Objectives
Principles of address conversion (NAT)
Functions, advantages, and disadvantages of address conversion
Configuration and deployment of ACLs on the Huawei Symantec firewall
NAT Technology
Contents
NAT Principle
NAT Configuration
Concept of NAT
Network Address Translation (NAT) lets several hosts in one LAN access external resources through a few public addresses. Internal servers can also be published for external use as required.
Hosts in the LAN are shielded because their private IP addresses are never seen outside. Only traffic that already has an entry in the firewall's translation table (or matches a configured server mapping) is translated back inward, so unsolicited packets from outside have no internal destination and are dropped.
Address
Internal address: the private address a host uses inside the LAN.
External address: the public address that represents the host outside the firewall.
NAT Principle
Address pool: the range of public addresses the firewall may substitute for internal addresses.
Translation correlation: the mapping the firewall records between each internal address (and port) and the external address (and port) it was translated to, so that return traffic can be translated back to the right host.
NAT (one-to-one address translation)
Topology: hosts 10.110.5.100/24 and 10.110.5.101/24 in NET 1, the Eudemon firewall with external interface 202.110.1.241, and the destination servers in NET 2. Address pool: 202.110.1.1 and 202.110.1.2.

Destination       Translated source address   Private address
www.baidu.com     202.110.1.1                 10.110.5.100
www.google.com    202.110.1.2                 10.110.5.101

Each internal host is given its own public address from the pool.
PAT (port address translation)
Topology: the same hosts 10.110.5.100 and 10.110.5.101 in NET 1 behind the Eudemon (external address 202.110.1.241), destination servers in NET 2.

Destination       D-port   Translated source   Source port   Private address
www.baidu.com     80       202.110.1.241       8888          10.110.5.100
www.google.com    80       202.110.1.241       8889          10.110.5.101

Both hosts share the single public address 202.110.1.241; the translated source port (8888, 8889) is what distinguishes their sessions.
Bi-directional NAT
Topology: internal server 10.110.5.10 and internal address 10.110.5.101 behind the Eudemon; external host 132.11.5.12 reaches the server through the public address 202.10.0.12.

                            Source address   Destination address
Request from outside        132.11.5.12      202.10.0.12
Request after translation   10.110.5.101     10.110.5.10
Reply from server           10.110.5.10      10.110.5.101
Reply after translation     202.10.0.12      132.11.5.12

Both the destination address (public server address to internal server address) and the source address (external host to an internal address) are translated.
Application scenario of bi-directional NAT: NAT from the zone with lower priority to the zone with higher priority, that is, inbound NAT. Because the external source is rewritten to an internal address, the server can answer even without a route to the public network.
Advantages
Allows several hosts in a LAN to access the public network through one shared IP address.
Masks the internal users, improving the security of the internal network.
Disadvantages
NAT Technology
Contents
NAT Principle
NAT Configuration
Topology: trust zone with the office network 10.110.0.0/16 (containing 10.110.10.0/24), a server segment 192.168.20.0/24, and the untrust zone (Internet).
Networking Requirements:
The office network that employees use is in the trust security zone, segment 10.110.0.0/16.
Requirement 1: users in the 10.110.10.0/24 segment of the trust security zone can access the Internet; users in the other segments of this zone cannot. The legal public IP addresses available for access to the external network are 202.169.10.2 to 202.169.10.6. Because public IP addresses are limited, Network Address Port Translation (NAPT) is used to multiplex them.
Associate the ACL with the address pool. Because address multiplexing is needed, the no-pat parameter is not configured:

[Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 11

ACL 2001 selects the hosts to be translated (here the 10.110.10.0/24 segment) and address-group 11 is the pool 202.169.10.2 to 202.169.10.6. Do not use the no-pat parameter when binding the address pool if multiplexing is required: no-pat selects one-to-one address translation without port translation, so every active internal host would occupy a whole public address from the pool.
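The following simulation, added here as an illustration and not taken from the slides or from Huawei software, shows the NAPT behaviour of the PAT figure and of Requirement 1 in working code: the ACL decides which hosts are translated, the pool supplies the public address, the translation table gives each session its own port, and replies are translated back only if a table entry exists. The ACL (permit 10.110.10.0/24, deny the rest) and the pool 202.169.10.2 to 202.169.10.6 come from the example; the destination addresses, client ports, the sequential allocation of translated ports from 8888 and the use of the first pool address for every session are constructed assumptions.

```python
"""Simulation of NAPT (address multiplexing) as on the slides.

Added example, not Huawei code. Requirement 1 supplies the ACL (permit
10.110.10.0/24, deny the rest) and the pool 202.169.10.2-202.169.10.6.
Destination hosts, client ports and the port allocation strategy are
constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# ACL 2001 of the example: first matching rule wins, implicit deny at the end.
ACL_2001 = [("permit", ip_network("10.110.10.0/24")),
            ("deny", ip_network("0.0.0.0/0"))]


def acl_permits(acl, src: str) -> bool:
    """Return True if the first rule matching src is a permit rule."""
    addr = ip_address(src)
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False


class Napt:
    """NAPT device: the ACL selects hosts, the pool supplies public
    addresses, and a translation table (the slides' 'translation
    correlation') records each session so replies can be translated back."""

    def __init__(self, pool: Tuple[str, str], first_port: int = 8888):
        start, end = (int(ip_address(a)) for a in pool)
        self.pool = [str(ip_address(i)) for i in range(start, end + 1)]
        self.next_port = first_port  # assumed allocation: sequential ports
        # (inside addr, inside port) -> (global addr, global port) and back
        self.out_map: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.in_map: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Trust -> untrust. None means the ACL dropped the packet."""
        if not acl_permits(ACL_2001, pkt.src):
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            # Multiplexing: all hosts share one public address and the port
            # distinguishes sessions (no-pat would instead consume one pool
            # address per host). Using pool[0] for every session is an
            # assumption of this simulation.
            glob = (self.pool[0], self.next_port)
            self.next_port += 1
            self.out_map[key] = glob
            self.in_map[glob] = key
        gaddr, gport = self.out_map[key]
        return Packet(gaddr, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untrust -> trust. Only a packet whose destination matches an
        existing table entry is translated back; an unsolicited packet has
        no entry and is dropped. This table, not the mere hiding of
        addresses, is what keeps outsiders from reaching internal hosts."""
        key = (pkt.dst, pkt.dport)
        if key not in self.in_map:
            return None
        iaddr, iport = self.in_map[key]
        return Packet(pkt.src, pkt.sport, iaddr, iport)


if __name__ == "__main__":
    fw = Napt(("202.169.10.2", "202.169.10.6"))
    # constructed traffic: two office hosts and one host from a denied segment
    for p in (Packet("10.110.10.100", 40000, "202.200.1.1", 80),
              Packet("10.110.10.101", 40000, "202.200.1.2", 80),
              Packet("10.110.20.5", 40000, "202.200.1.1", 80)):
        print(p, "->", fw.outbound(p))
    print(fw.inbound(Packet("202.200.1.1", 80, "202.169.10.2", 8888)))
    print(fw.inbound(Packet("202.200.1.1", 80, "202.169.10.2", 9999)))  # unsolicited
```

The two office hosts come out as 202.169.10.2:8888 and 202.169.10.2:8889, exactly the pattern of the PAT figure; the host in 10.110.20.0/24 is refused by the ACL before any pool address is spent, and an inbound packet to a port with no table entry is dropped.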
Huawei Symantec Technologies Co., Ltd.
Topology: trust zone 10.110.0.0/16 (containing 10.110.10.0/24), server segment 192.168.20.0/24, and the untrust zone (Internet).
Networking Requirements:
Two internal servers are provided to external users. The internal IP address of the WWW server is 192.168.20.2/24 and it listens on port 8080; the internal IP address of the FTP server is 192.168.20.3/24. Both servers are published to the outside on the same address, 202.169.10.1, with the default external port numbers (80 for WWW, 21 for FTP).
Basic Configurations
The no-reverse parameter of nat server means that the mapping is applied only to traffic from the outside to the internal server; connections that the server itself initiates are not translated to the global address. Because the reverse direction is not claimed by the mapping, the same external IP address can be configured repeatedly for several internal servers, as here with 202.169.10.1 for both the WWW and the FTP server.
Topology: external user 200.1.1.10 on the public network; FTP server 10.1.1.2/24 behind the firewall.
Networking Requirements
No route to the public network is configured on the FTP server, so the server cannot actively connect to the public network. External users must still be able to reach it, which means both the destination address (public address to 10.1.1.2) and the source address (public user to an internal address the server can route to) have to be translated: bi-directional NAT is required.
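The following simulation, added here as an illustration and not taken from the slides or from Huawei software, puts the bi-directional NAT figure, the no-reverse note of the second configuration example and the FTP-server scenario above into working code. It uses the figure's addresses (external host 132.11.5.12, public address 202.10.0.12, internal server 10.110.5.10, internal source address 10.110.5.101); the port numbers, the single-address inbound pool, the session table and the simplification of keeping the outside host's source port are constructed assumptions. The check that a global address may only be reused by no-reverse mappings encodes the slide's statement about no-reverse.

```python
"""Simulation of a nat server mapping combined with bi-directional NAT.

Added example, not Huawei code. Addresses follow the bi-directional NAT
figure: external host 132.11.5.12 reaches the public address 202.10.0.12,
which maps to the internal server 10.110.5.10; the source is rewritten to
the internal address 10.110.5.101 so that a server with no route to the
public network can still reply. Ports, the single-address inbound pool and
the session table are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatServer:
    glob: Tuple[str, int]     # address and port published to the outside
    inside: Tuple[str, int]   # real address and port of the internal server
    no_reverse: bool = False  # True: outside->inside only; traffic the
                              # server initiates is not translated to glob


class BidirectionalNat:
    def __init__(self, servers: List[NatServer], inbound_pool: str):
        # Slide rule: one global address may be configured repeatedly only
        # with no-reverse, otherwise translating server-initiated traffic
        # back to the global address would be ambiguous.
        by_addr: Dict[str, List[NatServer]] = {}
        for s in servers:
            by_addr.setdefault(s.glob[0], []).append(s)
        for addr, group in by_addr.items():
            if len(group) > 1 and not all(s.no_reverse for s in group):
                raise ValueError(f"{addr} reused without no-reverse")
        self.servers = servers
        self.inbound_pool = inbound_pool  # internal address given to outside sources
        # session table: translated (src, sport, dst, dport) -> original header
        self.sessions: Dict[Tuple[str, int, str, int], Packet] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untrust -> trust: destination NAT through the server mapping, then
        source NAT of the outside host to the inbound pool. No mapping: drop."""
        for s in self.servers:
            if (pkt.dst, pkt.dport) == s.glob:
                iaddr, iport = s.inside
                # Simplification: the outside source port is kept; a real
                # device allocates a fresh port to avoid collisions.
                xlated = Packet(self.inbound_pool, pkt.sport, iaddr, iport)
                self.sessions[(iaddr, iport, xlated.src, xlated.sport)] = pkt
                return xlated
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Trust -> untrust. A reply belonging to an inbound session is
        restored from the session table. A connection the server itself
        initiates is translated to the global address only if its mapping is
        not no-reverse; otherwise the mapping leaves it alone (None)."""
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        for s in self.servers:
            if pkt.src == s.inside[0] and not s.no_reverse:
                return Packet(s.glob[0], pkt.sport, pkt.dst, pkt.dport)
        return None


if __name__ == "__main__":
    fw = BidirectionalNat(
        [NatServer(("202.10.0.12", 21), ("10.110.5.10", 21), no_reverse=True)],
        inbound_pool="10.110.5.101")
    req = Packet("132.11.5.12", 50000, "202.10.0.12", 21)  # constructed request
    inside = fw.inbound(req)
    print(req, "->", inside)
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    print(reply, "->", fw.outbound(reply))
```

The request arrives at the server as 10.110.5.101 -> 10.110.5.10, so the server answers to an address on its own network and needs no public route; the firewall restores 202.10.0.12 -> 132.11.5.12 from the session table. With no-reverse set, a connection the server opens on its own is not given the public address, which is what allows several servers to share one global address.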
Basic Configurations
On the E1000/500/300, the bi-directional NAT feature is supported. The USG50, USG3000 and Eudemon200/200S/100E do not provide this feature.
Figure: NAT server topology. Intranet 192.168.0.0/24; DMZ zone with servers 192.168.1.100/24, 192.168.1.101/24 and 192.168.1.102/24 behind firewall interface Eth1/0/0 (192.168.1.1/24); Internet-facing interface Eth0/0/1 (202.168.0.1/26); an external WEB server on the Internet. Server mappings: 202.168.0.11:80 -> 192.168.1.101:8080 and 202.168.0.12:1021 -> 192.168.1.102:ftp.
Review
After learning this chapter, you should understand the following:
NAT technology is mainly used to solve the address shortage problem, but it also provides security protection by hiding internal addresses.
During NAT configuration, the hosts to be translated are selected by the ACL. After the address pool is chosen, translation for access to the external public network, or the mapping of an internal server, is implemented through the translation correlation, the firewall's mapping table.