Full cone NAT for fixed port range IP pools
Full cone Network Address Translation (NAT) support is added for Fixed Port Range (FPR) IP pools. Once an internal host has opened a mapping, any external host, not only the one the internal host contacted, can send packets to the internal host through the mapped external IP address and port. This improves connectivity for applications that rely on inbound reachability. Full cone NAT is also known as Endpoint Independent Filtering (EIF).
To enable full cone NAT, set permit-any-host to enable when configuring the FPR IP pool.
config firewall ippool
    edit <name>
        set type fixed-port-range
        set permit-any-host {enable | disable}
    next
end
In this example, a NAT44 FPR IP pool with permit-any-host enabled is created and applied to a policy. A packet sent from Client1 to Server1 matches the policy, and the session list is checked for the NAT IP address and port, 172.16.201.3 and 1033. The expectation session list is then checked to confirm that the mapping will be used to allow access to the NAT IP address and port from any other external host, such as Server2. Finally, a packet sent from Server2 to the NAT IP address and port is forwarded to Client1.
To configure and check the full cone IP pool:
- Create an IP pool with full cone NAT:
    config firewall ippool
        edit "test-new-fpr-ippool-1"
            set type fixed-port-range
            set startip 172.16.201.3
            set endip 172.16.201.4
            set startport 1024
            set endport 1087
            set source-startip 10.1.100.41
            set source-endip 10.1.100.42
            set port-per-user 64
            set permit-any-host enable
            set comments "test"
        next
    end
- Use the IP pool with full cone NAT in a policy:
    config firewall policy
        edit 7
            set name "policy-fpr-ippool"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
            set ippool enable
            set poolname "test-new-fpr-ippool-1"
        next
    end
- Check the session list:
    # diagnose sys session list
    session info: proto=17 proto_state=00 duration=65 expire=175 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty f00
    statistic(bytes/packets/allow_err): org=58/2/1 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
    hook=post dir=org act=snat 10.1.100.41:20041->172.16.200.155:2156(172.16.201.3:1033)
    hook=pre dir=reply act=dnat 172.16.200.155:2156->172.16.201.3:1033(10.1.100.41:20041)
    misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
    serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason: disabled-by-policy
    total session: 1
- Check the expectation session list:
    # diagnose sys session list expectation
    session info: proto=17 proto_state=00 duration=74 expire=-44 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
    state=new log f31
    statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=dnat 10.1.100.41:0->172.16.201.3:1033(10.1.100.41:0)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
    serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason: new disabled-by-policy

    session info: proto=17 proto_state=00 duration=74 expire=-44 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=1 tunnel=/ vlan_cos=255/255
    state=new log f31
    statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=0->8/8->0 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=dnat 0.0.0.0:0->172.16.201.3:1033(10.1.100.41:20041)
    hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
    misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
    serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason: new disabled-by-policy
- Check that the packet sent from Server2 to the NAT IP address and port number is forwarded to Client1:
    # diagnose sniffer packet any 'udp and port 1033 or 20041' 4
    interfaces=[any]
    filters=[udp and port 1033 or 20041]
    12.001145 port1 in 172.16.200.55.4155 -> 172.16.201.3.1033: udp 4
    12.001180 port2 out 172.16.200.55.4155 -> 10.1.100.41.20041: udp 4

    2 packets received by filter
    0 packets dropped by kernel

    # diagnose sys session list
    session info: proto=17 proto_state=00 duration=234 expire=1734 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=1 tunnel=/ vlan_cos=255/255
    state=log intree
    statistic(bytes/packets/allow_err): org=32/1/0 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=7->8/8->7 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=dnat 172.16.200.55:4155->172.16.201.3:1033(10.1.100.41:20041)
    hook=post dir=reply act=snat 10.1.100.41:20041->172.16.200.55:4155(172.16.201.3:1033)
    misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
    serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason: disabled-by-policy
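The following Python is an added example, not Fortinet code or output: it reads the hook lines of the two sessions shown in this procedure (the Client1-to-Server1 session and the later Server2 session on the same mapping) and reports, per NAT endpoint, which peer the internal host opened the mapping to and which external host reached it unsolicited, which is exactly what full cone NAT permits. The regular expression and the meaning of the snat/dnat org hooks are assumptions based on the output format shown above.

```python
import re
from collections import defaultdict

# Two sessions from the "diagnose sys session list" output above, trimmed to the
# lines the parser reads: session 1 opened by Client1 to Server1, session 2 opened
# by Server2 towards the NAT endpoint that session 1 created.
SESSION_LIST = """\
session info: proto=17 proto_state=00 duration=65 expire=175
hook=post dir=org act=snat 10.1.100.41:20041->172.16.200.155:2156(172.16.201.3:1033)
hook=pre dir=reply act=dnat 172.16.200.155:2156->172.16.201.3:1033(10.1.100.41:20041)
session info: proto=17 proto_state=00 duration=234 expire=1734
hook=pre dir=org act=dnat 172.16.200.55:4155->172.16.201.3:1033(10.1.100.41:20041)
hook=post dir=reply act=snat 10.1.100.41:20041->172.16.200.55:4155(172.16.201.3:1033)
"""

# hook=<hook> dir=<dir> act=<act> <src>-><dst>(<translated endpoint>)
HOOK_RE = re.compile(r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
                     r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\((?P<xlate>[\d.]+:\d+)\)")

def parse_sessions(text):
    """Split the output into sessions; each session is a list of hook dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = []
            sessions.append(cur)
        m = HOOK_RE.match(line.strip())
        if m and cur is not None:
            cur.append(m.groupdict())
    return sessions

def classify(session):
    """Return (nat_endpoint, internal_endpoint, peer_ip, direction). The org hook
    shows who opened the session: snat = internal host (outbound), dnat = external."""
    org = next(h for h in session if h["dir"] == "org")
    if org["act"] == "snat":
        return org["xlate"], org["src"], org["dst"].rsplit(":", 1)[0], "outbound"
    if org["act"] == "dnat":
        return org["dst"], org["xlate"], org["src"].rsplit(":", 1)[0], "inbound"
    raise ValueError("unrecognised org hook: %r" % org)

def full_cone_report(text):
    """Per NAT endpoint: internal host, peers it opened to, and 'unsolicited'
    peers that reached the mapping first, which only full cone NAT (EIF) allows."""
    rep = defaultdict(lambda: {"internal": None, "opened_to": set(), "inbound": set()})
    for s in parse_sessions(text):
        nat, internal, peer, direction = classify(s)
        rep[nat]["internal"] = internal
        rep[nat]["opened_to" if direction == "outbound" else "inbound"].add(peer)
    for e in rep.values():
        e["unsolicited"] = e["inbound"] - e["opened_to"]
    return dict(rep)
```

Running `full_cone_report` over the session list of a pool with permit-any-host enabled shows which inbound peers are using each mapping, which is useful when auditing what an EIF pool exposes.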