
CLI: Example for Configuring ESP NAT in a Source NAT Scenario

This section provides an example for configuring ESP NAT in a source NAT scenario.

Networking Requirements

A user on LAN 1 proactively accesses LAN 2, and an IPSec tunnel must be established between the LANs to protect the traffic. However, the devices on the LANs, such as PCs, do not support NAT traversal, so their ESP packets cannot be encapsulated in UDP headers. An ESP header carries no port numbers, so ordinary NAPT has no field with which to distinguish the ESP flows of different LAN 1 hosts once they share one public address, and the tunnel setup fails. In this case, configure ESP NAT on the FW so that it assigns port numbers to ESP packets during source NAT to differentiate the ESP flows, allowing the IPSec tunnel to be established.

Figure 1 shows the networking:

  • LAN 1 belongs to subnet 10.1.1.0/24 and connects to the FW.

  • LAN 2 belongs to subnet 10.1.2.0/24 and connects to the Internet.

  • Routes are in place so that the two LANs can reach each other.

  • The FW serves as the NAT device. Users on LAN 1 must use a public address through source NAT to access LAN 2. The enterprise has obtained one public IP address (1.1.1.10) from the ISP for this purpose.
Figure 1 ESP NAT networking
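The requirement above rests on one protocol fact: an ESP header (RFC 4303) carries an SPI and a sequence number but no port fields, so a NAPT device that keys its sessions on addresses and ports has nothing left to tell two LAN 1 hosts' ESP flows apart once both are translated to 1.1.1.10. The following Python model is added here as an illustration; it is not code from this page or from Huawei's implementation. It contrasts a port-only translator with one that tracks the SPI, which is the kind of per-flow identifier ESP NAT gives ESP packets. The SPI values, the second LAN 1 host 10.1.1.3, and the rule "learn the peer's reply SPI from the first reply while exactly one session is waiting for it" are constructed assumptions for the example, not a description of the FW's algorithm.

```python
"""Toy model: why port-only NAPT breaks ESP and how an SPI-aware translator
(a simplified stand-in for ESP NAT) keeps several tunnels apart.
Constructed example for this page, not Huawei code."""
import struct
from dataclasses import dataclass

ESP_PROTO = 50
PUBLIC_IP = "1.1.1.10"   # the single public address from the example


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    payload: bytes        # ESP header (RFC 4303) followed by ciphertext


def esp_spi(payload: bytes) -> int:
    """ESP has SPI (4 bytes) and sequence number (4 bytes) but no ports."""
    if len(payload) < 8:
        raise ValueError("short ESP header")
    return struct.unpack("!I", payload[:4])[0]


def esp_packet(src: str, dst: str, spi: int, seq: int = 1) -> Packet:
    """Constructed ESP packet with a dummy 16-byte encrypted body."""
    return Packet(ESP_PROTO, src, dst, struct.pack("!II", spi, seq) + b"\x00" * 16)


class PlainNapt:
    """Translator that only has addresses and ports. ESP has no ports, so
    the only reverse key it can build is the peer address."""

    def __init__(self):
        self.owner = {}   # peer address -> the one inner host mapped to it

    def outbound(self, pkt: Packet):
        current = self.owner.get(pkt.dst)
        if current is not None and current != pkt.src:
            return None   # a second inner host to the same peer is indistinguishable
        self.owner[pkt.dst] = pkt.src
        return Packet(ESP_PROTO, PUBLIC_IP, pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        inner = self.owner.get(pkt.src)
        return Packet(ESP_PROTO, pkt.src, inner, pkt.payload) if inner else None


class EspNat:
    """SPI-aware translator (assumed model). The outbound SPI identifies the
    inner host; the peer's reply SPI is negotiated inside IKE, which the NAT
    cannot read, so it is learned from the first reply while exactly one
    session is waiting for one."""

    def __init__(self):
        self.sessions = {}   # (peer, outbound SPI) -> inner host
        self.reverse = {}    # (peer, inbound SPI)  -> inner host
        self.pending = {}    # peer -> inner hosts still awaiting a first reply

    def outbound(self, pkt: Packet):
        key = (pkt.dst, esp_spi(pkt.payload))
        inner = self.sessions.get(key)
        if inner is None:
            self.sessions[key] = pkt.src
            self.pending.setdefault(pkt.dst, []).append(pkt.src)
        elif inner != pkt.src:
            return None   # same SPI to the same peer from two hosts: truly ambiguous
        return Packet(ESP_PROTO, PUBLIC_IP, pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        key = (pkt.src, esp_spi(pkt.payload))
        inner = self.reverse.get(key)
        if inner is None:
            waiting = self.pending.get(pkt.src, [])
            if len(waiting) != 1:
                return None   # zero or several candidates: drop, never misdeliver
            inner = waiting.pop()
            self.reverse[key] = inner
        return Packet(ESP_PROTO, pkt.src, inner, pkt.payload)


def run_scenario() -> dict:
    """PC1 (10.1.1.1) and an assumed PC3 (10.1.1.3) on LAN 1 each bring up a
    tunnel to PC2 (10.1.2.1). All SPI values are constructed."""
    pc1, pc3, pc2 = "10.1.1.1", "10.1.1.3", "10.1.2.1"
    plain, aware, race = PlainNapt(), EspNat(), EspNat()
    r = {}
    # Port-only NAPT: PC1's tunnel works until PC3 starts one to the same peer.
    r["plain_pc1_out"] = plain.outbound(esp_packet(pc1, pc2, 0x1001)) is not None
    r["plain_pc3_out"] = plain.outbound(esp_packet(pc3, pc2, 0x3001)) is not None
    r["plain_reply_to"] = plain.inbound(esp_packet(pc2, PUBLIC_IP, 0xA001)).dst
    # SPI-aware, tunnels brought up one after the other: both replies land correctly.
    aware.outbound(esp_packet(pc1, pc2, 0x1001))
    r["aware_pc1_reply_to"] = aware.inbound(esp_packet(pc2, PUBLIC_IP, 0xA001)).dst
    aware.outbound(esp_packet(pc3, pc2, 0x3001))
    r["aware_pc3_reply_to"] = aware.inbound(esp_packet(pc2, PUBLIC_IP, 0xA003)).dst
    r["aware_pc1_later"] = aware.inbound(esp_packet(pc2, PUBLIC_IP, 0xA001, seq=7)).dst
    # Edge case: both hosts start at once, so the first unknown reply SPI has two
    # candidates and the translator drops it instead of guessing.
    race.outbound(esp_packet(pc1, pc2, 0x1001))
    race.outbound(esp_packet(pc3, pc2, 0x3001))
    r["race_first_reply_dropped"] = race.inbound(esp_packet(pc2, PUBLIC_IP, 0xA001)) is None
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:>26}: {value}")
```

Running the script shows the port-only translator refusing the second host's tunnel to the same peer, the SPI-aware one delivering both sets of replies when the tunnels come up one after another, and the remaining limitation of any SPI-based scheme: two tunnels started at the same instant toward one peer are ambiguous on the first reply, so the model drops that packet rather than guessing and relies on the initiator's retransmission.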

Data Planning

Item                             Data
Devices on LAN 1, such as PC1    IPSec configuration
                                 Peer address: 10.1.2.1
                                 Authentication mode: pre-shared key
                                 Pre-shared key: Test!1234
                                 Local ID type: IP address
                                 Peer ID type: IP address
                                 Peer ID: 10.1.2.1
FW                               Source NAT configuration
                                 Source address: 10.1.1.0/24
                                 Address pool: 1.1.1.10
                                 NAT mode: NAPT
Devices on LAN 2, such as PC2    IPSec configuration
                                 Peer address: 1.1.1.10
                                 Authentication mode: pre-shared key
                                 Pre-shared key: Test!1234
                                 Local ID type: IP address
                                 Peer ID type: IP address
                                 Peer ID: 1.1.1.10

Configuration Roadmap

  • Complete interface, security policy, route, and IPSec configurations on devices on LANs 1 and 2.

  • Perform basic configurations, such as interface and security policy configurations, on the FW.

  • Configure source NAT and ESP NAT on the FW.

Procedure

  1. Detailed configurations of PC1 and PC2 are not described in this example.

    Huawei FW supports NAT traversal. If Huawei FWs are the IPSec peers, you do not need to configure ESP NAT. Enable ESP NAT on the intermediate NAT device only when the IPSec initiator and responder do not support NAT traversal. ESP NAT applies to the ESP packets (IP protocol 50) only; the IKE negotiation runs over UDP port 500 and is translated by ordinary source NAT.

  2. Configure interfaces, security policies, and routes for the FW.
    1. Complete basic interface configurations.

      Set the IP addresses according to Figure 1 and the Data Planning table.

      Assign GigabitEthernet 0/0/0 to the trust zone and GigabitEthernet 0/0/1 to the untrust zone.

    2. Configure security policies.

      The source and destination addresses of the security policy are the addresses of the two ends of the IPSec tunnel. If gateways sit between the FW and LAN 1 and between the Internet and LAN 2, and the IPSec tunnel terminates on those gateways, change the match conditions to the gateway addresses. As written, the policy permits any service between the two subnets; if only the tunnel traffic should pass, narrow the service match to IKE (UDP port 500) and ESP (IP protocol 50).

      [FW] security-policy
      [FW-policy-security] rule name policy1
      [FW-policy-security-rule-policy1] source-zone trust
      [FW-policy-security-rule-policy1] destination-zone untrust
      [FW-policy-security-rule-policy1] source-address 10.1.1.0 24
      [FW-policy-security-rule-policy1] destination-address 10.1.2.0 24
      [FW-policy-security-rule-policy1] action permit
      [FW-policy-security-rule-policy1] quit
      

  3. Configure ESP NAT and source NAT.
    1. Configure ESP NAT.

      [FW] firewall esp nat enable
      [FW] quit
      

    2. Configure source NAT.

      The source address of the source NAT policy is the address of the IPSec tunnel initiator. If gateways sit between the FW and LAN 1 and between the Internet and LAN 2, and the IPSec tunnel terminates on those gateways, change the match conditions of the source NAT policy to the gateway addresses.

      [FW] nat address-group nataddr 1
      [FW-address-group-nataddr] section 0 1.1.1.10
      [FW-address-group-nataddr] quit
      [FW] nat-policy
      [FW-policy-nat] rule name policy_nat1
      [FW-policy-nat-rule-policy_nat1] source-zone trust
      [FW-policy-nat-rule-policy_nat1] destination-zone untrust
      [FW-policy-nat-rule-policy_nat1] source-address 10.1.1.0 24
      [FW-policy-nat-rule-policy_nat1] action source-nat address-group nataddr
      [FW-policy-nat-rule-policy_nat1] quit
      [FW-policy-nat] quit

Verification

  1. After the preceding configurations are complete, PC1 can initiate the IPSec tunnel to PC2 and access PC2 through it.

  2. When PC1 accesses PC2, you can view the session entry for the ESP flow on the FW. The values in brackets are the translated address and port after source NAT; the port numbers shown for the esp session are the identifiers that ESP NAT assigns to the flow, since the ESP header itself carries none.

    <FW> display firewall session table
      Current Total Sessions : 
      esp  VPN:public --> public 10.1.1.1:34673[1.1.1.10:43068]-->10.1.2.1:22174[10.1.2.1:2956]
    

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
interface GigabitEthernet 0/0/0
 ip address 10.1.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 10.1.5.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
#
firewall esp nat enable
#
nat address-group nataddr 1
 section 0 1.1.1.10
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action source-nat address-group nataddr
#
return
Copyright © Huawei Technologies Co., Ltd.