[Dr.WoW] [No.19] NAT Server Highlighted

Latest reply: Jun 4, 2015 10:37:00

1 NAT Server Mechanism

Schools and companies may need to provide services for external users. The servers that provide such services usually use private addresses and cannot be accessed by users on the Internet. In this case, how can we configure the firewall as the gateway to resolve the problem?

Readers who have read about source NAT will already be thinking of NAT.

Bingo! You are heading in the right direction. However, source NAT works when users on a private network need to access the Internet, and the situation here is the opposite: the server on the private network provides services, and users on the Internet initiate access to the server. The address to be translated changes from the source address to the destination address. Therefore, we name this implementation NAT server.

Let's use Figure 1-1 to illustrate how to configure NAT server on the firewall. NAT server also needs a public IP address, just as in source NAT. However, you do not need to put the public address into an address pool. Let's say the public address is 1.1.1.1 in this example.

NOTE

If possible, do not use the IP address of the WAN interface on the firewall as the public address for NAT. If you must do so, specify the protocol and port during NAT server configuration to avoid conflicts between NAT server and management functions, such as Telnet and web interface.

Figure 1-1 NAT server networking


NAT server is configured as follows:

1. Configure NAT server.

Run the following command on the firewall to map the private address (10.1.1.2) of the server to a public address (1.1.1.1).

[FW] nat server global 1.1.1.1 inside 10.1.1.2

If multiple protocols and ports are enabled on the same server, this configuration will make all services accessible to users on the Internet, bringing security risks. Huawei firewalls support service-specific NAT server so that only specified services are accessible to users on the Internet after NAT server is configured. For example, we can map port 80 to port 9980 for users on the Internet to access.

NOTE

In this example, port 80 is translated into port 9980 instead of port 80 because some carriers will block new services on ports 80, 8000, and 8080.

[FW] nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80 

After NAT server is configured, server-map entries will be generated. However, unlike in source NAT, the server-map entries in NAT server are static and are not triggered by packets. The entries will be automatically generated after NAT server configuration and will be automatically deleted after NAT server configuration is deleted. The server-map entries in NAT server look like the following output:

[FW] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

 Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

Just like triplet NAT, NAT server also generates two server-map entries:

  • Forward server-map entry

"Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80]" is the forward server-map entry, which records the mapping between the private address/port and the public address/port. "[10.1.1.2:80]" is the private address and port of the server, and 1.1.1.1:9980 is the public address and port. In plain words, the entry says: when any client initiates a connection to 1.1.1.1:9980, the destination address and port will be translated into 10.1.1.2:80. This entry is used to translate the destination address and port of packets destined from the Internet to the server.

  • Return server-map entry

"Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any" is the return server-map entry. It is used to translate the private source address into a public address when the server initiates access to the Internet without using a source NAT policy. This is the sweet part of NAT server, because you can use one command to configure NAT in both directions between the server and the Internet.

Here the word "translate" appears multiple times. Yes. The entries are just address translation, whether in the forward or return direction. They are not like the server-map entries in ASPF. In ASPF, server-map entries can create a channel that can bypass security policies. Therefore, in NAT server, you must configure security policies to permit traffic in both directions between the private server and the Internet.

2. Configure a security policy.

Now comes a typical question asked by thousands of people: to allow users on the Internet to access the private server in a NAT server configuration, is the destination address in the security policy the private address or the public address? Before answering this question, let's first take a look at how the firewall processes packets destined from users on the Internet to the private server.

When a user initiates access to 1.1.1.1:9980 (the public address and port of the private server), the firewall checks whether the packet matches a server-map entry. If a match is found, the firewall translates the destination address and port to 10.1.1.2:80. Then, the firewall looks for an outgoing interface for destination address 10.1.1.2 and checks the security zones where the incoming and outgoing interfaces reside to determine the interzone security policy. Therefore, the destination address in the security policy must be the private address, not the public address mapped to it. The security policy for this example should be:

[FW] policy interzone dmz untrust inbound

[FW-policy-interzone-dmz-untrust-inbound] policy 1

[FW-policy-interzone-dmz-untrust-inbound-1] policy destination 10.1.1.2 0

[FW-policy-interzone-dmz-untrust-inbound-1] policy service service-set http

[FW-policy-interzone-dmz-untrust-inbound-1] action permit

[FW-policy-interzone-dmz-untrust-inbound-1] quit

[FW-policy-interzone-dmz-untrust-inbound] quit

If the packet is permitted by the security policy, the firewall creates the following session and forwards the packet to the private server.

[FW] display firewall session table

 Current Total Sessions : 1

  http VPN:public --> public 1.1.1.2:2049-->1.1.1.1:9980[10.1.1.2:80]

Upon receiving the packet, the private server responds. After the response packet arrives on the firewall and matches the session table, the firewall translates the source address and port of the packet to 1.1.1.1:9980 and forwards the packet to the Internet. Subsequent packets between the user and the private server are translated based on the session table, not the server-map entry.
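The processing path described above (server-map lookup, destination translation, interzone policy check against the private address, session creation, and translation of the reply from the session) can be modelled in a few dozen lines. The following is an added example, not Huawei code or output from the post; the addresses and ports are those of the example (1.1.1.1:9980 mapped to 10.1.1.2:80, client 1.1.1.2:2049), while the route table, zone names and the 203.0.113.10 destination are assumed for the illustration. It also shows why a policy written against the public address never matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added model of the NAT server processing path; not Huawei code.
# Route table, zone names and the second destination are assumptions.

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Static forward server-map entry created by
#   nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80
FORWARD_MAP = {("tcp", "1.1.1.1", 9980): ("10.1.1.2", 80)}
# Static return server-map entry: private source 10.1.1.2 -> public 1.1.1.1, any protocol/port.
REVERSE_MAP = {"10.1.1.2": "1.1.1.1"}

# Assumed routing: zone of the outgoing interface for a destination.
ROUTES = [(ip_network("10.1.1.0/24"), "dmz"), (ip_network("0.0.0.0/0"), "untrust")]

# Correct policy: the destination is the PRIVATE address, because the firewall
# translates the destination before it looks up the outgoing interface and zone.
POLICY_PRIVATE_DST = {("untrust", "dmz"): {("10.1.1.2", "tcp", 80)}}
# Common mistake: policy written against the public address; it never matches.
POLICY_PUBLIC_DST = {("untrust", "dmz"): {("1.1.1.1", "tcp", 9980)}}

# (proto, server_ip, server_port, client_ip, client_port) -> (public_ip, public_port)
SESSIONS = {}

def zone_of(ip):
    """Longest-prefix match over ROUTES; returns the zone of the outgoing interface."""
    addr = ip_address(ip)
    best = max((net for net, _ in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]

def process_inbound(pkt, policy=POLICY_PRIVATE_DST, src_zone="untrust"):
    """Internet -> server. Returns (translated packet or None, reason)."""
    match = FORWARD_MAP.get((pkt.proto, pkt.dst, pkt.dport))
    if match is None:
        return None, "no server-map match"
    priv_ip, priv_port = match
    dst_zone = zone_of(priv_ip)  # outgoing interface is found for the private address
    if (priv_ip, pkt.proto, priv_port) not in policy.get((src_zone, dst_zone), set()):
        return None, f"denied by {src_zone}->{dst_zone} policy"
    # The session records both tuples, like
    # "1.1.1.2:2049-->1.1.1.1:9980[10.1.1.2:80]" in the session table.
    SESSIONS[(pkt.proto, priv_ip, priv_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
    return Packet(pkt.proto, pkt.src, pkt.sport, priv_ip, priv_port), "permitted"

def process_return(pkt):
    """Server -> Internet. A session hit restores the public source from the session;
    server-initiated traffic without a session uses the return server-map entry."""
    hit = SESSIONS.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if hit is not None:
        pub_ip, pub_port = hit
        return Packet(pkt.proto, pub_ip, pub_port, pkt.dst, pkt.dport), "session"
    if pkt.src in REVERSE_MAP:
        return Packet(pkt.proto, REVERSE_MAP[pkt.src], pkt.sport, pkt.dst, pkt.dport), "server-map reverse"
    return None, "no translation"

if __name__ == "__main__":
    client = Packet("tcp", "1.1.1.2", 2049, "1.1.1.1", 9980)
    print(process_inbound(client))
    print(process_inbound(client, policy=POLICY_PUBLIC_DST))
    print(process_return(Packet("tcp", "10.1.1.2", 80, "1.1.1.2", 2049)))
```

Running the block shows the request permitted and translated to 10.1.1.2:80, the same request denied when the policy names 1.1.1.1:9980, and the reply's source restored to 1.1.1.1:9980 from the session rather than from the server-map.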

The packet captures before and after NAT show the results of NAT server:

  • The destination address and port of packets destined from the user on the Internet to the private server are translated.

  • The source address and port of packets destined from the private server to the user on the Internet are translated.

3. Configure a blackhole route.

To avoid routing loops, a blackhole route must be configured for NAT server.

[FW] ip route-static 1.1.1.1 32 NULL 0

2 NAT Server in Multi-Egress Scenario

Like source NAT, NAT server also needs to address the multi-egress scenario. As shown in the following example, the firewall has two ISP links. NAT server is configured as follows:

1. Configure NAT server.

As shown in Figure 1-2, an enterprise has deployed a firewall at the network egress as the gateway, which is connected to the Internet through links ISP1 and ISP2 so that the users on the Internet can access the server on the private network.

Figure 1-2 NAT server networking in the dual-ISP scenario


As the egress gateway, the firewall is connected to two ISPs. Therefore, the NAT server configuration is divided into two parts so that the private server can provide services through public addresses obtained from both ISPs. Two methods are available:

Method 1: Add the WAN interfaces connected to the two ISPs to different security zones and specify the zone parameter during NAT server configuration. In this way, the server can advertise different public IP addresses to different security zones, as shown in Figure 1-3.

Figure 1-3 NAT server networking in the dual-ISP scenario (WAN interfaces in different security zones)


In the following example, the public address advertised to ISP1 is 1.1.1.20 and that advertised to ISP2 is 2.2.2.20.

Add interfaces to security zones.

[FW] firewall zone dmz

[FW-zone-dmz] add interface GigabitEthernet1/0/4

[FW-zone-dmz] quit

[FW] firewall zone name isp1

[FW-zone-isp1] set priority 10

[FW-zone-isp1] add interface GigabitEthernet1/0/2

[FW-zone-isp1] quit

[FW] firewall zone name isp2

[FW-zone-isp2] set priority 20

[FW-zone-isp2] add interface GigabitEthernet1/0/3

[FW-zone-isp2] quit

Configure NAT server with the zone parameter specified.

[FW] nat server zone isp1 protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80

[FW] nat server zone isp2 protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80

Configure two security policies based on the interzone relationship.

[FW] policy interzone isp1 dmz inbound

[FW-policy-interzone-dmz-isp1-inbound] policy 1

[FW-policy-interzone-dmz-isp1-inbound-1] policy destination 172.16.0.2 0

[FW-policy-interzone-dmz-isp1-inbound-1] policy service service-set http

[FW-policy-interzone-dmz-isp1-inbound-1] action permit

[FW-policy-interzone-dmz-isp1-inbound-1] quit

[FW-policy-interzone-dmz-isp1-inbound] quit

[FW] policy interzone isp2 dmz inbound

[FW-policy-interzone-dmz-isp2-inbound] policy 1

[FW-policy-interzone-dmz-isp2-inbound-1] policy destination 172.16.0.2 0

[FW-policy-interzone-dmz-isp2-inbound-1] policy service service-set http

[FW-policy-interzone-dmz-isp2-inbound-1] action permit

[FW-policy-interzone-dmz-isp2-inbound-1] quit

[FW-policy-interzone-dmz-isp2-inbound] quit

Of course, do not forget blackhole routes.

[FW] ip route-static 1.1.1.20 32 NULL 0

[FW] ip route-static 2.2.2.20 32 NULL 0

After the configuration, the following server-map entries are generated on the firewall.

[FW] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

Nat Server, any -> 1.1.1.20:9980[172.16.0.2:80], Zone: isp1

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 172.16.0.2[1.1.1.20] -> any, Zone: isp1

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server, any -> 2.2.2.20:9980[172.16.0.2:80], Zone: isp2

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 172.16.0.2[2.2.2.20] -> any, Zone: isp2

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

We can see that both the forward and return server-map entries are generated. The forward server-map entries allow users on the Internet to access the private server, and the return server-map entries allow the private server to initiate access to the Internet.

Therefore, we recommend that you add the WAN interfaces connected to ISP1 and ISP2 to different security zones and configure NAT server with the zone parameter specified. If the two interfaces have been added to the same zone and cannot be changed, there is another way.

Method 2: Specify the no-reverse parameter during NAT server configuration so that the server can advertise two public IP addresses, as shown in Figure 1-4.

Figure 1-4 NAT server networking in dual-ISP scenario (WAN interfaces in the same security zone)


In this scenario, the no-reverse parameter must be specified to ensure the functioning of NAT server. The following example illustrates the NAT server configuration. Some configurations are the same as in method 1 and are therefore omitted.

Configure NAT server with parameter no-reverse specified.

[FW] nat server protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80 no-reverse

[FW] nat server protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80 no-reverse

After the configuration, the following server-map entries are generated on the firewall.

[FW] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

Nat Server, any -> 1.1.1.20:9980[172.16.0.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server, any -> 2.2.2.20:9980[172.16.0.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

We can see only the forward server-map entries are generated to allow users on the Internet to access the private server. However, to allow the private server to initiate access to the Internet, you must configure a NAT policy in the Trust-to-Untrust interzone.

You may ask what happens if we do not specify the no-reverse parameter and configure two NAT server entries. The answer is that the second nat server command cannot be delivered if we do not specify the parameter.

[FW] nat server protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80

[FW] nat server protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80

  Error: This inside address has been used!

Let's see what would happen if both commands could be delivered. Let's run one command on one firewall and the other command on another firewall and check the server-map entries on the two firewalls.

[FW1] nat server protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80

[FW1] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

Nat Server, any -> 1.1.1.20:9980[172.16.0.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 172.16.0.2[1.1.1.20] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

[FW2] nat server protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80

[FW2] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

 Nat Server, any -> 2.2.2.20:9980[172.16.0.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 172.16.0.2[2.2.2.20] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

We can see that the return server-map entry on one firewall translates source address 172.16.0.2 to 1.1.1.20, and that on the other firewall translates source address 172.16.0.2 to 2.2.2.20. If the two return server-map entries appear on the same firewall, what will happen? The firewall must translate source address 172.16.0.2 to both 1.1.1.20 and 2.2.2.20. Then, the firewall does not know what to do. That is the problem if we do not specify the no-reverse parameter in the nat server command. If the no-reverse parameter is specified, the return server-map entries will not be generated, and this problem will not happen.
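The rules discussed in this section (two server-map entries per command, the zone parameter separating entries for the same inside address, no-reverse suppressing the return entry, and the "inside address has been used" rejection) can be captured in a small model of the server-map table. This is an added example, not Huawei code; the rejection rule is inferred from the error shown above and from the zone and no-reverse behaviour, and the check_conflict switch exists only to show what the ambiguous return translation would look like if the second command were accepted.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added model of how "nat server" commands become server-map entries; not Huawei code.
# Assumption: entries conflict when they would create two return entries for the
# same inside address in the same zone (or both without a zone).

@dataclass(frozen=True)
class ServerMapEntry:
    kind: str                 # "forward" or "reverse"
    zone: Optional[str]       # None is displayed as "---"
    proto: str                # return entries apply to protocol "any"
    inside: str
    inside_port: Optional[int]
    public: str
    public_port: Optional[int]

    def render(self) -> str:
        zone = self.zone or "---"
        if self.kind == "forward":
            pub = f"{self.public}:{self.public_port}" if self.public_port else self.public
            ins = f"{self.inside}:{self.inside_port}" if self.inside_port else self.inside
            return f"Nat Server, any -> {pub}[{ins}], Zone: {zone}"
        return f"Nat Server Reverse, {self.inside}[{self.public}] -> any, Zone: {zone}"

class NatServerTable:
    def __init__(self):
        self.entries: List[ServerMapEntry] = []

    def nat_server(self, *, global_ip, inside, proto="any", global_port=None,
                   inside_port=None, zone=None, no_reverse=False, check_conflict=True) -> str:
        """Model one 'nat server' command. Returns "" when accepted, or the CLI
        error text when a second return entry for the same inside address would result."""
        if not no_reverse and check_conflict:
            for e in self.entries:
                if e.kind == "reverse" and e.inside == inside and e.zone == zone:
                    return "Error: This inside address has been used!"
        self.entries.append(ServerMapEntry("forward", zone, proto, inside, inside_port,
                                           global_ip, global_port))
        if not no_reverse:
            # Return entry: inside -> public for any protocol and port, scoped to the zone.
            self.entries.append(ServerMapEntry("reverse", zone, "any", inside, None,
                                               global_ip, None))
        return ""

    def reverse_candidates(self, inside_ip, zone=None) -> List[str]:
        """Public addresses the return entries would apply to server-initiated traffic
        from inside_ip leaving towards `zone`. More than one is ambiguous; an empty
        list means a source NAT policy is needed instead."""
        return sorted({e.public for e in self.entries
                       if e.kind == "reverse" and e.inside == inside_ip
                       and e.zone in (None, zone)})

    def display(self) -> List[str]:
        """Lines in the style of 'display firewall server-map'."""
        return [e.render() for e in self.entries]

if __name__ == "__main__":
    t = NatServerTable()
    print(t.nat_server(global_ip="1.1.1.20", global_port=9980, inside="172.16.0.2",
                       inside_port=80, proto="tcp"))
    print(t.nat_server(global_ip="2.2.2.20", global_port=9980, inside="172.16.0.2",
                       inside_port=80, proto="tcp"))   # rejected
    print("\n".join(t.display()))
```

Method 1 corresponds to calling nat_server twice with zone="isp1" and zone="isp2": reverse_candidates then returns exactly one public address per zone. Method 2 corresponds to no_reverse=True on both commands: only forward entries exist and reverse_candidates is empty, which is why a source NAT policy is still required for server-initiated traffic.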

2. Configure the sticky load balancing function.

We have learned how to determine whether to specify the zone or no-reverse parameter based on whether the WAN interfaces connected to ISP1 and ISP2 are added to the same security zone. However, we need to consider more than that in the dual-ISP scenario. We also need to consider which ISP will be used to access the private server.

For example, if the users on ISP1 network access the private server through the public address assigned by ISP2, the route is a detour. Moreover, the two ISPs may not be connected to each other. As a result, the connection will be slow or even unavailable.

Therefore, we must avoid such situations to ensure that the public address advertised for users on ISP1 network is the public address obtained from ISP1 and that for users on ISP2 network is the public address obtained from ISP2.

Moreover, a similar problem can occur when the firewall processes the return packets from the private server. As shown in Figure 1-5, users on the ISP1 network access the private server through the public address obtained from ISP1, and the packets are received on GE1/0/2. When the return packets from the private server arrive on the firewall, although the packets match the session table and NAT is performed, the firewall must still determine the outgoing interface based on the destination address. If the firewall has a default route but no specific route to the user on the Internet, the return packets may be forwarded through GE1/0/3, which is connected to the ISP2 network. Packets transmitted through the ISP2 network may not be able to reach the ISP1 network.

Figure 1-5 NAT server traffic interrupted because the forward and return packets do not pass through the same firewall interface


To resolve this problem, we could configure routes to the users on the ISP1 and ISP2 networks. However, the ISP1 and ISP2 networks contain a large number of networks, and manual configuration is not practical. To resolve this issue, the firewall provides the sticky load balancing function, meaning that return packets take the same route back through the interface they arrived on, without depending on the routing table to determine the outgoing interface.

The sticky load balancing function must be configured on both firewall interfaces connected to ISP1 and ISP2 networks. The following commands are used to enable sticky load balancing on GE1/0/2. In this example, the next hop on ISP1 is 1.1.1.254. The commands are available on USG9500 series.

[FW] interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2] redirect-reverse nexthop 1.1.1.254

For USG2000 or USG5000 series, the commands are:

[FW] interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2] reverse-route nexthop 1.1.1.254

For USG6000 series, the commands are:

[FW] interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2] gateway 1.1.1.254

[FW-GigabitEthernet1/0/2] reverse-route enable
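The difference between the routing-table decision and the sticky (reverse-route) decision can be shown with a small forwarding model. This is an added example, not Huawei code; the interface names (GE1/0/2 towards ISP1, GE1/0/3 towards ISP2), the ISP2 next hop 2.2.2.254, the single default route and the client address 198.51.100.7 are assumed for the illustration, while 1.1.1.254 is the ISP1 next hop used in the commands above.

```python
from ipaddress import ip_address, ip_network

# Added model of sticky load balancing (reverse-route); not Huawei code.
# Interfaces, the ISP2 next hop and the default route are assumptions.

INTERFACES = {
    "GE1/0/2": {"zone": "isp1", "reverse_nexthop": None},
    "GE1/0/3": {"zone": "isp2", "reverse_nexthop": None},
}
# Assumed routing table: only a default route, which happens to point at ISP2.
ROUTING_TABLE = [(ip_network("0.0.0.0/0"), "GE1/0/3", "2.2.2.254")]

def configure_reverse_route(interface, nexthop):
    """Model of 'redirect-reverse nexthop' / 'reverse-route nexthop' on an interface."""
    INTERFACES[interface]["reverse_nexthop"] = nexthop

def route_lookup(dst):
    """Longest-prefix match over ROUTING_TABLE; returns (interface, nexthop) or None."""
    addr = ip_address(dst)
    matches = [r for r in ROUTING_TABLE if addr in r[0]]
    if not matches:
        return None
    _net, iface, nexthop = max(matches, key=lambda r: r[0].prefixlen)
    return iface, nexthop

def egress_for_return(session, dst):
    """Choose (interface, nexthop, how) for a packet returning to client `dst`.
    With reverse-route configured on the session's ingress interface, the reply
    is sent back through that interface; otherwise the routing table decides."""
    in_if = session["in_interface"]
    rev = INTERFACES[in_if]["reverse_nexthop"]
    if rev is not None:
        return in_if, rev, "reverse-route"
    found = route_lookup(dst)
    if found is None:
        return None, None, "no route"
    return found[0], found[1], "routing-table"

def return_path_is_symmetric(session, dst):
    """True when the reply leaves through the interface the request arrived on."""
    return egress_for_return(session, dst)[0] == session["in_interface"]

if __name__ == "__main__":
    # Constructed session: an ISP1 client reached 1.1.1.20:9980 and arrived on GE1/0/2.
    sess = {"in_interface": "GE1/0/2", "client": "198.51.100.7", "server": "172.16.0.2"}
    print(egress_for_return(sess, sess["client"]))   # default route: leaves via GE1/0/3
    configure_reverse_route("GE1/0/2", "1.1.1.254")
    print(egress_for_return(sess, sess["client"]))   # reverse-route: GE1/0/2 via 1.1.1.254
```

Before reverse-route is configured the reply follows the default route out of GE1/0/3, the asymmetric path from Figure 1-5; afterwards it leaves through GE1/0/2 towards 1.1.1.254 regardless of the routing table. The same call would be made for GE1/0/3 with the ISP2 next hop, since the function must be enabled on both ISP-facing interfaces.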

user_2790689
Created Jun 4, 2015 10:37:00

Thank you.