[T&C] CGNAT Port Reservation (Port Forwarding) with Firewall using Thunder CGN/CFW
In this article we will see how you can implement CGNAT Static Port Reservation (also known as Port Forwarding) using A10 Thunder CGN/CFW.
Deployment Scenario
Here is the deployment scenario:
We have two internal services that we want to make accessible to the outside world using Thunder CGN/CFW:
- SSH server running on 100.64.101.101 at port 22
- Web server running on 100.64.101.102 at port 80
These services will be exposed to the outside world using a public IP 203.0.113.2, such that:
- An external user accessing 203.0.113.2:2022 will be forwarded to internal service at 100.64.101.101:22
- An external user accessing 203.0.113.2:8080 will be forwarded to internal service at 100.64.101.102:80
Note: Here the connections will be initiated from outside-to-inside, and not from inside-to-outside as is normally the case in a CGNAT deployment.
Additionally, we will configure a firewall to allow only specific clients/subnets to access these services.
Configuration
CGNAT Configuration
This can be achieved using the following CGNAT configuration on the Thunder CGN.
First configure inside and outside NAT interfaces and define a NAT pool:
interface ethernet 1
  enable
  ip address 203.0.113.1 255.255.255.0
  ip nat outside
!
interface ethernet 2
  enable
  ip address 100.64.101.1 255.255.255.0
  ip nat inside
!
cgnv6 nat pool CGN_Server_Pool 203.0.113.2 netmask /32
Now configure the port forwarding rules as follows:
cgnv6 lsn port-reservation inside 100.64.101.101 22 22 nat 203.0.113.2 2022 2022
!
cgnv6 lsn port-reservation inside 100.64.101.102 80 80 nat 203.0.113.2 8080 8080
Here we map the inside IP 100.64.101.101 and port 22 to a public IP 203.0.113.2 and port 2022.
Similarly, we map the inside IP 100.64.101.102 and port 80 to the same public IP 203.0.113.2 and port 8080.
Note: Here we have two different inside IP addresses, 100.64.101.101 and 100.64.101.102. They could also be the same inside address, as long as the inside port numbers differ.
To view the list of port reservations:
vThunder-CGN#sh cgnv6 lsn port-reservations
LSN Port Reservations
Inside Address    Start  End    NAT Address     Start  End
------------------------------------------------------------------
100.64.101.101    22     22     203.0.113.2     2022   2022
100.64.101.102    80     80     203.0.113.2     8080   8080
Total Static Port Reservations: 2
vThunder-CGN#
Optionally configure CGNAT logging as follows:
cgnv6 server syslog1 203.0.113.110
  port 514 udp
!
cgnv6 server syslog2 203.0.113.111
  port 514 udp
!
cgnv6 service-group SG-CGN-LOG udp
  member syslog1 514
  member syslog2 514
!
cgnv6 template logging CGN-LOG-TEMPLATE
  log sessions
  service-group SG-CGN-LOG
!
cgnv6 lsn logging default-template CGN-LOG-TEMPLATE
Firewall Configuration
We can additionally secure this deployment by adding a firewall policy.
Note: Firewall requires the Thunder CFW license.
For example, here we configure a firewall policy to allow traffic only from the host 203.0.113.102 destined to 203.0.113.2 at ports 2022 or 8080:
fw template logging FW-LOG
  format ascii
  service-group SG-CGN-LOG
!
fw logging FW-LOG
!
rule-set FWPOLICY
  rule rule1
    action permit cgnv6
    log
    source ipv4-address 203.0.113.102/32
    source zone any
    dest ipv4-address 203.0.113.2/32
    dest zone any
    service tcp dst eq 2022
  rule rule2
    action permit cgnv6
    log
    source ipv4-address 203.0.113.102/32
    source zone any
    dest ipv4-address 203.0.113.2/32
    dest zone any
    service tcp dst eq 8080
  rule rule3
    action deny
    log
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!
fw active-rule-set FWPOLICY
Note: The permit rules use the action "permit cgnv6", which hands the permitted traffic to the CGNAT (cgnv6) policy, so the port reservation is applied only to flows the firewall has allowed. The final rule, rule3, denies and logs everything else.
Note: Here we have configured the same syslog servers for both CGNAT and firewall logging. Alternatively, you can configure a different set of syslog servers for firewall logging.
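The following Python model is an added example (not A10 code or the article's own) that replays the FWPOLICY rule-set and the two port reservations above against sample flows, so you can check first-match ordering and which inside host a permitted flow reaches before committing the configuration. Rule names, addresses and ports are the ones in this article; the match semantics (first matching rule wins, "permit cgnv6" then consults the static reservation table) are modelled, not taken from the device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Static port reservations from the article: (NAT IP, NAT port) -> (inside IP, inside port)
PORT_RESERVATIONS = {
    ("203.0.113.2", 2022): ("100.64.101.101", 22),
    ("203.0.113.2", 8080): ("100.64.101.102", 80),
}

@dataclass
class Rule:
    name: str
    action: str              # "permit cgnv6" or "deny", as written in the rule-set
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any" (pre-NAT public destination)
    proto: str               # "tcp" or "any"
    dst_port: Optional[int]  # None matches any destination port

# FWPOLICY in configured order; the firewall applies the first matching rule.
FWPOLICY = [
    Rule("rule1", "permit cgnv6", "203.0.113.102/32", "203.0.113.2/32", "tcp", 2022),
    Rule("rule2", "permit cgnv6", "203.0.113.102/32", "203.0.113.2/32", "tcp", 8080),
    Rule("rule3", "deny", "any", "any", "any", None),
]

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (matched rule name, action, translated inside endpoint or None) for a new flow."""
    for r in FWPOLICY:
        if not (_in_net(src_ip, r.src) and _in_net(dst_ip, r.dst)):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        # "permit cgnv6" passes the flow to CGNAT, which applies the static reservation;
        # None here means no reservation exists for that public destination.
        translated = PORT_RESERVATIONS.get((dst_ip, dst_port)) if r.action == "permit cgnv6" else None
        return r.name, r.action, translated
    return None, "deny", None  # nothing matched (cannot happen with rule3 present)

if __name__ == "__main__":
    for flow in [("203.0.113.102", "203.0.113.2", "tcp", 2022),
                 ("203.0.113.103", "203.0.113.2", "tcp", 8080),
                 ("203.0.113.102", "203.0.113.2", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
```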
Verification
From an outside client machine (e.g., 203.0.113.102) start two different sessions:
- SSH session to the public IP at port 2022 (203.0.113.2:2022)
- Web session to the public IP at port 8080 (203.0.113.2:8080)
SSH session from the client machine:
Web server session from the client machine:
We can confirm that the traffic has been translated and forwarded correctly by looking at the session entries on the Thunder device. The forward destination shows the public IP and reserved port, while the reverse source shows the inside server and its real port:
vThunder-CGN#sh session
Traffic Type                          Total
---------------------------------------------
Total Sessions                        2
TCP Established                       2
<snip>
Prot Forward Source         Forward Dest        Reverse Source       Reverse Dest           Age  Hash Flags      Type
---------------------------------------------------------------------------------------------------------------------------------------------------
Tcp  203.0.113.102:51700   203.0.113.2:8080    100.64.101.102:80    203.0.113.102:51700    300  1    NFe0f0r0   LSN
Tcp  203.0.113.102:46068   203.0.113.2:2022    100.64.101.101:22    203.0.113.102:46068    300  1    NFe0f0r0   LSN
Total Sessions: 2
vThunder-CGN#
Now initiate SSH and web connections from a different client, say 203.0.113.103. Since this client is not in our permit list, the traffic will get dropped.
We can confirm this by looking at the firewall logs on our log server:
Nov 17 06:27:11 vThunder-CGN FW-TCP-I: 203.0.113.103:35090<-->203.0.113.2:8080 ACT=DENY RT=1142939692 IN-INTF=ethernet1 POLICY=FWPOLICY RULE=rule3#015
Nov 17 06:27:17 vThunder-CGN FW-TCP-I: 203.0.113.103:37314<-->203.0.113.2:2022 ACT=DENY RT=1142941096 IN-INTF=ethernet1 POLICY=FWPOLICY RULE=rule3#015
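As an added example (not part of the article or of A10's tooling), the following Python parses the ASCII firewall log lines above on the syslog server and counts DENY events per source address against the exposed ports, which is the check you would run to see who is probing the forwarded services. The regular expression assumes the exact field layout shown in the two sample lines; the "#015" trailer is the carriage return as the syslog daemon rendered it.

```python
import re
from collections import Counter

# The two FW-TCP-I lines from the article, as received by the syslog server.
SAMPLE_LOGS = """\
Nov 17 06:27:11 vThunder-CGN FW-TCP-I: 203.0.113.103:35090<-->203.0.113.2:8080 ACT=DENY RT=1142939692 IN-INTF=ethernet1 POLICY=FWPOLICY RULE=rule3#015
Nov 17 06:27:17 vThunder-CGN FW-TCP-I: 203.0.113.103:37314<-->203.0.113.2:2022 ACT=DENY RT=1142941096 IN-INTF=ethernet1 POLICY=FWPOLICY RULE=rule3#015
"""

# Field layout assumed from the sample lines: timestamp, hostname, event type,
# src:port<-->dst:port, then ACT/RT/IN-INTF/POLICY/RULE key=value pairs.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<evt>FW-\w+-I): "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)<-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"ACT=(?P<act>\w+) RT=(?P<rt>\d+) IN-INTF=(?P<intf>\S+) POLICY=(?P<policy>\S+) RULE=(?P<rule>\w+)"
)

def parse_fw_line(line: str):
    """Parse one Thunder firewall log line into a dict; return None if the format does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def denies_by_source(lines, exposed_ports=frozenset({2022, 8080})):
    """Count DENY events per source IP that targeted the forwarded service ports."""
    counts = Counter()
    for line in lines:
        rec = parse_fw_line(line)
        if rec and rec["act"] == "DENY" and rec["dst_port"] in exposed_ports:
            counts[rec["src_ip"]] += 1
    return counts

if __name__ == "__main__":
    for src, n in denies_by_source(SAMPLE_LOGS.splitlines()).most_common():
        print(f"{src}: {n} denied connection attempt(s) to the forwarded ports")
```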
Complete Configuration
Here is the complete configuration for reference:
Note: This configuration requires the Thunder CFW license.
!64-bit Advanced Core OS (ACOS) version 5.2.1-P6, build 74 (Oct-09-2022,09:24)
!
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
ip dns primary 8.8.8.8
!
ip dns secondary 8.8.4.4
!
hostname vThunder-CGN
!
timezone America/Los_Angeles
!
ntp server time.google.com
  prefer
!
ntp server ntp.ubuntu.com
!
glm use-mgmt-port
glm enable-requests
!
interface management
  ip address 10.64.4.27 255.255.255.0
  ip default-gateway 10.64.4.1
!
interface ethernet 1
  enable
  ip address 203.0.113.1 255.255.255.0
  ip nat outside
!
interface ethernet 2
  enable
  ip address 100.64.101.1 255.255.255.0
  ip nat inside
!
interface ethernet 3
  enable
!
!
cgnv6 server syslog1 203.0.113.110
  port 514 udp
!
cgnv6 server syslog2 203.0.113.111
  port 514 udp
!
cgnv6 service-group SG-CGN-LOG udp
  member syslog1 514
  member syslog2 514
!
cgnv6 template logging CGN-LOG-TEMPLATE
  log sessions
  service-group SG-CGN-LOG
!
cgnv6 nat pool CGN_Server_Pool 203.0.113.2 netmask /32
!
cgnv6 lsn logging default-template CGN-LOG-TEMPLATE
!
cgnv6 lsn port-reservation inside 100.64.101.101 22 22 nat 203.0.113.2 2022 2022
!
cgnv6 lsn port-reservation inside 100.64.101.102 80 80 nat 203.0.113.2 8080 8080
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
fw template logging FW-LOG
  format ascii
  service-group SG-CGN-LOG
!
fw logging FW-LOG
!
rule-set FWPOLICY
  rule rule1
    action permit cgnv6
    log
    source ipv4-address 203.0.113.102/32
    source zone any
    dest ipv4-address 203.0.113.2/32
    dest zone any
    service tcp dst eq 2022
  rule rule2
    action permit cgnv6
    log
    source ipv4-address 203.0.113.102/32
    source zone any
    dest ipv4-address 203.0.113.2/32
    dest zone any
    service tcp dst eq 8080
  rule rule3
    action deny
    log
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!
fw active-rule-set FWPOLICY
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
vThunder-CGN#