H3C Firewall and UTM Devices IPsec-NAT Configuration Examples (Comware V5)

Transcription

1 H3C Firewall and UTM Devices IPsec-NAT Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

2 Contents Introduction 1 Prerequisites 1 Example: Configuring IPsec and NAT combined application 1 Network requirements 1 Software version used 1 Configuration procedures 2 Configuring Firewall A 2 Configuring Firewall B 14 Verifying the configuration 23 Configuration files 23 Related documentation 25 i

3 Introduction This document provides a configuration example for IPsec and NAT combined application. Prerequisites This document is not restricted to specific software or hardware versions. The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network. This document assumes that you have basic knowledge of IPsec and NAT. Example: Configuring IPsec and NAT combined application Network requirements As shown in Figure 1, an enterprise internal network LAN 1 accesses the Internet through Firewall A (a F1000-E firewall) and accesses the server in LAN 2 through an IPsec tunnel. Firewall A uses NAT to save public IP addresses. Firewall B (a F5000-A5 firewall) uses NAT to hide the internal server IP address. Figure 1 Network diagram Software version used This configuration example was created and verified on SecPath F1000-E Release 3734P06 and SecPath F5000-A5 Feature

4 Configuration procedures Configuring Firewall A Configuring Firewall A in the Web interface 1. Configure an IP address for GigabitEthernet 0/1: a. From the navigation tree, select Device Management > Interface. b. Click the icon for interface GigabitEthernet 0/1 to enter the interface configuration page. c. Configure IP address for the interface. d. Click Apply. Figure 2 Configuring interface GigabitEthernet 0/1 2. Configure an IP address for GigabitEthernet 0/3: a. From the navigation tree, select Device Management > Interface. b. Click the icon for interface GigabitEthernet 0/3 to enter the interface configuration page. c. Configure IP address for the interface. d. Click Apply. 2

5 Figure 3 Configuring interface GigabitEthernet 0/3 3. Configure a NAT address pool: a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT. The Address Pool & Dynamic NAT page appears. Figure 4 Address Pool & Dynamic NAT page b. In the Address Pool area, click Add. The Add NAT Address Pool page appears. c. Enter index 0, start IP address , and end IP address d. Click Apply. 3

6 Figure 5 Adding a NAT address pool 4. Configure ACL 3100 to match packets to be NATed: a. From the navigation tree, select Firewall > ACL. The ACL list is displayed. Figure 6 ACL list b. Click Add to create ACL 3100, as shown in Figure 7. c. Click Apply. ACL 3100 will be displayed in the ACL list. Figure 7 Adding an ACL Figure 8 ACL 3100 in the ACL list 4

7 d. Click the edit icon for ACL The Advanced ACL 3100 page appears. Figure 9 Advanced ACL 3100 page e. Click Add to add a rule for ACL Figure 10 Adding a rule for ACL 3100 f. Click Apply. The Advanced ACL 3100 page appears again, displaying the rule you just added. Figure 11 Rule added for ACL Configure ACL 3101 to match packets to be IPsec protected: a. From the navigation tree, select Firewall > ACL. The ACL list is displayed. 5

8 Figure 12 ACL list b. Click Add to create ACL 3101, as shown in Figure 13. c. Click Apply. ACL 3101 will be displayed in the ACL list. Figure 13 Adding an ACL Figure 14 ACL 3101 in the ACL list d. Click the edit icon for ACL The Advanced ACL 3101 page appears. Figure 15 Advanced ACL 3101 page e. Click Add to add a rule for ACL

9 Figure 16 Adding a rule for ACL 3101 f. Click Apply. The Advanced ACL 3101 page appears again, displaying the rule you just added. Figure 17 Rule added for ACL Configure an IKE proposal: a. From the navigation tree, select VPN > IKE > Proposal. The IKE proposal list page appears. Figure 18 IKE proposal list b. Click Add to configure an IKE proposal, as shown in Figure 19. c. Click Apply. 7

10 Figure 19 Adding an IKE proposal 7. Configure an IKE peer: a. From the navigation tree, select VPN > IKE > Peer. The IKE peer list page appears. Figure 20 IKE peer list b. Click Add to configure an IKE peer with the pre-shared key nat, as shown in Figure 21. c. Click Apply. 8

11 Figure 21 Adding an IKE peer 8. Specify the IKE proposal for the IKE peer to reference. This configuration is supported only at the CLI. For the CLI configuration, see "Configuring Firewall A at the CLI." 9. Configure an IPsec proposal: a. From the navigation tree, select VPN > IPSec > Proposal. The IPsec proposal list page appears. Figure 22 IPsec proposal list b. Click Add. The IPSec Proposal Configuration Wizard appears. Figure 23 IPsec proposal configuration wizard c. Click Custom mode to configure an IPsec proposal, as shown in Figure 24. 9

12 d. Click Apply. Figure 24 Adding an IPsec proposal 10. Configure an IPsec policy: a. From the navigation tree, select VPN > IPSec > Policy. The IPsec policy list page appears. Figure 25 IPsec policy list b. Click Add to configure an IPsec policy, as shown in Figure 26. c. Click Apply. 10

13 Figure 26 Adding an IPsec policy 11. Apply the IPsec policy to the interface GigabitEthernet 0/3: a. From the navigation tree, select VPN > IPSec > IPSec Application. b. Click the edit icon for interface GigabitEthernet 0/3. c. Select the IPsec policy nat_po. d. Click Apply. Figure 27 IPsec policy application 12. Configure dynamic NAT: a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT. 11

14 Figure 28 Address Pool & Dynamic NAT page b. In the Dynamic NAT area, click Add to configure dynamic NAT, as shown in Figure 29. c. Click Apply. Figure 29 Adding dynamic NAT Configuring Firewall A at the CLI Configure an IP address for interface GigabitEthernet 0/1. <FirewallA> system-view [FirewallA] interface gigabitethernet 0/1 [FirewallA-GigabitEthernet0/1] ip address [FirewallA-GigabitEthernet0/1] quit Configure an IP address for interface GigabitEthernet 0/3. [FirewallA] interface gigabitethernet 0/3 [FirewallA-GigabitEthernet0/3] ip address [FirewallA-GigabitEthernet0/3] quit Configure a NAT address pool. [FirewallA] nat address-group level 1 Configure ACL 3100 to identify packets to be NATed. [FirewallA] acl number 3100 [FirewallA-acl-adv-3100] rule 0 permit ip source destination [FirewallA-acl-adv-3100] quit Configure ACL 3101 to identify packets to be IPsec protected. [FirewallA] acl number

15 [FirewallA-acl-adv-3101] rule 0 permit ip source destination [FirewallA-acl-adv-3101] quit Configure IKE proposal 1. [FirewallA] ike proposal 1 [FirewallA-ike proposal-1] authentication-method pre-share [FirewallA-ike-proposal-1] authentication-algorithm md5 [FirewallA-ike-proposal-1] encryption-algorithm des-cbc [FirewallA-ike-proposal-1] dh group1 [FirewallA-ike proposal-1] quit Create IKE peer peer_nat. [FirewallA] ike peer peer_nat Set the pre-shared key for IKE negotiation to plaintext string nat. [FirewallA-ike-peer-peer_nat] pre-shared-key nat Specify the IP address of the remote IKE security gateway. [FirewallA-ike-peer-peer_nat] remote-address Specify IKE proposal 1 for the IKE peer to reference. [FirewallA-ike-peer-peer_nat] proposal 1 [FirewallA-ike-peer-peer_nat] quit Configure an IPsec transform set. [FirewallA] ipsec transform-set nat_prop [FirewallA-ipsec-transform-set-nat_prop] encapsulation-mode tunnel [FirewallA-ipsec-transform-set-nat_prop] transform esp [FirewallA-ipsec-transform-set-nat_prop] esp authentication-algorithm md5 [FirewallA-ipsec-transform-set-nat_prop] esp encryption-algorithm des [FirewallA-ipsec-transform-set-nat_prop] quit Create an IKE-based IPsec policy with the name nat_po and sequence number 1. [FirewallA] ipsec policy nat_po 1 isakmp Reference ACL [FirewallA-ipsec-policy-isakmp-nat_po-1] security acl 3101 Reference IKE peer peer_nat. [FirewallA-ipsec-policy-isakmp-nat_po-1] ike-peer peer_nat Reference IPsec transform set nat_prop. [FirewallA-ipsec-policy-isakmp-nat_po-1] transform-set nat_prop [FirewallA-ipsec-policy-isakmp-nat_po-1] quit Apply the IPsec policy to the interface GigabitEthernet 0/3. [FirewallA] interface gigabitethernet 0/3 [FirewallA-GigabitEthernet0/3] ipsec policy nat_po Apply the NAT address pool to the interface GigabitEthernet 0/3. [FirewallA-GigabitEthernet0/3] nat outbound 3100 address-group 0 [FirewallA-GigabitEthernet0/3] quit 13

16 Configuring Firewall B Configuring Firewall B in the Web interface 1. Configure an IP address for GigabitEthernet 1/1: a. From the navigation tree, select Device Management > Interface. b. Click the icon for interface GigabitEthernet 1/1 to enter the interface configuration page. c. Configure IP address for the interface. d. Click Apply. Figure 30 Configuring interface GigabitEthernet 1/1 2. Configure an IP address for GigabitEthernet 1/3: a. From the navigation tree, select Device Management > Interface. b. Click the icon for interface GigabitEthernet 1/3 to enter the interface configuration page. c. Configure IP address for the interface. d. Click Apply. 14

17 Figure 31 Configuring interface GigabitEthernet 1/3 3. Configure ACL 3101 for IPsec: a. From the navigation tree, select Firewall > ACL. The ACL list is displayed. Figure 32 ACL list b. Click Add to create ACL 3101, as shown in Figure 33. c. Click Apply. ACL 3101 will be displayed in the ACL list. Figure 33 Adding an ACL 15

18 Figure 34 ACL 3101 in the ACL list d. Click the edit icon for ACL The Advanced ACL 3101 page appears. Figure 35 Advanced ACL 3101 e. Click Add to add a rule for ACL 3101, as shown in Figure 36. f. Click Apply. The Advanced ACL 3101 page appears again, displaying the rule you just added. Figure 36 Adding a rule for ACL 3101 Figure 37 Rule added for ACL Configure an IKE proposal: 16

19 a. From the navigation tree, select VPN > IKE > Proposal. The IKE proposal list page appears. Figure 38 IKE proposal list b. Click Add to configure an IKE proposal, as shown in Figure 39. c. Click Apply. Figure 39 Adding an IKE proposal 5. Configure an IKE peer: a. From the navigation tree, select VPN > IKE > Peer. The IKE peer list page appears. Figure 40 IKE peer list b. Click Add to configure an IKE peer with the pre-shared key nat, as shown in Figure 41. c. Click Apply. 17

20 Figure 41 Adding an IKE peer 6. Specify the IKE proposal for the IKE peer to reference. This configuration is supported only at the CLI. For the CLI configuration, see "Configuring Firewall B at the CLI." 7. Configure an IPsec proposal: a. From the navigation tree, select VPN > IPSec > Proposal. The IPsec proposal list page appears. Figure 42 IPsec proposal list b. Click Add. The IPSec Proposal Configuration Wizard appears. Figure 43 IPsec proposal configuration wizard c. Click Custom mode to configure an IPsec proposal, as shown in Figure 44. d. Click Apply. 18

21 Figure 44 Adding an IPsec proposal 8. Configure an IPsec policy: a. From the navigation tree, select VPN > IPSec > Policy. The IPsec policy list page appears. Figure 45 IPsec policy list b. Click Add to configure an IPsec policy, as shown in Figure 46. c. Click Apply. 19

22 Figure 46 Adding an IPsec policy 9. Apply the IPsec policy to interface GigabitEthernet 1/3: a. From the navigation tree, select VPN > IPSec > IPSec Application. b. Click the edit icon for interface GigabitEthernet 1/3. c. Select the IPsec policy nat_po. d. Click Apply. Figure 47 IPsec policy application 10. Configure the internal server: a. From the navigation tree, select Firewall > NAT Policy > Internal Server. 20

23 Figure 48 Internal Server & DNS-MAP page b. In the Internal Server area, click Add to configure the internal server, as shown in Figure 49. c. Click Apply. Figure 49 Adding an internal server Configuring Firewall B at the CLI Configure an IP address for interface GigabitEthernet 1/1. <FirewallB> system-view [FirewallB] interface gigabitethernet 1/1 [FirewallB-GigabitEthernet1/1] ip address [FirewallB-GigabitEthernet1/1] quit Configure an IP address for interface GigabitEthernet 1/3. [FirewallB] interface gigabitethernet 1/3 [FirewallB-GigabitEthernet1/3] ip address [FirewallB-GigabitEthernet1/3] quit Enable the system-defined interzone policy to match packets that do not match any other interzone policy. [FirewallB] interzone policy default by-priority Configure ACL 3101 for IPsec. 21

24 [FirewallB] acl number 3101 [FirewallB-acl-adv-3101] rule 0 permit ip source destination [FirewallB-acl-adv-3101] quit Configure IKE proposal 1. [FirewallB] ike proposal 1 [FirewallB-ike proposal-1] authentication-method pre-share [FirewallB-ike proposal-1] authentication-algorithm md5 [FirewallB-ike-proposal-1] encryption-algorithm des-cbc [FirewallB-ike-proposal-1] dh group1 [FirewallB-ike proposal-1] quit Create IKE peer peer_nat. [FirewallB] ike peer peer_nat Set the pre-shared key for IKE negotiation to plaintext string nat. [FirewallB-ike-peer-peer_nat] pre-shared-key nat Specify the IP address of the local IKE security gateway. [FirewallB-ike-peer-peer_nat] local-address Specify IKE proposal 1 for the IKE peer to reference. [FirewallB-ike-peer-peer_nat] proposal 1 [FirewallB-ike-peer-peer_nat] quit Configure an IPsec transform set. [FirewallB] ipsec transform-set nat_prop [FirewallB-ipsec-transform-set-nat_prop] encapsulation-mode tunnel [FirewallB-ipsec-transform-set-nat_prop] transform esp [FirewallB-ipsec-transform-set-nat_prop] esp authentication-algorithm md5 [FirewallB-ipsec-transform-set-nat_prop] esp encryption-algorithm des [FirewallB-ipsec-transform-set-nat_prop] quit Create an IKE-based IPsec policy with the name nat_po and sequence number to 1. [FirewallB] ipsec policy nat_po 1 isakmp Reference ACL [FirewallB-ipsec-policy-isakmp-nat_po-1] security acl 3101 Reference IKE peer peer_nat. [FirewallB-ipsec-policy-isakmp-nat_po-1] ike-peer peer_nat Reference IPsec transform set nat_prop. [FirewallB-ipsec-policy-isakmp-nat_po-1] transform-set nat_prop [FirewallB-ipsec-policy-isakmp-nat_po-1] quit Apply the IPsec policy to the interface GigabitEthernet 1/3. [FirewallB] interface gigabitethernet 1/3 [FirewallB-GigabitEthernet1/3] ipsec policy nat_po Apply the internal server to the interface GigabitEthernet 1/3. [FirewallB-GigabitEthernet1/3] nat server protocol udp global any inside any [FirewallB-GigabitEthernet1/3] quit 22

25 Verifying the configuration Enable NAT packet debugging on Firewall A and B. This example uses Firewall A. <FirewallA> debugging nat packet <FirewallA> terminal debugging <FirewallA> terminal monitor <FirewallA> system-view [FirewallA] info-center enable Access the server in LAN 2 from a host in LAN 1. NAT packet debugging information is generated on both firewalls. <FirewallA> *Feb 29 14:35:18: FirewallA NAT/7/debug: (GigabitEthernet0/3-out:)Pro : UDP ( : : 1024) > ( : : 1024) <FirewallB> *Feb 29 14:38:54: FirewallB NAT/7/debug: (GigabitEthernet1/3-in:)Pro : UDP is to NAT server ( : : 1024) > ( : : 1024) Display the IKE SAs established on the firewalls. <FirewallA> display ike sa total phase-1 SAs: 1 connection-id peer flag phase doi status RD ST 1 IPSEC RD ST 2 IPSEC -- flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT <FirewallB> display ike sa total phase-1 SAs: 1 connection-id peer flag phase doi status RD 1 IPSEC RD 2 IPSEC -- flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO TIMEOUT Configuration files Firewall A: nat address-group level 1 23

26 acl number 3100 rule 0 permit ip source destination acl number 3101 rule 0 permit ip source destination ike proposal 1 authentication-algorithm md5 ike peer peer_nat proposal 1 pre-shared-key cipher $c$3$2kwok6fyspmm5vbgpjhuft4myh1ccq== remote-address ipsec transform-set nat_prop encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm des ipsec policy nat_po 1 isakmp security acl 3101 ike-peer peer_nat transform-set nat_prop interface GigabitEthernet0/1 port link-mode route ip address interface GigabitEthernet0/3 port link-mode route nat outbound 3100 address-group 0 ip address ipsec policy nat_po Firewall B: interzone policy default by-priority acl number 3101 rule 0 permit ip source destination ike proposal 1 authentication-algorithm md5 ike peer peer_nat proposal 1 pre-shared-key cipher $c$3$mtwnfgqkumgkblan1+s81xz579tlkg== local-address

27 ipsec transform-set nat_prop encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm des ipsec policy nat_po 1 isakmp security acl 3101 ike-peer peer_nat transform-set nat_prop interface GigabitEthernet1/1 port link-mode route ip address interface GigabitEthernet1/3 port link-mode route nat server protocol udp global any inside any ip address ipsec policy nat_po Related documentation H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference H3C SecPath Series Firewalls and UTM Devices VPN Configuration Guide H3C SecPath Series Firewalls and UTM Devices VPN Command Reference H3C SecPath Series Firewalls and UTM Devices Network Management Configuration Guide H3C SecPath Series Firewalls and UTM Devices Network Management Command Reference 25