
Network Address Translation

Foreword

 Network address translation (NAT) translates an IP address carried in the header of an IPv4 packet into another IP address. Generally, NAT is used to translate private addresses into public addresses so that devices can communicate across private and public networks.
 NAT emerged as a temporary solution to alleviate the public IPv4 address shortage caused by Internet expansion.

3 Huawei Confidential
Objectives

Upon completion of this course, you will be able to:
 Recognize NAT application scenarios.
 Understand how NAT works.
 Configure NAT on firewalls.
Contents

1. NAT Principle
2. Source NAT
3. Server Mapping
4. Application Scenarios

Background
 IPv4 addresses are depleted.
 IPv6 cannot completely replace IPv4 immediately.
 Technologies to mitigate IPv4 address exhaustion (NAT, for example) continue to emerge.

Advantages and Disadvantages
 Advantages:
 IP addresses can be reused: many private hosts share a small number of public addresses.
 The address translation process is transparent to users.
 Internal addresses are hidden from external hosts, which protects the privacy of internal users.
 Load balancing among internal servers is available.
 Disadvantages:
 Network monitoring is more difficult: once many hosts share one public address, activity seen from outside (for example in a third party's logs) can be attributed to a specific internal host only with the firewall's NAT session logs, so those logs must be retained together with timestamps and the translated ports.
 Some applications are restricted: protocols that carry IP addresses or port numbers inside their payload (FTP in active mode, for example) break unless the device understands them (see NAT ALG).
Basic Principle
 NAT translates the source and destination IP addresses in IP packet headers so that numerous private addresses can access the public network through a limited number of public addresses.

Example: internal user 10.1.1.1 accesses an FTP server at 123.3.2.3 through a NAT device whose public address is 123.3.2.1.

Direction | Before translation | After translation | What the NAT device does
Internal user -> FTP server | Source 10.1.1.1, destination 123.3.2.3 | Source 123.3.2.1, destination 123.3.2.3 | Translates the private source address into a public address
FTP server -> internal user | Source 123.3.2.3, destination 123.3.2.1 | Source 123.3.2.3, destination 10.1.1.1 | Translates the public destination address back into the private address
NAT Categories
 Source NAT
 Address pool mode
 Outbound interface address mode (easy IP)
 Server mapping
 Static mapping (NAT server)
2. Source NAT
Address Pool Mode (1)
 Address pool mode without port translation

Before translation (trust) | After translation (untrust)
Source 192.168.0.11, destination 1.1.1.1 | Source 9.9.9.9, destination 1.1.1.1

 One-to-one address translation is performed without port translation: each private address is bound to one free public address from the pool, and once the pool is exhausted further private hosts are discarded.

Private address | Public address
192.168.1.1 | 155.133.87.1
192.168.1.2 | 155.133.87.2
192.168.1.3 | 155.133.87.3
192.168.1.4 | Discard (pool exhausted)
Address Pool Mode (2)
 Address pool mode with port translation

Before translation (trust) | After translation (untrust)
Source 192.168.0.11, source port X, destination 1.1.1.1 | Source 2.2.2.2, source port Y, destination 1.1.1.1

 Different private addresses are mapped to the same public address but different port numbers to implement many-to-one address translation.

Private address | Public address:port
192.168.1.1 | 155.133.87.1:7111
192.168.1.2 | 155.133.87.1:7112
192.168.1.3 | 155.133.87.1:7113
Easy IP
 Outbound interface address mode (easy IP): the public address of the outbound interface is used as the translated source address, with port translation, so no address pool has to be configured. This suits links whose public address is assigned dynamically.

Before translation (trust) | After translation (untrust)
Source 192.168.0.11, destination 1.1.1.1 | Source 155.133.87.1 (outbound interface address), destination 1.1.1.1

Private address | Public address:port
192.168.1.1 | 155.133.87.1:7111
192.168.1.2 | 155.133.87.1:7112
192.168.1.3 | 155.133.87.1:7113
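The source NAT behaviour described on the Basic Principle, Address Pool Mode (1) and (2) and Easy IP slides, as an added Python example written for this page (illustration code, not Huawei firewall code). It keeps a translation table for both modes: one-to-one translation without port translation, which discards new private hosts once the pool is exhausted, and many-to-one translation with port translation, which is also what easy IP does with the outbound interface address. The addresses, the first public port 7111 and the sample flows are taken from the slides; the class and method names are this example's own.

```python
"""Source NAT translation table for the two address-pool modes.
Added illustration for this page, not Huawei firewall code.
Addresses and ports reuse the slides' examples (192.168.1.x -> 155.133.87.x, port 7111...)."""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class SourceNat:
    def __init__(self, pool, pat: bool, first_port: int = 7111):
        self.pool = list(pool)       # public addresses in the NAT address pool
        self.pat = pat               # True: many-to-one with port translation
        self.next_port = first_port  # next public port handed out in PAT mode
        self.pat_sessions: Dict[Flow, int] = {}              # private flow -> public port
        self.pat_reverse: Dict[Tuple[str, int], Flow] = {}   # (public ip, port) -> private flow
        self.bindings: Dict[str, str] = {}                   # no-PAT: public ip -> private ip

    @classmethod
    def easy_ip(cls, interface_ip: str) -> "SourceNat":
        """Outbound interface address mode: the pool is just the interface's public address."""
        return cls([interface_ip], pat=True)

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Translate a packet leaving the trust zone.  None means the packet is discarded:
        the pool is exhausted (no-PAT) or the public port space is used up (PAT)."""
        src_ip, src_port, dst_ip, dst_port = flow
        if self.pat:
            public_ip = self.pool[0]
            if flow not in self.pat_sessions:
                if self.next_port > 65535:
                    return None
                self.pat_sessions[flow] = self.next_port
                self.pat_reverse[(public_ip, self.next_port)] = flow
                self.next_port += 1
            return (public_ip, self.pat_sessions[flow], dst_ip, dst_port)
        # one-to-one: a private host keeps the public address it was first given
        for public_ip, private_ip in self.bindings.items():
            if private_ip == src_ip:
                return (public_ip, src_port, dst_ip, dst_port)
        free = [p for p in self.pool if p not in self.bindings]
        if not free:
            return None              # 192.168.1.4 -> Discard on the slide
        self.bindings[free[0]] = src_ip
        return (free[0], src_port, dst_ip, dst_port)   # ports are left untouched

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        """Map a reply (source = server, destination = public address) back to the
        private host.  None means there is no matching session, so the packet is dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if self.pat:
            flow = self.pat_reverse.get((dst_ip, dst_port))
            if flow is None:
                return None
            return (src_ip, src_port, flow[0], flow[1])
        private_ip = self.bindings.get(dst_ip)
        if private_ip is None:
            return None
        return (src_ip, src_port, private_ip, dst_port)


if __name__ == "__main__":
    nat = SourceNat(["155.133.87.1", "155.133.87.2", "155.133.87.3"], pat=False)
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print(host, "->", nat.outbound((host, 40000, "1.1.1.1", 80)))
```

The reverse lookup is the security-relevant part: a packet arriving for a public address and port that no session created (`inbound` returns None) is dropped, which is why a host behind PAT cannot be reached from outside without a server mapping, and why attributing an outbound connection to a private host needs the session table or its logs rather than the public address alone.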
NAT ALG
 The NAT application level gateway (ALG) is a translation proxy used for certain application protocols and can translate the address and port number carried in application layer data.

Frame layout: Ethernet header | IP header | TCP header | Application data | Ethernet trailer
 Ordinary NAT rewrites only the IP header (addresses) and the TCP/UDP header (ports).
 Addresses and ports carried inside the application data (the "?" on the slide) are invisible to ordinary NAT; only an ALG that understands the application protocol can find and rewrite them.
NAT ALG Implementation Principle
 NAT ALG application in FTP active mode

Topology: host 192.168.1.2 (private network) <-> NAT ALG (public address 8.8.8.11) <-> FTP server 8.8.8.1 (public network)

1. The host sets up a control connection to the FTP server.
2. The host sends a PORT command carrying its own address and the port it listens on: (192.168.1.2, 1084).
3. ALG processing: the NAT ALG translates the payload of the PORT command to (8.8.8.11, 12487) and records the data connection it now expects.
4. The FTP server initiates a data connection to the translated address, (8.8.8.1, 3004 -> 8.8.8.11, 12487); the NAT ALG translates it into (8.8.8.1, 3004 -> 192.168.1.2, 1084) and forwards it to the host.
5. Data is transmitted over the established data connection.
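The FTP active-mode exchange above, as an added Python example written for this page (illustration code, not Huawei's ALG). It parses the PORT command, rewrites the address and port in the payload, records the expected inbound data connection so the server's SYN can be mapped back to the host, and tracks how much the rewrite changed the payload length, since a real ALG must then adjust TCP sequence and acknowledgement numbers. The addresses and ports (192.168.1.2:1084, 8.8.8.11:12487, 8.8.8.1:3004) come from the slide; the class name, the check that the PORT address matches the session's own source, and the decision to drop a mismatching command are this example's own.

```python
"""FTP ALG for active mode: rewrite the PORT payload and open the matching pinhole.
Added illustration for this page, not Huawei firewall code.
Addresses follow the slide (host 192.168.1.2, public 8.8.8.11, server 8.8.8.1)."""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def decode_port(payload: bytes) -> Optional[Tuple[str, int]]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if it is not a valid PORT line."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    nums = [int(x.decode()) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_port(ip: str, port: int) -> bytes:
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


class FtpAlg:
    def __init__(self, public_ip: str, first_port: int = 12487):
        self.public_ip = public_ip
        self.next_port = first_port
        # expected inbound data connections: (public ip, public port) -> (private ip, private port)
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # cumulative payload length change; a real ALG applies it to TCP seq/ack numbers
        self.seq_delta = 0

    def translate_control(self, private_src_ip: str, payload: bytes) -> Optional[bytes]:
        """Process one client->server control segment after ordinary source NAT.
        Returns the (possibly rewritten) payload, or None if the segment must be dropped."""
        parsed = decode_port(payload)
        if parsed is None:
            return payload                     # not a PORT command: pass through unchanged
        ip, port = parsed
        # Hardening (this example's choice): only open a pinhole towards the
        # session's own private address.  A PORT naming another host would let a
        # client make the firewall admit the server's data connection to a third party.
        if ip != private_src_ip:
            return None
        public_port = self.next_port
        self.next_port += 1
        self.pinholes[(self.public_ip, public_port)] = (ip, port)
        rewritten = encode_port(self.public_ip, public_port)
        self.seq_delta += len(rewritten) - len(payload)
        return rewritten

    def translate_data_syn(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """The server opens the data connection to the public address: map it back to the host."""
        return self.pinholes.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("8.8.8.11")
    print(alg.translate_control("192.168.1.2", b"PORT 192,168,1,2,4,60\r\n"))
    print(alg.translate_data_syn("8.8.8.11", 12487))
```

Without the address check, the pinhole would be opened for whatever address the client puts in the PORT command; with it, the ALG only ever admits a data connection back to the host that sent the command, which is the behaviour the slide's sequence relies on.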
3. Server Mapping
NAT Server - Internal Server
 The NAT server function uses a public address to represent the private address of an internal server.

Topology: WWW server 192.168.1.1 (real address, DMZ) <-> firewall <-> external user (untrust)

Direction | Before translation | After translation
External user -> WWW server | Destination 202.202.1.1 (public address) | Destination 192.168.1.1 (real address)

 On the firewall, a public address is configured to represent the server's private address. External users access the server through this public address.
NAT Server and Server Map Table (1)
 After the NAT server is configured, the device automatically generates server map entries that map public and private addresses.

[NGFW] nat server server1 protocol tcp global 202.202.1.1 inside 192.168.1.1

Keyword | Meaning
protocol tcp | Protocol carried over IP
global 202.202.1.1 | Post-NAT public address
inside 192.168.1.1 | Private address

 Example: server map entries

Type: Nat Server, ANY -> 202.202.1.1:21[192.168.1.1:21], Zone:---, protocol:tcp
Vpn: public --> public
Type: Nat Server Reverse, 192.168.1.1[202.202.1.1] -> ANY, Zone:---, protocol:tcp
Vpn: public --> public, counter: 1

 The forward entry (Nat Server) translates the destination of inbound traffic from the public address to the private address. The reverse entry (Nat Server Reverse) translates the source of connections that the internal server itself initiates, so the server appears on the public network as 202.202.1.1 rather than with its real address.
NAT Server and Server Map Table (2)
 After no-reverse is specified, the device generates only forward server map entries: inbound access through the public address still works, but connections initiated by the server are no longer source-translated to 202.202.1.1, so they need a source NAT policy if the real address must not be exposed. no-reverse is required when several public addresses are mapped to the same private address, because the reverse entries would otherwise conflict.

[NGFW] nat server server1 protocol tcp global 202.202.1.1 inside 192.168.1.1 no-reverse

 Example: server map entry

Type: Nat Server, ANY -> 202.202.1.1[192.168.1.1], Zone:---, protocol:tcp
Vpn: public -> public
4. Application Scenarios
Typical NAT Scenario and Configuration Example
 Application scenarios:
 Source NAT application
 NAT server application

Topology: the firewall connects three security zones.
 Untrust zone: interface 202.169.10.1/29 (Internet side)
 DMZ: interface 192.168.20.1/24 (internal servers)
 Trust zone: interface 192.168.0.1/24 (internal users)
Source NAT Configuration on the Firewall (Web)
 Configure a NAT address pool.

Source NAT Configuration on the Firewall (Web)
 Configure a source NAT policy.
 In this example, the configuration enables users in the trust zone to access Internet resources in the untrust zone. Therefore, the source security zone is trust and the destination security zone is untrust.
 Select the configured address pool.
NAT Server Configuration on the Firewall (Web)
 Configure the internal web and FTP servers.
 External and internal addresses: the public address is the address used by external users for access; the private address is the internal server's address on the LAN.
NAT Server Configuration on the Firewall (Web)
 Configure an interzone security policy (untrust -> DMZ) that permits only the published services, HTTP to the web server and FTP to the FTP server. The NAT server mapping alone does not allow the traffic; the security policy must permit it.
Source NAT Configuration on the Firewall (CLI)
 Configure interzone access rules.
 Specify the network segment 192.168.0.0 as the source address. (Detailed configurations are not described here.) A NAT policy only translates; a trust -> untrust security policy must still permit the traffic.
 Configure an address pool. The pool 202.169.10.2 to 202.169.10.6 covers the usable addresses of the 202.169.10.0/29 segment other than the interface address 202.169.10.1, which the NAT server configuration uses.

[NGFW] nat address-group 1
[NGFW-nat-address-group-1] section 202.169.10.2 202.169.10.6

 Configure a source NAT policy.

[NGFW] nat-policy
[NGFW-policy-nat] rule name nat1
[NGFW-policy-nat-rule-nat1] source-zone trust
[NGFW-policy-nat-rule-nat1] destination-zone untrust
[NGFW-policy-nat-rule-nat1] source-address 192.168.0.0 24
[NGFW-policy-nat-rule-nat1] action nat address-group 1
NAT Server Configuration on the Firewall (CLI)
 Configure the internal web and FTP servers. Both mappings share the public address 202.169.10.1 and are distinguished by port; the web server is published on port 80 although it listens on 8080.

[USG] nat server wwwserver protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
[USG] nat server ftpserver protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp

 Configure interzone packet filtering rules. The security policy is matched after the NAT server translation, so the destination addresses in the rules are the servers' private addresses (192.168.20.2 and 192.168.20.3), not the public address 202.169.10.1, and each rule permits only the published service.

[USG] security-policy
[USG-policy-security] rule name p1
[USG-policy-security-rule-p1] source-zone untrust
[USG-policy-security-rule-p1] destination-zone dmz
[USG-policy-security-rule-p1] destination-address 192.168.20.2 32
[USG-policy-security-rule-p1] service http
[USG-policy-security-rule-p1] action permit
[USG-policy-security] rule name p2
[USG-policy-security-rule-p2] source-zone untrust
[USG-policy-security-rule-p2] destination-zone dmz
[USG-policy-security-rule-p2] destination-address 192.168.20.3 32
[USG-policy-security-rule-p2] service ftp
[USG-policy-security-rule-p2] action permit
Twice NAT
 Application scenarios:
 NAT server + source NAT
 Intrazone NAT

Interzone Twice NAT
 To simplify the configuration of the route from a server to a public network, you can configure source NAT on top of the NAT server function: the Internet user's public source address is translated into a private address, so the server sees all clients on a private segment and only needs a route to that segment rather than routes towards the public network.

Topology: internal server 192.168.1.5 (real address, DMZ) published as 202.20.1.5 (public address); Internet user 2.2.2.5 (untrust), whose source address becomes 192.168.1.1 after source NAT.

Direction | Before translation | After translation
Internet user -> internal server | Source 2.2.2.5, destination 202.20.1.5 | Source 192.168.1.1, destination 192.168.1.5
Intrazone Twice NAT
 An internal user accesses an internal server through the server's public address, so both ends of the connection are in the trust zone.
 The firewall translates the destination address of the user's request packet into the private address of the FTP server. In addition, it translates the source address into the public address of the user, so that the server's reply is sent back through the firewall instead of directly to the user on the LAN (where it would arrive with the server's private address as source and be discarded).
 The firewall translates the source address of the response packet from the FTP server into the server's public address. In addition, it translates the destination address into the private address of the user.

Topology (trust zone): internal user 192.168.1.5, whose public address is 202.202.1.5; server 192.168.1.1, whose public address is 202.202.1.1.

Direction | Before translation | After translation
Internal user -> server | Source 192.168.1.5, destination 202.202.1.1 | Source 202.202.1.5, destination 192.168.1.1
Server -> internal user | Source 192.168.1.1, destination 202.202.1.5 | Source 202.202.1.1, destination 192.168.1.5
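The processing order that the NAT server, server map, CLI security policy and twice NAT slides describe, as an added Python example written for this page (illustration code, not Huawei firewall code): destination translation from the server map first, then the security policy matched on the translated private address, then source translation from a reverse server-map entry or, for intrazone twice NAT, the user's public address; replies are translated back from the recorded session. The addresses are taken from the slides (web server 192.168.20.2:8080 published as 202.169.10.1:80, FTP server 192.168.20.3, intrazone server 192.168.1.1 published as 202.202.1.1, user 192.168.1.5 with public address 202.202.1.5); the Firewall and Rule classes, the zone layout, the sample rules, the default deny and treating any address outside the internal segments as untrust are this example's assumptions.

```python
"""Packet walk: NAT server (destination NAT), security policy, then source NAT.
Added illustration for this page, not Huawei firewall code.  Addresses follow the
slides; the Firewall class, its processing order and the default deny are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Pkt = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port); TCP assumed


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str      # the policy is written against the post-NAT (private) address
    dst_port: int
    action: str       # "permit" or "deny"


class Firewall:
    def __init__(self, zones: Dict[str, str]):
        self.zones = {z: ipaddress.ip_network(n) for z, n in zones.items()}
        self.server_map: Dict[Tuple[str, int], Tuple[str, int]] = {}  # forward entries
        self.reverse_map: Dict[str, str] = {}                           # inside ip -> global ip
        self.user_public: Dict[str, str] = {}   # intrazone twice NAT: private user -> public address
        self.rules: List[Rule] = []
        self.sessions: Dict[Pkt, Pkt] = {}      # reply 4-tuple as sent by the server -> original request

    def nat_server(self, global_ip: str, global_port: int, inside_ip: str, inside_port: int,
                   no_reverse: bool = False) -> None:
        self.server_map[(global_ip, global_port)] = (inside_ip, inside_port)
        if not no_reverse:                       # the "Nat Server Reverse" entry
            self.reverse_map[inside_ip] = global_ip

    def zone_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for zone, net in self.zones.items():
            if addr in net:
                return zone
        return "untrust"   # assumption: anything outside the internal segments is Internet

    def _permitted(self, src_zone: str, dst_zone: str, dst_ip: str, dst_port: int) -> bool:
        for r in self.rules:   # first match wins; no match means the default deny
            if ((r.src_zone, r.dst_zone, r.dst_port) == (src_zone, dst_zone, dst_port)
                    and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst_net)):
                return r.action == "permit"
        return False

    def forward(self, pkt: Pkt) -> Tuple[str, Optional[Pkt]]:
        src_ip, src_port, dst_ip, dst_port = pkt
        # 1. NAT server lookup: the destination is rewritten before the policy check
        dst_ip, dst_port = self.server_map.get((dst_ip, dst_port), (dst_ip, dst_port))
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        # 2. Security policy, matched on the translated (private) destination
        if not self._permitted(src_zone, dst_zone, dst_ip, dst_port):
            return "deny", None
        # 3. Source NAT: reverse server-map entry for a server's own outbound
        #    connection, or the user's public address for intrazone twice NAT
        if dst_zone == "untrust" and src_ip in self.reverse_map:
            src_ip = self.reverse_map[src_ip]
        elif src_zone == dst_zone and src_ip in self.user_public:
            src_ip = self.user_public[src_ip]
        self.sessions[(dst_ip, dst_port, src_ip, src_port)] = pkt
        return "permit", (src_ip, src_port, dst_ip, dst_port)

    def reply(self, pkt: Pkt) -> Optional[Pkt]:
        """Translate a response: source back to the address the client addressed,
        destination back to the client's real address.  None: no session, drop."""
        orig = self.sessions.get(pkt)
        if orig is None:
            return None
        o_src, o_sport, o_dst, o_dport = orig
        return (o_dst, o_dport, o_src, o_sport)


if __name__ == "__main__":
    fw = Firewall({"trust": "192.168.1.0/24", "dmz": "192.168.20.0/24"})
    fw.nat_server("202.169.10.1", 80, "192.168.20.2", 8080)
    fw.rules.append(Rule("untrust", "dmz", "192.168.20.2/32", 8080, "permit"))
    print(fw.forward(("2.2.2.5", 3004, "202.169.10.1", 80)))
```

Two things the walk makes concrete: a rule written against the public address 202.169.10.1 would never match, because the lookup sees 192.168.20.2:8080; and with no-reverse the FTP server's own outbound connections leave with its real address unless a source NAT policy covers them.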
Quiz

1. Which of the following are reasons why NAT emerged?

A. Insufficient IP address resources
B. Protection of the real IP addresses of internal servers
C. Requirements of specific services
D. Demand for easy device management
Summary

 Technical principle of NAT
 NAT application scenarios
 Typical NAT configurations on firewalls
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.
