Login
- Table of Contents
-
- H3C SecPath M9000 Multi Service Security Gateway Configuration Examples(V7)(E9X71)-6W700
- 00-Preface
- 01-About the configuration examples
- 02-Web Login Configuration Examples
- 03-Internet Access Through a Static IP Address Configuration Examples
- 04-Internet access through PPPoE configuration examples
- 05-License Configuration Examples
- 06-Signature Library Upgrade Configuration Examples
- 07-Software Upgrade Examples
- 08-Routing deployment configuration examples
- 09-Transparent deployment configuration examples
- 10-Static routing configuration examples
- 11-RIP configuration examples
- 12-OSPF configuration examples
- 13-BGP configuration examples
- 14-Policy-based routing configuration examples
- 15-Security Policy Configuration Examples
- 16-APR-Based Security Policy Configuration Examples
- 17-Object Group Configuration Examples
- 18-User identification configuration examples
- 19-Attack defense configuration examples
- 20-Request Limit Configuration Examples
- 21-IPS Configuration Examples
- 22-URL Filtering Configuration Examples
- 23-Anti-Virus Configuration Examples
- 24-File Filtering Configuration Examples
- 25-Data Filtering Configuration Examples
- 26-WAF Configuration Examples
- 27-IP Reputation Configuration Examples
- 28-APT Defense Configuration Examples
- 29-NetShare Control Configuration Examples
- 30-Bandwidth Management Configuration Examples
- 31-IPsec configuration examples
- 32-SSL VPN IP access configuration examples
- 32-SSL VPN TCP access configuration examples
- 32-SSL VPN Web access configuration examples
- 33-L2TP Configuration Examples
- 34-NAT configuration examples
- 35-NPTv6 Configuration Examples
- 36-Policy-based NAT configuration examples
- 37-NAT hairpin configuration examples
- 38-NAT Flow Logging Configuration Examples
- 39-Inbound Link Load Balancing Configuration Examples
- 40-Outbound Link Load Balancing Configuration Examples
- 41-Server Load Balancing Configuration Examples
- 42-Transparent DNS Proxy Configuration Examples
- 43-Hot Backup Configuration Examples
- 44-Context Configuration Examples
- 45-DNS configuration examples
- 46-Server Connection Detection Configuration Examples
- 47-Connection Limit Configuration Examples
- 48-Public key management configuration examples
- 49-SSL Decryption Configuration Examples
- 50-MAC Address Learning Through a Layer 3 Device Configuration Examples
- 51-4G Configuration Examples
- 52-WLAN Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 38-NAT Flow Logging Configuration Examples | 117.33 KB |
NAT flow logging configuration examples
Contents
· Example: Configuring NAT flow logging
The following information provides NAT flow logging configuration examples.
This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of flow logging, NAT logging, and NAT.
Network configuration
As shown in Figure 1, configure NAT flow logging on the device to enable it to send NAT session information to the log server for user tracing and analysis. The following log information is recorded when the internal host accesses the server on the public network: Source IP address, source port number, destination IP address, and destination port number before and after NAT translation.
Software versions used
This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.
Restrictions and guidelines
· To record IP address and port number after translation, use log version 3.0.
· For the NAT flow logging to take effect, you must enable NAT logging.
· Logs cannot be sent to the log host and the information center at the same time. By default, logs are sent to the log host. If the information center is specified as the log output destination, logs will not be sent to the log host.
Procedure
Configuring the device
1. Assign IP addresses to interfaces and add the interfaces to security zones.
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/0.
# In the dialog box that opens, configure the interface:
a. Select the DMZ security zone.
b. On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 192.168.100.200/24.
c. Click OK.
# Add GE 1/0/1 to the Trust security zone and set its IP address to 172.16.1.254/24 in the same way you configure GE 1/0/0.
# Add GE 1/0/2 to the Untrust security zone and set its IP address to 202.2.2.1/24 in the same way you configure GE 1/0/0.
2. Create security policy SecPolicy1.
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create and click Create a policy.
# In the dialog box that opens, configure a security policy:
¡ Enter policy name SecPolicy1.
¡ Select source zone Trust.
¡ Select destination zone Untrust.
¡ Select IPv4 as the type.
¡ Select action Permit.
¡ Specify 172.16.1.0/24 as the source address.
¡ Specify 202.2.2.0/24 as the destination address.
# Click OK.
3. Create security policy SecPolicy2.
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create.
# In the dialog box that opens, configure a security policy:
¡ Enter policy name SecPolicy2.
¡ Select source zone Local.
¡ Select IPv4 as the type.
¡ Select destination zone DMZ.
¡ Select action Permit.
¡ Specify 192.168.100.0/24 as the destination address.
# Click OK.
4. Configure a policy-based NAT rule.
# On the top navigation bar, click Policies.
# From the navigation pane, select Policy-based NAT.
# Click Create.
# Create a policy-based NAT rule, as shown in Figure 2.
Figure 2 Creating a policy-based NAT rule
# Click OK.
5. Configure flow logging.
# On the top navigation bar, click System.
# From the navigation pane, select Log Settings > Basic Settings.
# On the Flow Log tab, configure flow logging, as shown in Figure 3.
Figure 3 Configure flow logging
6. Configure NAT logging.
# On the top navigation bar, click System.
# From the navigation pane, select Log Settings > NAT Log Settings.
# Configure NAT logging, as shown in Figure 4.
Figure 4 Configure NAT logging
# Click Apply.
Configuring the log server
# Configure the log server. (Details not shown.)
Verifying the configuration
Verify that a NAT session log is generated on the log server when the host accesses the server on the public network. The log information includes source IP address, source port number, destination IP address, and destination port number before and after translation.
