< Home

Web: Example for Configuring NAPT and NAT Server for Internet Users to Access Intranet Servers

This section provides an example for configuring NAPT and NAT Server for Internet users to access intranet servers.

Networking Requirements

An enterprise has deployed a FW as a security gateway on the intranet border. Static mapping is configured on the FW for the intranet web and File Transfer Protocol (FTP) servers to provide services for Internet users. The enterprise is allocated a public address 1.1.1.10 by an Internet service provider (ISP). Public address 1.1.1.10 is mapped to the intranet server addresses. In addition, a source NAT policy is required to simplify the return route configuration for the intranet servers, so that the intranet servers send response packets to the FW by default. Figure 1 illustrates the static mapping networking. The router is an access gateway on the ISP network.

Figure 1 NAT Server and source NAT networking

Data Planning

Item

Data

Description

GigabitEthernet 0/0/1

IP address: 1.1.1.1/24

Security zone: untrust

1.1.1.1/24 is a public address provided by the ISP.

GigabitEthernet 0/0/2

IP address: 10.2.0.1/24

Security zone: dmz

Intranet servers use 10.2.0.1 as the default gateway address.

NAT Server

Name: policy_web

Public IP address: 1.1.1.10

Private IP address: 10.2.0.7

Public port: 8080

Private port: 80

When Internet users send traffic to 1.1.1.10 through port 8080, the FW can forward the traffic to the web server based on this mapping entry.

On the web server, the private address is 10.2.0.7, and the private port number is 80.

Name: policy_ftp

Public IP address: 1.1.1.10

Private IP address: 10.2.0.8

Public port: 21

Private port: 21

When Internet users send traffic to 1.1.1.10 through port 21, the FW can forward the traffic to the FTP server based on this mapping entry.

On the FTP server, the private address is 10.2.0.8, and the private port number is 21.

NAT address pool

10.2.0.10-10.2.0.15

-

Routing information

Default route

Destination address: 0.0.0.0

Next hop address: 1.1.1.254

Configure a default route defined for the ISP router on the FW to direct intranet traffic to the router.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy for traffic between Internet users and intranet servers.
  3. Configure NAT Server. Configure two server mapping entries, one for the web server and the other for the FTP server.
  4. Configure a source NAT policy to translate the source addresses of packets accessing intranet servers into addresses in the NAT address pool.
  5. Configure a default route on the FW to direct intranet traffic to the ISP router.
  6. Configure static routes destined for public addresses of intranet servers on the router.

Procedure

  1. Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet 0/0/1 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click of GigabitEthernet 0/0/1 and set the parameters as follows:

        Zone

        untrust

        IPv4

        IP Address

        1.1.1.1/24

      3. Click OK.

    2. Set the IP address of GigabitEthernet 0/0/2 and assign the interface to a security zone.

      1. In Interface List, click of GigabitEthernet 0/0/2 and set the parameters as follows:

        Zone

        dmz

        IPv4

        IP Address

        10.2.0.1/24

      2. Click OK.

  2. Configure a security policy for traffic between Internet users and intranet servers.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click Add, select Add Security Policy, and configure a security policy based on the following parameter values.

      Name

      policy1

      Source Zone

      untrust

      Destination Zone

      dmz

      Destination Address/Region

      10.2.0.0/24

      Action

      Permit

    3. Click OK.

  3. Configure a NAT address pool and a NAT policy.

    1. Choose Policy > NAT Policy > NAT Policy > Source Translation Address Pool.

    2. In Source Translation Address Pool List, click Add and configure a NAT address pool based on the following parameters.

    3. Click OK.

    4. Choose Policy > NAT Policy > NAT Policy.

    5. In Source NAT Policy List, click Add and configure a NAT policy based on the following parameter values.

    6. Click OK.

  4. Configure NAT Server. Configure two server mapping entries, one for the web server and the other for the FTP server.
    1. Choose Policy > NAT Policy > Server Mapping.

    2. Click Add and set the following parameters for a server mapping policy named policy_web used for directing traffic to the web server.

    3. Click OK.
    4. Repeat the preceding substeps and set the following parameters for another server mapping policy named policy_ftp used for directing traffic to the FTP server.

  5. Enable NAT ALG for FTP.
    1. Choose Policy > ASPF Configuration.

    2. Select FTP.
  6. Configure a default route on the FW, so that traffic from intranet servers can be forwarded to the ISP router.
    1. Choose Network > Route > Static Route.
    2. In Static Route List, click Add and configure a default route based on the following parameter values.

      Protocol

      IPv4

      Destination Address/Mask

      0.0.0.0/0.0.0.0

      Next Hop

      1.1.1.254

    3. Click OK.
  7. On the router, configure a static route, in which the destination address is 1.1.1.10 and the next-hop address is 1.1.1.1. The router directs traffic destined for 1.1.1.10 to the FW based on the static route so that the FW can forward the traffic to the intranet server.

    Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 nat server policy_web protocol tcp global 1.1.1.10 8080 inside 10.2.0.7 www unr-route
 nat server policy_ftp protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp unr-route
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
# 
firewall interzone dmz untrust 
 detect ftp 
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 
# 
nat address-group addressgroup1 0
 mode pat
 section 0 10.2.0.10 10.2.0.15 
 route enable
#  
security-policy   
  rule name policy1  
    source-zone untrust 
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
#  
nat-policy  
  rule name policy_nat1 
    source-zone untrust 
    destination-zone dmz  
    destination-address range 10.2.0.7 10.2.0.8   
    service http
    service ftp
    action source-nat address-group addressgroup1  
# 
return
Parent Topic: Configuration NAT Server
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >