CLI: Example for Configuring NAT No-PAT for Intranet Users to Access the Internet
This section provides an example for configuring NAT No-PAT for intranet users to access the Internet.
Networking Requirements
The FW serves as the security gateway at the border of a studio. A source NAT policy must be configured on the FW to allow users in network 10.1.1.0/24 to access the Internet. Only a small number of users need to access the Internet. Therefore, NAT No-PAT address translation mode can be configured on the FW to perform one-to-one translation between private and public addresses. The studio applied for six IP addresses (1.1.1.10 to 1.1.1.15) from the ISP for address translation. Figure 1 shows the network environment. The router is the access gateway provided by the ISP.
Data Planning
Item |
Data |
Description |
|
|---|---|---|---|
GigabitEthernet 0/0/1 |
IP address: 10.1.1.1/24 Security zone: Trust |
Set the default gateway address on each intranet host to 10.1.1.1. |
|
GigabitEthernet 0/0/2 |
IP address: 1.1.1.1/24 Security zone: Untrust |
1.1.1.1/24 is a public address provided by the ISP. |
|
Intranet segment that is allowed to access the Internet |
10.1.1.0/24 |
- |
|
Public addresses mapped to private addresses |
1.1.1.10 to 1.1.1.15 |
Only a small number of users need to access the Internet. Therefore, NAT NO-PAT is configured on the FW. |
|
Routing information |
FW's default route | Destination address: 0.0.0.0 Next hop address: 1.1.1.254 |
Configure a default route on the FW to direct intranet traffic to the ISP network. |
| Router's static route | Destination address: 1.1.1.10 to 1.1.1.15 Next hop address: 1.1.1.1 |
The public addresses mapped to private addresses are not assigned to physical ports. As a result, the router cannot use a routing protocol to discover routes to the public addresses. Ask the ISP network administrator to configure a static route destined for the network segment address of the address pool on the router. |
|
Configuration Roadmap
The configuration roadmap is as follows:
- Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
- Configure a security policy to allow a specific intranet segment to access the Internet.
- Configure a NAT address pool and disable port translation.
- Configure a source NAT policy for translating source addresses between private and public address realms when hosts on the specific intranet segment access the Internet.
- Configure a default route on the FW to direct intranet traffic to the ISP router.
- Configure the IP address of the FW interface connected to the intranet as the default gateway address on each intranet host so that intranet traffic is directed to the FW when intranet hosts access the Internet.
- Configure a static route on the ISP router for forwarding Internet traffic to the FW.
Procedure
- Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
# Assign an IP address to GigabitEthernet 0/0/1.
<FW> system-view [FW] interface GigabitEthernet 0/0/1 [FW-GigabitEthernet 0/0/1] ip address 10.1.1.1 24 [FW-GigabitEthernet 0/0/1] quit
# Assign an IP address to GigabitEthernet 0/0/2.
[FW] interface GigabitEthernet 0/0/2 [FW-GigabitEthernet 0/0/2] ip address 1.1.1.1 24 [FW-GigabitEthernet 0/0/2] quit
# Add GigabitEthernet 0/0/1 to the Trust zone.
[FW] firewall zone trust [FW-zone-trust] add interface GigabitEthernet 0/0/1 [FW-zone-trust] quit
# Add GigabitEthernet 0/0/2 to the Untrust zone.
[FW] firewall zone untrust [FW-zone-untrust] add interface GigabitEthernet 0/0/2 [FW-zone-untrust] quit
- Configure a security policy to allow a specific intranet segment to access the Internet.
[FW] security-policy [FW-policy-security] rule name policy1 [FW-policy-security-rule-policy1] source-zone trust [FW-policy-security-rule-policy1] destination-zone untrust [FW-policy-security-rule-policy1] source-address 10.1.1.0 24 [FW-policy-security-rule-policy1] action permit [FW-policy-security-rule-policy1] quit [FW-policy-security] quit
- Configure a NAT address pool and disable port translation.
[FW] nat address-group addressgroup1 [FW-address-group-addressgroup1] mode no-pat global [FW-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.15 [FW-address-group-addressgroup1] route enable [FW-address-group-addressgroup1] quit
- Configure a source NAT policy for translating source addresses between private and public address realms when hosts on the specific intranet segment access the Internet.
[FW] nat-policy [FW-policy-nat] rule name policy_nat1 [FW-policy-nat-rule-policy_nat1] source-zone trust [FW-policy-nat-rule-policy_nat1] destination-zone untrust [FW-policy-nat-rule-policy_nat1] source-address 10.1.1.0 24 [FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1 [FW-policy-nat-rule-policy_nat1] quit [FW-policy-nat] quit
- Configure a default route on the FW to direct intranet traffic to the ISP router.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 - On each PC, configure the IP address of the FW interface connected to the intranet as the default gateway address to direct intranet traffic to the FW. The detailed configuration process is omitted.
- On the router, configure a static route destined for the network segment of the address pool (1.1.1.10 to 1.1.1.15) and set the next-hop address of the static route to 1.1.1.1 so that Internet traffic destined for the intranet server can be
forwarded by the FW.
Contact your ISP administrator to perform this step.
Configuration Scripts
Configuration script for the FW:
# sysname FW # interface GigabitEthernet0/0/1 undo shutdown ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/2 undo shutdown ip address 1.1.1.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/2 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 # nat address-group addressgroup1 0 mode no-pat global route enable section 0 1.1.1.10 1.1.1.15 # security-policy rule name policy1 source-zone trust destination-zone untrust source-address 10.1.1.0 24 action permit # nat-policy rule name policy_nat1 source-zone trust destination-zone untrust source-address 10.1.1.0 24 action source-nat address-group addressgroup1 # return