Configuring Network Address Translation (NAT) on Huawei Firewall USG6000

1. Overview

Network Address Translation (NAT) translates a private IP address into a public IP address that is routable on the internet before packets are forwarded to another network, and translates it back for the return traffic. NAT can advertise a single public IP address for the entire local private network to the internet, which also provides some security by hiding the internal addressing behind that address.

In this article, we will configure several variants of static NAT (also called server NAT) and dynamic NAT on the Huawei firewall model USG6000.

2. Prerequisites

In this document, it is assumed that:

a. You have already installed Huawei eNSP on your computer. If you have not, you can refer to this link: Huawei Network Device Simulation With eNSP.
b. You know how to configure SSH remote management on a Huawei router. If you do not, you can refer to this link: SSH Configuration on Huawei Router AR2220.

3. Lab Scenario Set up

We will set up a lab to configure NAT as shown in the following diagram. NAT will be configured on “FW1”. There is one router in the LAN with the host name “Server-SSH”; this host acts as an inside LAN server, and we will configure an SSH server on it. One more router acts as the internet, and another router acts as a computer in the public network.

[Diagram: lab topology for NAT on FW1 (Server-SSH, FW1, Internet, PC1)]

The following is the basic configuration of each device.

On Server-SSH

First of all, configure the host name and IP address as follows.

] sysname Server-SSH
] int g0/0/0
     ip add 10.10.10.2 255.255.255.0
] ip route-static 0.0.0.0 0.0.0.0 10.10.10.1

Then, let’s configure the SSH server for remote management as follows.

] user-interface vty 0 4
    authentication-mode aaa
    protocol inbound all

] stelnet server enable

] aaa
    local-user netadmin password cipher 111
    local-user netadmin privilege level 15
    local-user netadmin service-type ssh telnet

] rsa local-key-pair create

On FW1

On FW1, let’s apply the basic configuration as follows.

] sysname FW1
] int g1/0/1
      undo shutdown
      ip address 10.10.10.1 255.255.255.0
      undo service-manage enable
] int g1/0/2
      undo shutdown
      ip address 200.1.1.1 255.255.255.248
      undo service-manage enable

] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2

Add interface Gi1/0/1 to the trust zone and interface Gi1/0/2 to the untrust zone.

] firewall zone trust
     add interface g1/0/1
] firewall zone untrust
     add interface g1/0/2

Configure the security policy to allow traffic as follows.

security-policy
 rule name acl_internet
   source-zone trust
   destination-zone untrust
   action permit
 rule name acl_localany
   source-zone local
   action permit
 rule name acl_trustlocal
   source-zone trust
   destination-zone local
   action permit
 rule name acl_internetin
   source-zone untrust
   destination-zone local
   action permit
 rule name acl_ssh
   source-zone untrust
   destination-zone trust
   destination-address 10.10.10.2 32
   service protocol tcp destination-port 22
   action permit
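As an added check that is not part of the original article, the following Python parses the security-policy block above into rules and lists permit rules that accept traffic from the untrust zone without narrowing the destination address or the service; in this lab that is acl_internetin, which lets any internet host reach FW1's own local zone, whereas acl_ssh is limited to one host and one port. The policy text is a constructed copy of the block shown above.

```python
# Constructed copy of the security-policy block that this page configures on FW1.
FW1_SECURITY_POLICY = """\
security-policy
 rule name acl_internet
   source-zone trust
   destination-zone untrust
   action permit
 rule name acl_localany
   source-zone local
   action permit
 rule name acl_trustlocal
   source-zone trust
   destination-zone local
   action permit
 rule name acl_internetin
   source-zone untrust
   destination-zone local
   action permit
 rule name acl_ssh
   source-zone untrust
   destination-zone trust
   destination-address 10.10.10.2 32
   service protocol tcp destination-port 22
   action permit
"""

def parse_security_policy(text):
    """Return {rule_name: {attribute: [values]}} from a VRP-style security-policy block."""
    rules, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "security-policy":
            continue
        if words[:2] == ["rule", "name"]:
            current = words[2]
            rules[current] = {}
            continue
        rules[current].setdefault(words[0], []).append(" ".join(words[1:]))
    return rules

def unrestricted_permits(rules, untrusted_zones=("untrust",)):
    """Permit rules from an untrusted zone that narrow neither the destination
    address nor the service, so any internet host can match them."""
    return [name for name, a in rules.items()
            if a.get("action") == ["permit"]
            and set(a.get("source-zone", [])) & set(untrusted_zones)
            and "destination-address" not in a and "service" not in a]
```

Passing untrusted_zones=("untrust", "trust") widens the check to rules that let the whole LAN reach the firewall or the internet unrestricted.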

On router acts as the Internet

We only need to configure an IP address on each interface of the Internet router.

] sysname Internet
] int g0/0/0
     ip add 200.1.1.2 255.255.255.248
] int g0/0/1
     ip add 100.1.1.2 255.255.255.252

On router acts as a computer in public network

On the PC router, let’s apply the basic configuration as follows.

] sysname PC1
] int g0/0/0
     ip add 100.1.1.1 255.255.255.252
] ip route-static 0.0.0.0 0.0.0.0 100.1.1.2

4. Dynamic NAT

4.1 Configure Dynamic NAT To Interface IP

Before we configure dynamic NAT, Server-SSH is not able to ping the public IP address 100.1.1.1.

<Server-SSH>ping 100.1.1.1
 PING 100.1.1.1: 56 data bytes, press CTRL_C to break
 Request time out
 Request time out
 Request time out
 Request time out
 Request time out

--- 100.1.1.1 ping statistics ---
 5 packet(s) transmitted
 0 packet(s) received
 100.00% packet loss

Now let’s start configuring dynamic NAT on FW1. First, we need to create an address object containing the IP addresses to be translated. The object below allows only IP 10.10.10.2 in the LAN to access the internet.

] ip address-set Obj_nat type object
      address 0 10.10.10.2 0

Then we configure dynamic NAT in the NAT policy, using interface g1/0/2 (the egress interface connected directly to the internet) and the object created above.

] nat-policy
    rule name nat_internet
    source-zone trust
    egress-interface g1/0/2
    source-address address-set Obj_nat
    action nat easy-ip

Now Server-SSH should be able to ping the same IP address on the internet.

<Server-SSH>ping 100.1.1.1
 PING 100.1.1.1: 56 data bytes, press CTRL_C to break
 Reply from 100.1.1.1: bytes=56 Sequence=1 ttl=253 time=40 ms
 Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=253 time=30 ms
 Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=253 time=30 ms
 Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=253 time=30 ms
 Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=253 time=30 ms

--- 100.1.1.1 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 30/32/40 ms

4.2 Configure Dynamic NAT With IP Pool

It is also possible to translate our LAN IP subnet to a pool of public IP addresses. The following commands create a NAT address pool with the IP address range 200.1.1.3 to 200.1.1.4.

] nat address-group nat-pool 0
     mode pat
     route enable
     section 0 200.1.1.3 200.1.1.4

Then, in the NAT policy, we need to delete the old rule and add the new rule as follows. After that, we can test the ping to the internet again from Server-SSH.

] nat-policy
     undo rule name nat_internet
     rule name nat_pool_internet
           source-zone trust
           destination-zone untrust
           source-address address-set Obj_nat
           action nat address-group nat-pool

5. Static NAT

5.1 Configure Static NAT To Interface IP

If we want to publish an internal server to the internet, we can configure static NAT on our firewall “FW1”. The following command configures a static NAT for remote SSH access from the internet, using the IP address assigned to interface GE1/0/2 of FW1.

] nat server nat_ssh 0 protocol tcp global 200.1.1.1 22 inside 10.10.10.2 22

Now, if we test telnet to port 22 of the public IP configured on interface GE1/0/2 of firewall FW1 from the PC router, we should get the following successful result.

<PC1>telnet 200.1.1.1 22
 Press CTRL_] to quit telnet mode
 Trying 200.1.1.1 ...
 Connected to 200.1.1.1 ...SSH-1.99-DOPRA-1.5

To log in to Server-SSH from the internet, we can use the following commands.

[PC1]stelnet 200.1.1.1
Please input the username:netadmin
Trying 200.1.1.1 ...
Press CTRL+K to abort
Connected to 200.1.1.1 ...
Enter password:
 ----------------------------------------------------------------------------- 
 
 User last login information: 
 -----------------------------------------------------------------------------
 Access Type: SSH 
 IP-Address : 100.1.1.1 ssh 
 Time : 2019-01-17 13:08:39-08:00 
 -----------------------------------------------------------------------------
<Server-SSH>

5.2 Configure Static NAT To IP In The Same Interface Subnet

Usually there are many local services to publish to the internet. In this case, we can translate a local IP to any available public IP within the subnet assigned to the Huawei firewall “FW1” interface GE1/0/2, which connects directly to the internet.

To do so, first we need to delete the NAT server mapping configured above.

] undo nat server all

Then we configure NAT as follows to map public IP 200.1.1.5 port 22 to private IP 10.10.10.2 port 22.

] nat server nat_ssh 0 protocol tcp global 200.1.1.5 22 inside 10.10.10.2 22

We can test with telnet from the PC1 router as follows.

<PC1>telnet 200.1.1.5 22
 Press CTRL_] to quit telnet mode
 Trying 200.1.1.5 ...
 Connected to 200.1.1.5 ...SSH-1.99-DOPRA-1.5

Now we can test SSH from the PC1 router; we should get the following result.

[PC1]stelnet 200.1.1.5
Please input the username:netadmin
Trying 200.1.1.5 ...
Press CTRL+K to abort
Connected to 200.1.1.5 ...
Enter password:
 ----------------------------------------------------------------------------- 
 
 User last login information: 
 -----------------------------------------------------------------------------
 Access Type: SSH 
 IP-Address : 100.1.1.1 ssh 
 Time : 2019-01-17 14:55:04-08:00 
 -----------------------------------------------------------------------------
<Server-SSH>
<Server-SSH>
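To make the three translation modes on this page concrete, here is an added Python model (not Huawei code) of FW1's NAT behaviour: easy-ip from section 4.1, the PAT address-group from 4.2, and the static nat server mapping from 5.2, with the address values taken from the configuration above. The pool-selection rule and the PAT port range are assumptions, and the security policy is not modelled.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Iterator

# Values taken from the FW1 configuration shown on this page.
EGRESS_IP = "200.1.1.1"                     # GE1/0/2 address, used by "action nat easy-ip"
OBJ_NAT = {"10.10.10.2"}                    # ip address-set Obj_nat
POOL = ["200.1.1.3", "200.1.1.4"]           # nat address-group nat-pool, mode pat
NAT_SERVER = {("tcp", "200.1.1.5", 22): ("10.10.10.2", 22)}  # nat server nat_ssh (5.2)

@dataclass
class Fw1Nat:
    mode: str                                        # "easy-ip" (4.1) or "pool" (4.2)
    ports: Iterator[int] = field(default_factory=lambda: count(10000))  # assumed PAT range
    sessions: dict = field(default_factory=dict)     # (global_ip, port) -> (inside_ip, port)

    def outbound(self, src_ip, src_port):
        """Trust -> untrust packet: returns the translated (ip, port), or None when no
        nat-policy rule matches (the untranslated ping on the page simply times out)."""
        if src_ip not in OBJ_NAT:
            return None
        if self.mode == "easy-ip":
            global_ip = EGRESS_IP
        else:
            # Assumption: the USG's pool selection is not on the page; hash the source
            # address across the section so hosts spread over both pool addresses.
            global_ip = POOL[sum(int(o) for o in src_ip.split(".")) % len(POOL)]
        global_port = next(self.ports)
        self.sessions[(global_ip, global_port)] = (src_ip, src_port)
        return global_ip, global_port

    def inbound(self, proto, dst_ip, dst_port):
        """Untrust -> trust packet: a static nat server mapping wins; otherwise only a
        reply to an existing PAT session is translated back, everything else gets None."""
        if (proto, dst_ip, dst_port) in NAT_SERVER:
            return NAT_SERVER[(proto, dst_ip, dst_port)]
        return self.sessions.get((dst_ip, dst_port))
```

The inbound path shows why only the nat server mapping exposes 10.10.10.2 to the internet: any other unsolicited packet has no session to map back to.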

6. Conclusion

That’s all about configuring network address translation (NAT) on the Huawei firewall model USG6000 from Tech Space KH. Hopefully you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.