
CLI: Example for Configuring Source NAT for IPv6 Intranet Users to Access the Internet

Networking Requirements

The FW serves as a security gateway at the border of a studio network. A source NAT policy must be configured on the FW so that users on the intranet can access the Internet without exposing their intranet IPv6 addresses. Figure 1 shows the network environment. The router is the access gateway provided by the ISP.

Figure 1 Networking of the source NAT policy

Data Planning

| Item | Data | Description |
|---|---|---|
| GigabitEthernet 0/0/1 | IP address: FD01:0203:0405::5678/48; Security zone: Trust | Configure the IP address of GigabitEthernet 0/0/1 as the default gateway for intranet hosts. |
| GigabitEthernet 0/0/2 | IP address: 2001:0DB8:0506::1234/48; Security zone: Untrust | Set the parameters according to the requirements of the ISP. |
| Source network segment that is allowed to access the Internet | FD01:0203:0405::/48 | - |
| Source address segment after translation | 2001:0DB8:0001::/48 | - |
| Route: default route of the FW | Destination address: 0:0::0:0; Next hop: 2001:0DB8:0506::5678/48 | To ensure that traffic from the intranet can be forwarded to the ISP router, configure a default route destined for the Internet on the FW. |
| Route: router static route | Destination address: address after source NAT; Next hop: IP address of GigabitEthernet 0/0/2 | To ensure that traffic returned from the Internet can be forwarded to the FW, manually configure static routes on the router. In most cases, you have to contact the ISP network administrator to configure the static routes. |

Configuration Roadmap

  1. Configure interface IP addresses and assign the interfaces to security zones.
  2. Configure a security policy to allow packet exchange between a specified intranet and the Internet.
  3. Configure a source NAT policy for Internet access from the specified intranet segment.
  4. Configure a default route on the FW, so that traffic from the intranet can be forwarded to the ISP router.
  5. Configure the default gateway on each host on the intranet, so that the hosts send traffic to the FW when they access the Internet.
  6. Configure static routes on the router, so that the router forwards return traffic from the Internet to the FW.

Procedure

  1. Enable the IPv6 packet forwarding function.

    [FW] ipv6

  2. Configure interface IP addresses and assign the interfaces to security zones.

    # Configure the IP address of GigabitEthernet 0/0/1.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet 0/0/1] ipv6 enable
    [FW-GigabitEthernet 0/0/1] ipv6 address FD01:0203:0405::5678 48
    [FW-GigabitEthernet 0/0/1] quit

    # Configure the IP address of GigabitEthernet 0/0/2.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet 0/0/2] ipv6 enable
    [FW-GigabitEthernet 0/0/2] ipv6 address 2001:0DB8:0506::1234 48
    [FW-GigabitEthernet 0/0/2] quit

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-zone-trust] quit

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] quit

  3. Configure a security policy to allow packet exchange between a specified intranet segment and the Internet.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone untrust
    [FW-policy-security-rule-policy1] source-address FD01:0203:0405:: 48
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] quit

  4. Configure a source NAT policy for Internet access from the specified intranet segment.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat1
    [FW-policy-nat-rule-policy_nat1] nat-type nat66
    [FW-policy-nat-rule-policy_nat1] source-zone trust
    [FW-policy-nat-rule-policy_nat1] destination-zone untrust
    [FW-policy-nat-rule-policy_nat1] source-address FD01:0203:0405:: 48
    [FW-policy-nat-rule-policy_nat1] action source-nat static 2001:0DB8:0001:: 48
    [FW-policy-nat-rule-policy_nat1] quit
    [FW-policy-nat] quit

  5. Configure black-hole routes destined for the post-translation source addresses to prevent routing loops: without them, a packet from the Internet addressed to a translated address that matches no session would follow the default route back to the ISP router, which would forward it to the FW again. The following uses the source address of the host after translation as an example of how to configure a black-hole route.

    [FW] ipv6 route-static 2001:0DB8:0001::1234 48 NULL 0

  6. Configure a default route on the FW, so that traffic from the intranet can be forwarded to the ISP router.

    [FW] ipv6 route-static 0:0::0:0 0 2001:0DB8:0506::5678

  7. Configure the default gateway on each host on the intranet, so that the hosts send traffic to the FW when they access the Internet.
  8. Configure static routes on the router, so that the router forwards return traffic from the Internet to the FW.

    Contact the ISP network administrator to perform this step.
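To make the decision path of steps 2 to 6 concrete (zone membership, the security policy, static NAT66 translation and the routing table including the black-hole route), here is an added Python model of the FW's handling of the first packet of a flow. It is not Huawei's code and not part of the original page. It assumes that static NAT66 replaces the matched 48-bit prefix and keeps the host bits, it has no session table (so return traffic for an established session is not modelled), and the host address FD01:0203:0405::10 and the Internet address 2001:DB8:7777::1 are constructed for the demonstration.

```python
"""Model of the page's NAT66 example: zones, security policy, static source NAT
and routing. Constructed illustration, not Huawei's implementation; static NAT66
is assumed to replace the /48 prefix and keep the host bits."""
import ipaddress

IPv6Network = ipaddress.IPv6Network
IPv6Address = ipaddress.IPv6Address

# Interface-to-zone mapping from the data plan; NULL0 is the black-hole interface.
INTERFACE_ZONE = {
    "GigabitEthernet0/0/1": "trust",
    "GigabitEthernet0/0/2": "untrust",
    "NULL0": None,
}

# Routing table: (prefix, egress interface, next hop). The first two entries are
# the connected routes of the interface addresses; the last two are the static
# routes of steps 5 (black hole) and 6 (default route).
ROUTES = [
    (IPv6Network("FD01:0203:0405::/48"), "GigabitEthernet0/0/1", None),
    (IPv6Network("2001:0DB8:0506::/48"), "GigabitEthernet0/0/2", None),
    (IPv6Network("2001:0DB8:0001::1234/48", strict=False), "NULL0", None),
    (IPv6Network("::/0"), "GigabitEthernet0/0/2", IPv6Address("2001:0DB8:0506::5678")),
]

# Security policy of step 3: no destination-address means "any"; default is deny.
SECURITY_POLICY = [{
    "name": "policy1", "source_zone": "trust", "destination_zone": "untrust",
    "source_address": IPv6Network("FD01:0203:0405::/48"), "action": "permit",
}]

# NAT policy of step 4: static NAT66 from the intranet /48 to the public /48.
NAT_POLICY = [{
    "name": "policy_nat1", "source_zone": "trust", "destination_zone": "untrust",
    "source_address": IPv6Network("FD01:0203:0405::/48"),
    "translated": IPv6Network("2001:0DB8:0001::/48"),
}]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns (egress interface, next hop)."""
    dst = IPv6Address(dst)
    matches = [r for r in ROUTES if dst in r[0]]          # ::/0 always matches
    _prefix, iface, nexthop = max(matches, key=lambda r: r[0].prefixlen)
    return iface, nexthop


def static_nat66(src, rule):
    """Replace the matched prefix with the translated prefix, keeping host bits
    (assumed behaviour of 'action source-nat static')."""
    src = IPv6Address(src)
    host_bits = 128 - rule["translated"].prefixlen
    host_part = int(src) & ((1 << host_bits) - 1)
    return IPv6Address(int(rule["translated"].network_address) | host_part)


def _matches(rule, src, src_zone, dst_zone):
    return (rule["source_zone"] == src_zone and rule["destination_zone"] == dst_zone
            and src in rule["source_address"])


def process_flow(src, dst, ingress):
    """Decide what the FW does with the first packet of a flow arriving on
    'ingress': drop (black hole), deny (no permitting rule) or permit, with the
    translated source address when a NAT rule matches."""
    src, dst = IPv6Address(src), IPv6Address(dst)
    egress, _ = route_lookup(dst)
    if egress == "NULL0":
        return {"action": "drop", "egress": egress, "translated_source": None}
    src_zone, dst_zone = INTERFACE_ZONE[ingress], INTERFACE_ZONE[egress]
    permitted = any(r["action"] == "permit" and _matches(r, src, src_zone, dst_zone)
                    for r in SECURITY_POLICY)
    if not permitted:  # implicit default deny
        return {"action": "deny", "egress": egress, "translated_source": None}
    translated = next((static_nat66(src, r) for r in NAT_POLICY
                       if _matches(r, src, src_zone, dst_zone)), src)
    return {"action": "permit", "egress": egress, "translated_source": translated}


def blackhole_covers_translated_prefix():
    """Sanity check for step 5: every translated prefix has a NULL0 route, so
    unsolicited packets to translated addresses are discarded, not looped."""
    null_routes = [p for p, iface, _ in ROUTES if iface == "NULL0"]
    return all(any(r["translated"].subnet_of(p) for p in null_routes) for r in NAT_POLICY)


if __name__ == "__main__":
    # Intranet host to the Internet: permitted, source rewritten to 2001:db8:1::10.
    print(process_flow("FD01:0203:0405::10", "2001:DB8:7777::1", "GigabitEthernet0/0/1"))
    # Host outside the allowed /48: no rule matches, default deny.
    print(process_flow("FD01:0203:0406::10", "2001:DB8:7777::1", "GigabitEthernet0/0/1"))
    # Unsolicited packet from the Internet to a translated address: black hole.
    print(process_flow("2001:DB8:7777::1", "2001:DB8:1::10", "GigabitEthernet0/0/2"))
    print(blackhole_covers_translated_prefix())
```

The third call shows why step 5 matters: a packet for 2001:DB8:1::10 that matches no session is discarded on NULL0 instead of being sent back over the default route. Remove the NULL0 entry from ROUTES and the same lookup returns GigabitEthernet0/0/2, which is the loop the page warns about.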

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 ipv6
#
interface GigabitEthernet0/0/1
 undo shutdown
 ipv6 enable
 ipv6 address FD01:0203:0405::5678 48
#
interface GigabitEthernet0/0/2
 undo shutdown
 ipv6 enable
 ipv6 address 2001:0DB8:0506::1234 48
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ipv6 route-static 0:0::0:0 0 2001:0DB8:0506::5678
 ipv6 route-static 2001:0DB8:0001::1234 48 NULL 0
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address FD01:0203:0405:: 48
  action permit
#
nat-policy
 rule name policy_nat1
  nat-type nat66
  source-zone trust
  destination-zone untrust
  source-address FD01:0203:0405:: 48
  action source-nat static 2001:0DB8:0001:: 48
#
return
Copyright © Huawei Technologies Co., Ltd.