Web: Example for Configuring Internet Users of Different ISPs to Access the Same Public IP Address of a Server on a Dual-Egress Intranet (Sticky Load Balancing)

This section provides an example for configuring Internet users of different ISPs to access the same public IP address of a server on a dual-egress intranet in case of sticky load balancing.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway that connects to the Internet over two ISP networks. The intranet FTP server applies for a public IP address (1.1.10.10) only from ISP1 to provide services for Internet users. Internet users on ISP1 and ISP2 networks must use this public IP address to access the FTP server.

Figure 1 Networking diagram for configuring NAT policy on a dual-egress intranet in the case of sticky load balancing

Data Planning

Item	Data	Description
GigabitEthernet 0/0/1	IP address: 1.1.1.1/24 Security zone: untrust1	Set the parameters according to the requirement of the ISP.
GigabitEthernet 0/0/7	IP address: 2.2.2.2/24 Security zone: untrust2	Set the parameters according to the requirement of the ISP.
GigabitEthernet 0/0/2	IP address: 10.2.0.1/24 Security zone: DMZ	-
NAT Policy	Policy name: policy1 Source zones: untrust1 and untrust2 Public address: 1.1.10.10 Destination address pool: 10.2.0.8	The NAT policy converts traffic whose destination address is 1.1.10.10 to traffic whose destination address is 10.2.0.8 so that the traffic can be sent to the intranet FTP server.

Configuration Roadmap

Configure a NAT policy for Internet users to access the intranet FTP server using a public IP address.
Configure sticky load balancing and the default gateway on the GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7.

Make clear the incoming interface of the traffic that may have different forward and return paths based on the configured routes and then configure the sticky load balancing function on the interface.

Procedure

Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
1. Set an IP address for GigabitEthernet 0/0/2 and assign the interface to a security zone.
  1. Choose Network > Interface.
  2. In Interface List, click on the line of GigabitEthernet 0/0/2 and set the following parameters.
    
    Security Zone
    
    dmz
    
    IPv4
    
    IP Address
    
    10.2.0.1/24
  3. Click OK.
2. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to a security zone.
  1. Choose Network > Zone.
  2. Click Add and create security zone untrust1 based on the following parameter values.
    
    Name
    
    untrust1
    
    Priority
    
    10
  3. Click OK.
  4. Choose Network > Interface.
  5. In Interface List, click on the line of GigabitEthernet 0/0/1 and set the following parameters.
    
    Security Zone
    
    untrust1
    
    IPv4
    
    IP Address
    
    1.1.1.1/24
  6. Click OK.
3. Set an IP address for GE0/0/7 and assign the interface to a security zone.
  1. Choose Network > Zone.
  2. Click Add and create security zone untrust2 based on the following parameter values.
    
    Name
    
    untrust2
    
    Priority
    
    20
  3. Click OK.
  4. Choose Network > Interface.
  5. In Interface List, click on the line of GE0/0/7 and set the following parameters.
    
    Security Zone
    
    untrust2
    
    IPv4
    
    IP Address
    
    2.2.2.2/24
  6. Click OK.
Configure a security policy to allow Internet users to access the intranet server.
1. Choose Policy > Security Policy > Security Policy.
2. In Security Policy List, click Add and choose Add Security Policy. Set the following parameters to configure a security policy.
  
  Name
  
  policy1
  
  Source Zone
  
  untrust1, untrust2
  
  Destination Zone
  
  dmz
  
  Destination Address/Region
  
  10.2.0.0/24
  
  Action
  
  Permit
3. Click OK.
Configure a NAT address pool and NAT policy.
1. Choose Policy > NAT Policy > NAT Policy > Destination Translation Address Pool.
2. In Destination Translation Address Pool List, click Add and set the following parameters to configure a NAT address pool.
3. Click OK.
4. Choose Policy > NAT Policy > NAT Policy.
5. In NAT Policy List, click Add and set the following parameters to configure a NAT policy.
6. Click OK.
Configure a blackhole route on the FW to prevent route loops.
1. Choose Network > Router > Static Route.
2. In Static Route List, click Add and set the following parameters.
  
  Protocol Type
  
  IPv4
  
  Destination IP Address/Mask
  
  1.1.10.10/255.255.255.0
  
  Next Hop
  
  NULL0
3. Click OK.
Enable NAT ALG for FTP.
1. Choose Policy > ASPF Configuration.
2. Select FTP.
Configure sticky load balancing and the default gateway.
1. Choose Network > Interface.
2. In Interface List, click on the line of GigabitEthernet 0/0/1 and set the following parameters.
3. Repeat the preceding step to configure GE0/0/7.
On the routers, configure static routes to the public address of the intranet server so that traffic to the server can be sent to the FW.
Contact the ISP's network administrator to perform this step.

Security Zone	dmz
IPv4
IP Address	10.2.0.1/24

Name	untrust1
Priority	10

Security Zone	untrust1
IPv4
IP Address	1.1.1.1/24

Name	untrust2
Priority	20

Security Zone	untrust2
IPv4
IP Address	2.2.2.2/24

Name	policy1
Source Zone	untrust1, untrust2
Destination Zone	dmz
Destination Address/Region	10.2.0.0/24
Action	Permit

Protocol Type	IPv4
Destination IP Address/Mask	1.1.10.10/255.255.255.0
Next Hop	NULL0

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 ip route-static 1.1.10.10 255.255.255.255 NULL0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
 gateway 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/7
 undo shutdown
 ip address 2.2.2.2 255.255.255.0 
 redirect-reverse next-hop 2.2.2.254
 gateway 2.2.2.254
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone name untrust1 id 4
 set priority 10
 add interface GigabitEthernet0/0/1
#
firewall zone name untrust2 id 5
 set priority 20
 add interface GigabitEthernet0/0/7
# 
firewall interzone dmz untrust1 
 detect ftp 
#
destination-nat address-group addressgroup1
 section 10.2.0.8 10.2.0.8
#
nat-policy
 rule name policy1
  source-zone untrust1
  source-zone untrust2
  destination-address 1.1.10.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
#  
security-policy   
  rule name policy1
    source-zone untrust1 
    source-zone untrust2
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
# 
return