NAT Technology.pdf


  • 8/11/2019 NAT Technology.pdf


    Huawei Symantec Technologies Co., Ltd.

    NAT Technology

    Objectives

    Principles of address translation
    Functions, advantages, and disadvantages of address translation
    Configuration and deployment of ACL-controlled NAT on the Huawei Symantec firewall

    Contents

    NAT Principle
    NAT Configuration

    Concept of NAT

    Network Address Translation (NAT) is a method of changing the source address or the destination address in an IP packet.

    Several hosts in one LAN can access external resources through a few public addresses.

    An internal server can be published for external use as required.

    Hosts in the LAN are hidden from the outside because only the translated addresses are visible. This is address hiding rather than access control: the inter-zone packet filters configured alongside NAT in this chapter remain the mechanism that decides what may pass.

    Address

    (Figure: public address and private address; internal address and external address.)

    NAT Principle

    Control address translation through the ACL
    Address pool
    Translation correlation (binding the ACL to the address pool)
    Internal server mapping

    NAT Principle

    Supports special protocols through the Application Layer Gateway (ALG)
    Address pools can be used on Ethernet ports
    Supports load balancing in multiple directions

    Address Assignment in NAT

    NAT: one-to-one address translation

    Address pool: 202.110.1.1 to 202.110.1.2 (the slide's figure also labels the pool "Total: 256 addresses")

    Private address   Source (translated)   Destination
    10.110.5.100      202.110.1.1           www.baidu.com
    10.110.5.101      202.110.1.2           www.google.com

    Each private host is given a whole public address from the pool; the source port is left unchanged, so the pool can serve at most as many hosts as it has addresses.

    Address Assignment in NAT

    PAT: many-to-one address translation

    Address pool: 202.110.1.1 to 202.110.1.2

    Private address   S-port   Source (translated)   D-port   Destination
    10.110.5.101      8889     202.110.1.2           4180     www.google.com
    10.110.5.100      8888     202.110.1.2           4180     www.baidu.com

    Many private hosts share one public address; the translated source port is what distinguishes their sessions on the return path.
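The two tables above, as an added example that is not from the slides and not Huawei firewall code: a small outbound source-NAT table that can run either in the one-to-one mode of the "NAT" table or in the many-to-one mode of the "PAT" table, including the reverse lookup for replies. The public pool and the private hosts are the slides' figures; the public port range used by the NAPT allocator and the third host 10.110.5.102 are assumptions.

```python
"""Outbound source NAT: one-to-one (no-pat) versus many-to-one (NAPT).
Illustrative code, not from the slides and not the firewall's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class OutboundNat:
    """Source NAT fed from a pool of public addresses.

    pat=False: one-to-one (no-pat).  Each private host takes a whole public
               address, so at most len(pool) hosts can be online at once.
    pat=True:  many-to-one (NAPT).  Each flow gets (public ip, public port);
               the port is what separates hosts on the return path.
    """

    def __init__(self, pool, pat, first_port=1024, last_port=65535):
        self.pool = list(pool)
        self.pat = pat
        self.next_port = first_port   # assumed allocator range, not from the slides
        self.last_port = last_port
        self.host_map = {}   # no-pat: private ip -> public ip
        self.flow_map = {}   # napt:   (private ip, port) -> (public ip, port)
        self.reverse = {}    # napt:   (public ip, port) -> (private ip, port)

    def translate(self, f: Flow) -> Optional[Flow]:
        """Translate an outbound flow; None means the pool is exhausted."""
        if not self.pat:
            pub = self.host_map.get(f.src)
            if pub is None:
                free = [ip for ip in self.pool if ip not in self.host_map.values()]
                if not free:
                    return None
                pub = self.host_map[f.src] = free[0]
            return Flow(pub, f.sport, f.dst, f.dport)   # port carried unchanged
        key = (f.src, f.sport)
        if key not in self.flow_map:
            if self.next_port > self.last_port:
                return None
            pub_ip = self.pool[len(self.flow_map) % len(self.pool)]
            self.flow_map[key] = (pub_ip, self.next_port)
            self.reverse[(pub_ip, self.next_port)] = key
            self.next_port += 1
        pub_ip, pub_port = self.flow_map[key]
        return Flow(pub_ip, pub_port, f.dst, f.dport)

    def untranslate(self, reply: Flow) -> Optional[Flow]:
        """Map a reply addressed to the public side back to the private host.
        None means there is no state for it: unsolicited inbound traffic is
        dropped, which is the protective side effect the slides mention."""
        if not self.pat:
            for priv, pub in self.host_map.items():
                if pub == reply.dst:
                    return Flow(reply.src, reply.sport, priv, reply.dport)
            return None
        inside = self.reverse.get((reply.dst, reply.dport))
        if inside is None:
            return None
        return Flow(reply.src, reply.sport, inside[0], inside[1])


POOL = ["202.110.1.1", "202.110.1.2"]   # the slides' two-address pool


def one_to_one_demo():
    """Two hosts each get an address; a third (assumed host) finds the pool exhausted."""
    nat = OutboundNat(POOL, pat=False)
    a = nat.translate(Flow("10.110.5.100", 8888, "www.baidu.com", 80))
    b = nat.translate(Flow("10.110.5.101", 8889, "www.google.com", 80))
    c = nat.translate(Flow("10.110.5.102", 8890, "www.baidu.com", 80))
    return a, b, c


def napt_demo():
    """Three hosts with the same private port share the pool; a reply is
    steered back by its public port, and a stray packet finds no state."""
    nat = OutboundNat(POOL, pat=True, first_port=4180)
    out = [nat.translate(Flow(f"10.110.5.{h}", 8888, "www.baidu.com", 80))
           for h in (100, 101, 102)]
    reply = Flow("www.baidu.com", 80, out[1].src, out[1].sport)
    stray = Flow("1.2.3.4", 5555, POOL[0], 9999)
    return out, nat.untranslate(reply), nat.untranslate(stray)


if __name__ == "__main__":
    print(one_to_one_demo())
    print(napt_demo())
```

The reverse lookup is the point to notice: in no-pat mode any packet to a pool address reaches the host that currently owns it, whereas in NAPT mode only a packet to an allocated (address, port) pair is forwarded, and everything else has no session to match.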

    Basic Principles of NAT: Bi-Directional NAT

    Application scenario of bi-directional NAT: NAT from the zone with low priority to the zone with high priority, that is, inbound NAT. Both the source address and the destination address of the inbound packet are translated.

    Figure: USER 132.11.5.12 on the outside; internal server 10.110.5.101 published as 202.10.0.12; inbound source addresses are translated to 10.110.5.10.

    Direction         Source address   Destination address   Converted source address   Converted destination address
    USER to server    132.11.5.12      202.10.0.12           10.110.5.10                10.110.5.101
    server to USER    10.110.5.101     10.110.5.10           202.10.0.12                132.11.5.12

    Advantages and Disadvantages of Address Translation

    Advantages

    Allows several hosts in a LAN to access the public network through one shared IP address
    Masks internal users, hiding the internal addressing from the outside

    Disadvantages

    Not applicable without an ALG when the packet payload carries address information (for example the FTP PORT and PASV exchanges), because plain NAT rewrites only the IP and transport headers
    Not applicable when the IP packet is encrypted, or integrity-protected over its addresses, since the firewall can then neither read nor rewrite them
    The original source address cannot be determined from the translated packet alone, so NAT session logs are needed for traceability
    Affects the efficiency of packet forwarding

    Contents

    NAT Principle
    NAT Configuration (this section)

    Basic Configuration of NAT (1)

    Figure: the firewall connects the trust zone (office network 10.110.0.0/16, which contains 10.110.10.0/24), the DMZ (192.168.20.0/24) and the untrust zone (Internet).

    Networking requirements: the office network that employees use for work is in the trust security zone; its segment is 10.110.0.0/16.

    Requirement 1: users in the 10.110.10.0/24 segment of the trust security zone can access the Internet, and users in the other segments of this zone cannot. The public IP addresses available for outbound access are 202.169.10.2 to 202.169.10.6. Because public IP addresses are limited, the Network Address Port Translation (NAPT) function is used so that these five addresses are multiplexed.

    Basic Configuration of NAT (2)

    Configure the basic functions of the firewall, then configure the ACL:

    [Eudemon] acl 2001
    [Eudemon-acl-basic-2001] rule 0 permit source 10.110.10.0 0.0.0.255
    [Eudemon-acl-basic-2001] rule 1 deny source 10.110.0.0 0.0.255.255

    ACL 2001 is reused twice: as the outbound packet filter below and, on the next slide, as the selector for which sources are translated. Rules are matched in order, so the /24 permit must come before the /16 deny.

    Configure an address pool:

    [Eudemon] nat address-group 1 202.169.10.2 202.169.10.6

    Configure the inter-zone packet filtering rule:

    [Eudemon-interzone-trust-untrust] packet-filter 2001 outbound

    Basic Configuration of NAT (3)

    Associate the ACL with the address pool. Because address multiplexing (NAPT) is required, the no-pat parameter is not configured:

    [Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 1

    It is recommended not to use the no-pat parameter when configuring the address pool here: no-pat gives each internal host a whole public address, and a pool of five addresses would be exhausted after five hosts.
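An added example, not from the slides and not Huawei firewall code, that checks what the basic ACL above actually selects before it is bound to the address pool. The rule text is copied from the configuration; the matching semantics (rules tried in numeric order, first match wins, wildcard masks in which a 0 bit means "this bit must match") are standard ACL behaviour. Treating an address that matches no rule as denied is an assumption about this deployment's default inter-zone action, and the addresses in SAMPLE_HOSTS are constructed.

```python
"""Evaluate the basic ACL 2001 from the slides against sample sources.
Illustrative code, not from the slides and not the firewall's implementation."""
import ipaddress
import re

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")


def parse_basic_acl(text):
    """Return [(rule_id, action, network, wildcard)] with the addresses as
    integers; prompt-only lines such as '[Eudemon] acl 2001' are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rid, action, net, wc = m.groups()
            rules.append((int(rid), action,
                          int(ipaddress.IPv4Address(net)),
                          int(ipaddress.IPv4Address(wc))))
    return sorted(rules, key=lambda r: r[0])   # the firewall walks rules in order


def matches(addr, net, wildcard):
    """Wildcard (inverse) mask: only the bits that are 0 in the mask are compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(rules, src):
    """First matching rule decides: (action, rule_id); ('deny', None) if no
    rule matches (assumed default for this deployment)."""
    for rid, action, net, wc in rules:
        if matches(src, net, wc):
            return action, rid
    return "deny", None


ACL_2001 = """
[Eudemon] acl 2001
[Eudemon-acl-basic-2001] rule 0 permit source 10.110.10.0 0.0.0.255
[Eudemon-acl-basic-2001] rule 1 deny source 10.110.0.0 0.0.255.255
"""

# The same two rules with their numbers swapped: the /16 deny now shadows the /24 permit.
ACL_2001_SWAPPED = """
[Eudemon-acl-basic-2001] rule 0 deny source 10.110.0.0 0.0.255.255
[Eudemon-acl-basic-2001] rule 1 permit source 10.110.10.0 0.0.0.255
"""

SAMPLE_HOSTS = ["10.110.10.7", "10.110.11.7", "192.168.20.2"]   # constructed addresses


def check(acl_text, hosts=SAMPLE_HOSTS):
    """Verdict for each source address under the given ACL text."""
    rules = parse_basic_acl(acl_text)
    return {h: evaluate(rules, h) for h in hosts}


if __name__ == "__main__":
    for name, text in (("as configured", ACL_2001), ("swapped", ACL_2001_SWAPPED)):
        print(name, check(text))
```

Running the swapped variant is the check worth keeping: a host in 10.110.10.0/24 is denied by rule 0 before its permit is ever reached, which is exactly the mistake that silently leaves the translation and the packet filter matching nothing.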

    Internal Server Configuration of NAT (1)

    Networking requirements: two internal servers are provided to external users. The internal IP address of the WWW server is 192.168.20.2/24 and it listens on port 8080; the internal IP address of the FTP server is 192.168.20.3/24. Both servers are published to the outside on the single address 202.169.10.1, using the default external port numbers (80 for HTTP and 21 for FTP).

    Figure: the DMZ (192.168.20.0/24) holds the two servers; the trust zone is 10.110.0.0/16 with 10.110.10.0/24; the untrust zone is the Internet.

    Internal Server Configuration of NAT (2)

    Basic configuration. Configure the ACL rules (an advanced ACL, numbered 3000 to 3999, because the rules match destination address and port):

    [Eudemon] acl 3000
    [Eudemon-acl-adv-3000] rule 0 permit tcp destination 192.168.20.3 0 destination-port eq ftp
    [Eudemon-acl-adv-3000] rule 1 permit tcp destination 192.168.20.2 0 destination-port eq 8080

    Note that the rules match the servers' internal addresses and ports: the nat server mapping on the next slide translates the destination before the inbound filter is applied.

    Configure the inter-zone packet filtering rule:

    [Eudemon-interzone-dmz-untrust] packet-filter 3000 inbound

    Enable the NAT ALG function for FTP:

    [Eudemon-interzone-dmz-untrust] detect ftp

    Internal Server Configuration of NAT (3)

    Configure the internal WWW server:

    [Eudemon] nat server protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080

    Configure the internal FTP server:

    [Eudemon] nat server protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp

    The no-reverse parameter of nat server disables the reverse (outbound) translation for that mapping; with it, the same external IP address can be configured repeatedly in several nat server entries.
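An added example, not from the slides and not the firewall's implementation, of what the FTP ALG enabled with detect ftp has to do for the published FTP server beyond the header rewriting of the nat server entry: the server's passive-mode reply carries its own address inside the payload, and the ALG must rewrite it and open the matching data-channel translation. The mapping 202.169.10.1 to 192.168.20.3 is the slides'; the PASV reply line and the public data-port range the ALG hands out are constructed for the example.

```python
"""FTP ALG for a published server: rewrite the 227 PASV reply and open a
data-channel pinhole.  Illustrative code, not the firewall's own."""
import re

# The "h1,h2,h3,h4,p1,p2" tuple inside a 227 reply.
HOSTPORT_RE = re.compile(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def decode_hostport(s):
    """'192,168,20,3,4,1' -> ('192.168.20.3', 1025)"""
    parts = s.split(",")
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def embedded_target(line):
    """The address an FTP client would connect to after reading this reply."""
    m = HOSTPORT_RE.search(line)
    return decode_hostport(m.group(1)) if m else None


class FtpAlg:
    """Rewrites the address carried in the FTP control channel and opens the
    matching data-channel translation.  Without it the client receives the
    private 192.168.20.3 and its data connection never reaches the DMZ."""

    def __init__(self, global_ip, inside_ip, first_data_port=10000):
        self.global_ip = global_ip
        self.inside_ip = inside_ip
        self.next_port = first_data_port   # assumed public data-port range
        self.pinholes = {}   # (global ip, global port) -> (inside ip, inside port)

    def server_to_client(self, line):
        """Rewrite a '227 Entering Passive Mode (...)' reply leaving the DMZ.
        Returns (rewritten line, pinhole opened or None)."""
        m = HOSTPORT_RE.search(line)
        if not line.startswith("227") or not m:
            return line, None
        ip, port = decode_hostport(m.group(1))
        if ip != self.inside_ip:
            return line, None   # not our server's address; leave the payload alone
        gport = self.next_port
        self.next_port += 1
        self.pinholes[(self.global_ip, gport)] = (ip, port)
        rewritten = (line[:m.start(1)]
                     + encode_hostport(self.global_ip, gport)
                     + line[m.end(1):])
        return rewritten, (self.global_ip, gport)

    def data_connection(self, dst_ip, dst_port):
        """Where an inbound data connection to (global ip, port) is forwarded,
        or None if no PASV reply opened that port."""
        return self.pinholes.get((dst_ip, dst_port))


def demo():
    alg = FtpAlg("202.169.10.1", "192.168.20.3")
    original = "227 Entering Passive Mode (192,168,20,3,4,1)\r\n"   # constructed reply
    rewritten, hole = alg.server_to_client(original)
    return original, rewritten, hole, alg.data_connection(*hole)


if __name__ == "__main__":
    print(demo())
```

Compare embedded_target on the original and on the rewritten line: the first is the server's private address and port 1025, unreachable from the Internet, the second is the public address and a port for which the ALG now holds a translation back to 192.168.20.3:1025. That per-session pinhole is also why the static nat server entry alone is not enough for FTP.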

    Configuration of Bi-Directional NAT (1)

    Networking requirements: the internal IP address of the FTP server is 10.1.1.2/24 and its public address is 200.1.1.10; the external port number is the default one. No route to the public network is configured on the FTP server, so the server cannot actively connect to the public network; inbound source addresses must therefore be translated into the server's own subnet so that its replies are routable.

    Figure: FTP SERVER 10.1.1.2/24, published as 200.1.1.10; USER on the public side.

    Configuration of Bi-Directional NAT (2)

    Basic configuration. Configure the NAT server:

    [Eudemon] nat server global 200.1.1.10 inside 10.1.1.2

    Configure the NAT address pools (group 1 supplies inbound source addresses on the server's subnet; group 0 is the public address used for outbound traffic):

    [Eudemon] nat address-group 1 10.1.1.5 10.1.1.50
    [Eudemon] nat address-group 0 200.1.1.10 200.1.1.10

    Configure the ACLs used for NAT:

    [Eudemon] acl 3000
    [Eudemon-acl-adv-3000] rule permit ip source 200.1.1.0 0.0.0.255
    [Eudemon] acl 3001
    [Eudemon-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255

    Configuration of Bi-Directional NAT (3)

    Configure the bi-directional NAT:

    [Eudemon-interzone-dmz-untrust] nat inbound 3000 address-group 1
    [Eudemon-interzone-dmz-untrust] nat outbound 3001 address-group 0

    The E1000/500/300 support the bi-directional NAT feature. The USG50, USG3000 and Eudemon200/200S/100E do not provide this feature.

    Enable the NAT ALG function for FTP:

    [Eudemon-interzone-dmz-untrust] detect ftp
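The packet path of the bi-directional NAT configured above, as an added example that is not from the slides and not Huawei firewall code. It also covers the principle slide earlier in the chapter, where the same two translations are applied to the USER-to-server packet. The server, its public address, the inbound pool and the ACL source range are the slides'; the client 200.1.1.99, its port, and the server's routing table (one connected /24 and no default route, as the requirements state) are constructed.

```python
"""Bi-directional NAT: destination NAT from the nat server entry plus source
NAT from the inbound pool, and why the server needs no public route.
Illustrative code, not from the slides and not the firewall's own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class BiDirectionalNat:
    def __init__(self, server_global, server_inside, inbound_acl, inbound_pool):
        self.server_global = server_global                     # nat server global ...
        self.server_inside = server_inside                     # ... inside
        self.inbound_acl = ipaddress.ip_network(inbound_acl)   # ACL 3000 source range
        self.inbound_pool = list(inbound_pool)                 # address-group 1
        self.next = 0
        self.sessions = {}   # (pool ip, client port) -> (client ip, client port)

    def inbound(self, p):
        """Untrust -> DMZ.  The nat server destination translation always
        applies; the source translation from the pool applies only to sources
        matched by the inbound ACL, and that step is what makes it bi-directional."""
        if p.dst != self.server_global:
            return None                                  # no mapping: dropped
        if ipaddress.ip_address(p.src) not in self.inbound_acl:
            return Pkt(p.src, p.sport, self.server_inside, p.dport)
        pool_ip = self.inbound_pool[self.next % len(self.inbound_pool)]
        self.next += 1
        self.sessions[(pool_ip, p.sport)] = (p.src, p.sport)
        return Pkt(pool_ip, p.sport, self.server_inside, p.dport)

    def outbound_reply(self, p):
        """DMZ -> Untrust: undo both translations for the server's reply."""
        client = self.sessions.get((p.dst, p.dport))
        if client is None or p.src != self.server_inside:
            return None
        return Pkt(self.server_global, p.sport, client[0], client[1])


# The FTP server's routing table: only its connected subnet, no default route (constructed).
SERVER_ROUTES = [ipaddress.ip_network("10.1.1.0/24")]


def server_can_reply_to(dst):
    """True if the server has a route for the reply's destination."""
    return any(ipaddress.ip_address(dst) in n for n in SERVER_ROUTES)


def demo():
    nat = BiDirectionalNat("200.1.1.10", "10.1.1.2", "200.1.1.0/24",
                           [f"10.1.1.{i}" for i in range(5, 51)])
    request = Pkt("200.1.1.99", 51000, "200.1.1.10", 21)       # constructed client
    inside = nat.inbound(request)
    reply_inside = Pkt(inside.dst, inside.dport, inside.src, inside.sport)
    reply_outside = nat.outbound_reply(reply_inside)
    # A source outside ACL 3000 gets destination NAT only; the server would then
    # have to reply to a public address for which it holds no route.
    dst_only = nat.inbound(Pkt("8.8.8.8", 40000, "200.1.1.10", 21))
    return inside, reply_inside, reply_outside, dst_only


if __name__ == "__main__":
    print(demo())
```

The contrast between the two inbound cases is the design point: with the source rewritten to 10.1.1.5 the server answers a neighbour on its own /24 and the firewall restores both addresses on the way out, while the destination-only case leaves the server holding a reply it cannot route. A production implementation keys its session table on the full 5-tuple rather than on (pool address, port) as this sketch does.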

    Typical NAT Networking: Single Intranet

    Figure: one firewall connects the intranet, a DMZ zone and the Internet.

    Firewall interfaces:
    Eth0/0/0 192.168.0.1/24, intranet 192.168.0.0/24 (RADIUS server, log server)
    Eth1/0/0 192.168.1.1/24, DMZ zone (external FTP server 192.168.1.102/24, external mail server 192.168.1.100/24, external WEB server 192.168.1.101/24)
    Eth0/0/1 202.168.0.1/26, Internet egress

    The firewall provides the NAT service for the intranet from NAT pool 202.168.0.10-202.168.0.20.

    The firewall provides the NAT server service for the DMZ:
    202.168.0.10 -> 192.168.1.100
    202.168.0.11:80 -> 192.168.1.101:8080
    202.168.0.12:1021 -> 192.168.1.102:ftp

    Review

    NAT technology is mainly used to solve address shortage problems, but it also provides a degree of protection by hiding internal addresses.

    During NAT configuration, the hosts to be translated are selected by an ACL. After the address pool is chosen, translation towards the external public network, or the mapping of an internal server, is implemented by binding the ACL to the address pool (translation association).

    The main problems with NAT are performance and source traceability.

    After learning this chapter, you should understand the following:


    Huawei Symantec Technologies Co., Ltd.