< Home

CLI: Example for Configuring NAT Policy for Internet Users to Access Servers on an Intranet with Two Egresses in the Same Security Zone

This section provides an example for configuring a NAT policy for Internet users to access servers on an intranet with two egresses in the same security zone.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway that connects to the Internet over two ISP networks. To enable intranet FTP servers to provide services to Internet users, configure NAT policy on the FW. In addition to public interface IP addresses, the intranet has applied for IP addresses 1.1.10.10 from ISP1 and 2.2.20.10 from ISP2 for intranet servers to provide services to Internet users. Figure 1 shows the networking. The routers are the access gateways provided by ISP1 and ISP2.

Figure 1 Networking diagram for configuring NAT policy on an intranet with two egresses in the same security zone

Data Planning

Item Data Description

GigabitEthernet 0/0/1

IP address: 1.1.1.1/24

Security zone: untrust

Obtain the public IP address from the ISP.

GigabitEthernet 0/0/7

IP address: 2.2.2.2/24

Security zone: untrust

Obtain the public IP address from the ISP.

GigabitEthernet 0/0/2

IP address: 10.2.0.1/24

Security zone: DMZ

-

NAT Policy

Policy name: policy1

Source zone: untrust

Public address: 1.1.10.10

Destination address pool: 10.2.0.8

The NAT policy converts traffic whose destination address is 1.1.10.10 to traffic whose destination address is 10.2.0.8 so that the traffic can be sent to the intranet FTP server.

Policy name: policy2

Source zone: untrust

Public address: 2.2.20.10

Destination address pool: 10.2.0.8

The NAT policy converts traffic whose destination address is 2.2.20.10 to traffic whose destination address is 10.2.0.8 so that the traffic can be sent to the intranet FTP server.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy for traffic between Internet users and intranet servers.
  3. Configure NAT policy.

  4. On the GigabitEthernet 0/0/1 and GigabitEthernet 0/0/7, configure sticky load balancing and default gateway.

    Make clear the incoming interface of the traffic that may have different forward and return paths based on the configured routes and then configure the sticky load balancing function.

  5. Configure static routes destined for public addresses of intranet servers on the router.

Procedure

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

    # Assign an IP address to GigabitEthernet 0/0/1. 

    <FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit

    # Assign an IP address to GigabitEthernet 0/0/2. 

    [FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit

    # Assign an IP address to GigabitEthernet 0/0/7. 

    [FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet 0/0/7] ip address 2.2.2.2 24
[FW-GigabitEthernet 0/0/7] quit

    # Add GigabitEthernet 0/0/2 to the DMZ zone. 

    [FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit

    # Add GigabitEthernet 0/0/1 to the untrust zone. 

    [FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit

    # Add GigabitEthernet 0/0/7 to the untrust zone. 

    [FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/7
[FW-zone-untrust] quit

  2. Configure a security policy for traffic between Internet users and intranet servers. 

    [FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit

  3. Configure a destination NAT address pool. 

    [FW] destination-nat address-group addressgroup1
[FW-dnat-address-group-addressgroup1] section 10.2.0.8 10.2.0.8
[FW-dnat-address-group-addressgroup1] quit

  4. Configure a NAT policy. 

    [FW] nat-policy
[FW-policy-nat] rule name policy1
[FW-policy-nat-rule-policy1] destination-address 1.1.10.10 32
[FW-policy-nat-rule-policy1] source-zone untrust
[FW-policy-nat-rule-policy1] service ftp
[FW-policy-nat-rule-policy1] action destination-nat static address-to-address address-group addressgroup1
[FW-policy-nat-rule-policy1] quit
[FW-policy-nat] rule name policy2
[FW-policy-nat-rule-policy2] destination-address 2.2.20.10 32
[FW-policy-nat-rule-policy2] source-zone untrust
[FW-policy-nat-rule-policy2] service ftp
[FW-policy-nat-rule-policy2] action destination-nat static address-to-address address-group addressgroup1
[FW-policy-nat-rule-policy2] quit
[FW-policy-nat] quit

  5. Configure black-hole routes destined to the destination address of traffic to prevent routing loops. 

    [FW] ip route-static 1.1.10.10 255.255.255.255 NULL0
[FW] ip route-static 2.2.20.10 255.255.255.255 NULL0

  6. Enable NAT ALG for FTP. 

    [FW] firewall interzone dmz untrust
[FW-interzone-dmz-untrust] detect ftp
[FW-interzone-dmz-untrust] quit

  7. Configure the sticky load balancing function and default gateway. 

    [FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] redirect-reverse next-hop 1.1.1.254
[FW-GigabitEthernet 0/0/1] gateway 1.1.1.254
[FW-GigabitEthernet 0/0/1] quit
[FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet 0/0/7] redirect-reverse next-hop 2.2.2.254
[FW-GigabitEthernet 0/0/7] gateway 2.2.2.254
[FW-GigabitEthernet 0/0/7] quit

  8. On the router, configure a static route.

    Contact your ISP administrator to perform this step.

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 ip route-static 1.1.10.10 255.255.255.255 NULL0
 ip route-static 2.2.20.10 255.255.255.255 NULL0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 redirect-reverse next-hop 1.1.1.254
 gateway 1.1.1.254
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/7
 undo shutdown
 ip address 2.2.2.2 255.255.255.0 
 redirect-reverse next-hop 2.2.2.254
 gateway 2.2.2.254
 #
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
# 
firewall interzone dmz untrust 
 detect ftp 
#
destination-nat address-group addressgroup1
 section 10.2.0.8 10.2.0.8
#
nat-policy
 rule name policy1
  source-zone untrust
  destination-address 1.1.10.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
 rule name policy2
  source-zone untrust
  destination-address 2.2.20.10 32
  service ftp
  action destination-nat static address-to-address address-group addressgroup1
#  
security-policy   
  rule name policy1
    source-zone untrust 
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
# 
return
Parent Topic: NAT
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >