H3C SecPath Series High-End Firewalls NAT and ALG Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Sof
3 NAPT Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses to be mapped to the same public IP
4 Internal server NAT hides the internal network structure, including the identities of internal hosts. However, some internal hosts such as an inter
5 A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS repl
6 Configuring NAT in the Web interface Configuration overview Configuring address translation A NAT gateway can be configured with or dynamically gen
7 Task Remarks Configuring a DNS mapping Optional. The DNS mapping feature enables an internal host to use the domain name to access an internal serv
8 Item Description End IP Address Specify the end IP address of the address pool. The end IP address must be identical to or higher than the start IP
9 Item Description Address Transfer Select an address translation mode: • PAT—Refers to NAPT. In this mode, associating an ACL with an address pool
10 Figure 8 Static NAT configuration page Figure 9 Adding static address mapping Table 6 Configuration item Item Description Internal VPN Instanc
11 Item Description ACL Specify the ACL number. If the acl-number argument is specified, the device performs NAT for the packets matching a specific
12 Figure 11 Internal server configuration page Figure 12 Adding an internal server
Copyright © 2011-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi
13 Table 8 Configuration items Item Description Interface Specify an interface to which the internal server policy is applied. Protocol Type Select
14 Configuring ACL-based NAT on the internal server Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page s
15 Figure 14 Adding the DNS-MAP Table 10 Configuration items Item Description Protocol Select the protocol supported by an internal server. Global
16 Figure 16 Defining ACL 2001 • Enter 2001 in ACL Number. • Select Config in Match Order. • Click Apply. • Click the icon in the Operation c
17 Figure 18 Configuring ACL 2001 to prohibit other users from accessing the Internet • Select Deny for Operation. • Click Apply. # Configure a NAT ad
18 Figure 20 Configuring dynamic NAT • Select GigabitEthernet0/1 for Interface. • Enter 2001 in ACL. • Select PAT for Address Transfer. • Enter
19 Configuration procedure # Configure the FTP server. • Select Firewall > NAT Policy > Internal Server from the navigation tree, click Add in
20 Figure 23 Configuring internal Web server 1 • Select GigabitEthernet0/1 for Interface. • Select 6(TCP) for Protocol Type. • Select the option
21 Figure 24 Configuring internal Web server 2 • Select GigabitEthernet0/1 for Interface. • Select 6(TCP) for Protocol Type. • Select the option
22 NOTE: • If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and
Preface The H3C SecPath Series High-End Firewalls documentation set includes 10 configuration guides, which describe the software features for the H3C
23 To configure net-to-net static NAT: Step Command 1. Enter system view. system-view 2. Configure a net-to-net static NAT mapping. nat static [ a
24 Step Command Remarks 1. Enter system view. system-view N/A 2. Configure an address pool. nat address-group group-number start-address end-addre
25 Configuring NAPT With a specific ACL associated with an address pool or interface address, NAPT translates the source address of a packet permitte
26 Configuring ACL-based NAT on an internal server This feature maps the destination address of an ACL-permitted packet to the internal server addres
27 One-to-one static NAT configuration example Network requirements As shown in Figure 25, an internal host 10.110.10.8/24 uses public address 202.38
28 [SecPath] nat address-group 1 202.38.1.2 202.38.1.3 # Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access the
29 # Configure the internal FTP server. [SecPath-GigabitEthernet0/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp # Configure
30 [SecPath] interface gigabitethernet 0/2 # Configure the internal Web server. [SecPath-GigabitEthernet0/2] nat server protocol tcp global 202.38.1.
31 5. Be aware of the possible effects that the firewall or the ACLs have on NAT, and note the route configurations. Symptom 2 The internal server f
32 Configuring NAT-PT NOTE: The NAT-PT configuration is available only at the command line interface (CLI). Overview Application scenario Because
Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times
33 port numbers so that these IPv6 hosts can share one IPv4 address to accomplish the address translation and save IPv4 addresses. NAT-PT prefix The
34 Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT device swaps the source and destination IPv4 addresses according to
35 NAT-PT configuration task list NAT-PT configuration task list on the IPv6 side Complete the following tasks to configure NAT-PT to allow active ac
36 Enabling NAT-PT After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the firewall can implement translation
37 Step Command 1. Enter system view. system-view 2. Configure a static IPv4/IPv6 address mapping on the IPv6 side. natpt v6bound static ipv6-addre
38 Step Command Remarks 3. Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side. • Associate an IPv6 ACL with an address pool: nat
39 Configuring a dynamic mapping policy on the IPv4 side A dynamic IPv4/IPv6 address mapping policy on the IPv4 side is that if the source IPv4 addre
40 Configuring static NAPT-PT mappings of IPv6 servers Generally, a server such as the FTP server, Web server, or Telnet server on an IPv6 network pr
41 NAT-PT configuration examples Configuring dynamic mapping on the IPv6 side Network requirements As shown in Figure 31, SecPath C with IPv6 address
42 <SecPathC> system-view [SecPathC] ipv6 # Configure a static route to the subnet with the NAT-PT prefix. [SecPathC] ipv6 route-static 3001::
43 [SecPathB-GigabitEthernet0/1] ip address 8.0.0.1 255.255.255.0 [SecPathB-GigabitEthernet0/1] natpt enable [SecPathB-GigabitEthernet0/1] quit [Sec
44 Initiator: Source IP/Port : 2001::0002/32768
45 Configuring ALG ALG overview The application level gateway (ALG) feature is used to process application layer packets. Usually, Network Address T
46 • GPRS Tunneling Protocol (GTP) The following describes the FTP operation on an ALG-enabled device. As shown in Figure 33, the host in the outsid
47 The host and the FTP server exchange data through the established data connection. Configuring ALG in the Web interface By default, the ALG functi
48 Figure 35 Network diagram Configuration procedure 1. Enable FTP ALG: By default, the FTP ALG function is enabled, and this step is optional. a
49 Figure 37 Adding ACL 2001 # Configure an ACL rule. a. Click the icon for ACL 2001 and then click Add. b. Select Permit as the operation, as
50 Figure 39 Adding a NAT address pool # Configure dynamic NAT: a. In the Dynamic NAT area, click Add. b. Configure dynamic NAT as shown in Figu
51 Figure 41 Configuring an internal FTP server SIP/H.323 ALG configuration example The H.323 ALG configuration is similar to the SIP ALG configura
52 By default, the SIP ALG function is enabled, and this step is optional. a. Select Firewall > ALG from the navigation tree. The Application La
53 # Create ACL rules: a. Click the icon for ACL 2001 and then click Add. b. Create an ACL rule as shown in Figure 45: Select Permit as the opera
54 Figure 47 Configuring a NAT address pool # Configure dynamic NAT: a. In the Dynamic NAT area, click Add. b. Configure dynamic NAT as shown in
55 Figure 49 Network diagram Configuration procedure 1. Enable NBT ALG: By default, the NBT ALG function is enabled, and this step is optional. a.
56 Figure 51 Configuring a static address mapping # Configure static NAT for interface GigabitEthernet 0/1: a. In the Interface Static Translatio
57 Figure 53 Configuring an internal WINS server d. In the Internal Server area, click Add. e. Configure an internal WINS server, which is simil
58 Enabling ALG at the CLI Step Command Remarks 1. Enter system view. system-view N/A 2. Enable ALG. alg { all | dns | ftp | gtp | h323 | ils | m
59 [SecPath-GigabitEthernet0/1] nat server protocol tcp global 5.5.5.10 ftp inside 192.168.1.2 ftp SIP/H.323 ALG configuration example The H.323 ALG
60 Configure NAT and ALG on the SecPath so that Host A uses 5.5.5.9 as its external IP address, the WINS server uses 5.5.5.10 as its external IP addr
1 Configuring NAT Overview Introduction to NAT Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header
2 table for the mapping, replaces the destination address with the private address of 192.168.1.3, and then sends the new packet to the internal host