H3C Firewall and UTM Devices DNS and NAT Configuration

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)
Copyright © 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.
Contents
Introduction
Prerequisites
Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (using ALG)
  Network requirements
  Software version used
  Configuration procedures
    Configuring the firewall in the Web interface
    Configuring the firewall at the CLI
  Verifying the configuration
  Configuration files
Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (without ALG)
  Network requirements
  Software version used
  Configuration procedures
    Configuring the firewall in the Web interface
    Configuring the firewall at the CLI
  Verifying the configuration
  Configuration files
Example: Allowing public users to use domain name to access a private server when the DNS server is on a private network
  Network requirements
  Software version used
  Configuration restrictions and guidelines
  Configuration procedures
    Configuring the firewall in the Web interface
    Configuring the firewall at the CLI
  Verifying the configuration
  Configuration files
Related documentation
Introduction
This document provides DNS and NAT configuration examples.
Prerequisites
This document is not restricted to specific software or hardware versions.
The configuration examples in this document were created and verified in a lab environment, and all the
devices were started with the factory default configuration. When you are working on a live network,
make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of DNS, NAT, and ALG.
Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (using ALG)
Network requirements
As shown in Figure 1, the DNS server is on the public network and stores the mapping of public IP
address 202.168.100.70 and domain name lc1.8042test.com for a service server on a private network.
Configure DNS with ALG and NAT on the firewall to enable clients on another private network to access
the service server by using the domain name.
Figure 1 Network diagram
Software version used
This configuration example was created and verified on SecPath F5000-A5 Feature 3213.
Configuration procedures
Configuring the firewall in the Web interface
1. Configure IP addresses for interfaces GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5:
a. From the navigation tree, select Device Management > Interface.
b. Click the edit icon for interface GigabitEthernet 1/3.
Figure 2 Interface configuration page
c. Configure IP address 202.168.249.187 for GigabitEthernet 1/3, as shown in Figure 3.
d. Click Apply.
Figure 3 Edit Interface page for GigabitEthernet 1/3
e. Configure IP address 10.1.1.1 for GigabitEthernet 1/4 in the same way the IP address is configured for GigabitEthernet 1/3.
Figure 4 Edit Interface page for GigabitEthernet 1/4
f. Configure IP address 172.16.1.1 for GigabitEthernet 1/5 in the same way the IP address is configured for GigabitEthernet 1/3.
Figure 5 Edit Interface page for GigabitEthernet 1/5
2. Add interface GigabitEthernet 1/3 into the Untrust zone, interface GigabitEthernet 1/4 into the Trust zone, and interface GigabitEthernet 1/5 into the DMZ zone:
a. From the navigation tree, select Device Management > Zone.
b. Click the edit icon for the Untrust zone.
Figure 6 Adding interfaces into security zones
c. On the Modify Zone page, select GigabitEthernet 1/3, and click Apply.
Figure 7 Modifying security zone
d. Add GigabitEthernet 1/5 into the DMZ zone, and GigabitEthernet 1/4 into the Trust zone in the same way.
3. Configure DNS:
a. From the navigation tree, select Network > DNS > Dynamic.
b. Configure dynamic DNS, as shown in Figure 8.
c. Click Apply.
Figure 8 Configuring dynamic DNS
4. Configure ACL:
a. From the navigation tree, select Firewall > ACL.
b. Click Add.
c. Create ACL 3000:
− Enter 3000 in the ACL Number field.
− Select Config for Match Order.
− Click Apply.
Figure 9 Creating ACL 3000
The ACL configuration result appears.
Figure 10 Configuration result
d. Click the edit icon for ACL 3000.
e. On the rule edit page that appears, click Add.
f. Configure an ACL rule, as shown in Figure 11.
g. Click Apply.
Figure 11 Creating a rule for ACL 3000
5. Configure NAT:
a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
b. Click Add.
c. Configure dynamic NAT on GigabitEthernet 1/3, as shown in Figure 12.
d. Click Apply.
Figure 12 Adding dynamic NAT
e. From the navigation tree, select Firewall > NAT Policy > Internal Server.
f. Click Add.
g. Configure internal server on GigabitEthernet 1/3, as shown in Figure 13.
h. Click Apply.
Figure 13 Adding internal server
6. Configure DNS ALG:
a. From the navigation tree, select Firewall > ALG.
b. Select DNS from Optional Application Protocols, and click << to add it to Selected Application Protocols.
c. Click Apply.
Figure 14 Configuring DNS ALG
Configuring the firewall at the CLI
# Configure IP addresses for GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5.
<Firewall> system-view
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] ip address 202.168.249.187 255.255.255.0
[Firewall-GigabitEthernet1/3] quit
[Firewall] interface gigabitethernet 1/4
[Firewall-GigabitEthernet1/4] ip address 10.1.1.1 255.255.255.0
[Firewall-GigabitEthernet1/4] quit
[Firewall] interface gigabitethernet 1/5
[Firewall-GigabitEthernet1/5] ip address 172.16.1.1 255.255.255.0
[Firewall-GigabitEthernet1/5] quit
# Add GigabitEthernet 1/3 into the Untrust zone, GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone.
[Firewall] zone name untrust
[Firewall-zone-untrust] import interface gigabitethernet 1/3
[Firewall-zone-untrust] quit
[Firewall] zone name trust
[Firewall-zone-trust] import interface gigabitethernet 1/4
[Firewall-zone-trust] quit
[Firewall] zone name DMZ
[Firewall-zone-DMZ] import interface gigabitethernet 1/5
[Firewall-zone-DMZ] quit
# Configure DNS.
[Firewall] dns resolve
[Firewall] dns proxy enable
[Firewall] dns server 202.168.100.240
[Firewall] dns domain 8042test.com
# Configure an ACL.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule 0 permit ip
[Firewall-acl-adv-3000] quit
# Configure NAT.
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] nat outbound 3000
[Firewall-GigabitEthernet1/3] nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
[Firewall-GigabitEthernet1/3] nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
[Firewall-GigabitEthernet1/3] nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
[Firewall-GigabitEthernet1/3] quit
# Enable ALG for DNS.
[Firewall] alg dns
Verifying the configuration
# Verify that you can ping domain name lc1.8042test.com from the client, and that the resolved IP address is 172.16.1.3.
# Verify that you can telnet lc1.8042test.com from the client.
# Verify that you can use HTTP to access lc1.8042test.com from the client.
# Use the debugging nat packet command to display NAT debug information on the firewall.
*Jul 26 16:43:01:084 2013 f5000a-2 NAT/7/debug:
(0x00000078-in:)Pro : TCP is to NAT server
( 10.1.1.3: 1460 - 202.168.100.70: 23) ------>
( 10.1.1.3: 1460 - 172.16.1.3: 23)
*Jul 26 17:31:50:865 2013 f5000a-2 NAT/7/debug:
(0x00000077-out:)Pro : UDP
( 10.1.1.3: 1025 - 202.168.100.240: 53) ------>
(202.168.249.187: 1027 - 202.168.100.240: 53)
*Jul 26 17:31:50:866 2013 f5000a-2 NAT/7/debug:
(0x00000077-in:)Pro : UDP
(202.168.100.240: 53 - 202.168.249.187: 1027) ------>
(202.168.100.240: 53 - 10.1.1.3: 1025)
*Jul 26 17:31:50:867 2013 f5000a-2 NAT/7/debug:
(0x00000077-out:)Pro : UDP
( 10.1.1.3: 1025 - 202.168.100.240: 53) ------>
(202.168.249.187: 1027 - 202.168.100.240: 53)
*Jul 26 17:31:50:868 2013 f5000a-2 NAT/7/debug:
(0x00000077-in:)Pro : UDP
(202.168.100.240: 53 - 202.168.249.187: 1027) ------>
(202.168.100.240: 53 - 10.1.1.3: 1025)
*Jul 26 17:31:50:868 2013 f5000a-2 ALG/7/ALG_DBG:Alg debug info:
From VPN : 0,Pro : Direction : IN
( 202.168.100.70: 0 ) ----> ( 172.16.1.3: 0 )
# Display information about session table entries on the firewall.
<Firewall> display session table verbose
Initiator:
  Source IP/Port : 10.1.1.3/2048
  Dest IP/Port : 172.16.1.3/768
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 172.16.1.3/0
  Dest IP/Port : 10.1.1.3/768
  VPN-Instance/VLAN ID/VLL ID:
Pro: ICMP(1)
App: unknown
Start time: 2013-07-26 17:31:49
Root
State: ICMP-CLOSED
TTL: 20s
Zone(in): Trust
Zone(out): DMZ
Received packet(s)(Init): 4 packet(s) 294 byte(s)
Received packet(s)(Reply): 4 packet(s) 294 byte(s)
Initiator:
  Source IP/Port : 10.1.1.3/137
  Dest IP/Port : 10.1.1.255/137
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 10.1.1.255/137
  Dest IP/Port : 10.1.1.3/137
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)
App: NBT-name
Start time: 2013-07-26 17:31:39
Root
State: UDP-OPEN
TTL: 6s
Zone(in): Trust
Zone(out): Local
Received packet(s)(Init): 3 packet(s) 234 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
  Source IP/Port : 10.1.1.3/1025
  Dest IP/Port : 202.168.100.240/53
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 202.168.100.240/53
  Dest IP/Port : 202.168.249.187/1027
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)
App: DNS
State: UDP-READY
Start time: 2013-07-26 17:31:49
Root
TTL: 42s
Zone(in): Trust
Zone(out): Untrust
Received packet(s)(Init): 2 packet(s) 124 byte(s)
Received packet(s)(Reply): 2 packet(s) 221 byte(s)
Total find: 3
Configuration files
#
dns resolve
dns server 202.168.100.240
dns domain 8042test.com
#
acl number 3000
rule 0 permit ip
#
interface GigabitEthernet0/4
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/5
port link-mode route
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/3
port link-mode route
nat outbound 3000
nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
ip address 202.168.249.187 255.255.255.0
#
zone name Trust id 2
priority 85
import interface GigabitEthernet1/4
zone name DMZ id 3
priority 50
import interface GigabitEthernet1/5
zone name Untrust id 4
priority 5
import interface GigabitEthernet1/3
#
Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (without ALG)
Network requirements
As shown in Figure 15, the DNS server is on the public network and stores the mapping of public IP
address 202.168.100.70 and domain name lc1.8042test.com for a service server on a private network.
Configure DNS and NAT on the firewall to enable clients on another private network to access the
service server by using the domain name.
Figure 15 Network diagram
[Diagram: Trust zone: Client 10.1.1.3/24 connected to firewall GE1/4 (10.1.1.1/24). DMZ zone: Service server 172.16.1.3/24 (lc1.8042test.com) connected to firewall GE1/5 (172.16.1.1/24). Untrust zone: firewall GE1/3 (202.168.249.187/24) to the Internet, with the NAT server and the DNS server 202.168.100.240/24.]
Software version used
This configuration example was created and verified on SecPath F5000-A5 Feature 3213.
Configuration procedures
Configuring the firewall in the Web interface
1. Configure IP addresses for interfaces GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5:
a. From the navigation tree, select Device Management > Interface.
b. Click the edit icon for GigabitEthernet 1/3.
Figure 16 Interface configuration page
c. Configure IP address 202.168.249.187 for interface GigabitEthernet 1/3, as shown in Figure 17.
d. Click Apply.
Figure 17 Edit Interface page for GigabitEthernet 1/3
e. Configure IP address 10.1.1.1 for interface GigabitEthernet 1/4 in the same way the IP address is configured for GigabitEthernet 1/3.
Figure 18 Edit Interface page for GigabitEthernet 1/4
f. Configure IP address 172.16.1.1 for interface GigabitEthernet 1/5 in the same way the IP address is configured for GigabitEthernet 1/3.
Figure 19 Edit Interface page for GigabitEthernet 1/5
2. Add GigabitEthernet 1/3 into the Untrust zone, GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone:
a. From the navigation tree, select Device Management > Zone.
b. Click the edit icon for the Untrust zone.
Figure 20 Adding interfaces into security zones
c. On the Modify Zone page, select GigabitEthernet 1/3, and click Apply.
Figure 21 Modifying security zone
d. Add interface GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone in the same way.
3. Configure DNS:
a. From the navigation tree, select Network > DNS > Dynamic.
b. Configure dynamic DNS, as shown in Figure 22.
c. Click Apply.
Figure 22 Configuring dynamic DNS
4. Configure ACL:
a. From the navigation tree, select Firewall > ACL.
b. Click Add.
c. Create ACL 3000:
− Enter 3000 in the ACL Number field.
− Select Config for Match Order.
− Click Apply.
Figure 23 Creating ACL 3000
The ACL configuration result appears.
Figure 24 Configuration result
d. Click the edit icon for ACL 3000 to enter the rule edit page.
e. On the rule edit page that appears, click Add.
f. Configure an ACL rule, as shown in Figure 25.
g. Click Apply.
Figure 25 Adding a rule for ACL 3000
5. Configure NAT:
a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
b. Click Add.
c. Configure dynamic NAT on GigabitEthernet 1/3, as shown in Figure 26.
d. Click Apply.
Figure 26 Adding dynamic NAT
e. From the navigation tree, select Firewall > NAT Policy > Internal Server.
f. Click Add.
g. Configure internal server on GigabitEthernet 1/4, as shown in Figure 27.
h. Click Apply.
Figure 27 Adding internal server
Configuring the firewall at the CLI
# Configure IP addresses for GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5.
<Firewall> system-view
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] ip address 202.168.249.187 255.255.255.0
[Firewall-GigabitEthernet1/3] quit
[Firewall] interface gigabitethernet 1/4
[Firewall-GigabitEthernet1/4] ip address 10.1.1.1 255.255.255.0
[Firewall-GigabitEthernet1/4] quit
[Firewall] interface gigabitethernet 1/5
[Firewall-GigabitEthernet1/5] ip address 172.16.1.1 255.255.255.0
[Firewall-GigabitEthernet1/5] quit
# Add GigabitEthernet 1/3 into the Untrust zone, GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone.
[Firewall] zone name untrust
[Firewall-zone-untrust] import interface gigabitethernet 1/3
[Firewall-zone-untrust] quit
[Firewall] zone name trust
[Firewall-zone-trust] import interface gigabitethernet 1/4
[Firewall-zone-trust] quit
[Firewall] zone name DMZ
[Firewall-zone-DMZ] import interface gigabitethernet 1/5
[Firewall-zone-DMZ] quit
# Configure DNS.
[Firewall] dns resolve
[Firewall] dns proxy enable
[Firewall] dns server 202.168.100.240
[Firewall] dns domain 8042test.com
# Configure an ACL.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule 0 permit ip
[Firewall-acl-adv-3000] quit
# Configure NAT.
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] nat outbound 3000
[Firewall-GigabitEthernet1/3] quit
[Firewall] interface gigabitethernet 1/4
[Firewall-GigabitEthernet1/4] nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
[Firewall-GigabitEthernet1/4] nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
[Firewall-GigabitEthernet1/4] nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
Verifying the configuration
# Verify that you can ping lc1.8042test.com from the client.
# Verify that you can telnet lc1.8042test.com from the client.
# Verify that you can use HTTP to access lc1.8042test.com from the client.
# Use the debugging nat packet command to display NAT debug information on the firewall.
*Jul 26 16:43:01:084 2013 f5000a-2 NAT/7/debug:
(0x00000078-in:)Pro : TCP is to NAT server
( 10.1.1.3: 1460 - 202.168.100.70: 23) ------>
( 10.1.1.3: 1460 - 172.16.1.3: 23)
*Jul 26 16:43:01:085 2013 f5000a-2 NAT/7/debug:
(0x00000078-out:)Pro : TCP is from NAT server
( 172.16.1.3: 23 - 10.1.1.3: 1460) ------>
( 202.168.100.70: 23 - 10.1.1.3: 1460)
*Jul 26 16:43:01:085 2013 f5000a-2 NAT/7/debug:
(0x00000078-in:)Pro : TCP is to NAT server
( 10.1.1.3: 1460 - 202.168.100.70: 23) ------>
( 10.1.1.3: 1460 - 172.16.1.3: 23)
*Jul 26 16:43:01:086 2013 f5000a-2 NAT/7/debug:
(0x00000078-out:)Pro : TCP is from NAT server
( 172.16.1.3: 23 - 10.1.1.3: 1460) ------>
( 202.168.100.70: 23 - 10.1.1.3: 1460)
*Jul 26 16:43:01:086 2013 f5000a-2 NAT/7/debug:
(0x00000078-out:)Pro : TCP is from NAT server
( 172.16.1.3: 23 - 10.1.1.3: 1460) ------>
( 202.168.100.70: 23 - 10.1.1.3: 1460)
# Display information about session table entries on the firewall.
<Firewall> display session table verbose
Initiator:
  Source IP/Port : 10.1.1.3/1460
  Dest IP/Port : 202.168.100.70/23
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 172.16.1.3/23
  Dest IP/Port : 10.1.1.3/1460
  VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)
App: TELNET
Start time: 2011-07-26 16:42:59
Root
State: TCP-EST
TTL: 3595s
Zone(in): Trust
Zone(out): DMZ
Received packet(s)(Init): 18 packet(s) 1133 byte(s)
Received packet(s)(Reply): 15 packet(s) 1347 byte(s)
Initiator:
  Source IP/Port : 202.168.249.187/1039
  Dest IP/Port : 202.168.100.240/53
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 202.168.100.240/53
  Dest IP/Port : 202.168.249.187/1039
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)
App: DNS
State: UDP-READY
Start time: 2013-07-26 16:42:59
Root
TTL: 46s
Zone(in): Local
Zone(out): Untrust
Received packet(s)(Init): 1 packet(s) 62 byte(s)
Received packet(s)(Reply): 1 packet(s) 108 byte(s)
Initiator:
  Source IP/Port : 10.1.1.3/1025
  Dest IP/Port : 10.1.1.1/53
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 10.1.1.1/53
  Dest IP/Port : 10.1.1.3/1025
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)
App: DNS
State: UDP-READY
Start time: 2013-07-26 16:42:59
Root
TTL: 46s
Zone(in): Trust
Zone(out): Local
Received packet(s)(Init): 1 packet(s) 62 byte(s)
Configuration files
#
dns resolve
dns proxy enable
dns server 202.168.100.240
dns domain 8042test.com
#
acl number 3000
rule 0 permit ip
#
interface GigabitEthernet1/3
port link-mode route
nat outbound 3000
ip address 202.168.249.187 255.255.255.0
#
interface GigabitEthernet1/4
port link-mode route
nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/5
port link-mode route
ip address 172.16.1.1 255.255.255.0
#
zone name Trust id 2
priority 85
import interface GigabitEthernet1/4
zone name DMZ id 3
priority 50
import interface GigabitEthernet1/5
zone name Untrust id 4
priority 5
import interface GigabitEthernet1/3
Example: Allowing public users to use domain name to access a private server when the DNS server is on a private network
Network requirements
As shown in Figure 28, the DNS server is on a private network and stores the mapping of private IP
address 172.16.1.3 and domain name lc1.8042test.com for the service server on another private network.
Configure NAT and DNS on the firewall to enable public clients to access the service server by using the
domain name.
Figure 28 Network diagram
[Diagram: Trust zone: DNS server 192.168.100.240/24 connected to firewall GE1/3 (192.168.249.187/24). DMZ zone: Service server 172.16.1.3/24 (lc1.8042test.com) connected to firewall GE1/5 (172.16.1.1/24). Untrust zone: firewall GE1/4 (202.1.1.1/24) to the Internet, with the NAT server and the Client 202.1.1.3/24.]
Software version used
This configuration example was created and verified on SecPath F5000-A5 Feature 3213.
Configuration restrictions and guidelines
Before verifying the configuration, use the ipconfig/flushdns command to clear the DNS cache on the client.
Configuration procedures
Configuring the firewall in the Web interface
1. Configure IP addresses for interfaces GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5:
a. From the navigation tree, select Device Management > Interface.
b. Click the edit icon for GigabitEthernet 1/3.
Figure 29 Interface configuration page
c. Configure IP address 192.168.249.187 for interface GigabitEthernet 1/3, as shown in Figure 30.
d. Click Apply.
Figure 30 Edit Interface page for GigabitEthernet 1/3
e. Configure IP address 202.1.1.1 for interface GigabitEthernet 1/4 in the same way the IP address is configured for GigabitEthernet 1/3.
Figure 31 Edit Interface page for GigabitEthernet 1/4
f. Configure IP address 172.16.1.1 for interface GigabitEthernet 1/5 in the same way the IP address is configured for GigabitEthernet 1/3.
Figure 32 Edit Interface page for GigabitEthernet 1/5
2. Add interface GigabitEthernet 1/3 into the Trust zone, GigabitEthernet 1/4 into the Untrust zone, and interface GigabitEthernet 1/5 into the DMZ zone:
a. From the navigation tree, select Device Management > Zone.
b. Click the edit icon for the Trust zone.
Figure 33 Adding interfaces into security zones
c. On the Modify Zone page, select GigabitEthernet 1/3, and click Apply.
Figure 34 Modifying security zone
d. Add GigabitEthernet 1/4 into the Untrust zone, and GigabitEthernet 1/5 into the DMZ zone in the same way.
3. Configure DNS:
a. From the navigation tree, select Network > DNS > Dynamic.
b. Configure dynamic DNS, as shown in Figure 35.
c. Click Apply.
Figure 35 Configuring dynamic DNS
4. Configure ACL:
a. From the navigation tree, select Firewall > ACL.
b. Click Add.
c. Create ACL 3000:
− Enter 3000 in the ACL Number field.
− Select Config for Match Order.
− Click Apply.
Figure 36 Adding ACL
The ACL configuration result appears.
Figure 37 Configuration result
d. Click the edit icon for ACL 3000.
e. On the rule edit page that appears, click Add.
f. Configure an ACL rule, as shown in Figure 38.
g. Click Apply.
Figure 38 Adding a rule for ACL 3000
5. Configure NAT:
a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
b. Click Add.
c. Configure dynamic NAT on GigabitEthernet 1/3, as shown in Figure 39.
d. Click Apply.
Figure 39 Adding dynamic NAT
e. From the navigation tree, select Firewall > NAT Policy > Internal Server.
f. Click Add.
g. Configure internal servers on GigabitEthernet 1/4, as shown in Figure 40 and Figure 41.
h. Click Apply.
Figure 40 Adding internal server 1
Figure 41 Adding internal server 2
6. Configure ALG for DNS:
a. From the navigation tree, select Firewall > ALG.
b. Select DNS from Optional Application Protocols, and click << to add it to Selected Application Protocols.
c. Click Apply.
Figure 42 Configuring DNS ALG
Configuring the firewall at the CLI
# Configure IP addresses for GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5.
<Firewall> system-view
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] ip address 192.168.249.187 255.255.255.0
[Firewall-GigabitEthernet1/3] quit
[Firewall] interface gigabitethernet 1/4
[Firewall-GigabitEthernet1/4] ip address 202.1.1.1 255.255.255.0
[Firewall-GigabitEthernet1/4] quit
[Firewall] interface gigabitethernet 1/5
[Firewall-GigabitEthernet1/5] ip address 172.16.1.1 255.255.255.0
[Firewall-GigabitEthernet1/5] quit
# Add interface GigabitEthernet 1/3 into the Trust zone, GigabitEthernet 1/4 into the Untrust zone, and GigabitEthernet 1/5 into the DMZ zone.
[Firewall] zone name untrust
[Firewall-zone-untrust] import interface gigabitethernet 1/3
[Firewall-zone-untrust] quit
[Firewall] zone name trust
[Firewall-zone-trust] import interface gigabitethernet 1/4
[Firewall-zone-trust] quit
[Firewall] zone name DMZ
[Firewall-zone-DMZ] import interface gigabitethernet 1/5
[Firewall-zone-DMZ] quit
# Configure DNS.
[Firewall] dns resolve
[Firewall] dns proxy enable
[Firewall] dns server 192.168.100.240
[Firewall] dns domain 8042test.com
# Configure an ACL.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule 0 permit ip
[Firewall-acl-adv-3000] quit
# Configure NAT.
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] nat outbound 3000
[Firewall-GigabitEthernet1/3] quit
[Firewall] interface gigabitethernet 1/4
[Firewall-GigabitEthernet1/4] nat server protocol tcp global 202.1.1.240 any inside 192.168.100.240 any
[Firewall-GigabitEthernet1/4] nat server protocol udp global 202.1.1.240 any inside 192.168.100.240 any
[Firewall-GigabitEthernet1/4] nat server protocol icmp global 202.1.1.240 inside 192.168.100.240
[Firewall-GigabitEthernet1/4] nat server protocol tcp global 202.1.1.5 any inside 8.1.1.3 any
[Firewall-GigabitEthernet1/4] nat server protocol udp global 202.1.1.5 any inside 8.1.1.3 any
[Firewall-GigabitEthernet1/4] nat server protocol icmp global 202.1.1.5 inside 8.1.1.3
[Firewall-GigabitEthernet1/4] quit
# Enable ALG for DNS.
[Firewall] alg dns
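The alg dns step here and in the first example works by rewriting the addresses carried in A records of DNS replies as they cross the NAT boundary: a reply entering from a public DNS server has the global address of a nat server mapping replaced by its inside address (Direction : IN in the first example), and a reply leaving towards public clients has the inside address replaced by the global one (Direction : OUT here). The following Python model of that rewrite is an added example, not H3C code; the DNS message builder, the lc1.8042test.com reply and the mapping table taken from the first example's nat server commands are constructed for illustration.

```python
"""Toy model of the DNS ALG rewrite that 'alg dns' performs on A records.

Added example, not H3C code. The DNS message builder and the mapping table
(taken from the first example's nat server commands) are constructed here.
"""
import socket
import struct

TYPE_A = 1
TYPE_CNAME = 5

# global (public) address -> inside (private) address, as in
# "nat server ... global 202.168.100.70 ... inside 172.16.1.3" (constructed table).
NAT_SERVER_MAP = {"202.168.100.70": "172.16.1.3"}


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at off; handles label sequences and
    compression pointers (RFC 1035 section 4.1.4), which end the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response: one question, then the given (type, rdata)
    answers, each owner name a pointer to the question name (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, rdata in answers:
        rd = socket.inet_aton(rdata) if rtype == TYPE_A else _encode_name(rdata)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return header + question + body


def _iter_answers(msg):
    """Yield (rtype, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def a_records(msg):
    """Addresses carried in the A records of a DNS message."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for rtype, off, rdlen in _iter_answers(msg)
            if rtype == TYPE_A and rdlen == 4]


def dns_alg_rewrite(msg, mapping, direction):
    """Rewrite A-record addresses the way the DNS ALG does.

    direction "in": the reply comes from the public side (first example), so
    global addresses are replaced by inside addresses.
    direction "out": the reply leaves towards the public side (third example),
    so inside addresses are replaced by global ones.
    Addresses outside the mapping and non-A records are left untouched.
    Returns the new message and the list of (old, new) substitutions.
    """
    if direction == "in":
        table = mapping
    elif direction == "out":
        table = {inside: glob for glob, inside in mapping.items()}
    else:
        raise ValueError("direction must be 'in' or 'out'")
    out = bytearray(msg)
    changes = []
    for rtype, off, rdlen in _iter_answers(msg):
        if rtype != TYPE_A or rdlen != 4:
            continue
        addr = socket.inet_ntoa(msg[off:off + 4])
        if addr in table:
            out[off:off + 4] = socket.inet_aton(table[addr])
            changes.append((addr, table[addr]))
    return bytes(out), changes


if __name__ == "__main__":
    # Reply for lc1.8042test.com from the public DNS server, as a private client would receive it.
    reply = build_response("lc1.8042test.com", [(TYPE_A, "202.168.100.70")])
    fixed, changes = dns_alg_rewrite(reply, NAT_SERVER_MAP, "in")
    print(a_records(reply), "->", a_records(fixed), changes)
```

Only the 4-byte rdata of A records changes, so message length and compression pointers stay valid; CNAME records and addresses with no nat server mapping pass through unchanged.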
Verifying the configuration
# Verify that you can ping lc1.8042test.com from the client and the resolved IP address is 202.1.1.5.
# Verify that you can telnet lc1.8042test.com from the client.
# Verify that you can use HTTP to access lc1.8042test.com from the client.
# Use the debugging nat packet command to display NAT debug information on the firewall.
*Jul 26 18:00:59:734 2011 f5000a-2 NAT/7/debug:
(0x00000077-out:)Pro : UDP
( 202.1.1.3: 1025 - 192.168.100.240: 53) ------>
(192.168.249.187: 1029 - 192.168.100.240: 53)
*Jul 26 18:00:59:737 2011 f5000a-2 NAT/7/debug:
(0x00000077-in:)Pro : UDP
(192.168.100.240: 53 - 192.168.249.187: 1029) ------>
(192.168.100.240: 53 - 202.1.1.3: 1025)
*Jul 26 18:00:59:737 2013 f5000a-2 NAT/7/debug:
(0x00000077-out:)Pro : UDP
( 202.1.1.3: 1025 - 192.168.100.240: 53) ------>
(192.168.249.187: 1029 - 192.168.100.240: 53)
*Jul 26 18:00:59:738 2013 f5000a-2 NAT/7/debug:
(0x00000077-in:)Pro : UDP
(192.168.100.240: 53 - 192.168.249.187: 1029) ------>
(192.168.100.240: 53 - 202.1.1.3: 1025)
*Jul 26 18:00:59:738 2013 f5000a-2 ALG/7/ALG_DBG:Alg debug info:
From VPN : 0,Pro : Direction : OUT
( 172.16.1.3: 0 ) ----> ( 202.1.1.5: 0 )
*Jul 26 18:00:59:738 2013 f5000a-2 ALG/7/ALG_DBG:Alg debug info:
From VPN : 0,Pro : Direction : OUT
(192.168.100.240: 0 ) ----> ( 202.1.1.240: 0 )
*Jul 26 18:00:59:741 2013 f5000a-2 NAT/7/debug:
(0x00000078-in:)Pro : ICMP is to NAT server
( 202.1.1.3: --- - 202.1.1.5: --- ) ------>
( 202.1.1.3: --- - 172.16.1.3: --- )
*Jul 26 18:00:59:742 2013 f5000a-2 NAT/7/debug:
(0x00000078-out:)Pro : ICMP is from NAT server
( 172.16.1.3: --- - 202.1.1.3: --- ) ------>
( 202.1.1.5: --- - 202.1.1.3: --- )
# Display information about session table entries on the firewall.
<Firewall> display session table verbose
Initiator:
  Source IP/Port : 202.1.1.3/3668
  Dest IP/Port : 202.1.1.5/23
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 172.16.1.3/23
  Dest IP/Port : 202.1.1.3/3668
  VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)
App: TELNET
Start time: 2013-07-27 09:14:25
Root
State: TCP-EST
TTL: 3595s
Zone(in): Trust
Zone(out): DMZ
Received packet(s)(Init): 10 packet(s) 630 byte(s)
Received packet(s)(Reply): 12 packet(s) 1141 byte(s)
Initiator:
  Source IP/Port : 202.1.1.3/1025
  Dest IP/Port : 192.168.100.240/53
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 192.168.100.240/53
  Dest IP/Port : 192.168.249.187/1039
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)
App: DNS
State: UDP-READY
Start time: 2013-07-27 09:13:38
Root
TTL: 54s
Zone(in): Trust
Zone(out): Untrust
Received packet(s)(Init): 3 packet(s) 183 byte(s)
Received packet(s)(Reply): 3 packet(s) 326 byte(s)
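The session table is the place to confirm, in all three examples, that the nat server mapping and nat outbound actually took effect: the initiator's destination is the global address while the responder's source is the inside address, and the responder replies to a translated address rather than the initiator's own. The parser below automates that reading of display session table verbose output; it is an added example, not an H3C tool, and SAMPLE is constructed in the layout shown on this page using the addresses of the second example.

```python
"""Parse 'display session table verbose' output and check that NAT was applied.

Added example, not an H3C tool. SAMPLE is constructed in the layout of the
session table shown on this page, using the addresses of the second example.
"""
import re

SAMPLE = """\
Initiator:
  Source IP/Port : 10.1.1.3/1460
  Dest IP/Port : 202.168.100.70/23
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 172.16.1.3/23
  Dest IP/Port : 10.1.1.3/1460
  VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)
App: TELNET
State: TCP-EST
Zone(in): Trust
Zone(out): DMZ
Initiator:
  Source IP/Port : 10.1.1.3/1025
  Dest IP/Port : 202.168.100.240/53
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 202.168.100.240/53
  Dest IP/Port : 202.168.249.187/1027
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)
App: DNS
State: UDP-READY
Zone(in): Trust
Zone(out): Untrust
"""

ENDPOINT_RE = re.compile(r"^(Source|Dest)\s+IP/Port\s*:\s*([\d.]+)/(\d+)$")
FIELD_RE = re.compile(r"^(Pro|App|State|Zone\(in\)|Zone\(out\))\s*:\s*(\S+)$")


def parse_sessions(text):
    """Return one dict per session: init_src, init_dst, resp_src, resp_dst as
    (ip, port) tuples plus the scalar fields Pro, App, State, Zone(in), Zone(out)."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":
            cur, side = {}, "init"
            sessions.append(cur)
        elif line == "Responder:":
            side = "resp"
        elif cur is not None:
            m = ENDPOINT_RE.match(line)
            if m:
                key = side + ("_src" if m.group(1) == "Source" else "_dst")
                cur[key] = (m.group(2), int(m.group(3)))
                continue
            m = FIELD_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    return sessions


def nat_server_applied(session, global_ip, inside_ip):
    """True when a session addressed to global_ip was answered from inside_ip,
    i.e. the nat server mapping took effect; None when the session is not to global_ip."""
    if session["init_dst"][0] != global_ip:
        return None
    return session["resp_src"][0] == inside_ip


def outbound_nat_applied(session):
    """True when the responder replies to an address other than the initiator's
    own, i.e. the initiator's source address was translated by nat outbound."""
    return session["resp_dst"][0] != session["init_src"][0]


def nat_report(text, global_ip, inside_ip):
    """Summarise every session as (App, nat_server, outbound) for quick review."""
    return [(s["App"], nat_server_applied(s, global_ip, inside_ip), outbound_nat_applied(s))
            for s in parse_sessions(text)]


if __name__ == "__main__":
    for row in nat_report(SAMPLE, "202.168.100.70", "172.16.1.3"):
        print(row)
```

A session whose initiator destination is the global address but whose responder source is still that global address means the nat server rule did not match, which is the first thing to check when the domain name resolves but the service is unreachable.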
Configuration files
#
dns resolve
dns proxy enable
dns server 192.168.100.240
dns domain 8042test.com
#
acl number 3000
rule 0 permit ip
#
interface GigabitEthernet1/3
port link-mode route
nat outbound 3000
ip address 192.168.249.187 255.255.255.0
#
interface GigabitEthernet1/4
port link-mode route
nat server protocol tcp global 202.1.1.240 any inside 192.168.100.240 any
nat server protocol udp global 202.1.1.240 any inside 192.168.100.240 any
nat server protocol icmp global 202.1.1.240 inside 192.168.100.240
nat server protocol tcp global 202.1.1.5 any inside 8.1.1.3 any
nat server protocol udp global 202.1.1.5 any inside 8.1.1.3 any
nat server protocol icmp global 202.1.1.5 inside 8.1.1.3
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet1/5
port link-mode route
ip address 172.16.1.1 255.255.255.0
#
zone name Trust id 2
priority 85
import interface GigabitEthernet1/4
zone name DMZ id 3
priority 50
import interface GigabitEthernet1/5
zone name Untrust id 4
priority 5
import interface GigabitEthernet1/3
Related documentation
•
H3C SecPath Series Firewalls and UTM Devices NAT and ALG Configuration Guide
•
H3C SecPath Series Firewalls and UTM Devices NAT and ALG Command Reference
•
H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide
•
H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference
•
H3C SecPath Series Firewalls and UTM Devices Network Management Configuration Guide
•
H3C SecPath Series Firewalls and UTM Devices Network Management Command Reference