Currently, LS81VSNP boards installed in S7500 series switches support the NAT feature. In this manual, the board is called line processor unit (LPU).

As described in RFC1631, network address translation (NAT) is the procedure of translating the IP address in the header of an IP packet into another IP address. NAT lets a private network that uses abundant private IP addresses but owns only a limited number of public IP addresses access the Internet, and therefore saves public IP address resources.

Private IP addresses refer to the addresses of hosts on an intranet. Public IP addresses refer to IP addresses that are globally unique on the Internet.

RFC1918 reserves the following three blocks of IP addresses for private networks:

- Class A: from 10.0.0.0 to 10.255.255.255
- Class B: from 172.16.0.0 to 172.31.255.255
- Class C: from 192.168.0.0 to 192.168.255.255

IP addresses in the above three blocks are not for use on the Internet, and users can use them within their enterprises freely without applying to the ISP or NIC.

The following figure depicts a basic NAT application.

Figure 1-1 Basic NAT procedure
As shown in Figure 1-1, the switch used as a NAT server is located at the boundary between the enterprise intranet and the external networks, and packets are exchanged between an internal PC and an external server as follows:

- When packet 1, sourced from the internal PC with IP address 192.168.1.3 and destined for the external server with IP address 202.120.10.2, arrives at the NAT server, the NAT process checks the packet header. If it finds that the packet is destined for an external site and matches a NAT rule, the process translates the private IP address (192.168.1.3) in the source address field of the packet header into the public IP address (202.169.10.1), which is routable on the Internet, sends the packet out, and records the address mapping in the NAT table.
- When response packet 2, sent from the external server to the internal PC with destination address 202.169.10.1, arrives at the NAT server, the NAT process checks the packet header, looks up the corresponding mapping in the NAT table, and replaces the destination address in the packet header with the private IP address of the internal PC.
The NAT procedure described above is transparent to the communicating ends, that is, the internal PC and the external server in Figure 1-1. The external server assumes that the IP address of the internal PC is 202.169.10.1 and does not know the address 192.168.1.3 at all. In this way, NAT ‘hides’ the enterprise intranet.

The advantage of NAT is that it enables internal hosts to access external network resources while keeping the internal addressing private. However, it also has a disadvantage: packets whose IP addresses or ports must be translated cannot be encrypted. For example, an encrypted FTP connection cannot be used; otherwise, the FTP port cannot be translated correctly.
According to the NAT procedure illustrated in Figure 1-1, when an internal host tries to access external networks, NAT selects a proper public address and substitutes it for the source address in the packets. In Figure 1-1, the IP address defined on the outbound interface of the NAT server is selected. In this case, only one internal host can access external networks at a time. This mode is called one-to-one NAT. When multiple internal hosts request to access external networks simultaneously, this type of NAT can only satisfy one of them.

A variation of NAT responds to concurrent requests. It allows a NAT server to be equipped with multiple public IP addresses. When the first internal host tries to access external networks, the NAT process selects a public address for it and adds a mapping record to the NAT table; when the second internal host tries to access external networks, the NAT process selects another public address, and so on. In this way, concurrent requests from multiple internal hosts are satisfied. This mode is called many-to-many NAT.

The features of the two NAT modes are described in the following table:
Table 1-1 NAT modes

| Mode | Feature |
| --- | --- |
| One-to-one NAT | The NAT server has only one public IP address. Only one internal host can access external networks at a time. |
| Many-to-many NAT | The NAT server has multiple public IP addresses. Concurrent requests from multiple internal hosts can be satisfied. |
- Since the probability that all internal hosts request access to external networks at the same time is very low, the number of internal hosts can be much larger than the number of public addresses on the NAT server.
- The number of public IP addresses needed depends on the statistical number of internal hosts that may request access to external networks at traffic peak.
Many-to-many NAT can be implemented by defining an address pool, and the control of NAT can be achieved by employing access control lists (ACLs).

1) An address pool is a collection of public IP addresses for NAT. Its configuration depends on the number of available public IP addresses, the number of internal hosts, and the practical application. During address translation, the NAT process selects an address from the address pool to use as the translated source address.

2) In practice, it is possible that only some specific internal hosts are expected to have access to the Internet. That is, when the NAT process checks the header of a packet, it determines whether the source IP address is in the address range with Internet access authority, and refuses to perform address translation for ineligible hosts. You can control the NAT process by employing ACL-associated NAT access rules to permit only specific hosts to access the Internet.
Normal NAT maps the IP address of an internal host to a public IP address. In this way, a public IP address currently used by an internal host is unavailable to other internal hosts for as long as that host uses it.

NAPT (network address port translation) is a variation of NAT. It enables the mapping of multiple internal addresses to the same public address, thereby allowing multiple internal hosts to access external networks simultaneously. This saves public addresses in a more efficient way.

NAPT mapping involves the mapping of IP addresses and transport layer protocol port numbers. Different internal addresses can be mapped to the same public address, while their port numbers are mapped to different port numbers of the public address, enabling those internal addresses to share the same public address. That is, NAPT implements the translation between <private address + port> and <public address + port>.

NAPT is also known as PAT or address overloading.

The following figure illustrates the fundamentals of NAPT.

Figure 1-2 NAPT address multiplexing
As shown in Figure 1-2, four packets containing internal addresses arrive at the switch acting as the NAT server:

- Packets 1 and 2 carry the same internal address but have different source port numbers.
- Packets 3 and 4 carry different internal addresses but have the same source port number.

By using NAPT mapping, the four packets are translated into packets that carry the same public address and different source port numbers. In this way, the differences between the four packets are preserved, and the NAT process can determine, from the destination address and port number carried by a received response packet, the internal host to which it is to be forwarded.
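The mapping-table behaviour described for Figure 1-1 (one-to-one and many-to-many NAT, addresses only) and for Figure 1-2 (NAPT, address plus port) can be replayed with the following Python model. It is an added illustration, not code from this manual or from the S7500 software; the packets, the pool addresses and the public port numbering (starting at 10240) are constructed for the example.

```python
"""Model of the NAT table kept by a NAT server: one-to-one / many-to-many
NAT (addresses only, the no-pat behaviour) and NAPT (address + port).
Added illustration; the S7500 implementation is not shown on this page."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """mode="no-pat": each internal host takes one address from the pool and
    ports are untouched (one-to-one when the pool holds a single address,
    many-to-many otherwise).
    mode="napt": every host shares the first pool address and each
    (host, port) pair is given its own public port (numbering upwards from
    first_port is an assumption of this model)."""

    def __init__(self, pool, mode="no-pat", first_port=10240):
        self.pool = list(pool)
        self.mode = mode
        self.out = {}    # private key -> public key
        self.back = {}   # public key -> private key
        self.ports = count(first_port)

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Outbound packet: create or reuse a mapping, rewrite the source."""
        if self.mode == "no-pat":
            if pkt.src_ip not in self.out:
                free = [a for a in self.pool if a not in self.back]
                if not free:
                    return None  # pool exhausted: this host cannot go out now
                self.out[pkt.src_ip] = free[0]
                self.back[free[0]] = pkt.src_ip
            return Packet(self.out[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            pub = (self.pool[0], next(self.ports))
            self.out[key] = pub
            self.back[pub] = key
        pub_ip, pub_port = self.out[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Response from the external side: look up the mapping and rewrite
        the destination. No mapping means nothing is delivered inside."""
        if self.mode == "no-pat":
            priv = self.back.get(pkt.dst_ip)
            if priv is None:
                return None
            return Packet(pkt.src_ip, pkt.src_port, priv, pkt.dst_port)
        priv = self.back.get((pkt.dst_ip, pkt.dst_port))
        if priv is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv[0], priv[1])


def demo():
    """Replay the two figures with constructed packets."""
    server = "202.120.10.2"
    # Figure 1-1: a single public address with no-pat; a second host is refused
    one = NatTable(["202.169.10.1"], mode="no-pat")
    p1 = one.translate_out(Packet("192.168.1.3", 1025, server, 80))
    p2 = one.translate_out(Packet("192.168.1.4", 1025, server, 80))
    reply = one.translate_in(Packet(server, 80, "202.169.10.1", 1025))
    # Figure 1-2: four packets share one public address through NAPT
    napt = NatTable(["202.169.10.1"], mode="napt")
    inside = [("10.1.1.1", 1024), ("10.1.1.1", 1025),
              ("10.1.1.2", 2000), ("10.1.1.3", 2000)]
    outs = [napt.translate_out(Packet(ip, port, server, 80)) for ip, port in inside]
    return p1, p2, reply, outs, napt


if __name__ == "__main__":
    p1, p2, reply, outs, napt = demo()
    print(p1, p2, reply, sep="\n")
    for o in outs:
        print(o)
```

The same class with a two-address pool in no-pat mode gives many-to-many NAT: the first two hosts each receive a pool address and the third is refused until a mapping is released. Note that translate_in returns None for any inbound packet without a mapping, which is the property that makes the intranet unreachable from outside unless an internal server is configured.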
The Easy IP feature enables you to use the IP address of a VLAN interface connected to an external network as the source IP address of a NAT-translated packet by configuring nat outbound rules. This feature applies when only one public IP address is available or there are a limited number of internal hosts.
NAT conceals the internal network topology and acts as a shield for internal hosts. But in practical applications, it might be required to allow external hosts to access certain internal devices such as internal WWW servers or FTP servers. By using NAT, you can flexibly add internal servers. For example, you can:

- Use a public IP address (such as 202.169.10.10) as the public address for an internal WWW server.
- Use a public IP address (such as 202.110.10.11) as that for an FTP server.
- Use a public IP address and a port number (such as 202.110.10.12:8080) as the public address for an internal WWW server.
The Comware NAT platform not only implements the general NAT features, but also provides a complete NAT application-level gateway (ALG) mechanism, enabling it to support a variety of special application protocols without any change. It has excellent scalability.

The special protocols supported by NAT include Internet control message protocol (ICMP), domain name system (DNS), Internet locator service (ILS), H.323, FTP, and NetMeeting 3.01.

Table 1-2 describes the NAT configuration tasks.

Table 1-2 NAT configuration
An address pool is a collection of consecutive public IP addresses. During address translation, the NAT server selects an IP address from the address pool to be the translated source address. Use the nat address-group command to configure an address pool.

Table 1-3 Configure an address pool

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure an address pool | nat address-group group-number start-addr end-addr | Required |
Caution:

- The number of addresses included in an address pool (the length of the address pool) cannot exceed 256.
- No IP address in a NAT address pool can be used in the internal network.
- No IP address in a NAT address pool can be configured as the broadcast IP address or the segment (network) IP address.
- You cannot delete an address pool that is associated with an ACL.
By configuring the association between ACLs and the NAT address pool (or the interface addresses), you can make the NAT server perform address translation only for packets matching the ACL rules. Packets that do not match the ACL rules are forwarded on Layer 3 instead of being translated. Before a packet from the intranet is forwarded to external networks, it is first checked against the ACLs to see if it matches the translation criteria. If it does, the NAT process finds the corresponding address pool or interface address by referring to the association, and then translates the packet.

Use the nat outbound command to associate an ACL with an address pool or interface address. Different NAT modes need different configurations.
I. Configuring NAT
Use the following command to associate an ACL with an address pool and designate the LPU implementing NAT.

Table 1-4 Configure one-to-one NAT

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure one-to-one NAT | nat outbound acl-number address-group group-number no-pat slot slot-number | Required |

The no-pat keyword indicates that only the IP addresses in data packets are translated while the port number information in the TCP/UDP header is left unchanged. That is, NAT is based on the mapping between the internal IP address and the external IP address only.
II. Configuring NAPT
Use the following command to associate an ACL with an address pool.

Table 1-5 Configure NAPT

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure NAPT | nat outbound acl-number address-group group-number slot slot-number | Required |
By comparing Table 1-4 and Table 1-5, we can draw the following conclusions:

- With the no-pat keyword, only the IP addresses of data packets are translated while the port number information remains unchanged, that is, one-to-one NAT.
- Without the no-pat keyword, NAPT is enabled: both the IP addresses and port numbers of data packets are translated, which implements many-to-one NAT.

Caution:

In the NAPT mode, the address pool can have up to three addresses.
III. Configuring the Easy IP feature

If you do not specify the address-group keyword in the nat outbound command, the Easy IP feature is enabled. That is, when performing NAT, the IP address of the VLAN interface on the NAT server is used as the translated source address. By employing ACLs, you can also control which internal network addresses are eligible for NAT.
Table 1-6 Configure the Easy IP feature

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure the NAT Easy IP feature | nat outbound acl-number slot slot-number | Required |
Caution:

- For the NAT function, a basic ACL (2000 to 2999) supports only the source IP address as the filtering item, and an advanced ACL (3000 to 3999) supports both the source IP address and the destination IP address as filtering items. Other ACL filtering items are not supported currently.
- After you have configured the nat outbound command, modifications to the ACL (adding or deleting a rule) have no effect.
- You can configure multiple rules on the same VLAN interface by executing the nat outbound command several times, but these rules can only be configured on the same LPU.
- If a VLAN interface is configured with multiple nat outbound rules, the device refers to the ACL numbers bound to the rules to determine their priorities: the bigger the ACL number, the higher the priority. The priority of a rule within an ACL depends on your configuration order, that is, the smaller the rule number, the higher its priority.
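The rule-selection order stated in the caution (bigger ACL number first, then smaller rule number first, basic ACLs on source only, advanced ACLs on source and destination) is easy to get wrong when several nat outbound rules share an interface. The following Python model, added here and not part of the manual or of the switch software, resolves which address group (or Easy IP) a packet would be translated with. The ACL numbers, networks and address-group number are constructed; treating a matching deny rule as "stop, forward untranslated" is an assumption of the model, since the page does not state how a deny rule interacts with further nat outbound rules.

```python
"""Which nat outbound rule, if any, translates an outbound packet.
Added model of the ACL-priority rules given in the caution above."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class AclRule:
    number: int                 # rule number given when the rule was configured
    action: str                 # "permit" or "deny"
    src: str                    # source network, e.g. "192.168.1.0/24"
    dst: Optional[str] = None   # destination network (advanced ACLs only)


@dataclass(frozen=True)
class NatOutbound:
    acl: int                              # ACL bound by the nat outbound command
    address_group: Optional[int] = None   # None = Easy IP (interface address)


def _rule_matches(acl_number: int, rule: AclRule, src_ip: str, dst_ip: str) -> bool:
    if rule.dst is not None and acl_number < 3000:
        raise ValueError(f"basic ACL {acl_number} cannot filter on destination")
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is None:
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)


def select_translation(outbounds: List[NatOutbound], acls: Dict[int, List[AclRule]],
                       src_ip: str, dst_ip: str) -> Optional[Union[int, str]]:
    """Return the address-group number or "easy-ip" the packet is translated
    with, or None when it is forwarded on Layer 3 untranslated.

    Rules are visited with the bigger ACL number first; inside an ACL the
    smaller rule number wins. A matching deny rule ends the search and
    leaves the packet untranslated (assumption of this model)."""
    for ob in sorted(outbounds, key=lambda o: o.acl, reverse=True):
        if not 2000 <= ob.acl <= 3999:
            raise ValueError(f"ACL {ob.acl}: NAT accepts basic (2000-2999) "
                             "and advanced (3000-3999) ACLs only")
        for rule in sorted(acls.get(ob.acl, []), key=lambda r: r.number):
            if _rule_matches(ob.acl, rule, src_ip, dst_ip):
                if rule.action == "deny":
                    return None
                return "easy-ip" if ob.address_group is None else ob.address_group
    return None


# Constructed configuration: two nat outbound rules on one VLAN interface.
ACLS = {
    2001: [AclRule(0, "permit", "192.168.1.0/24")],
    3001: [AclRule(0, "deny", "192.168.1.0/24", "202.120.10.0/24"),
           AclRule(5, "permit", "192.168.2.0/24")],
}
OUTBOUNDS = [NatOutbound(2001, address_group=1), NatOutbound(3001)]


def demo() -> list:
    cases = [("192.168.1.3", "202.120.10.2"),   # denied by ACL 3001 rule 0
             ("192.168.1.3", "198.51.100.7"),   # falls through to ACL 2001
             ("192.168.2.5", "198.51.100.7"),   # ACL 3001 rule 5 -> Easy IP
             ("172.16.0.9", "198.51.100.7")]    # no rule matches: Layer 3 only
    return [select_translation(OUTBOUNDS, ACLS, s, d) for s, d in cases]


if __name__ == "__main__":
    print(demo())
```

Because the caution also says that ACL changes made after nat outbound have no effect, the rule set this model evaluates must be the one that existed when the command was entered; if an ACL is edited later, re-enter the nat outbound command or expect the old rules to keep applying.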
By configuring internal servers, you can map external addresses and ports to internal servers, enabling external hosts to access internal servers. Use the nat server command to configure the mapping table between internal servers and external hosts. The information you need to input includes: external addresses, external ports, the addresses and port numbers of the internal servers, and the service protocol.
Table 1-7 Configure an internal server

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure an internal server (when employing TCP/UDP) | nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number | Perform configuration as required |
| Configure an internal server (when employing protocols other than TCP/UDP) | nat server protocol pro-type global global-addr inside host-addr slot slot-number | Perform configuration as required |
| Configure a group of consecutive internal servers | nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number | Perform configuration as required |
Caution:

- Up to 128 internal servers can be configured for a nat server command.
- Up to 768 nat server commands can be configured for a VLAN interface.
- Up to 4096 internal servers can be configured for a VLAN interface.
- Up to 1024 nat server commands and 4096 internal servers can be configured in a system.
In the previous commands, the global-addr and global-port arguments indicate respectively the IP address and service port number provided for external devices to access the internal servers; the host-addr and host-port arguments indicate respectively the IP address and service port number of the server in the internal network. The global-port and host-port arguments are not needed if protocols other than TCP and UDP are employed.

Note that the valid range for the host-port argument is from 0 to 65,535. You can use a keyword to indicate a frequently used port number. For example, you can use www for the WWW service port number 80, and ftp for the FTP service port number 21. Port number 0 corresponds to the keyword any and means the internal server can provide any service, but this is not supported currently.
- If an internal server operates as an ICMP server and its public IP address overlaps with that of the VLAN interface on the NAT device, the external public IP address cannot be successfully pinged from the NAT device. However, if you specify the source IP address with the -a keyword before pinging the external IP address, this problem can be avoided.
- Currently, translating one NAT connection twice is not supported.
- Hosts on an intranet can only access the internal servers through the private IP addresses instead of the public IP addresses of the internal servers.
- To use the NetMeeting software or enable an internal FTP server, you have to configure both the nat server and nat outbound commands. For details, refer to 1.3.3 “Configuring NAT”.
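To make the argument layout of the three nat server forms concrete, the following Python model expands each form into the mapping entries it creates and resolves inbound packets against them, applying the 128-servers-per-command limit, the www/ftp port keywords, the unsupported port 0, and the caveat that intranet hosts cannot reach an internal server by its public address. This is an added example, not code from the manual or the switch; the public addresses reuse the examples given on this page, the private addresses are constructed, and the assumption that the consecutive-server form maps global-port1..global-port2 in order onto host-addr1..host-addr2 (each at host-port) is the author's reading of the command syntax.

```python
"""Expand nat server commands into mapping entries and resolve inbound
packets against them. Added model of the command arguments described above;
the consecutive-server form is assumed to map global-port1..global-port2 on
global-addr, in order, onto host-addr1..host-addr2 at host-port."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

PORT_KEYWORDS = {"www": 80, "ftp": 21}   # keywords named on this page
MAX_SERVERS_PER_COMMAND = 128            # limit stated in the caution above


@dataclass(frozen=True)
class ServerEntry:
    proto: str
    global_addr: str
    global_port: Optional[int]
    host_addr: str
    host_port: Optional[int]


def _port(value: Union[int, str]) -> int:
    if isinstance(value, str):
        value = PORT_KEYWORDS[value.lower()]
    if value == 0:
        raise ValueError("port 0 (any) is not supported currently")
    if not 0 <= value <= 65535:
        raise ValueError(f"port {value} out of range 0-65535")
    return value


def nat_server(proto: str, global_addr: str, host_addr: str,
               global_port=None, host_port=None,
               global_port2=None, host_addr2: Optional[str] = None) -> List[ServerEntry]:
    """Return the entries one nat server command adds to the mapping table."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        # Other protocols carry no port: address-only mapping.
        return [ServerEntry(proto, global_addr, None, host_addr, None)]
    gport, hport = _port(global_port), _port(host_port)
    if global_port2 is None:
        return [ServerEntry(proto, global_addr, gport, host_addr, hport)]
    gport2 = _port(global_port2)
    first, last = ipaddress.ip_address(host_addr), ipaddress.ip_address(host_addr2)
    count = int(last) - int(first) + 1
    if count != gport2 - gport + 1:
        raise ValueError("global port range and inside host range differ in size")
    if count > MAX_SERVERS_PER_COMMAND:
        raise ValueError(f"at most {MAX_SERVERS_PER_COMMAND} servers per nat server command")
    return [ServerEntry(proto, global_addr, gport + i, str(first + i), hport)
            for i in range(count)]


def lookup_inbound(entries: List[ServerEntry], proto: str, dst_addr: str,
                   dst_port: Optional[int],
                   from_intranet: bool = False) -> Optional[Tuple[str, Optional[int]]]:
    """Internal destination the NAT server rewrites a packet to, or None if no
    entry matches. Intranet hosts must use the private address directly, so
    the public address is never resolved for them."""
    if from_intranet:
        return None
    for e in entries:
        if (e.proto == proto.lower() and e.global_addr == dst_addr
                and (e.global_port is None or e.global_port == dst_port)):
            return (e.host_addr, e.host_port)
    return None


# Constructed mapping table built from the public addresses used on this page.
ENTRIES = (
    nat_server("tcp", "202.169.10.10", "10.1.1.1", "www", "www")
    + nat_server("tcp", "202.110.10.11", "10.1.1.2", "ftp", "ftp")
    + nat_server("tcp", "202.110.10.12", "10.1.1.10", 8080, 80, 8082, "10.1.1.12")
    + nat_server("icmp", "202.110.10.13", "10.1.1.20")
)

if __name__ == "__main__":
    for e in ENTRIES:
        print(e)
    print(lookup_inbound(ENTRIES, "tcp", "202.110.10.12", 8081))
```

The lookup deliberately matches only (protocol, global address, global port): anything arriving for a public address and port that has no entry gets None, which is the behaviour that keeps unpublished internal services unreachable.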
Different from a standard internal FTP server, a non-standard internal FTP server has a larger range of ports available to the private network, as described in the following.

- For a standard internal FTP server, ports 0 through 12,287 are available to the public network, but only port 21 is available to the private network.
- For a non-standard internal FTP server, ports 0 through 12,287 are available to the public network (the same as for a standard internal FTP server), and ports 0 through 65,535 are available to the private network.

Caution:

Among the ports of a non-standard internal FTP server available to the private network (that is, port 0 through port 65,535), do not use well-known ports other than port 21. (The CLI will prompt you if you specify them in the commands listed in the following table.)
Table 1-8 Configure a non-standard internal FTP server

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure a non-standard internal FTP server | nat ftp server global global-addr global-port inside host-addr host-port slot slot-number | |
By configuring NAT blacklist attributes, you can control the number of connections and the connection set-up rate, and set the thresholds for both. Use the nat blacklist commands to configure NAT blacklist attributes.

Table 1-9 Configure NAT blacklist attributes

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable the NAT blacklist feature for a specified LPU | nat blacklist start slot slot-number | Required. By default, this function is disabled. |
| Set the control mode of the NAT blacklist feature | nat blacklist mode { all \| amount \| rate } | Required |
| Set the threshold for controlling the number of connections | nat blacklist limit amount [ source user-ip ] amount-value | Optional |
| Set the threshold for controlling the set-up rate | nat blacklist limit rate [ source ip ] cir cir-value [ cbs cbs-value ebs ebs-value ] | Optional |
| Set the IP address that needs a special mode for limiting the set-up rate | nat blacklist limit rate source user-ip | Optional |
Caution:

- Each command that modifies blacklist-related configurations that are not source IP address-specific must be coupled with the reset nat session command.
- Although each LPU installed in a switch maintains its own blacklist information, a blacklist-related command executed on the switch applies to all LPUs in the switch that have the blacklist function enabled.
1.3.7 Configuring the Aging Time of NAT Connections
You can use the nat aging-time command to set the NAT connection aging times for CPU-processed ALG (application layer gateway) NAT mapping entries and NP-processed NAT mapping entries (NP: short for network processor). A mapping entry of either type is removed from the NAT mapping table when the corresponding aging time expires.
Table 1-10 Configure the aging time of NAT connections

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure the aging time of NAT connections | nat aging-time { alg time-value \| np slow } slot slot-number | Optional. By default, the aging time of an ALG NAT mapping entry is 120 seconds. An NP uses the fast aging timer, and the aging time is 300 seconds. |
The security log is used to record the detailed procedure information of the NAT process. The security log includes the following items:

- The source IP addresses and port numbers before translation
- The destination IP addresses and port numbers before translation
- The translated source IP addresses and port numbers
- The start time and end time of the NAT process
I. Enabling NAT logging
Use the ip userlog nat command to enable NAT logging.

Table 1-11 Enable NAT logging

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable NAT logging | ip userlog nat slot slot-number acl acl-number | Optional. By default, this function is disabled. |
II. Setting the time the NAT process must wait before logging a NAT connection

If a connection is still active after a configured period, the NAT process will log the connection. Use the ip userlog nat active-time command to set the time after which the NAT process starts to perform logging.

Perform the following configuration in system view.

Table 1-12 Set the time the NAT process must wait before logging a NAT connection

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set the time the NAT process must wait before starting to log a NAT connection | ip userlog nat active-time minutes | Optional. By default, this function is disabled. |
III. Setting the address and port number of the destination server for log packets

Use the ip userlog nat export command to set the address and port number of the destination server for log packets.

Table 1-13 Set the address and port number of the destination server for log packets

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set the address and port number of the destination server for log packets | ip userlog nat export [ slot slot-number ] host ip-address udp-port | Optional. By default, the value of ip-address is 0.0.0.0, which means the logging function is disabled, and the value of udp-port is 0. |

If you specify the slot-number argument, the configuration is only effective for the specified NAT board; otherwise, the configuration is effective for all NAT boards.
IV. Setting the source IP address of log packets

Use the ip userlog nat export source-ip command to set the source address of the log packets.

Table 1-14 Set the source address of the log packets

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set the source address of the log packet | ip userlog nat export source-ip src-address | Optional. By default, the source IP address of the log packet is 0.0.0.0. |
V. Setting the version of the log packets

Use the ip userlog nat export version command to set the version of the log packets.

Table 1-15 Set the version of the log packets

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set the version of the log packet | ip userlog nat export version version-number | Optional. By default, the version of the log packet is 1. |
VI. Setting NAT logging mode

Choose one of the following two NAT logging modes:

- Perform logging only when a NAT connection is deleted.
- Perform logging when a NAT connection is established or deleted.

Use the ip userlog nat mode flow-begin command to make the NAT server start logging when a NAT connection is established.

Table 1-16 Set NAT logging mode

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set the NAT server to start logging when a connection is established | ip userlog nat mode flow-begin | Optional. By default, the NAT server performs logging only when a NAT connection is deleted. |
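For an operations team that relies on NAT logs to tie a public address and port back to an internal host, the practical question is which records the settings in Tables 1-11 to 1-16 actually produce over the life of a connection. The following Python model, added here and not part of the manual or of the switch software, replays one constructed connection under the default settings, with flow-begin, and with an active-time, and shows that nothing is exported at all while the destination stays at its 0.0.0.0:0 default. The record fields follow the items listed for the security log; the record layout itself, the event names and the single "active" record per connection are assumptions of the model, not the switch's export format.

```python
"""Records the NAT security log produces over the life of one NAT connection
under the logging settings described above. Added model; the export packet
format is not shown on this page and is not reproduced."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_ip: str
    nat_port: int
    start: int                 # seconds since an arbitrary epoch (constructed)
    end: Optional[int] = None
    active_logged: bool = False


@dataclass
class NatLogger:
    export_host: str = "0.0.0.0"            # ip userlog nat export host ...
    export_port: int = 0                    # default 0.0.0.0 / 0 = disabled
    flow_begin: bool = False                # ip userlog nat mode flow-begin
    active_minutes: Optional[int] = None    # ip userlog nat active-time
    version: int = 1                        # ip userlog nat export version
    records: List[dict] = field(default_factory=list)

    def enabled(self) -> bool:
        return self.export_host != "0.0.0.0" and self.export_port != 0

    def _emit(self, s: Session, event: str, now: int) -> None:
        if not self.enabled():
            return
        self.records.append({
            "event": event, "version": self.version,
            "src": (s.src_ip, s.src_port), "dst": (s.dst_ip, s.dst_port),
            "translated_src": (s.nat_ip, s.nat_port),
            "start": s.start, "end": s.end, "logged_at": now,
        })

    def on_established(self, s: Session) -> None:
        if self.flow_begin:
            self._emit(s, "begin", s.start)

    def on_tick(self, s: Session, now: int) -> None:
        """Periodic check: log a connection once it has outlived active-time."""
        if (self.active_minutes is not None and not s.active_logged
                and now - s.start >= self.active_minutes * 60):
            s.active_logged = True
            self._emit(s, "active", now)

    def on_deleted(self, s: Session, now: int) -> None:
        s.end = now
        self._emit(s, "end", now)


def run(logger: NatLogger) -> List[str]:
    """Replay one constructed connection and return the event names logged."""
    s = Session("192.168.1.3", 1025, "202.120.10.2", 80, "202.169.10.1", 10240, start=0)
    logger.on_established(s)
    for now in (60, 120, 180, 240, 300, 360):
        logger.on_tick(s, now)
    logger.on_deleted(s, 400)
    return [r["event"] for r in logger.records]


if __name__ == "__main__":
    for cfg in (NatLogger(), NatLogger("10.9.9.9", 9000),
                NatLogger("10.9.9.9", 9000, flow_begin=True),
                NatLogger("10.9.9.9", 9000, active_minutes=5)):
        print(cfg.export_host, cfg.export_port, cfg.flow_begin, cfg.active_minutes, run(cfg))
```

The point the replay makes for incident response: in the default mode the only record for a connection arrives when it is deleted, so a long-lived connection is invisible in the collector until it ends unless flow-begin or an active-time is configured, and no record is produced at all if ip userlog nat export host was never set.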
After the above configurations, execute the display command in any view to display and verify NAT configurations.

You can clear the NAT mapping table by using the reset nat session command in user view.

Table 1-17 Display NAT configuration

| Operation | Command |
| --- | --- |
| Display the configuration of the address pool | display nat address-group |
| Display the aging time of NAT table entries for various protocols | display nat aging-time |
| Display the configurations and operation states of blacklists | |