Thursday, December 26 2024

NAT server on Huawei USG5500

The last article dealt with outbound NAT. Today let's focus on NAT server. NAT server lets servers on a private network provide services to external networks under public IP addresses. In this lab our enterprise provides an FTP service to external users.

We can use the topology from the last post:

In our case the AR router works as the FTP server:

#
FTP server enable
aaa
 local-user labnario password cipher qGj8!H#yx.ajUn1vMEIB1lG#
 local-user labnario privilege level 3
 local-user labnario ftp-directory flash:
 local-user labnario service-type ftp
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.1

Configuration of the Internet router:

#
interface GigabitEthernet0/0/2
 ip address 1.1.1.2 255.255.255.0
#
ip route-static 1.1.1.100 255.255.255.255 1.1.1.1

Firewall USG5500 configuration

Set IP addresses of interfaces and add them to proper security zones:

[SRG]dis current-configuration interface GigabitEthernet 
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 1.1.1.1 255.255.255.0

[SRG]display current-configuration configuration zone 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/1

Configure interzone packet filtering to ensure that users in Untrust zone can access the FTP server in DMZ zone:

[SRG]display current-configuration configuration policy-interzone 
#
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy destination 172.16.1.254 0

Configure the internal server by creating a mapping between the public and private IP addresses of the FTP server:

[SRG]nat server 0 protocol tcp global 1.1.1.100 ftp inside 172.16.1.254 ftp

Configure the NAT ALG function for the DMZ-Untrust interzone so that the server can provide FTP services to extranet users correctly:

[SRG]display current-configuration configuration interzone 
#
firewall interzone dmz untrust
 detect ftp

What is NAT ALG for? NAT translates only the IP addresses in IP packet headers and the port numbers in TCP/UDP headers. FTP, however, also carries IP addresses and port numbers inside its application payload (the PORT command and the PASV reply), so in our case the firewall must identify the IP address and port number in the payload of the FTP session to continue NAT processing. Without NAT ALG, the NAT process fails.
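The ALG behaviour described above, as an added Python example that is not code from the post or from Huawei: it rewrites the private address in a PASV reply to the global address and records the pinholes the firewall needs for the data connection. The addresses come from the post; the pinhole tuples and the "untrust->dmz" labels are my own notation.

```python
import re
from ipaddress import ip_address

# NAT server mapping from the post:
#   nat server 0 protocol tcp global 1.1.1.100 ftp inside 172.16.1.254 ftp
GLOBAL_ADDR = "1.1.1.100"
INSIDE_ADDR = "172.16.1.254"

# h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the 227 PASV reply (RFC 959)
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(m):
    """Return (ip, port) from a match of the h1..p2 tuple; port = p1*256 + p2."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))


def alg_pasv_reply(reply, pinholes):
    """Server -> client direction (DMZ -> untrust), passive mode.
    The server announces its private address in the 227 reply; the ALG rewrites
    it to the global address and records a pinhole so that the client's inbound
    data connection to GLOBAL_ADDR:<port> is admitted and translated."""
    m = ADDR_RE.search(reply)
    if not reply.startswith("227") or not m:
        return reply
    ip, port = decode_hostport(m)
    if ip != INSIDE_ADDR:
        return reply  # nothing to translate
    pinholes.append(("untrust->dmz", GLOBAL_ADDR, port, INSIDE_ADDR, port))
    rewritten = ",".join(GLOBAL_ADDR.split(".") + [m.group(5), m.group(6)])
    return reply[:m.start()] + rewritten + reply[m.end():]


def alg_port_command(cmd, pinholes):
    """Client -> server direction (untrust -> DMZ), active mode.
    The client address is already public, so nothing is rewritten, but the ALG
    must still admit the server-initiated data connection (from port 20) back
    to the client; the reverse server-map translates its source to GLOBAL_ADDR."""
    m = ADDR_RE.search(cmd)
    if not cmd.upper().startswith("PORT") or not m:
        return cmd
    ip, port = decode_hostport(m)
    pinholes.append(("dmz->untrust", INSIDE_ADDR, 20, ip, port))
    return cmd


def data_address_reachable(reply):
    """Can an Internet client reach the address announced in a 227 reply?
    Without the ALG it is told 172.16.1.254, RFC 1918 space: the data
    connection never arrives and the transfer fails."""
    m = ADDR_RE.search(reply)
    ip, _ = decode_hostport(m)
    return not ip_address(ip).is_private
```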

Verification of NAT server

[SRG]display firewall session table verbose
 Current Total Sessions : 1
  ftp  VPN:public --> public
  Zone: untrust--> dmz  TTL: 00:10:00  Left: 00:09:52
  Interface: GigabitEthernet0/0/1  NextHop: 172.16.1.254  MAC: 54-89-98-91-56-e2
  <--packets:6 bytes:363   -->packets:8 bytes:364
  1.1.1.2:61428+->1.1.1.100:21[172.16.1.254:21]

[SRG]display nat server 
Server in private network information:
 id                : 0                  
 zone              : ---           
 interface         : ---           
 global-start-addr : 1.1.1.100           global-end-addr   : ---                
 inside-start-addr : 172.16.1.254        inside-end-addr   : ---                
 global-start-port : 21(ftp)             global-end-port   : ---                
 insideport        : 21(ftp)            
 globalvpn         : public              insidevpn         : public             
 protocol          : tcp                 vrrp              : ---                
 no-reverse        : no                 

  Total   1 NAT servers

[SRG]display firewall server-map 
11:30:50  2015/04/22
 server-map item(s) 
 ------------------------------------------------------------------------------
 Nat Server, any -> 1.1.1.100:21[172.16.1.254:21], Zone: ---
   Protocol: tcp(Appro: ftp), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

 Nat Server Reverse, 172.16.1.254[1.1.1.100] -> any, Zone: ---
   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public


<Internet>ftp 1.1.1.100
Trying 1.1.1.100 ...
Press CTRL+K to abort
Connected to 1.1.1.100.
220 FTP service ready.
User(1.1.1.100:(none)):labnario
331 Password required for labnario.
Enter password:
230 User logged in.

[ftp]


outbound NAT on Huawei USG5500

What does outbound NAT mean?

Outbound NAT translates the source IP addresses of packets sent from a high-priority security zone to a low-priority one.

Below is a flowchart for configuring intranet users' access to the extranet through NAT (taken from Huawei documentation):

It makes it easy to choose a suitable way of configuring outbound NAT. In this lab I will review these methods.

Let's look at the topology:

Forget about the FTP server for now and focus on the bottom of the topology. We will use the FTP server in one of the next articles.

The main requirement in this lab is to configure the firewall, to provide access to the Internet for intranet users, on network segment 10.0.0.0/24.

The NAT policy configuration is the same for all the methods above; the difference lies in the configuration of the NAT address group.

Let’s start!

Set IP addresses of interfaces and add the interfaces to proper security zones:

[SRG]display current-configuration interface GigabitEthernet
#
interface GigabitEthernet0/0/2
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/3.100
 vlan-type dot1q 100
 alias GigabitEthernet0/0/3.100
 ip address 10.0.0.1 255.255.255.0
#
[SRG]display current-configuration | begin firewall zone
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3.100
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2

Configure L2 communication on the LAN switch:

#
vlan batch 100
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100

Ensure that the users on network segment 10.0.0.0/24 can access the Untrust zone:

[SRG]policy interzone trust untrust outbound 
[SRG-policy-interzone-trust-untrust-outbound]policy 1
[SRG-policy-interzone-trust-untrust-outbound-1]policy source 10.0.0.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-1]action permit

And now the promised NAT configuration. In this case one private IP address will correspond to one public IP address. To achieve this, I will create a NAT address group with the No-PAT option. NAT No-PAT is also called one-to-one address translation: during translation the source IP address of a packet is translated from a private to a public IP address, while the port number is left unchanged. This means that once a private host is assigned a public IP address, that address cannot be used by another host, because all ports of the public IP address are considered occupied.

Create NAT address group:

[SRG]nat address-group 1 1.1.1.20 1.1.1.25

Configure the NAT policy for the TRUST-UNTRUST interzone, define the range of source IP addresses for NAT and bind the NAT policy to the previously created NAT address pool:

[SRG]nat-policy interzone trust untrust outbound 
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat 
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 10.0.0.0 mask 24
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1 no-pat

Let's verify that it works. Ping the loopback interface of the Internet router (5.5.5.5/32) from both hosts:

User_1>ping 5.5.5.5

Ping 5.5.5.5: 32 data bytes, Press Ctrl_C to break
From 5.5.5.5: bytes=32 seq=1 ttl=254 time=47 ms
From 5.5.5.5: bytes=32 seq=2 ttl=254 time=46 ms
From 5.5.5.5: bytes=32 seq=3 ttl=254 time=63 ms
From 5.5.5.5: bytes=32 seq=4 ttl=254 time=63 ms
From 5.5.5.5: bytes=32 seq=5 ttl=254 time=47 ms

--- 5.5.5.5 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 46/53/63 ms

User_2>ping 5.5.5.5

Ping 5.5.5.5: 32 data bytes, Press Ctrl_C to break
From 5.5.5.5: bytes=32 seq=1 ttl=254 time=47 ms
From 5.5.5.5: bytes=32 seq=2 ttl=254 time=46 ms
From 5.5.5.5: bytes=32 seq=3 ttl=254 time=62 ms
From 5.5.5.5: bytes=32 seq=4 ttl=254 time=46 ms
From 5.5.5.5: bytes=32 seq=5 ttl=254 time=47 ms

--- 5.5.5.5 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 46/49/62 ms

Check that the firewall session entries have been created successfully:

[SRG]display firewall session table

 Current Total Sessions : 15
  icmp  VPN:public --> public 10.0.0.11:41543[1.1.1.21:41543]-->5.5.5.5:2048
  icmp  VPN:public --> public 10.0.0.10:41031[1.1.1.20:41031]-->5.5.5.5:2048

[SRG]display firewall session table verbose

 Current Total Sessions : 50
  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:00
  Interface: GigabitEthernet0/0/2  NextHop: 1.1.1.2  MAC: 54-89-98-5c-36-fb
  <--packets:1 bytes:60   -->packets:1 bytes:60
  10.0.0.10:50247[1.1.1.20:50247]-->5.5.5.5:2048

  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:00
  Interface: GigabitEthernet0/0/2  NextHop: 1.1.1.2  MAC: 54-89-98-5c-36-fb
  <--packets:1 bytes:60   -->packets:1 bytes:60
  10.0.0.11:50247[1.1.1.21:50247]-->5.5.5.5:2048

Check whether the server-map entry is successfully created:

<SRG>display firewall server-map

 server-map item(s) 
 ------------------------------------------------------------------------------

 No-Pat, 10.0.0.10[1.1.1.20] -> any, Zone: ---
   Protocol: any(Appro: ---), Left-Time: 00:11:59, Addr-Pool: 1
   VPN: public -> public

 No-Pat Reverse, any -> 1.1.1.20[10.0.0.10], Zone: untrust
   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

 No-Pat, 10.0.0.11[1.1.1.21] -> any, Zone: ---
   Protocol: any(Appro: ---), Left-Time: 00:11:59, Addr-Pool: 1
   VPN: public -> public

 No-Pat Reverse, any -> 1.1.1.21[10.0.0.11], Zone: untrust
   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

Now we can create another NAT address group with only one address available to check NAPT:

#
 nat address-group 2 1.1.1.30 1.1.1.30
#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 10.0.0.0 mask 24
  address-group 2

[SRG]display firewall session table
 Current Total Sessions : 53
  icmp  VPN:public --> public 10.0.0.10:54605[1.1.1.30:2067]-->5.5.5.5:2048
  icmp  VPN:public --> public 10.0.0.11:55117[1.1.1.30:2070]-->5.5.5.5:2048

And finally NAT easy IP:

#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 10.0.0.0 mask 24
  easy-ip GigabitEthernet0/0/2
#
[SRG]display firewall session table 

 Current Total Sessions : 50
  icmp  VPN:public --> public 10.0.0.10:34127[1.1.1.1:17133]-->5.5.5.5:2048
  icmp  VPN:public --> public 10.0.0.11:34383[1.1.1.1:17134]-->5.5.5.5:2048

If the interface IP address is adopted as the public IP address directly, no NAT address pool is required.
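To compare the three variants on the session-table output above, here is an added Python example (not from the post): it parses the session lines copied from this post, classifies each entry as No-PAT, NAPT or easy IP from how the source was translated, and flags a No-PAT public address shared by two hosts. The interface address and address groups are the ones configured above.

```python
import re
from ipaddress import ip_address

# Outbound interface and the two address groups from the post
INTERFACE_IP = "1.1.1.1"
POOLS = {1: ("1.1.1.20", "1.1.1.25"), 2: ("1.1.1.30", "1.1.1.30")}

# One line of "display firewall session table": src:port[translated:port]-->dst:port
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:(?P<vpn_in>\S+) --> (?P<vpn_out>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<xsrc>[\d.]+):(?P<xport>\d+)\]"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

# Session lines copied from the post, one pair per NAT variant
SAMPLE_NOPAT = [
    "  icmp  VPN:public --> public 10.0.0.11:41543[1.1.1.21:41543]-->5.5.5.5:2048",
    "  icmp  VPN:public --> public 10.0.0.10:41031[1.1.1.20:41031]-->5.5.5.5:2048"]
SAMPLE_NAPT = [
    "  icmp  VPN:public --> public 10.0.0.10:54605[1.1.1.30:2067]-->5.5.5.5:2048",
    "  icmp  VPN:public --> public 10.0.0.11:55117[1.1.1.30:2070]-->5.5.5.5:2048"]
SAMPLE_EASY_IP = [
    "  icmp  VPN:public --> public 10.0.0.10:34127[1.1.1.1:17133]-->5.5.5.5:2048",
    "  icmp  VPN:public --> public 10.0.0.11:34383[1.1.1.1:17134]-->5.5.5.5:2048"]

def parse_session(line):
    """Return the fields of one session line as a dict, or None if it is not one."""
    m = SESSION_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "xport", "dport"):
        d[k] = int(d[k])
    return d

def classify(sess):
    """Infer the outbound NAT variant from how the source was translated."""
    if sess["xsrc"] == INTERFACE_IP:
        return "easy-ip"    # interface address used directly, no pool
    if sess["xport"] == sess["sport"]:
        return "no-pat"     # address changed, port preserved
    return "napt"           # address and port changed

def nopat_capacity(pool_id):
    """Private hosts a pool can serve at once in No-PAT mode (one address each)."""
    lo, hi = (ip_address(a) for a in POOLS[pool_id])
    return int(hi) - int(lo) + 1

def audit(lines):
    """Return (mode, findings); a finding means No-PAT entries share a public address."""
    sessions = [s for s in map(parse_session, lines) if s]
    modes = sorted({classify(s) for s in sessions})
    shared = {}
    for s in sessions:
        if classify(s) == "no-pat":
            shared.setdefault(s["xsrc"], set()).add(s["src"])
    findings = ["%s mapped to %s" % (p, sorted(h)) for p, h in shared.items() if len(h) > 1]
    return (modes[0] if len(modes) == 1 else "mixed"), findings
```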


huawei cheat sheet – information center

I am often asked how to find the syslog commands on Huawei devices. Anyone familiar with Cisco devices looks for a "logging" command in Huawei's VRP, and that is the main problem. Remember that the equivalent of Cisco's logging is info-center on Huawei.

The information center functions as an information hub: it manages most output information, which is classified and then effectively filtered. Together with debugging commands and the SNMP module, the information center gives the network administrator powerful support for monitoring the operation of devices and locating faults.

Generally speaking, the information center distributes three types of information with eight severity levels to ten information channels, and then outputs that information in different directions.

Today I decided to create a simple cheat sheet, describing Huawei’s information center:

[Attachment: Information_Center_cheat_sheet]


https—>webUI—>Huawei Secospace USG6300

While a graphical user interface is of little use for routers and switches, it can be useful when configuring a firewall. Of course, that is my point of view; I will not argue about what is better for you. I like using the CLI, but sometimes it is worth simplifying your daily routine. The first step is to configure HTTPS access to the webUI of the USG6300, and that is what we will focus on today.

Well known topology from the last post:

[Image: Topology_USG_access]

Configure IP address of firewall’s interface and add it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Enable HTTPS server on that interface:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]service-manage https permit

Create two administrator’s accounts:

#
 manager-user web_lab
  password cipher %@%@`ruiCXfgEFCJGnNu0!<@&bYP@.eMJIk7-H&m&h&[xo11Oh_Z%@%@
  service-type web
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type stelnet
 #
 manager-user web_lab_2
  password cipher %@%@S0e84!g|rRX38&1S*-l;h*!ub`{@$-`o0=71fW<8Ch{9g0'"%@%@
  service-type web
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type stelnet
#

Why two accounts? Because we will assign different roles to these two administrators to show that possibility. We will use the default system-admin role for one administrator and a newly created role (web_lab in the configuration below) for the second one.

#
role system-admin
  description system-admin
 dashboard read-write
 monitor read-write
 policy read-write
 object read-write
 network read-write
 system read-write

#
role web_lab
 dashboard none
 monitor
  read-only session statistic statistic-acl
  none packet-capture diagnose
 policy none
 object none
 network none
 system none
#

Then we bind the administrators to the roles defined above:

[USG6300-aaa]bind manager-user web_lab role system-admin
[USG6300-aaa]bind manager-user web_lab_2 role web_lab

Enable HTTPS server with default certificate and set the service port:

[USG6300]web-manager enable
 Enable http server successfully !
[USG6300]web-manager security enable port 8443
 Enable http security-server successfully ! web-manager

Let's verify what happens when we use both accounts to log in to the GUI of the firewall.

Open a browser and enter https://172.16.1.1:8443.

[Image: webUI_web_lab_user_2]

[Image: webUI_web_lab_2_user_2]

As you can see, the access differs depending on the role assigned to each administrator.


VTY access to Secospace USG6300

A new box for fun 🙂

Thanks to my colleagues I have the opportunity to test a Huawei Secospace USG6300.

The rental period is not long, so let's start from the beginning.

Telnet and SSH

[Image: Topology_USG_access]

Configure IP address of firewall’s interface and assign it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Enable telnet and SSH services on that interface:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]service-manage telnet permit
[USG6300-GigabitEthernet0/0/7]service-manage ssh permit

Create local users for telnet and SSH access:

[USG6300]aaa
[USG6300-aaa]manager-user vty_labnario
[USG6300-aaa-manager-user-vty_labnario]password cipher Labnario123
[USG6300-aaa-manager-user-vty_labnario]service-type telnet
[USG6300-aaa-manager-user-vty_labnario]level 15

#
 manager-user ssh_labnario
  password cipher %@%@*;-$=&1LSK4n^9Tn)Ny!H,#w3&0~LrT%*W@gFyXV4LT,"2)$%@%@
  service-type ssh
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type stelnet
 #

Set authentication method for VTY interfaces:

[USG6300]user-interface vty 0 4
[USG6300-ui-vty0-4]authentication-mode aaa

Enable servers for configured services:

[USG6300]telnet server enable
[USG6300]stelnet server enable

To complete SSH configuration, create RSA key:

[USG6300]rsa local-key-pair create
12:06:32  2015/03/31
The key name will be: USG6300_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 2048 bits may cause security risks.
       The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
.+++
.............+++
.............++++++++
.............++++++++

[USG6300]

Let’s verify access to the device:

***********************************************************
*           All rights reserved 2014                      *
*       Without the owner's prior written consent,        *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
*      This is a private communication system.            *
*   Unauthorized access or use may lead to prosecution.   *
***********************************************************

Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication


Username:vty_labnario
Password:
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<USG6300>
First time login or password is overtime, Please change your password.
Please input new password:**********
Please confirm new password:**********
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<USG6300>

login as: ssh_labnario
ssh_labnario@172.16.1.1's password:

***********************************************************
*           All rights reserved 2014                      *
*       Without the owner's prior written consent,        *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
*      This is a private communication system.            *
*   Unauthorized access or use may lead to prosecution.   *
***********************************************************

Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
  ----------------------------------------------------------------------------
  User last login information:
  ----------------------------------------------------------------------------
  Access Type: SSH
  IP-Address : 172.16.1.10
  Time       : 2015-03-31 12:08:16 +01:00
  State      : Login Succeeded
  ----------------------------------------------------------------------------
<USG6300>
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<USG6300>

As you can see, the password must be changed after the first login. You can disable this forced password change with the command:

[USG6300-aaa]undo manager-user password-modify enable

SFTP

As SFTP runs over SSH, let's finish this article with the SFTP configuration:

#
 manager-user sftp_lab
  password cipher %@%@!siuS<f},>]>IM,2!|,#K!ul&;<u1g4:%'e8[NIfPZF@*'{v%@%@
  service-type ssh
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type sftp
#
[USG6300]sftp server enable
Info: Succeeded in starting the SFTP server.

To verify, we can use the PSFTP client (part of PuTTY):

psftp> open 172.16.1.1
login as: sftp_lab
Using username "sftp_lab".
sftp_lab/172.16.1.1's password:
Remote working directory is /
psftp>
