HiSecEngine USG6000F Typical Configuration Examples

CLI: Example for Configuring Bidirectional NAT (Source NAT + Dynamic Destination NAT) for Internet Users to Access Intranet Servers

Networking Requirements

An enterprise has deployed DeviceA as a security gateway at the intranet border. Dynamic destination NAT needs to be configured on DeviceA so that requests from a large number of Internet users are spread across multiple intranet servers rather than all landing on one server. In addition to the public IP address of the WAN interface on DeviceA, the enterprise has obtained another public IP address (1.1.10.10) from the ISP, which intranet servers use to provide services to Internet users. A source NAT policy is also required so that intranet servers send their response packets back to DeviceA, removing the need to configure return routes on the intranet servers. Figure 15-40 shows the network diagram, in which the router is the access gateway provided by the ISP.

Figure 15-40 Network diagram of bidirectional NAT (source NAT + dynamic destination NAT) allowing Internet users to access intranet servers

In this example, interfaces 1 and 2 represent GE 0/0/1 and GE 0/0/2, respectively.


Item                          Data                            Description
----------------------------  ------------------------------  ----------------------------------------------------------------
GE0/0/1                       IP address: 1.1.1.1/24          1.1.1.1/24 is a public address provided by the ISP.
                              Security zone: Untrust
GE0/0/2                       IP address: 10.2.0.1/24         Intranet servers use 10.2.0.1 as the default gateway address.
                              Security zone: DMZ
Source NAT address pool       10.10.10.10 to 10.10.10.15      -
Destination NAT address pool  10.2.0.7 to 10.2.0.8            -
Default route                 Destination address: 0.0.0.0    Configure a default route to the Internet on DeviceA to enable it
                              Next-hop address: 1.1.1.254     to forward traffic from intranet servers to the ISP router.

Configuration Roadmap

  1. Configure IP addresses for interfaces and add them to security zones, enabling network connectivity.
  2. Configure a security policy so that Internet users can access intranet servers.
  3. Configure a destination NAT policy to translate the destination addresses of packets sent from Internet users to intranet servers into addresses in the destination NAT address pool.
  4. Configure a source NAT policy to translate the source addresses of packets sent from Internet users to intranet servers into addresses in the source NAT address pool.
  5. Configure a default route on DeviceA to enable it to forward traffic from intranet servers to the ISP router.
  6. Configure a static route to the public address of intranet servers on the ISP router.

Procedure

  1. Configure IP addresses for interfaces and add them to security zones, enabling network connectivity.

    # Configure an IP address for GE 0/0/1.

    <HUAWEI> system-view
    [HUAWEI] sysname DeviceA
    [DeviceA] interface ge 0/0/1
    [DeviceA-GE0/0/1] ip address 1.1.1.1 24
    [DeviceA-GE0/0/1] quit

    # Configure an IP address for GE 0/0/2.

    [DeviceA] interface ge 0/0/2
    [DeviceA-GE0/0/2] ip address 10.2.0.1 24
    [DeviceA-GE0/0/2] quit

    # Add GE 0/0/1 to the Untrust zone.

    [DeviceA] firewall zone untrust
    [DeviceA-zone-untrust] add interface ge 0/0/1
    [DeviceA-zone-untrust] quit

    # Add GE 0/0/2 to the DMZ zone.

    [DeviceA] firewall zone dmz
    [DeviceA-zone-dmz] add interface ge 0/0/2
    [DeviceA-zone-dmz] quit

  2. Configure a security policy so that Internet users can access intranet servers.

    [DeviceA] security-policy
    [DeviceA-policy-security] rule name policy1
    [DeviceA-policy-security-rule-policy1] source-zone untrust
    [DeviceA-policy-security-rule-policy1] destination-zone dmz
    [DeviceA-policy-security-rule-policy1] destination-address 10.2.0.0 24
    [DeviceA-policy-security-rule-policy1] action permit
    [DeviceA-policy-security-rule-policy1] quit
    [DeviceA-policy-security] quit

  3. Configure a source NAT address pool.

    [DeviceA] nat address-group addressgroup1
    [DeviceA-address-group-addressgroup1] mode pat
    [DeviceA-address-group-addressgroup1] section 0 10.10.10.10 10.10.10.15
    [DeviceA-address-group-addressgroup1] route enable
    [DeviceA-address-group-addressgroup1] quit

  4. Configure a destination NAT address pool.

    [DeviceA] destination-nat address-group addressgroup2
    [DeviceA-dnat-address-group-addressgroup2] section 10.2.0.7 10.2.0.8
    [DeviceA-dnat-address-group-addressgroup2] quit

  5. Configure a NAT policy.

    [DeviceA] nat-policy
    [DeviceA-policy-nat] rule name policy_nat1
    [DeviceA-policy-nat-rule-policy_nat1] source-zone untrust
    [DeviceA-policy-nat-rule-policy_nat1] destination-address 1.1.10.10 32
    [DeviceA-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
    [DeviceA-policy-nat-rule-policy_nat1] action destination-nat address-group addressgroup2
    [DeviceA-policy-nat-rule-policy_nat1] quit
    [DeviceA-policy-nat] quit

  6. Configure a blackhole route to the public address of intranet servers to prevent routing loops.

    [DeviceA] ip route-static 1.1.10.10 255.255.255.255 NULL0 

  7. Enable the NAT ALG function for FTP.

    [DeviceA] firewall interzone dmz untrust
    [DeviceA-interzone-dmz-untrust] detect ftp
    [DeviceA-interzone-dmz-untrust] quit

  8. Configure a default route on DeviceA to enable it to forward traffic from intranet servers to the ISP router.

    [DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

  9. On the ISP router, configure a static route to the public address (1.1.10.10) of intranet servers, with the next-hop address set to 1.1.1.1. The ISP router can then forward traffic destined for the intranet servers to DeviceA.

    Contact the ISP network administrator to perform this step.

Verifying the Configuration

  1. Verify that Internet users can access intranet servers.
  2. Run the display firewall session table command on DeviceA to check for the session entries with the destination addresses being the public addresses of intranet servers. If such an entry is found and the post-NAT IP address is an IP address in the NAT address pool, the NAT policy has been configured successfully. In the command output, the post-NAT IP address and port number are enclosed in square brackets ([ ]).
    <DeviceA> display firewall session table
    Current Total Sessions : 2
     http  VPN:public --> public  1.1.1.9:2474[10.10.10.11:2674]-->1.1.10.10:8080[10.2.0.7:80]
     http  VPN:public --> public  1.1.1.25:3685[10.10.10.12:3625]-->1.1.10.10:9748[10.2.0.8:8542]
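
The verification in step 2 can be automated. The following added example (not part of this Huawei document) parses the session-table lines shown above and confirms that, for every session to 1.1.10.10, the bracketed post-NAT source lies in addressgroup1 and the post-NAT destination lies in addressgroup2; it also checks that policy1 covers the destination NAT pool, because the USG matches the security policy against the post-destination-NAT address. The address pools, policy network and sample lines are those of this example; the session-line layout is assumed to be exactly the one printed in the verification step.

```python
import ipaddress
import re

# Address planning taken from this example's table.
SOURCE_NAT_POOL = ("10.10.10.10", "10.10.10.15")   # addressgroup1
DEST_NAT_POOL = ("10.2.0.7", "10.2.0.8")           # addressgroup2
PUBLIC_SERVER_ADDR = ipaddress.ip_address("1.1.10.10")
SECURITY_POLICY_DST = ipaddress.ip_network("10.2.0.0/24")  # policy1 destination-address

# One session line: proto  VPN:x --> y  src:port[post-NAT src:port]-->dst:port[post-NAT dst:port]
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\S+\s+-->\s+\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<nsrc>[\d.]+):(?P<nsport>\d+)\]"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\[(?P<ndst>[\d.]+):(?P<ndport>\d+)\]\s*$"
)

def in_pool(addr, pool):
    """True if addr lies within the inclusive address range pool."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= addr <= hi

def check_session(line):
    """Return (ok, detail) for a session to the published address, else None."""
    m = SESSION_RE.match(line)
    if not m or ipaddress.ip_address(m["dst"]) != PUBLIC_SERVER_ADDR:
        return None  # header line, or a session not aimed at 1.1.10.10
    nsrc, ndst = ipaddress.ip_address(m["nsrc"]), ipaddress.ip_address(m["ndst"])
    if not in_pool(nsrc, SOURCE_NAT_POOL):
        return (False, f"post-NAT source {nsrc} outside addressgroup1")
    if not in_pool(ndst, DEST_NAT_POOL):
        return (False, f"post-NAT destination {ndst} outside addressgroup2")
    return (True, f"{m['src']} -> {nsrc}, {m['dst']}:{m['dport']} -> {ndst}:{m['ndport']}")

def check_session_table(output):
    """Apply check_session to every line; returns the non-None results in order."""
    return [r for r in map(check_session, output.splitlines()) if r is not None]

def security_policy_covers_dnat_pool():
    """policy1 must match the post-NAT (private) server addresses, since the USG
    applies the security policy after destination NAT; 1.1.10.10 would not match."""
    lo, hi = (int(ipaddress.ip_address(p)) for p in DEST_NAT_POOL)
    return all(ipaddress.ip_address(i) in SECURITY_POLICY_DST for i in range(lo, hi + 1))

# Session lines copied from the verification step of this example.
SAMPLE_OUTPUT = """\
Current Total Sessions : 2
 http  VPN:public --> public  1.1.1.9:2474[10.10.10.11:2674]-->1.1.10.10:8080[10.2.0.7:80]
 http  VPN:public --> public  1.1.1.25:3685[10.10.10.12:3625]-->1.1.10.10:9748[10.2.0.8:8542]
"""
```

Paste the real `display firewall session table` output into `check_session_table` instead of SAMPLE_OUTPUT; any (False, ...) entry points at a post-NAT address that is not in the expected pool.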

Configuration Scripts

#
 sysname DeviceA
#
interface GE0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GE0/0/2
 ip address 10.2.0.1 255.255.255.0 
#
firewall zone untrust
 set priority 5
 add interface GE0/0/1
#
firewall zone dmz
 set priority 50
 add interface GE0/0/2
# 
firewall interzone dmz untrust 
 detect ftp 
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 
 ip route-static 1.1.10.10 255.255.255.255 NULL0 
# 
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 10.10.10.10 10.10.10.15 
# 
destination-nat address-group addressgroup2 0
 section 10.2.0.7 10.2.0.8 
#  
security-policy   
 rule name policy1  
  source-zone untrust 
  destination-zone dmz 
  destination-address 10.2.0.0 24 
  action permit 
#  
nat-policy  
 rule name policy_nat1 
  source-zone untrust 
  destination-address 1.1.10.10 32   
  action source-nat address-group addressgroup1  
  action destination-nat address-group addressgroup2
# 
return
Update Date:2024-07-17
Document ID:EDOC1100387632