
What is NAT and how it works - episode 3 REPRINT


Authorized reprint by author zhushigeng (Vinsoney)

Hello everyone,

Today I will share with you the deployment of NAT on an NGFW.

4. Deployment of NAT on an NGFW

4.1 Source Address NAPT Based on Address Pools

[Figure 2]

As shown in the preceding figure, a server is connected to a firewall through a switch. The default gateway of the server is set to GE 1/0/1 of the firewall. To ensure the security of the server, the source IP address of the server needs to be converted to an IP address in a range from 10.1.1.5 to 10.1.1.10 when the server accesses the external network.

The key configurations of the firewall are as follows:

# Assigning IP addresses to firewall interfaces and basic configurations, such as adding interfaces to security zones, are not described.

# Create a source address pool named Pool1 and set the source NAT mode to PAT. PAT here means NAPT: both the IP address and the port number are translated, so multiple intranet hosts can share one public IP address to access the external network at the same time.
[FW] nat address-group Pool1
[FW-nat-address-group-Pool1] section 10.1.1.5 10.1.1.10
[FW-nat-address-group-Pool1] nat-mode pat

# Create a source NAT policy so that the server's source address is translated when it accesses the external network.
[FW] nat-policy
[FW-policy-nat] rule name nat1
[FW-policy-nat-rule-nat1] source-zone trust    # Assume that the server is in the trust zone.
[FW-policy-nat-rule-nat1] destination-zone untrust    # The external network is in the untrust zone.
[FW-policy-nat-rule-nat1] source-address 192.168.10.0 24    # Only packets from this source segment are translated.
[FW-policy-nat-rule-nat1] action nat address-group Pool1

# Configure a security policy named test1 to allow devices on the network segment 192.168.10.0/24 in the trust zone to access the untrust zone.
[FW] security-policy
[FW-policy-security] rule name test1
[FW-policy-security-rule-test1] source-zone trust
[FW-policy-security-rule-test1] destination-zone untrust
[FW-policy-security-rule-test1] source-address 192.168.10.0 24
[FW-policy-security-rule-test1] action permit

With the preceding configurations complete, when the server (for example, 192.168.10.5) accesses an external network (for example, ping 10.1.1.2), the following session entries are displayed:

<FW> display firewall session table
 Current Total Sessions : 5
 icmp  VPN: public --> public  192.168.10.5:22360[10.1.1.9:2050] --> 10.1.1.2:2048

The address and port in brackets (10.1.1.9:2050) are the translated source that replaces 192.168.10.5:22360 on the external network; the address is taken from Pool1.

4.2 NAT Internal Server

[Figure 3]

As shown in the preceding figure, a server is connected to a firewall through a switch. The default gateway of the server is set to GE 1/0/1 of the firewall. For security purposes, the real IP addresses of the server blades must not be exposed to external networks, even though some of the blades are accessed from external networks. The NAT internal server function can be deployed on the firewall for this. As an example, the internal server at 192.168.10.5 is mapped to the public IP address 10.1.1.11, so that external network users reach 192.168.10.5 by sending requests to the public IP address.

Assume that the server is in a trust zone, and the external network is in an untrust zone.

# Assigning IP addresses to firewall interfaces and basic configurations, such as adding interfaces to security zones, are not described.

# Configure the NAT internal server function (NAT Server).
[FW] nat server s1 zone untrust global 10.1.1.11 inside 192.168.10.5

# Configure a security policy and create a security rule so that users in the untrust zone can access 192.168.10.5 in the trust zone.
[FW] security-policy
[FW-policy-security] rule name External_to_Server
[FW-policy-security-rule-External_to_Server] source-zone untrust
[FW-policy-security-rule-External_to_Server] destination-zone trust
[FW-policy-security-rule-External_to_Server] destination-address 192.168.10.5 32
[FW-policy-security-rule-External_to_Server] action permit

With the preceding configurations complete, when an external network user (for example, 10.1.1.2) accesses 10.1.1.11 (for example, ping 10.1.1.11), you can view the following session entries on the firewall:

<FW> display firewall session table
 Current Total Sessions : 1
 icmp  VPN: public --> public  10.1.1.2:52651 --> 10.1.1.11:2048[192.168.10.5:2048]

The address in brackets is the translated destination: the firewall replaces the public address 10.1.1.11 with the server's private address 192.168.10.5 before forwarding the packet into the trust zone.
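The two session entries in 4.1 and 4.2 are the evidence that the translations were applied. The following added Python example (not from the original post or from the NGFW) parses such session-table lines and checks that the translated source address falls inside Pool1 (4.1) and that the public address was mapped to the configured inside address (4.2); the sample session table is constructed from the entries shown above.

```python
import ipaddress
import re

# Constructed sample input: the two session entries shown on this page.
SESSION_TABLE = """\
 Current Total Sessions : 2
 icmp  VPN: public --> public  192.168.10.5:22360[10.1.1.9:2050] --> 10.1.1.2:2048
 icmp  VPN: public --> public  10.1.1.2:52651 --> 10.1.1.11:2048[192.168.10.5:2048]
"""

# ip:port optionally followed by [translated-ip:translated-port]
ENDPOINT = re.compile(r"(\d+(?:\.\d+){3}):(\d+)(?:\[(\d+(?:\.\d+){3}):(\d+)\])?")
SESSION = re.compile(r"^\s*(\w+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+(\S+)\s*-->\s*(\S+)\s*$")

def parse_endpoint(text):
    m = ENDPOINT.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    ip, port, xip, xport = m.groups()
    return {"ip": ip, "port": int(port),
            "xip": xip, "xport": int(xport) if xport else None}

def parse_session_table(text):
    """Return one dict per session line; header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            proto, src_vpn, dst_vpn, src, dst = m.groups()
            sessions.append({"proto": proto, "src_vpn": src_vpn, "dst_vpn": dst_vpn,
                             "src": parse_endpoint(src), "dst": parse_endpoint(dst)})
    return sessions

def source_nat_ok(session, pool_first, pool_last):
    """4.1 check: the translated source address must come from the address pool."""
    src = session["src"]
    if src["xip"] is None:
        return False          # no source translation was applied at all
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    return first <= ipaddress.ip_address(src["xip"]) <= last

def nat_server_ok(session, global_ip, inside_ip):
    """4.2 check: the public destination was mapped to the configured inside address."""
    dst = session["dst"]
    return dst["ip"] == global_ip and dst["xip"] == inside_ip
```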

4.3 Usage Scenario of the NAT Internal Server Function

The nat server s1 zone untrust global 10.1.1.11 inside 192.168.10.5 command creates a NAT internal server named s1 (which can be customized). This command maps an internal IP address 192.168.10.5 to a public IP address 10.1.1.11. For example, when a user in an untrust zone accesses the destination IP address 10.1.1.11, the destination IP address of the packet is converted into 192.168.10.5.

Various parameters can be configured in the NAT internal server function to apply to different service scenarios. The configuration methods are as follows:

Configuration method 1:

[Figure 4]

[FW] nat server s1 global 200.1.1.100 inside 172.16.1.1

One-to-one mapping of IP addresses is configured. When the firewall receives a packet destined for 200.1.1.100 (with any destination port number), it translates the destination address to 172.16.1.1. When the firewall receives a packet sent by the server (172.16.1.1) to a client, it translates the source IP address to 200.1.1.100. Internet users and the server can therefore reach each other.

Configuration method 2:

[Figure 5]

[FW] nat server s2 zone untrust global 200.1.1.100 inside 172.16.1.1

When the zone keyword with the untrust parameter is configured, the NAT internal server function takes effect only on packets arriving from the untrust zone: destination address translation is performed only for packets received on an interface in the untrust zone.

Configuration method 3:

[Figure 6]

[FW] nat server s3 zone untrust protocol tcp global 200.1.1.200 22323 inside 172.16.1.1 23

The protocol keyword with the tcp parameter is configured. When the firewall receives TCP traffic destined for 200.1.1.200:22323 on an interface in the untrust zone, it translates the destination IP address to 172.16.1.1 and the destination TCP port number to 23.

Configuration method 4:

[Figure 7]

If multiple internal servers are published through one public IP address, run the nat server command once per server and give the global-port parameter a different value each time. When a client sends a request to 200.1.1.200:21111, it reaches server 1; when it sends a request to 200.1.1.200:21112, it reaches server 2.

Configuration method 5:

[Figure 8]

[FW] nat server for1 zone untrust11 protocol tcp global 200.1.1.200 21111 inside 172.16.1.1 23
[FW] nat server for2 zone untrust22 protocol tcp global 200.2.2.200 21111 inside 172.16.1.1 23

If an internal server advertises multiple public IP addresses for external networks to access or if links to the public IP addresses are in different security zones, you can configure the NAT internal server function to advertise a particular public IP address of each security zone.

Configuration method 6:

[Figure 9]

[FW] nat server for1 zone untrust protocol tcp global 200.1.1.200 21111 inside 172.16.1.1 23 no-reverse
[FW] nat server for2 zone untrust protocol tcp global 200.2.2.200 21111 inside 172.16.1.1 23 no-reverse

If an internal server advertises multiple public IP addresses for external networks to access, and the links to those public IP addresses are in the same security zone, run the nat server command with the no-reverse parameter. With no-reverse specified, you can configure mappings between multiple public addresses (global) and the same private IP address (inside).

After no-reverse is configured, the mapping is not applied in the reverse direction: when the internal server itself initiates a connection to the external network, its private IP address is not translated to the public IP address, so the server cannot initiate connections to the external network. The no-reverse parameter can therefore also be used deliberately to prevent an internal server from proactively accessing the external network. If such a server does need to access the external network, configure a source NAT policy between the security zone where the internal server resides and the security zone where the external network resides, so that the server's private IP address is translated to a public IP address. The IP address in the address pool referenced by that source NAT policy can be a global address or a public address.
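To make the matching rules behind configuration methods 1 to 6 concrete, here is an added Python model of the nat server lookup in both directions (an illustration, not Huawei code or the NGFW's actual algorithm). It assumes first-match ordering between entries, and the inside address 172.16.1.2 for "server 2" in method 4 is a constructed value, since the page does not give it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatServer:
    """One 'nat server' entry; None means the optional parameter was omitted."""
    name: str
    global_ip: str
    inside_ip: str
    zone: Optional[str] = None        # zone <name>: only packets arriving from that zone
    protocol: Optional[str] = None    # protocol tcp|udp
    global_port: Optional[int] = None
    inside_port: Optional[int] = None
    no_reverse: bool = False          # no-reverse: never used for server-initiated traffic

def translate_inbound(servers, in_zone, proto, dst_ip, dst_port):
    """Packet from in_zone to a public address: (inside_ip, inside_port) or None.
    First matching entry wins (assumed ordering, not taken from the page)."""
    for s in servers:
        if s.zone is not None and s.zone != in_zone:
            continue                          # methods 2/5: bound to another zone
        if s.protocol is not None and s.protocol != proto:
            continue
        if s.global_ip != dst_ip or (s.global_port is not None and s.global_port != dst_port):
            continue
        # method 3: a port-level entry rewrites the port; method 1 keeps the client's port
        return s.inside_ip, (s.inside_port if s.inside_port is not None else dst_port)
    return None

def translate_outbound(servers, src_ip, src_port):
    """Server-initiated connection: reverse mapping, skipped for no-reverse entries."""
    for s in servers:
        if s.no_reverse or s.inside_ip != src_ip:
            continue
        if s.inside_port is not None and s.inside_port != src_port:
            continue
        return s.global_ip, (s.global_port if s.global_port is not None else src_port)
    return None   # no mapping: a source NAT policy is needed, as method 6 explains

# Constructed entries mirroring methods 1, 3, 4 and 6; 172.16.1.2 for "server 2" is assumed
SERVERS = [
    NatServer("s3", "200.1.1.200", "172.16.1.1", "untrust", "tcp", 22323, 23),
    NatServer("srv2", "200.1.1.200", "172.16.1.2", "untrust", "tcp", 21112, 23),
    NatServer("for1", "200.1.1.200", "172.16.1.1", "untrust", "tcp", 21111, 23, True),
    NatServer("for2", "200.2.2.200", "172.16.1.1", "untrust", "tcp", 21111, 23, True),
    NatServer("s1", "200.1.1.100", "172.16.1.1"),   # method 1: any zone, any port
]
```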

That is all I want to share with you! Thank you!

Learn more: what is NAT and how it works episode 1 REPRINT

Learn more: what is NAT and how it works episode 2 REPRINT
