Firewall NAT Intelligent Routing Comprehensive Lab Configuration

Tech · May 8

Lab Topology and IP Addressing

This lab implements a complex network environment with the following components:

  • Headquarters Firewall (FW2): USG6000V1 as the core security gateway
  • ISP Router (R1): Simulates external network with Telecom (12.0.0.0/24) and Mobile (21.0.0.0/24) links
  • Office Zone: Internal users requiring dual-ISP internet access
  • DMZ Zone: Contains HTTP server at 10.0.3.10
  • Branch Office: Located behind FW2, needs access to HQ DMZ resources
  • Guest Zone: Restricted to mobile network access only

Network Interface Planning

Interface   IP Address        Zone      Purpose
GE0/0/0     192.168.81.1/24   Trust     Management interface
GE1/0/0     10.0.1.1/24       Office    Office zone gateway
GE1/0/1     10.0.2.1/24       Office    Office zone gateway
GE1/0/2     10.0.3.1/24       DMZ       DMZ zone gateway
GE2/0/0     12.0.0.1/24       Telecom   ISP Telecom connection
GE2/0/1     21.0.0.1/24       Mobile    ISP Mobile connection
GE4/0/0     100.0.0.1/24      Untrust   External network simulation

Phase 1: Initial Firewall Configuration

Basic Interface Setup

<USG6000V1>system-view
[USG6000V1]interface GigabitEthernet 0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.81.1 24
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit
[USG6000V1-GigabitEthernet0/0/0]quit

[USG6000V1]interface GigabitEthernet 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 10.0.1.1 24
[USG6000V1-GigabitEthernet1/0/0]quit

[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 10.0.2.1 24
[USG6000V1-GigabitEthernet1/0/1]quit

[USG6000V1]interface GigabitEthernet 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 10.0.3.1 24
[USG6000V1-GigabitEthernet1/0/2]quit

Zone Creation and Interface Assignment

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]quit

[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-dmz]quit

[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 2/0/0
[USG6000V1-zone-untrust]add interface GigabitEthernet 2/0/1
[USG6000V1-zone-untrust]quit

Phase 2: Office Zone Dual-ISP NAT Configuration

ISP Zone Separation

Create separate security zones for each ISP to enable independent policy management:

[USG6000V1]firewall zone name telecom
[USG6000V1-zone-telecom]set priority 15
[USG6000V1-zone-telecom]add interface GigabitEthernet 2/0/0
[USG6000V1-zone-telecom]quit

[USG6000V1]firewall zone name mobile
[USG6000V1-zone-mobile]set priority 16
[USG6000V1-zone-mobile]add interface GigabitEthernet 2/0/1
[USG6000V1-zone-mobile]quit

NAT Pool Configuration with IP Reservation

Configure address pools for each ISP, reserving one public IP address from each pool:

Telecom NAT Pool (Reserving 12.0.0.10):

[USG6000V1]nat address-group telecom_pool
[USG6000V1-nat-address-group-telecom_pool]section 0 12.0.0.1 12.0.0.9
[USG6000V1-nat-address-group-telecom_pool]section 1 12.0.0.11 12.0.0.254
[USG6000V1-nat-address-group-telecom_pool]quit

Mobile NAT Pool (Reserving 21.0.0.10):

[USG6000V1]nat address-group mobile_pool
[USG6000V1-nat-address-group-mobile_pool]section 0 21.0.0.1 21.0.0.9
[USG6000V1-nat-address-group-mobile_pool]section 1 21.0.0.11 21.0.0.254
[USG6000V1-nat-address-group-mobile_pool]quit

NAT Policy Creation

Telecom Outbound NAT Policy:

[USG6000V1]nat policy interzone trust telecom outbound
[USG6000V1-nat-policy-interzone-trust-telecom-outbound]policy 1
[USG6000V1-nat-policy-interzone-trust-telecom-outbound-policy-1]action source-nat
[USG6000V1-nat-policy-interzone-trust-telecom-outbound-policy-1]policy source 10.0.1.0 255.255.255.0
[USG6000V1-nat-policy-interzone-trust-telecom-outbound-policy-1]policy source 10.0.2.0 255.255.255.0
[USG6000V1-nat-policy-interzone-trust-telecom-outbound-policy-1]address-group telecom_pool
[USG6000V1-nat-policy-interzone-trust-telecom-outbound-policy-1]quit
[USG6000V1-nat-policy-interzone-trust-telecom-outbound]quit

Mobile Outbound NAT Policy:

[USG6000V1]nat policy interzone trust mobile outbound
[USG6000V1-nat-policy-interzone-trust-mobile-outbound]policy 1
[USG6000V1-nat-policy-interzone-trust-mobile-outbound-policy-1]action source-nat
[USG6000V1-nat-policy-interzone-trust-mobile-outbound-policy-1]policy source 10.0.1.0 255.255.255.0
[USG6000V1-nat-policy-interzone-trust-mobile-outbound-policy-1]policy source 10.0.2.0 255.255.255.0
[USG6000V1-nat-policy-interzone-trust-mobile-outbound-policy-1]address-group mobile_pool
[USG6000V1-nat-policy-interzone-trust-mobile-outbound-policy-1]quit
[USG6000V1-nat-policy-interzone-trust-mobile-outbound]quit

Security Policy Configuration

Allow office zone to access both ISP zones:

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name office_to_telecom
[USG6000V1-policy-security-rule-office_to_telecom]source-zone trust
[USG6000V1-policy-security-rule-office_to_telecom]destination-zone telecom
[USG6000V1-policy-security-rule-office_to_telecom]source-address 10.0.1.0 255.255.255.0
[USG6000V1-policy-security-rule-office_to_telecom]source-address 10.0.2.0 255.255.255.0
[USG6000V1-policy-security-rule-office_to_telecom]action permit
[USG6000V1-policy-security-rule-office_to_telecom]quit

[USG6000V1-policy-security]rule name office_to_mobile
[USG6000V1-policy-security-rule-office_to_mobile]source-zone trust
[USG6000V1-policy-security-rule-office_to_mobile]destination-zone mobile
[USG6000V1-policy-security-rule-office_to_mobile]source-address 10.0.1.0 255.255.255.0
[USG6000V1-policy-security-rule-office_to_mobile]source-address 10.0.2.0 255.255.255.0
[USG6000V1-policy-security-rule-office_to_mobile]action permit
[USG6000V1-policy-security-rule-office_to_mobile]quit

Phase 3: DMZ Server Publishing

Dual-ISP Port Mapping Configuration

Publish the internal HTTP server (10.0.3.10) through both ISP connections:

Telecom Port Mapping (12.0.0.2 -> 10.0.3.10):

[USG6000V1]nat server telecom_server global 12.0.0.2 inside 10.0.3.10 protocol tcp
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name allow_telecom_to_dmz
[USG6000V1-policy-security-rule-allow_telecom_to_dmz]source-zone telecom
[USG6000V1-policy-security-rule-allow_telecom_to_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-allow_telecom_to_dmz]destination-address 10.0.3.10 255.255.255.255
[USG6000V1-policy-security-rule-allow_telecom_to_dmz]service protocol tcp destination-port 80
[USG6000V1-policy-security-rule-allow_telecom_to_dmz]action permit
[USG6000V1-policy-security-rule-allow_telecom_to_dmz]quit

Mobile Port Mapping (21.0.0.2 -> 10.0.3.10):

[USG6000V1]nat server mobile_server global 21.0.0.2 inside 10.0.3.10 protocol tcp
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name allow_mobile_to_dmz
[USG6000V1-policy-security-rule-allow_mobile_to_dmz]source-zone mobile
[USG6000V1-policy-security-rule-allow_mobile_to_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-allow_mobile_to_dmz]destination-address 10.0.3.10 255.255.255.255
[USG6000V1-policy-security-rule-allow_mobile_to_dmz]service protocol tcp destination-port 80
[USG6000V1-policy-security-rule-allow_mobile_to_dmz]action permit
[USG6000V1-policy-security-rule-allow_mobile_to_dmz]quit

Branch Office NAT Policy

Configure source NAT so the branch office subnet (192.168.100.0/24) can reach the HQ DMZ server:

[USG6000V1]nat policy interzone branch_dmz outbound
[USG6000V1-nat-policy-interzone-branch_dmz-outbound]policy 1
[USG6000V1-nat-policy-interzone-branch_dmz-outbound-policy-1]action source-nat
[USG6000V1-nat-policy-interzone-branch_dmz-outbound-policy-1]policy source 192.168.100.0 255.255.255.0
[USG6000V1-nat-policy-interzone-branch_dmz-outbound-policy-1]address-group telecom_pool
[USG6000V1-nat-policy-interzone-branch_dmz-outbound-policy-1]quit

Phase 4: Multi-Exit Routing with Bandwidth-Based Load Balancing

Link Bandwidth Configuration

Configure bandwidth parameters for both ISP links:

[USG6000V1]interface GigabitEthernet 2/0/0
[USG6000V1-GigabitEthernet2/0/0]bandwidth ingress 100000 ratio 50
[USG6000V1-GigabitEthernet2/0/0]bandwidth egress 100000 ratio 50
[USG6000V1-GigabitEthernet2/0/0]quit

[USG6000V1]interface GigabitEthernet 2/0/1
[USG6000V1-GigabitEthernet2/0/1]bandwidth ingress 100000 ratio 50
[USG6000V1-GigabitEthernet2/0/1]bandwidth egress 100000 ratio 50
[USG6000V1-GigabitEthernet2/0/1]quit

Overload Protection Configuration

Enable link overload protection with an 80% utilisation threshold, so a link that reaches it is taken out of the steering group until it recovers:

[USG6000V1]link-load-balance steering
[USG6000V1-link-load-balance-steering]overload protect enable
[USG6000V1-link-load-balance-steering]overload protect threshold 80
[USG6000V1-link-load-balance-steering]quit

Intelligent Routing Policy

Configure destination-based routing with fallback to bandwidth proportion:

[USG6000V1]load-balance policy route_policy
[USG6000V1-load-balance-policy-route_policy]rule 1
[USG6000V1-load-balance-policy-route_policy-rule-1]destination 0.0.0.0 0.0.0.0
[USG6000V1-load-balance-policy-route_policy-rule-1]link-load-balance weighted-round-robin
[USG6000V1-load-balance-policy-route_policy-rule-1]link-group telecom mobile
[USG6000V1-load-balance-policy-route_policy-rule-1]enable
[USG6000V1-load-balance-policy-route_policy-rule-1]quit
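The steering behaviour configured in this phase (equal 50/50 weights, overload protection at 80%), modelled as an added example. This is not Huawei's implementation, whose exact algorithm this page does not document; the link parameters and flow sizes are constructed to match the lab.

```python
class LinkSteering:
    """Model of weighted-round-robin link selection with overload protection,
    as described for the lab: links with equal ratio share new flows evenly,
    and a link whose egress utilisation reaches the threshold is excluded."""

    def __init__(self, links, threshold_pct=80):
        # links: {name: (bandwidth_kbps, ratio)}; the lab uses 100000 kbps, ratio 50
        self.links = links
        self.threshold = threshold_pct / 100
        self.load = {n: 0 for n in links}   # kbps currently carried per link
        self.flows = {n: 0 for n in links}  # flows assigned per link

    def utilisation(self, name):
        return self.load[name] / self.links[name][0]

    def select(self, flow_kbps):
        """Pick the egress link for a new flow; None if every link is overloaded."""
        # Overload protection: links at or above the threshold leave the group.
        candidates = [n for n in self.links if self.utilisation(n) < self.threshold]
        if not candidates:
            return None
        # Weighted round-robin: the link with the fewest flows per unit of ratio is next.
        name = min(candidates, key=lambda n: self.flows[n] / self.links[n][1])
        self.flows[name] += 1
        self.load[name] += flow_kbps
        return name


# Constructed scenario: both ISP links as configured above, 10 Mbps flows.
LAB_LINKS = {"telecom": (100000, 50), "mobile": (100000, 50)}

def steer_flows(existing_telecom_load_kbps, count, flow_kbps=10000):
    """Return the sequence of links chosen for `count` new flows, given some
    load already present on the Telecom link (e.g. from the PBR-pinned host)."""
    steering = LinkSteering(LAB_LINKS)
    steering.load["telecom"] = existing_telecom_load_kbps
    return [steering.select(flow_kbps) for _ in range(count)]
```

With an idle Telecom link the flows alternate between the two ISPs; with Telecom already at 85% every new flow goes to Mobile until Mobile itself hits 80%, after which `select` returns None rather than overloading either link.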

Specific Routing for 10.0.2.10 via Telecom Only

Force a specific host (10.0.2.10) to use the Telecom link exclusively:

[USG6000V1]policy-based-route host_10_0_2_10 permit node 1
[USG6000V1-policy-pbr-host_10_0_2_10-1]source-ip 10.0.2.10 0.0.0.0
[USG6000V1-policy-pbr-host_10_0_2_10-1]action route next-hop 12.0.0.2
[USG6000V1-policy-pbr-host_10_0_2_10-1]quit

Apply PBR to the office zone interface:

[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip policy-based-route host_10_0_2_10
[USG6000V1-GigabitEthernet1/0/1]quit

Phase 5: Domain-Based Server Access

DNS Configuration

Configure DNS mapping for internal server access:

[USG6000V1]dns resolve
[USG6000V1-dns-resolve]dns server 8.8.8.8
[USG6000V1-dns-resolve]quit

[USG6000V1]dns domain example.com 10.0.3.10

Bi-directional NAT for Domain Access

Configure NAT so that both internal and external users can reach the server via its domain name:

[USG6000V1]nat server global_dns global 12.0.0.100 inside 10.0.3.10 protocol tcp
[USG6000V1]nat server global_dns2 global 21.0.0.100 inside 10.0.3.10 protocol tcp

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name allow_internal_to_server
[USG6000V1-policy-security-rule-allow_internal_to_server]source-zone trust
[USG6000V1-policy-security-rule-allow_internal_to_server]destination-zone dmz
[USG6000V1-policy-security-rule-allow_internal_to_server]destination-address 10.0.3.10 255.255.255.255
[USG6000V1-policy-security-rule-allow_internal_to_server]service protocol tcp destination-port 80
[USG6000V1-policy-security-rule-allow_internal_to_server]action permit
[USG6000V1-policy-security-rule-allow_internal_to_server]quit
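A consistency check over the NAT pools from Phase 2 and the nat server mappings from Phases 3 and 5, as an added example that is not part of the original lab. It parses a constructed excerpt of the page's own CLI lines and reports every pool address that is also an interface address, a published server address, or one of the IPs the lab meant to reserve.

```python
import ipaddress
import re

# Constructed excerpt of the lab's CLI lines (prompts kept as they appear on the page).
CONFIG = """
[USG6000V1]interface GigabitEthernet 2/0/0
[USG6000V1-GigabitEthernet2/0/0]ip address 12.0.0.1 24
[USG6000V1]interface GigabitEthernet 2/0/1
[USG6000V1-GigabitEthernet2/0/1]ip address 21.0.0.1 24
[USG6000V1]nat address-group telecom_pool
[USG6000V1-nat-address-group-telecom_pool]section 0 12.0.0.1 12.0.0.9
[USG6000V1-nat-address-group-telecom_pool]section 1 12.0.0.11 12.0.0.254
[USG6000V1]nat address-group mobile_pool
[USG6000V1-nat-address-group-mobile_pool]section 0 21.0.0.1 21.0.0.9
[USG6000V1-nat-address-group-mobile_pool]section 1 21.0.0.11 21.0.0.254
[USG6000V1]nat server telecom_server global 12.0.0.2 inside 10.0.3.10 protocol tcp
[USG6000V1]nat server mobile_server global 21.0.0.2 inside 10.0.3.10 protocol tcp
[USG6000V1]nat server global_dns global 12.0.0.100 inside 10.0.3.10 protocol tcp
[USG6000V1]nat server global_dns2 global 21.0.0.100 inside 10.0.3.10 protocol tcp
"""

PROMPT = re.compile(r"^\[[^\]]*\]")  # strips the [USG6000V1-...] prompt

def parse(text):
    """Collect interface addresses, pool sections and nat server global addresses."""
    iface_ips, pools, servers, pool = [], {}, {}, None
    for raw in text.strip().splitlines():
        cmd = PROMPT.sub("", raw).split()
        if cmd[:2] == ["ip", "address"]:
            iface_ips.append(ipaddress.ip_address(cmd[2]))
        elif cmd[:2] == ["nat", "address-group"]:
            pool = pools.setdefault(cmd[2], [])
        elif cmd[0] == "section" and pool is not None:
            pool.append((ipaddress.ip_address(cmd[2]), ipaddress.ip_address(cmd[3])))
        elif cmd[:2] == ["nat", "server"]:
            servers[cmd[2]] = ipaddress.ip_address(cmd[cmd.index("global") + 1])
    return iface_ips, pools, servers

def find_conflicts(text, reserved=()):
    """(pool, address, owner) for each pool address that is also an interface, a nat server global or reserved."""
    iface_ips, pools, servers = parse(text)
    claimed = {ip: "interface" for ip in iface_ips}
    claimed.update({ip: f"nat server {name}" for name, ip in servers.items()})
    claimed.update({ipaddress.ip_address(r): "reserved" for r in reserved})
    return [(pool, str(ip), owner)
            for pool, sections in pools.items()
            for start, end in sections
            for ip, owner in sorted(claimed.items())
            if start <= ip <= end]
```

Run against the lab's values, the reserved addresses 12.0.0.10 and 21.0.0.10 are correctly excluded, but both pools still contain the firewall's own interface address and the global addresses later published with `nat server`; a practitioner would carve those out of the sections (or add further reservations) before deploying.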

Phase 6: Guest Zone Mobile-Only Access

Guest Zone Configuration

Create dedicated guest zone and assign interface:

[USG6000V1]firewall zone name guest
[USG6000V1-zone-guest]set priority 20
[USG6000V1-zone-guest]quit

[USG6000V1]interface GigabitEthernet 1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip address 10.0.4.1 24
[USG6000V1-GigabitEthernet1/0/3]quit

[USG6000V1]firewall zone guest
[USG6000V1-zone-guest]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-guest]quit

Guest Zone NAT Policy (Mobile Only)

Configure NAT to restrict guest traffic to mobile ISP only:

[USG6000V1]nat policy interzone guest mobile outbound
[USG6000V1-nat-policy-interzone-guest-mobile-outbound]policy 1
[USG6000V1-nat-policy-interzone-guest-mobile-outbound-policy-1]action source-nat
[USG6000V1-nat-policy-interzone-guest-mobile-outbound-policy-1]policy source 10.0.4.0 255.255.255.0
[USG6000V1-nat-policy-interzone-guest-mobile-outbound-policy-1]address-group mobile_pool
[USG6000V1-nat-policy-interzone-guest-mobile-outbound-policy-1]quit

Guest Zone Security Policy

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name guest_to_mobile
[USG6000V1-policy-security-rule-guest_to_mobile]source-zone guest
[USG6000V1-policy-security-rule-guest_to_mobile]destination-zone mobile
[USG6000V1-policy-security-rule-guest_to_mobile]action permit
[USG6000V1-policy-security-rule-guest_to_mobile]quit

[USG6000V1-policy-security]rule name deny_guest_to_telecom
[USG6000V1-policy-security-rule-deny_guest_to_telecom]source-zone guest
[USG6000V1-policy-security-rule-deny_guest_to_telecom]destination-zone telecom
[USG6000V1-policy-security-rule-deny_guest_to_telecom]action deny
[USG6000V1-policy-security-rule-deny_guest_to_telecom]quit

Verification Commands

[USG6000V1]display ip interface brief
[USG6000V1]display zone
[USG6000V1]display nat policy
[USG6000V1]display nat server
[USG6000V1]display security-policy rule all
[USG6000V1]display link-load-balance steering
[USG6000V1]display policy-based-route

Expected Results

Test Scenario                    Expected Outcome
Office users internet access     Traffic distributed between Telecom and Mobile links
DMZ HTTP access from external    Accessible via both 12.0.0.2 and 21.0.0.2
Host 10.0.2.10 internet access   Routes exclusively through Telecom link
Domain-based server access       Resolves correctly from both internal and external networks
Guest zone internet access       Traffic only permitted through Mobile link

Tags: Firewall
