Solution
Hairpin NAT is used when LAN users need to reach a server on a local network by its public IP address. The following scenario illustrates a topology in which users in the LAN subnet must be able to access a server in the DMZ subnet using a public IP address.
config firewall vip
edit "VIP"
set uuid 62b4d29e-55bd-51ef-c420-41400a0b8f03
set extip 172.16.16.1
set mappedip "10.10.10.2"
set extintf "any"
next
end
show firewall policy 1
config firewall policy
edit 1
set name "Lan-to-Wan"
set uuid 9abc45c8-55bd-51ef-7290-648a4973d83a
set srcintf "port3"
set dstintf "port4"
set action accept
set srcaddr "Lan_Subnet"
set dstaddr "Public_IP"
set schedule "always"
set service "ALL"
set nat enable
next
end
show firewall policy 3
config firewall policy
edit 3
set name "Wan-to-Dmz/VIP"
set uuid 02345c22-55be-51ef-8e40-aebb6c6e10f1
set srcintf "port4"
set dstintf "port2"
set action accept
set srcaddr "Lan_Subnet"
set dstaddr "VIP"
set schedule "always"
set service "ALL"
set nat enable
next
end
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:8524->172.16.16.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=8524, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-000007fd, tun_id=0.0.0.0"
id=65308 trace_id=1 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=1"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT: IP-10.10.10.2, port-0(fixed port)"
id=65308 trace_id=1 func=__iprope_check_one_dnat_policy line=5286 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
id=65308 trace_id=1 func=iprope_fwd_check line=789 msg="in-[port3], out-[port4], skb_flags-02000000, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find SNAT: IP-172.16.16.1(from IPPOOL), port-8524"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2262 msg="policy-1 is matched, act-accept"
id=65308 trace_id=1 func=fw_pre_route_handler line=178 msg="VIP-10.10.10.2:8524, outdev-unknown"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3515 msg="DNAT 172.16.16.1:8->10.10.10.2:8524"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.10.10.2 via port2"
id=65308 trace_id=1 func=iprope_fwd_check line=789 msg="in-[port4], out-[port2], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1819 msg="ret-matched"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find SNAT: IP-10.10.10.1(from IPPOOL), port-8524"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2262 msg="policy-3 is matched, act-accept"
id=65308 trace_id=1 func=iprope_reverse_dnat_check line=1307 msg="in-[port4], out-[port2], skb_flags-020000c0, vid-1"
Based on the configuration provided, a VIP has been set up so that LAN users can reach server-1 via the public IP address. When the server is accessed from PC-1 using the public IP, access succeeds. However, because the VIP is configured with the firewall's public IP and extintf "any", traffic from external (WAN) users destined for the firewall's public IP address is also matched by the VIP, even though the VIP is not referenced in any firewall policy intended for WAN users. Consequently, as there is no WAN-to-DMZ firewall policy with the VIP as destination, the traffic is dropped by the implicit deny policy (policy-0).
id=65308 trace_id=26 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 172.16.16.2:21074->172.16.16.1:2048) tun_id=0.0.0.0 from port4. type=8, code=0, id=21074, seq=1."
id=65308 trace_id=26 func=init_ip_session_common line=6076 msg="allocate a new session-00000c88, tun_id=0.0.0.0"
id=65308 trace_id=26 func=iprope_dnat_check line=5331 msg="in-[port4], out-[]"
id=65308 trace_id=26 func=get_new_addr line=1228 msg="find DNAT: IP-10.10.10.2, port-0(fixed port)"
id=65308 trace_id=26 func=__iprope_check_one_dnat_policy line=5286 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
id=65308 trace_id=26 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
id=65308 trace_id=26 func=fw_pre_route_handler line=178 msg="VIP-10.10.10.2:21074, outdev-port4"
id=65308 trace_id=26 func=__ip_session_run_tuple line=3515 msg="DNAT 172.16.16.1:8->10.10.10.2:21074"
id=65308 trace_id=26 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.10.10.2 via port2"
id=65308 trace_id=26 func=iprope_fwd_check line=789 msg="in-[port4], out-[port2], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=26 func=__iprope_check_one_policy line=2262 msg="policy-0 is matched, act-drop"
config firewall vip
edit "VIP"
set uuid 62b4d29e-55bd-51ef-c420-41400a0b8f03
set extip 172.16.16.1
set mappedip "10.10.10.2"
set extintf "any"
set srcintf-filter "port3" <- Set srcintf-filter to restrict the VIP to a specific Interface.
next
end
After the above change is applied, access to the firewall using its public IP from the WAN side is possible again; the debug flow below shows that the packet arriving on port4 is no longer DNATed by the VIP and is instead routed to the firewall itself (via root).
id=65308 trace_id=31 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 172.16.16.2:49748->172.16.16.1:2048) tun_id=0.0.0.0 from port4. type=8, code=0, id=49748, seq=1."
id=65308 trace_id=31 func=init_ip_session_common line=6076 msg="allocate a new session-00000e0f, tun_id=0.0.0.0"
id=65308 trace_id=31 func=iprope_dnat_check line=5331 msg="in-[port4], out-[]"
id=65308 trace_id=31 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-172.16.16.1 via root"
id=65308 trace_id=31 func=iprope_access_proxy_check line=436 msg="in-[port4], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=31 func=__iprope_check line=2292 msg="gnum-100017, check-ffffffffa002c2a7"
id=65308 trace_id=31 func=iprope_policy_group_check line=4752 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=32 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 172.16.16.1:49748->172.16.16.2:0) tun_id=0.0.0.0 from local. type=0, code=0, id=49748, seq=1."
id=65308 trace_id=32 func=resolve_ip_tuple_fast line=5983 msg="Find an existing session, id-00000e0f, reply direction"
Note that with this configuration, any host in the LAN segment can reach server-1 via the public IP. To limit access to specific source hosts, configure 'src-filter' on the VIP. 'src-filter' specifies the source address filter; each entry must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y).
config firewall vip
edit "VIP"
set uuid 62b4d29e-55bd-51ef-c420-41400a0b8f03
set src-filter "192.168.1.2/32" <----- Set src-filter to restrict the VIP to a specific IP/subnet.
set extip 172.16.16.1
set mappedip "10.10.10.2"
set extintf "any"
set srcintf-filter "port3"
next
end