8/11/2019 NAT Technology.pdf
1/24
Huawei Symantec Technologies Co., Ltd.
NAT Technology
Objectives
- Principles of address translation
- Functions, advantages, and disadvantages of address translation
- Configuration and deployment of ACLs on the Huawei Symantec firewall
Contents
- NAT Principle
- NAT Configuration
Concept of NAT
Network Address Translation (NAT) is a method of changing the source address or the destination address of an IP packet as it passes through the firewall.
- Several hosts in one LAN can reach external resources through a few public addresses.
- An internal server can be published for external use as required.
- Hosts in the LAN are hidden from the outside because their private addresses never appear on the public network. Hiding addresses is not an access-control policy by itself: which hosts are translated, and which packets may cross between zones, is decided by the ACLs and inter-zone packet filters configured later in this chapter.
Address terms
- Public address and private address
- Internal address and external address
NAT Principle
- Address translation is controlled through an ACL
- Address pool
- Translation association (binding of an ACL to an address pool)
- Internal server mapping
NAT Principle (continued)
- Support for protocols that need special handling through an Application Layer Gateway (ALG), for example FTP, which carries addresses and ports inside its command channel
- An address pool can be bound on an Ethernet port
- Support for load balancing in multiple directions
Address Assignment in NAT: NAT (one-to-one address translation)
Address pool: 202.110.1.1, 202.110.1.2, ... (256 addresses in total)
Private address | Source after translation | Destination
10.110.5.100 | 202.110.1.1 | www.baidu.com
10.110.5.101 | 202.110.1.2 | www.google.com
Each internal host takes a whole public address from the pool for as long as its sessions last, so the pool can serve at most 256 hosts at a time.
Address Assignment in NAT: PAT (many-to-one address translation)
Address pool: 202.110.1.1, 202.110.1.2, ... (256 addresses in total)
Private address | Source port | Source after translation | Translated port | Destination
10.110.5.100 | 8888 | 202.110.1.2 | 4180 | www.baidu.com
10.110.5.101 | 8889 | 202.110.1.2 | 4180 | www.google.com
Both hosts share one public address; the firewall tells their sessions apart by the translated source port together with the destination, so one address can serve many hosts.
Basic Principles of NAT: Bi-Directional NAT
Application scenario of bi-directional NAT: NAT from the zone with low priority to the zone with high priority, that is, inbound NAT. Both the destination address and the source address of the inbound packet are translated.
Example from the slide (USER 202.10.0.12 accessing the published address 132.11.5.12, behind which the internal server 10.110.5.101 sits):
Source address | Destination address | Converted source address | Converted destination address
202.10.0.12 | 132.11.5.12 | 10.110.5.10 | 10.110.5.101
The server therefore sees a connection from 10.110.5.10, an address on its own segment, and can reply without a route to the public network; the firewall restores the original addresses on the way back.
Advantages and Disadvantages of Address Translation
Advantages
- Several hosts in a LAN can access the public network through one shared IP address
- Internal hosts are masked, which improves the security of the internal network
Disadvantages
- Not applicable when address information that matters to the application is carried in the packet payload (such protocols need an ALG)
- Not applicable when the IP payload is encrypted, because the translator cannot rewrite addresses it cannot read
- The original source address cannot be determined from the translated packet alone, so tracing a connection back to a host requires the NAT session records
- Packet forwarding efficiency is reduced by the translation work
NAT Configuration
Basic Configuration of NAT (1)
Topology (from the slide): trust zone 10.110.0.0/16 with the office segment 10.110.10.0/24 inside it, DMZ 192.168.20.0/24, untrust zone connected to the Internet.
Networking Requirements: The office network that employees use is in the trust security zone, and its segment is 10.110.0.0/16.
Requirement 1: users in the 10.110.10.0/24 segment of the trust zone can access the Internet, and users in other segments of this zone cannot. The range of legal public IP addresses available for access to the external network is 202.169.10.2 to 202.169.10.6. Because public IP addresses are limited, the Network Address Port Translation (NAPT) function is used to multiplex addresses.
Basic Configuration of NAT (2)
Configure the basic functions of the firewall, then configure the ACL that selects which hosts are translated.
[Eudemon] acl 2001
[Eudemon-acl-basic-2001] rule 0 permit source 10.110.10.0 0.0.0.255
[Eudemon-acl-basic-2001] rule 1 deny source 10.110.0.0 0.0.255.255
(0.0.0.255 is a wildcard mask: the 1 bits are ignored, so rule 0 matches exactly 10.110.10.0/24 and takes precedence over the broader deny in rule 1, which covers the rest of 10.110.0.0/16.)
Configure an address pool.
[Eudemon] nat address-group 1 202.169.10.2 202.169.10.6
Configure inter-zone packet filtering rules.
[Eudemon-interzone-trust-untrust] packet-filter 2001 outbound
Basic Configuration of NAT (3)
Associate the ACL with the address pool. Because address multiplexing is needed, the parameter no-pat is not configured.
[Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 1
It is recommended not to use the parameter no-pat when binding the address pool: with no-pat each internal host consumes a whole public address for the lifetime of its sessions (one-to-one NAT), which a pool of five addresses would exhaust almost immediately; without it, ports are translated as well and one address serves many hosts.
Internal Server Configuration of NAT (1)
Networking Requirements: Two internal servers are provided to external users. The internal IP address of the WWW server is 192.168.20.2/24, listening on port 8080; the internal IP address of the FTP server is 192.168.20.3/24. Both are published to the outside on the single address 202.169.10.1, using the default external port of each service (80 for WWW, 21 for FTP).
Topology (from the slide): trust zone 10.110.0.0/16 (10.110.10.0/24), DMZ 192.168.20.0/24 holding the two servers, untrust zone connected to the Internet.
Internal Server Configuration of NAT (2)
Basic Configurations
Configure ACL rules (an advanced ACL matching the servers' internal addresses and ports; a wildcard of 0 means an exact host match).
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule 0 permit tcp destination 192.168.20.3 0 destination-port eq ftp
[Eudemon-acl-adv-3000] rule 1 permit tcp destination 192.168.20.2 0 destination-port eq 8080
Configure inter-zone packet filtering rules. Note that the ACL names the servers' internal addresses and ports: the inter-zone filter sees the packet after the nat server mapping has translated its destination.
[Eudemon-interzone-dmz-untrust] packet-filter 3000 inbound
Enable the NAT ALG function of FTP.
[Eudemon-interzone-dmz-untrust] detect ftp
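FTP is the standard case of the disadvantage listed earlier: the server's 227 (passive mode) reply and the client's PORT (active mode) command carry an IP address and a port in the payload, which plain address translation never touches. The following added example, written for this page and not taken from the firewall, shows the rewrite the ALG performs on those two messages and the pinhole (public address and port) it must open for the data connection. The server address 192.168.20.3 published as 202.169.10.1 is this section's scenario; the internal client 10.110.10.5 behind the pool address 202.169.10.2, the NAPT port 10240 and the peer 203.0.113.7 are assumed.

```python
"""What the FTP ALG ('detect ftp') has to do in addition to address translation:
FTP announces data-connection endpoints inside the command channel, so the ALG
rewrites the embedded address/port and opens a matching pinhole.  Added example,
not the firewall's code.  Server 192.168.20.3 published as 202.169.10.1 is the
deck's scenario; client 10.110.10.5 behind 202.169.10.2 with NAPT port 10240 is assumed."""
import re

# 227 reply (passive mode, server -> client) and PORT command (active mode, client -> server)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def decode(h1, h2, h3, h4, p1, p2):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2); None if any field exceeds 255."""
    fields = [int(x) for x in (h1, h2, h3, h4, p1, p2)]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def encode(ip, port):
    """Inverse of decode: '202.169.10.1', 1025 -> '202,169,10,1,4,1'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def alg_rewrite(line, inside_ip, global_ip, port_map):
    """Translate the endpoint embedded in one FTP control-channel line.
    port_map(inside_port) gives the port to advertise (identity for a 1:1
    'nat server' mapping, the NAPT-allocated port for a client in a pool).
    Returns (rewritten line, pinhole (global ip, port) to open) or (line, None)."""
    m = PASV_RE.search(line) or PORT_RE.match(line)
    if not m:
        return line, None
    endpoint = decode(*m.groups())
    if endpoint is None or endpoint[0] != inside_ip:
        return line, None          # malformed, or not the address being translated
    pub_port = port_map(endpoint[1])
    return line[:m.start(1)] + encode(global_ip, pub_port) + line[m.end(6):], (global_ip, pub_port)


def demo():
    # Passive mode: the server's reply names its private address; the 1:1 mapping keeps the port.
    pasv, pin_pasv = alg_rewrite("227 Entering Passive Mode (192,168,20,3,4,1).",
                                 "192.168.20.3", "202.169.10.1", lambda p: p)
    # Active mode: an internal client behind NAPT announces its private address and port;
    # the ALG substitutes the pool address and the port the NAPT session was given (assumed 10240).
    port, pin_port = alg_rewrite("PORT 10,110,10,5,39,16", "10.110.10.5", "202.169.10.2",
                                 lambda p: 10240)
    # An endpoint that is not the translated host passes through unchanged.
    other, _ = alg_rewrite("227 Entering Passive Mode (203,0,113,7,4,1).",
                           "192.168.20.3", "202.169.10.1", lambda p: p)
    return pasv, pin_pasv, port, pin_port, other
```

Without the rewrite the client would try to connect to 192.168.20.3:1025, a private address it cannot reach; with it, the firewall advertises 202.169.10.1:1025 and must admit exactly that data connection, which is why the ALG and the packet filter have to be configured together.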
Internal Server Configuration of NAT (3)
Configure the internal WWW server (external port 80 is mapped to internal port 8080).
[Eudemon] nat server protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
Configure the internal FTP server.
[Eudemon] nat server protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp
The no-reverse parameter of nat server makes the mapping one-way (applied to inbound traffic only, not used to translate packets the server itself originates); this is what allows the same external IP address to be configured repeatedly for several internal servers.
Configuration of Bi-Directional NAT (1)
Networking Requirements
The internal IP address of the FTP server is 10.1.1.2/24; its public address is 200.1.1.10 and the external port is the default one. No route to the public network is configured on the FTP server, and the server does not initiate connections to the public network. Because the server cannot route replies to public addresses, the source address of inbound public traffic must also be translated into the server's own segment: this is the bi-directional NAT case.
Topology (from the slide): USER on the public network, the firewall, and the FTP SERVER 10.1.1.2/24 published as 200.1.1.10.
Configuration of Bi-Directional NAT (2)
Basic Configurations
Configure the NAT server.
[Eudemon] nat server global 200.1.1.10 inside 10.1.1.2
Configure the NAT address pools (group 1 supplies internal source addresses for inbound traffic; group 0 supplies the public address for outbound traffic).
[Eudemon] nat address-group 1 10.1.1.5 10.1.1.50
[Eudemon] nat address-group 0 200.1.1.10 200.1.1.10
Configure the ACLs that are used for NAT.
[Eudemon-acl-adv-3000] rule permit ip source 200.1.1.0 0.0.0.255
[Eudemon-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255
Configuration of Bi-Directional NAT (3)
Configure the bi-directional NAT: inbound traffic matching ACL 3000 (public sources in 200.1.1.0/24) has its source rewritten from address-group 1, and outbound traffic matching ACL 3001 (the server segment) has its source rewritten to 200.1.1.10 from address-group 0.
[Eudemon-interzone-dmz-untrust] nat inbound 3000 address-group 1
[Eudemon-interzone-dmz-untrust] nat outbound 3001 address-group 0
On the E1000/500/300, the bi-directional NAT feature is supported. The USG50, USG3000 and Eudemon200/200S/100E do not provide this feature.
Enable the NAT ALG function of FTP (detect ftp in the inter-zone view, as in the internal server configuration); without it the addresses inside the FTP PORT and 227 messages are not translated.
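The three NAT actions this chapter configures (nat outbound with an ACL and an address pool in the basic configuration, nat server for the internal servers, and nat server plus nat inbound for bi-directional NAT) are easiest to reason about as one session table. The following is an added example written for this page, not the Eudemon firewall's own implementation; it replays the chapter's three scenarios with the chapter's addresses. The internal hosts 10.110.10.5 and 10.110.20.5, the public peers 198.51.100.9, 203.0.113.7 and 200.1.1.20, and all port numbers are assumed. Security zones and the inter-zone packet-filter rules are not modelled, and the bi-directional scenario's nat outbound 3001 binding is not needed here because replies are matched through the session table.

```python
"""Toy model of the NAT actions this deck configures: 'nat outbound' (NAPT from an
address pool, gated by a basic ACL), 'nat server' (static publication of an internal
server) and bi-directional NAT ('nat server' plus 'nat inbound', so the server only
sees a source on its own segment).  Added example, not the Eudemon firewall's code.
Hosts 10.110.10.5/10.110.20.5, peers 198.51.100.9, 203.0.113.7, 200.1.1.20 are assumed."""
from collections import namedtuple
from ipaddress import IPv4Address
from itertools import product

Packet = namedtuple("Packet", "src sport dst dport")


def wildcard_match(ip, network, wildcard):
    """Huawei ACL semantics: 1 bits in the wildcard are 'do not care', so
    'source 10.110.10.0 0.0.0.255' matches exactly 10.110.10.0/24."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(ip)) & care == int(IPv4Address(network)) & care


def acl_permits(rules, ip):
    """rules: [(action, network, wildcard)]; first match decides, no match = not translated."""
    for action, net, wc in rules:
        if wildcard_match(ip, net, wc):
            return action == "permit"
    return False


class AddressGroup:
    """'nat address-group first last' without no-pat: hands out (address, port) pairs."""
    def __init__(self, first, last):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.addrs = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.in_use = set()

    def allocate(self):
        for ip, port in product(self.addrs, range(10240, 65536)):
            if (ip, port) not in self.in_use:
                self.in_use.add((ip, port))
                return ip, port
        raise RuntimeError("address pool exhausted")


class NatFirewall:
    def __init__(self):
        self.outbound = []   # (acl rules, AddressGroup): nat outbound <acl> address-group <n>
        self.inbound = []    # (acl rules, AddressGroup): nat inbound <acl> address-group <n>
        self.servers = {}    # (global ip, global port or None) -> (inside ip, inside port or None)
        self.replies = {}    # expected reply 4-tuple -> packet as it was before translation

    def _remember(self, before, after):
        self.replies[(after.dst, after.dport, after.src, after.sport)] = before

    def _reply(self, pkt):
        b = self.replies.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return None if b is None else Packet(b.dst, b.dport, b.src, b.sport)

    def forward_outbound(self, pkt):
        """Internal host -> Internet. Returns the translated packet, or None if dropped."""
        if (reply := self._reply(pkt)) is not None:
            return reply                # a published server answering an inbound session
        for rules, group in self.outbound:
            if acl_permits(rules, pkt.src):
                ip, port = group.allocate()
                out = pkt._replace(src=ip, sport=port)
                self._remember(pkt, out)
                return out
        return None                     # denied, or matched by no NAT ACL

    def forward_inbound(self, pkt):
        """Internet -> internal: only session replies and published servers get through."""
        if (reply := self._reply(pkt)) is not None:
            return reply
        inside = self.servers.get((pkt.dst, pkt.dport)) or self.servers.get((pkt.dst, None))
        if inside is None:
            return None                 # unsolicited packet to an unpublished port: dropped
        out = pkt._replace(dst=inside[0], dport=inside[1] or pkt.dport)
        for rules, group in self.inbound:   # bi-directional NAT: hide the public source too
            if acl_permits(rules, pkt.src):
                ip, port = group.allocate()
                out = out._replace(src=ip, sport=port)
                break
        self._remember(pkt, out)
        return out


def demo():
    """Replays the deck's three scenarios; returns the packets after translation."""
    fw = NatFirewall()
    # acl 2001 + address-group 1: only 10.110.10.0/24 goes out, via 202.169.10.2-202.169.10.6.
    fw.outbound.append(([("permit", "10.110.10.0", "0.0.0.255"), ("deny", "10.110.0.0", "0.0.255.255")],
                        AddressGroup("202.169.10.2", "202.169.10.6")))
    # nat server: WWW 192.168.20.2:8080 as 202.169.10.1:80, FTP 192.168.20.3 as 202.169.10.1:21,
    # and the bi-directional case 10.1.1.2 as 200.1.1.10 with inbound sources from 10.1.1.5-50.
    fw.servers[("202.169.10.1", 80)] = ("192.168.20.2", 8080)
    fw.servers[("202.169.10.1", 21)] = ("192.168.20.3", 21)
    fw.servers[("200.1.1.10", None)] = ("10.1.1.2", None)
    fw.inbound.append(([("permit", "200.1.1.0", "0.0.0.255")], AddressGroup("10.1.1.5", "10.1.1.50")))
    r = {"napt": fw.forward_outbound(Packet("10.110.10.5", 8888, "198.51.100.9", 80))}
    r["napt_reply"] = fw.forward_inbound(Packet("198.51.100.9", 80, r["napt"].src, r["napt"].sport))
    r["denied"] = fw.forward_outbound(Packet("10.110.20.5", 8888, "198.51.100.9", 80))
    r["www"] = fw.forward_inbound(Packet("203.0.113.7", 40000, "202.169.10.1", 80))
    r["unsolicited"] = fw.forward_inbound(Packet("203.0.113.7", 40001, "202.169.10.1", 22))
    r["bidir"] = fw.forward_inbound(Packet("200.1.1.20", 50000, "200.1.1.10", 21))
    r["bidir_reply"] = fw.forward_outbound(Packet("10.1.1.2", 21, r["bidir"].src, r["bidir"].sport))
    return r
```

demo() shows the NAPT session and its reply being mapped back to 10.110.10.5:8888, the 10.110.20.0/24 host being refused by the deny rule, the WWW request reaching 192.168.20.2:8080, an unsolicited packet to an unpublished port being dropped, and the bi-directional case in which the FTP server sees 10.1.1.5 instead of 200.1.1.20 and its reply leaves as 200.1.1.10:21.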
Typical NAT Networking: Single Intranet
Diagram summary (from the slide; the image itself is not reproduced):
- Firewall at the egress, providing the NAT service with NAT pool 202.168.0.10-202.168.0.20
- Eth0/0/0 192.168.0.1/24: intranet 192.168.0.0/24, including the RADIUS server and the log server
- Eth0/0/1 202.168.0.1/26: Internet
- Eth1/0/0 192.168.1.1/24: DMZ zone with the external mail server 192.168.1.100/24, the external WEB server 192.168.1.101/24 and the external FTP server 192.168.1.102/24
- NAT server mappings: 202.168.0.10 -> 192.168.1.100; 202.168.0.11:80 -> 192.168.1.101:8080; 202.168.0.12:1021 -> 192.168.1.102:ftp
Review
NAT technology is mainly used to solve address shortage problems, but it also contributes to security protection by hiding internal addresses.
During NAT configuration, the hosts to be translated are selected by an ACL. After an address pool is chosen, the ACL is associated with the pool (the translation association) to perform address translation toward the external public network, or an internal server mapping is configured with nat server.
The main drawbacks of NAT are performance and source traceability.
After learning this chapter, you should understand the following: