HP Firewalls and UTM Devices


HP Firewalls and UTM Devices
NAT and ALG Configuration Guide

Part number:
Software version:
F1000-A-EI: Feature 3722
F1000-S-EI: Feature 3722
F5000: Feature 3211
F1000-E: Feature 3174
Firewall module: Feature 3174
Enhanced firewall module: ESS 3807
U200-A: ESS 5132
U200-S: ESS 5132
Document version: 6PW

Legal and notice information

Copyright 2012 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Configuring NAT
  Overview
    NAT control
    NAT operation
    Address translation
    Low-priority address pool
  Configuration guidelines
  Configuring NAT in the Web interface
    Recommended configuration procedure
    Creating an address pool
    Configuring dynamic NAT on an interface
    Creating a static address mapping
    Enabling static NAT on an interface
    Configuring an internal server
    Configuring ACL-based NAT on the internal server
    Configuring DNS mapping
    NAT configuration example
    Internal server configuration example
  Configuring NAT at the CLI
    NAT configuration task list
    Configuring static NAT
    Configuring dynamic NAT
    Configuring an internal server
    Configuring ACL-based NAT on an internal server
    Configuring DNS mapping
    Displaying and maintaining NAT
    One-to-one static NAT configuration example
    Dynamic NAT configuration example
    Common internal server configuration example
    NAT DNS mapping configuration example
  Troubleshooting NAT
    Symptom 1
    Solution
    Symptom 2
    Solution
Configuring NAT-PT
  Feature and hardware compatibility
  Overview
    Basic concepts
    Implementing NAT-PT
    NAT-PT limitations
    Protocols and standards
  NAT-PT configuration task list
  Configuration prerequisites
  Enabling NAT-PT
  Configuring a NAT-PT prefix
  Configuring IPv4/IPv6 address mappings on the IPv6 side
    Configuring a static mapping on the IPv6 side
    Configuring a dynamic mapping policy on the IPv6 side
  Configuring IPv4/IPv6 address mappings on the IPv4 side
    Configuring a static mapping on the IPv4 side
    Configuring a dynamic mapping policy on the IPv4 side
  Setting the ToS field after NAT-PT translation
  Setting the traffic class field after NAT-PT translation
  Configuring static NAPT-PT mappings of IPv6 servers
  Displaying and maintaining NAT-PT
  NAT-PT configuration examples
    Configuring dynamic mapping on the IPv6 side
    Configuring static mappings on the IPv4 side and the IPv6 side
  Troubleshooting NAT-PT
    Symptom
    Solution
NAT444
  Feature and hardware compatibility
  Overview
    Features
    Assigning port blocks
    Static mappings
    NAT unlimited connection
    User connection limit
    Full cone NAT
    Multiple routing protocols
  NAT444 configuration task list
  Configuring NAT444 static IP-port mappings
  Configuring NAT444 dynamic IP-port mappings
    Configuration prerequisites
    Configuration procedure
  Configuring Full cone NAT
  Configuring NAT444 logging
  Displaying and maintaining NAT444
  NAT444 configuration examples
    Network requirements
    Configuration procedure
Configuring ALG
  ALG process
  Configuring ALG in the Web interface
    Configuration procedure
    FTP ALG configuration example
    SIP/H.323 ALG configuration example
    NBT ALG configuration example
  Configuring ALG at the CLI
    FTP ALG configuration example
    SIP/H.323 ALG configuration example
    NBT ALG configuration example
Support and other resources
  Contacting HP
    Subscription service
  Related information
    Documents
    Websites
  Conventions
Index

Configuring NAT

Overview

Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to another IP address. NAT enables a large number of private users to access the Internet by using a small number of public IP addresses. NAT effectively alleviates the depletion of IP addresses.

A private IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique. According to RFC 1918, three blocks of IP addresses are reserved for private networks:
- In Class A, to
- In Class B, to
- In Class C, to

No host with an IP address in the three ranges exists on the Internet. You can use those IP addresses in an enterprise network freely without requesting them from an ISP or a registration center.

In addition to translating private addresses to public addresses, NAT can also perform address translation between any two networks. In this document, the two networks refer to an internal network and an external network. Generally, a private network is an internal network, and a public network is an external network.

Figure 1 shows the NAT operation.

Figure 1 NAT operation

1. The internal host with IP address sends an IP packet to the external server with IP address through the NAT device.
2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined to the external network. The NAT device then translates the private address to the globally unique public address and forwards the packet to the server on the external network. Meanwhile, the NAT device adds the mapping of the two addresses into its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is . Upon receiving the packet, the NAT device checks the IP header, looks into its NAT table for the mapping, replaces the destination address with the private address of , and then sends the new packet to the internal host.

The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is and is unaware of the private address . As such, NAT hides the private network from the external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
- Because NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also true of application protocol packets when the contained IP address or port number needs to be translated. For example, you cannot encrypt an FTP connection, or its PORT command cannot work correctly.
- Network debugging becomes more difficult. For example, when a host in a private network tries to attack other networks, it is harder to pinpoint the attacking host because the host IP address has been hidden.

NAT control

Typically, an enterprise allows some hosts in the internal network to access external networks and prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP address is among the denied addresses, the NAT device does not translate the address. In addition, the NAT device only translates private addresses to specified public addresses.

You can achieve NAT control through an access control list (ACL) and an address pool. Only packets matching the ACL rules are served by NAT. An address pool is a collection of consecutive public IP addresses for address translation. You can specify an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.

NAT operation

Basic NAT

As shown in Figure 1, when an internal host accesses an external network, the NAT device uses a public IP address to replace the private source IP address. In Figure 1, NAT uses the IP address of the outgoing interface as the public IP address. All internal hosts use the same public IP address to access external networks, and only one host can access external networks at a given time.

A NAT device can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, the NAT device chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks simultaneously.

The number of public IP addresses that a NAT device needs is usually far less than the number of internal hosts, because not all internal hosts access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.

NAPT

Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT.

NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 2 NAPT operation (outbound packets 1 and 2 from host A, source ports 1111 and 2222, and packet 3 from host B, source port 1111, leave the NAT device with the same public address and source ports 1001, 1002 and 1003)

As shown in Figure 2, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 1 and 3 are from different internal addresses but have the same source port number. NAPT maps the three IP packets to the same external address but with different source port numbers, so the packets can still be differentiated. When receiving the response packets, the NAT device forwards them to the corresponding hosts according to the destination addresses and port numbers. NAPT improves utilization of IP address resources, enabling more internal hosts to access the external network at the same time.

NAPT supports the following NAT mapping behavior modes:
- Endpoint-Independent Mapping: The NAT device uses entries, each of which comprises the source IP address, source port number, and protocol type, to translate addresses and filter packets. The same NAPT mapping applies to packets sent from the same internal IP address and port to any external IP address and port. The NAT device also allows external hosts to access the internal network by using the translated external addresses and port numbers. This mode facilitates communication among hosts that connect to different NAT devices.
- Address and Port-Dependent Mapping: The NAT device uses entries, each comprising the source IP address, source port number, protocol type, destination IP address, and destination port number, to translate addresses and filter packets. For packets with the same source address and source port number but different destination addresses and destination port numbers, different NAPT mappings apply, so that the source address and port number are mapped to the same external IP address but different port numbers. The NAT device allows only the hosts on the corresponding external networks where these destination addresses reside to access the internal network. This mode is secure but inconvenient for communication among hosts that connect to different NAT devices.

Internal server

NAT hides the internal network structure, including the identities of internal hosts. However, some internal hosts, such as an internal Web server or FTP server, may need to be accessed by external hosts. NAT satisfies this need by supporting internal servers.
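The two NAPT mapping behavior modes above differ in what the translation entry is keyed on and, consequently, in which external hosts can reach an internal endpoint through a mapping. The following Python model is an added illustration written for this page; it is not HP firewall code, and every address and port in it (the 203.0.113.1 public address, the 10.1.1.x hosts, the 198.51.100.x servers, the first translated port 1001) is constructed. It replays the three packets of Figure 2 and then shows that an Endpoint-Independent mapping accepts an unsolicited packet from a third host while an Address and Port-Dependent mapping filters it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]      # (IP address, port number)


@dataclass
class NaptTable:
    """NAPT translation table of one device with a single public address.

    mode "eim"  = Endpoint-Independent Mapping
    mode "apdm" = Address and Port-Dependent Mapping
    """
    public_ip: str
    mode: str = "eim"
    next_port: int = 1001       # first translated port handed out (constructed, as in Figure 2)
    outbound: Dict[tuple, Endpoint] = field(default_factory=dict)
    inbound: Dict[tuple, Tuple[Endpoint, Optional[Endpoint]]] = field(default_factory=dict)

    def _key(self, proto: str, src: Endpoint, dst: Endpoint) -> tuple:
        # EIM entries comprise protocol + source; APDM entries also include the destination.
        return (proto, src) if self.mode == "eim" else (proto, src, dst)

    def outbound_packet(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate the source of an outbound packet, creating a mapping on first use."""
        key = self._key(proto, src, dst)
        if key not in self.outbound:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outbound[key] = public
            # EIM: any external host may use the mapping; APDM: only the destination may.
            self.inbound[(proto, public)] = (src, None if self.mode == "eim" else dst)
        return self.outbound[key]

    def inbound_packet(self, proto: str, remote: Endpoint, public: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint an inbound packet is forwarded to, or None if dropped."""
        entry = self.inbound.get((proto, public))
        if entry is None:
            return None                         # no mapping for this public port: dropped
        internal, allowed_remote = entry
        if allowed_remote is not None and allowed_remote != remote:
            return None                         # APDM filter: packet from another remote endpoint
        return internal


def figure2_demo() -> list:
    """Replay Figure 2: packets 1 and 2 from host A (ports 1111, 2222), packet 3 from host B (port 1111)."""
    nat = NaptTable(public_ip="203.0.113.1")    # constructed public address
    server = ("198.51.100.10", 80)              # constructed external server
    packets = [("tcp", ("10.1.1.1", 1111)), ("tcp", ("10.1.1.1", 2222)), ("tcp", ("10.1.1.2", 1111))]
    return [nat.outbound_packet(proto, src, server) for proto, src in packets]


def compare_modes() -> dict:
    """Same internal endpoint talking to two servers; then an unrelated host tries the mapping."""
    host = ("10.1.1.1", 5000)                   # constructed internal endpoint
    srv1, srv2 = ("198.51.100.10", 53), ("198.51.100.20", 53)
    other = ("192.0.2.99", 4444)                # a third external host the internal host never contacted
    result = {}
    for mode in ("eim", "apdm"):
        nat = NaptTable("203.0.113.1", mode)
        pub1 = nat.outbound_packet("udp", host, srv1)
        pub2 = nat.outbound_packet("udp", host, srv2)
        result[mode] = {
            "same_mapping": pub1 == pub2,
            "reply_from_srv1": nat.inbound_packet("udp", srv1, pub1),
            "unsolicited_from_other": nat.inbound_packet("udp", other, pub1),
        }
    return result
```

In the "eim" result both servers see the same public port and the unrelated host is forwarded to the internal endpoint; in the "apdm" result the two servers get different public ports and the unrelated host is dropped. When reviewing a NAT deployment, the mode therefore decides whether an outbound connection also opens the internal endpoint to arbitrary external hosts.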

You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like :8080 as an internal Web server's external address and port number.

In Figure 3, when the NAT device receives a packet destined for the public IP address of an internal server, it looks in the NAT entries and translates the destination address and port number in the packet to the private IP address and port number of the internal server. When the NAT device receives a response packet from the internal server, it translates the source private IP address and port number of the packet into the public IP address and port number of the internal server.

Figure 3 Internal server operation

DNS mapping

Generally, the DNS server and the users that need to access internal servers reside on the public network. You can specify an external IP address and a port number for an internal server on the public network interface of a NAT device, so that external users can access the internal server using its domain name or public IP address.

In Figure 4, an internal host wants to access an internal Web server by using its domain name, while the DNS server is located on the public network. Typically, the DNS server replies with the public address of the internal server to the host, and thus the host cannot access the internal server. The DNS mapping feature solves this problem.

Figure 4 Operation of NAT DNS mapping

A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name in the message against the DNS mapping entries. If a match is found, the private address of the internal server is found, and the interface replaces the public IP address in the reply with the private IP address. Then, the host can use the private address to access the internal server.
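The internal server and DNS mapping descriptions above combine into a small lookup model. The Python below is an added example written for this page, not HP code: it publishes one internal Web server on a public address and port, translates inbound and reply packets as Figure 3 describes, and rewrites a DNS reply for a mapped domain as Figure 4 describes. All addresses, ports and the domain name are constructed; the way the DNS mapping entry (domain, public address, port, protocol) is used to find the internal server follows the text, while the exact matching rules of the device are not documented here and are an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port number)


@dataclass(frozen=True)
class InternalServer:
    proto: str               # "tcp" or "udp"
    global_addr: Endpoint    # public IP address and port seen from the Internet
    internal_addr: Endpoint  # private IP address and port of the server


@dataclass(frozen=True)
class DnsMapping:
    domain: str
    proto: str
    global_addr: Endpoint    # public IP address and port of the internal server


class NatGateway:
    def __init__(self) -> None:
        self.servers: Dict[Tuple[str, Endpoint], Endpoint] = {}
        self.dns_maps: Dict[str, DnsMapping] = {}

    def add_server(self, s: InternalServer) -> None:
        self.servers[(s.proto, s.global_addr)] = s.internal_addr

    def add_dns_mapping(self, m: DnsMapping) -> None:
        # Assumed: domain names compare case-insensitively and without a trailing dot.
        self.dns_maps[m.domain.lower().rstrip(".")] = m

    def inbound(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        """Packet from the Internet: rewrite the destination to the private address/port,
        or drop it (None) when no internal server is published on that public address/port."""
        return self.servers.get((proto, dst))

    def outbound_reply(self, proto: str, src: Endpoint) -> Optional[Endpoint]:
        """Reply from the internal server: rewrite the private source back to the public one."""
        for (p, public), internal in self.servers.items():
            if p == proto and internal == src:
                return public
        return None

    def rewrite_dns_reply(self, domain: str, answer_ip: str) -> str:
        """DNS reply crossing the NAT interface towards an internal host: if the queried
        domain has a DNS mapping entry, answer with the private address of that server."""
        m = self.dns_maps.get(domain.lower().rstrip("."))
        if m is None:
            return answer_ip                      # no entry: reply passes unchanged
        internal = self.servers.get((m.proto, m.global_addr))
        return internal[0] if internal else answer_ip


def demo() -> dict:
    """Constructed scenario: one Web server published on 203.0.113.1:8080."""
    gw = NatGateway()
    gw.add_server(InternalServer("tcp", ("203.0.113.1", 8080), ("10.1.1.10", 80)))
    gw.add_dns_mapping(DnsMapping("www.example.test", "tcp", ("203.0.113.1", 8080)))
    return {
        "inbound_web": gw.inbound("tcp", ("203.0.113.1", 8080)),
        "inbound_other_port": gw.inbound("tcp", ("203.0.113.1", 22)),
        "reply": gw.outbound_reply("tcp", ("10.1.1.10", 80)),
        "dns_mapped": gw.rewrite_dns_reply("WWW.example.test.", "203.0.113.1"),
        "dns_unmapped": gw.rewrite_dns_reply("other.example.test", "198.51.100.7"),
    }
```

The "inbound_other_port" result is the check worth keeping in mind: only the published protocol, address and port are translated towards the private network, and any other packet to the public address is dropped by this mapping rather than forwarded.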

Easy IP

Easy IP uses the public IP address of an interface on the device as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.

NAT support for VPNs

NAT allows users from different VPNs to access external networks through the same outbound interface, and allows the VPN users to use the same private address space.
1. Upon receiving a request from a VPN to an external network, NAT replaces the private source IP address and port number with a public IP address and port number, and records the VPN information.
2. When the response packet arrives, NAT replaces the public destination IP address and port number with the internal IP address and port number, and sends the packet to the target VPN.

This feature can also apply to internal servers, so that external users can access an internal host of a VPN. For example, suppose a host in VPN 1 needs to provide Web services for the Internet. It has a private address of . To achieve this purpose, configure NAT to use as the public IP address of the host, so that Internet users can use this IP address to access Web services on the host.

Address translation

Address translation can be classified into dynamic and static NAT.

Dynamic NAT

A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or the address of an interface in the case of Easy IP). This association defines what packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable when a large number of internal users must access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released. Dynamic NAT can meet the external access requirements of a large number of users.

Static NAT

Mappings between external and internal network addresses are manually configured. Static NAT can meet the fixed access requirements of a few users.

Low-priority address pool

The following matrix shows the feature and hardware compatibility:

Hardware                 Low-priority address pool compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   Yes
U200-S                   No

An address pool is a set of consecutive public IP addresses used for dynamic NAT. A NAT gateway selects addresses from the address pool and uses them as the translated source IP addresses.

To implement NAT for stateful failover (asymmetric-path), you must configure the same address pool on both devices, so that one device can take over when the other device fails. However, if the two devices select the same IP address from their address pool and assign the same port number, the reverse sessions on the two devices are the same. As a result, they cannot back up session data. To solve the problem, the low-priority address pool attribute is introduced to NAT. Configure a non-low-priority address pool on one device and a low-priority address pool on the other device. The two address pools have the same address range but different port number ranges, so that the devices can back up session data.

For more information about stateful failover, see High Availability Configuration Guide.

Configuration guidelines

- An address pool can contain a maximum of 255 addresses.
- On certain types of devices, an address pool cannot include addresses in other address pools, IP addresses of interfaces with Easy IP enabled, or public addresses of internal servers.
- Low-priority address pools cannot include addresses in non-low-priority address pools, external IP addresses for one-to-one NAT, or public addresses of internal servers.
- The address pool, dynamic NAT, static NAT, and internal server configurations can be modified through Web pages. The modification you make takes effect after the former configuration is removed by the system.

Configuring NAT in the Web interface

Recommended configuration procedure

Configuring dynamic NAT

Task: Creating an address pool
Remarks: Required for NAPT and NO-PAT modes.

Task: Configuring dynamic NAT
Remarks: Required.

Configuring static NAT

Task: Creating a static address mapping
Remarks: Required. Static NAT supports two modes, one-to-one and net-to-net.

Task: Enabling static NAT on an interface
Remarks: Required.
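The NAT control, dynamic NAT, low-priority address pool and static NAT descriptions above can be tied together in one model. The Python below is an added example written for this page, not HP code: a basic ACL decides which source addresses are served, an address pool of at most 255 consecutive addresses hands out (address, port) pairs and takes them back when a session ends, a low-priority pool with the same address range draws from a different port range so that two stateful-failover peers never produce the same reverse session, and a static mapping is applied in one-to-one mode (host mask) or net-to-net mode (network mask). The subnets and public addresses are constructed, and the specific port ranges used for the normal and the low-priority pool are an assumption made for the example; the guide only states that the two ranges differ.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port number)

def _n(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def _s(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

class BasicAcl:
    """Basic ACL (numbered 2000 to 2999): source-address rules with wildcard masks, first match wins."""
    def __init__(self, number: int) -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000 to 2999")
        self.number = number
        self.rules: List[Tuple[str, str, str]] = []

    def rule(self, action: str, source: str = "0.0.0.0", wildcard: str = "255.255.255.255") -> None:
        self.rules.append((action, source, wildcard))

    def permits(self, src_ip: str) -> bool:
        for action, net, wildcard in self.rules:
            care = 0xFFFFFFFF ^ _n(wildcard)    # a wildcard bit of 1 means "don't care"
            if _n(src_ip) & care == _n(net) & care:
                return action == "permit"
        return False                            # no rule matched: the packet is not served by NAT

class AddressPool:
    """Consecutive public addresses; a low-priority pool hands out ports from a disjoint range."""
    def __init__(self, index: int, start: str, end: str, low_priority: bool = False) -> None:
        if _n(end) - _n(start) + 1 > 255:
            raise ValueError("an address pool can contain a maximum of 255 addresses")
        self.index = index
        self.addresses = [_s(n) for n in range(_n(start), _n(end) + 1)]
        # Assumed split, not taken from the guide: normal pool 1024-32767, low-priority 32768-65535.
        self.ports = range(32768, 65536) if low_priority else range(1024, 32768)
        self.in_use: set = set()

    def allocate(self) -> Optional[Endpoint]:
        for ip in self.addresses:
            for port in self.ports:
                if (ip, port) not in self.in_use:
                    self.in_use.add((ip, port))
                    return (ip, port)
        return None                             # pool exhausted

    def release(self, ep: Endpoint) -> None:
        self.in_use.discard(ep)

class DynamicNat:
    """Association of an ACL with an address pool on an outbound interface (PAT mode)."""
    def __init__(self, acl: BasicAcl, pool: AddressPool) -> None:
        self.acl, self.pool = acl, pool
        self.sessions: Dict[Endpoint, Endpoint] = {}

    def translate(self, src: Endpoint) -> Optional[Endpoint]:
        if not self.acl.permits(src[0]):
            return None                         # NAT control: denied addresses are not translated
        if src not in self.sessions:
            ep = self.pool.allocate()
            if ep is None:
                return None
            self.sessions[src] = ep
        return self.sessions[src]

    def end_session(self, src: Endpoint) -> None:
        ep = self.sessions.pop(src, None)
        if ep is not None:
            self.pool.release(ep)               # the address is released when the session ends

def static_translate(internal_ip: str, global_ip: str, mask: str, src_ip: str) -> Optional[str]:
    """Static NAT: mask 255.255.255.255 gives one-to-one; a shorter mask gives net-to-net,
    where the host part of src_ip is carried over into the global network."""
    m = _n(mask)
    if _n(src_ip) & m != _n(internal_ip) & m:
        return None                             # src_ip is outside the mapped internal network
    return _s((_n(global_ip) & m) | (_n(src_ip) & ~m & 0xFFFFFFFF))

def demo() -> dict:
    """Constructed scenario: ACL 2001 permits one /24; two stateful-failover peers share a pool."""
    acl = BasicAcl(2001)
    acl.rule("permit", "10.110.10.0", "0.0.0.255")
    acl.rule("deny")
    primary = DynamicNat(acl, AddressPool(0, "203.0.113.2", "203.0.113.3"))
    backup = DynamicNat(acl, AddressPool(0, "203.0.113.2", "203.0.113.3", low_priority=True))
    host = ("10.110.10.5", 40000)
    a, b = primary.translate(host), backup.translate(host)
    primary.end_session(host)
    return {
        "permitted": a,
        "denied": primary.translate(("10.110.20.5", 40000)),
        "disjoint_on_peers": a != b and a[0] == b[0],
        "reused_after_release": primary.translate(host) == a,
        "one_to_one": static_translate("10.1.1.10", "203.0.113.10", "255.255.255.255", "10.1.1.10"),
        "net_to_net": static_translate("10.1.1.0", "203.0.113.0", "255.255.255.0", "10.1.1.77"),
    }
```

The "denied" result shows the NAT control point: a source outside the permitted subnet gets no translation at all, so the ACL attached to the address pool is the place to verify which internal hosts may reach the Internet. The "disjoint_on_peers" result shows why the low-priority attribute exists: both peers pick the same public address, but their port numbers never coincide.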

Configuring an internal server

Task: Configuring an internal server
Remarks: Required. After you map the private IP address/port number of an internal server to a public IP address/port number, hosts in external networks can access the server located in the private network.

Task: Configuring DNS mapping
Remarks: Optional. The DNS mapping feature enables an internal host to use the domain name to access an internal server located on the same private network, while the DNS server resides on the public network.

Creating an address pool

1. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT. The dynamic NAT configuration page appears.

Figure 5 Dynamic NAT configuration page

TIP: You can click the ID link of an ACL to view details about the ACL, and create and delete ACL rules. For more information about ACL configuration, see Access Control Configuration Guide.

2. In the Address Pool area, click Add. The Add NAT Address Pool page appears.

Figure 6 Adding NAT Address Pool page

3. Create an IP address pool as described in Table 1.
4. Click Apply.

Table 1 Configuration items
- Index: Specify the index of an address pool.
- Start IP Address: Specify the start IP address of the address pool.
- End IP Address: Specify the end IP address of the address pool. The end IP address must be identical to or higher than the start IP address.
- Low priority: Configure the address pool as a low-priority or a non-low-priority address pool. IMPORTANT: This configuration item is applicable for asymmetric-path stateful failover only. The low priority settings for the local and peer devices must be different.

Configuring dynamic NAT on an interface

1. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT. The dynamic NAT configuration page appears, as shown in Figure 5.
2. In the Dynamic NAT area, click Add to enter the Add Dynamic NAT page.

Figure 7 Adding Dynamic NAT page

3. Configure dynamic NAT on an interface as described in Table 2.
4. Click Apply.

Table 2 Configuration items
- Interface: Specify an interface on which dynamic NAT is to be enabled.
- ACL: Specify an ACL for dynamic NAT. You cannot associate an ACL with multiple NAT address pools, or associate an ACL with both Easy IP and an address pool. IMPORTANT: On some devices, the rules of an ACL applied on an interface cannot conflict with one another; that is, rules with the same source IP address, destination IP address, and VPN instance are considered a conflict. In a basic ACL (numbered 2000 to 2999), rules with the same source IP address and VPN instance are considered a conflict.
- Address Transfer: Select an address translation mode. Only one mode can be selected for an address pool.
  - PAT: Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP addresses and port numbers.
  - No-PAT: Refers to many-to-many NAT. In this mode, associating an ACL with an address pool translates only IP addresses.
  - Easy IP: In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address, and uses an ACL to match IP packets.
- Address Pool Index: Specify the index of a NAT address pool for dynamic NAT. The NAT address pool must have been configured through NAT address configuration. If Easy IP is selected for Address Transfer, you do not need to enter an address pool index.
- Global VPN Instance: Specify the name of the VPN instance to which the external IP addresses (that is, the NAT address pool) belong.

Table 2 Configuration items (continued)
- Enable track to VRRP / VRRP Group: Configure whether to associate dynamic NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you do. When two network devices implement both stateful failover and dynamic NAT, make sure each address pool on an interface is associated with one VRRP group only. Otherwise, the system associates the address pool with the VRRP group having the highest group ID. To ensure normal switchovers between the two devices, you must add the devices to the same VRRP group, and associate dynamic NAT with the VRRP group.

Creating a static address mapping

1. From the navigation tree, select Firewall > NAT Policy > Static NAT.

Figure 8 Static NAT configuration page

2. In the Static Address Mapping area, where static address mappings are displayed, click Add to enter the Add Static Address Mapping page.

Figure 9 Adding Static Address Mapping page

3. Configure a static address mapping as described in Table 3.
4. Click Apply.

Table 3 Configuration items
- Internal VPN Instance: Specify the name of the VPN instance to which the internal IP addresses belong. If no internal VPN instance is specified, the internal address is a common private network address.
- Internal IP Address: Enter an internal IP address for the static address mapping.
- Global VPN Instance: Specify the name of the VPN instance to which the external IP addresses belong. If no global VPN instance is specified, the external address is a common public network address.
- Global IP Address: Enter a public IP address for the static address mapping.
- Network Mask: Specify the network mask for the internal and public IP addresses. If a network mask is specified, net-to-net static NAT is implemented. If no network mask is specified, the default mask is used, and one-to-one static NAT is delivered.
- ACL: Specify an ACL for static NAT.

Enabling static NAT on an interface

1. From the navigation tree, select Firewall > NAT Policy > Static NAT.
2. In the Interface Static Translation area, click Add to enter the Enable Interface Static Translation page.

Figure 10 Enabling Interface Static Translation page

3. Enable static NAT on an interface as described in Table 4.
4. Click Apply.

Table 4 Configuration items
- Interface Name: Select an interface to which static NAT is applied.
- Enable track to VRRP / VRRP Group: Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you do. When two network devices implement both stateful failover and static NAT, to ensure normal switchovers between the two devices, you need to add the devices to the same VRRP group, and associate static NAT with the VRRP group.

Configuring an internal server

This section describes basic and advanced internal server settings. On the common configuration page, you can specify the service type without setting internal ports, which use the default ports of the services. On the advanced configuration page, you need to specify the protocol type and internal ports.

Configure basic internal server settings

1. From the navigation tree, select Firewall > NAT Policy > Internal Server. The internal server configuration page appears.

Figure 11 Internal server configuration page

2. In the Internal Server area, click Add. The Add Internal Server page appears.

Figure 12 Adding Internal Server page

3. Configure the internal server as described in Table 5.
4. Click Apply.

Configure advanced internal server settings

1. Click Advanced on the page shown in Figure 13. The Advanced Configuration page appears.

Figure 13 Configuring advanced internal server settings

2. Configure the internal server as described in Table 5.
3. Click Apply.

Table 5 Configuration items
- Interface: Specify an interface to which the internal server policy is applied.
- Protocol Type: Select the protocol to be carried by IP (only supported by advanced configuration). For advanced configuration, if the selected protocol type is neither 6(TCP) nor 17(UDP), you can only specify a mapping between an internal IP address and an external IP address; the configuration items for the internal and global ports are not available.
- Global VPN Instance: Specify the name of the VPN instance to which the external address belongs. If no global VPN instance is specified, the external IP address is a common public network address that does not belong to any VPN instance.
- External IP Address: Specify the public IP address for the internal server. You can enter an IP address, or use the IP address of an interface.

Table 5 Configuration items (continued)
- Global Port: Specify the global port numbers for the internal server. This option is available when 6(TCP) or 17(UDP) is selected as the protocol type.
  - For common configuration: Use the single box to specify a global port; 0 represents the default port of the specified service type. If the selected service type is any(tcp) or any(udp), the global port is any port. Use the double boxes to specify a range of global ports, which have a one-to-one correspondence with the specified range of internal IP addresses.
  - For advanced configuration: Set the global port only when the protocol type is 6(TCP) or 17(UDP). Use the single box to specify a fixed port; 0 represents the specified internal port. Use the double boxes to specify a range of global ports that have a one-to-one correspondence with the specified range of internal IP addresses.
- Internal VPN Instance: Specify the name of the VPN instance to which the internal server belongs. If no internal VPN instance is specified, the internal server is a common private network server that does not belong to any VPN instance.
- Internal IP: Specify the internal IP addresses for the internal server.
  - For common configuration: Use the single box to specify a fixed internal IP address if you used the single box for Global Port to set a global port. Use the double boxes to specify a range of internal IP addresses if you used the double boxes for Global Port to set a range of global ports. The specified range of internal IP addresses has a one-to-one correspondence with the specified range of global ports, so the number of internal IP addresses must be identical to the number of specified global ports.
  - For advanced configuration: When the protocol type is neither 6(TCP) nor 17(UDP), or you specified a fixed global port in the single box for Global Port, specify a fixed internal IP address in the single box. When the protocol type is 6(TCP) or 17(UDP) and you set a range of global ports in the double boxes for Global Port, specify a range of internal IP addresses in the double boxes. The specified range of internal IP addresses has a one-to-one correspondence with the specified range of global ports, so the number of internal addresses must be identical to the number of specified global ports.
- Service: Specify the service type provided by the internal server (only supported by common configuration). IMPORTANT: The port number of the internal server is the default port number of the selected service. If the selected service type is any(tcp) or any(udp), the internal port is any port.
- Internal Port: Specify the internal port number of the internal server (only supported by advanced configuration). This option is available when 6(TCP) or 17(UDP) is selected for the protocol type. If you enter 0 in the text box, all types of services are provided; this configuration indicates a static connection between the internal addresses and external addresses.
- ACL: Specify an ACL for the internal server.

Table 5 Configuration items (continued)
- Enable track to VRRP / VRRP Group: Configure whether to associate the internal server on an interface with a VRRP group, and specify the VRRP group to be associated if you do. When two network devices deliver both stateful failover and dynamic NAT, make sure each address pool on an interface is associated with one VRRP group only. Otherwise, the system associates the address pool with the VRRP group having the highest group ID. To ensure normal switchovers between the two devices, you need to add the devices to the same VRRP group, and associate dynamic NAT with the VRRP group.

Configuring ACL-based NAT on the internal server

1. From the navigation tree, select Firewall > NAT Policy > Internal Server. The internal server configuration page, as shown in Figure 11, appears.
2. In the Internal Server Based on ACL area, click Add.

Figure 14 Internal server based on ACL configuration

3. Configure ACL-based NAT as described in Table 6.
4. Click Apply.

Table 6 Configuration items
- Interface: Specify an interface to which the internal server policy is applied.
- Protocol type: Select the protocol to be carried by IP.
- ACL: Enter the number of an ACL for the internal server policy.
- Internal VPN Instance: Select the box and select the VPN instance to which the internal server belongs. If the internal server is a common private network server that does not belong to any VPN instance, do not select the box.
- Internal IP: Enter the IP addresses of the internal server.

Internal Port: Enter the port number of the internal server. This option is available when 6(TCP) or 17(UDP) is selected for the protocol type. If you enter 0 in the field, all types of services are provided, which indicates that a static connection exists between the internal address and the external address.

Configuring DNS mapping

1. From the navigation tree, select Firewall > NAT Policy > Internal Server.
2. In the DNS-MAP area, click Add. The page for adding DNS-MAP appears.

Figure 15 Adding DNS-MAP page

3. Configure DNS mapping as shown in Table 7.
4. Click Apply.

Table 7 Configuration items

Protocol: Select the protocol supported by the internal server.
Global IP: Specify the external IP address of the internal server.
Global Port: Specify the port number of the internal server.
Domain: Specify the domain name of the internal server.

NAT configuration example

Network requirements

As shown in Figure 16, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

Figure 16 Network diagram

Configuring Firewall

1. Configure an ACL to permit internal users in subnet /24 to access the Internet:
   a. From the navigation tree, select Firewall > ACL.
   b. Click Add.
   c. Enter 2001 in ACL Number, and click Apply.

   Figure 17 Defining ACL 2001

   d. Click the icon in the operation column corresponding to ACL 2001 to enter the ACL 2001 configuration page.
   e. Click Add.
   f. On the page that appears, select Permit in Operation. Select the Source IP Address box and enter Enter in Source Wildcard.
   g. Click Apply.

Figure 18 Configuring ACL 2001 to permit users on network /24 to access the Internet

   h. Click Add on the ACL 2001 configuration page, select Deny for Operation, and click Apply.

Figure 19 Configuring ACL 2001 to prohibit other users from accessing the Internet

2. Configure a NAT address pool:
   a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
   b. Click Add.
   c. On the page that appears as shown in Figure 20, enter 0 in Index, enter in Start IP Address and enter in End IP Address.
   d. Click Apply.

Figure 20 Configuring NAT address pool 0

3. Configure dynamic NAT:
   a. Click Add in the Dynamic NAT area.
   b. On the page that appears, select GigabitEthernet0/1 for Interface and enter 2001 for ACL.
   c. Select PAT for Address Transfer.
   d. Enter 0 for Address Pool Index.

   e. Click Apply.

Figure 21 Configuring dynamic NAT

Internal server configuration example

Network requirements

As illustrated in Figure 22, a company provides two Web servers and one FTP server for external users to access. The internal network address is /16. The internal address of the FTP server is /16, that of Web server 1 is /16, and that of Web server 2 is /16. The company has three public IP addresses from /24 through /24. Specifically, the company has the following requirements:
External hosts can access the internal servers using public address /24.
Port 8080 is used for Web server 2.

Figure 22 Network diagram

Configuring Firewall

1. Configure the FTP server:
   a. From the navigation tree, select Firewall > NAT Policy > Internal Server.
   b. Click Add in the Internal Server area.
   c. On the page that appears, select GigabitEthernet0/1 for Interface.
   d. Select the Assign IP Address option, and enter

   e. Select the first option for Global Port and enter 21.
   f. Enter in the Internal IP field.
   g. Select the service type ftp.
   h. Click Apply.

Figure 23 Configuring an internal FTP server

2. Configure Web server 1:
   a. Click Add in the Internal Server area.
   b. On the page that appears, select GigabitEthernet0/1 for Interface.
   c. Select the Assign IP Address option, and enter
   d. Select the first option for Global Port and enter 80.
   e. Enter in the Internal IP field.
   f. Select the service type www.
   g. Click Apply.

Figure 24 Configuring internal Web server 1

3. Configure Web server 2:
   a. Click Add in the Internal Server area.
   b. On the page that appears, select GigabitEthernet0/1 for Interface. Select the Assign IP Address option, and enter Select the first option for Global Port and enter Enter in the Internal IP field. Select the service type www.
   c. Click Apply.

Figure 25 Configuring internal Web server 2

Configuring NAT at the CLI

NAT configuration task list

Configure address translation (either task is required):
   Configuring static NAT
   Configuring dynamic NAT
Configuring an internal server: Required.
Configuring DNS mapping: Optional.

If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and reboot the device to avoid the following problems:
After you delete the NAT-related configuration, address translation can still work for sessions already created.
If you configure NAT when NAT is running, the same configuration may have different results because of different configuration orders.

Configuring static NAT

Static NAT supports NAT multiple-instance as long as the VPN instance of an IP address is provided. Static NAT supports two modes: one-to-one and net-to-net.

Configuring one-to-one static NAT

One-to-one static NAT translates a private IP address into a public IP address. To configure one-to-one static NAT:

1. Enter system view.
   system-view
2. Configure a one-to-one static NAT mapping.
   nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
3. Enter interface view.
   interface interface-type interface-number
4. Enable static NAT on the interface.
   nat outbound static [ track vrrp virtual-router-id ]

Configuring net-to-net static NAT

Net-to-net static NAT translates a private network into a public network. To configure net-to-net static NAT:

1. Enter system view.
   system-view
2. Configure a net-to-net static NAT mapping.
   nat static [ acl-number ] net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { mask-length | mask }
3. Enter interface view.
   interface interface-type interface-number
4. Enable static NAT on the interface.
   nat outbound static [ track vrrp virtual-router-id ]

Configuring dynamic NAT

Dynamic NAT supports NAT multiple-instance as long as the VPN instance of an IP address is provided.

Configuration prerequisites

Configure an ACL to specify the IP addresses permitted to be translated. For more information about ACLs, see Access Control Configuration Guide.
Determine whether to use an interface's IP address as the translated source address. To use the address of an interface as the translated address, use Easy IP. To use an address from an address pool as the translated address, use No-PAT or NAPT for dynamic address translation. No-PAT is used for many-to-many address translation and does not translate TCP/UDP port numbers.
NAPT allows many-to-one address translation by also translating TCP/UDP port numbers.
Determine a public IP address pool for address translation.
Determine whether to translate port information.
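The following is an added example, not HP code, that models in Python the four outbound translation behaviours described above (one-to-one static NAT, net-to-net static NAT, No-PAT and NAPT) so the difference between them can be observed on constructed traffic. All addresses, pool ranges and the sequential NAPT port allocation are constructed for the example; a real device picks ports and pool addresses by its own rules.

```python
"""Constructed model of the outbound address translation modes described above:
one-to-one static NAT, net-to-net static NAT, No-PAT and NAPT.
Added example, not HP code. All addresses and pools are constructed."""
import ipaddress
from itertools import count


class StaticNat:
    """Models the nat static and nat static net-to-net mappings."""

    def __init__(self):
        self.one_to_one = {}   # local IPv4Address -> global IPv4Address
        self.net_to_net = []   # (local IPv4Network, global IPv4Network)

    def add(self, local_ip, global_ip):
        self.one_to_one[ipaddress.IPv4Address(local_ip)] = ipaddress.IPv4Address(global_ip)

    def add_net(self, local_network, global_network, mask_length):
        local = ipaddress.IPv4Network((local_network, mask_length), strict=False)
        glob = ipaddress.IPv4Network((global_network, mask_length), strict=False)
        self.net_to_net.append((local, glob))

    def translate(self, src_ip):
        """Return the global address for src_ip, or None if no static mapping applies."""
        src = ipaddress.IPv4Address(src_ip)
        if src in self.one_to_one:
            return self.one_to_one[src]
        for local, glob in self.net_to_net:
            if src in local:
                # net-to-net swaps the network part and keeps the host bits
                host_bits = int(src) - int(local.network_address)
                return glob.network_address + host_bits
        return None


class DynamicNat:
    """Models nat outbound ... address-group N [no-pat]: No-PAT binds each internal
    host to a pool address of its own; NAPT shares one address and uses ports."""

    def __init__(self, start_ip, end_ip, pat):
        first, last = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
        self.pool = [first + i for i in range(int(last) - int(first) + 1)]
        self.pat = pat
        self.bindings = {}            # No-PAT: src IPv4Address -> pool address
        self.sessions = {}            # (src ip, src port) -> (global ip, global port)
        self.next_port = count(1024)  # NAPT: constructed sequential port allocation

    def translate(self, src_ip, src_port):
        src = ipaddress.IPv4Address(src_ip)
        key = (src, src_port)
        if key in self.sessions:
            return self.sessions[key]
        if self.pat:
            # NAPT (many-to-one): one pool address, hosts told apart by the translated port
            mapped = (self.pool[0], next(self.next_port))
        else:
            # No-PAT (many-to-many): each host needs a pool address; ports stay as they are
            if src not in self.bindings:
                free = [a for a in self.pool if a not in self.bindings.values()]
                if not free:
                    return None   # pool exhausted: this session cannot be translated
                self.bindings[src] = free[0]
            mapped = (self.bindings[src], src_port)
        self.sessions[key] = mapped
        return mapped


def demo():
    """Run the modes on constructed traffic and return the results."""
    static = StaticNat()
    static.add("10.1.1.1", "203.0.113.1")              # like: nat static 10.1.1.1 203.0.113.1
    static.add_net("10.2.0.0", "198.51.100.0", 24)     # like: nat static net-to-net ... 24
    no_pat = DynamicNat("203.0.113.10", "203.0.113.11", pat=False)  # two-address pool
    napt = DynamicNat("203.0.113.20", "203.0.113.20", pat=True)     # one-address pool
    hosts = ("10.3.0.1", "10.3.0.2", "10.3.0.3")
    return {
        "one_to_one": str(static.translate("10.1.1.1")),
        "net_to_net": str(static.translate("10.2.0.7")),
        "unmatched": static.translate("10.9.9.9"),
        "no_pat": [no_pat.translate(h, 40000) for h in hosts],
        "napt": [napt.translate(h, 40000) for h in hosts],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a two-address pool, the third No-PAT host gets no translation at all, while the same three hosts share a single NAPT address and are told apart by port; this is the sizing trade-off the prerequisites above ask you to decide before picking a mode.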

Configuring NAT address pools

You can configure NAT address pools in two ways:
Configure an address pool that consists of a set of consecutive addresses.
Configure an address group that can contain several members. Each member specifies an address pool that consists of a set of consecutive addresses. The address pools of different members need not be consecutive.

The NAT device selects an IP address from a specific NAT address pool as the source address of a packet.

To configure an address pool:

1. Enter system view.
   system-view
2. Configure an address pool.
   nat address-group group-number start-address end-address [ level level ]
   Address pools must not overlap.

To configure an address group:

1. Enter system view.
   system-view
2. Create an address group and enter its view.
   nat address-group group-number
3. Add a member to the address group.
   address start-address end-address
   The IP address pools of address group members must not overlap with each other or with other address pools.

Configuring Easy IP

Easy IP allows the device to use the IP address of one of its interfaces as the source address of NATed packets. To configure Easy IP:

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Enable Easy IP by associating an ACL with the IP address of the interface.
   nat outbound [ acl-number ] [ next-hop ip-address ] [ track vrrp virtual-router-id ]

Configuring No-PAT

With a specific ACL associated with an address pool or interface address, No-PAT translates the source address of a packet permitted by the ACL into an IP address of the address pool or the interface address, without using the port information. To configure No-PAT:

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface, translating only IP addresses.
   nat outbound [ acl-number ] address-group group-number [ vpn-instance vpn-instance-name ] no-pat [ track vrrp virtual-router-id ]

Configuring NAPT

With a specific ACL associated with an address pool or interface address, NAPT translates the source address of a packet permitted by the ACL into an IP address of the address pool or the interface address, using the port information. To configure NAPT:

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure NAPT by associating an ACL with an IP address pool on the outbound interface, translating both IP address and port number.
   nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] ] [ track vrrp virtual-router-id ]

Configuring an internal server

To configure an internal server, map an external IP address and port number to the internal server by executing the nat server command on an interface. Internal server configurations include external network information (external IP address global-address and external port number global-port), internal network information (internal IP address local-address and internal port number local-port), and the internal server protocol type.

Configuring a common internal server

After the internal IP address/port number (local-address and local-port) of a common internal server is mapped to an external IP address/port number (global-address and global-port), hosts in external networks can access the server located in the internal network. The device supports using the interface address as the external address of an internal server, which is the Easy IP feature.
If you want to specify an interface, the interface must be a loopback interface and must already exist. If you configure an internal server using Easy IP but do not configure an IP address for the interface, the internal server configuration does not take effect.

To configure a common internal server (1):

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number

3. Configure a common internal server. (Use either command.)
   nat server [ index acl-number ] protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ]
   nat server [ index acl-number ] protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ]

To configure a common internal server (2):

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure a common internal server. (Use either command.)
   nat server [ index acl-number ] protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ track vrrp virtual-router-id ]
   nat server [ index acl-number ] protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ]

To configure a common internal server (3):

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure a common internal server.
   nat server [ index acl-number ] protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }

Configuring ACL-based NAT on an internal server

This feature maps the destination address of an ACL-permitted packet to the internal server address or the internal server IP address/port number. To configure ACL-based NAT on an internal server:

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure an internal server based on an ACL.
   nat server protocol pro-type global acl-number inside local-address [ local-port ] [ vpn-instance local-name ]

Configuring DNS mapping

With DNS mapping, an internal host can access an internal server on the same private network by using the domain name of the internal server when the DNS server resides on the public network. To configure a DNS mapping:

1. Enter system view.
   system-view
2. Configure a DNS mapping.
   nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

Displaying and maintaining NAT

All of the following display commands are available in any view.

Display information about NAT address pools:
   display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
Display all NAT configuration information:
   display nat all [ | { begin | exclude | include } regular-expression ]
Display NAT configuration information:
   display nat bound [ | { begin | exclude | include } regular-expression ]
Display DNS mapping configuration information:
   display nat dns-map [ | { begin | exclude | include } regular-expression ]
Display the internal server information:
   display nat server [ | { begin | exclude | include } regular-expression ]
Display static NAT information:
   display nat static [ | { begin | exclude | include } regular-expression ]
Display NAT statistics:
   display nat statistics [ | { begin | exclude | include } regular-expression ]

One-to-one static NAT configuration example

Network requirements

An internal host /24 uses public address to access the Internet.

Figure 26 Network diagram

Configuration procedure

# As shown in Figure 26, configure the IP addresses for the interfaces. (Details not shown.)
# Configure a one-to-one static NAT mapping.
<Firewall> system-view
[Firewall] nat static
# Enable static NAT on interface GigabitEthernet 0/2.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound static
[Firewall-GigabitEthernet0/2] quit

Dynamic NAT configuration example

Network requirements

As shown in Figure 27, a company has three public IP addresses ranging from /24 to /24, and internal network address /16.

Figure 27 Network diagram

Configuration procedure

# As shown in Figure 27, configure the IP addresses for the interfaces. (Details not shown.)
# Configure address pool 1.
<Firewall> system-view
[Firewall] nat address-group
# Configure ACL 2001, permitting only users from network segment /24 to access the Internet.
[Firewall] acl number 2001
[Firewall-acl-basic-2001] rule permit source
[Firewall-acl-basic-2001] rule deny
[Firewall-acl-basic-2001] quit

# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 0/2.
No-PAT:
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound 2001 address-group 1 no-pat
[Firewall-GigabitEthernet0/2] quit
NAPT:
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] nat outbound 2001 address-group 1
[Firewall-GigabitEthernet0/2] quit

Common internal server configuration example

Network requirements

As shown in Figure 28, a company provides two Web servers, one FTP server, and one SMTP server for external users to access. The internal network address is /16. The internal address of the FTP server is /16, that of Web server 1 is /16, that of Web server 2 is /16, and that of the SMTP server is /16. The company has three public IP addresses ranging from /24 to /24. Specifically, the company has the following requirements:
External hosts can access the internal servers with public address /24.
Port 8080 is used for Web server 2.

Figure 28 Network diagram (Web server 1, Web server 2, FTP server, SMTP server, Firewall, Internet, Host)

Configuration procedure

# As shown in Figure 28, configure the IP addresses for the interfaces. (Details not shown.)
# Enter interface GigabitEthernet 0/2 view.
<Firewall> system-view
[Firewall] interface gigabitethernet 0/2
# Configure the internal FTP server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside ftp
# Configure internal Web server 1.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside www
# Configure internal Web server 2.

[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside www
# Configure the internal SMTP server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global smtp inside smtp
[Firewall-GigabitEthernet0/2] quit

NAT DNS mapping configuration example

Network requirements

As shown in Figure 29, a company provides Web and FTP services to external users, and uses internal IP network segment /16. The IP addresses of the Web and FTP servers are /16 and /16, respectively. The company has three public addresses /24 through /24. The DNS server is at /24. The public IP address is used to provide services to external users. External users can use the public address or domain name of the internal servers to access them. Internal users can access the internal servers by using their domain names.

Figure 29 Network diagram (Web server, FTP server, DNS server, Firewall, Internet, Host A, Host B)

Configuration procedure

# As shown in Figure 29, configure the IP addresses for the interfaces. (Details not shown.)
# Enter the view of interface GigabitEthernet 0/2.
<Firewall> system-view
[Firewall] interface gigabitethernet 0/2
# Configure the internal Web server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside www
# Configure the internal FTP server.
[Firewall-GigabitEthernet0/2] nat server protocol tcp global inside ftp
[Firewall-GigabitEthernet0/2] quit
# Configure two DNS mapping entries: map the domain name of the Web server to , and ftp.server.com of the FTP server to
[Firewall] nat dns-map domain protocol tcp ip port www
[Firewall] nat dns-map domain ftp.server.com protocol tcp ip port ftp

[Firewall] quit

Verifying the configuration

# After completing the configurations, display the DNS mapping configuration information.
<Firewall> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name:
Global-IP :
Global-port: 80(www)
Protocol : 6(TCP)
Domain-name: ftp.server.com
Global-IP :
Global-port: 21(ftp)
Protocol : 6(TCP)

Host A and Host B can use the domain name to access the Web server, and use ftp.server.com to access the FTP server.

Troubleshooting NAT

Symptom 1

Abnormal translation of IP addresses.

Solution

1. Enable debugging for NAT. Try to locate the problem based on the debugging output.
2. Use other commands, if necessary, to further identify the problem. Pay special attention to the source address after the address translation and make sure this address is the address that you intend to translate to. If not, there may be a problem with the address pool.
3. Make sure a route is available between the destination network and the address pool segment.
4. Be aware of the possible effects that the firewall or the ACLs have on NAT, and also check the route configuration.

Symptom 2

The internal server functions abnormally.

Solution

1. Verify that the internal server host is properly configured.
2. Verify that the router is correctly configured with respect to the internal server parameters, such as the internal server IP address.
3. Use the display acl command to verify that the firewall permits external access to the internal network. For more information about the firewall, see Attack Protection Configuration Guide.
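The following is an added example, not HP code, that models in Python the two inbound mechanisms used in the internal server and DNS mapping examples above: the nat server entries that translate a destination address/port arriving from the public side, and the nat dns-map entries that rewrite a DNS reply returned to an internal host so that it reaches the server on the private network directly. The server addresses, ports and domain names are constructed; the example applies the same logic to any number of entries, which the single-server examples above do not show.

```python
"""Constructed model of nat server (inbound destination translation) and
nat dns-map (DNS reply rewriting for internal hosts) as described above.
Added example, not HP code. Servers, addresses and domain names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    proto: str
    global_ip: str
    global_port: int      # 0 means any port (a static address-to-address mapping)
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class DnsMap:
    domain: str
    proto: str
    global_ip: str
    global_port: int


@dataclass
class InternalServerNat:
    servers: list = field(default_factory=list)
    dns_maps: list = field(default_factory=list)

    def nat_server(self, proto, global_ip, global_port, local_ip, local_port):
        """Equivalent of: nat server protocol <proto> global <ip> <port> inside <ip> <port>."""
        self.servers.append(Server(proto, global_ip, global_port, local_ip, local_port))

    def nat_dns_map(self, domain, proto, global_ip, global_port):
        """Equivalent of: nat dns-map domain <name> protocol <proto> ip <ip> port <port>."""
        self.dns_maps.append(DnsMap(domain, proto, global_ip, global_port))

    def inbound(self, proto, dst_ip, dst_port):
        """Destination translation for a packet arriving from the public side.
        Returns (local ip, local port) or None when no internal server matches."""
        for s in self.servers:
            if s.proto == proto and s.global_ip == dst_ip and s.global_port in (0, dst_port):
                # a port-0 entry keeps the original port; otherwise use the mapped port
                local_port = dst_port if s.global_port == 0 else s.local_port
                return s.local_ip, local_port
        return None

    def rewrite_dns_reply(self, domain, answer_ip):
        """DNS mapping: an internal host resolved `domain` via the public DNS server and
        received the global address. Replace it with the internal address that the
        matching nat server entry points to; leave unrelated replies unchanged."""
        for m in self.dns_maps:
            if m.domain == domain and m.global_ip == answer_ip:
                target = self.inbound(m.proto, m.global_ip, m.global_port)
                if target:
                    return target[0]
        return answer_ip


def demo():
    """Configure constructed servers and mappings and exercise both paths."""
    fw = InternalServerNat()
    fw.nat_server("tcp", "203.0.113.1", 80, "10.1.1.2", 80)      # Web server 1
    fw.nat_server("tcp", "203.0.113.1", 8080, "10.1.1.3", 80)    # Web server 2 on 8080
    fw.nat_server("tcp", "203.0.113.1", 21, "10.1.1.4", 21)      # FTP server
    fw.nat_dns_map("www.example.test", "tcp", "203.0.113.1", 80)
    fw.nat_dns_map("ftp.example.test", "tcp", "203.0.113.1", 21)
    return {
        "web1": fw.inbound("tcp", "203.0.113.1", 80),
        "web2": fw.inbound("tcp", "203.0.113.1", 8080),
        "closed": fw.inbound("tcp", "203.0.113.1", 25),
        "dns_web": fw.rewrite_dns_reply("www.example.test", "203.0.113.1"),
        "dns_ftp": fw.rewrite_dns_reply("ftp.example.test", "203.0.113.1"),
        "dns_other": fw.rewrite_dns_reply("www.example.test", "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check worth keeping in mind from this model is that a port not covered by any nat server entry is not translated at all, and that a DNS mapping only takes effect when a nat server entry exists for the same global address, port and protocol.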

Configuring NAT-PT

NAT-PT can be configured only at the CLI. NAT-PT is not supported on VLAN interfaces and does not support VPN instances, IPv4 fragments, or ICMPv6 fragments.

Feature and hardware compatibility

Hardware: NAT-PT compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No

Overview

Because IPv4 networks and IPv6 networks coexist, Network Address Translation - Protocol Translation (NAT-PT) was introduced to translate between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access an FTP server in an IPv4 network.

As shown in Figure 30, NAT-PT runs on the device between the IPv4 and IPv6 networks. The address translation is transparent to both the IPv4 and IPv6 networks. Users in the IPv6 and IPv4 networks can communicate without changing their configurations.

Figure 30 Network diagram

Basic concepts

NAT-PT mechanism

There are three NAT-PT mechanisms to translate between IPv4 and IPv6 addresses: static mapping, dynamic mapping, and NAPT-PT.
Static mapping: Static mappings are manually configured for translation between IPv6 and IPv4 addresses.
Dynamic mapping: Dynamic mappings are dynamically generated for translation between IPv6 and IPv4 addresses. Different from static mappings, dynamic mappings are not fixed one-to-one mappings between IPv6 and IPv4 addresses.
NAPT-PT: Network Address Port Translation - Protocol Translation (NAPT-PT) translates TCP/UDP port numbers in addition to static or dynamic address translation. With NAPT-PT, different IPv6 addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different port numbers, so these IPv6 hosts can share one IPv4 address, which saves IPv4 addresses.

NAT-PT prefix

The 96-bit NAT-PT prefix, in the IPv6 address prefix format, is used in the following cases:
Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device checks the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device translates the source and destination IPv6 addresses of the packet into IPv4 addresses.
After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the translated source IPv6 address is the configured NAT-PT prefix.

Implementing NAT-PT

Session initiated by an IPv6 host

Figure 31 NAT-PT implementation (session initiated by an IPv6 host)

NAT-PT works as follows:
1. Determines whether to perform NAT-PT. Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device checks the prefix of the destination IPv6 address in the packet.
If the prefix is the same as the configured NAT-PT prefix, the device considers that the packet needs to be forwarded to the IPv4 network and NAT-PT needs to be performed.

2. Translates the source IP address. The NAT-PT device translates the source IPv6 address of the packet into an IPv4 address according to the static or dynamic mapping on the IPv6 side.
3. Translates the destination IP address. The NAT-PT device translates the destination IPv6 address of the packet into an IPv4 address according to the static mapping, if configured, on the IPv4 network side. Without any static mapping configured on the IPv4 network side, if the lowest 32 bits of the destination IPv6 address in the packet can be directly translated into a valid IPv4 address, the destination IPv6 address is translated into that IPv4 address. Otherwise, the translation fails.
4. Forwards the packet and stores the mappings. After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses, the NAT-PT device forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT device.
5. Forwards the reply packet according to the stored mappings. Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT device swaps the source and destination IPv4 addresses according to the stored mappings and forwards the packet to the IPv6 host.

Session initiated by an IPv4 host

The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:
1. Determines whether to perform NAT-PT. Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT device checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the device considers that the packet needs to be forwarded to the IPv6 network and NAT-PT needs to be performed.
2. Translates the source IP address. The NAT-PT device translates the source IPv4 address of the packet into an IPv6 address according to the static or dynamic mapping on the IPv4 side.
If no mapping is configured on the IPv4 side, the source IPv4 address prefixed with the first configured NAT-PT prefix is used as the translated source IPv6 address.
3. Translates the destination IP address. The NAT-PT device translates the destination IPv4 address of the packet into an IPv6 address according to the static mapping on the IPv6 side.
4. Forwards the packet and stores the mappings. After the source and destination IPv4 addresses of the packet are translated into IPv6 addresses, the NAT-PT device forwards the packet to the IPv6 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT device.
5. Forwards the reply packet according to the stored mappings. Upon receiving a reply packet from the IPv6 host to the IPv4 host, the NAT-PT device swaps the source and destination IPv6 addresses according to the stored mappings and forwards the packet to the IPv4 host.
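The following is an added example, not HP code, that models in Python the address translation steps described above for a session initiated by an IPv6 host and for one initiated by an IPv4 host: the NAT-PT prefix check on the destination, the static mappings on either side, the fallback to the lowest 32 bits of an IPv6 address, and the fallback of prefix plus IPv4 address. The prefix, mappings, hosts and the single-address dynamic pool are constructed; only the no-pat style of dynamic mapping is modelled, and the stored-mapping reply path is left out.

```python
"""Constructed model of the NAT-PT translation steps described above, for sessions
initiated from the IPv6 side and from the IPv4 side.
Added example, not HP code. The prefix, mappings and hosts are constructed."""
import ipaddress

IPv4, IPv6 = ipaddress.IPv4Address, ipaddress.IPv6Address


class NatPt:
    def __init__(self, natpt_prefix, pool=()):
        self.prefix = ipaddress.IPv6Network(natpt_prefix)
        if self.prefix.prefixlen != 96:
            raise ValueError("a NAT-PT prefix is 96 bits long")
        self.v6bound_static = {}              # natpt v6bound static: IPv6 host -> IPv4 address
        self.v4bound_static = {}              # natpt v4bound static: IPv4 host -> IPv6 address
        self.pool = [IPv4(a) for a in pool]   # natpt address-group, no-pat behaviour only
        self.dynamic = {}                     # IPv6 host -> IPv4 address taken from the pool

    def add_v6bound_static(self, ipv6, ipv4):
        self.v6bound_static[IPv6(ipv6)] = IPv4(ipv4)

    def add_v4bound_static(self, ipv4, ipv6):
        self.v4bound_static[IPv4(ipv4)] = IPv6(ipv6)

    def embed(self, v4):
        """IPv4 -> IPv6: the NAT-PT prefix in the high 96 bits, the IPv4 address in the low 32."""
        return IPv6(int(self.prefix.network_address) | int(IPv4(v4)))

    def extract(self, v6):
        """IPv6 -> IPv4: the lowest 32 bits of the IPv6 address."""
        return IPv4(int(IPv6(v6)) & 0xFFFFFFFF)

    def v6_to_v4(self, src6, dst6):
        """Session initiated by an IPv6 host. Returns (src4, dst4) as strings, or None."""
        src6, dst6 = IPv6(src6), IPv6(dst6)
        # 1. Translate only if the destination carries the NAT-PT prefix.
        if dst6 not in self.prefix:
            return None
        # 2. Source: static mapping on the IPv6 side, otherwise an address from the pool.
        if src6 in self.v6bound_static:
            src4 = self.v6bound_static[src6]
        else:
            if src6 not in self.dynamic:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None   # no IPv4 address left: the translation fails
                self.dynamic[src6] = free[0]
            src4 = self.dynamic[src6]
        # 3. Destination: static mapping on the IPv4 side if present, else the low 32 bits.
        dst4 = next((v4 for v4, v6 in self.v4bound_static.items() if v6 == dst6), None)
        if dst4 is None:
            dst4 = self.extract(dst6)
        return str(src4), str(dst4)

    def v4_to_v6(self, src4, dst4):
        """Session initiated by an IPv4 host. Returns (src6, dst6) as strings, or None."""
        src4, dst4 = IPv4(src4), IPv4(dst4)
        # 1. Translate only if the destination matches a static mapping on the IPv6 side.
        dst6 = next((v6 for v6, v4 in self.v6bound_static.items() if v4 == dst4), None)
        if dst6 is None:
            return None
        # 2. Source: static mapping on the IPv4 side, otherwise NAT-PT prefix + IPv4 address.
        src6 = self.v4bound_static.get(src4) or self.embed(src4)
        return str(src6), str(dst6)


def demo():
    """Constructed prefix 3001::/96; 198.51.100.5 under that prefix is 3001::c633:6405."""
    nat = NatPt("3001::/96", pool=["192.0.2.50"])
    nat.add_v6bound_static("2001:db8::1", "192.0.2.1")   # IPv6 server seen from IPv4 as 192.0.2.1
    return {
        "v6_init": nat.v6_to_v4("2001:db8::1", "3001::c633:6405"),
        "v6_no_prefix": nat.v6_to_v4("2001:db8::1", "2001:db8::2"),
        "v6_dynamic": nat.v6_to_v4("2001:db8::7", "3001::c633:6405"),
        "v6_exhausted": nat.v6_to_v4("2001:db8::8", "3001::c633:6405"),
        "v4_init": nat.v4_to_v6("198.51.100.5", "192.0.2.1"),
        "v4_unknown": nat.v4_to_v6("198.51.100.5", "192.0.2.99"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two failure modes from the text are visible in the results: an IPv6 packet whose destination does not carry the NAT-PT prefix is not translated, and an IPv4 packet whose destination matches no static mapping on the IPv6 side is not translated either.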

NAT-PT limitations

Because of the following limitations, NAT-PT is not recommended in some applications. For example, tunneling is recommended where an IPv6 host needs to communicate with another IPv6 host across an IPv4 network. For more information about tunneling, see VPN Configuration Guide.
In NAT-PT translation, the request and response packets of a session must be processed by the same NAT-PT device.
The Options field in the IPv4 packet header cannot be translated.
NAT-PT does not provide end-to-end security.

NAT-PT supports ICMP, DNS, FTP, and other protocols that run over the network layer protocol but carry no address information in their protocol messages.

Protocols and standards

RFC 2765, Stateless IP/ICMP Translation Algorithm
RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)

NAT-PT configuration task list

Complete the following tasks to configure NAT-PT to allow active access from an IPv6 host to an IPv4 host:
Enabling NAT-PT: Required.
Configuring a NAT-PT prefix: Required.
Configuring IPv4/IPv6 address mappings on the IPv6 side: Required.
Configuring a static mapping on the IPv4 side: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address.
Setting the ToS field after NAT-PT translation: Optional.

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Enabling NAT-PT: Required.
Configuring a NAT-PT prefix: Required.
Configuring IPv4/IPv6 address mappings on the IPv4 side: Optional. If no IPv4/IPv6 address mapping is configured, the source IPv4 address prefixed with the first configured NAT-PT prefix is used as the translated source IPv6 address.

Configuring IPv4/IPv6 address mappings on the IPv4 side, or Configuring static NAPT-PT mappings of IPv6 servers: Required. Complete either task.
Setting the traffic class field after NAT-PT translation: Optional.

Configuration prerequisites

Before you implement NAT-PT, complete the following tasks:
1. Enable IPv6 on the device. For more information, see Network Management Configuration Guide.
2. Configure an IPv4 or IPv6 address as required on the interface to be enabled with NAT-PT.

Enabling NAT-PT

After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the device can translate between IPv4 and IPv6 addresses. Follow these guidelines when you enable NAT-PT:
The natpt enable command enables both NAT-PT and Address Family Translation (AFT). For information about AFT, see VPN Configuration Guide.
Do not configure NAT-PT mapping policies and AFT policies on the same device.

To enable NAT-PT:

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Enable NAT-PT on the interface.
   natpt enable
   Disabled by default.

Configuring a NAT-PT prefix

Follow these guidelines when you configure a NAT-PT prefix:
The NAT-PT prefix must be different from the IPv6 address prefix of a local interface. Otherwise, incoming packets matching the prefix are lost because of NAT-PT translation.
To delete a NAT-PT prefix that has been referenced by the natpt v4bound dynamic or natpt v6bound dynamic command, cancel the referencing configuration first.

To configure a NAT-PT prefix:

1. Enter system view.
   system-view
2. Configure a NAT-PT prefix.
   natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]

Configuring IPv4/IPv6 address mappings on the IPv6 side

IPv4/IPv6 address mappings on the IPv6 side can be static or dynamic.

Configuring a static mapping on the IPv6 side

A static mapping on the IPv6 side defines a one-to-one correspondence between an IPv4 address and an IPv6 address:
If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static mapping, the source IPv6 address is translated into the corresponding IPv4 address.
If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static mapping, the destination IPv4 address is translated into the corresponding IPv6 address.

To configure a static IPv4/IPv6 address mapping on the IPv6 side:

1. Enter system view.
   system-view
2. Configure a static IPv4/IPv6 address mapping on the IPv6 side.
   natpt v6bound static ipv6-address ipv4-address

Configuring a dynamic mapping policy on the IPv6 side

A dynamic IPv4/IPv6 mapping policy on the IPv6 side works as follows: if the source IPv6 address of a packet matches a specific IPv6 ACL, or the destination IPv6 address carries the specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address from a specific NAT-PT address pool or into the IPv4 address of a specific interface. For ACL configuration, see Access Control Configuration Guide.

The device provides four dynamic mapping policies:
Policy 1: Associate an IPv6 ACL with an address pool. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into an IPv4 address in the specified address pool.
Policy 2: Associate an IPv6 ACL with an interface address. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into the IPv4 address of the specified interface.
Policy 3: Associate a NAT-PT prefix with an address pool.
If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be translated into an IPv4 address in the specified address pool. Policy 4 Associate a NAT-PT prefix with an interface address. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be translated into the IPv4 address of the specified interface. To use policy 1 or 3, configure a NAT-PT address pool first. A NAT-PT address pool is a group of contiguous IPv4 addresses and is used to translate an IPv6 address into an IPv4 address dynamically. When an IPv6 packet is sent from an IPv6 network to an IPv4 network, 39

45 if policy 1 or 3 is set, the NAT-PT device will select an IPv4 address from the NAT-PT address pool as the source IPv4 address of the IPv6 packet. To configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure a NAT-PT address pool. 3. Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side. natpt address-group group-number start-ipv4-address end-ipv4-address Associate an IPv6 ACL with an address pool: natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ] Associate an IPv6 ACL with an interface address: natpt v6bound dynamic acl6 number acl-number interface interface-type interface-number Associate a NAT-PT prefix with an address pool: natpt v6bound dynamic prefix natpt-prefix address-group address-group [ no-pat ] Associate a NAT-PT prefix with an interface address: natpt v6bound dynamic prefix natpt-prefix interface interface-type interface-number Skip this step if you use policy 2 or policy 4. Use one of the commands. The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with the natpt prefix command. If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses, and the end IPv4 address in the address pool is used for NAPT-PT. 18BConfiguring IPv4/IPv6 address mappings on the IPv4 side IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic. 76BConfiguring a static mapping on the IPv4 side A static IPv4/IPv6 address mapping on the IPv4 side shows the one-to-one correspondence between an IPv4 address and an IPv6 address: If the source IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches a static IPv4/IPv6 address mapping, the source IPv4 address is translated into the corresponding IPv6 address. 
If the destination IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches a static IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4 address. To configure a static IPv4/IPv6 address mapping on the IPv4 side: 40

Step                                                               Command
1. Enter system view.                                              system-view
2. Configure a static IPv4/IPv6 address mapping on the IPv4 side.  natpt v4bound static ipv4-address ipv6-address

Configuring a dynamic mapping policy on the IPv4 side
With a dynamic IPv4/IPv6 address mapping policy on the IPv4 side, if the source IPv4 address of a packet matches a specific ACL, the NAT-PT prefix is prepended to the source IPv4 address to form the translated IPv6 address. The natpt-prefix argument specified in the natpt v4bound dynamic acl number acl-number prefix natpt-prefix command must have been configured with the natpt prefix command. For more information about ACLs, see Access Control Configuration Guide.
To configure a dynamic IPv4/IPv6 mapping policy on the IPv4 side:
Step                                                                              Command
1. Enter system view.                                                             system-view
2. Configure a dynamic IPv4/IPv6 source address mapping policy on the IPv4 side.  natpt v4bound dynamic acl number acl-number prefix natpt-prefix

Setting the ToS field after NAT-PT translation
You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0 sets the service priority of the translated packet to the lowest value. Unchanged keeps the existing service priority.
To set the ToS field in packets after NAT-PT translation:
Step                                                                      Command              Remarks
1. Enter system view.                                                     system-view          N/A
2. Set the ToS field in IPv4 packets translated from IPv6 packets to 0.   natpt turn-off tos   By default, the ToS field of a translated IPv4 packet takes the value of the Traffic Class field in the corresponding IPv6 packet.

Setting the traffic class field after NAT-PT translation
You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged. 0 sets the service priority of the translated packet to the lowest value. Unchanged keeps the existing service priority.
To set the Traffic Class field in packets after NAT-PT translation:
Step                                                                                Command                        Remarks
1. Enter system view.                                                               system-view                    N/A
2. Set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0.   natpt turn-off traffic-class   By default, the Traffic Class field of a translated IPv6 packet takes the value of the ToS field in the corresponding IPv4 packet.

Configuring static NAPT-PT mappings of IPv6 servers
Generally, a server such as an FTP, Web, or Telnet server on an IPv6 network provides services for IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can configure a static NAPT-PT mapping between the server's IPv6 address plus port number and an IPv4 address plus port number.
Upon receiving an access request for an IPv6 server from an IPv4 host, the NAT-PT device checks the destination address and port number of the packet against the static address/port mapping of the IPv6 server. If they match, the device translates the source IPv4 address of the packet into the corresponding IPv6 address according to the IPv4/IPv6 address mapping on the IPv4 side, and translates the destination IPv4 address and port number in the request into the corresponding IPv6 address and port number according to the static address/port mapping of the IPv6 server.
When you configure a static address/port mapping for an IPv6 server, specify the following:
- Protocol type: the transport layer protocol used by the server, TCP or UDP.
- IPv4 address and port number of the server: used by IPv4 hosts to access the server.
- IPv6 address and port number of the server.
To configure a static NAPT-PT mapping for an IPv6 server:
Step                                                                       Command
1. Enter system view.                                                      system-view
2. Configure a static address and port number mapping for an IPv6 server.  natpt v4bound static v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number

Displaying and maintaining NAT-PT
Task                                                      Command                                                                           Remarks
Display all NAT-PT configuration information.             display natpt all [ | { begin | exclude | include } regular-expression ]              Available in any view.
Display NAT-PT address pool configuration information.    display natpt address-group [ | { begin | exclude | include } regular-expression ]    Available in any view.
Display the static and dynamic NAT-PT address mappings.   display natpt address-mapping [ | { begin | exclude | include } regular-expression ]  Available in any view.
Display NAT-PT statistics.                                display natpt statistics [ | { begin | exclude | include } regular-expression ]       Available in any view.

Clear all NAT-PT statistics.                              reset natpt statistics                                                            Available in user view.

NAT-PT configuration examples

Configuring dynamic mapping on the IPv6 side
Network requirements
As shown in Figure 32, Router B with IPv6 address 2001::2/64 on an IPv6 network wants to access Router A with IPv4 address /24 on an IPv4 network, whereas Router A cannot actively access Router B.
To meet these requirements, configure Firewall, which is deployed between the IPv4 network and the IPv6 network, as a NAT-PT device, and configure dynamic mapping policies on the IPv6 side on Firewall so that IPv6 hosts can access IPv4 hosts but IPv4 hosts cannot access IPv6 hosts.
Figure 32 Network diagram
Configuration procedure
1. Configure Firewall (NAT-PT device):
# Configure interface addresses and enable NAT-PT on the interfaces.
<Firewall> system-view
[Firewall] ipv6
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address
[Firewall-GigabitEthernet0/1] natpt enable
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ipv6 address 2001::1/64
[Firewall-GigabitEthernet0/2] natpt enable
[Firewall-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[Firewall] natpt prefix 3001::
# Configure a NAT-PT address pool.
[Firewall] natpt address-group
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[Firewall] natpt v6bound dynamic prefix 3001:: address-group 1
2. Configure Router A on the IPv4 side:
# Configure an IP address for GigabitEthernet 0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ip address
[RouterA-GigabitEthernet0/1] quit
# Configure a static route to subnet /24.
[RouterA] ip route-static
3. Configure Router B on the IPv6 side:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for GigabitEthernet 0/1.
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ipv6 address 2001::2/64
[RouterB-GigabitEthernet0/1] quit
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterB] ipv6 route-static 3001:: ::1

Configuring static mappings on the IPv4 side and the IPv6 side
Network requirements
As shown in Figure 33, Router B with IPv6 address 2001::2/64 on an IPv6 network must be able to communicate with Router A with IPv4 address /24 on an IPv4 network.
To meet this requirement, configure Firewall, which is deployed between the IPv4 network and the IPv6 network, as a NAT-PT device, and configure static mappings on the IPv4 side and the IPv6 side on Firewall so that Router A and Router B can communicate with each other.
Figure 33 Network diagram
Configuration procedure
1. Configure Firewall:
# Configure interface addresses and enable NAT-PT on the interfaces.
<Firewall> system-view
[Firewall] ipv6
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address
[Firewall-GigabitEthernet0/1] natpt enable
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ipv6 address 2001::1/64
[Firewall-GigabitEthernet0/2] natpt enable
[Firewall-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[Firewall] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[Firewall] natpt v4bound static ::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[Firewall] natpt v6bound static 2001::
2. Configure Router A:
# Configure an IP address for GigabitEthernet 0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ip address
[RouterA-GigabitEthernet0/1] quit
# Configure a static route to subnet /24.
<RouterA> system-view
[RouterA] ip route-static
3. Configure Router B on the IPv6 side:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for GigabitEthernet 0/1.
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ipv6 address 2001::2/64
[RouterB-GigabitEthernet0/1] quit
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterB] ipv6 route-static 3001:: ::1

Troubleshooting NAT-PT
Symptom
NAT-PT fails when a session is initiated on the IPv6 side.
Solution
1. Enable debugging for NAT-PT and locate the fault according to the debugging information output by the device.
2. During debugging, check whether the source address of a packet is translated successfully. If not, the address pool might not have enough IP addresses.
3. Configure a larger address pool, or use NAPT-PT instead of NAT-PT.
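The prefix embedding and mapping lookups described in the NAT-PT sections above (the IPv4-side dynamic policy, IPv6-side policies 3 and 4, static mappings on both sides, the NAPT-PT end-address behaviour and the prefix guideline), as an added Python model that is not HP's code: it assumes a /96 NAT-PT prefix, and the pool and host addresses are constructed documentation-range values.

```python
from __future__ import annotations
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption (not stated on this page): the NAT-PT prefix is a /96, so the low
# 32 bits of a prefix-matching IPv6 address carry an embedded IPv4 address.
NATPT_PREFIX_LEN = 96


def _prefix_net(prefix: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(f"{prefix}/{NATPT_PREFIX_LEN}", strict=False)


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """IPv4-side dynamic policy: prepend the NAT-PT prefix to an IPv4 source address."""
    base = int(_prefix_net(prefix).network_address)
    return str(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4(prefix: str, ipv6: str) -> Optional[str]:
    """IPv6-side policy 3/4: if the destination carries the NAT-PT prefix,
    return the embedded IPv4 destination; otherwise return None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in _prefix_net(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def prefix_conflicts(prefix: str, interface_prefixes: List[str]) -> bool:
    """Guideline check: a NAT-PT prefix overlapping a local interface prefix
    would make incoming packets for that interface disappear into translation."""
    net = _prefix_net(prefix)
    return any(net.overlaps(ipaddress.IPv6Network(p, strict=False))
               for p in interface_prefixes)


class NatPtDevice:
    """Hypothetical model of the mapping rules on this page (not HP's implementation)."""

    def __init__(self, prefix: str, pool: List[str], no_pat: bool = False):
        self.prefix = prefix
        self.pool = pool            # natpt address-group: contiguous IPv4 addresses
        self.no_pat = no_pat        # natpt v6bound dynamic ... [ no-pat ]
        self.v6bound_static: Dict[str, str] = {}  # IPv6 -> IPv4 (natpt v6bound static)
        self.v4bound_static: Dict[str, str] = {}  # IPv4 -> IPv6 (natpt v4bound static)
        self.dynamic: Dict[str, str] = {}         # IPv6 source -> IPv4 source from the pool

    def _alloc(self, src6: str) -> str:
        if src6 in self.dynamic:
            return self.dynamic[src6]
        if not self.no_pat:
            # NAPT-PT: every IPv6 source shares the end address of the pool;
            # sessions are told apart by translated port numbers.
            chosen = self.pool[-1]
        else:
            # NAT-PT with no-pat: one pool address per IPv6 source, no port translation.
            free = [a for a in self.pool if a not in self.dynamic.values()]
            if not free:
                raise RuntimeError("address pool has no sufficient IP addresses")
            chosen = free[0]
        self.dynamic[src6] = chosen
        return chosen

    def v6_to_v4(self, src6: str, dst6: str) -> Tuple[str, str]:
        """IPv6 host -> IPv4 host: destination from the prefix, source from the
        static mapping if one exists, otherwise from the dynamic policy."""
        dst4 = extract_ipv4(self.prefix, dst6)
        if dst4 is None:
            raise ValueError("destination does not carry the NAT-PT prefix")
        src4 = self.v6bound_static.get(src6) or self._alloc(src6)
        return src4, dst4

    def v4_to_v6(self, src4: str, dst4: str) -> Tuple[str, str]:
        """IPv4 host -> IPv6 host: reachable only through an IPv6-side mapping
        (static, or a dynamic one left by earlier IPv6-initiated traffic)."""
        for ip6, ip4 in list(self.v6bound_static.items()) + list(self.dynamic.items()):
            if ip4 == dst4:   # with NAPT-PT the real device would also key on the port
                dst6 = ip6
                break
        else:
            raise ValueError("no IPv6-side mapping for destination; IPv4 side cannot initiate")
        src6 = self.v4bound_static.get(src4) or embed_ipv4(self.prefix, src4)
        return src6, dst6
```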

NAT444
The device does not support stateful failover of the NAT444 feature. NAT444 can be configured only at the CLI.

Feature and hardware compatibility
Hardware                 NAT444 compatible
F1000-A-EI/F1000-S-EI    No
F1000-E                  No
F5000                    No
Firewall module          Yes
U200-A                   No
U200-S                   No

Overview
Features
NAT444 translates an IPv4 address to a second IPv4 address and then to a third IPv4 address, that is, two NAT stages. Compared to transition technologies such as DS-Lite, NAT64, 6RD, and dual stack, it costs less on the access devices and services because it only adds a second NAT stage at the carrier grade.

Assigning port blocks
NAT444 applies to scenarios where multiple users share one public address to access services, and it solves the user tracing problem by assigning port blocks. As shown in Figure 34, after NAT444 translation, the two internal users shown in the figure use the same public address but different port numbers to access Internet services.
Figure 34 Assigning port blocks

Static mappings
Figure 35 User tracing process
The transition deployment scheme supports two IP-port mapping modes: static and dynamic.
- Static IP-port mapping mode: AAA and the Carrier Grade NAT (CGN) receive their parameters from the network management system and run the same algorithm to generate mappings. During address tracing, AAA and CGN do not exchange mappings with each other; AAA traces the address directly.
- Dynamic IP-port mapping mode: CGN reports the mappings between user addresses and port blocks to the log server or AAA server through syslog or RADIUS packets. During address tracing, AAA requests the mappings from the log server.
The dynamic IP-port mapping mode applies to Broadband Remote Access Server (BRAS) cards. After assigning an IP address to an online user, the BRAS dynamically determines the public address and port block used by the user, generates an address mapping table, and reports the table to the AAA server through extended RADIUS packets. In theory, this mode uses port block resources efficiently, but the benefit is realized only when no user accesses any service for a long time.
The following factors may affect user tracing:
- When a great number of users go online and offline, the large number of syslogs and RADIUS packets generated increases the load on the AAA servers or log servers. The log servers might not keep up, and the performance of the AAA servers might be affected.
- Syslogs and RADIUS packets are carried over UDP, so dynamic IP-port mappings may be lost.
- In dynamic IP-port mapping mode, mappings must be stored together with the time periods they were valid, so the AAA servers and log servers need large storage space.

NAT unlimited connection
NAT unlimited connection allows NAT addresses and port numbers to be reused without limit. As shown in Figure 36, different sources (different addresses or different ports) can reuse a NAT address and port number as long as the destination address or destination port number is different.

Figure 36 NAT unlimited connection

User connection limit
You can use connection limits to prevent excessive sessions from occupying large amounts of resources and to prevent external attacks after Full cone NAT is enabled.

Full cone NAT
Enable Full cone NAT when a P2P node behind the NAT device provides download services to external hosts.

Multiple routing protocols
NAT444 supports static routes and policy-based routes as well as dynamic routing protocols such as OSPF, BGP, and IS-IS.

NAT444 configuration task list
Task                                          Remarks
Configuring NAT444 static IP-port mappings    Either is required.
Configuring NAT444 dynamic IP-port mappings   Either is required.
Configuring Full cone NAT                     Optional.
Configuring NAT444 logging                    Optional.
When static NAT444, dynamic NAT444, static NAT, and dynamic NAT all exist and apply to the same flows, they are matched in the following order:
1. Static NAT.
2. Static NAT444.
3. Dynamic NAT444 and dynamic NAT, whose ACLs are matched in descending order.

Configuring NAT444 static IP-port mappings
By configuring an internal-to-external IP-port mapping manually, you have NAT444 assign a public address and a port block to each user address in the private address range. The CGN uses the specified public address and port block to translate the private source IP address and port when an internal user accesses an external network.
To configure a NAT444 static IP-port mapping in system view:

Step                                                                                       Command                                                                                                                                                                                         Remarks
1. Enter system view.                                                                      system-view                                                                                                                                                                                     N/A
2. Configure a NAT444 static IP-port mapping.                                              nat444 static local local-start-address local-end-address [ vpn-instance local-name ] global global-start-address global-end-address port-range port-range-start port-range-end block-size block-size   The command takes effect globally.
3. Enter interface view.                                                                   interface interface-type interface-number                                                                                                                                                       N/A
4. Enable static NAT444 on the interface so that the static IP-port mapping takes effect.  nat outbound static                                                                                                                                                                             The command applies to the interface.
To configure a NAT444 static IP-port mapping in interface view:
Step                                                                                       Command
1. Enter system view.                                                                      system-view
2. Enter interface view.                                                                   interface interface-type interface-number
3. Configure a NAT444 static IP-port mapping.                                              nat444 static local local-start-address local-end-address [ vpn-instance local-name ] global global-start-address global-end-address port-range port-range-start port-range-end block-size block-size
4. Enable static NAT444 on the interface so that the static IP-port mapping takes effect.  nat outbound static

Configuring NAT444 dynamic IP-port mappings
NAT444 dynamic IP-port mappings combine traditional dynamic NAT associations (configured with nat outbound acl) and NAT444 static IP-port mappings. When an internal user accesses the Internet, NAT444 translates the source addresses of the outbound packets permitted by the associated ACL. On the user's first connection, NAT444 assigns the user a dynamic IP-port block from the associated public address pool. For the user's subsequent connections, the public port for the source address translation is taken from the assigned port block. When all connections from the user are closed, the assigned IP-port block is released.
To enable dynamic NAT444, associate an ACL with an address pool on an interface. Configure dynamic NAT444 on the outbound interface of the NAT device and, if needed, on multiple outbound interfaces for an internal host.
Configuration prerequisites
- Configure an ACL to specify the IP addresses permitted to be translated.
- Configure a public IP address pool for address translation.
For ACL, address pool, and address group configuration, see Access Control Configuration Guide and "Configuring NAT".

Configuration procedure
Step                          Command                                                                                                                 Remarks
1. Enter system view.         system-view                                                                                                             N/A
2. Enter interface view.      interface interface-type interface-number                                                                               N/A
3. Configure outbound NAT444. nat444 outbound acl-number address-group group-number port-range port-range-start port-range-end block-size block-size  The ACL can be modified and can even be nonexistent, but the configuration does not take effect while the ACL does not exist. The address pool must exist and cannot be modified once it is referenced.
A NAT444 dynamic IP-port mapping is created when a user first accesses the Internet and is removed when the user's last connection is removed. You cannot remove a NAT444 dynamic IP-port mapping manually. When you remove the NAT444 dynamic associations of an interface, if no other NAT444 association references the address pool, all NAT444 dynamic IP-port mappings of the address pool are removed.

Configuring Full cone NAT
Full cone NAT sets the mapping behavior mode for NAT444:
- Endpoint-Independent Mapping: For packets with the same source address and port number, the same NAT444 mapping applies, so the source IP address and port number are mapped to the same external address and port number regardless of the destination addresses of the packets. The NAT444 gateway also allows external hosts to reach the internal host by using the translated external address and port number. This mode facilitates communication between hosts that sit behind different NAT444 gateways.
- Address and Port-Dependent Mapping: For packets with the same source address and source port number but different destination addresses and destination port numbers, different NAT444 mappings apply, so the source address and port number are mapped to the same external IP address but different port numbers. The NAT444 gateway allows only the hosts on the external networks where these destination addresses reside to access the internal network. This mode is more secure but inconvenient for communication between hosts that sit behind different NAT444 gateways.
If an ACL is configured, NAT444 mapping in endpoint-independent mapping mode applies only to packets permitted by the ACL. If no ACL is configured, it applies to all packets.
To configure Full cone NAT:
Step                         Command                                                  Remarks
1. Enter system view.        system-view                                              N/A
2. Configure Full cone NAT.  nat mapping-behavior endpoint-independent [ acl acl-num ] By default, the NAT444 mapping behavior mode is Address and Port-Dependent Mapping.
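The two mapping behavior modes above, including the optional ACL that restricts endpoint-independent mapping to permitted sources, as an added Python model written for this guide (not HP's implementation): the public address, ports and the address-and-port-dependent inbound check are constructed approximations of the behaviour the text describes.

```python
from __future__ import annotations
from typing import Callable, Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)

EIM = "endpoint-independent"          # nat mapping-behavior endpoint-independent
APDM = "address-and-port-dependent"   # the default mapping behavior mode


class Nat444Gateway:
    """Hypothetical model of a NAT444 gateway's mapping behavior (constructed)."""

    def __init__(self, mode: str, acl: Optional[Callable[[Endpoint], bool]] = None,
                 external_ip: str = "203.0.113.1", first_port: int = 1024):
        self.mode = mode
        self.acl = acl                  # optional: EIM only for sources the ACL permits
        self.external_ip = external_ip  # constructed public address
        self.next_port = first_port
        self.mappings: Dict[tuple, Endpoint] = {}   # mapping key -> external (ip, port)
        self.sessions: Set[Tuple[Endpoint, Endpoint]] = set()  # (external, remote) seen

    def _mode_for(self, src: Endpoint) -> str:
        if self.mode == EIM and (self.acl is None or self.acl(src)):
            return EIM
        return APDM

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an internal src -> dst packet and return the external endpoint.
        EIM keys the mapping on the source only; APDM keys it on source and destination."""
        key = (src,) if self._mode_for(src) == EIM else (src, dst)
        if key not in self.mappings:
            self.mappings[key] = (self.external_ip, self.next_port)
            self.next_port += 1
        ext = self.mappings[key]
        self.sessions.add((ext, dst))
        return ext

    def inbound_allowed(self, ext: Endpoint, remote: Endpoint) -> bool:
        """Would an unsolicited packet from `remote` to the external endpoint be let in?"""
        for key, mapped in self.mappings.items():
            if mapped != ext:
                continue
            if len(key) == 1:
                return True   # endpoint-independent: any external host may use the mapping
            # address-and-port-dependent: only a remote endpoint this mapping already
            # talked to (approximation of "hosts on the corresponding external networks")
            return (ext, remote) in self.sessions
        return False
```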

Configuring NAT444 logging
NAT444 sends the following logs to the log server when an internal user accesses the Internet through NAT444:
- NAT444 user log
- NAT444 session establishment log
- NAT444 session removal log
NAT444 logs support two formats: china-telecom and china-unicom-nat444. You select the format with the info-center format command. For more information about NAT444 log formats and logging configuration, see System Management and Maintenance Configuration Guide and System Management and Maintenance Command Reference.
To configure NAT444 logging:
Step                       Command                                          Remarks
1. Enter system view.      system-view                                      N/A
2. Enable NAT444 logging.  nat444 log { user | session-start | session-end } By default, NAT444 logging is disabled.

Displaying and maintaining NAT444
Task                                       Command                                Remarks
Display NAT444 static IP-port mappings.    display nat444 static-ip-port-block    Available in any view.
Display NAT444 dynamic IP-port mappings.   display nat444 dynamic-ip-port-block   Available in any view.

NAT444 configuration examples
Network requirements
NAT444 gateways can be deployed in a MAN, attached to BRASs or core routers (CRs) in bypass mode, to interconnect an IPv4 network with an IPv6 network.
Bypass BRAS

Figure 37 A BRAS with 1 to n NAT444 gateways network diagram
a) Distributed bypass NAT444
b) Distributed inserted card NAT444
Bypass core router
Figure 38 A CR with 1 to n NAT444 gateways network diagram
a) Centralized bypass NAT444
b) Centralized inserted card NAT444

Configuration procedure
This configuration example covers only the NAT444 device. For the configuration of the other network devices, see the descriptions of the related features.
Configure a static NAT444 IP-port mapping:
# Configure a static NAT444 IP-port mapping.
<Sysname> system-view
[Sysname] nat444 static local global port-range block-size 1000
# Enable static NAT444 on the outbound interface to make the IP-port mapping take effect.
[Sysname] interface ten-gigabitethernet0/
[Sysname-Ten-GigabitEthernet0/0.1002] nat444 outbound static
[Sysname-Ten-GigabitEthernet0/0.1002] quit
# Enable NAT444 logging.
[Sysname] nat444 log user
[Sysname] nat444 log session-start
[Sysname] quit
# Display static NAT444 IP-port mappings.
<Sysname> display nat444 static-ip-port-block
NAT ip-port-assign table:
Local-ip <-> Global-ip : (Port1 - Port2 )
(The address and port values of the table rows are not preserved in this copy of the document.)
Configure a dynamic NAT444 IP-port mapping:
# Configure address pool 1.
<Sysname> system-view
[Sysname] nat address-group
# Create ACL 3000, permitting packets from the specified source to pass through.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source
[Sysname-acl-adv-3000] quit
# Configure a dynamic NAT444 IP-port mapping.
[Sysname] interface Ten-GigabitEthernet0/
[Sysname-Ten-GigabitEthernet0/0.1002] vlan-type dot1q vid 1002
[Sysname-Ten-GigabitEthernet0/0.1002] nat444 outbound 3000 address-group 1 port-range block-size 1000
[Sysname-Ten-GigabitEthernet0/0.1002] ip address
[Sysname-Ten-GigabitEthernet0/0.1002] quit
# Enable NAT444 logging.
[Sysname] nat444 log user
[Sysname] nat444 log session-start
# Display dynamic IP-port mappings.
[Sysname] display nat444 dynamic-ip-port-block
Dynamic NAT444 IP-port-block tables: (Used: 3, Unused:97)
Local-IP <-> Global-IP Port-block : Connections, Local-VPN
<-> : ( ) : 252,
<-> : ( ) : 252,
<-> : ( ) : 251,
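The static and dynamic IP-port block assignment described in the NAT444 sections above (nat444 static ... port-range ... block-size, nat444 outbound ..., and the user tracing that port blocks make possible), as an added Python model that is not HP's code: the page does not state the assignment algorithm, so sequential assignment is an assumption, and all addresses are constructed documentation-range values.

```python
from __future__ import annotations
import ipaddress
from typing import Dict, List, Optional, Tuple

Block = Tuple[str, int, int]   # (global IP, first port, last port)


def _ipv4_range(start: str, end: str) -> List[str]:
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if b < a:
        raise ValueError("end address precedes start address")
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


def _blocks(global_start: str, global_end: str,
            port_start: int, port_end: int, block_size: int) -> List[Block]:
    """Carve every public address's port range into fixed-size port blocks."""
    if block_size <= 0 or port_end - port_start + 1 < block_size:
        raise ValueError("port range does not hold a single block")
    return [(g, p, p + block_size - 1)
            for g in _ipv4_range(global_start, global_end)
            for p in range(port_start, port_end - block_size + 2, block_size)]


def static_ip_port_blocks(local_start: str, local_end: str, global_start: str,
                          global_end: str, port_start: int, port_end: int,
                          block_size: int) -> Dict[str, Block]:
    """Model of `nat444 static local ... global ... port-range ... block-size ...`.
    Assumption (the page does not state the algorithm): private addresses get
    blocks in order, walking the public addresses in order."""
    users = _ipv4_range(local_start, local_end)
    blocks = _blocks(global_start, global_end, port_start, port_end, block_size)
    if len(users) > len(blocks):
        raise ValueError(f"{len(users)} private addresses but only {len(blocks)} port blocks")
    return dict(zip(users, blocks))


def trace_user(table: Dict[str, Block], global_ip: str, port: int) -> Optional[str]:
    """User tracing in static mode: which private address owned (global_ip, port)?
    No logs are needed, because AAA can recompute the same table."""
    for local_ip, (g, p1, p2) in table.items():
        if g == global_ip and p1 <= port <= p2:
            return local_ip
    return None


class DynamicPortBlocks:
    """Model of `nat444 outbound ... address-group ... port-range ... block-size`:
    a block is assigned on the user's first connection and released with the last."""

    def __init__(self, global_start: str, global_end: str,
                 port_start: int, port_end: int, block_size: int):
        self.free = _blocks(global_start, global_end, port_start, port_end, block_size)
        self.assigned: Dict[str, Block] = {}
        self.connections: Dict[str, int] = {}
        self.log: List[tuple] = []   # constructed stand-in for the NAT444 user log

    def connect(self, local_ip: str) -> Block:
        if local_ip not in self.assigned:
            if not self.free:
                raise RuntimeError("address pool exhausted: no free port block")
            self.assigned[local_ip] = self.free.pop(0)
            self.log.append(("user-assign", local_ip, self.assigned[local_ip]))
        self.connections[local_ip] = self.connections.get(local_ip, 0) + 1
        return self.assigned[local_ip]

    def disconnect(self, local_ip: str) -> None:
        self.connections[local_ip] -= 1
        if self.connections[local_ip] == 0:
            block = self.assigned.pop(local_ip)
            del self.connections[local_ip]
            self.free.append(block)
            self.log.append(("user-release", local_ip, block))
```

In dynamic mode the `log` list is what a log server would have to retain to answer a later tracing query, which is the storage and loss concern the "Static mappings" section raises.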

Configuring ALG
Application Level Gateway (ALG) processes the payload of application layer packets to make sure data connections can be established. Usually NAT translates only the IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the payloads of some protocols carry IP address or port information, which causes problems if it is not translated. For example, an FTP application involves both a data connection and a control connection, and the data connection is established dynamically based on payload information carried on the control connection.
ALG can work with NAT and ASPF to implement the following functions:
- Address translation: Resolves the source IP address, port, protocol type (TCP or UDP), and remote IP address information in packet payloads.
- Data connection detection: Extracts the information required for data connection establishment and establishes data connections for data exchange.
- Application layer status checking: Inspects the state of the application layer protocol in packets. Packets with correct states have their status updated and are sent for further processing; packets with incorrect states are dropped.
Support for these functions depends on the application layer protoc ol. ALG can process the following protocol packets:
- DNS
- FTP
- GTP
- H.323, including RAS, H.225, and H.245
- ICMP
- ILS
- MSN
- NBT
- PPTP
- QQ
- RTSP
- RSH
- SCCP
- SIP
- SQLNET, an Oracle protocol
- TFTP
When using ALG to process protocol packets, follow these guidelines:
- H.323 protocol packets cannot be forwarded at Layer 2, because the Layer 2 header is removed from H.323 fragmented packets in the cache.
- ALG can process RSH protocol packets only on enhanced firewall modules.

ALG process
The following example describes FTP operation through an ALG-enabled device. As shown in Figure 39, a host on the external network accesses the FTP server on the internal network in passive mode through the ALG-enabled device.
Figure 39 Network diagram for ALG-enabled FTP application in passive mode
The communication process includes the following steps:
1. Establishing a control connection. The host sends a TCP connection request to the server. After the TCP connection is established, the server and the host enter the user authentication stage.
2. Authenticating the user. The host sends the server an authentication request that contains the FTP commands (user and password) and their arguments. When the request passes through the ALG-enabled device, the commands in the payload of the packet are resolved and used to check whether the protocol state transition is proceeding correctly. If not, the request is dropped. In this way, ALG protects the server against clients that send packets with state errors or log in to the server with unauthorized user accounts. An authentication request with the correct state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.
3. Establishing a data connection. If the host passes authentication, a data connection is established between it and the server. When the host accesses the server in passive mode, the server sends the host a PASV response that carries its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled device, the device resolves the packet and translates the server's private network address and port number into the server's public network address and port number (IP2, Port2). Then, the device uses the public network address and port number to establish the data connection with the host.
4. Exchanging data. The host and the FTP server exchange data through the established data connection.

Configuring ALG in the Web interface
By default, ALG is enabled only for FTP.
Configuration procedure
To enable ALG for protocols:
1. From the navigation tree, select Firewall > ALG.
Figure 40 ALG configuration page
2. Add the target application protocols to the Selected Application Protocols list to enable ALG for them. By default, ALG is enabled for all protocols.
3. Click Apply.

FTP ALG configuration example
Network requirements
As shown in Figure 56, a company uses the private network segment /24. The company wants to provide FTP services on a public IP address. Configure NAT and ALG on the firewall so that hosts on the external network can access the FTP server on the internal network.
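The FTP ALG process described above (state checking of the control-connection commands, and rewriting of the PASV reply from the server's private IP1/Port1 to the public IP2/Port2), as an added Python model written for this guide and not HP's implementation: the server addresses, the public port allocator and the pre-login state table are constructed assumptions.

```python
from __future__ import annotations
import re
from typing import Dict, List, Optional, Tuple

# A PASV reply looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PASV reply, or None if it is not a well-formed 227 reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    o = ip.split(".")
    return f"227 Entering Passive Mode ({o[0]},{o[1]},{o[2]},{o[3]},{port // 256},{port % 256})"


class FtpAlg:
    """Hypothetical model of the ALG-enabled device for one FTP control connection."""

    # Allowed pre-login transitions (constructed); anything else is a state error.
    TRANSITIONS = {
        ("CONNECTED", "USER"): "NEED_PASS",
        ("NEED_PASS", "PASS"): "AUTHENTICATING",
    }

    def __init__(self, server_private_ip: str, server_public_ip: str,
                 first_public_port: int = 40000):
        self.ip1, self.ip2 = server_private_ip, server_public_ip   # (IP1) and (IP2) in the text
        self.next_port2 = first_public_port                        # constructed Port2 allocator
        self.state = "CONNECTED"
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (IP2,Port2) -> (IP1,Port1)
        self.dropped: List[str] = []

    def from_client(self, line: str) -> bool:
        """Return True if the command is forwarded to the server, False if dropped."""
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "QUIT" or self.state == "LOGGED_IN":
            return True   # normal session commands (PASV, LIST, RETR, ...) after login
        nxt = self.TRANSITIONS.get((self.state, cmd))
        if nxt is None:
            self.dropped.append(line)   # e.g. PASV before authentication: state error
            return False
        self.state = nxt
        return True

    def from_server(self, reply: str) -> str:
        """Track the login outcome and rewrite a PASV reply that exposes IP1/Port1."""
        if reply.startswith("230") and self.state == "AUTHENTICATING":
            self.state = "LOGGED_IN"
            return reply
        if reply.startswith("530"):
            self.state = "CONNECTED"   # failed login: the client must start over
            return reply
        parsed = parse_pasv(reply)
        if parsed is None or parsed[0] != self.ip1 or self.state != "LOGGED_IN":
            return reply               # not a PASV reply for the protected server
        port1 = parsed[1]
        port2 = self.next_port2
        self.next_port2 += 1
        self.pinholes[(self.ip2, port2)] = (self.ip1, port1)   # expected data connection
        return format_pasv(self.ip2, port2)
```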

Figure 41 Network diagram (FTP server with local and global addresses on the /24 internal network, Firewall interface GE0/ facing the Internet, external Host)
Configuration procedure
This section describes the ALG configuration only, assuming that the other required configurations on the server and client have been completed.
1. Enable ALG for FTP. (By default, ALG is enabled for FTP, so this step can be skipped.)
   a. Select Firewall > ALG from the navigation tree.
   b. Add ftp to the Selected Application Protocols list.
   c. Click Apply.
Figure 42 Enabling ALG for FTP
2. Configure an internal FTP server:
   a. Select Firewall > NAT > Internal Server from the navigation tree.
   b. In the Internal Server area, click Add.
   c. Select GigabitEthernet0/1.
   d. Enter the external IP address of the FTP server.
   e. Enter 21 as the global port.
   f. Enter the internal IP address of the FTP server.
   g. Click Apply.

Figure 43 Adding an internal FTP server

SIP/H.323 ALG configuration example
H.323 ALG configuration is similar to SIP ALG configuration. This example discusses SIP ALG configuration.
Network requirements
As shown in Figure 57, a company uses the private network segment /24 and has four public network addresses. SIP UA 1 is on the internal network and SIP UA 2 is on the external network. Configure NAT and ALG on the firewall so that SIP UA 1 and SIP UA 2 can communicate by using their aliases, and SIP UA 1 selects an IP address from the configured public address range when registering with the SIP server on the external network.
Figure 44 Network diagram
Configuration procedure
This section describes the ALG configuration only, assuming that the other required configurations on the server and client have been completed.
1. Enable ALG for SIP:

   a. Select Firewall > ALG from the navigation tree.
   b. Add sip to the Selected Application Protocols list.
   c. Click Apply.
Figure 45 Enabling ALG for SIP
2. Configure ACL 2001:
   a. Select Firewall > ACL from the navigation tree.
   b. Click Add.
   c. Enter 2001 in the ACL Number field.
   d. Select Config as the match order.
   e. Click Apply.
Figure 46 Adding ACL 2001
   f. Click the icon for ACL 2001.
   g. Click Add.
   h. Select Permit as the operation.
   i. Select Source IP Address, enter the source IP address of the /24 segment, and enter the source wildcard.
   j. Click Apply.
Figure 47 Configuring an ACL rule to permit packets sourced from /24
   k. Click Add.
   l. Select Deny as the operation.
   m. Click Apply.
Figure 48 Configuring an ACL rule to deny packets
3. Configure the NAT address pool:
   a. Select Firewall > NAT Policy > Dynamic NAT from the navigation tree.
   b. In the Address Pool area, click Add.
   c. Enter 1 in the Index field.
   d. Enter the start IP address of the public address range.
   e. Enter the end IP address of the public address range.
   f. Click Apply.
Figure 49 Adding a NAT address pool
4. Configure dynamic NAT:
   a. In the Dynamic NAT area, click Add.
   b. Select GigabitEthernet0/1.
   c. Enter 2001 in the ACL field.
   d. Select PAT as the address translation method.
   e. Enter 1 as the address pool index.
   f. Click Apply.
Figure 50 Configuring dynamic NAT

NBT ALG configuration example
Network requirements
As shown in Figure 58, a company using the private network segment /24 wants to provide NBT services to the outside. Configure NAT and ALG on the firewall so that Host A and the WINS server each use their own external IP address, and Host B can access the WINS server and Host A by using host names.

68 Figure 51 Network diagram 149BConfiguration procedure This section describes ALG configuration only, assuming that other required configurations on the server and client have been done. 1. Enable ALG for NBT: a. Select Firewall > ALG from the navigation tree. b. Add nbt to the Selected Application Protocols list. c. Click Apply. Figure 52 Enabling ALG for NBT 2. Configure static NAT: a. Select Firewall > NAT > Static NAT from the navigation tree. b. In the Static Address Mapping area, click Add. c. Enter as the internal IP address. d. Enter as the global IP address. e. Click Apply. 63

69 Figure 53 Adding a static address mapping 3. Configure static NAT for interface GigabitEthernet 0/1: a. In the Interface Static Translation area, click Add. b. Select GigabitEthernet0/1. c. Click Apply. Figure 54 Configuring static NAT for interface GigabitEthernet 0/1 4. Configure an internal WINS server: a. Select Firewall > NAT > Internal Server from the navigation tree. b. In the Internal Server area, click Add. c. Select GigabitEthernet0/1. d. Select 17(UDP) as the protocol type, e. Enter as the external IP address. f. Enter 137 as the global port. g. Enter as the internal IP address. h. Enter 137 as the internal port. i. Click Apply. 64

70 Figure 55 Configuring an internal WINS server j. In the Internal Server area, click Add. Configure an interval WINS server, which is similar to the configuration shown in 284HFigure 55. k. Select GigabitEthernet0/1. l. Select 17(UDP) as the protocol type, m. Enter as the external IP address. n. Enter 138 as the global port. o. Enter as the internal IP address. p. Enter 138 as the internal port. q. Click Apply. r. In the Internal Server area, click Add. Configure an interval WINS server, which is similar to the configuration shown in 285HFigure 55. s. Select GigabitEthernet0/1. t. Select 6(TCP) as the protocol type. u. Enter as the external IP address. v. Enter 139 as the global port. w. Enter as the internal IP address. x. Enter 139 as the internal port. y. Click Apply. 65
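What the three examples above rely on, shown as an added illustration that is not code from this guide or from the firewall: FTP, SIP and NBT all carry the speaker's own IP address inside the application payload (the PORT/PASV address tuple, the Via and Contact headers and the SDP c=/m= lines, the NB_ADDRESS field of a name query response). Translating the IP header alone leaves the peer with a private address it cannot reach, so an ALG has to rewrite the payload and open the matching pinholes. The Python below does that for constructed samples. The addresses 10.1.1.2 and 198.51.100.10, the host and user names, the transaction ID and the port numbers are assumptions, not the values elided from the guide. It also includes the check a sound ALG makes that the procedure does not spell out: a PORT/PASV tuple naming any host other than the session's own inside endpoint, or a privileged port, must be refused, otherwise the ALG becomes a way for one party to open pinholes to a third.

```python
"""Toy application-layer gateway (ALG) for FTP, SIP/SDP and NetBIOS name service:
rewrite the private address each protocol carries in its payload and report the
pinholes NAT must open, as the firewall's ALG does. Added illustration, not HP/H3C
firewall code; addresses are constructed (RFC 1918/5737), not the guide's values."""
import re
import socket
import struct

INSIDE = "10.1.1.2"       # assumed private address of the FTP/WINS server or SIP UA 1
GLOBAL = "198.51.100.10"  # assumed public address NAT maps it to

def _swap(text, inside, public):
    """Replace a whole dotted quad only (10.1.1.2 must not hit 10.1.1.20)."""
    return re.sub(r"(?<![\d.])%s(?![\d.])" % re.escape(inside), public, text)

# FTP: "PORT h1,h2,h3,h4,p1,p2" from the client, "227 ... (h1,h2,h3,h4,p1,p2)" from the server
FTP_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def ftp_rewrite(line, inside, public):
    """Return (rewritten_line, pinhole); pinhole = (proto, global_ip, global_port,
    inside_ip, inside_port) for the data connection, None if no tuple is present.
    A tuple naming any host but the session's own inside endpoint, or a privileged
    port, is refused: it would open a pinhole to a third party (FTP bounce, RFC 2577)."""
    m = FTP_TUPLE.search(line)
    if not m:
        return line, None
    h = m.groups()
    ip, port = ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
    if ip != inside or port < 1024:
        raise ValueError("refusing ALG pinhole to %s:%d" % (ip, port))
    new = "%s,%d,%d" % (public.replace(".", ","), port // 256, port % 256)
    return line[:m.start()] + new + line[m.end():], ("tcp", public, port, inside, port)

# SIP: Via and Contact headers plus the SDP o=/c=/m= lines
def sip_rewrite(msg, inside, public):
    """Return (rewritten_msg, pinholes). Content-Length is recomputed: the body grows
    when a longer public address replaces the private one, and a NAT that skips
    this emits a message the far end truncates."""
    head, _, body = msg.partition("\r\n\r\n")
    pinholes, sdp = [], []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = _swap(line, inside, public)
        elif line.startswith("m="):               # media port: RTP, and RTCP on port+1
            port = int(line.split()[1])
            pinholes += [("udp", public, p, inside, p) for p in (port, port + 1)]
        sdp.append(line)
    body = "\r\n".join(sdp)
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = _swap(line, inside, public)
        elif name == "content-length":
            line = "Content-Length: %d" % len(body.encode())
        headers.append(line)
    return "\r\n".join(headers) + "\r\n\r\n" + body, pinholes

# NBT: NB_ADDRESS fields of a positive name query response on UDP 137 (RFC 1002)
def nbt_name(name, suffix=0x00):
    """Second-level encoded NetBIOS name: 0x20, 32 half-byte letters, 0x00."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0xF) + 0x41))
    return b"\x20" + enc + b"\x00"

def nbt_response(trn_id, name, *ips):
    """Constructed positive name query response resolving `name` to `ips`."""
    rdata = b"".join(b"\x00\x00" + socket.inet_aton(ip) for ip in ips)  # NB_FLAGS, NB_ADDRESS
    return (struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0) + nbt_name(name)
            + struct.pack("!HHIH", 0x0020, 1, 300000, len(rdata)) + rdata)

def nbt_rewrite(pkt, inside, public):
    """Rewrite each NB_ADDRESS equal to `inside`; other records pass untouched."""
    ancount = struct.unpack_from("!H", pkt, 6)[0]
    off = 12
    while pkt[off]:                               # skip length-prefixed RR_NAME labels
        off += 1 + pkt[off]
    off += 1
    rtype, _cls, _ttl, rdlength = struct.unpack_from("!HHIH", pkt, off)
    off += 10
    if ancount != 1 or rtype != 0x0020:
        return pkt
    out = bytearray(pkt)
    for a in range(off + 2, off + rdlength, 6):  # 2-byte flags, then 4-byte address
        if socket.inet_ntoa(pkt[a:a + 4]) == inside:
            out[a:a + 4] = socket.inet_aton(public)
    return bytes(out)

# Constructed sample traffic
SAMPLE_PASV = "227 Entering Passive Mode (10,1,1,2,195,149).\r\n"
SIP_BODY = "\r\n".join(["v=0", "o=ua1 1 1 IN IP4 10.1.1.2", "s=-",
                        "c=IN IP4 10.1.1.2", "t=0 0", "m=audio 49170 RTP/AVP 0"])
SAMPLE_SIP = "\r\n".join(["INVITE sip:ua2@example.net SIP/2.0",
                          "Via: SIP/2.0/UDP 10.1.1.2:5060;branch=z9hG4bK776",
                          "From: <sip:ua1@example.net>;tag=1", "To: <sip:ua2@example.net>",
                          "Contact: <sip:ua1@10.1.1.2:5060>", "Content-Type: application/sdp",
                          "Content-Length: %d" % len(SIP_BODY)]) + "\r\n\r\n" + SIP_BODY
SAMPLE_NBT = nbt_response(0x1234, "HOSTA", "10.1.1.2")
```

Call ftp_rewrite, sip_rewrite and nbt_rewrite on the SAMPLE_* constants with INSIDE and GLOBAL. Each returns the rewritten message, and the first two also return the (proto, global address, global port, inside address, inside port) mappings the firewall needs: the internal server entries in the examples above supply those statically for the control ports (21 for FTP, 137/138/139 for NBT), and the ALG adds them on the fly for the FTP data connection and the RTP/RTCP media ports.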
