H3C SecPath Series High-End Firewalls


H3C SecPath Series High-End Firewalls
NAT and ALG Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

Software version: SECPATH1000FE&SECBLADEII-CMW520-R3166, SECPATH5000FA-CMW520-R3206
Document version: 6PW

Copyright , Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C SecPath series high-end firewalls configuration guides describe the software features, the software configuration procedures, and the configuration examples for the H3C SecPath series firewalls and the SecBlade series firewall modules. The NAT and ALG Configuration Guide describes how to configure NAT and application layer gateway.

This preface includes:
Audience
Conventions
About the H3C SecPath series high-end firewalls documentation set
Obtaining documentation
Technical support
Documentation feedback

Audience

This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the H3C high-end firewall products

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention           Description
Boldface             Bold text represents commands and keywords that you enter literally as shown.
Italic               Italic text represents arguments that you replace with actual values.
[ ]                  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }      Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]      Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *    Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *    Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>               The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                    A line that starts with a pound (#) sign is comments.

GUI conventions

Convention           Description
Boldface             Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>                    Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Convention           Description
< >                  Button names are inside angle brackets. For example, click <OK>.
[ ]                  Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/                    Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols

Convention           Description
WARNING              An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION              An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT            An alert that calls attention to essential information.
NOTE                 An alert that contains additional or supplementary information.
TIP                  An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a SecPath firewall chassis or a SecBlade firewall module.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C SecPath series high-end firewalls documentation set

The H3C SecPath series high-end firewalls documentation set includes:

Category: Product description and specifications
  Marketing brochures (F1000-E, F5000-A5, Firewall modules): Describe product specifications and benefits.

Category: Hardware specifications and installation
  Compliance and safety manuals (F1000-E, F5000-A5): Provide regulatory information and the safety instructions that must be followed during installation.
  Installation guides (F1000-E, F5000-A5): Provide a complete guide to hardware installation and hardware specifications.
  Card manuals (F5000-A5, Firewall modules): Provide the hardware specifications of the firewall chassis and modules.

Category: Software configuration
  Configuration guides: Describe software features and configuration procedures, and all available commands.
  Configuration examples: Describe typical network scenarios and provide configuration examples and instructions.
  Software upgrade guide: Describes the software upgrade procedures.

Category: Operations and maintenance
  Release notes (F1000-E, F5000-A5, Firewall modules): Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at

Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the software version.

Technical support

Documentation feedback

You can your comments about product documentation to

We appreciate your comments.

Contents

NAT configuration
  Overview
  Introduction to NAT
  NAT implementation
  Low-priority address pool
  Configuring a NAT policy in the web interface
  Configuration overview
  Creating an address pool
  Configuring dynamic NAT
  Creating a static address mapping
  Enabling static NAT on an interface
  Creating an internal server
  Configuring a DNS mapping
  NAT configuration examples
  Configuring a NAT in the CLI
  NAT configuration task list
  Configuring address translation
  Configuring an internal server
  Configuring DNS mapping
  Setting NAT connection limits
  Displaying and maintaining NAT
  NAT configuration examples
  Troubleshooting NAT
  Symptom 1: abnormal translation of IP addresses
  Symptom 2: internal server functions abnormally
  Configuration guidelines
Application level gateway configuration
  ALG overview
  Configuring ALG in the web interface
  Enabling ALG
  ALG configuration examples
  FTP ALG configuration example
  SIP/H.323 ALG configuration example
  NBT ALG configuration example
  Configuring ALG in the command line interface
  Enabling ALG
  ALG configuration examples
Index

NAT configuration

This chapter includes these sections:
Overview
Configuring a NAT policy in the web interface
Configuring a NAT in the CLI
Troubleshooting NAT
Configuration guidelines

Overview

Introduction to NAT

Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks. With NAT, a smaller number of public IP addresses are used to meet public network access requirements from a larger number of private hosts, and thus NAT effectively alleviates the depletion of IP addresses.

NOTE: A private IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique. According to RFC 1918, three blocks of IP addresses are reserved for private networks:
Class A: 10.0.0.0 through 10.255.255.255
Class B: 172.16.0.0 through 172.31.255.255
Class C: 192.168.0.0 through 192.168.255.255
No host with an IP address in the above three ranges exists on the Internet. You can use those IP addresses in an enterprise network freely without requesting them from an ISP or registration center.

Figure 1 depicts the operation of NAT.

Figure 1 NAT operation

A NAT gateway lies between the private network and the public network. The internal host at sends an IP packet (IP packet 1) to the external server at through the NAT gateway. Upon receipt of the packet, the NAT gateway checks the IP header. Finding that the packet is destined to the external network, the NAT gateway translates the private source IP address to the globally unique IP address and then forwards the resulting packet to the external server. Meanwhile, the NAT gateway records the mapping between the two addresses in its NAT table.

After receiving a response from the external server, the NAT gateway uses the destination IP address of the packet to find the mapping, replaces the destination address with the private address , and then sends the packet to the internal host.

The above NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is and is unaware of the private address. As such, NAT hides the private network from external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT has the following disadvantages:
As NAT involves translation of IP addresses, the IP header cannot be encrypted. This is also true for some application protocol packets containing IP addresses or port numbers which need to be translated. For example, FTP packets cannot be encrypted; otherwise, the FTP port command cannot work correctly.
Network debugging becomes more difficult. For example, when a host in a private network tries to attack other networks, it is hard to pinpoint the attacking host because its internal IP address is hidden.

NAT implementation

One-to-one NAT, Many-to-many NAT and NAT control

As depicted in Figure 1, when an internal host accesses an external network, NAT uses an external or public IP address to replace the original internal IP address. In Figure 1, NAT uses the IP address of the outbound interface on the NAT gateway. This means that all internal hosts use the same external IP address to access external networks and only one host is allowed to access external networks at a given time. This is called one-to-one NAT.

A NAT gateway can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, NAT chooses an available public IP address (if any) to replace the source IP address, forwards the packet, and records the mapping between the two addresses. In this way, multiple internal hosts can access external networks simultaneously. This is called many-to-many NAT.

NOTE: The number of public IP addresses that a NAT gateway needs is usually far less than the number of internal hosts because not all internal hosts will access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.

In practice, an enterprise may need to allow some internal hosts to access external networks while prohibiting others. This can be achieved through the NAT control mechanism. If a source IP address is among the denied addresses, the NAT gateway does not translate the address.

Many-to-many NAT can be implemented by using an address pool, which is a collection of consecutive public IP addresses. The NAT gateway selects addresses from the address pool for packets. The number of addresses in the pool is determined according to the number of available public IP addresses, the number of internal hosts, and network requirements.

NAT control can be achieved through ACLs. Only packets matching the ACL rules are served by NAT.

NAPT

Network Address Port Translation (NAPT) is a variation of NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT or address multiplexing.

NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 2 depicts NAPT operation.

Figure 2 Diagram for NAPT operation (the figure labels the source ports of IP packets 1, 3, and 4 as 1537, 1111, and 1111 before translation, and the source ports of IP packets 1 through 4 as 2001, 2002, 2003, and 2004 after translation)

As illustrated in Figure 2, four IP packets arrive at the NAT gateway. Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 3 and 4 are from different internal addresses but have the same source port number. NAPT maps their source IP addresses to the same external address but with different source port numbers. Therefore, the packets can still be distinguished.
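The NAPT mapping, the ACL-based NAT control, and the attribution problem listed among the disadvantages of NAT can be modeled in a few lines. This is an added example, not code from the H3C guide and not the firewall's implementation; the class and function names, all addresses, and packet 2's source port are constructed (the figure's addresses did not survive on this page), while ports 1537, 1111, and 2001 through 2004 come from Figure 2.

```python
import ipaddress


class NaptGateway:
    """Toy NAPT table: one public address, one public port per inside flow."""

    def __init__(self, public_ip, permit, ports=range(2001, 2005)):
        self.public_ip = public_ip
        # NAT control: only sources inside these networks are translated.
        self.permit = [ipaddress.ip_network(n) for n in permit]
        self.free = sorted(ports)   # public ports not currently in use
        self.out = {}               # (proto, in_ip, in_port) -> public port
        self.back = {}              # (proto, public port) -> (in_ip, in_port)
        self.log = []               # session records kept for attribution

    def translate_out(self, proto, src_ip, src_port, now):
        """Translate an outgoing packet; None means the ACL denied it."""
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.permit):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out:
            if not self.free:
                raise RuntimeError("no free public port")
            port = self.free.pop(0)
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
            self.log.append({"start": now, "end": None, "proto": proto,
                             "inside": (src_ip, src_port), "port": port})
        return self.public_ip, self.out[key]

    def translate_in(self, proto, dst_ip, dst_port):
        """Map a response back to the inside host; None if no session exists."""
        if dst_ip != self.public_ip:
            return None
        return self.back.get((proto, dst_port))

    def release(self, proto, src_ip, src_port, now):
        """End a session: the public port becomes reusable, the record stays."""
        port = self.out.pop((proto, src_ip, src_port))
        del self.back[(proto, port)]
        self.free.append(port)
        self.free.sort()
        for rec in self.log:
            if (rec["proto"], rec["port"]) == (proto, port) and rec["end"] is None:
                rec["end"] = now

    def attribute(self, proto, public_port, when):
        """Which inside host owned this public port at time `when`?"""
        for rec in self.log:
            if ((rec["proto"], rec["port"]) == (proto, public_port)
                    and rec["start"] <= when
                    and (rec["end"] is None or when < rec["end"])):
                return rec["inside"]
        return None


def figure2_demo():
    """Replay the four packets of Figure 2 with constructed addresses."""
    gw = NaptGateway("203.0.113.5", ["192.168.1.0/24"])
    packets = [("192.168.1.3", 1537), ("192.168.1.3", 2468),   # packets 1, 2
               ("192.168.1.1", 1111), ("192.168.1.2", 1111)]   # packets 3, 4
    return gw, [gw.translate_out("tcp", ip, p, now=100) for ip, p in packets]


if __name__ == "__main__":
    gateway, mapped = figure2_demo()
    for m in mapped:
        print(m)
    print(gateway.translate_in("tcp", "203.0.113.5", 2003))
```

Because public ports are reused after a session ends, a public port alone does not identify an internal host; the timestamped session record is what makes the lookup in `attribute` unambiguous.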

When response packets arrive, the NAT gateway can forward them to corresponding hosts based on the destination addresses and port numbers.

Easy IP

Easy IP uses the public IP address of an interface on the firewall as the translated source address and uses ACLs to permit only certain internal IP addresses to be NATed.

Internal server

NAT hides the internal network structure as well as the identities of internal hosts. However, internal hosts such as a Web server or an FTP server may need to be accessed by external hosts in practice. NAT satisfies this requirement by supporting internal servers.

With NAT, you can deploy an internal server easily and flexibly. For instance, you can use as the Web server's external address and as the FTP server's external address. You can even use an address like :8080 as the Web server's external address.

With an internal server configured, the NAT device, when receiving a packet to the server, translates the destination address of the packet to the internal IP address of the internal server. When a response packet from the internal server arrives, the NAT device translates the private source address of the packet into the public IP address.

DNS mapping

As introduced above, you can specify a public IP address and port number for an internal server on the public network interface of a NAT gateway, so that external users can access the internal server using its domain name or public IP address.

Figure 3 Diagram for NAT DNS mapping operation

In Figure 3, an internal host wants to access an internal server on the same private network by using its domain name, while the DNS server is located on the public network. Typically, the DNS server replies with the public address of the internal server to the host. However, without relevant processing of the NAT device, the host cannot access the internal server using its domain name. In this case, the DNS mapping feature can solve the problem.

A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled device matches the domain name in the message against the DNS mapping entries. If a match is found, the private address of the internal server is found and NAT replaces the public IP address in the reply with the private IP address. Then, the host can use the private address to access the internal server.

Support for special protocols

Besides basic address translation functions, NAT also provides a perfect application layer gateway (ALG) mechanism that supports address/port translation for some special application protocols (IP addresses or port numbers contained in such protocol messages may need address translation) without requiring the NAT platform to be modified, featuring high scalability. The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling Protocol (PPTP), Internet Control Message Protocol (ICMP), Domain Name System (DNS), Internet Locator Service (ILS), Real-Time Streaming Protocol (RTSP), H.323, Session Initiation Protocol (SIP), Netmeeting 3.01, and NetBIOS over TCP/IP (NBT).

NOTE: The firewall supports FTP and DNS.

NAT multiple-instance

This feature allows users from different VPNs to access external networks through the same outbound interface. It also allows them to have the same internal address. NAT multiple-instance operates as follows:

When a VPN host sends a packet to a public host, NAT replaces its private source IP address and port number with a public IP address and port number, and records the NAT entry with the relevant VPN information, such as the protocol type and route distinguisher (RD). When a response packet arrives, the NAT gateway translates its public destination IP address and port number to the private ones and sends it to the VPN host.

Both NAT and NAPT support multiple-instance.

NAT also supports internal server multiple-instance to allow external users to access VPN hosts. For example, in VPN 1, a Web server has a private address of You can assign public IP address to the server on the NAT device so that Internet hosts can access it.

Low-priority address pool

An address pool is a set of consecutive public IP addresses. A NAT gateway selects addresses from the address pool and uses them as the translated source addresses.

When two devices in a stateful failover implementation carry out NAT, identical address pools must be configured on both devices, helping ensure that service traffic is successfully taken over by the other device if one device fails. However, if the devices select the same IP addresses from their address pool and assign them the same port numbers, reverse sessions on the two devices are the same. As a result, session data cannot be backed up between the devices.

To solve the problem, the low-priority address pool attribute is introduced to NAT. You can configure address pools on the two devices to have different priorities. For example, suppose that two address pools, through (A), and through (B), are configured on the two devices. You can configure A as the low-priority address pool on a device and configure B as the low-priority address pool on the other device. Because addresses in the low-priority address pool are not selected by NAT, the two devices use different addresses as translated source addresses, and thus session data can be backed up successfully.

NOTE: For information about stateful failover configuration, see the High Availability Configuration Guide.

Configuring a NAT policy in the web interface

Configuration overview

Configuring address translation

A NAT gateway can be configured with or dynamically generate mapping entries to translate between internal and external network addresses. Generally, address translation can be classified into two types, dynamic and static.

Dynamic NAT

A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or the address of an interface in the case of Easy IP). This association defines what packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable when a large number of internal users need to access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released.

Perform the tasks in Table 1 to configure dynamic NAT.

Table 1 Dynamic NAT configuration task list
Task: Remarks
Creating an address pool: Required for configuring NAPT and many-to-many NAT.
Configuring dynamic NAT: Required. Configure dynamic NAT on an interface.

Static NAT

The mapping relationships between external and internal network addresses are manually configured. Static NAT can meet fixed access requirements of a few users.

Perform the tasks in Table 2 to configure static NAT.

Table 2 Static NAT configuration task list
Task: Remarks
Creating a static address mapping: Required. Static NAT supports two modes, one-to-one and net-to-net.
Enabling static NAT on an interface: Required. Configure static NAT on an interface.

Configuring an internal server

Perform the tasks in Table 3 to configure an internal server.

Table 3 Internal server configuration task list
Task: Remarks
Creating an internal server: Required. Configure the internal server information.
Configuring a DNS mapping: Optional. The DNS mapping feature enables an internal host to use the domain name to access an internal server located on the same private network, while the DNS server resides on the public network. IMPORTANT: The firewall supports up to 16 DNS mappings.

Creating an address pool

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree to enter the page shown in Figure 4. In the Address Pool field where all NAT address pools are displayed, click Add to enter the Add NAT Address Pool page shown in Figure 5.

Figure 4 Dynamic NAT configuration page

Figure 5 Add NAT Address Pool page

Table 4 NAT address pool configuration items
Item: Description
Index: Specify the index of an address pool.
Start IP Address: Specify the start IP address of the address pool.
End IP Address: Specify the end IP address of the address pool. The end IP address must be identical to or higher than the start IP address.
Low priority: Configure the address pool as a low-priority or a non low-priority address pool. IMPORTANT: This configuration item is applicable to the stateful failover networking only. You cannot configure the same address pool as the low-priority address pool on the local and peer devices.

Return to Dynamic NAT configuration task list.

Configuring dynamic NAT

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree to enter the page shown in Figure 4. In the Dynamic NAT field where all dynamic NAT policies are displayed, click Add to enter the Add Dynamic NAT page shown in Figure 6.

Figure 6 Add Dynamic NAT page

Table 5 Dynamic NAT configuration items
Item: Description
Interface: Specify an interface on which dynamic NAT is to be enabled.
ACL: Specify an ACL for dynamic NAT. You cannot associate an ACL with multiple NAT address pools, or associate an ACL with both Easy IP and an address pool.
Address Transfer: Select an address translation mode. Only one mode can be selected for an address pool.
  PAT: Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP addresses and port numbers.
  No-PAT: Refers to many-to-many NAT. In this mode, associating an ACL with an address pool translates only IP addresses.
  Easy IP: In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address, and uses an ACL to match IP packets.
Address Pool Index: Specify the index of a NAT address pool for dynamic NAT. The NAT address pool must have been configured through NAT address configuration. If Easy IP is selected for Address Transfer, you do not need to type an address pool index.
Enable track to VRRP, VRRP Group: Configure whether to associate dynamic NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you associate dynamic NAT on an interface with a VRRP group. When two network devices implement both stateful failover and dynamic NAT:
  Make sure that each address pool on an interface is associated with one VRRP group only; otherwise, the system associates the address pool with the VRRP group having the highest group ID.
  To ensure normal switchovers between the two devices, you need to add the devices to the same VRRP group, and associate dynamic NAT with the VRRP group.

Return to Dynamic NAT configuration task list.

Creating a static address mapping

Select Firewall > NAT Policy > Static NAT from the navigation tree to enter the page, as shown in Figure 7. In the Static Address Mapping field where static address mappings are displayed, click Add to enter the Add Static Address Mapping page shown in Figure 8.

Figure 7 Static NAT configuration page

Figure 8 Add Static Address Mapping page

Table 6 Static NAT configuration item
Item: Description
VPN Instance: Specify a VPN instance name.
Internal IP Address: Type an internal IP address for the static address mapping.
Global IP Address: Type a public IP address for the static address mapping.
Network Mask: Specify the network mask for internal and public IP addresses. If the network mask is specified, net-to-net static NAT is implemented. If no network mask is specified, the default mask is used. In this case, one-to-one static NAT is delivered.

Return to Static NAT configuration task list.

Enabling static NAT on an interface

Select Firewall > NAT Policy > Static NAT from the navigation tree to enter the page shown in Figure 7. In the Interface Static Translation field where static NAT entries configured for interfaces are displayed, click Add to enter the Enable Interface Static Translation page shown in Figure 9.

Figure 9 Enable Interface Static Translation page

Table 7 Interface static NAT configuration items
Item: Description
Interface Name: Select an interface to which static NAT is applied.
Enable track to VRRP, VRRP Group: Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you associate static NAT on an interface with a VRRP group. When two network devices implement both stateful failover and dynamic NAT, you need to add the devices to the same VRRP group, and associate dynamic NAT with the VRRP group to ensure normal switchovers between the two devices.

Return to Static NAT configuration task list.

Creating an internal server

Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 10. In the Internal Server field where all internal server information is displayed, click Add to enter the Add Internal Server page shown in Figure 11.

Figure 10 Internal server configuration page

Figure 11 Add Internal Server page

Table 8 Internal server configuration items
Item: Description
Interface: Specify an interface to which the internal server policy is applied.
VPN Instance: Specify a VPN instance name to which the internal server belongs. If the internal server belongs to a VPN, you need to specify the VPN instance. You do not need to specify it if the internal server belongs to a normal private network.
Protocol Type: Select or specify the type of the protocol to be carried by IP.
External IP Address (Assign IP Address, Use IP Address of Interface): Specify the public IP address for the internal server. You can type an IP address, or use the IP address of an interface.
Global Port: Specify the global port number(s) for the internal server. This option is available when 6(TCP) or 17(UDP) is selected as the protocol type. You can:
  Use the single box to specify a global port.
  Use the double boxes to specify a range of global ports each of which has a one-to-one correspondence with the specified internal IP address. The number you typed in the right box should be higher than that in the left box.
  If you use the single box and specify a port of 0, all types of services are provided. This configuration indicates a static connection between external IP addresses and internal IP addresses.
Internal IP: Specify the internal IP address(es) for the internal server.
  Single box: Used to specify an internal IP address when 6(TCP) or 17(UDP) is not selected for the protocol type or you specify a single global port.
  Double boxes: Used to specify a range of internal IP addresses each of which has a one-to-one correspondence with a port in the specified range. The IP address in the right box must be higher than that in the left box, and the number of addresses must be identical to the number of specified global ports.
Internal Port: Specify the internal port number of the internal server. This option is available when 6(TCP) or 17(UDP) is selected for the protocol type. If you type 0 in the text box, all types of services are provided. This configuration indicates a static connection between internal addresses and external addresses.
Enable track to VRRP, VRRP Group: Configure whether to associate the internal server on an interface with a VRRP group, and specify the VRRP group to be associated if you associate the internal server on an interface with a VRRP group. When two network devices deliver both stateful failover and dynamic NAT:
  Make sure the public address of an internal server on an interface is associated with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID.
  To ensure normal switchovers between the two devices, you need to add devices to the same VRRP group, and associate dynamic NAT with the VRRP group.

Return to Internal server configuration task list.

Configuring a DNS mapping

Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 10. In the DNS-MAP field where all DNS mappings are displayed, click Add to enter the Add DNS-MAP page shown in Figure 12.

Figure 12 Add DNS-MAP page

Table 9 DNS mapping configuration items
Item: Description
Protocol: Select the protocol supported by an internal server.
Global IP: Specify the external IP address of the internal server.
Global Port: Specify the port number of the internal server.
Domain: Specify the domain name of the internal server.

Return to Internal server configuration task list.

NAT configuration examples

NAT configuration example

1. Network requirements

As illustrated in Figure 13, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

22 Figure 13 NAT network diagram 2. Configuration procedure # Configure an ACL to permit internal users in subnet /24 to access the Internet. Select Firewall > ACL from the navigation tree and then click Add. Type 2000 in ACL Number. Click the icon in the Operation column corresponding to ACL 2000 to enter the ACL 2000 configuration page, and then click Add. Select Permit in Operation. Select the Source IP Address checkbox and then type Type in Source Wildcard. Click Apply. Click Add on the ACL 2000 configuration page. Select Deny for Operation. Click Apply. # Configure a NAT address pool. Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, and then click Add. Type 0 in Index. Type in Start IP Address. Type in End IP Address. Click Apply. # Configure dynamic NAT. Click Add in the Dynamic NAT field. Select GigabitEthernet0/1 for Interface. Type 2000 in ACL. Select PAT for Address Transfer. Type 0 in Address Pool Index. Click Apply. Internal server configuration example 1. Network requirements 15

As illustrated in Figure 14, a company provides two Web servers and one FTP server for external users to access. The internal network address is /16. The internal address for the FTP server is /16, for the Web server 1 is /16, and for the Web server 2 is /16. The company has three public IP addresses from /24 through /24. Specifically, the company has the following requirements:
External hosts can access internal servers using public address /24.
Port 8080 is used for Web server 2.

Figure 14 Internal server network diagram

2. Configuration procedure

# Configure the FTP server.
Select Firewall > NAT Policy > Internal Server from the navigation tree, and then click Add in the Internal Server field.
Select GigabitEthernet0/2 for Interface.
Select 6(TCP) for Protocol Type.
Click the radio button next to Assign IP Address, and then type in Global IP.
Select the upper radio button next to Global Port and type 21.
Type in Internal IP.
Type 21 in Internal Port.
Click Apply.

# Configure the Web server 1.
Click Add in the Internal Server field.
Select GigabitEthernet0/2 for Interface.
Select 6(TCP) for Protocol Type.
Click the radio button next to Assign IP Address, and then type for Global IP.
Select the upper radio button next to Global Port and type 80.
Type in Internal IP.
Type 80 in Internal Port.
Click Apply.

# Configure Web server 2.
Click Add in the Internal Server field.
Select GigabitEthernet0/2 for Interface.

Select 6(TCP) for Protocol Type.
Click the radio button next to Assign IP Address, and then type for Global IP.
Select the upper radio button next to Global Port and type Type in Internal IP.
Type 80 in Internal Port.
Click Apply.

Configuring a NAT in the CLI

NAT configuration task list

Complete the following tasks to configure NAT:

Task | Remarks
Configuring address translation: Configuring static NAT | Either is required
Configuring address translation: Configuring dynamic NAT | Either is required
Configuring an internal server | Required
Configuring DNS mapping | Optional
Setting NAT connection limits | Optional

NOTE: If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and reboot the device, to avoid problems. The following problems may occur: After you delete the NAT-related configuration, address translation can still work for sessions already created; if you configure NAT when NAT is running, the same configuration may have different results because of different configuration orders.

Configuring address translation

Introduction to address translation

A NAT device can be configured with or dynamically generate mappings to translate between internal and external network addresses. Address translation can be classified into static and dynamic NAT.

Static NAT
Mappings between external and internal network addresses are manually configured. Static NAT can meet fixed access requirements of a few users.

Dynamic NAT
A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or the address of an interface in the case of Easy IP). This association defines what packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable to the network environment where a large number of internal users need to access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released.

Both static NAT and dynamic NAT support NAT multiple-instance as long as the VPN instance of an IP address is provided.

Configuring static NAT

You need to configure static NAT in system view, and make it effective in interface view. Static NAT supports two modes: one-to-one and net-to-net. At present, the device supports one-to-one only.

Configuring one-to-one static NAT: One-to-one static NAT translates a private IP address into a public IP address.

Follow these steps to configure one-to-one static NAT:

To do | Use the command | Remarks
Enter system view | system-view |
Configure a one-to-one static NAT mapping | nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip | Required
Enter interface view | interface interface-type interface-number |
Enable static NAT on the interface | nat outbound static [ track vrrp virtual-router-id ] | Required. Support for track vrrp virtual-router-id depends on the device model.

Configuring dynamic NAT

Dynamic NAT is usually implemented by associating an ACL with an address pool (or the address of an interface) on an interface.
To select the address of an interface as the translated address, use Easy IP.
To select an address from an address pool as the translated address, use No-PAT or NAPT for dynamic address translation. No-PAT is used in many-to-many address translation but does not translate TCP/UDP port numbers. NAPT allows for many-to-one address translation by also translating TCP/UDP port numbers.

Typically, a NAT entry is configured on the outbound interface of the NAT device. If internal hosts need to access external networks through multiple outbound interfaces on the NAT device, you must configure NAT entries on each of the interfaces. To avoid this, the device supports configuring a NAT entry on the inbound interface on the NAT device. When hosts in a VPN want to access other VPNs through multiple outbound interfaces on a NAT device, you can configure a NAT entry on the inbound interface on the NAT device, simplifying NAT configuration.
When a packet from an internal host to the external network arrives:
If it is the first packet and an address pool is associated with an outbound interface, NAT determines whether to translate the packet based on the ACL. If yes, NAT chooses an address from the associated address pool or gets the associated interface address, performs address translation, and then saves the address mapping in the address translation table.
All subsequent packets from the internal host are serviced by NAT directly according to the mapping entry.

1. Configuration prerequisites

Configure an ACL to specify IP addresses permitted to be translated.
Decide whether to use an interface's IP address as the translated source address.
Determine a public IP address pool for address translation.
Decide whether to translate port information.
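The first-packet procedure and the No-PAT/NAPT decision described above, as an added Python model that is not part of the H3C guide and is not device code. The addresses, the 1024-65535 port range, the first-free allocation order, and the rule that traffic matching no ACL rule is left untranslated are assumptions of the example.

```python
"""Toy model of dynamic NAT on an outbound interface: ACL check, then No-PAT or NAPT."""
import ipaddress


class PoolExhausted(Exception):
    """No free address (No-PAT) or address/port pair (NAPT) is left in the pool."""


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(rules, src_ip):
    """Basic ACL, first match wins. A wildcard bit of 1 means 'ignore this bit'."""
    src = ip_int(src_ip)
    for action, base, wildcard in rules:
        mask = ip_int(wildcard)
        if (src | mask) == (ip_int(base) | mask):
            return action == "permit"
    return False  # assumption of this model: unmatched traffic is not translated


class DynamicNat:
    def __init__(self, rules, pool_start, pool_end, no_pat, ports=range(1024, 65536)):
        self.rules = rules
        self.pool = [str(ipaddress.IPv4Address(i))
                     for i in range(ip_int(pool_start), ip_int(pool_end) + 1)]
        self.no_pat = no_pat
        self.ports = ports   # assumed translated-port range for NAPT
        self.table = {}      # session key -> (global_ip, global_port)
        self.in_use = set()  # global addresses (No-PAT) or (proto, ip, port) (NAPT)

    def _key(self, proto, src_ip, src_port):
        # No-PAT maps a whole internal address; NAPT maps one address/port pair.
        return (src_ip,) if self.no_pat else (proto, src_ip, src_port)

    def translate(self, proto, src_ip, src_port):
        """Return (global_ip, global_port), or None when the ACL does not permit."""
        key = self._key(proto, src_ip, src_port)
        if key in self.table:                    # subsequent packets reuse the entry
            gip, gport = self.table[key]
            return (gip, src_port if self.no_pat else gport)
        if not acl_permits(self.rules, src_ip):  # first packet: the ACL decides
            return None
        if self.no_pat:
            for gip in self.pool:
                if gip not in self.in_use:
                    self.in_use.add(gip)
                    self.table[key] = (gip, None)  # source port is left untouched
                    return (gip, src_port)
        else:
            for gip in self.pool:
                for gport in self.ports:
                    if (proto, gip, gport) not in self.in_use:
                        self.in_use.add((proto, gip, gport))
                        self.table[key] = (gip, gport)
                        return (gip, gport)
        raise PoolExhausted(f"no free mapping for {src_ip}")

    def release(self, proto, src_ip, src_port):
        """Session ended: give the address (or address/port pair) back to the pool."""
        key = self._key(proto, src_ip, src_port)
        gip, gport = self.table.pop(key)
        self.in_use.discard(gip if self.no_pat else (proto, gip, gport))


# Constructed sample data (documentation address ranges, not the guide's values).
ACL_2001 = [("permit", "10.1.10.0", "0.0.0.255"),
            ("deny", "0.0.0.0", "255.255.255.255")]
POOL = ("203.0.113.1", "203.0.113.3")  # three public addresses
HOSTS = ["10.1.10.8", "10.1.10.9", "10.1.10.10", "10.1.10.11", "10.1.20.5"]


def run(no_pat):
    """Send one first packet per host and record what each was translated to."""
    nat = DynamicNat(ACL_2001, *POOL, no_pat=no_pat)
    results = {}
    for host in HOSTS:
        try:
            results[host] = nat.translate("tcp", host, 40000)
        except PoolExhausted:
            results[host] = "exhausted"
    return nat, results


if __name__ == "__main__":
    for mode in (True, False):
        print("No-PAT" if mode else "NAPT", run(mode)[1])
```

With three pool addresses, No-PAT serves only three permitted hosts at a time and the fourth waits for a release, while NAPT places all four behind the first address; the host outside the permitted subnet is untranslated in both modes.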

NOTE: For more information about ACL, see the Access Control Configuration Guide.

2. Configuring NAT address pools

The NAT device selects an IP address from a specified NAT address pool as the source address of a packet.

Follow these steps to configure an address pool:

To do | Use the command | Remarks
Enter system view | system-view |
Configure an address pool | nat address-group group-number start-address end-address [ level level ] | Required. Not necessary when the device provides only Easy IP, where an interface's public IP address is used as the translated IP address.

NOTE: Address pools must not overlap.

3. Configuring Easy IP

Easy IP allows the device to use the IP address of one of its interfaces as the source address of NATed packets.

Follow these steps to configure Easy IP:

To do | Use the command | Remarks
Enter system view | system-view |
Enter interface view | interface interface-type interface-number |
Enable Easy IP by associating an ACL with the IP address of the interface | nat outbound [ acl-number ] [ track vrrp virtual-router-id ] | Required

4. Configuring No-PAT

With a specific ACL associated with an address pool or interface address, No-PAT translates the source address of a packet permitted by the ACL into an IP address of the address pool or the interface address, without using the port information.

Follow these steps to configure No-PAT:

To do | Use the command | Remarks
Enter system view | system-view |
Enter interface view | interface interface-type interface-number |
Configure No-PAT by associating an ACL with an IP address pool on the outbound interface for translating only IP addresses | nat outbound [ acl-number ] address-group group-number no-pat [ track vrrp virtual-router-id ] | Required. Support for the optional acl-number argument depends on the device model.

5. Configuring NAPT

With a specific ACL associated with an address pool or interface address, NAPT translates the source address of a packet permitted by the ACL into an IP address of the address pool or the interface address, using the port information as well.

Follow these steps to configure NAPT:

To do | Use the command | Remarks
Enter system view | system-view |
Enter interface view | interface interface-type interface-number |
Configure NAPT by associating an ACL with an IP address pool on the outbound interface for translating both IP address and port number | nat outbound [ acl-number ] [ address-group group-number ] [ track vrrp virtual-router-id ] | Required
Return to system view | quit |

Configuring an internal server

1. Introduction to internal server

To configure an internal server, you need to map an external IP address and port number to the internal server. This is done by executing the nat server command on an interface.

Internal server configurations include external network information (external IP address global-address and external port number global-port), internal network information (internal IP address local-address and internal port number local-port), and internal server protocol type. According to different internal/external network information configurations, internal servers can be classified into common internal servers and load sharing internal servers.

Both internal servers and their external IP addresses can support VPN. If an internal server belongs to a VPN, you also need to specify the vpn-instance-name argument. Without this argument specified, the internal server does not belong to any VPN.

2. Configuring a common internal server

After mapping the internal IP address/port number (local-address and local-port) of a common internal server to an external IP address/port number (global-address and global-port), hosts in external networks can access the server located in the internal network.
Follow these steps to configure a common internal server (III):

To do | Use the command | Remarks
Enter system view | system-view |
Enter interface view | interface interface-type interface-number |
Configure a common internal server | nat server [ acl-number ] protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | Required

CAUTION:
The device supports using the interface address as the external address of an internal server, which is the Easy IP feature. If you want to specify an interface, the interface must be a loopback interface and must already exist.
If you configure an internal server using Easy IP but do not configure an IP address for the interface, the internal server configuration does not take effect.
Support for internal server using Easy IP depends on the device model.

Configuring DNS mapping

With DNS mapping, an internal host can access an internal server on the same private network by using the domain name of the internal server when the DNS server resides on the public network.

Follow these steps to configure a DNS mapping:

To do | Use the command | Remarks
Enter system view | system-view |
Configure a DNS mapping | nat dns-map domain domain-name protocol pro-type ip global-ip port global-port | Required

Setting NAT connection limits

For more information about NAT connection limits, see the NAT and ALG Configuration Guide.

Displaying and maintaining NAT

To do | Use the command | Remarks
Display information about NAT address pools | display nat address-group [ group-number ] | Available in any view
Display all NAT configuration information | display nat all | Available in any view
Display the NAT configuration information | display nat bound | Available in any view
Display DNS mapping configuration information | display nat dns-map | Available in any view
Display the internal server information | display nat server | Available in any view
Display static NAT information | display nat static | Available in any view
Display NAT statistics | display nat statistics | Available in any view

NAT configuration examples

One-to-one static NAT configuration example

1. Network requirements

An internal host /24 uses public address to access the Internet.

Figure 15 Network diagram for one-to-one static NAT configuration

2. Configuration procedure

# As shown in Figure 15, configure the IP addresses for the interfaces (omitted).

Method I

# Configure a one-to-one static NAT mapping.
<Secpath> system-view
[Secpath] nat static
# Enable static NAT on interface GigabitEthernet 0/2.
[Secpath] interface gigabitethernet 0/2
[Secpath-GigabitEthernet0/2] nat outbound static
[Secpath-GigabitEthernet0/2] quit

Dynamic NAT configuration example

1. Network requirements

As shown in Figure 16, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

Figure 16 Network diagram for dynamic NAT III

2. Configuration procedure

# As shown in Figure 16, configure the IP addresses for the interfaces (omitted).
# Configure address pool 1.
<Secpath> system-view
[Secpath] nat address-group
# Configure ACL 2001, permitting only users from network segment /24 to access the Internet.
[Secpath] acl number 2001
[Secpath-acl-basic-2001] rule permit source
[Secpath-acl-basic-2001] rule deny
[Secpath-acl-basic-2001] quit
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 0/2.

No-PAT
[Secpath] interface gigabitethernet 0/2
[Secpath-GigabitEthernet0/2] nat outbound 2001 address-group 1 no-pat
[Secpath-GigabitEthernet0/2] quit

NAPT
[Secpath] interface gigabitethernet 0/2
[Secpath-GigabitEthernet0/2] nat outbound 2001 address-group 1
[Secpath-GigabitEthernet0/2] quit

Common internal server configuration example

1. Network requirements

As shown in Figure 17, a company provides two web servers, one FTP server, and one SMTP server for external users to access. The internal network address is /16. The internal address for the FTP server is /16, for web server 1 is /16, for web server 2 is /16, and for the SMTP server /16. The company has three public IP addresses ranging from /24 to /24. Specifically, the company has the following requirements:
External hosts can access internal servers with public address /24.
Port 8080 is used for web server 2.

Figure 17 Network diagram for common internal server configuration

2. Configuration procedure

# As shown in Figure 17, configure the IP addresses for the interfaces (omitted).
# Enter interface GigabitEthernet 0/2 view.
<Secpath> system-view
[Secpath] interface gigabitethernet 0/2
# Configure the internal FTP server.
[Secpath-GigabitEthernet0/2] nat server protocol tcp global inside ftp
# Configure the internal web server 1.
[Secpath-GigabitEthernet0/2] nat server protocol tcp global inside www
# Configure the internal web server 2.
[Secpath-GigabitEthernet0/2] nat server protocol tcp global inside www
# Configure the internal SMTP server.
[Secpath-GigabitEthernet0/2] nat server protocol tcp global smtp inside smtp
[Secpath-GigabitEthernet0/2] quit

NAT DNS mapping configuration example

1. Network requirements

As shown in Figure 18, a company provides Web and FTP services to external users, and uses internal IP network segment /16. The IP addresses of the Web and FTP servers are /16 and /16 respectively. The company has three public addresses /24 through /24. The DNS server is at /24.
The public IP address is used to provide services to external users.
External users can use the public address or domain name of internal servers to access them.
Internal users can access the internal servers by using their domain names.

Figure 18 Network diagram for NAT DNS mapping

2. Configuration procedure

# As shown in Figure 18, configure the IP addresses for the interfaces (omitted).
# Enter the view of interface GigabitEthernet 0/2.
<Secpath> system-view
[Secpath] interface gigabitethernet 0/2
# Configure the internal web server.
[Secpath-GigabitEthernet0/2] nat server protocol tcp global inside www
# Configure the internal FTP server.
[Secpath-GigabitEthernet0/2] nat server protocol tcp global inside ftp
[Secpath-GigabitEthernet0/2] quit
# Configure two DNS mapping entries: map the domain name of the web server to , and ftp.server.com of the FTP server to
[Secpath] nat dns-map domain protocol tcp ip port www
[Secpath] nat dns-map domain ftp.server.com protocol tcp ip port ftp
[Secpath] quit

3. Verification

# After completing the configurations, display the DNS mapping configuration information.
<Secpath> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name:
Global-IP :
Global-port: 80(www)
Protocol : 6(TCP)
Domain-name: ftp.server.com
Global-IP :
Global-port: 21(ftp)
Protocol : 6(TCP)

Host A and Host B can use the domain name to access the web server, and use ftp.server.com to access the FTP server.


More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2210 Document version: 6W100-20110915 Copyright 2011, Hangzhou

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5103 Document version: 6W100-20110620 Copyright 2011, Hangzhou

More information

H3C SR G Core Routers

H3C SR G Core Routers H3C SR8800 10G Core Routers Layer 2 LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR8800-CMW520-R3347 Document version: 6W103-20120224 Copyright

More information

H3C MSR Router Series

H3C MSR Router Series H3C MSR Router Series Comware 7 OpenFlow Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0615P08 Document version: 6W201-20180803 Copyright 2017-2018,

More information

H3C S7500E Switch Series

H3C S7500E Switch Series H3C S7500E Switch Series Comware 7 EVB Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 7557 and later versions Document version: 6W100-20170831 Copyright

More information

H3C S5820X&S5800 Switch Series

H3C S5820X&S5800 Switch Series H3C S5820X&S5800 Switch Series Network Management and Monitoring Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1211 Document version: 6W100-20110415

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series EVPN Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017, New H3C Technologies

More information

H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6600-CMW520-R2603 Document version: 20110627-C-1.11 Copyright 2007-2011, Hangzhou

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5103 Document version: 6W100-20110620 Copyright 2011,

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

H3C Transceiver Modules and Network Cables

H3C Transceiver Modules and Network Cables H3C Transceiver Modules and Network Cables Installation Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Document version: 6W101-20171101 Copyright 2017, New H3C Technologies Co., Ltd. and its

More information

H3C SecPath SSL VPN. Administrator Manual. Hangzhou H3C Technologies Co., Ltd. Manual Version: 5PW

H3C SecPath SSL VPN. Administrator Manual. Hangzhou H3C Technologies Co., Ltd. Manual Version: 5PW H3C SecPath SSL VPN Administrator Manual Hangzhou H3C Technologies Co., Ltd. Manual Version: 5PW100-20090624 Copyright 2009, Hangzhou H3C Technologies Co., Ltd. and its licensors H3C Technologies Co.,

More information

H3C imc. Branch Intelligent Management System. User Manual. Hangzhou H3C Technologies Co., Ltd.

H3C imc. Branch Intelligent Management System. User Manual. Hangzhou H3C Technologies Co., Ltd. H3C imc Branch Intelligent Management System User Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: imc BIMS 5.0 (E0102) Document version: 5PW103-20150427 Copyright 2011-2015,

More information

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5203P05 and Release 5203P12 Document version: 6W101-20150530

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Layer 3 - IP Services Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6602X-CMW710-R7103 SR6600X-CMW710-R7103-RSE3 SR6600-CMW710-R7103-RPE3

More information

H3C WX3000E Series Wireless Switches

H3C WX3000E Series Wireless Switches H3C WX3000E Series Wireless Switches Switching Engine Layer 2 Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: WX3000-CMW520-R3507P26 Document version: 6W101-20140714

More information

H3C SR G Core Routers

H3C SR G Core Routers H3C SR8800 10G Core Routers ACL and QoS Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR8800-CMW520-R3347 Document version: 6W103-20120224 Copyright 2011-2012,

More information

H3C S5120-HI Switch Series

H3C S5120-HI Switch Series H3C S5120-HI Switch Series ACL and QoS Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5101 Document version: 6W101-20120427 Copyright 2011-2012, Hangzhou

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers Probe Command Reference(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou H3C

More information

H3C S5120-HI Switch Series

H3C S5120-HI Switch Series H3C S5120-HI Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5501 Document version: 6W100-20140103 Copyright 2014, Hangzhou

More information

H3C S9500 Series Routing Switches

H3C S9500 Series Routing Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08165E-20081225-C-1.24 Product Version: S9500-CMW310-R1648 Copyright 2007-2008, Hangzhou H3C Technologies Co.,

More information

H3C S5820X&S5800 Series Ethernet Switches

H3C S5820X&S5800 Series Ethernet Switches H3C S5820X&S5800 Series Ethernet Switches Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W103-20100716 Product Version: Release 1110

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 2150 and later Document version: 6W101-20170608 Copyright

More information

H3C SR G Core Routers

H3C SR G Core Routers H3C SR8800 10G Core Routers IP Multicast Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR8800-CMW520-R3347 Document version: 6W103-20120224 Copyright 2011-2012,

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers ACL and QoS Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou

More information

H3C S9500 Series Routing Switches

H3C S9500 Series Routing Switches Command Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08194S-20081225-C-1.24 Product Version: S9500-CMW310-R1648 Copyright 2007-2008, Hangzhou H3C Technologies Co., Ltd.

More information

H3C SR6600 Routers. MPLS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. MPLS Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers MPLS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100930-C-1.08 Product Version: SR6600-CMW520-R2420 Copyright 2007-2010, Hangzhou H3C

More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5101 Document version: 6W100-20111031 Copyright 2011,

More information

H3C S7500E-XS Switch Series

H3C S7500E-XS Switch Series H3C S7500E-XS Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S7500EXS-CMW710-R7523P01 Document version: 6W100-20160830

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright

More information

H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide

H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Comware 7 ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6600_SR6600X-CMW710-R7607 Document version: 20170401-6W100

More information

H3C Intrusion Prevention System. Command Reference. Hangzhou H3C Technologies Co., Ltd. Document Version: 5PW

H3C Intrusion Prevention System. Command Reference. Hangzhou H3C Technologies Co., Ltd.   Document Version: 5PW H3C Intrusion Prevention System Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 5PW103-20101027 Copyright 2008-2010, Hangzhou H3C Technologies Co., Ltd. and its

More information

H3C S7500E-X Switch Series

H3C S7500E-X Switch Series H3C S7500E-X Switch Series EVPN Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S7500EX-CMW710-R7523P01 Document version: 6W100-20160830 Copyright 2016, Hangzhou

More information

H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series

H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series Layer 3 IP Services Configuration Guide H3C S5560S-EI Switch Series H3C S5130S-HI Switch Series H3C S5130S-EI Switch Series H3C S5110V2

More information

H3C SR6600 Routers. Layer 3 IP Services. Command Reference. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. Layer 3 IP Services. Command Reference. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100930-C-1.08 Product Version: SR6600-CMW520-R2420 Copyright 2007-2010,

More information

H3C SR6600 Routers. Network Management and Monitoring. Command Reference. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. Network Management and Monitoring. Command Reference. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers Network Management and Monitoring Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100930-C-1.08 Product Version: SR6600-CMW520-R2420 Copyright

More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series IP Multicast Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5101 Document version: 6W100-20111031 Copyright 2011, Hangzhou

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Layer 2 - LAN Switching Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6602X-CMW710-R7103 SR6600X-CMW710-R7103-RSE3 SR6600-CMW710-R7103-RPE3

More information

HP 10500/ G Unified Wired-WLAN Module

HP 10500/ G Unified Wired-WLAN Module HP 10500/7500 20G Unified Wired-WLAN Module Fundamentals Configuration Guide Part number: 5998-3914 Software version: 2308P29 (HP 10500/7500 20G Unified Wired-WLAN Module) Document version: 6W102-20131112

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2109 Document version: 6W100-20140128 Copyright 2014, Hangzhou

More information

H3C S12500-X Switch Series

H3C S12500-X Switch Series H3C S12500-X Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: R1003 and later Document version: 6W101-20150515 Copyright 2014-2015,

More information

HP 5120 EI Switch Series

HP 5120 EI Switch Series HP 5120 EI Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-1793 Software version: Release 2220 Document version: 6W100-20130810 Legal and notice information Copyright 2013 Hewlett-Packard

More information

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5) H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual

More information

H3C WA Series WLAN Access Points. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C WA Series WLAN Access Points. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C WA Series WLAN Access Points ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W100-20100910 Copyright 2010, Hangzhou H3C Technologies Co., Ltd.

More information