
NAT Technology

Huawei Symantec Technologies Co., Ltd.

Objectives

- Principles of address translation
- Functions, advantages, and disadvantages of address translation
- Configuration and deployment of ACLs on the Huawei Symantec firewall


NAT Technology

Contents

- NAT Principle
- NAT Configuration


Concept of NAT

- Network Address Translation (NAT) is a method of changing the source address or the destination address in an IP packet.
- Several hosts in one LAN can access external resources through a few public addresses. An internal server can be published for external use as required.
- Hosts in the LAN are protected because their IP addresses are hidden from the outside.


Address

- Public address and private address
- Internal address
- External address


NAT Principle

- Address translation is controlled through the ACL
- Address pool
- Translation association (binding an ACL to an address pool)
- Internal server mapping


NAT Principle

- Support for special protocols through the Application Layer Gateway (ALG)
- The Ethernet port supports the address pool
- Support for load balancing in multiple directions


Address Assignment in NAT

NAT: one-to-one address translation

[Figure: two hosts on NET 1, 10.110.5.100/24 and 10.110.5.101/24, reach the Internet (NET 2) through an Eudemon firewall whose outside interface is 202.110.1.241. Translation uses the address pool 202.110.1.1, 202.110.1.2, ... (256 addresses in total).]

Destination      Source (public address)   Private address
www.baidu.com    202.110.1.1               10.110.5.100
www.google.com   202.110.1.2               10.110.5.101

Address Assignment in NAT

PAT: many-to-one address translation

[Figure: the same two hosts, 10.110.5.100 and 10.110.5.101 on NET 1, reach the Internet (NET 2) through the Eudemon firewall (outside interface 202.110.1.241, address pool 202.110.1.1, 202.110.1.2, ..., 256 addresses in total). All flows share the single public address 202.110.1.241 and are told apart by their translated source port.]

Destination      D-port   Source           S-port   Private address
www.baidu.com    80       202.110.1.241    8888     10.110.5.100
www.google.com   80       202.110.1.241    8889     10.110.5.101

Basic Principles of NAT: Bi-Directional NAT

[Figure: an external USER at 132.11.5.12 accesses the public address 202.10.0.12. The firewall maps the destination to the internal host 10.110.5.10 and at the same time translates the user's source address to 10.110.5.101.]

                      Destination address   Source address
Before translation    202.10.0.12           132.11.5.12
After translation     10.110.5.10           10.110.5.101

Application scenario of bi-directional NAT: NAT from the zone with low priority to the zone with high priority, that is, inbound NAT.

Advantages and Disadvantages of Address Translation

Advantages

- Several hosts in a LAN can access the public network through one shared IP address
- Internal users are masked, which improves the security of the internal network

Disadvantages

- Not applicable when address information that must stay valid is carried inside the packet payload
- Not applicable when IP packets are encrypted
- The original source address cannot be determined from outside
- Packet forwarding efficiency is reduced


Basic Configuration of NAT(1)

[Figure: the Eudemon firewall connects the trust zone (10.110.0.0/16, which includes the segment 10.110.10.0/24), the DMZ (192.168.20.0/24) and the untrust zone (Internet).]

Networking Requirements:

The office network that employees use for working is in the trust security zone, and its segment is 10.110.0.0/16.

Requirement 1: users in the 10.110.10.0/24 segment of the trust security zone can access the Internet, and users in other segments of this zone cannot. The range of legal IP addresses that can access the external network is 202.169.10.2 to 202.169.10.6. Because public IP addresses are limited, the Network Address Port Translation (NAPT) function is used to realize address multiplexing.

Basic Configuration of NAT(2)

Configure basic functions of the firewall.

Configure ACLs.

[Eudemon] acl 2001
[Eudemon-acl-basic-2001] rule 0 permit source 10.110.10.0 0.0.0.255
[Eudemon-acl-basic-2001] rule 1 deny source 10.110.0.0 0.0.255.255

Configure an address pool.

[Eudemon] nat address-group 1 202.169.10.2 202.169.10.6

Configure inter-zone packet filtering rules.

[Eudemon-interzone-trust-untrust] packet-filter 2001 outbound

Basic Configuration of NAT(3)

Associate the ACL with the address pool. Because address multiplexing is needed, the no-pat parameter is not configured.

[Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 1

You are recommended not to use the no-pat parameter when configuring the address pool.
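As an added illustration (this is not code from the slides or from Huawei Symantec), the following Python script models what the ACL, the address group and the nat outbound command above do together: ACL 2001 with its wildcard masks decides which sources are translated, address group 1 supplies the public address, and because no-pat is absent each flow receives its own translated source port, which is also what lets the firewall map the server's reply back to the right private host. The packet tuples, the web server address 203.0.113.7, the starting port 8888 and the use of the first pool address for every flow are constructed assumptions.

```python
"""Model of outbound NAPT (nat outbound 2001 address-group 1).

Added illustration, not Huawei Symantec code. ACL 2001, the pool
202.169.10.2-202.169.10.6 and the host segments come from the slides; the
packet tuples, the first translated port (8888) and the use of the first
pool address for every flow are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei-style wildcard mask: a 1 bit means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


# ACL 2001 from the slide: rule 0 permits 10.110.10.0/24, rule 1 denies the
# rest of 10.110.0.0/16. Rules are checked in order; the first match decides.
ACL_2001 = [
    ("permit", "10.110.10.0", "0.0.0.255"),
    ("deny", "10.110.0.0", "0.0.255.255"),
]


def acl_permits(acl, src: str) -> bool:
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False  # no rule matched: not translated


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Many-to-one translation: one public address is shared and the
    translated source port tells the flows apart (no-pat is not set)."""

    def __init__(self, pool_start: str, pool_end: str, acl, first_port: int = 8888):
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.acl = acl
        self.next_port = first_port
        self.outbound = {}  # private flow -> translated flow
        self.sessions = {}  # (dst, dport, public addr, public port) -> private flow

    def translate_outbound(self, f: Flow) -> Optional[Flow]:
        """trust -> untrust: rewrite the source if ACL 2001 permits it."""
        if not acl_permits(self.acl, f.src):
            return None  # other trust segments are not translated (and are filtered)
        if f in self.outbound:
            return self.outbound[f]  # an existing session keeps its mapping
        # Assumption: always use the first pool address; a real device spreads
        # flows over the whole address group.
        translated = Flow(self.pool[0], self.next_port, f.dst, f.dport)
        self.next_port += 1
        self.outbound[f] = translated
        self.sessions[(translated.dst, translated.dport, translated.src, translated.sport)] = f
        return translated

    def translate_reply(self, reply: Flow) -> Optional[Flow]:
        """untrust -> trust: only packets that match a session are mapped back."""
        private = self.sessions.get((reply.src, reply.sport, reply.dst, reply.dport))
        if private is None:
            return None  # unsolicited inbound traffic has no session: dropped
        return Flow(reply.src, reply.sport, private.src, private.sport)


def demo() -> dict:
    """Two permitted hosts and one denied host talk to a constructed web server."""
    napt = Napt("202.169.10.2", "202.169.10.6", ACL_2001)
    a = napt.translate_outbound(Flow("10.110.10.5", 40000, "203.0.113.7", 80))
    b = napt.translate_outbound(Flow("10.110.10.6", 40000, "203.0.113.7", 80))
    denied = napt.translate_outbound(Flow("10.110.20.5", 40000, "203.0.113.7", 80))
    reply_to_b = napt.translate_reply(Flow("203.0.113.7", 80, "202.169.10.2", 8889))
    return {"a": a, "b": b, "denied": denied, "reply_to_b": reply_to_b}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name}: {flow}")
```

Note that both permitted hosts use the same source port 40000 towards the same server; without the port translation the two sessions would be indistinguishable on the way back, which is why the slide advises against no-pat when addresses must be multiplexed. A host in 10.110.20.0/24 is matched by the deny rule and gets no translation at all, and an inbound packet that matches no session entry is dropped rather than forwarded to any internal host.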

Internal Server Configuration of NAT(1)

[Figure: the Eudemon firewall connects the trust zone (10.110.0.0/16, which includes 10.110.10.0/24), the DMZ (192.168.20.0/24) and the untrust zone (Internet).]

Networking Requirements:

Two internal servers are provided to external users. The internal IP address of the WWW server is 192.168.20.2/24 and its port is 8080; the internal IP address of the FTP server is 192.168.20.3/24. Both servers are published to the outside with the same address, 202.169.10.1. The outside port numbers are the default ones.

Internal Server Configuration of NAT(2)

Basic Configurations

Configure ACL rules.

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule 0 permit tcp destination 192.168.20.3 0 destination-port eq ftp
[Eudemon-acl-adv-3000] rule 1 permit tcp destination 192.168.20.2 0 destination-port eq 8080

Configure inter-zone packet filtering rules.

[Eudemon-interzone-dmz-untrust] packet-filter 3000 inbound

Enable the NAT ALG function of FTP.

[Eudemon-interzone-dmz-untrust] detect ftp

Internal Server Configuration of NAT(3)

Configure the internal WWW server.

[Eudemon] nat server protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080

Configure the internal FTP server.

[Eudemon] nat server protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp

The no-reverse parameter of the nat server command indicates that the external IP address of the internal server can be configured repeatedly.

Configuration of Bi-Directional NAT(1)

[Figure: an external USER reaches the FTP SERVER (internal address 10.1.1.2/24) through the firewall at the server's public address 200.1.1.10.]

Networking Requirements

The internal IP address of the FTP server is 10.1.1.2/24; the public address is 200.1.1.10; the outside port number is the default one.

Do not configure a route to the public network on the FTP server. The server therefore cannot actively connect to the public network.

Configuration of Bi-Directional NAT(2)

Basic Configurations

Configure the NAT server.

[Eudemon] nat server global 200.1.1.10 inside 10.1.1.2

Configure the NAT address pools.

[Eudemon] nat address-group 1 10.1.1.5 10.1.1.50
[Eudemon] nat address-group 0 200.1.1.10 200.1.1.10

Configure the ACLs that are used for NAT.

[Eudemon-acl-adv-3000] rule permit ip source 200.1.1.0 0.0.0.255
[Eudemon-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255

Configuration of Bi-Directional NAT(3)

Configure the bi-directional NAT.

[Eudemon-interzone-dmz-untrust] nat inbound 3000 address-group 1
[Eudemon-interzone-dmz-untrust] nat outbound 3001 address-group 0

Enable the NAT ALG function of FTP.

On the E1000/500/300, the bi-directional NAT feature is supported. The USG50, USG3000 and Eudemon200/200S/100E do not provide this feature.
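As an added illustration covering both the internal server configuration (nat server on slides 16 and 17) and the bi-directional NAT just configured, the following Python script (not code from the slides or from Huawei Symantec) models the inbound path of a published server. A port-specific mapping such as 202.169.10.1:80 -> 192.168.20.2:8080 coexists with a second service on the same global address, and in the bi-directional case the source of a client matched by ACL 3000 is additionally rewritten into the pool 10.1.1.5-10.1.1.50, so the FTP server sees a peer on its own subnet and needs no route back. The client addresses (200.1.1.99, 198.51.100.7), the packet tuples and the round-robin pool choice are constructed assumptions; nat outbound 3001 is not modelled.

```python
"""Model of internal server mapping (nat server) and bi-directional NAT.

Added illustration, not Huawei Symantec code. The mappings, pool and ACL
subnet are taken from the slides (202.169.10.1 -> 192.168.20.2/.3 and
200.1.1.10 -> 10.1.1.2 with pool 10.1.1.5-10.1.1.50); client addresses,
packet tuples and the round-robin pool choice are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def in_subnet(addr: str, cidr: str) -> bool:
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr)


class ServerNat:
    """Destination NAT for published servers, optionally combined with an
    inbound source pool (nat inbound <acl> address-group <n>)."""

    def __init__(self, inbound_pool: Optional[Tuple[str, str]] = None,
                 inbound_acl_net: Optional[str] = None):
        self.servers = {}   # (proto, global addr, global port) -> (inside addr, inside port)
        self.sessions = {}  # translated 5-tuple as the server sees it -> original packet
        self.pool = []
        if inbound_pool:
            start = int(ipaddress.IPv4Address(inbound_pool[0]))
            end = int(ipaddress.IPv4Address(inbound_pool[1]))
            self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.acl_net = inbound_acl_net  # ACL 3000: permit ip source 200.1.1.0 0.0.0.255
        self.next = 0

    def add_server(self, global_addr, inside_addr, proto=None, gport=None, iport=None):
        """'nat server global G inside I' (all ports) when proto/gport are None,
        'nat server protocol tcp global G GP inside I IP' otherwise."""
        self.servers[(proto, global_addr, gport)] = (inside_addr, iport)

    def _lookup(self, p: Packet):
        hit = self.servers.get((p.proto, p.dst, p.dport))  # port-specific mapping first
        if hit:
            return hit
        hit = self.servers.get((None, p.dst, None))         # then address-only mapping
        if hit:
            return hit[0], p.dport
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        """untrust -> dmz: rewrite the destination; if an inbound pool is bound
        to an ACL that matches the source, rewrite the source as well."""
        target = self._lookup(p)
        if target is None:
            return None  # nothing published on that address/port: dropped
        inside, iport = target
        src = p.src
        if self.pool and self.acl_net and in_subnet(p.src, self.acl_net):
            src = self.pool[self.next % len(self.pool)]  # constructed round-robin choice
            self.next += 1
        t = Packet(p.proto, src, p.sport, inside, iport)
        self.sessions[(t.proto, t.dst, t.dport, t.src, t.sport)] = p
        return t

    def reply(self, r: Packet) -> Optional[Packet]:
        """dmz -> untrust: undo both translations from the session entry."""
        orig = self.sessions.get((r.proto, r.src, r.sport, r.dst, r.dport))
        if orig is None:
            return None  # no session: the server cannot open new flows outward here
        return Packet(r.proto, orig.dst, orig.dport, orig.src, orig.sport)


def server_needs_route_back(translated: Packet, server_subnet: str) -> bool:
    """True when the server would need a route to reach the (translated) client."""
    return not in_subnet(translated.src, server_subnet)
```

With only nat server (slide 17), the DMZ hosts still see the real Internet client address and therefore need a default route through the firewall; with nat inbound bound to the pool (slide 21), the same server sees 10.1.1.5 and answers on its own subnet, which is exactly why the requirement says not to configure a route to the public network on the FTP server. A client outside 200.1.1.0/24 is not matched by ACL 3000, so its source is left untranslated and the route-back problem reappears.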

Typical NAT Networking: Single Intranet

[Figure: a firewall with three interfaces. Eth0/0/0 (192.168.0.1/24) faces the intranet 192.168.0.0/24, Eth0/0/1 (202.168.0.1/26) faces the Internet, and Eth1/0/0 (192.168.1.1/24) faces the DMZ zone, which holds the external FTP server, the external mail server and the external WEB server at 192.168.1.100/24, 192.168.1.101/24 and 192.168.1.102/24. A RADIUS server and a log server are also shown. The egress provides the NAT service with the NAT pool 202.168.0.10-202.168.0.20 and provides the NAT server service for the DMZ hosts.]

NAT server mappings:

202.168.0.10         -> 192.168.1.100
202.168.0.11:80      -> 192.168.1.101:8080
202.168.0.12:1021    -> 192.168.1.102:ftp

Review

After learning this chapter, you should understand the following:

- NAT technology is mainly used to solve address problems, but it also provides security protection.
- During NAT configuration, which hosts are translated is controlled by the ACL. After the address pool is selected, translation towards the external public network or the internal server mapping is implemented by associating the ACL with the address pool (translation association).
- The main problems of NAT are performance and source traceability.
