If you have an FTP server, or any other server that you want to make available to Internet users, place the server in the DMZ zone of your firewall (e.g. a Huawei USG) and configure a destination NAT. You can then easily restrict which IP addresses and protocols are allowed to reach your server. And this video is just about that 😉
USG firewall configuration script:
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.100.1 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
firewall detect ftp
#
nat server 0 protocol tcp global 6.6.6.1 ftp inside 10.0.100.2 ftp unr-route
#
nat address-group PUBLIC_OUT 2
 mode no-pat global
 route enable
 section 0 6.6.6.1 6.6.6.1
#
security-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name PUBLIC_IN
  source-zone untrust
  destination-zone dmz
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 10.0.100.0 mask 255.255.255.252
  action permit
#
nat-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action source-nat address-group PUBLIC_OUT
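The security-policy rule is what actually limits who can reach the published server: PUBLIC_IN permits untrust to dmz only from 1.1.1.1, and the nat server line exposes only TCP/ftp to 10.0.100.2. As an added example (not part of the original post and not Huawei's software), the Python below parses a USG configuration in the line-per-command form the device displays and flags the two things a reviewer would want to catch before such a script goes live: a permit rule from untrust into dmz with no source-address, and a nat server whose inside host is not covered by any source-restricted inbound rule. The sample configuration is constructed from the page's DMZ script plus a second nat server and one over-broad rule, so that both checks have something to report.

```python
"""Lint a Huawei USG security-policy / nat server configuration for published servers.

Added example for this page, not the original post's script and not Huawei's
code. Input is config text in the line-per-command form the USG displays
(sections separated by a line containing only '#').
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the page's DMZ script plus one extra nat server (10.0.100.9)
# and one deliberately over-broad rule (TOO_OPEN) to exercise the checks.
SAMPLE_CONFIG = """\
#
firewall detect ftp
#
nat server 0 protocol tcp global 6.6.6.1 ftp inside 10.0.100.2 ftp unr-route
nat server 1 protocol tcp global 6.6.6.1 22 inside 10.0.100.9 22 unr-route
#
security-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name PUBLIC_IN
  source-zone untrust
  destination-zone dmz
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name TOO_OPEN
  source-zone untrust
  destination-zone dmz
  action permit
#
"""


@dataclass
class Rule:
    name: str
    source_zones: list = field(default_factory=list)
    dest_zones: list = field(default_factory=list)
    source_nets: list = field(default_factory=list)   # IPv4Network objects
    dest_nets: list = field(default_factory=list)     # IPv4Network objects
    action: str = ""


@dataclass
class NatServer:
    name: str
    protocol: str
    global_ip: str
    global_port: str
    inside_ip: str
    inside_port: str


NAT_SERVER_RE = re.compile(
    r"nat server (\S+) protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)")


def _network(tokens):
    """'10.0.100.0 mask 255.255.255.252' -> IPv4Network('10.0.100.0/30')."""
    addr, _mask_kw, mask = tokens
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (security-policy rules, nat server entries) found in the config."""
    rules, servers = [], []
    in_policy, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                      # '#' closes the current config section
            in_policy, current = False, None
            continue
        m = NAT_SERVER_RE.match(line)
        if m:
            servers.append(NatServer(*m.groups()))
            continue
        if line == "security-policy":
            in_policy = True
            continue
        if not in_policy:
            continue
        parts = line.split()
        if parts[:2] == ["rule", "name"]:
            current = Rule(name=parts[2])
            rules.append(current)
        elif current is None:
            continue
        elif parts[0] == "source-zone":
            current.source_zones.append(parts[1])
        elif parts[0] == "destination-zone":
            current.dest_zones.append(parts[1])
        elif parts[0] == "source-address":
            current.source_nets.append(_network(parts[1:]))
        elif parts[0] == "destination-address":
            current.dest_nets.append(_network(parts[1:]))
        elif parts[0] == "action":
            current.action = parts[1]
    return rules, servers


def inbound_permits(rules, src_zone="untrust", dst_zone="dmz"):
    return [r for r in rules if r.action == "permit"
            and src_zone in r.source_zones and dst_zone in r.dest_zones]


def open_inbound_rules(rules):
    """Names of untrust->dmz permits that place no restriction on the source address."""
    return [r.name for r in inbound_permits(rules) if not r.source_nets]


def unprotected_nat_servers(rules, servers):
    """Published hosts not covered by any source-restricted untrust->dmz permit."""
    restricted = [r for r in inbound_permits(rules) if r.source_nets]
    flagged = []
    for s in servers:
        host = ipaddress.ip_address(s.inside_ip)
        covered = any(not r.dest_nets or any(host in n for n in r.dest_nets)
                      for r in restricted)
        if not covered:
            flagged.append(f"{s.protocol}/{s.global_port} -> {s.inside_ip}:{s.inside_port}")
    return flagged


if __name__ == "__main__":
    rules, servers = parse_config(SAMPLE_CONFIG)
    print("unrestricted inbound rules:", open_inbound_rules(rules))
    print("nat servers without a source-restricted permit:",
          unprotected_nat_servers(rules, servers))
```

Run against the sample, the linter reports TOO_OPEN as an unrestricted inbound rule and the constructed SSH mapping to 10.0.100.9 as a published host that only that over-broad rule would admit; the page's own PUBLIC_IN / nat server 0 pair passes both checks.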
If, for some reason, you cannot use Easy-IP NAT, you can use source NAT with a NAT address pool. Depending on how many public IP addresses you have, you can configure the no-PAT option, where only the IP address is translated, or PAT, i.e. NAT with port translation, so that your LAN users can access the Internet. Details in the video 😉
USG firewall configuration script:
#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
 dhcp server excluded-ip-address 10.0.0.100
 dhcp server static-bind ip-address 10.0.0.200 mac-address 5489-98b4-6a79
 dhcp server dns-list 10.0.0.100
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
nat address-group SOURCE-NAT 0
 mode pat
 route enable
 section 0 6.6.6.0 6.6.6.0

OR

nat address-group SOURCE-NAT 0
 mode no-pat global
 route enable
 section 0 6.6.6.0 6.6.6.1
#
security-policy
 rule name ALLOW
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name SOURCE-NAT
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action source-nat address-group SOURCE-NAT
A short video describing Easy-IP source NAT on Huawei's USG firewall, used to ensure that our intranet users can access the Internet.
Easy-IP is the simplest way to translate the private IP addresses of your local area network when you have only one public IP address, or when the public IP address is assigned dynamically.
USG firewall configuration script:
#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
 dhcp server excluded-ip-address 10.0.0.100
 dhcp server static-bind ip-address 10.0.0.200 mac-address 5489-98b4-6a79
 dhcp server dns-list 10.0.0.100
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
security-policy
 rule name ALLOW
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action source-nat easy-ip
#
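The difference between the three outbound NAT variants shown on this page (the no-PAT and PAT address pools from the source-NAT script, and Easy-IP from the script above) is easiest to see on concrete flows. The Python below is an added example, not part of the original post and not Huawei's implementation: a small model of a nat address-group that hands out translations in each mode. The pool ranges match the page's scripts (6.6.6.0-6.6.6.1 for no-PAT, 6.6.6.0 alone for PAT, the GigabitEthernet1/0/2 address 5.0.0.2 for Easy-IP); the three LAN hosts and their destinations are constructed values. The point it makes is the one the text states: with no-PAT each inside host consumes a whole public address, so a third host behind a two-address pool gets no translation at all, while PAT and Easy-IP share one address by rewriting source ports and keep a table to map return traffic back.

```python
"""Simulate how a USG source-NAT address group hands out translations.

Added example for this page, not part of the original post and not Huawei's
implementation. It models the three outbound modes the page's scripts use:
  - no-pat  : one public address per inside host, source port unchanged,
              a new host is dropped once the pool is exhausted;
  - pat     : public addresses shared, source port rewritten per flow;
  - easy-ip : PAT whose "pool" is the outbound interface address.
Pool ranges are the page's; inside hosts and destinations are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class AddressGroup:
    """A 'nat address-group' with a single 'section' of public addresses."""

    def __init__(self, name, mode, first, last=None, port_range=(10000, 65535)):
        if mode not in ("no-pat", "pat"):
            raise ValueError(f"unknown mode {mode!r}")
        self.name, self.mode = name, mode
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        self.pool = [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
        self.port_range = port_range
        self.host_map = {}                               # no-pat: inside ip -> public ip
        self.pat_table = {}                              # pat: (pub ip, pub port, proto) -> Flow
        self.next_port = {ip: port_range[0] for ip in self.pool}

    @classmethod
    def easy_ip(cls, interface_ip):
        """easy-ip: PAT behind the outbound interface's own address."""
        return cls("easy-ip", "pat", interface_ip)

    def translate(self, flow):
        """Return (public_ip, public_port) for the flow, or None if none is available."""
        if self.mode == "no-pat":
            pub = self.host_map.get(flow.src_ip)
            if pub is None:
                free = [ip for ip in self.pool if ip not in self.host_map.values()]
                if not free:
                    return None                          # pool exhausted: packet dropped
                pub = free[0]
                self.host_map[flow.src_ip] = pub
            return (pub, flow.src_port)                  # address only, port untouched
        for pub in self.pool:                            # pat / easy-ip
            port = self.next_port[pub]
            if port <= self.port_range[1]:
                self.next_port[pub] = port + 1
                self.pat_table[(pub, port, flow.proto)] = flow
                return (pub, port)
        return None                                      # every address out of ports

    def reverse(self, pub_ip, pub_port, proto="tcp"):
        """Map a returning packet back to its inside flow (PAT modes only)."""
        return self.pat_table.get((pub_ip, pub_port, proto))


# Constructed flows: three LAN hosts from the page's 10.0.0.0/24 going to the Internet.
FLOWS = [
    Flow("10.0.0.10", 40000, "203.0.113.10", 443),
    Flow("10.0.0.11", 40001, "203.0.113.10", 443),
    Flow("10.0.0.12", 40002, "203.0.113.20", 80),
]


def demo():
    """Run the three modes over FLOWS and return the translations per mode."""
    no_pat = AddressGroup("SOURCE-NAT", "no-pat", "6.6.6.0", "6.6.6.1")  # two public addresses
    pat = AddressGroup("SOURCE-NAT", "pat", "6.6.6.0")                   # one public address
    easy = AddressGroup.easy_ip("5.0.0.2")                               # GigabitEthernet1/0/2
    return {
        "no-pat": [no_pat.translate(f) for f in FLOWS],
        "pat": [pat.translate(f) for f in FLOWS],
        "easy-ip": [easy.translate(f) for f in FLOWS],
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(f"{mode:8s} {result}")
```

In the no-PAT run the third host gets None: the two-address pool is used up, which is the sizing question the text raises. The PAT and Easy-IP runs translate all three behind one address with distinct ports, and reverse() shows why the firewall must keep that table: a returning packet to 6.6.6.0:10000 can only be delivered because the (address, port, protocol) tuple identifies the original inside flow.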
A reminder for those who already know, a guide for those who would like to know. My first video on how to access emulated eNSP devices, including graphical access to the USG firewall. Hope you like it 🙂