1. Overview
The function of Network Address Translation (NAT) is to translate a private IP address into a public IP address that is connected to the internet before packets are forwarded to another network, and vice versa. NAT can advertise a single public IP address for the entire local private network to the internet, providing some security by hiding the entire internal network behind that address.
In this article, we will configure different configurations of static NAT (server NAT) and dynamic NAT on the Huawei firewall model USG6000.
2. Prerequisites
In this document, it is supposed that:
a. You have already installed Huawei eNSP on your computer. If you have not, you can refer to this link: Huawei Network Device Simulation With eNSP.
b. You know how to configure SSH remote management on a Huawei router. If you do not, you can refer to this link: SSH Configuration on Huawei Router AR2220.
3. Lab Scenario Set up
We will set up a lab to configure NAT as shown in the following diagram. We will configure NAT on “FW1”. There is one router in the LAN with the host name “Server-SSH”; this host acts as an inside LAN server, and we will configure an SSH server on it. There is one router acting as the internet and another router acting as a computer in the public network.
The following is the basic configuration of each device.
On Server-SSH
First of all, we configure the host name and IP address as follows.
sysname Server-SSH
int g0/0/0
 ip add 10.10.10.2 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
Then, let’s configure the SSH server for remote management as follows.
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
stelnet server enable
aaa
 local-user netadmin password cipher 111
 local-user netadmin privilege level 15
 local-user netadmin service-type ssh telnet
rsa local-key-pair create
On FW1
On FW1, let’s do the basic configuration as follows.
sysname FW1
int g1/0/1
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
 undo service-manage enable
int g1/0/2
 undo shutdown
 ip address 200.1.1.1 255.255.255.248
 undo service-manage enable
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
Add interface Gi1/0/1 to the trust zone and interface Gi1/0/2 to the untrust zone.
firewall zone trust
 add interface g1/0/1
firewall zone untrust
 add interface g1/0/2
Configure the firewall rules to allow traffic as follows. Note that the last rule, acl_ssh, is the only one that opens the trust zone to the untrust zone, and it is limited to TCP port 22 of 10.10.10.2.
security-policy
 rule name acl_internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name acl_localany
  source-zone local
  action permit
 rule name acl_trustlocal
  source-zone trust
  destination-zone local
  action permit
 rule name acl_internetin
  source-zone untrust
  destination-zone local
  action permit
 rule name acl_ssh
  source-zone untrust
  destination-zone trust
  destination-address 10.10.10.2 32
  service protocol tcp destination-port 22
  action permit
On router acts as the Internet
We just need to configure an IP address on each interface of the Internet router.
sysname Internet
int g0/0/0
 ip add 200.1.1.2 255.255.255.248
int g0/0/1
 ip add 100.1.1.2 255.255.255.252
On router acts as a computer in public network
On the PC router, let’s do the basic configuration as follows.
sysname PC1
int g0/0/0
 ip add 100.1.1.1 255.255.255.252
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
4. Dynamic NAT
4.1 Configure Dynamic NAT To Interface IP
Before we configure dynamic NAT, Server-SSH is not able to ping an IP address on the internet.
<Server-SSH>ping 100.1.1.1
  PING 100.1.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 100.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Now let’s start to configure dynamic NAT on FW1. First, we need to create a network object that contains the IP addresses to be NATed. With the object below, only IP 10.10.10.2 in the LAN is allowed to access the internet.
ip address-set Obj_nat type object
 address 0 10.10.10.2 0
Then we configure dynamic NAT in the NAT policy, using interface g1/0/2 (the egress interface that connects directly to the internet) and the object created above.
nat-policy
 rule name nat_internet
  source-zone trust
  egress-interface g1/0/2
  source-address address-set Obj_nat
  action nat easy-ip
Now, Server-SSH should be able to ping an IP address on the internet.
<Server-SSH>ping 100.1.1.1
  PING 100.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 100.1.1.1: bytes=56 Sequence=1 ttl=253 time=40 ms
    Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=253 time=30 ms
    Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=253 time=30 ms
    Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=253 time=30 ms
    Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=253 time=30 ms
  --- 100.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/32/40 ms
4.2 Configure Dynamic NAT With IP Pool
It is also possible to translate our LAN IP subnet to a pool of public IP addresses. The following command creates a NAT pool with IP addresses ranging from 200.1.1.3 to 200.1.1.4.
nat address-group nat-pool 0
 mode pat
 route enable
 section 0 200.1.1.3 200.1.1.4
Then, in the NAT policy configuration, we need to delete the old rule and add the new rule as follows. After that, we can test pinging the internet again from Server-SSH.
nat-policy
 undo rule name nat_internet
 rule name nat_pool_internet
  source-zone trust
  destination-zone untrust
  source-address address-set Obj_nat
  action nat address-group nat-pool
5. Static NAT
5.1 Configure Static NAT To Interface IP
If we want to publish an internal server to the internet, we can configure static NAT on our firewall “FW1”. The following command configures a static NAT for remote SSH access from the internet using the IP address assigned to interface GE1/0/2 of FW1.
] nat server nat_ssh 0 protocol tcp global 200.1.1.1 22 inside 10.10.10.2 22
Now, if we test telnet to port 22 of the public IP configured on interface GE1/0/2 of firewall FW1 from the PC router, we should get the following successful result.
<PC1>telnet 200.1.1.1 22
  Press CTRL_] to quit telnet mode
  Trying 200.1.1.1 ...
  Connected to 200.1.1.1 ...
SSH-1.99-DOPRA-1.5
To log in to Server-SSH from the internet, we can use the following commands.
[PC1]stelnet 200.1.1.1
Please input the username:netadmin
Trying 200.1.1.1 ...
Press CTRL+K to abort
Connected to 200.1.1.1 ...
Enter password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: SSH
IP-Address : 100.1.1.1 ssh
Time : 2019-01-17 13:08:39-08:00
-----------------------------------------------------------------------------
<Server-SSH>
5.2 Configure Static NAT To IP In The Same Interface Subnet
Usually, there are many local services to publish so that they are accessible from the internet. In this case, we can NAT the local IP to any available public IP within the same subnet as the IP assigned to the Huawei firewall “FW1” interface GE1/0/2, which is connected directly to the internet.
To do so, first we need to delete the NAT configured above.
] un nat server all
Then we can configure NAT as follows to translate public IP 200.1.1.5 port 22 to the private IP 10.10.10.2 port 22.
] nat server nat_ssh 0 protocol tcp global 200.1.1.5 22 inside 10.10.10.2 22
We can test telnet from the PC1 router as follows.
<PC1>telnet 200.1.1.5 22
  Press CTRL_] to quit telnet mode
  Trying 200.1.1.5 ...
  Connected to 200.1.1.5 ...
SSH-1.99-DOPRA-1.5
Now we can test SSH from the PC1 router; we should get the following result.
[PC1]stelnet 200.1.1.5
Please input the username:netadmin
Trying 200.1.1.5 ...
Press CTRL+K to abort
Connected to 200.1.1.5 ...
Enter password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: SSH
IP-Address : 100.1.1.1 ssh
Time : 2019-01-17 14:55:04-08:00
-----------------------------------------------------------------------------
<Server-SSH>
<Server-SSH>
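A practitioner publishing a server this way wants to confirm two things from the running config: that every nat server mapping is admitted by a security-policy rule written for the inside (post-NAT) address, as acl_ssh is in section 3, and that no permit rule from untrust is left without an address or service restriction. The following script is an added example, not part of the article or of Huawei's tooling; it parses a constructed excerpt of the FW1 configuration above (the nat server line from 5.2 plus two of the security-policy rules) and reports both checks. It assumes the USG writes destination-address as "address prefix-length" and that an unset rule field matches anything.

```python
import ipaddress
import re

# Constructed excerpt of the FW1 security policy and server NAT shown in the article.
FW1_CONFIG = """
security-policy
 rule name acl_internetin
  source-zone untrust
  destination-zone local
  action permit
 rule name acl_ssh
  source-zone untrust
  destination-zone trust
  destination-address 10.10.10.2 32
  service protocol tcp destination-port 22
  action permit
nat server nat_ssh 0 protocol tcp global 200.1.1.5 22 inside 10.10.10.2 22
"""
NAT_SERVER = re.compile(r"nat server (\S+) \d+ protocol (\w+) global \S+ \d+ inside (\S+) (\d+)")
def parse_config(text):
    """Return (security-policy rules, server-NAT mappings); unset rule fields stay None."""
    rules, servers, rule = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("rule name "):
            rule = {"name": line.split()[2], "dst_net": None, "service": None}
            rules.append(rule)
        elif rule and line.startswith(("source-zone ", "destination-zone ", "action ")):
            rule[line.split()[0]] = line.split(maxsplit=1)[1]
        elif rule and line.startswith("destination-address "):  # "<address> <prefix-length>"
            rule["dst_net"] = ipaddress.ip_network("/".join(line.split()[1:3]))
        elif rule and (m := re.match(r"service protocol (\w+) destination-port (\d+)", line)):
            rule["service"] = (m[1], int(m[2]))
        elif (m := NAT_SERVER.match(line)):
            servers.append({"name": m[1], "proto": m[2], "inside": (m[3], int(m[4]))})
    return rules, servers
def rule_permits(rule, src_zone, dst_zone, proto, dst_ip, port):
    """A field the rule leaves unset matches anything (assumed USG semantics)."""
    zones_ok = rule.get("source-zone", "any") in ("any", src_zone) and rule.get("destination-zone", "any") in ("any", dst_zone)
    addr_ok = rule["dst_net"] is None or ipaddress.ip_address(dst_ip) in rule["dst_net"]
    return rule.get("action") == "permit" and zones_ok and addr_ok and rule["service"] in (None, (proto, port))
def audit(text, inside_zone="trust"):
    """Per server NAT, the rule admitting untrust -> inside address (policy sees the post-NAT destination); plus untrust permit rules with no address or service limit."""
    rules, servers = parse_config(text)
    exposed = {s["name"]: next((r["name"] for r in rules
                                if rule_permits(r, "untrust", inside_zone, s["proto"], *s["inside"])), None)
               for s in servers}
    broad = [r["name"] for r in rules if r.get("action") == "permit"
             and r.get("source-zone") == "untrust" and not (r["dst_net"] or r["service"])]
    return exposed, broad
```

Running audit(FW1_CONFIG) returns ({"nat_ssh": "acl_ssh"}, ["acl_internetin"]): the SSH mapping is covered by the narrow rule, while acl_internetin admits any untrust traffic to the firewall itself and deserves a service restriction.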
6. Conclusion
That’s all about configuring network address translation (NAT) on the Huawei firewall model USG6000 from Tech Space KH. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.