Home >Documents >Security Tutorial v3.1.1 > 2. Operation > 2.2. Managed Firewall / Managed UTM Version2 > 2.2.30. NAT use case >2.2.30.7. Destination NAT + NAPT (Single configuration)

2.2.30.7. Destination NAT + NAPT (Single configuration)

2.2.30.7.1. Use case

The following use case is described.
<Example> Building up an open web server (Host01) on ECL and accessing through the Internet (Destination NAT)
Access from an open web server (Host01) to a website on the Internet (NAPT)
Setting with a single global IP address
dnat-napt-structure-single

2.2.30.7.2. Conversion image

Destination NAT (No port conversion)
dnat-no-port-traffic

NAPT
dnat-napt-traffic

2.2.30.7.3. Condition

It is assumed that the following works which depend on use cases have been completed.
Create Managed Firewall
Managed Firewall interface setting/ connection with a logical network
Managed Firewall routing setting (default-gateway setting)
• Destination IP :0.0.0.0
• Subnet Mask :0.0.0.0
•Gateway address: Gateway IPv4 address of Internet-GW (Example: 192.168.1.251)
•Interface: Port for setting the default gateway (Example: Port4)
*If necessary, add routing settings.
Routing setting of Internet-GW
•Destination: Global IP address to be used by NAPT (Example: 153.x.x.20/32)
•Next hop
IP address of the interface of the Managed Firewall (example: 192.168.1.254)
*If necessary, add routing settings.
Setting needed on Host01
•Routing setting, iptables/Windows firewall settings, setting for handling name resolution, etc.

2.2.30.7.4. Step (1)-1 Address object generation

Generate an address object for Host01.
After inputting setting values, press the [ Save ] button.

dnat-dnat-napt-create-address-object

Items

Setting value

Address Name

 Host_10.1.1.10

Type

 Subnet
IP Address 10.1.1.10

Subnet Mask

 255.255.255.255

Interface

 Port5

2.2.30.7.5. Step (1)-2 Destination NAT object generation

Create a destination NAT object
After inputting setting values, press the [ Save ] button.

dnat-napt-create-dnat-object

Items

Setting value

NAT Name

 DNAT_153.x.x.10
External IP Address 153.x.x.10
Mapped IP Address 10.1.1.10

External Interface

 Port4

Port Forward

Absence of check

Note

  • For an External IP address, do not use an IP address actually assigned to other devices.

  • For an External IP address and Mapped IP address, do not use the same address.


2.2.30.7.6. Step (1)-3 Source NAT object generation

Generate a Source NAT object for NAPT.
After inputting setting values, press the [ Save ] button.

dnat-napt-create-snat-object

Items

Setting value

NAT Name

 SNAT_153.x.x.10
Start IP Address 153.x.x.10
End IP Address 153.x.x.10

Note

  • When allocating a single global IP address, set the same value (IP address) to Start IP Address and End IP Address.

  • For the Source NAT object, define the IP address resulted from conversion of the source IP address.

  • For the IP address of the Source NAT object, do not use an IP address actually assigned to other devices.


2.2.30.7.7. Steps (1)-4 Saving an object

Before generating a firewall policy, select [ Apply configuration ] on the device management screen to apply an object.

save

After saving is finished, only the [ Synchronize with Device ] button is displayed.
synchronize-device

2.2.30.7.8. Step (2)-1 Generating a firewall policy

Generate a firewall policy for destination NAT-used access from the Internet to a web server (Host01).
After inputting setting values, press the [ Save ] button.
dnat-napt-create-dnat-policy-single

Items

Setting value

Enable

Presence of check

Incoming Interface

 Port4

Source Address

 all

Outgoing Interface

 Port5

Destination Address Type

 NAT Object
Destination NAT DNAT_153.x.x.10

Service

 HTTP
Action ACCEPT

NAT

Absence of check

Log

Any item

2.2.30.7.9. Step (2)-2 Saving the policy

Generate a firewall policy for NAPT-used access from Host01 on ECL to a web server on the Internet.
After inputting setting values, press the [ Save ] button.
dnat-napt-create-napt-policy-single

Items

Setting value

Enable

Presence of check

Incoming Interface

 Port5

Source Address

 Host_10.1.1.10

Outgoing Interface

 Port4

Destination Address Type

 Address Object
Destination Address all

Service

 HTTP
Action ACCEPT

NAT

Presence of check

NAT mode

 Use NAPT Object

NAPT Object

 SNAT_153.x.x.10

Log

Any item

Note

  • If having dealt with name resolution through, for example, a DNS server, allow needed communications.


2.2.30.7.10. Step (2)-2 Saving the policy

Select [ Apply configuration ] on the device management screen to apply the firewall policy.

save

After saving is finished, only the [ Synchronize with Device ] button is displayed.
synchronize-device
Now the settings are over.
2.2.30.6. NAPT (HA configuration)
2.2.30.8. Destination NAT + NAPT (HA configuration)