
Web: Example for Configuring NAT Policy for Internet Users to Access Servers on an Intranet with Two Egresses in Different Security Zones

This section provides an example of configuring a NAT policy so that Internet users can access servers on an intranet that has two egresses in different security zones.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway, connecting to the Internet over two ISP networks. To let the intranet FTP server provide services to Internet users, configure a NAT policy on the FW. In addition to the public interface IP addresses, the enterprise has obtained public IP address 1.1.10.10 from ISP1 and 2.2.20.10 from ISP2 for the intranet server to provide services to Internet users. The routers are the access gateways provided by ISP1 and ISP2.

Figure 1 Networking diagram for configuring NAT policy on an intranet with two egresses in different security zones

Data Planning

Item: GigabitEthernet 0/0/1
  Data: IP address 1.1.1.1/24; security zone untrust1
  Description: Set the parameters according to the requirements of the ISP.

Item: GigabitEthernet 0/0/7
  Data: IP address 2.2.2.2/24; security zone untrust2
  Description: Set the parameters according to the requirements of the ISP.

Item: GigabitEthernet 0/0/2
  Data: IP address 10.2.0.1/24; security zone dmz
  Description: -

Item: NAT policy
  Data: Policy name policy1; source zone untrust1; public address 1.1.10.10; destination address pool 10.2.0.8
  Description: The NAT policy translates the destination address 1.1.10.10 of traffic arriving from untrust1 to 10.2.0.8 so that the traffic reaches the intranet FTP server.

  Data: Policy name policy2; source zone untrust2; public address 2.2.20.10; destination address pool 10.2.0.8
  Description: The NAT policy translates the destination address 2.2.20.10 of traffic arriving from untrust2 to 10.2.0.8 so that the traffic reaches the intranet FTP server.

Configuration Roadmap

  1. Set interface IP addresses and assign the interfaces to security zones.
  2. Configure a security policy to allow Internet users to access the intranet server.
  3. Configure a NAT policy.
  4. Configure sticky load balancing and the default gateway on GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7.

    Identify the incoming interface of traffic whose forward and return paths may differ under the configured routes, and enable sticky load balancing on that interface so that reply traffic leaves through the interface on which the request arrived.

  5. On the routers, configure static routes to the public address.

Procedure

  1. Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
    1. Set an IP address for GigabitEthernet 0/0/2 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click the edit icon on the line of GigabitEthernet 0/0/2 and set the following parameters.

        Security Zone: dmz

        IPv4 > IP Address: 10.2.0.1/24

      3. Click OK.

    2. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to a security zone.

      1. Choose Network > Zone.

      2. Click Add and create security zone untrust1 with the following parameter values.

        Name: untrust1

        Priority: 10

      3. Click OK.

      4. Choose Network > Interface.

      5. In Interface List, click the edit icon on the line of GigabitEthernet 0/0/1 and set the following parameters.

        Security Zone: untrust1

        IPv4 > IP Address: 1.1.1.1/24

      6. Click OK.

    3. Set an IP address for GigabitEthernet 0/0/7 and assign the interface to a security zone.

      1. Choose Network > Zone.

      2. Click Add and create security zone untrust2 with the following parameter values.

        Name: untrust2

        Priority: 20

      3. Click OK.

      4. Choose Network > Interface.

      5. In Interface List, click the edit icon on the line of GigabitEthernet 0/0/7 and set the following parameters.

        Security Zone: untrust2

        IPv4 > IP Address: 2.2.2.2/24

      6. Click OK.

  2. Configure a security policy to allow Internet users to access the intranet server.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click Add and choose Add Security Policy. Set the following parameters to configure the security policy.

      Name: policy1

      Source Zone: untrust1, untrust2

      Destination Zone: dmz

      Destination Address/Region: 10.2.0.0/24

      Action: Permit

    3. Click OK.

  3. Configure a NAT address pool and NAT policy.

    1. Choose Policy > NAT Policy > NAT Policy > Destination Translation Address Pool.

    2. In Destination Translation Address Pool List, click Add and configure the NAT address pool with the value planned in Data Planning (destination address pool 10.2.0.8; the configuration script names the pool addressgroup1).

    3. Click OK.

    4. Choose Policy > NAT Policy > NAT Policy.

    5. In NAT Policy List, click Add and configure policy1 with the values planned in Data Planning (source zone untrust1, public address 1.1.10.10, destination address pool 10.2.0.8).

    6. Click OK.

    7. Repeat the preceding substeps to configure policy2 (source zone untrust2, public address 2.2.20.10, destination address pool 10.2.0.8).

    8. Click OK.

  4. Configure blackhole routes on the FW to prevent route loops.
    1. Choose Network > Router > Static Route.
    2. In Static Route List, click Add and set the following parameters.

      Protocol Type: IPv4

      Destination IP Address/Mask: 1.1.10.10/255.255.255.0

      Next Hop: NULL0

    3. Repeat the preceding substeps to configure the second blackhole route with the following parameter values.

      Protocol Type: IPv4

      Destination IP Address/Mask: 2.2.20.10/255.255.255.0

      Next Hop: NULL0

    4. Click OK.
  5. Enable NAT ALG for FTP.
    1. Choose Policy > ASPF Configuration.

    2. Select FTP.
  6. Configure sticky load balancing and the default gateway.
    1. Choose Network > Interface.
    2. In Interface List, click the edit icon on the line of GigabitEthernet 0/0/1 and set the sticky load balancing and gateway parameters (the configuration script shows the resulting values: reverse next hop 1.1.1.254 and gateway 1.1.1.254).

    3. Repeat the preceding step to configure GigabitEthernet 0/0/7 (reverse next hop 2.2.2.254 and gateway 2.2.2.254).
  7. On the routers, configure static routes to the public addresses of the intranet server so that traffic to the server is sent to the FW.

    Contact the ISP's network administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 ip route-static 1.1.10.10 255.255.255.255 NULL0
 ip route-static 2.2.20.10 255.255.255.255 NULL0 
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
 gateway 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/7
 undo shutdown
 ip address 2.2.2.2 255.255.255.0 
 redirect-reverse next-hop 2.2.2.254
 gateway 2.2.2.254
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone name untrust1 id 4
 set priority 10
 add interface GigabitEthernet0/0/1
#
firewall zone name untrust2 id 5
 set priority 20
 add interface GigabitEthernet0/0/7
# 
firewall interzone dmz untrust1 
 detect ftp 
# 
firewall interzone dmz untrust2 
 detect ftp 
#
destination-nat address-group addressgroup1
 section 10.2.0.8 10.2.0.8
#
nat-policy
 rule name policy1
  source-zone untrust1
  destination-address 1.1.10.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
 rule name policy2
  source-zone untrust2
  destination-address 2.2.20.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
#  
security-policy   
  rule name policy1
    source-zone untrust1 
    source-zone untrust2
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
# 
return
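As an added illustration that is not part of the original example or Huawei code, the following Python model replays the FW decisions encoded in the script above for an inbound packet: the zone-scoped destination-NAT rule, the security-policy match on the post-NAT destination, the NULL0 blackhole for a public address that nothing translates, and the reverse next hop chosen by sticky load balancing. Modelling "service ftp" as TCP port 21 and applying NAT before the security-policy lookup are assumptions of the model.

```python
import ipaddress

# Constructed model of the FW configuration script (not Huawei code).
ZONE_OF_IFACE = {"GigabitEthernet0/0/1": "untrust1", "GigabitEthernet0/0/7": "untrust2"}
# redirect-reverse next-hop: a reply leaves via the interface the request arrived on,
# towards that ISP's router, instead of following whichever default route wins.
REVERSE_NEXT_HOP = {"GigabitEthernet0/0/1": "1.1.1.254", "GigabitEthernet0/0/7": "2.2.2.254"}
FTP = 21  # assumption: "service ftp" matched as TCP/21
# nat-policy rules: (rule name, source zone, public address, service port, private address)
NAT_RULES = [
    ("policy1", "untrust1", "1.1.10.10", FTP, "10.2.0.8"),
    ("policy2", "untrust2", "2.2.20.10", FTP, "10.2.0.8"),
]
DMZ_NET = ipaddress.ip_network("10.2.0.0/24")  # reached via GigabitEthernet0/0/2 (zone dmz)
# security-policy policy1: source zones untrust1/untrust2, destination zone dmz, 10.2.0.0/24
SECURITY_RULE = ({"untrust1", "untrust2"}, "dmz", DMZ_NET)
# ip route-static ... NULL0 for both public /32 addresses
BLACKHOLE = [ipaddress.ip_network("1.1.10.10/32"), ipaddress.ip_network("2.2.20.10/32")]


def zone_of_destination(ip):
    """Zone of the post-NAT destination; only the DMZ is modelled here."""
    return "dmz" if ipaddress.ip_address(ip) in DMZ_NET else None


def handle_inbound(in_iface, dst_ip, dst_port):
    """Verdict for a packet arriving from the Internet on in_iface."""
    src_zone = ZONE_OF_IFACE[in_iface]
    for name, zone, public, port, private in NAT_RULES:
        if zone == src_zone and dst_ip == public and dst_port == port:
            break
    else:
        # Nothing translates this destination. A public /32 hits the NULL0 route and is
        # discarded instead of being sent back out the default route (a routing loop).
        if any(ipaddress.ip_address(dst_ip) in net for net in BLACKHOLE):
            return {"verdict": "blackhole"}
        return {"verdict": "no_nat_match"}
    src_zones, dst_zone, dst_net = SECURITY_RULE
    if (src_zone in src_zones and zone_of_destination(private) == dst_zone
            and ipaddress.ip_address(private) in dst_net):
        return {"verdict": "permit", "nat_rule": name, "translated_dst": private,
                "reply_next_hop": REVERSE_NEXT_HOP[in_iface]}
    return {"verdict": "deny", "nat_rule": name}
```

Note that the same public address arriving on the other ISP's interface is blackholed, because each NAT rule is bound to its own source zone.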
Copyright © Huawei Technologies Co., Ltd.