HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls


HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls NAT Configuration Guide
Part number:
Document version: 6PW

Legal and notice information

Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

NAT configuration 1
NAT overview 1
Introduction to NAT 1
NAT control 2
NAT operation 2
Low-priority address pool 5
Configuring NAT in the web interface 6
Configuration overview 6
Creating an address pool 7
Configuring dynamic NAT 8
Creating a static address mapping 9
Enabling static NAT on an interface 11
Creating an internal server 11
Configuring a DNS mapping 13
NAT configuration example 14
Internal server configuration example 17
Configuring NAT at the CLI 20
NAT configuration task list at the CLI 20
Configuring address translation 21
Introduction to address translation 21
Configuring static NAT 21
Configuring dynamic NAT 22
Configuring an internal server 24
Introduction to internal server 24
Configuring a common internal server 24
Configuring DNS mapping 25
Displaying and maintaining NAT 25
One-to-one static NAT configuration example 26
Dynamic NAT configuration example 26
Common internal server configuration example 27
NAT DNS mapping configuration example 28
Troubleshooting NAT 30
Symptom 1: abnormal translation of IP addresses 30
Symptom 2: internal server functions abnormally 30
Configuration guidelines 30
NAT-PT configuration 31
NAT-PT overview 31
Application scenario 31
Basic concepts 31
Implementing NAT-PT 32
NAT-PT limitations 33
Protocols and standards 33
NAT-PT configuration task list 34
NAT-PT configuration task list on the IPv6 side 34
NAT-PT configuration task list on the IPv4 side 34
Configuring NAT-PT 34
Configuration prerequisites 34
Enabling NAT-PT 35

Configuring a NAT-PT prefix 35
Configuring IPv4/IPv6 address mappings on the IPv6 side 35
Configuring IPv4/IPv6 address mappings on the IPv4 side 37
Setting the ToS field after NAT-PT translation 38
Setting the traffic class field after NAT-PT translation 38
Configuring static NAPT-PT mappings of IPv6 servers 39
Displaying and maintaining NAT-PT 39
NAT-PT configuration examples 40
Configuring dynamic mapping on the IPv6 side 40
Configuring static mappings on the IPv4 side and the IPv6 side 41
Troubleshooting NAT-PT 43
ALG configuration 44
ALG overview 44
Configuring ALG in the web interface 46
ALG configuration examples in the web interface 46
FTP ALG configuration example 46
SIP/H.323 ALG configuration example 50
NBT ALG configuration example 54
Configuring ALG at the CLI 57
ALG configuration examples at the CLI 57
FTP ALG configuration example 57
SIP/H.323 ALG configuration example 58
NBT ALG configuration example 59
Support and other resources 61
Contacting HP 61
Subscription service 61
Related information 61
Documents 61
Websites 61
Conventions 62
Index 64

NAT configuration

NAT overview

Introduction to NAT

Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow hosts with private IP addresses to access public networks. With NAT, a small number of public IP addresses can serve a large number of internal hosts accessing the Internet, which effectively alleviates the depletion of IP addresses.

NOTE: A private or internal IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique. According to RFC 1918, three blocks of IP addresses are reserved for private networks: in Class A: to ; in Class B: to ; in Class C: to . No host with an IP address in these three ranges exists on the Internet, so you can use those IP addresses in an enterprise network freely without requesting them from an ISP or a registration center.

In addition to translating private addresses to public addresses, NAT can also perform address translation between any two networks. In this document, the two networks are referred to as an internal network and an external network. Generally, a private network is an internal network and a public network is an external network.

Figure 1 NAT operation

1. The internal host with an IP address of sends an IP packet to the external server with an IP address of through the NAT device.
2. Upon receiving the packet, the NAT device checks the IP header and finds that the packet is destined for the external network. It translates the private source address to the globally unique public address and forwards the packet to the server on the external network. Meanwhile, the NAT device adds the mapping between the two addresses to its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is . Upon receiving the packet, the NAT device checks the IP header, looks up the mapping in its NAT table, replaces the destination address with the private address , and sends the new packet to the internal host.

The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is and is unaware of the private address . As such, NAT hides the private network from external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
- Because NAT translates IP addresses, IP headers cannot be encrypted. The same applies to application protocol packets whose payload carries an IP address or port number that must be translated. For example, you cannot encrypt an FTP connection, or its PORT command cannot work correctly.
- Network debugging becomes more difficult. For example, when a host in a private network attacks other networks, it is harder to pinpoint the attacking host because its IP address has been hidden.

NAT control

In practice, an enterprise needs to allow some hosts in the internal network to access external networks and prohibit others. This is achieved through the NAT control mechanism. If a source IP address is among the denied addresses, the NAT device does not translate it. In addition, the NAT device only translates private addresses to specified public addresses. NAT control is achieved through an access control list (ACL) and an address pool. Only packets matching the ACL rules are served by NAT. An address pool is a collection of consecutive public IP addresses for address translation. You can specify an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.

NAT operation

Basic NAT

As depicted in Figure 1, when an internal host accesses an external network, the NAT device uses a public IP address to replace the private source IP address. In Figure 1, NAT uses the IP address of the outgoing interface as the public IP address. All internal hosts use the same public IP address to access external networks, and only one host is allowed to access external networks at a given time. A NAT device can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, the NAT device chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks simultaneously.

NOTE: The number of public IP addresses that a NAT device needs is usually far less than the number of internal hosts, because not all internal hosts access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.

NAPT

Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT or address multiplexing. NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 2 Diagram for NAPT operation

As shown in Figure 2, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 1 and 3 are from different internal addresses but have the same source port number. NAPT maps the three packets to the same external address with different source port numbers, so the packets can still be differentiated. When receiving the response packets, the NAT device forwards them to the corresponding hosts according to the destination addresses and port numbers. NAPT makes better use of IP address resources, enabling more internal hosts to access the external network at the same time.

NAPT supports two NAT mapping behavior modes: Endpoint-Independent Mapping and Endpoint-Dependent Mapping.

Endpoint-Independent Mapping

In this mode, the NAT device uses entries each comprising the source IP address, source port number, and protocol type to translate addresses and filter packets. The same NAPT mapping applies to packets sent from the same internal IP address and port to any external IP address and port. The NAT device also allows external hosts to access the internal network by using the translated external addresses and port numbers. This mode facilitates communication among hosts that connect to different NAT devices.

Address and Port-Dependent Mapping

In this mode, the NAT device uses entries each comprising the source IP address, source port number, protocol type, destination IP address, and destination port number to translate addresses and filter packets. For packets with the same source address and source port number but different destination addresses and destination port numbers, different NAPT mappings apply, so that the source address and port number are mapped to the same external IP address but different port numbers. The NAT device allows only hosts on the external networks where these destination addresses reside to access the internal network. This mode is secure but inconvenient for communication among hosts that connect to different NAT devices.

Internal server

NAT hides the internal network structure, including the identities of internal hosts. However, some internal hosts, such as an internal web server or FTP server, may need to be accessed by external hosts. NAT satisfies this need by supporting internal servers. You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like :8080 as an internal web server's external address and port number.

In Figure 3, when the NAT device receives a packet destined for the public IP address of an internal server, it looks up the NAT entries and translates the destination address and port number in the packet to the private IP address and port number of the internal server. When the NAT device receives a response packet from the internal server, it translates the source private IP address and port number of the packet into the public IP address and port number of the internal server.

Figure 3 Internal server operation

DNS mapping

Generally, the DNS server and the users that need to access internal servers reside on the public network. You can specify an external IP address and port number for an internal server on the public network interface of a NAT device, so that external users can access the internal server using its domain name or public IP address. In Figure 4, an internal host wants to access an internal web server by using its domain name, while the DNS server is located on the public network. Typically, the DNS server replies with the public address of the internal server, and thus the host cannot access the internal server. The DNS mapping feature solves this problem.
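The two NAPT mapping behavior modes described above decide which inbound packets a translated port will accept. The following Python model is an added example, not code from this guide or from the HP firewall; all addresses and port numbers in it are constructed. The toy NAT keys its table on (protocol, source IP, source port) for Endpoint-Independent Mapping and adds the destination endpoint for Address and Port-Dependent Mapping, so the same three checks can be run against both modes:

```python
from dataclasses import dataclass
from itertools import count

# Constructed sample addresses (RFC 1918 inside, RFC 5737 test ranges outside);
# none of them come from the guide.
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Toy NAPT model with the two mapping behaviours the guide describes."""

    def __init__(self, mode: str, public_ip: str = PUBLIC_IP):
        if mode not in ("endpoint-independent", "address-and-port-dependent"):
            raise ValueError(mode)
        self.mode = mode
        self.public_ip = public_ip
        self._ports = count(10000)   # next free translated port
        self.table = {}              # mapping key -> translated port

    def _key(self, f: Flow) -> tuple:
        # EIM keys on (proto, src ip, src port) only; APDM adds the external endpoint.
        if self.mode == "endpoint-independent":
            return (f.proto, f.src_ip, f.src_port)
        return (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)

    def outbound(self, f: Flow) -> Flow:
        """Translate an internal->external packet, creating a mapping if needed."""
        key = self._key(f)
        if key not in self.table:
            self.table[key] = next(self._ports)
        return Flow(f.proto, self.public_ip, self.table[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow):
        """Translate an external->internal packet, or return None if it is filtered."""
        if f.dst_ip != self.public_ip:
            return None
        for key, port in self.table.items():
            if key[0] != f.proto or port != f.dst_port:
                continue
            if self.mode == "address-and-port-dependent" and (f.src_ip, f.src_port) != (key[3], key[4]):
                continue  # only the endpoint the mapping was created for may use it
            return Flow(f.proto, f.src_ip, f.src_port, key[1], key[2])
        return None


def figure2_ports(mode: str) -> list:
    """The three packets of Figure 2: same host/different ports, different host/same port."""
    nat = Napt(mode)
    pkts = [Flow("udp", "10.0.0.1", 1024, "198.51.100.1", 53),
            Flow("udp", "10.0.0.1", 1025, "198.51.100.1", 53),
            Flow("udp", "10.0.0.2", 1024, "198.51.100.1", 53)]
    return [nat.outbound(p).src_port for p in pkts]


def unsolicited_allowed(mode: str) -> tuple:
    """(reply from the real peer delivered?, packet from another external host delivered?)"""
    nat = Napt(mode)
    out = nat.outbound(Flow("udp", "10.0.0.1", 1024, "198.51.100.1", 53))
    reply = Flow("udp", "198.51.100.1", 53, out.src_ip, out.src_port)
    stranger = Flow("udp", "198.51.100.2", 4444, out.src_ip, out.src_port)
    return nat.inbound(reply) is not None, nat.inbound(stranger) is not None


def same_mapping_for_two_peers(mode: str) -> bool:
    """Does one internal socket keep the same external port towards two different peers?"""
    nat = Napt(mode)
    a = nat.outbound(Flow("tcp", "10.0.0.1", 40000, "198.51.100.1", 80))
    b = nat.outbound(Flow("tcp", "10.0.0.1", 40000, "198.51.100.2", 80))
    return a.src_port == b.src_port
```

In the endpoint-independent mode the stranger's packet is delivered, which is what makes hosts behind different NAT devices reachable to each other; in the address-and-port-dependent mode it is dropped, which is the trade-off the guide calls secure but inconvenient.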

Figure 4 Operation of NAT DNS mapping

A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name in the message against the DNS mapping entries. If a match is found, the private address of the internal server is looked up and the interface replaces the public IP address in the reply with the private IP address. The host can then use the private address to access the internal server.

Easy IP

Easy IP uses the public IP address of an interface on the firewall as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.

NAT support for VPNs

NAT allows users from different VPNs to access external networks through the same outbound interface, and allows the VPN users to use the same private address space.
1. Upon receiving a request from an MPLS VPN to an external network, NAT replaces the private source IP address and port number with a public IP address and port number, and records the MPLS VPN information, such as the protocol type and route distinguisher (RD).
2. When the response packet arrives, NAT replaces the public destination IP address and port number with the internal IP address and port number, and sends the packet to the target VPN.

This feature can also apply to internal servers, so that external users can access an internal host of a VPN. For example, suppose a host in VPN 1 needs to provide web services for the Internet and has a private address of . Configure NAT to use as the public IP address of the host, so that Internet users can use this IP address to access web services on the host. NAT allows hosts in multiple VPNs to access each other by using the VPN information carried in the external IP address.

Low-priority address pool

An address pool is a set of consecutive public IP addresses used for dynamic NAT. A NAT gateway selects addresses from the address pool and uses them as the translated source IP addresses. When two devices in a stateful failover implementation carry out NAT, identical address pools must be configured on both devices, to make sure that service traffic is successfully taken over by the other device if one device fails. However, if the devices select the same IP addresses from their address pools and assign them the same port numbers, the reverse sessions on the two devices are identical. As a result, session data cannot be backed up between the devices.
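The DNS mapping rewrite described above, as an added Python example that is not part of this guide or of the firewall's code. The internal server entry, the mapping entries and the DNS reply are constructed; the reply is modelled as a list of owner-name/IPv4 pairs rather than as DNS wire format, and the 16-entry limit stated in the web-interface section of this guide is enforced when a mapping is added:

```python
from dataclasses import dataclass

MAX_DNS_MAPPINGS = 16  # limit stated in the guide for this firewall


@dataclass(frozen=True)
class InternalServer:
    proto: str
    global_ip: str
    global_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class DnsMapping:
    domain: str
    global_ip: str
    global_port: int
    proto: str


class NatDnsRewriter:
    """Rewrites A records in DNS replies the way the guide's DNS mapping feature does."""

    def __init__(self):
        self.servers = []
        self.mappings = []

    def add_internal_server(self, s: InternalServer) -> None:
        self.servers.append(s)

    def add_dns_mapping(self, m: DnsMapping) -> None:
        if len(self.mappings) >= MAX_DNS_MAPPINGS:
            raise ValueError("at most %d DNS mappings are supported" % MAX_DNS_MAPPINGS)
        self.mappings.append(m)

    def _private_ip(self, m: DnsMapping):
        # The mapping names the server by public address/port/protocol; the private
        # address comes from the matching internal server entry.
        for s in self.servers:
            if (s.proto, s.global_ip, s.global_port) == (m.proto, m.global_ip, m.global_port):
                return s.internal_ip
        return None

    def rewrite_reply(self, qname: str, answers: list) -> list:
        """answers: list of (owner name, IPv4 string) A records taken from the DNS reply."""
        name = qname.rstrip(".").lower()
        for m in self.mappings:
            if m.domain.rstrip(".").lower() != name:
                continue
            private = self._private_ip(m)
            if private is None:
                break  # mapping without an internal server entry: leave the reply untouched
            return [(owner, private if ip == m.global_ip else ip) for owner, ip in answers]
        return list(answers)


def demo() -> dict:
    """Constructed scenario: an internal host resolves the company web server's name."""
    nat = NatDnsRewriter()
    nat.add_internal_server(InternalServer("tcp", "203.0.113.5", 80, "192.168.10.80", 80))
    nat.add_dns_mapping(DnsMapping("www.example.com", "203.0.113.5", 80, "tcp"))
    return {
        "mapped": nat.rewrite_reply("www.example.com.", [("www.example.com.", "203.0.113.5")]),
        "unmapped": nat.rewrite_reply("mail.example.com.", [("mail.example.com.", "203.0.113.6")]),
    }


def limit_enforced() -> bool:
    """The 17th DNS mapping must be refused."""
    nat = NatDnsRewriter()
    for i in range(MAX_DNS_MAPPINGS):
        nat.add_dns_mapping(DnsMapping("h%d.example.com" % i, "203.0.113.5", 80, "tcp"))
    try:
        nat.add_dns_mapping(DnsMapping("extra.example.com", "203.0.113.5", 80, "tcp"))
    except ValueError:
        return True
    return False
```

Only the address that equals the mapping's public address is replaced; any other address in the same reply is passed through unchanged, so a reply for a name the device knows nothing about reaches the host exactly as the public DNS server sent it.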

To solve the problem, the low-priority address pool attribute is introduced to NAT. You can configure address pools on the two devices to have different priorities. For example, suppose that two address pools, through (A) and through (B), are configured on both devices. You can configure A as the low-priority address pool on one device and B as the low-priority address pool on the other device. Because addresses in the low-priority address pool are not selected by NAT, the two devices use different addresses as translated source addresses, and session data can be backed up successfully.

NOTE: For more information about stateful failover, see High Availability Configuration Guide.

Configuring NAT in the web interface

Configuration overview

Configuring address translation

A NAT gateway can be configured with, or can dynamically generate, mapping entries to translate between internal and external network addresses. Address translation can be classified into two types, dynamic and static.

Dynamic NAT

A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or with the address of an interface in the case of Easy IP). This association defines which packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable when a large number of internal users need to access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released.

Table 1 Dynamic NAT configuration task list
Task: Creating an address pool
Remarks: Required for configuring NAPT and many-to-many NAT.
Task: Configuring dynamic NAT
Remarks: Required. Configure dynamic NAT on an interface.

Static NAT

The mapping relationships between external and internal network addresses are manually configured. Static NAT can meet the fixed access requirements of a few users. Perform the tasks in Table 2 to configure static NAT.

Table 2 Static NAT configuration task list
Task: Creating a static address mapping
Remarks: Required. Static NAT supports two modes, one-to-one and net-to-net.
Task: Enabling static NAT on an interface
Remarks: Required. Configure static NAT on an interface.

Configuring an internal server

Table 3 Internal server configuration task list
Task: Creating an internal server
Remarks: Required. After you map the private IP address/port number of an internal server to a public IP address/port number, hosts in external networks can access the server located in the private network.
Task: Configuring a DNS mapping
Remarks: Optional. The DNS mapping feature enables an internal host to use a domain name to access an internal server located on the same private network while the DNS server resides on the public network.

IMPORTANT: Up to 16 DNS mappings are supported on the firewall.

Creating an address pool

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree to enter the page shown in Figure 5. In the Address Pool field, where all NAT address pools are displayed, click Add to enter the Add NAT Address Pool page shown in Figure 6.

Figure 5 Dynamic NAT configuration page

Figure 6 Add NAT Address Pool page

Table 4 Configuration items
Item: Index
Description: Specify the index of an address pool.
Item: Start IP Address
Description: Specify the start IP address of the address pool.
Item: End IP Address
Description: Specify the end IP address of the address pool. The end IP address must be identical to or higher than the start IP address.
Item: Low priority
Description: Configure the address pool as a low-priority or a non-low-priority address pool.
IMPORTANT: This configuration item is applicable to stateful failover networking only. You cannot configure the same address pool as the low-priority address pool on both the local and the peer device.

Configuring dynamic NAT

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree to enter the page shown in Figure 5. In the Dynamic NAT field, where all dynamic NAT policies are displayed, click Add to enter the Add Dynamic NAT page shown in Figure 7.

Figure 7 Add Dynamic NAT page

Table 5 Configuration items
Item: Interface
Description: Specify an interface on which dynamic NAT is to be enabled.
Item: ACL
Description: Specify an ACL for dynamic NAT. You cannot associate an ACL with multiple NAT address pools, or associate an ACL with both Easy IP and an address pool.
IMPORTANT: On some devices, the rules of an ACL applied on an interface cannot conflict with one another; rules with the same source IP address, destination IP address, and VPN instance are considered a conflict. In a basic ACL (numbered 2000 to 2999), rules with the same source IP address and VPN instance are considered a conflict.
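The low-priority address pool rule from the overview and the Table 4 restriction that a pool may not be low-priority on both devices, as an added Python model that is not from this guide or from the product. Pool ranges are constructed. The model treats low-priority addresses as never selected, which is what the text states; it makes no assumption about a fallback once the other pools are exhausted and simply returns None at that point:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressPool:
    index: int
    start: str
    end: str
    low_priority: bool = False

    def addresses(self) -> list:
        a, b = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        if b < a:  # Table 4: end must be identical to or higher than start
            raise ValueError("end IP address must not be lower than the start IP address")
        return [str(ipaddress.IPv4Address(x)) for x in range(int(a), int(b) + 1)]


class DynamicNatDevice:
    """One gateway of a stateful-failover pair picking translated source addresses."""

    def __init__(self, name: str, pools: list):
        self.name = name
        self.pools = pools
        self.in_use = set()

    def allocate(self):
        # The guide says low-priority addresses are not selected; this model skips them
        # and returns None when the other pools are exhausted (assumption: no fallback).
        for pool in self.pools:
            if pool.low_priority:
                continue
            for ip in pool.addresses():
                if ip not in self.in_use:
                    self.in_use.add(ip)
                    return ip
        return None


def check_pair_config(local: DynamicNatDevice, peer: DynamicNatDevice) -> None:
    """Identical pools on both devices, and never the same pool low-priority on both."""
    def ranges(dev, low_only=False):
        return {(p.start, p.end) for p in dev.pools if p.low_priority or not low_only}
    if ranges(local) != ranges(peer):
        raise ValueError("both devices must be configured with identical address pools")
    if ranges(local, True) & ranges(peer, True):
        raise ValueError("a pool cannot be low-priority on both the local and the peer device")


def failover_demo(n: int = 3) -> tuple:
    """Constructed pair: pool A is low-priority on dev2, pool B is low-priority on dev1."""
    pool_a = ("203.0.113.1", "203.0.113.3")
    pool_b = ("203.0.113.4", "203.0.113.6")
    dev1 = DynamicNatDevice("dev1", [AddressPool(0, *pool_a), AddressPool(1, *pool_b, True)])
    dev2 = DynamicNatDevice("dev2", [AddressPool(0, *pool_a, True), AddressPool(1, *pool_b)])
    check_pair_config(dev1, dev2)
    return ({dev1.allocate() for _ in range(n)}, {dev2.allocate() for _ in range(n)})


def misconfig_rejected() -> bool:
    """The same pool marked low-priority on both devices must be refused."""
    pools = [AddressPool(0, "203.0.113.1", "203.0.113.3", True)]
    try:
        check_pair_config(DynamicNatDevice("d1", pools), DynamicNatDevice("d2", list(pools)))
    except ValueError:
        return True
    return False
```

Because each device draws only from the pool that is low-priority on its peer, the two sets of translated source addresses never overlap, which is the property the reverse-session backup depends on.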

Item: Address Transfer
Description: Select an address translation mode:
- PAT: Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP addresses and port numbers.
- No-PAT: Refers to many-to-many NAT. In this mode, associating an ACL with an address pool translates only IP addresses.
- Easy IP: In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address, and uses an ACL to match IP packets.
Only one mode can be selected for an address pool.
Item: Address Pool Index
Description: Specify the index of a NAT address pool for dynamic NAT. The NAT address pool must have been configured through NAT address configuration. If Easy IP is selected for Address Transfer, you do not need to enter an address pool index.
Item: Global VPN Instance
Description: Specify the name of the VPN instance to which the external IP addresses (that is, the NAT address pool) belong.
Item: Enable track to VRRP / VRRP Group
Description: Configure whether to associate dynamic NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you do. When two network devices implement both stateful failover and dynamic NAT, make sure that each address pool on an interface is associated with one VRRP group only; otherwise, the system associates the address pool with the VRRP group having the highest group ID. To ensure normal switchovers between the two devices, add the devices to the same VRRP group and associate dynamic NAT with the VRRP group.

Creating a static address mapping

Select Firewall > NAT Policy > Static NAT from the navigation tree to enter the page shown in Figure 8. In the Static Address Mapping field, where static address mappings are displayed, click Add to enter the Add Static Address Mapping page shown in Figure 9.

Figure 8 Static NAT configuration page

Figure 9 Add Static Address Mapping page

Table 6 Configuration items
Item: Internal VPN Instance
Description: Specify the name of the VPN instance to which the internal IP addresses belong. If no internal VPN instance is specified, the internal address is a common private network address.
Item: Internal IP Address
Description: Enter an internal IP address for the static address mapping.
Item: Global VPN Instance
Description: Specify the name of the VPN instance to which the external IP addresses belong. If no global VPN instance is specified, the external address is a common public network address.
Item: Global IP Address
Description: Enter a public IP address for the static address mapping.
Item: Network Mask
Description: Specify the network mask for the internal and public IP addresses. If a network mask is specified, net-to-net static NAT is implemented. If no network mask is specified, the default mask is used, and one-to-one static NAT is delivered.

Enabling static NAT on an interface

Select Firewall > NAT Policy > Static NAT from the navigation tree to enter the page shown in Figure 8. In the Interface Static Translation field, where the static NAT entries configured for interfaces are displayed, click Add to enter the Enable Interface Static Translation page shown in Figure 10.

Figure 10 Enable Interface Static Translation page

Table 7 Configuration items
Item: Interface Name
Description: Select an interface to which static NAT is applied.
Item: Enable track to VRRP / VRRP Group
Description: Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you do. When two network devices implement both stateful failover and dynamic NAT, make sure that the public address of an internal server on an interface is associated with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID. To ensure normal switchovers between the two devices, add the devices to the same VRRP group and associate dynamic NAT with the VRRP group.

Creating an internal server

Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 11. In the Internal Server field, where all internal server information is displayed, click Add to enter the Add Internal Server page shown in Figure

Figure 11 Internal server configuration page

Figure 12 Add Internal Server page

Table 8 Configuration items
Item: Interface
Description: Specify an interface to which the internal server policy is applied.
Item: Protocol Type
Description: Select or specify the type of the protocol carried by IP.
Item: Global VPN Instance
Description: Specify the name of the VPN instance to which the external address belongs. If no global VPN instance is specified, the external IP address is a common public network address that does not belong to any VPN instance.
Item: External IP Address
Description: Specify the public IP address for the internal server. You can enter an IP address, or use the IP address of an interface.

Item: Global Port
Description: Specify the global port number(s) for the internal server. This option is available when 6(TCP) or 17(UDP) is selected as the protocol type. You can:
- Use the single box to specify a global port.
- Use the double boxes to specify a range of global ports, each of which has a one-to-one correspondence with an address in the specified internal IP range. The number you enter in the right box must be higher than that in the left box.
If you use the single box and specify a port of 0, all types of services are provided. This configuration indicates a static connection between the external IP address and the internal IP address.
Item: Internal VPN Instance
Description: Specify the name of the VPN instance to which the internal server belongs. If no internal VPN instance is specified, the internal server is a common private network server that does not belong to any VPN instance.
Item: Internal IP
Description: Specify the internal IP address(es) for the internal server.
- Single box: Used to specify an internal IP address when 6(TCP) or 17(UDP) is not selected for the protocol type, or when you specify a single global port.
- Double boxes: Used to specify a range of internal IP addresses, each of which has a one-to-one correspondence with a port in the specified global port range. The IP address in the right box must be higher than that in the left box, and the number of addresses must be identical to the number of specified global ports.
Item: Internal Port
Description: Specify the internal port number of the internal server. This option is available when 6(TCP) or 17(UDP) is selected for the protocol type. If you enter 0 in the text box, all types of services are provided. This configuration indicates a static connection between the internal address and the external address.
Item: Enable track to VRRP / VRRP Group
Description: Configure whether to associate the internal server on an interface with a VRRP group, and specify the VRRP group to be associated if you do. When two network devices deliver both stateful failover and dynamic NAT, to ensure normal switchovers between the two devices, add the devices to the same VRRP group and associate dynamic NAT with the VRRP group.

Configuring a DNS mapping

Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 11. In the DNS-MAP field, where all DNS mappings are displayed, click Add to enter the Add DNS-MAP page shown in Figure
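How the single-box and double-box settings of Table 8 map an inbound packet onto an internal server, as an added Python example that is not this guide's or the firewall's code. The entries and addresses are constructed; the protocol number 1 used for the ICMP entry and the rule that an internal port of 0 on a port range keeps the global port are assumptions, while the validation rules (ports only for 6(TCP)/17(UDP), right box higher than left box, address count equal to port count) are the ones the table states:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17  # protocol numbers as the web page labels them: 6(TCP), 17(UDP)


@dataclass(frozen=True)
class InternalServerEntry:
    proto: int
    global_ip: str
    global_ports: tuple = ()   # () = no port (non TCP/UDP), (p,) = single box, (lo, hi) = double boxes
    internal_ips: tuple = ()   # (ip,) = single box, (lo_ip, hi_ip) = double boxes
    internal_port: int = 0     # 0 = all services (static connection)


def _expand_ips(lo: str, hi: str) -> list:
    a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    if b <= a:
        raise ValueError("right-hand IP address must be higher than the left-hand one")
    return [str(ipaddress.IPv4Address(x)) for x in range(int(a), int(b) + 1)]


def validate(e: InternalServerEntry) -> None:
    """Apply the Table 8 constraints before an entry is accepted."""
    if e.proto not in (TCP, UDP):
        if e.global_ports or len(e.internal_ips) != 1:
            raise ValueError("ports are only available for 6(TCP) and 17(UDP)")
        return
    if len(e.global_ports) == 1:
        if len(e.internal_ips) != 1:
            raise ValueError("a single global port maps to a single internal IP address")
        return
    lo, hi = e.global_ports
    if hi <= lo:
        raise ValueError("right-hand port must be higher than the left-hand one")
    if len(e.internal_ips) != 2:
        raise ValueError("a global port range needs an internal IP address range")
    if len(_expand_ips(*e.internal_ips)) != hi - lo + 1:
        raise ValueError("number of internal addresses must equal the number of global ports")


class InternalServerTable:
    def __init__(self):
        self.entries = []

    def add(self, e: InternalServerEntry) -> None:
        validate(e)
        self.entries.append(e)

    def translate_inbound(self, proto: int, dst_ip: str, dst_port: Optional[int] = None):
        """Return (internal ip, internal port) for a packet arriving from outside, or None."""
        for e in self.entries:
            if e.proto != proto or e.global_ip != dst_ip:
                continue
            if e.proto not in (TCP, UDP):
                return e.internal_ips[0], None
            if len(e.global_ports) == 1:
                gp = e.global_ports[0]
                if gp == 0:  # port 0: every service, ports are left untouched
                    return e.internal_ips[0], dst_port
                if dst_port == gp:
                    return e.internal_ips[0], e.internal_port or dst_port
                continue
            lo, hi = e.global_ports
            if lo <= dst_port <= hi:
                ip = _expand_ips(*e.internal_ips)[dst_port - lo]
                return ip, e.internal_port or dst_port  # assumption: 0 keeps the global port
        return None


def demo_table() -> InternalServerTable:
    """Constructed table: an FTP server plus three web hosts fanned out over a port range."""
    t = InternalServerTable()
    t.add(InternalServerEntry(TCP, "203.0.113.2", (21,), ("192.168.1.21",), 21))
    t.add(InternalServerEntry(TCP, "203.0.113.2", (8001, 8003), ("192.168.1.81", "192.168.1.83"), 80))
    t.add(InternalServerEntry(1, "203.0.113.3", (), ("192.168.1.9",)))  # ICMP: no ports
    return t


def mismatch_rejected() -> bool:
    """Two ports but three addresses must be refused."""
    try:
        InternalServerTable().add(InternalServerEntry(
            TCP, "203.0.113.2", (8001, 8002), ("192.168.1.81", "192.168.1.83"), 80))
    except ValueError:
        return True
    return False
```

A packet to a port that no entry covers (8080 on the constructed public address, for instance) is returned as None, meaning the NAT device has no internal server entry for it and does not forward it inward.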

Figure 13 Add DNS-MAP page

Table 9 Configuration items
Item: Protocol
Description: Select the protocol supported by the internal server.
Item: Global IP
Description: Specify the external IP address of the internal server.
Item: Global Port
Description: Specify the port number of the internal server.
Item: Domain
Description: Specify the domain name of the internal server.

NAT configuration example

Network requirements

As illustrated in Figure 14, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

Figure 14 Network diagram

Configuration procedure

# Configure an ACL to permit internal users in subnet /24 to access the Internet.
Select Firewall > ACL from the navigation tree, click Add, and then perform the following operations, as shown in Figure

Figure 15 Define ACL 2001
- Enter 2001 in ACL Number.
- Select Config in Match Order.
- Click Apply.

Click the icon in the Operation column corresponding to ACL 2001 to enter the ACL 2001 configuration page, click Add, and then perform the following operations, as shown in Figure 16.

Figure 16 Configure ACL 2001 to permit users on network /24 to access the Internet
- Select Permit in Operation.
- Select the Source IP Address box and enter the address.
- Enter in Source Wildcard.
- Click Apply.

Click Add on the ACL 2001 configuration page and perform the following operations, as shown in Figure

Figure 17 Configure ACL 2001 to prohibit other users from accessing the Internet
- Select Deny for Operation.
- Click Apply.

# Configure a NAT address pool.
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, click Add, and then perform the following operations, as shown in Figure 18.

Figure 18 Configure NAT address pool 0
- Enter 0 in Index.
- Enter in Start IP Address.
- Enter in End IP Address.
- Click Apply.

# Configure dynamic NAT.
Click Add in the Dynamic NAT field and perform the following operations, as shown in Figure

Figure 19 Configure dynamic NAT
- Select GigabitEthernet0/1 for Interface.
- Enter 2001 in ACL.
- Select PAT for Address Transfer.
- Enter 0 in Address Pool Index.
- Click Apply.

Internal server configuration example

Network requirements

As illustrated in Figure 20, a company provides two Web servers and one FTP server for external users to access. The internal network address is /16. The internal address of the FTP server is /16, that of Web server 1 is /16, and that of Web server 2 is /16. The company has three public IP addresses from /24 through /24. Specifically, the company has the following requirements:
- External hosts can access the internal servers using public address /24.
- Port 8080 is used for Web server 2.

Figure 20 Network diagram

Configuration procedure

# Configure the FTP server.

Select Firewall > NAT Policy > Internal Server from the navigation tree, click Add in the Internal Server field, and then perform the following operations, as shown in Figure 21.

Figure 21 Configure an internal FTP server
- Select GigabitEthernet0/1 for Interface.
- Select 6(TCP) for Protocol Type.
- Select the option next to Assign IP Address, and then enter in Global IP.
- Select the upper option next to Global Port and enter 21.
- Enter in Internal IP.
- Enter 21 in Internal Port.
- Click Apply.

# Configure Web server 1.
Click Add in the Internal Server field and perform the following operations, as shown in Figure

Figure 22 Configure internal Web server 1
- Select GigabitEthernet0/1 for Interface.
- Select 6(TCP) for Protocol Type.
- Select the option next to Assign IP Address, and then enter for Global IP.
- Select the upper option next to Global Port and enter 80.
- Enter in Internal IP.
- Enter 80 in Internal Port.
- Click Apply.

# Configure Web server 2.
Click Add in the Internal Server field and perform the following operations, as shown in Figure

Figure 23 Configure internal Web server 2
- Select GigabitEthernet0/1 for Interface.
- Select 6(TCP) for Protocol Type.
- Select the option next to Assign IP Address, and then enter for Global IP.
- Select the upper option next to Global Port and enter the port number.
- Enter in Internal IP.
- Enter 80 in Internal Port.
- Click Apply.

Configuring NAT at the CLI

NAT configuration task list at the CLI

Complete the following tasks to configure NAT:
Task: Configuring address translation (Configuring static NAT, Configuring dynamic NAT)
Remarks: Either is required.
Task: Configuring an internal server
Remarks: Required.
Task: Configuring DNS mapping
Remarks: Optional.

NOTE:
If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and reboot the device (or use the reset nat session command to manually clear the relevant NAT entries) to avoid problems. The following problems may occur:
After you delete the NAT-related configuration, address translation can still work for sessions already created.
If you configure NAT when NAT is running, the same configuration may have different results because of different configuration orders.

Configuring address translation

Introduction to address translation

A NAT device can be configured with, or can dynamically generate, mappings to translate between internal and external network addresses. Address translation can be classified into static and dynamic NAT.

Static NAT: Mappings between external and internal network addresses are manually configured. Static NAT can meet the fixed access requirements of a few users.

Dynamic NAT: A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or with the address of an interface in the case of Easy IP). This association defines which packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable to network environments where a large number of internal users need to access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released.

Both static NAT and dynamic NAT support NAT multiple-instance as long as the VPN instance of an IP address is provided.

Configuring static NAT

You need to configure static NAT in system view and make it effective in interface view. Static NAT supports two modes: one-to-one and net-to-net.

Configuring one-to-one static NAT

One-to-one static NAT translates a private IP address into a public IP address.
Follow these steps to configure one-to-one static NAT:
1. Enter system view.
   system-view
2. Configure a one-to-one static NAT mapping. (Required)
   nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
3. Enter interface view.
   interface interface-type interface-number
4. Enable static NAT on the interface. (Required)
   nat outbound static [ track vrrp virtual-router-id ]

Configuring net-to-net static NAT

Net-to-net static NAT translates a private network into a public network.

Follow these steps to configure net-to-net static NAT:
1. Enter system view.
   system-view
2. Configure a net-to-net static NAT mapping. (Required)
   nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { netmask-length | netmask }
3. Return to system view.
   quit
4. Enter interface view.
   interface interface-type interface-number
5. Enable static NAT on the interface. (Required)
   nat outbound static

Configuring dynamic NAT

Dynamic NAT is usually implemented by associating an ACL with an address pool (or with the address of an interface) on an interface. To use the address of an interface as the translated address, use Easy IP. To select an address from an address pool as the translated address, use No-PAT or NAPT for dynamic address translation. No-PAT is used for many-to-many address translation and does not translate TCP/UDP port numbers. NAPT allows many-to-one address translation by also translating TCP/UDP port numbers.

Typically, a NAT entry is configured on the outbound interface of the NAT device. If a packet is the first of its session and an address pool is associated with the outbound interface, NAT determines whether to translate the packet based on the ACL. If so, NAT chooses an address from the associated address pool or takes the associated interface address, performs address translation, and then saves the address mapping in the address translation table. All subsequent packets from the internal host are serviced by NAT directly according to the mapping entry.

Configuration prerequisites

Configure an ACL to specify the IP addresses permitted to be translated.
Decide whether to use an interface's IP address as the translated source address.
Determine a public IP address pool for address translation.
Decide whether to translate port information.
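As an added illustration (not code from the HP guide), the following Python model contrasts the two pool-based dynamic NAT modes described above: No-PAT binds each permitted private address to its own pool address and leaves the port untouched, while NAPT lets many hosts share one pool address by rewriting the port. The ACL networks, pool range and host addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound TCP/UDP session as seen by the NAT device."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNat:
    """Dynamic NAT on an outbound interface: a basic ACL (permitted source
    networks) decides what is translated, an address pool supplies the public
    addresses. no_pat=True models 'nat outbound <acl> address-group <n> no-pat',
    no_pat=False models NAPT ('nat outbound <acl> address-group <n>')."""

    def __init__(self, acl_permit, pool_start, pool_end, no_pat):
        self.acl = [ipaddress.ip_network(n) for n in acl_permit]
        lo = int(ipaddress.ip_address(pool_start))
        hi = int(ipaddress.ip_address(pool_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.no_pat = no_pat
        self.no_pat_map = {}    # private ip -> public ip (address-only mapping)
        self.sessions = {}      # private ip -> live session count (No-PAT release)
        self.napt_map = {}      # (private ip, port) -> (public ip, port)
        self.napt_used = set()  # (public ip, port) pairs already handed out

    def permitted(self, flow):
        ip = ipaddress.ip_address(flow.src_ip)
        return any(ip in net for net in self.acl)

    def translate(self, flow):
        """Translated flow; the unchanged flow when the ACL does not permit it
        (forwarded untranslated); None when no pool address/port is free."""
        if not self.permitted(flow):
            return flow
        return self._no_pat(flow) if self.no_pat else self._napt(flow)

    def _no_pat(self, flow):
        public = self.no_pat_map.get(flow.src_ip)
        if public is None:
            free = [a for a in self.pool if a not in self.no_pat_map.values()]
            if not free:
                return None  # many-to-many: one private host per pool address
            public = free[0]
            self.no_pat_map[flow.src_ip] = public
        self.sessions[flow.src_ip] = self.sessions.get(flow.src_ip, 0) + 1
        return Flow(public, flow.src_port, flow.dst_ip, flow.dst_port)  # port kept

    def _napt(self, flow):
        key = (flow.src_ip, flow.src_port)
        if key not in self.napt_map:
            chosen = next(((pub, port) for pub in self.pool
                           for port in range(1024, 65536)
                           if (pub, port) not in self.napt_used), None)
            if chosen is None:
                return None
            self.napt_used.add(chosen)
            self.napt_map[key] = chosen
        public, port = self.napt_map[key]
        return Flow(public, port, flow.dst_ip, flow.dst_port)

    def release(self, flow):
        """Session end: a No-PAT address returns to the pool once the host's
        last session closes; a NAPT (address, port) pair is freed at once."""
        if self.no_pat:
            left = self.sessions.get(flow.src_ip, 0) - 1
            if left <= 0:
                self.sessions.pop(flow.src_ip, None)
                self.no_pat_map.pop(flow.src_ip, None)
            else:
                self.sessions[flow.src_ip] = left
        else:
            pair = self.napt_map.pop((flow.src_ip, flow.src_port), None)
            if pair is not None:
                self.napt_used.discard(pair)


def demo(no_pat):
    """Constructed scenario: a two-address pool, three permitted hosts in
    10.1.1.0/24 and one host the ACL does not permit."""
    nat = DynamicNat(["10.1.1.0/24"], "198.51.100.10", "198.51.100.11", no_pat)
    hosts = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]
    results = [nat.translate(Flow(h, 40000, "203.0.113.5", 80)) for h in hosts]
    denied = nat.translate(Flow("10.1.2.9", 40000, "203.0.113.5", 80))
    return results, denied
```

With no_pat=True the third host gets no translation until another host's last session is released; with no_pat=False all three share the first pool address on distinct ports.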
NOTE:
For more information about ACLs, see Access Control Configuration Guide.

Configuring NAT address pools

You can configure NAT address pools in two ways:
Configure an address pool that consists of a set of consecutive addresses.
Configure an address group that can contain several members. Each member specifies an address pool that consists of a set of consecutive addresses. The address pools of different members need not be consecutive.

The NAT device selects an IP address from a specified NAT address pool as the source address of a packet.

Follow these steps to configure an address pool:
1. Enter system view.
   system-view
2. Configure an address pool. (Required. Not necessary when the router provides only Easy IP, where an interface's public IP address is used as the translated IP address.)
   nat address-group group-number start-address end-address

Follow these steps to configure an address group:
1. Enter system view.
   system-view
2. Create an address group and enter its view. (Required)
   nat address-group group-number
3. Add a member to the address group. (Required)
   address start-address end-address

NOTE:
Address pools must not overlap. The IP address pools of address group members must not overlap with each other or with other address pools.

Configuring Easy IP

Easy IP allows the firewall to use the IP address of one of its interfaces as the source address of NATed packets.

Follow these steps to configure Easy IP:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Enable Easy IP by associating an ACL with the IP address of the interface. (Required)
   nat outbound [ acl-number ] [ track vrrp virtual-router-id ]

Configuring No-PAT

With a specific ACL associated with an address pool or interface address, No-PAT translates the source address of a packet permitted by the ACL into an IP address from the address pool or the interface address, without using the port information.

Follow these steps to configure No-PAT:
1. Enter system view.
   system-view

2. Enter interface view.
   interface interface-type interface-number
3. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface, translating only IP addresses. (Required)
   nat outbound [ acl-number ] address-group group-number [ vpn-instance vpn-instance-name ] no-pat [ track vrrp virtual-router-id ]

Configuring NAPT

With a specific ACL associated with an address pool or interface address, NAPT translates the source address of a packet permitted by the ACL into an IP address from the address pool or the interface address, using the port information as well.

Follow these steps to configure NAPT:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure NAPT by associating an ACL with an IP address pool on the outbound interface, translating both the IP address and the port number. (Required)
   nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] ] [ track vrrp virtual-router-id ]

Configuring an internal server

Introduction to internal server

To configure an internal server, you map an external IP address and port number to the internal server. This is done by executing the nat server command on an interface. Internal server configurations include external network information (external IP address global-address), internal network information (internal IP address local-address), and the internal server protocol type.

Both internal servers and their external IP addresses can support L3VPN. If an internal server belongs to an L3VPN, you also need to specify the vpn-instance-name argument. Without this argument, the internal server does not belong to any VPN.

NOTE:
When you configure an internal server on the NAT service interface, the configuration takes effect on all Layer 3 interfaces bound to this NAT service interface.
Configuring a common internal server

After the internal IP address of a common internal server is mapped to an external IP address, hosts in external networks can access the server located in the internal network.

Follow these steps to configure a common internal server:

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure a common internal server. (Required)
   nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }

CAUTION:
The firewall supports using the interface address as the external address of an internal server, which is the Easy IP feature. If you want to specify an interface, the interface must be a loopback interface and must already exist. If you configure an internal server using Easy IP but do not configure an IP address for the interface, the internal server configuration does not take effect.

Configuring DNS mapping

With DNS mapping, an internal host can access an internal server on the same private network by using the domain name of the internal server when the DNS server resides on the public network.

Follow these steps to configure a DNS mapping:
1. Enter system view.
   system-view
2. Configure a DNS mapping. (Required)
   nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

Displaying and maintaining NAT

All of the following display commands are available in any view.

Display information about NAT address pools:
  display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
Display all NAT configuration information:
  display nat all [ | { begin | exclude | include } regular-expression ]
Display the NAT configuration information:
  display nat bound [ | { begin | exclude | include } regular-expression ]
Display DNS mapping configuration information:
  display nat dns-map [ | { begin | exclude | include } regular-expression ]

Display the internal server information:
  display nat server [ | { begin | exclude | include } regular-expression ]
Display static NAT information:
  display nat static [ | { begin | exclude | include } regular-expression ]
Display NAT statistics:
  display nat statistics [ | { begin | exclude | include } regular-expression ]

One-to-one static NAT configuration example

Network requirements

An internal host /24 uses public address to access the Internet.

Figure 24 Network diagram

Configuration procedure

# As shown in Figure 24, configure the IP addresses for the interfaces. (Details not shown)

# Configure a one-to-one static NAT mapping.
<Firewall> system-view
[Firewall] nat static

# Enable static NAT on interface GigabitEthernet 0/2.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound static
[Firewall-GigabitEthernet0/2] quit

Dynamic NAT configuration example

Network requirements

As shown in Figure 25, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

Figure 25 Network diagram

Configuration procedure

# As shown in Figure 25, configure the IP addresses for the interfaces. (Details not shown)

# Configure address pool 1.
<Firewall> system-view
[Firewall] nat address-group

# Configure ACL 2001, permitting only users from network segment /24 to access the Internet.
[Firewall] acl number 2001
[Firewall-acl-basic-2001] rule permit source
[Firewall-acl-basic-2001] rule deny
[Firewall-acl-basic-2001] quit

# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 0/2.

No-PAT:
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound 2001 address-group 1 no-pat
[Firewall-GigabitEthernet0/2] quit

NAPT:
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound 2001 address-group 1
[Firewall-GigabitEthernet0/2] quit

Common internal server configuration example

Network requirements

As shown in Figure 26, a company provides two web servers, one FTP server, and one SMTP server for external users to access. The internal network address is /16. The internal address for the FTP server is /16, for web server 1 is /16, for web server 2 is /16, and for the SMTP server /16. The company has three public IP addresses ranging from /24 to /24. Specifically, the company has the following requirements:

External hosts can access internal servers with public address /24.
Port 8080 is used for web server 2.

Figure 26 Network diagram

Configuration procedure

# As shown in Figure 26, configure the IP addresses for the interfaces. (Details not shown)

# Enter interface GigabitEthernet 0/2 view.
<Firewall> system-view
[Firewall] interface gigabitethernet 0/2

# Configure the internal FTP server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside ftp

# Configure the internal web server 1.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside www

# Configure the internal web server 2.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside www

# Configure the internal SMTP server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global smtp inside smtp
[Firewall-GigabitEthernet0/2] quit

# Bind the NAT service interface 5/1 with GigabitEthernet 0/2.
[Firewall] interface nat 5/1
[Firewall-NAT5/1] nat binding interface gigabitethernet 0/2
[Firewall-NAT5/1] quit

NAT DNS mapping configuration example

Network requirements

As shown in Figure 27, a company provides Web and FTP services to external users, and uses internal IP network segment /16. The IP addresses of the Web and FTP servers are /16 and /16 respectively. The company has three public addresses /24 through /24. The DNS server is at /24. The public IP address is used to provide services to external users.

External users can use the public address or domain name of the internal servers to access them.

Internal users can access the internal servers by using their domain names.

Figure 27 Network diagram

Configuration procedure

# As shown in Figure 27, configure the IP addresses for the interfaces. (Details not shown)

# Enter the view of interface GigabitEthernet 0/2.
<Firewall> system-view
[Firewall] interface gigabitethernet 0/2

# Configure the internal web server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside www

# Configure the internal FTP server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside ftp
[Firewall-GigabitEthernet0/2] quit

# Configure two DNS mapping entries: map the domain name of the web server to , and ftp.server.com of the FTP server to
[Firewall] nat dns-map domain protocol tcp ip port www
[Firewall] nat dns-map domain ftp.server.com protocol tcp ip port ftp
[Firewall] quit

Verifying the configuration

# After completing the configurations, display the DNS mapping configuration information.
<Firewall> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name:
Global-IP :
Global-port: 80(www)
Protocol : 6(TCP)

Domain-name: ftp.server.com
Global-IP :
Global-port: 21(ftp)
Protocol : 6(TCP)

Host A and Host B can use the domain name to access the web server, and use ftp.server.com to access the FTP server.

Troubleshooting NAT

Symptom 1: abnormal translation of IP addresses

Solution:
Enable debugging for NAT. Try to locate the problem based on the debugging output. Use other commands, if necessary, to further identify the problem. Pay special attention to the source address after the address translation and make sure that this address is the address that you intend to translate to. If not, there may be an address pool problem. Also make sure a route is available between the destination network and the address pool segment. Be aware of the possible effects that the firewall or the ACLs have on NAT, and also check the route configuration.

Symptom 2: internal server functions abnormally

Solution:
Check whether the internal server host is properly configured, and whether the router is correctly configured with respect to the internal server parameters, such as the internal server IP address. It is also possible that the firewall has denied external access to the internal network. You can use the display acl command to verify this. For more information about the firewall, see Attack Protection Configuration Guide.

Configuration guidelines

1. When configuring address pools, note the following:
   An address pool cannot include addresses in other address pools or IP addresses of interfaces with Easy IP enabled.
   Low-priority address pools cannot include addresses in non-low-priority address pools or IP addresses of interfaces with Easy IP enabled.
2. If 6(TCP) or 17(UDP) is not selected as the protocol type when configuring an internal server, you can only configure the mapping between Internal IP and Global IP. In this case, the Internal Port and Global Port options are not available.
3. The address pool, dynamic NAT, static NAT, and internal server configurations can be modified through Web pages. Note that the modification you make takes effect after the former configuration is removed by the system.

NAT-PT configuration

NOTE:
The NAT-PT configuration is available only at the command line interface (CLI).

NAT-PT overview

Application scenario

Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation - Protocol Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access an FTP server in an IPv4 network.

As shown in Figure 28, NAT-PT runs on the device between the IPv4 and IPv6 networks. The address translation is transparent to both the IPv4 and IPv6 networks. Users in the IPv6 and IPv4 networks can communicate without changing their configurations.

Figure 28 Network diagram

Basic concepts

NAT-PT mechanism

There are three NAT-PT mechanisms to realize translation between IPv4 and IPv6 addresses: static mapping, dynamic mapping, and NAPT-PT.

1. Static mapping
Static mappings are manually configured for translation between IPv6 and IPv4 addresses.

2. Dynamic mapping
Dynamic mappings are dynamically generated for translation between IPv6 and IPv4 addresses. Different from static mappings, dynamic mappings are not fixed one-to-one mappings between IPv6 and IPv4 addresses.

3. NAPT-PT

Network Address Port Translation - Protocol Translation (NAPT-PT) realizes TCP/UDP port number translation in addition to static or dynamic address translation. With NAPT-PT, different IPv6 addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different port numbers, so these IPv6 hosts can share one IPv4 address for address translation, which saves IPv4 addresses.

NAT-PT prefix

The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device checks the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device translates the source and destination IPv6 addresses of the packet into IPv4 addresses.
After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the translated source IPv6 address is the configured NAT-PT prefix.

Implementing NAT-PT

Session initiated by an IPv6 host

Figure 29 NAT-PT implementation (session initiated by an IPv6 host)

NAT-PT works as follows:

1. Determines whether to perform NAT-PT
Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device checks the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device considers that the packet needs to be forwarded to the IPv4 network and NAT-PT needs to be performed.

2. Translates the source IP address
The NAT-PT device translates the source IPv6 address of the packet into an IPv4 address according to the static or dynamic mapping on the IPv6 side.

3. Translates the destination IP address
The NAT-PT device translates the destination IPv6 address of the packet into an IPv4 address according to the static mapping, if configured, on the IPv4 network side.
Without any static mapping configured on the IPv4 network side, if the lowest 32 bits of the destination IPv6 address in the packet can be directly translated into a valid IPv4 address, the destination IPv6 address is translated into that IPv4 address. Otherwise, the translation fails.

4. Forwards the packet and stores the mappings
After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses, the NAT-PT device forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT device.

5. Forwards the reply packet according to the stored mappings
Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT device swaps the source and destination IPv4 addresses according to the stored mappings and forwards the packet to the IPv6 host.

Session initiated by an IPv4 host

The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:

1. Determines whether to perform NAT-PT
Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT device checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the device considers that the packet needs to be forwarded to the IPv6 network and NAT-PT needs to be performed.

2. Translates the source IP address
The NAT-PT device translates the source IPv4 address of the packet into an IPv6 address according to the static or dynamic mapping on the IPv4 side. If no mapping is configured on the IPv4 side, the source IPv4 address combined with the first configured NAT-PT prefix is used as the translated source IPv6 address.

3. Translates the destination IP address
The NAT-PT device translates the destination IPv4 address of the packet into an IPv6 address according to the static mapping on the IPv6 side.

4. Forwards the packet and stores the mappings
After the source and destination IPv4 addresses of the packet are translated into IPv6 addresses, the NAT-PT device forwards the packet to the IPv6 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT device.

5. Forwards the reply packet according to the stored mappings
Upon receiving a reply packet from the IPv6 host to the IPv4 host, the NAT-PT device swaps the source and destination IPv6 addresses according to the stored mappings and forwards the packet to the IPv4 host.
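The five steps above for a session initiated by an IPv6 host, worked through as an added Python model (not the firewall's implementation or code from the guide): prefix check, source translation by static mapping or a pool-backed dynamic mapping on the IPv6 side (the pool policy described later under dynamic mapping policies), destination translation by static mapping on the IPv4 side or the lowest 32 bits, storing the mapping, and swapping the reply. The prefix, addresses and the "valid IPv4 address" test are constructed assumptions.

```python
import ipaddress


def valid_ipv4(addr):
    """Simplified 'valid IPv4 address' test for the lowest-32-bits fallback
    (assumption): reject 0.0.0.0/8, loopback, multicast and 255.255.255.255."""
    n = int(addr)
    return not (n >> 24 == 0 or n == 0xFFFFFFFF
                or addr.is_loopback or addr.is_multicast)


class NatPt:
    """prefix: the 96-bit NAT-PT prefix. v6bound_static: IPv6 -> IPv4 (natpt
    v6bound static). v4bound_static: IPv4 -> IPv6 (natpt v4bound static).
    pool: IPv4 addresses for dynamic mappings of IPv6 sources (No-PAT style)."""

    def __init__(self, prefix, v6bound_static=None, v4bound_static=None, pool=()):
        self.prefix = ipaddress.IPv6Network(prefix)
        if self.prefix.prefixlen != 96:
            raise ValueError("NAT-PT prefix must be 96 bits long")
        self.v6bound = {ipaddress.IPv6Address(k): ipaddress.IPv4Address(v)
                        for k, v in (v6bound_static or {}).items()}
        # Destination lookup goes from the IPv6 address to the IPv4 address.
        self.v4bound_by_v6 = {ipaddress.IPv6Address(v): ipaddress.IPv4Address(k)
                              for k, v in (v4bound_static or {}).items()}
        self.pool = [ipaddress.IPv4Address(a) for a in pool]
        self.dynamic = {}   # IPv6 source -> IPv4 address taken from the pool
        self.bindings = {}  # (IPv4 reply src, IPv4 reply dst) -> (IPv6 src, IPv6 dst)

    def needs_translation(self, dst6):
        """Step 1: translate only if the destination carries the NAT-PT prefix."""
        return ipaddress.IPv6Address(dst6) in self.prefix

    def translate_source(self, src6):
        """Step 2: static mapping on the IPv6 side first, then the dynamic pool."""
        src6 = ipaddress.IPv6Address(src6)
        if src6 in self.v6bound:
            return self.v6bound[src6]
        if src6 not in self.dynamic:
            free = [a for a in self.pool if a not in self.dynamic.values()]
            if not free:
                return None  # pool exhausted: translation fails
            self.dynamic[src6] = free[0]
        return self.dynamic[src6]

    def translate_destination(self, dst6):
        """Step 3: static mapping on the IPv4 side, else the lowest 32 bits."""
        dst6 = ipaddress.IPv6Address(dst6)
        if dst6 in self.v4bound_by_v6:
            return self.v4bound_by_v6[dst6]
        candidate = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)
        return candidate if valid_ipv4(candidate) else None

    def outbound(self, src6, dst6):
        """Steps 1-4 for an IPv6 -> IPv4 packet: (src4, dst4) strings, or None
        when the packet is not translated or translation fails."""
        if not self.needs_translation(dst6):
            return None
        src4 = self.translate_source(src6)
        dst4 = self.translate_destination(dst6)
        if src4 is None or dst4 is None:
            return None
        # Step 4: store the mapping, keyed the way the IPv4 reply will arrive.
        self.bindings[(dst4, src4)] = (ipaddress.IPv6Address(dst6),
                                       ipaddress.IPv6Address(src6))
        return str(src4), str(dst4)

    def reply(self, src4, dst4):
        """Step 5: swap the reply's IPv4 addresses back using the stored mapping."""
        key = (ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4))
        if key not in self.bindings:
            return None
        reply_src6, reply_dst6 = self.bindings[key]
        return str(reply_src6), str(reply_dst6)


def demo():
    """Constructed scenario: IPv4 server 198.51.100.5 is reached as
    prefix + c633:6405; 2001:db8:ffff::1 is statically mapped on the IPv4 side."""
    natpt = NatPt("2001:db8:ffff::/96",
                  v6bound_static={"2001:db8:1::10": "192.0.2.10"},
                  v4bound_static={"203.0.113.9": "2001:db8:ffff::1"},
                  pool=["192.0.2.100"])
    server = "2001:db8:ffff::c633:6405"
    return {
        "static_src": natpt.outbound("2001:db8:1::10", server),
        "reply": natpt.reply("198.51.100.5", "192.0.2.10"),
        "dynamic_src": natpt.outbound("2001:db8:1::20", server),
        "pool_exhausted": natpt.outbound("2001:db8:1::30", server),
        "static_dst": natpt.outbound("2001:db8:1::10", "2001:db8:ffff::1"),
        "bad_low32": natpt.outbound("2001:db8:1::10", "2001:db8:ffff::5"),
        "no_prefix": natpt.outbound("2001:db8:1::10", "2001:db8:2::1"),
    }
```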
NAT-PT limitations

NAT-PT has the following limitations:
In NAT-PT translation, the request and response packets of a session must be processed by the same NAT-PT device.
The Options field in the IPv4 packet header cannot be translated.
NAT-PT does not provide end-to-end security. Therefore, NAT-PT is not recommended in some applications. For example, tunneling is recommended where an IPv6 host needs to communicate with another IPv6 host across an IPv4 network.
Currently, NAT-PT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File Transfer Protocol (FTP), and other protocols that run over the network layer protocol but carry no address information in their protocol messages.

Protocols and standards

RFC 2765, Stateless IP/ICMP Translation Algorithm
RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)

NAT-PT configuration task list

NAT-PT configuration task list on the IPv6 side

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:

Enabling NAT-PT: Required.
Configuring a NAT-PT prefix: Required.
Configuring IPv4/IPv6 address mappings on the IPv6 side: Required.
Configuring a static mapping on the IPv4 side: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address.
Setting the ToS field after NAT-PT translation: Optional.

NAT-PT configuration task list on the IPv4 side

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:

Enabling NAT-PT: Required.
Configuring a NAT-PT prefix: Required.
Configuring IPv4/IPv6 address mappings on the IPv4 side: Optional. If no IPv4/IPv6 address mapping is configured, the source IPv4 address combined with the first configured NAT-PT prefix is used as the translated source IPv6 address.
Configuring IPv4/IPv6 address mappings on the IPv4 side, or Configuring static NAPT-PT mappings of IPv6 servers: Required. Complete either task.
Setting the traffic class field after NAT-PT translation: Optional.

Configuring NAT-PT

Configuration prerequisites

Before implementing NAT-PT, you need to:
Enable IPv6 on the firewall. For more information, see Network Management Configuration Guide.
Configure an IPv4 or IPv6 address as required on the interface to be enabled with NAT-PT.

Enabling NAT-PT

After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the firewall can implement translation between IPv4 and IPv6 addresses.

Follow these steps to enable NAT-PT:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Enable NAT-PT on the interface. (Required. Disabled by default.)
   natpt enable

NOTE:
The natpt enable command enables both NAT-PT and Address Family Translation (AFT). For information about AFT, see VPN Configuration Guide. Do not configure NAT-PT and AFT on the same device.

Configuring a NAT-PT prefix

Follow these steps to configure a NAT-PT prefix:
1. Enter system view.
   system-view
2. Configure a NAT-PT prefix. (Required)
   natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]

CAUTION:
The NAT-PT prefix must not be the same as the IPv6 address prefix of the NAT-PT enabled interface on the IPv6 network.
To delete a NAT-PT prefix that has been referenced by the natpt v4bound dynamic or natpt v6bound dynamic command, you must cancel the referencing configuration first.

Configuring IPv4/IPv6 address mappings on the IPv6 side

IPv4/IPv6 address mappings on the IPv6 side can be static or dynamic.

Configuring a static mapping on the IPv6 side

A static mapping on the IPv6 side defines a one-to-one correspondence between an IPv4 address and an IPv6 address. If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static mapping, the source IPv6 address is translated into the corresponding IPv4 address. If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static mapping, the destination IPv4 address is translated into the corresponding IPv6 address.

Follow these steps to configure a static IPv4/IPv6 address mapping on the IPv6 side:

1. Enter system view.
   system-view
2. Configure a static IPv4/IPv6 address mapping on the IPv6 side. (Required)
   natpt v6bound static ipv6-address ipv4-address

Configuring a dynamic mapping policy on the IPv6 side

A dynamic IPv4/IPv6 mapping policy on the IPv6 side works as follows: if the source IPv6 address matches a specified IPv6 ACL, or the destination IPv6 address carries the specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address from a specified NAT-PT address pool or into the IPv4 address of a specified interface. The firewall provides four dynamic mapping policies.

Policy 1: Associate an IPv6 ACL with an address pool. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into an IPv4 address from the specified address pool.
Policy 2: Associate an IPv6 ACL with an interface address. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into the IPv4 address of the specified interface.
Policy 3: Associate a NAT-PT prefix with an address pool. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address is translated into an IPv4 address from the specified address pool.
Policy 4: Associate a NAT-PT prefix with an interface address. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address is translated into the IPv4 address of the specified interface.

To use policy 1 or 3, you must configure a NAT-PT address pool first. A NAT-PT address pool is a group of contiguous IPv4 addresses used to translate an IPv6 address into an IPv4 address dynamically. When an IPv6 packet is sent from an IPv6 network to an IPv4 network and policy 1 or 3 is set, the NAT-PT device selects an IPv4 address from the NAT-PT address pool as the source IPv4 address of the translated packet.
Follow these steps to configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side:
1. Enter system view.
   system-view
2. Configure a NAT-PT address pool. (Required for policies 1 and 3, in which the source IPv6 address is translated into an IPv4 address from the specified address pool. Not needed for policies 2 and 4.)
   natpt address-group group-number start-ipv4-address end-ipv4-address

3. Configure the dynamic mapping policy. Use one of the following commands:
   Associate an IPv6 ACL with an address pool (if the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address is translated into an IPv4 address from the specified address pool):
   natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ]
   Associate an IPv6 ACL with an interface address (if the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address is translated into the IPv4 address of the specified interface):
   natpt v6bound dynamic acl6 number acl-number interface interface-type interface-number
   Associate a NAT-PT prefix with an address pool (if the destination IPv6 address of an IPv6 packet matches the specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address from the specified address pool):
   natpt v6bound dynamic prefix natpt-prefix address-group address-group [ no-pat ]
   Associate a NAT-PT prefix with an interface address (if the destination IPv6 address of an IPv6 packet matches the specified NAT-PT prefix, the source IPv6 address is translated into the IPv4 address of the specified interface):
   natpt v6bound dynamic prefix natpt-prefix interface interface-type interface-number

NOTE:
The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with the natpt prefix command.
If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses, and the end IPv4 address in the address pool is used for NAPT-PT.
For ACL configuration, see Access Control Configuration Guide.

Configuring IPv4/IPv6 address mappings on the IPv4 side

IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic.
Configuring a static mapping on the IPv4 side

A static IPv4/IPv6 address mapping on the IPv4 side defines a one-to-one correspondence between an IPv4 address and an IPv6 address. If the source IPv4 address of a packet sent from an IPv4 host to an IPv6 host matches a static IPv4/IPv6 address mapping, the source IPv4 address is translated into the corresponding IPv6 address. If the destination IPv6 address of a packet sent from an IPv6 host to an IPv4 host matches a static IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4 address.

Follow these steps to configure a static IPv4/IPv6 address mapping on the IPv4 side:

1. Enter system view.
   Command: system-view

2. Configure a static IPv4/IPv6 address mapping on the IPv4 side.
   Command: natpt v4bound static ipv4-address ipv6-address
   Remarks: Required.

Configuring a dynamic mapping policy on the IPv4 side

With a dynamic IPv4/IPv6 address mapping policy on the IPv4 side, if the source IPv4 address of a packet matches the specified ACL, the translated IPv6 address is formed by combining the NAT-PT prefix with the source IPv4 address: the prefix occupies the high-order 96 bits and the IPv4 address the low-order 32 bits of the IPv6 address.

Follow these steps to configure a dynamic IPv4/IPv6 mapping policy on the IPv4 side:

1. Enter system view.
   Command: system-view

2. Configure a dynamic IPv4/IPv6 source address mapping policy on the IPv4 side.
   Command: natpt v4bound dynamic acl number acl-number prefix natpt-prefix
   Remarks: Required.

NOTE:
The natpt-prefix argument specified in the natpt v4bound dynamic acl number acl-number prefix natpt-prefix command must already have been configured with the natpt prefix command.
For more information about ACLs, see Access Control Configuration Guide.

Setting the ToS field after NAT-PT translation

You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0 means the service priority of the translated packet is set to the lowest value. Unchanged means the existing service priority is carried over.

Follow these steps to set the ToS field in packets after NAT-PT translation:

1. Enter system view.
   Command: system-view

2. Set the ToS field in IPv4 packets translated from IPv6 packets to 0.
   Command: natpt turn-off tos
   Remarks: Required. By default, the ToS field of a translated IPv4 packet takes the value of the Traffic Class field in the corresponding IPv6 packet.
Setting the Traffic Class field after NAT-PT translation

You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged. 0 means the service priority of the translated packet is set to the lowest value. Unchanged means the existing service priority is carried over.

Follow these steps to set the Traffic Class field in packets after NAT-PT translation:

1. Enter system view.
   Command: system-view

2. Set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0.
   Command: natpt turn-off traffic-class
   Remarks: Required. By default, the Traffic Class field of a translated IPv6 packet takes the value of the ToS field in the corresponding IPv4 packet.

Configuring static NAPT-PT mappings of IPv6 servers

Generally, a server on an IPv6 network, such as an FTP, Web, or Telnet server, provides services to IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can configure a static NAPT-PT mapping between the server's IPv6 address plus port number and an IPv4 address plus port number.

On receiving an access request for an IPv6 server from an IPv4 host, the NAT-PT device checks the destination address and port number of the packet against the static address/port mappings of IPv6 servers. On a match, the firewall translates the source IPv4 address of the packet into an IPv6 address according to the IPv4/IPv6 address mapping on the IPv4 side (static or dynamic), and translates the destination IPv4 address and port number into the server's IPv6 address and port number according to the static address/port mapping. A request whose destination does not match any mapping is not forwarded to the IPv6 network.

When configuring a static address/port mapping for an IPv6 server, you must specify:
- Protocol type: the transport layer protocol used by the server, TCP or UDP.
- IPv4 address and port number of the server, which IPv4 hosts use to access it.
- IPv6 address and port number of the server.

Follow these steps to configure a static NAPT-PT mapping for an IPv6 server:

1. Enter system view.
   Command: system-view

2. Configure a static address and port number mapping for an IPv6 server.
   Command: natpt v4bound static v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number
   Remarks: Required.

Displaying and maintaining NAT-PT

- Display all NAT-PT configuration information: display natpt all [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display NAT-PT address pool configuration information: display natpt address-group [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display the static and dynamic NAT-PT address mappings: display natpt address-mapping [ | { begin | exclude | include } regular-expression ] (available in any view)
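The following Python model is added here as an illustration of the mapping policies described in this section; it is not HP or Comware code and does not reproduce the device's real port selection or session timers. With constructed addresses it works through a v6bound dynamic policy that matches the NAT-PT prefix 3001::/96 and draws from a two-address pool, first with no-pat (one IPv4 address per IPv6 host, which runs out on the third host, the failure mode listed under Troubleshooting NAT-PT later in this chapter) and then as NAPT-PT (every host shares the pool's end address and is told apart by port); a v4bound dynamic policy, which places the IPv4 source address in the low-order 32 bits of the prefix; and a v4bound static v6server mapping for a TCP service. The pool range 192.0.2.10 to 192.0.2.11, the server addresses and the port allocator starting at 1024 are assumptions of the example.

```python
"""Model of NAT-PT address mapping policies (added example; not HP/Comware
code).  All addresses, pool ranges and ports below are constructed."""
import ipaddress
import itertools


class NatPt:
    def __init__(self, prefix, pool_start, pool_end):
        # A NAT-PT prefix is a /96: the low 32 bits carry an IPv4 address.
        self.prefix = ipaddress.IPv6Network(f"{prefix}/96")
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [ipaddress.IPv4Address(i) for i in range(start, end + 1)]
        self.free = list(self.pool)              # unbound pool addresses (no-pat)
        self.v6_to_v4 = {}                       # no-pat bindings: IPv6 host -> IPv4
        self.napt_ports = itertools.count(1024)  # assumed port allocator for NAPT-PT
        self.v6servers = {}                      # (proto, v4addr, v4port) -> (v6addr, v6port)

    def embed(self, v4):
        """v4bound dynamic: NAT-PT prefix + IPv4 address -> IPv6 address."""
        return ipaddress.IPv6Address(
            int(self.prefix.network_address) | int(ipaddress.IPv4Address(v4)))

    def extract(self, v6):
        """Inverse: the low 32 bits of an IPv6 address that matches the prefix."""
        v6 = ipaddress.IPv6Address(v6)
        if v6 not in self.prefix:
            raise ValueError(f"{v6} does not match NAT-PT prefix {self.prefix}")
        return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

    def v6bound(self, src6, dst6, sport, no_pat=False):
        """natpt v6bound dynamic prefix ... address-group ... [no-pat].
        Returns the translated (src4, sport4, dst4) for an IPv6-originated flow."""
        dst4 = self.extract(dst6)  # the policy matches on the destination prefix
        if no_pat:
            # Address-only mapping: one pool address per IPv6 host.
            if src6 not in self.v6_to_v4:
                if not self.free:
                    raise RuntimeError("NAT-PT address pool exhausted")
                self.v6_to_v4[src6] = self.free.pop(0)
            return str(self.v6_to_v4[src6]), sport, str(dst4)
        # NAPT-PT: all hosts share the pool's end address, distinguished by port.
        return str(self.pool[-1]), next(self.napt_ports), str(dst4)

    def add_v6server(self, proto, v4addr, v4port, v6addr, v6port):
        """natpt v4bound static v6server protocol ... ipv4 port ipv6 port."""
        self.v6servers[(proto, v4addr, v4port)] = (v6addr, v6port)

    def v4bound(self, proto, src4, dst4, dport):
        """IPv4 host -> IPv6 server: source via the prefix, destination via
        the static mapping; no mapping means the request is not forwarded."""
        key = (proto, dst4, dport)
        if key not in self.v6servers:
            raise LookupError("no static v6server mapping for this destination")
        v6addr, v6port = self.v6servers[key]
        return str(self.embed(src4)), v6addr, v6port


def demo():
    nat = NatPt("3001::", "192.0.2.10", "192.0.2.11")  # constructed pool
    nat.add_v6server("tcp", "192.0.2.1", 80, "2001::2", 8080)
    results = {}
    # no-pat: two hosts fit, the third exhausts the pool (troubleshooting symptom)
    results["h1"] = nat.v6bound("2001::2", "3001::0800:0002", 32768, no_pat=True)
    results["h2"] = nat.v6bound("2001::3", "3001::0800:0002", 32768, no_pat=True)
    try:
        nat.v6bound("2001::4", "3001::0800:0002", 32768, no_pat=True)
        results["h3"] = "translated"
    except RuntimeError as err:
        results["h3"] = str(err)
    # NAPT-PT still serves the third host from the pool's end address
    results["napt"] = nat.v6bound("2001::4", "3001::0800:0002", 32768)
    # IPv4 host 192.0.2.5 reaching the IPv6 web server through the static mapping
    results["srv"] = nat.v4bound("tcp", "192.0.2.5", "192.0.2.1", 80)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The destination 3001::0800:0002 in the demo is the one pinged in the first configuration example below; its low 32 bits decode to the IPv4 address 8.0.0.2, which is the prefix-based translation the v6bound policy applies to destinations.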

- Display NAT-PT statistics: display natpt statistics [ | { begin | exclude | include } regular-expression ] (available in any view)
- Clear all NAT-PT statistics: reset natpt statistics (available in user view)

NAT-PT configuration examples

Configuring dynamic mapping on the IPv6 side

Network requirements
As shown in Figure 30, Firewall C with IPv6 address 2001::2/64 on an IPv6 network needs to access Firewall A with IPv4 address /24 on an IPv4 network, while Firewall A must not be able to initiate sessions to Firewall C. To meet these requirements, configure Firewall B, which sits between the IPv4 network and the IPv6 network, as a NAT-PT device, and configure dynamic mapping policies on the IPv6 side on Firewall B, so that IPv6 hosts can access IPv4 hosts but IPv4 hosts cannot access IPv6 hosts (an IPv6 host has no IPv4 binding until it initiates a session).

Figure 30 Network diagram (Firewall A on the IPv4 network; Firewall B with GE0/1 on the IPv4 side and GE0/2, 2001::1/64, on the IPv6 side; Firewall C, 2001::2/64, on the IPv6 network)

Configuring Firewall B (NAT-PT device)
# Configure interface addresses and enable NAT-PT on the interfaces.
<FirewallB> system-view
[FirewallB] ipv6
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ip address
[FirewallB-GigabitEthernet0/1] natpt enable
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet0/2] ipv6 address 2001::1/64
[FirewallB-GigabitEthernet0/2] natpt enable
[FirewallB-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[FirewallB] natpt prefix 3001::
# Configure a NAT-PT address pool.
[FirewallB] natpt address-group
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[FirewallB] natpt v6bound dynamic prefix 3001:: address-group 1

Configuring Firewall A on the IPv4 side
# Configure a static route to subnet /24.
<FirewallA> system-view
[FirewallA] ip route-static

Configuring Firewall C on the IPv6 side
# Enable IPv6.
<FirewallC> system-view
[FirewallC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[FirewallC] ipv6 route-static 3001:: ::1

Verifying the configuration
After the configurations are complete, the ping ipv6 3001::0800:0002 command on Firewall C receives response packets (the low 32 bits of the destination, 0800:0002, carry the IPv4 address 8.0.0.2 that Firewall B extracts as the IPv4 destination). The established NAT-PT session is visible on Firewall B:

<FirewallB> display session table verbose
Initiator:
  Source IP/Port : 2001::0002/32768
  Dest IP/Port : 3001::0800:0002/43984
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : /0
  Dest IP/Port : /12289
  VPN-Instance/VLAN ID/VLL ID:
Pro: ICMPv6(58) App: unknown State: ICMP-CLOSED
Start time: :41:29 TTL: 26s
Root Zone(in): Zone(out):
Received packet(s)(init): 5 packet(s) 520 byte(s)
Received packet(s)(reply): 5 packet(s) 420 byte(s)

Configuring static mappings on the IPv4 side and the IPv6 side

Network requirements
As shown in Figure 31, Firewall C with IPv6 address 2001::2/64 on an IPv6 network must be able to communicate with Firewall A with IPv4 address /24 on an IPv4 network, with either side initiating. To meet this requirement, configure Firewall B, which sits between the IPv4 network and the IPv6 network, as a NAT-PT device, and configure static mappings on both the IPv4 side and the IPv6 side on Firewall B, so that Firewall A and Firewall C can communicate with each other.

Figure 31 Network diagram (Firewall A on the IPv4 network; Firewall B with GE0/1 on the IPv4 side and GE0/2, 2001::1/64, on the IPv6 side; Firewall C, 2001::2/64, on the IPv6 network)

Configuring Firewall B
# Configure interface addresses and enable NAT-PT on the interfaces.
<FirewallB> system-view
[FirewallB] ipv6
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ip address
[FirewallB-GigabitEthernet0/1] natpt enable
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet0/2] ipv6 address 2001::1/64
[FirewallB-GigabitEthernet0/2] natpt enable
[FirewallB-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[FirewallB] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side (Firewall A's IPv4 address is represented as 3001::5 on the IPv6 side).
[FirewallB] natpt v4bound static ::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side (Firewall C's IPv6 address is represented by an IPv4 address on the IPv4 side).
[FirewallB] natpt v6bound static 2001::

Configuring Firewall A
# Configure a static route to subnet /24.
<FirewallA> system-view
[FirewallA] ip route-static

Configuring Firewall C on the IPv6 side
# Enable IPv6.
<FirewallC> system-view
[FirewallC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[FirewallC] ipv6 route-static 3001:: ::1

Verifying the configuration
After the above configurations, pinging from Firewall A the IPv4 address that is statically mapped to Firewall C receives responses, and the following NAT-PT session appears on Firewall B:

[FirewallB] display session table verbose
Initiator:
  Source IP/Port : /2048
  Dest IP/Port : /1
  VPN-Instance/VLAN ID/VLL ID:

Responder:
  Source IP/Port : 2001::0002/33024
  Dest IP/Port : 3001::0005/1
  VPN-Instance/VLAN ID/VLL ID:
Pro: ICMP(1) App: unknown State: ICMP-CLOSED
Start time: :08:44 TTL: 10s
Root Zone(in): Zone(out):
Received packet(s)(init): 5 packet(s) 420 byte(s)
Received packet(s)(reply): 5 packet(s) 520 byte(s)

In the other direction, the ping ipv6 3001::5 command on Firewall C receives response packets, and the following NAT-PT session appears on Firewall B. Note that 3001::5 is resolved through the static mapping on the IPv4 side rather than by extracting an IPv4 address from the prefix:

[FirewallB] display session table verbose
Initiator:
  Source IP/Port : 2001::0002/32768
  Dest IP/Port : 3001::0005/43986
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : /0
  Dest IP/Port : /43986
  VPN-Instance/VLAN ID/VLL ID:
Pro: ICMPv6(58) App: unknown State: ICMP-CLOSED
Start time: :09:48 TTL: 25s
Root Zone(in): Zone(out):
Received packet(s)(init): 5 packet(s) 520 byte(s)
Received packet(s)(reply): 5 packet(s) 420 byte(s)

Troubleshooting NAT-PT

Symptom: NAT-PT fails when a session is initiated on the IPv6 side.
Solution: Enable debugging for NAT-PT and locate the fault from the firewall's debugging output. Check whether the source address of the packet is translated successfully. If it is not, the address pool may have run out of IPv4 addresses, which happens with no-pat once every pool address is bound to an IPv6 host. Configure a larger address pool, or configure the policy without the no-pat keyword so that NAPT-PT is used and many IPv6 hosts share one IPv4 address.

ALG configuration

ALG overview

The application level gateway (ALG) feature processes application layer packets. Usually, Network Address Translation (NAT) translates only the IP address and port information in packet headers and does not analyze the application layer payload. However, the payloads of some protocols carry IP address or port information which, if left untranslated, breaks the application. For example, File Transfer Protocol (FTP) uses both a control connection and a data connection, and the data connection is established dynamically from address and port information carried in the payload of the control connection. ALG processes that payload information so that the corresponding data connections can be established.

Currently, ALG can work with NAT and Application Specific Packet Filter (ASPF) to implement the following functions:
- Address translation: resolving the source IP address, port, protocol type (TCP or UDP), and remote IP address information carried in packet payloads.
- Data connection detection: extracting the information required for data connection establishment and establishing the data connections used for data exchange.
- Application layer status checking: inspecting the state of the application layer protocol in packets. If the state is valid, the packet state machine is updated and processing continues; otherwise, the packet with the invalid state is dropped.
Support for these functions depends on the application layer protocol.
ALG can process packets of the following protocols:
- Internet Control Message Protocol (ICMP)
- File Transfer Protocol (FTP)
- Domain Name System (DNS)
- Real Time Streaming Protocol (RTSP)
- H.323, including Registration, Admission, Status (RAS), H.225, and H.245
- Session Initiation Protocol (SIP)
- SQLNET (Oracle's SQL*Net network protocol)
- Point-to-Point Tunneling Protocol (PPTP)
- Internet Locator Service (ILS)
- NetBIOS over TCP/IP (NBT)
- MSN/QQ
- Trivial File Transfer Protocol (TFTP)
- Skinny Client Control Protocol (SCCP)
- GPRS Tunneling Protocol (GTP)

The following describes the operation of an ALG-enabled device, taking FTP as an example. As shown in Figure 32, a host on the outside network accesses the FTP server on the inside network in passive (PASV) mode through the ALG-enabled device.

Figure 32 Network diagram for ALG-enabled FTP application in PASV mode

The communication process includes the following stages:
1. Establishing a control connection. The host sends a TCP connection request to the server. Once the TCP connection is established, the server and the host enter the user authentication stage.
2. Authenticating the user. The host sends the server an authentication request carrying the FTP commands (USER and PASS) and their arguments. As the request passes through the ALG-enabled device, the commands in the payload are parsed and checked against the FTP state machine; a request whose state transition is invalid is dropped. In this way, ALG protects the server from clients that send commands out of state or try to log in with illegal user accounts. A request with a correct state is forwarded to the server, which authenticates the host using the information in the packet.
3. Establishing a data connection. If the host passes authentication, a data connection is established between it and the server. In passive mode the server answers the host's PASV command with its own private network address and port number (IP1, Port1) in the payload. When the response reaches the ALG-enabled device, the device parses the payload and rewrites the server's private address and port into the server's public network address and port number (IP2, Port2). The host then connects to (IP2, Port2), and the device translates that data connection back to (IP1, Port1) on the server.
4. Exchanging data. The host and the FTP server exchange data over the established data connection.
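The PASV rewrite in stage 3 is the part of FTP ALG that header-only NAT cannot do. The following Python sketch is added here as an example and is not code from the HP product: it parses a constructed 227 reply, rewrites the embedded (IP1, Port1) to the public (IP2, Port2), records the pinhole so that the inbound data-connection SYN can be translated back, and declines to open a pinhole when the payload names an address other than the server that owns the control session (the check that stops a misbehaving or spoofing server from pointing a hole at another internal host). The addresses 10.1.1.2 and 192.0.2.10 and the public port range starting at 40000 are assumptions of the example.

```python
"""Miniature FTP PASV ALG (added example; not HP/Comware code).
Sample FTP replies and addresses below are constructed."""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Decode a 227 reply into (ip, port); reject malformed fields."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a PASV reply: " + line.strip())
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV field out of range")  # hostile or broken payload
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_pasv(ip, port):
    """Encode (ip, port) back into the 227 wire format."""
    octets = ",".join(ip.split("."))
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})\r\n"


class FtpAlg:
    def __init__(self, private_ip, public_ip, first_port=40000):
        self.private_ip = private_ip      # IP1: the server the control session fronts
        self.public_ip = public_ip        # IP2: its NAT'd public address
        self.next_port = first_port       # assumed allocator for Port2
        self.pinholes = {}                # (IP2, Port2) -> (IP1, Port1)

    def rewrite_pasv(self, reply):
        """Translate IP1:Port1 in the payload to IP2:Port2 and open a pinhole.
        Returns (reply_to_forward, public_tuple_or_None)."""
        ip, port = parse_pasv(reply)
        if ip != self.private_ip:
            # Payload names another host: forward unchanged, open nothing.
            return reply, None
        pub_port = self.next_port
        self.next_port += 1
        self.pinholes[(self.public_ip, pub_port)] = (ip, port)
        return build_pasv(self.public_ip, pub_port), (self.public_ip, pub_port)

    def translate_data_syn(self, dst_ip, dst_port):
        """Inbound data-connection SYN: map the public tuple to the private
        one through the pinhole; None means no pinhole, so the SYN is dropped."""
        return self.pinholes.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("10.1.1.2", "192.0.2.10")
    out, hole = alg.rewrite_pasv("227 Entering Passive Mode (10,1,1,2,4,1)\r\n")
    print(out.strip(), hole, alg.translate_data_syn(*hole))
```

Because the pinhole is keyed by the exact public tuple the host was told, a SYN to any other port on the public address has no mapping and is dropped, which is the behaviour the data connection detection function above relies on.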

Configuring ALG in the web interface

NOTE: By default, the ALG function is enabled for all protocols.

In the navigation tree, select Firewall > ALG to enter the page shown in Figure 33.

Figure 33 ALG configuration page

To enable ALG for application protocols, select them in the Optional Application Protocols list and click the << button; the protocols move to the Selected Application Protocols list. To disable ALG for application protocols, select them in the Selected Application Protocols list and click the >> button; the protocols move back to the Optional Application Protocols list.

ALG configuration examples in the web interface

NOTE: The following examples describe only ALG-related configurations and assume that the other required configurations on the server and clients have been done.

FTP ALG configuration example

Network requirements
As shown in Figure 34, a company uses the private network segment /24 and has four public network addresses: , , , and . The company wants to provide FTP services to the outside. Configure NAT and ALG on the Firewall so that hosts on the external network can access the FTP server on the internal network.

Figure 34 Network diagram

Configuration procedure
1. Configure ALG.
# Configure FTP ALG. (By default, the FTP ALG function is enabled, so this step is optional.)
Select Firewall > ALG from the navigation tree. Add the FTP protocol to the selected protocol list as shown in Figure 35.
Figure 35 Configure FTP ALG
Select ftp in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list. Click OK.

2. Configure an ACL.
# Create a basic ACL.
Select Firewall > ACL from the navigation tree and, on the page that appears, click Add. Create ACL 2001 as shown in Figure 36.
Figure 36 Add ACL 2001
Enter 2001 in the ACL Number field. Select Config as the match order. Click Apply.
# Configure an ACL rule.
Click the icon of ACL 2001 to enter the ACL rule configuration page, then click Add. Create an ACL rule as shown in Figure 37.
Figure 37 Add an ACL rule
Select Permit as the operation. Click Apply. This rule carries no source address condition, so any internal source reaching GigabitEthernet0/1 is translated; to confine translation to the /24 segment, add a source IP address and wildcard to the permit rule and follow it with a deny rule, as the SIP example in this chapter does.

3. Configure dynamic NAT and the internal server.
# Configure the address pool.
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Address Pool area, click Add. Add a NAT address pool as shown in Figure 38.
Figure 38 Add a NAT address pool
Enter 1 in the Index field. Enter the start IP address and the end IP address of the public address range. Click Apply.
# Configure dynamic NAT.
In the Dynamic NAT area, click Add. Configure dynamic NAT as shown in Figure 39.
Figure 39 Configure dynamic NAT
Select GigabitEthernet0/1. Enter 2001 in the ACL field. Select PAT as the address translation. Enter 1 as the address pool index. Click Apply.
# Configure the internal FTP server.
Select Firewall > NAT > Internal Server from the navigation tree. In the Internal Server area, click Add. Configure an internal FTP server as shown in Figure 40.
Figure 40 Configure an internal FTP server
Select GigabitEthernet0/1. Select 6(TCP) as the protocol type. Enter the public address reserved for the server as the external IP address. Enter 21 as the global port. Enter the FTP server's private address as the internal IP address. Enter 21 as the internal port. Click Apply.

SIP/H.323 ALG configuration example

NOTE: H.323 ALG configuration is similar to SIP ALG configuration. The following takes SIP ALG configuration as an example.

Network requirements
As shown in Figure 41, a company uses the private network segment /24 and has four public network addresses: , , , and . SIP UA 1 is on the internal network and SIP UA 2 is on the external network. Configure NAT and ALG on the Firewall so that SIP UA 1 and SIP UA 2 can communicate using their aliases, and SIP UA 1 is translated to an address from the configured public address range when registering with the SIP server on the external network.

Figure 41 Network diagram (UA 1 on the internal /24 segment behind the Firewall; UA 2 and the SIP server on the Internet side)

Configuration procedure
1. Configure ALG.
# Configure SIP ALG. (By default, the SIP ALG function is enabled, so this step is optional.)
Select Firewall > ALG from the navigation tree. Add the SIP protocol to the selected protocol list as shown in Figure 42.
Figure 42 Configure SIP ALG
Select sip in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list. Click OK.

2. Configure an ACL.
# Create a basic ACL.
Select Firewall > ACL from the navigation tree and, on the page that appears, click Add. Create ACL 2001 as shown in Figure 43.
Figure 43 Add ACL 2001
Enter 2001 in the ACL Number field. Select Config as the match order. Click Apply.
# Create ACL rules.
Click the icon of ACL 2001 to enter the ACL rule configuration page, then click Add. Create an ACL rule as shown in Figure 44.
Figure 44 Configure an ACL rule to permit packets sourced from /24
Select Permit as the operation. Select Source IP Address, enter the network address of the internal /24 segment as the source IP address and its wildcard mask as the source wildcard. Click Apply.
Click Add. Create a second ACL rule as shown in Figure 45.
Figure 45 Configure an ACL rule to deny packets
Select Deny as the operation. Click Apply. With Config as the match order, the permit rule is evaluated first and this deny rule catches every other source.

3. Configure dynamic NAT.
# Configure the address pool.
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree. In the Address Pool area, click Add. Add a NAT address pool as shown in Figure 46.
Figure 46 Configure a NAT address pool
Enter 1 in the Index field. Enter the start IP address and the end IP address of the public address range. Click Apply.
# Configure dynamic NAT.
In the Dynamic NAT area, click Add. Configure dynamic NAT as shown in Figure 47.
Figure 47 Configure dynamic NAT
Select GigabitEthernet0/1. Enter 2001 in the ACL field. Select PAT as the address translation. Enter 1 as the address pool index. Click Apply.

NBT ALG configuration example

Network requirements
As shown in Figure 48, a company using the private network segment /24 wants to provide NBT services to the outside. Configure NAT and ALG on the Firewall so that Host A and the WINS server each use a fixed public address as their external IP address, and Host B on the external network can reach the WINS server and Host A by host name.

Figure 48 Network diagram

Configuration procedure
1. Configure ALG.
# Configure NBT ALG. (By default, the NBT ALG function is enabled, so this step is optional.)
Select Firewall > ALG from the navigation tree. Add the NBT protocol to the selected protocol list as shown in Figure 49.

Figure 49 Configure NBT ALG
Select nbt in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list. Click OK.

2. Configure static NAT and the internal server.
# Configure a static address mapping.
Select Firewall > NAT > Static NAT from the navigation tree. In the Static Address Mapping area, click Add. Configure the static address mapping as shown in Figure 50.
Figure 50 Configure static address mapping
Enter Host A's private address as the internal IP address. Enter the public address reserved for Host A as the global IP address. Click Apply.
# Configure static NAT for interface GigabitEthernet 0/1.
In the Interface Static Translation area, click Add. Configure interface static translation as shown in Figure 51.
Figure 51 Configure interface static translation
Select GigabitEthernet0/1. Click Apply.
# Configure the internal WINS server.
Select Firewall > NAT > Internal Server from the navigation tree. In the Internal Server area, click Add. Configure an internal WINS server as shown in Figure 52.
Figure 52 Configure an internal WINS server
Select GigabitEthernet0/1. Select 17(UDP) as the protocol type. Enter the public address reserved for the WINS server as the external IP address. Enter 137 as the global port. Enter the WINS server's private address as the internal IP address. Enter 137 as the internal port. Click Apply.
In the Internal Server area, click Add again and configure a second internal server entry for the WINS server in the same way as in Figure 52: select GigabitEthernet0/1, select 17(UDP) as the protocol type, enter the same external IP address, and enter 138 as the global port.


HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series IRF Command Reference Part number: 5998-2881 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

More information

Stateful Network Address Translation 64

Stateful Network Address Translation 64 The feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa. The stateful NAT64 translator algorithmically translates the IPv4 addresses of IPv4 hosts to

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-1813 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade s Part number: 5998-3152 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW HP MSR Router Series IPX Configuration Guide(V5) Part number: 5998-8183 Software version: CMW520-R2513 Document version: 6PW106-20150808 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

HP 5130 EI Switch Series

HP 5130 EI Switch Series HP 5130 EI Switch Series ACL and QoS Configuration Guide Part number: 5998-5471a Software version: Release 31xx Document version: 6W100-20150731 Legal and notice information Copyright 2015 Hewlett-Packard

More information

HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring. Configuration Guide. Abstract

HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring. Configuration Guide. Abstract HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the

More information

Finding Feature Information

Finding Feature Information This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series EVPN Configuration Guide Part number: 5200-2002b Software version: Release 25xx Document version: 6W102-20170830 Copyright 2017 Hewlett Packard Enterprise Development

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-6688 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015

More information

HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine

HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Network Management and Monitoring Configuration Guide Part number: 5998-3936 Software version: 3308P26 Document version: 6W101-20130628 Legal

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade Command s Part number: 5998-3163 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter includes the following sections: Network Address Translation Overview, on page 1 Information About Static NAT, on page 2 Dynamic NAT Overview, on page 3 Timeout Mechanisms, on page 3 NAT Inside

More information

HP 10500/ G Unified Wired-WLAN Module

HP 10500/ G Unified Wired-WLAN Module HP 10500/7500 20G Unified Wired-WLAN Module Fundamentals Configuration Guide Part number: 5998-3914 Software version: 2308P29 (HP 10500/7500 20G Unified Wired-WLAN Module) Document version: 6W102-20131112

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 3 - IP Services Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series ACL and QoS Configuration Guide Part number: 5998-2354 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-2900 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright

More information

HP Intelligent Management Center

HP Intelligent Management Center HP Intelligent Management Center VAN Connection Manager Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators who manage the VCM.

More information

HP VSR1000 Virtual Services Router

HP VSR1000 Virtual Services Router HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

More information

Network Address Translation. All you want to know about

Network Address Translation. All you want to know about Network Address Translation All you want to know about (C) Herbert Haas 2005/03/11 Reasons for NAT Mitigate Internet address depletion Save global addresses (and money) Conserve internal address plan TCP

More information

About the HP MSR Router Series

About the HP MSR Router Series About the HP MSR Router Series Command (V7) Part number: 5998-7731b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract HP 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Layer 2 - LAN Switching Configuration Guide Part number:5998-3155a Software version: Release 2103 and later Document version: 6W102-20141218 Legal and notice information

More information

Implementing NAT-PT for IPv6

Implementing NAT-PT for IPv6 Implementing NAT-PT for IPv6 Last Updated: August 1, 2012 Network Address Translation--Protocol Translation (NAT-PT) is an IPv6 to IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, allowing

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation Configuring NAT for IP Address Conservation Last Updated: November 29, 2012 This module describes how to configure Network Address Translation (NAT) for IP address conservation and configure inside and

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series MPLS Configuration Guide Part number: 5998-3414 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Troubleshooting DHCP server configuration 28

Troubleshooting DHCP server configuration 28 Contents DHCP overview 1 Introduction to DHCP 1 DHCP address allocation 1 Allocation mechanisms 1 Dynamic IP address allocation process 2 IP address lease extension 2 DHCP message format 3 DHCP options

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Layer 2 - LAN Switching Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Match-in-VRF Support for NAT

Match-in-VRF Support for NAT The feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-vpn NAT, both the local and global

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series EVI Configuration Guide Part number: 5998-3419 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series ACL and QoS Configuration Guide Part number: 5998-2897 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Configuring ACLs. ACL overview. ACL categories. ACL numbering and naming

Configuring ACLs. ACL overview. ACL categories. ACL numbering and naming Contents Configuring ACLs 1 ACL overview 1 ACL categories 1 ACL numbering and naming 1 Match order 2 ACL rule numbering 3 Implementing time-based ACL rules 3 IPv4 fragments filtering with ACLs 3 Flow templates

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-7772b Software version: Release 241x Document version: 6W102-20171117 Legal and notice information

More information

HP Switch Series

HP Switch Series HP 10500 Switch Series ACL and QoS Configuration Guide Part number: 5998-5230 Software version: Release 2111P01 and later Document version: 6W101-20140331 Legal and notice information Copyright 2014 Hewlett-Packard

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett

More information

Load Balancing Technology White Paper

Load Balancing Technology White Paper Load Balancing Technology White Paper Keywords: Server, gateway, link, load balancing, SLB, LLB Abstract: This document describes the background, implementation, and operating mechanism of the load balancing

More information

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1. Table 1 IPv4 ACL categories

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1. Table 1 IPv4 ACL categories Table of Contents ACL Configuration 1 ACL Overview 1 IPv4 ACL Classification 1 IPv4 ACL Rule Order 1 Rule Numbering Step with IPv4 ACLs 3 Effective Time Period of an IPv4 ACL 3 IP Fragments Filtering with

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 4 Timeout Mechanisms, page 4 NAT Inside and Outside

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 7 Dynamic NAT, page 12 Dynamic PAT, page 21 Static NAT, page 40 Identity NAT, page

More information

Operation Manual DHCP. Table of Contents

Operation Manual DHCP. Table of Contents Table of Contents Table of Contents Chapter 1 DHCP Overview... 1-1 1.1 DHCP Principles... 1-1 1.1.1 BOOTP Relay Agent... 1-3 1.1.2 DHCP and BOOTP Relay Agent... 1-4 1.2 General DHCP Configuration... 1-4

More information

Information About NAT

Information About NAT CHAPTER 27 This chapter provides an overview of how Network Address Translation (NAT) works on the adaptive security appliance. This chapter includes the following sections: Why Use NAT?, page 27-1 NAT

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Network Management and Monitoring Command Reference Part number: 5998-2889 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright

More information

HP 6125XLG Blade Switch

HP 6125XLG Blade Switch HP 6125XLG Blade Switch Network Management and Monitoring Configuration Guide Part number: 5998-5376a Software version: Release 240x Document version: 6W101-20150515 Legal and notice information Copyright

More information

HP 5130 EI Switch Series

HP 5130 EI Switch Series HP 5130 EI Switch Series IRF Command Reference Part number: 5998-5478a Software version: Release 31xx Document version: 6W100-20150731 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

WLAN high availability

WLAN high availability Technical white paper WLAN high availability Table of contents Overview... 2 WLAN high availability implementation... 3 Fundamental high availability technologies... 3 AP connection priority... 3 AC selection...

More information

DHCP Overview. Introduction to DHCP

DHCP Overview. Introduction to DHCP Table of Contents DHCP Overview 1 Introduction to DHCP 1 DHCP Address Allocation 2 Allocation Mechanisms 2 Dynamic IP Address Allocation Process 2 IP Address Lease Extension 3 DHCP Message Format 3 DHCP

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series EVB Configuration Guide Part number: 5998-3379 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

More information

Network Address Translation Bindings

Network Address Translation Bindings In Network Address Translation (NAT), the term binding describes the address binding between a local address and the global address to which the local address is translated. A binding is also called a

More information

Zone-Based Policy Firewall High Availability

Zone-Based Policy Firewall High Availability The feature enables you to configure pairs of devices to act as backup for each other. High availability can be configured to determine the active device based on a number of failover conditions. When

More information

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 8 Configure NAT, page 12 Translating IPv6 Networks, page 40 Monitoring NAT, page 51

More information

Using NAT in Overlapping Networks

Using NAT in Overlapping Networks Using NAT in Overlapping Networks Document ID: 13774 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Related Information

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series ACL and QoS Configuration Guide Part number: 5998-7761a Software version: Release 241x Document version: 6W102-20151210 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Network Address Translation

Network Address Translation Network Address Translation All you want to know about (C) Herbert Haas 2005/03/11 Reasons for NAT Mitigate Internet address depletion Save global addresses (and money) Conserve internal address plan TCP

More information

Chapter 7. IP Addressing Services. IP Addressing Services. Part I

Chapter 7. IP Addressing Services. IP Addressing Services. Part I Chapter 7 IP Addressing Services Part I CCNA4-1 Chapter 7-1 IP Addressing Services Dynamic Host Configuration Protocol (DHCP) CCNA4-2 Chapter 7-1 Dynamic Host Configuration Protocol (DHCP) Every device

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 2 - LAN Switching Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series IP Multicast Configuration Guide Part number: 5998-3373 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5) H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual

More information

Network Address Translation

Network Address Translation Network Services Network Address Translation Network address translation (NAT) Defined in RFC 3022 Describes methods for connecting private (internal) IP addresses to the Internet NAT uses a one-to-one

More information

Extended ACL Configuration Mode Commands

Extended ACL Configuration Mode Commands Extended ACL Configuration Mode Commands To create and modify extended access lists on a WAAS device for controlling access to interfaces or applications, use the ip access-list extended global configuration

More information

NAT Box-to-Box High-Availability Support

NAT Box-to-Box High-Availability Support The feature enables network-wide protection by making an IP network more resilient to potential link and router failures at the Network Address Translation (NAT) border. NAT box-to-box high-availability

More information