NAT Configuration (Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Service; printed 6 March 2014)




Contents

1 NAT Configuration
1.1 NAT Overview
1.2 NAT Features Supported by the AR1200
1.3 Configuring NAT
1.3.1 Establishing the Configuration Task
1.3.2 Configuring an Address Pool
1.3.3 Associating an ACL with an Address Pool
1.3.4 Configuring Easy IP
1.3.5 Configuring an Internal Server
1.3.6 Configuring Static NAT
1.3.7 Enabling NAT ALG
1.3.8 Configuring NAT Filtering
1.3.9 Configuring NAT Mapping
1.3.10 Configuring DNS Mapping
1.3.11 Configuring Twice NAT
1.3.12 Configuring NAT Log Output
1.3.13 Checking the Configuration
1.4 Configuration Examples
1.4.1 Example for Configuring Static NAT
1.4.2 Example for Configuring the NAT Server
1.4.3 Example for Configuring Outbound NAT
1.4.4 Example for Configuring Twice NAT

1 NAT Configuration

Network Address Translation (NAT) translates private addresses into public addresses. It conserves IPv4 addresses and hides the topology of the private network from the public network. Hiding addresses is all NAT does for security: it is not a substitute for a firewall policy, and any inbound access you open with an internal server or static NAT entry is reachable from the whole public network unless you restrict it with an ACL.

1.1 NAT Overview

NAT enables hosts on a private network to access the public network.

Private Network Address and Public Network Address

A private network address (private address) is the IP address of an internal network or host. A public network address (public address) is a globally unique IP address on the Internet.
The Internet Assigned Numbers Authority (IANA) reserves the following address blocks as private addresses (RFC 1918):

Class A: 10.0.0.0-10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0-172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0-192.168.255.255 (192.168.0.0/16)

After planning the scale of the intranet, an enterprise chooses a private address segment of suitable size. The private address segments of different enterprises may overlap, because these addresses are never routed on the Internet. If an intranet uses addresses outside the private ranges, those addresses collide with the public hosts that legitimately own them, and communication with other networks may fail.

Principle of NAT

As shown in Figure 1, the private address must be translated when a host on a private network accesses the Internet or communicates with hosts on a public network.

Figure 1 Networking of NAT

The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. Host 10.1.1.48 on the private network accesses web server 202.18.245.251 on the public network. The host sends a packet with source port 6084 and destination port 80. After translation, the source address/port of the packet becomes 203.196.3.23:32814; the destination address/port remains unchanged. The AR1200 records the mapping between the private and the translated address/port pairs in a mapping table. When the web server responds, the AR1200 looks up the mapping and translates the destination address/port of the returned packet back to 10.1.1.48:6084. In this way, the host on the private network reaches the server on the public network.

1.2 NAT Features Supported by the AR1200

The AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

Static NAT

Static NAT maps one private address to one public address, so the number of public addresses used equals the number of private addresses translated. Static NAT does not conserve public addresses, but it hides the real address of the host. When a packet is sent from the private network to the public network, static NAT translates its source IP address to the public address; when the public network returns a response, static NAT translates the destination IP address of the response back to the private address.

PAT

Port address translation (PAT), also called network address port translation (NAPT), maps multiple private addresses to one public address and so conserves public addresses. PAT translates the source IP addresses of packets from hosts on the private network to the same public address and distinguishes the hosts by giving each flow a different translated source port. The PAT-enabled device keeps a mapping table between private address/port pairs and public address/port pairs. Before packets from different private addresses are sent to the public network, the device replaces their source addresses with the same public address and their source ports with different port numbers. When the public network returns response packets, the device uses the destination port number to look up the private address and port. Figure 1 shows how PAT translates IP addresses and port numbers.

Figure 1 PAT working process

Internal Server

NAT hides internal hosts, but users on the public network sometimes need to reach some of them, for example a web server or a file transfer protocol (FTP) server. NAT lets you choose the public address and port of each internal server freely: you can use 202.110.10.10, or even 202.110.10.12:8080, as the public address of a web server and 202.110.10.11 as the public address of an FTP server, and you can publish several servers of the same kind (several web servers, for example) to external users. You configure an internal server by mapping a public address and port to the private address and port of the server; hosts on the public network then reach the server through the public address. Because the published port is reachable from the entire public network, publish only the ports the server actually needs and restrict the sources that may use them (the nat server command accepts an ACL).

NAT Mapping

NAT conserves IPv4 addresses and hides the private network. NAT implementations differ between vendors, so applications that rely on Simple Traversal of UDP through NAT (STUN), Traversal Using Relay NAT (TURN), and Interactive Connectivity Establishment (ICE), which are common with SIP proxies, may fail to traverse some vendors' NAT devices. NAT mapping (endpoint-independent mapping, the behaviour these protocols expect) lets such applications traverse the AR1200.
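The PAT walkthrough from the overview (10.1.1.48:6084 to 202.18.245.251:80 leaving as 203.196.3.23:32814), modelled in Python as an added example for this page; it is not AR1200 code. The mapping table is keyed on the private (protocol, address, port) triple, the reverse lookup on the translated public port, and the first translated port 32814 is an assumption made only so that the output matches the figure.

```python
"""Model of the PAT (NAPT) behaviour described above.  Added example for
this page; it is not AR1200 code.  Using 32814 as the first translated port
is an assumption made only so the walkthrough matches the figure
(10.1.1.48:6084 -> 203.196.3.23:32814)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PAT:
    def __init__(self, public_ip, first_port=32814, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # mapping table: private (proto, ip, port) -> translated public port
        self.outbound = {}
        # reverse index used for replies: (proto, public port) -> private (ip, port)
        self.inbound = {}

    def translate_out(self, pkt):
        """Private -> public: the same public address for every host and a
        distinct public port per private (proto, ip, port); the destination
        is left unchanged.  An existing mapping is reused for the same
        private endpoint whatever the destination."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("public port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Public -> private: the destination port selects the private host.
        Returns None (packet dropped) when no outbound session created a
        mapping, which is why unsolicited inbound traffic never reaches a
        private host behind PAT."""
        if pkt.dst_ip != self.public_ip:
            return None
        priv = self.inbound.get((pkt.proto, pkt.dst_port))
        if priv is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv[0], priv[1])


def walkthrough():
    """The exchange from the text: 10.1.1.48:6084 -> 202.18.245.251:80."""
    nat = PAT("203.196.3.23")
    request = Packet("tcp", "10.1.1.48", 6084, "202.18.245.251", 80)
    on_wire = nat.translate_out(request)
    reply = Packet("tcp", "202.18.245.251", 80, on_wire.src_ip, on_wire.src_port)
    delivered = nat.translate_in(reply)
    return on_wire, delivered


if __name__ == "__main__":
    out, back = walkthrough()
    print(f"{out.src_ip}:{out.src_port} -> {out.dst_ip}:{out.dst_port}")
    print(f"reply delivered to {back.dst_ip}:{back.dst_port}")
```

A second private host using the same source port 6084 receives the next public port, which is the whole point of PAT; a packet arriving for a public port that no session allocated is dropped, which is the filtering behaviour that section 1.2 describes under NAT Filtering.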

NAT Filtering

A NAT device filters traffic from the external network to the internal network. After an internal host sends a request to an external host, the external host sends traffic back to the internal host; the NAT device checks that inbound traffic against its mapping table and the configured filtering mode before forwarding it, and drops inbound packets that match no mapping.

Easy IP

Easy IP uses the public IP address of the outbound interface as the translated source address, and uses an Access Control List (ACL) to select which private addresses are translated. It suits an interface whose public address is assigned dynamically.

NAT ALG

Some protocols do not work through NAT without special handling, because they carry IP addresses and/or port numbers inside the packet payload, which plain NAT does not rewrite. The NAT ALG function lets such protocols traverse the NAT device: it rewrites the addresses and port numbers in the payload so that the protocol exchange is transparent to both ends. The NAT ALG of the AR1200 supports the Domain Name System (DNS), FTP, the Real-Time Streaming Protocol (RTSP), and the Session Initiation Protocol (SIP).

Twice NAT

Basic NAT translates only the source or the destination address of a packet; twice NAT translates both. It applies when IP addresses of hosts on the private and public networks overlap. As shown in Figure 2, PC1 on the private network has the same IP address as PC3 on the public network, so a packet that PC2 on the private network sends to PC3 would be delivered to PC1 instead. Twice NAT translates the overlapping address into a unique temporary address according to the configured mapping between an overlapping address pool and a temporary address pool, while basic NAT handles the source address, so packets are forwarded correctly.

Figure 2 Networking of twice NAT

Twice NAT is configured on the AR1200 as follows:

1. Configure basic NAT (many-to-many NAT): create a NAT address pool containing 200.0.0.1 to 200.0.0.100 and apply it to the interface connecting to the WAN.
2. Configure the mapping from overlapping addresses to temporary addresses: 10.0.0.0 to 3.0.0.0. One overlapping address pool maps to one temporary address pool of the same length, and addresses are translated by their offset within the pool:

Temporary address = Start IP address of the temporary address pool + (Overlapping IP address - Start IP address of the overlapping address pool)
Overlapping address = Start IP address of the overlapping address pool + (Temporary IP address - Start IP address of the temporary address pool)

Choose a temporary pool that private hosts never need to reach directly, because packets addressed to it are always rewritten.

When PC2 on the private network accesses PC3 on the public network by domain name, packets are processed as follows:

1. PC2 sends a DNS request to resolve the domain name www.web.com of the web server. When the response from the DNS server reaches the AR1200, the DNS ALG inspects the address 10.0.0.1 in the payload and finds that it is an overlapping address (it falls in the overlapping address pool). The AR1200 rewrites it to the temporary address 3.0.0.1, translates the destination address of the response using basic NAT, and sends the response to PC2.
2. PC2 sends a request to the temporary address 3.0.0.1, which it now associates with www.web.com. When the packet reaches the AR1200, the AR1200 translates the source address using basic NAT and then translates the destination address (the temporary address) back to the overlapping address 10.0.0.1.
3. The AR1200 sends the packet out of the WAN-side interface, and it is forwarded hop by hop to PC3.
4. When the reply from PC3 to PC2 reaches the AR1200, the AR1200 finds that the source address 10.0.0.1 is an overlapping address (it falls in the overlapping address pool), translates it to the temporary address 3.0.0.1, translates the destination address back using basic NAT, and sends the packet to PC2.

Source Address Associated with a VPN Before NAT Is Performed

The NAT-enabled AR1200 allows users on private networks, and users in different VPN instances, to access the public network through the same egress, even when users in different VPNs have the same IP address.

NAT Server Associated with VPNs

The NAT-enabled AR1200 can associate an internal (NAT) server with a VPN instance, so that users on the public network can reach hosts inside that VPN. This is needed when the address spaces of several VPNs overlap.

1.3 Configuring NAT

To implement communication between the private network and the public network through NAT, use Easy IP for a single user and an address pool for multiple users.

1.3.1 Establishing the Configuration Task

Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

NAT must be configured on the device at the boundary between the private network and the public network, on the interface facing the public network, so that it can translate between private and public addresses.

Pre-configuration Tasks

Before configuring NAT, create a basic ACL or an advanced ACL and configure its rules. The ACL decides which private sources are translated, so write it as a list of the subnets that are allowed outbound NAT rather than permitting everything.

Data Preparation

To configure NAT, you need the following data:

No.  Data
1    Number of the public address pool, start IP address, and end IP address
2    Number of the basic ACL or advanced ACL
3    Internal server: protocol type, public address, public port number, private address (and VPN instance, if any), and optionally the private port number
4    Static NAT: protocol type, public address, public port number, private address (and VPN instance, if any), optionally the private port number, and subnet mask
5    Index of the overlapping address pool and temporary address pool, their start IP addresses, the address pool length, and optionally the VPN instance
6    Domain name, public address, and public port number (for DNS mapping)

1.3.2 Configuring an Address Pool

Configure a NAT address pool when multiple users on the private network need to access the public network.

1. Run: system-view
   The system view is displayed.
2. Run: nat address-group group-index start-address end-address

   A public address pool is configured. A public address pool is a set of public addresses; when performing NAT on packets from the private network, the AR1200 selects an address from the pool as the translated source address. Address pool IDs are numbers, and up to 8 address pools can be configured. By default, no public address pool is configured on the AR1200.

1.3.3 Associating an ACL with an Address Pool

Network administrators can use ACLs to control which users can access public networks using NAT.

1. Run: system-view
   The system view is displayed.
2. Run: interface interface-type interface-number
   The interface view is displayed.
3. Run: nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]
   An ACL is associated with an address pool. After the association, the AR1200 translates the source addresses of packets that match the ACL to an address in the address pool. Several translation entries (different ACLs or pools) can be configured on one interface. The no-pat keyword selects one-to-one NAT: only the IP address is translated and the port number is left unchanged, so each active private host consumes a whole public address from the pool.

1.3.4 Configuring Easy IP

Easy IP uses the interface IP address as the source address of packets that match an ACL.

1. Run: system-view
   The system view is displayed.
2. Run: interface interface-type interface-number
   The interface view is displayed.
3. Run: nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]
   Easy IP is configured when no address-group is given: packets matching the ACL take the address of this interface (or of the specified loopback interface) as their translated source address.

1.3.5 Configuring an Internal Server

Placing a server on the private network and publishing it through NAT hides the server's real address and limits what the public network can reach to the published protocol and port; it does not by itself protect the published service. Users on both the private and public networks can access the server.

1. Run: system-view
   The system view is displayed.
2. Run: interface interface-type interface-number
   The interface view is displayed.
3. Run one of the following:
   nat server protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
   nat server protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
   nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
   An internal server is configured, and users on the public network can access it. When a host on the public network sends a connection request to the public address (global-address) and port of the internal server, NAT translates the destination address of the request to the private address (host-address) and port, and the AR1200 forwards the request to the server. Prefer the first two forms, which publish a single protocol and port; the third form forwards every port of the protocol (or every protocol, if protocol is omitted) to the internal host. Use the acl option to restrict the public sources that may reach the server.

NOTE: When configuring an internal server, ensure that global-address and host-address are different from interface IP addresses and from addresses in the user address pool.

1.3.6 Configuring Static NAT

Static NAT maps a private address to a public address. Static NAT does not conserve public addresses but hides the private network topology.

1. Run: system-view
   The system view is displayed.
2. Run: interface interface-type interface-number
   The interface view is displayed.
3. Run one of the following:
   nat static protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
   nat static protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
   nat static [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
   Static NAT is configured. A static entry is bidirectional: it also translates the source address of traffic the internal host sends out. An entry without a protocol and port makes every port of the host reachable from the public network, so prefer the protocol-and-port forms and use acl to restrict sources.

NOTE: When configuring static NAT, ensure that global-address and host-address are different from interface IP addresses and from addresses in the user address pool.

1.3.7 Enabling NAT ALG

Errors occur when NAT translates packets of protocols that carry addresses or ports in their payload. The NAT ALG function ensures that such protocol packets are translated correctly.

1. Run: system-view
   The system view is displayed.
2. Run: nat alg { all | dns | ftp | rtsp | sip } enable
   The NAT ALG function is enabled. After NAT ALG is enabled for an application protocol, packets of that protocol can traverse the NAT device; without it, the protocol does not work through NAT. The all keyword enables NAT traversal for DNS, FTP, SIP, and RTSP. Enable ALG only for the protocols you actually use: each ALG parses untrusted payloads on the device and opens sessions on behalf of the application.

1.3.8 Configuring NAT Filtering

A NAT device filters traffic from the external network to the internal network. After an internal host sends a request to an external host, the external host sends traffic back; the NAT device filters that inbound traffic according to the filtering mode.

Context

NAT filtering has the following modes:
Endpoint-independent filtering
Address-dependent filtering
Address and port-dependent filtering

1. Run: system-view
   The system view is displayed.
2. Run: nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }
   The NAT filtering mode is set. NAT filtering applies to traffic from an external network to an internal network. The default mode is endpoint-and-port-dependent, in which the system uses the source IP address, source port, destination IP address, destination port, and protocol number of an inbound packet as the key when searching the NAT mapping table, so only the external endpoint that the internal host contacted can send packets back through the mapping. Endpoint-independent filtering accepts packets for a mapped public port from any external address and port, which is what some NAT-traversal applications need but also lets any Internet host probe the mapped port; relax the default only where such applications require it.

1.3.9 Configuring NAT Mapping

NAT mapping allows applications that use STUN, TURN, and ICE to traverse the NAT device.

Context

NAT conserves IPv4 addresses and hides the private network. NAT mapping has the following modes:

Endpoint-independent mapping: reuses the same public address and port for subsequent packets sent from the same internal IP address and port to any external IP address and port.
Address-dependent mapping: reuses the mapping for subsequent packets sent from the same internal IP address and port to the same external IP address, regardless of the external port.
Address and port-dependent mapping: reuses the mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port, while the mapping is still active.

1. Run: system-view
   The system view is displayed.
2. Run: nat mapping-mode endpoint-independent [ tcp | udp ] [ dest-port port-number ]
   The NAT mapping mode is set. NAT mapping applies to traffic from an internal network to an external network. The default mode is address and port-dependent mapping; this command switches to endpoint-independent mapping, optionally only for one transport protocol or one destination port (for example, the port of your SIP proxy), which keeps the change as narrow as possible.

1.3.10 Configuring DNS Mapping

A private network may run servers such as FTP and web servers without running its own DNS server. If hosts on the private network need to reach those servers by domain name, which an external DNS server resolves to the servers' public addresses, configure DNS mapping.

1. Run: system-view
   The system view is displayed.
2. Run: nat dns-map domain-name global-address global-port { tcp | udp }
   The mapping from a domain name to a public IP address, port number, and protocol is configured. Up to 32 mapping entries can be configured on the AR1200.
3. Run: nat alg { all | dns | ftp | rtsp | sip } enable
   The NAT ALG function is enabled for DNS.

CAUTION: With DNS mapping and the DNS ALG enabled, hosts on the private network can reach servers on the private network through the external DNS server: the device matches the answer against the DNS mapping and the internal server configuration so that the private address of the server is used.
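The mapping and filtering modes of 1.3.8 and 1.3.9 side by side, as an added example written for this page (not AR1200 code) in Python. It runs the same traffic through the AR1200 default (address-and-port-dependent mapping and filtering) and through fully endpoint-independent behaviour, so the trade-off is visible: the open mode gives STUN a reusable public port, and it also lets an unrelated host deliver packets to it. The AR1200 keyword endpoint-dependent denotes address-dependent filtering; all addresses and ports in the scenario are constructed.

```python
"""Model of the NAT mapping and filtering modes described above (the
behaviours RFC 4787 calls endpoint-independent, address-dependent and
address-and-port-dependent).  Added example for this page, not AR1200 code.
The AR1200 command names the address-dependent filter 'endpoint-dependent';
the enum keeps both names.  All addresses and ports below are constructed."""
from enum import Enum


class Mode(Enum):
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_DEPENDENT = "endpoint-dependent"          # AR1200 keyword
    ADDRESS_PORT_DEPENDENT = "endpoint-and-port-dependent"


class Nat:
    """One public address; the mapping mode governs outbound port reuse and
    the filtering mode governs which external endpoints may send inbound."""

    def __init__(self, public_ip, mapping, filtering, first_port=40000):
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self.next_port = first_port
        self.by_key = {}      # mapping key -> public port
        self.sessions = {}    # public port -> {"internal": (ip, port), "peers": set()}

    def _key(self, internal, external):
        if self.mapping is Mode.ENDPOINT_INDEPENDENT:
            return (internal,)                     # one port for all peers
        if self.mapping is Mode.ADDRESS_DEPENDENT:
            return (internal, external[0])         # one port per peer address
        return (internal, external)                # one port per peer address+port

    def outbound(self, internal, external):
        """Returns the public (ip, port) used for internal -> external."""
        key = self._key(internal, external)
        port = self.by_key.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_key[key] = port
            self.sessions[port] = {"internal": internal, "peers": set()}
        self.sessions[port]["peers"].add(external)
        return (self.public_ip, port)

    def inbound(self, external, public_port):
        """Returns the internal (ip, port) that a packet from `external` to
        public_port is delivered to, or None if the filter drops it."""
        sess = self.sessions.get(public_port)
        if sess is None:
            return None                            # no mapping at all
        peers = sess["peers"]
        if self.filtering is Mode.ENDPOINT_INDEPENDENT:
            allowed = True                         # anyone may use the hole
        elif self.filtering is Mode.ADDRESS_DEPENDENT:
            allowed = any(p[0] == external[0] for p in peers)
        else:
            allowed = external in peers            # exactly the contacted peer
        return sess["internal"] if allowed else None


# Constructed scenario: a SIP phone registers with a STUN server, then talks
# to a peer; an unrelated Internet host later probes the mapped port.
PHONE = ("192.168.1.10", 5060)
STUN = ("198.51.100.5", 3478)
PEER = ("203.0.113.9", 5060)
SCANNER = ("203.0.113.77", 9999)


def compare_modes():
    """Same traffic under the AR1200 default (address-and-port-dependent
    both ways) and under fully endpoint-independent behaviour."""
    strict = Nat("203.196.3.23", Mode.ADDRESS_PORT_DEPENDENT, Mode.ADDRESS_PORT_DEPENDENT)
    open_ = Nat("203.196.3.23", Mode.ENDPOINT_INDEPENDENT, Mode.ENDPOINT_INDEPENDENT)
    result = {}
    for name, nat in (("strict", strict), ("open", open_)):
        p1 = nat.outbound(PHONE, STUN)
        p2 = nat.outbound(PHONE, PEER)
        result[name] = {
            "same_public_port": p1 == p2,                 # STUN-reported port reusable?
            "stun_reply": nat.inbound(STUN, p1[1]),
            "scanner": nat.inbound(SCANNER, p1[1]),        # unsolicited probe
        }
    return result


if __name__ == "__main__":
    for name, r in compare_modes().items():
        print(name, r)
```

The middle ground the AR1200 also offers, endpoint-independent mapping with address-dependent filtering, keeps the port reusable for STUN while still dropping packets from addresses the phone never contacted; the scanner is rejected, but a second port on the STUN server's address is accepted.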
1.3.11 Configuring Twice NAT

Twice NAT translates both the source and destination IP addresses of a packet. It applies when IP addresses of internal hosts and external hosts overlap.

Context

When IP addresses of internal hosts and external hosts overlap, configure the mapping between the overlapping address pool and the temporary address pool; the overlapping address is then translated to a unique temporary address and packets are forwarded correctly. Outbound NAT (an address pool associated with an ACL on the WAN interface) must also be configured, because twice NAT relies on it for the source-address translation.

1. Run: system-view
   The system view is displayed.
2. Run: nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]
   Twice NAT is configured. The overlapping address pool and the temporary address pool each consist of consecutive IP addresses, have the same length, and can contain up to 255 addresses each. Up to 8 mappings between overlapping and temporary address pools can be configured.
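The twice NAT walkthrough from section 1.2 (PC2 reaching www.web.com while PC1 and PC3 share 10.0.0.1) and the nat overlap-address mapping above, modelled in Python as an added example for this page; it is not AR1200 code. The pools 200.0.0.1-200.0.0.100 and 10.0.0.0 to 3.0.0.0 and PC3's address 10.0.0.1 come from the text; PC2's address 10.0.0.2 and the pool length 255 are assumptions. Basic NAT is modelled as one-to-one (no-pat) so that the address arithmetic stays visible.

```python
"""Model of twice NAT as described above: basic (many-to-many, no-pat)
NAT for the source address plus an overlapping-pool -> temporary-pool
mapping for the destination, with the DNS ALG rewriting answers.  Added
example for this page, not AR1200 code.  PC2's address 10.0.0.2 and the
pool length 255 are assumptions; the pools (200.0.0.1-200.0.0.100,
10.0.0.0 -> 3.0.0.0) and PC3's address 10.0.0.1 come from the text."""
import ipaddress


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _to_str(n):
    return str(ipaddress.IPv4Address(n))


class OverlapMap:
    """One nat overlap-address entry: two pools of equal length, translated
    by offset exactly as the two formulas in the text state."""

    def __init__(self, overlap_start, temp_start, length):
        self.overlap_start = _to_int(overlap_start)
        self.temp_start = _to_int(temp_start)
        self.length = length

    def is_overlap(self, ip):
        return 0 <= _to_int(ip) - self.overlap_start < self.length

    def is_temp(self, ip):
        return 0 <= _to_int(ip) - self.temp_start < self.length

    def to_temp(self, ip):
        # Temporary = temp_start + (overlapping - overlap_start)
        return _to_str(self.temp_start + (_to_int(ip) - self.overlap_start))

    def to_overlap(self, ip):
        # Overlapping = overlap_start + (temporary - temp_start)
        return _to_str(self.overlap_start + (_to_int(ip) - self.temp_start))


class TwiceNAT:
    def __init__(self, pool_start, pool_end, overlap):
        # basic NAT address pool, handed out one public address per private host
        self.free = [_to_str(n) for n in range(_to_int(pool_start), _to_int(pool_end) + 1)]
        self.priv_to_pub = {}
        self.pub_to_priv = {}
        self.overlap = overlap

    def _public_for(self, priv_ip):
        if priv_ip not in self.priv_to_pub:
            if not self.free:
                raise RuntimeError("NAT address pool exhausted")
            pub = self.free.pop(0)
            self.priv_to_pub[priv_ip] = pub
            self.pub_to_priv[pub] = priv_ip
        return self.priv_to_pub[priv_ip]

    def dns_answer_in(self, answer_ip):
        """Step 1: the DNS ALG replaces an overlapping address in the answer
        payload with its temporary address; other answers pass untouched."""
        if self.overlap.is_overlap(answer_ip):
            return self.overlap.to_temp(answer_ip)
        return answer_ip

    def outbound(self, src_ip, dst_ip):
        """Step 2: source via basic NAT; a temporary destination is mapped
        back to the real (overlapping) address before the packet leaves."""
        if self.overlap.is_temp(dst_ip):
            dst_ip = self.overlap.to_overlap(dst_ip)
        return self._public_for(src_ip), dst_ip

    def inbound(self, src_ip, dst_ip):
        """Step 4: an overlapping source becomes its temporary address and
        the public destination is mapped back to the private host.  Returns
        None (drop) when no private host owns the public address."""
        priv = self.pub_to_priv.get(dst_ip)
        if priv is None:
            return None
        if self.overlap.is_overlap(src_ip):
            src_ip = self.overlap.to_temp(src_ip)
        return src_ip, priv


def walkthrough():
    """PC2 (10.0.0.2, assumed) reaches www.web.com = 10.0.0.1 (PC3), which
    collides with PC1's private address 10.0.0.1."""
    nat = TwiceNAT("200.0.0.1", "200.0.0.100", OverlapMap("10.0.0.0", "3.0.0.0", 255))
    seen_by_pc2 = nat.dns_answer_in("10.0.0.1")        # what PC2 learns for www.web.com
    on_wan = nat.outbound("10.0.0.2", seen_by_pc2)     # (translated src, real dst)
    back = nat.inbound("10.0.0.1", on_wan[0])          # (temporary src, PC2)
    return seen_by_pc2, on_wan, back


if __name__ == "__main__":
    print(walkthrough())
```

PC2 only ever sees 3.0.0.1 for the remote server, so its own routing and ARP never collide with PC1; the real address 10.0.0.1 appears only on the WAN side of the device.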

If the VPN instance referenced by the mapping is deleted, the twice NAT configuration is deleted with it.

1.3.12 Configuring NAT Log Output

The NAT log output function makes the AR1200 collect and record information about the NAT session table in real time. NAT logs are what let you attribute a connection seen at the public address back to the internal user, which PAT otherwise hides.

Context

NAT logs are generated when the AR1200 performs address translation. Each log records the original source IP address and port, the destination IP address and port, the translated source IP address and port, the user action, and a timestamp. The AR1200 can send NAT logs to a specified log host, as shown in Figure 1. Keep the device clock accurate and retain the logs on the log host; an entry whose timestamp cannot be trusted cannot be matched to an external report.

Figure 1 Sending NAT logs to a specified log host

1. Run: system-view
   The system view is displayed.
2. Run: firewall log session enable
   The firewall log function is enabled.
3. Run: firewall log session nat enable
   The NAT session log function is enabled.
4. Run: info-center enable
   The information center is enabled.
5. Run: info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | language language-name ] *
   The channel through which logs are output to the log host is configured. The AR1200 supports a maximum of eight log hosts, so logs can also be delivered to backup hosts.

NOTE: For details on how to configure the AR1200 to send logs to a log host, see Example for Outputting Log Information to a Log Host in "Information Center Configuration" of the Huawei AR1200 Series Enterprise Routers Configuration Guide - Device Management.

1.3.13 Checking the Configuration

After NAT is configured, you can view information about NAT.

Run the display nat alg command to check whether the NAT ALG function is enabled.
Run the display nat address-group [ group-index ] [ verbose ] command to check the configuration of the NAT address pool.
Run the display nat dns-map [ domain-name ] command to check information about DNS mapping.
Run the display nat outbound [ acl acl-number | address-group group-index | interface { Ethernet | GigabitEthernet } interface-number.subnumber ] command to check information about outbound NAT.
Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check information about twice NAT.
Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the configuration of the NAT server.
Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the configuration of static NAT.
Run the display nat mapping table { all | number } command to view the NAT mapping table or the number of entries in it.

Reviewing the output of display nat server and display nat static after every change is the quickest way to confirm that only the intended hosts and ports are reachable from the public network.

1.4 Configuration Examples

This section provides several configuration examples of NAT.

Example for Configuring Static NAT
Example for Configuring the NAT Server
Example for Configuring Outbound NAT
Example for Configuring Twice NAT

1.4.1 Example for Configuring Static NAT

Networking Requirements

As shown in Figure 1, the server is the internal server of a company and needs to provide services for external users. The private IP address of the web server is 192.168.20.2 and its public address is 202.169.10.5/24. The IP address of the carrier device connected to the router is 202.169.10.2/24. External users must use the public address of the internal server to access it.

Figure 1 Networking diagram for configuring static NAT

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and configure static NAT on the WAN-side interface to allow external users to access the internal server.
2. Configure a default route.

Procedure

1. Configure IP addresses for interfaces and configure static NAT on the router.
  <Huawei> system-view
  [Huawei] vlan 100
  [Huawei-vlan100] quit
  [Huawei] interface vlanif 100
  [Huawei-Vlanif100] ip address 192.168.20.1 24
  [Huawei-Vlanif100] quit
  [Huawei] interface ethernet 2/0/0
  [Huawei-Ethernet2/0/0] port link-type access
  [Huawei-Ethernet2/0/0] port default vlan 100
  [Huawei-Ethernet2/0/0] quit
  [Huawei] interface gigabitethernet 3/0/0
  [Huawei-GigabitEthernet3/0/0] ip address 202.169.10.1 24
  [Huawei-GigabitEthernet3/0/0] nat static global 202.169.10.5 inside 192.168.20.2
  [Huawei-GigabitEthernet3/0/0] quit

2. Configure a default route with the next hop address 202.169.10.2 on the router.
  [Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

3. Verify the configuration.
Run the display nat static command on the router. The command output is as follows:
  [Huawei] display nat static
    Static Nat Information:
    Interface : GigabitEthernet3/0/0
      Global IP/Port     : 202.169.10.5/----
      Inside IP/Port     : 192.168.20.2/----
      Protocol           : ----
      VPN instance-name  : ----
      Acl number         : ----
      Netmask            : 255.255.255.255
      Description        : ----
    Total : 1
Verify that external users can access the server.

Configuration Files

  vlan batch 100
  interface Vlanif100
   ip address 192.168.20.1 255.255.255.0
  interface Ethernet2/0/0
   port link-type access
   port default vlan 100
  interface GigabitEthernet3/0/0
   ip address 202.169.10.1 255.255.255.0
   nat static global 202.169.10.5 inside 192.168.20.2
  ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
  return

1.4.2 Example for Configuring the NAT Server

Networking Requirements

As shown in Figure 1, a company is connected to the wide area network (WAN) through the AR1200, on which the network address translation (NAT) function is enabled. The company provides a web server and an FTP server for users on the public network to access. The private address of the web server is 192.168.20.2:8080 and its public address is 202.169.10.5/24. The private IP address of the FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24. The carrier device interface connected to the AR1200 has the address 202.169.10.2/24.

Figure 1 Network diagram for configuring the NAT server

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and configure the NAT servers on the WAN-side interface to allow external users to access the internal servers.
2. Configure a default route.
3. Enable the FTP NAT ALG function to allow external FTP packets to traverse the NAT servers.

Procedure

1. Configure IP addresses for the interfaces on the AR1200 and configure the NAT server on the WAN-side interface.
  <Huawei> system-view
  [Huawei] vlan 100
  [Huawei-vlan100] quit
  [Huawei] interface vlanif 100
  [Huawei-Vlanif100] ip address 192.168.20.1 24
  [Huawei-Vlanif100] quit
  [Huawei] interface Ethernet 0/0/0
  [Huawei-Ethernet0/0/0] port link-type access
  [Huawei-Ethernet0/0/0] port default vlan 100
  [Huawei-Ethernet0/0/0] quit
  [Huawei] vlan 200
  [Huawei-vlan200] quit
  [Huawei] interface vlanif 200
  [Huawei-Vlanif200] ip address 10.0.0.1 24
  [Huawei-Vlanif200] quit
  [Huawei] interface Ethernet 0/0/1
  [Huawei-Ethernet0/0/1] port link-type access
  [Huawei-Ethernet0/0/1] port default vlan 200
  [Huawei-Ethernet0/0/1] quit
  [Huawei] interface ethernet 2/0/0
  [Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
  [Huawei-Ethernet2/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
  [Huawei-Ethernet2/0/0] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
  [Huawei-Ethernet2/0/0] quit

2. On the AR1200, configure a static route with the next hop address 202.169.10.2.
  [Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

3. Enable the NAT ALG function for FTP packets on the AR1200.

  [Huawei] nat alg ftp enable

4. Verify the configuration.
Run the display nat server command on the AR1200 to view the NAT server configuration.
  [Huawei] display nat server
    Nat Server Information:
    Interface : Ethernet2/0/0
      Global IP/Port     : 202.169.10.5/80(www)
      Inside IP/Port     : 192.168.20.2/8080
      Protocol           : 6(tcp)
      VPN instance-name  : ----
      Acl number         : ----

      Global IP/Port     : 202.169.10.33/21(ftp)
      Inside IP/Port     : 10.0.0.3/21(ftp)
      Protocol           : 6(tcp)
      VPN instance-name  : ----
      Acl number         : ----
    Total : 2

Run the display nat alg command on the AR1200. The command output is as follows:
  [Huawei] display nat alg
  NAT Application Level Gateway Information:
  ----------------------------------
  Application      Status
  ----------------------------------
  dns              Disabled
  ftp              Enabled
  rtsp             Disabled
  sip              Disabled
  ----------------------------------

Verify that external users can access the web server and the FTP server.

Configuration Files

  vlan batch 100 200
  nat alg ftp enable
  interface Vlanif100
   ip address 192.168.20.1 255.255.255.0
  interface Vlanif200
   ip address 10.0.0.1 255.255.255.0
  interface Ethernet0/0/0
   port link-type access
   port default vlan 100
  interface Ethernet0/0/1
   port link-type access
   port default vlan 200
  interface Ethernet2/0/0
   ip address 202.169.10.1 255.255.255.0
   nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
   nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
  ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
  return

1.4.3 Example for Configuring Outbound NAT

Networking Requirements

As shown in Figure 1, the intranet of area A is connected to the wide area network (WAN) through the AR1200, on which the network address translation (NAT) function is enabled. To protect company A's intranet, the host addresses of area A on the network segment 192.168.20.0/24 must be replaced with IP addresses from the public address pool 202.169.10.100-202.169.10.200. The hosts of area A can then access servers on the WAN.

The intranet of area B is also connected to the WAN through the AR1200. Only a few public IP addresses are allocated to area B. To save public IP addresses and improve the security of company B's intranet, the host addresses of area B on the network segment 10.0.0.0/24 must be replaced with IP addresses from the public address pool 202.169.10.80-202.169.10.83. The hosts of company B can then access servers on the WAN.

The public address of Ethernet2/0/0 on the AR1200 is 202.169.10.1/24, and the carrier device interface connected to the AR1200 has the address 202.169.10.2/24.

Figure 1 Network diagram for configuring outbound NAT

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure a default route.
3. Configure outbound NAT on the WAN-side interface to allow internal hosts to access external networks.

Procedure

1. Configure IP addresses for the interfaces of the AR1200.
  <Huawei> system-view
  [Huawei] vlan 100
  [Huawei-vlan100] quit
  [Huawei] interface vlanif 100
  [Huawei-Vlanif100] ip address 192.168.20.1 24
  [Huawei-Vlanif100] quit
  [Huawei] interface Ethernet 0/0/0
  [Huawei-Ethernet0/0/0] port link-type access
  [Huawei-Ethernet0/0/0] port default vlan 100
  [Huawei-Ethernet0/0/0] quit
  [Huawei] vlan 200
  [Huawei-vlan200] quit
  [Huawei] interface vlanif 200
  [Huawei-Vlanif200] ip address 10.0.0.1 24
  [Huawei-Vlanif200] quit
  [Huawei] interface Ethernet 0/0/1
  [Huawei-Ethernet0/0/1] port link-type access
  [Huawei-Ethernet0/0/1] port default vlan 200
  [Huawei-Ethernet0/0/1] quit
  [Huawei] interface ethernet 2/0/0
  [Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
  [Huawei-Ethernet2/0/0] quit

2. On the AR1200, configure a static route with the next hop address 202.169.10.2.
  [Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

3. Configure outbound NAT on the AR1200.
  [Huawei] nat address-group 1 202.169.10.100 202.169.10.200
  [Huawei] nat address-group 2 202.169.10.80 202.169.10.83
  [Huawei] acl 2000
  [Huawei-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
  [Huawei-acl-basic-2000] quit
  [Huawei] acl 2001
  [Huawei-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
  [Huawei-acl-basic-2001] quit
  [Huawei] interface ethernet 2/0/0
  [Huawei-Ethernet2/0/0] nat outbound 2000 address-group 1 no-pat
  [Huawei-Ethernet2/0/0] nat outbound 2001 address-group 2
  [Huawei-Ethernet2/0/0] quit

4. Verify the configuration.
Run the display nat outbound command on the AR1200. The command output is as follows:
  [Huawei] display nat outbound
  NAT Outbound Information:
  -----------------------------------------------------------------
  Interface      Acl    Address-group/IP/Interface    Type
  -----------------------------------------------------------------
  Ethernet2/0/0  2000   1                             no-pat
  Ethernet2/0/0  2001   2                             pat
  -----------------------------------------------------------------
  Total : 2
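The two rules shown above behave very differently once many hosts are active. The following Python model is added here by the editor and is not part of the Huawei documentation: it reproduces the ACL-to-address-group selection of this example (wildcard 0.0.0.255, group 1 as no-pat, group 2 as pat) so the difference can be exercised offline. Under no-pat every inside host holds one public address exclusively and keeps its port, so the 101 addresses 202.169.10.100-202.169.10.200 serve at most 101 concurrent area-A hosts; under pat the port is rewritten too and many area-B hosts share the four addresses of group 2. The inside host addresses and the port numbering (starting at 10000) are constructed for the example.

```python
from ipaddress import IPv4Address


def acl_matches(rule_src: str, wildcard: str, addr: str) -> bool:
    """Huawei basic ACL match: wildcard bits set to 1 are ignored (0.0.0.255 = one /24)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(rule_src)) & care) == (int(IPv4Address(addr)) & care)


class AddressGroup:
    """One 'nat address-group start end' pool together with its translation state."""

    def __init__(self, start: str, end: str):
        first, last = IPv4Address(start), IPv4Address(end)
        self.addrs = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.no_pat_bindings = {}   # inside ip -> global ip, one public address per host
        self.pat_sessions = {}      # (inside ip, port) -> (global ip, port)

    def no_pat(self, ip, port):
        """no-pat: translate the address only; a host holds its public address exclusively."""
        if ip not in self.no_pat_bindings:
            used = set(self.no_pat_bindings.values())
            free = next((a for a in self.addrs if a not in used), None)
            if free is None:
                return None          # pool exhausted: this host gets no translation at all
            self.no_pat_bindings[ip] = free
        return self.no_pat_bindings[ip], port

    def pat(self, ip, port):
        """pat: rewrite address and port, so many hosts share a few public addresses."""
        key = (ip, port)
        if key not in self.pat_sessions:
            n = len(self.pat_sessions)   # constructed allocation: round-robin address, rising port
            self.pat_sessions[key] = (self.addrs[n % len(self.addrs)], 10000 + n // len(self.addrs))
        return self.pat_sessions[key]


class OutboundNat:
    """The 'nat outbound <acl> address-group <n> [ no-pat ]' rules of one WAN interface."""

    def __init__(self):
        self.rules = []   # (acl source, acl wildcard, group, use_pat) in configuration order

    def add_rule(self, acl_src, wildcard, group, use_pat=True):
        self.rules.append((acl_src, wildcard, group, use_pat))

    def translate(self, src_ip, src_port):
        """(global ip, port); the input unchanged when no ACL matches; None when the pool is full."""
        for acl_src, wildcard, group, use_pat in self.rules:
            if acl_matches(acl_src, wildcard, src_ip):
                return group.pat(src_ip, src_port) if use_pat else group.no_pat(src_ip, src_port)
        return src_ip, src_port


def build_example():
    """Ethernet2/0/0 of this example: ACL 2000 -> group 1 no-pat, ACL 2001 -> group 2 pat."""
    nat = OutboundNat()
    nat.add_rule("192.168.20.0", "0.0.0.255",
                 AddressGroup("202.169.10.100", "202.169.10.200"), use_pat=False)
    nat.add_rule("10.0.0.0", "0.0.0.255",
                 AddressGroup("202.169.10.80", "202.169.10.83"), use_pat=True)
    return nat
```

Running the model with 102 area-A hosts shows the operational point: the 102nd host is not translated at all, which is why no-pat pools need to be sized for peak concurrent hosts and monitored.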

Perform the ping operation on the AR1200.
  <Huawei> ping -a 192.168.20.1 202.169.10.2
    PING 202.169.10.2: 56 data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  <Huawei> ping -a 10.0.0.1 202.169.10.2
    PING 202.169.10.2: 56 data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms

Configuration Files

  vlan batch 100 200
  acl number 2000
   rule 5 permit source 192.168.20.0 0.0.0.255
  acl number 2001
   rule 5 permit source 10.0.0.0 0.0.0.255
  interface Vlanif100
   ip address 192.168.20.1 255.255.255.0
  interface Vlanif200
   ip address 10.0.0.1 255.255.255.0
  interface Ethernet0/0/0
   port link-type access
   port default vlan 100
  interface Ethernet0/0/1
   port link-type access
   port default vlan 200
  interface Ethernet2/0/0
   ip address 202.169.10.1 255.255.255.0
   nat outbound 2000 address-group 1 no-pat
   nat outbound 2001 address-group 2
  nat address-group 1 202.169.10.100 202.169.10.200
  nat address-group 2 202.169.10.80 202.169.10.83
  ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
  return

1.4.4 Example for Configuring Twice NAT

Networking Requirements

As shown in Figure 1, the IP address of PC1 on the private network is the same as the IP address of host A on the public network. When PC2 sends a packet to host A, the packet may be forwarded to PC1 instead. In addition to the ordinary network address translation function, twice NAT on the AR1200 specifies the mapping between the overlapping address pool and the temporary address pool. The overlapping IP address is translated to a unique temporary address so that packets can be forwarded correctly.

Figure 1 Networking diagram for twice NAT configuration

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure DNS mappings to allow users to access servers by using domain names.
3. Map the overlapping address pool to the temporary address pool.
4. Configure outbound NAT to allow internal users to access external networks.

Procedure

1. Configure IP addresses for the interfaces of the AR1200.
  <Huawei> system-view
  [Huawei] vlan 100
  [Huawei-vlan100] quit
  [Huawei] interface vlanif 100
  [Huawei-Vlanif100] ip address 192.168.20.1 24
  [Huawei-Vlanif100] quit
  [Huawei] interface Ethernet 0/0/0
  [Huawei-Ethernet0/0/0] port link-type access
  [Huawei-Ethernet0/0/0] port default vlan 100
  [Huawei-Ethernet0/0/0] quit
  [Huawei] vlan 200
  [Huawei-vlan200] quit
  [Huawei] interface vlanif 200
  [Huawei-Vlanif200] ip address 10.0.0.1 24
  [Huawei-Vlanif200] quit
  [Huawei] interface Ethernet 0/0/1
  [Huawei-Ethernet0/0/1] port link-type access
  [Huawei-Ethernet0/0/1] port default vlan 200
  [Huawei-Ethernet0/0/1] quit
  [Huawei] interface ethernet 2/0/0
  [Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
  [Huawei-Ethernet2/0/0] quit

2. Configure DNS mappings on the AR1200.
  [Huawei] nat alg dns enable
  [Huawei] nat dns-map www.server.com 192.168.20.2 80 tcp

3. Configure the mapping between the overlapping address pool and the temporary address pool on the AR1200.
  [Huawei] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254

4. Configure a static route on the AR1200 from the temporary address pool to the outbound interface Ethernet2/0/0.
  [Huawei] ip route-static 202.169.100.2 32 ethernet 2/0/0 202.169.10.2

5. Configure outbound NAT on the outbound interface Ethernet2/0/0 of the AR1200.
  a. Create an ACL and configure an ACL rule to permit the packets of host A.
    [Huawei] acl 3180
    [Huawei-acl-adv-3180] rule permit ip source 192.168.20.0 0.0.0.255
    [Huawei-acl-adv-3180] quit
  b. Configure the NAT address pool for outbound NAT.
    [Huawei] nat address-group 1 160.160.0.2 160.160.0.254
  c. Configure outbound NAT on the outbound interface Ethernet2/0/0.
    [Huawei] interface ethernet 2/0/0
    [Huawei-Ethernet2/0/0] nat outbound 3180 address-group 1
    [Huawei-Ethernet2/0/0] quit

6. Verify the configuration.
Run the display nat overlap-address all command on the AR1200 to view the mapping between the address pools.
  [Huawei] display nat overlap-address all
  Nat Overlap Address Pool To Temp Address Pool Map Information:
  -------------------------------------------------------------------------------
  Id  Overlap-Address  Temp-Address   Pool-Length  Inside-VPN-Instance-Name
  -------------------------------------------------------------------------------
  0   192.168.20.2     202.169.100.2  254
  -------------------------------------------------------------------------------
  Total : 1

Run the display nat outbound command on the AR1200 to view the outbound NAT information.
  [Huawei] display nat outbound
  NAT Outbound Information:
  -----------------------------------------------------------------
  Interface      Acl    Address-group/IP/Interface    Type
  -----------------------------------------------------------------
  Ethernet2/0/0  3180   1                             pat
  -----------------------------------------------------------------
  Total : 1

Configuration Files

  vlan batch 100 200
  acl number 3180
   rule 5 permit ip source 192.168.20.0 0.0.0.255
  nat alg dns enable
  nat address-group 1 160.160.0.2 160.160.0.254
  nat dns-map www.server.com 192.168.20.2 80 tcp
  nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
  ip route-static 202.169.100.2 255.255.255.255 Ethernet2/0/0 202.169.10.2
  interface Vlanif100
   ip address 192.168.20.1 255.255.255.0
  interface Vlanif200
   ip address 10.0.0.1 255.255.255.0
  interface Ethernet0/0/0
   port link-type access
   port default vlan 100
  interface Ethernet0/0/1
   port link-type access
   port default vlan 200
  interface Ethernet2/0/0
   ip address 202.169.10.1 255.255.255.0
   nat outbound 3180 address-group 1
  return
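To make the address flow of twice NAT (the rules in 1.3.11 and the configuration above) concrete, the following Python model is added by the editor; it is not Huawei code. It applies overlap-address mapping 0 (192.168.20.2 -> 202.169.100.2, pool-length 254) to the destination address and the ACL 3180 / address-group 1 outbound NAT to the source address, in both directions, and enforces the 255-address and 8-entry limits stated in 1.3.11. It assumes PC2 (constructed address 192.168.20.3) already addresses host A by its temporary address 202.169.100.2, and the PAT port sequence starting at 10000 is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

MAX_POOL_LENGTH = 255   # 1.3.11: each pool holds at most 255 consecutive addresses
MAX_MAPPINGS = 8        # 1.3.11: at most 8 overlap/temporary pool mapping entries


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class TwiceNat:
    """Destination: overlap pool <-> temporary pool.  Source: outbound NAT (PAT)."""

    def __init__(self, acl_net: str, pool_start: str, pool_end: str):
        self.inside = IPv4Network(acl_net)          # ACL 3180 in the example
        first, last = IPv4Address(pool_start), IPv4Address(pool_end)
        self.pool = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.maps = {}       # map-index -> (overlap start, temp start, pool-length)
        self.sessions = {}   # (inside ip, port) -> (global ip, port)

    def overlap_address(self, index, overlap_start, temp_start, length):
        """nat overlap-address <index> <overlap-start> <temp-start> pool-length <length>"""
        if not 1 <= length <= MAX_POOL_LENGTH:
            raise ValueError("pool-length must be between 1 and 255")
        if index not in self.maps and len(self.maps) >= MAX_MAPPINGS:
            raise ValueError("at most 8 overlap-address mappings are allowed")
        self.maps[index] = (IPv4Address(overlap_start), IPv4Address(temp_start), length)

    def _remap(self, addr, temp_to_overlap):
        """Shift addr between the two pools; addresses outside every pool stay unchanged."""
        a = IPv4Address(addr)
        for overlap, temp, length in self.maps.values():
            frm, to = (temp, overlap) if temp_to_overlap else (overlap, temp)
            offset = int(a) - int(frm)
            if 0 <= offset < length:
                return str(to + offset)
        return addr

    def outbound(self, pkt):
        """Inside -> WAN: the temporary dst becomes host A's real (overlapping) address."""
        if IPv4Address(pkt.src) not in self.inside:
            return pkt                                  # ACL does not match: no translation
        key = (pkt.src, pkt.sport)
        if key not in self.sessions:                    # constructed PAT allocation
            n = len(self.sessions)
            self.sessions[key] = (self.pool[n % len(self.pool)], 10000 + n)
        gip, gport = self.sessions[key]
        return Packet(gip, gport, self._remap(pkt.dst, temp_to_overlap=True), pkt.dport)

    def inbound(self, pkt):
        """WAN -> inside: host A is shown under its temporary address and the PAT is undone."""
        for (ip, port), (gip, gport) in self.sessions.items():
            if (gip, gport) == (pkt.dst, pkt.dport):
                return Packet(self._remap(pkt.src, temp_to_overlap=False), pkt.sport, ip, port)
        return None                                     # no matching session: dropped
```

The static route of step 4 is what makes this work on the device: traffic for 202.169.100.2 must leave through Ethernet2/0/0 rather than being delivered to PC1 on VLAN 100.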