
22 Apr 2015

NAT server on Huawei USG5500


Posted in Security

The last article dealt with outbound NAT. Today let's focus on NAT server. NAT server lets servers on a private network offer their services to external networks under public IP addresses. In this lab, our enterprise provides an FTP service to external users.
We can use the topology from the last post:

In our case the AR router works as the FTP server:


#
FTP server enable
aaa
local-user labnario password cipher qGj8!H#yx.ajUn1vMEIB1lG#
local-user labnario privilege level 3
local-user labnario ftp-directory flash:
local-user labnario service-type ftp
#
interface GigabitEthernet0/0/1
ip address 172.16.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.1

Configuration of the Internet router (the public address 1.1.1.100 is reached through the firewall's untrust interface 1.1.1.1):


#
interface GigabitEthernet0/0/2
ip address 1.1.1.2 255.255.255.0
#
ip route-static 1.1.1.100 255.255.255.255 1.1.1.1

Firewall USG5500 configuration


Set IP addresses of interfaces and add them to proper security zones:


[SRG]dis current-configuration interface GigabitEthernet


#
interface GigabitEthernet0/0/1
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0

[SRG]display current-configuration configuration zone
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/1

Configure interzone packet filtering so that users in the Untrust zone can reach the FTP server in the DMZ zone. Note that the policy destination is the server's private address 172.16.1.254, not the public 1.1.1.100: on the USG the NAT server translation is applied before the interzone policy is matched, so the policy sees the post-translation destination. Permitting only service-set ftp to that single host keeps the exposure limited to the service actually offered:
[SRG]display current-configuration configuration policy-interzone
#
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy destination 172.16.1.254 0

Configure the internal server, i.e. create the mapping between the public and private IP addresses (and ports) of the FTP server:
[SRG]nat server 0 protocol tcp global 1.1.1.100 ftp inside 172.16.1.254 ftp

Configure the NAT ALG function for the DMZ-Untrust interzone so that the server can provide FTP to extranet users:
[SRG]display current-configuration configuration interzone
#
firewall interzone dmz untrust
detect ftp

What is NAT ALG for? NAT by itself translates only the IP addresses in IP headers and the port numbers in TCP/UDP headers. FTP, however, carries IP addresses and ports inside the application payload: a PORT command, or the 227 reply to PASV, announces where the data connection should go. In our case the server would announce 172.16.1.254, an address the external client cannot reach. With detect ftp configured, the firewall parses the FTP control channel, rewrites the embedded address to 1.1.1.100 and creates a temporary server-map entry for the expected data connection. Without NAT ALG the control connection on port 21 is translated like any other TCP session, but the data connection, and with it directory listings and transfers, fails.

Verification of NAT server
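To make the ALG mechanism concrete, here is an added Python model of what the firewall does for the lab's mapping. It is not Huawei code: the addresses and the nat server mapping are taken from this post, while the class layout and the sample 227 reply (port 50000) are assumptions made for the demonstration. It shows a PASV reply leaving the DMZ server, the rewrite of the embedded address, the pinhole that lets the later data connection be translated back to 172.16.1.254, and what the client ends up with when the ALG is off.

```python
# Added example for this post (not Huawei code): a toy model of the FTP NAT ALG
# applied to the lab's NAT server mapping. Addresses come from the lab above;
# the class layout and the sample 227 reply are assumptions made for the demo.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The lab's "nat server 0 protocol tcp global 1.1.1.100 ftp inside 172.16.1.254 ftp"
NAT_SERVER = {("1.1.1.100", 21): ("172.16.1.254", 21)}

# RFC 959 host/port notation used by PORT and by the 227 reply: h1,h2,h3,h4,p1,p2
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_addr(match: re.Match) -> tuple[str, int]:
    """Turn the six captured decimal fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = match.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def encode_addr(ip: str, port: int) -> str:
    """Inverse of decode_addr, producing the comma-separated form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class Pinhole:
    """A dynamic server-map entry for one expected FTP data connection."""
    global_addr: str
    global_port: int
    inside_addr: str
    inside_port: int


@dataclass
class FtpAlg:
    """Inspects the control channel of an FTP service published by nat server."""
    mapping: dict                      # (global_ip, global_port) -> (inside_ip, inside_port)
    pinholes: list = field(default_factory=list)

    def global_for(self, inside_addr: str):
        """Find the public address a private server is published under."""
        for (g_addr, _), (i_addr, _) in self.mapping.items():
            if i_addr == inside_addr:
                return g_addr
        return None

    def server_to_client(self, inside_addr: str, reply: str) -> str:
        """Rewrite a 227 (Entering Passive Mode) reply leaving the DMZ server.

        The server announces its private address and an ephemeral port. An
        Untrust client cannot reach 172.16.1.254, so the ALG substitutes the
        global address (the port is kept, as in a 1:1 mapping) and opens a
        pinhole so the later data connection is translated back to the server.
        Other replies (220, 331, 230, ...) carry no address and pass untouched.
        """
        if not reply.startswith("227"):
            return reply
        m = ADDR_RE.search(reply)
        if m is None:
            return reply
        ip, port = decode_addr(m)
        g_addr = self.global_for(inside_addr)
        if ip != inside_addr or g_addr is None:
            return reply               # not the published server's own address
        self.pinholes.append(Pinhole(g_addr, port, inside_addr, port))
        return reply[:m.start()] + encode_addr(g_addr, port) + reply[m.end():]

    def translate_inbound(self, dst_addr: str, dst_port: int):
        """Destination-NAT an inbound connection: static mapping first, then pinholes.

        Returns the private (ip, port), or None when nothing matches, which is
        what happens to the data connection when the ALG was not running.
        """
        if (dst_addr, dst_port) in self.mapping:
            return self.mapping[(dst_addr, dst_port)]
        for p in self.pinholes:
            if (p.global_addr, p.global_port) == (dst_addr, dst_port):
                return (p.inside_addr, p.inside_port)
        return None


def passive_transfer(alg_enabled: bool):
    """Walk through PASV with and without the ALG; returns what the client sees and does."""
    alg = FtpAlg(dict(NAT_SERVER))
    # Constructed reply from the DMZ server; 195*256+80 = port 50000
    reply = "227 Entering Passive Mode (172,16,1,254,195,80)."
    seen = alg.server_to_client("172.16.1.254", reply) if alg_enabled else reply
    ip, port = decode_addr(ADDR_RE.search(seen))
    # The client opens its data connection to the address it was told; only a
    # connection to the firewall's public address can be translated to the server.
    return seen, (ip, port), alg.translate_inbound(ip, port)


if __name__ == "__main__":
    print(passive_transfer(alg_enabled=True))
    print(passive_transfer(alg_enabled=False))
```

With the ALG on, the client is told 1,1,1,100,195,80 and its connection to 1.1.1.100:50000 is translated to 172.16.1.254:50000 through the pinhole; with it off, the client is told the private address, no pinhole exists, and the data connection goes nowhere, which is the failure the paragraph describes.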


[SRG]display firewall session table verbose
Current Total Sessions : 1
ftp VPN:public --> public
Zone: untrust--> dmz TTL: 00:10:00 Left: 00:09:52
Interface: GigabitEthernet0/0/1 NextHop: 172.16.1.254 MAC: 54-89-98-91-56-e2
<--packets:6 bytes:363
-->packets:8 bytes:364
1.1.1.2:61428+->1.1.1.100:21[172.16.1.254:21]

The last line reads source:port+->global:port[inside:port]: the client 1.1.1.2 connected to the public 1.1.1.100:21 and the firewall translated the destination to 172.16.1.254:21.

[SRG]display nat server
Server in private network information:
  id                : 0
  zone              : ---            interface          : ---
  global-start-addr : 1.1.1.100      global-end-addr    : ---
  inside-start-addr : 172.16.1.254   inside-end-addr    : ---
  global-start-port : 21(ftp)        global-end-port    : ---
  insideport        : 21(ftp)        insidevpn          : public
  globalvpn         : public         vrrp               : ---
  protocol          : tcp
  no-reverse        : no
  Total 1 NAT servers

[SRG]display firewall server-map
11:30:50 2015/04/22
server-map item(s)
------------------------------------------------------------------------------
Nat Server, any -> 1.1.1.100:21[172.16.1.254:21], Zone: ---  Protocol: tcp(Appro: ftp), Left-Time: --:--:--, Addr-Pool: ---  VPN: public -> public
Nat Server Reverse, 172.16.1.254[1.1.1.100] -> any, Zone: ---  Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---  VPN: public -> public

Because the nat server command was entered without the no-reverse keyword (no-reverse : no above), the firewall also installs the Nat Server Reverse entry: connections initiated by 172.16.1.254 towards the Internet are translated to source 1.1.1.100. If the server should only be reachable from outside and must not present the public address when it initiates traffic itself, add no-reverse to the nat server command.

<Internet>ftp 1.1.1.100
Trying 1.1.1.100 ...
Press CTRL+K to abort
Connected to 1.1.1.100.
220 FTP service ready.
User(1.1.1.100:(none)):labnario
331 Password required for labnario.
Enter password:
230 User logged in.
[ftp]
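The display outputs above are what an operator checks after a change. As an added example that is not part of the original post or of Huawei's tooling, the following Python script parses the session-table entry format source:port+->global:port[inside:port] and the two server-map line formats shown above (the sample text is constructed from those outputs), and compares them with the intended nat server mapping. It also reports the reverse entry when the operator expected the mapping to be no-reverse.

```python
# Added example for this post (not Huawei code): parse the firewall's session
# table and server-map output shown above and check them against the intended
# nat server mapping. The regexes follow the line formats visible in this post;
# the sample text below is constructed from those outputs.
import re

# "src:sport+->global:gport[inside:iport]" as printed by display firewall session table
SESSION_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\+->(?P<gdst>[\d.]+):(?P<gport>\d+)"
    r"\[(?P<idst>[\d.]+):(?P<iport>\d+)\]\s*$", re.M)
# Static entry created by "nat server ..." in display firewall server-map
FORWARD_RE = re.compile(
    r"^Nat Server, any -> (?P<g>[\d.]+):(?P<gp>\d+)\[(?P<i>[\d.]+):(?P<ip>\d+)\]", re.M)
# Reverse entry: present unless the nat server was configured with no-reverse
REVERSE_RE = re.compile(r"^Nat Server Reverse, (?P<i>[\d.]+)\[(?P<g>[\d.]+)\] -> any", re.M)

# Constructed from the lab's display output
SESSION_TABLE = """\
Current Total Sessions : 1
ftp VPN:public --> public
Zone: untrust--> dmz TTL: 00:10:00 Left: 00:09:52
Interface: GigabitEthernet0/0/1 NextHop: 172.16.1.254 MAC: 54-89-98-91-56-e2
<--packets:6 bytes:363
-->packets:8 bytes:364
1.1.1.2:61428+->1.1.1.100:21[172.16.1.254:21]
"""

SERVER_MAP = """\
Nat Server, any -> 1.1.1.100:21[172.16.1.254:21], Zone: ---  Protocol: tcp(Appro: ftp), Left-Time: --:--:--, Addr-Pool: ---  VPN: public -> public
Nat Server Reverse, 172.16.1.254[1.1.1.100] -> any, Zone: ---  Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---  VPN: public -> public
"""

# The mapping the lab intends: global 1.1.1.100:21 -> inside 172.16.1.254:21
EXPECTED = {("1.1.1.100", 21): ("172.16.1.254", 21)}


def parse_sessions(text):
    """Return translated sessions as dicts, ports converted to int."""
    return [
        {"src": m["src"], "sport": int(m["sport"]),
         "global": (m["gdst"], int(m["gport"])),
         "inside": (m["idst"], int(m["iport"]))}
        for m in SESSION_RE.finditer(text)
    ]


def parse_server_map(text):
    """Return ({(global_ip, port): (inside_ip, port)}, {inside_ip: global_ip for reverse entries})."""
    forward = {(m["g"], int(m["gp"])): (m["i"], int(m["ip"])) for m in FORWARD_RE.finditer(text)}
    reverse = {m["i"]: m["g"] for m in REVERSE_RE.finditer(text)}
    return forward, reverse


def audit(session_text, server_map_text, expected, expect_reverse=True):
    """Compare live state with the intended mapping; returns a list of findings (empty = OK)."""
    findings = []
    forward, reverse = parse_server_map(server_map_text)
    for g, i in expected.items():
        if forward.get(g) != i:
            findings.append(f"server-map for {g[0]}:{g[1]} is {forward.get(g)}, expected {i}")
    for g, i in forward.items():
        if g not in expected:
            findings.append(f"unexpected published service {g[0]}:{g[1]} -> {i[0]}:{i[1]}")
    if not expect_reverse:
        for i_ip, g_ip in reverse.items():
            findings.append(f"{i_ip} has a reverse entry to {g_ip}; add no-reverse to the nat server command")
    for s in parse_sessions(session_text):
        if expected.get(s["global"]) != s["inside"]:
            findings.append(f"session from {s['src']}:{s['sport']} translated "
                            f"{s['global']} -> {s['inside']} outside the intended mapping")
    return findings


if __name__ == "__main__":
    print(audit(SESSION_TABLE, SERVER_MAP, EXPECTED) or "mapping and sessions match")
    print(audit(SESSION_TABLE, SERVER_MAP, EXPECTED, expect_reverse=False))
```

Run against the lab output the audit returns no findings; with expect_reverse=False it flags the reverse entry, and an unexpected forward entry or a session translated to a host not in the intended mapping shows up as its own finding.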

Tags: Huawei CLI, Huawei firewall, Huawei USG5500, NAT server

Copyright 2014 Labnario