< Home

Web: Example for Configuring Intranet Users to Access the Public Addresses of Intranet Servers (Source NAT+Static Destination NAT)

This section provides an example for configuring intranet users to access the public IP addresses of intranet servers.

Networking Requirements

An enterprise has deployed a FW as a security gateway on the intranet border. NAT Server is configured on the FW for the intranet web and File Transfer Protocol (FTP) servers to provide services for Internet users. PC D on the same network segment and security zone with the two servers. Source NAT is configured on the FW so that PC D can use a public address to access the two intranet servers.

The enterprise applies for two public IP addresses:
  • 1.1.10.10 used by intranet servers.
  • 1.1.1.11 into which PC D's private address is translated.
Figure 1 illustrates the networking for a source NAT policy in outbound interface mode. The router is an access gateway on the ISP network.
Figure 1 Networking diagram for NAT Server and source NAT

Data Planning

Item

Data

Description

GigabitEthernet 0/0/1

IP address: 1.1.1.1/24

Security zone: untrust

1.1.1.1/24 is a public address provided by the ISP.

GigabitEthernet 0/0/2

IP address: 10.2.0.1/24

Security zone: dmz

Intranet servers use 10.2.0.1 as the default gateway address.

Addresses in the source NAT address pool

1.1.1.11

-

Addresses in the destination NAT address pool

10.2.0.7 to 10.2.0.8

-

Routing information

Default route

Destination address: 0.0.0.0

Next hop address: 1.1.1.254

Configure a default route on the FW to direct intranet traffic to the ISP network.

Configuration Roadmap

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy for traffic between intranet users and intranet servers.
  3. Configure NAT Server. Configure two server mapping entries, one for the web server and the other for the FTP server.
  4. Configure a source NAT policy to allow PC D to access the intranet servers based on the servers' public address.
  5. Configure a default route on the FW to direct intranet traffic to the ISP router.
  6. Configure static routes destined for public addresses of intranet servers on the router.

Procedure

  1. Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet 0/0/1 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click of GigabitEthernet 0/0/1 and set the parameters as follows:

        Zone

        untrust

        IPv4

        IP Address

        1.1.1.1/24

      3. Click OK.

    2. Set the IP address of GigabitEthernet 0/0/2 and assign the interface to a security zone.

      1. In Interface List, click of GigabitEthernet 0/0/2 and set the parameters as follows:

        Zone

        dmz

        IPv4

        IP Address

        10.2.0.1/24

      2. Click OK.

  2. Configure a security policy for traffic between intranet users and intranet servers.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click Add, select Add Security Policy, and configure a security policy based on the following parameter values.

      Name

      policy1

      Source Zone

      dmz

      Destination Zone

      dmz

      Destination Address/Region

      10.2.0.0/24

      Action

      Permit

    3. Click OK.

  3. Configure NAT address pools and NAT policies.

    1. Choose Policy > NAT Policy > NAT Policy > Source Translation Address Pool.

    2. In Source Translation Address Pool List, click Add and configure a NAT address pool based on the following parameters.

    3. Click OK.

    4. Choose Policy > NAT Policy > NAT Policy > Destination Translation Address Pool.

    5. In Destination Translation Address Pool List, click Add and configure a NAT address pool based on the following parameters.

    6. Click OK.

    7. Choose Policy > NAT Policy > NAT Policy.

    8. In NAT Policy List, click Add and configure a NAT policy based on the following parameters.

    9. When configuring Service, right-click the input box in the column where Service resides and choose Add > Add Protocol or Protocol Number from the shortcut menu.

    10. Set a protocol number as follows:

    11. Click OK.

  4. Configure a black-hole route on the FW, so that traffic from intranet servers can be forwarded to the ISP router.
    1. Choose Network > Route > Static Route.
    2. In Static Route List, click Add and configure a black-hole route based on the following parameter values.

      Protocol

      IPv4

      Destination Address/Mask

      1.1.10.10/255.255.255.0

      Next Hop

      NULL0

    3. Click OK.
  5. Enable NAT ALG for FTP.
    1. Choose Policy > ASPF Configuration.

    2. Select FTP.
  6. Configure a default route on the FW, so that traffic from intranet servers can be forwarded to the ISP router.
    1. Choose Network > Route > Static Route.
    2. In Static Route List, click Add and configure a default route based on the following parameter values.

      Protocol

      IPv4

      Destination Address/Mask

      0.0.0.0/0.0.0.0

      Next Hop

      1.1.1.254

    3. Click OK.
  7. Configure a static route to public address (1.1.10.10) with the next hop being 1.1.1.1 on the router so that traffic destined for the server can be sent to the FW.

    Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
 detect ftp
# 
firewall interzone dmz untrust 
 detect ftp 
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 
 ip route-static 1.1.10.10 255.255.255.255 NULL0 
# 
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 1.1.1.11 1.1.1.11 
# 
destination-nat address-group addressgroup2 0
 section 10.2.0.7 10.2.0.8 
#  
security-policy   
  rule name policy1  
    source-zone dmz 
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
#  
nat-policy  
  rule name policy_nat1 
    source-zone dmz 
    source-address 10.2.0.6 24
    destination-address 1.1.10.10 32
    service protocol tcp destination-port  3000 to 3001
    action source-nat address-group addressgroup1 
    action destination-nat static port-to-address address-group addressgroup2 2000
# 
return
Parent Topic: NAT
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >