
Web: Example for Configuring NAT Server for Internet Users to Access Servers on an Intranet with Two Egresses in the Same Security Zone

This section provides an example for configuring NAT Server for Internet users to access servers on an intranet with two egresses in the same security zone.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway that connects to the Internet over two ISP networks. To enable intranet FTP servers to provide services to Internet users, configure NAT Server with no-reverse specified on the FW. In addition to public interface IP addresses, the intranet has applied for IP address 1.1.1.10 from ISP1 and 2.2.2.10 from ISP2 for intranet servers to provide services to Internet users. Figure 1 shows the networking. The routers are the access gateways provided by ISP1 and ISP2.

Figure 1 Networking diagram for configuring NAT Server on an intranet with two egresses in the same security zone

Data Planning

Item: GigabitEthernet 0/0/1
  Data: IP address 1.1.1.1/24; security zone untrust
  Description: Obtain the public IP address from the ISP.

Item: GigabitEthernet 0/0/7
  Data: IP address 2.2.2.2/24; security zone untrust
  Description: Obtain the public IP address from the ISP.

Item: GigabitEthernet 0/0/2
  Data: IP address 10.2.0.1/24; security zone dmz
  Description: -

Item: NAT Server
  Data: Name policy_ftp1; public IP address 1.1.1.10; private IP address 10.2.0.8; public port 21; private port 21
  Description: When Internet users send traffic to 1.1.1.10, the FW can forward the traffic to the FTP server based on this mapping entry.

  Data: Name policy_ftp2; public IP address 2.2.2.10; private IP address 10.2.0.8; public port 21; private port 21
  Description: When Internet users send traffic to 2.2.2.10, the FW can forward the traffic to the FTP server based on this mapping entry.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy for traffic between Internet users and intranet servers.
  3. Configure NAT Server.
  4. On GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7, configure sticky load balancing and the default gateway.

    Identify the inbound interface of the traffic whose forward and return paths may differ under the configured routes, and then configure the sticky load balancing function on that interface.

  5. Configure static routes destined for public addresses of intranet servers on the router.

Procedure

  1. Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet 0/0/2 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click on the line of GigabitEthernet 0/0/2 and set the following parameters.

        Zone: dmz
        IPv4 IP Address: 10.2.0.1/24

      3. Click OK.

    2. Set the IP address of GigabitEthernet 0/0/1 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click on the line of GigabitEthernet 0/0/1 and set the following parameters.

        Zone: untrust
        IPv4 IP Address: 1.1.1.1/24

      3. Click OK.

    3. Set the IP address of GigabitEthernet 0/0/7 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click on the line of GigabitEthernet 0/0/7 and set the following parameters.

        Zone: untrust
        IPv4 IP Address: 2.2.2.2/24

      3. Click OK.

  2. Configure a security policy for traffic between Internet users and intranet servers.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click Add, select Add Security Policy, and configure a security policy based on the following parameter values.

      Name: policy1
      Source Zone: untrust
      Destination Zone: dmz
      Destination Address/Region: 10.2.0.0/24
      Action: Permit

    3. Click OK.

  3. Configure NAT Server.
    1. Choose Policy > NAT Policy > Server Mapping.

    2. Click Add and configure the server mapping policy_ftp1 with the values listed in Data Planning: public IP address 1.1.1.10, private IP address 10.2.0.8, public port 21, private port 21, protocol TCP, with no-reverse enabled (this corresponds to the first nat server command in Configuration Scripts).

    3. Click OK.
    4. Repeat the preceding steps to configure the second server mapping, policy_ftp2, with public IP address 2.2.2.10 and the same private IP address, ports, protocol and no-reverse setting.

    5. Click OK.
  4. Enable NAT ALG for FTP.
    1. Choose Policy > ASPF Configuration.

    2. Select FTP.
  5. Configure the sticky load balancing function and default gateway.
    1. Choose Network > Interface.
    2. In Interface List, click on the line of GigabitEthernet 0/0/1 and set the default gateway to 1.1.1.254 and the sticky load balancing next hop (redirect-reverse next-hop) to 1.1.1.254, matching the interface commands in Configuration Scripts.

    3. Repeat the preceding steps to configure GigabitEthernet 0/0/7 with the default gateway and sticky load balancing next hop 2.2.2.254.
  6. On the router, configure a static route.

    Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 nat server policy_ftp1 protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp no-reverse unr-route
 nat server policy_ftp2 protocol tcp global 2.2.2.10 ftp inside 10.2.0.8 ftp no-reverse unr-route
#
interface GigabitEthernet0/0/1
 undo shutdown
 gateway 1.1.1.254
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 undo shutdown
 gateway 2.2.2.254
 ip address 2.2.2.2 255.255.255.0
 redirect-reverse next-hop 2.2.2.254
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
firewall interzone dmz untrust
 detect ftp
#
security-policy
  rule name policy1
    source-zone untrust
    destination-zone dmz
    destination-address 10.2.0.0 24
    action permit
#
return
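The following is an added example, not Huawei code and not part of this page's configuration: a small Python model of the forwarding decisions described in the Configuration Roadmap and the script above, namely NAT Server translation checked against policy1, the no-reverse behaviour for traffic the FTP server initiates, and the redirect-reverse next hop that keeps a reply on the ISP link its request arrived on. The client addresses, the session table and the assumption that the FW's ordinary default route prefers ISP1 are constructed for illustration.

```python
import ipaddress

# Constructed model of the FW in this example (not Huawei code). The two server
# mappings are the nat server entries; both are no-reverse, so they never translate
# traffic that the FTP server itself initiates.
SERVER_MAPPINGS = {("1.1.1.10", 21): ("10.2.0.8", 21), ("2.2.2.10", 21): ("10.2.0.8", 21)}
# redirect-reverse next-hop per untrust interface (sticky load balancing)
REDIRECT_REVERSE = {"GigabitEthernet0/0/1": "1.1.1.254", "GigabitEthernet0/0/7": "2.2.2.254"}
# Assumed ordinary default route (without sticky load balancing replies follow it)
DEFAULT_ROUTE = ("GigabitEthernet0/0/1", "1.1.1.254")
DMZ_NET = ipaddress.ip_network("10.2.0.0/24")  # destination address of policy1


class Firewall:
    def __init__(self, sticky=True):
        self.sticky = sticky
        # (client ip, client port, private ip, private port) -> (public ip, public port, in_if)
        self.sessions = {}

    def inbound(self, in_if, src, sport, dst, dport):
        """Internet -> intranet. Returns the translated destination, or None if not forwarded."""
        target = SERVER_MAPPINGS.get((dst, dport))
        if target is None:
            return None  # no mapping: nothing is forwarded into the DMZ
        priv_ip, priv_port = target
        # policy1 (untrust -> dmz, 10.2.0.0/24) is matched against the post-NAT destination
        if ipaddress.ip_address(priv_ip) not in DMZ_NET:
            return None
        self.sessions[(src, sport, priv_ip, priv_port)] = (dst, dport, in_if)
        return priv_ip, priv_port

    def outbound(self, src, sport, dst, dport):
        """Intranet -> Internet. Returns (source ip, source port, egress interface, next hop)."""
        sess = self.sessions.get((dst, dport, src, sport))
        if sess is None:
            # Server-initiated traffic: no-reverse means neither mapping rewrites the
            # source, and the packet simply follows the default route.
            return (src, sport) + DEFAULT_ROUTE
        pub_ip, pub_port, in_if = sess
        if self.sticky:
            return pub_ip, pub_port, in_if, REDIRECT_REVERSE[in_if]
        return (pub_ip, pub_port) + DEFAULT_ROUTE


def reply_path(sticky):
    """Constructed client 203.0.113.5 reaches the server via ISP2; show where the reply leaves."""
    fw = Firewall(sticky=sticky)
    fw.inbound("GigabitEthernet0/0/7", "203.0.113.5", 40000, "2.2.2.10", 21)
    return fw.outbound("10.2.0.8", 21, "203.0.113.5", 40000)
```

With sticky load balancing the reply carries source 2.2.2.10 and leaves through GigabitEthernet0/0/7 towards 2.2.2.254; without it the same reply leaves through ISP1, which is the asymmetric path the roadmap warns about.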
Copyright © Huawei Technologies Co., Ltd.