SecBlade Firewall Cards NAT Configuration Examples

Similar documents
SecBlade Firewall Cards ARP Attack Protection Configuration Examples

SecBlade Firewall Cards Stateful Failover Configuration Examples

SecBlade Firewall Cards Attack Protection Configuration Example

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)

H3C Firewall and UTM Devices L2TP VPN Virtual Firewall Configuration Examples (Comware V5)

H3C SecPath UTM Series. Configuration Examples. Hangzhou H3C Technologies Co., Ltd. Manual Version: 5W

Stateful Failover Technology White Paper

H3C SecPath Series High-End Firewalls

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

SecPath Series Firewalls Virtual Firewall Configuration Examples

H3C SecPath Series High-End Firewalls

SecBlade Firewall Cards Log Management and SecCenter Configuration Example

H3C SecPath Series High-End Firewalls

HP High-End Firewalls

HP Firewalls and UTM Devices

HP High-End Firewalls

H3C SecBlade NetStream Card Configuration Examples

H3C SSL VPN Configuration Examples

SYN Flood Attack Protection Technology White Paper

Configuring a Zone-Based Firewall on the Cisco ISA500 Security Appliance

H3C S7500E-X OSPF Configuration Examples

Stateful Network Address Translation 64

Network Address Translation Bindings

H3C S12500 sflow Configuration Examples

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

HP Load Balancing Module

H3C S12500 Unauthorized DHCP Server Detection Configuration Examples

Operation Manual Security. Table of Contents

H3C S12500 VLAN Configuration examples

H3C SR6600 Routers DVPN Configuration Example

PKI Configuration Examples

CCNA Course Access Control Lists

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

User FAQ for H3C Security Products

Isolate-User-VLAN Technology White Paper

Advanced Security and Forensic Computing

H3C SecPath Series High-End Firewalls

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

Junos Security. Chapter 3: Zones Juniper Networks, Inc. All rights reserved. Worldwide Education Services

DHCP Configuration Examples H3C S7500 Series Ethernet Switches Release Table of Contents

IPv6 ND Configuration Example

Advanced Security and Mobile Networks

PT Activity: Configuring a Zone-Based Policy Firewall (ZPF)

es T tpassport Q&A * K I J G T 3 W C N K V [ $ G V V G T 5 G T X K E G =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX *VVR YYY VGUVRCUURQTV EQO


Configure Basic Firewall Settings on the RV34x Series Router

MAC-Based VLAN Technology White Paper

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product.

CCNA Discovery 3 Chapter 8 Reading Organizer

DHCP H3C Low-End Ethernet Switches Configuration Examples. Table of Contents

HP 5920 & 5900 Switch Series

ASA Access Control. Section 3

Configuring DHCP Features and IP Source Guard

Information About NAT

Sybex CCENT Chapter 12: Security. Instructor & Todd Lammle

Configuring Static and Dynamic NAT Translation

Cisco ASA 5500 LAB Guide

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

Extended ACL Configuration Mode Commands

Case Study. Routing & Switching. Cisco Networking Academy Routing and Switching: Scaling Network Case Study

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1. Table 1 IPv4 ACL categories

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD.

Match-in-VRF Support for NAT

HikCentral V.1.1.x for Windows Hardening Guide

Indicate whether the statement is true or false.

CCNA Security PT Practice SBA

Configuring Network Address Translation

Configuring DHCP Features and IP Source Guard

Configuring Voice VLAN

Multihoming with BGP and NAT

CSC Network Security

Implementing Management Plane Protection

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR)

Implementing Firewall Technologies

Information About NAT

Attack Prevention Technology White Paper

Access Control Lists and IP Fragments

NAT Examples and Reference

Juniper JN DX Specialist (JNCIS-DX) Download Full Version :

Lab - Troubleshooting ACL Configuration and Placement Topology

NAT Examples and Reference

Implementing Management Plane Protection on Cisco IOS XR Software

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

Configuring Dynamic ARP Inspection

HPE IMC NTA MPLS VPN Traffic Analysis Configuration Examples

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

HP High-End Firewalls

Implementing Traffic Filtering with ACLs

Implementing NAT-PT for IPv6

Enabling ALGs and AICs in Zone-Based Policy Firewalls

DPtech ADX3000 Series Application Delivery Gateway User Configuration Guide

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. Multi-Service Business Routers Product Series

Introduction to Firewalls using IPTables

H3C S10500 IP Unnumbered Configuration Examples

H3C S9800 Switch Series

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Transcription:

SecBlade Firewall Cards NAT Configuration Examples Keywords: NAT, PAT, private IP address, public IP address, IP address pool Abstract: This document describes the characteristics, applications scenarios, and configuration examples of the network address translation (NAT) features of SecBlade firewall cards. Acronyms: NAT ALG ACL VPN PAT No-PAT Acronyms Network Address Translator Application Level Gateway Access Control List Virtual Private Network Port Address Translation No-Port Address Translation Full spelling Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/22

Table of Contents Feature Overview 3 Application Scenarios 3 Configuration Guide 3 Devices Supporting NAT 3 Software Version Used 3 Saving Configuration 4 NAT Configuration Examples 4 Network Requirements 5 Device Basic Configuration 5 NAT Configuration Examples 6 Easy IP 6 PAT 8 No-PAT 10 Static NAT 13 Internal server 17 NAT support for Multi-VPN 19 References 22 Protocols and Standards 22 Hangzhou H3C Technologies Co., Ltd. www.h3c.com 2/22

Feature Overview NAT translates an IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access the Internet. With NAT, a small number of public IP addresses are used to enable a large number of internal hosts to access the Internet. Thus, NAT effectively alleviates the depletion of IP addresses. NAT protects the privacy of the internal network and enables the internal network to provide specific services for users on the Internet. The SecBlade firewall card uses a multi-core CPU, featuring excellent service processing capability and performance. It can be used as the security gateway of a large scale enterprise network to provide one-to-many, one-to-one, and internal server address translation functions. In addition, it supports multiple VPNs and the translation of VLAN interfaces addresses. Application Scenarios Using a small number of public IP addresses to enable a large number of internal hosts to access the Internet. Providing privacy for the internal network. Enabling the internal network to provide specific services for users on the Internet. Configuration Guide NAT basic configuration can be performed through the web interface. NAT supports multi-vpn, such as multi-vpn routing and multi-vpn access control list (ACL) can be configured only through the command line interface (CLI). You can configure the following NAT features through the web interface: Easy IP PAT No-PAT Static NAT NAT server Devices Supporting NAT SecBlade firewall cards on S7500E, S9500E, and S12500 Software Version Used SecBlade firewall card: Any of R3166 and F3166 series versions Hangzhou H3C Technologies Co., Ltd. www.h3c.com 3/22

Saving Configuration Save your configuration in time. To do so, select Device Management > Maintenance from the navigation tree to enter the Save page, and click Apply, as shown in the following figure. NAT Configuration Examples A SecBlade firewall card inserted in an S7500E is used in this configuration example. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 4/22

Network Requirements Figure 1 Network diagram for configuring NAT Device Basic Configuration 1) Configuring the S7500E # Configure GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3. interface GigabitEthernet1/0/1 port access vlan 172 interface GigabitEthernet1/0/2 port access vlan 10 interface GigabitEthernet1/0/3 port access vlan 2 # Configure Ten-GigabitEthernet 2/0/1 that connects to the SecBlade firewall card. interface Ten-GigabitEthernet2/0/1 port link-type trunk port trunk permit vlan 1 to 200 2) Configuring the interfaces of the SecBlade firewall card. Select Device Management > Interface from the navigation tree. Create interfaces Ten-GigabitEthernet 0/0.2, Ten-GigabitEthernet 0/0.10, and Ten-GigabitEthernet 0/0.172 and add them to the corresponding zones. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 5/22

3) Configuring an ACL 4) Configure ACL 2000 to permit traffic from subnets 1.1.1.0/24 and 2.1.1.0/24 to subnet 172.16.0.0/24. Select Firewall > ACL from the navigation tree, and click Add to enter the following page: Type 2000 for ACL number. Select the match order Config. Click Apply. Click the icon of ACL 2000 to enter the ACL rule page. Click Add and configure as follows: NAT Configuration Examples Easy IP Requirements Use an ACL to permit only certain internal IP addresses to be NATed and use the public IP address of an interface as the translated source address. Configuration steps Select Firewall > NAT > Dynamic NAT from the navigation tree, to enter the page as shown in the following figure: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 6/22

Click Add in the Dynamic NAT field to enter the Add Dynamic NAT page. Select Ten-GigabitEthernet0/0.172 for Interface, type 2000 for ACL, select Easy IP for Address Transfer, and then click Apply. Access PC 3 in the Untrust zone from PC 2 in the DMZ zone, and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list to view the results. Verification results The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list: Select Firewall > Session Table > Session Summary from the navigation tree to enter the following page: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 7/22

Type 2.1.1.2 in the IP Address text box, and click Search to display the search results, as shown in the following figure. Configuration guidelines Remove the configuration in this example before performing other configuration. PAT Requirements Translate the source IP address of packets into an IP address in the NAT address pool and translate the source port of the packets. Configuration steps 1) Create an address pool. Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the following page: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 8/22

Click Add in the Address Pool field to enter the Add NAT Address Pool page, as shown in the following figure. Type the address pool index, start IP address, and end IP address, and then click Apply. 2) Configure NAT PAT Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the page as shown in the following figure: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 9/22

Click Add in the Dynamic NAT field to enter the Add Dynamic NAT page. Select Ten-GigabitEthernet0/0.172 for Interface, type 2000 for ACL, select PAT for Address Transfer, and then click Apply. Access PC 3 in the Untrust zone from PC 2 in the DMZ zone, and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list to view the results. Verification results The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list: The destination IP address of the response is an IP address in the address pool, and the destination port of the response is different from the source port of the request. Type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure. Configuration guidelines Remove the configuration in this example before performing other configuration. No-PAT Requirements Translate the source IP address of a packet into an IP address in the NAT address pool without translating its source port number. Configuration steps 1) Create an address pool. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 10/22

Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the following page: Click Add in the Address Pool field, to enter the Add NAT Address Pool page, as shown in the following figure. Type the address pool index, start IP address, and end IP address, and then click Apply. 2) Configure No-PAT. Select Firewall > NAT > Dynamic NAT from the navigation tree to enter the following page: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 11/22

Click Add in the Dynamic NAT field to enter the Add Dynamic NAT page. Select Ten-GigabitEthernet0/0.172 for Interface, type 2000 for ACL, select No-PAT for Address Transfer, and then click Apply. Access PC 3 in the Untrust zone from PC 2 in the DMZ zone, and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list to view the results. Verification results The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list: The destination IP address (the translated address) of the session response is an IP address in the address pool and the source port of the request is not changed. Type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 12/22

Configuration guidelines Remove the configuration in this example before performing other configuration. Static NAT Requirements Configure a static one-to-one NAT entry that does not translate the source or destination port. When an ACL is specified, the static NAT entry only translates packets permitted by the ACL. Configuration steps 1) Configure static address translation. Select Firewall > NAT > Static NAT from the navigation tree, as shown in following figure: Click Add in the Static Address Mapping field to enter the Add Static Address Mapping page. Type the internal and global IP addresses and click Apply. 2) Enable static address translation. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 13/22

Select Firewall > NAT > Static NAT from the navigation tree, as shown in following figure: Click Add in the Static Address Mapping field to enter the Enable Interface Static Translation page. Select Ten-GigatbitEthernet0/0.172 for Interface Name and click Apply. Access PC 3 from PC 2 and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list. Verification result (1) is expected. 3) Create an ACL rule to control the access from the Untrust zone to the DMZ zone. By default, the SecBlade firewall card allows hosts in higher-priority security zones to access hosts in lower-priority security zones, but not vice versa. To allow an external host to access an internal host, you need to configure an interzone policy. Select Firewall > Security Policy > Interzone Policy from the navigation tree, as shown below: Click Add to enter the Add ACL Rule page, and perform the configuration to control the access from the Untrust zone to the Trust zone as shown in the figure below: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 14/22

In the same way, create an ACL rule to control the access from the Untrust zone to the Trust zone. The configured ACL rules are shown as follows: Access PC 2 in the DMZ zone from PC 3 in the Untrust zone, and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list. Verification result (2) is expected. 4) Configure ACL 2000 as follows: Apply ACL 2000 to the static NAT entry. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 15/22

Access PC 3 from PC 2 and ping IP address 172.1.1.2. Verification result (3) is expected. Access PC 2 from PC 4 and ping IP address 172.1.1.50. Verification result (4) is expected. Verification results 1) The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list: Type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure. 2) The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list. The destination IP address is translated to the internal address but the destination port number keeps unchanged. Type 172.1.1.2 in the IP Address text box, and click Search to display the search results. 3) PC 2 cannot access PC 3 because ACL 2000 only permits packets from subnet 172.1.1.0 and denies packets from subnet 2.1.1.0. 4) PC 3 can access PC 2 because ACL 2000 permits packets from subnet 172.1.1.0. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 16/22

Configuration guidelines Remove the configuration in this example before performing other configuration. Internal server Requirements Configure an internal server that provides services for external hosts. Upon receiving a request from an external host that wants to access the internal server, NAT translates the destination address and port of the request to the private IP address of the internal server and a specified destination port. Configuration steps 1) Configure an internal server. Select Firewall > NAT > Internal Server from the navigation tree to enter the page as shown below: Click Add to enter the Add Internal Server page, perform the configuration as shown in the page below, and click Apply. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 17/22

2) Create an ACL rule to permit access from the Untrust zone to the DMZ zone. In the same way, create another ACL to permit access from the Untrust zone to the Trust zone. Access PC 2 from PC 3 and ping public IP address 172.1.1.60. Verification result (1) is expected. 3) Create ACL 2000 that denies all packets. 4) Apply ACL 2000 to the internal server as shown below: Hangzhou H3C Technologies Co., Ltd. www.h3c.com 18/22

5) Access PC 2 from PC 3 and ping public IP address 172.1.1.60. Verification result (2) is expected. Verification results 1) The ping operation is successful. Check the session list: Type 172.1.1.2 in the IP Address text box, and click Search to display the search results. 2) The ping operation fails and the internal server does not work because ACL 2000 denies all packets. Configuration guidelines Remove the configuration in this example before performing other configuration. NAT support for Multi-VPN Requirements Easy IP is used in this example. Configuration steps Configure VPNs: 1) You can configure the VPNs in global view at the CLI as follows: Configure VPNs; Bind interfaces to VPNs; Configure VPN routes; Configure ACLs for VPNs. View Command Description [H3C] ip vpn-instance vpn1 [H3C-vpn-instance-vpn1] route-distinguisher 111:1 [H3C-vpn-instance-vpn1] vpn-target 111:1 export-extcommunity Configure a VPN instance. [H3C-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity [H3C-vpn-instance-vpn1] quit [H3C] interface Ten-GigabitEthernet0/0.2 [H3C-Ten-GigabitEthernet0/ 0.2] ip binding vpn-instance vpn1 Bind the interface to the VPN instance. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 19/22

View Command Description [H3C-Ten-GigabitEthernet0/ 0.2] ip address 2.1.1.1 24 Specify an IP address for the interface. [H3C-GigabitEthernet0/3] quit [H3C] interface Ten-GigabitEthernet0/0.10 [H3C- Ten-GigabitEthernet0/0.10] [H3C Ten-GigabitEthernet0/0.10] ip binding vpn-instance vpn1 ip address 172.1.1.1 24 Bind the interface to the VPN instance. Specify an IP address for the interface. [H3C-GigabitEthernet0/1] quit [H3C] acl number 2000 [H3C-acl-basic-2000] rule permit Add an ACL rule. [H3C-acl-basic-2000] rule permit vpn-instance vpn1 Add a VPN ACL rule. [H3C] ip route-static vpn-instance vpn1 0.0.0.0 0 172.1.1.2 public Configure a VPN route to the public network. 2) Select Firewall > NAT > Dynamic NAT from the navigation tree, click Add in the Dynamic NAT field to enter the Add Dynamic NAT page, as shown in the following figure. Select Ten-GigabitEthernet0/0.172 for Interface, type 2000 for ACL, select Easy IP for Address Transfer, and then click Apply. Access PC 3 from PC 2 and perform ping, HTTP, FTP, DNS, and Telnet operations. Check the session list to view the results. Verification results The ping, HTTP, FTP, DNS, and Telnet operations are successful. Check the session list: Type 2.1.1.2 in the IP Address text box and click Search to display the search result, as shown in the following figure. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 20/22

Configuration guidelines Remove the configuration in this example before performing other configuration. Specify a VPN instance when configuring a static NAT entry, as shown below: Specify a VPN instance when configuring an internal server. Hangzhou H3C Technologies Co., Ltd. www.h3c.com 21/22

References Protocols and Standards RFC1631 RFC1918 Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice Hangzhou H3C Technologies Co., Ltd. www.h3c.com 22/22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback