
Day 5 of JUNIA (NAT)

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. Interface mode of firewall

a. Route mode

Packets are forwarded based on routing, with no NAT translation.

By default, no NAT translation is done.

To translate addresses, use policy-based NAT.

By default, all zones except the Trust zone are in Route mode.

b. NAT mode

When an interface is in NAT mode, packets received on the interface undergo source address translation (NAPT, network address port translation).

View the mode of the interface

FW1-> get interface eth2

Set FFilter to view the processing of firewall traffic from source 10.1.1.1 to destination 1.1.1.1

FW1-> set ffilter src-ip 10.1.1.1 dst-ip 1.1.1.1

FW1-> debug flow basic

FW1-> get db stream

2. Policy-based NAT

a. One-way NAT

NAT-Src

NAT-Dst

VIP

b. Two-way NAT

MIP

3. NAT application environment

a. NAT-Src: converts a private network address to a public network address (used when Internet access is required).

b. NAT-Dst: maps the services of some hosts to the public network, but these hosts cannot access the Internet directly.

c. VIP: maps services on one public network address to multiple private network addresses, but these hosts cannot access the Internet directly.

The public zone must be Untrust.

d. MIP: one-to-one address translation, but bidirectional.

4.NAT-Src

a.DIP dynamic address translation

1. Create a DIP address pool on the extranet

FW1-> set interface eth3 dip 4 1.1.1.10 1.1.1.19

2. Create a NAT Policy from an intranet Zone to an extranet Zone

FW1-> set policy top from home to untrust any any any nat src dip-id 4 permit

b. Port-based DIP address translation

FW1-> set interface eth3 dip interface-ip incoming

FW1-> set policy top from home to untrust any any any nat src dip-id permit

c. DIP with address shifting (a single command creates multiple one-to-one static mappings)

Create the DIP

FW1-> set interface eth3 dip 4 shift-from 10.1.1.2 to 1.1.1.10 1.1.1.19

Specify the policy

FW1-> set policy top from home to untrust any any any nat src dip-id 4 permit

Private network addresses outside the range that corresponds to the pool are not translated.
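
An added example (not from the original article): a Python check that models the shift-from mapping described above and verifies that every dip-id referenced by a policy is defined on an interface. The config text is constructed from the commands in this section, plus one extra policy referencing an undefined pool (dip-id 7) for illustration; the function names are hypothetical, and the linear offset mapping is an assumption based on the one-to-one behaviour the section describes.

```python
import ipaddress
import re

# Constructed sample built from the command forms shown in this section.
SAMPLE_CONFIG = """\
set interface eth3 dip 4 shift-from 10.1.1.2 to 1.1.1.10 1.1.1.19
set policy top from home to untrust any any any nat src dip-id 4 permit
set policy top from home to untrust any any any nat src dip-id 7 permit
"""

DIP_RE = re.compile(
    r"set interface (\S+) dip (\d+) (?:shift-from (\S+) to )?(\S+) (\S+)")
POLICY_RE = re.compile(r"set policy .*\bnat src dip-id (\d+)\b")


def parse_pools(config):
    """Return {dip_id: (interface, shift_from or None, low, high)}."""
    ip = ipaddress.IPv4Address
    pools = {}
    for m in DIP_RE.finditer(config):
        iface, dip_id, shift, low, high = m.groups()
        pools[int(dip_id)] = (iface, ip(shift) if shift else None,
                              ip(low), ip(high))
    return pools


def undefined_dip_refs(config):
    """DIP IDs that a policy references but no interface defines."""
    referenced = {int(i) for i in POLICY_RE.findall(config)}
    return sorted(referenced - set(parse_pools(config)))


def shift_translate(pool, src):
    """Translate src through a shift-from pool.

    Returns the public address as a string, or None when src falls
    outside the private range that corresponds to the pool.
    """
    _, shift_from, low, high = pool
    if shift_from is None:
        return None  # not a shift-from pool
    offset = int(ipaddress.IPv4Address(src)) - int(shift_from)
    if 0 <= offset <= int(high) - int(low):
        return str(low + offset)
    return None
```

With the pool from this section (ten public addresses, shift-from 10.1.1.2), only 10.1.1.2 through 10.1.1.11 are translated.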
