
CLI: Example for Configuring NAPT for Users on a Dual-Egress Intranet to Access the Internet

This section provides an example for configuring NAPT for users on a dual-egress intranet to access the Internet.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW as a security gateway on the intranet and purchases broadband services from ISP1 and ISP2.

The networking requirements are as follows:

  • PCs of the R&D and marketing departments access the Internet through the ISP1 and ISP2 networks. Intranet traffic destined for specified network segments is forwarded through the ISP1 or ISP2 network accordingly.
  • If the link to one ISP network fails, traffic is immediately switched to the link connected to the other ISP network.
Figure 1 Dual-homing intranet PCs to two ISP networks

The following information is used as an example. Obtain the desired service information from your local ISP.

Table 1 Parameters provided by an ISP

Item                          Data                  Description
Enterprise addresses          1.1.1.1/24            Public network address that ISP1 assigns to the enterprise
                              2.2.2.2/24            Public network address that ISP2 assigns to the enterprise
Default gateway addresses     1.1.1.254             Provided by ISP1
                              2.2.2.254             Provided by ISP2
DNS server addresses          9.9.9.9               Provided by ISP1
                              11.11.11.11           Provided by ISP2
Addresses in an address pool  1.1.1.10 - 1.1.1.12   Provided by ISP1
                              2.2.2.10 - 2.2.2.12   Provided by ISP2

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces and add the interfaces to security zones. Set the default gateway address to 1.1.1.254 for GigabitEthernet 0/0/1 and 2.2.2.254 for GigabitEthernet 0/0/7.
  2. Configure static routes to ISP networks.
  3. Configure security policies to allow PCs to access the Internet.
  4. Configure NAT policies for translating source addresses.
  5. Configure return routes on ISP devices. This step is performed by ISPs. The configuration details are not provided.
  6. Plan IP addresses for intranet PCs. Set the gateway address used by PCs to 10.3.0.1 and DNS server addresses to 9.9.9.9 and 11.11.11.11. This step is performed by a network administrator. Therefore, the configuration details are not provided.

Procedure

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

    # Assign an IP address to GigabitEthernet 0/0/1.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
    [FW-GigabitEthernet 0/0/1] quit

    # Assign an IP address to GigabitEthernet 0/0/3.

    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet 0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet 0/0/3] quit

    # Assign an IP address to GigabitEthernet 0/0/7.

    [FW] interface GigabitEthernet 0/0/7
    [FW-GigabitEthernet 0/0/7] ip address 2.2.2.2 24
    [FW-GigabitEthernet 0/0/7] quit

    # Add GigabitEthernet 0/0/3 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit

    # Add GigabitEthernet 0/0/1 to the isp1 zone.

    [FW] firewall zone name isp1
    [FW-zone-isp1] set priority 10
    [FW-zone-isp1] add interface GigabitEthernet 0/0/1
    [FW-zone-isp1] quit

    # Add GigabitEthernet 0/0/7 to the isp2 zone.

    [FW] firewall zone name isp2
    [FW-zone-isp2] set priority 20
    [FW-zone-isp2] add interface GigabitEthernet 0/0/7
    [FW-zone-isp2] quit

  2. Configure a security policy to allow a specific intranet segment to access the Internet.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone isp1
    [FW-policy-security-rule-policy1] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] rule name policy2
    [FW-policy-security-rule-policy2] source-zone trust
    [FW-policy-security-rule-policy2] destination-zone isp2
    [FW-policy-security-rule-policy2] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy2] action permit
    [FW-policy-security-rule-policy2] quit
    [FW-policy-security] quit

  3. Configure a NAT address pool.

    [FW] nat address-group addressgroup1
    [FW-address-group-addressgroup1] mode pat
    [FW-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.12
    [FW-address-group-addressgroup1] route enable
    [FW-address-group-addressgroup1] quit
    [FW] nat address-group addressgroup2
    [FW-address-group-addressgroup2] mode pat
    [FW-address-group-addressgroup2] section 0 2.2.2.10 2.2.2.12
    [FW-address-group-addressgroup2] route enable
    [FW-address-group-addressgroup2] quit

  4. Configure a source NAT policy that translates the private source addresses of hosts on the specified intranet segment into public addresses when they access the Internet.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat1
    [FW-policy-nat-rule-policy_nat1] source-zone trust
    [FW-policy-nat-rule-policy_nat1] destination-zone isp1
    [FW-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24
    [FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
    [FW-policy-nat-rule-policy_nat1] quit
    [FW-policy-nat] rule name policy_nat2
    [FW-policy-nat-rule-policy_nat2] source-zone trust
    [FW-policy-nat-rule-policy_nat2] destination-zone isp2
    [FW-policy-nat-rule-policy_nat2] source-address 10.3.0.0 24
    [FW-policy-nat-rule-policy_nat2] action source-nat address-group addressgroup2
    [FW-policy-nat-rule-policy_nat2] quit
    [FW-policy-nat] quit

  5. Configure static routes.

    In this example, packets destined for 1.1.2.0/24 and 1.1.3.0/24 are forwarded over the ISP1 network, and packets destined for 2.2.3.0/24 and 2.2.4.0/24 are forwarded over the ISP2 network. Four static routes are configured here. In actual service configurations, more static routes may be needed. Obtain the ISP network segment information from your local ISP.

    To improve configuration efficiency, you can also use ISP link selection to quickly import ISP routes. For details, see Key Points for Configuring ISP Link Selection.

    [FW] ip route-static 1.1.2.0 24 1.1.1.254
    [FW] ip route-static 1.1.3.0 24 1.1.1.254
    [FW] ip route-static 2.2.3.0 24 2.2.2.254
    [FW] ip route-static 2.2.4.0 24 2.2.2.254
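As an added illustration (not part of this page or Huawei's software), the following Python model walks an outbound packet through the steps just configured: the static routes select the egress zone, the security policy permits only 10.3.0.0/24, and the NAT policy for that zone picks the matching PAT pool and records the session so that only replies to existing sessions are translated back. The pool-selection rule, the starting port 10240 and the session table are assumptions of the model, not FW behaviour.

```python
import ipaddress

# Constructed model of the FW in this example (not Huawei code): static routes,
# next-hop to zone mapping, PAT pools and the trust-zone policy source segment.
ROUTES = [("1.1.2.0/24", "1.1.1.254"), ("1.1.3.0/24", "1.1.1.254"),
          ("2.2.3.0/24", "2.2.2.254"), ("2.2.4.0/24", "2.2.2.254")]
NEXT_HOP_ZONE = {"1.1.1.254": "isp1", "2.2.2.254": "isp2"}  # GE0/0/1, GE0/0/7
POOLS = {"isp1": ["1.1.1.10", "1.1.1.11", "1.1.1.12"],       # addressgroup1
         "isp2": ["2.2.2.10", "2.2.2.11", "2.2.2.12"]}       # addressgroup2
TRUST_NET = ipaddress.ip_network("10.3.0.0/24")  # source-address of policy1/2
PAT_PORT_START = 10240           # assumed first port handed out by the PAT pool
_next_port = {}                  # public address -> next free port (assumed)
SESSIONS = {}                    # (public, port) -> (private src, private port)

def lookup_route(dst):
    """Longest-prefix match over the static routes; None when nothing matches."""
    best = None
    for prefix, next_hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def forward(src, dst, sport):
    """Outbound packet: returns ('permit', public, port, zone) or ('drop', reason)."""
    next_hop = lookup_route(dst)
    if next_hop is None:               # the procedure configures no default route
        return ("drop", "no route")
    zone = NEXT_HOP_ZONE[next_hop]     # destination zone follows the egress interface
    if ipaddress.ip_address(src) not in TRUST_NET:
        return ("drop", "security policy")  # neither policy1 nor policy2 matches
    # policy_nat1/policy_nat2: the pool is chosen by destination zone, so a
    # packet leaving through ISP2 never carries an ISP1-owned source address.
    pool = POOLS[zone]
    host = int(ipaddress.ip_address(src)) - int(TRUST_NET.network_address)
    public = pool[host % len(pool)]    # assumed: spread hosts across the pool
    port = _next_port.get(public, PAT_PORT_START)
    _next_port[public] = port + 1
    SESSIONS[(public, port)] = (src, sport)
    return ("permit", public, port, zone)

def inbound(public, dport):
    """Return packet: translate back only if a session exists, else drop (None)."""
    return SESSIONS.get((public, dport))

if __name__ == "__main__":
    print(forward("10.3.0.5", "1.1.2.9", 40000))   # via isp1, 1.1.1.x source
    print(forward("10.3.0.5", "2.2.3.9", 40001))   # via isp2, 2.2.2.x source
    print(forward("10.3.0.5", "8.8.8.8", 40002))   # dropped: no matching route
```

Running the model against a destination outside the four configured segments shows why the configuration script also carries default routes towards both ISPs: without them such traffic has no egress zone and is dropped before any policy is evaluated.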

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone name isp1 id 4
 set priority 10
 add interface GigabitEthernet0/0/1
#
firewall zone name isp2 id 5
 set priority 20
 add interface GigabitEthernet0/0/7
#
 ip route-static 1.1.2.0 255.255.255.0 1.1.1.254
 ip route-static 1.1.3.0 255.255.255.0 1.1.1.254
 ip route-static 2.2.3.0 255.255.255.0 2.2.2.254
 ip route-static 2.2.4.0 255.255.255.0 2.2.2.254
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
 ip route-static 0.0.0.0 0.0.0.0 2.2.2.254
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.12
#
nat address-group addressgroup2 1
 mode pat
 route enable
 section 0 2.2.2.10 2.2.2.12
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone isp1
    source-address 10.3.0.0 24
    action permit
  rule name policy2
    source-zone trust
    destination-zone isp2
    source-address 10.3.0.0 24
    action permit
#
nat-policy
  rule name policy_nat1
    source-zone trust
    destination-zone isp1
    source-address 10.3.0.0 24
    action source-nat address-group addressgroup1
  rule name policy_nat2
    source-zone trust
    destination-zone isp2
    source-address 10.3.0.0 24
    action source-nat address-group addressgroup2
#
return
Copyright © Huawei Technologies Co., Ltd.