F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Configuration Guide-6PW100
Configuring ALG at the CLI
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable ALG.
   Command: alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
   Remarks: Optional. By default, ALG is enabled only for FTP.
FTP ALG configuration example
Network requirements
As shown in Figure 56, a company uses the private network segment 192.168.1.0/24. The company
wants to provide FTP services using public IP address 5.5.5.10.
Configure NAT and ALG on the firewall so that hosts on the external network can access the FTP server
on the internal network.
Figure 56 Network diagram
Configuration procedure
This section describes ALG configuration only, assuming that other required configurations on the server
and client have been done.
# Enable ALG for FTP.
[Firewall] alg ftp
# Configure the internal FTP server.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] nat server protocol tcp global 5.5.5.10 ftp inside 192.168.1.2 ftp
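The FTP control channel carries the server's address inside the 227 passive-mode reply, which is why the nat server mapping above needs ALG for FTP. The following Python sketch is an added example, not HP's code or the firewall's implementation: it models the payload rewrite for the 192.168.1.2 to 5.5.5.10 mapping and checks whether a reply captured on the external side still advertises a private address. The sample reply and all function names are constructed for illustration, and the model leaves the data port unchanged.

```python
import ipaddress
import re

# Static mapping taken from the page's "nat server" command (inside -> global).
NAT_SERVER = {"192.168.1.2": "5.5.5.10"}
# Constructed sample: 227 reply as the internal server would send it (port 195*256+80).
SAMPLE = "227 Entering Passive Mode (192,168,1,2,195,80)\r\n"
# An RFC 959 passive reply carries (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_227(line):
    """Return (ip, port) advertised in a 227 reply, or None for any other line."""
    if not line.startswith("227"):
        return None
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: leave the line alone
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def alg_rewrite_227(line, mapping=NAT_SERVER):
    """Simplified model: swap an inside address in the payload for its global one.
    Assumption: the port is kept as-is; TCP sequence adjustment is out of scope."""
    parsed = parse_227(line)
    if parsed is None or parsed[0] not in mapping:
        return line
    ip, port = parsed
    new = "(%s,%d,%d)" % (mapping[ip].replace(".", ","), port // 256, port % 256)
    return PASV_RE.sub(new, line, count=1)


def leaks_private_address(line):
    """True when a 227 reply seen on the external side still advertises a private address."""
    parsed = parse_227(line)
    return parsed is not None and ipaddress.ip_address(parsed[0]).is_private


if __name__ == "__main__":
    for label, reply in (("no ALG", SAMPLE), ("with ALG", alg_rewrite_227(SAMPLE))):
        print(label, parse_227(reply), "leaks private address:", leaks_private_address(reply))
```

Running leaks_private_address over 227 replies captured on the external interface is a quick way to confirm that alg ftp is in effect for the mapped server.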
SIP/H.323 ALG configuration example
H.323 ALG configuration is similar to SIP ALG configuration. This example discusses SIP ALG
configuration.
Network requirements
As shown in Figure 57, a company uses the private network segment 192.168.1.0/24, and has four public
network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. SIP UA 1 is on the internal network and SIP
UA 2 is on the external network.
Configure NAT and ALG on the firewall to enable SIP UA 1 and SIP UA 2 to communicate by using their
aliases, and to enable SIP UA 1 to select an IP address from the range 5.5.5.9 to 5.5.5.11 when
registering with the SIP server on the external network.