
On the NAT Strategy of Huawei Firewall

2025-04-07 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Blog catalogue

1. What is NAT?
2. How to solve the loop and invalid ARP problems in the source address translation environment?
3. What is a Server-map table?
4. The message processing flow of NAT
5. Start configuring NAT

I. What is NAT?

NAT is a technology that addresses the depletion of IPv4 address resources and also serves as a transition technology from IPv4 to IPv6. It is used in most network environments. This blog focuses on NAT as implemented on Huawei firewalls.

1. NAT classification

At the boundary between the internal and external networks there are two directions of traffic, outbound and inbound, so NAT consists of source address translation and destination address translation.

In general, source address translation is used when computers on the internal LAN access the Internet, while destination address translation is used when Internet users access servers on the LAN; destination address translation is often referred to as server address mapping.

The source address translation methods supported by Huawei are as follows:

NAT No-PAT: similar to Cisco's dynamic NAT. Only the source IP address is translated, not the port, so it is a many-to-many translation and does not save public IP addresses. It is rarely used in practice and mainly suits scenarios with few users needing Internet access and enough public addresses available.

NAPT (Network Address and Port Translation): similar to Cisco's PAT. NAPT translates both the source address and the source port of the packet. The translated address is taken from an address pool and cannot be the IP address of the public-network interface. It is a many-to-many or many-to-one translation, saves IP addresses and is used in many scenarios; it mainly suits the case where a large number of internal users need Internet access and only a few public IP addresses are available.

Outbound interface address (Easy-IP): so called because its translation method is very simple. Like NAPT, it translates both the source IP address and the source port. The difference is that the translated address can only be the IP address configured on the external-network interface of the NAT device, so it is a many-to-one translation that saves IP addresses. It mainly suits situations where no additional public addresses are available and there are many internal Internet users; the translation target is simply the IP address of the public-network interface itself.

Smart NAT (intelligent translation): NAPT and NAT No-PAT work together. One public address is reserved for NAPT translation, while the other public addresses are used for NAT No-PAT translation.

NAT Server: static one-to-one publishing, mainly used when internal servers need to provide services to the Internet.

Triple NAT: a translation tied to the source IP address, source port and protocol type. Translating the source IP address and source port into a fixed public IP address and port solves some problems that ordinary NAT cannot.

II. How to solve the loop and invalid ARP problems in the source address translation environment?

When configuring Huawei NAT, black hole routes are usually configured to prevent routing loops and invalid ARP. These arise because some NAT methods map a public IP address to carry private-network traffic to the Internet; if someone on the Internet then accesses that mapped public IP, the two problems appear. Explaining the mechanism in detail is tedious, but solving both problems is very simple: configure a black hole route that sends traffic actively sent from the Internet to the mapped address to the null interface (Null0). How to configure it is shown in the later configuration, as shown in the following figure:

NAT Server (coarse): one of the NAT Server translation types. It means there is only a simple mapping between the internal address and the translated (global) address, with no port mapping involved. For example, the internal address is 192.168.10.5 and the translated address is 202.96.10.2; with a coarse NAT Server, all packets accessing 202.96.10.2 are forwarded to 192.168.10.5.

NAT Server (fine): also one of the NAT Server translation types. The mapping between the internal address and the translated address is narrowed down to a specific port. For example, the internal address is 192.168.10.5 and the translated address is 202.96.10.2; with a fine NAT Server, FTP traffic (port 21) accessing 202.96.10.2 may be forwarded to 192.168.10.5, while web traffic (ports 80 and 443) accessing 202.96.10.2 is not necessarily forwarded to 192.168.10.5. In short, NAT Server (fine) is port-based NAT translation.

III. What is a Server-map table?

The difference between the Server-map table and the session table:

The session table records the connection information, including the connection status.

The server-map table does not record the current connection; it records information derived by analysing the packets of the current connection, so that the next data flow can pass through the firewall. Its function can be understood as preparing in advance to solve a future problem. For example, with a multi-port protocol such as FTP, the port may change between the three-way handshake and the completion of the data transfer, and server-map solves exactly this problem.

The server-map table is also needed in NAT: when traffic passes through the firewall via NAT, the server-map table records the correspondence between the internal address and the translated address, so that subsequent traffic can be matched directly against the server-map table without consulting the NAT policy, achieving efficient NAT translation. If a user accesses the translated address from the Internet, it is also matched against the server-map table, so that the data is forwarded efficiently to the real host on the intranet (provided the security policy permits it).

The server-map table does not need to be configured manually; it is generated automatically. Here is a brief introduction to the server-map table generated by NAT.

Not every NAT type generates server-map entries. When certain NAT types are configured on the firewall, server-map entries are generated, and by default two entries are created, a forward entry and a reverse entry, as shown below:

At this point, the purpose of the Server-map table is:

The forward entry carries port information and allows the destination address to be translated directly through the server-map table when Internet users access the server on the intranet.

Reverse entry: carries no port information, and the destination address is arbitrary, so that the server can access the Internet.

IV. The message processing flow of NAT

From receiving a packet on an interface to finally sending it out, the firewall goes through a series of processing stages, and NAT is only one of them. NAT configuration is affected by routing and security policy, so understanding the NAT processing flow is of great help when configuring NAT. The processing flow of a packet through NAT is shown in the following figure.

The process by which NAT handles a packet is as follows:

(1) After receiving a packet, the firewall first checks whether it matches a Server-map entry. If so, it translates the destination address according to that entry and goes to step (3); otherwise it goes to step (2).

(2) It checks whether a destination NAT configuration exists and whether the packet meets its conditions. If so, the destination address is translated and processing continues at step (3); otherwise it goes directly to step (3).

(3) It looks up the routing table using the packet's destination address. If a route exists, processing continues at step (4); otherwise the packet is discarded.

(4) It matches the rules of the security policy in order. If a rule permits the packet, processing continues at step (5); otherwise the packet is discarded.

(5) It checks whether a source NAT configuration exists and whether the packet meets its conditions. If so, the source address is translated and processing continues at step (6); otherwise it goes directly to step (6).

(6) Before the packet is sent, a session is created, so that subsequent packets and return packets can be forwarded directly by matching the session table.

(7) The firewall sends the packet.

Because the firewall processes packets in the order destination address translation → security policy → source address translation, in a NAT environment the source address in the security policy must be the address before source translation, and the destination address must be the address after destination translation.
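To make the seven-step flow above and the black hole route from section II concrete, here is an added Python model of the pipeline (written for this post, not Huawei code). It assumes the topology used below: trust 192.168.10.0/24, untrust 192.168.100.0/24 with R1 at 192.168.100.2, an NAPT pool address 192.168.100.5, a No-PAT pool address 192.168.100.3 with a black hole route, and the FTP NAT server mapping 192.168.100.30:21 → 192.168.10.10:21; the table formats, zone lookup and port scheme are constructed for illustration.

```python
import ipaddress

# Constructed tables modelled on this post's topology; they are not the firewall's real data structures.
SERVER_MAP = {("192.168.100.30", 21): ("192.168.10.10", 21)}  # forward entry from "nat server ftp ..."
ROUTES = [  # (prefix, next hop or outgoing interface); the longest matching prefix wins
    ("0.0.0.0/0", "192.168.100.2"),                # default route towards R1
    ("192.168.100.0/24", "GigabitEthernet1/0/1"),  # connected, untrust side
    ("192.168.10.0/24", "GigabitEthernet1/0/0"),   # connected, trust side
    ("192.168.100.3/32", "null0"),                 # black hole route for a No-PAT pool address
]
POLICIES = [  # (source zone, destination zone, source prefix, destination prefix, action)
    ("trust", "untrust", "192.168.10.0/24", "0.0.0.0/0", "permit"),
    ("untrust", "trust", "0.0.0.0/0", "192.168.10.0/24", "permit"),
]
SOURCE_NAT = [("trust", "untrust", "192.168.10.0/24", "192.168.100.5")]  # NAPT pool with one address

def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def zone_of(ip):
    return "trust" if in_net(ip, "192.168.10.0/24") else "untrust"

def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match; returns the next hop / interface, or None when nothing matches."""
    best_len, best_hop = -1, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop

def process(src, sport, dst, dport, routes=ROUTES, policies=POLICIES):
    """Walk the post's seven steps; return (verdict, packet as it would be sent or None)."""
    src_zone = zone_of(src)
    # Steps 1-2: destination translation (a server-map hit; the NAT server policy would give the same result)
    dst, dport = SERVER_MAP.get((dst, dport), (dst, dport))
    # Step 3: route lookup on the *translated* destination; null0 is the black hole from section II
    hop = lookup_route(dst, routes)
    if hop is None or hop == "null0":
        return "dropped: no route or black hole", None
    dst_zone = zone_of(dst)
    # Step 4: the security policy sees the original source and the translated destination
    if not any(sz == src_zone and dz == dst_zone and in_net(src, sp) and in_net(dst, dp) and act == "permit"
               for sz, dz, sp, dp, act in policies):
        return "dropped: security policy", None
    # Step 5: source translation only happens after the policy check
    for sz, dz, prefix, pool_ip in SOURCE_NAT:
        if sz == src_zone and dz == dst_zone and in_net(src, prefix):
            src, sport = pool_ip, 2048 + sport % 1000  # NAPT rewrites the port too (constructed scheme)
    # Steps 6-7: a session entry would be created here, then the packet is sent
    return "forwarded via " + hop, (src, sport, dst, dport)

if __name__ == "__main__":
    print(process("192.168.10.5", 40000, "8.8.8.8", 80))        # NAPT: source becomes 192.168.100.5
    print(process("203.0.113.7", 51000, "192.168.100.30", 21))  # NAT server: destination becomes 192.168.10.10
    print(process("203.0.113.7", 51000, "192.168.100.3", 80))   # Internet access to a pool address is black-holed
```

Calling `lookup_route("192.168.100.3", ROUTES[:-1])` shows what happens without the /32 route: the lookup returns the connected interface, so the firewall would have to ARP for a pool address that no host owns. A policy written against the translated source 192.168.100.5 instead of 192.168.10.0/24 never matches, because step 4 runs before step 5.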

V. Start configuring NAT

To show the effect more directly, I build a topology here that simulates 192.168.10.0/24 as the private network and 192.168.200.0/24 as the public network. I will write down the details below. Note: before configuring each NAT type I clear the policy and address pool configured for the previous one, for a more intuitive display. The topology diagram is as follows:

1. Configure the IP address and gateway of the device according to the topology diagram

1) R1: configure IP addresses

[R1] int eth0/0/0                                    # enter the interface
[R1-Ethernet0/0/0] ip add 192.168.100.2 24           # configure the interface IP address
[R1-Ethernet0/0/0] int eth0/0/1                      # enter the interface
[R1-Ethernet0/0/1] ip add 192.168.200.1 24           # configure the interface IP address
[R1-Ethernet0/0/1] quit
[R1] ip route-static 192.168.10.0 24 192.168.100.1   # static route to the private network

2) Firewall: configure interface IP addresses and add the interfaces to zones

[FW1] int g1/0/0                                     # enter the interface
[FW1-GigabitEthernet1/0/0] ip add 192.168.10.1 24    # configure the interface IP address
[FW1-GigabitEthernet1/0/0] undo shutdown             # activate the interface
[FW1-GigabitEthernet1/0/0] quit
[FW1] firewall zone trust                            # enter the trust zone
[FW1-zone-trust] add interface GigabitEthernet1/0/0  # add the interface to the trust zone
[FW1-zone-trust] quit
[FW1] int g1/0/1                                     # enter the interface
[FW1-GigabitEthernet1/0/1] ip add 192.168.100.1 24   # configure the interface IP address
[FW1-GigabitEthernet1/0/1] undo shutdown             # activate the interface
[FW1-GigabitEthernet1/0/1] quit
[FW1] firewall zone untrust                          # enter the untrust zone
[FW1-zone-untrust] add interface GigabitEthernet1/0/1  # add the interface to the untrust zone
[FW1-zone-untrust] quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 192.168.100.2  # default route towards the public network

Next, start configuring NAT.

2. Configure NAT No-PAT

1) Configure the security policy

[FW1] security-policy                                       # configure the security policy
[FW1-policy-security] rule name nat                         # the security policy rule is named nat
[FW1-policy-security-rule-nat] source-zone trust            # define the source zone as trust
[FW1-policy-security-rule-nat] destination-zone untrust     # define the destination zone as untrust
[FW1-policy-security-rule-nat] source-address 192.168.10.0 24  # define the source network to be translated
[FW1-policy-security-rule-nat] action permit                # allow the traffic through
[FW1-policy-security-rule-nat] quit
[FW1-policy-security] quit

2) Configure the NAT No-PAT address pool

[FW1] nat address-group natno-pat                           # the address pool is named natno-pat
[FW1-address-group-natno-pat] section 0 192.168.100.3 192.168.100.4  # start and end address of the pool
[FW1-address-group-natno-pat] mode no-pat local             # the pool works in No-PAT mode
[FW1-address-group-natno-pat] quit

3) Configure the NAT No-PAT policy

[FW1] nat-policy                                            # configure the NAT policy
[FW1-policy-nat] rule name natpolicy                        # the NAT policy rule is named natpolicy
[FW1-policy-nat-rule-natpolicy] source-address 192.168.10.0 24  # define the source network to be translated
[FW1-policy-nat-rule-natpolicy] source-zone trust           # define the source zone
[FW1-policy-nat-rule-natpolicy] destination-zone untrust    # define the destination zone
[FW1-policy-nat-rule-natpolicy] action nat address-group natno-pat  # map the source network to the address pool
[FW1-policy-nat-rule-natpolicy] quit
[FW1-policy-nat] quit

4) Configure the black hole routes

[FW1] ip route-static 192.168.100.3 32 null 0
[FW1] ip route-static 192.168.100.4 32 null 0

5) Verify: ping the public network from the private network, then check the session table.

3. Configure NAPT

1) Configure the security policy

[FW1] security-policy                                       # configure the security policy
[FW1-policy-security] rule name NAPT                        # the security policy rule is named NAPT
[FW1-policy-security-rule-NAPT] source-zone trust           # define the source zone as trust
[FW1-policy-security-rule-NAPT] destination-zone untrust    # define the destination zone as untrust
[FW1-policy-security-rule-NAPT] source-address 192.168.10.0 24  # define the source network to be translated
[FW1-policy-security-rule-NAPT] action permit               # allow the traffic through
[FW1-policy-security-rule-NAPT] quit
[FW1-policy-security] quit

2) Configure the NAPT address pool

[FW1] nat address-group NAPT                                # the address pool is named NAPT
[FW1-address-group-NAPT] section 0 192.168.100.5 192.168.100.5  # address range of the pool
[FW1-address-group-NAPT] mode pat                           # the pool works in PAT mode, serving NAPT
[FW1-address-group-NAPT] quit

3) Configure the NAPT policy

[FW1] nat-policy                                            # configure the NAT policy
[FW1-policy-nat] rule name pat                              # the NAPT policy rule is named pat
[FW1-policy-nat-rule-pat] source-zone trust                 # define the source zone
[FW1-policy-nat-rule-pat] destination-zone untrust          # define the destination zone
[FW1-policy-nat-rule-pat] source-address 192.168.10.0 24    # define the source network to be translated
[FW1-policy-nat-rule-pat] action nat address-group NAPT     # map the source network to the address pool
[FW1-policy-nat-rule-pat] quit
[FW1-policy-nat] quit

4) Configure the black hole route

[FW1] ip route-static 192.168.100.5 32 null 0

5) Verify: ping the public network and check the session table.

4. Configure Easy-IP

1) Configure the security policy

[FW1] security-policy                                       # configure the security policy
[FW1-policy-security] rule name easyip                      # the security policy rule is named easyip
[FW1-policy-security-rule-easyip] source-zone trust         # define the source zone as trust
[FW1-policy-security-rule-easyip] destination-zone untrust  # define the destination zone as untrust
[FW1-policy-security-rule-easyip] source-address 192.168.10.0 24  # define the source network to be translated
[FW1-policy-security-rule-easyip] action permit             # allow the traffic through
[FW1-policy-security-rule-easyip] quit
[FW1-policy-security] quit

2) Configure the NAT policy

[FW1] nat-policy                                            # configure the NAT policy
[FW1-policy-nat] rule name easyip                           # the NAT policy rule is named easyip
[FW1-policy-nat-rule-easyip] source-zone trust              # define the source zone
[FW1-policy-nat-rule-easyip] destination-zone untrust       # define the destination zone
[FW1-policy-nat-rule-easyip] source-address 192.168.10.0 24 # define the source network to be translated
[FW1-policy-nat-rule-easyip] action nat easy-ip             # translate to the IP address of the firewall's external interface
[FW1-policy-nat-rule-easyip] quit
[FW1-policy-nat] quit

3) Verify: ping the public network and check the session table.

5. Configure NAT Server

1) Configure the security policy

[FW1] security-policy                                       # configure the security policy
[FW1-policy-security] rule name NATserver                   # the security policy rule is named NATserver
[FW1-policy-security-rule-NATserver] source-zone untrust    # the access source is the external zone
[FW1-policy-security-rule-NATserver] destination-zone trust # the access destination is the internal zone
[FW1-policy-security-rule-NATserver] destination-address 192.168.10.0 24  # the accessed network is the internal address
[FW1-policy-security-rule-NATserver] action permit          # allow access from the external network
[FW1-policy-security-rule-NATserver] quit
[FW1-policy-security] quit

2) Configure application-layer detection

[FW1] firewall interzone trust untrust                      # enter the interzone between the internal and external zones
[FW1-interzone-trust-untrust] detect ftp                    # detect the FTP protocol
[FW1-interzone-trust-untrust] quit

3) Configure the FTP NAT server

[FW1] nat server ftp protocol tcp global 192.168.100.30 21 inside 192.168.10.10 21

4) Verify: ping the private network and check the session table. FTP can also access the private network, but because of a problem with my environment I will not access FTP here.

The blog is over!
