CLI: Example for Configuring NAT Server for Internet Users to Access Servers on an Intranet with Two Egresses in the Same Security Zone

This section provides an example for configuring NAT Server for Internet users to access servers on an intranet with two egresses in the same security zone.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway that connects to the Internet over two ISP networks. To enable intranet FTP servers to provide services to Internet users, configure NAT Server with no-reverse specified on the FW. In addition to public interface IP addresses, the intranet has applied for IP address 1.1.1.10 from ISP1 and 2.2.2.10 from ISP2 for intranet servers to provide services to Internet users. Figure 1 shows the networking. The routers are the access gateways provided by ISP1 and ISP2.

Figure 1 Networking diagram for configuring NAT Server on an intranet with two egresses in the same security zone

Data Planning

Item	Data	Description
GigabitEthernet 0/0/1	IP address: 1.1.1.1/24 Security zone: Untrust	Obtain the public IP address from the ISP.
GigabitEthernet 0/0/7	IP address: 2.2.2.2/24 Security zone: Untrust	Obtain the public IP address from the ISP.
GigabitEthernet 0/0/2	IP address: 10.2.0.1/24 Security zone: DMZ	-
NAT Server	Name: policy_ftp1 Public IP address: 1.1.1.10 Private IP address: 10.2.0.8 Public port: 21 Private port: 21	When Internet users send traffic to 1.1.1.10, the FW can forward the traffic to the FTP server based on this mapping entry.
NAT Server	Name: policy_ftp2 Public IP address: 2.2.2.10 Private IP address: 10.2.0.8 Public port: 21 Private port: 21	When Internet users send traffic to 2.2.2.10, the FW can forward the traffic to the FTP server based on this mapping entry.

Configuration Roadmap

The configuration roadmap is as follows:

Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
Configure a security policy for traffic between Internet users and intranet servers.
Configure NAT Server.
On the GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7, configure sticky load balancing and default gateway.

Make clear the incoming interface of the traffic that may have different forward and return paths based on the configured routes and then configure the sticky load balancing function.
Configure static routes destined for public addresses of intranet servers on the router.

Procedure

Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

# Assign an IP address to GigabitEthernet 0/0/1.

<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit

# Assign an IP address to GigabitEthernet 0/0/2.

[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit

# Assign an IP address to GigabitEthernet 0/0/7.

[FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet 0/0/7] ip address 2.2.2.2 24
[FW-GigabitEthernet 0/0/7] quit

# Add GigabitEthernet 0/0/2 to the DMZ zone.

[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit

# Add GigabitEthernet 0/0/1 to the untrust zone.

[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit

# Add GigabitEthernet 0/0/7 to the untrust zone.

[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/7
[FW-zone-untrust] quit

Configure a security policy for traffic between Internet users and intranet servers.

[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit

Configure NAT Server.

[FW] nat server policy_ftp1 protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp no-reverse unr-route
[FW] nat server policy_ftp2 protocol tcp global 2.2.2.10 ftp inside 10.2.0.8 ftp no-reverse unr-route

Enable NAT ALG for FTP.

[FW] firewall interzone dmz untrust
[FW-interzone-dmz-untrust] detect ftp
[FW-interzone-dmz-untrust] quit

Configure the sticky load balancing function and default gateway.

[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] redirect-reverse next-hop 1.1.1.254
[FW-GigabitEthernet 0/0/1] gateway 1.1.1.254
[FW-GigabitEthernet 0/0/1] quit
[FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet 0/0/7] redirect-reverse next-hop 2.2.2.254
[FW-GigabitEthernet 0/0/7] gateway 2.2.2.254
[FW-GigabitEthernet 0/0/7] quit

On the router, configure a static route.
Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 nat server policy_ftp1 protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp no-reverse unr-route
 nat server policy_ftp2 protocol tcp global 2.2.2.10 ftp inside 10.2.0.8 ftp no-reverse unr-route
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
 gateway 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/7
 undo shutdown
 ip address 2.2.2.2 255.255.255.0 
 redirect-reverse next-hop 2.2.2.254
 gateway 2.2.2.254
 #
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
# 
firewall interzone dmz untrust 
 detect ftp 
#  
security-policy   
  rule name policy1
    source-zone untrust 
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
# 
return