< Home

CLI: Example for Configuring Destination NAT for Internet Users to Access Intranet Servers (One-to-one Mappings Between Public and Private Interfaces)

This section provides an example for configuring destination NAT for Internet users to access intranet servers.

Networking Requirements

The FW serves as a security gateway at the border of an enterprise network. Destination NAT needs to be configured on the FW so that intranet servers can provide different services externally. In addition to the IP addresses of Internet interfaces, the enterprise applies for public IP addresses (1.1.10.10 and 1.1.10.11) for the intranet server to provide services. Figure 1 illustrates the networking. The router is an access gateway on the ISP network.

Figure 1 Network diagram for configuring destination NAT

Data Planning

Item Data Description

GigabitEthernet 0/0/1

IP address: 1.1.1.1/24

Security zone: Untrust

1.1.1.1/24 is a public address provided by the ISP.

GigabitEthernet 0/0/2

IP address: 10.2.0.1/24

Security zone: DMZ

Intranet servers use 10.2.0.1 as the default gateway address.

Destination NAT

Destination address pool: 10.2.0.7

With the destination NAT function, the FW can send traffic to intranet servers.

Routing information

Default route

Destination address: 0.0.0.0

Next hop address: 1.1.1.254

Configure a default route defined for the ISP router on the FW to direct intranet traffic to the router.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy for traffic between Internet users and intranet servers.
  3. Configure the destination NAT function so that the FW can send traffic to intranet servers.
  4. Configure a default route on the FW to direct intranet traffic to the ISP router.
  5. Configure a blackhole route on the FW to prevent routing loops between the FW and router.
  6. Configure static routes destined for public addresses of intranet servers on the router.

Procedure

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

    # Assign an IP address to GigabitEthernet 0/0/1. 

    <FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit

    # Assign an IP address to GigabitEthernet 0/0/2. 

    [FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit

    # Add GigabitEthernet 0/0/1 to the Untrust zone. 

    [FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit

    # Add GigabitEthernet 0/0/2 to the DMZ zone. 

    [FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit

  2. Configure a security policy for traffic between Internet users and intranet servers. 

    [FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit

  3. Configure a destination NAT address pool. 

    [FW] destination-nat address-group addressgroup1
[FW-dnat-address-group-addressgroup1] section 0 10.2.0.7 10.2.0.7
[FW-dnat-address-group-addressgroup1] quit

  4. Configure a NAT policy. 

    [FW] nat-policy
[FW-policy-nat] rule name policy_nat1
[FW-policy-nat-rule-policy_nat1] source-zone untrust
[FW-policy-nat-rule-policy_nat1] destination-address range 1.1.10.10 1.1.10.11
[FW-policy-nat-rule-policy_nat1] service protocol tcp destination-port 2000
[FW-policy-nat-rule-policy_nat1] action destination-nat static address-to-port address-group addressgroup1 80 to 81
[FW-policy-nat-rule-policy_nat1] quit
[FW-policy-nat] quit

  5. Configure black-hole routes destined to the destination address of traffic to prevent routing loops. 

    [FW] ip route-static 1.1.10.10 255.255.255.255 NULL0 
[FW] ip route-static 1.1.10.11 255.255.255.255 NULL0

  6. Enable NAT ALG for FTP. 

    [FW] firewall interzone dmz untrust
[FW-interzone-dmz-untrust] detect ftp
[FW-interzone-dmz-untrust] quit

  7. Configure a default route to direct intranet traffic to the ISP router. 

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

  8. Configure a static route to public address (1.1.10.10 and 1.1.10.11) with the next hop being 1.1.1.1 on the router so that traffic destined for the server can be sent to the FW.

    Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
# 
firewall interzone dmz untrust 
 detect ftp 
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 
 ip route-static 1.1.10.10 255.255.255.255 NULL0 
 ip route-static 1.1.10.11 255.255.255.255 NULL0
# 
destination-nat address-group addressgroup1 0
 section 0 10.2.0.7 10.2.0.7
#  
security-policy   
  rule name policy1  
    source-zone untrust 
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
#  
nat-policy  
  rule name policy_nat1 
    source-zone untrust 
    destination-address range 1.1.10.10 1.1.10.11
    service protocol tcp destination-port 2000
    action destination-nat static address-to-port address-group addressgroup1 80 to 81
# 
return
Parent Topic: NAT
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >