
CLI: Example for Configuring NAPT for Intranet Users to Access the Internet (Limiting the Number of Private Addresses Corresponding to a Public Address)

This section provides an example for configuring NAPT for intranet users to access the Internet.

Networking Requirements

An enterprise has deployed a FW as a security gateway on the intranet border. A source NAT policy needs to be configured on the FW so that users on the intranet 10.1.1.0/24 can access the Internet. In addition to the public IP address of the WAN interface on the FW, the enterprise has also been allocated public addresses 1.1.1.10 through 1.1.1.15 by the Internet service provider (ISP). The FW uses source NAT to map private addresses of the intranet (10.1.1.0/24) to these public addresses. If many intranet users access the Internet, port conflicts may occur during NAT. To reduce the possibility of port conflicts, you can set the maximum number of private addresses corresponding to a public address. Figure 1 illustrates the source NAT policy networking. The router is an access gateway on the ISP network.

Figure 1 Source NAT policy networking

Data Planning

| Item | Data | Description |
| --- | --- | --- |
| GigabitEthernet 0/0/1 | IP address: 10.1.1.1/24; Security zone: Trust | Set the default gateway address on each intranet host to 10.1.1.1. |
| GigabitEthernet 0/0/2 | IP address: 1.1.1.1/24; Security zone: Untrust | 1.1.1.1/24 is a public address provided by the ISP. |
| Intranet segment that is allowed to access the Internet | 10.1.1.0/24 | - |
| Public addresses mapped to private addresses | 1.1.1.10 to 1.1.1.15 | As private addresses far outnumber public addresses, one-to-one mapping cannot be implemented. To translate all private addresses into public addresses, enable port translation. |
| Maximum number of private addresses corresponding to a public address | 256 | - |
| Routing information: FW's default route | Destination address: 0.0.0.0; Next hop address: 1.1.1.254 | Configure a default route on the FW to direct intranet traffic to the ISP network. |
| Routing information: Router's static route | Destination address: 1.1.1.10 to 1.1.1.15; Next hop address: 1.1.1.1 | The public addresses mapped to private addresses are not assigned to physical ports. As a result, the router cannot use a routing protocol to discover routes to the public addresses. Ask the ISP network administrator to configure a static route destined for the network segment address of the address pool on the router. |

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy to allow a specific intranet segment to access the Internet.
  3. Configure a NAT address pool and enable port translation for public address multiplexing. Allow a maximum of 256 private addresses to be translated into one public address.
  4. Configure a source NAT policy for translating source addresses between private and public address realms when hosts on the specific intranet segment access the Internet.
  5. Configure a default route on the FW to direct intranet traffic to the ISP router.
  6. Configure the IP address of the FW interface connected to the intranet as the default gateway address on each intranet host so that intranet traffic is directed to the FW when intranet hosts access the Internet.
  7. Configure a static route on the ISP router for forwarding Internet traffic to the FW.

Procedure

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

    # Assign an IP address to GigabitEthernet 0/0/1.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet 0/0/1] ip address 10.1.1.1 24
    [FW-GigabitEthernet 0/0/1] quit

    # Assign an IP address to GigabitEthernet 0/0/2.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet 0/0/2] ip address 1.1.1.1 24
    [FW-GigabitEthernet 0/0/2] quit

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-zone-trust] quit

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] quit

  2. Configure a security policy to allow a specific intranet segment to access the Internet.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone untrust
    [FW-policy-security-rule-policy1] source-address 10.1.1.0 24
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] quit

  3. Configure a NAT address pool and enable port translation for public address multiplexing. Allow a maximum of 256 private addresses to be translated into one public address.

    [FW] nat address-group addressgroup1
    [FW-address-group-addressgroup1] mode pat
    [FW-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.15
    [FW-address-group-addressgroup1] srcip-car-num 256
    [FW-address-group-addressgroup1] route enable
    [FW-address-group-addressgroup1] quit

  4. Configure a source NAT policy for translating source addresses between private and public address realms when hosts on the specific intranet segment access the Internet.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat1
    [FW-policy-nat-rule-policy_nat1] source-zone trust
    [FW-policy-nat-rule-policy_nat1] destination-zone untrust
    [FW-policy-nat-rule-policy_nat1] source-address 10.1.1.0 24
    [FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1 
    [FW-policy-nat-rule-policy_nat1] quit
    [FW-policy-nat] quit

  5. Configure a default route on the FW to direct intranet traffic to the ISP router.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

  6. On each PC, configure the IP address of the FW interface connected to the intranet as the default gateway address to direct intranet traffic to the FW. The detailed configuration process is omitted.
  7. On the router, configure a static route destined for the network segment of the address pool (1.1.1.10 to 1.1.1.15) and set the next-hop address of the static route to 1.1.1.1 so that Internet traffic destined for the intranet server can be forwarded by the FW.

    Contact your ISP administrator to perform this step.
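The effect of srcip-car-num in step 3 can be reasoned about before the configuration is applied: with six public addresses and a cap of 256 private addresses each, the pool serves at most 1536 private hosts at once, and each private host sharing a fully loaded public address still has a guaranteed slice of that address's port range, which is why the cap reduces port conflicts. The following Python model is an added example, not Huawei code; it takes the pool section and cap from this page and assumes a 1024-65535 port range and a least-loaded choice of public address, neither of which the page states.

```python
"""Added example, not Huawei code: a model of a PAT address group whose public
addresses each accept at most srcip-car-num private sources, used to reason
about the capacity of the pool configured in step 3."""
import ipaddress
from collections import defaultdict

# Values from the page: pool section 1.1.1.10-1.1.1.15 and a cap of 256.
POOL_START, POOL_END = "1.1.1.10", "1.1.1.15"
SRCIP_CAR_NUM = 256
# Assumption: translated source ports are drawn from this range; the page
# does not state the FW's actual port range or selection order.
PORT_LOW, PORT_HIGH = 1024, 65535


def pool_addresses(start, end):
    """Expand an address-group section into its individual public addresses."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


def ports_per_private_host(cap, low=PORT_LOW, high=PORT_HIGH):
    """Port budget each private host keeps when a public address is shared by
    exactly `cap` private hosts (why the cap limits port conflicts)."""
    return (high - low + 1) // cap


class PatPool:
    def __init__(self, start, end, srcip_car_num):
        self.addresses = pool_addresses(start, end)
        self.cap = srcip_car_num
        self.private_to_public = {}             # private IP -> its public IP (sticky)
        self.public_members = defaultdict(set)  # public IP -> private IPs using it
        self.next_port = {ip: PORT_LOW for ip in self.addresses}

    def capacity(self):
        """Most private hosts the pool can serve at once under the cap."""
        return len(self.addresses) * self.cap

    def _public_for(self, private_ip):
        """Assumption: a new private host goes to the least-loaded public address
        that still has room under the cap; the FW's real selection may differ."""
        if private_ip in self.private_to_public:
            return self.private_to_public[private_ip]
        room = [ip for ip in self.addresses if len(self.public_members[ip]) < self.cap]
        if not room:
            return None
        chosen = min(room, key=lambda ip: len(self.public_members[ip]))
        self.private_to_public[private_ip] = chosen
        self.public_members[chosen].add(private_ip)
        return chosen

    def translate(self, private_ip, private_port):
        """Return the (public IP, public port) a new flow is mapped to, or None
        when every public address already holds `cap` private hosts (the point
        at which the FW described in the text raises logs and alarms)."""
        public_ip = self._public_for(private_ip)
        if public_ip is None or self.next_port[public_ip] > PORT_HIGH:
            return None
        port = self.next_port[public_ip]
        self.next_port[public_ip] += 1
        return public_ip, port


def simulate(pool, n_hosts):
    """Send one flow from each of n_hosts distinct (constructed) private hosts;
    return how many were translated and the load on each public address."""
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    accepted = sum(
        pool.translate(str(ipaddress.IPv4Address(base + i)), 40000) is not None
        for i in range(n_hosts)
    )
    return accepted, {ip: len(members) for ip, members in pool.public_members.items()}


if __name__ == "__main__":
    pool = PatPool(POOL_START, POOL_END, SRCIP_CAR_NUM)
    print("pool capacity:", pool.capacity(), "private hosts")
    print("ports per host at the cap:", ports_per_private_host(SRCIP_CAR_NUM))
    print("10.1.1.55:2474 ->", pool.translate("10.1.1.55", 2474))
    accepted, load = simulate(pool, 1537)
    print("accepted", accepted, "of 1537; load:", load)
```

Running the model with the page's values shows that the 254-host segment 10.1.1.0/24 fits comfortably (1536 slots), that the 1537th distinct private host is refused, and that at the cap each host still holds 252 source ports on its public address. Lowering srcip-car-num raises the per-host port budget at the cost of pool capacity.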

Verification

  1. Configure the FW so that all intranet users can access the Internet.
  2. When intranet users access the Internet, run the display firewall session table command to view sessions whose source addresses are the private addresses of intranet PCs. If such a session exists and its post-NAT IP address is in the NAT address pool, the NAT policy configuration succeeds. The post-NAT IP address and port are shown in square brackets ([]).
    Current Total Sessions : 1
     http  VPN:public --> public  10.1.1.55:2474[1.1.1.10:3761]-->3.3.3.3:80
  3. When public address usage reaches the threshold because of Internet access from intranet users, the FW generates logs and alarms.
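The session check in step 2 can be automated for a captured session table, which is useful when many sessions have to be reviewed: every post-NAT address must fall inside the pool section, a session with no bracketed post-NAT address means the NAT policy did not match it, and no public address should be shared by more than srcip-car-num private hosts. The parser below is an added example, not Huawei code; it is written for the line format shown above, and the three-session output it works on is constructed (only the first line is the page's own).

```python
"""Added example, not Huawei code: parse 'display firewall session table'
lines in the format shown on this page and check the NAT mappings against
the configured pool and srcip-car-num."""
import ipaddress
import re
from collections import defaultdict

# Values from the page's configuration.
POOL_START, POOL_END = "1.1.1.10", "1.1.1.15"
SRCIP_CAR_NUM = 256

# One session line: proto, VPN instances, source, optional [post-NAT], destination.
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)

# Constructed sample: the first session is the page's example, the other two
# are made up to show a second pool address and an untranslated session.
SAMPLE_OUTPUT = """\
Current Total Sessions : 3
 http  VPN:public --> public  10.1.1.55:2474[1.1.1.10:3761]-->3.3.3.3:80
 dns   VPN:public --> public  10.1.1.56:53123[1.1.1.11:4021]-->3.3.3.4:53
 http  VPN:public --> public  10.1.1.57:2500-->3.3.3.3:80
"""


def parse_sessions(text):
    """Return one dict per session line; header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = SESSION_RE.match(line)
        if match:
            sessions.append(match.groupdict())
    return sessions


def in_pool(ip, start=POOL_START, end=POOL_END):
    """True when ip lies within the address-group section."""
    addr = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end)


def check_sessions(sessions, cap=SRCIP_CAR_NUM):
    """Return a list of findings; an empty list means every session is as expected."""
    findings = []
    members = defaultdict(set)  # public IP -> private IPs seen behind it
    for s in sessions:
        if s["nat_ip"] is None:
            findings.append(f"{s['src_ip']}:{s['src_port']} left untranslated")
            continue
        if not in_pool(s["nat_ip"]):
            findings.append(f"{s['src_ip']} translated to {s['nat_ip']}, outside the pool")
        members[s["nat_ip"]].add(s["src_ip"])
    for public_ip, private_ips in members.items():
        if len(private_ips) > cap:
            findings.append(
                f"{public_ip} serves {len(private_ips)} private hosts, over the cap of {cap}"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for finding in check_sessions(parsed) or ["all sessions translated into the pool"]:
        print(finding)
```

On the sample above the check reports only the third session, whose source was not translated; on a real capture an untranslated intranet source usually means the session matched no rule in nat-policy or hit the security policy from a zone other than trust.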

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.15
 srcip-car-num 256
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    action permit
#
nat-policy
  rule name policy_nat1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    action source-nat address-group addressgroup1
#
return
Copyright © Huawei Technologies Co., Ltd.