Chapter 9 - NAT
HCSA-NGFW 2022
Contents
1 Basic Concept of NAT
2 Source NAT
3 Destination NAT
Basic Concept of NAT
Why We Need NAT?
• NAT Background:
– IPv4 address exhaustion
– Among the IPv4 address-extension technologies introduced, NAT is the one in efficient, widespread use
– IPv6 adoption is still low
www.hillstonenet.com
NAT Concept
• NAT (Network Address Translation) translates the IP address in an IP packet header to another IP
address. When IP packets pass through a security appliance or router, the appliance or router
translates the source IP address and/or the destination IP address in the packets. In practice,
NAT is mostly used to allow a private network to access the public network, or vice versa.
[Figure: SNAT and DNAT on one appliance. PC 192.168.10.10 sits behind Ethernet0/1 (trust zone, interface IP 192.168.10.254); Ethernet0/4 (untrust zone, interface IP 200.1.1.1) faces the Internet, where Server 200.200.200.200 is located.
IP packet1, SNAT (outbound): before translation S-IP 192.168.10.10, D-IP 200.200.200.200; after translation S-IP 200.1.1.1, D-IP 200.200.200.200.
IP packet2, DNAT (inbound): before translation S-IP 200.200.200.200, D-IP 200.1.1.1; after translation S-IP 200.200.200.200, D-IP 192.168.10.10.]
NAT Classification
• Source NAT (SNAT): static, dynamic-ip, dynamic-port
• Destination NAT (DNAT): IP mapping, port mapping
[Figure: SNAT example. Hosts 192.168.10.10 and 192.168.10.11 (trust zone, gateway 192.168.10.254) reach Host B 9.6.7.3 on the Internet through the untrust address 200.1.1.1. Steps 1-4 show SA/DA before SNAT (SA 192.168.10.10, DA 9.6.7.3) and after SNAT (SA 200.1.1.1, DA 9.6.7.3).]
Configure SNAT (WebUI)
Policy > NAT > SNAT, and click New.
SNAT supports:
- Static NAT (static-ip)
- Dynamic NAT (dynamic-ip)
- Dynamic port (dynamic-port)
SNAT - Static NAT
• Static - Static mode means one-to-one translation. This mode requires the translated address entry
to contain the same number of IP addresses as that of the source address entry.
SNAT – Dynamic IP
• Dynamic IP - Dynamic IP mode means multiple-to-one translation. This mode translates the source address to a specific IP
address. Each source address will be mapped to a unique IP address, until all specified addresses are occupied.
SNAT – Dynamic Port
• Dynamic port - Also called PAT. Multiple source addresses will be translated to one specified IP address in an address entry.
Configure SNAT (CLI)
• To configure SNAT, in the VRouter/NAT configuration mode, use the following command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface] trans-to {addressbook trans-to-address | eif-ip} mode {static | dynamicip | dynamicport [sticky]} [log] [disable] [track track-name] [description description]
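As an added illustration (not Hillstone code and not part of the original slides), the following Python model shows how the three SNAT modes above differ in what they do to the source address and port; the hosts, address pools and ports are constructed sample values.

```python
# Added example, not Hillstone code: a toy model of the three StoneOS SNAT
# modes described above (static, dynamic-ip, dynamic-port). All addresses,
# pools and ports are constructed sample values.
from itertools import count

class SnatRule:
    """One SNAT rule translating the `sources` entry into the `pool` entry."""

    def __init__(self, mode, sources, pool, port_base=10000):
        if mode not in ("static", "dynamicip", "dynamicport"):
            raise ValueError("unknown SNAT mode: " + mode)
        if mode == "static" and len(sources) != len(pool):
            # static is one-to-one: both address entries must be the same size
            raise ValueError("static mode needs equal-sized address entries")
        self.mode, self.sources, self.pool = mode, list(sources), list(pool)
        self.bindings = {}                 # dynamicip: source IP -> pool IP
        self.next_port = count(port_base)  # dynamicport: next free source port

    def translate(self, src_ip, src_port):
        """Return (translated_src_ip, translated_src_port) for an outbound packet."""
        if src_ip not in self.sources:
            return src_ip, src_port        # rule does not match; packet untouched
        if self.mode == "static":
            # the i-th source address maps to the i-th translated address
            return self.pool[self.sources.index(src_ip)], src_port
        if self.mode == "dynamicip":
            # each source keeps its own pool IP until all pool IPs are occupied
            if src_ip not in self.bindings:
                used = set(self.bindings.values())
                free = [ip for ip in self.pool if ip not in used]
                if not free:
                    # the slide stops at "until all addresses are occupied";
                    # this model simply reports exhaustion at that point
                    raise RuntimeError("dynamic-ip pool exhausted")
                self.bindings[src_ip] = free[0]
            return self.bindings[src_ip], src_port
        # dynamicport (PAT): every source shares pool[0]; the distinct source
        # port is what lets return traffic be mapped back to the right host
        return self.pool[0], next(self.next_port)

def demo():
    """Run static and PAT modes on the same two hosts and return the results."""
    hosts = ["192.168.10.10", "192.168.10.11"]
    static = SnatRule("static", hosts, ["200.1.1.1", "200.1.1.2"])
    pat = SnatRule("dynamicport", hosts, ["200.1.1.1"])
    return {
        "static": [static.translate(h, 4000) for h in hosts],
        "pat": [pat.translate(h, 4000) for h in hosts],
    }
```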
Destination NAT
DNAT translates destination IP addresses; usually the IP addresses of internal servers (such as the WWW
server or SMTP server) protected by the device are translated to public IP addresses.
[Figure: DNAT example. Host B 9.6.7.3 on the Internet sends an HTTP (port 80) request to the public address 200.1.1.1; the device translates DA to the internal HTTP server 192.168.10.10 (192.168.10.11 is a second server on the same trust segment; the trust interface is labelled 192.168.1.254). Steps 1-4 show SA/DA before DNAT (SA 9.6.7.3, DA 200.1.1.1) and after DNAT (SA 9.6.7.3, DA 192.168.10.10).]
DNAT – IP Mapping
• IP mapping: this mode is one-to-one mapping. It is usually used to publish a server externally
when public IP addresses are sufficient.
DNAT – Port Mapping
• Port mapping: this mode is one-to-multiple mapping. It maps different ports of one public IP to different
ports on different intranet IPs, so that multiple servers can be published when public IP addresses are
limited.
DNAT – Advanced Settings
DNAT - SLB
• DNAT supports SLB (server load balancing); 192.168.10.10 and 192.168.10.11 are in the same server pool.
Configure DNAT (CLI)
• To configure a DNAT rule for NAT, in the VRouter configuration mode, use the following command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] trans-to trans-to-address [port port] [load-balance] [track-tcp port] [track-ping] [log] [group group-id] [disable] [description description]
Advanced NAT Setting
NAT Rule
• There are two types of NAT rules, which are source NAT rules and destination
NAT rules. SNAT translates source IP addresses; DNAT translates destination
IP addresses. If there are multiple NAT rules in the system, you can move a
rule as needed.
• Note: When configuring firewall policy, the source and destination addresses
in policy should be the address before NAT translation.
NAT Hit Count
The system administrator can check the hit count of a newly added NAT rule to verify whether the
NAT policy is working.
Moving a NAT Rule
• To move a NAT rule via WebUI, in the SNAT/DNAT Configuration dialog, select the nat rule
and click Priority.
• To move a NAT rule, in the NAT configuration mode, use the following commands:
- snatrule move id {before id | after id | top | bottom}
- dnatrule move id {before id | after id | top | bottom}
• To delete a NAT rule, in the NAT configuration mode, use the following commands:
- no snatrule id id
- no dnatrule id id
Configure a DNAT-related Policy
• Policy > Security Policy, and click New.
Bidirectional NAT(BNAT)
BNAT can be seen as a combination of DNAT and SNAT: it uses just one rule to achieve both source and
destination translation.
In the packet processing flow, BNAT has precedence over DNAT. When a packet matches a BNAT rule, it follows
the destination translation and source translation defined in that BNAT rule and does not check the other regular
NAT rules. After the BNAT mapping is finished, policy matching starts.
To create a BNAT rule, under VRouter configuration mode, use the command below:
• bnatrule [id id] [before id | after id | top] [interface interface-name] virtual {ip {A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} real {ip {A.B.C.D | A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} [group group-id] [description description]
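As an added illustration (not Hillstone code and not part of the original slides), the Python model below walks an inbound packet through the order described in the DNAT and BNAT slides: a BNAT rule first, otherwise DNAT (IP mapping, port mapping and SLB round-robin), then the security policy matched on the pre-NAT addresses as the NAT Rule note states. The source-rewrite address used by the BNAT class and all IPs and ports are assumptions of this model.

```python
# Added example, not Hillstone code: a toy model of the inbound processing order
# described above. A BNAT rule is checked first; otherwise DNAT rules (IP or port
# mapping, optionally load-balanced round-robin over a server pool) apply; the
# security policy is then matched on the pre-NAT addresses. Sample values only.
from ipaddress import ip_address, ip_network
from itertools import cycle

class Dnat:
    """One dnatrule: public (ip, port) -> a real server, or a pool (SLB)."""
    def __init__(self, public_ip, public_port, real_servers, real_port=None):
        self.key = (public_ip, public_port)
        self.real_port = real_port or public_port   # port mapping if it differs
        self.servers = cycle(real_servers)          # load-balance: round-robin

    def apply(self, pkt):
        if (pkt["dst"], pkt["dport"]) != self.key:
            return None
        return {**pkt, "dst": next(self.servers), "dport": self.real_port}

class Bnat:
    """One bnatrule: virtual IP -> real IP plus source translation in one rule.
    Rewriting the source to `snat_ip` is an assumption of this model."""
    def __init__(self, virtual_ip, real_ip, snat_ip):
        self.virtual_ip, self.real_ip, self.snat_ip = virtual_ip, real_ip, snat_ip

    def apply(self, pkt):
        if pkt["dst"] != self.virtual_ip:
            return None
        return {**pkt, "dst": self.real_ip, "src": self.snat_ip}

def first_hit(rules, pkt):
    """Apply rules in order; return the first translated packet, or None."""
    for rule in rules:
        out = rule.apply(pkt)
        if out:
            return out
    return None

def process(pkt, bnat_rules, dnat_rules, policy):
    """Return (translated_pkt, action); policy = [(src_net, dst_ip, action)]."""
    translated = first_hit(bnat_rules, pkt)      # BNAT has precedence over DNAT
    if translated is None:                       # no BNAT hit: regular DNAT rules
        translated = first_hit(dnat_rules, pkt)
    translated = translated or dict(pkt)
    # policy lookup uses the original header, i.e. addresses before translation
    for src_net, dst_ip, action in policy:
        if ip_address(pkt["src"]) in ip_network(src_net) and pkt["dst"] == dst_ip:
            return translated, action
    return translated, "deny"                    # nothing matched: default deny
```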
Questions
1. Which type of NAT does an intranet user typically use to access the Internet?
2. When is port-based DNAT required instead of IP-based DNAT?
3. How should the destination IP address be configured in the policy rule for a server that is
published to the Internet?
LAB
[Figure: lab topology. FW1: E0/1 L3-trust 192.168.1.254/24 (PC1 192.168.1.1), E0/2 L3-untrust 192.168.13.1/24, E0/3 L3-untrust 182.168.12.1/24; SNAT address 192.168.13.2. FW3: E0/1 L3-trust 192.168.2.254/24 (PC2 192.168.2.21/24), E0/2 L3-untrust 192.168.13.3/24, E0/3 L3-untrust 192.168.23.3/24; DNAT address 192.168.2.2. FW2: 182.168.12.2/24 and 192.168.23.2/24, marked with an X in the diagram.]
Thanks