H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)




Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

Contents

Introduction
Prerequisites
Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (using ALG)
    Network requirements
    Software version used
    Configuration procedures
        Configuring the firewall in the Web interface
        Configuring the firewall at the CLI
    Verifying the configuration
    Configuration files
Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (without ALG)
    Network requirements
    Software version used
    Configuration procedures
        Configuring the firewall in the Web interface
        Configuring the firewall at the CLI
    Verifying the configuration
    Configuration files
Example: Allowing public users to use domain name to access a private server when the DNS server is on a private network
    Network requirements
    Software version used
    Configuration restrictions and guidelines
    Configuration procedures
        Configuring the firewall in the Web interface
        Configuring the firewall at the CLI
    Verifying the configuration
    Configuration files
Related documentation

Introduction

This document provides DNS and NAT configuration examples.

Prerequisites

This document is not restricted to specific software or hardware versions. The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of DNS, NAT, and ALG.

Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (using ALG)

Network requirements

As shown in Figure 1, the DNS server is on the public network and stores the mapping of public IP address 202.168.100.70 and domain name lc1.8042test.com for a service server on a private network. Configure DNS with ALG and NAT on the firewall to enable clients on another private network to access the service server by using the domain name.

Figure 1 Network diagram

Software version used

This configuration example was created and verified on SecPath F5000-A5 Feature 3213.

Configuration procedures

Configuring the firewall in the Web interface

1. Configure IP addresses for interfaces GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5:
    a. From the navigation tree, select Device Management > Interface.
    b. Click the icon for interface GigabitEthernet 1/3.
    Figure 2 Interface configuration page
    c. Configure IP address 202.168.249.187 for GigabitEthernet 1/3, as shown in Figure 3.
    d. Click Apply.
    Figure 3 Edit Interface page for GigabitEthernet 1/3
    e. Configure IP address 10.1.1.1 for GigabitEthernet 1/4 in the same way as for GigabitEthernet 1/3.
    Figure 4 Edit Interface page for GigabitEthernet 1/4
    f. Configure IP address 172.16.1.1 for GigabitEthernet 1/5 in the same way as for GigabitEthernet 1/3.
    Figure 5 Edit Interface page for GigabitEthernet 1/5
2. Add interface GigabitEthernet 1/3 into the Untrust zone, interface GigabitEthernet 1/4 into the Trust zone, and interface GigabitEthernet 1/5 into the DMZ zone:
    a. From the navigation tree, select Device Management > Zone.
    b. Click the icon for the Untrust zone.
    Figure 6 Adding interfaces into security zones
    c. On the Modify Zone page, select GigabitEthernet 1/3, and click Apply.
    Figure 7 Modifying security zone
    d. Add GigabitEthernet 1/5 into the DMZ zone, and GigabitEthernet 1/4 into the Trust zone in the same way.
3. Configure DNS:
    a. From the navigation tree, select Network > DNS > Dynamic.
    b. Configure dynamic DNS, as shown in Figure 8.
    c. Click Apply.
    Figure 8 Configuring dynamic DNS
4. Configure ACL:
    a. From the navigation tree, select Firewall > ACL.
    b. Click Add.
    c. Create ACL 3000: enter 3000 in the ACL Number field, select Config for Match Order, and click Apply.
    Figure 9 Creating ACL 3000
    The ACL configuration result appears.
    Figure 10 Configuration result
    d. Click the icon for ACL 3000.
    e. On the rule edit page that appears, click Add.
    f. Configure an ACL rule, as shown in Figure 11.
    g. Click Apply.
    Figure 11 Creating a rule for ACL 3000
5. Configure NAT:
    a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
    b. Click Add.
    c. Configure dynamic NAT on GigabitEthernet 1/3, as shown in Figure 12.
    d. Click Apply.
    Figure 12 Adding dynamic NAT
    e. From the navigation tree, select Firewall > NAT Policy > Internal Server.

    f. Click Add.
    g. Configure internal server on GigabitEthernet 1/3, as shown in Figure 13.
    h. Click Apply.
    Figure 13 Adding internal server
6. Configure DNS ALG:
    a. From the navigation tree, select Firewall > ALG.
    b. Select DNS from Optional Application Protocols, and click << to add it to Selected Application Protocols.
    c. Click Apply.
    Figure 14 Configuring DNS ALG

Configuring the firewall at the CLI

    # Configure IP addresses for GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5.
    <Firewall> system-view
    [Firewall] interface gigabitethernet 1/3
    [Firewall-GigabitEthernet1/3] ip address 202.168.249.187 255.255.255.0
    [Firewall-GigabitEthernet1/3] quit
    [Firewall] interface gigabitethernet 1/4
    [Firewall-GigabitEthernet1/4] ip address 10.1.1.1 255.255.255.0
    [Firewall-GigabitEthernet1/4] quit
    [Firewall] interface gigabitethernet 1/5
    [Firewall-GigabitEthernet1/5] ip address 172.16.1.1 255.255.255.0
    [Firewall-GigabitEthernet1/5] quit
    # Add GigabitEthernet 1/3 into the Untrust zone, GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone.
    [Firewall] zone name untrust
    [Firewall-zone-untrust] import interface gigabitethernet 1/3
    [Firewall-zone-untrust] quit
    [Firewall] zone name trust
    [Firewall-zone-trust] import interface gigabitethernet 1/4
    [Firewall-zone-trust] quit
    [Firewall] zone name DMZ
    [Firewall-zone-DMZ] import interface gigabitethernet 1/5
    [Firewall-zone-DMZ] quit
    # Configure DNS: enable dynamic domain name resolution and DNS proxy, and specify the public DNS server and the default domain name suffix.
    [Firewall] dns resolve
    [Firewall] dns proxy enable
    [Firewall] dns server 202.168.100.240
    [Firewall] dns domain 8042test.com
    # Configure an ACL that identifies the traffic to be translated by outbound NAT (rule 0 matches all IP traffic).
    [Firewall] acl number 3000
    [Firewall-acl-adv-3000] rule 0 permit ip
    [Firewall-acl-adv-3000] quit
    # Configure NAT on the public interface: outbound NAT for ACL 3000, and internal server mappings from public address 202.168.100.70 to the service server 172.16.1.3.
    [Firewall] interface gigabitethernet 1/3
    [Firewall-GigabitEthernet1/3] nat outbound 3000
    [Firewall-GigabitEthernet1/3] nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
    [Firewall-GigabitEthernet1/3] nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
    [Firewall-GigabitEthernet1/3] nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
    [Firewall-GigabitEthernet1/3] quit
    # Enable ALG for DNS, so that the public address 202.168.100.70 in DNS replies is translated to 172.16.1.3 before the reply reaches the private client.
    [Firewall] alg dns

Verifying the configuration

    # Verify that you can ping domain name lc1.8042test.com from the client, and that the resolved IP address is 172.16.1.3.
    # Verify that you can telnet to lc1.8042test.com from the client.
    # Verify that you can use HTTP to access lc1.8042test.com from the client.
    # Use the debugging nat packet command to display NAT debug information on the firewall.
    *Jul 26 16:43:01:084 2013 f5000a-2 NAT/7/debug: (0x00000078-in:)Pro : TCP is to NAT server ( 10.1.1.3: 1460-202.168.100.70: 23) ------> ( 10.1.1.3: 1460-172.16.1.3: 23)
    *Jul 26 17:31:50:865 2013 f5000a-2 NAT/7/debug: (0x00000077-out:)Pro : UDP ( 10.1.1.3: 1025-202.168.100.240: 53) ------> (202.168.249.187: 1027-202.168.100.240: 53)
    *Jul 26 17:31:50:866 2013 f5000a-2 NAT/7/debug: (0x00000077-in:)Pro : UDP (202.168.100.240: 53-202.168.249.187: 1027) ------> (202.168.100.240: 53-10.1.1.3: 1025)
    *Jul 26 17:31:50:867 2013 f5000a-2 NAT/7/debug: (0x00000077-out:)Pro : UDP ( 10.1.1.3: 1025-202.168.100.240: 53) ------> (202.168.249.187: 1027-202.168.100.240: 53)
    *Jul 26 17:31:50:868 2013 f5000a-2 NAT/7/debug: (0x00000077-in:)Pro : UDP (202.168.100.240: 53-202.168.249.187: 1027) ------> (202.168.100.240: 53-10.1.1.3: 1025)
    *Jul 26 17:31:50:868 2013 f5000a-2 ALG/7/ALG_DBG:Alg debug info: From VPN : 0,Pro : Direction : IN ( 202.168.100.70: 0 ) ----> ( 172.16.1.3: 0 )
    # Display information about session table entries on the firewall.
    <Firewall> display session table verbose
    Initiator:
      Source IP/Port : 10.1.1.3/2048
      Dest IP/Port   : 172.16.1.3/768
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 172.16.1.3/0
      Dest IP/Port   : 10.1.1.3/768
      VPN-Instance/VLAN ID/VLL ID:
    Pro: ICMP(1)  App: unknown  State: ICMP-CLOSED
    Start time: 2013-07-26 17:31:49  TTL: 20s  Root Zone(in): Trust  Zone(out): DMZ
    Received packet(s)(init): 4 packet(s) 294 byte(s)
    Received packet(s)(reply): 4 packet(s) 294 byte(s)

    Initiator:
      Source IP/Port : 10.1.1.3/137
      Dest IP/Port   : 10.1.1.255/137
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 10.1.1.255/137
      Dest IP/Port   : 10.1.1.3/137
      VPN-Instance/VLAN ID/VLL ID:
    Pro: UDP(17)  App: NBT-name  State: UDP-OPEN
    Start time: 2013-07-26 17:31:39  TTL: 6s  Root Zone(in): Trust  Zone(out): Local
    Received packet(s)(init): 3 packet(s) 234 byte(s)
    Received packet(s)(reply): 0 packet(s) 0 byte(s)

    Initiator:
      Source IP/Port : 10.1.1.3/1025
      Dest IP/Port   : 202.168.100.240/53
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 202.168.100.240/53
      Dest IP/Port   : 202.168.249.187/1027
      VPN-Instance/VLAN ID/VLL ID:
    Pro: UDP(17)  App: DNS  State: UDP-READY
    Start time: 2013-07-26 17:31:49  TTL: 42s  Root Zone(in): Trust  Zone(out): Untrust
    Received packet(s)(init): 2 packet(s) 124 byte(s)
    Received packet(s)(reply): 2 packet(s) 221 byte(s)

    Total find: 3

Configuration files

    #
    dns resolve
    dns proxy enable
    dns server 202.168.100.240
    dns domain 8042test.com
    #
    acl number 3000
     rule 0 permit ip
    #
    interface GigabitEthernet1/4
     port link-mode route
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/5
     port link-mode route
     ip address 172.16.1.1 255.255.255.0
    #
    interface GigabitEthernet1/3
     port link-mode route
     nat outbound 3000
     nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
     nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
     nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
     ip address 202.168.249.187 255.255.255.0
    #
    zone name Trust id 2
     priority 85
     import interface GigabitEthernet1/4
    zone name DMZ id 3
     priority 50
     import interface GigabitEthernet1/5
    zone name Untrust id 4
     priority 5
     import interface GigabitEthernet1/3
    #

Example: Allowing private users to use domain name to access a private server when the DNS server is on the public network (without ALG)

Network requirements

As shown in Figure 15, the DNS server is on the public network and stores the mapping of public IP address 202.168.100.70 and domain name lc1.8042test.com for a service server on a private network. Configure DNS and NAT on the firewall to enable clients on another private network to access the service server by using the domain name.

Figure 15 Network diagram (Trust zone: Client 10.1.1.3/24 behind GE1/4 10.1.1.1/24; DMZ zone: Service server 172.16.1.3/24, lc1.8042test.com, behind GE1/5 172.16.1.1/24; Untrust zone: GE1/3 202.168.249.187/24 toward the Internet, DNS server 202.168.100.240/24, NAT server)

Software version used

This configuration example was created and verified on SecPath F5000-A5 Feature 3213.

Configuration procedures

Configuring the firewall in the Web interface

1. Configure IP addresses for interfaces GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5:
    a. From the navigation tree, select Device Management > Interface.
    b. Click the icon for GigabitEthernet 1/3.
    Figure 16 Interface configuration page
    c. Configure IP address 202.168.249.187 for interface GigabitEthernet 1/3, as shown in Figure 17.
    d. Click Apply.
    Figure 17 Edit Interface page for GigabitEthernet 1/3
    e. Configure IP address 10.1.1.1 for interface GigabitEthernet 1/4 in the same way as for GigabitEthernet 1/3.
    Figure 18 Edit Interface page for GigabitEthernet 1/4
    f. Configure IP address 172.16.1.1 for interface GigabitEthernet 1/5 in the same way as for GigabitEthernet 1/3.
    Figure 19 Edit Interface page for GigabitEthernet 1/5
2. Add GigabitEthernet 1/3 into the Untrust zone, GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone:
    a. From the navigation tree, select Device Management > Zone.
    b. Click the icon for the Untrust zone.
    Figure 20 Adding interfaces into security zones
    c. On the Modify Zone page, select GigabitEthernet 1/3, and click Apply.
    Figure 21 Modifying security zone
    d. Add interface GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone in the same way.
3. Configure DNS:
    a. From the navigation tree, select Network > DNS > Dynamic.
    b. Configure dynamic DNS, as shown in Figure 22.
    c. Click Apply.
    Figure 22 Configuring dynamic DNS
4. Configure ACL:
    a. From the navigation tree, select Firewall > ACL.
    b. Click Add.
    c. Create ACL 3000: enter 3000 in the ACL Number field, select Config for Match Order, and click Apply.
    Figure 23 Creating ACL 3000
    The ACL configuration result appears.
    Figure 24 Configuration result
    d. Click the icon for ACL 3000 to enter the rule edit page.
    e. On the rule edit page, click Add.
    f. Configure an ACL rule, as shown in Figure 25.
    g. Click Apply.
    Figure 25 Adding a rule for ACL 3000
5. Configure NAT:
    a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
    b. Click Add.
    c. Configure dynamic NAT on GigabitEthernet 1/3, as shown in Figure 26.
    d. Click Apply.

    Figure 26 Adding dynamic NAT
    e. From the navigation tree, select Firewall > NAT Policy > Internal Server.
    f. Click Add.
    g. Configure internal server on GigabitEthernet 1/4, as shown in Figure 27.
    h. Click Apply.
    Figure 27 Adding internal server

Configuring the firewall at the CLI

    # Configure IP addresses for GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5.
    <Firewall> system-view
    [Firewall] interface gigabitethernet 1/3
    [Firewall-GigabitEthernet1/3] ip address 202.168.249.187 255.255.255.0
    [Firewall-GigabitEthernet1/3] quit
    [Firewall] interface gigabitethernet 1/4
    [Firewall-GigabitEthernet1/4] ip address 10.1.1.1 255.255.255.0
    [Firewall-GigabitEthernet1/4] quit
    [Firewall] interface gigabitethernet 1/5
    [Firewall-GigabitEthernet1/5] ip address 172.16.1.1 255.255.255.0
    [Firewall-GigabitEthernet1/5] quit
    # Add GigabitEthernet 1/3 into the Untrust zone, GigabitEthernet 1/4 into the Trust zone, and GigabitEthernet 1/5 into the DMZ zone.
    [Firewall] zone name untrust
    [Firewall-zone-untrust] import interface gigabitethernet 1/3
    [Firewall-zone-untrust] quit
    [Firewall] zone name trust
    [Firewall-zone-trust] import interface gigabitethernet 1/4
    [Firewall-zone-trust] quit
    [Firewall] zone name DMZ
    [Firewall-zone-DMZ] import interface gigabitethernet 1/5
    [Firewall-zone-DMZ] quit
    # Configure DNS: enable dynamic domain name resolution and DNS proxy (the client sends its queries to the firewall, which forwards them to the public DNS server), and specify the public DNS server and the default domain name suffix.
    [Firewall] dns resolve
    [Firewall] dns proxy enable
    [Firewall] dns server 202.168.100.240
    [Firewall] dns domain 8042test.com
    # Configure an ACL that identifies the traffic to be translated by outbound NAT (rule 0 matches all IP traffic).
    [Firewall] acl number 3000
    [Firewall-acl-adv-3000] rule 0 permit ip
    [Firewall-acl-adv-3000] quit
    # Configure NAT: outbound NAT on the public interface GigabitEthernet 1/3, and internal server mappings on the client-side interface GigabitEthernet 1/4, so that client traffic to the public address 202.168.100.70 returned by the DNS server is translated to the service server 172.16.1.3 without DNS ALG.
    [Firewall] interface gigabitethernet 1/3
    [Firewall-GigabitEthernet1/3] nat outbound 3000
    [Firewall-GigabitEthernet1/3] quit
    [Firewall] interface gigabitethernet 1/4
    [Firewall-GigabitEthernet1/4] nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
    [Firewall-GigabitEthernet1/4] nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
    [Firewall-GigabitEthernet1/4] nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
    [Firewall-GigabitEthernet1/4] quit

Verifying the configuration

    # Verify that you can ping lc1.8042test.com from the client.
    # Verify that you can telnet to lc1.8042test.com from the client.
    # Verify that you can use HTTP to access lc1.8042test.com from the client.
    # Use the debugging nat packet command to display NAT debug information on the firewall.
    *Jul 26 16:43:01:084 2013 f5000a-2 NAT/7/debug: (0x00000078-in:)Pro : TCP is to NAT server ( 10.1.1.3: 1460-202.168.100.70: 23) ------> ( 10.1.1.3: 1460-172.16.1.3: 23)
    *Jul 26 16:43:01:085 2013 f5000a-2 NAT/7/debug: (0x00000078-out:)Pro : TCP is from NAT server ( 172.16.1.3: 23-10.1.1.3: 1460) ------> ( 202.168.100.70: 23-10.1.1.3: 1460)
    *Jul 26 16:43:01:085 2013 f5000a-2 NAT/7/debug: (0x00000078-in:)Pro : TCP is to NAT server ( 10.1.1.3: 1460-202.168.100.70: 23) ------> ( 10.1.1.3: 1460-172.16.1.3: 23)
    *Jul 26 16:43:01:086 2013 f5000a-2 NAT/7/debug: (0x00000078-out:)Pro : TCP is from NAT server ( 172.16.1.3: 23-10.1.1.3: 1460) ------> ( 202.168.100.70: 23-10.1.1.3: 1460)
    *Jul 26 16:43:01:086 2013 f5000a-2 NAT/7/debug: (0x00000078-out:)Pro : TCP is from NAT server ( 172.16.1.3: 23-10.1.1.3: 1460) ------> ( 202.168.100.70: 23-10.1.1.3: 1460)
    # Display information about session table entries on the firewall.
    <Firewall> display session table verbose
    Initiator:
      Source IP/Port : 10.1.1.3/1460
      Dest IP/Port   : 202.168.100.70/23
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 172.16.1.3/23
      Dest IP/Port   : 10.1.1.3/1460
      VPN-Instance/VLAN ID/VLL ID:
    Pro: TCP(6)  App: TELNET  State: TCP-EST
    Start time: 2011-07-26 16:42:59  TTL: 3595s  Root Zone(in): Trust  Zone(out): DMZ
    Received packet(s)(init): 18 packet(s) 1133 byte(s)
    Received packet(s)(reply): 15 packet(s) 1347 byte(s)

    Initiator:
      Source IP/Port : 202.168.249.187/1039
      Dest IP/Port   : 202.168.100.240/53
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 202.168.100.240/53
      Dest IP/Port   : 202.168.249.187/1039
      VPN-Instance/VLAN ID/VLL ID:
    Pro: UDP(17)  App: DNS  State: UDP-READY
    Start time: 2013-07-26 16:42:59  TTL: 46s  Root Zone(in): Local  Zone(out): Untrust
    Received packet(s)(init): 1 packet(s) 62 byte(s)
    Received packet(s)(reply): 1 packet(s) 108 byte(s)

    Initiator:
      Source IP/Port : 10.1.1.3/1025
      Dest IP/Port   : 10.1.1.1/53
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 10.1.1.1/53
      Dest IP/Port   : 10.1.1.3/1025
      VPN-Instance/VLAN ID/VLL ID:
    Pro: UDP(17)  App: DNS  State: UDP-READY
    Start time: 2013-07-26 16:42:59  TTL: 46s  Root Zone(in): Trust  Zone(out): Local
    Received packet(s)(init): 1 packet(s) 62 byte(s)

Configuration files

    #
    dns resolve
    dns proxy enable
    dns server 202.168.100.240
    dns domain 8042test.com
    #
    acl number 3000
     rule 0 permit ip
    #
    interface GigabitEthernet1/3
     port link-mode route
     nat outbound 3000
     ip address 202.168.249.187 255.255.255.0
    #
    interface GigabitEthernet1/4
     port link-mode route
     nat server protocol tcp global 202.168.100.70 any inside 172.16.1.3 any
     nat server protocol udp global 202.168.100.70 any inside 172.16.1.3 any
     nat server protocol icmp global 202.168.100.70 inside 172.16.1.3
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/5
     port link-mode route
     ip address 172.16.1.1 255.255.255.0
    #
    zone name Trust id 2
     priority 85
     import interface GigabitEthernet1/4
    zone name DMZ id 3
     priority 50
     import interface GigabitEthernet1/5
    zone name Untrust id 4
     priority 5
     import interface GigabitEthernet1/3
    #

Example: Allowing public users to use domain name to access a private server when the DNS server is on a private network

Network requirements

As shown in Figure 28, the DNS server is on a private network and stores the mapping of private IP address 172.16.1.3 and domain name lc1.8042test.com for the service server on another private network. Configure NAT and DNS on the firewall to enable public clients to access the service server by using the domain name.

Figure 28 Network diagram (Trust zone: DNS server 192.168.100.240/24 behind GE1/3 192.168.249.187/24; DMZ zone: Service server 172.16.1.3/24, lc1.8042test.com, behind GE1/5 172.16.1.1/24; Untrust zone: GE1/4 202.1.1.1/24 toward the Internet, Client 202.1.1.3/24, NAT server)

Software version used

This configuration example was created and verified on SecPath F5000-A5 Feature 3213.

Configuration restrictions and guidelines

Before verifying the configuration, use the ipconfig /flushdns command to clear the DNS cache on the client.

Configuration procedures

Configuring the firewall in the Web interface

1. Configure IP addresses for interfaces GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5:
    a. From the navigation tree, select Device Management > Interface.
    b. Click the icon for GigabitEthernet 1/3.
    Figure 29 Interface configuration page
    c. Configure IP address 192.168.249.187 for interface GigabitEthernet 1/3, as shown in Figure 30.
    d. Click Apply.
    Figure 30 Edit Interface page for GigabitEthernet 1/3
    e. Configure IP address 202.1.1.1 for interface GigabitEthernet 1/4 in the same way as for GigabitEthernet 1/3.
    Figure 31 Edit Interface page for GigabitEthernet 1/4
    f. Configure IP address 172.16.1.1 for interface GigabitEthernet 1/5 in the same way as for GigabitEthernet 1/3.
    Figure 32 Edit Interface page for GigabitEthernet 1/5
2. Add interface GigabitEthernet 1/3 into the Trust zone, GigabitEthernet 1/4 into the Untrust zone, and interface GigabitEthernet 1/5 into the DMZ zone:
    a. From the navigation tree, select Device Management > Zone.
    b. Click the icon for the Trust zone.
    Figure 33 Adding interfaces into security zones
    c. On the Modify Zone page, select GigabitEthernet 1/3, and click Apply.
    Figure 34 Modifying security zone
    d. Add GigabitEthernet 1/4 into the Untrust zone, and GigabitEthernet 1/5 into the DMZ zone in the same way.
3. Configure DNS:
    a. From the navigation tree, select Network > DNS > Dynamic.
    b. Configure dynamic DNS, as shown in Figure 35.
    c. Click Apply.
    Figure 35 Configuring dynamic DNS
4. Configure ACL:
    a. From the navigation tree, select Firewall > ACL.
    b. Click Add.
    c. Create ACL 3000: enter 3000 in the ACL Number field, select Config for Match Order, and click Apply.
    Figure 36 Adding ACL
    The ACL configuration result appears.
    Figure 37 Configuration result
    d. Click the icon for ACL 3000.
    e. On the rule edit page that appears, click Add.
    f. Configure an ACL rule, as shown in Figure 38.
    g. Click Apply.
    Figure 38 Adding a rule for ACL 3000
5. Configure NAT:
    a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.
    b. Click Add.
    c. Configure dynamic NAT on GigabitEthernet 1/3, as shown in Figure 39.
    d. Click Apply.
    Figure 39 Adding dynamic NAT
    e. From the navigation tree, select Firewall > NAT Policy > Internal Server.
    f. Click Add.
    g. Configure internal servers on GigabitEthernet 1/4, as shown in Figure 40 and Figure 41.
    h. Click Apply.
    Figure 40 Adding internal server 1

    Figure 41 Adding internal server 2
6. Configure ALG for DNS:
    a. From the navigation tree, select Firewall > ALG.
    b. Select DNS from Optional Application Protocols, and click << to add it to Selected Application Protocols.
    c. Click Apply.
    Figure 42 Configuring DNS ALG

Configuring the firewall at the CLI

    # Configure IP addresses for GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5.
    <Firewall> system-view
    [Firewall] interface gigabitethernet 1/3
    [Firewall-GigabitEthernet1/3] ip address 192.168.249.187 255.255.255.0
    [Firewall-GigabitEthernet1/3] quit
    [Firewall] interface gigabitethernet 1/4
    [Firewall-GigabitEthernet1/4] ip address 202.1.1.1 255.255.255.0
    [Firewall-GigabitEthernet1/4] quit
    [Firewall] interface gigabitethernet 1/5
    [Firewall-GigabitEthernet1/5] ip address 172.16.1.1 255.255.255.0
    [Firewall-GigabitEthernet1/5] quit
    # Add GigabitEthernet 1/3, GigabitEthernet 1/4, and GigabitEthernet 1/5 into security zones.
    [Firewall] zone name untrust
    [Firewall-zone-untrust] import interface gigabitethernet 1/3
    [Firewall-zone-untrust] quit
    [Firewall] zone name trust
    [Firewall-zone-trust] import interface gigabitethernet 1/4
    [Firewall-zone-trust] quit
    [Firewall] zone name DMZ
    [Firewall-zone-DMZ] import interface gigabitethernet 1/5
    [Firewall-zone-DMZ] quit
    # Configure DNS: enable dynamic domain name resolution and DNS proxy, and specify the private DNS server and the default domain name suffix.
    [Firewall] dns resolve
    [Firewall] dns proxy enable
    [Firewall] dns server 192.168.100.240
    [Firewall] dns domain 8042test.com
    # Configure an ACL that identifies the traffic to be translated by outbound NAT (rule 0 matches all IP traffic).
    [Firewall] acl number 3000
    [Firewall-acl-adv-3000] rule 0 permit ip
    [Firewall-acl-adv-3000] quit
    # Configure NAT: outbound NAT on GigabitEthernet 1/3 (toward the private DNS server), and internal server mappings on the public interface GigabitEthernet 1/4: public address 202.1.1.240 for the DNS server 192.168.100.240, and public address 202.1.1.5 for the service server 172.16.1.3 (see Figure 28 and the NAT debug output below).
    [Firewall] interface gigabitethernet 1/3
    [Firewall-GigabitEthernet1/3] nat outbound 3000
    [Firewall-GigabitEthernet1/3] quit
    [Firewall] interface gigabitethernet 1/4
    [Firewall-GigabitEthernet1/4] nat server protocol tcp global 202.1.1.240 any inside 192.168.100.240 any
    [Firewall-GigabitEthernet1/4] nat server protocol udp global 202.1.1.240 any inside 192.168.100.240 any
    [Firewall-GigabitEthernet1/4] nat server protocol icmp global 202.1.1.240 inside 192.168.100.240
    [Firewall-GigabitEthernet1/4] nat server protocol tcp global 202.1.1.5 any inside 172.16.1.3 any
    [Firewall-GigabitEthernet1/4] nat server protocol udp global 202.1.1.5 any inside 172.16.1.3 any
    [Firewall-GigabitEthernet1/4] nat server protocol icmp global 202.1.1.5 inside 172.16.1.3
    [Firewall-GigabitEthernet1/4] quit
    # Enable ALG for DNS, so that the private address 172.16.1.3 in replies from the private DNS server is translated to 202.1.1.5 before the reply reaches the public client.
    [Firewall] alg dns
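The alg dns step in this example and in the first example makes the firewall rewrite the A record in DNS replies according to the nat server mappings, as the ALG debug lines in the verification sections show (Direction IN: 202.168.100.70 to 172.16.1.3; Direction OUT: 172.16.1.3 to 202.1.1.5). The following Python model is an added example, not H3C code; it assumes the ALG rewrites only IN A records whose address has a nat server mapping and leaves everything else in the message unchanged.

```python
"""Model of the DNS ALG rewrite that `alg dns` performs on a Comware V5 firewall.

Added example, not H3C code. It parses a DNS reply, walks the resource records,
and replaces the address in every IN A record according to the `nat server`
mappings, in the direction the ALG debug output reports: IN for a reply from a
public DNS server to a private client (global -> inside), OUT for a reply from
a private DNS server to a public client (inside -> global)."""
import socket
import struct

# (global address, inside address) pairs from the `nat server` commands.
NAT_SERVER_EXAMPLE1 = [("202.168.100.70", "172.16.1.3")]
NAT_SERVER_EXAMPLE3 = [("202.1.1.240", "192.168.100.240"), ("202.1.1.5", "172.16.1.3")]


def encode_name(name):
    """Encode a dotted host name as DNS labels."""
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_a_query(txid, name):
    """Constructed wire form of a standard A query (QR bit clear)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_a_reply(txid, name, ips, ttl=300):
    """Constructed wire form of a DNS reply with one A record per address (sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # Owner name compressed to a pointer at offset 12 (the question name).
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += socket.inet_aton(ip)
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:     # compression pointer: two bytes
            return off + 2
        off += 1 + length


def a_record_rdata_offsets(msg):
    """Yield the rdata offset of every IN A record in a DNS message."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answered_ips(msg):
    """Addresses carried in the A records of a DNS message, in order."""
    return [socket.inet_ntoa(bytes(msg[o:o + 4])) for o in a_record_rdata_offsets(msg)]


def dns_alg_rewrite(msg, nat_server, direction):
    """Rewrite A-record addresses as the DNS ALG does; returns (message, [(old, new), ...]).
    Queries (QR bit clear) and addresses with no `nat server` mapping are left as they are."""
    if direction == "IN":
        table = {glob: inside for glob, inside in nat_server}
    elif direction == "OUT":
        table = {inside: glob for glob, inside in nat_server}
    else:
        raise ValueError("direction must be 'IN' or 'OUT'")
    flags = struct.unpack("!H", msg[2:4])[0]
    if not (flags & 0x8000):
        return msg, []
    buf = bytearray(msg)
    changes = []
    for off in a_record_rdata_offsets(msg):
        old = socket.inet_ntoa(bytes(msg[off:off + 4]))
        new = table.get(old)
        if new is not None:
            buf[off:off + 4] = socket.inet_aton(new)
            changes.append((old, new))
    return bytes(buf), changes


if __name__ == "__main__":
    # First example: the public DNS server answers 202.168.100.70; the private client must receive 172.16.1.3.
    reply = build_a_reply(0x1234, "lc1.8042test.com", ["202.168.100.70"])
    print("IN :", dns_alg_rewrite(reply, NAT_SERVER_EXAMPLE1, "IN")[1])
    # Third example: the private DNS server answers 172.16.1.3; the public client must receive 202.1.1.5.
    reply = build_a_reply(0x1235, "lc1.8042test.com", ["172.16.1.3"])
    print("OUT:", dns_alg_rewrite(reply, NAT_SERVER_EXAMPLE3, "OUT")[1])
```

A reply that also carries an unmapped address, such as a second A record, keeps that address unchanged, which is the behaviour to expect when a name resolves to hosts outside the nat server table.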

Verifying the configuration

    # Verify that you can ping lc1.8042test.com from the client, and that the resolved IP address is 202.1.1.5.
    # Verify that you can telnet to lc1.8042test.com from the client.
    # Verify that you can use HTTP to access lc1.8042test.com from the client.
    # Use the debugging nat packet command to display NAT debug information on the firewall.
    *Jul 26 18:00:59:734 2011 f5000a-2 NAT/7/debug: (0x00000077-out:)Pro : UDP ( 202.1.1.3: 1025-192.168.100.240: 53) ------> (192.168.249.187: 1029-192.168.100.240: 53)
    *Jul 26 18:00:59:737 2011 f5000a-2 NAT/7/debug: (0x00000077-in:)Pro : UDP (192.168.100.240: 53-192.168.249.187: 1029) ------> (192.168.100.240: 53-202.1.1.3: 1025)
    *Jul 26 18:00:59:737 2013 f5000a-2 NAT/7/debug: (0x00000077-out:)Pro : UDP ( 202.1.1.3: 1025-192.168.100.240: 53) ------> (192.168.249.187: 1029-192.168.100.240: 53)
    *Jul 26 18:00:59:738 2013 f5000a-2 NAT/7/debug: (0x00000077-in:)Pro : UDP (192.168.100.240: 53-192.168.249.187: 1029) ------> (192.168.100.240: 53-202.1.1.3: 1025)
    *Jul 26 18:00:59:738 2013 f5000a-2 ALG/7/ALG_DBG:Alg debug info: From VPN : 0,Pro : Direction : OUT ( 172.16.1.3: 0 ) ----> ( 202.1.1.5: 0 )
    *Jul 26 18:00:59:738 2013 f5000a-2 ALG/7/ALG_DBG:Alg debug info: From VPN : 0,Pro : Direction : OUT (192.168.100.240: 0 ) ----> ( 202.1.1.240: 0 )
    *Jul 26 18:00:59:741 2013 f5000a-2 NAT/7/debug: (0x00000078-in:)Pro : ICMP is to NAT server ( 202.1.1.3: --- - 202.1.1.5: --- ) ------> ( 202.1.1.3: --- - 172.16.1.3: --- )
    *Jul 26 18:00:59:742 2013 f5000a-2 NAT/7/debug: (0x00000078-out:)Pro : ICMP is from NAT server ( 172.16.1.3: --- - 202.1.1.3: --- ) ------> ( 202.1.1.5: --- - 202.1.1.3: --- )
    # Display information about session table entries on the firewall.
    <Firewall> display session table verbose
    Initiator:
      Source IP/Port : 202.1.1.3/3668
      Dest IP/Port   : 202.1.1.5/23
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 172.16.1.3/23
      Dest IP/Port   : 202.1.1.3/3668
      VPN-Instance/VLAN ID/VLL ID:
    Pro: TCP(6)  App: TELNET  State: TCP-EST
    Start time: 2013-07-27 09:14:25  TTL: 3595s  Root Zone(in): Trust  Zone(out): DMZ
    Received packet(s)(init): 10 packet(s) 630 byte(s)
    Received packet(s)(reply): 12 packet(s) 1141 byte(s)

    Initiator:
      Source IP/Port : 202.1.1.3/1025
      Dest IP/Port   : 192.168.100.240/53
      VPN-Instance/VLAN ID/VLL ID:
    Responder:
      Source IP/Port : 192.168.100.240/53
      Dest IP/Port   : 192.168.249.187/1039
      VPN-Instance/VLAN ID/VLL ID:
    Pro: UDP(17)  App: DNS  State: UDP-READY
    Start time: 2013-07-27 09:13:38  TTL: 54s  Root Zone(in): Trust  Zone(out): Untrust
    Received packet(s)(init): 3 packet(s) 183 byte(s)
    Received packet(s)(reply): 3 packet(s) 326 byte(s)

Configuration files

    #
    dns resolve
    dns proxy enable
    dns server 192.168.100.240
    dns domain 8042test.com
    #
    acl number 3000
     rule 0 permit ip
    #
    interface GigabitEthernet1/3
     port link-mode route
     nat outbound 3000
     ip address 192.168.249.187 255.255.255.0
    #
    interface GigabitEthernet1/4
     port link-mode route
     nat server protocol tcp global 202.1.1.240 any inside 192.168.100.240 any
     nat server protocol udp global 202.1.1.240 any inside 192.168.100.240 any
     nat server protocol icmp global 202.1.1.240 inside 192.168.100.240
     nat server protocol tcp global 202.1.1.5 any inside 172.16.1.3 any
     nat server protocol udp global 202.1.1.5 any inside 172.16.1.3 any
     nat server protocol icmp global 202.1.1.5 inside 172.16.1.3
     ip address 202.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/5
     port link-mode route
     ip address 172.16.1.1 255.255.255.0
    #
    zone name Trust id 2
     priority 85
     import interface GigabitEthernet1/4
    zone name DMZ id 3
     priority 50
     import interface GigabitEthernet1/5
    zone name Untrust id 4
     priority 5
     import interface GigabitEthernet1/3
    #

Related documentation

H3C SecPath Series Firewalls and UTM Devices NAT and ALG Configuration Guide
H3C SecPath Series Firewalls and UTM Devices NAT and ALG Command Reference
H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide
H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference
H3C SecPath Series Firewalls and UTM Devices Network Management Configuration Guide
H3C SecPath Series Firewalls and UTM Devices Network Management Command Reference