Whether NAT Server can be configured for the USG6000 in transparent mode

The USG2000&5000&6000 support transparent mode.

Yes. However, the post-NAT source address can use addresses in the address pool, but not addresses of outbound interfaces.

NAT Server of the UGS6000 series cannot be bound with the VRRP group.

Login to the USG6000 series in Layer-2 transparent access mode through a service interface The service interface is a Layer-2 interface. It must be added to a VLAN. Then, you can log in to the device through the VLANIF interface. For example, two service interfaces are GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. The configuration is as follows: # Create a VALN and add the interface to the VLAN (by default, the interface belongs to VLAN1). system-view [NGFW] vlan 2 [NGFW-vlan-2] quit [NGFW] interface GigabitEthernet 1/0/1 [NGFW-GigabitEthernet1/0/1] portswitch [NGFW-GigabitEthernet1/0/1] port access vlan 2 [NGFW-GigabitEthernet1/0/1] quit [NGFW] interface GigabitEthernet 1/0/2 [NGFW-GigabitEthernet1/0/2] portswitch [NGFW-GigabitEthernet1/0/2] port access vlan 2 [NGFW-GigabitEthernet1/0/2] quit # Configure a VLANIF interface. [NGFW] interface vlanif 2 [NGFW-Vlanif2] ip address 10.1.3.1 24 [NGFW-Vlanif2] service-manage enable [NGFW-Vlanif2] service-manage stelnet permit [NGFW-Vlanif2] service-manage https permit [NGFW-Vlanif2] quit [NGFW] firewall zone trust [NGFW-zone-trust] add interface vlanif 2 [NGFW-zone-trust] quit After the configuration is complete, you can log in to the device through 10.1.3.1.

In transparent mode, the USG6000 uses the IP address of the VLANIF interface as the address of the LNS server. The NAT server is configured on the access device. The IP address of the VLANIF interface is provided, as a public IP address, for users. Configure the LNS as follows: 1. Configure the VLAN and VLANIF interface. a. Create a VLAN with ID 10. [LNS] vlan 10 [LNS-vlan10] quit b. Add interfaces GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to VLAN 10. [LNS] interface GigabitEthernet 0/0/1 [LNS-GigabitEthernet0/0/1] portswitch [LNS-GigabitEthernet0/0/1] port access vlan 10 [LNS-GigabitEthernet0/0/1] quit [LNS] interface GigabitEthernet 0/0/2 [LNS-GigabitEthernet0/0/2] portswitch [LNS-GigabitEthernet0/0/2] port access vlan 10 [LNS-GigabitEthernet0/0/2] quit c. Create a VLANIF interface and configure an IP address. [LNS] interface vlanif 10 [LNS-Vlanif10] ip address 10.2.1.3 255.255.255.0 [LNS-Vlanif10] quit 2. Configure a static route. a. Configure a default route for the LNS, with the next hop address being the IP address of the access device interface that is directly connected to the LNS. [LNS] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1 b. Configure a route to the server network segment on the HQ intranet, with the next hop address being the IP address of the VLANIF interface in the VLAN where the intranet L3 switch interface that is directly connected to the LNS resides. [LNS] ip route-static 10.4.1.0 255.255.255.0 10.2.1.2 3. Configure the L2TP. a. Configure the local user and password. [LNS] aaa [LNS-aaa] local-user vpnuser@domain1.com password cipher Vpnuser@123 b. Configure the IP address pool and allocate an intranet IP address to the VPN user. [LNS-aaa] domain domain1.com [LNS-aaa-domain-domain1.com] ip pool 1 10.3.1.2 10.3.1.254 [LNS-aaa-domain-domain1.com] quit [LNS-aaa] quit c. Enable the L2TP. [LNS] l2tp enable d. Configure the suffix separator of the domain name. Only separator @ is supported when a user name containing a domain name requires a separator. [LNS] l2tp domain suffix-separator @ e. Create the virtual interface template and configure the related parameters, including the IP address, PPP authentication mode, and address pool binding. [LNS] interface virtual-template 1 [LNS-Virtual-Template1] ip address 10.3.1.1 255.255.255.0 [LNS-Virtual-Template1] ppp authentication-mode chap [LNS-Virtual-Template1] remote address pool 1 [LNS-Virtual-Template1] quit f. Create an L2TP group and configure the related parameters, including the local end name of the tunnel, bound virtual interface template, and password used for L2TP tunnel verification. [LNS] l2tp-group 1 [LNS-l2tp1] tunnel name headquarter [LNS-l2tp1] allow l2tp virtual-template 1 [LNS-l2tp1] tunnel password cipher Tunnel@123 [LNS-l2tp1] quit 4. Add the interface to the security zone and configure the inter-zone packet filter. Note: The Virtual-Template interface can be added to any security zone. If the security zone where the Virtual-Template interface resides is different from the security zone where the interface connecting the HQ LNS and the L3 switch resides, packet filter must be configured for two security zones, so that a dial-up user can access resources on the HQ intranet. Packet filter between the security zone where the interface connecting the LNS and the access device resides and the Local security zone must be enabled to accept tunnel negotiation requests initiated by the LAC, for example, the Untrust security zone where interface (5)GigabitEthernet 0/0/1 resides. a. Add the interface to the security zone. [LNS] firewall zone trust [LNS-zone-trust] add interface Vlanif10 [LNS-zone-trust] add interface Virtual-Template 1 [LNS-zone-trust] quit [LNS] firewall zone untrust [LNS-zone-untrust] add interface GigabitEthernet 0/0/1 [LNS-zone-untrust] quit [LNS] firewall zone dmz [LNS-zone-dmz] add interface GigabitEthernet 0/0/2 [LNS-zone-dmz] quit