[Firewall] Firewall NAT Server configuration

Web example: public network users access internal servers through NAT Server

This section provides an example of configuring public network users to access internal servers through a NAT server.

Networking requirements

A company deploys a FW as a security gateway at the network border. To enable the private network Web server and FTP server to provide external services, the NAT server function needs to be configured on the FW. In addition to the IP address of the public network interface, the company also applied for an IP address (1.1.1.10) from the ISP as the address for the internal network server to provide external services. The network environment is shown in Figure 1, where the Router is the access gateway provided by the ISP.

Figure 1  NAT Server network diagram

Data planning

Item: GigabitEthernet 1/0/1
  Data: IP address 1.1.1.1/24; security zone: Untrust
  Description: The actual values must follow the requirements of the ISP.

Item: GigabitEthernet 1/0/2
  Data: IP address 10.2.0.1/24; security zone: DMZ
  Description: The intranet servers must use 10.2.0.1 as their default gateway.

Item: NAT Server
  Data: Name: policy_web; public network address 1.1.1.10; private network address 10.2.0.7; public network port 8080; private network port 80
  Description: Through this mapping, external users access 1.1.1.10, and traffic to port 8080 is sent to the Web server on the intranet, whose private address is 10.2.0.7 and private port is 80.

  Data: Name: policy_ftp; public network address 1.1.1.10; private network address 10.2.0.8; public network port 21; private network port 21
  Description: Through this mapping, external users access 1.1.1.10, and traffic to port 21 is sent to the FTP server on the intranet, whose private address is 10.2.0.8 and private port is 21.

Item: Routing
  Data: Default route; destination address 0.0.0.0; next hop 1.1.1.254
  Description: A default route to the Internet is configured on the FW so that the service traffic provided by the intranet servers can be forwarded to the ISP router.

Configuration roadmap

  1. Configure the interface IP address and security zone to complete the configuration of basic network parameters.
  2. Configure security policies to allow external network users to access internal servers.
  3. Configure the NAT server to map the intranet Web server and FTP server respectively.
  4. Configure a default route on the FW so that the service traffic provided by the intranet server can be normally forwarded to the router of the ISP.
  5. Configure a static route to the public address of the NAT server on the Router.

Steps

  1. Configure the IP addresses of the FW interfaces and add the interfaces to security zones.
    1. Configure an IP address for interface GigabitEthernet 1/0/1 and add the interface to a security zone.

      1. Choose Network > Interfaces.

      2. In Interface List, click the edit icon in the row of interface GigabitEthernet 1/0/1 and configure the following parameters.

        Security zone: untrust

        IPv4 IP address: 1.1.1.1/24

      3. Click OK.

    2. Configure an IP address for interface GigabitEthernet 1/0/2 and add the interface to a security zone.

      1. In Interface List, click the edit icon in the row of interface GigabitEthernet 1/0/2 and configure the following parameters.

        Security zone: dmz

        IPv4 IP address: 10.2.0.1/24

      2. Click OK.

  2. Configure a security policy to allow external network users to access the internal servers.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click New, select New Security Policy, and configure the security policy with the following parameters.

      Name: policy1

      Source zone: untrust

      Destination zone: dmz

      Destination address/region: 10.2.0.0/24

      Action: permit

    3. Click OK.

  3. Configure the server mapping (NAT Server) function and create two server mappings, one for the intranet Web server and one for the intranet FTP server.
    1. Choose Policy > NAT Policy > Server Mapping.

    2. Click Add and configure the server mapping with the policy_web parameters from the data planning section (public address 1.1.1.10, public port 8080, private address 10.2.0.7, private port 80) to map the intranet Web server.

    3. Click OK.
    4. Repeat the steps above to create a second server mapping with the policy_ftp parameters (public address 1.1.1.10, public port 21, private address 10.2.0.8, private port 21) to map the intranet FTP server.

      When the global address of the NAT Server is not on the same network segment as the public network interface address, a black-hole route must be configured. When the global address is on the same network segment as the public network interface address, configuring a black-hole route is recommended. When the global address is the same as the public network interface address, no routing loop can occur and no black-hole route is needed.

  4. Enable the NAT ALG function for the FTP protocol.
    1. Choose Policy > ASPF Configuration.

    2. On the ASPF Configuration page, select FTP.
  5. Configure a default route on the FW so that the service traffic provided by the intranet servers can be forwarded to the ISP router.
    1. Choose Network > Route > Static Route.
    2. In Static Route List, click New and configure the default route with the following parameters.

      Protocol type: IPv4

      Destination address/mask: 0.0.0.0/0.0.0.0

      Next hop: 1.1.1.254

    3. Click OK.
  6. On the Router, configure a static route to the public address of the server mapping (1.1.1.10) with next hop 1.1.1.1, so that traffic destined for the servers is sent to the FW.

    Usually you need to contact the network administrator of the ISP to configure this static route.

Configuration script

FW configuration script:

#
 sysname FW
#
 nat server policy_web 0 protocol tcp global 1.1.1.10 8080 inside 10.2.0.7 www unr-route
 nat server policy_ftp 1 protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp unr-route
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
# 
firewall interzone dmz untrust 
 detect ftp 
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 
#  
security-policy   
  rule name policy1  
    source-zone untrust 
    destination-zone dmz 
    destination-address 10.2.0.0 24 
    action permit 
# 
return
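As an added example (not code from the original post or from the firewall vendor), the following Python script parses the nat server and security-policy lines of the FW script above, applies the page's black-hole route rule to each global address, and checks that the permit rule actually covers each mapping's inside host. The configuration excerpt and the service-keyword table are constructed from this page; the function names and the "one rule per rule-name block" parsing assumption are my own.

```python
import ipaddress
import re

# Constructed sample: the nat server and security-policy lines from this page's FW script.
FW_CONFIG = """
 nat server policy_web 0 protocol tcp global 1.1.1.10 8080 inside 10.2.0.7 www unr-route
 nat server policy_ftp 1 protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp unr-route
security-policy
  rule name policy1
    source-zone untrust
    destination-zone dmz
    destination-address 10.2.0.0 24
    action permit
"""
SERVICE_PORTS = {"www": 80, "ftp": 21}  # CLI service keywords that appear on this page
NAT_RE = re.compile(r"nat server (\S+) \d+ protocol \w+ global (\S+) (\S+) inside (\S+) (\S+)(.*)")

def port(tok):
    return SERVICE_PORTS.get(tok) or int(tok)  # numeric port or service keyword

def parse_nat_servers(config):
    """One dict per 'nat server' line; the unr-route flag marks the black-hole route."""
    return [{"name": n, "global": (gip, port(gp)), "inside": (iip, port(ip)),
             "unr_route": "unr-route" in rest}
            for n, gip, gp, iip, ip, rest in NAT_RE.findall(config)]

def blackhole_advice(global_ip, public_iface):
    """The page's rule: off-segment -> required; same segment -> recommended; same address -> not needed."""
    iface, addr = ipaddress.ip_interface(public_iface), ipaddress.ip_address(global_ip)
    if addr == iface.ip:
        return "not needed"
    return "recommended" if addr in iface.network else "required"

def permitted_destinations(config):
    """Destination prefixes of every 'action permit' rule (assumes one rule per 'rule name' block)."""
    nets = []
    for rule in re.split(r"\n\s*rule name ", config)[1:]:
        if "action permit" in rule:
            nets += [ipaddress.ip_network(f"{ip}/{plen}")
                     for ip, plen in re.findall(r"destination-address (\S+) (\d+)", rule)]
    return nets

def audit(config, public_iface):
    """Per mapping: black-hole advice vs. the unr-route flag, and whether the permit rule reaches the inside host."""
    nets = permitted_destinations(config)
    return {m["name"]: {"blackhole": blackhole_advice(m["global"][0], public_iface),
                        "unr_route_set": m["unr_route"],
                        "policy_covers_inside": any(ipaddress.ip_address(m["inside"][0]) in n for n in nets)}
            for m in parse_nat_servers(config)}
```

Run `audit(FW_CONFIG, "1.1.1.1/24")` for this page's topology: both mappings report "recommended" (1.1.1.10 shares the segment with GigabitEthernet 1/0/1), the unr-route flag is set, and policy1 covers 10.2.0.7 and 10.2.0.8.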

Origin blog.csdn.net/2301_76769041/article/details/132598508