of the server to match the destination IP address of the security policy.
In this case, the security policy configuration is as follows:
```
security-policy
 rule name Policy_for_WebServer
  source-zone untrust    //Specified by the zone parameter.
  destination-zone dmz
  destination-address 192.0.2.1 32    //IP address before NAT, which is specified by the global parameter.
  service protocol tcp source-port 0 to 65535 destination-port 80    //Port number before NAT, which is specified by the global parameter.
  action permit
```
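The following Python model is an added example, not part of the original page or the vendor's software: it reproduces the order of operations the page describes (destination NAT first, then security policy lookup on the post-NAT tuple, or on the pre-NAT tuple when public-ip destination matching is enabled) using the Web_Server mapping above, so that a security rule can be checked for the common mistake of naming the pre-NAT address while the firewall matches on the post-NAT one. The destination zone "dmz", the packet, and the class and function names are assumptions; the same check applies to the NAT policy and ACL-based modes, since they translate the destination before the security policy is consulted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class NatServer:
    # nat server <name> zone <zone> protocol <proto> global <ip> <port> inside <ip> <port>
    zone: str
    proto: str
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int

@dataclass(frozen=True)
class SecurityRule:
    # security-policy rule: source-zone, destination-zone, destination-address, destination-port
    name: str
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int

def apply_dnat(pkt, servers):
    """Rewrite the destination when a NAT Server mapping matches the pre-NAT packet."""
    for s in servers:
        if (pkt.src_zone, pkt.proto, pkt.dst_ip, pkt.dst_port) == (s.zone, s.proto, s.global_ip, s.global_port):
            return Packet(pkt.src_zone, s.inside_ip, s.inside_port, pkt.proto)
    return pkt  # no mapping: destination is left untouched

def first_match(pre, post, dst_zone, rules, public_ip_match=False):
    """Name of the first matching security rule, or 'default-deny'. By default the post-NAT
    destination is matched; with public-ip destination match enable the pre-NAT one is."""
    probe = pre if public_ip_match else post
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_ip, r.dst_port) == (probe.src_zone, dst_zone, probe.dst_ip, probe.dst_port):
            return r.name
    return "default-deny"

def check_web_server(rule, public_ip_match=False):
    """Run the page's Web_Server mapping against a constructed client request from untrust."""
    servers = [NatServer("untrust", "tcp", "192.0.2.1", 80, "10.1.1.1", 8080)]
    pre = Packet("untrust", "192.0.2.1", 80)  # constructed pre-NAT packet (assumption)
    return first_match(pre, apply_dnat(pre, servers), "dmz", [rule], public_ip_match)
```

A rule written as 192.0.2.1:80 only matches once public-ip destination matching is enabled; with the default behaviour it silently falls through to the default deny.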