04-Layer 3 Configuration Guide
13-NAT Configuration
Configuring address translation
Configuring an internal server
Configuring a common internal server
Enabling aging out NAT entries upon master link failure
Displaying and maintaining NAT
Overview
Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to another IP address. NAT enables a large number of private users to access the Internet by using a small number of public IP addresses. NAT effectively alleviates the depletion of IP addresses.
A private IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
· In Class A, 10.0.0.0 to 10.255.255.255.
· In Class B, 172.16.0.0 to 172.31.255.255.
· In Class C, 192.168.0.0 to 192.168.255.255.
Addresses in these three ranges are never assigned to hosts on the public Internet, so you can use them in an enterprise network without requesting them from an ISP or a registry.
In addition to translating private addresses to public addresses, NAT can also perform address translation between any two networks. In this document, the two networks refer to an internal network and an external network. Generally a private network is an internal network, and a public network is an external network.
Figure 1 shows the NAT operation.
1. The internal host with IP address 192.168.1.3 sends an IP packet to the external server with IP address 1.1.1.2 through the NAT device.
2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined to the external network. The NAT device then translates the private address 192.168.1.3 to the globally unique public address 20.1.1.1 and forwards the packet to the server on the external network. Meanwhile, the NAT device adds the mapping of the two addresses into its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is 20.1.1.1. Upon receiving the packet, the NAT device checks the IP header, looks into its NAT table for the mapping, replaces the destination address with the private address of 192.168.1.3, and then sends the new packet to the internal host.
The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT hides the private network from the external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
· Because NAT rewrites IP addresses, the IP header must stay in cleartext between the host and the NAT device (IPsec AH, which authenticates the IP header, cannot pass through NAT). The same applies to application-layer payloads that carry IP addresses or port numbers: an FTP control connection, for example, cannot be encrypted end to end, or the NAT device cannot rewrite the address in its PORT command and active-mode transfers fail.
· Attribution and debugging become harder. When a host in the private network attacks an external network, the victim sees only the translated public address, so the attacking host can be identified only from the NAT device's own translation records (see "Configuring NAT logging").
NAT control
Typically, an enterprise allows some hosts in the internal network to access external networks and prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP address is among addresses denied, the NAT device does not translate the address. In addition, the NAT device only translates private addresses to specified public addresses.
You can achieve NAT control through an access control list (ACL) and an address pool.
· Only packets permitted by the ACL are translated. NAT control is not a packet filter: a packet the ACL does not permit is forwarded with its original source address, not dropped, so if such traffic must be blocked, apply a packet filter on the interface as well.
· An address pool is a collection of consecutive public IP addresses for address translation. You can specify an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.
NAT operation
Basic NAT
As shown in Figure 1, when an internal host accesses an external network, the NAT device uses a public IP address to replace the private source IP address. In Figure 1, NAT uses the IP address of the outgoing interface as the public IP address. All internal hosts use the same public IP address to access external networks and only one host can access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, the NAT device chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks simultaneously.
The number of public IP addresses that a NAT device needs is usually far less than the number of internal hosts because not all internal hosts access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.
NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.
Figure 2 NAPT operation
As shown in Figure 2, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 1 and 3 are from different internal addresses but have the same source port number. NAPT maps the three IP packets to the same external address but with different source port numbers. Therefore, the packets can still be differentiated. When receiving the response packets, the NAT device forwards them to the corresponding hosts according to the destination addresses and port numbers.
NAPT improves utilization of IP address resources, enabling more internal hosts to access the external network at the same time.
NAPT supports the following NAT mapping behavior modes:
· Endpoint-Independent Mapping—The NAT device uses entries, each of which comprises the source IP address, source port number, and protocol type, to translate addresses and filter packets. The same NAPT mapping applies to packets sent from one internal IP address and port to any external IP address and port, and any external host that learns the translated address and port can send packets through it to the internal host. This mode eases communication between hosts behind different NAT devices (it is what UDP hole punching relies on), but it exposes the mapped port to unsolicited inbound traffic for as long as the entry lives.
· Address and Port-Dependent Mapping—The NAT device uses entries, each comprising the source IP address, source port number, protocol type, destination IP address, and destination port number, to translate addresses and filter packets. Packets with the same source address and port but different destination addresses or ports get different NAPT mappings, so the source is mapped to the same external IP address but different port numbers, and only the external host and port that the internal host contacted can send packets back through a given mapping. This mode is more restrictive and therefore safer, but it breaks communication between hosts behind different NAT devices.
Internal server
NAT hides the internal network structure, including the identities of internal hosts. However, some internal hosts such as an internal Web server or FTP server may need to be accessed by external hosts. NAT satisfies this need by supporting internal servers.
You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like 20.1.1.12:8080 as an internal Web server's external address and port number.
In Figure 3, when the NAT device receives a packet destined for the public IP address of an internal server, it looks in the NAT entries and translates the destination address and port number in the packet to the private IP address and port number of the internal server. When the NAT device receives a response packet from the internal server, it translates the source private IP address and port number of the packet into the public IP address and port number of the internal server.
Figure 3 Internal server operation
Easy IP
Easy IP uses the public IP address of an interface on the device as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.
Support for special protocols
Apart from basic address translation, NAT provides an application layer gateway (ALG) mechanism for protocols whose messages carry IP addresses or port numbers in the payload. The ALG rewrites those embedded addresses and port numbers so that the protocol keeps working across NAT, and new protocols can be supported by adding an ALG rather than modifying the NAT platform itself.
The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling Protocol (PPTP), Internet Control Message Protocol (ICMP), Domain Name System (DNS), Internet Locator Service (ILS), Real Time Streaming Protocol (RTSP), Netmeeting 3.01, and NetBIOS over TCP/IP (NBT).
NAT configuration task list
Task |
Remarks |
|
Either is required. |
||
Required. |
||
Optional. |
||
Optional. |
||
Optional. |
||
Optional. |
If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and reboot the device (or use the reset nat session command to manually clear the relevant NAT entries), to avoid the following problems:
· After you delete the NAT-related configuration, address translation can still work for sessions already created.
· If you configure NAT when NAT is running, the same configuration may have different results because of different configuration orders.
Configuring address translation
A NAT device can be configured with or dynamically generate mappings to translate between internal and external network addresses. Address translation can be classified into static and dynamic NAT.
· Static NAT—Mappings between external and internal network addresses are manually configured. Static NAT can meet fixed access requirements of a few users.
· Dynamic NAT—A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or the address of an interface in the case of Easy IP). This association defines what packets can use the addresses in the address pool (or the interface's address) to access the external network. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released. Dynamic NAT can meet external access requirements of a large number of users.
Configuring static NAT
You need to configure static NAT in system view, and make it effective in interface view.
Static NAT translates a private IP address into a public IP address. The device supports one-to-one static NAT in the current release.
To configure one-to-one static NAT:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Configure a one-to-one static NAT mapping. | nat static [ acl-number ] local-ip global-ip |
3. Enter interface view. | interface interface-type interface-number |
4. Enable static NAT on the interface. | nat outbound static |
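The procedure above carried through for the host in Figure 1, as an added example that is not part of the guide. It maps internal host 192.168.1.3 one to one to 20.1.1.3, a spare address in the public block chosen here so it does not collide with the interface's own address 20.1.1.1; the interface name GigabitEthernet1/0/1 and the address 20.1.1.3 are assumptions. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide): one-to-one static NAT for the host in Figure 1.
# Assumed: public-facing interface GigabitEthernet1/0/1 (20.1.1.1); 20.1.1.3 is a
# spare public address. Lines starting with # are annotations, not commands.
system-view
# The mapping is created in system view: local (private) address first, then global.
nat static 192.168.1.3 20.1.1.3
# The mapping does nothing until static NAT is enabled on the outbound interface.
interface GigabitEthernet1/0/1
nat outbound static
quit
quit
# Sessions created under an earlier mapping keep their old translation until
# cleared (see the note under "NAT configuration task list"), so clear them
# after changing a mapping. reset nat session runs in user view.
reset nat session
# Verify the mapping, then watch a live session from the host.
display nat static
display nat session source inside 192.168.1.3
```

One-to-one static NAT generally makes the internal host reachable from outside on every port at its global address; the guide does not state otherwise, so treat 192.168.1.3 as exposed and filter inbound traffic on the interface.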
Configuring dynamic NAT
Dynamic NAT is usually implemented by associating an ACL with an address pool (or the address of an interface) on an interface.
· To select the address of an interface as the translated address, use Easy IP.
· To select an address from an address pool as the translated address, use No-PAT or NAPT for dynamic address translation. No-PAT is used in many-to-many address translation but does not translate TCP/UDP port numbers. NAPT allows for many-to-one address translation by translating also TCP/UDP port numbers.
When a first packet of a flow from an internal host to the external network arrives at the device, NAT determines whether to translate the packet based on the ACL. If yes, NAT chooses an address from the associated address pool or gets the associated interface address, performs address translation, and then saves the address mapping in the address translation table. All subsequent packets from the internal host are serviced by NAT directly according to the mapping entry.
Configuration prerequisites
· Configure an ACL to specify IP addresses permitted to be translated. For more information about ACL, see ACL and QoS Configuration Guide.
· Decide whether to use an interface's IP address as the translated source address.
· Determine a public IP address pool for address translation.
· Decide whether to translate port information.
Configuring NAT address pools
The NAT device selects an IP address from a specified NAT address pool as the source address of a packet. The device supports address pools each consisting of consecutive addresses.
To configure an address pool:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure an address pool. | nat address-group group-number start-address end-address | Address pools must not overlap. |
Configuring Easy IP
Easy IP allows the device to use the IP address of one of its interfaces as the source address of NATed packets.
To configure Easy IP:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter interface view. | interface interface-type interface-number |
3. Enable Easy IP by associating an ACL with the IP address of the interface. | nat outbound [ acl-number ] |
Configuring No-PAT
With a specific ACL associated with an address pool or interface address, No-PAT translates the source address of a packet permitted by the ACL into an IP address of the address pool or the interface address, without using the port information.
To configure No-PAT:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter interface view. | interface interface-type interface-number |
3. Configure No-PAT. | nat outbound [ acl-number ] [ address-group group-number ] |
Configuring NAPT
With a specific ACL associated with an address pool or interface address, NAPT translates the source address of a packet permitted by the ACL into an IP address of the address pool or the interface address, and also translates the source port number so that many internal hosts can share one public address.
To configure NAPT:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter interface view. | interface interface-type interface-number |
3. Configure NAPT by associating an ACL with an IP address pool on the outbound interface for translating both IP address and port number. | nat outbound [ acl-number ] [ address-group group-number ] |
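The dynamic NAT procedures above (NAT control with an ACL and an address pool, then Easy IP or NAPT on the outbound interface) carried through as one added example; it is not configuration from the guide. The public interface GigabitEthernet1/0/1 with address 20.1.1.1, ACL 2001, address group 1 and the pool 20.1.1.10 to 20.1.1.15 are assumptions, and the ACL syntax is the form used in the ACL and QoS Configuration Guide referenced above. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide): dynamic NAT with NAT control.
# Assumed: public interface GigabitEthernet1/0/1 (20.1.1.1), ACL 2001,
# address group 1. Lines starting with # are annotations, not commands.
system-view
# NAT control: only 192.168.1.0/24 may be translated. The final deny makes
# the intent explicit; a packet the ACL does not permit is forwarded
# untranslated, not dropped, so this is not a substitute for a packet filter.
acl number 2001
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 deny
quit
# Public pool: consecutive addresses that overlap neither another pool nor
# the interface address 20.1.1.1.
nat address-group 1 20.1.1.10 20.1.1.15
interface GigabitEthernet1/0/1
# Weak form to avoid: "nat outbound" with no ACL translates every internal source.
# Easy IP: permitted sources are translated to the interface address 20.1.1.1.
nat outbound 2001
# NAPT from the pool instead of the interface address (use in place of the
# line above, not in addition to it):
# nat outbound 2001 address-group 1
quit
quit
# Clear entries built under any earlier binding, then verify.
reset nat session
display nat bound
display nat address-group 1
display nat session source inside 192.168.1.3
```

The guide shows No-PAT and NAPT with the same command form, so no mode keyword appears here; check display nat bound after configuration to confirm which mode the device applied to the binding. Size the pool from the number of hosts expected to be active at peak, and remember that with NAPT a single pool address already serves many hosts.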
Configuring an internal server
To configure an internal server, you need to map an external IP address and port number to the internal server. This is done through executing the nat server command on an interface.
Internal server configurations include external network information (external IP address global-address and external port number global-port), internal network information (internal IP address local-address and internal port number local-port), and internal server protocol type.
Configuring a common internal server
After mapping the internal IP address/port number (local-address and local-port) of a common internal server to an external IP address/port number (global-address and global-port), hosts in external networks can access the server located in the internal network.
The device supports using the interface address as the external address of an internal server, which is the Easy IP feature. If you want to specify an interface, the interface must be a loopback interface and must already exist.
If you configure an internal server using Easy IP but do not configure an IP address for the interface, the internal server configuration does not take effect.
To configure a common internal server (1):
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure a common internal server. | nat server protocol pro-type global global-address [ global-port ] inside local-address [ local-port ] | Use either command. |
 | nat server protocol pro-type global global-address global-port1 global-port2 inside local-address1 local-address2 local-port | |
To configure a common internal server (2):
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure a common internal server. | nat server protocol pro-type global { global-address \| current-interface \| interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] | Use either command. |
 | nat server protocol pro-type global { global-address \| current-interface \| interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port | |
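The internal server procedure carried through for the Web server address 20.1.1.12:8080 used in the overview, as an added example that is not configuration from the guide. It uses the command form of table (2). The public interface GigabitEthernet1/0/1 (20.1.1.1), the internal Web server 192.168.1.10:80, the FTP server 192.168.1.11:21, the three hosts 192.168.1.20 to 192.168.1.22 and the protocol keyword tcp are assumptions. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide): publishing internal servers.
# Assumed: public interface GigabitEthernet1/0/1 (20.1.1.1); internal Web
# server 192.168.1.10:80, FTP server 192.168.1.11:21, Web hosts
# 192.168.1.20-192.168.1.22. Lines starting with # are annotations, not commands.
system-view
interface GigabitEthernet1/0/1
# Single mapping: external 20.1.1.12:8080 -> internal 192.168.1.10:80.
nat server protocol tcp global 20.1.1.12 8080 inside 192.168.1.10 80
# Easy IP form: the interface's own address is the external address.
# Only the FTP control port is published; the FTP ALG (enabled by default)
# rewrites the addresses and ports carried in FTP messages.
nat server protocol tcp global current-interface 21 inside 192.168.1.11 21
# Port-range form: external ports 8081-8083 map to internal hosts
# 192.168.1.20-192.168.1.22 respectively, all on local port 80.
nat server protocol tcp global 20.1.1.12 8081 8083 inside 192.168.1.20 192.168.1.22 80
quit
quit
# Verify the mappings and watch an inbound session reach the Web server.
display nat server
display nat session source inside 192.168.1.10
```

Each nat server line is a permanent inbound opening with no ACL of its own, and NAT logging does not record access from external users to internal servers (see "Configuring NAT logging"), so restrict the permitted sources with a packet filter on the interface and log the access on the server itself.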
Configuring NAT aging time
NAT aging time configuration supports multiple protocols.
To set the NAT aging time:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the NAT aging time for a specified protocol. | nat aging-time { dns \| ftp-ctrl \| ftp-data \| icmp \| no-pat \| pptp \| tcp \| tcp-fin \| tcp-syn \| udp } seconds | Optional. The defaults are listed below. |
The default NAT aging time varies by protocol:
· 10 seconds for DNS.
· 300 seconds for FTP control links.
· 300 seconds for FTP data links.
· 10 seconds for ICMP.
· 240 seconds in No-PAT mode.
· 300 seconds for PPTP.
· 300 seconds for TCP.
· 10 seconds for TCP FIN and RST connections.
· 10 seconds for TCP SYN connections.
· 240 seconds for UDP.
Configuring NAT ALG
NAT ALG configuration supports multiple protocols.
To configure NAT ALG:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NAT ALG. | nat alg { all \| dns \| ftp \| ils \| nbt \| pptp } | Optional. Enabled by default. |
Configuring NAT logging
With NAT logging enabled, a NAT device logs IP address translation information such as the source IP address, source port number, destination IP address, destination port number, translated source IP address, translated source port number and user operations.
Because many internal users share one external IP address, or one range of external addresses, when they reach external networks through a NAT device, an external observer cannot tell them apart. NAT logging records which internal address and port was behind each translation, which is what makes an internal user's external activity attributable afterwards.
NAT logging records only access from internal users to external networks. It does not record access from external users to internal servers, so inbound access to published servers must be logged by other means, for example on the server itself.
Enabling NAT logging
To enable NAT logging:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NAT logging. | nat log enable [ acl acl-number ] | Disabled by default. |
3. Enable logging of NAT session establishment events, or enable logging for active NAT sessions and set the logging interval. | | Use either command. By default, no log is generated when a NAT session is established, and logging for active NAT sessions is disabled. |
Exporting NAT logs
NAT logs can be exported to either the information center or the log server:
· To the information center—NAT logs are converted into system logs and exported to the local device's information center. Depending on the configuration of the information center, NAT logs are then exported to their final destination. Up to 10 NAT logs can be exported to the information center at one time.
· To the log server—NAT logs are encapsulated into UDP packets and sent to the log server, as shown in Figure 4. The output NAT logs can be in several versions, each with a different UDP packet format. Only version 1 is used. A UDP packet is composed of a header and one or more NAT logs.
If you configure both destinations, the information center takes precedence: the system exports NAT logs to the information center and not to the log server.
Figure 4 Exporting NAT logs to the NAT log server
Exporting NAT logs to the information center
Exporting NAT logs to the information center consumes storage space of the device. Use this approach when the volume of NAT logs is relatively small.
NAT logs to the information center are prioritized as informational, meaning that they are ordinary message information. For more information about NAT log priority, see Network Management and Monitoring Configuration Guide.
To configure the device to export NAT logs to the information center:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Export NAT logs to the information center. | userlog nat syslog | NAT logs are exported to the NAT log server by default. |
Exporting NAT logs to the log server
For the device to export NAT logs to the log server in UDP packets, you can configure three parameters:
· IP address and UDP port number of the NAT log server. No NAT logs are exported until you specify the log server address and port with this parameter.
· Source IP address of NAT logs. This address allows the log server to identify the log source. Use the loopback interface address as the source IP address of NAT logs.
· Version number of NAT logs. NAT logs may come in several versions, each with a different packet format. The device supports only version 1.
To configure the device to export NAT logs to a NAT log server:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the IP address and UDP port number of the NAT log server. | userlog nat export host { ipv4-address \| ipv6 ipv6-address } udp-port | The IP address of the NAT log server must be a valid IPv4 or IPv6 unicast address. Use a port number greater than 1024 to avoid conflicting with the system-defined port numbers. The export is plain UDP, neither acknowledged nor authenticated, so keep the log server on a management network the device reaches directly and do not rely on the logs being complete across congestion. |
3. Specify the source IP address for the UDP packets that carry NAT logs. | userlog nat export source-ip ip-address | Optional. By default, the source IP address is the IP address of the interface through which the UDP packets are sent. |
4. Specify the version number of the NAT log packets. | userlog nat export version version-number | Optional. Version 1 by default. |
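The NAT logging and log-server export procedures above carried through as one added example; it is not configuration from the guide. The log server 10.10.10.5 listening on UDP port 9000, the loopback interface LoopBack0 with address 10.255.255.1 used as the log source, and ACL 2001 (permitting 192.168.1.0/24) are assumptions. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide): NAT logging exported to a log server.
# Assumed: log server 10.10.10.5 on UDP 9000; LoopBack0 with 10.255.255.1 as
# the log source address; ACL 2001 permits 192.168.1.0/24.
# Lines starting with # are annotations, not commands.
system-view
# A loopback address stays up across link failures, which is why the guide
# recommends it as the log source: the server sees one stable sender address.
interface LoopBack0
ip address 10.255.255.1 32
quit
# Logging is disabled by default; limit it to the sources selected by ACL 2001.
nat log enable acl 2001
# Export target: a UDP port above 1024. Version 1 is the only format the
# device supports, so the version line only documents the intent.
userlog nat export host 10.10.10.5 9000
userlog nat export source-ip 10.255.255.1
userlog nat export version 1
# Do not also run "userlog nat syslog" here: with both destinations configured
# the information center takes precedence and the server receives nothing.
quit
# Verify the export settings and counters, then the locally buffered logs.
display userlog export
display nat log
```

The optional step 3 settings for session-establishment and active-session logging are not enabled here, as their command names are not captured on this page. Treat the exported records as the only link between an external complaint (public address, port, time) and an internal host, and keep the device clock synchronized so the timestamps can be correlated with the server's own logs.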
Enabling aging out NAT entries upon master link failure
In a link backup environment where NAT is enabled on the master and backup interfaces of a gateway device, if the master link fails, the backup link switches to the master state. If this feature is enabled on the gateway, all existing NAT entries on the failed link are aged out immediately, so that new NAT entries can be created for subsequent packets on the new master link, and thus existing NAT streams can be directed to the new link immediately.
To enable aging out NAT entries upon master link failure:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable aging out NAT entries upon master link failure. | nat link-down reset-session enable | Disabled by default. |
Displaying and maintaining NAT
IMPORTANT: Clearing the NAT log buffer implies loss of all NAT logs. In general, H3C recommends you not to use this command.
Task | Command | Remarks |
---|---|---|
Display information about NAT address pools. | display nat address-group [ group-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the NAT aging time settings for various protocols. | display nat aging-time [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display all NAT configuration information. | display nat all [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the address translation bindings configured on interfaces. | display nat bound [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the internal server information. | display nat server [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display internal server group information. | display nat server-group [ group-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display static NAT information. | display nat static [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display dynamic NAT entries. | display nat session [ source { global global-address \| inside inside-address } ] [ destination dst-address ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display NAT statistics. | display nat statistics [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display NAT log information. | display nat log [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the configurations and statistics of output logs. | display userlog export [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Clear the records in the NAT log buffer. | reset userlog nat logbuffer | Available in user view. |
Clear the statistics of NAT logs. | reset userlog nat export | Available in user view. |
Clear the address translation table and release the corresponding storage space. | reset nat session | Available in user view. |
Troubleshooting NAT
Symptom 1
Abnormal translation of IP addresses.
Solution
1. Enable debugging for NAT. Try to locate the problem based on the debugging display.
2. Use other commands, such as display nat session, if necessary, to further identify the problem. Pay special attention to the source address after translation and make sure it is the address you intended. If it is not, check the address pool and its binding: a wrong or overlapping range, or the wrong address group associated with the interface, produces exactly this symptom.
3. Also make sure the external network has a return route to the address pool segment. Pool addresses are not the interface address, so upstream routers must know how to reach them, or replies never come back to the NAT device.
Symptom 2
The internal server functions abnormally.
Solution
1. Verify that the internal server host is properly configured.
2. Verify the router is correctly configured with respect to the internal server parameters, such as the internal server IP address.