Understand Firewall NAT Server & Source NAT Using the CLI - In Practice
Hello guys!
Today, I would like to present an introduction to Firewall NAT Server & Source NAT in practice.
About This Experiment
After NAT is configured on the firewall connecting an intranet to the Internet, multiple users on the intranet can access the Internet at the same time by using a small number of public IP addresses. In addition, users on the Internet can access the intranet server through specific IP addresses.
P.S. All addresses used in the example are fictitious and are used only in a lab environment for study purposes.
Configuration Roadmap
1. Configure IP addresses for interfaces and add the interfaces to security zones. Configure a security policy to permit packets from the Untrust zone to the DMZ.
2. Configure NAT Server.
3. Create a NAT address pool.
4. Configure a NAT policy.
Configuration Procedure on the CLI
Step 1 Complete the configuration of the upstream and downstream service interfaces on the USG. Configure IP addresses for the interfaces and add the interfaces to security zones. (Omitted)
Step 2 Configure a security policy to filter the packets transmitted between security zones.

Step 3 Configure NAT Server.

Step 4 Configure a NAT address pool.

Step 5 Configure NAT ALG for the DMZ-Untrust interzone to ensure that the intranet server can provide the FTP service for Internet users. This step can be omitted because NAT ALG is enabled globally by default.

Step 6 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for NAT, and bind the NAT policy to NAT address pool 2.
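To make the two translations configured above concrete, here is an added Python model (not the author's configuration and not USG code) of a NAT Server mapping for inbound traffic and a source NAT address pool for outbound traffic. The class and method names, the addresses (documentation ranges) and the port-allocation scheme are assumptions made for illustration; a real firewall keys sessions on the full 5-tuple, ages them out, and applies the security policy separately.

```python
import ipaddress

class NatFirewall:
    """Toy model: NAT Server (static inbound mapping) plus source NAT from a pool."""

    def __init__(self, pool, nat_sources, first_port=2048):
        self.pool = list(pool)                                # public IPs in the NAT address pool
        self.nat_sources = ipaddress.ip_network(nat_sources)  # source range named in the NAT policy
        self.first_port = first_port
        self.servers = {}     # (public_ip, port) -> (inside_ip, port), configured statically
        self.sessions = {}    # (public_ip, port) -> (inside_ip, port), created by outbound traffic
        self.by_inside = {}   # reverse index so one inside socket keeps one mapping

    def add_nat_server(self, public, inside):
        self.servers[public] = inside

    def outbound(self, src):
        """Translate the source of an intranet packet; None means the NAT policy did not match."""
        if ipaddress.ip_address(src[0]) not in self.nat_sources:
            return None
        if src not in self.by_inside:
            slot = len(self.sessions)                         # unique per new session
            public = (self.pool[slot % len(self.pool)],
                      self.first_port + slot // len(self.pool))
            self.sessions[public] = src
            self.by_inside[src] = public
        return self.by_inside[src]

    def inbound(self, dst):
        """Translate the destination of an Internet packet; None means no mapping, so it is dropped."""
        return self.servers.get(dst) or self.sessions.get(dst)

def demo():
    # Constructed lab values: two pool addresses, one published FTP server in the DMZ.
    fw = NatFirewall(pool=["198.51.100.10", "198.51.100.11"], nat_sources="10.1.1.0/24")
    fw.add_nat_server(("198.51.100.2", 21), ("10.1.2.100", 21))
    hosts = [("10.1.1.%d" % i, 50000) for i in range(1, 6)]
    mapped = [fw.outbound(h) for h in hosts]
    return {
        "public_ips_used": sorted({ip for ip, _ in mapped}),
        "mapped": mapped,
        "reply_to_first_host": fw.inbound(mapped[0]),
        "ftp_from_internet": fw.inbound(("198.51.100.2", 21)),
        "unsolicited_to_pool": fw.inbound(("198.51.100.10", 9999)),
        "source_outside_policy": fw.outbound(("10.9.9.9", 50000)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Five intranet hosts share two public addresses, Internet traffic reaches the DMZ server only through the published NAT Server address and port, and a packet sent to a pool address without a matching session is not translated.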

Verification
Checking the NAT Server Information
Run the display nat server command to check the NAT Server information.

With that, our practical example is complete.
Cheers,


