Labnario Com(7)
5
NAT server on Huawei USG5500 Posted in Security The last article dealt with outbound NAT. Let's focus today on NAT server NAT server . NAT server enables private network servers to provide services for external networks with public IP addresses. In this lab, our enterprise provides FTP services for external users. We can use the topology from the last post: In our case AR router works as FTP server: # FTP server enable aaa local-user labnario password cipher qGj8!H#yx.ajUn1vMEIB1lG# local-user labnario privilege level 3 local-user labnario ftp-directory flash: local-user labnario service-type ftp # interface GigabitEthernet0/0/1 ip address 172.16.1.254 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 172.16.1.1 Configuration of Internet router: # interface GigabitEthernet0/0/2 ip address 1.1.1.2 255.255.255.0 # ip route-static 1.1.1.100 255.255.255.255 1.1.1.1 Firewall USG5500 conguration Firewall USG5500 conguration Set IP addresses of interfaces and add them to proper security zones: 22 Apr 2015 converted by Web2PDFConvert.com
-
Upload
hussein-dhafan -
Category
Documents
-
view
34 -
download
0
description
eNSP lab
Transcript of Labnario Com(7)
NAT server on Huawei USG5500Posted in Security
The last article dealt with outbound NAT. Let's focus today on NAT serve rNAT serve r . NAT server enables private network servers to provide services for externalnetworks with public IP addresses. In this lab, our enterprise provides FTP services for external users.
We can use the topology from the last post:
In our case AR router works as FTP server:
#FTP server enableaaa local-user labnario password cipher qGj8!H#yx.ajUn1vMEIB1lG# local-user labnario privilege level 3 local-user labnario ftp-directory flash: local-user labnario service-type ftp#interface GigabitEthernet0/0/1 ip address 172.16.1.254 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
Configuration of Internet router:
#interface GigabitEthernet0/0/2 ip address 1.1.1.2 255.255.255.0#ip route-static 1.1.1.100 255.255.255.255 1.1.1.1
Firewall USG5500 con gurationFirewall USG5500 con guration
Set IP addresses of interfaces and add them to proper security zones:
22 Apr
2015
converted by Web2PDFConvert.com
[SRG]dis current-configuration interface GigabitEthernet #interface GigabitEthernet0/0/1 ip address 172.16.1.1 255.255.255.0#interface GigabitEthernet0/0/2 ip address 1.1.1.1 255.255.255.0
[SRG]display current-configuration configuration zone #firewall zone untrust set priority 5 add interface GigabitEthernet0/0/2#firewall zone dmz set priority 50 add interface GigabitEthernet0/0/1
Configure interzone packet filtering to ensure that users in Untrust zone can access the FTP server in DMZ zone:
[SRG]display current-configuration configuration policy-interzone #policy interzone dmz untrust inbound policy 1 action permit policy service service-set ftp policy destination 172.16.1.254 0
Configure internal server. Create a mapping relation between public and private IP addresses of FTP serve rFTP serve r :
[SRG]nat server 0 protocol tcp global 1.1.1.100 ftp inside 172.16.1.254 ftp
Configure the NAT ALG function for the DMZ-Untrust interzone to ensure that the server provides FTP services for extranet users normally:
[SRG]display current-configuration configuration interzone #firewall interzone dmz untrust detect ftp
What is NAT ALG for? NAT translates only IP addresses in IP packet headers and port information in TCP/UDP packet headers. In our case, the firewallmust identify the IP address and port number in the payload eld of the FTP application, to continue NAT processing. Without NAT ALG, the NAT processfails.
Veri cation of NAT serve rVeri cation of NAT serve r
converted by Web2PDFConvert.com
[SRG]display firewall session table verbose Current Total Sessions : 1 ftp VPN:public --> public Zone: untrust--> dmz TTL: 00:10:00 Left: 00:09:52 Interface: GigabitEthernet0/0/1 NextHop: 172.16.1.254 MAC: 54-89-98-91-56-e2 <--packets:6 bytes:363 -->packets:8 bytes:364 1.1.1.2:61428+->1.1.1.100:21[172.16.1.254:21]
[SRG]display nat server Server in private network information: id : 0 zone : --- interface : --- global-start-addr : 1.1.1.100 global-end-addr : --- inside-start-addr : 172.16.1.254 inside-end-addr : --- global-start-port : 21(ftp) global-end-port : --- insideport : 21(ftp) globalvpn : public insidevpn : public protocol : tcp vrrp : --- no-reverse : no
Total 1 NAT servers
[SRG]display firewall server-map 11:30:50 2015/04/22 server-map item(s) ------------------------------------------------------------------------------ Nat Server, any -> 1.1.1.100:21[172.16.1.254:21], Zone: --- Protocol: tcp(Appro: ftp), Left-Time: --:--:--, Addr-Pool: --- VPN: public -> public
Nat Server Reverse, 172.16.1.254[1.1.1.100] -> any, Zone: --- Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --- VPN: public -> public
<Internet>ftp 1.1.1.100Trying 1.1.1.100 ...Press CTRL+K to abortConnected to 1.1.1.100.220 FTP service ready.User(1.1.1.100:(none)):labnario331 Password required for labnario.Enter password:230 User logged in.
[ftp]
Tags: Huawei CLI, Huawei firewall, Huawei USG5500, NAT server
converted by Web2PDFConvert.com
Powered by Komento
Submit CommentSubmit Comment
COMMENTS
No comme nts foundNo comme nts found
LEAVE YOUR COMMENTS
Post comment as a guest
Your comments are subjected to administrator's moderation.
Sort by Oldest First Sort by Latest First
Login to post a comment
Login Remember meRegister Forgot password
Name (Required): Email: Website:
0
Agree to terms and condition.
CategoriesBasic Con gurationCheat SheetsCommand LineEthernetFAQGeneralHow To …IP RoutingIP ServicesMulticastQoSReliability
Username Password
converted by Web2PDFConvert.com
SecuritySystem ManagementVPNWAN
Latest Posts
how to manage files through SCP on Huawei
Huawei eNSP - news
memory usage alarm threshold
from Huawei CLI - rollback configuration
NAT server on Huawei USG5500
Powered by Warp Theme Framework
Built with HTML5 and CSS3- Copyright © 2014 Labnario
converted by Web2PDFConvert.com
