
CLI: Example for Configuring Easy IP for Intranet Users to Access the Internet

This section provides an example for configuring Easy IP for intranet users to access the Internet.

Networking Requirements

An enterprise has deployed a FW as a security gateway on the intranet border. The enterprise applies for a public IP address from an ISP and uses it to connect the FW to the ISP router, which is the access gateway on the ISP network. A source NAT policy working in WAN interface mode (Easy IP) must be configured on the FW. This policy translates the source addresses of intranet users on the network 10.1.1.0/24 into the public IP address of the FW's WAN interface so that those users can access the Internet. Figure 1 illustrates the networking for a source NAT policy working in WAN interface mode.

Figure 1 Source NAT policy networking

Data Planning

Item: GigabitEthernet 0/0/1
  Data: IP address 10.1.1.1/24; security zone Trust
  Description: Set the default gateway address on each intranet host to 10.1.1.1.

Item: GigabitEthernet 0/0/2
  Data: IP address 1.1.1.1/24; security zone Untrust
  Description: 1.1.1.1/24 is a public address provided by the ISP.

Item: Intranet segment that is allowed to access the Internet
  Data: 10.1.1.0/24
  Description: -

Item: FW's default route
  Data: Destination address 0.0.0.0/0; next hop address 1.1.1.254
  Description: Configure a default route on the FW to direct intranet traffic to the ISP network.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy to allow a specific intranet segment to access the Internet.
  3. Configure a default route on the FW to direct intranet traffic to the ISP router.
  4. Configure a NAT policy working in WAN interface mode so that intranet users can use the FW's public IP address to access the Internet.

    To enable NAT in WAN interface mode, set the easy-ip parameter in the NAT rule. The FW then looks up the route for each packet, selects the outbound interface, and translates the source address to that interface's address, so no NAT address pool has to be configured and the policy keeps working if the ISP changes the address assigned to the WAN interface.

  5. On each PC, configure the IP address of the FW interface connected to the intranet as the default gateway address to direct intranet traffic to the FW. The detailed configuration process is omitted.

Procedure

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

    # Assign an IP address to GigabitEthernet 0/0/1.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet 0/0/1] ip address 10.1.1.1 24
    [FW-GigabitEthernet 0/0/1] quit

    # Assign an IP address to GigabitEthernet 0/0/2.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet 0/0/2] ip address 1.1.1.1 24
    [FW-GigabitEthernet 0/0/2] quit

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-zone-trust] quit

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] quit

  2. Configure a security policy to allow a specific intranet segment to access the Internet. The rule matches the pre-NAT source address 10.1.1.0/24; because it specifies no destination address or service, it permits any outbound traffic from that segment, so narrow it if only specific services are required.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone untrust
    [FW-policy-security-rule-policy1] source-address 10.1.1.0 24
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] quit

  3. Configure a default route on the FW to direct intranet traffic to the ISP router.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

  4. Configure a NAT policy working in WAN interface mode (easy-ip) so that intranet users can use the FW's public IP address to access the Internet.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat1
    [FW-policy-nat-rule-policy_nat1] source-zone trust
    [FW-policy-nat-rule-policy_nat1] destination-zone untrust
    [FW-policy-nat-rule-policy_nat1] source-address 10.1.1.0 24
    [FW-policy-nat-rule-policy_nat1] action source-nat easy-ip
    [FW-policy-nat-rule-policy_nat1] quit
    [FW-policy-nat] quit

  5. On each PC, configure the IP address of the FW interface connected to the intranet as the default gateway address to direct intranet traffic to the FW. The detailed configuration process is omitted.
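The following is an added example, not code from the Huawei page: a small Python model of the two decisions the configuration above makes for an outbound packet. The security policy is matched on the pre-NAT source address, and Easy IP then rewrites the source to the address of the interface chosen by the route lookup; replies are mapped back through the session table, and inbound packets with no session are dropped. The interface, zone and route tables mirror the data plan; the Packet and Rule types, the port allocator and the sample packets are constructed assumptions and do not reproduce the FW's real allocation behaviour.

```python
"""Model of a source NAT policy in Easy IP mode (added example, not Huawei code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface -> (address, security zone), as planned on the page.
INTERFACES = {
    "GigabitEthernet0/0/1": ("10.1.1.1", "trust"),
    "GigabitEthernet0/0/2": ("1.1.1.1", "untrust"),
}

# Routing table: (prefix, egress interface). Two connected routes plus the
# default route that the page points at the ISP router 1.1.1.254.
ROUTES = [
    (ip_network("10.1.1.0/24"), "GigabitEthernet0/0/1"),
    (ip_network("1.1.1.0/24"), "GigabitEthernet0/0/2"),
    (ip_network("0.0.0.0/0"), "GigabitEthernet0/0/2"),
]


@dataclass(frozen=True)
class Packet:            # constructed type, not a real FW structure
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One rule of either policy; source_address None matches any source."""
    name: str
    source_zone: str
    destination_zone: str
    action: str
    source_address: Optional[str] = None


def egress_interface(ip: str) -> str:
    """Longest-prefix match; the default route guarantees a result."""
    addr = ip_address(ip)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def zone_of(ip: str) -> str:
    """Zone of the interface the route lookup for ip points at."""
    return INTERFACES[egress_interface(ip)][1]


def first_match(rules, src_zone, dst_zone, src) -> Optional[Rule]:
    for r in rules:
        if r.source_zone != src_zone or r.destination_zone != dst_zone:
            continue
        if r.source_address and ip_address(src) not in ip_network(r.source_address):
            continue
        return r
    return None


@dataclass
class Firewall:
    security_policy: list
    nat_policy: list
    sessions: dict = field(default_factory=dict)  # 5-tuple -> (nat_ip, nat_port)
    next_port: int = 10000                        # assumed allocator, not the real one

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the FW, or None if the policy drops it."""
        src_zone = zone_of(pkt.src)
        out_if = egress_interface(pkt.dst)
        dst_zone = INTERFACES[out_if][1]
        # The security policy sees the original (pre-NAT) source address.
        rule = first_match(self.security_policy, src_zone, dst_zone, pkt.src)
        if rule is None or rule.action != "permit":
            return None
        nat = first_match(self.nat_policy, src_zone, dst_zone, pkt.src)
        if nat is None or nat.action != "source-nat easy-ip":
            return pkt                            # permitted but not translated
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            # Easy IP: the public address is whatever the egress interface holds.
            self.sessions[key] = (INTERFACES[out_if][0], self.next_port)
            self.next_port += 1
        nat_ip, nat_port = self.sessions[key]
        return Packet(pkt.proto, nat_ip, nat_port, pkt.dst, pkt.dport)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Map an inbound packet back through its session; no session, no entry."""
        for (proto, src, sport, dst, dport), (nat_ip, nat_port) in self.sessions.items():
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) == (proto, dst, dport, nat_ip, nat_port):
                return Packet(proto, pkt.src, pkt.sport, src, sport)
        return None


def build_fw() -> Firewall:
    """The page's policy1 and policy_nat1."""
    return Firewall(
        security_policy=[Rule("policy1", "trust", "untrust", "permit", "10.1.1.0/24")],
        nat_policy=[Rule("policy_nat1", "trust", "untrust", "source-nat easy-ip", "10.1.1.0/24")],
    )


if __name__ == "__main__":
    fw = build_fw()
    print(fw.forward(Packet("udp", "10.1.1.20", 40000, "8.8.8.8", 53)))   # constructed sample
    print(fw.reply(Packet("udp", "8.8.8.8", 53, "1.1.1.1", 10000)))       # maps back to 10.1.1.20
    print(fw.reply(Packet("tcp", "203.0.113.9", 4444, "1.1.1.1", 443)))   # None: no session
```

The model shows why the security policy and the NAT policy both carry source-address 10.1.1.0 24: the security rule is evaluated against the private address, and only afterwards is the source rewritten to the address of GigabitEthernet 0/0/2 selected by the default route. A host outside 10.1.1.0/24, or any unsolicited packet arriving at 1.1.1.1, gets no session and is dropped.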

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    action permit
#
nat-policy
  rule name policy_nat1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    action source-nat easy-ip
#
return
Copyright © Huawei Technologies Co., Ltd.