[Dr.WoW] [No.18] Source NAT-part 3

Latest reply: Jun 2, 2015 07:16:08

7 Source NAT in Multi-Egress Scenario

We have learned NAT implementations of various types, and it may seem that we now understand everything about NAT. Real-world configuration, however, still poses challenges. For example, how do we configure source NAT in a multi-egress scenario?

In the following example, the firewall has two ISP links to the Internet. We will use this example to illustrate how to configure source NAT. If more ISP links are available, the configuration method is similar.

As shown in Figure 1-8, an enterprise has deployed a firewall at the network egress as the gateway, which is connected to the Internet through links ISP1 and ISP2 so that the PCs on the private network can access the Internet.

Figure 1-8 Source NAT networking in the dual-ISP scenario


In this scenario, a major challenge for the firewall is to select an ISP link when forwarding traffic destined from the private network to the Internet. If the optimal ISP link for a packet is ISP1 but the packet is forwarded through ISP2, the detour may increase latency and deteriorate user experience.

ISP links can be selected based on destination addresses. In this case, we can configure two equal-cost default or specific routes. ISP links can also be selected based on source addresses. In this case, we can configure policy-based routing. These will be described in detail in Chapter 10 ISP Link Selection.

As far as NAT is concerned, packets leave through either ISP1 or ISP2 regardless of the route selection method. Whichever ISP link is used, NAT does its job as long as the private addresses are translated into a public address before the packets are sent out.

Usually, we add the interfaces connected to ISP1 and ISP2 to different security zones. Then, we configure source NAT policies between the security zone (usually the Trust zone) where the private network resides and the security zones of the two interfaces connected to ISP1 and ISP2, as shown in Figure 1-9.

Figure 1-9 NAT networking in the dual-ISP scenario


The following example describes how to configure source NAT in NAPT mode. In the example, the public addresses assigned by ISP1 are 1.1.1.10 through 1.1.1.12, and those assigned by ISP2 are 2.2.2.10 through 2.2.2.12.

Add interfaces to security zones.

[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet1/0/1
[FW-zone-trust] quit
[FW] firewall zone name isp1
[FW-zone-isp1] set priority 10
[FW-zone-isp1] add interface GigabitEthernet1/0/2
[FW-zone-isp1] quit
[FW] firewall zone name isp2
[FW-zone-isp2] set priority 20
[FW-zone-isp2] add interface GigabitEthernet1/0/3
[FW-zone-isp2] quit

Configure two NAT address pools.

[FW] nat address-group 1 1.1.1.10 1.1.1.12
[FW] nat address-group 2 2.2.2.10 2.2.2.12

Configure two NAT policies based on the interzone relationship.

[FW] nat-policy interzone trust isp1 outbound
[FW-nat-policy-interzone-trust-isp1-outbound] policy 1
[FW-nat-policy-interzone-trust-isp1-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-nat-policy-interzone-trust-isp1-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-isp1-outbound-1] address-group 1
[FW-nat-policy-interzone-trust-isp1-outbound-1] quit
[FW-nat-policy-interzone-trust-isp1-outbound] quit
[FW] nat-policy interzone trust isp2 outbound
[FW-nat-policy-interzone-trust-isp2-outbound] policy 1
[FW-nat-policy-interzone-trust-isp2-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-nat-policy-interzone-trust-isp2-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-isp2-outbound-1] address-group 2
[FW-nat-policy-interzone-trust-isp2-outbound-1] quit
[FW-nat-policy-interzone-trust-isp2-outbound] quit

Configure two security policies based on the interzone relationship.

[FW] policy interzone trust isp1 outbound
[FW-policy-interzone-trust-isp1-outbound] policy 1
[FW-policy-interzone-trust-isp1-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-isp1-outbound-1] action permit
[FW-policy-interzone-trust-isp1-outbound-1] quit
[FW-policy-interzone-trust-isp1-outbound] quit
[FW] policy interzone trust isp2 outbound
[FW-policy-interzone-trust-isp2-outbound] policy 1
[FW-policy-interzone-trust-isp2-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-isp2-outbound-1] action permit
[FW-policy-interzone-trust-isp2-outbound-1] quit
[FW-policy-interzone-trust-isp2-outbound] quit

Of course, do not forget the blackhole routes for the addresses in the two address pools.

[FW] ip route-static 1.1.1.10 32 NULL 0
[FW] ip route-static 1.1.1.11 32 NULL 0
[FW] ip route-static 1.1.1.12 32 NULL 0
[FW] ip route-static 2.2.2.10 32 NULL 0
[FW] ip route-static 2.2.2.11 32 NULL 0
[FW] ip route-static 2.2.2.12 32 NULL 0

If we add the interfaces connected to ISP1 and ISP2 to the same security zone, for example the Untrust zone, the NAT policies cannot distinguish the two links based on the interzone relationship. To illustrate this, the following configuration script has both NAT policy 1 and policy 2 in the Trust-to-Untrust interzone.

#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.0.0 0.0.0.255
  address-group 1
 policy 2
  action source-nat
  policy source 192.168.0.0 0.0.0.255
  address-group 2
#

Policy 1 has a higher priority than policy 2, so all packets from the private network to the Internet match policy 1 and are forwarded through ISP1; policy 2 is never used. This is why we must add the interfaces to different security zones and configure the NAT policies based on the interzone relationship.
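The two situations described above (one NAT policy per ISP interzone versus two policies stacked in one Trust-to-Untrust interzone) can be reproduced with a small model of the firewall's policy lookup. This is an added example written for this page, not code from the Dr.WoW series or from Huawei; the interface names, zone names, policy numbers and address ranges are taken from the configuration above, and the lookup order (policies grouped by interzone, matched top-down, first hit wins) is the behaviour the post relies on. The shadowed_policies function is an extra check that flags a policy which an earlier policy in the same interzone already covers completely.

```python
"""Model of source NAT policy selection on a zone-based firewall.

Added example for the dual-ISP discussion; not Huawei code. Policies are
grouped by (source zone, destination zone) and evaluated top-down, and the
first policy whose source range contains the packet's pre-NAT source wins.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class NatPolicy:
    number: int            # "policy 1", "policy 2", ...
    source: IPv4Network    # "policy source 192.168.0.0 0.0.0.255"
    address_group: int     # "address-group 1" / "address-group 2"


# Interface-to-zone assignments from the post's two variants.
IFACE_ZONE_SPLIT = {"GE1/0/1": "trust", "GE1/0/2": "isp1", "GE1/0/3": "isp2"}
IFACE_ZONE_SHARED = {"GE1/0/1": "trust", "GE1/0/2": "untrust", "GE1/0/3": "untrust"}

PRIVATE = ip_network("192.168.0.0/24")

# Variant 1: one NAT policy per Trust-to-ISP interzone.
POLICIES_SPLIT = {
    ("trust", "isp1"): [NatPolicy(1, PRIVATE, 1)],
    ("trust", "isp2"): [NatPolicy(1, PRIVATE, 2)],
}

# Variant 2: both ISP interfaces in Untrust, two policies in one interzone.
POLICIES_SHARED = {
    ("trust", "untrust"): [NatPolicy(1, PRIVATE, 1), NatPolicy(2, PRIVATE, 2)],
}


def select_address_group(src_ip, in_iface, out_iface, iface_zone, policies):
    """Return the address group a packet is translated with, or None.

    out_iface is the egress interface already chosen by routing (destination
    routes or policy-based routing); NAT policy lookup happens after that, and
    only the zone pair and the pre-NAT source address take part in the match.
    """
    key = (iface_zone[in_iface], iface_zone[out_iface])
    for pol in policies.get(key, []):
        if ip_address(src_ip) in pol.source:
            return pol.address_group   # first match wins
    return None


def shadowed_policies(policy_list):
    """Numbers of policies that can never match because an earlier policy in
    the same interzone already covers their entire source range."""
    shadowed = []
    for i, pol in enumerate(policy_list):
        if any(pol.source.subnet_of(earlier.source) for earlier in policy_list[:i]):
            shadowed.append(pol.number)
    return shadowed


if __name__ == "__main__":
    host = "192.168.0.10"
    for label, zones, pols in (("split zones", IFACE_ZONE_SPLIT, POLICIES_SPLIT),
                               ("shared Untrust", IFACE_ZONE_SHARED, POLICIES_SHARED)):
        via_isp1 = select_address_group(host, "GE1/0/1", "GE1/0/2", zones, pols)
        via_isp2 = select_address_group(host, "GE1/0/1", "GE1/0/3", zones, pols)
        print(f"{label}: out GE1/0/2 -> address-group {via_isp1}, "
              f"out GE1/0/3 -> address-group {via_isp2}")
    print("shadowed in trust->untrust:",
          shadowed_policies(POLICIES_SHARED[("trust", "untrust")]))
```

With the split zones, a packet leaving through GE1/0/3 is translated with address group 2, while with the shared Untrust zone it is translated with address group 1 whichever interface it leaves through, and the lint reports policy 2 as shadowed.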

8 Summary

We have thoroughly studied various NAT implementations. Now let's compare them side by side, as shown in Table 1-2.

Table 1-2 Comparison between source NAT implementations supported by Huawei firewalls

Source NAT Implementation | IP Address Mapping | Port Translated? | Dynamic Server-Map Entry Generated? | Blackhole Route Needed? | Source Address in the Security Policy
--- | --- | --- | --- | --- | ---
NAT No-PAT | One-to-one | No | Yes | Yes | Private address before NAT
NAPT | Many-to-one or many-to-many | Yes | No | Yes | Private address before NAT
Egress interface address mode (also called easy-IP) | Many-to-one | Yes | No | No | Private address before NAT
Smart NAT | One-to-one plus many-to-one (the reserved address) | No, except for the reserved address | Yes, but only for NAT No-PAT | Yes | Private address before NAT
Triplet NAT | Many-to-one or many-to-many | Yes | Yes | No | Private address before NAT

9 Further Reading

Triplet NAT has a formal name: full cone NAT. According to RFC 3489, full cone is one of the four NAT port mapping types; the other three are restricted cone, port restricted cone, and symmetric.

To deepen the understanding, we compare the full cone mode with the symmetric mode. Because RFC 3489 has been obsoleted by RFC 5389, restricted cone and port restricted cone are not discussed.

Full cone NAT is illustrated in Figure 1-10. After translation, the public address and port of a host on the private network remain stable for a period of time, regardless of the destination address. Therefore, a host on the private network can use the same triplet (source IP address, source port, and protocol) to access different hosts on the Internet, and hosts on the Internet can also initiate access to the host on the private network through that same triplet.

Figure 1-10 Full cone NAT


Symmetric NAT is illustrated in Figure 1-11. The addresses of the hosts on the private network are translated based on the destination address, so the public address and port vary from destination to destination, and a private host ends up with different triplets (source IP address, source port, and protocol) for different peers. Therefore, only the specific Internet host and port for which a mapping was created can reach the private host through it; that is, the target host and port must be specified. Symmetric NAT is also called quintuplet (source IP address, destination IP address, source port, destination port, and protocol) NAT. NAPT is also quintuplet NAT.
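The difference between the two mapping types is easiest to see by modelling the binding table each one keeps. The following is an added example for this page, not code from the Dr.WoW series or from a Huawei product: a full cone table keys its bindings on the triplet (private IP, private port, protocol), a symmetric table on the quintuplet including the destination, and the inbound lookup shows which Internet peers each type admits. The public address 1.1.1.10 is reused from the post's address pool, and the port numbering from 10000 upward is a constructed choice.

```python
"""Binding-table model of full cone (triplet) and symmetric (quintuplet) NAT.

Added example for the Further Reading section; not Huawei code. The public
address and port allocation scheme are constructed for illustration.
"""
from itertools import count

PUBLIC_IP = "1.1.1.10"  # constructed: one address from the post's pool


class NatTable:
    def __init__(self, mode):
        if mode not in ("full_cone", "symmetric"):
            raise ValueError(mode)
        self.mode = mode
        self.bindings = {}          # binding key -> (public_ip, public_port)
        self._ports = count(10000)  # constructed: next free public port

    def _key(self, src_ip, src_port, dst_ip, dst_port, proto):
        # Full cone: the destination plays no part in the binding.
        if self.mode == "full_cone":
            return (src_ip, src_port, proto)
        # Symmetric: every distinct destination gets its own binding.
        return (src_ip, src_port, dst_ip, dst_port, proto)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="udp"):
        """Translate an outbound packet, creating a binding on first use.
        Returns the public (ip, port) written into the packet header."""
        key = self._key(src_ip, src_port, dst_ip, dst_port, proto)
        if key not in self.bindings:
            self.bindings[key] = (PUBLIC_IP, next(self._ports))
        return self.bindings[key]

    def inbound(self, peer_ip, peer_port, pub_ip, pub_port, proto="udp"):
        """Decide whether an Internet-originated packet addressed to
        (pub_ip, pub_port) is delivered, and to which private endpoint.

        Full cone: any peer may use the binding, even one the private host
        never contacted. Symmetric: only the peer the binding was created for.
        """
        for key, pub in self.bindings.items():
            if pub != (pub_ip, pub_port) or key[-1] != proto:
                continue
            if self.mode == "full_cone":
                src_ip, src_port, _ = key
                return (src_ip, src_port)
            src_ip, src_port, dst_ip, dst_port, _ = key
            if (dst_ip, dst_port) == (peer_ip, peer_port):
                return (src_ip, src_port)
        return None


if __name__ == "__main__":
    for mode in ("full_cone", "symmetric"):
        nat = NatTable(mode)
        first = nat.outbound("192.168.0.10", 5000, "8.8.8.8", 53)
        second = nat.outbound("192.168.0.10", 5000, "9.9.9.9", 53)
        stranger = nat.inbound("5.6.7.8", 4444, *first)
        print(f"{mode}: to 8.8.8.8 -> {first}, to 9.9.9.9 -> {second}, "
              f"unsolicited peer delivered to {stranger}")
```

Running the model shows the full cone table handing out one public port for both destinations and accepting a packet from an unrelated peer, while the symmetric table allocates a new port per destination and drops anything that does not come from the exact peer of that binding. From a defender's point of view this is the trade-off behind choosing triplet NAT: it simplifies peer-to-peer applications at the cost of leaving each binding reachable from any Internet host for its lifetime, so the security policy in front of it carries more of the load.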

Figure 1-11 Symmetric NAT

user_2790689
Created Jun 2, 2015 07:16:08

Thank you.