MSR Routers Configure Internal and External Users to Access Internal Servers
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring internal and external users to access internal servers by using NAT addresses
Introduction
The following information provides examples for configuring internal and external users to access internal servers by using NAT addresses on MSR routers.
Prerequisites
This document applies to Comware 7-based MSR router series. Procedures and information in the examples might be slightly different depending on the software or hardware version of the router.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of NAT.
Example: Configuring internal and external users to access internal servers by using NAT addresses
Network configuration
As shown in Figure 1, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses: 202.38.1.1 and 202.38.1.2.
Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.
Analysis
· To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.
· To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:
  ◦ Enable NAT hairpin on the interface connected to the internal network.
  ◦ Configure outbound NAT on the interface where the NAT server mapping is configured. The destination address is translated by matching the NAT server mapping. The source address is translated by matching the outbound NAT.
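The two translations described above, traced for Host A (192.168.1.2, taken from the session output later on this page), as an added Python example that is not part of the H3C document. `HairpinNat` is a simplified, hypothetical model rather than Comware's implementation; it shows why the reply matches the client's connection only when the source address is translated as well.

```python
from ipaddress import ip_address, ip_network

# Addresses from the page's topology; port 1025 matches the session output.
INSIDE_NET = ip_network("192.168.1.0/24")               # ACL 2000
SERVER_MAP = {("202.38.1.2", 21): ("192.168.1.4", 21)}  # nat server mapping
EASY_IP = "202.38.1.1"                                  # GigabitEthernet1/0/2


class HairpinNat:
    """Simplified model of the hairpin path, not Comware's implementation."""

    def __init__(self, source_nat=True, first_port=1025):
        self.source_nat = source_nat
        self.next_port = first_port
        self.sessions = {}  # tuple the server replies with -> tuple the client expects

    def forward(self, src, sport, dst, dport):
        """Translate a packet an internal host sends to the public address."""
        if (dst, dport) not in SERVER_MAP:
            return None
        new_dst, new_dport = SERVER_MAP[(dst, dport)]      # destination NAT
        new_src, new_sport = src, sport
        if self.source_nat and ip_address(src) in INSIDE_NET:
            new_src, new_sport = EASY_IP, self.next_port   # source NAT (Easy IP)
            self.next_port += 1
        self.sessions[(new_dst, new_dport, new_src, new_sport)] = (dst, dport, src, sport)
        return (new_src, new_sport, new_dst, new_dport)

    def reply(self, src, sport, dst, dport):
        """Return the reply as the client receives it."""
        if ip_address(dst) in INSIDE_NET:
            # Client is on the server's own subnet: the reply is delivered
            # directly and never passes through the router for translation.
            return (src, sport, dst, dport)
        return self.sessions.get((src, sport, dst, dport))


def hairpin_roundtrip(source_nat):
    """Send one FTP control packet from Host A and report what comes back."""
    sent = ("192.168.1.2", 1694, "202.38.1.2", 21)
    nat = HairpinNat(source_nat=source_nat)
    seen_by_server = nat.forward(*sent)
    s_src, s_sport, s_dst, s_dport = seen_by_server
    received = nat.reply(s_dst, s_dport, s_src, s_sport)
    # The client accepts only a reply that mirrors the tuple it sent.
    accepted = received == (sent[2], sent[3], sent[0], sent[1])
    return seen_by_server, received, accepted
```

`hairpin_roundtrip(True)` reproduces the tuples in the page's session output; `hairpin_roundtrip(False)` returns a reply sourced from 192.168.1.4, which the client does not associate with its connection to 202.38.1.2.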
Software versions used
This configuration example was created and verified on R6749P14 of the MSR3610-X1 router.
Procedures
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.
<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure a NAT server mapping on GigabitEthernet 1/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp
# Enable outbound NAT with Easy IP on GigabitEthernet 1/0/2 so that NAT translates the source addresses of the packets from internal hosts into the IP address of GigabitEthernet 1/0/2.
[Router-GigabitEthernet1/0/2] nat outbound 2000
[Router-GigabitEthernet1/0/2] quit
# Enable NAT hairpin on GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] nat hairpin enable
[Router-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display all NAT configuration information.
[Router] display nat all
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: ---
    Port-preserved: N    NO-PAT: N    Reversible: N
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.2/21
    Local IP/port : 192.168.1.4/21
    Rule name     : ServerRule_1
    NAT counting  : 0
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled
  NO-PAT IP usage     : Disabled

NAT hairpinning:
  Totally 1 interfaces enabled with NAT hairpinning.
  Interface: GigabitEthernet1/0/1
    Config status: Active

NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RTSP       : Enabled
  RSH        : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled

Static NAT load balancing: Disabled
# Display detailed information about NAT sessions generated when Host A accesses the FTP server.
[Router] display nat session verbose
Slot 0:
Total sessions found: 0

Slot 2:
Initiator:
  Source IP/port: 192.168.1.2/1694
  Destination IP/port: 202.38.1.2/21
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source IP/port: 192.168.1.4/21
  Destination IP/port: 202.38.1.1/1025
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: FTP
Rule ID: -/-/-
Rule name:
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes

Total sessions found: 1
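An added Python example (not from the H3C document) that parses `display nat session verbose` output and flags hairpinned sessions by the pattern visible above: the initiator targets the NAT server's public address, the responder's destination is the Easy IP address, and both directions enter on the same interface. The second session in the sample is constructed, and the field layout for an external client is assumed to match the one shown on this page.

```python
import re

# Constructed sample: session 1 is the page's hairpin session trimmed to the
# parsed fields; session 2 is a made-up external client (198.51.100.7).
SAMPLE = """\
Initiator:
  Source IP/port: 192.168.1.2/1694
  Destination IP/port: 202.38.1.2/21
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source IP/port: 192.168.1.4/21
  Destination IP/port: 202.38.1.1/1025
  Inbound interface: GigabitEthernet1/0/1
Initiator:
  Source IP/port: 198.51.100.7/40000
  Destination IP/port: 202.38.1.2/21
  Inbound interface: GigabitEthernet1/0/2
Responder:
  Source IP/port: 192.168.1.4/21
  Destination IP/port: 198.51.100.7/40000
  Inbound interface: GigabitEthernet1/0/1
"""
ADDR = re.compile(r"(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)$")
IFACE = re.compile(r"Inbound interface:\s*(\S+)$")


def parse_sessions(text):
    """Return one dict per session with 'initiator' and 'responder' fields."""
    sessions, side = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "Initiator:":
            sessions.append({"initiator": {}, "responder": {}})
            side = "initiator"
        elif line == "Responder:" and sessions:
            side = "responder"
        elif side and (m := ADDR.match(line)):
            sessions[-1][side][m.group(1).lower()] = (m.group(2), int(m.group(3)))
        elif side and (m := IFACE.match(line)):
            sessions[-1][side]["iface"] = m.group(1)
    return sessions


def is_hairpin(s, global_addr=("202.38.1.2", 21), easy_ip="202.38.1.1"):
    """True when an inside host reached the server via the public address."""
    i, r = s["initiator"], s["responder"]
    return (i.get("destination") == global_addr
            and i.get("iface") is not None and i.get("iface") == r.get("iface")
            and r.get("destination", ("", 0))[0] == easy_ip)
```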
Configuration files
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
 nat hairpin enable
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 202.38.1.1 255.255.255.0
 nat outbound 2000
 nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 21
#
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
#
Related documentation
· Layer 3—IP Services Configuration Guide in H3C MSR Router Series Comware 7 Configuration Guides
· Layer 3—IP Services Command Reference in H3C MSR Router Series Comware 7 Command References