
Web: Example for Configuring Source NAT in Load Balancing Scenarios (Active and Standby FWs Using the Same Address Pool)

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to routers. The FWs and directly connected routers run OSPF.

The FWs are required to work in load balancing mode. In normal cases, FW_A forwards traffic from Dept. A (IP address range: 10.3.0.51 to 10.3.0.100), and FW_B forwards traffic from Dept. B (IP address range: 10.3.0.101 to 10.3.0.150). If either FW fails, the other FW forwards all traffic to ensure service continuity.

To enable private network users to access the Internet, you need to configure a source NAT policy on FW_A and FW_B.

If FW_A and FW_B share one NAT address pool (1.1.1.10) and work properly, they may translate the source IP addresses and source ports of the packets sent from different hosts into the same pair of public IP address and port. To prevent port conflicts, you must specify different port ranges for the active and standby devices.

In this load balancing networking, FWs connect to routers in both upstream and downstream directions. On live networks, you must determine whether OSPF is required based on the upstream and downstream devices and interfaces. The Source NAT configuration remains unchanged.

This example does not apply when uplink interfaces connect to different ISP networks.

Figure 1 Network diagram for configuring source NAT in a load balancing scenario

Data Planning

Item        FW_A                                        FW_B
----------  ------------------------------------------  ------------------------------------------
Interface   GigabitEthernet 0/0/1                       GigabitEthernet 0/0/1
            IP address: 10.2.0.1/24                     IP address: 10.2.1.1/24
            Security zone: Untrust                      Security zone: Untrust
            GigabitEthernet 0/0/3                       GigabitEthernet 0/0/3
            IP address: 10.3.0.1/24                     IP address: 10.3.1.1/24
            Security zone: Trust                        Security zone: Trust
            GigabitEthernet 0/0/7 (heartbeat)           GigabitEthernet 0/0/7 (heartbeat)
            IP address: 10.10.0.1/24                    IP address: 10.10.0.2/24
            Security zone: DMZ                          Security zone: DMZ
OSPF        Process ID: 10                              Process ID: 10
            Area ID: 0                                  Area ID: 0
            Network segments for the area:              Network segments for the area:
            10.2.0.0/24 and 10.3.0.0/24                 10.2.1.0/24 and 10.3.1.0/24
            NAT address pool route 1.1.1.10/32          NAT address pool route 1.1.1.10/32
            imported into OSPF as a UNR route           imported into OSPF as a UNR route

Configuration Roadmap

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity on FW_A and FW_B.
  2. Configure OSPF on FW_A and FW_B.
  3. Allocate separate NAT resources (public IP address and port ranges) to FW_A and FW_B. Because the two FWs share one NAT address pool and both forward traffic in normal cases, they could otherwise translate packets from different hosts into the same public IP address and port. Running hrp nat resource primary-group on the active FW gives each FW its own port range.
  4. Configure hot standby on FW_A and FW_B. To be specific, configure interface monitoring, specify heartbeat interfaces, and enable quick session backup.
  5. Configure a security policy on FW_A to allow OSPF packet exchange between FWs and Internet access from the intranet. The security policy configured on FW_A is automatically backed up to FW_B.
  6. Configure a NAT address pool on FW_A. The NAT address pool configured on FW_A is automatically backed up to FW_B.
  7. Configure a Source NAT policy on FW_A to implement source address translation for Internet access from the intranet. The Source NAT policy configured on FW_A is automatically backed up to FW_B.
  8. Configure the downstream devices, so that traffic from department A is forwarded through FW_A, and traffic from department B is forwarded through FW_B.
  9. Configure interface addresses, static routes, and OSPF on the upstream and downstream routers. For information about the configurations, see the router product documentation. The configurations are omitted here.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    1. Set interface IP addresses on FW_A and assign the interfaces to security zones.
      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set the parameters as follows:
         Zone: untrust
         IPv4 IP Address: 10.2.0.1/24
      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/3.
         Zone: trust
         IPv4 IP Address: 10.3.0.1/24
      5. Repeat the preceding steps to configure GE0/0/7.
         Zone: dmz
         IPv4 IP Address: 10.10.0.1/24

    2. Set interface IP addresses on FW_B and assign the interfaces to security zones.
      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set the parameters as follows:
         Zone: untrust
         IPv4 IP Address: 10.2.1.1/24
      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/3.
         Zone: trust
         IPv4 IP Address: 10.3.1.1/24
      5. Repeat the preceding steps to configure GE0/0/7.
         Zone: dmz
         IPv4 IP Address: 10.10.0.2/24

  2. Configure OSPF on FW_A and FW_B.

    1. Configure OSPF on FW_A.
      1. Choose Network > Route > OSPF.
      2. Click Add in the OSPF list.
      3. Create an OSPF process and set the parameters as follows:
        • Process ID: 10
        • Router ID: 1.1.1.1
      4. Click the edit icon of OSPF process 10. In the navigation tree, choose Basic Configuration > Area Settings.
      5. Click Add to create an area.
      6. Set area parameters as follows:
         Area: 0.0.0.0, IP Network: 10.2.0.0, Mask/Wildcard Mask: 255.255.255.0
         Area: 0.0.0.0, IP Network: 10.3.0.0, Mask/Wildcard Mask: 255.255.255.0
      7. Import the NAT address pool route into OSPF so that the upstream router learns a route to 1.1.1.10/32. The address pool (configured in step 6 with route generation enabled) produces a UNR route, not a static route, so UNR is the route type to import.

        Choose Advanced Setting > Route Import and click Add.

        Set Route Type to UNR.

    2. Configure OSPF on FW_B.
      1. Choose Network > Route > OSPF.
      2. Click Add in the OSPF list.
      3. Create an OSPF process and set the parameters as follows:
        • Process ID: 10
        • Router ID: 1.1.1.2
      4. Click the edit icon of OSPF process 10. In the navigation tree, choose Basic Configuration > Area Settings.
      5. Click Add to create an area.
      6. Set area parameters as follows:
         Area: 0.0.0.0, IP Network: 10.2.1.0, Mask/Wildcard Mask: 255.255.255.0
         Area: 0.0.0.0, IP Network: 10.3.1.0, Mask/Wildcard Mask: 255.255.255.0
      7. Import the NAT address pool route into OSPF so that the upstream router learns a route to 1.1.1.10/32. As on FW_A, the route type to import is UNR.

        Choose Advanced Setting > Route Import and click Add.

        Set Route Type to UNR.

  3. Configure hot standby.
    1. Configure hot standby on FW_A.

      1. Choose System > High Availability > Dual-System Hot Standby.

      2. Click Edit.
      3. Select the Enable check box and configure hot standby as follows (the settings correspond to the hrp commands in the configuration scripts at the end of this example):
        • Heartbeat interface: GigabitEthernet 0/0/7, remote address 10.10.0.2
        • Monitored interfaces: GigabitEthernet 0/0/1 and GigabitEthernet 0/0/3
        • Quick session backup: enabled

      4. Click OK.

    2. Configure hot standby on FW_B.

      1. Choose System > High Availability > Dual-System Hot Standby.
      2. Click Edit.
      3. Select the Enable check box and configure hot standby as follows:
        • Heartbeat interface: GigabitEthernet 0/0/7, remote address 10.10.0.1
        • Monitored interfaces: GigabitEthernet 0/0/1 and GigabitEthernet 0/0/3
        • Quick session backup: enabled

      4. Click OK.

  4. Configure NAT address pool port allocation in the load balancing scenario.

    In the hot standby load balancing scenario, if NAPT is configured, the two FWs may hand out the same public port for the shared pool address. To prevent such conflicts, allocate separate NAT resources (public IP addresses and port ranges) to the FWs. Run the hrp nat resource primary-group command on the active FW; the standby FW automatically generates the hrp nat resource secondary-group command (conversely, if you run hrp nat resource secondary-group on the active FW, the standby FW automatically generates hrp nat resource primary-group).

    HRP_M[FW_A] hrp nat resource primary-group
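The following Python script is an added illustration and is not part of this example or of the FW software. It reproduces the port conflict described in the networking requirements and in step 4 with two minimal NAPT translators that share 1.1.1.10, shows that disjoint port ranges (the effect of hrp nat resource primary-group and secondary-group) remove the conflict, and audits two session tables for post-NAT addresses outside the pool and for post-NAT tuples that both FWs use. The port range 2048 to 65535 and its split at 33792, and the session-table line layout (src:port[post-NAT ip:port]-->dst:port), are assumptions made for the illustration, not values taken from the FW.

```python
"""Added illustration (not from the Huawei example or the FW software): why two
NAPT firewalls sharing one public address must use disjoint port ranges, and an
audit of two session tables for the resulting conflicts."""
import re

# Assumed NAPT port range and split: primary-group gets the lower half,
# secondary-group the upper half. Illustrative values, not the FW's allocation.
FULL_PORTS = range(2048, 65536)
PRIMARY_PORTS = range(2048, 33792)
SECONDARY_PORTS = range(33792, 65536)


class Napt:
    """Minimal NAPT translator: each new private (ip, port) is mapped to the
    shared public IP plus the next unused port from the translator's range."""

    def __init__(self, public_ip, ports):
        self.public_ip = public_ip
        self._free = iter(ports)
        self.table = {}

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = (self.public_ip, next(self._free))
        return self.table[key]


def shared_pool_conflicts(ports_a, ports_b):
    """Translate Dept. A hosts on FW_A and Dept. B hosts on FW_B (the load
    balancing split from the example) and return the public (ip, port) pairs
    that both FWs handed out, each to a different private host."""
    fw_a = Napt("1.1.1.10", ports_a)
    fw_b = Napt("1.1.1.10", ports_b)
    for host in range(51, 101):       # Dept. A: 10.3.0.51 to 10.3.0.100
        fw_a.translate(f"10.3.0.{host}", 40000 + host)
    for host in range(101, 151):      # Dept. B: 10.3.0.101 to 10.3.0.150
        fw_b.translate(f"10.3.0.{host}", 40000 + host)
    return set(fw_a.table.values()) & set(fw_b.table.values())


# Assumed session-table line layout: src:port[post-NAT ip:port]-->dst:port.
SESSION_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\]"
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_sessions(text):
    """Return (src, sport, nat_ip, nat_port, dst, dport) per translated session;
    lines without a NAT mapping (headers, untranslated flows) are skipped."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            rows.append((m["src"], int(m["sport"]), m["nat_ip"],
                         int(m["nat_port"]), m["dst"], int(m["dport"])))
    return rows


def audit(fw_a_text, fw_b_text, pool=("1.1.1.10",)):
    """Check the two session tables. Returns (outside_pool, collisions):
    post-NAT addresses that are not in the NAT address pool, and
    (nat_ip, nat_port, dst, dport) tuples that both FWs use for different
    private hosts. A collision means the return packet for that tuple cannot
    be attributed to one FW, which is what the split port ranges prevent."""
    rows_a = parse_sessions(fw_a_text)
    rows_b = parse_sessions(fw_b_text)
    outside_pool = sorted({r[2] for r in rows_a + rows_b if r[2] not in pool})
    owner_a = {(r[2], r[3], r[4], r[5]): (r[0], r[1]) for r in rows_a}
    collisions = []
    for r in rows_b:
        key = (r[2], r[3], r[4], r[5])
        if key in owner_a and owner_a[key] != (r[0], r[1]):
            collisions.append(key)
    return outside_pool, collisions


# Constructed sample output in the assumed layout (not captured from a device).
FW_A_SESSIONS = """\
 Current Total Sessions : 2
 http  VPN:public --> public  10.3.0.51:1025[1.1.1.10:2048]-->203.0.113.5:80
 dns   VPN:public --> public  10.3.0.52:1030[1.1.1.10:2049]-->203.0.113.53:53
"""
FW_B_SESSIONS = """\
 Current Total Sessions : 2
 http  VPN:public --> public  10.3.0.120:1025[1.1.1.10:2048]-->203.0.113.5:80
 http  VPN:public --> public  10.3.0.121:1026[1.1.1.10:33792]-->203.0.113.5:80
"""

if __name__ == "__main__":
    print("shared full range:", len(shared_pool_conflicts(FULL_PORTS, FULL_PORTS)), "conflicts")
    print("split ranges:     ", len(shared_pool_conflicts(PRIMARY_PORTS, SECONDARY_PORTS)), "conflicts")
    print("audit:", audit(FW_A_SESSIONS, FW_B_SESSIONS))
```

With both translators drawing from the full range, every Dept. A host collides with a Dept. B host on the same public port; with the split ranges there are no collisions. In the constructed session tables the audit flags 1.1.1.10:2048 towards 203.0.113.5:80, which FW_A assigned to 10.3.0.51 and FW_B to 10.3.0.120: the situation the hrp nat resource command is meant to rule out.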

  5. Configure a security policy on FW_A to allow OSPF packet exchange between the FWs and the routers and Internet access from the intranet.

    The security policy configured on FW_A is automatically backed up to FW_B.
    1. Choose Policy > Security Policy > Security Policy.

    2. Click Add and select Add Security.

      Name: policy1
      Source Zone: local, trust, untrust
      Destination Zone: local, trust, untrust
      Action: Permit

    This rule permits all traffic in every direction among the Local, Trust and Untrust zones, including connections initiated from the Internet to the intranet. That is sufficient for this example, but on a live network replace it with separate rules: Local to and from Trust and Untrust for OSPF, and Trust to Untrust for Internet access, and permit Untrust to Trust only for the services the intranet must expose.

  6. Configure a NAT address pool and permit port translation so that one public address is reused by many hosts.

    The NAT address pool configured on FW_A is automatically backed up to FW_B.

    1. Choose Policy > NAT Policy > NAT Policy > Source Translation Address Pool.

    2. In Source Translation Address Pool List, click Add and configure a NAT address pool based on the following parameter values (they correspond to the nat address-group addressgroup1 commands in the configuration scripts):
      • Name: addressgroup1
      • Address range: 1.1.1.10 to 1.1.1.10
      • Translation mode: PAT (port address translation)
      • Route: enabled, so that the FW generates a UNR route for 1.1.1.10 that OSPF can import and advertise to the upstream router

  7. Configure a NAT policy to allow intranet users to access the Internet by using post-NAT public IP addresses.

    The NAT policy configured on FW_A is automatically backed up to FW_B.

    1. Choose Policy > NAT Policy > NAT Policy > NAT Policy.

    2. In NAT Policy List, click Add and configure a NAT policy based on the following parameter values (they correspond to the nat-policy rule in the configuration scripts):
      • Name: policy_nat_1
      • Source Zone: trust
      • Destination Zone: untrust
      • Action: Source NAT, using address pool addressgroup1

  8. Configure the downstream devices, so that traffic from department A is forwarded through FW_A, and traffic from department B is forwarded through FW_B.
  9. Configure interface addresses, static routes, and OSPF on the upstream and downstream routers. For information about the configurations, see the router product documentation. The configurations are omitted here.

Configuration Verification

  1. On FW_A and FW_B, choose System > High Availability > Dual-System Hot Standby to view the hot standby status. If the following information is displayed, HRP is successfully configured. Normally, Working Mode is Load Sharing for both FW_A and FW_B, and Current Status is Active for FW_A and Standby for FW_B. In this case, both FWs forward traffic.

  2. On FW_A and FW_B, check the match count of the Source NAT policy. A match count other than 0 means that data flows have matched the NAT policy.

    Choose Policy > NAT Policy > NAT Policy and check Matching Count.

  3. On FW_A and FW_B, view the session table. If the post-NAT IP address is an address in the NAT address pool, the NAT policy is successfully configured. Because both FWs translate to the same address 1.1.1.10, also confirm that the post-NAT ports used on FW_A and on FW_B fall into different ranges; they should not overlap once the hrp nat resource command from step 4 of the procedure is in effect.

    To view the session table, choose Monitor > Report > Session Table.

  4. The services remain available even if an interface fault occurs on FW_A. Working Mode then changes to Active/Standby Backup for both FW_A and FW_B, Current Status is Standby for FW_A and Active for FW_B, and only FW_B forwards traffic.

Configuration Scripts

FW_A

#
 hrp mirror session enable
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
hrp nat resource primary-group
#
hrp track interface GigabitEthernet 0/0/1
hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ospf 10 router-id 1.1.1.1
 import-route unr
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.10
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1
#

FW_B

#
 hrp mirror session enable
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
hrp nat resource secondary-group
#
hrp track interface GigabitEthernet 0/0/1
hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/1
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ospf 10 router-id 1.1.1.2
 import-route unr
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.10
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1
#
Copyright © Huawei Technologies Co., Ltd.