This section provides an example for configuring bidirectional NAT for Internet users to access intranet servers.
The FW serves as a security gateway at the border of an enterprise network. Dynamic destination NAT needs to be configured on the FW so that a large number of Internet users can access the intranet servers. In addition to the IP addresses of its Internet-facing interfaces, the enterprise applies for another public IP address (1.1.10.10) through which the intranet servers provide services. In addition, a source NAT policy is required to simplify the return route configuration on the intranet servers: because the translated source addresses are not on the DMZ subnet, the servers send their response packets to their default gateway, the FW. Figure 1 illustrates the networking. The router is an access gateway on the ISP network.
| Item | Data | Description |
|---|---|---|
| GigabitEthernet 0/0/1 | IP address: 1.1.1.1/24; security zone: untrust | 1.1.1.1/24 is a public address provided by the ISP. |
| GigabitEthernet 0/0/2 | IP address: 10.2.0.1/24; security zone: dmz | Intranet servers use 10.2.0.1 as the default gateway address. |
| Addresses in the source NAT address pool | 10.10.10.10 to 10.10.10.15 | - |
| Addresses in the destination NAT address pool | 10.2.0.7 to 10.2.0.8 | - |
| Routing information | Default route: destination address 0.0.0.0, next-hop address 1.1.1.254 | Configure a default route to the ISP router on the FW to direct intranet traffic to the router. |
# Assign an IP address to GigabitEthernet 0/0/1.
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit
# Assign an IP address to GigabitEthernet 0/0/2.
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit
# Add GigabitEthernet 0/0/1 to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit
# Add GigabitEthernet 0/0/2 to the DMZ zone.
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit
# Configure a security policy that permits Internet users to access the intranet servers. The security policy is matched after destination NAT, so the rule uses the servers' private addresses (10.2.0.0/24), not the public address 1.1.10.10.
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit
# Configure the source NAT address pool in PAT mode.
[FW] nat address-group addressgroup1
[FW-address-group-addressgroup1] mode pat
[FW-address-group-addressgroup1] section 0 10.10.10.10 10.10.10.15
[FW-address-group-addressgroup1] route enable
[FW-address-group-addressgroup1] quit
# Configure the destination NAT address pool containing the intranet servers.
[FW] destination-nat address-group addressgroup2
[FW-dnat-address-group-addressgroup2] section 10.2.0.7 10.2.0.8
[FW-dnat-address-group-addressgroup2] quit
# Configure a NAT policy that applies both source NAT and destination NAT to traffic from the Untrust zone destined for 1.1.10.10. The NAT policy is matched before translation, so it uses the public address.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat1
[FW-policy-nat-rule-policy_nat1] source-zone untrust
[FW-policy-nat-rule-policy_nat1] destination-address 1.1.10.10 32
[FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
[FW-policy-nat-rule-policy_nat1] action destination-nat address-group addressgroup2
[FW-policy-nat-rule-policy_nat1] quit
[FW-policy-nat] quit
# Configure a black-hole route for the public address 1.1.10.10 to prevent routing loops between the FW and the router for packets that do not match a NAT session.
[FW] ip route-static 1.1.10.10 255.255.255.255 NULL0
# Enable ASPF for FTP between the DMZ and Untrust zones so that FTP data connections are permitted.
[FW] firewall interzone dmz untrust
[FW-interzone-dmz-untrust] detect ftp
[FW-interzone-dmz-untrust] quit
# Configure a default route to the ISP router.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
# Configure the router. The ISP router must forward traffic destined for the public address 1.1.10.10 to the FW. Contact your ISP administrator to perform this step.
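To make the two translations concrete, the following Python model (an added illustration, not code from this page or from the vendor) walks a packet from a constructed Internet client 2.2.2.2 through policy_nat1 and brings the server's reply back through the same session. The public address and both address pools are taken from the table above; the round-robin choice of server, the selection of a pool address by client address, the PAT port range starting at 10240 and the client address itself are assumptions, since the FW's real allocation algorithm is not described here.

```python
"""Model of the bidirectional NAT configured on the FW in this example.

Added illustration, not Huawei code: it reproduces the translations that
policy_nat1 performs on a packet from the Internet to 1.1.10.10 and on the
server's reply, using the address pools from the page. The pool-selection
order, the PAT port range and the client address 2.2.2.2 are assumptions.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_SERVICE_ADDR = "1.1.10.10"                      # extra public address from the ISP
DNAT_POOL = ["10.2.0.7", "10.2.0.8"]                   # destination-nat address-group addressgroup2
SNAT_POOL = [f"10.10.10.{i}" for i in range(10, 16)]   # nat address-group addressgroup1 (mode pat)
DMZ_SUBNET = ipaddress.ip_network("10.2.0.0/24")       # GigabitEthernet 0/0/2
DMZ_GATEWAY = "10.2.0.1"                               # servers' default gateway (the FW)
PAT_FIRST_PORT = 10240                                 # assumed start of the PAT port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class BidirectionalNAT:
    """policy_nat1: source-zone untrust, destination 1.1.10.10/32,
    destination NAT to the server pool plus source NAT (PAT) from addressgroup1."""

    def __init__(self, dnat_pool=DNAT_POOL, snat_pool=SNAT_POOL):
        self.dnat_pool = list(dnat_pool)
        self.snat_pool = list(snat_pool)
        self.next_server = 0                 # assumed round-robin server selection
        self.next_port = PAT_FIRST_PORT
        self.forward_table = {}              # original 5-tuple -> translated packet
        self.reverse_table = {}              # reply 5-tuple (translated) -> original 5-tuple

    def forward(self, pkt, in_zone):
        """Translate an Internet packet entering the FW; returns the packet as it
        leaves towards the DMZ, or the packet unchanged if the policy does not match."""
        if in_zone != "untrust" or pkt.dst_ip != PUBLIC_SERVICE_ADDR:
            return pkt
        if pkt.key() in self.forward_table:          # existing session: reuse its translation
            return self.forward_table[pkt.key()]
        server = self.dnat_pool[self.next_server % len(self.dnat_pool)]
        self.next_server += 1
        # PAT: pick a pool address deterministically from the client address, plus a fresh port.
        snat_ip = self.snat_pool[int(ipaddress.ip_address(pkt.src_ip)) % len(self.snat_pool)]
        snat_port = self.next_port
        self.next_port += 1
        out = Packet(snat_ip, snat_port, server, pkt.dst_port, pkt.proto)
        self.forward_table[pkt.key()] = out
        # The server's reply carries the translated addresses with source and destination swapped.
        self.reverse_table[(server, pkt.dst_port, snat_ip, snat_port, pkt.proto)] = pkt.key()
        return out

    def reverse(self, reply):
        """Translate a server reply back to the client; None means no session exists
        and the FW drops the packet."""
        orig = self.reverse_table.get(reply.key())
        if orig is None:
            return None
        src_ip, src_port, dst_ip, dst_port, proto = orig
        return Packet(dst_ip, dst_port, src_ip, src_port, proto)


def server_next_hop(dst_ip):
    """Where a DMZ server sends a reply: on-link for 10.2.0.0/24, otherwise its default gateway."""
    if ipaddress.ip_address(dst_ip) in DMZ_SUBNET:
        return "on-link"
    return DMZ_GATEWAY


if __name__ == "__main__":
    fw = BidirectionalNAT()
    client = Packet("2.2.2.2", 40000, PUBLIC_SERVICE_ADDR, 80)   # constructed Internet client
    to_dmz = fw.forward(client, "untrust")
    print("untrust -> dmz:", to_dmz, "| server replies via", server_next_hop(to_dmz.src_ip))
    reply = Packet(to_dmz.dst_ip, 80, to_dmz.src_ip, to_dmz.src_port)
    print("dmz -> untrust:", fw.reverse(reply))
```

The model shows why the source NAT half matters: the server sees a source in 10.10.10.0/24, which is off-link, so it hands the reply to 10.2.0.1 and the FW can find the session and restore 1.1.10.10 as the source seen by the client. On the FW itself the same two-sided entry can be inspected with display firewall session table verbose, which lists both the translated source and the translated destination of a session.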
Configuration script for the FW:
#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
ip route-static 1.1.10.10 255.255.255.255 NULL0
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 10.10.10.10 10.10.10.15
#
destination-nat address-group addressgroup2 0
 section 10.2.0.7 10.2.0.8
#
security-policy
 rule name policy1
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone untrust
  destination-address 1.1.10.10 32
  action source-nat address-group addressgroup1
  action destination-nat address-group addressgroup2
#
return