< Home

Web: Example for Configuring Internet Users of Different ISPs to Access the Same Public IP address of a Server on a Dual-Egress Intranet (Sticky Load Balancing)

This section provides an example for configuring internet users of different ISPs to access the same public IP address of a server on a dual-egress intranet in the case of sticky load balancing.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway that connects to the Internet over two ISP networks. The intranet FTP server applies a public IP address (1.1.1.10) only from ISP1 to provide services for Internet users. Internet users on ISP1 and ISP2 networks must use this public IP address to access the FTP server.

Figure 1 Networking diagram for configuring NAT Server on a dual-egress intranet in the case of sticky load balancing

Data Planning

Item

Data

Description

GigabitEthernet 0/0/1

IP address: 1.1.1.1/24

Security zone: untrust1

Obtain the public IP address from the ISP.

GigabitEthernet 0/0/7

IP address: 2.2.2.2/24

Security zone: untrust2

Obtain the public IP address from the ISP.

GigabitEthernet 0/0/2

IP address: 10.2.0.1/24

Security zone: dmz

-

NAT Server

Name: policy_ftp

Public IP address: 1.1.1.10

Private IP address: 10.2.0.8

Public port: 21

Private port: 21

When Internet users send traffic to 1.1.1.10 through port 21, the FW can forward the traffic to the FTP server based on this mapping entry.

Configuration Roadmap

  1. Configure NAT Server for Internet users to access the intranet FTP server using a public IP address.

  2. On the GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7, configure sticky load balancing and default gateway.

    Make clear the incoming interface of the traffic that may have different forward and return paths based on the configured routes and then configure the sticky load balancing function.

Procedure

  1. Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet 0/0/2 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click of GigabitEthernet 0/0/2 and set the parameters as follows:

        Zone

        dmz

        IPv4

        IP Address

        10.2.0.1/24

      3. Click OK.

    2. Set the IP address of GigabitEthernet 0/0/1 and assign the interface to a security zone.

      1. Choose Network > Zone.

      2. Click Add and create security zone untrust1 based on the following parameter values.

        Zone Name

        untrust1

        Priority

        10

      3. Click OK.

      4. Choose Network > Interface.

      5. In Interface List, click on the line of GigabitEthernet 0/0/1 and set the following parameters.

        Zone

        untrust1

        IPv4

        IP Address

        1.1.1.1/24

      6. Click OK.

    3. Set the IP address of GigabitEthernet 0/0/7 and assign the interface to a security zone.

      1. Choose Network > Zone.

      2. Click Add and create security zone untrust2 based on the following parameter values.

        Zone Name

        untrust2

        Priority

        20

      3. Click OK.

      4. Choose Network > Interface.

      5. In Interface List, click on the line of GE0/0/7 and set the following parameters.

        Zone

        untrust2

        IPv4

        IP Address

        2.2.2.2/24

      6. Click OK.

  2. Configure a security policy for traffic between Internet users and intranet servers.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click Add, select Add Security Policy, and configure a security policy based on the following parameter values.

      Name

      policy1

      Source Zone

      untrust1 and untrust2

      Destination Zone

      dmz

      Destination Address/Region

      10.2.0.0/24

      Action

      Permit

    3. Click OK.

  3. Configure NAT Server.
    1. Choose Policy > NAT Policy > Server Mapping.

    2. Click Add and configure a server mapping based on the following parameter values.

    3. Click OK.
  4. Enable NAT ALG for FTP.
    1. Choose Policy > ASPF Configuration.

    2. Select FTP.
  5. Configure the sticky load balancing function and default gateway.
    1. Choose Network > Interface.
    2. In Interface List, click of GigabitEthernet 0/0/1 and set the parameters as follows:

    3. Repeat the preceding steps to configure GE0/0/7.
  6. On the router, configure a static route.

    Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 nat server policy_ftp protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp no-reverse unr-route
#
interface GigabitEthernet0/0/1
 undo shutdown
 gateway 1.1.1.254
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/7
 undo shutdown
 gateway 2.2.2.254
 ip address 2.2.2.2 255.255.255.0 
 redirect-reverse next-hop 2.2.2.254
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone name untrust1 id 4
 set priority 10
 add interface GigabitEthernet0/0/1
#
firewall zone name untrust2 id 5
 set priority 20
 add interface GigabitEthernet0/0/7
# 
firewall interzone dmz untrust1 
 detect ftp 
#  
security-policy   
  rule name policy1
    source-zone untrust1 
    source-zone untrust2
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
# 
return
Parent Topic: Configuration NAT Server
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >