03 Access Control Practices

This document provides a summary of access control practices and Hillstone security policy configuration. It discusses security zones, system architecture, interface configuration, policy rules, and basic policy elements such as source/destination zones and addresses, services, and permit/deny actions. It also provides examples of configuring policies through the CLI and security policy page. The key aspects covered are dividing the network into security zones, binding interfaces to zones, and creating rules to control traffic flows between zones.

Chapter 3: Access Control Practices

Reshape.Security
Embrace Cyber Resilience

© 2022 Hillstone Networks | All rights reserved.


Agenda

• StoneOS System Architecture
• Security Policy
• Network Deployment Mode
• Route Technology
• NAT Technology

2 | See. Understand. Act. © 2022 Hillstone Networks | All rights reserved.


System Architecture Contents:

• Security Zone
• StoneOS System Architecture
• Interface Configuration



Security Zone

A security zone, or simply a zone, is a collection of one or more interfaces or network segments. It is the main feature that distinguishes a firewall from a router.

• The firewall uses security zones to divide the network; the security check is triggered only when traffic flows between security zones.

• You can apply policy rules to zones so that the device controls traffic transmission among zones. Zones are independent of physical interfaces, which makes security rules more flexible.



Predefined Security Zone
There are Layer 2 zones and Layer 3 zones: Layer 2 zones work in Layer 2 mode and Layer 3 zones work in Layer 3 mode.

There are 8 predefined security zones in StoneOS: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, VPNHub and HA.

You can also create custom security zones. Predefined security zones and user-defined security zones are functionally identical, and you can use them as needed.



StoneOS System Architecture

• The system architecture of StoneOS includes the following components:
  • Zones
    – L2 Zone
    – L3 Zone
  • Interfaces
  • Virtual Switch
  • Virtual Router
  • Policy



StoneOS Architecture Diagram
[Diagram: physical interfaces Eth0/0 to Eth0/4 at the bottom bind to zones; L2-Zone1 and L2-Zone2 (L2 zone layer) attach to V-Switch instances, each of which exposes a vswitchif logical interface; L3-Zone1 and L3-Zone2 (L3 zone layer) attach to the V-Router Trust-VR. Legend: physical interface, logical interface, binding.]


Interface Type

§ Hillstone products provide a variety of interface types, which can be classified as physical interfaces and logical interfaces:
• Physical interface: every Ethernet port on the device is a physical interface
• Logical interface:
Ø VSwitchif
Ø Sub-interface
Ø VLAN interface
Ø Tunnel interface
Ø Aggregate interface
Ø Redundant interface
§ According to the zone they are bound to, interfaces can also be categorized into Layer 2 interfaces and Layer 3 interfaces.



IP Type

• Static IP
• DHCP
• PPPoE



Static Interface
Network > Interface, select the interface, click the 『Edit』 button, select a Layer 3 zone and configure the static IP.



DHCP Interface
Network > Interface, select the interface, click the 『Edit』 button, select a Layer 3 zone, set the IP type to "DHCP" and enable default route generation.



Zone, vSwitch and vRouter
Strict hierarchy of interface, zone, vSwitch and vRouter:
• An L2-Zone is bound to a virtual switch.
• An L3-Zone is bound to a virtual router.
• An interface is bound to a security zone.
• An interface can only be bound to one zone.
• A zone may contain multiple interfaces.
• An interface bound to an L2-Zone is called an L2 interface.
• An interface bound to an L3-Zone is called an L3 interface.
• An L3 interface has its own IP address and management services.

[Diagram: L2-Zone bound to a Virtual Switch; L3-Zone bound to a Virtual Router]



2 Security Policy



Security Policy
• Security policy is the basic function of a network security appliance.

• Policy is designed to control traffic forwarding between security zones/segments. By default, Hillstone devices deny all traffic between security zones/segments.

• Based on the policy rules, the policy identifies which flows between security zones or segments are permitted and which are denied.



Basic Elements of Policy Rules
• Policy filtering conditions:
– Source Zone/Address - The source zone/address of the traffic.
– Destination Zone/Address – The destination zone/address of the traffic.
– Service – The service type of the traffic.
– *User
– *Application
– *VLAN – The VLAN ID of the traffic.

• Action:
– Permit
– Deny
– Security Connection
– WebAuth
– Tunnel, From tunnel
Configure Policy Rule (CLI)
• To enter the policy configuration mode, in global configuration mode, use the following command:
• policy-global
• After entering the policy configuration mode, to create a policy rule, use the following command:
• rule [id id] [top | before id | after id] [role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-name user-group-name] from src-addr to dst-addr service service-name {permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth | portal-server}
• id id - Specifies the ID of the policy rule. If not specified, the system will automatically assign an ID to the policy rule.
• top | before id | after id - Specifies the location of the policy rule. By default, the newly-created policy rule is located at the end of all the rules.
• from src-addr - Specifies the source address of the policy rule.
• to dst-addr - Specifies the destination address of the policy rule.
• service service-name - Specifies the service name of the policy rule.
• permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth aaa-server | portal-server - Specifies the action of the policy rule.



Policy Configuration(CLI)

• Enter global configuration mode


Ø SG-6000# configure
• Enter policy configuration mode
Ø SG-6000(config)# policy-global
• Configure Policy Rule
Ø SG-6000(config-policy)# rule from address-book1 to any from-zone trust to-zone untrust service any permit
• Check Policy Configuration
Ø show policy [id id] [from src-zone] [to dst-zone]
• id id – Shows the detailed information of the specified policy rule.
• from src-zone – Shows the detailed information of the policy rule whose source security zone is the specified
zone.
• to dst-zone – Shows the detailed information of the policy rule whose destination security zone is the
specified zone.



Policy Filtering Condition and Action
Policy > Security Policy, click 『New』 to create a policy.

[Diagram: PC User (192.168.10.10) connected to Eth0/1 in zone trust; Eth0/4 in zone untrust connected to the Internet and the web server www.hillstonenet.com]



Matching Sequence Example
• According to the network topology below, can the PC access the FTP server? Which policy rule will be matched?

[Diagram: PC2 (.2) and PC3 (.3) on 192.168.10.0/24 behind E0/1 (trust, .1); E0/4 (untrust) connected to the Internet and the FTP server]



Matching Sequence of Policy Rules

• The first packet of a flow is matched against the policy rules.

• Matching sequence of policy rules:
  - When traffic flows into a Hillstone device, the device queries the policy rules in the list in turn (from top to bottom, not according to policy ID) and processes the traffic according to the first matched rule.

• The default policy rule denies all traffic.



Policy Position
• Policy > Security Policy, edit a policy rule and click 『Options』 to change the position of this policy.



Check / Move the Policy Position
• Policy > Security Policy

• To move a policy rule, in the policy rule configuration mode, use the following
command:
Ø move id {top | bottom | before id | after id}



Security Policy Matching Principles



Object

• Object includes:
Ø Address Book

Ø Host Book

Ø Service Book

Ø APP Book

Ø Schedule

Ø *AAA server, User and Role

Ø *Track Object



Configure Address Book (WebUI)
Object > Address Book, click 『New』



Host Book
Object > Host Book, click 『New』. Regular expressions are also supported.



Service Book (WebUI)
Object > Service Book > Service
Here you can see the predefined services.

CLI: show service predefined



User-defined Service(WebUI)



User-defined Service Group (WebUI)
• Service Group: put the related services into a group to simplify configuration.



Application Book
Object > APP Book > Application
You can view or edit the predefined applications; the predefined applications are updated online automatically.

CLI: show application predefined


Schedule

• A schedule consists of days and a timeframe.

• A schedule controls when certain functions take effect; for example, it allows a policy rule to take effect only in a specified period, and it can also be applied in other function modules.

• The system time must be set correctly before using schedules.
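As an added illustration (not Hillstone code), the following model shows how a schedule gates a policy rule: the rule contributes its action only while the schedule is active, and a timeframe that ends before it starts wraps past midnight. The schedule values, rule name and the helper names `active_at` and `effective_action` are constructed for this example.

```python
# Added illustration (not Hillstone code): a schedule gates a policy rule.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Schedule:
    days: FrozenSet[int]   # 0 = Monday ... 6 = Sunday
    start: time            # timeframe start (inclusive)
    end: time              # timeframe end (exclusive)

    def active_at(self, now: datetime) -> bool:
        """True if `now` falls on one of the days and inside the timeframe.
        A timeframe that ends before it starts (e.g. 22:00-06:00) wraps past midnight;
        the early-morning part belongs to the day on which the period began."""
        t = now.time()
        if self.start < self.end:
            return now.weekday() in self.days and self.start <= t < self.end
        if t >= self.start:                      # evening part of a wrapped period
            return now.weekday() in self.days
        # morning part of a wrapped period: counted against the previous day
        return t < self.end and (now.weekday() - 1) % 7 in self.days


# Constructed "office hours" schedule: Monday to Friday, 09:00 to 18:00
OFFICE_HOURS = Schedule(frozenset(range(0, 5)), time(9, 0), time(18, 0))


@dataclass
class Rule:
    name: str
    action: str
    schedule: Optional[Schedule] = None   # None means the rule is always in effect


def effective_action(rule: Rule, now: datetime) -> Optional[str]:
    """Action the rule contributes at `now`; None means the rule is skipped.
    The decision depends on the system clock, which is why it has to be correct."""
    if rule.schedule is None or rule.schedule.active_at(now):
        return rule.action
    return None


# Constructed rule: block game applications, but only during office hours
BLOCK_GAMES = Rule("deny-game-apps", "deny", OFFICE_HOURS)
```

A rule whose schedule is inactive is skipped entirely, so the traffic falls through to the next rule or to the default deny; the rule is not turned into a permit.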



Create a Schedule
Object > Schedule. Click 『New』 to create a schedule.



Apply Schedule to a Policy Rule
• Click Security > Security Policy. Click 『New』 to create a policy rule that blocks game application access from the trust zone to the untrust zone and only takes effect in the specified schedule.



Task 3: Traffic Access Between Zones

[Topology: zone Office with Office_User on 192.168.40.0/24 (.10, gateway .1); zone IDC with IDC_Server 10.60.60.10 on 10.60.60.0/24 (gateway .1); Internet01 on 2xx.0.0.0/24 (.200) via E0/4; Internet02 on 100.1.1.0/28 (.2, gateway .1) via E0/3; E0/1 and E0/2 face the internal zones; a 10.50.50.0/24 segment is also shown]
Task 3: Traffic Access Between Zones

• Intercommunication between the office area and the data center area needs to be established with security, data isolation and access control in mind, to ensure the confidentiality, integrity and availability of data. At the same time, compliance with national and industry security requirements has to be considered to ensure effective protection of the information system.
Ø Dividing the network into security zones simplifies subsequent management and maintenance.
Ø Security zone for the office area: Office
Ø Security zone for the data center: IDC
Ø ICMP traffic from the Office zone to the IDC zone is prohibited.
Ø The Office zone is allowed to access the FTP and HTTP services of IDC_Server in the IDC zone, and the access traffic should be logged.



Policy Global Configuration

• Multi-Security Zone Mode
Ø A policy rule can be configured with multiple security zones simultaneously, which reduces the number of policies required in the system and simplifies policy management.

• Single-Security Zone Mode
Ø A policy rule supports only one source zone and one destination zone.

• By default, the system uses single-security zone mode.



Policy Hit Count
• Statistics of policy hits, which can be used to judge whether a policy is still useful.

SG-6000# show policy hit-count //CLI

Most hit policy rules:
================================================================================================
No. Id   Name    Src-zone  Dst-zone  Src-addr  Dst-addr  Service  Applica~  Action  Hit-count
------------------------------------------------------------------------------------------------
1   2    vpn     trust     untrust   vpn       branch1   Any                PERMIT  1053
2   3    office  trust     untrust   prov..    dmz       Any                PERMIT  579
3   4            untrust   trust     dmz       Any       Any                PERMIT  0
4   1            Any       Any       Any       Any       Any                PERMIT  1012
5   dft  Any  Any  0
================================================================================================
Policy Redundancy Check



Policy Import/Export
• Only the DAT format is supported.



Session Displayed in Policy
• Session detail can be checked in policy directly under WebUI.



Mini Policy
• In automated operations and maintenance scenarios, the configured policies are often very detailed. The consequence is a large number of policies. As the number of policies grows, the conventional policies currently in use become bottlenecks in terms of query speed, system resource consumption and device startup speed.
• To meet this requirement, a more streamlined and higher-specification form of policy is needed. The mini-policy format supports fewer dimensions and dimension types, which fulfils this requirement.
• In terms of dimensions, a mini-policy supports only the following: source zone, destination zone, source address, destination address, service entry, action and description. Source and destination addresses can only be configured as a single IP, service entries support specifying protocol numbers and ports, and the action only supports "deny" and "permit".



Mini Policy Principles

• The policy matching priority is as follows: Mini-policy > Security policy > Default action.
• It is not possible to adjust the priority of mini-policies and security policies.

• Mini-policies do not have a sequential relationship, and it is not possible to move mini-policies.

• Before deploying new mini-policies, a relevance check will be performed to ensure that the mini-policies are
completely unrelated to each other.
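The following model ties together the matching sequence slide (first match from top to bottom, list position rather than rule ID, default deny), the `show policy hit-count` output, the Task 3 requirements and the mini-policy principles above. It is an added illustration, not Hillstone or StoneOS code: the zone names, addresses and rule IDs are constructed from the Task 3 topology (Office 192.168.40.0/24, IDC_Server 10.60.60.10), and the `PolicyEngine`, `Rule` and `Flow` classes are assumptions of this example.

```python
# Added illustration: a small model of StoneOS-style policy matching. It is NOT
# Hillstone code. Zone names, addresses and rule IDs are constructed from the
# Task 3 topology (Office 192.168.40.0/24, IDC_Server 10.60.60.10).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Service = Tuple[str, int]            # (protocol, destination port); port 0 for icmp


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: int = 0                # 0 for icmp


@dataclass
class Rule:
    rule_id: int
    src_zone: str                    # zone name or "any"
    dst_zone: str
    src_addr: str                    # CIDR or "any"
    dst_addr: str
    services: Tuple[Service, ...]    # empty tuple means service "any"
    action: str                      # "permit" or "deny"
    log: bool = False
    hit_count: int = 0

    def matches(self, f: Flow) -> bool:
        def zone_ok(want: str, got: str) -> bool:
            return want == "any" or want == got

        def addr_ok(want: str, got: str) -> bool:
            return want == "any" or ip_address(got) in ip_network(want)

        svc_ok = not self.services or (f.proto, f.dst_port) in self.services
        return (zone_ok(self.src_zone, f.src_zone) and zone_ok(self.dst_zone, f.dst_zone)
                and addr_ok(self.src_addr, f.src_ip) and addr_ok(self.dst_addr, f.dst_ip)
                and svc_ok)


@dataclass
class PolicyEngine:
    # Mini-policies: (src ip, dst ip, proto, port) -> action. They have no order and the
    # deployment check keeps them disjoint, so an exact-match dictionary models them.
    mini: Dict[Tuple[str, str, str, int], str] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)   # list order = matching order
    default_hits: int = 0

    def lookup(self, f: Flow) -> Tuple[object, str, bool]:
        """(matched rule id, action, log?) with priority mini-policy > security policy > default."""
        key = (f.src_ip, f.dst_ip, f.proto, f.dst_port)
        if key in self.mini:
            return ("mini", self.mini[key], False)
        for r in self.rules:                      # first match, top to bottom, not by rule ID
            if r.matches(f):
                r.hit_count += 1
                return (r.rule_id, r.action, r.log)
        self.default_hits += 1                    # the default policy denies everything else
        return ("dft", "deny", False)

    def move(self, rule_id: int, where: str, ref_id: Optional[int] = None) -> None:
        """Same semantics as 'move id {top | bottom | before id | after id}'."""
        r = next(x for x in self.rules if x.rule_id == rule_id)
        self.rules.remove(r)
        if where == "top":
            self.rules.insert(0, r)
        elif where == "bottom":
            self.rules.append(r)
        else:
            idx = next(i for i, x in enumerate(self.rules) if x.rule_id == ref_id)
            self.rules.insert(idx if where == "before" else idx + 1, r)

    def hit_count_table(self) -> List[Tuple[str, int]]:
        """Rows in list order plus the default rule, like 'show policy hit-count'."""
        return [(str(r.rule_id), r.hit_count) for r in self.rules] + [("dft", self.default_hits)]


FTP, HTTP, ICMP = ("tcp", 21), ("tcp", 80), ("icmp", 0)


def task3_engine() -> PolicyEngine:
    """Constructed rule set for the Task 3 requirements (Office -> IDC)."""
    return PolicyEngine(rules=[
        Rule(10, "Office", "IDC", "any", "10.60.60.10/32", (ICMP,), "deny"),
        Rule(20, "Office", "IDC", "192.168.40.0/24", "10.60.60.10/32", (FTP, HTTP), "permit", log=True),
        Rule(30, "Office", "IDC", "any", "any", (), "permit"),   # over-broad catch-all kept at the bottom
    ])


def demo():
    eng = task3_engine()
    ping = Flow("Office", "IDC", "192.168.40.10", "10.60.60.10", "icmp")
    web = Flow("Office", "IDC", "192.168.40.10", "10.60.60.10", "tcp", 80)
    ssh_from_outside = Flow("untrust", "IDC", "203.0.113.5", "10.60.60.10", "tcp", 22)
    results = [eng.lookup(ping), eng.lookup(web)]     # rule 10 deny, rule 20 permit with logging
    eng.move(10, "bottom")                             # the catch-all now shadows the ICMP deny
    results.append(eng.lookup(ping))                   # rule 30 permit: list position decides, not ID
    eng.mini[("192.168.40.10", "10.60.60.10", "icmp", 0)] = "deny"
    results.append(eng.lookup(ping))                   # mini-policy wins over every security rule
    results.append(eng.lookup(ssh_from_outside))       # no rule matches: default deny
    return results, eng.hit_count_table()
```

Running `demo()` shows the two points the slides make about ordering: moving the specific ICMP deny below the broad permit changes the verdict for the same packet, which is exactly the situation a redundancy check or a zero hit count should make you look at, and a mini-policy entry overrides the security policy list regardless of where any rule sits.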



Endpoint Share Access Detect Principles

• Share Access Identification Method:
  • The terminal information behind the accessing IP is identified through the HTTP User-Agent, including the terminal brand/model (only for mobile terminals) and the operating system (including PC terminals).
• Share Access Control Method:
  • The controlled member is the accessing IP, and the control condition is the maximum number of share access endpoints allowed under the monitored IP. An IP that exceeds the limit of accessing terminals is controlled. The control actions include:
  • Warning: logs the event and pushes a warning page to the user, interfering with the user's network access. The control duration can be set; after the duration elapses, the control is lifted automatically and the identification process restarts.
  • Logging Only: only logs the IP whose behavior exceeds the limit; network access is not affected.
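As an added illustration (not Hillstone code) of the identification and control logic just described, the following script counts distinct terminals behind each source IP from a constructed HTTP access log, using the parenthesised platform token of the User-Agent as a coarse terminal identity, and reports the IPs that exceed the limit with the configured action. The log lines, the `max_terminals` limit and the function names are all constructed for this example; the real signature database does a far finer classification than this regex.

```python
# Added illustration (not Hillstone code) of share-access detection: terminals behind
# one source IP are told apart by the platform token of the HTTP User-Agent, and an IP
# whose distinct-terminal count exceeds the limit gets the configured action.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed HTTP access log: "src-ip<TAB>user-agent"
SAMPLE_LOG = """\
10.1.1.5\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36
10.1.1.5\tMozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36
10.1.1.5\tMozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1
10.1.1.5\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36
10.1.1.9\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/605.1.15 Safari/17.2
10.1.1.9\tcurl/8.4.0
"""

PLATFORM = re.compile(r"\(([^)]*)\)")


def terminal_fingerprint(user_agent: str) -> str:
    """Coarse terminal identity: the first parenthesised platform token of the UA
    (OS for PCs, OS plus brand/model for mobiles). A UA without one counts as its own terminal."""
    m = PLATFORM.search(user_agent)
    return m.group(1).strip() if m else user_agent.strip()


def terminals_per_ip(log_text: str) -> Dict[str, Set[str]]:
    """Map each source IP to the set of distinct terminal fingerprints seen behind it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, ua = line.split("\t", 1)
        seen[ip].add(terminal_fingerprint(ua))
    return seen


def evaluate(log_text: str, max_terminals: int, mode: str = "warning",
             duration_min: int = 30) -> List[Tuple[str, int, str]]:
    """Return (ip, terminal_count, decision) for every IP over the limit.
    mode "warning": warning page for duration_min minutes, then identification restarts;
    mode "log-only": the event is recorded and traffic is left untouched."""
    findings = []
    for ip, terms in sorted(terminals_per_ip(log_text).items()):
        if len(terms) > max_terminals:
            decision = f"warn-page for {duration_min} min" if mode == "warning" else "log only"
            findings.append((ip, len(terms), decision))
    return findings
```

Note the repeated Windows line for 10.1.1.5: identification is about distinct terminals, not request volume, so the same PC browsing twice still counts once. Tools such as `curl` carry no platform token and are counted as a terminal of their own, which is one reason a log-only run is the sensible first step before enabling the warning action.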



Share Access Detect Signature Database

• Check share access detect signature information:


Ø show share-access-detect signature info

• Online update the share access detect signature database:


Ø exec share-access-detect signature update

• Offline import share access detect signature database:


Ø import share-access-detect signature from ftp server A.B.C.D xx.sig
Ø import share-access-detect signature from tftp server A.B.C.D xx.sig



Share Access Common Scenario – Wireless Router Sharing
• Wireless Router Sharing:
• Through a wireless router, all terminal devices access the network using the WAN port IP 200.1.1.1.



Share Access Common Scenario – Laptop or Cellphone Hotspot
• Laptop or Cellphone Hotspot:
• Through a hotspot or software sharing, all terminal devices access the network using the IP 200.1.1.1.



3 Network Deployment Mode



Routing Mode

• Routing mode is often used together with the NAT (Network Address Translation) function, hence it is also known as "NAT mode". In routing mode, each interface has an IP address and belongs to a Layer 3 security zone. In this configuration, the device provides both routing and security policy functionality.
• Characteristics of Routing Mode:
  • Interfaces are bound to Layer 3 security zones.
  • Routing is configured as needed.
• Advantages:
  • Suitable for deployment at network boundaries.
  • Can replace traditional egress routers.

[Diagram: E0/4 (untrust) to the Internet; E0/1 (trust) to 192.168.10.0/24; E0/2 (dmz) to 192.168.20.0/24]



Transparent Mode

• Transparent mode, also known as "bridge mode" or "transparent bridging mode", is suitable for scenarios where routers and switches are already deployed in the original network and users do not want to modify the existing network. In this scenario, the firewall is used only for security protection.
• Characteristics of Transparent Mode:
  • Interfaces are bound to Layer 2 security zones.
  • The management IP address is configured on the vswitchif interface.
• Advantages:
  • No need to modify the existing network architecture.
  • Faster and more stable deployment.

[Diagram: Internet; upstream LAN interface 192.168.10.254/24; firewall E0/4 (L2-untrust) and E0/1 (L2-trust); host 192.168.10.10/24]
Tap Mode

• Certain device functions such as IPS, AV, statistical sets and network behavior control can operate in either inline mode or tap mode. When the device operates in tap mode, it only performs statistics, scanning or logging on the traffic without forwarding it.
• Characteristics of Tap (bypass) Mode:
  • Interfaces are bound to tap security zones.
  • Only performs statistics, scanning or logging on the traffic.
• Advantages:
  • No network changes required.
  • Network traffic is not affected by device failures.

[Diagram: Internet; upstream LAN interface 192.168.10.254/24; a mirror port feeds the firewall interface in zone TAP; host 192.168.10.10/24]
Mix Mode

• Mix Mode:
  • If a user's network requires firewall configuration for both Layer 2 interfaces (transparent mode) and Layer 3 interfaces (routing mode), the firewall operates in mix mode.

[Diagram: E0/4 (untrust) to the Internet; E0/1 (l2-trust) and E0/2 (l2-dmz) bridged through vSwitchif1 (trust, 192.168.10.254/24); both segments are 192.168.10.0/24 with gateway 192.168.10.254]



4 Route Technology



Routing Principles

• Routing is a fundamental concept in data communication networks. It refers to the activity of transmitting information from a source address to a destination address through interconnected networks. Routing occurs at the third layer (network layer) of the OSI reference model. When a device receives an IP packet, it looks up the destination IP address in its routing table to find the "best match" routing entry. The device then forwards the packet based on the egress interface or next-hop IP indicated by the routing entry.
• Routing Table: the firewall looks up its local routing table to determine the best route and distributes the best route to the Forwarding Information Base (FIB) table. The FIB table guides packet forwarding.



Routing Type

• StoneOS supports the following routing types:


Ø Destination Route(Static Route, Dynamic Route, ISP Route)
Ø Destination Interface-based Route
Ø Source-Based Route
Ø Source Interface-Based Route
Ø Policy-based Route



Configure Destination Route (Static Route) (CLI)
• To enter the VRouter configuration mode, in the global configuration mode, use the following command:
• ip vrouter trust-vr

• To add a destination route, in the VRouter configuration mode, use the following command:
• ip route {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name} [distance-value] [weight weight-value]
– A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the destination address.
– A.B.C.D | interface-name - Specifies the type of next hop:
• a gateway address (A.B.C.D) or an interface (interface-name)
• If the next hop type is interface, you can only select a tunnel interface, Null interface or PPPoE interface.
– distance-value - Specifies the administrative distance of the route. The smaller the value, the higher the priority.
– weight-value - Specifies the weight value: the weight ratio of traffic forwarding in load balancing.
Routing Example: Distance

ip route 100.1.1.0/24 122.1.1.1 10
ip route 100.1.1.0/24 133.1.1.2 1

[Diagram: server 100.1.1.1/24 reachable through ISP 1 (GW 122.1.1.1, via Ethernet0/3, untrust) and ISP 2 (GW 133.1.1.2, via Ethernet0/4, untrust); LAN1 192.168.1.0/24 on Ethernet0/1 (trust) and LAN2 192.168.2.0/24 on Ethernet0/2 (trust)]
Destination Route (Static Route)
• Network > Routing, select Destination Route and click the 『New』 button.
• The default route is a special destination route: its destination is 0.0.0.0 and its netmask is 0.

Only when the next hop is a Tunnel, Null or PPPoE interface is the "Interface"-based route used.



ISP Route

• Many users subscribe to multiple links to load-balance their traffic. However, conventional load balancing does not consider the flow destination, which can result in slow network speeds if a server reachable through one ISP is accessed via another ISP. To address this, Hillstone devices offer the ISP routing function, which allows traffic for different ISPs to be routed through dedicated routes, thereby improving network speed.
• To configure ISP routing, users first add subnet entries to an ISP profile and then configure ISP routes with the ISP name as the destination. Users can customize the ISP information or upload a configuration file containing the information of different ISPs.



ISP Profile
• An ISP profile contains the IP ranges of this ISP.

SG-6000(config)# isp-network Education
SG-6000(config-isp)# subnet 217.1.1.199/24
ISP Route
• Reference the ISP profile to generate the ISP routes automatically:

SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# ip route Education 200.1.1.254



Check ISP Route
• The ISP route is listed under the destination routes; its precedence is 10.



Policy-based Routing (PBR)

• Policy-based routing (PBR) selects a route and forwards data based on the source IP address, destination IP address and service type of a packet.

• To create a policy-based route, take the following steps:
1. Create a PBR
2. Create a PBR rule



Create PBR
Network > Routing select Policy-based Routing, click 『New』button
and select PBR



Create PBR Rule
Network > Routing, select Policy-based Routing, click『New』button and
select Rule



Policy-based Routing Priority
• The PBR bindings are checked first; the default priority of policy routing bindings is as follows:
Ø Interface > Zone > Virtual Router

• Rules bound to one PBR are matched from top to bottom.

• Only one PBR can be bound to an interface / security zone / virtual router.



Destination Interface-based Route, Source-based Route, and Source Interface-based Route
• Destination Interface-based Routing:
  • Selects a route and forwards data based on the destination network segment and ingress interface of a packet.

• Source-based Routing:
  • Selects a route and forwards data based on the source IP address of the packet.

• Source Interface-based Routing:
  • Selects a route and forwards data based on the source IP address and ingress interface of the packet.



Routing Sequence

• Routing sequence:
Ø Policy-based route → Source interface-based route → Source-based route → Destination interface-based route → Destination route / ISP route / dynamic route
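The following model is an added illustration (not Hillstone code) of the route selection order just listed, combined with the distance example (`ip route 100.1.1.0/24 122.1.1.1 10` versus `ip route 100.1.1.0/24 133.1.1.2 1`) and the ISP route (`isp-network Education` with `subnet 217.1.1.199/24`, then `ip route Education 200.1.1.254`, precedence 10). The addresses and next hops are the ones on those slides; the packets, the PBR rule and the class and function names (`DestinationTable`, `select_next_hop`) are constructed, and PBR is reduced to source/destination prefixes without the service dimension.

```python
# Added illustration (not Hillstone code) of StoneOS-style route selection:
# PBR > source-interface route > source route > destination-interface route >
# destination table (static / ISP / dynamic), where the destination table picks
# the longest prefix and, among equal prefixes, the lowest administrative distance.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    distance: int = 1      # administrative distance: lower wins among equal prefixes


class DestinationTable:
    """Destination routes (static, ISP, dynamic): longest prefix, then lowest distance."""
    ISP_DISTANCE = 10      # precedence shown on the "Check ISP Route" slide

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, distance: int = 1) -> None:
        self.routes.append(Route(prefix, next_hop, distance))

    def add_isp(self, isp_subnets: List[str], next_hop: str) -> None:
        # 'ip route <isp-name> <gw>' expands to one route per subnet of the ISP profile
        for subnet in isp_subnets:
            self.add(subnet, next_hop, self.ISP_DISTANCE)

    def lookup(self, dst: str) -> Optional[Route]:
        best: Optional[Tuple[Tuple[int, int], Route]] = None
        for r in self.routes:
            net = ip_network(r.prefix, strict=False)   # profile entries may use a host form
            if ip_address(dst) not in net:
                continue
            key = (net.prefixlen, -r.distance)         # longer prefix first, then lower distance
            if best is None or key > best[0]:
                best = (key, r)
        return best[1] if best else None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str


def select_next_hop(pkt: Packet, pbr, src_if_routes, src_routes, dst_if_routes,
                    dest_table: DestinationTable) -> Tuple[str, Optional[str]]:
    """Apply the slide's order and return (which stage decided, next hop)."""
    for src_net, dst_net, nh in pbr:                      # PBR rule: (src prefix, dst prefix, next hop)
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return ("pbr", nh)
    for in_if, src_net, nh in src_if_routes:              # (ingress interface, src prefix, next hop)
        if pkt.in_if == in_if and ip_address(pkt.src) in ip_network(src_net):
            return ("source-interface", nh)
    for src_net, nh in src_routes:                        # (src prefix, next hop)
        if ip_address(pkt.src) in ip_network(src_net):
            return ("source", nh)
    for in_if, dst_net, nh in dst_if_routes:              # (ingress interface, dst prefix, next hop)
        if pkt.in_if == in_if and ip_address(pkt.dst) in ip_network(dst_net):
            return ("destination-interface", nh)
    r = dest_table.lookup(pkt.dst)
    return ("destination", r.next_hop) if r else ("none", None)


def build_example():
    """Destination table and PBR rule built from the slides' values (PBR rule constructed)."""
    table = DestinationTable()
    table.add("0.0.0.0/0", "122.1.1.1")                   # constructed default route via ISP 1
    table.add("100.1.1.0/24", "122.1.1.1", 10)            # ip route 100.1.1.0/24 122.1.1.1 10
    table.add("100.1.1.0/24", "133.1.1.2", 1)             # ip route 100.1.1.0/24 133.1.1.2 1
    table.add_isp(["217.1.1.199/24"], "200.1.1.254")      # isp-network Education, ip route Education 200.1.1.254
    pbr = [("192.168.2.0/24", "0.0.0.0/0", "122.1.1.1")]  # constructed: LAN2 always leaves via ISP 1
    return table, pbr
```

Two things worth checking in the test below: the ISP route wins over the default route purely on prefix length, while a static route on the same /24 (distance 1) displaces the ISP route (distance 10); and a PBR hit for LAN2 overrides the destination table even though the table would have chosen ISP 2 for that destination.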



5 NAT Technology



Why We Need NAT?
• NAT Background:
Ø IPv4 exhaustion
Ø IPv4 address-extending technologies were introduced, of which NAT is the one in efficient use
Ø IPv6 is not yet widely adopted

• RFC1918 defines three private IP address ranges as follows. These IP addresses are not allocated on the Internet, so you can use them freely in an enterprise network.
Ø Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Ø Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Ø Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

• Private addresses cannot be transmitted on the Internet.



NAT Concept

• NAT (Network Address Translation) is a protocol to translate the IP address within an IP packet
header to another IP address.
• When the IP packets pass through a firewall, firewall will translate the source IP address and/or
the destination IP address in the IP packets.
• In practice, NAT is mostly used to allow the private network to access the public network, or
vice versa.



SNAT Classification

[Diagram: Office_User 192.168.40.10 in zone Office behind Ethernet0/2 (192.168.40.1); Ethernet0/3 (100.1.1.2) in zone Internet02 towards the Internet and a server 180.1.1.2. IP packet 1 before source NAT: source IP 192.168.40.10, destination IP 180.1.1.2; after source NAT: source IP 100.1.1.2, destination IP 180.1.1.2]

• Static NAT:
  • Translates a private IP address from the internal network into a public IP address. It follows a one-to-one mapping, where each IP address is translated to a specific public IP address.
• Dynamic-IP NAT:
  • Dynamic source NAT involves a multiple-to-multiple translation. In this mode, the source addresses are translated to the specified IP addresses. Each source address is mapped to a unique IP address until all the specified addresses are occupied.
• Dynamic-Port NAT:
  • Multiple source addresses are translated into one of the addresses specified in the IP address entry.
  • Sticky: when enabled, all sessions generated by each source IP are mapped to the same fixed IP address.
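As an added illustration (not Hillstone code) of the three modes above, the following model translates the source of new sessions in static, dynamic-IP and dynamic-port mode, with and without sticky. The pool (123.1.1.2 and 123.1.1.3), the Office client addresses, the port allocator and the `SourceNAT` class are constructed for this example; how StoneOS actually allocates addresses and ports is not modelled.

```python
# Added illustration (not Hillstone code) of the three source NAT modes on the
# "SNAT Classification" slide. Pool, client addresses and port allocation are constructed.
from itertools import count
from typing import Dict, List, Optional, Tuple


class SourceNAT:
    """One SNAT rule: translate the source of a new session according to the mode."""

    def __init__(self, mode: str, pool: List[str], sticky: bool = False,
                 sources: Optional[List[str]] = None) -> None:
        if mode not in ("static", "dynamicip", "dynamicport"):
            raise ValueError("unknown SNAT mode: " + mode)
        self.mode, self.pool, self.sticky = mode, list(pool), sticky
        # static: fixed one-to-one mapping, i-th source address <-> i-th pool address
        self.ip_map: Dict[str, str] = dict(zip(sources or [], pool)) if mode == "static" else {}
        self.next_port = count(10000)   # constructed allocator for translated ports
        self.rr = 0                     # round-robin cursor for dynamicport without sticky

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Translated (ip, port) for a new session from src_ip, or None if nothing is available."""
        if self.mode == "static":
            ip = self.ip_map.get(src_ip)
            return (ip, src_port) if ip else None
        if self.mode == "dynamicip":
            # many-to-many: each source keeps its own pool address until the pool is used up
            if src_ip not in self.ip_map:
                free = [ip for ip in self.pool if ip not in self.ip_map.values()]
                if not free:
                    return None           # all specified addresses are occupied
                self.ip_map[src_ip] = free[0]
            return (self.ip_map[src_ip], src_port)
        # dynamicport: all sources share the pool; sessions are told apart by translated port
        if self.sticky and src_ip in self.ip_map:
            ip = self.ip_map[src_ip]
        else:
            ip = self.pool[self.rr % len(self.pool)]
            self.rr += 1
            if self.sticky:
                self.ip_map[src_ip] = ip  # pin this source to one address for all its sessions
        return (ip, next(self.next_port))


POOL = ["123.1.1.2", "123.1.1.3"]   # constructed two-address pool


def walk_through() -> Dict[str, list]:
    """Drive each mode with the same three Office clients and collect the results."""
    clients = ["192.168.40.10", "192.168.40.11", "192.168.40.12"]
    out: Dict[str, list] = {}
    static = SourceNAT("static", POOL, sources=clients[:2])
    out["static"] = [static.translate(c, 40000) for c in clients]
    dyn_ip = SourceNAT("dynamicip", POOL)
    out["dynamicip"] = [dyn_ip.translate(c, 40000) for c in clients]
    dyn_port = SourceNAT("dynamicport", POOL)
    out["dynamicport"] = [dyn_port.translate(clients[0], p) for p in (40000, 40001, 40002)]
    sticky = SourceNAT("dynamicport", POOL, sticky=True)
    out["sticky"] = ([sticky.translate(clients[0], p) for p in (40000, 40001)]
                     + [sticky.translate(clients[1], 40000)])
    return out
```

The third client in the static and dynamic-IP runs gets `None`: with a two-address pool those modes can serve only two sources, which is the exhaustion case `show snat ... resource` exists to reveal. Dynamic-port never runs out of addresses here, and sticky keeps one source on one address so that servers which key sessions on the client address see a stable peer.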
Configure SNAT (CLI)
• To configure SNAT, in the VRouter/NAT configuration mode, use the following command:
• snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface] trans-to {addressbook trans-to-address | eif-ip} mode {static | dynamicip | dynamicport [sticky]} [log] [disable] [track track-name] [description description]

• id id - Specifies the ID of the SNAT rule.
• before id | after id | top - Specifies the position of the rule.
• from src-address to dst-address [eif egress-interface] - Specifies the conditions the traffic should match.
• eif egress-interface - Specifies the egress interface.
• addressbook trans-to-address | eif-ip - Specifies the translated IP address.
• mode {static | dynamicip | dynamicport [sticky]} - Specifies the translation mode.

• Check SNAT configuration and resource utilization:
• show snat [id id] [resource] [vrouter vrouter-name]



CLI Configuration Example:

• Example 1:
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from any to any ser any eif ethernet0/3 trans-to eif-ip mode dynamicport

• Example 2:
SG-6000(config)# nat
SG-6000(config-nat)# snatrule from any to any ser any eif ethernet0/3 trans-to eif-ip mode dynamicport



Source NAT Configuration Example
• Source NAT – Static NAT
• Source NAT – Dynamic Port



Thinking: Multi-exit NAT Scenario
• Configure multi-exit routes
• Configure multiple exit NAT rules
• Security Policy

[Diagram: Trust Zone (192.168.40.1) on the firewall; Untrust Zone with E0/4 (IP 180.1.1.2) to ISP 1 and E0/3 (IP 100.1.1.2) to ISP 2; Internet host IP 200.0.0.200]

SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from ____ to ____ service ____ eif ____ trans-to ____ mode ____

Exit Multiple IP NAT Scenario

• The interface occupies one IP.
• The gateway occupies one IP.
• When configuring NAT, all addresses in the subnet can be used directly except the gateway IP; there is no need to set a secondary IP.
• If one interface rents multiple subnets, a secondary IP needs to be configured.
[Diagram: Ethernet0/4 on 123.1.1.0/29 towards the Internet, GW 123.1.1.1, usable addresses 123.1.1.2 to 123.1.1.6; E0/2 towards the Server]

Task 4: Office area access to the Internet

[Diagram: Office_User 192.168.40.0/24 behind E0/2 (.10); Internet01 on E0/4 (180.1.1.0/28) and Internet02 on E0/3 (100.1.1.0/30); Internet side: 150.1.1.0/28, and 2xx.0.0.0/24 (.200) hosting Game APP and Office]

Task 4: Office area access to the Internet

Requirements: In this task, the requirement is to implement internet access for the Office area.
The following requirements should be met:
• The firewall should be connected to the internet by using dual links, where E0/4 is the primary link and E0/3 serves as a backup link.
• To ensure smooth operations in the Office area, implement internet access for Office users while also restricting the content they can access. The access control measures should be flexible enough to meet different business needs.
Ø Office users can only access the internet.
Ø Only traffic to the 150.1.1.0/24 and 180.1.1.0/24 networks should be forwarded through the E0/3 interface. All other traffic should be forwarded through E0/4.
Ø The server is prohibited from accessing the internet.
Ø During office hours, Office users should be prohibited from accessing gaming websites.
Ø Internet access information from the Office area should be logged on the firewall.

Destination NAT
DNAT translates the destination IP address in packets, usually translating the IP addresses of internal servers (such as a WWW server or SMTP server) protected by the device to public IP addresses. It is commonly used to publish servers externally through IP mapping or port mapping.
[Diagram: Host B (9.6.7.3) in the untrust zone sends HTTP (port 80) to DA 200.1.1.1 (steps 1-2); the device rewrites the DA to 192.168.10.10 in the trust zone (steps 3-4); other internal hosts shown: 192.168.1.254, 192.168.10.11]

DNAT – IP Mapping
• IP mapping: this mode is a one-to-one mapping. It is usually used to publish a server externally when public IP addresses are sufficient.

Thinking: can we publish the HTTP service of 192.168.10.10 to external users?
If we can, how do we implement it?

DNAT – Port Mapping
• Port Mapping: This mode allows a one-to-many mapping, where different ports of a public IP are mapped to different ports of various internal IPs. It addresses the need to publish multiple servers to the external network when public IP addresses are limited.

Thinking: can we publish the HTTP service of 192.168.10.10 to external users through TCP port 8888?
If we can, how do we implement it?
DNAT – Advanced Settings
• Add source address information to make the DNAT rule match more precisely.

Configure DNAT (CLI)
• To configure a DNAT rule for NAT, in the VRouter configuration mode, use the following command:
Ø dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] trans-to trans-to-address [port port] [load-balance] [track-tcp port] [track-ping] [log] [group group-id] [disable] [description description]

• Check the DNAT configuration:
• show dnat rule [id] [vrouter vrouter-name]

CLI Configuration Examples
Example 1:
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# dnatrule from any to 200.1.1.1/32 service http trans-to 192.168.10.10 port 80

Example 2:
SG-6000(config)# nat
SG-6000(config-nat)# dnatrule from any to 200.1.1.1/32 service http trans-to 192.168.10.10 port 80

Configure a DNAT-related Policy
Policy > Security Policy, and click New.

Thinking: DNAT Application Scenario
• Configure multi-exit route
• Configure multi-exit NAT rule
[Diagram: Web Server 10.60.60.10 in the IDC; office area; E0/4 via the ISP (Internet02) to the Internet host 200.0.0.200]
• DNAT configuration
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# dnatrule from ____ to ____ service ____ trans-to ip ____ port ____ log
• Security Policy
SG-6000(config)# rule from ____ to ____ from-zone ____ to-zone ____ service ____ permit

Task 5: Publish Internal Business

[Diagram: Office_User 192.168.40.0/24 behind E0/2 (.10); Guest-User 10.50.50.0/24 behind E0/1; IDC 10.60.60.0/24 (.1) with IDC_Server 10.60.60.10; Internet01 on E0/4 and Internet02 on E0/3 (100.1.1.0/28); Internet side: office host at 2xx.0.0.0/24 (.200)]

Task 5: Publish Internal Business

Requirements:
In this task, there is a need to publish the FTP and HTTP services of webServer1 in the IDC zone to the external network. The requirements are as follows:
• To facilitate business development and convenient resource transfer, the administrator has decided to publish the HTTP service of the internal network server to the internet for user access. Additionally, the FTP service should be accessible to internal network users and VPN users to facilitate file uploads and downloads. You are required to configure the firewall to ensure the smooth operation of these services.
Ø Publish the internal HTTP service to the external network.
Ø Use the non-standard port 8888 for the HTTP service.
Ø Limit FTP access to internal network users only.
Ø Enable NAT logging.

NAT Rule
• There are two types of NAT: source NAT and destination NAT. If there are multiple NAT rules in the system, you can move a rule as needed.

• Matching sequence of NAT rules:
Ø Each NAT rule is labeled with a unique ID. The order or value of the IDs does not determine the matching sequence of the rules. The rule sequence displayed by the "show snat/dnat" command is the actual matching sequence, which is from top to bottom. You can change the matching sequence by moving existing NAT rules.

• Note: When configuring a firewall policy, the source and destination addresses in the policy should be the addresses before NAT translation.

NAT Hit Count
• The system administrator can check the hit count of a newly added NAT rule to verify whether the NAT policy is working.

Moving a NAT Rule
• To move a NAT rule via the WebUI, in the SNAT/DNAT Configuration dialog, select the NAT rule and click Priority.

• To move a NAT rule, in the NAT configuration mode, use the following commands:
Ø snatrule move id {before id | after id | top | bottom}
Ø dnatrule move id {before id | after id | top | bottom}
• To delete a NAT rule, in the NAT configuration mode, use the following commands:
Ø no snatrule id id
Ø no dnatrule id id

NAT Optimization

• When a large number of NAT rules accumulate on a device, it becomes hard for users to determine whether any rules need to be removed, which increases the maintenance burden. To ensure the effectiveness of NAT rules and help users resolve cases where some NAT rules are never matched because of rule overlap, the system can perform a redundancy check on NAT rules. This check examines the coverage of NAT rules and helps users identify and resolve problems caused by rule conflicts or overlaps.
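The top-to-bottom matching sequence, the "move ... before" command and the redundancy check described on these slides, as an added Python model (not StoneOS code): rule IDs, addresses and ports are constructed from the deck's DNAT examples, and the match logic is a simplified stand-in for the device's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class NatRule:
    rid: int                     # rule ID assigned at creation (not the match order)
    src: str                     # source prefix, "any" = 0.0.0.0/0
    dst: str                     # destination prefix (pre-NAT address)
    service: str                 # "tcp/8888", "tcp/80", ... or "any"
    trans_to: str                # translated address
    port: Optional[int] = None   # translated port (port mapping); None = keep port

def _net(addr):
    return ip_network("0.0.0.0/0" if addr == "any" else addr, strict=False)

def _covers(rule, src, dst, service):
    return (ip_address(src) in _net(rule.src) and ip_address(dst) in _net(rule.dst)
            and rule.service in ("any", service))

def lookup(table, src, dst, service):
    """Top-to-bottom first match, in the order 'show dnat' would display."""
    for r in table:
        if _covers(r, src, dst, service):
            return r.rid, r.trans_to, r.port
    return None

def redundant_rules(table):
    """IDs of rules entirely shadowed by an earlier rule (can never be hit)."""
    shadowed = []
    for i, later in enumerate(table):
        if any(_net(later.src).subnet_of(_net(e.src))
               and _net(later.dst).subnet_of(_net(e.dst))
               and e.service in ("any", later.service) for e in table[:i]):
            shadowed.append(later.rid)
    return shadowed

def move_before(table, rid, target_rid):
    """Model of 'dnatrule move <rid> before <target_rid>'; returns a new table."""
    rule = next(r for r in table if r.rid == rid)
    rest = [r for r in table if r.rid != rid]
    rest.insert(next(i for i, r in enumerate(rest) if r.rid == target_rid), rule)
    return rest

# Constructed DNAT table: table position, not ID, decides the matching order.
DNAT_TABLE = [
    NatRule(3, "any", "200.1.1.1/32", "tcp/8888", "192.168.10.10", 80),  # port mapping
    NatRule(1, "any", "200.1.1.1/32", "any", "192.168.10.10"),           # IP mapping
    NatRule(2, "10.50.50.0/24", "200.1.1.1/32", "tcp/21", "192.168.10.11", 21),
]
```

Rule 2 is never matched while rule 1 sits above it, which is exactly what the redundancy check is meant to surface; moving it above rule 1 restores the FTP mapping.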

+1 408 508 6750
[email protected]
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com