06-Layer 3 - IP Services Configuration Guide

H3C SR6602-X Routers Configuration Guides-R7607-6W100
05-NAT configuration

Contents

Configuring NAT
Overview
Terminology
NAT types
NAT control
NAT implementations
Static NAT
Dynamic NAT
NAT Server
NAT444
DS-Lite NAT444
NAT entries
NAT session entry
EIM entry
NO-PAT entry
NAT444 entry
Using NAT with other features
VRF-aware NAT
NAT with DNS mapping
NAT with ALG
NAT configuration task list
NAT configuration restrictions and guidelines
Configuring static NAT
Configuration prerequisites
Configuring outbound one-to-one static NAT
Configuring outbound net-to-net static NAT
Configuring object group-based outbound static NAT
Configuring inbound one-to-one static NAT
Configuring inbound net-to-net static NAT
Configuring object group-based inbound static NAT
Configuring dynamic NAT
Configuration restrictions and guidelines
Configuration prerequisites
Configuring outbound dynamic NAT
Configuring inbound dynamic NAT
Configuring NAT Server
Configuring common NAT Server
Configuring load sharing NAT Server
Configuring ACL-based NAT Server
Configuring NAT444
Configuring static NAT444
Configuring dynamic NAT444
Enabling global mapping sharing for dynamic NAT444
Configuring DS-Lite NAT444
Configuring NAT with DNS mapping
Configuring NAT hairpin
Configuring NAT with ALG
Configuring NAT logging
Configuring NAT session logging
Configuring NAT444 user logging
Configuring NAT alarm logging
Configuring port block usage threshold for dynamic NAT444
Enabling sending ICMP error messages for NAT failures
Enabling NAT reply redirection
Enabling the deletion of timestamps in TCP SYN and SYN ACK packets
Displaying and maintaining NAT
NAT configuration examples
Outbound one-to-one static NAT configuration example
Outbound dynamic NAT configuration example (non-overlapping addresses)
Outbound bidirectional NAT configuration example
NAT Server for external-to-internal access configuration example
NAT Server for external-to-internal access through domain name configuration example
Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example
NAT hairpin in C/S mode configuration example
NAT hairpin in P2P mode configuration example
Twice NAT configuration example
Load sharing NAT Server configuration example
NAT with DNS mapping configuration example
Static NAT444 configuration example
Dynamic NAT444 configuration example
DS-Lite NAT444 configuration example
NAT444 gateway unified with BRAS device configuration example


Configuring NAT

Overview

Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server.

Figure 1 NAT operation

As shown in Figure 1:

1.     Upon receiving a request from the host to the server, NAT translates the private source address 192.168.1.3 to the public address 20.1.1.1 and forwards the NATed packet. NAT adds a mapping for the two addresses to its NAT table.

2.     Upon receiving a response from the server, NAT translates the destination public address to the private address, and forwards the packet to the host.

The NAT operation is transparent to the terminals. NAT hides the private network from external users, who see only the public address 20.1.1.1 as the address of the internal host.

Terminology

The following describes NAT terminologies:

·     NAT device—A device configured with NAT.

·     NAT interface—An interface enabled with NAT.

·     NAT entry—Stores the mapping between a private address and a public address. For more information, see "NAT entries."

·     Easy IP—Uses the IP address of an interface as the public address. Easy IP is typically used when the interface address is assigned dynamically, for example through DHCP or PPPoE.

NAT types

Traditional NAT

Traditional NAT applies to the interface connected to the public network. It translates the source IP addresses of outgoing packets and destination IP addresses of incoming packets.

Bidirectional NAT

NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface.

Bidirectional NAT is applied when source and destination addresses overlap.

Twice NAT

Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface. The receiving and sending interfaces are both NAT interfaces.

Twice NAT allows VPNs with overlapping addresses to access each other.

NAT hairpin

NAT hairpin allows internal hosts to access each other through NAT. The source and destination IP address of the packets are translated on the interface connected to the internal network.

NAT hairpin includes P2P and C/S modes:

·     P2P—Allows internal hosts to access each other through NAT.

·     C/S—Allows internal hosts to access internal servers through NAT.

NAT control

You can use ACLs to implement NAT control. The match criteria in the ACLs include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. Only packets permitted by an ACL are processed by NAT.

NAT implementations

Static NAT

Static NAT creates a fixed mapping between a private address and a public address. Because the mapping is permanent, connections can be initiated in both directions, from the internal host and to it. Static NAT is suited to hosts that need a fixed, reachable public address. Keep in mind that the internal host is then reachable from the outside at all times; use the acl keyword of the mapping to limit which packets are translated.

Dynamic NAT

Dynamic NAT uses an address pool to translate addresses. Dynamic NAT includes Not Port Address Translation (NO-PAT) and Port Address Translation (PAT) modes.

NO-PAT

NO-PAT translates a private address to a public address. The public address cannot be used by another internal host until it is released.

NO-PAT supports all IP packets.

PAT

PAT translates multiple private addresses to a single public address by mapping the private address and source port to the public address and a unique port. PAT supports TCP and UDP packets, and ICMP request packets.

Figure 2 PAT operation

As shown in Figure 2, PAT translates the source IP addresses of the three packets to the same public address and translates their port numbers to different port numbers. Upon receiving a response, PAT translates the destination address and port number of the response, and forwards it to the target host.

PAT supports the following mappings:

·     Endpoint-Independent Mapping (EIM)—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destination. Because the mapping does not depend on the destination, an external host can initiate a connection to the translated IP address and port of an internal host without having been contacted first. This is what allows internal hosts behind different NAT gateways to reach each other, but it also exposes each mapped port to any external host for as long as the EIM entry lives, so restrict EIM with an ACL to the hosts that need it.

·     Address and Port-Dependent Mapping (APDM)—Uses a different IP and port mapping for packets from the same source IP and port to each different destination IP address and port. An external host can reach an internal host only through a mapping that the internal host created by contacting that external host first. APDM is the more secure mode, but it does not allow internal hosts behind different NAT gateways to access each other.
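The following Python script is an added illustration of the two mapping behaviors; it is not part of the H3C documentation or device software. It models a PAT table for a single public address (20.1.1.1 from Figure 1; all other addresses and ports are constructed for the example) and shows which inbound packets each mode accepts, following the page's description in which an EIM entry admits any external host while an APDM entry admits only the host the internal side contacted first.

```python
"""PAT mapping behaviour: Endpoint-Independent vs Address-and-Port-Dependent.

Added illustration, not H3C code.  A minimal PAT table that allocates public
ports from one public address and answers the question that matters for
exposure: which inbound packets does each mapping mode let through?
"""
from dataclasses import dataclass, field

PUBLIC_IP = "20.1.1.1"   # public address from Figure 1; everything else is constructed


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class PatTable:
    mode: str                                   # "EIM" or "APDM"
    next_port: int = 10001                      # next free public port (constructed range)
    # EIM: key is the internal (ip, port); APDM: key also includes the remote endpoint
    mappings: dict = field(default_factory=dict)

    def _key(self, src: Endpoint, dst: Endpoint):
        return src if self.mode == "EIM" else (src, dst)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet: reuse an existing entry or allocate a port."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = (Endpoint(PUBLIC_IP, self.next_port), src, dst)
            self.next_port += 1
        return self.mappings[key][0]

    def inbound(self, remote: Endpoint, public: Endpoint):
        """Return the internal endpoint for an incoming packet, or None if it is dropped."""
        for pub, src, dst in self.mappings.values():
            if pub != public:
                continue
            if self.mode == "EIM":
                return src            # any remote host may use the mapping
            if dst == remote:
                return src            # APDM: only the host the inside contacted first
        return None


def demo(mode: str) -> dict:
    """Run the same three-packet scenario under one mapping mode."""
    nat = PatTable(mode)
    host = Endpoint("192.168.1.3", 40000)         # internal host from Figure 1
    server_a = Endpoint("203.0.113.10", 80)       # contacted from inside
    server_b = Endpoint("203.0.113.20", 80)       # also contacted from inside
    stranger = Endpoint("198.51.100.7", 5555)     # never contacted from inside
    pub_a = nat.outbound(host, server_a)
    pub_b = nat.outbound(host, server_b)
    return {
        "same_public_port_for_both_destinations": pub_a == pub_b,
        "reply_from_a_accepted": nat.inbound(server_a, pub_a) == host,
        "unsolicited_from_stranger_accepted": nat.inbound(stranger, pub_a) == host,
    }


if __name__ == "__main__":
    for m in ("EIM", "APDM"):
        print(m, demo(m))
```

Under EIM the stranger's packet to the mapped port is delivered to the internal host; under APDM it is dropped because no entry pairs that remote endpoint with the mapping. This is the trade-off the nat mapping-behavior endpoint-independent command makes, and why it accepts an ACL.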

NAT Server

The NAT Server feature maps a public address and port number to the private IP address and port number of an internal server. This feature allows servers in the private network to provide services for external users.

Figure 3 NAT Server operation

Figure 3 displays how NAT Server works:

1.     Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.

2.     Upon receiving a response from the server, NAT translates the private source IP address and port number to the public IP address and port number.

NAT444

NAT444 provides carrier-grade NAT. It is a preferred solution for carriers to mitigate IPv4 address exhaustion. It introduces a second layer of NAT on the carrier side, with few changes on the customer side and the application server side.

NAT444 provides port block-based PAT translation. It maps multiple private IP addresses to one public IP address and uses a different port block for each private IP address. For example, the private IP address 10.1.1.1 of an internal host is mapped to the public IP address 202.1.1.1 and port block 10001 to 10256. When the internal host accesses public hosts, the source IP address 10.1.1.1 is translated to 202.1.1.1, and the source ports are translated to ports in the port block 10001 to 10256.

NAT444 includes static NAT444 and dynamic NAT444.

As shown in Figure 4, the NAT444 architecture includes the following entities:

·     CPE—Provides NAT services on the customer side.

·     BRAS—Provides Internet access services.

·     NAT444 gateway—Provides carrier-grade NAT services.

·     AAA server—Cooperates with BRAS to provide user authentication, authorization, and accounting services.

·     Log server—Records user access logs and responds to queries for user access information.

The AAA server authenticates the internal users and starts accounting after users pass the authentication. The BRAS device assigns private IP addresses to authenticated users. When a user accesses the external network, the NAT444 gateway assigns the user a public IP address and port block, and sends the mapping to the log server. The next time the user accesses the external network, the NAT444 gateway assigns a new mapping if the former mapping ages out and sends the new mapping to the log server. The log server uses the mappings for user tracing.

Figure 4 NAT444 application diagram

Static NAT444

The NAT444 gateway computes a static NAT444 mapping before address translation. The mapping is between a private IP address and a public IP address with a port block.

The NAT444 gateway uses private IP addresses, public IP addresses, a port range, and a port block size to compute static mappings:

1.     Divides the port range by the port block size to get the number of available port blocks for each public IP address.

This value is the base number for mapping.

2.     Sorts the port blocks in ascending order of the start port number in each block.

3.     Sorts the private IP addresses and the public IP addresses separately in ascending order.

4.     Maps the first base number of private IP addresses to the first public IP address and its port blocks in ascending order.

For example, the number of available port blocks of each public IP address is m. The first m private IP addresses are mapped to the first public IP address and the m port blocks in ascending order. The next m private IP addresses are mapped to the second IP address and the m port blocks in ascending order. The other static NAT444 mappings are created by analogy.

Dynamic NAT444

Dynamic NAT444 works as follows:

1.     Creates a mapping from the internal host's private IP address to a public IP address and a port block when the host initiates a connection to the public network.

2.     Translates the private IP address to the public IP address, and the source ports to ports in the selected port block for subsequent connections from the private IP address.

3.     Withdraws the port block and deletes the dynamic NAT444 mapping when all connections from the private IP address are disconnected.

Dynamic NAT444 uses ACLs to implement translation control. It processes only packets that match an ACL permit rule.

Dynamic NAT444 supports port block extending. If the ports in the port block for a private address are all occupied, dynamic NAT444 translates the source port to a port in an extended port block.
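The following Python script is an added illustration covering both the static NAT444 mapping computation described under "Static NAT444" and the allocate-on-demand behavior described under "Dynamic NAT444" above. It is not H3C code; the addresses, port range and block size are constructed for the example. The static part follows the four steps on the page (block count per public address as the base number, blocks sorted by start port, both address lists sorted, private addresses mapped in order). The dynamic part models assignment on the first connection, port block extending when a block is full, and withdrawal of the blocks when the last session closes.

```python
"""NAT444 port-block mapping: static computation and dynamic allocation.

Added illustration, not H3C code.  All addresses and port parameters are
constructed for the example.
"""
from ipaddress import IPv4Address


def port_blocks(port_range, block_size):
    """Steps 1-2: split the port range into equal blocks, ascending by start port.
    len(result) is the 'base number' of blocks available per public IP."""
    start, end = port_range
    count = (end - start + 1) // block_size
    return [(start + i * block_size, start + (i + 1) * block_size - 1) for i in range(count)]


def static_nat444(private_ips, public_ips, port_range, block_size):
    """Steps 3-4: sort both address lists and map the first m private IPs onto the
    first public IP and its m blocks, the next m onto the second public IP, and so on.
    Returns {private_ip: (public_ip, (low_port, high_port))}."""
    blocks = port_blocks(port_range, block_size)
    m = len(blocks)
    privs = sorted(private_ips, key=IPv4Address)
    pubs = sorted(public_ips, key=IPv4Address)
    if len(privs) > m * len(pubs):
        raise ValueError("not enough public IP/port-block pairs for the private addresses")
    return {p: (pubs[i // m], blocks[i % m]) for i, p in enumerate(privs)}


class DynamicNat444:
    """Port blocks handed out on the first connection and returned on the last close."""

    def __init__(self, public_ips, port_range, block_size):
        self.free = [(ip, blk) for ip in sorted(public_ips, key=IPv4Address)
                     for blk in port_blocks(port_range, block_size)]
        # private_ip -> {"blocks": [(pub_ip, (lo, hi)), ...], "sessions": {src_port: (pub_ip, pub_port)}}
        self.users = {}

    def _take_block(self):
        if not self.free:
            raise RuntimeError("NAT444 port blocks exhausted")
        return self.free.pop(0)

    @staticmethod
    def _free_port(blocks, used):
        for pub_ip, (lo, hi) in blocks:
            for port in range(lo, hi + 1):
                if (pub_ip, port) not in used:
                    return (pub_ip, port)
        return None

    def translate(self, private_ip, src_port):
        """Return the (public_ip, public_port) for a new or existing session."""
        u = self.users.setdefault(private_ip, {"blocks": [], "sessions": {}})
        if src_port in u["sessions"]:
            return u["sessions"][src_port]          # existing session keeps its mapping
        if not u["blocks"]:
            u["blocks"].append(self._take_block())  # first connection: assign a block
        used = set(u["sessions"].values())
        mapping = self._free_port(u["blocks"], used)
        if mapping is None:                         # block full: port block extending
            u["blocks"].append(self._take_block())
            mapping = self._free_port(u["blocks"][-1:], used)
        u["sessions"][src_port] = mapping
        return mapping

    def close(self, private_ip, src_port):
        """Tear down one session; withdraw all blocks when the last one closes."""
        u = self.users[private_ip]
        del u["sessions"][src_port]
        if not u["sessions"]:
            self.free.extend(u["blocks"])
            del self.users[private_ip]


def demo_static():
    privs = [f"10.1.1.{i}" for i in range(1, 6)]            # five private hosts
    # 768 ports / 256 per block = 3 blocks per public IP, so hosts 4 and 5 land on the second IP
    return static_nat444(privs, ["202.1.1.2", "202.1.1.1"], (10001, 10768), 256)


def demo_dynamic():
    nat = DynamicNat444(["202.1.1.1"], (10001, 10016), 4)     # 4 blocks of 4 ports
    first = nat.translate("10.1.1.1", 50000)                 # block 10001-10004 assigned
    for sp in range(50001, 50004):                           # fill the rest of the block
        nat.translate("10.1.1.1", sp)
    fifth = nat.translate("10.1.1.1", 50004)                 # extended block 10005-10008
    blocks_held = len(nat.users["10.1.1.1"]["blocks"])
    for sp in range(50000, 50005):
        nat.close("10.1.1.1", sp)
    return first, fifth, blocks_held, len(nat.free)           # all 4 blocks back in the pool


if __name__ == "__main__":
    print(demo_static())
    print(demo_dynamic())
```

For user tracing, the static case is fully determined by the configuration (given the address lists, range and block size, anyone can recompute which private host owned a public IP and port at any time), whereas the dynamic case is only traceable if every assignment and withdrawal is logged, which is why the page ties dynamic NAT444 to the log server.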

NAT444 gateway unified with BRAS device

NAT444 gateway and BRAS device unification is supported only for PPP users.

To unify the NAT444 gateway and BRAS device, specify the user address type in the ISP domain. Supported user address types include private IPv4 address, private-DS address, and DS-Lite address.

As shown in Figure 5, the NAT444 gateway and BRAS device function as follows after the unification:

1.     After a user of the specified address type passes authentication and obtains a private address, NAT444 immediately assigns a public IP address and a port block to the user.

2.     NAT444 sends the NAT444 mapping to the BRAS.

3.     The BRAS records the mapping and reports it to the AAA server.

Compared to the separation of BRAS and NAT444, the unification provides the following functions:

·     If the NAT444 resources have been used up, the BRAS logs off the user, which ensures accurate accounting on the AAA server.

·     The AAA server maintains one mapping for each online user until the user goes offline. This solution implements user tracing without requiring an extra log server.

Figure 5 NAT444 gateway unified with BRAS device

NOTE:

If the NAT444 configuration changes, the NAT444 mappings for online users also change. The change cannot be synchronized to the AAA server, which affects user tracing accuracy. As a best practice, log off the users immediately after you change the NAT444 configuration. When the users come online again, NAT444 creates new mappings for them.

DS-Lite NAT444

DS-Lite combines tunneling and NAT to allow an IPv4 private network to access the IPv4 public network over an IPv6 network. For more information about DS-Lite, see "Configuring tunneling."

DS-Lite NAT444 is configured on the AFTR and performs dynamic NAT444 based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host. DS-Lite NAT444 dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

DS-Lite NAT444 supports user tracing for DS-Lite hosts based on the port block.

Figure 6 DS-Lite NAT444

NAT entries

NAT session entry

NAT creates a NAT session entry for a session and creates an address mapping for the first packet in the session.

A NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry.

The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.

EIM entry

An EIM entry maps a private address/port to a public address/port. The same EIM entry applies to subsequent connections originating from the same source IP and port.

An EIM entry ages out after all related NAT session entries age out.

NO-PAT entry

A NO-PAT entry maps a private address to a public address. The same mapping applies to subsequent connections originating from the same source IP.

A NO-PAT entry can also be created during the ALG process for NAT. For information about NAT with ALG, see "NAT with ALG."

A NO-PAT entry ages out after all related NAT session entries age out.

NAT444 entry

A NAT444 entry maps a private IP address to a public IP address and a port block.

NAT444 entries include static and dynamic NAT444 mappings. For information about these mappings, see "Static NAT444" and "Dynamic NAT444."

Using NAT with other features

VRF-aware NAT

VRF-aware NAT allows users in different VRFs (VPN instances) to access external networks and to access each other.

1.     Upon receiving a request from a user in a VRF to an external network, NAT performs the following tasks:

○     Translates the private source IP address and port number to a public IP address and port number.

○     Records the VRF information, such as the VRF name.

2.     When a response packet arrives, NAT performs the following tasks:

○     Translates the destination public IP address and port number to the private IP address and port number.

○     Forwards the packet to the target VRF.

NAT with DNS mapping

NAT with DNS mapping allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network.

NAT with DNS mapping must operate with the NAT Server feature.

Figure 7 NAT with DNS mapping

As shown in Figure 7, NAT with DNS mapping works as follows:

1.     The host sends a DNS request containing the domain name of the internal Web server.

2.     Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response. A DNS mapping for NAT maps the domain name to the public IP address, public port number, and the protocol type for the internal server.

3.     If a match is found, the NAT continues to compare the public address, public port number, and the protocol type with the NAT Server configuration. The NAT Server configuration maps the public IP address and port number to the private IP address and port number for the internal server.

4.     If a match is found, NAT translates the public IP address in the response into the private IP address of the Web server.

5.     The internal host receives the DNS response, and obtains the private IP address of the Web server.

DNS mapping can also be used by DNS ALG. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.
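The following Python script is an added illustration of the lookup chain described above; it is not H3C code. The NAT Server entries, DNS mappings and host names are constructed for the example (20.1.1.1 is the public address from Figure 1). It shows why the public IP alone is not enough for DNS ALG when two internal servers share one public address, and how a DNS mapping (domain to public IP, port and protocol) selects the right NAT Server entry and rewrites the answer. The check that the answer actually carries the mapped public address is this example's own conservative choice, not something the page states.

```python
"""NAT with DNS mapping: rewriting a DNS answer for an internal client.

Added illustration, not H3C code.  Names, addresses and the NAT Server table
are constructed for the example.
"""
from typing import NamedTuple


class NatServer(NamedTuple):
    public_ip: str
    public_port: int
    proto: str
    private_ip: str
    private_port: int


class DnsMapping(NamedTuple):
    public_ip: str
    public_port: int
    proto: str


# Two internal servers behind the same public address (constructed)
NAT_SERVERS = [
    NatServer("20.1.1.1", 80, "tcp", "192.168.1.10", 8080),   # web
    NatServer("20.1.1.1", 21, "tcp", "192.168.1.20", 21),     # ftp
]

# DNS mappings for NAT: domain -> public IP, public port, protocol (constructed)
DNS_MAPPINGS = {
    "www.example.com": DnsMapping("20.1.1.1", 80, "tcp"),
    "ftp.example.com": DnsMapping("20.1.1.1", 21, "tcp"),
}


def candidates_by_ip(answer_ip, nat_servers=NAT_SERVERS):
    """What DNS ALG can resolve from the public IP alone: possibly several servers."""
    return sorted({s.private_ip for s in nat_servers if s.public_ip == answer_ip})


def rewrite_dns_answer(domain, answer_ip, dns_mappings=DNS_MAPPINGS, nat_servers=NAT_SERVERS):
    """Return the address the internal host should receive for this DNS answer.

    Follows steps 2-4 on the page: look up the domain in the DNS mappings,
    compare the mapping's public IP/port/protocol with the NAT Server entries,
    and on a match replace the public IP in the answer with the private IP.
    With no match the answer is passed through unchanged.
    """
    m = dns_mappings.get(domain)
    if m is None or m.public_ip != answer_ip:
        return answer_ip                       # no mapping, or answer does not carry the mapped IP
    for s in nat_servers:
        if (s.public_ip, s.public_port, s.proto) == (m.public_ip, m.public_port, m.proto):
            return s.private_ip
    return answer_ip                           # mapping exists but no NAT Server entry matches


if __name__ == "__main__":
    print("by IP only:", candidates_by_ip("20.1.1.1"))
    for name in ("www.example.com", "ftp.example.com", "other.example.com"):
        print(name, "->", rewrite_dns_answer(name, "20.1.1.1"))
```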

NAT with ALG

NAT with ALG translates address or port information in the application layer payloads to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT with ALG to translate the address and port information for data connection establishment.

NAT configuration task list

Tasks at a glance:

·     Perform one or more of the following tasks:

○     Configuring static NAT

○     Configuring dynamic NAT

○     Configuring NAT Server

○     Configuring NAT444

○     Configuring DS-Lite NAT444

If you perform all the tasks on an interface, the NAT rules are matched in the following order:

1.     NAT Server.

2.     Static NAT.

3.     Static NAT444.

4.     Dynamic NAT, dynamic NAT444, and DS-Lite NAT444. These have the same priority. Dynamic NAT rules and dynamic NAT444 rules are sorted in descending order of ACL numbers and apply to IPv4 packets. DS-Lite NAT444 rules apply to IPv6 packets.

·     (Optional.) Configuring NAT with DNS mapping

·     (Optional.) Configuring NAT hairpin

·     (Optional.) Configuring NAT with ALG

·     (Optional.) Configuring NAT logging

·     (Optional.) Enabling sending ICMP error messages for NAT failures

·     (Optional.) Enabling NAT reply redirection

·     (Optional.) Enabling the deletion of timestamps in TCP SYN and SYN ACK packets

NAT configuration restrictions and guidelines

If NAT is configured on an aggregate interface, you must specify a traffic processing slot for the interface. For more information about Ethernet link aggregation, see Layer 2—LAN Switching Configuration Guide.

If fast forwarding load sharing is enabled, response packets sent or received on a different interface than request packets are NATed according to fast forwarding entries. If fast forwarding load sharing is disabled, these packets cannot be NATed. For more information about fast forwarding load sharing, see "Configuring fast forwarding."

Configuring static NAT

Static NAT includes one-to-one static NAT and net-to-net static NAT for outbound and inbound translation. Do not configure inbound static NAT alone. Typically, inbound static NAT functions with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT.

Configuration prerequisites

Perform the following tasks before configuring static NAT:

·     Configure an ACL to identify the IP addresses to be translated. The match criteria include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. For more information about ACLs, see ACL and QoS Configuration Guide.

·     Manually add a route for inbound static NAT. Use local-ip or local-network as the destination address, and use global-ip, an address in global-network, or the next hop directly connected to the output interface as the next hop.

Configuring outbound one-to-one static NAT

For address translation from a private IP address to a public IP address, configure outbound one-to-one static NAT on the interface connected to the external network.

·     When the source IP address of a packet from the private network matches the local-ip, the source IP address is translated into the global-ip.

·     When the destination IP address of a packet from the public network matches the global-ip, the destination IP address is translated into the local-ip.

To configure outbound one-to-one static NAT:

1.     Enter system view.
       system-view

2.     Configure a one-to-one mapping for outbound static NAT.
       nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
       By default, no mappings exist. If you specify the acl keyword, NAT processes only packets permitted by the ACL.

3.     Return to system view.
       quit

4.     Enter interface view.
       interface interface-type interface-number

5.     Enable static NAT on the interface.
       nat static enable
       By default, static NAT is disabled.

Configuring outbound net-to-net static NAT

For address translation from a private network to a public network, configure outbound net-to-net static NAT on the interface connected to the external network.

·     When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range.

·     When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.

To configure outbound net-to-net static NAT:

1.     Enter system view.
       system-view

2.     Configure a net-to-net mapping for outbound static NAT.
       nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
       By default, no mappings exist. If you specify the acl keyword, NAT processes only packets permitted by the ACL.

3.     Return to system view.
       quit

4.     Enter interface view.
       interface interface-type interface-number

5.     Enable static NAT on the interface.
       nat static enable
       By default, static NAT is disabled.

Configuring object group-based outbound static NAT

Configure object group-based outbound static NAT on the interface connected to the external network to translate private IP addresses into public IP addresses.

·     When the source address of a packet from the private network matches the private address object group, the source address is translated into a public address in the public address object group.

·     When the destination address of a packet from the public network matches the public address object group, the destination address is translated into a private address in the private address object group.

An IPv4 address object group used by an object group-based outbound static NAT mapping can only contain a host object or a subnet object. Otherwise, the configuration does not take effect.

To configure object group-based outbound static NAT:

1.     Enter system view.
       system-view

2.     Configure an object group-based outbound static NAT mapping.
       nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
       By default, no mappings exist. If you specify the acl keyword, NAT processes only packets permitted by the ACL.

3.     Return to system view.
       quit

4.     Enter interface view.
       interface interface-type interface-number

5.     Enable static NAT on the interface.
       nat static enable
       By default, static NAT is disabled.

Configuring inbound one-to-one static NAT

For address translation from a public IP address to a private IP address, configure inbound one-to-one static NAT.

·     When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip.

·     When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.

To configure inbound one-to-one static NAT:

1.     Enter system view.
       system-view

2.     Configure a one-to-one mapping for inbound static NAT.
       nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
       By default, no mappings exist. If you specify the acl keyword, NAT processes only packets permitted by the ACL.

3.     Return to system view.
       quit

4.     Enter interface view.
       interface interface-type interface-number

5.     Enable static NAT on the interface.
       nat static enable
       By default, static NAT is disabled.

Configuring inbound net-to-net static NAT

For address translation from a public network to a private network, configure inbound net-to-net static NAT.

·     When the source IP address of a packet from the public network matches the public address range, the source IP address is translated into a private address in the private address range.

·     When the destination IP address of a packet from the private network matches the private address range, the destination IP address is translated into a public address in the public address range.

To configure inbound net-to-net static NAT:

1.     Enter system view.
       system-view

2.     Configure a net-to-net mapping for inbound static NAT.
       nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
       By default, no mappings exist. If you specify the acl keyword, NAT processes only packets permitted by the ACL.

3.     Return to system view.
       quit

4.     Enter interface view.
       interface interface-type interface-number

5.     Enable static NAT on the interface.
       nat static enable
       By default, static NAT is disabled.

Configuring object group-based inbound static NAT

Configure object group-based inbound static NAT to translate public IP addresses into private IP addresses.

·     When the source address of a packet from the public network matches the public address object group, the source address is translated into a private address in the private address object group.

·     When the destination address of a packet from the private network matches the private address object group, the destination address is translated into a public address in the public address object group.

An IPv4 address object group used by an object group-based inbound static NAT mapping can only contain a host object or a subnet object. Otherwise, the configuration does not take effect.

To configure object group-based inbound static NAT:

1.     Enter system view.
       system-view

2.     Configure an object group-based inbound static NAT mapping.
       nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
       By default, no mappings exist. If you specify the acl keyword, NAT processes only packets permitted by the ACL.

3.     Return to system view.
       quit

4.     Enter interface view.
       interface interface-type interface-number

5.     Enable static NAT on the interface.
       nat static enable
       By default, static NAT is disabled.

Configuring dynamic NAT

Dynamic NAT translates a group of private IP addresses into a smaller number of public addresses. You can specify an address group (or the IP address of an interface) and an ACL to implement dynamic NAT.

Configuration restrictions and guidelines

When you configure dynamic NAT, follow these restrictions and guidelines:

·     You can configure multiple inbound or outbound dynamic NAT rules.

·     A NAT rule with an ACL takes precedence over a rule without any ACL.

·     The priority for the ACL-based dynamic NAT rules depends on ACL number. A higher ACL number represents a higher priority.

Configuration prerequisites

Perform the following tasks before configuring dynamic NAT:

·     Configure an ACL to identify the IP addresses to be translated. The match criteria include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. For more information about ACLs, see ACL and QoS Configuration Guide.

·     Determine whether to enable the Easy IP feature. If you use the IP address of an interface as the public address, you are configuring Easy IP.

·     Determine a public IP address pool for address translation.

·     Determine whether to translate port numbers. Use NO-PAT to translate only IP addresses and PAT to translate both IP addresses and port numbers.

Configuring outbound dynamic NAT

To translate private IP addresses into public IP addresses, configure outbound dynamic NAT on the interface connected to the external network.

The source IP addresses of the outgoing packets that match the ACL permit rule are translated into IP addresses in the address group.

The reversible keyword enables the device to perform the following operations:

·     Compare the destination IP address in the first packet from the public network with existing NO-PAT entries.

·     Translate the destination address into the private address in a matching NO-PAT entry.

In other words, reversible lets an external host initiate a connection to any internal host that currently holds a NO-PAT entry. Use it only where that inbound access is intended, and limit the rule with an ACL.

To configure outbound dynamic NAT:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure an address group and enter its view.

nat address-group group-id [ name group-name ]

By default, no address groups exist.

3.     Add an address range to the address group.

address start-address end-address

By default, no address ranges exist.

You can add multiple address ranges to an address group. The address ranges must not overlap.

4.     Return to system view.

quit

N/A

5.     Enter interface view.

interface interface-type interface-number

N/A

6.     Configure outbound dynamic NAT.

·     Configure NO-PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ disable ] [ description text ]

·     Configure PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group { group-id | name group-name } ] [ vpn-instance vpn-instance-name ] [ port-preserved ] [ disable ] [ description text ]

By default, no outbound dynamic NAT rules exist.

You can configure multiple outbound dynamic NAT rules on an interface.

7.     Return to system view.

quit

N/A

8.     (Optional.) Configure a PAT mapping mode.

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

The default mapping mode is Address and Port-Dependent Mapping.

This command takes effect only on outbound dynamic NAT for PAT.
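The difference between the default mapping mode and EIM is easiest to see in a small model. The following Python is an added example written for this edit, not H3C code: it models one public address, with the default mode keying each mapping on the internal and remote endpoints and EIM keying it on the internal endpoint only. The optional `acl` predicate stands in for the ACL on nat mapping-behavior endpoint-independent, and all addresses and ports are constructed sample values.

```python
"""Model of the two PAT mapping behaviours on this page: the default
Address-and-Port-Dependent Mapping (APDM) and Endpoint-Independent
Mapping (EIM). Illustrative model only, not the router's implementation."""


class PatTranslator:
    """Outbound PAT behind one public address with a contiguous port range."""

    def __init__(self, public_ip, mode="apdm", acl=None, port_range=(1024, 65535)):
        if mode not in ("apdm", "eim"):
            raise ValueError("mode must be 'apdm' or 'eim'")
        self.public_ip = public_ip
        self.mode = mode
        # acl plays the role of the optional ACL on the mapping-behavior
        # command: EIM applies only to internal endpoints it accepts.
        self.acl = acl
        self.next_port, self.last_port = port_range
        self.mappings = {}  # key -> (public_ip, public_port)

    def _key(self, internal, external):
        if self.mode == "eim" and (self.acl is None or self.acl(internal)):
            return ("eim", internal)             # one mapping per internal endpoint
        return ("apdm", internal, external)      # one mapping per internal+remote pair

    def translate(self, internal, external):
        """Public (ip, port) for packets from `internal` to `external`, creating a
        mapping on first use. Returns None when the port range is exhausted."""
        key = self._key(internal, external)
        if key not in self.mappings:
            if self.next_port > self.last_port:
                return None                      # NAT resources exhausted: drop
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.mappings[key]


def p2p_registration_works(eim):
    """The hairpin P2P flow from this page: host A registers its public endpoint
    with an external server, then talks to peer B from the same internal socket.
    True when B receives A's traffic from the endpoint A registered."""
    nat = PatTranslator("202.38.1.2", mode="eim" if eim else "apdm")
    host_a = ("192.168.1.10", 40000)          # constructed internal endpoint
    rendezvous = ("200.1.1.10", 3478)         # constructed external server
    peer_b = ("203.0.113.7", 50000)           # constructed peer
    registered = nat.translate(host_a, rendezvous)
    seen_by_b = nat.translate(host_a, peer_b)
    return registered == seen_by_b
```

Under EIM the second flow from the same internal socket reuses the first mapping, which is what the P2P hairpin mode relies on; under the default mode every remote endpoint gets its own public port, so the endpoint a host registered is useless to its peer. Because an EIM mapping is the same toward every remote endpoint, scope it with the acl option to the traffic that needs it rather than enabling it for everything.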

 

Configuring inbound dynamic NAT

Inbound dynamic NAT enables translation from public IP addresses to private IP addresses. Do not configure it alone. Typically, inbound dynamic NAT functions with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT.

The source IP address of a packet received from the external network and permitted by the ACL is translated into an address in the address group. For inbound dynamic NAT, the address group therefore holds the addresses that internal hosts see as the source of the translated packets, so the internal network must be able to route replies to those addresses back to the NAT interface; that is what the add-route keyword or a manually configured route provides.

The add-route keyword enables the device to automatically add a route destined for the private address when an inbound dynamic NAT rule is matched. The output interface is the NAT interface, and the next hop is the source address before translation. If you do not specify this keyword, you must manually add the route. As a best practice, manually create a route because it takes time to automatically add routes.

The reversible keyword enables the device to perform the following operations:

·     Compare the destination IP address in the first packet from the private network with existing NO-PAT entries.

·     Translate the destination address into the public address in a matching NO-PAT entry.

Inbound dynamic NAT does not support Easy IP.

To configure inbound dynamic NAT:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure an address group and enter its view.

nat address-group group-id [ name group-name ]

By default, no address groups exist.

3.     Add an address range to the address group.

address start-address end-address

By default, no address ranges exist.

You can add multiple address ranges to an address group. The address ranges must not overlap.

4.     Return to system view.

quit

N/A

5.     Enter interface view.

interface interface-type interface-number

N/A

6.     Configure inbound dynamic NAT.

nat inbound { ipv4-acl-number | name ipv4-acl-name } address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] [ no-pat [ reversible ] [ add-route ] ] [ disable ] [ description text ]

By default, no inbound dynamic NAT rules exist.

You can configure multiple inbound dynamic NAT rules on an interface.

 

Configuring NAT Server

To configure NAT Server, map a public IP address and port number to the private IP address and port number of an internal server on the interface connected to the external network.

An internal server can be located in a common private network or a VPN instance. The NAT Server feature supports VRF-aware NAT for external users to access the servers in a VPN instance. For example, to enable a host at 10.110.1.1 in VPN 1 to provide Web services for Internet users, configure NAT Server to use 202.110.10.20 as the public IP address of the Web server.

If you specify the acl keyword for the common NAT Server or load sharing NAT Server configuration, only packets matching the ACL permit rule are translated. The match criteria include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance.

Configuring common NAT Server

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Configure one or more common NAT Server mappings.

·     A single public address with a single or no public port:
nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ disable ] [ description text ]

·     A single public address with consecutive public ports:
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]

·     Consecutive public addresses with a single or no public port:
nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]

·     Consecutive public addresses with a single public port:
nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside local-address local-port1 local-port2 [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]

By default, no NAT Server mappings exist.

You can configure multiple NAT Server mappings on an interface.

 

Configuring load sharing NAT Server

You can add multiple internal servers to an internal server group so that these servers provide the same service for external hosts. The NAT device chooses one internal server based on the weight and number of connections of the servers to respond to a request from an external host to the public address of the internal server group.

When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:

·     One public address and N consecutive public port numbers are mapped to one internal server group.

·     N consecutive public addresses and one public port number are mapped to one internal server group.

To configure load sharing NAT Server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a NAT Server group and enter its view.

nat server-group group-id

By default, no NAT Server groups exist.

3.     Add an internal server into the group.

inside ip inside-ip port port-number [ weight weight-value ]

By default, no internal servers exist.

You can add multiple internal servers to a group.

4.     Return to system view.

quit

N/A

5.     Enter interface view.

interface interface-type interface-number

N/A

6.     Configure load sharing NAT Server.

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]

By default, no load sharing NAT Server mappings exist.

You can configure multiple load sharing NAT Server mappings on an interface.

 

Configuring ACL-based NAT Server

ACL-based NAT Server is an extension of common NAT Server. Common NAT Server maps the private IP address of the internal server to a single public IP address. ACL-based NAT Server maps the private IP address of the internal server to a set of public IP addresses defined by an ACL. If the destination address of a packet matches a permit rule, the destination address is translated into the private IP address of the internal server. Scope the permit rules tightly: every destination address the ACL permits becomes a public face of the internal server, including any address you did not intend to expose.

To configure ACL-based NAT Server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Configure ACL-based NAT Server.

nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ disable ] [ description text ]

By default, no ACL-based NAT Server mappings exist.

You can configure multiple NAT Server mappings on an interface.

 

Configuring NAT444

NAT444 provides outbound address translation, and it is configured on the interface connected to the public network.

Configuring static NAT444

Static NAT444 is applicable when the private IP addresses are fixed.

To configure static NAT444:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a NAT port block group, and enter its view.

nat port-block-group group-id

By default, no port block groups exist.

3.     Add a private IP address range to the port block group.

local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

By default, no private IP address ranges exist.

You can add multiple private IP address ranges to one port block group, but they cannot overlap.

4.     Add a public IP address range to the port block group.

global-ip-pool start-address end-address

By default, no public IP address ranges exist.

You can add multiple public IP address ranges to one port block group, but they cannot overlap.

5.     Configure the port range for the public IP addresses.

port-range start-port-number end-port-number

By default, the port range is 1 to 65535.

6.     Set the port block size.

block-size block-size

By default, the port block size is 256.

7.     Return to system view.

quit

N/A

8.     Enter interface view.

interface interface-type interface-number

N/A

9.     Apply the port block group to the outbound direction of the interface.

nat outbound port-block-group group-id

By default, no port block group is applied to the interface.

You can apply multiple port block groups to one interface.

10.     Return to system view.

quit

N/A

11.     (Optional.) Configure a PAT mapping mode.

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

The default mapping mode is Address and Port-Dependent Mapping.
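The port block arithmetic behind a static port block group, as an added example written for this edit (not H3C code). It models the local-ip-address ranges, global-ip-pool ranges, port-range and block-size of the procedure above, checks that the public pool offers enough blocks, and provides the reverse lookup from a public address and port to the subscriber, which is what the NAT444 user logs are used for. The allocation order (private addresses in ascending order taking consecutive port blocks, filling each public address before the next) is an assumption of this model; the guide does not state how the device orders the assignment, so use display nat port-block static for the real mapping. All addresses are constructed sample values.

```python
"""Model of a static NAT444 port block group (nat port-block-group): the
private address to (public address, port block) mapping and the reverse lookup
used for user tracing. Illustrative model; the allocation order is assumed."""
from ipaddress import IPv4Address


def _expand(ranges):
    """[(start, end), ...] dotted strings -> sorted list of ints; rejects overlap."""
    addrs = []
    for start, end in ranges:
        lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
        if hi < lo:
            raise ValueError("range end before start: %s-%s" % (start, end))
        addrs.extend(range(lo, hi + 1))
    if len(set(addrs)) != len(addrs):
        raise ValueError("address ranges must not overlap")
    return sorted(addrs)


class StaticPortBlockGroup:
    def __init__(self, local_ranges, global_ranges, port_range=(1, 65535), block_size=256):
        self.locals = _expand(local_ranges)
        self.globals = _expand(global_ranges)
        self.port_start, port_end = port_range
        self.block_size = block_size
        # Whole blocks only: ports left over at the top of the range are unused.
        self.blocks_per_ip = (port_end - self.port_start + 1) // block_size
        capacity = self.blocks_per_ip * len(self.globals)
        if capacity < len(self.locals):
            raise ValueError("%d private addresses but only %d port blocks"
                             % (len(self.locals), capacity))
        self._local_index = {ip: i for i, ip in enumerate(self.locals)}
        self._global_index = {ip: i for i, ip in enumerate(self.globals)}

    def block_for(self, private_ip):
        """(public_ip, first_port, last_port) for a private address, or None."""
        idx = self._local_index.get(int(IPv4Address(private_ip)))
        if idx is None:
            return None
        public = self.globals[idx // self.blocks_per_ip]
        first = self.port_start + (idx % self.blocks_per_ip) * self.block_size
        return str(IPv4Address(public)), first, first + self.block_size - 1

    def trace(self, public_ip, port):
        """Private address behind (public_ip, port), or None when the pair lies in
        no assigned block, which is itself evidence of a bad or stale report."""
        g = self._global_index.get(int(IPv4Address(public_ip)))
        if g is None or port < self.port_start:
            return None
        offset = (port - self.port_start) // self.block_size
        if offset >= self.blocks_per_ip:
            return None                      # trailing ports belong to no block
        idx = g * self.blocks_per_ip + offset
        if idx >= len(self.locals):
            return None                      # block exists but is not assigned
        return str(IPv4Address(self.locals[idx]))
```

With the default port range and block size, each public address carries 255 blocks and ports 65281 to 65535 are never assigned; the trace() result None for such a port is worth reporting rather than silently mapping to the nearest subscriber.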

 

Configuring dynamic NAT444

Dynamic NAT444 is applicable when the private IP addresses are not fixed.

To configure dynamic NAT444:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a NAT address group, and enter its view.

nat address-group group-id [ name group-name ]

By default, no NAT address groups exist.

3.     Add a public IP address range to the NAT address group.

address start-address end-address

By default, no public IP address ranges exist.

You can add multiple public IP address ranges to an address group, but they cannot overlap.

4.     Configure the port range for the public IP addresses.

port-range start-port-number end-port-number

By default, the port range is 1 to 65535.

The configuration takes effect only on PAT translation mode.

5.     Configure port block parameters.

port-block block-size block-size [ extended-block-number extended-block-number ]

By default, no port block parameters exist.

The configuration takes effect only on PAT translation mode.

6.     Return to system view.

quit

N/A

7.     Enter interface view.

interface interface-type interface-number

N/A

8.     Configure PAT for outbound dynamic NAT.

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group { group-id | name group-name } ] [ vpn-instance vpn-instance-name ] [ port-preserved ] [ disable ]

By default, no outbound dynamic NAT rules exist.

The port-preserved keyword does not take effect on dynamic NAT444.

9.     Return to system view.

quit

N/A

10.     (Optional.) Configure a PAT mapping mode.

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

The default mapping mode is Address and Port-Dependent Mapping.

 

Enabling global mapping sharing for dynamic NAT444

When multiple interfaces have dynamic NAT444 configured, the interfaces might create different NAT444 mappings for packets from the same IP address. You can perform this task to configure the interfaces to share the same NAT444 mapping for translating packets from the same IP address.

To enable global mapping sharing for dynamic NAT444:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable global mapping sharing for dynamic NAT444.

nat port-block global-share enable

By default, global mapping sharing is disabled for dynamic NAT444.

 

Configuring DS-Lite NAT444

DS-Lite NAT444 is configured on the AFTR's interface connected to the external network. DS-Lite NAT444 supports only dynamic NAT444.

The DS-Lite NAT444 configuration is similar to the dynamic NAT444 configuration. The difference is that DS-Lite NAT444 uses an IPv6 ACL and dynamic NAT444 uses an IPv4 ACL to identify packets to be NATed.

To configure DS-Lite NAT444:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a NAT address group, and enter its view.

nat address-group group-id [ name group-name ]

By default, no NAT address groups exist.

3.     Add a public IP address range to the NAT address group.

address start-address end-address

By default, no public IP address ranges exist.

You can add multiple public IP address ranges to an address group, but they cannot overlap.

4.     Configure the port range for the public IP addresses.

port-range start-port-number end-port-number

By default, the port range is 1 to 65535.

The configuration takes effect only on PAT translation mode.

5.     Configure port block parameters.

port-block block-size block-size [ extended-block-number extended-block-number ]

By default, no port block parameters exist.

The configuration takes effect only on PAT translation mode.

6.     Return to system view.

quit

N/A

7.     Enter interface view.

interface interface-type interface-number

N/A

8.     Configure DS-Lite NAT444.

nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group { group-id | name group-name } [ disable ]

By default, DS-Lite NAT444 is not configured.

9.     Return to system view.

quit

N/A

10.     (Optional.) Configure a PAT mapping mode.

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

The default mapping mode is Address and Port-Dependent Mapping.

 

Configuring NAT with DNS mapping

NAT with DNS mapping works only together with NAT Server and NAT with ALG for DNS (enabled by default; see "Configuring NAT with ALG").

To configure NAT with DNS mapping:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a DNS mapping for NAT.

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

By default, no DNS mapping for NAT exists.

You can configure multiple DNS mappings for NAT.

 

Configuring NAT hairpin

Configure NAT hairpin on the interface connected to the internal network. NAT hairpin supports P2P mode and C/S mode.

·     To configure the P2P mode, you must configure outbound PAT on the interface connected to the external network and enable the EIM mapping mode. Internal hosts first register their public addresses to an external server. Then, the hosts communicate with each other by using the registered IP addresses.

·     In C/S mode, the destination IP address of the packet going to the internal server is translated by matching the NAT Server configuration. The source IP address is translated by matching the outbound dynamic or static NAT entries.

NAT hairpin typically operates with NAT Server, outbound dynamic NAT, or outbound static NAT. They must be configured on interfaces of the same interface card. Otherwise, NAT hairpin cannot function correctly.

To configure NAT hairpin:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Enable NAT hairpin.

nat hairpin enable

By default, NAT hairpin is disabled.

 

Configuring NAT with ALG

CAUTION:

In an IRF fabric, NAT configured on physical interfaces does not support ALG.

 

Configure NAT with ALG for a protocol to translate the IP addresses and port numbers in the payloads for application layer packets.

To configure NAT with ALG:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure NAT with ALG for a protocol or all supported protocols.

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

By default, NAT with ALG is enabled for DNS, FTP, ICMP error messages, RTSP, and PPTP, and is disabled for the other supported protocols.

 

Configuring NAT logging

Configuring NAT session logging

NAT session logging records NAT session information, including translation information and access information.

A NAT device generates NAT session logs for the following events:

·     NAT session establishment.

·     NAT session removal. A session is removed when a configuration with a higher priority is added, a configuration is removed, an ACL is changed, the session ages out, or you delete the session manually.

·     Active NAT session logging.

To enable NAT session logging:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable NAT logging.

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

By default, NAT logging is disabled.

3.     Enable NAT session logging.

·     For NAT session establishment events:
nat log flow-begin

·     For NAT session removal events:
nat log flow-end

·     For active NAT flows:
nat log flow-active minutes

By default, NAT session logging is disabled.

 

Configuring NAT444 user logging

NAT444 user logs are used for user tracing. The NAT444 gateway generates a user log whenever it assigns or withdraws a port block. The log includes the private IP address, public IP address, and port block. You can use the public IP address and port numbers to locate the user's private IP address from the user logs.

A NAT444 gateway generates NAT user logs when one of the following events occurs:

·     A port block is assigned.

For NAT444 with static mappings, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

For NAT444 with dynamic mappings, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

·     A port block is withdrawn.

For NAT444 with static mappings, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

For NAT444 with dynamic mappings, the NAT444 gateway generates a user log when all the following conditions are met:

¡     All connections from a private IP address are disconnected.

¡     The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

¡     The corresponding mapping entry is deleted.

Before configuring NAT444 user logging, you must configure the custom NAT444 log generation and outputting features. For more information, see Network Management and Monitoring Configuration Guide.

To configure NAT444 user logging:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable NAT logging.

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

By default, NAT logging is disabled.

The acl keyword does not take effect on NAT444 user logging.

3.     Enable NAT444 user logging.

·     For port block assignment:
nat log port-block-assign

·     For port block withdrawal:
nat log port-block-withdraw

By default, NAT444 user logging is disabled.

You can enable logging for both port block assignment and withdrawal.

 

Configuring NAT alarm logging

Packets that need to be translated are dropped if the system runs out of NAT resources. In NO-PAT, the NAT resources are the public IP addresses. In EIM PAT, they are the public IP addresses and ports. In NAT444, they are the public IP addresses, port blocks, or ports in port blocks. NAT alarm logging monitors the usage of NAT resources and outputs logs when they are running out.

The NAT444 gateway generates alarm logs when the ports in the extended port blocks of a dynamic NAT444 mapping are all occupied.

Before configuring alarm logging for NAT444, you must configure the custom NAT444 log generation and outputting features. For more information about information center, see Network Management and Monitoring Configuration Guide.

To configure NAT alarm logging:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable NAT logging.

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

By default, NAT logging is disabled.

The acl keyword does not take effect on NAT alarm logging.

3.     Enable NAT alarm logging.

nat log alarm

By default, NAT alarm logging is disabled.

 

Configuring port block usage threshold for dynamic NAT444

The system generates alarm logs if the port block usage exceeds the threshold.

To configure the port block usage threshold for dynamic NAT444:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the port block usage threshold for dynamic NAT444.

nat log port-block usage threshold threshold-value

The default threshold is 90%.
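The following Python is an added example written for this edit, not H3C code. It ties together the pieces described in "Configuring dynamic NAT444", "Configuring NAT444 user logging", "Configuring NAT alarm logging" and the threshold above: a model of an address group with a port range, block size and extended block count, per-subscriber block assignment and withdrawal with the user log written at each step, the alarm raised when a subscriber has exhausted even its extended blocks or no free block remains, the usage-threshold alarm, and an offline trace() that replays the user logs to answer "who held this public address and port". Assumptions: blocks are handed out lowest address and port first, and the log field names and alarm texts are constructed; the real log format is in the Network Management and Monitoring Configuration Guide.

```python
"""Model of dynamic NAT444 port block allocation, the user logs written on
assignment and withdrawal, and the alarm conditions. Illustrative model, not
the gateway's implementation."""
from ipaddress import IPv4Address


class DynamicNat444:
    def __init__(self, address_ranges, port_range=(1024, 65535), block_size=256,
                 extended_block_number=1, usage_threshold=90):
        start, end = port_range
        self.block_size = block_size
        self.max_blocks_per_user = 1 + extended_block_number
        self.threshold = usage_threshold
        # Free blocks as (public_ip, first_port), lowest address and port first.
        self.free = []
        for s, e in address_ranges:
            for ip in range(int(IPv4Address(s)), int(IPv4Address(e)) + 1):
                for b in range((end - start + 1) // block_size):
                    self.free.append((str(IPv4Address(ip)), start + b * block_size))
        if not self.free:
            raise ValueError("address group yields no port blocks")
        self.total_blocks = len(self.free)
        self.users = {}     # private_ip -> {"blocks": [...], "flows": {flow_id: (ip, port)}}
        self.logs = []      # user logs and alarm logs, in order
        self.usage_alarmed = False

    def _log(self, kind, **fields):
        self.logs.append(dict(type=kind, **fields))

    def _usage_pct(self):
        return 100.0 * (self.total_blocks - len(self.free)) / self.total_blocks

    def _assign_block(self, private_ip, user, extended):
        if not self.free:
            self._log("ALARM", reason="no free port block", private_ip=private_ip)
            return False
        ip, first = self.free.pop(0)
        user["blocks"].append((ip, first))
        self._log("PORT_BLOCK_ASSIGN", private_ip=private_ip, public_ip=ip,
                  ports=(first, first + self.block_size - 1), extended=extended)
        if not self.usage_alarmed and self._usage_pct() > self.threshold:
            self.usage_alarmed = True
            self._log("ALARM", reason="port block usage above %d%%" % self.threshold)
        return True

    def open_flow(self, private_ip, flow_id):
        """Translate a new connection; returns (public_ip, port) or None if dropped."""
        user = self.users.setdefault(private_ip, {"blocks": [], "flows": {}})
        if not user["blocks"] and not self._assign_block(private_ip, user, extended=False):
            del self.users[private_ip]
            return None
        in_use = set(user["flows"].values())
        while True:
            for ip, first in user["blocks"]:
                for port in range(first, first + self.block_size):
                    if (ip, port) not in in_use:
                        user["flows"][flow_id] = (ip, port)
                        return ip, port
            # Every port in the subscriber's blocks is busy: extend once more, or drop.
            if len(user["blocks"]) >= self.max_blocks_per_user:
                self._log("ALARM", reason="all ports in extended blocks occupied",
                          private_ip=private_ip)
                return None
            if not self._assign_block(private_ip, user, extended=True):
                return None

    def close_flow(self, private_ip, flow_id):
        user = self.users[private_ip]
        del user["flows"][flow_id]
        if user["flows"]:
            return
        # Last connection gone: withdraw every block and delete the mapping.
        for ip, first in user["blocks"]:
            self.free.append((ip, first))
            self._log("PORT_BLOCK_WITHDRAW", private_ip=private_ip, public_ip=ip,
                      ports=(first, first + self.block_size - 1))
        del self.users[private_ip]
        if self._usage_pct() <= self.threshold:
            self.usage_alarmed = False


def trace(logs, public_ip, port):
    """Replay user logs to find the private address holding (public_ip, port) at
    the end of the log; None if no current assignment covers it."""
    owner = {}
    for entry in logs:
        key = (entry.get("public_ip"), entry.get("ports"))
        if entry["type"] == "PORT_BLOCK_ASSIGN":
            owner[key] = entry["private_ip"]
        elif entry["type"] == "PORT_BLOCK_WITHDRAW":
            owner.pop(key, None)
    for (ip, (first, last)), private_ip in owner.items():
        if ip == public_ip and first <= port <= last:
            return private_ip
    return None
```

Two points the model makes concrete: a subscriber that has filled its initial block and every extended block is dropped without consuming anyone else's ports, which is the containment property port blocks buy you, and the withdrawal log is what makes an offline trace correct, since without it a port block that has moved to a new subscriber would still be attributed to the old one.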

 

Enabling sending ICMP error messages for NAT failures

By default, the device does not send ICMP error messages for packets that fail NAT translation. Keeping the feature disabled reduces useless packets, saves bandwidth, and avoids exposing the IP address of the NAT device to the public network.

Enable the feature only if you need traceroute to work through the device, because traceroute depends on those ICMP error messages.

To enable sending ICMP error messages for NAT failures:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable sending ICMP error messages for NAT failures.

nat icmp-error reply

By default, no ICMP error messages are sent for NAT failures.

 

Enabling NAT reply redirection

In some network scenarios, the inbound dynamic NAT is configured with tunneling, and multiple tunnel interfaces use the same NAT address group. In this case, the device will translate the source IP addresses of packets from different tunnels into the same NAT address before forwarding them. When the forwarding interface receives the reply packets, the device, by default, will not look up the NAT session table. This will cause the incorrect forwarding of the reply packets. To solve the problem, you can enable the NAT reply redirection feature on the forwarding interface. NAT reply redirection allows the interface to use the NAT session table to translate the destination IP addresses for NAT reply packets and find the correct output interfaces for those NATed reply packets.

To enable NAT reply redirection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Enable NAT reply redirection.

nat redirect reply-route enable

By default, NAT reply redirection is disabled.

 

Enabling the deletion of timestamps in TCP SYN and SYN ACK packets

With this feature configured, the system deletes the timestamps from the TCP SYN and SYN ACK packets after dynamic address translation.

If PAT mode is configured on an interface by using nat inbound or nat outbound, and the tcp_timestamps and tcp_tw_recycle functions are both enabled on the TCP server, TCP connections might not be established. To solve the problem, disable tcp_tw_recycle on the server or configure the nat timestamp delete command on the device. Because the option is stripped from the SYN, such a connection is set up without TCP timestamps at all, so PAWS and timestamp-based RTT measurement are unavailable for it; prefer fixing the server when you can.

To enable the deletion of timestamps in TCP SYN and SYN ACK packets:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the deletion of timestamps in TCP SYN and SYN ACK packets

nat timestamp delete [ vpn-instance vpn-instance-name ]

By default, the deletion of timestamps in TCP SYN and SYN ACK packets is disabled.

You can enable this feature for multiple VPN instances by repeating the command with different VPN parameters.
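Why PAT in front of such a server loses connections, as an added example written for this edit (not H3C or kernel code). It is a simplified model of the per-peer PAWS check that Linux applied to incoming SYNs while tcp_tw_recycle was enabled (the sysctl was removed in Linux 4.12): the server remembers the highest TCP timestamp seen from each peer address whose connection passed through TIME_WAIT and rejects a later SYN from that address carrying a lower timestamp. Two hosts behind one PAT address have unrelated timestamp clocks, so the second host looks like a replay. The timestamp values and addresses are constructed, and the real check also applies a time window that this model omits.

```python
"""Why PAT plus tcp_timestamps and tcp_tw_recycle drops connections, and what
deleting the timestamp option from SYN segments changes. Simplified model of
the per-peer PAWS check; illustrative only."""


class RecyclingServer:
    """Remembers, per peer IP, the last TCP timestamp seen from connections that
    went through TIME_WAIT, and rejects a SYN whose timestamp is older."""

    def __init__(self):
        self.last_ts = {}                       # peer_ip -> highest tsval seen

    def accept_syn(self, peer_ip, tsval):
        last = self.last_ts.get(peer_ip)
        if tsval is not None and last is not None and tsval < last:
            return False                        # PAWS: treated as a stale duplicate
        return True

    def connection_closed(self, peer_ip, tsval):
        if tsval is not None:                   # TIME_WAIT records the peer's clock
            self.last_ts[peer_ip] = max(tsval, self.last_ts.get(peer_ip, 0))


def pat_syn(public_ip, tsval, timestamp_delete):
    """PAT rewrites the source address; with nat timestamp delete the timestamp
    option is removed from the SYN as well, so the server sees no tsval."""
    return public_ip, (None if timestamp_delete else tsval)


def scenario(timestamp_delete):
    """Two hosts behind one PAT address: A has been up a long time (high tsval),
    B just booted (low tsval). Returns (A accepted, B accepted)."""
    server = RecyclingServer()
    public_ip = "202.38.1.2"                    # constructed public address
    ip_a, ts_a = pat_syn(public_ip, 900_000, timestamp_delete)
    a_ok = server.accept_syn(ip_a, ts_a)
    server.connection_closed(ip_a, ts_a)        # A's connection enters TIME_WAIT
    ip_b, ts_b = pat_syn(public_ip, 1_000, timestamp_delete)
    b_ok = server.accept_syn(ip_b, ts_b)
    return a_ok, b_ok
```

The model shows the trade-off stated above: stripping the option makes B's SYN pass, but only because the server can no longer run any timestamp-based check for that connection.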

 

Displaying and maintaining NAT

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the NAT with ALG status for all supported protocols.

display nat alg

Display all NAT configuration information.

display nat all

Display NAT address group information.

display nat address-group [ group-id ]

Display NAT with DNS mapping configuration.

display nat dns-map

Display information about NAT EIM entries (in standalone mode).

display nat eim [ slot slot-number ]

Display information about NAT EIM entries (in IRF mode).

display nat eim [ chassis chassis-number slot slot-number ]

Display information about inbound dynamic NAT.

display nat inbound

Display NAT logging configuration.

display nat log

Display information about NAT NO-PAT entries (in standalone mode).

display nat no-pat [ slot slot-number ]

Display information about NAT NO-PAT entries (in IRF mode).

display nat no-pat [ chassis chassis-number slot slot-number ]

Display information about outbound dynamic NAT.

display nat outbound

Display NAT Server configuration.

display nat server

Display internal server group configuration.

display nat server-group [ group-id ]

Display NAT session entries (in standalone mode).

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

Display NAT session entries (in IRF mode).

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

Display static NAT mappings.

display nat static

Display NAT statistics (in standalone mode).

display nat statistics [ summary ] [ slot slot-number ]

Display NAT statistics (in IRF mode).

display nat statistics [ summary ] [ chassis chassis-number slot slot-number ]

Display information about port block group application for NAT444.

display nat outbound port-block-group

Display information about NAT port block groups.

display nat port-block-group [ group-id ]

Display NAT444 mappings (in standalone mode).

display nat port-block { dynamic [ ds-lite-b4 ] | static } [ slot slot-number ]

Display NAT444 mappings (in IRF mode).

display nat port-block { dynamic [ ds-lite-b4 ] | static } [ chassis chassis-number slot slot-number ]

Display the port block usage for dynamic NAT444 address groups (in standalone mode).

display nat port-block-usage [ address-group group-id ] [ slot slot-number ]

Display the port block usage for dynamic NAT444 address groups (in IRF mode).

display nat port-block-usage [ address-group group-id ] [ chassis chassis-number slot slot-number ]

Clear NAT session entries (in standalone mode).

reset nat session [ slot slot-number ]

Clear NAT session entries (in IRF mode).

reset nat session [ chassis chassis-number slot slot-number ]

 

NAT configuration examples

Outbound one-to-one static NAT configuration example

Network requirements

Configure static NAT to allow the host at 10.110.10.8/24 to access the Internet.

Figure 8 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure a one-to-one static NAT mapping between the private address 10.110.10.8 and the public address 202.38.1.100.

<Router> system-view

[Router] nat static outbound 10.110.10.8 202.38.1.100

# Enable static NAT on GigabitEthernet 1/1/2.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat static enable

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that the host at 10.110.10.8/24 can access the server on the Internet. (Details not shown.)

# Display static NAT configuration.

[Router] display nat static

Static NAT mappings:

  Totally 1 outbound static NAT mappings.

  IP-to-IP:

    Local IP     : 10.110.10.8

    Global IP    : 202.38.1.100

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 1 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/1/2

    Config status: Active

# Display NAT session information.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 10.110.10.8/42496

  Destination IP/port: 202.38.1.111/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/1

Responder:

  Source      IP/port: 202.38.1.111/42496

  Destination IP/port: 202.38.1.100/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/2

State: ICMP_REPLY

Application: INVALID

Start time: 2012-08-16 09:30:49  TTL: 27s

Initiator->Responder:            5 packets        420 bytes

Responder->Initiator:            5 packets        420 bytes

 

Total sessions found: 1

Outbound dynamic NAT configuration example (non-overlapping addresses)

Network requirements

As shown in Figure 9, a company has a private address 192.168.0.0/16 and two public IP addresses 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on subnet 192.168.1.0/24 to access the Internet.

Figure 9 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure address group 0, and add an address range from 202.38.1.2 to 202.38.1.3 to the group.

<Router> system-view

[Router] nat address-group 0

[Router-address-group-0] address 202.38.1.2 202.38.1.3

[Router-address-group-0] quit

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Enable outbound dynamic PAT on interface GigabitEthernet 1/1/2. The source IP addresses of the packets permitted by the ACL rule are translated into the addresses in address group 0.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat outbound 2000 address-group 0

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that Host A can access the WWW server, while Host B cannot. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

  Totally 1 NAT address groups.

  Address group 0:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.3

 

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 0

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

Static NAT load balancing:     Disabled

# Display NAT session information generated when Host A accesses the WWW server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 192.168.1.10/52992

  Destination IP/port: 200.1.1.10/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/1

Responder:

  Source      IP/port: 200.1.1.10/4

  Destination IP/port: 202.38.1.3/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/2

State: ICMP_REPLY

Application: INVALID

Start time: 2012-08-15 14:53:29  TTL: 12s

Initiator->Responder:            1 packets         84 bytes

Responder->Initiator:            1 packets         84 bytes

 

Total sessions found: 1

Outbound bidirectional NAT configuration example

Network requirements

As shown in Figure 10, the private network where the Web server resides overlaps with the company private network 192.168.1.0/24. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using the server's domain name.

Figure 10 Network diagram

 

Requirements analysis

To meet the network requirements, you must perform the following tasks:

·     Configure inbound dynamic NAT with ALG to make sure the internal host reaches the Web server instead of another internal host. NAT with ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address.

·     Configure outbound dynamic NAT to translate the source IP address of packets from an internal host to a dynamically assigned public address.

·     Add a static route to the public IP address of the external Web server.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.2 to the group.

[Router-address-group-1] address 202.38.1.2 202.38.1.2

[Router-address-group-1] quit

# Create address group 2.

[Router] nat address-group 2

# Add address 202.38.1.3 to the group.

[Router-address-group-2] address 202.38.1.3 202.38.1.3

[Router-address-group-2] quit

# Enable inbound NO-PAT on interface GigabitEthernet 1/1/2 to translate the Web server's address carried in the DNS reply payload into the address in address group 1, and allow reversible NAT.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat inbound 2000 address-group 1 no-pat reversible

# Enable outbound PAT on interface GigabitEthernet 1/1/2 to translate the source address of outgoing packets into the address in address group 2.

[Router-GigabitEthernet1/1/2] nat outbound 2000 address-group 2

[Router-GigabitEthernet1/1/2] quit

# Configure a static route to 202.38.1.2 with GigabitEthernet 1/1/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.)

[Router] ip route-static 202.38.1.2 32 gigabitethernet 1/1/2 20.2.2.2

Verifying the configuration

# Verify that Host A can access the Web server by using its domain name. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

  Totally 2 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.2

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.3            202.38.1.3

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 1

    Add route: N             NO-PAT: Y         Reversible: Y

    Config status: Active

 

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 2

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

...

# Display NAT session information generated when Host A accesses the Web server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 192.168.1.10/1694

  Destination IP/port: 202.38.1.2/8080

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

Responder:

  Source      IP/port: 192.168.1.10/8080

  Destination IP/port: 202.38.1.3/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/2

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

 

Total sessions found: 1

NAT Server for external-to-internal access configuration example

Network requirements

As shown in Figure 11, two Web servers, one FTP server and one SMTP server are in the internal network to provide services for external users. The internal network address is 10.110.0.0/16. The company has three public IP addresses from 202.38.1.1/24 to 202.38.1.3/24.

Configure the NAT Server feature to allow external users to access the internal servers through the public address 202.38.1.1/24.

Figure 11 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enter interface view of GigabitEthernet 1/1/2.

<Router> system-view

[Router] interface gigabitethernet 1/1/2

# Configure NAT Server to allow external users to access the FTP server by using the address 202.38.1.1 and port 21.

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp

# Configure NAT Server to allow external users to access the Web server 1 by using the address 202.38.1.1 and port 80.

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http

# Configure NAT Server to allow external users to access the Web server 2 by using the address 202.38.1.1 and port 8080.

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 http

# Configure NAT Server to allow external users to access the SMTP server by using the address 202.38.1.1 and port number defined by SMTP.

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.1 smtp inside 10.110.10.4 smtp

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that the host on the external network can access the internal servers by using the public addresses. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT internal server information:

  Totally 4 internal servers.

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.1/21

    Local IP/port : 10.110.10.3/21

    Config status : Active

 

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.1/25

    Local IP/port : 10.110.10.4/25

    Config status : Active

 

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.1/80

    Local IP/port : 10.110.10.1/80

    Config status : Active

 

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.1/8080

    Local IP/port : 10.110.10.2/80

    Config status : Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

...

# Display NAT session information generated when Host accesses the FTP server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 202.38.1.10/1694

  Destination IP/port: 202.38.1.1/21

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/2

Responder:

  Source      IP/port: 10.110.10.3/21

  Destination IP/port: 202.38.1.10/1694

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

State: TCP_ESTABLISHED

Application: FTP

Start time: 2012-08-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

 

Total sessions found: 1

NAT Server for external-to-internal access through domain name configuration example

Network requirements

As shown in Figure 12, Web server at 10.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 is used to resolve the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.

Configure NAT Server to allow external users to access the internal Web server by using the domain name.

Figure 12 Network diagram

 

Requirements analysis

To meet the network requirements, you must perform the following tasks:

·     Configure NAT Server to map the private IP address and port of the DNS server to a public address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.

·     Enable ALG for DNS and configure outbound dynamic NAT to translate the private IP address of the Web server in the payload of the DNS response packet into a public IP address.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from 10.110.10.2 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.3 to the group.

[Router-address-group-1] address 202.38.1.3 202.38.1.3

[Router-address-group-1] quit

# Configure NAT Server on interface GigabitEthernet 1/1/2 to map the address 202.38.1.2 to 10.110.10.3, so that external users can access the internal DNS server.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns

# Enable outbound NO-PAT on interface GigabitEthernet 1/1/2. Use the address in address group 1 to translate the private address in DNS response payload, and allow reversible NAT.

[Router-GigabitEthernet1/1/2] nat outbound 2000 address-group 1 no-pat reversible

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

  Totally 1 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.3            202.38.1.3

 

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 1

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    Config status: Active

 

NAT internal server information:

  Totally 1 internal servers.

  Interface: GigabitEthernet1/1/2

    Protocol: 17(UDP)

    Global IP/port: 202.38.1.2/53

    Local IP/port : 10.110.10.3/53

    Config status : Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

...

# Display NAT session information generated when Host accesses Web server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 202.1.1.2/1694

  Destination IP/port: 202.38.1.3/8080

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/2

Responder:

  Source      IP/port: 10.110.10.2/8080

  Destination IP/port: 202.1.1.2/1694

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

 

Total sessions found: 1

Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example

Network requirements

As shown in Figure 13, an intranet uses the subnet 192.168.1.0/24. The Web server at 192.168.1.2/24 provides Web services for external users, and the DNS server at 192.168.1.3/24 resolves the domain name of the Web server. The company has three public addresses: 202.38.1.2, 202.38.1.3, and 202.38.1.4.

Configure NAT to allow the external host at 192.168.1.2 (an address that overlaps with the internal Web server's) to access the internal Web server by using the server's domain name.

Figure 13 Network diagram

 

Requirements analysis

To meet the network requirements, you must perform the following tasks:

·     Configure NAT Server to map the private IP address and port of the DNS server to a public IP address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.

·     Configure outbound dynamic NAT and enable ALG for DNS. The Web server's IP address is the same as the external host's IP address. NAT with ALG can translate the Web server's private address in the payload of the DNS response packet to a dynamically assigned public address.

·     Configure inbound dynamic NAT. The external host's IP address is the same as the Web server's IP address. Inbound dynamic NAT can translate the external host's IP address into a dynamically assigned public address.

·     Add a static route to the public IP address of the external host with GigabitEthernet 1/1/2 as the output interface.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.2 to the address group.

[Router-address-group-1] address 202.38.1.2 202.38.1.2

[Router-address-group-1] quit

# Create address group 2.

[Router] nat address-group 2

# Add address 202.38.1.3 to the address group.

[Router-address-group-2] address 202.38.1.3 202.38.1.3

[Router-address-group-2] quit

# Configure NAT Server on interface GigabitEthernet 1/1/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns

# Enable outbound NO-PAT on interface GigabitEthernet 1/1/2 to translate IP address of the Web server in the DNS response payload into the address in address group 1, and allow reversible NAT.

[Router-GigabitEthernet1/1/2] nat outbound 2000 address-group 1 no-pat reversible

# Enable inbound PAT on interface GigabitEthernet 1/1/2 to translate the source address of packets going to the internal network to the address in address group 2.

[Router-GigabitEthernet1/1/2] nat inbound 2000 address-group 2

[Router-GigabitEthernet1/1/2] quit

# Configure a static route to 202.38.1.3 with GigabitEthernet 1/1/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.)

[Router] ip route-static 202.38.1.3 32 gigabitethernet 1/1/2 20.2.2.2
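The three examples that rely on NAT with ALG for DNS (Figure 10, Figure 12 and this one) all depend on the same operation: the device parses the DNS reply, finds the A record, and replaces the private address in the RDATA with the global address of the NO-PAT entry, creating the entry if needed; reversible NAT then lets a later connection to that global address be mapped back to the private host. The following Python is an added example that models that operation, not H3C code: it builds a constructed DNS response, locates A records in the answer section, rewrites those covered by the ACL, and keeps the NO-PAT table for the reverse lookup. The query name www.example.com and the transaction IDs are placeholders.

```python
# Added example (not H3C code): what the DNS ALG does to an A record in a DNS
# response passing through a NO-PAT, reversible address group. The DNS
# messages are constructed here; www.example.com is a placeholder name.
import ipaddress
import struct


def build_dns_response(txid, qname, answer_ip, ttl=60):
    """Constructed wire-format response: header, one IN A question, one IN A
    answer whose name is a compression pointer (0xC00C) to the question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + question + answer + ipaddress.IPv4Address(answer_ip).packed


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(buf):
    """Byte offsets of the 4-byte RDATA of each IN A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4            # QTYPE + QCLASS
    offsets = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets


class DnsAlg:
    """NO-PAT address group consulted by the DNS ALG. `acl_prefix` is the
    prefix whose private addresses may be translated; `pool` the group."""

    def __init__(self, acl_prefix, pool):
        self.acl = ipaddress.ip_network(acl_prefix)
        self.pool = list(pool)
        self.nopat = {}                  # private ip -> global ip (NO-PAT entry)

    def map_address(self, private_ip):
        if ipaddress.ip_address(private_ip) not in self.acl:
            return None
        if private_ip not in self.nopat:
            if not self.pool:
                raise RuntimeError("address group exhausted")
            self.nopat[private_ip] = self.pool.pop(0)
        return self.nopat[private_ip]

    def rewrite_response(self, buf):
        """Rewrite every A answer covered by the ACL. The device must also
        recompute the UDP and IP checksums afterwards (not modelled here)."""
        out = bytearray(buf)
        for off in a_record_offsets(buf):
            private_ip = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            global_ip = self.map_address(private_ip)
            if global_ip is not None:
                out[off:off + 4] = ipaddress.IPv4Address(global_ip).packed
        return bytes(out)

    def reverse_lookup(self, global_ip):
        """`reversible`: a later connection to the global address is translated
        back to the private host the NO-PAT entry was created for."""
        for private_ip, g in self.nopat.items():
            if g == global_ip:
                return private_ip
        return None


def demo():
    """Figure 12: the internal DNS server answers with the Web server's private
    address 10.110.10.2; address group 1 holds 202.38.1.3."""
    alg = DnsAlg("10.110.10.2/32", ["202.38.1.3"])
    response = build_dns_response(0x1234, "www.example.com", "10.110.10.2")
    rewritten = alg.rewrite_response(response)
    off = a_record_offsets(rewritten)[0]
    return str(ipaddress.IPv4Address(rewritten[off:off + 4])), alg.reverse_lookup("202.38.1.3")
```

Two practical caveats follow from the model. The ALG rewrites the UDP payload, so the checksums must be recomputed, and a DNSSEC-validating resolver on the far side will fail validation of the rewritten answer because the RRSIG covers the original RDATA. And because the NO-PAT entry is created on demand from the reply, the address group must hold as many addresses as there are servers the DNS server can name within the ACL, or later replies are left untranslated.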

Verifying the configuration

# Verify that the host on the external network can use the domain name to access the internal Web server whose address is the same as the host. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

  Totally 2 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.2

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.3            202.38.1.3

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 2

    Add route: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 1

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    Config status: Active

 

NAT internal server information:

  Totally 1 internal servers.

  Interface: GigabitEthernet1/1/2

    Protocol: 17(UDP)

    Global IP/port: 202.38.1.4/53

    Local IP/port : 192.168.1.3/53

    Config status : Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

...

# Display NAT session information generated when Host accesses the Web server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 192.168.1.2/1694

  Destination IP/port: 202.38.1.2/8080

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/2

Responder:

  Source      IP/port: 192.168.1.2/8080

  Destination IP/port: 202.38.1.3/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

 

Total sessions found: 1

NAT hairpin in C/S mode configuration example

Network requirements

As shown in Figure 14, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2.

Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.

Figure 14 Network diagram

 

Requirements analysis

To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.

To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:

·     Enable NAT hairpin on the interface connected to the internal network.

·     Configure outbound NAT on the interface where NAT Server is configured. The destination address is translated by matching the NAT Server. The source address is translated by matching the outbound NAT.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.

<Router> system-view

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Configure NAT Server on interface GigabitEthernet 1/1/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp

# Enable outbound NAT with Easy IP on interface GigabitEthernet 1/1/2 so that NAT translates the source addresses of the packets from internal hosts into the IP address of interface GigabitEthernet 1/1/2.

[Router-GigabitEthernet1/1/2] nat outbound 2000

[Router-GigabitEthernet1/1/2] quit

# Enable NAT hairpin on interface GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] nat hairpin enable

Verifying the configuration

# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: ---

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT internal server information:

  Totally 1 internal servers.

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.2/21

    Local IP/port : 192.168.1.4/21

    Config status : Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT hairpinning:

  Totally 1 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet1/1/1

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

...

# Display NAT session information generated when Host A accesses the FTP server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 192.168.1.2/1694

  Destination IP/port: 202.38.1.2/21

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

Responder:

  Source      IP/port: 192.168.1.4/21

  Destination IP/port: 202.38.1.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

State: TCP_ESTABLISHED

Application: FTP

Start time: 2012-08-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

 

Total sessions found: 1

NAT hairpin in P2P mode configuration example

Network requirements

In a P2P application, internal clients register their IP addresses and port numbers with the external server, which records them. An internal client must obtain another client's IP address and port number from the external server before it can communicate with that client.

Configure NAT hairpin so that:

·     The internal clients can register the same public address to the external server.

·     The internal clients can access each other through the IP address and port number obtained from the server.

Figure 15 Network diagram

 

Requirements analysis

To meet the network requirements, you must perform the following tasks:

·     Configure outbound dynamic PAT on the interface connected to the external network, so the internal clients can access the external server for registration.

·     Configure the mapping behavior for PAT as Endpoint-Independent Mapping because the registered IP address and port number should be accessible for any source address.

·     Enable NAT hairpin on the interface connected to the internal network so that internal clients can access each other through the public address.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.

<Router> system-view

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 1/1/2. The IP address of GigabitEthernet 1/1/2 is used as the public address for the source address translation of the packets from internal to external.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat outbound 2000

[Router-GigabitEthernet1/1/2] quit

# Configure the Endpoint-Independent Mapping mode for PAT. For packets with the same source address and port number and permitted by ACL 2000, the source address and port number are translated to the same public address and port number.

[Router] nat mapping-behavior endpoint-independent acl 2000

# Enable NAT hairpin on interface GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] nat hairpin enable

[Router-GigabitEthernet1/1/1] quit
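The C/S example (Figure 14) and this P2P example differ only in what a hairpinned packet is matched against: a NAT Server mapping in the first case, a dynamic PAT mapping in the second, which is why the second needs Endpoint-Independent Mapping. The following Python is an added example, not H3C code: it models Easy IP PAT on the external interface in either mapping mode, a NAT Server entry, and hairpinning on the internal interface, for the client-to-server direction only (reply handling and the outbound ACL are omitted). Host A 192.168.1.2, Host B 192.168.1.3, the external interface address 202.38.1.1, the registration server 202.38.1.10:3478, the scanner 198.51.100.9, the sequential port allocator, and the reading of the requirements analysis that an Endpoint-Independent mapping accepts packets from any source are assumptions.

```python
# Added example (not H3C code): Easy IP PAT plus NAT Server and NAT hairpin,
# with the two mapping behaviours the page refers to. Assumptions: the external
# interface address is 202.38.1.1, ports are allocated sequentially from 1024,
# and (as the P2P requirements state) an Endpoint-Independent mapping accepts
# packets from any source. Client-to-server direction only.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class HairpinNat:
    """mode="apdm": Address and Port-Dependent Mapping (device default).
    mode="eim":  Endpoint-Independent Mapping (nat mapping-behavior endpoint-independent)."""

    def __init__(self, public_ip, mode="apdm", first_port=1024):
        self.public_ip = public_ip
        self.mode = mode
        self.servers = {}    # (proto, global ip, global port) -> (local ip, local port)
        self.mappings = {}   # mapping key -> global port
        self.reverse = {}    # (proto, global port) -> (local ip, local port, peer or None)
        self.next_port = first_port

    def add_server(self, proto, global_ip, global_port, local_ip, local_port):
        self.servers[(proto, global_ip, global_port)] = (local_ip, local_port)

    def _map_source(self, f):
        """Allocate or reuse the global port for the packet's private source."""
        if self.mode == "eim":
            key, peer = (f.proto, f.src, f.sport), None                    # any peer may use it
        else:
            key, peer = (f.proto, f.src, f.sport, f.dst, f.dport), (f.dst, f.dport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[(f.proto, self.next_port)] = (f.src, f.sport, peer)
            self.next_port += 1
        return self.mappings[key]

    def _inbound_target(self, f):
        """Internal host a packet addressed to a public address is delivered to, or None."""
        server = self.servers.get((f.proto, f.dst, f.dport))
        if server is not None:
            return server
        if f.dst != self.public_ip:
            return None
        entry = self.reverse.get((f.proto, f.dport))
        if entry is None:
            return None
        local_ip, local_port, peer = entry
        if peer is not None and peer != (f.src, f.sport):
            return None            # APDM: only the original destination may use the mapping
        return local_ip, local_port

    def from_outside(self, f):
        """Packet arriving on the external interface."""
        target = self._inbound_target(f)
        return None if target is None else replace(f, dst=target[0], dport=target[1])

    def from_inside(self, f, hairpin=False):
        """Packet arriving on the internal interface. Returns (egress, packet):
        'external' when sent out the WAN interface, 'internal' when hairpinned."""
        out = replace(f, src=self.public_ip, sport=self._map_source(f))
        target = self._inbound_target(out) if hairpin else None
        if target is None:
            return "external", out
        return "internal", replace(out, dst=target[0], dport=target[1])


def demo_cs_hairpin():
    """Figure 14: FTP server 192.168.1.4 published as 202.38.1.2:21."""
    nat = HairpinNat("202.38.1.1")
    nat.add_server("tcp", "202.38.1.2", 21, "192.168.1.4", 21)
    external = nat.from_outside(Flow("tcp", "202.38.1.10", 1694, "202.38.1.2", 21))
    no_hairpin = nat.from_inside(Flow("tcp", "192.168.1.2", 1694, "202.38.1.2", 21))
    with_hairpin = nat.from_inside(Flow("tcp", "192.168.1.2", 1694, "202.38.1.2", 21), hairpin=True)
    return external, no_hairpin, with_hairpin


def demo_p2p(mode):
    """Figure 15: Clients A and B register with a constructed server 202.38.1.10:3478,
    then B sends to the address/port the server handed out for A."""
    nat = HairpinNat("202.38.1.1", mode=mode)
    _, reg_a = nat.from_inside(Flow("udp", "192.168.1.2", 5000, "202.38.1.10", 3478))
    _, reg_b = nat.from_inside(Flow("udp", "192.168.1.3", 5000, "202.38.1.10", 3478))
    peer = nat.from_inside(Flow("udp", "192.168.1.3", 5000, reg_a.src, reg_a.sport), hairpin=True)
    scanner = nat.from_outside(Flow("udp", "198.51.100.9", 4444, reg_a.src, reg_a.sport))
    return reg_a, reg_b, peer, scanner
```

Running demo_p2p("eim") and demo_p2p("apdm") shows the trade-off the mapping-behavior setting makes. In the default mode, Client B's packet to Client A's registered address leaves toward the Internet because the mapping was created for the server only, and an unsolicited packet from anywhere else is dropped. Under Endpoint-Independent Mapping, Client A's single mapping is reused for the hairpinned packet, which makes the P2P case work, but the same mapping is also reachable by the scanner. Restrict the ACL given to nat mapping-behavior to the hosts that actually need it, and keep the default mode for everything else.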

Verifying the configuration

# Verify that Host A, Host B, and Host C can access each other after they register their IP addresses and port numbers to the external server. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: ---

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT hairpinning:

  Totally 1 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet1/1/1

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent

  ACL          : 2000

  Config status: Active

...

# Display NAT session information generated when Client A accesses Client B.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 192.168.1.3/44929

  Destination IP/port: 202.38.1.3/1

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

  Inbound interface: GigabitEthernet1/1/1

Responder:

  Source      IP/port: 192.168.1.2/69

  Destination IP/port: 202.38.1.3/1024

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

  Inbound interface: GigabitEthernet1/1/1

State: UDP_READY

Application: TFTP

Start time: 2012-08-15 15:53:36  TTL: 46s

Initiator->Responder:            1 packets         56 bytes

Responder->Initiator:            1 packets         72 bytes

 

Total sessions found: 1

Twice NAT configuration example

Network requirements

As shown in Figure 16, two departments are in different VPN instances with overlapping addresses. Configure twice NAT so that Host A and Host B in different departments can access each other.

Figure 16 Network diagram

 

Requirements analysis

This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.

Configuration procedure

# Specify VPN instances and IP addresses for the interfaces on the router. (Details not shown.)

# Configure a static outbound NAT mapping between 192.168.1.2 in vpn 1 and 172.16.1.2 in vpn 2.

<Router> system-view

[Router] nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

# Configure a static outbound NAT mapping between 192.168.1.2 in vpn 2 and 172.16.2.2 in vpn 1.

[Router] nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

# Enable static NAT on interface GigabitEthernet 1/1/2.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat static enable

[Router-GigabitEthernet1/1/2] quit

# Enable static NAT on interface GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] nat static enable

[Router-GigabitEthernet1/1/1] quit

Verifying the configuration

# Verify that Host A and Host B can access each other. The public address for Host A is 172.16.1.2 and that for Host B is 172.16.2.2. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

Static NAT mappings:

  Totally 2 outbound static NAT mappings.

  IP-to-IP:

    Local IP     : 192.168.1.2

    Global IP    : 172.16.1.2

    Local VPN    : vpn1

    Global VPN   : vpn2

    Config status: Active

 

  IP-to-IP:

    Local IP     : 192.168.1.2

    Global IP    : 172.16.2.2

    Local VPN    : vpn2

    Global VPN   : vpn1

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/1/1

    Config status: Active

 

  Interface: GigabitEthernet1/1/2

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

...

# Display NAT session information generated when Host A accesses Host B.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 192.168.1.2/42496

  Destination IP/port: 172.16.2.2/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn1/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/1

Responder:

  Source      IP/port: 192.168.1.2/42496

  Destination IP/port: 172.16.1.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn2/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/2

State: ICMP_REPLY

Application: INVALID

Start time: 2012-08-16 09:30:49  TTL: 27s

Initiator->Responder:            5 packets        420 bytes

Responder->Initiator:            5 packets        420 bytes

 

Total sessions found: 1

Load sharing NAT Server configuration example

Network requirements

As shown in Figure 17, three FTP servers in the intranet provide FTP services for external users. Configure NAT so that external users reach the servers through the single public address 202.38.1.1/16 and the three FTP servers share the load.

Figure 17 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Create NAT Server group 0, and add members to the group.

<Router> system-view

[Router] nat server-group 0

[Router-nat-server-group-0] inside ip 10.110.10.1 port 21

[Router-nat-server-group-0] inside ip 10.110.10.2 port 21

[Router-nat-server-group-0] inside ip 10.110.10.3 port 21

[Router-nat-server-group-0] quit

# Associate NAT Server group 0 with GigabitEthernet 1/1/2 so that servers in the server group can provide FTP services.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.1 ftp inside server-group 0

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that external hosts can access the internal FTP server group. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT server group information:

  Totally 1 NAT server groups.

  Group Number      Inside IP             Port    Weight

  0                 10.110.10.1           21      100

                    10.110.10.2           21      100

                    10.110.10.3           21      100

 

NAT internal server information:

  Totally 1 internal servers.

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.1/21

    Local IP/port : server group 0

                    10.110.10.1/21         (Connections: 1)

                    10.110.10.2/21         (Connections: 2)

                    10.110.10.3/21         (Connections: 2)

    Config status : Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

...

# Display NAT session information generated when external hosts access an internal FTP server.

[Router] display nat session verbose

Initiator:

  Source      IP/port: 202.38.1.25/53957

  Destination IP/port: 202.38.1.1/21

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/2

Responder:

  Source      IP/port: 10.110.10.3/21

  Destination IP/port: 202.38.1.25/53957

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/1

State: TCP_ESTABLISHED

Application: FTP

Start time: 2012-08-16 11:06:07  TTL: 26s

Initiator->Responder:            1 packets         60 bytes

Responder->Initiator:            2 packets        120 bytes

 

Total sessions found: 5

NAT with DNS mapping configuration example

Network requirements

As shown in Figure 18, the internal Web server at 10.110.10.1/16 and the internal FTP server at 10.110.10.2/16 provide services for external users. The company has three public addresses, 202.38.1.1 through 202.38.1.3. The DNS server at 202.38.1.4 is on the external network.

Configure NAT so that:

·     The public IP address 202.38.1.2 is used by external users to access the Web and FTP servers.

·     External users can use the public address or domain name of internal servers to access them.

·     Internal users can access the internal servers by using their domain names.

Figure 18 Network diagram

 

Requirements analysis

To meet the network requirements, perform the following tasks:

·     Configure NAT Server by mapping the private IP addresses and port numbers of the internal servers to a public address and port numbers so that external users can access the internal servers.

·     Configure NAT with DNS mapping and ALG so that the public IP address of an internal server carried in the payload of a DNS response is translated to the server's private IP address.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Enter interface view of GigabitEthernet 1/1/2.

[Router] interface gigabitethernet 1/1/2

# Configure NAT Server to allow external hosts to access the internal Web server by using the address 202.38.1.2.

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.1 http

# Configure NAT Server to allow external hosts to access the internal FTP server by using the address 202.38.1.2.

[Router-GigabitEthernet1/1/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.2 ftp

# Enable outbound NAT with Easy IP on interface GigabitEthernet 1/1/2.

[Router-GigabitEthernet1/1/2] nat outbound

[Router-GigabitEthernet1/1/2] quit

# Configure two DNS mapping entries by mapping the domain name www.server.com of the Web server to 202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.

[Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port http

[Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp

[Router] quit

Verifying the configuration

# Verify that both internal and external hosts can access the internal servers by using domain names. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: ---

    Address group ID: ---

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT internal server information:

  Totally 2 internal servers.

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.2/21

    Local IP/port : 10.110.10.2/21

    Config status : Active

 

  Interface: GigabitEthernet1/1/2

    Protocol: 6(TCP)

    Global IP/port: 202.38.1.2/80

    Local IP/port : 10.110.10.1/80

    Config status : Active

 

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name: ftp.server.com

  Global IP  : 202.38.1.2

  Global port: 21

  Protocol   : TCP(6)

  Config status: Active

 

  Domain name: www.server.com

  Global IP  : 202.38.1.2

  Global port: 80

  Protocol   : TCP(6)

  Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

...
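The DNS ALG step above is the part of this example that is easy to misread: a dns-map entry carries a protocol and port as well as an address, because both internal servers sit behind the same public address 202.38.1.2 and only the port identifies which NAT Server rule (and therefore which private address) applies. The following Python code is an added illustration, not H3C code and not part of this guide; it builds a constructed DNS reply, walks its resource records, and rewrites an A record exactly when its owner name has a dns-map entry, the record's address equals that entry's global IP, and the entry resolves to a NAT Server rule. The tables NAT_SERVER and DNS_MAP hold the values configured above; the packet format is standard DNS wire format.

```python
import struct
from ipaddress import IPv4Address

# Constructed tables that mirror the example configuration above.
# NAT Server entries: (protocol, global IP, global port) -> (local IP, local port)
NAT_SERVER = {
    ("tcp", "202.38.1.2", 80): ("10.110.10.1", 80),
    ("tcp", "202.38.1.2", 21): ("10.110.10.2", 21),
}
# DNS mapping entries: domain -> (protocol, global IP, global port).  The port
# is what tells the two servers behind the shared address 202.38.1.2 apart.
DNS_MAP = {
    "www.server.com": ("tcp", "202.38.1.2", 80),
    "ftp.server.com": ("tcp", "202.38.1.2", 21),
}

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def _decode_name(msg, off):
    """Decode a DNS name at msg[off]; returns (name, offset after the name)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_a_response(qname, ip, txid=0x1234):
    """Constructed reply from the external DNS server: one A record, TTL 60."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = _encode_name(qname) + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(ip).packed
    return header + question + answer

def _records(msg):
    """Yield (owner name, type, class, rdata offset, rdata length) for each RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _decode_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = _decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen

def a_records(msg):
    """All IN A records as (name, dotted address)."""
    return [(n, str(IPv4Address(bytes(msg[o:o + 4]))))
            for n, t, c, o, ln in _records(msg) if t == 1 and c == 1 and ln == 4]

def translate_dns_response(msg):
    """Emulate the DNS ALG on a reply heading to an internal host: an A record is
    rewritten only when its owner name has a dns-map entry, the record's address
    equals that entry's global IP, and the entry's (protocol, IP, port) matches a
    NAT Server rule.  Returns (rewritten message, [(name, global IP, local IP)])."""
    out = bytearray(msg)
    rewrites = []
    for name, rtype, rclass, off, rdlen in _records(msg):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        addr = str(IPv4Address(bytes(msg[off:off + 4])))
        entry = DNS_MAP.get(name.lower())
        if entry is None or entry[1] != addr or entry not in NAT_SERVER:
            continue
        local_ip = NAT_SERVER[entry][0]
        out[off:off + 4] = IPv4Address(local_ip).packed
        rewrites.append((name, addr, local_ip))
    return bytes(out), rewrites
```

A record for a name without a dns-map entry, or one that resolves to some other address, passes through untouched, which is why a stale dns-map entry silently stops working rather than misdirecting traffic.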

Static NAT444 configuration example

Network requirements

As shown in Figure 19, configure static NAT444 to allow users at private IP addresses 10.110.10.1 to 10.110.10.10 to use public IP address 202.38.1.100 for accessing the Internet. Configure the port range as 10001 to 15000, and set the port block size to 500.

Figure 19 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Create NAT port block group 1.

<Router> system-view

[Router] nat port-block-group 1

# Add the private IP addresses from 10.110.10.1 to 10.110.10.10 to the port block group.

[Router-port-block-group-1] local-ip-address 10.110.10.1 10.110.10.10

# Add the public IP address 202.38.1.100 to the port block group.

[Router-port-block-group-1] global-ip-pool 202.38.1.100 202.38.1.100

# Set the port block size to 500.

[Router-port-block-group-1] block-size 500

# Configure the port range as 10001 to 15000.

[Router-port-block-group-1] port-range 10001 15000

[Router-port-block-group-1] quit

# Apply the port block group 1 to the outbound direction of GigabitEthernet 1/1/2.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat outbound port-block-group 1

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that users at the private IP addresses can access the Internet. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

...

NAT port block group information:

  Totally 1 NAT port block groups.

  Port block group 1:

    Port range: 10001-15000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.110.10.1          10.110.10.10         ---

    Global IP pool information:

      Start address        End address

      202.38.1.100         202.38.1.100

 

NAT outbound port block group information:

  Totally 1 outbound port block group items.

  Interface: GigabitEthernet1/1/2

    Port block group: 1

    Config status   : Active

 

# Display static NAT444 mappings.

[Router] display nat port-block static

Static port-block mapping tables:

Local VPN     Local IP         Global IP        Port block     Connections

---           10.110.10.1      202.38.1.100     10001-10500    2

---           10.110.10.2      202.38.1.100     10501-11000    0

---           10.110.10.3      202.38.1.100     11001-11500    0

---           10.110.10.4      202.38.1.100     11501-12000    0

---           10.110.10.5      202.38.1.100     12001-12500    1

---           10.110.10.6      202.38.1.100     12501-13000    0

---           10.110.10.7      202.38.1.100     13001-13500    0

---           10.110.10.8      202.38.1.100     13501-14000    0

---           10.110.10.9      202.38.1.100     14001-14500    0

---           10.110.10.10     202.38.1.100     14501-15000    0

Dynamic NAT444 configuration example

Network requirements

As shown in Figure 20, a company uses private IP addresses on network 192.168.0.0/16 and the public IP addresses 202.38.1.2 and 202.38.1.3. Configure dynamic NAT444 to meet the following requirements:

·     Only users on subnet 192.168.1.0/24 can use public IP addresses 202.38.1.2 and 202.38.1.3 to access the Internet.

·     The port range for the public IP addresses is 1024 to 65535.

·     The port block size is 300.

·     If all ports in a user's assigned port block are in use, assign that user one more (extended) port block.

Figure 20 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Create public address group 0.

<Router> system-view

[Router] nat address-group 0

# Add the public IP addresses 202.38.1.2 and 202.38.1.3 to the NAT address group.

[Router-address-group-0] address 202.38.1.2 202.38.1.3

# Configure the port range as 1024 to 65535.

[Router-address-group-0] port-range 1024 65535

# Set the port block size to 300 and the extended port block number to 1.

[Router-address-group-0] port-block block-size 300 extended-block-number 1

[Router-address-group-0] quit

# Configure an ACL to identify packets from subnet 192.168.1.0/24.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Configure outbound NAT444 on interface GigabitEthernet 1/1/2.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] nat outbound 2000 address-group 0

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Verify that Host A can access external servers, but Host B and Host C cannot. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

  Totally 1 NAT address groups.

  Address group 0:

    Port range: 1024-65535

    Port block size: 300

    Extended block number: 1

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.3

 

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/2

    ACL: 2000

    Address group ID: 0

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

...

# Display NAT statistics.

[Router] display nat statistics

  Total session entries: 0

  Total EIM entries: 0

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 0

  Total dynamic port block entries: 430

  Active static port block entries: 0

  Active dynamic port block entries: 1
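The port block figures in the static and dynamic NAT444 examples above follow from the configured ranges, and it is worth being able to predict them: the static table that display nat port-block static prints, and the "Total dynamic port block entries: 430" that display nat statistics reports for two public addresses with range 1024 to 65535 and block size 300. The Python below is an added illustration, not H3C code and not part of this guide. It rebuilds the static mapping table from the port-block-group parameters and computes the dynamic pool capacity from the address-group parameters; the only assumption beyond the page (the page uses a single public address for static NAT444) is that with several public addresses the blocks of the first address are used up before the next address is started.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class PortBlock:
    local_ip: str
    global_ip: str
    start: int
    end: int

def ip_range(first, last):
    """Expand an inclusive IPv4 range into dotted addresses."""
    a, b = int(IPv4Address(first)), int(IPv4Address(last))
    if b < a:
        raise ValueError("range end precedes range start")
    return [str(IPv4Address(i)) for i in range(a, b + 1)]

def blocks_per_global_ip(port_start, port_end, block_size):
    """Whole port blocks one public address can provide; the partial block left
    at the top of the range is unusable (64512 ports / 300 = 215 blocks, 12 spare)."""
    if not 0 < port_start <= port_end <= 65535 or block_size <= 0:
        raise ValueError("invalid port range or block size")
    return (port_end - port_start + 1) // block_size

def static_nat444_table(local_first, local_last, global_first, global_last,
                        port_start, port_end, block_size):
    """Rebuild the table shown by 'display nat port-block static': private
    addresses in ascending order each get one fixed block.  ASSUMPTION (the page
    shows only one public address): blocks of the first public address are used
    up before the next public address is started."""
    per_ip = blocks_per_global_ip(port_start, port_end, block_size)
    locals_ = ip_range(local_first, local_last)
    globals_ = ip_range(global_first, global_last)
    if len(locals_) > per_ip * len(globals_):
        raise ValueError(f"{len(locals_)} private addresses need more than the "
                         f"{per_ip * len(globals_)} available port blocks")
    table = []
    for idx, lip in enumerate(locals_):
        start = port_start + (idx % per_ip) * block_size
        table.append(PortBlock(lip, globals_[idx // per_ip], start, start + block_size - 1))
    return table

def dynamic_nat444_capacity(addresses, port_start, port_end, block_size):
    """Total dynamic port block entries an address group can hand out, the figure
    'display nat statistics' reports as 'Total dynamic port block entries'."""
    return blocks_per_global_ip(port_start, port_end, block_size) * len(addresses)

def first_dynamic_block(port_start, block_size):
    """Port block the first user receives from a fresh public address."""
    return port_start, port_start + block_size - 1

def max_ports_per_user(block_size, extended_block_number=0):
    """Upper bound on concurrent ports one private host can hold: the initial
    block plus any extended blocks.  This bound is what keeps a single host
    from exhausting the pool for everyone else."""
    return block_size * (1 + extended_block_number)

def render(table):
    """Format like the 'display nat port-block static' output."""
    lines = [f"{'Local IP':<17}{'Global IP':<17}Port block"]
    for b in table:
        lines.append(f"{b.local_ip:<17}{b.global_ip:<17}{b.start}-{b.end}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(static_nat444_table("10.110.10.1", "10.110.10.10",
                                     "202.38.1.100", "202.38.1.100", 10001, 15000, 500)))
    print(dynamic_nat444_capacity(["202.38.1.2", "202.38.1.3"], 1024, 65535, 300))
```

Because a static NAT444 block is fixed per private address, the public address and port alone identify the internal host, which is what makes static NAT444 traceable without per-session logging.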

DS-Lite NAT444 configuration example

Network requirements

As shown in Figure 21, configure DS-Lite tunneling and NAT to allow the DS-Lite host to access the IPv4 network over the IPv6 network.

Figure 21 Network diagram

 

Configuration procedure

Before configuration, make sure the DS-Lite host and AFTR can reach each other through IPv6.

1.     Configure the AFTR:

# Specify an IPv4 address for GigabitEthernet 1/1/1.

<Router> system-view

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] ip address 20.1.1.1 24

[Router-GigabitEthernet1/1/1] quit

# Specify an IPv6 address for GigabitEthernet 1/1/2.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] ipv6 address 1::2 64

[Router-GigabitEthernet1/1/2] quit

# Create a tunnel interface on the AFTR.

[Router] interface tunnel 2 mode ds-lite-aftr

# Specify an IP address for the tunnel interface.

[Router-Tunnel2] ip address 30.1.2.2 255.255.255.0

# Specify GigabitEthernet 1/1/2 as the source interface for the tunnel.

[Router-Tunnel2] source gigabitethernet 1/1/2

[Router-Tunnel2] quit

# Enable DS-Lite tunneling on GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] ds-lite enable

[Router-GigabitEthernet1/1/1] quit

# Create public address group 0.

[Router] nat address-group 0

# Add public IP addresses 20.1.1.11 and 20.1.1.12 to the NAT address group.

[Router-address-group-0] address 20.1.1.11 20.1.1.12

# Configure the port range as 1024 to 65535.

[Router-address-group-0] port-range 1024 65535

# Set the port block size to 300.

[Router-address-group-0] port-block block-size 300

[Router-address-group-0] quit

# Configure an IPv6 ACL to identify packets from subnet 1::/64.

[Router] acl ipv6 basic 2100

[Router-acl-ipv6-basic-2100] rule permit source 1::/64

[Router-acl-ipv6-basic-2100] quit

# Configure DS-Lite NAT444 on GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] nat outbound ds-lite-b4 2100 address-group 0

[Router-GigabitEthernet1/1/1] quit

2.     Configure the DS-Lite host:

# Configure the IPv4 and IPv6 addresses of the DS-Lite host as 10.0.0.1 and 1::1/64. (Details not shown.)

# Configure a static route to the destination IPv4 network. (Details not shown.)

Verifying the configuration

# Use the display tunnel interface command to verify that the tunnel interface is up on the AFTR. (Details not shown.)

# Verify that the DS-Lite host can ping the IPv4 application server.

C:\> ping 20.1.1.2

Pinging 20.1.1.2 with 32 bytes of data:

Reply from 20.1.1.2: bytes=32 time=51ms TTL=255

Reply from 20.1.1.2: bytes=32 time=44ms TTL=255

Reply from 20.1.1.2: bytes=32 time=1ms TTL=255

Reply from 20.1.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 20.1.1.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 51ms, Average = 24ms

# Verify that the DS-Lite NAT444 configuration is correct.

[Router] display nat outbound

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/1/1

    DS-Lite B4 ACL: 2100

    Address group ID: 0

    Port-preserved: N    NO-PAT: N         Reversible: N

    Config status: Active

# Verify that the DS-Lite NAT444 configuration takes effect by checking the port block assignment.

[Router] display nat statistics

  Total session entries: 0

  Total EIM entries: 0

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 0

  Total dynamic port block entries: 430

  Active static port block entries: 0

  Active dynamic port block entries: 1

# Verify that a NAT444 mapping has been created for the DS-Lite host.

[Router] display nat port-block dynamic ds-lite-b4

Local VPN     DS-Lite B4 addr  Global IP        Port block   Connections

---           1::1             20.1.1.11        1024-1323    1

Total entries found: 1

NAT444 gateway unified with BRAS device configuration example

Network requirements

As shown in Figure 22, the host, a PPPoE client, is connected to the Internet through the router. The router acts as both the BRAS device and the NAT444 gateway. Configure the PPPoE server and NAT444 on the router to meet the following requirements:

·     The PPPoE server cooperates with the RADIUS server to authenticate the host by using CHAP, and assigns a private IP address to the host.

·     The PPPoE server uses shared key expert for secure RADIUS communication, and sends usernames with domain names to the RADIUS server.

·     NAT444 cooperates with BRAS, and assigns a public IP address and a port block after the host passes authentication and obtains a private IP address.

Figure 22 Network diagram

 

Configuration procedure

1.     Configure the RADIUS server (details not shown):

# Set the shared key for secure communication to expert.

# Add a user account and password for the PPP users connected to the router.

2.     Configure the router:

# Create RADIUS scheme rad.

<Router> system-view

[Router] radius scheme rad

# Specify the IP address of the primary accounting server and the primary authentication server as 10.0.0.1, and the service port of the primary authentication server as 1812.

[Router-radius-rad] primary accounting 10.0.0.1

[Router-radius-rad] primary authentication 10.0.0.1 1812

# Set the shared key to plaintext expert for secure communication.

[Router-radius-rad] key authentication simple expert

# Include domain names in the usernames sent to the RADIUS server.

[Router-radius-rad] user-name-format with-domain

[Router-radius-rad] quit

# Create ISP domain cgn.

[Router] domain cgn

# Specify RADIUS scheme rad for PPP user authentication, authorization, and accounting.

[Router-isp-cgn] authentication ppp radius-scheme rad

[Router-isp-cgn] authorization ppp radius-scheme rad

[Router-isp-cgn] accounting ppp radius-scheme rad

# Specify the user address type as private IPv4 address.

[Router-isp-cgn] user-address-type private-ipv4

[Router-isp-cgn] quit

# Create a PPP address pool and add IP addresses 10.210.0.2 to 10.210.0.255 to the pool.

[Router] ip pool 1 10.210.0.2 10.210.0.255

# Configure interface Virtual-Template 1 to use CHAP for authentication and use PPP address pool 1 for IP address assignment.

[Router] interface virtual-template 1

[Router-Virtual-Template1] ppp authentication-mode chap domain cgn

[Router-Virtual-Template1] remote address pool 1

[Router-Virtual-Template1] ip address 10.210.0.1 24

# Enable PPPoE server on GigabitEthernet 1/1/1 and bind the interface to Virtual-Template 1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] pppoe-server bind virtual-template 1

[Router-GigabitEthernet1/1/1] quit

# Configure ACL 2000 to identify packets from subnet 10.210.0.0/24.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule 0 permit source 10.210.0.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Create address group 1. Add public address 111.8.0.200, specify the port range as 1024 to 65535, and set the port block size to 10.

[Router] nat address-group 1

[Router-address-group-1] port-block block-size 10

[Router-address-group-1] port-range 1024 65535

[Router-address-group-1] address 111.8.0.200 111.8.0.200

# Configure outbound dynamic NAT444 on GigabitEthernet 1/1/2 to use address group 1 to translate packets permitted by ACL 2000.

[Router] interface gigabitethernet 1/1/2

[Router-GigabitEthernet1/1/2] ip address 111.8.0.101 255.255.255.0

[Router-GigabitEthernet1/1/2] nat outbound 2000 address-group 1

[Router-GigabitEthernet1/1/2] quit

Verifying the configuration

# Initiate a connection from the PPPoE client by entering the username and password.

# Execute the display ppp access-user command to display PPP user information, including the private IP address, translated public IP address, and port block. (Details not shown.)

# Verify that a dynamic NAT444 entry has been created for the user.

[Router] display nat port-block dynamic

Local VPN     Local IP         Global IP        Port block   Connections

---           10.210.0.4       111.8.0.200      1024-1033    0

Total entries found: 1
