Understand Firewall NAT Server & Source NAT Using the CLI - In Practice
Hello guys!
Today, I would like to present an introduction to Firewall NAT Server & Source NAT in practice.
About This Experiment
After NAT is configured on the firewall connecting an intranet to the Internet, multiple users on the intranet can access the Internet at the same time by using a small number of public IP addresses. In addition, users on the Internet can access the intranet server through specific IP addresses.
Objectives:
Understand the application scenario and mechanism of Source NAT.
Understand the application scenario and mechanism of NAT Server.
Configure NAT Server and Source NAT on the CLI and web UI.
Experiment Networking

Figure 1 - Topology for configuring NAT Server and Source NAT on a firewall
Experiment Planning
A security device USG is deployed on a service node. The upstream and downstream devices of the USG are switches.
| Device Name | Port | IP Address | Zone |
| FW1 | G1/0/0 | 10.1.1.1 | DMZ |
| | G1/0/5 | 10.1.2.100 | Trust |
| | G1/0/6 | 20.1.2.100 | Untrust |
| PC1 | E/0/0/1 | 10.1.2.100 | Trust |
| PC2 | E/0/0/1 | 20.1.2.100 | Untrust |
| Server | E/0/0/1 | 10.1.1.100 | DMZ |
Table 1 - Port addresses and zones
Experiment Tasks
| No. | Task | Subtask | Description |
| 1 | Complete basic configurations. | Configure security zones. | Add interfaces to security zones. |
| | | Configure a security policy. | Permit the packets from the Trust zone to the Untrust zone. |
| 2 | Configure Source NAT. | Configure a NAT address pool. | Create a public address pool. |
| | | Configure a NAT policy. | Configure a NAT policy for packets from the Trust zone to the Untrust zone. |
Experiment Task Configuration (Source NAT)
Configuration Roadmap
1. Configure IP addresses for interfaces and add the interfaces to security zones. Configure a security policy to permit packets from the Trust zone to the Untrust zone.
2. Create a NAT address pool.
3. Configure a NAT policy.
Configuration Procedure on the CLI
Step 1 Complete the configuration of the upstream and downstream service interfaces on the USG. Configure IP addresses for the interfaces and add the interfaces to security zones.


Step 2 Configure a security policy to permit packets from the Trust zone to the Untrust zone.

Step 3 Configure a NAT address pool and set the public address range to 2.2.2.2-2.2.2.5.

Step 4 Configure a NAT policy.

Step 5 Configure IP addresses on the PCs.
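Steps 2 to 4 written out as a CLI listing. This is an added example, not the author's original configuration, and it assumes the syntax of recent USG6000 V500 releases. The rule names trust_to_untrust and source_nat_out and the pool name natpool1 are invented for illustration, and lines starting with # are annotations, not commands to type.

```vrp
# Added example. Assumptions: recent USG6000 V500 syntax; rule and pool
# names are illustrative. Interface addressing (Step 1) is not repeated here.
system-view

# Step 2: security policy permitting Trust -> Untrust only.
# The security policy is checked before source NAT is applied, so it
# matches the original private source address, not the pool address.
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  action permit
  quit
 quit

# Step 3: public address pool 2.2.2.2-2.2.2.5 (range from the page).
# "mode pat" translates ports as well as addresses, which is what lets
# many intranet hosts share these four public addresses.
# "route enable" installs black-hole routes for the pool addresses so that
# unsolicited traffic sent to them is dropped instead of being routed back out.
nat address-group natpool1
 mode pat
 section 0 2.2.2.2 2.2.2.5
 route enable
 quit

# Step 4: NAT policy for Trust -> Untrust traffic, using the pool above.
# Earlier releases write the action as "action nat address-group natpool1".
nat-policy
 rule name source_nat_out
  source-zone trust
  destination-zone untrust
  action source-nat address-group natpool1
  quit
 quit

# Verification command used later on this page.
display firewall session table
```

After PC1 pings PC2, the session entry for that flow should show PC1's source address translated to one of the addresses in 2.2.2.2-2.2.2.5.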



Verification
Checking the Ping Result and Firewall Session Table
Run the ping 20.1.2.100 command on PC1 to check whether PC1 can reach PC2.

Run the display firewall session table command to check the NAT results.

With that, our practical example is complete.
Cheers,



