2015
The last article dealt with outbound NAT. Today, let's focus on NAT server. NAT server enables private network servers to provide services for external
networks using public IP addresses. In this lab, our enterprise provides FTP services for external users.
We can use the topology from the last post:
Configure interzone packet filtering to ensure that users in Untrust zone can access the FTP server in DMZ zone:
[SRG]display current-configuration configuration policy-interzone
#
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy destination 172.16.1.254 0
Configure the internal server. Create a mapping between the public and private IP addresses of the FTP server:
[SRG]nat server 0 protocol tcp global 1.1.1.100 ftp inside 172.16.1.254 ftp
Configure the NAT ALG function for the DMZ-Untrust interzone to ensure that the server provides FTP services for extranet users normally:
[SRG]display current-configuration configuration interzone
#
firewall interzone dmz untrust
 detect ftp
What is NAT ALG for? NAT translates only IP addresses in IP packet headers and port information in TCP/UDP packet headers. In our case, the firewall
must also identify the IP address and port number carried in the payload field of the FTP application to continue NAT processing. Without NAT ALG, the NAT process
fails.
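The payload rewrite described above, as an added Python example that is not part of the original post and not Huawei's implementation. It takes an FTP control-channel reply, finds the address and port inside a `227` passive-mode reply, and translates the private address using the lab's mapping (172.16.1.254 to 1.1.1.100). The function names and the sample reply are constructed for illustration.

```python
import re

# NAT server mapping from the lab: inside (private) address -> global (public) address.
NAT_SERVER = {"172.16.1.254": "1.1.1.100"}

# A 227 reply carries h1,h2,h3,h4,p1,p2 in the payload; data port = p1*256 + p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not a valid one."""
    if not line.startswith("227 "):
        return None
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def alg_rewrite(line, mapping=NAT_SERVER):
    """Translate the address embedded in a 227 reply, as an FTP ALG would.

    Returns (new_line, pinhole). pinhole is (global_ip, inside_ip, port): the
    data connection the firewall has to expect and forward. Lines that are not
    227 replies, or that name an unmapped address, pass through unchanged.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return line, None
    inside_ip, port = parsed
    global_ip = mapping.get(inside_ip)
    if global_ip is None:
        return line, None
    new_tuple = "(%s,%d,%d)" % (global_ip.replace(".", ","), port >> 8, port & 0xFF)
    return PASV_RE.sub(new_tuple, line, count=1), (global_ip, inside_ip, port)


if __name__ == "__main__":
    # Constructed sample reply from the DMZ server (port 195*256 + 80 = 50000).
    reply = "227 Entering Passive Mode (172,16,1,254,195,80)\r\n"
    print(alg_rewrite(reply))
```

Without this rewrite, the external client would be told to open its data connection to 172.16.1.254, which it cannot reach. The rewritten line can differ in length from the original, so a real ALG also has to adjust TCP sequence numbers on the control connection.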
Verification of NAT server
MAC: 54-89-98-91-56-e2
global-end-addr
inside-end-addr
global-end-port
insidevpn
vrrp
: public
: ---
1 NAT servers
<Internet>ftp 1.1.1.100
Trying 1.1.1.100 ...
Press CTRL+K to abort
Connected to 1.1.1.100.
220 FTP service ready.
User(1.1.1.100:(none)):labnario
331 Password required for labnario.
Enter password:
230 User logged in.
[ftp]