Home >Documents >Security Tutorial v3.1.1 > 2. Operation > 2.2. Managed Firewall / Managed UTM Version2 > 2.2.30. NAT use case >2.2.30.6. NAPT (HA configuration)

2.2.30.6. NAPT (HA configuration)

2.2.30.6.1. Use case

The following use case is described.
<Example> An host on ECL accesses a website on the Internet.
•Accessing a website on the Internet from Host01 located on a logical network (server segment)
•Converting the destination of communications from a Host01 address into a global address to access (NAPT); allowing communications regarding TCP 80 (No port conversion)
napt-structure-ha

2.2.30.6.2. Conversion image

napt-traffic

2.2.30.6.3. Condition

It is assumed that the following works which depend on use cases have been completed.
Create Managed Firewall
Managed Firewall interface setting/ connection with a logical network
Managed Firewall routing setting (default-gateway setting)
• Destination IP :0.0.0.0
• Subnet Mask :0.0.0.0
•Gateway address: Gateway IPv4 address of Internet-GW (Example: 192.168.1.251)
•Interface: Port for setting the default gateway (Example: Port4)
*If necessary, add routing settings.
Routing setting of Internet-GW
•Destination: Global IP address to be used by NAPT (Example: 153.x.x.20/32)
•Next hop
VRRP IP address of the interface of the Managed Firewall (example: 192.168.1.254)
*If necessary, add routing settings.
Setting needed on Host01
•Routing setting, iptables/Windows firewall settings, setting for handling name resolution, etc.

2.2.30.6.4. Step (1)-1 Address object generation

Generate an address object for Host01.
After inputting setting values, press the [ Save ] button.

napt-create-address-object

Items

Setting value

Address Name

 Host_10.1.1.20

Type

Subnet Mask
IP Address 10.1.1.20

Subnet Mask

 255.255.255.255

Interface

 Port5

2.2.30.6.5. Step (1)-2 NAT object generation

Generate a Source NAT object for NAPT.
After inputting setting values, press the [ Save ] button.

napt-create-nat-object

Items

Setting value

NAT Name

 SNAT_153.x.x.20
Start IP Address 153.x.x.20
End IP Address 153.x.x.20

Note

  • When allocating a single global IP address, set the same value (IP address) to Start IP Address and End IP Address.

  • For the Source NAT object, define the IP address resulted from conversion of the source IP address.

  • For the IP address of the Source NAT object, do not use an IP address actually assigned to other devices.


2.2.30.6.6. Steps (1)-3 Saving an object

Before generating a firewall policy, select [ Apply configuration ] on the device management screen to apply an object.

save

After saving is finished, only the [ Synchronize with Device ] button is displayed.
synchronize-device

2.2.30.6.7. Step (2)-1 Generating a firewall policy

Generate a firewall policy for NAPT-used access from Host01 on ECL to a web server on the Internet.
After inputting setting values, press the [ Save ] button.
napt-create-policy-ha

Items

Setting value

Enable

Presence of check

Incoming Interface

 Port5

Source Address

 Host_10.1.1.20

Outgoing Interface

 Port4

Destination Address Type

 Address Object
Destination Address all

Service

 HTTP
Action ACCEPT

NAT

Presence of check

NAPT Object

 SNAT_153.x.x.20

Log

Any item

Note

  • If having dealt with name resolution through, for example, a DNS server, allow needed communications.


2.2.30.6.8. Step (2)-2 Saving the policy

Select [ Apply configuration ] on the device management screen to apply the firewall policy.

save

After saving is finished, only the [ Synchronize with Device ] button is displayed.
synchronize-device
Now the settings are over.
2.2.30.5. NAPT (Single configuration)
2.2.30.7. Destination NAT + NAPT (Single configuration)