
CLI: Example for Configuring Source NAT in a Load Balancing Scenario (Active and Standby Devices Share One Address Pool)

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to routers. The FWs and directly connected routers run OSPF.

The FWs are required to work in load balancing mode. In normal cases, FW_A forwards traffic from Dept. A, and FW_B forwards traffic from Dept. B. If either FW fails, the other FW forwards all traffic to ensure service continuity.

In this load balancing networking, FWs connect to routers in both upstream and downstream directions. On live networks, you must determine whether OSPF is required based on the upstream and downstream devices and interfaces. The Source NAT configuration remains unchanged.

This example does not apply when uplink interfaces connect to different ISP networks.

Figure 1 Network diagram for configuring source NAT in a load balancing scenario.

Data Planning

Item: Interface
  FW_A:
    GigabitEthernet 0/0/1: IP address 10.2.0.1/24, security zone Untrust
    GigabitEthernet 0/0/3: IP address 10.3.0.1/24, security zone Trust
    GigabitEthernet 0/0/7: IP address 10.10.0.1/24, security zone DMZ
  FW_B:
    GigabitEthernet 0/0/1: IP address 10.2.1.1/24, security zone Untrust
    GigabitEthernet 0/0/3: IP address 10.3.1.1/24, security zone Trust
    GigabitEthernet 0/0/7: IP address 10.10.0.2/24, security zone DMZ

Item: OSPF
  FW_A: Process ID 10; Area ID 0; network segments for the area: 10.2.0.0/24, 10.3.0.0/24 and 1.1.1.10/32
  FW_B: Process ID 10; Area ID 0; network segments for the area: 10.2.0.0/24, 10.3.0.0/24 and 1.1.1.10/32

Configuration Roadmap

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity on FW_A and FW_B.
  2. Configure OSPF on FW_A and FW_B.
  3. If FW_A and FW_B share one NAT address pool and work properly, they may translate the source IP addresses and source ports of the packets sent from different hosts into the same pair of public IP address and port. To prevent port conflicts, you must specify different port ranges for the active and standby devices.
  4. Configure hot standby on FW_A and FW_B. To be specific, configure interface monitoring, specify heartbeat interfaces, and enable quick session backup.
  5. Configure a security policy on FW_A to allow OSPF packet exchange between FWs and Internet access from the intranet. The security policy configured on FW_A is automatically backed up to FW_B.
  6. Configure a NAT address pool on FW_A. The NAT address pool configured on FW_A is automatically backed up to FW_B.
  7. Configure a Source NAT policy on FW_A to implement source address translation for Internet access from the intranet. The Source NAT policy configured on FW_A is automatically backed up to FW_B.
  8. Configure the downstream devices, so that traffic from department A is forwarded through FW_A, and traffic from department B is forwarded through FW_B.
  9. On the upstream router, configure an interface address and a static route destined for the ISP, and configure OSPF so that the FW and router can learn routes from each other. On the downstream router, configure an interface address and configure OSPF so that the FW and router can learn routes from each other.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Configure interfaces on FW_A.

      # Set interface IP addresses.

      <FW_A> system-view
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet 0/0/1] ip address 10.2.0.1 24
      [FW_A-GigabitEthernet 0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet 0/0/3] ip address 10.3.0.1 24
      [FW_A-GigabitEthernet 0/0/3] quit
      [FW_A] interface GigabitEthernet 0/0/7
      [FW_A-GigabitEthernet 0/0/7] ip address 10.10.0.1 24
      [FW_A-GigabitEthernet 0/0/7] quit

      # Assign interfaces to security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1 
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7 
      [FW_A-zone-dmz] quit

    2. Configure interfaces on FW_B.

      # Set interface IP addresses.

      <FW_B> system-view
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet 0/0/1] ip address 10.2.1.1 24
      [FW_B-GigabitEthernet 0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/3
      [FW_B-GigabitEthernet 0/0/3] ip address 10.3.1.1 24
      [FW_B-GigabitEthernet 0/0/3] quit
      [FW_B] interface GigabitEthernet 0/0/7
      [FW_B-GigabitEthernet 0/0/7] ip address 10.10.0.2 24
      [FW_B-GigabitEthernet 0/0/7] quit

      # Assign interfaces to security zones.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_B-zone-trust] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1 
      [FW_B-zone-untrust] quit
      [FW_B] firewall zone dmz
      [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
      [FW_B-zone-dmz] quit

  2. Configure OSPF on FW_A and FW_B.

    # Configure OSPF on FW_A.

    [FW_A] ospf 10
    [FW_A-ospf-10] import-route unr
    [FW_A-ospf-10] area 0
    [FW_A-ospf-10-area-0.0.0.0] network 10.2.0.0 0.0.0.255
    [FW_A-ospf-10-area-0.0.0.0] network 10.3.0.0 0.0.0.255
    [FW_A-ospf-10-area-0.0.0.0] quit
    [FW_A-ospf-10] quit

    # Configure OSPF on FW_B.

    [FW_B] ospf 10
    [FW_B-ospf-10] import-route unr
    [FW_B-ospf-10] area 0
    [FW_B-ospf-10-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [FW_B-ospf-10-area-0.0.0.0] network 10.3.1.0 0.0.0.255
    [FW_B-ospf-10-area-0.0.0.0] quit
    [FW_B-ospf-10] quit

  3. Configure NAT address pool port allocation in the load balancing scenario.

    In the hot standby load balancing scenario, if NAPT is configured, the two FWs may allocate the same public port at the same time. To prevent such conflicts, give each FW its own share of the NAT resources (public IP addresses and ports). Run the hrp nat resource primary-group command on the active FW; the standby FW then automatically generates the hrp nat resource secondary-group command (conversely, if you run hrp nat resource secondary-group on the active FW, the standby FW automatically generates hrp nat resource primary-group).

    [FW_A] hrp nat resource primary-group

  4. Configure hot standby.
    1. Configure hot standby on FW_A.

      # Configure interface monitoring.

      [FW_A] hrp track interface GigabitEthernet 0/0/1
      [FW_A] hrp track interface GigabitEthernet 0/0/3

      # Specify a heartbeat interface.

      [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2

      # Enable quick session backup.

      [FW_A] hrp mirror session enable

      When the FWs work in load-balancing mode, the forward and return packets of one connection may pass through different FWs. To ensure service continuity, you must enable quick session backup so that the session information on one FW is synchronized to the other FW.

      # Enable hot standby.

      [FW_A] hrp enable

    2. Configure hot standby on FW_B.

      # Configure interface monitoring.

      [FW_B] hrp track interface GigabitEthernet 0/0/1
      [FW_B] hrp track interface GigabitEthernet 0/0/3

      # Specify a heartbeat interface.

      [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1

      # Enable quick session backup.

      [FW_B] hrp mirror session enable

      # Enable hot standby.

      [FW_B] hrp enable

  5. Configure a security policy on FW_A to allow OSPF packet exchange between FWs and Internet access from the intranet.

    The security policy configured on FW_A is automatically backed up to FW_B.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name policy_sec_1
    HRP_M[FW_A-policy-security-rule-policy_sec_1] source-zone local trust untrust
    HRP_M[FW_A-policy-security-rule-policy_sec_1] destination-zone local trust untrust
    HRP_M[FW_A-policy-security-rule-policy_sec_1] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_1] quit
    HRP_M[FW_A-policy-security] quit

  6. Configure a NAT address pool and enable port address translation (mode pat) so that many private addresses can share the public address.

    The NAT address pool configured on FW_A is automatically backed up to FW_B.

    HRP_M[FW_A] nat address-group addressgroup1
    HRP_M[FW_A-nat-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.10
    HRP_M[FW_A-nat-address-group-addressgroup1] mode pat
    HRP_M[FW_A-nat-address-group-addressgroup1] route enable
    HRP_M[FW_A-nat-address-group-addressgroup1] quit

  7. Configure a NAT policy to allow intranet users to access the Internet by using post-NAT public IP addresses.

    The NAT policy configured on FW_A is automatically backed up to FW_B.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat_1
    HRP_M[FW_A-policy-nat-policy_nat_1] source-zone trust
    HRP_M[FW_A-policy-nat-policy_nat_1] destination-zone untrust
    HRP_M[FW_A-policy-nat-policy_nat_1] action source-nat address-group addressgroup1
    HRP_M[FW_A-policy-nat-policy_nat_1] quit
    HRP_M[FW_A-policy-nat] quit

  8. Configure the downstream devices, so that traffic from department A is forwarded through FW_A, and traffic from department B is forwarded through FW_B.
  9. On the upstream router, configure an interface address and a static route destined for the ISP, and configure OSPF so that the FW and router can learn routes from each other. On the downstream router, configure an interface address and configure OSPF so that the FW and router can learn routes from each other.

Configuration Verification

  1. Run the display hrp state command on FW_A and FW_B respectively to check the HRP status. The following command output shows that HRP is configured successfully.

    HRP_M[FW_A] display hrp state
     Role: active, peer: active                                                    
     Running priority: 49010, peer: 49010                                           
     Backup channel usage: 3%                                                       
     Stable time: 0 days, 5 hours, 1 minutes 
    HRP_S[FW_B] display hrp state
     Role: active, peer: active                                                    
     Running priority: 49010, peer: 49010                                           
     Backup channel usage: 3%                                                       
     Stable time: 0 days, 5 hours, 1 minutes 
  2. If intranet PCs can access the Internet, the security policies are successfully configured.
  3. Run the display nat-policy rule rule-name command on FW_A and FW_B respectively to check the NAT policy match count. If the value is 1 or greater, data flows have matched the NAT policy.
  4. Run the display firewall session table command on FW_A and FW_B respectively to search for an entry whose source address is the private address of an intranet PC. If the entry exists and the post-NAT IP address belongs to the NAT address pool, the NAT policy is successfully configured. The information in brackets ([]) is the post-NAT IP address and port.

    HRP_M<FW> display firewall session table
    Current Total Sessions : 1
     http  VPN:public --> public  10.3.2.55:2474[1.1.1.10:3761]-->3.3.3.3:80
  5. When FW_A becomes faulty, run the display hrp state command on FW_A and FW_B respectively to check the HRP status. The following command output shows a successful active/standby device switchover.

    HRP_M[FW_A] display hrp state
     Role: standby, peer: active
     Running priority: 49012, peer: 49010
     Backup channel usage: 0%
     Stable time: 0 days, 0 hours, 0 minutes
    HRP_S[FW_B] display hrp state
     Role: active, peer: standby
     Running priority: 49010, peer: 49012
     Backup channel usage: 0%
     Stable time: 0 days, 0 hours, 1 minutes
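The checks in verification steps 1 and 4 can be scripted against captured command output. The example below is added here and is not code from the Huawei page; it parses display hrp state output to confirm that both devices report active (load-balancing operation), expands the address-pool section into the set of pool addresses, and parses display firewall session table lines in the format shown above to report whether each intranet session's post-NAT address lies in the pool. The sample outputs are constructed (modelled on the page's output, with an extra session translated to 1.1.1.99 and an untranslated ICMP session added to show the failure cases), and the intranet prefix 10.3.0.0/16 is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed sample output, modelled on the display output shown on the page.
HRP_STATE_LB = """\
 Role: active, peer: active
 Running priority: 49010, peer: 49010
 Backup channel usage: 3%
 Stable time: 0 days, 5 hours, 1 minutes
"""

HRP_STATE_FAILOVER = """\
 Role:standby, peer:  active
 Running priority: 49012, peer: 49010
 Backup channel usage: 0%
 Stable time: 0 days, 0 hours, 0 minutes
"""

# Constructed: line 1 mirrors the page, lines 2 and 3 are added failure cases.
SESSION_TABLE = """\
Current Total Sessions : 3
 http  VPN:public --> public  10.3.2.55:2474[1.1.1.10:3761]-->3.3.3.3:80
 dns   VPN:public --> public  10.3.2.60:5353[1.1.1.99:4001]-->8.8.8.8:53
 icmp  VPN:public --> public  10.3.2.61:1-->10.2.0.2:2048
"""

ROLE_RE = re.compile(r"Role:\s*(?P<role>\w+),\s*peer:\s*(?P<peer>\w+)")
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:(?P<vpn_in>\S+)\s+-->\s+(?P<vpn_out>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"   # post-NAT tuple, if any
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def address_group(start: str, end: str) -> Set[ipaddress.IPv4Address]:
    """Expand a `section <id> <start> <end>` range into the set of pool addresses."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return {ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)}


def parse_hrp_roles(text: str) -> Dict[str, str]:
    """Extract local and peer roles from display hrp state output."""
    m = ROLE_RE.search(text)
    if not m:
        raise ValueError("no Role line in display hrp state output")
    return {"role": m["role"], "peer": m["peer"]}


def is_load_balancing(text: str) -> bool:
    """In normal load-balancing operation both FWs report active."""
    roles = parse_hrp_roles(text)
    return roles["role"] == "active" and roles["peer"] == "active"


def parse_sessions(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per session line; header lines are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]


def check_source_nat(text: str, pool: Set[ipaddress.IPv4Address],
                     private_prefix: str) -> List[Dict[str, object]]:
    """For each session from the private prefix, report whether its post-NAT
    address is in the pool. A session with no [ip:port] was not translated."""
    net = ipaddress.ip_network(private_prefix)
    results: List[Dict[str, object]] = []
    for s in parse_sessions(text):
        if ipaddress.IPv4Address(s["src"]) not in net:
            continue
        nat_ip = s["nat_ip"]
        ok = nat_ip is not None and ipaddress.IPv4Address(nat_ip) in pool
        results.append({"src": s["src"], "nat_ip": nat_ip, "ok": ok})
    return results


if __name__ == "__main__":
    pool = address_group("1.1.1.10", "1.1.1.10")  # section 0 1.1.1.10 1.1.1.10
    print("load balancing:", is_load_balancing(HRP_STATE_LB))
    for r in check_source_nat(SESSION_TABLE, pool, "10.3.0.0/16"):
        print(r)
```

Only the first session passes: the second was translated to an address outside addressgroup1 and the third was not translated at all, which is exactly the distinction step 4 asks the operator to make by eye.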

Configuration Scripts

FW_A

#
hrp mirror session enable
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
hrp nat resource primary-group
#
hrp track interface GigabitEthernet 0/0/1
hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ospf 10
 import-route unr
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.10
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1

FW_B

#
hrp mirror session enable
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
hrp nat resource secondary-group
#
hrp track interface GigabitEthernet 0/0/1
hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ospf 10
 import-route unr
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.10
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addressgroup1
Copyright © Huawei Technologies Co., Ltd.