Whether NAT Server can be configured for the USG6000 in transparent mode


The USG6000 supports NAT Server in transparent mode. The configuration of NAT Server in transparent mode is the same as that in common mode.

Other related questions:
Whether NAT Server of the USG6000 series can be bound with the VRRP group
NAT Server of the USG6000 series cannot be bound with the VRRP group.

Login to the USG6000 series in Layer-2 transparent access mode through a service interface
The service interface is a Layer-2 interface. It must be added to a VLAN. Then, you can log in to the device through the VLANIF interface. For example, if the two service interfaces are GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, the configuration is as follows:

# Create a VLAN and add the interfaces to the VLAN (by default, an interface belongs to VLAN 1).
system-view
[NGFW] vlan 2
[NGFW-vlan-2] quit
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] portswitch
[NGFW-GigabitEthernet1/0/1] port access vlan 2
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port access vlan 2
[NGFW-GigabitEthernet1/0/2] quit

# Configure a VLANIF interface.
[NGFW] interface vlanif 2
[NGFW-Vlanif2] ip address 10.1.3.1 24
[NGFW-Vlanif2] service-manage enable
[NGFW-Vlanif2] service-manage stelnet permit
[NGFW-Vlanif2] service-manage https permit
[NGFW-Vlanif2] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface vlanif 2
[NGFW-zone-trust] quit

After the configuration is complete, you can log in to the device through 10.1.3.1.

Method used to configure the L2TP VPN in transparent mode on the USG6000
In transparent mode, the USG6000 uses the IP address of the VLANIF interface as the address of the LNS server. The NAT server is configured on the access device, and the IP address of the VLANIF interface is provided to users as a public IP address. Configure the LNS as follows:

1. Configure the VLAN and VLANIF interface.

a. Create a VLAN with ID 10.
[LNS] vlan 10
[LNS-vlan10] quit

b. Add interfaces GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to VLAN 10.
[LNS] interface GigabitEthernet 0/0/1
[LNS-GigabitEthernet0/0/1] portswitch
[LNS-GigabitEthernet0/0/1] port access vlan 10
[LNS-GigabitEthernet0/0/1] quit
[LNS] interface GigabitEthernet 0/0/2
[LNS-GigabitEthernet0/0/2] portswitch
[LNS-GigabitEthernet0/0/2] port access vlan 10
[LNS-GigabitEthernet0/0/2] quit

c. Create a VLANIF interface and configure an IP address.
[LNS] interface vlanif 10
[LNS-Vlanif10] ip address 10.2.1.3 255.255.255.0
[LNS-Vlanif10] quit

2. Configure static routes.

a. Configure a default route for the LNS, with the next hop being the IP address of the access device interface that is directly connected to the LNS.
[LNS] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1

b. Configure a route to the server network segment on the HQ intranet, with the next hop being the IP address of the VLANIF interface in the VLAN where the intranet L3 switch interface directly connected to the LNS resides.
[LNS] ip route-static 10.4.1.0 255.255.255.0 10.2.1.2

3. Configure L2TP.

a. Configure the local user and password.
[LNS] aaa
[LNS-aaa] local-user vpnuser@domain1.com password cipher Vpnuser@123

b. Configure the IP address pool from which intranet IP addresses are allocated to VPN users.
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 10.3.1.2 10.3.1.254
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit

c. Enable L2TP.
[LNS] l2tp enable

d. Configure the domain name suffix separator. Only the @ separator is supported when a user name containing a domain name requires a separator.
[LNS] l2tp domain suffix-separator @

e. Create the virtual interface template and configure the related parameters: the IP address, the PPP authentication mode, and the address pool binding.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 10.3.1.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

f. Create an L2TP group and configure the related parameters: the local tunnel name, the bound virtual interface template, and the password used for L2TP tunnel authentication.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name headquarter
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel password cipher Tunnel@123
[LNS-l2tp1] quit

4. Add the interfaces to security zones and configure the inter-zone packet filter.

Note: The Virtual-Template interface can be added to any security zone. If the security zone of the Virtual-Template interface differs from the security zone of the interface that connects the HQ LNS to the L3 switch, a packet filter must be configured between the two security zones so that dial-up users can access resources on the HQ intranet. A packet filter between the Local security zone and the security zone of the interface that connects the LNS to the access device (here, the Untrust security zone, where GigabitEthernet 0/0/1 resides) must also be enabled so that tunnel negotiation requests initiated by the LAC are accepted.

a. Add the interfaces to the security zones.
[LNS] firewall zone trust
[LNS-zone-trust] add interface Vlanif10
[LNS-zone-trust] add interface Virtual-Template 1
[LNS-zone-trust] quit
[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
[LNS] firewall zone dmz
[LNS-zone-dmz] add interface GigabitEthernet 0/0/2
[LNS-zone-dmz] quit
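As an added example (not Huawei's code and not part of the original answers), the following Python script audits a CLI transcript in the "[prompt] command" format used by the two answers above. It serves both the management-login answer and the L2TP answer: it flags plaintext management protocols permitted on an interface (the login answer permits only stelnet and https on the VLANIF), and it cross-checks each l2tp-group for a tunnel password and against its virtual-template (defined, CHAP authentication, address pool bound, added to a security zone). The service-manage keywords telnet and http are an assumption about the CLI, not taken from the page; the first sample transcript is condensed from the page's own configuration and the second is constructed to contain the mistakes the checks are meant to catch.

```python
import re
PLAINTEXT_SERVICES = {"telnet", "http"}  # assumed service-manage keywords, not from the page
LINE_RE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.+?)\s*$")

def parse_transcript(text):
    """(prompt, command) pairs of a '[prompt] command' transcript; other lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("prompt"), m.group("cmd")) for m in matches if m]

def normalize_iface(name):
    """Map 'Virtual-Template 1', 'virtual-template1' and 'Vlanif10' style names to one key."""
    return name.replace(" ", "").lower()

def build_model(pairs):
    """Group commands by the view they were issued in (interface, l2tp-group or zone)."""
    model, ctx = {"ifaces": {}, "groups": {}, "zones": {}}, None
    for _prompt, cmd in pairs:
        parts = cmd.split()
        if parts[0] == "quit":
            ctx = None
        elif parts[0] == "interface" and len(parts) >= 2:
            ctx = ("ifaces", normalize_iface(" ".join(parts[1:])))
        elif parts[0] == "l2tp-group" and len(parts) == 2:
            ctx = ("groups", parts[1])
        elif parts[:2] == ["firewall", "zone"] and len(parts) == 3:
            ctx = ("zones", parts[2])
        elif ctx and ctx[0] != "zones":
            model[ctx[0]][ctx[1]].append(cmd)          # command inside an interface/group view
        elif ctx and parts[:2] == ["add", "interface"]:
            model["zones"][ctx[1]].append(normalize_iface(" ".join(parts[2:])))
        if ctx:
            model[ctx[0]].setdefault(ctx[1], [])       # create the entry on entering a view
    return model

def audit_management(pairs):
    """Flag plaintext management protocols permitted in any interface view."""
    return [f"[{p}] plaintext management service {c.split()[1]} permitted"
            for p, c in pairs
            if c.startswith("service-manage ") and c.endswith(" permit")
            and c.split()[1] in PLAINTEXT_SERVICES]

def audit_l2tp(model):
    """Cross-check each l2tp-group against its virtual-template and the zone table."""
    findings, zoned = [], {i for members in model["zones"].values() for i in members}
    for gid, cmds in model["groups"].items():
        if not any(c.startswith("tunnel password") for c in cmds):
            findings.append(f"l2tp-group {gid}: no tunnel password configured")
        for vt in ["virtual-template" + c.split()[3] for c in cmds
                   if c.startswith("allow l2tp virtual-template ") and len(c.split()) > 3]:
            vt_cmds = model["ifaces"].get(vt)
            if vt_cmds is None:
                findings.append(f"l2tp-group {gid}: {vt} is not defined")
                continue
            auth = [x for x in vt_cmds if x.startswith("ppp authentication-mode")]
            if not auth or "pap" in auth[-1].split():
                findings.append(f"{vt}: PPP authentication is not CHAP-only")
            if not any(x.startswith("remote address pool") for x in vt_cmds):
                findings.append(f"{vt}: no address pool bound")
            if vt not in zoned:
                findings.append(f"{vt}: not added to any security zone")
    return findings

def audit(text):
    pairs = parse_transcript(text)
    return audit_management(pairs) + audit_l2tp(build_model(pairs))

# Sample transcript condensed from the page's own configuration (expected: no findings).
PAGE_CONFIG = """
[NGFW] interface vlanif 2
[NGFW-Vlanif2] service-manage stelnet permit
[NGFW-Vlanif2] service-manage https permit
[NGFW-Vlanif2] quit
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
[LNS] l2tp-group 1
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel password cipher Tunnel@123
[LNS-l2tp1] quit
[LNS] firewall zone trust
[LNS-zone-trust] add interface Virtual-Template 1
"""

# Constructed transcript with the mistakes the checks are meant to catch.
WEAK_CONFIG = """
[NGFW] interface vlanif 2
[NGFW-Vlanif2] service-manage telnet permit
[NGFW-Vlanif2] quit
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ppp authentication-mode pap
[LNS-Virtual-Template1] quit
[LNS] l2tp-group 1
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] quit
[LNS] l2tp-group 2
[LNS-l2tp2] allow l2tp virtual-template 2
"""
```

Call audit(text) on a saved transcript; it returns an empty list when nothing is flagged. The checks operate purely on the transcript text, so they can be run on a configuration before it is pasted into the device.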

Whether the firewall supports source NAT in transparent mode (service interfaces working in switching mode)
Yes. However, the post-NAT source address must be taken from an address pool; the address of the outbound interface cannot be used.

Whether the firewall supports transparent mode
The USG2000, USG5000, and USG6000 support transparent mode.
