CLI: Configuring the Device as a DDNS Client (Using the Update Mode Defined by RFC 2136)

Networking Requirements

As shown in Figure 1, the Web server is deployed at the border of the enterprise intranet. The FW functions as the gateway that connects the intranet to the Internet. Internet users access the intranet Web server through the NAT server function of the FW. The domain name of the Web server is www.example.com, which is mapped to the IP address of the FW interface. However, the FW interface that connects to the Internet obtains its public address through dial-up, so the IP address can change frequently.

Configure the FW as a DDNS client using the DDNS update mode defined by RFC 2136. In this way, when the IP address of the FW changes, the FW dynamically updates the information on the DNS server, that is, the mapping between the interface IP address of the FW and the domain name of the internal Web server. Internet users can then continue to access the Web server in the enterprise intranet normally.

Figure 1 Networking diagram of configuring FW as a DDNS Client

Configuration Roadmap

By configuring the FW to function as a DDNS client using the ddns update mode, the mapping between the IP address and the domain name of the Web server on the DNS server is updated dynamically when the interface IP address of the FW changes.

Procedure

  1. Configure the IP address of the interface and assign it to the security zone.

    <sysname> system-view
    [sysname] sysname FW
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 10.1.1.1 24
    [FW-GigabitEthernet0/0/2] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/2
    [FW-zone-trust] quit

  2. Configure a security policy to allow users of external networks to access the internal Web server.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone untrust
    [FW-policy-security-rule-policy1] destination-zone trust
    [FW-policy-security-rule-policy1] destination-address 10.1.1.3 32
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] quit

  3. Configure an interface-based static mapping that maps the public IP address of GigabitEthernet 0/0/1 to the private IP address of the Web server, 10.1.1.3, with public port 80 and private port 8080.

    [FW] nat server policy_web protocol tcp global interface GigabitEthernet 0/0/1 80 inside 10.1.1.3 8080

  4. Configure a DDNS policy.

    # Create a DDNS policy.

    <FW> system-view
    [FW] ddns policy mypolicy
    [FW-ddns-policy-mypolicy] method ddns both
    [FW-ddns-policy-mypolicy] name-server 2.2.2.2
    [FW-ddns-policy-mypolicy] interval 3600
    [FW-ddns-policy-mypolicy] quit

    # Apply the DDNS policy to GigabitEthernet 0/0/1.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ddns apply policy mypolicy fqdn www.example.com
    [FW-GigabitEthernet0/0/1] quit

    After the configuration is complete, when the IP address of GigabitEthernet 0/0/1 changes, the FW notifies the DNS server to update the mapping between the domain name www.example.com and the new IP address. In this way, users on the Internet can reach the new IP address through the domain name www.example.com.

  5. Configure the default route on the FW to the DNS server. Assume the IP address of the peer of the FW is 1.1.1.254/24.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
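
The RFC 2136 UPDATE message that a DDNS client sends to the name server can be sketched as follows; this is an added example, not code from the original page or from the vendor, and the FW's actual packet may differ. The zone name example.com, the address 1.1.1.1, the TTL and the message ID are constructed assumptions. parse_header reports ADCOUNT, the section where a TSIG signature (RFC 8945) would appear; 0 means the update is unsigned.

```python
import ipaddress
import struct

OPCODE_UPDATE = 5                      # RFC 2136 opcode
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_update(zone, fqdn, ipv4, ttl, msg_id):
    """Build an unsigned UPDATE that replaces the A RRset of fqdn with ipv4."""
    # Header: ID, flags (opcode in bits 11-14), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    # Zone section names the zone to be updated; its type is always SOA
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    owner = encode_name(fqdn)
    # RFC 2136 2.5.2: delete the old RRset -> class ANY, TTL 0, RDLENGTH 0
    delete_rrset = owner + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    # RFC 2136 2.5.1: add the new record in the zone's class
    rdata = ipaddress.IPv4Address(ipv4).packed
    add_rr = owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rrset + add_rr

def parse_header(msg):
    """Decode the 12-byte header as a DNS server or packet capture would see it."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zocount": zo,
            "prcount": pr, "upcount": up, "adcount": ad,
            "unsigned": ad == 0}       # TSIG can only live in the additional section

if __name__ == "__main__":
    # Constructed sample values: zone, new public address, TTL and message ID
    msg = build_update("example.com", "www.example.com", "1.1.1.1", 300, 0x1234)
    print(msg.hex())
    print(parse_header(msg))
```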

Configuration Verification

Run the command display ddns policy mypolicy on the FW to display the information of the DDNS policy named mypolicy.

<FW> display ddns policy mypolicy
 Policy name          : mypolicy                                                
 Server               : 2.2.2.2                                                 
 User name            : -                                                       
 Password             : -                                                       
 Update method        : ddns both                                               
 Update interval      : 3600 seconds                                            
 Apply interface      : GigabitEthernet0/0/1

Configuration Script

#                                                                               
ddns policy mypolicy                                                            
 method ddns both                                                               
 name-server 2.2.2.2
#
interface GigabitEthernet0/0/1
 ddns apply policy mypolicy fqdn www.example.com
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#                                                                               
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254   
#
 nat server policy_web 0 protocol tcp global interface GigabitEthernet0/0/1 www inside 10.1.1.3 8080
# 
security-policy
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.1.1.3 32
  action permit 
# 
return
Copyright © Huawei Technologies Co., Ltd.