[Dr.WoW] [No.18] Source NAT-part 2 Highlighted

Latest reply: Jun 2, 2015 07:15:54

4 Egress Interface Address Mode (Easy-IP)

In egress interface address mode, the public IP address of the egress interface is used for address translation. Multiple users of the private network share the same public IP address. Therefore, port translation is also performed. This mode can be deemed a variant of NAPT.

When the egress of a firewall obtains the public IP address through dial-up, you cannot add the public IP address to the address pool because the public address is dynamically obtained. In this case, you need to configure the egress interface address mode so that addresses can be translated when the public IP address changes. The egress interface address mode simplifies the configuration process and is therefore called easy-IP, which is available on USG2000, USG5000, and USG6000 series.

Easy-IP does not require a NAT address pool or a blackhole route. All you need to do is specify the outgoing interface in the NAT policy, as shown in Figure 1-4.

Figure 1-4 Easy-IP networking


The configuration is as follows:

1. Configure a NAT policy.

[FW] nat-policy interzone trust untrust outbound

[FW-nat-policy-interzone-trust-untrust-outbound] policy 1

[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat

[FW-nat-policy-interzone-trust-untrust-outbound-1] easy-ip GigabitEthernet1/0/2   //Specify the outgoing interface.

[FW-nat-policy-interzone-trust-untrust-outbound-1] quit

[FW-nat-policy-interzone-trust-untrust-outbound] quit

2. Configure a security policy.

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

[FW-policy-interzone-trust-untrust-outbound] quit

The users on the private network can access the web server. If you display the sessions on the firewall, you can see the following information:

[FW] display firewall session table

Current Total Sessions : 2

  http  VPN:public --> public 192.168.0.2:2054[202.1.1.1:2048]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.3:2054[202.1.1.1:2049]-->210.1.1.2:80

From the session table, we can see that the two private IP addresses have been translated into the public IP address (202.1.1.1) of the egress interface and that the ports are also translated. If other users on the private network access the web server, their addresses are also translated to 202.1.1.1, and their source ports are translated to different public ports to distinguish the users.

Like NAPT, easy-IP does not generate any server-map entry.

5 Smart NAT

As we have mentioned before, NAT No-PAT is a one-to-one address translation, which means that a public address in the address pool can be used by only one private network user at a time. If all the public addresses are in use, other users cannot access the Internet. So what happens if other users want to access the Internet? The solution is smart NAT.

Smart NAT incorporates the benefits of both NAT No-PAT and NAPT. The mechanism is as follows:

Let's say the address pool has N IP addresses, and one of them is reserved and the remaining addresses form address section 1. During address translation, the addresses in section 1 are preferentially used for one-to-one address translation. When the IP addresses in section 1 are exhausted, the reserved IP address is used for NAPT (many-to-one address translation).

We can consider smart NAT an enhanced NAT No-PAT because it overcomes the limitation of NAT No-PAT: in NAT No-PAT, once the number of users accessing the Internet equals the number of public addresses in the address pool, no other user can access the Internet until a used public address is released (that is, until its sessions expire).

If the same situation occurs in smart NAT, other users can share the reserved public IP address to access the Internet.

Smart NAT is available on USG9500 V300R001. Therefore, USG9500 series is used as an example to describe smart NAT configuration, as shown in Figure 1-5.

Figure 1-5 Smart NAT networking


The detailed configuration process is as follows:

1. Configure a NAT address pool.

[FW] nat address-group 1

[FW-address-group-1] mode no-pat local

[FW-address-group-1] smart-nopat 202.1.1.3     //reserved address

[FW-address-group-1] section 1 202.1.1.2 202.1.1.2   //This section cannot contain the reserved address.

[FW-address-group-1] quit

2. Configure a NAT policy.

[FW] nat-policy interzone trust untrust outbound

[FW-nat-policy-interzone-trust-untrust-outbound] policy 1

[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat

[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1   //Reference the NAT address pool.

[FW-nat-policy-interzone-trust-untrust-outbound-1] quit

[FW-nat-policy-interzone-trust-untrust-outbound] quit

3. Configure a security policy.

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

[FW-policy-interzone-trust-untrust-outbound] quit

4. Configure blackhole routes.

[FW] ip route-static 202.1.1.2 32 NULL 0

[FW] ip route-static 202.1.1.3 32 NULL 0

If one user on the private network accesses the web server, the session information on the firewall resembles:

[FW] display firewall session table

Current total sessions: 1

 Slot: 2 CPU: 3

  http  VPN:public --> public 192.168.0.2:2053[202.1.1.2:2053]-->210.1.1.2:80

From the session table, we can see that the private IP address has been translated into a public IP address in section 1 and the port is not translated.

Other users on the private network can also access the web server. If you display the sessions on the firewall, you can see the following information:

[FW] display firewall session table

Current total sessions: 3

 Slot: 2 CPU: 3

  http  VPN:public --> public 192.168.0.2:2053[202.1.1.2:2053]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.3:2053[202.1.1.3:2048]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.4:2053[202.1.1.3:2049]-->210.1.1.2:80

From the session table, we can see that the other two private IP addresses have been translated into the reserved public IP address and that their ports are also translated. That is, NAPT is performed for these two users. NAPT using the reserved public IP address is performed only when the other public IP addresses in the address pool (all addresses except the reserved one) are exhausted.
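The allocation rule just described, as an added model (not Huawei code): section 1 addresses are bound one-to-one with the port unchanged, and only when they are all bound does a flow fall back to NAPT on the reserved address. The pool contents match the configuration above; the starting NAPT port of 2048 is a constructed assumption chosen to reproduce the sample session table.

```python
# Added model of Smart NAT address allocation (not Huawei code): section 1
# addresses are handed out one-to-one (No-PAT, port unchanged); once they are
# all bound, flows fall back to NAPT on the single reserved address.
class SmartNatPool:
    def __init__(self, section1, reserved, first_napt_port=2048):
        self.section1 = list(section1)      # No-PAT addresses (must not include reserved)
        self.reserved = reserved            # smart-nopat reserved address
        self.napt_port = first_napt_port    # constructed start port; matches sample output
        self.nopat_map = {}                 # private ip -> public ip (the "No-Pat" server-map)
        if reserved in self.section1:
            raise ValueError("section 1 cannot contain the reserved address")

    def translate(self, src_ip, src_port):
        """Return (public_ip, public_port, mode) for an outbound flow from src_ip:src_port."""
        if src_ip in self.nopat_map:                   # host already bound one-to-one
            return self.nopat_map[src_ip], src_port, "No-PAT"
        in_use = set(self.nopat_map.values())
        for pub in self.section1:                      # section 1 is preferred
            if pub not in in_use:
                self.nopat_map[src_ip] = pub
                return pub, src_port, "No-PAT"
        pub_port = self.napt_port                      # section 1 exhausted: share reserved address
        self.napt_port += 1
        return self.reserved, pub_port, "NAPT"

    def release(self, src_ip):
        """Sessions of src_ip expired: its section-1 address becomes available again."""
        self.nopat_map.pop(src_ip, None)

    def server_map(self):
        """No-Pat / No-Pat Reverse entries, in the style of 'display firewall server-map'."""
        rows = []
        for priv, pub in self.nopat_map.items():
            rows.append(f"Type: No-Pat,  {priv}[{pub}] -> ANY")
            rows.append(f"Type: No-Pat Reverse,  ANY -> {pub}[{priv}]")
        return rows


def session_line(pool, src_ip, src_port, dst="210.1.1.2:80", proto="http"):
    """Render one session-table line in the style of 'display firewall session table'."""
    pub_ip, pub_port, _ = pool.translate(src_ip, src_port)
    return f"{proto}  VPN:public --> public {src_ip}:{src_port}[{pub_ip}:{pub_port}]-->{dst}"


if __name__ == "__main__":
    pool = SmartNatPool(section1=["202.1.1.2"], reserved="202.1.1.3")
    for host in ("192.168.0.2", "192.168.0.3", "192.168.0.4"):
        print(session_line(pool, host, 2053))
    print(*pool.server_map(), sep="\n")
```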

Let's take a look at the server-map table. Smart NAT includes NAT No-PAT. Therefore, related server-map entries are generated.

[FW] display firewall server-map

 ServerMap item(s) on slot 2 cpu 3

 ------------------------------------------------------------------------------

 Type: No-Pat,  192.168.0.2[202.1.1.2] -> ANY,  Zone: untrust

 Protocol: ANY(Appro: unknown),  Left-Time:00:05:55,  Pool: 1, Section: 1

 Vpn: public -> public  

 

 Type: No-Pat Reverse,  ANY -> 202.1.1.2[192.168.0.2],  Zone: untrust 

 Protocol: ANY(Appro: unknown),  Left-Time:---,  Pool: 1, Section: 1  

 Vpn: public -> public 

6 Triplet NAT

We have learned four types of source NAT, among which NAPT is the most widely used. Source NAT not only alleviates the exhaustion of public addresses but also hides the real private network addresses, improving security as well. However, these NAT implementations do not work well with P2P, which is widely used in file sharing, voice communications, and video transfer. When NAT meets P2P, the result is anything but rosy: you cannot use P2P to download the latest movies or to video chat.

To resolve this problem, we need triplet NAT. To understand triplet NAT, we must first understand the P2P mechanism and the problems to P2P services if NAPT is enabled.

As shown in Figure 1-6, P2P services are running on both PC1 and PC2. To run the P2P services, the two clients must exchange messages with the P2P server for login and authentication. The P2P server records the addresses and ports of the clients. If PC1 resides on a private network, the firewall performs NAPT on packets sent from PC1 to the P2P server. Therefore, the client address and port recorded on the P2P server are the post-NAT public address and port. When PC2 downloads a file, the P2P server sends PC2 the IP address and port of the client on which the requested file resides (for example, the address and port of PC1). Then, PC2 sends a request to PC1 and starts to download the file.

Figure 1-6 P2P service interaction process


The interaction seems to be perfect. However, two problems exist:

1. PC1 periodically sends packets to the P2P server, and NAPT is performed on these packets, so the post-NAT address and port keep changing. The address and port of PC1 stored on the P2P server must therefore be constantly updated, which affects the running of the P2P services.

2. More importantly, the forwarding mechanism of the firewall dictates that packets returned by the P2P server to PC1 can pass through the firewall only when they match the session table. Other hosts, such as PC2, cannot initiate access to PC1 through the post-NAT address and port. By default, the security policies on the firewall do not allow such packets to pass through.

Triplet NAT can perfectly resolve these two problems because triplet NAT has the following two features:

1. The post-NAT port is stable.

During a period of time after PC1 accesses the P2P server, the post-NAT port will be the same when PC1 accesses the P2P server again or accesses other hosts on the Internet.

2. Access initiated from the Internet is supported.

PC2 can obtain the post-NAT address and port of PC1 to initiate access to the address and port, regardless of whether PC1 has accessed PC2. The access packets initiated from PC2 to PC1 are permitted, even when no security policy is configured on the firewall for such packets.

These features of triplet NAT support P2P services. Triplet NAT is available on USG9500 V300R001. The triplet NAT configuration for the network shown in Figure 1-7 is described below.

NOTE

For USG2000, USG5000, and USG6000 series firewalls, user-defined ASPF can be configured to ensure that P2P services are normal.

Figure 1-7 Triplet NAT networking


The triplet NAT configuration is as follows. Note that blackhole routes must not be configured for the triplet NAT address pool; otherwise, services will be interrupted.

1. Configure a NAT address pool.

[FW] nat address-group 1

[FW-address-group-1] mode full-cone local     //Set the mode to triplet NAT.

[FW-address-group-1] section 1 202.1.1.2 202.1.1.3

[FW-address-group-1] quit

2. Configure a NAT policy.

[FW] nat-policy interzone trust untrust outbound

[FW-nat-policy-interzone-trust-untrust-outbound] policy 1

[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat

[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1   //Reference the NAT address pool.

[FW-nat-policy-interzone-trust-untrust-outbound-1] quit

[FW-nat-policy-interzone-trust-untrust-outbound] quit

3. Configure a security policy.

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

[FW-policy-interzone-trust-untrust-outbound] quit

When the P2P clients on the private network access the P2P server, the session information on the firewall resembles:

[FW] display firewall session table

 Current total sessions: 1

 Slot: 2 CPU: 3

 tcp VPN: public --> public 192.168.0.2:4661[202.1.1.2:3536] --> 210.1.1.2:4096

From the session table, we can see that the private IP address of the P2P client has been translated into a public IP address and the port is also translated. Now let's take a look at the server-map table.

NOTE

  • The Untrust zone in the server-map table is generated because the local parameter in the mode full-cone local command is specified. If the command is mode full-cone global, the zone is not specified, indicating that security zones are not restricted.

  • For more information about the FullCone field in the server-map table, see 4.1.9 Further Reading.

[FW] display firewall server-map

 ServerMap item(s) on slot 2 cpu 3

 ------------------------------------------------------------------------------

 Type: FullCone Src,  192.168.0.2:4661[202.1.1.2:3536] -> ANY,  Zone: Untrust

 Protocol: tcp(Appro: ---),  Left-Time:00:00:58,  Pool: 1, Section: 0

 Vpn: public -> public  

 Hotversion: 2

  

 Type: FullCone Dst,  ANY -> 202.1.1.2:3536[192.168.0.2:4661],  Zone: Untrust

 Protocol: tcp(Appro: ---),  Left-Time:00:00:58,  Pool: 1, Section: 0  

 Vpn: public -> public 

 Hotversion: 2

From the server-map table, we can see that two server-map entries are generated for the triplet NAT: a source server-map entry (FullCone Src) and a destination server-map entry (FullCone Dst). The functions of the two entries are described as follows:

  • Source server map entry (FullCone Src)

Before the expiration of the entries, the address and port after address translation are 202.1.1.2:3536 when PC1 accesses any host in the Untrust zone, ensuring port consistency.

  • Destination server map entry (FullCone Dst)

Before the expiration of the entries, any host in the Untrust zone can access port 4661 on PC1 through 202.1.1.2:3536, meaning that P2P clients on the Internet can initiate connection to PC1.

Therefore, the source and destination server-map entries together allow triplet NAT to support P2P services. From the two entries, we can also see that only the source IP address, the source port, and the protocol are involved in triplet NAT (the destination is not part of the mapping), and that is why it is called "triplet" NAT.

As we have mentioned, the destination server-map entry allows P2P clients on the Internet to initiate connections to PC1. Some may ask: are the server-map entries generated in triplet NAT the same as those in ASPF, so that packets matching the entries are not subject to the control of security policies? There is more to it. For triplet NAT, the firewalls also support the endpoint-independent filter function. The command is as follows.

NOTE

In the command, the endpoint-independent parameter means that the address translation is independent of the address and port of the remote endpoint. This parameter can be considered another name for triplet NAT. On Huawei firewalls, this command controls whether security policies are needed to examine packets in triplet NAT.

[FW] firewall endpoint-independent filter enable

After the endpoint-independent filter is enabled, packets matching the destination server-map entry can pass through the firewall without being matched against security policies. If the function is disabled, packets matching the destination server-map entries must also be matched against security policies to determine whether they are permitted. By default, the endpoint-independent filter function is enabled. That is why the P2P clients on the Internet can initiate connections to PC1 on the private network.
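The two behaviours described in this section, the destination-independent mapping of triplet NAT versus per-flow NAPT, and the effect of the endpoint-independent filter on unsolicited inbound packets, as an added model that is not Huawei code. The public address and the starting port 3536 are taken from the sample output above; the NAPT mode, the 5-tuple session table, and the policy_permits argument are constructed for illustration.

```python
# Added model of triplet (full-cone) NAT versus NAPT (not Huawei code). In
# full-cone mode a mapping is keyed only by (protocol, private ip, private port),
# so the public port is stable across destinations, and a "FullCone Dst" entry
# lets any Internet host reach it. NAPT, for contrast, keys on the whole 5-tuple.
class SourceNat:
    def __init__(self, public_ip, first_port=3536, mode="full-cone", eif_enabled=True):
        self.public_ip = public_ip
        self.next_port = first_port        # constructed start port; matches sample output
        self.mode = mode                   # "full-cone" (triplet NAT) or "napt"
        self.eif_enabled = eif_enabled     # firewall endpoint-independent filter enable
        self.src_map = {}                  # FullCone Src: mapping key -> public port
        self.dst_map = {}                  # FullCone Dst: (proto, pub port) -> (priv ip, priv port)
        self.sessions = {}                 # session table: (proto, pub port, remote ip, remote port) -> private endpoint

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound flow; return (public_ip, public_port)."""
        if self.mode == "full-cone":
            key = (proto, src_ip, src_port)            # destination deliberately ignored
        else:
            key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.src_map:
            self.src_map[key] = self.next_port
            self.next_port += 1
            if self.mode == "full-cone":               # only triplet NAT creates a Dst entry
                self.dst_map[(proto, self.src_map[key])] = (src_ip, src_port)
        pub_port = self.src_map[key]
        self.sessions[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, pub_port

    def inbound(self, proto, remote_ip, remote_port, pub_port, policy_permits=False):
        """Return the (priv ip, priv port) the packet is forwarded to, or None if dropped."""
        reply = self.sessions.get((proto, pub_port, remote_ip, remote_port))
        if reply is not None:
            return reply                               # matches the session table: forwarded
        target = self.dst_map.get((proto, pub_port))
        if target is None:
            return None                                # no FullCone Dst entry (NAPT or unknown port)
        if self.eif_enabled or policy_permits:
            return target                              # unsolicited inbound admitted via Dst entry
        return None                                    # EIF disabled and no permitting security policy


if __name__ == "__main__":
    fw = SourceNat("202.1.1.2")
    print(fw.outbound("tcp", "192.168.0.2", 4661, "210.1.1.2", 4096))  # P2P server
    print(fw.outbound("tcp", "192.168.0.2", 4661, "210.1.1.9", 80))    # same public port
    print(fw.inbound("tcp", "210.1.1.5", 5000, 3536))                  # PC2 reaches PC1
```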

user_2790689
Created Jun 2, 2015 07:15:54

thank you.
