You are on page 1of 24

NAT Technology

Huawei Symantec Technologies Co., Ltd.

Objectives
Principles of address conversion
Functions, advantages, and disadvantages
of address conversion
Configuration and deployment of ACLs on
the Huawei Symantec firewall

Huawei Symantec Technologies Co., Ltd.

page 2

..NAT Technology Contents 1 NAT Principle 2 NAT Configuration Huawei Symantec Technologies Co. Ltd.

Ltd.Concept of NAT  Network Address Translation (NAT) is a method to change source address or destination address in the IP packet.  Several hosts in one LAN can access the external resources through a few public addresses. Huawei Symantec Technologies Co. Set the internal server as required for external use.  Hosts in the LAN are protected because their IP addresses are hidden from the outside. page 4 ..

page 5 . Ltd..Address  Public address and private address  Internal address  External address Huawei Symantec Technologies Co.

Ltd.. page 6 .NAT Principle  Control address translation through the ACL  Address pool  Translation correlation  Internal server mapping Huawei Symantec Technologies Co.

. Ltd. page 7 .NAT Principle  Supporting the special protocol such as Application Layer Gateway (ALG)  The Ethernet port supports the address pool  Supporting load balancing in multiple directions Huawei Symantec Technologies Co.

241 10.com 202.5.2 … Totoal: 256 address pool Source Private address www.110.110.110. 202.1 202.110.1..5.5.2 10.110.1.google.110.100 www.1.Address Assignment in NAT  NAT — One-to-one address translation INTERNET 10.com 202.101 page 8 .5.100/24 NET 1 202.1 10. Ltd.101/24 Eudemon防火墙 NET 2 Destination NET 。。。 Huawei Symantec Technologies Co.1.110.1.baidu.110.110.

.110.110.5.2 … Totoal: 256 address pool Destination D-port Source www.Address Assignment in NAT  PAT — Many-to-one address translation INTERNET NET 1 10.1.110.241 8889 10.110.241 8888 10. Ltd.com 80 202.100 202.5.101 Eudemon防火墙 NET 2 NET 。。。 Huawei Symantec Technologies Co.5.110.1.google.5.com 80 202.241 10.100 www.110.110.1 202.101 page 9 S-port Private address .1.baidu. 202.110.110.1.1.

10 10.12 10. that is.11.Basic Principles of NAT-Bi-DirectionalNAT USER 132.. page 10 . inbound NAT Huawei Symantec Technologies Co.0.5.110.12 202.10.5.12 132.12 10. Ltd.5.5.5.110.5.110.10.0.110.11.101 202.5.101 10.11.101  Converted Converted source destination address address 202.110.10.10 Application scenario of bi-directional NAT: NAT from the zone with low priority to the zone with high priority.5.12 10.5.10 10.0.12 Destination address Source address 132.110.

Ltd. page 11 .Advantages and Disadvantages of the Address Translation  Advantages — Allowing several hosts in a LAN to access the public network with one shared IP address —  Masking the internal users to improve the security of the internal network Disadvantages — Not applicable when useful address information exists in packets — Not applicable when IP packets are encrypted — Unable to determine the source address — Affect the efficiency of packet forwarding Huawei Symantec Technologies Co..

Ltd. page 12 .NAT Technology Contents 1 NAT Principle 2 NAT Configuration Huawei Symantec Technologies Co..

10.0/16..0.110.169.2 to 202.0/16  Networking Requirements: — The office network that employees use for working is in the trust security zone.Basic Configuration of NAT(1) internet DMZ 192. Huawei Symantec Technologies Co. Ltd.0/24 Untrust trust 10. the Network Address Port Translation (NAPT) function is used to realize address multiplexing.6.10. and the segment is 10.168.110.20.110. page 13 .10. Because the public IP addresses are limited.169.0/24 10.0.0/24 segment of the trust security zone can access the Internet and users in other segments of this zone cannot.10. — Requirement 1: users in 10.110. The range of legal IP addresses that can access external network is from 202.

110.10.Basic Configuration of NAT(2)   Configure basic functions of the firewall.0 0.0 0.255  Configure an address pool.110.0.169.6 202..255 [Eudemon-acl-basic-2001] rule 1 deny source 10. Eudemon] Eudemon] nat nat address-group address-group 11 202. Ltd.10.2 202.0.169. page 14 .10. [Eudemon] [Eudemon] acl acl 2001 2001 [Eudemon-acl-basic-2001] [Eudemon-acl-basic-2001] rule rule 00 permit permit source source 10.0.0.255 [Eudemon-acl-basic-2001] rule 1 deny source 10.0.0 10.110.110.255 0.169.255.2 202.10.0.10.6  Configure inter-zone packet filtering rules.10. [Eudemon-interzone-trust-untrust] [Eudemon-interzone-trust-untrust] packet-filter packet-filter 2001 2001 outbound outbound Huawei Symantec Technologies Co.255.0.0 0.0. Configure ACLs.169.

For address multiplexing is needed.. pool. the parameter no-pat is not configured. Huawei Symantec Technologies Co. Ltd. [Eudemon-interzone-trust-untrust] [Eudemon-interzone-trust-untrust] nat nat outbound outbound 2001 2001 address-group address-group 11 You Youare arerecommended recommendedto tonot notto touser user parameter parameter no-pat no-patwhen whenconfiguring configuringthe the address addresspool. page 15 .Basic Configuration of NAT(3)  Associate the ACL with the address pool.

20.0/24 Untrust trust 10.1. and the port is 8080..168.20.110.169.168. Huawei Symantec Technologies Co. and the internal IP address of the FTP server is 192.0.10. page 16 .3/24. Ltd.0/24 10. The internal IP address of the WWW server is 192.Internal Server Configuration of NAT(1) internet DMZ 192.110.168.2/24.10. Two addresses that are released to the outside are all 202.20. The outside port number is the default one.0/16  Networking Requirements: — Two internal servers are provide to external users.

168. Ltd.Internal Server Configuration of NAT(2)  Basic Configurations  Configure ACL rules [Eudemon] [Eudemon] acl acl 3000 3000 [Eudemon-acl-adv-3000] [Eudemon-acl-adv-3000] rule rule 00 permit permit tcp tcp destination destination 192.2 192.20.168.168.20.. [Eudemon-interzone-dmz-untrust] [Eudemon-interzone-dmz-untrust] detect detect ftp ftp Huawei Symantec Technologies Co.3 192.2 00 destination-port destination-port eq eq 8080 8080  Configure inter-zone packet filtering rules. [Eudemon-interzone-dmz-untrust] [Eudemon-interzone-dmz-untrust] packet-filter packet-filter 3000 3000 inbound inbound  Enable the NAT ALG function of FTP. page 17 .168.20.3 00 destination-port destination-port eq eq ftp ftp [Eudemon-acl-adv-3000] [Eudemon-acl-adv-3000] rule rule 11 permit permit tcp tcp destination destination 192.20.

3 192.1 ftp ftp inside inside 192.20.169. [Eudemon] [Eudemon] nat nat server server protocol protocol tcp tcp global global 202.169.20.10. Ltd. page 18 . Huawei Symantec Technologies Co.168.169.3 ftp ftp The Theno-reverse no-reverseparameter parameterof ofthe theNat Natserver serverindicates indicates that thatexternal externalIP IPaddress addressof ofthe theinternal internalserver servercan canbe be configured configuredrepeatedly.1 202. [Eudemon] [Eudemon] nat nat server server protocol protocol tcp tcp global global 202.10.20.20.1 80 80 inside inside 192.168.10.10.1 202.169.168. repeatedly.Internal Server Configuration of NAT(3)  Configuring the Internal WWW Server.2 8080 8080  Configuring the Internal FTP Server.2 192.168..

1.1..1.Configuration of Bi-Directional NAT(1) 200.1. Ltd.2/24.the public address is 200. — Do not configure the route to the public network on the FTP Server . the number of the outside port is the default one.10 USER  FTP SERVER 10.1.1. page 19 . The public network cannot be connected actively.1.1. Huawei Symantec Technologies Co.2/24 Networking Requirements — The internal IP address of the FTP server is 10.10.

5 10.0.255 Huawei Symantec Technologies Co.1.10 200. [Eudemon] [Eudemon] nat nat server server global global 200. Ltd.10 inside inside 10.1. page 20 .1.1.0.5 10.0. [Eudemon] [Eudemon] nat nat address-group address-group 11 10.1.0..1.1.1.Configuration of Bi-Directional NAT(2)  Basic Configurations  Configure the NAT server.255 [Eudemon-acl-adv-3001] rule permit ip source 10.0.1.1.0.1.1.1.2 10.1.10 [Eudemon] nat address-group 0 200.2  Configure a NAT address pool.1.10 200.255 0.1.10 200.1.1.1.1.0 0.1.1.1.0.1.1.1.0 0.0 200.1.50 [Eudemon] nat address-group 0 200.1.50 10.10  Configure ACLs that are used for NAT.255 [Eudemon-acl-adv-3001] rule permit ip source 10. [Eudemon-acl-adv-3000] [Eudemon-acl-adv-3000] rule rule permit permit ip ip source source 200.1.1.1.1.0.0 0.

page 21 . E1000/500/300. supported.Configuration of Bi-Directional NAT(3)  Configure the bi-directional NAT.. feature.the thebi-directional bi-directionalNAT NATfeature featureisis supported. Huawei Symantec Technologies Co. USG50. On Onthe theE1000/500/300.The TheUSG50. [Eudemon-interzone-dmz-untrust] [Eudemon-interzone-dmz-untrust] nat nat inbound inbound 3000 3000 address-group address-group 11 [Eudemon-interzone-dmz-untrust] [Eudemon-interzone-dmz-untrust] nat nat outbound outbound 3001 3001 address-group address-group 00  Enable the NAT ALG function of FTP. Ltd.USG3000 USG3000and and Eudemon200/200S/100E Eudemon200/200S/100Edo donot notprovide providethis thisfeature.

page 22 External WEB server .10192.0.102/24 192.12:1021192.168.0.168.1.168.10202.168.0.168.1.0.0.100/24 202.1/24 Firewall Internet Eth0/0/1 202.1.168.1.11:80192.0.0/24 Nat Pool 202.168.168.168.1.168.1.168.1.20 Eth0/0/0 192.101/24 DMZ zone External FTP External mail server server Huawei Symantec Technologies Co.168. Ltd.102:ftp 192..168.1/24 202.168.101:8080 192.Typical NAT Networking—Single Intranet Egress RADIUS server Provide NAT service Log server Intranet 192.0.0.168.100 Eth1/0/0 192.1/26 Provide the NAT Server service 202.

the address conversion for the external public network or the internal server mapping is implemented by using the conversion association technology.  During NAT configuration. Ltd.Review After learning this chapter. Huawei Symantec Technologies Co.  The big problem of NAT is about performance and source traceability. After the selection of the address pool. the host is controlled by the ACL. page 23 . but it also performs security protection. you should understand the following:  The NAT technology is mainly used to solve address problems..

Ltd.. .Huawei Symantec Technologies Co.