This section provides an example for configuring NAT Server for Internet users to access intranet servers.
An enterprise has deployed a FW as a security gateway on the intranet border. NAT Server is configured on the FW for the intranet web and File Transfer Protocol (FTP) servers to provide services for Internet users. The enterprise is allocated a public address 1.1.1.10 by an Internet service provider (ISP). Public address 1.1.1.10 is mapped to the intranet server addresses. Figure 1 illustrates the static mapping networking. The router is an access gateway on the ISP network.
| Item | Data | Description |
|---|---|---|
| GigabitEthernet 0/0/1 | IP address: 1.1.1.1/24<br>Security zone: Untrust | 1.1.1.1/24 is a public address provided by the ISP. |
| GigabitEthernet 0/0/2 | IP address: 10.2.0.1/24<br>Security zone: DMZ | Intranet servers use 10.2.0.1 as the default gateway address. |
| NAT Server | Name: policy_web<br>Public IP address: 1.1.1.10<br>Private IP address: 10.2.0.7<br>Public port: 8080<br>Private port: 80 | When Internet users send traffic to 1.1.1.10 through port 8080, the FW forwards the traffic to the web server based on this mapping entry. On the web server, the private address is 10.2.0.7 and the private port number is 80. |
| NAT Server | Name: policy_ftp<br>Public IP address: 1.1.1.10<br>Private IP address: 10.2.0.8<br>Public port: 21<br>Private port: 21 | When Internet users send traffic to 1.1.1.10 through port 21, the FW forwards the traffic to the FTP server based on this mapping entry. On the FTP server, the private address is 10.2.0.8 and the private port number is 21. |
| Routing information (default route) | Destination address: 0.0.0.0<br>Next hop address: 1.1.1.254 | Configure a default route on the FW pointing to the ISP router so that intranet traffic destined for the Internet is sent to the router. |
The configuration procedure on the FW is as follows:
# Assign an IP address to GigabitEthernet 0/0/1.
```
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit
```
# Assign an IP address to GigabitEthernet 0/0/2.
```
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit
```
# Add GigabitEthernet 0/0/1 to the Untrust zone.
```
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit
```
# Add GigabitEthernet 0/0/2 to the DMZ zone.
```
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit
```
# Configure a security policy that allows Internet users (Untrust zone) to access the intranet servers (DMZ zone). The destination address is the private server segment, not the public address 1.1.1.10.
```
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit
```
# Configure NAT Server mapping entries for the web server (public port 8080 to private port 80) and the FTP server (port 21 to port 21).
```
[FW] nat server policy_web protocol tcp global 1.1.1.10 8080 inside 10.2.0.7 www unr-route
[FW] nat server policy_ftp protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp unr-route
```
If the global address configured for NAT Server and the WAN interface address are on different network segments, a blackhole route for the global address is required to prevent a routing loop between the FW and the ISP router. If they are on the same network segment, as 1.1.1.10 and 1.1.1.1/24 are in this example, a blackhole route is still recommended. If the global address of NAT Server is the same as the WAN interface address, no routing loop can occur and no blackhole route is required.
# Enable FTP detection (detect ftp) in the DMZ-Untrust interzone so that the FW tracks FTP control connections and permits the associated data connections.
```
[FW] firewall interzone dmz untrust
[FW-interzone-dmz-untrust] detect ftp
[FW-interzone-dmz-untrust] quit
```
# Configure a default route to the ISP router.
```
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
```
The remaining step is performed on the ISP router: contact your ISP administrator to perform it.
Configuration script for the FW:
```
#
 sysname FW
#
nat server policy_web protocol tcp global 1.1.1.10 8080 inside 10.2.0.7 www unr-route
nat server policy_ftp protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp unr-route
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
 rule name policy1
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
#
return
```
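To make the inbound packet flow of this configuration concrete, the following Python model is an added example (not Huawei's code or part of this page): the NAT Server table is consulted first, and the security policy is then matched against the translated private destination address, which is consistent with policy1 naming 10.2.0.0/24 rather than 1.1.1.10. The mapping entries, the policy rule and the routes are taken from the configuration script above; the zone lookup, the function names and the tuple-based result format are the example's own assumptions.

```python
import ipaddress

# NAT Server entries copied from the page's configuration script.
# Fields: name, protocol, global address, global port, inside address, inside port.
NAT_SERVER = [
    ("policy_web", "tcp", "1.1.1.10", 8080, "10.2.0.7", 80),
    ("policy_ftp", "tcp", "1.1.1.10", 21,   "10.2.0.8", 21),
]
# Security policy rule policy1. Fields: name, source zone, destination zone, destination network, action.
SECURITY_POLICY = [
    ("policy1", "untrust", "dmz", ipaddress.ip_network("10.2.0.0/24"), "permit"),
]
# FW route table; the destination zone is the zone of the egress interface (assumed lookup).
ROUTES = [
    (ipaddress.ip_network("10.2.0.0/24"), "dmz"),      # connected via GigabitEthernet0/0/2
    (ipaddress.ip_network("0.0.0.0/0"),   "untrust"),  # default route via 1.1.1.254
]

def nat_server_lookup(proto, dst_ip, dst_port):
    """Return (name, inside_ip, inside_port) of the matching mapping entry, or None."""
    for name, p, gip, gport, iip, iport in NAT_SERVER:
        if p == proto and gip == dst_ip and gport == dst_port:
            return name, iip, iport
    return None

def egress_zone(ip):
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def forward(proto, src_zone, dst_ip, dst_port):
    """Model an inbound packet arriving from src_zone (the zone of the ingress interface).
    Returns (action, reason_or_rule, destination ip, destination port) after processing."""
    hit = nat_server_lookup(proto, dst_ip, dst_port)
    if hit is None:
        # No mapping entry: the packet is never translated, so no server receives it,
        # even though policy1 permits the whole 10.2.0.0/24 segment.
        return ("drop", "no NAT Server entry", dst_ip, dst_port)
    _, in_ip, in_port = hit
    dst_zone = egress_zone(in_ip)
    for name, sz, dz, net, action in SECURITY_POLICY:
        if sz == src_zone and dz == dst_zone and ipaddress.ip_address(in_ip) in net:
            return (action, name, in_ip, in_port)
    return ("drop", "default deny", in_ip, in_port)
```

Running `forward("tcp", "untrust", "1.1.1.10", 8080)` yields the web server at 10.2.0.7:80 permitted by policy1, while port 80 on 1.1.1.10 is dropped because only 8080 is mapped.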