NAT Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Service (source dated 6 3 2014)

Contents

1 NAT Configuration
  1.1 NAT Overview
  1.2 NAT Features Supported by the AR1200
  1.3 Configuring NAT
      Establishing the Configuration Task
      Configuring an Address Pool
      Associating an ACL with an Address Pool
      Configuring Easy IP
      Configuring an Internal Server
      Configuring Static NAT
      Enabling NAT ALG
      Configuring NAT Filtering
      Configuring NAT Mapping
      Configuring DNS Mapping
      Configuring Twice NAT
      Configuring NAT Log Output
      Checking the Configuration
  1.4 Configuration Examples
      Example for Configuring Static NAT
      Example for Configuring the NAT Server
      Example for Configuring Outbound NAT
      Example for Configuring Twice NAT

1 NAT Configuration

Network Address Translation (NAT) translates private addresses into public addresses. It conserves IPv4 addresses and hides the private network's internal addressing, and therefore its topology, from the public network. Hiding addresses is not access control: NAT complements, but does not replace, firewall and ACL policy.

1.1 NAT Overview: NAT enables hosts on a private network to access the public network.
1.2 NAT Features Supported by the AR1200: the AR1200 supports static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.
1.3 Configuring NAT: to connect a private network to the public network through NAT, use Easy IP when the only public address is that of the outbound interface, and an address pool when several public addresses are available for multiple users.
1.4 Configuration Examples: several NAT configuration examples.

1.1 NAT Overview

NAT enables hosts on a private network to access the public network.

Private Network Address and Public Network Address

A private network address (private address) is an IP address used inside an internal network or by an internal host. A public network address (public address) is an IP address that is unique on the Internet.
The Internet Assigned Numbers Authority (IANA) defines the following address blocks as private addresses:
  Class A:
  Class B:
  Class C:

After planning the scale of the intranet, an enterprise chooses a private address block of suitable size. The private address blocks of different enterprises may overlap, because private addresses are never routed on the Internet. If an intranet instead uses addresses outside the defined private blocks, those addresses can collide with the public hosts that legitimately hold them, and communication with other networks may fail.

Principle of NAT

As shown in Figure 1, a host's private address must be translated when the host accesses the Internet or communicates with hosts on a public network.

Figure 1 Networking of NAT

The private network uses the network segment and public address shown in Figure 1. A host on the private network accesses a web server on the public network: it sends a packet with source port 6084 and destination port 80. After translation, the packet's source address/port becomes the public address with port 32814, while the destination address/port is unchanged. The AR1200 records the translation in a mapping table of addresses and ports. When the web server replies, the AR1200 looks up the reply's destination address/port in that table and translates it back to the host's private address and port 6084. In this way the host on the private network reaches the server on the public network, and the server only ever sees the public address.

1.2 NAT Features Supported by the AR1200

The AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

Static NAT

Static NAT maps one private address to one public address, so the number of public addresses equals the number of private addresses. Static NAT does not conserve public addresses, but it does hide the private address of the host. When a packet travels from the private network to the public network, static NAT translates its source IP address to the public address; when the public network replies, static NAT translates the response's destination IP address back to the private address.

PAT

Port address translation (PAT), also called network address port translation (NAPT), maps multiple private addresses to a single public address and therefore conserves public addresses. PAT translates the source IP addresses of packets from hosts on the private network to the same public address and gives each connection a distinct translated source port, so that the hosts can share the public address.
PAT keeps a mapping table of private address/port to public address/port. Before packets from different private addresses leave for the public network, the PAT-enabled device replaces their source addresses with the same public address and their source ports with distinct port numbers. When response packets return from the public network, the PAT-enabled device uses the destination port to find the table entry and translates the destination IP address and port back to the private address and port. Figure 1 shows how PAT translates IP addresses and port numbers.

Figure 1 PAT working process

Internal Server

NAT hides internal hosts, but in practice users on the public network sometimes need to reach them, for example a web server or a File Transfer Protocol (FTP) server. NAT lets you choose the public addresses of internal servers flexibly: a web server can be published on a public address alone or on a public address and port such as :8080, and an FTP server on another public address. Several servers (for example several web servers) can be published to external users. You configure an internal server by mapping a public address and port to the server's private address and port; hosts on the public network then reach the server through the public address.

NAT Mapping

NAT conserves IPv4 addresses and hides internal addressing. NAT implementations differ between vendors, so applications that use Simple Traversal of UDP through NAT (STUN), Traversal Using Relay NAT (TURN), and Interactive Connectivity Establishment (ICE), which are commonly used with SIP proxies, may fail to traverse some vendors' NAT devices. NAT mapping controls how port mappings are reused so that these applications can traverse the NAT device.
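The PAT mapping table described above, together with the NAT mapping and NAT filtering modes that the Configuring NAT Mapping and Configuring NAT Filtering procedures later define, as an added Python model. This is example code, not part of the original page or of the AR1200's software. The public address 203.0.113.10, the inside hosts, the external servers and the port range starting at 32814 are constructed values chosen to echo the page's 6084/32814 example; the AR1200's real port-allocation policy is not documented on this page and is not modelled.

```python
"""PAT (NAPT) translator with selectable NAT mapping and NAT filtering modes.

Added example for this page, not AR1200 code. The mode names follow the page's
nat mapping-mode / nat filter-mode terminology (the RFC 4787 behaviours); the
public address, port range and sample traffic are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

MODES = ("endpoint-independent", "address-dependent", "address-and-port-dependent")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


@dataclass
class Mapping:
    inside: Endpoint            # private ip:port behind this public port
    public_port: int
    peers: Set[Endpoint] = field(default_factory=set)  # external endpoints reached through it


class PatTranslator:
    def __init__(self, public_ip: str, mapping_mode: str = "address-and-port-dependent",
                 filter_mode: str = "address-and-port-dependent", first_port: int = 32814):
        if mapping_mode not in MODES or filter_mode not in MODES:
            raise ValueError("unknown NAT mode")
        self.public_ip = public_ip
        self.mapping_mode = mapping_mode
        self.filter_mode = filter_mode
        self.next_port = first_port          # assumption: sequential allocation
        self.by_key: Dict[tuple, Mapping] = {}               # outbound lookup
        self.by_port: Dict[Tuple[str, int], Mapping] = {}    # inbound lookup

    def _mapping_key(self, pkt: Packet) -> tuple:
        # The mapping mode decides when an existing inside ip:port -> public port
        # binding is reused: for any destination, for the same destination
        # address, or only for the same destination address and port.
        if self.mapping_mode == "endpoint-independent":
            return (pkt.proto, pkt.src)
        if self.mapping_mode == "address-dependent":
            return (pkt.proto, pkt.src, pkt.dst[0])
        return (pkt.proto, pkt.src, pkt.dst)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source, creating a mapping if needed."""
        key = self._mapping_key(pkt)
        m = self.by_key.get(key)
        if m is None:
            if self.next_port > 65535:
                raise RuntimeError("public port range exhausted")
            m = Mapping(pkt.src, self.next_port)
            self.next_port += 1
            self.by_key[key] = m
            self.by_port[(pkt.proto, m.public_port)] = m
        m.peers.add(pkt.dst)
        return Packet(pkt.proto, (self.public_ip, m.public_port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: return the translated packet, or None if filtered."""
        if pkt.dst[0] != self.public_ip:
            return None
        m = self.by_port.get((pkt.proto, pkt.dst[1]))
        if m is None:
            return None  # no mapping: unsolicited traffic never reaches the inside
        if self.filter_mode == "address-and-port-dependent" and pkt.src not in m.peers:
            return None
        if self.filter_mode == "address-dependent" and pkt.src[0] not in {ip for ip, _ in m.peers}:
            return None
        return Packet(pkt.proto, pkt.src, m.inside)


def demo() -> dict:
    """Replay the page's web access and contrast the default modes with a 'full cone'."""
    out = {}
    nat = PatTranslator("203.0.113.10")  # AR1200 defaults: address-and-port-dependent
    req = nat.outbound(Packet("tcp", ("192.168.1.10", 6084), ("198.51.100.80", 80)))
    out["translated_src"] = req.src                      # public address, port 32814
    resp = nat.inbound(Packet("tcp", ("198.51.100.80", 80), req.src))
    out["response_dst"] = resp.dst                       # back to 192.168.1.10:6084
    req2 = nat.outbound(Packet("tcp", ("192.168.1.11", 6084), ("198.51.100.80", 80)))
    out["second_port"] = req2.src[1]                     # second host shares the IP, new port
    out["scan_dropped"] = nat.inbound(Packet("tcp", ("192.0.2.1", 4444), req.src)) is None
    # Endpoint-independent mapping and filtering: what STUN/ICE applications want,
    # and also what lets any Internet host reach the mapped port.
    cone = PatTranslator("203.0.113.10", "endpoint-independent", "endpoint-independent")
    a = cone.outbound(Packet("udp", ("192.168.1.20", 5060), ("198.51.100.5", 5060)))
    b = cone.outbound(Packet("udp", ("192.168.1.20", 5060), ("198.51.100.6", 5060)))
    out["cone_same_port"] = a.src == b.src
    out["cone_unsolicited_allowed"] = cone.inbound(Packet("udp", ("192.0.2.1", 4444), a.src)) is not None
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model makes the security trade-off visible: with the AR1200 defaults a port scan against a mapped public port is dropped because the scanner is not a recorded peer, whereas with endpoint-independent mapping and filtering the same mapped port answers any external host for as long as the mapping lives.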

NAT Filtering

A NAT device filters traffic from the external network to the internal network. After an internal host sends a request to an external host, the external host's return traffic is admitted; the NAT device filters inbound traffic to the internal host according to which external endpoints the internal host has contacted. Because no mapping exists for unsolicited traffic, inbound connections that no internal host asked for are dropped.

Easy IP

Easy IP uses the public IP address of the outbound interface as the source address after translation, and uses an Access Control List (ACL) to select which private addresses are translated.

NAT ALG

Some protocols are sensitive to NAT and cannot work without special handling, because their packets carry IP addresses and/or port numbers in the payload, which plain NAT does not rewrite. The NAT Application Level Gateway (ALG) lets such protocols traverse the NAT device by rewriting the addresses and ports inside the payload as well, so that the protocol exchange is relayed transparently. The NAT ALG of the AR1200 supports the Domain Name System (DNS), FTP, Real-Time Streaming Protocol (RTSP) and Session Initiation Protocol (SIP).

Twice NAT

Basic NAT translates only the source or the destination address of a packet; twice NAT translates both. Twice NAT is used when addresses on the private network overlap with addresses on the public network. As shown in Figure 2, PC1 on the private network has the same IP address as PC3 on the public network. If PC2 on the private network sends a packet to PC3's address, the packet is delivered to PC1 instead. Twice NAT translates the overlapping address into a unique temporary address, using the mapping between the overlapping address pool and the temporary address pool, while basic NAT translates the private source address; packets are then forwarded correctly.

Figure 2 Networking of twice NAT

You can configure twice NAT on the AR1200 as follows:

1. Configure basic NAT (many-to-many NAT): configure a NAT address pool containing the public IP addresses from to , and apply it to the interface connecting to the WAN.
2. Configure the mapping from overlapping addresses to temporary addresses: the overlapping address pool maps one-to-one onto a temporary address pool of the same length. The translation rules are:
     Temporary address = Start IP address of the temporary address pool + (Overlapping IP address - Start IP address of the overlapping address pool)
     Overlapping address = Start IP address of the overlapping address pool + (Temporary IP address - Start IP address of the temporary address pool)

When PC2 on the private network accesses PC3 on the public network by domain name, packets are processed as follows:

1. PC2 sends a DNS request to resolve the web server's domain name. When the DNS server's response reaches the AR1200, the AR1200 inspects the address carried in the response payload and finds that it is an overlapping address (it lies in the overlapping address pool). The AR1200 rewrites that address to the corresponding temporary address, translates the destination address of the response using basic NAT, and forwards the response to PC2.
2. PC2 sends its request to the temporary address. When the packet reaches the AR1200, the AR1200 translates the source address using basic NAT and translates the destination address (the temporary address) back to the overlapping address.
3. The AR1200 sends the packet out of the WAN-side interface, and it is forwarded hop by hop to PC3.
4. When PC3's reply to PC2 reaches the AR1200, the AR1200 finds that the source address is an overlapping address (it lies in the overlapping address pool), translates it to the temporary address, translates the destination address using basic NAT, and sends the packet to PC2.

Source Address Associated with the VPN Before NAT Is Performed

The NAT-enabled AR1200 allows users on private networks to access the public network, and allows users in different VPNs to reach the public network through the same egress. Users in different VPNs may even hold the same IP address and still access the public network.

NAT Server Associated with VPNs

The NAT-enabled AR1200 can associate the NAT server with VPNs, allowing users on the public network to access hosts inside the VPNs. This is useful when the IP addresses of multiple VPNs overlap.

1.3 Configuring NAT

To connect a private network to the public network through NAT, use Easy IP when the only public address is that of the outbound interface, and an address pool when several public addresses are available for multiple users.

Establishing the Configuration Task: before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Configuring an Address Pool: configure a NAT address pool when multiple users on the private network need to access the public network.

Associating an ACL with an Address Pool: network administrators use ACLs to control which users may reach public networks through NAT.

Configuring Easy IP: Easy IP uses an interface IP address as the source address of packets matching an ACL.

Configuring an Internal Server: placing a server on the private network and publishing it through NAT hides the server's real address from the public network. Users on both the private and public networks can access the server.

Configuring Static NAT: static NAT maps a private address to a public address. It does not conserve public addresses but hides the private address.

Enabling NAT ALG: protocols that carry addresses or ports in their payload break when NAT rewrites only the IP header. The NAT ALG function rewrites the payload too, so these protocols are translated correctly.

Configuring NAT Filtering: a NAT device filters traffic from the external network to the internal network. After an internal host sends a request to an external host, the external host's traffic to the internal host is admitted subject to the configured filtering mode.

Configuring NAT Mapping: NAT mapping allows applications using STUN, TURN, and ICE to traverse the NAT device.

Configuring DNS Mapping: a private network may host several servers, such as FTP and web servers, without a DNS server of its own. If hosts on the private network need to reach those servers by domain name, configure DNS mapping.

Configuring Twice NAT: twice NAT translates both the source and destination IP addresses of a packet. It is used when the IP addresses of internal and external hosts overlap.

Configuring NAT Log Output: NAT log output makes the AR1200 record the NAT session table in real time. NAT logs let you identify which internal user was behind a given translated address and port, which is the information an investigation needs once NAT has removed the original source from the packets seen outside.
Checking the Configuration: after NAT is configured, you can view information about NAT.

Establishing the Configuration Task

Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

NAT must be configured on the device at the boundary between the private network and the public network, since that is where private and public addresses can be translated.

Pre-configuration Tasks

Before configuring NAT, complete the following task:
  Create a basic ACL or an advanced ACL and configure its rules.

Data Preparation

To configure NAT, you need the following data.

  No.  Data
  1    Number of the public address pool, start IP address, and end IP address
  2    Number of the basic ACL or advanced ACL
  3    Internal server information: protocol type, public address, public port number, private address (optionally with VPN instance), and (optional) private port number
  4    Static NAT information: protocol type, public address, public port number, private address (optionally with VPN instance), (optional) private port number, and subnet mask
  5    Index of the overlapping address pool and temporary address pool, start IP addresses, address pool length, and (optional) VPN instance
  6    Domain name, public address, and public port number

Configuring an Address Pool

Configure a NAT address pool when multiple users on the private network need to access the public network.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     nat address-group group-index start-address end-address

   A public address pool is configured. A public address pool is a set of public addresses; when translating packets from the private network, the AR1200 selects an address from the pool as the new source address. Address pool indexes are numerals, and up to 8 address pools can be configured. By default, no public address pool is configured on the AR1200.

Associating an ACL with an Address Pool

Network administrators use ACLs to control which users may reach public networks through NAT.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     interface interface-type interface-number
   The interface view is displayed.
3. Run:
     nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]
   An ACL is associated with an address pool. Afterwards the AR1200 translates the source addresses of packets matching the ACL to an address from the pool; packets that match no permit rule are not translated. Several translation entries can be configured on one interface. The keyword no-pat selects one-to-one NAT: only the IP address is translated and the port number is left unchanged, so a pool of N addresses can serve at most N internal hosts at a time.

Configuring Easy IP

Easy IP uses an interface IP address as the source address of packets matching an ACL.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     interface interface-type interface-number
   The interface view is displayed.
3. Run:
     nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]
   Easy IP is configured. When no address-group is given, the IP address of the current interface is used as the translated source address; with interface loopback, the address of the specified loopback interface is used.

Configuring an Internal Server

Placing a server on the private network and publishing it through NAT hides the server's real address from the public network. Users on both the private and public networks can access the server. The published public port remains directly reachable from the Internet, so harden the service and, where it is not meant to be world-reachable, restrict the permitted clients with the acl parameter.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     interface interface-type interface-number
   The interface view is displayed.
3. Run one of:
     nat server protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
     nat server protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
     nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
   An internal server is configured and users on the public network can reach it. When a host on the public network sends a connection request to the server's public address (global-address), NAT translates the destination address to the private address (host-address) and the AR1200 forwards the request to the server.

NOTE: When configuring an internal server, ensure that global-address and host-address differ from interface IP addresses and from addresses in the user address pool.

Configuring Static NAT

Static NAT maps a private address to a public address. It does not conserve public addresses but hides the private address.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     interface interface-type interface-number
   The interface view is displayed.
3. Run one of:
     nat static protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
     nat static protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
     nat static [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
   Static NAT is configured.

NOTE: When configuring static NAT, ensure that global-address and host-address differ from interface IP addresses and from addresses in the user address pool. A static mapping without protocol and port exposes every port of host-address at global-address, so pair it with an ACL or a firewall policy.

Enabling NAT ALG

Protocols that carry addresses or ports in their payload break when NAT rewrites only the IP header. The NAT ALG function rewrites the payload too, so these protocols are translated correctly.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     nat alg { all | dns | ftp | rtsp | sip } enable
   NAT ALG is enabled for the selected application protocol, whose packets can then traverse the NAT device; without the ALG the protocol does not work through NAT. The keyword all enables NAT traversal for DNS, FTP, SIP and RTSP together. Enable only the ALGs you need: each one parses untrusted payload on the NAT device and rewrites traffic on its behalf.

Configuring NAT Filtering

A NAT device filters traffic from the external network to the internal network. After an internal host sends a request to an external host, the external host's traffic to the internal host is admitted subject to the configured filtering mode.

Context

NAT filtering has the following modes:
  Endpoint-independent filtering: any external host may send to a mapped public address and port.
  Address-dependent filtering: only external addresses that the internal host has sent to may send back, from any port.
  Address and port-dependent filtering: only the external address and port that the internal host has sent to may send back.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }
   The NAT filtering mode is set. NAT filtering applies to traffic from the external network to the internal network. The default mode is endpoint-and-port-dependent; in this mode the system uses the source IP address, source port, destination IP address, destination port, and protocol number as the key when searching the NAT mapping table. Relaxing the mode to endpoint-independent lets any Internet host send packets through an existing mapping, so do so only where an application requires it.

Configuring NAT Mapping

NAT mapping allows applications using STUN, TURN, and ICE to traverse the NAT device.

Context

NAT mapping has the following modes:
  Endpoint-independent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  Address-dependent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address, regardless of the external port.
  Address and port-dependent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     nat mapping-mode endpoint-independent [ tcp | udp ] [ dest-port port-number ]
   The NAT mapping mode is set. NAT mapping applies to traffic from the internal network to the external network. The default mode is address and port-dependent mapping; this command switches the selected protocol (optionally only for the given destination port) to endpoint-independent mapping, which STUN-based applications rely on to learn a stable public address and port.

Configuring DNS Mapping

A private network may host several servers, such as FTP and web servers, without a DNS server of its own. If hosts on the private network need to reach those servers by domain name, configure DNS mapping.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     nat dns-map domain-name global-address global-port { tcp | udp }
   A mapping from a domain name to a public IP address, port number and protocol is configured. Up to 32 mapping entries can be configured on the AR1200.
3. Run:
     nat alg { all | dns | ftp | rtsp | sip } enable
   NAT ALG is enabled for DNS.

CAUTION: With the DNS ALG enabled, hosts on the private network reach servers on the private network through the external DNS server: the public address in the external DNS reply is rewritten to the server's private address according to the DNS mapping.

Configuring Twice NAT

Twice NAT translates both the source and destination IP addresses of a packet. It is used when the IP addresses of internal and external hosts overlap.

Context

When the IP addresses of internal and external hosts overlap, configure the mapping between the overlapping address pool and the temporary address pool. The overlapping address is then translated to a unique temporary address and packets are forwarded correctly. In addition, configure outbound NAT, which twice NAT relies on for the source address translation.

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-insta
   Twice NAT is configured. The overlapping address pool and the temporary address pool consist of consecutive IP addresses, have the same length, and each may contain up to 255 IP addresses. Up to 8 mappings between overlapping and temporary address pools can be configured.

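The two translation rules of twice NAT (temporary address from overlapping address and back), as an added Python example that is not from the page or from Huawei. The overlapping pool starting at 192.168.1.0 with length 200, mapped onto the temporary pool starting at 10.99.0.0, is a constructed configuration standing in for the values missing from the transcription; dns_response_rewrite models only the first step of the flow described under Twice NAT, the rewrite of the address carried in the DNS answer.

```python
"""Twice NAT address arithmetic from the page's translation rules.

Added example for this page, not AR1200 code. Pool addresses and lengths below
are constructed assumptions; the two rules and the 255-address pool limit are
taken from the page.
"""
from ipaddress import IPv4Address
from typing import Optional


class OverlapMap:
    """One overlapping pool -> temporary pool mapping (one nat overlap-address entry)."""

    MAX_POOL = 255  # page: up to 255 addresses in each pool

    def __init__(self, overlap_start: str, temp_start: str, pool_length: int):
        if not 1 <= pool_length <= self.MAX_POOL:
            raise ValueError("pool-length must be 1..255")
        self.overlap_start = IPv4Address(overlap_start)
        self.temp_start = IPv4Address(temp_start)
        self.length = pool_length
        # Both pools are consecutive ranges of equal length. If the temporary pool
        # overlapped the overlapping pool, the reverse rule would be ambiguous.
        o = (int(self.overlap_start), int(self.overlap_start) + pool_length - 1)
        t = (int(self.temp_start), int(self.temp_start) + pool_length - 1)
        if o[0] <= t[1] and t[0] <= o[1]:
            raise ValueError("temporary pool overlaps the overlapping pool")

    def _in_pool(self, addr: IPv4Address, start: IPv4Address) -> bool:
        return 0 <= int(addr) - int(start) < self.length

    def to_temporary(self, overlap_ip: str) -> Optional[str]:
        """Temporary address = temp start + (overlapping address - overlap start)."""
        a = IPv4Address(overlap_ip)
        if not self._in_pool(a, self.overlap_start):
            return None  # not an overlapping address: twice NAT leaves it alone
        return str(self.temp_start + (int(a) - int(self.overlap_start)))

    def to_overlapping(self, temp_ip: str) -> Optional[str]:
        """Overlapping address = overlap start + (temporary address - temp start)."""
        a = IPv4Address(temp_ip)
        if not self._in_pool(a, self.temp_start):
            return None
        return str(self.overlap_start + (int(a) - int(self.temp_start)))


def dns_response_rewrite(m: OverlapMap, resolved_ip: str) -> str:
    """Step 1 of the page's flow: if the DNS answer is an overlapping address,
    PC2 is handed the temporary address instead; other answers pass unchanged."""
    temp = m.to_temporary(resolved_ip)
    return temp if temp is not None else resolved_ip


def demo() -> dict:
    # Constructed: PC3 (and, inside, PC1) live in 192.168.1.0/24, which collides
    # with the private network, so 200 of those addresses are mapped onto 10.99.0.x.
    m = OverlapMap("192.168.1.0", "10.99.0.0", 200)
    return {
        "pc3_temp": dns_response_rewrite(m, "192.168.1.30"),        # 10.99.0.30
        "round_trip": m.to_overlapping("10.99.0.30"),               # 192.168.1.30
        "outside_pool": m.to_temporary("192.168.1.250"),            # None: past length 200
        "non_overlap_answer": dns_response_rewrite(m, "198.51.100.7"),  # unchanged
    }


if __name__ == "__main__":
    print(demo())
```

Note that an address beyond pool-length is not translated at all: if the overlapping public network is larger than the configured pool, traffic to its upper addresses is still misdelivered to the inside host holding that address, so size pool-length to the whole overlapping range (up to the 255 limit per mapping, using several mappings if needed).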
When the VPN instance referenced in the NAT mapping is deleted, the twice NAT configuration is deleted with it.

Configuring NAT Log Output

NAT log output makes the AR1200 record the NAT session table in real time. NAT logs let you identify which internal user was behind a given translated address and port.

Context

NAT logs are generated when the AR1200 performs address translation. Each log records the original source IP address and port, the destination IP address and port, the translated source IP address and port, the user action and a time stamp. Because hosts outside the NAT only ever see the translated address and port, these logs are what lets you attribute outbound traffic to an internal host after the fact; keep the device's clock synchronized so that the time stamps can be correlated with other logs. The AR1200 can send NAT logs to a specified log host, as shown in Figure 1.

Figure 1 Sending NAT logs to a specified log host

Procedure

1. Run:
     system-view
   The system view is displayed.
2. Run:
     firewall log session enable
   The firewall log function is enabled.
3. Run:
     firewall log session nat enable
   The NAT session log function is enabled.
4. Run:
     info-center enable
   The information center is enabled.
5. Run:
     info-center loghost ip-address [ channel { channel-number | channel-name } facility local-number { language language-name
   The channel through which logs are sent to the log host is configured. The AR1200 supports up to eight log hosts, which provides backup among log hosts.

NOTE: For details on how to configure the AR1200 to send logs to a log host, see Example for Outputting Log Information to a Log Host in "Information Center Configuration" of the Huawei AR1200 Series Enterprise Routers Configuration Guide - Device Management.

Checking the Configuration

After NAT is configured, you can view information about NAT.

  Run the display nat alg command to check whether the NAT ALG function is enabled.
  Run the display nat address-group [ group-index ] [ verbose ] command to check the NAT address pool configuration.
  Run the display nat dns-map [ domain-name ] command to check DNS mapping information.
  Run the display nat outbound [ acl acl-number | address-group group-index | interface { Ethernet | GigabitEthernet } interface-number.subnumber ] command to check outbound NAT information.
  Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check twice NAT information.
  Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the NAT server configuration.
  Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the static NAT configuration.
  Run the display nat mapping table { all | number } command to view the NAT mapping table or the number of entries in it.

1.4 Configuration Examples

This section provides several configuration examples of NAT:
  Example for Configuring Static NAT
  Example for Configuring the NAT Server
  Example for Configuring Outbound NAT
  Example for Configuring Twice NAT

Example for Configuring Static NAT

Networking Requirements

As shown in Figure 1, a company's internal web server must provide services to external users. The web server's private address, its public address (in a /24) and the address of the carrier device connected to the router (also in a /24) are shown in the figure. External users must reach the internal server through its public address.

Figure 1 Networking diagram for configuring static NAT

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for the interfaces and configure static NAT on the WAN-side interface so that external users can reach the internal server.
2. Configure a default route.

Procedure

1. Configure IP addresses for the interfaces and configure static NAT on the router.
     <Huawei> system-view
     [Huawei] vlan 100
     [Huawei-vlan100] quit
     [Huawei] interface vlanif 100
     [Huawei-Vlanif100] ip address
     [Huawei-Vlanif100] quit
     [Huawei] interface ethernet 2/0/0
     [Huawei-Ethernet2/0/0] port link-type access
     [Huawei-Ethernet2/0/0] port default vlan 100
     [Huawei-Ethernet2/0/0] quit
     [Huawei] interface gigabitethernet 3/0/0
     [Huawei-GigabitEthernet3/0/0] ip address
     [Huawei-GigabitEthernet3/0/0] nat static global inside
     [Huawei-GigabitEthernet3/0/0] quit
2. Configure a default route whose next hop is the carrier device.
     [Huawei] ip route-static
3. Verify the configuration.
   Run the display nat static command on the router. The command output is as follows:
     [Huawei] display nat static
       Static Nat Information:
       Interface : GigabitEthernet3/0/0
         Global IP/Port     : /----
         Inside IP/Port     : /----
         Protocol           : ----
         VPN instance-name  : ----
         Acl number         : ----
         Netmask            :
         Description        : ----
       Total : 1
   Verify that external users can access the server.

Configuration Files

   vlan batch 100

  interface Vlanif100
   ip address

  interface Ethernet2/0/0
   port link-type access
   port default vlan 100

  interface GigabitEthernet3/0/0
   ip address
   nat static global inside

  ip route-static

  return

Example for Configuring the NAT Server

Networking Requirements

As shown in Figure 1, a company connects to the wide area network (WAN) through an AR1200 with network address translation (NAT) enabled. The company publishes a web server and an FTP server to users on the public network. The web server listens on private port 8080 and is published on a public address in a /24; the FTP server has its own private address and public address, both in /24 networks; and the AR1200 interface connected to the carrier device has a /24 address. The values are shown in the figure.

Figure 1 Network diagram for configuring the NAT server

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for the interfaces and configure the NAT servers on the WAN-side interface so that external users can reach the internal servers.
2. Configure a default route.
3. Enable the FTP NAT ALG so that FTP sessions from external clients work through the NAT server mapping (FTP carries addresses and ports in its payload).

Procedure

1. Configure IP addresses for the interfaces on the AR1200 and configure the NAT servers on the WAN-side interface.
     <Huawei> system-view
     [Huawei] vlan 100
     [Huawei-vlan100] quit
     [Huawei] interface vlanif 100
     [Huawei-Vlanif100] ip address
     [Huawei-Vlanif100] quit
     [Huawei] interface Ethernet 0/0/0
     [Huawei-Ethernet0/0/0] port link-type access
     [Huawei-Ethernet0/0/0] port default vlan 100
     [Huawei-Ethernet0/0/0] quit
     [Huawei] vlan 200
     [Huawei-vlan200] quit
     [Huawei] interface vlanif 200
     [Huawei-Vlanif200] ip address
     [Huawei-Vlanif200] quit
     [Huawei] interface Ethernet 0/0/1
     [Huawei-Ethernet0/0/1] port link-type access
     [Huawei-Ethernet0/0/1] port default vlan 200
     [Huawei-Ethernet0/0/1] quit
     [Huawei] interface ethernet 2/0/0
     [Huawei-Ethernet2/0/0] ip address
     [Huawei-Ethernet2/0/0] nat server protocol tcp global www inside
     [Huawei-Ethernet2/0/0] nat server protocol tcp global ftp inside ftp
     [Huawei-Ethernet2/0/0] quit
2. On the AR1200, configure a static route whose next hop is the carrier device.
     [Huawei] ip route-static
3. Enable the NAT ALG function for FTP packets on the AR1200.

11 [Huawei] nat alg ftp enable 4. Verify the configuration. Run the display nat server command on the AR1200 to view the NAT server configuration. [Huawei] display nat server Nat Server Information: Interface : Ethernet2/0/0 Global IP/Port : /80(www) Inside IP/Port : /8080 Protocol : 6(tcp) VPN instance-name : ---- Acl number : ---- Global IP/Port : /21(ftp) Inside IP/Port : /21(ftp) Protocol : 6(tcp) VPN instance-name : ---- Acl number : ---- Total : 2 Run the display nat alg command on the AR1200, and the command output is as follows: [Huawei] display nat alg NAT Application Level Gateway Information: Application Status dns Disabled ftp Enabled rtsp Disabled sip Disabled Configuration Files Verify that external users can access the web server and FTP server. vlan batch nat alg ftp enable interface Vlanif100 ip address interface Vlanif200 ip address interface Ethernet0/0/0 port link-type access port default vlan 100 interface Ethernet0/0/1 port link-type access port default vlan 200 interface Ethernet2/0/1 ip address nat server protocol tcp global www inside nat server protocol tcp global ftp inside ftp ip route-static Ethernet 2/0/0 return Parent topic: Configuration Examples Example for Configuring Outbound NAT Networking Requirements As shown in Figure 1, the intranet of area A is connected to the wide area network (WAN) through the AR1200. The network address translation (NAT) function is enabled on the AR1200. To ensure the security of company A's intranet, you need to use the IP addresses in the public address pool ( ) to replace the host addresses of area A on the network segment /24. The hosts of area A then can access servers on the WAN. The intranet of area B is also connected to the WAN through the AR1200. Only a few public IP addresses are allocated to area B. 
To save the public IP addresses and improve the security of company B's intranet, you need to use the IP addresses in the public address pool ( ) to replace the host addresses of area B on the network segment /24. The hosts of company B then can access servers on the WAN. On the AR1200, the public address of Ethernet2/0/0 on the AR1200 is /24 and the interface address of the AR1200 connected to the carrier device is /24. Figure 1 Network diagram for configuring outbound NAT 11/15
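Before the outbound NAT procedure, a closer look at the nat alg ftp enable command from step 3 of the NAT server example above, since it is what makes the published FTP server usable: the nat server mapping rewrites IP headers, but FTP sends addresses and ports inside its control channel, so a 227 reply to PASV would otherwise hand external clients the server's private address. The following Python model is added here as an illustration of what the ALG does and is not code from the AR1200 or its documentation; the inside address 10.1.1.2 and global address 203.0.113.10 are assumed test values standing in for the addresses of this example.

```python
import re

# Constructed test addresses, not the ones in the AR1200 example: the FTP
# server is 10.1.1.2 on the inside and is published as 203.0.113.10.
INSIDE_IP = "10.1.1.2"
GLOBAL_IP = "203.0.113.10"

# "h1,h2,h3,h4,p1,p2" as carried by PORT and by the 227 reply to PASV (RFC 959)
_HP_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# "(|||port|)" as carried by the 229 reply to EPSV (RFC 2428): no address inside
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_hp(fields):
    """Six RFC 959 fields -> (ip, port)."""
    return ".".join(fields[:4]), int(fields[4]) * 256 + int(fields[5])


def format_hp(ip, port):
    """(ip, port) -> six RFC 959 fields."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Model of the FTP ALG beside a static inside<->global 'nat server' mapping.

    The NAT rewrites IP headers only. The ALG rewrites the copy of the inside
    address that FTP puts into the control channel and records the data-port
    pinholes on which the NAT must accept inbound connections.
    """

    def __init__(self, inside_ip, global_ip):
        self.inside_ip = inside_ip
        self.global_ip = global_ip
        self.pinholes = set()  # (global ip, port) pairs open for data connections

    def from_inside(self, line):
        """Rewrite one control-channel line sent by the inside host.

        Handles the 227 reply of an inside server in passive mode and the PORT
        command of an inside client in active mode; both embed the inside
        address. EPSV's 229 reply embeds only a port, so it is left as is but
        still needs a pinhole.
        """
        if line.startswith("227") or line.startswith("PORT"):
            m = _HP_RE.search(line)
            if m:
                ip, port = parse_hp(m.groups())
                if ip == self.inside_ip:
                    self.pinholes.add((self.global_ip, port))
                    return line[:m.start()] + format_hp(self.global_ip, port) + line[m.end():]
            return line
        if line.startswith("229"):
            m = _EPSV_RE.search(line)
            if m:
                self.pinholes.add((self.global_ip, int(m.group(1))))
        return line

    def data_target(self, line):
        """Where a client reading this 227 reply would open its data connection."""
        m = _HP_RE.search(line)
        return parse_hp(m.groups()) if m else None

    def accepts_inbound(self, dst_ip, dst_port):
        """Would the NAT pass an inbound SYN for this address and port to the server?"""
        return (dst_ip, dst_port) in self.pinholes


if __name__ == "__main__":
    alg = FtpAlg(INSIDE_IP, GLOBAL_IP)
    reply = "227 Entering Passive Mode (10,1,1,2,195,80)\r\n"  # port 195*256+80 = 50000
    print("without ALG the client would connect to", alg.data_target(reply))
    rewritten = alg.from_inside(reply)
    print("with ALG the client sees", alg.data_target(rewritten))
    print("pinholes now open:", sorted(alg.pinholes))
```

Two points a practitioner should take from the model: the ALG has to parse application payload, so only the ALGs for protocols actually published should be enabled (the display nat alg output above leaves dns, rtsp and sip disabled), and every data port the ALG announces becomes a pinhole through which the NAT accepts an inbound connection, so the pinholes must be tied to the control session and closed with it rather than left open.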

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure a default route.
3. Configure outbound NAT on the WAN-side interface to allow internal hosts to access external networks.

1. Configure IP addresses for the interfaces of the AR1200.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address
[Huawei-Ethernet2/0/0] quit

2. On the AR1200, configure a static route with the next hop address of the carrier device.
[Huawei] ip route-static

3. Configure outbound NAT on the AR1200. Area A (ACL 2000) uses address-group 1 with no-pat, so each internal host is bound one-to-one to a pool address and only the address is translated; area B (ACL 2001) uses address-group 2 in the default PAT mode, so many hosts share a pool address and source ports are translated as well.
[Huawei] nat address-group
[Huawei] nat address-group
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule 5 permit source
[Huawei-acl-basic-2000] quit
[Huawei] acl 2001
[Huawei-acl-basic-2001] rule 5 permit source
[Huawei-acl-basic-2001] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] nat outbound 2000 address-group 1 no-pat
[Huawei-Ethernet2/0/0] nat outbound 2001 address-group 2
[Huawei-Ethernet2/0/0] quit

4. Verify the configuration.
Run the display nat outbound command on the AR1200. The command output is as follows:
[Huawei] display nat outbound
NAT Outbound Information:
Interface        Acl     Address-group/IP/Interface    Type
Ethernet2/0/0    2000    1                             no-pat
Ethernet2/0/0    2001    2                             pat
Total : 2
Perform the ping operation on the AR1200 to a server on the WAN, once from an address on each internal network segment (-a specifies the source address).
<Huawei> ping -a
PING : 56 data bytes, press CTRL_C to break
Reply from : bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=5 ttl=255 time=1 ms
<Huawei> ping -a
PING : 56 data bytes, press CTRL_C to break
Reply from : bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from : bytes=56 Sequence=5 ttl=255 time=1 ms

Configuration Files
vlan batch
acl number 2000
rule 5 permit source
acl number 2001
rule 5 permit source
interface Vlanif100
ip address
interface Vlanif200
ip address
interface Ethernet0/0/0
port link-type access
port default vlan 100
interface Ethernet0/0/1
port link-type access
port default vlan 200
interface Ethernet2/0/0
ip address
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
nat address-group
nat address-group
ip route-static Ethernet 2/0/0
return

Example for Configuring Twice NAT
Networking Requirements
As shown in Figure 1, the IP address of PC1 on the private network is the same as the IP address of host A on the public network. When PC2 sends a packet to host A, the packet may be forwarded to PC1 instead, because the destination address also exists on the local segment. In addition to ordinary address translation, twice NAT on the AR1200 maps the overlapping address pool to a temporary address pool: the overlapping IP address is translated to a unique temporary address so that packets can be forwarded correctly.
Figure 1 Networking diagram for twice NAT configuration

Configuration Roadmap
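The two nat outbound commands in step 3 differ in what happens to an internal host's source address and port, and that difference decides how the address pools have to be sized. With no-pat (area A) each host is bound one-to-one to a free pool address and only the address is rewritten, so a pool of N addresses serves at most N hosts at a time and further hosts cannot get out until a binding ages out; in the default PAT mode (area B) many hosts share one pool address and the source port is rewritten as well, which is what lets a few public addresses serve a whole segment. The following Python model of the egress-interface lookup is added here as an illustration and is not AR1200 code; the ACLs are written with CIDR prefixes instead of the wildcard masks of rule permit source, and the pools and addresses (RFC 1918 and RFC 5737 ranges) are assumed values standing in for the ones missing from this example.

```python
import ipaddress
from itertools import count


class AddressGroup:
    """nat address-group <id> <start> <end>: a contiguous pool of public addresses."""

    def __init__(self, group_id, start, end):
        self.group_id = group_id
        first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


class BasicAcl:
    """acl 2000-2999 with 'rule permit source' entries (CIDR here instead of wildcard masks)."""

    def __init__(self, number, networks):
        self.number = number
        self.networks = [ipaddress.ip_network(n) for n in networks]

    def permits(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.networks)


class OutboundNat:
    """Model of the nat outbound entries on one egress interface.

    An outbound flow is matched against the entries in order; the first ACL
    that permits its source decides the pool and whether ports are translated.
    """

    PAT_FIRST_PORT = 1024

    def __init__(self):
        self.rules = []               # (acl, address group, no_pat)
        self.nopat_bindings = {}      # inside ip -> pool address, one-to-one
        self.pat_sessions = {}        # (inside ip, inside port, dst) -> (pool address, port)
        self._pat_ports = count(self.PAT_FIRST_PORT)

    def add_rule(self, acl, group, no_pat=False):
        self.rules.append((acl, group, no_pat))

    def translate(self, src_ip, src_port, dst):
        """Return the (public ip, public port) a flow leaves with, or None if it cannot be translated."""
        for acl, group, no_pat in self.rules:
            if acl.permits(src_ip):
                return self._no_pat(src_ip, src_port, group) if no_pat else self._pat(src_ip, src_port, dst, group)
        return None  # no nat outbound entry matches this source

    def _no_pat(self, src_ip, src_port, group):
        if src_ip not in self.nopat_bindings:
            in_use = set(self.nopat_bindings.values())
            free = [a for a in group.addresses if a not in in_use]
            if not free:
                return None  # pool exhausted: the host cannot get out until a binding ages out
            self.nopat_bindings[src_ip] = free[0]
        return self.nopat_bindings[src_ip], src_port  # only the address changes

    def _pat(self, src_ip, src_port, dst, group):
        key = (src_ip, src_port, dst)
        if key not in self.pat_sessions:
            # one pool address carries many hosts; the translated source port keeps flows apart
            self.pat_sessions[key] = (group.addresses[0], next(self._pat_ports))
        return self.pat_sessions[key]

    def summary(self):
        """Rows in the shape of 'display nat outbound': (acl number, group id, type)."""
        return [(acl.number, group.group_id, "no-pat" if no_pat else "pat") for acl, group, no_pat in self.rules]


def build_example():
    """The two-area setup of this example, with assumed addresses."""
    nat = OutboundNat()
    nat.add_rule(BasicAcl(2000, ["10.1.0.0/24"]), AddressGroup(1, "203.0.113.100", "203.0.113.102"), no_pat=True)
    nat.add_rule(BasicAcl(2001, ["10.2.0.0/24"]), AddressGroup(2, "203.0.113.200", "203.0.113.200"))
    return nat


if __name__ == "__main__":
    nat = build_example()
    wan_server = ("198.51.100.5", 80)
    for host in ("10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"):
        print("area A", host, "->", nat.translate(host, 40000, wan_server))  # fourth host gets None
    for host in ("10.2.0.1", "10.2.0.2", "10.2.0.3"):
        print("area B", host, "->", nat.translate(host, 40000, wan_server))  # same address, different ports
```

The model also makes the security trade-off visible: in no-pat mode the binding is one-to-one, so an observer on the WAN can attribute traffic to a single internal host for as long as the binding lasts, whereas under PAT one address carries many hosts. In both modes the nat outbound ACL is the only thing that decides which internal sources are translated at all, so it should stay as narrow as the two /24 rules here.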

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure DNS mappings to allow users to access servers by using domain names.
3. Map the overlapping address pool to the temporary address pool.
4. Configure outbound NAT to allow internal users to access external networks.

1. Configure IP addresses for the interfaces of the AR1200.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address
[Huawei-Ethernet2/0/0] quit

2. Configure DNS mappings on the AR1200. The DNS ALG rewrites the address that PC2 receives for host A from the overlapping address to the corresponding temporary address, so that PC2 sends its packets towards the WAN instead of to PC1.
[Huawei] nat alg dns enable
[Huawei] nat dns-map tcp

3. Configure the mapping between the overlapping address pool and the temporary address pool on the AR1200.
[Huawei] nat overlap-address pool-length 254

4. Configure a static route on the AR1200 from the temporary address pool to outbound interface Ethernet2/0/0, so that packets destined for temporary addresses reach the interface on which they are translated.
[Huawei] ip route-static ethernet 2/0/0

5. Configure outbound NAT on outbound interface Ethernet2/0/0 of the AR1200.
a. Create an ACL and configure an ACL rule to permit the packets of host A.
[Huawei] acl 3180
[Huawei-acl-adv-3180] rule permit ip source
[Huawei-acl-adv-3180] quit
b. Configure the NAT address pool for outbound NAT.
[Huawei] nat address-group
c. Configure outbound NAT on outbound interface Ethernet2/0/0.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] nat outbound 3180 address-group 1
[Huawei-Ethernet2/0/0] quit

6. Verify the configuration.
Run the display nat overlap-address all command on the AR1200 to view the mapping between the address pools.
[Huawei] display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
Id    Overlap-Address    Temp-Address    Pool-Length    Inside-VPN-Instance-Name
Total : 1
Run the display nat outbound command on the AR1200 to view the outbound NAT information.
[Huawei] display nat outbound
NAT Outbound Information:
Interface        Acl     Address-group/IP/Interface    Type
Ethernet2/0/0    3180    1                             pat
Total : 1

Configuration Files
vlan batch
acl number 3180
rule 5 permit ip source
nat alg dns enable
nat address-group
nat dns-map tcp
nat overlap-address pool-length 254
ip route-static Ethernet2/0/0
interface Vlanif100
ip address
interface Vlanif200
ip address
interface Ethernet0/0/0
port link-type access
port default vlan 100
interface Ethernet0/0/1
port link-type access
port default vlan 200
interface Ethernet2/0/0
ip address
nat outbound 3180 address-group 1
return
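Twice NAT corrects the overlap in two places. The DNS ALG rewrites the A record that PC2 receives for host A from the overlapping address to the address at the same offset in the temporary pool (the pool-length sets how many offsets exist), so PC2 addresses its packets to a temporary address that the static route of step 4 carries to Ethernet2/0/0. There the AR1200 translates the temporary destination back to host A's real address and, through the nat outbound rule, the private source to the pool address, and it reverses both on the reply. The following Python model walks one TCP connection through these steps; it is added here as an illustration and is not AR1200 code. The addresses are assumed: overlapping pool starting at 10.1.1.0 (PC1 and host A both 10.1.1.2, PC2 10.1.1.5), temporary pool starting at 192.0.2.0 with pool-length 254 as in this example, and 203.0.113.1 standing in for address-group 1.

```python
import ipaddress


class TwiceNat:
    """Model of 'nat overlap-address <id> <overlap-start> <temp-start> pool-length <n>'
    together with the DNS ALG and PAT on the WAN interface."""

    def __init__(self, overlap_start, temp_start, pool_length, public_ip):
        self.overlap_base = int(ipaddress.ip_address(overlap_start))
        self.temp_base = int(ipaddress.ip_address(temp_start))
        self.pool_length = pool_length
        self.public_ip = public_ip       # stands in for address-group 1
        self._next_port = 1024
        self.port_of = {}                # (src, sport, real dst, dport) -> translated source port
        self.session_of = {}             # translated source port -> that 4-tuple

    def _offset(self, ip, base):
        off = int(ipaddress.ip_address(ip)) - base
        return off if 0 <= off < self.pool_length else None

    def overlap_to_temp(self, ip):
        off = self._offset(ip, self.overlap_base)
        return None if off is None else str(ipaddress.ip_address(self.temp_base + off))

    def temp_to_overlap(self, ip):
        off = self._offset(ip, self.temp_base)
        return None if off is None else str(ipaddress.ip_address(self.overlap_base + off))

    def dns_reply_from_outside(self, answer_ip):
        """DNS ALG: an A record from the public side that lies in the overlapping
        range is rewritten to the temporary address with the same offset."""
        return self.overlap_to_temp(answer_ip) or answer_ip

    def outbound(self, pkt):
        """Packet from the private side arriving at the WAN interface.
        pkt is a dict with src, sport, dst, dport."""
        real_dst = self.temp_to_overlap(pkt["dst"])
        if real_dst is None:
            return None  # not a temporary address: nothing for twice NAT to do
        key = (pkt["src"], pkt["sport"], real_dst, pkt["dport"])
        if key not in self.port_of:
            self.port_of[key] = self._next_port
            self.session_of[self._next_port] = key
            self._next_port += 1
        # destination: temporary -> real; source: private -> public (PAT)
        return {"src": self.public_ip, "sport": self.port_of[key], "dst": real_dst, "dport": pkt["dport"]}

    def inbound(self, pkt):
        """Reply from the public side: undo both translations, or drop it if it matches no session."""
        key = self.session_of.get(pkt["dport"])
        if key is None or pkt["dst"] != self.public_ip or (pkt["src"], pkt["sport"]) != (key[2], key[3]):
            return None
        inside_ip, inside_port, real_src, _ = key
        # source: real -> temporary, so PC2 sees the address it connected to; destination: public -> private
        return {"src": self.overlap_to_temp(real_src), "sport": pkt["sport"], "dst": inside_ip, "dport": inside_port}


if __name__ == "__main__":
    nat = TwiceNat("10.1.1.0", "192.0.2.0", 254, "203.0.113.1")
    host_a = nat.dns_reply_from_outside("10.1.1.2")          # PC2 resolves host A's name
    print("PC2 resolves host A to", host_a)                    # 192.0.2.2, not PC1's 10.1.1.2
    syn = {"src": "10.1.1.5", "sport": 50000, "dst": host_a, "dport": 80}
    out = nat.outbound(syn)
    print("on the WAN:", out)
    reply = {"src": out["dst"], "sport": 80, "dst": out["src"], "dport": out["sport"]}
    print("back to PC2:", nat.inbound(reply))
```

The return path shows why the session table matters: a reply is accepted only if it matches a session the AR1200 created, and its source is rewritten back to the temporary address so that PC2 sees the address it connected to. Without the DNS ALG step, PC2 would resolve host A to 10.1.1.2 and deliver the packet to PC1 on the local segment; the WAN interface would never see it, which the model reports by returning None for a non-temporary destination.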


More information

Chapter 11 Network Address Translation

Chapter 11 Network Address Translation Chapter 11 Network Address Translation You can configure an HP routing switch to perform standard Network Address Translation (NAT). NAT enables private IP networks that use nonregistered IP addresses

More information

Optimum Business SIP Trunk Set-up Guide

Optimum Business SIP Trunk Set-up Guide Optimum Business SIP Trunk Set-up Guide For use with IP PBX only. SIPSetup 07.13 FOR USE WITH IP PBX ONLY Important: If your PBX is configured to use a PRI connection, do not use this guide. If you need

More information

Technical Support Information Belkin internal use only

Technical Support Information Belkin internal use only The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.

More information

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1 Table of Contents 1. REQUIREMENTS SUMMARY... 1 2. REQUIREMENTS DETAIL... 2 2.1 DHCP SERVER... 2 2.2 DNS SERVER... 2 2.3 FIREWALLS... 3 2.4 NETWORK ADDRESS TRANSLATION... 4 2.5 APPLICATION LAYER GATEWAY...

More information

VegaStream Information Note Considerations for a VoIP installation

VegaStream Information Note Considerations for a VoIP installation VegaStream Information Note Considerations for a VoIP installation To get the best out of a VoIP system, there are a number of items that need to be considered before and during installation. This document

More information

Cisco Configuring Commonly Used IP ACLs

Cisco Configuring Commonly Used IP ACLs Table of Contents Configuring Commonly Used IP ACLs...1 Introduction...1 Prerequisites...2 Hardware and Software Versions...3 Configuration Examples...3 Allow a Select Host to Access the Network...3 Allow

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Configuring Network Address Translation

Configuring Network Address Translation 6 Configuring Network Address Translation Contents NAT Services on the ProCurve Secure Router....................... 6-2 Many-to-One NAT for Outbound Traffic........................ 6-2 Using NAT with

More information

GregSowell.com. Mikrotik Basics

GregSowell.com. Mikrotik Basics Mikrotik Basics Terms Used Layer X When I refer to something being at layer X I m referring to the OSI model. VLAN 802.1Q Layer 2 marking on traffic used to segment sets of traffic. VLAN tags are applied

More information

Virtual Fragmentation Reassembly

Virtual Fragmentation Reassembly Virtual Fragmentation Reassembly Currently, the Cisco IOS Firewall specifically context-based access control (CBAC) and the intrusion detection system (IDS) cannot identify the contents of the IP fragments

More information

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example Document ID: 113110 Contents Introduction Prerequisites Requirements Components Used Network Diagram Related Products Conventions Background

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

Vocia MS-1 Network Considerations for VoIP. Vocia MS-1 and Network Port Configuration. VoIP Network Switch. Control Network Switch

Vocia MS-1 Network Considerations for VoIP. Vocia MS-1 and Network Port Configuration. VoIP Network Switch. Control Network Switch Vocia MS-1 Network Considerations for VoIP Vocia software rev. 1.4 or higher required Vocia MS-1 and Network Port Configuration The Vocia Message Server 1 (MS-1) has a number of roles in a Vocia Paging

More information

The information in this document is based on these software and hardware versions:

The information in this document is based on these software and hardware versions: Contents Introduction Prerequisites Requirements Components Used Background Information Advanced Protocol Handling Configuration Scenarios Scenario 1: FTP Client configured for Active Mode Scenario 2:

More information

Quidway MPLS VPN Solution for Financial Networks

Quidway MPLS VPN Solution for Financial Networks Quidway MPLS VPN Solution for Financial Networks Using a uniform computer network to provide various value-added services is a new trend of the application systems of large banks. Transplanting traditional

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

School of Information Science (IS 2935 Introduction to Computer Security, 2003) Student Name : School of Information Science (IS 2935 Introduction to Computer Security, 2003) Firewall Configuration Part I: Objective The goal of this lab is to allow students to exploit an active attack

More information

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example Document ID: 77869 Contents Introduction Prerequisites Requirements Components Used Related Products

More information