This section provides an example for configuring NAT policy for Internet users to access servers on an intranet with two egresses in different security zones.
As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway, and the FW connects to the Internet over two ISP networks. To let intranet FTP servers provide services to Internet users, configure a NAT policy on the FW. In addition to the public IP addresses of the egress interfaces, the enterprise has obtained public IP address 1.1.10.10 from ISP1 and 2.2.20.10 from ISP2 for the intranet servers to provide services to Internet users. Figure 1 shows the networking. The routers are the access gateways provided by ISP1 and ISP2.
| Item | Data | Description |
|---|---|---|
| GigabitEthernet 0/0/1 | IP address: 1.1.1.1/24; Security zone: Untrust1 | Obtain the public IP address from the ISP. |
| GigabitEthernet 0/0/7 | IP address: 2.2.2.2/24; Security zone: Untrust2 | Obtain the public IP address from the ISP. |
| GigabitEthernet 0/0/2 | IP address: 10.2.0.1/24; Security zone: DMZ | - |
| NAT Policy | Policy name: policy1; Source zone: untrust1; Public address: 1.1.10.10; Destination address pool: 10.2.0.8 | The NAT policy converts traffic whose destination address is 1.1.10.10 to traffic whose destination address is 10.2.0.8 so that the traffic can be sent to the intranet FTP server. |
| NAT Policy | Policy name: policy2; Source zone: untrust2; Public address: 2.2.20.10; Destination address pool: 10.2.0.8 | The NAT policy converts traffic whose destination address is 2.2.20.10 to traffic whose destination address is 10.2.0.8 so that the traffic can be sent to the intranet FTP server. |
The configuration roadmap is as follows:
On GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7, configure sticky load balancing and the default gateway.
Based on the configured routes, determine the inbound interface of traffic whose forward and return paths may differ, and then configure sticky load balancing on that interface so that return traffic leaves through the interface on which the request arrived.
# Assign an IP address to GigabitEthernet 0/0/1.
```
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit
```
# Assign an IP address to GigabitEthernet 0/0/2.
```
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit
```
# Assign an IP address to GigabitEthernet 0/0/7.
```
[FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet 0/0/7] ip address 2.2.2.2 24
[FW-GigabitEthernet 0/0/7] quit
```
# Add GigabitEthernet 0/0/2 to the DMZ zone.
```
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit
```
# Add GigabitEthernet 0/0/1 to the untrust1 zone.
```
[FW] firewall zone name untrust1
[FW-zone-untrust1] set priority 10
[FW-zone-untrust1] add interface GigabitEthernet 0/0/1
[FW-zone-untrust1] quit
```
# Add GigabitEthernet 0/0/7 to the untrust2 zone.
```
[FW] firewall zone name untrust2
[FW-zone-untrust2] set priority 20
[FW-zone-untrust2] add interface GigabitEthernet 0/0/7
[FW-zone-untrust2] quit
```
# Configure a security policy that permits Internet users in the untrust1 and untrust2 zones to access the DMZ. Destination NAT is performed before security-policy matching, so the destination address in the rule is the post-NAT intranet address range, not the public addresses.
```
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust1
[FW-policy-security-rule-policy1] source-zone untrust2
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit
```
# Configure a destination NAT address group containing the private address of the FTP server.
```
[FW] destination-nat address-group addressgroup1
[FW-dnat-address-group-addressgroup1] section 10.2.0.8 10.2.0.8
[FW-dnat-address-group-addressgroup1] quit
```
# Configure the NAT policy. policy1 translates FTP traffic from untrust1 destined for 1.1.10.10, and policy2 translates FTP traffic from untrust2 destined for 2.2.20.10; both map to 10.2.0.8.
```
[FW] nat-policy
[FW-policy-nat] rule name policy1
[FW-policy-nat-rule-policy1] source-zone untrust1
[FW-policy-nat-rule-policy1] destination-address 1.1.10.10 32
[FW-policy-nat-rule-policy1] service ftp
[FW-policy-nat-rule-policy1] action destination-nat static address-to-address address-group addressgroup1
[FW-policy-nat-rule-policy1] quit
[FW-policy-nat] rule name policy2
[FW-policy-nat-rule-policy2] source-zone untrust2
[FW-policy-nat-rule-policy2] destination-address 2.2.20.10 32
[FW-policy-nat-rule-policy2] service ftp
[FW-policy-nat-rule-policy2] action destination-nat static address-to-address address-group addressgroup1
[FW-policy-nat-rule-policy2] quit
```
# Configure black-hole routes for the public addresses used in destination NAT, so that traffic to these addresses that matches no NAT rule is dropped rather than forwarded back out.
```
[FW] ip route-static 1.1.10.10 255.255.255.255 NULL0
[FW] ip route-static 2.2.20.10 255.255.255.255 NULL0
```
# Enable FTP detection (ASPF) between the DMZ and each untrust zone so that the FTP data channel is permitted.
```
[FW] firewall interzone dmz untrust1
[FW-interzone-dmz-untrust1] detect ftp
[FW-interzone-dmz-untrust1] quit
[FW] firewall interzone dmz untrust2
[FW-interzone-dmz-untrust2] detect ftp
[FW-interzone-dmz-untrust2] quit
```
# Configure sticky load balancing (redirect-reverse) and the default gateway on each egress interface, so that return traffic is sent to the next hop of the interface through which the request arrived.
```
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] redirect-reverse next-hop 1.1.1.254
[FW-GigabitEthernet 0/0/1] gateway 1.1.1.254
[FW-GigabitEthernet 0/0/1] quit
[FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet 0/0/7] redirect-reverse next-hop 2.2.2.254
[FW-GigabitEthernet 0/0/7] gateway 2.2.2.254
[FW-GigabitEthernet 0/0/7] quit
```
Contact your ISP administrator to perform this step.
Configuration script for the FW:
```
#
 sysname FW
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 2.2.20.10 255.255.255.255 NULL0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
 gateway 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 redirect-reverse next-hop 2.2.2.254
 gateway 2.2.2.254
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone name untrust1 id 4
 set priority 10
 add interface GigabitEthernet0/0/1
#
firewall zone name untrust2 id 5
 set priority 20
 add interface GigabitEthernet0/0/7
#
firewall interzone dmz untrust1
 detect ftp
#
firewall interzone dmz untrust2
 detect ftp
#
destination-nat address-group addressgroup1
 section 10.2.0.8 10.2.0.8
#
nat-policy
 rule name policy1
  source-zone untrust1
  destination-address 1.1.10.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
 rule name policy2
  source-zone untrust2
  destination-address 2.2.20.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
#
security-policy
 rule name policy1
  source-zone untrust1
  source-zone untrust2
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
#
return
```
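To make the order of operations in this configuration concrete, the following is an added Python model of how the FW handles an inbound packet under the policy above. It is illustration code written for this page, not Huawei code and not a description of the device's internal implementation. It assumes the usual processing order (destination NAT, then route lookup on the translated address, then security policy, then sticky return via the ingress interface's gateway) and models the NULL0 routes as black holes for untranslated traffic to the public server addresses. The client source addresses in the sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface-to-zone mapping and per-egress gateways, taken from the configuration above.
IFACE_ZONE = {
    "GigabitEthernet0/0/1": "untrust1",
    "GigabitEthernet0/0/7": "untrust2",
    "GigabitEthernet0/0/2": "dmz",
}
IFACE_GATEWAY = {"GigabitEthernet0/0/1": "1.1.1.254", "GigabitEthernet0/0/7": "2.2.2.254"}
DMZ_NET = ip_network("10.2.0.0/24")  # reached through GigabitEthernet0/0/2
NULL0_ROUTES = [ip_network("1.1.10.10/32"), ip_network("2.2.20.10/32")]

# nat-policy rules: matched on (source zone, destination address, service); first match wins.
NAT_RULES = [
    {"name": "policy1", "source_zone": "untrust1", "dst": ip_network("1.1.10.10/32"),
     "service": "ftp", "dnat_to": "10.2.0.8"},
    {"name": "policy2", "source_zone": "untrust2", "dst": ip_network("2.2.20.10/32"),
     "service": "ftp", "dnat_to": "10.2.0.8"},
]
# security-policy rules: the destination is the post-NAT intranet range.
SECURITY_RULES = [
    {"name": "policy1", "source_zones": {"untrust1", "untrust2"}, "dst_zone": "dmz",
     "dst": ip_network("10.2.0.0/24"), "action": "permit"},
]


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    service: str


@dataclass
class Verdict:
    nat_rule: Optional[str]
    translated_dst: str
    security_rule: Optional[str]
    action: str
    return_iface: Optional[str]
    return_gateway: Optional[str]


def match_nat(in_zone, pkt):
    """Return (rule name, translated destination); destination unchanged if no rule matches."""
    dst = ip_address(pkt.dst)
    for rule in NAT_RULES:
        if rule["source_zone"] == in_zone and dst in rule["dst"] and rule["service"] == pkt.service:
            return rule["name"], rule["dnat_to"]
    return None, pkt.dst


def match_security(in_zone, dst_zone, dst):
    """Return (rule name, action); the implicit default when nothing matches is deny."""
    for rule in SECURITY_RULES:
        if in_zone in rule["source_zones"] and rule["dst_zone"] == dst_zone and dst in rule["dst"]:
            return rule["name"], rule["action"]
    return None, "deny"


def process(pkt):
    """Model (assumed order): DNAT -> route lookup -> security policy -> sticky return path."""
    in_zone = IFACE_ZONE[pkt.in_iface]
    # 1. Destination NAT runs first, so every later step sees the translated address.
    nat_rule, new_dst = match_nat(in_zone, pkt)
    dst = ip_address(new_dst)
    # 2. Route lookup on the translated destination decides the destination zone.
    if dst in DMZ_NET:
        dst_zone = "dmz"
    elif any(dst in r for r in NULL0_ROUTES):
        # Untranslated traffic to a public server address hits the NULL0 route and is dropped.
        return Verdict(nat_rule, new_dst, None, "drop", None, None)
    else:
        dst_zone = None  # would follow the per-interface default gateway; not modelled here
    # 3. Security policy is matched on the post-NAT destination (10.2.0.0/24, not 1.1.10.10).
    sec_rule, action = match_security(in_zone, dst_zone, dst)
    if action != "permit":
        return Verdict(nat_rule, new_dst, sec_rule, "deny", None, None)
    # 4. Sticky load balancing: the reply leaves via the ingress interface and its gateway.
    return Verdict(nat_rule, new_dst, sec_rule, "permit", pkt.in_iface, IFACE_GATEWAY[pkt.in_iface])


if __name__ == "__main__":
    # Constructed sample flows; the client addresses are documentation ranges, not real hosts.
    for pkt in [
        Packet("GigabitEthernet0/0/1", "203.0.113.5", "1.1.10.10", "ftp"),
        Packet("GigabitEthernet0/0/7", "198.51.100.9", "2.2.20.10", "ftp"),
        Packet("GigabitEthernet0/0/7", "198.51.100.9", "1.1.10.10", "ftp"),
        Packet("GigabitEthernet0/0/1", "203.0.113.5", "1.1.10.10", "http"),
    ]:
        print(pkt, "->", process(pkt))
```

Running the script shows the two cases the design depends on: an FTP request for 1.1.10.10 arriving on GigabitEthernet0/0/1 is translated by policy1, permitted by the security policy against 10.2.0.8, and its reply is pinned to gateway 1.1.1.254; the same request arriving on GigabitEthernet0/0/7 matches no NAT rule (wrong source zone) and is absorbed by the NULL0 route instead of being forwarded, as is a non-FTP request to the public address.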