
Chapter 5

Network Address Translation (NAT)


Training Team
HCSA Official Training

Integrative Cybersecurity
Visionary. AI-powered. Accessible.

Hillstone Networks All Rights Reserved.


Agenda

1 NAT Concept
2 SNAT
3 DNAT
4 NAT advanced option


1 NAT Concept



Why We Need NAT ?

• NAT Background:
 IPv4 address exhaustion
 Technologies that extend the life of IPv4 were introduced, and NAT is the most widely used of them
 IPv6 adoption is still limited

• RFC 1918 defines three private IP address ranges, listed below. These addresses are not allocated on the Internet, so you can use them freely inside an enterprise network.
 Class A: 10.0.0.0 - 10.255.255.255 ( 10.0.0.0/8 )
 Class B: 172.16.0.0 - 172.31.255.255 ( 172.16.0.0/12 )
 Class C: 192.168.0.0 - 192.168.255.255 ( 192.168.0.0/16 )

• Private addresses are not routable on the Internet; a packet carrying one as its source address cannot be answered.


NAT Concept

• NAT (Network Address Translation) is a technique that rewrites the IP address in an IP packet header to another IP address.
• When IP packets pass through the firewall, the firewall translates the source IP address and/or the destination IP address in the packets, and translates them back on the return path.
• In practice, NAT is mostly used to allow a private network to access the public network, or to let the public network reach servers on a private network.



2 SNAT



SNAT Classification
Figure: Office_User (192.168.40.10) sends IP Packet 1 with source IP 192.168.40.10 and destination IP 180.1.1.2 to the device's Ethernet0/2 (192.168.40.1); after Source NAT, the packet leaves Ethernet0/3 (100.1.1.2) toward the Internet Server with source IP 100.1.1.2, the destination IP 180.1.1.2 unchanged.

• Static NAT:
• Translates a private IP address of the internal network into a public IP address with a one-to-one mapping: each source address is always translated to the same, specific public address.
• Dynamic-IP NAT:
• Dynamic Source NAT with a multiple-to-multiple translation. Source addresses are translated to addresses from a specified pool; each source address is mapped to its own unique public address until all the specified addresses are occupied.
• Dynamic-Port NAT:
• Multiple source addresses are translated into one of the addresses specified in the IP address entry; sessions that share a translated address are told apart by the translated source port.
• Sticky: When enabled, all sessions generated by each source IP will be mapped to the same fixed IP address.
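The three modes above, as an added worked model in Python (example code written for this page, not Hillstone StoneOS code): one SourceNat object per rule, with the static, dynamicip and dynamicport [sticky] behaviours, a per-session translation table, and the reverse lookup the device needs to untranslate the server's reply. The class name, the pool of public addresses 100.1.1.3 and 100.1.1.4 and the starting port 1024 are assumptions for the example; so is the choice to refuse new sources once a dynamicip pool is used up, which the slide only implies.

```python
import ipaddress
import itertools


class SnatError(Exception):
    """Raised when a packet cannot be translated by this rule."""


class SourceNat:
    """Behavioural model of one StoneOS-style SNAT rule (constructed example).

    mode "static"       one-to-one, host offset preserved; trans_to is a network
         "dynamicip"    many-to-many, one pool address per source until the pool is used up
         "dynamicport"  many-to-few, a port is allocated per session (PAT);
                        sticky=True pins each source IP to a single pool address
    """

    def __init__(self, mode, src_net, trans_to, sticky=False, first_port=1024):
        if mode not in ("static", "dynamicip", "dynamicport"):
            raise ValueError("unknown mode " + mode)
        self.mode = mode
        self.sticky = sticky
        self.src_net = ipaddress.ip_network(src_net)
        if mode == "static":
            self.trans_net = ipaddress.ip_network(trans_to)
            if self.trans_net.num_addresses != self.src_net.num_addresses:
                raise SnatError("static mode is one-to-one: both ranges must be the same size")
        else:
            self.pool = [ipaddress.ip_address(a) for a in trans_to]
            self._rr = itertools.cycle(self.pool)          # round-robin over the pool
            self.next_port = {ip: first_port for ip in self.pool}
        self.ip_map = {}     # src ip -> public ip (dynamicip, and dynamicport with sticky)
        self.sessions = {}   # (src, sport, dst, dport) -> (public ip, public port)
        self.reverse = {}    # (public ip, public port, dst, dport) -> (src, sport)

    def _public_ip(self, src):
        if self.mode == "static":
            offset = int(src) - int(self.src_net.network_address)
            return self.trans_net[offset]                  # same host number, new network
        if self.mode == "dynamicip":
            if src not in self.ip_map:
                used = set(self.ip_map.values())
                free = [ip for ip in self.pool if ip not in used]
                if not free:                               # assumption: no address left, no NAT
                    raise SnatError("dynamicip pool exhausted")
                self.ip_map[src] = free[0]
            return self.ip_map[src]
        if self.sticky:                                    # dynamicport sticky: pin the source
            if src not in self.ip_map:
                self.ip_map[src] = next(self._rr)
            return self.ip_map[src]
        return next(self._rr)                              # dynamicport: any pool address

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound packet: returns the (public ip, public port) written into the header."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src not in self.src_net:
            raise SnatError(f"{src} does not match the rule's source condition")
        key = (src, src_port, dst, dst_port)
        if key in self.sessions:                           # existing session keeps its mapping
            pub, pport = self.sessions[key]
            return str(pub), pport
        pub = self._public_ip(src)
        if self.mode == "dynamicport":
            pport = self.next_port[pub]
            if pport > 65535:
                raise SnatError(f"no free ports left on {pub}")
            self.next_port[pub] = pport + 1
        else:
            pport = src_port                               # static/dynamicip keep the port
        self.sessions[key] = (pub, pport)
        self.reverse[(pub, pport, dst, dst_port)] = (src, src_port)
        return str(pub), pport

    def untranslate(self, pub_ip, pub_port, dst_ip, dst_port):
        """Reply from dst: restore the private source, or drop if no session created it."""
        key = (ipaddress.ip_address(pub_ip), pub_port, ipaddress.ip_address(dst_ip), dst_port)
        if key not in self.reverse:
            raise SnatError("no session for this reply; unsolicited inbound packet is dropped")
        src, sport = self.reverse[key]
        return str(src), sport


if __name__ == "__main__":
    rule = SourceNat("dynamicport", "192.168.40.0/24", ["100.1.1.3", "100.1.1.4"], sticky=True)
    print(rule.translate("192.168.40.10", 40000, "180.1.1.2", 80))   # same public IP every time
    print(rule.translate("192.168.40.10", 40001, "180.1.1.2", 443))
```

Run it and note what the session table buys you: a reply is only untranslated if it matches a mapping created by an outbound packet, which is why an inbound packet to 100.1.1.3 on a port nobody allocated is dropped.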
Configure SNAT (CLI)

• To configure SNAT, in the VRouter or NAT configuration mode, use the following command:
• snatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] [eif egress-interface] trans-to {addressbook trans-to-address | eif-ip} mode {static | dynamicip | dynamicport [sticky]} [log] [disable] [track track-name] [description description]

• id id - Specifies the ID of the SNAT rule.
• before id | after id | top - Specifies the position of the rule in the matching sequence.
• from src-address to dst-address [service service-name] [eif egress-interface] - Specifies the conditions that traffic must match: source address, destination address, an optional service, and an optional egress interface.
• eif egress-interface - Specifies the egress interface; the rule applies only to traffic leaving through it.
• trans-to {addressbook trans-to-address | eif-ip} - Specifies the translated source address: an address book entry, or the IP address of the egress interface.
• mode {static | dynamicip | dynamicport [sticky]} - Specifies the translation mode.

• Check SNAT configuration and resource utilization.


• show snat [id id] [resource] [vrouter vrouter-name]



CLI Configuration Example:

• Example 1 :
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from any to any ser any eif ethernet0/3 trans-to eif-ip mode dynamicport

• Example 2 :
SG-6000(config)# nat
SG-6000(config-nat)# snatrule from any to any ser any eif ethernet0/3 trans-to eif-ip mode dynamicport

Both examples create the same rule (ser is short for service): all traffic leaving ethernet0/3 has its source address translated to the interface's own IP, one port per session. Example 1 enters the rule under the VRouter, Example 2 under the global NAT configuration mode.


Source NAT Configuration Example

Figure: WebUI screenshots of a Source NAT rule in Static NAT mode and in Dynamic Port mode.


Thinking: Multi-exit NAT Scenario
• Configure multi-exit route
• Configure multiple exit NAT rules
• Security Policy

Figure: Trust Zone (inside interface 192.168.40.1) behind the SG-6000; Untrust Zone with two exits, E0/4 (IP 200.0.0.200) to ISP 1 and E0/3 (IP 100.1.1.2) to ISP 2; Internet server 180.1.1.2.

SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from ____ to ____ service ____ eif ____ trans-to ____ mode ____


Exit Multiple IP NAT Scenario

• The interface occupies one IP, and the ISP gateway occupies one IP.
• When configuring NAT, all remaining addresses of the subnet can be used directly as translated addresses except the gateway IP; there is no need to configure them as secondary IPs.
• If one interface is assigned multiple subnets, the additional subnets need to be configured as secondary IPs.

Figure: Ethernet0/4 connects to the Internet on 123.1.1.0/29 (gateway 123.1.1.1; host addresses 123.1.1.2 to 123.1.1.6); E0/2 connects to the internal Server.


3 DNAT



Destination NAT
DNAT translates the destination IP address in a packet. Usually, a public IP address is mapped to the private address of an internal server (such as a WWW server or SMTP server) protected by the device. DNAT is commonly used to publish servers externally through IP mapping or port mapping.

Figure: Host B (9.6.7.3) in the untrust zone sends an HTTP request to 200.1.1.1 port 80 (1); the device translates the destination address to 192.168.10.10 and forwards it into the trust zone (device address 192.168.1.254) (2); the server's reply (3) has its source address translated back to 200.1.1.1 before it leaves for Host B (4). A second internal server, 192.168.10.11, sits in the same segment.


DNAT – IP Mapping

IP mapping: this mode is a one-to-one mapping of a public IP address to an internal address, with every port carried through unchanged. It is usually used to publish a server externally when public IP addresses are plentiful.

Thinking: Can we publish the HTTP service of 192.168.10.10 to external users with IP mapping?

If so, how?


DNAT – Port Mapping

Port Mapping: This mode allows a one-to-many mapping, where different ports of one public IP are mapped to different ports of various internal IPs. It addresses the need to publish multiple servers to the external network when public IP addresses are limited.

Thinking: Can we publish the HTTP service of 192.168.10.10 to external users through TCP port 8888?
If so, how?
DNAT – Advanced Settings
• Add source address conditions to narrow the DNAT rule, so that only traffic from the specified sources is translated.
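IP mapping, port mapping and the source-address condition of the advanced settings, as one added Python model (example code written for this page, not Hillstone code). It uses the slide's addresses, 200.1.1.1 and 192.168.10.10, and answers the two Thinking questions: 200.1.1.1 is published as a whole (IP mapping), while 200.1.1.2 publishes HTTP on port 80 and again on TCP 8888, SMTP on 192.168.10.11, and SSH only to clients in 9.6.7.0/24. The second public address 200.1.1.2, the SSH mapping and the client range are assumptions for the example.

```python
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


class DnatRule:
    """One rule: from <src> to <public_ip>/32 service <proto>/<public_port> trans-to <internal_ip> [port]."""

    def __init__(self, public_ip, internal_ip, proto="any", public_port=None,
                 internal_port=None, src="any"):
        self.src = ANY_NET if src == "any" else ipaddress.ip_network(src)   # advanced setting
        self.public_ip = ipaddress.ip_address(public_ip)
        self.internal_ip = ipaddress.ip_address(internal_ip)
        self.proto = proto
        self.public_port = public_port        # None: IP mapping, every port is forwarded
        self.internal_port = internal_port    # None: keep the client's destination port

    def matches(self, src_ip, dst_ip, dst_port, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) == self.public_ip
                and self.proto in ("any", proto)
                and self.public_port in (None, dst_port))


class DnatTable:
    def __init__(self):
        self.rules = []      # matched top to bottom, first hit wins
        self.sessions = {}   # (proto, client, cport, internal, iport) -> (public ip, public port)

    def add(self, rule):
        self.rules.append(rule)

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Inbound packet: returns (internal_ip, internal_port) to forward to, or None."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dst_port, proto):
                iport = dst_port if rule.internal_port is None else rule.internal_port
                key = (proto, ipaddress.ip_address(src_ip), src_port, rule.internal_ip, iport)
                self.sessions[key] = (ipaddress.ip_address(dst_ip), dst_port)
                return str(rule.internal_ip), iport
        return None   # no rule: the packet is not translated (and a policy will not see the server)

    def untranslate(self, internal_ip, internal_port, client_ip, client_port, proto="tcp"):
        """Reply from the server: restore the public address and port the client connected to."""
        key = (proto, ipaddress.ip_address(client_ip), client_port,
               ipaddress.ip_address(internal_ip), internal_port)
        if key not in self.sessions:
            return None
        pub, pport = self.sessions[key]
        return str(pub), pport


def build_example_table():
    """Constructed rule set for the slides' addresses (the 200.1.1.2 mappings are assumed)."""
    t = DnatTable()
    # IP mapping: every port of 200.1.1.1 goes to 192.168.10.10 with the port unchanged
    t.add(DnatRule("200.1.1.1", "192.168.10.10"))
    # Port mapping on one public IP: several services, several servers
    t.add(DnatRule("200.1.1.2", "192.168.10.10", "tcp", 80, 80))
    t.add(DnatRule("200.1.1.2", "192.168.10.10", "tcp", 8888, 80))   # HTTP published on TCP 8888
    t.add(DnatRule("200.1.1.2", "192.168.10.11", "tcp", 25, 25))
    # Advanced setting: only 9.6.7.0/24 may reach the SSH mapping
    t.add(DnatRule("200.1.1.2", "192.168.10.10", "tcp", 22, 22, src="9.6.7.0/24"))
    return t


if __name__ == "__main__":
    table = build_example_table()
    print(table.translate("9.6.7.3", 50000, "200.1.1.2", 8888))           # -> 192.168.10.10:80
    print(table.untranslate("192.168.10.10", 80, "9.6.7.3", 50000))       # -> 200.1.1.2:8888
```

The session table is what makes the reply work: 192.168.10.10:80 serves both public ports, so the device cannot recover the original destination from the rules alone; it has to remember, per session, which public port the client connected to.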


Configure DNAT (CLI)

• To configure a DNAT rule, in the VRouter configuration mode, use the following command:
 dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] trans-to trans-to-address [port port] [load-balance] [track-tcp port] [track-ping] [log] [group group-id] [disable] [description description]

• Check DNAT configuration:
• show dnat rule [id] [vrouter vrouter-name]


CLI Configuration Examples

Example 1 :
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# dnatrule from any to 200.1.1.1/32 service http trans-to 192.168.10.10 port 80

Example 2 :
SG-6000(config)# nat
SG-6000(config-nat)# dnatrule from any to 200.1.1.1/32 service http trans-to 192.168.10.10 port 80


Configure a DNAT-related Policy

Policy > Security Policy, and click New. The policy must permit the published service from the external zone to the server's zone; as noted under NAT Rule, the addresses in the policy are the addresses before NAT translation.


Thinking: DNAT Application Scenario

• Configure multi-exit route
• Configure multi-exit NAT rule

Figure: Web Server 10.60.60.10 in the IDC; E0/4 to the ISP with public IP 200.0.0.200; Internet users; Internet02 office area.

• DNAT configuration
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# dnatrule from ____ to ____ service ____ trans-to ip ____ port ____ log
• Security Policy
SG-6000(config)# rule from ____ to ____ from-zone ____ to-zone ____ service ____ permit
NAT Rule

• There are two types of NAT rules, source NAT and destination NAT. If there are multiple NAT rules in the system, you can move a rule as needed.

• Matching sequence of NAT rules:
 Each NAT rule is labeled with a unique ID, but the order or value of the IDs does not determine the matching sequence. The order shown by the "show snat" / "show dnat" command is the actual matching sequence, from top to bottom, and the first rule that matches a packet is applied. You can change the matching sequence by moving existing NAT rules.

• Note: When configuring a firewall policy, the source and destination addresses in the policy should be the addresses before NAT translation.
4 NAT advanced option



NAT Hit Count

The system administrator can check the hit count of a newly added NAT rule to verify whether the rule is actually being matched.


Moving a NAT Rule

• To move a NAT rule via the WebUI, in the SNAT/DNAT Configuration dialog, select the NAT rule and click Priority.

• To move a NAT rule, in the NAT configuration mode, use the following commands:
 snatrule move id {before id | after id| top | bottom}
 dnatrule move id {before id | after id| top | bottom}

• To delete a NAT rule, in the NAT configuration mode, use the following commands:
 no snatrule id id
 no dnatrule id id



NAT Optimization

When a large number of NAT rules accumulate on a device, it becomes hard to tell which rules can be removed, and maintenance gets harder. To keep NAT rules effective, and to resolve cases where some NAT rules are never matched because an earlier, broader rule overlaps them, the system can run a redundancy check on NAT rules. The check examines how rules cover one another and helps identify and fix problems caused by rule conflicts or overlaps.
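Rule ordering, the move command and the redundancy check described under NAT Rule and NAT Optimization, as one added Python model (example code written for this page, not StoneOS code). Rule IDs 10, 5 and 7, the addresses and the egress interfaces are taken from the slides or assumed for the example; covers() implements the coverage test a redundancy check needs: a rule is shadowed when an earlier rule matches everything it could match.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(value):
    return ANY if value == "any" else ipaddress.ip_network(value)


class NatRule:
    """Match conditions of one SNAT rule: from <src> to <dst> service <svc> eif <iface>."""

    def __init__(self, rule_id, src="any", dst="any", service="any", eif="any", trans_to="eif-ip"):
        self.id = rule_id
        self.src, self.dst = _net(src), _net(dst)
        self.service, self.eif, self.trans_to = service, eif, trans_to

    def matches(self, src_ip, dst_ip, service, eif):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.service in ("any", service)
                and self.eif in ("any", eif))

    def covers(self, other):
        """True if every packet `other` could match is already matched by `self`."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.service in ("any", other.service)
                and self.eif in ("any", other.eif))


class NatRuleSet:
    def __init__(self):
        self.rules = []   # the matching order; rule IDs play no part in it

    def _index(self, rule_id):
        for i, r in enumerate(self.rules):
            if r.id == rule_id:
                return i
        raise KeyError(f"no NAT rule with id {rule_id}")

    def add(self, rule):
        if any(r.id == rule.id for r in self.rules):
            raise ValueError(f"rule id {rule.id} already exists")
        self.rules.append(rule)   # a rule added without a position goes to the bottom

    def move(self, rule_id, where, ref_id=None):
        """snatrule move <id> {before <id> | after <id> | top | bottom}"""
        if where not in ("top", "bottom", "before", "after"):
            raise ValueError("position must be top, bottom, before or after")
        if where in ("before", "after"):
            self._index(ref_id)                          # reference rule must exist
        rule = self.rules.pop(self._index(rule_id))
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "bottom":
            self.rules.append(rule)
        elif where == "before":
            self.rules.insert(self._index(ref_id), rule)
        else:
            self.rules.insert(self._index(ref_id) + 1, rule)

    def order(self):
        """What 'show snat' would list, top to bottom."""
        return [r.id for r in self.rules]

    def lookup(self, src_ip, dst_ip, service, eif):
        """First-match lookup; returns the ID of the rule that would translate the packet."""
        for r in self.rules:
            if r.matches(src_ip, dst_ip, service, eif):
                return r.id
        return None

    def shadowed(self):
        """Redundancy check: (rule, earlier rule) pairs where the rule can never be hit."""
        found = []
        for i, r in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.covers(r):
                    found.append((r.id, earlier.id))
                    break
        return found


if __name__ == "__main__":
    rs = NatRuleSet()
    rs.add(NatRule(10, eif="ethernet0/3"))                                   # catch-all to ISP 2
    rs.add(NatRule(5, "192.168.40.0/24", "180.1.1.0/24", "http", "ethernet0/3", "100.1.1.3"))
    print(rs.order(), rs.shadowed())      # [10, 5] [(5, 10)]: rule 5 is never matched
    rs.move(5, "top")
    print(rs.order(), rs.shadowed())      # [5, 10] []
```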


Hillstone Networks
+1 408 508 6750
[email protected]
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com