Contents
NAT entries and relation entries
Device access with overlapping addresses
Configuring outbound bidirectional NAT for internal-to-external access through domain name
Restrictions and guidelines: NAT configuration
Interface-based NAT tasks at a glance
Restrictions and guidelines for static NAT configuration
Prerequisites for static NAT configuration
Configuring outbound one-to-one static NAT
Configuring outbound net-to-net static NAT
Restrictions and guidelines for dynamic NAT configuration
Prerequisites for dynamic NAT configuration
Configuring outbound dynamic NAT
Configuring NAT server mappings
Configuring common NAT server mappings on an interface
Configuring load sharing NAT server mappings on an interface
Setting the maximum number of VPN users sharing one single public IP address
Configuring NAT logging and SNMP notifications
Configuring NAT session logging
Configuring SNMP notifications for NAT
Display and maintenance commands for NAT
Example: Configuring outbound one-to-one static NAT
Example: Configuring outbound dynamic NAT (non-overlapping addresses)
Example: Configuring NAT Server for external-to-internal access
Example: Configuring NAT Server for external-to-internal access through domain name
Example: Configuring NAT hairpin in C/S mode
Example: Configuring load sharing NAT Server
Example: Configuring NAT DNS mapping
Example: Configuring NAT log export to the information center
Example: Configuring NAT log export to the log server
NAT overview
Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server.
Basic NAT concepts
The following describes basic NAT concepts:
· NAT device—A device configured with NAT. Typically, NAT is configured on the edge device that connects the internal and external networks.
· NAT interface—An interface configured with NAT.
· NAT rule—A rule that NAT follows to translate addresses.
· NAT address—A public IP address used for address translation, and this address is reachable from the external network. The NAT address can be manually assigned or dynamically obtained.
· NAT entry—Stores the mapping between a private IP address and a public IP address. For more information, see "NAT entries."
· Easy IP—Uses the IP address of an interface as the NAT address. The IP address of the interface can be manually assigned or be obtained through DHCP or PPPoE.
Basic NAT operating mechanism
Figure 1 shows the basic NAT operating mechanism.
2. Upon receiving a response from the server, NAT translates the destination public address to the private address, and forwards the packet to the host.
The NAT operation is transparent to the terminals (the host and the server). NAT hides the private network from the external users and shows that the IP address of the internal host is 20.1.1.1.
NAT applications
Traditional NAT
Traditional NAT is configured on the interface that connects to the public network. It translates the source IP addresses of outgoing packets and destination IP addresses of incoming packets.
Twice NAT
Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface. The receiving and sending interfaces are both NAT interfaces.
Twice NAT allows VPNs with overlapping addresses to access each other.
Bidirectional NAT
NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface.
Bidirectional NAT supports active access to external network resources from internal users when the internal and external IP addresses overlap.
NAT hairpin
NAT hairpin allows internal hosts to access each other through NAT. The source and destination IP address of the packets are translated on the interface connected to the internal network.
NAT hairpin includes P2P and C/S modes:
· P2P—Allows internal hosts to access each other through NAT. The internal hosts first register their public addresses to an external server. Then, the hosts communicate with each other by using the registered IP addresses.
· C/S—Allows internal hosts to access internal servers through NAT addresses. The destination IP address of the packet going to the internal server is translated by matching the NAT Server configuration. The source IP address is translated by matching the outbound dynamic or static NAT entries.
NAT DNS mapping
The DNS server is typically on the public network. For the users on the public network to access an internal server, you can configure the NAT Server feature on the NAT interface that connects to the public network. The NAT Server maps the public IP address and port number to the private IP address and port number of the internal server. Then the public users can access the internal server through the server's domain name or public IP address.
When a user is in the private network, the user cannot access the internal server by using the domain name of the server. This is because the DNS response contains the public IP address of the server. In this case, you can configure NAT DNS mapping to solve the problem.
As shown in Figure 2, NAT DNS mapping works as follows:
1. The host sends a DNS request containing the domain name of the internal Web server.
2. Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response. A NAT DNS mapping maps the domain name to the public IP address, public port number, and the protocol type for the internal server.
3. If a match is found, the NAT continues to compare the public address, public port number, and the protocol type with the NAT Server configuration. The NAT Server configuration maps the public IP address and port number to the private IP address and port number for the internal server.
4. If a match is found, NAT translates the public IP address in the response into the private IP address of the Web server.
5. The internal host receives the DNS response, and obtains the private IP address of the Web server.
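The lookup sequence in steps 2 to 4 can be modelled as two table lookups chained together. The following Python model is an added example, not code from the original page or from the vendor; the `DNS_MAP` and `NAT_SERVER` tables, the `DnsResponse` type and the `translate_dns_response` function are constructed for illustration, and the rule that an answer is rewritten only when it carries the mapped public IP is an assumption made here.

```python
from dataclasses import dataclass

# Constructed mapping tables for this example (not from the original page).
# NAT DNS mapping: domain name -> (public IP, public port, protocol)
DNS_MAP = {
    "www.example.com": ("202.110.10.20", 80, "tcp"),
}
# NAT Server configuration: (public IP, public port, protocol) -> (private IP, private port)
NAT_SERVER = {
    ("202.110.10.20", 80, "tcp"): ("10.110.1.1", 8080),
}


@dataclass(frozen=True)
class DnsResponse:
    domain: str      # queried domain name
    answer_ip: str   # IP address carried in the DNS answer


def translate_dns_response(resp, dns_map=DNS_MAP, nat_server=NAT_SERVER):
    """Apply steps 2-4 of the NAT DNS mapping flow to a DNS response arriving
    from the external DNS server; return the response the internal host receives."""
    # Step 2: look up the domain name in the NAT DNS mapping table.
    mapping = dns_map.get(resp.domain)
    if mapping is None:
        return resp                      # no DNS mapping: response forwarded unchanged
    public_ip, _public_port, _proto = mapping
    # Assumption made here: only an answer that carries the mapped public IP is rewritten.
    if resp.answer_ip != public_ip:
        return resp
    # Step 3: compare public address/port/protocol with the NAT Server configuration.
    server = nat_server.get(mapping)
    if server is None:
        return resp                      # DNS mapping without a NAT Server entry: unchanged
    private_ip, _private_port = server
    # Step 4: replace the public IP in the response with the internal server's private IP.
    return DnsResponse(resp.domain, private_ip)


if __name__ == "__main__":
    print(translate_dns_response(DnsResponse("www.example.com", "202.110.10.20")))
```

A DNS mapping without a matching NAT Server entry leaves the response untouched, which is the check to make when an internal host still receives the public address after the mapping is configured.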
NAT control
You can use ACLs to implement NAT control. The match criteria in the ACLs include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, user group, and VPN instance. Only packets permitted by an ACL are processed by NAT.
NAT translation methods
Static NAT
Static NAT creates a fixed mapping between a private address and a public address. It supports connections initiated from internal users to external network and from external users to the internal network. Static NAT applies to regular communications.
Dynamic NAT
Dynamic NAT uses an address pool to translate addresses. It applies to the scenario where a large number of internal users access the external network.
NO-PAT
Not Port Address Translation (NO-PAT) translates a private IP address to a public IP address. The public IP address cannot be used by another internal host until it is released.
NO-PAT supports all IP packets.
PAT
Port Address Translation (PAT) translates multiple private IP addresses to a single public IP address by mapping the private IP address and source port to the public IP address and a unique port. PAT supports TCP and UDP packets, and ICMP packets.
Figure 3 PAT operation
As shown in Figure 3, PAT translates the source IP addresses of the three packets to the same public IP address and translates their port numbers to different port numbers. Upon receiving a response, PAT translates the destination address and port number of the response, and forwards it to the target host.
PAT supports the following mappings:
· Endpoint-Independent Mapping (EIM)—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destinations. EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts. It allows internal hosts behind different NAT gateways to access each other.
· Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.
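The difference between the two mapping behaviours is easiest to see in a small model of a PAT gateway. The following Python code is an added example written for this page, not device code; the `PatTranslator` class, the `Packet` type and the `compare` helper are constructed for illustration, and the addresses are documentation ranges. In EIM mode the same public port is reused for any destination and an unsolicited inbound packet to that port is accepted; in Connection-Dependent Mapping mode each connection gets its own mapping and only the reply on an existing session is translated.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class PatTranslator:
    """Toy PAT gateway with a single public IP (constructed model, not device code)."""

    def __init__(self, public_ip, mapping="cdm"):
        assert mapping in ("eim", "cdm")
        self.public_ip = public_ip
        self.mapping = mapping
        self._next_port = count(1024)   # public port allocator
        self.eim = {}        # EIM entry (3-tuple): (proto, priv_ip, priv_port) -> public port
        self.conns = {}      # outbound 5-tuple -> public port
        self.sessions = {}   # (proto, public port, remote ip, remote port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private network; return the translated packet."""
        conn = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if conn in self.conns:                          # later packet of a known connection
            pub_port = self.conns[conn]
        else:
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            if self.mapping == "eim" and key in self.eim:
                pub_port = self.eim[key]                # EIM: reuse the mapping for any destination
            else:
                pub_port = next(self._next_port)        # CDM: a fresh mapping per connection
                if self.mapping == "eim":
                    self.eim[key] = pub_port
            self.conns[conn] = pub_port
            self.sessions[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate a packet arriving from outside; return None if the gateway drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        sess = self.sessions.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if sess is not None:                            # reply on an existing session
            return Packet(pkt.src_ip, pkt.src_port, sess[0], sess[1], pkt.proto)
        if self.mapping == "eim":                       # EIM: any external host may use the mapping
            for (proto, priv_ip, priv_port), pub_port in self.eim.items():
                if proto == pkt.proto and pub_port == pkt.dst_port:
                    return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, proto)
        return None                                     # CDM: no matching connection, dropped


def compare(mapping):
    """Return (same public port for two destinations?, unsolicited inbound accepted?)."""
    nat = PatTranslator("20.1.1.1", mapping)
    t1 = nat.outbound(Packet("192.168.1.10", 5000, "203.0.113.1", 53))
    t2 = nat.outbound(Packet("192.168.1.10", 5000, "203.0.113.2", 53))
    probe = Packet("198.51.100.9", 4444, "20.1.1.1", t1.src_port)   # host never contacted
    return t1.src_port == t2.src_port, nat.inbound(probe) is not None


if __name__ == "__main__":
    print("EIM:", compare("eim"))   # (True, True)
    print("CDM:", compare("cdm"))   # (False, False)
```

The second value returned by `compare` is the property the text calls secure: under Connection-Dependent Mapping an external host reaches an internal host only on a session that host opened first.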
NAT Server
The NAT Server feature maps a public address and port number to the private IP address and port number of an internal server. This feature allows servers in the private network to provide services for external users.
Figure 4 shows how NAT Server works:
1. Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.
2. Upon receiving a response from the server, NAT translates the private source IP address and port number to the public IP address and port number.
NAT entries and relation entries
NAT session entry
NAT creates a NAT session entry for a session and creates an address mapping for the first packet in the session.
A NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry.
· If the direction of the subsequent packets is the same as the direction of the first translated packet, NAT performs the source and destination address translation the same as the first packet.
· If the direction of the subsequent packets is opposite to the direction of the first translated packet, NAT performs reverse address translation. For example, if the source address of the first packet is translated, then the destination address of the subsequent packets is translated.
The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.
EIM entry
If EIM is configured on the NAT device, the PAT mode will create an EIM entry. The EIM entry is a 3-tuple entry, and it maps a private address/port to a public address/port. The EIM entry ensures:
· Subsequent new connections originating from the same source IP and port use the same translation as the initial connection.
· New connections initiated from external hosts to the NAT address and port number are translated based on the EIM entry.
NO-PAT entry
A NO-PAT entry maps a private address to a public address. The same mapping applies to subsequent connections originating from the same source IP.
A NO-PAT entry can also be created during the ALG process for NAT.
A NO-PAT entry ages out after all related NAT session entries age out.
Relation entry
NAT ALG translates the IP addresses or port numbers contained in the payload of application-layer packets. On receiving the first packet, the NAT device enabled with ALG creates a relation entry to record the address information carried in the packet. Subsequent packets of the session are translated by using this entry. The address and port information after NAT is used to establish a dynamic channel, and subsequent connections that match the address information will transmit data through the dynamic channel. For more information about relation entries, see session management in Security Configuration Guide.
VRF-aware NAT
VRF-aware NAT allows users from different VRFs (VPN instances) to access external networks and to access each other.
1. Upon receiving a request from a user in a VRF to an external network, NAT performs the following tasks:
◦ Translates the private source IP address and port number to a public IP address and port number.
◦ Records the VRF information, such as the VRF name.
2. When a response packet arrives, NAT performs the following tasks:
◦ Translates the destination public IP address and port number to the private IP address and port number.
◦ Forwards the packet to the target VRF.
The NAT Server feature supports VRF-aware NAT for external users to access the servers in a VPN instance. For example, to enable a host at 10.110.1.1 in VPN 1 to provide Web services for Internet users, configure NAT Server to use 202.110.10.20 as the public IP address of the Web server.
Device access with overlapping addresses
Configuring twice NAT
As shown in Figure 5, two hosts are in different VPN instances with overlapping addresses. For the hosts to access each other, both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.
1. Configure a static outbound NAT mapping between 192.168.1.1 in VPN 1 and 172.16.1.1 in VPN 2.
2. Configure a static outbound NAT mapping between 192.168.1.1 in VPN 2 and 172.16.2.1 in VPN 1.
3. When the twice NAT takes effect, the hosts can access each other.
Figure 5 VPN access with overlapping address
Configuring outbound bidirectional NAT for internal-to-external access through domain name
As shown in Figure 6, the IP address of the Web server overlaps with the private host at 192.168.1.0/24. Configure dynamic NAT ALG and outbound dynamic NAT to allow the internal host to access the external Web server by using the server's domain name.
1. The host sends a DNS request to the DNS server in the external network.
2. After receiving a DNS reply, the NAT device with NAT ALG configured translates the Web server's IP address in the DNS reply payload to a dynamically assigned public address 10.1.1.1.
3. Configure inbound dynamic NAT ALG to make sure the internal host reaches the Web server instead of another internal host. NAT ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address 10.1.1.1.
4. After receiving the DNS reply from the NAT device, the host sends a packet with the source IP address 192.168.1.1 and destination IP address 10.1.1.1.
5. The NAT device with outbound dynamic NAT configured translates the source IP address of the packet to a dynamically assigned public address 20.1.1.1. NAT ALG translates the destination IP address of the packet to the IP address of the Web server.
Figure 6 Internal-to-external access through domain name
Configuring NAT
Restrictions and guidelines: NAT configuration
· If you configure all the translation methods, the NAT rules are matched in the following descending order of priority:
a. NAT Server.
b. Static NAT.
c. Dynamic NAT.
· After NAT is configured, editing the ACL rule in a QoS policy affects only subsequent traffic and does not affect the NATed traffic.
· When you use a QoS policy to redirect traffic to a NAT instance, the device works as follows:
◦ If the traffic matches both the portal-free rule and the QoS policy applied to an interface, the device performs the forwarding action according to the portal-free rule and does not match the traffic with the QoS policy.
◦ If the QoS policy applied to an interface and the policy-based routing configured on the interface match the same traffic (for example, they use the same ACL rule), the policy-based routing configuration takes effect. The device does not match the traffic with the QoS policy.
· After you switch the traffic redirecting action to redirecting traffic to a specified card, or from redirecting to a specified card to another redirecting action, clear the fast forwarding table for the card by using the reset ip fast-forwarding cache slot command.
Interface-based NAT tasks at a glance
To configure NAT on an interface, perform the following tasks:
1. Configuring a translation method and port allocation on an interface
◦ Configuring outbound dynamic NAT for interface-based NAT
◦ Configuring common NAT server mappings on an interface
◦ Configuring load sharing NAT server mappings on an interface
2. (Optional.) Setting the maximum number of VPN users sharing one single public IP address
3. (Optional.) Configuring NAT hairpin
4. (Optional.) Configuring NAT DNS mapping
5. (Optional.) Configuring NAT logging and SNMP notifications
Configuring static NAT
Restrictions and guidelines for static NAT configuration
Typically, configure inbound static NAT with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT.
Prerequisites for static NAT configuration
Before configuring static NAT, you must perform the following tasks:
· Configure an ACL to identify the IP addresses to be translated. For more information about ACLs, see ACL and QoS Configuration Guide.
· Manually add a route for inbound static NAT. Use local-ip or local-network as the destination address, and use global-ip, an address in global-network, or the next hop directly connected to the output interface as the next hop.
Configuring outbound one-to-one static NAT
About this task
For address translation from a private IP address to a public IP address, configure outbound one-to-one static NAT on the interface connected to the external network.
· When the source IP address of a packet from the private network matches the local-ip, the source IP address is translated into the global-ip.
· When the destination IP address of a packet from the public network matches the global-ip, the destination IP address is translated into the local-ip.
Configuring outbound one-to-one static NAT on an interface
1. Enter system view.
system-view
2. Configure a one-to-one mapping for outbound static NAT.
nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]
3. Enter interface view.
interface interface-type interface-number
4. Enable static NAT on the interface.
nat static enable
By default, static NAT is disabled.
Configuring outbound net-to-net static NAT
About this task
For address translation from a private network to a public network, configure outbound net-to-net static NAT on the interface connected to the external network.
· When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range.
· When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.
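The two translation rules above (one-to-one, and net-to-net in both directions) are modelled by the following Python code, which is an added example written for this page, not vendor code. The `StaticNat` class and `build_example` helper are constructed for illustration, and the net-to-net rule that the host bits under the global network mask are preserved (192.168.2.7 becomes 172.16.2.7) is an assumption made here, as is the use of `reversible` behaviour for the inbound direction.

```python
import ipaddress


class StaticNat:
    """Constructed model of outbound one-to-one and net-to-net static NAT."""

    def __init__(self):
        self.one_to_one = {}      # local-ip -> global-ip
        self.net_to_net = []      # (local-start, local-end, global-network)

    def add_one_to_one(self, local_ip, global_ip):
        self.one_to_one[local_ip] = global_ip

    def add_net_to_net(self, local_start, local_end, global_network):
        self.net_to_net.append((ipaddress.ip_address(local_start),
                                ipaddress.ip_address(local_end),
                                ipaddress.ip_network(global_network)))

    def outbound_source(self, src_ip):
        """Translate the source address of a packet from the private network."""
        if src_ip in self.one_to_one:
            return self.one_to_one[src_ip]
        addr = ipaddress.ip_address(src_ip)
        for lo, hi, gnet in self.net_to_net:
            if lo <= addr <= hi:
                # Assumption: host bits under the global mask are preserved.
                host = int(addr) & int(gnet.hostmask)
                return str(gnet.network_address + host)
        return src_ip                     # no rule matched: address left untouched

    def inbound_destination(self, dst_ip):
        """Reverse translation for a packet arriving from the public network."""
        for local_ip, global_ip in self.one_to_one.items():
            if global_ip == dst_ip:
                return local_ip
        addr = ipaddress.ip_address(dst_ip)
        for lo, hi, gnet in self.net_to_net:
            if addr in gnet:
                host = int(addr) & int(gnet.hostmask)
                candidate = ipaddress.ip_address((int(lo) & int(gnet.netmask)) | host)
                if lo <= candidate <= hi:         # only addresses inside the private range
                    return str(candidate)
        return dst_ip


def build_example():
    """Constructed rule set: one host mapping and one /24 net-to-net mapping."""
    nat = StaticNat()
    nat.add_one_to_one("192.168.1.10", "20.1.1.10")
    nat.add_net_to_net("192.168.2.1", "192.168.2.254", "172.16.2.0/24")
    return nat


if __name__ == "__main__":
    nat = build_example()
    print(nat.outbound_source("192.168.2.7"), nat.inbound_destination("172.16.2.7"))
```

The range check in `inbound_destination` matters: a public address whose host part falls outside the configured private range (172.16.2.0 here) is not translated, so the reverse mapping never points at an address the rule does not own.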
Configuring outbound net-to-net static NAT on an interface
1. Enter system view.
system-view
2. Configure a net-to-net mapping for outbound static NAT.
nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]
3. Enter interface view.
interface interface-type interface-number
4. Enable static NAT on the interface.
nat static enable
By default, static NAT is disabled.
Configuring dynamic NAT
Restrictions and guidelines for dynamic NAT configuration
You can configure multiple inbound or outbound dynamic NAT rules.
· A NAT rule with an ACL takes precedence over a rule without any ACL.
· If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.
· In the NAT and BRAS unification scenario, the device goes through NAT rules on all the interfaces in ascending order of interface index after a user passes authentication. When a packet matches an ACL permit rule on an interface with smaller interface index, the matching process stops. To avoid incorrect traffic matching and translation, configure ACL rules in the NAT rules appropriately.
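The rule-ordering statements on this page (NAT Server before static NAT before dynamic NAT under "Restrictions and guidelines: NAT configuration", and, among dynamic NAT rules, ACL-based rules before rules without an ACL with the higher ACL number winning) combine into one sort key. The following Python model is an added example written for this page, not vendor code; the `NatRule` type, the `priority` and `select_rule` functions and the `RULES` set are constructed, and each rule's `matches` predicate stands in for real ACL or mapping matching.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str                               # "server", "static" or "dynamic"
    acl_number: Optional[int]               # None when the rule has no ACL
    matches: Callable[[Packet], bool]       # stands in for ACL / mapping matching


def priority(rule):
    """Sort key; lower sorts first. NAT Server > static NAT > dynamic NAT. Among dynamic
    rules, ACL-based rules rank above rules without an ACL, higher ACL number first."""
    kind_rank = {"server": 0, "static": 1, "dynamic": 2}[rule.kind]
    if rule.kind != "dynamic":
        return (kind_rank, 0, 0)
    if rule.acl_number is None:
        return (kind_rank, 1, 0)
    return (kind_rank, 0, -rule.acl_number)


def select_rule(rules, pkt):
    """Return the first matching rule in priority order, or None."""
    for rule in sorted(rules, key=priority):
        if rule.matches(pkt):
            return rule
    return None


# Constructed rule set for the example (documentation address ranges).
RULES = [
    NatRule("dynamic-easy-ip", "dynamic", None, lambda p: p.src_ip.startswith("192.168.")),
    NatRule("dynamic-acl-2000", "dynamic", 2000, lambda p: p.src_ip.startswith("192.168.1.")),
    NatRule("dynamic-acl-3000", "dynamic", 3000, lambda p: p.src_ip == "192.168.1.5"),
    NatRule("static-host", "static", None, lambda p: p.src_ip == "192.168.1.5"),
    NatRule("server-web", "server", None, lambda p: p.dst_ip == "202.110.10.20"),
]


def chosen(src_ip, dst_ip, rules=RULES):
    """Name of the rule that would translate a packet, or None when nothing matches."""
    rule = select_rule(rules, Packet(src_ip, dst_ip))
    return rule.name if rule else None


if __name__ == "__main__":
    for src in ("192.168.1.5", "192.168.1.9", "192.168.7.1"):
        print(src, "->", chosen(src, "203.0.113.1"))
```

Running `chosen` for a host covered by several rules shows why the ordering matters operationally: a static mapping silently takes the host out of an ACL-based dynamic rule, and two overlapping dynamic ACLs resolve by ACL number rather than by configuration order.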
Prerequisites for dynamic NAT configuration
Before configuring dynamic NAT, you must perform the following tasks:
· Configure an ACL to identify the IP addresses to be translated. For more information about ACLs, see ACL and QoS Configuration Guide.
· Determine whether to enable the Easy IP feature. If you use the IP address of an interface as the NAT address, you are configuring Easy IP.
· Determine a public IP address range for address translation.
· Determine whether to translate port numbers. Use NO-PAT to translate only IP addresses and PAT to translate both IP addresses and port numbers.
Configuring outbound dynamic NAT
About this task
Outbound dynamic NAT translates private IP addresses into public IP addresses.
Restrictions and guidelines
Interface-based outbound dynamic NAT is typically configured on the interface connected to the external network.
Configuring outbound dynamic NAT for interface-based NAT
1. Enter system view.
system-view
2. (Optional.) Specify the Endpoint-Independent Mapping mode for outbound dynamic PAT.
nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *
The default mapping mode is Connection-Dependent Mapping.
This command takes effect only on outbound PAT for a device predefined to create three-tuple session entries.
3. Create a NAT address group and enter its view.
nat address-group group-id
4. Add an address range to the address group.
address start-address end-address
By default, an address group does not have any address ranges.
You can add multiple address ranges to an address group, but the address ranges must not overlap.
5. Return to system view.
quit
6. Enter interface view.
interface interface-type interface-number
7. Configure outbound dynamic NAT on the interface. Choose the options to configure as needed:
◦ Configure NO-PAT.
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]
◦ Configure PAT.
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]
You can configure multiple outbound dynamic NAT rules on an interface.
Parameter | Description |
---|---|
address-group | If you do not specify this keyword, the IP address of the interface is used as the NAT address. Easy IP is implemented. |
no-pat reversible | If you specify these keywords, you enable reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network. The destination address is translated into the private IP address in the matching NO-PAT entry. |
Configuring NAT server mappings
About NAT server mappings
Typically, the NAT Server feature is configured on the interface connected to the external network to allow servers in the private network or VPN instance to provide services for external users. It maps a public IP address and port number to the private IP address and port number of the internal server.
The NAT Server feature can be implemented by the following methods:
· Common NAT server mappings—Maps the private IP address and the port number of the internal server to a public IP address and a port number. This method allows external hosts to access the internal server by using the specified public IP address.
· Load sharing NAT server mappings—You can add multiple internal servers to an internal server group so that these servers provide the same service for external hosts. The NAT device chooses one internal server based on the weight and number of connections of the servers to respond to a request from an external host to the public address of the internal server group.
· ACL-based NAT server mappings—An extension of common NAT server mappings. A common NAT server mapping maps the private IP address of the internal server to a single public IP address. An ACL-based NAT server mapping maps the private IP address of the internal server to a set of public IP addresses defined by an ACL. If the destination address of a packet matches a permit rule in the ACL, the destination address is translated into the private IP address of the internal server.
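For the load sharing method, the text says only that the device chooses a member "based on the weight and number of connections". The following Python model is an added example written for this page, not vendor code, and the selection rule it uses (the member with the lowest connections-to-weight ratio, ties going to the first configured member) is an assumption made here; the `InsideServer` and `ServerGroup` names and the `distribute` helper are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class InsideServer:
    ip: str
    port: int
    weight: int = 1
    connections: int = 0      # active connections currently dispatched to this member


class ServerGroup:
    """Constructed model of a NAT server group (internal server group)."""

    def __init__(self, members):
        self.members = list(members)

    def choose(self):
        """Pick the member for a new request from an external host.
        Assumption: lowest connections/weight ratio wins; min() keeps the first on ties."""
        best = min(self.members, key=lambda m: m.connections / m.weight)
        best.connections += 1
        return best

    def release(self, member):
        """Connection to a member finished; frees its slot for the next choice."""
        member.connections -= 1


def distribute(members, requests):
    """Dispatch `requests` new connections and return how many each member received."""
    group = ServerGroup(members)
    counts = {m.ip: 0 for m in members}
    for _ in range(requests):
        counts[group.choose().ip] += 1
    return counts


if __name__ == "__main__":
    members = [InsideServer("10.110.1.1", 8080, weight=3), InsideServer("10.110.1.2", 8080, weight=1)]
    print(distribute(members, 8))   # {'10.110.1.1': 6, '10.110.1.2': 2}
```

With weights 3 and 1, eight requests land 6:2, and a member whose connections are released becomes eligible again, which is what to expect when checking `display nat server-group` against observed traffic.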
Configuring common NAT server mappings on an interface
Restrictions and guidelines
Typically, interface-based NAT server mappings are configured on the interface connected to the external network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure common NAT server mappings. Choose the options to configure as needed:
◦ A single public address with a single or no public port:
nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ]
◦ A single public address with consecutive public ports:
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
◦ Consecutive public addresses with no public port:
nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
◦ Consecutive public addresses with a single public port:
nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
You can configure multiple NAT server mappings on an interface.
Configuring load sharing NAT server mappings on an interface
Restrictions and guidelines
When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:
· One public address and N consecutive public port numbers are mapped to one internal server group.
· N consecutive public addresses and one public port number are mapped to one internal server group.
Procedure
1. Enter system view.
system-view
2. Create a NAT Server group and enter its view.
nat server-group group-id
By default, no NAT Server groups exist.
3. Add an internal server into the group.
inside ip inside-ip port port-number [ weight weight-value ]
You can add multiple internal servers to a group.
4. Return to system view.
quit
5. Enter interface view.
interface interface-type interface-number
6. Configure load sharing NAT server mapping.
nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
You can configure multiple load sharing NAT server mappings on an interface.
Setting the maximum number of VPN users sharing one single public IP address
About this task
In PAT mode, multiple VPN users can share one single public IP address. If the number of VPN users exceeds the upper limit, the device fails to assign ports to users. New users cannot access the external network, and existing online users cannot initiate new connections. To prevent too many VPN users from using one single public IP address, you can perform this task to evenly distribute users among public IP addresses.
Restrictions and guidelines
The feature takes effect only on new online users and does not affect existing online users.
Procedure
1. Enter system view.
system-view
2. Enter NAT address group view.
nat address-group group-id
3. Set the maximum number of VPN users that can share one single public IP address.
nat per-global-ip user-limit max-number
By default, the number of VPN users that can share one single public IP address is not limited.
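The failure mode described in "About this task" (all ports on a shared public address exhausted, so new users cannot go online) and the even distribution the limit is meant to produce can be modelled in a few lines. The following Python code is an added example written for this page, not vendor code; the `AddressGroup` class and `onboard` helper are constructed, and the placement rule for new users (the least-loaded public IP that is still under the limit) is an assumption made here.

```python
class AddressGroup:
    """Constructed model of a NAT address group with a per-public-IP user limit."""

    def __init__(self, public_ips, user_limit=None):
        self.users = {ip: set() for ip in public_ips}   # public IP -> online user IDs
        self.user_limit = user_limit                    # None: not limited (the default)

    def assign(self, user_id):
        """Return the public IP the user shares, or None when no address has room."""
        for ip, users in self.users.items():           # existing users keep their address
            if user_id in users:
                return ip
        # Assumption: new users go to the least-loaded address that is under the limit.
        candidates = [ip for ip, users in self.users.items()
                      if self.user_limit is None or len(users) < self.user_limit]
        if not candidates:
            return None      # every public IP is at the limit: port assignment fails
        ip = min(candidates, key=lambda ip: len(self.users[ip]))
        self.users[ip].add(user_id)
        return ip

    def logoff(self, user_id):
        """User goes offline; the slot on its public IP becomes free again."""
        for users in self.users.values():
            users.discard(user_id)


def onboard(public_ips, user_limit, user_ids):
    """Bring users online in order and return the public IP each one received."""
    group = AddressGroup(public_ips, user_limit)
    return [group.assign(u) for u in user_ids]


if __name__ == "__main__":
    print(onboard(["20.1.1.1", "20.1.1.2"], 2, ["u1", "u2", "u3", "u4", "u5"]))
```

The `None` for the fifth user is the condition to alert on; it is also the condition the port allocation failure notification in "Configuring SNMP notifications for NAT" reports on a real device.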
Configuring NAT hairpin
Restrictions and guidelines
NAT hairpin works in conjunction with NAT Server, outbound dynamic NAT, or outbound static NAT. To provide service correctly, you must configure NAT hairpin on the same interface module as its collaborative NAT feature.
To configure the P2P mode, you must configure outbound PAT on the interface connected to the external network and enable the EIM mapping mode.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable NAT hairpin.
nat hairpin enable
By default, NAT hairpin is disabled.
Configuring NAT DNS mapping
Restrictions and guidelines
NAT DNS mapping works in conjunction with NAT Server. NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server.
Procedure
1. Enter system view.
system-view
2. Configure a NAT DNS mapping.
nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port
You can configure multiple NAT DNS mappings.
Configuring NAT logging and SNMP notifications
Configuring NAT session logging
About this task
NAT session logging records NAT session information, including translation information and access information.
A NAT device generates NAT session logs for the following events:
· NAT session establishment.
· NAT session removal. This event occurs when you add a configuration with a higher priority, remove a configuration, change ACLs, when a NAT session ages out, or when you manually delete a NAT session.
· Active NAT session logging. Active NAT flows refer to NAT sessions that exist within a period of time. When the specified interval for logging active NAT flows expires, the device records the existing NAT session information and generates a log.
Procedure
1. Enter system view.
system-view
2. Enable NAT logging.
nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]
By default, NAT logging is disabled.
3. Enable NAT session logging.
◦ For NAT session establishment events:
nat log flow-begin
◦ For NAT session removal events:
nat log flow-end
◦ For active NAT flows:
nat log flow-active time-value
By default, NAT session logging is disabled.
Configuring SNMP notifications for NAT
About this task
The device generates an SNMP notification in the following scenarios:
· If SNMP notifications are enabled for the address group resource usage:
◦ The device reports a threshold violation event when the address group resource usage reaches or exceeds the threshold.
◦ The device reports a threshold recovery event when the address group resource usage drops below 87.5% of the threshold from a threshold crossing value.
To set the threshold for address group resource usage, execute the nat address-group-usage threshold command.
· If SNMP notifications are enabled for port allocation failures in a NAT address group:
◦ The device generates a notification when the public port resources are used up.
◦ The device reports a recovery event when the port usage in the address group drops below 87.5%.
For the notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
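The notification logic above is a hysteresis: a violation fires once when usage reaches the threshold, and the recovery fires only after usage drops below 87.5% of that threshold, so usage hovering around the threshold does not flap. The following Python model is an added example written for this page, not vendor code; the `UsageMonitor` class and the `event_kinds` helper are constructed, and treating port allocation failure as the same monitor with a 100% threshold (recovery below 87.5%) is a reading of the text made here.

```python
class UsageMonitor:
    """Constructed model of the threshold / recovery notification logic for one
    NAT address group resource (address group usage or port usage)."""

    RECOVERY_FACTOR = 0.875   # recovery event once usage drops below 87.5% of the threshold

    def __init__(self, name, threshold_pct):
        self.name = name
        self.threshold = threshold_pct
        self.violated = False          # True after a violation until recovery is reported

    def observe(self, usage_pct):
        """Feed one usage sample (percent); return the notification kind it triggers, or None."""
        if not self.violated and usage_pct >= self.threshold:
            self.violated = True
            return "threshold-violation"
        if self.violated and usage_pct < self.RECOVERY_FACTOR * self.threshold:
            self.violated = False
            return "threshold-recovery"
        return None                    # no state change: nothing is sent


def event_kinds(name, threshold_pct, samples):
    """Run a sample series through a fresh monitor and return the notifications emitted."""
    monitor = UsageMonitor(name, threshold_pct)
    return [kind for kind in (monitor.observe(s) for s in samples) if kind]


if __name__ == "__main__":
    # Constructed usage samples: threshold 80% with usage oscillating around it.
    print(event_kinds("address-group-usage", 80, [50, 80, 85, 75, 69, 90]))
    # Port allocation failure: fires when ports are used up, recovers below 87.5%.
    print(event_kinds("port-alloc-fail", 100, [99, 100, 95, 88, 87]))
```

With a threshold of 80% the samples 85 and 75 produce nothing, because recovery requires a drop below 70%; a monitoring rule that alerts on every sample above the threshold would page three times where the device sends one notification.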
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for NAT.
snmp-agent trap enable nat [ address-group-alloc-fail | address-group-usage | port-alloc-fail | port-usage ]
By default, SNMP notifications are enabled for NAT.
Display and maintenance commands for NAT
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display all NAT configuration information. | display nat all |
Display NAT address group information. | display nat address-group [ group-id ] [ resource-usage [ verbose ] ] |
Display NAT DNS mapping configuration. | display nat dns-map |
Display information about NAT EIM entries. | display nat eim [ slot slot-number ] [ protocol { icmp \| tcp \| udp } ] [ local-ip { b4 ipv6-address \| local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] |
Display NAT EIM entry statistics. | display nat eim statistics [ slot slot-number ] |
Display NAT logging configuration. | display nat log |
Display information about NAT NO-PAT entries. | display nat no-pat [ slot slot-number ] |
Display outbound dynamic NAT configuration. | display nat outbound |
Display NAT server mappings. | display nat server |
Display internal server group configuration. | display nat server-group [ group-id ] |
Display NAT sessions. | display nat session [ { source-ip source-ip \| destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp \| icmp \| raw-ip \| sctp \| tcp \| udp \| udp-lite } ] [ slot slot-number ] [ brief \| verbose ] |
Display static NAT mappings. | display nat static |
Display NAT statistics. | display nat statistics [ summary ] [ slot slot-number ] |
Display online user information. | display nat user-table [ local { ipv4 ipv4-address \| ipv6 ipv6-address } \| user-id user-id \| user-name user-name \| nat-instance instance-name ] [ slot slot-number ] [ verbose ] |
Delete NAT EIM entries. | reset nat eim [ protocol { icmp \| tcp \| udp } ] [ local-ip { b4 ipv6-address \| local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ slot slot-number ] |
Clear NAT sessions. | reset nat session [ protocol { tcp \| udp } ] [ slot slot-number ] |
NAT configuration examples
Example: Configuring outbound one-to-one static NAT
Network configuration
Configure static NAT to allow the host at 10.110.10.8/24 to access the Internet.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the local card.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect local
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] qos apply policy 1 inbound
[Router-Ten-GigabitEthernet3/0/1] quit
[Router] quit
# Configure a one-to-one static NAT mapping between the private address 10.110.10.8 and the public address 202.38.1.100.
<Router> system-view
[Router] nat static outbound 10.110.10.8 202.38.1.100
# Enable static NAT on Ten-GigabitEthernet 3/0/2.
[Router] interface ten-gigabitethernet 3/0/2
[Router-Ten-GigabitEthernet3/0/2] nat static enable
[Router-Ten-GigabitEthernet3/0/2] quit
Verifying the configuration
# Verify that the host at 10.110.10.8/24 can access the server on the Internet. (Details not shown.)
# Display static NAT configuration.
[Router] display nat static
Static NAT mappings:
Totally 1 outbound static NAT mappings.
IP-to-IP:
Local IP : 10.110.10.8
Global IP : 202.38.1.100
Config status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: Ten-GigabitEthernet3/0/2
Config status: Active
# Display NAT session information.
[Router] display nat session verbose
Initiator:
Source IP/port: 10.110.10.8/42496
Destination IP/port: 202.38.1.111/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/0/1
Responder:
Source IP/port: 202.38.1.111/42496
Destination IP/port: 202.38.1.100/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/0/2
State: ICMP_REPLY
Application: INVALID
Role: -
Failover group ID: -
Start time: 2012-08-16 09:30:49 TTL: 27s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
Total sessions found: 1
Example: Configuring outbound dynamic NAT (non-overlapping addresses)
Network configuration
As shown in Figure 8, a company uses the private network 192.168.0.0/16 and has two public IP addresses, 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on subnet 192.168.1.0/24 to access the Internet.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 192.168.1.0. In this example, the packets redirected to the card that provides NAT services require address translation. As a result, the ACL rule defined in ACL 2001 is the same as that defined in ACL 2000. You can define different ACL rules as required.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the local card.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect local
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] qos apply policy 1 inbound
[Router-Ten-GigabitEthernet3/0/1] quit
[Router] quit
# Configure address group 0, and add an address range from 202.38.1.2 to 202.38.1.3 to the group.
<Router> system-view
[Router] nat address-group 0
[Router-address-group-0] address 202.38.1.2 202.38.1.3
[Router-address-group-0] quit
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Enable outbound dynamic PAT on Ten-GigabitEthernet 3/0/2. The source IP addresses of the packets permitted by the ACL rule are translated into the addresses in address group 0.
[Router] interface ten-gigabitethernet 3/0/2
[Router-Ten-GigabitEthernet3/0/2] nat outbound 2000 address-group 0
[Router-Ten-GigabitEthernet3/0/2] quit
Verifying the configuration
# Verify that Host A can access the WWW server, while Host B cannot. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group name/ID: 0/0
Address information:
Start address End address
202.38.1.2 202.38.1.3
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/2
ACL: 2000 Address group: 0 Port-preserved: N
NO-PAT: N Reversible: N
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-dependent
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when Host A accesses the WWW server.
[Router] display nat session verbose
Initiator:
Source IP/port: 192.168.1.10/52992
Destination IP/port: 200.1.1.10/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/0/1
Responder:
Source IP/port: 200.1.1.10/4
Destination IP/port: 202.38.1.3/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/0/2
State: ICMP_REPLY
Application: INVALID
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 12s
Initiator->Responder: 1 packets 84 bytes
Responder->Initiator: 1 packets 84 bytes
Total sessions found: 1
Example: Configuring NAT Server for external-to-internal access
Network configuration
As shown in Figure 9, two Web servers, one FTP server and one SMTP server are in the internal network to provide services for external users. The internal network address is 10.110.0.0/16. The company has three public IP addresses from 202.38.1.1/24 to 202.38.1.3/24.
Configure the NAT Server feature to allow external users to use public address 202.38.1.1/24 to access the internal servers.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the local card.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect local
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] qos apply policy 1 inbound
[Router-Ten-GigabitEthernet3/0/1] quit
[Router] quit
# Enter interface view of Ten-GigabitEthernet 3/0/2.
<Router> system-view
[Router] interface ten-gigabitethernet 3/0/2
# Configure a NAT server mapping to allow external users to access the FTP server by using the address 202.38.1.1 and port 21.
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp
# Configure a NAT server mapping to allow external users to access the Web server 1 by using the address 202.38.1.1 and port 80.
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http
# Configure a NAT server mapping to allow external users to access the Web server 2 by using the address 202.38.1.1 and port 8080.
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 http
# Configure a NAT server mapping to allow external users to access the SMTP server by using the address 202.38.1.1 and port number defined by SMTP.
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.1 smtp inside 10.110.10.4 smtp
[Router-Ten-GigabitEthernet3/0/2] quit
Verifying the configuration
# Verify that the host on the external network can access the internal servers by using the public addresses. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT internal server information:
Totally 4 internal servers.
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/21
Local IP/port : 10.110.10.3/21
Config status : Active
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/25
Local IP/port : 10.110.10.4/25
Config status : Active
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/80
Local IP/port : 10.110.10.1/80
Config status : Active
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/8080
Local IP/port : 10.110.10.2/80
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-dependent
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when the external host accesses the FTP server.
[Router] display nat session verbose
Initiator:
Source IP/port: 202.38.1.10/1694
Destination IP/port: 202.38.1.1/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/2
Responder:
Source IP/port: 10.110.10.3/21
Destination IP/port: 202.38.1.10/1694
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/1
State: TCP_ESTABLISHED
Application: FTP
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
Example: Configuring NAT Server for external-to-internal access through domain name
Network configuration
As shown in Figure 10, Web server at 10.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 is used to resolve the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.
Configure NAT Server to allow external users to access the internal Web server by using the domain name.
Analysis
To meet the network configuration requirements, you must perform the following tasks:
· Configure NAT Server to map the private IP address and port of the DNS server to a public address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.
· Enable ALG for DNS and configure outbound dynamic NAT to translate the private IP address of the Web server in the payload of the DNS response packet into a public IP address.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the local card.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect local
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] qos apply policy 1 inbound
[Router-Ten-GigabitEthernet3/0/1] quit
[Router] quit
# Enable NAT ALG for DNS.
<Router> system-view
[Router] nat alg dns
# Configure ACL 2000 to identify packets from 10.110.10.2.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0
[Router-acl-ipv4-basic-2000] quit
# Create address group 1.
[Router] nat address-group 1
# Add address 202.38.1.3 to the group.
[Router-address-group-1] address 202.38.1.3 202.38.1.3
[Router-address-group-1] quit
# Configure NAT Server on Ten-GigabitEthernet 3/0/2 to map the public address 202.38.1.2 to the DNS server at 10.110.10.3, so that external users can reach the internal DNS server.
[Router] interface ten-gigabitethernet 3/0/2
[Router-Ten-GigabitEthernet3/0/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns
# Enable outbound NO-PAT on Ten-GigabitEthernet 3/0/2. Use the address in address group 1 to translate the private address in DNS response payload, and allow reversible NAT.
[Router-Ten-GigabitEthernet3/0/2] nat outbound 2000 address-group 1 no-pat reversible
[Router-Ten-GigabitEthernet3/0/2] quit
Verifying the configuration
# Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group name/ID: 1/1
Address information:
Start address End address
202.38.1.3 202.38.1.3
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/2
ACL: 2000 Address group: 1 Port-preserved: N
NO-PAT: Y Reversible: Y
Config status: Active
NAT internal server information:
Totally 1 internal servers.
Interface: Ten-GigabitEthernet3/0/2
Protocol: 17(UDP)
Global IP/port: 202.38.1.2/53
Local IP/port : 10.110.10.3/53
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-dependent
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when the external host accesses the Web server.
[Router] display nat session verbose
Initiator:
Source IP/port: 200.1.1.2/1694
Destination IP/port: 202.38.1.3/8080
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/2
Responder:
Source IP/port: 10.110.10.2/8080
Destination IP/port: 202.1.1.2/1694
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/1
State: TCP_ESTABLISHED
Application: HTTP
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
Example: Configuring NAT hairpin in C/S mode
Network configuration
As shown in Figure 11, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2.
Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.
Requirements analysis
To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.
To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:
· Enable NAT hairpin on the interface connected to the internal network.
· Configure outbound NAT on the interface where the NAT server mapping is configured. The destination address is translated by matching the NAT server mapping. The source address is translated by matching the outbound NAT.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure a QoS policy on the router to redirect traffic that needs NAT to the card. (Details not shown.)
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.
<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure a NAT server mapping on Ten-GigabitEthernet 3/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.
[Router] interface ten-gigabitethernet 3/0/2
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp
# Enable outbound NAT with Easy IP on Ten-GigabitEthernet 3/0/2 so that NAT translates the source addresses of the packets from internal hosts into the IP address of Ten-GigabitEthernet 3/0/2.
[Router-Ten-GigabitEthernet3/0/2] nat outbound 2000
# Enable NAT hairpin on Ten-GigabitEthernet 3/0/1.
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] nat hairpin enable
[Router-Ten-GigabitEthernet3/0/1] quit
Verifying the configuration
# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/2
ACL: 2000 Address group: --- Port-preserved: N
NO-PAT: N Reversible: N
Config status: Active
NAT internal server information:
Totally 1 internal servers.
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/21
Local IP/port : 192.168.1.4/21
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT hairpinning:
Totally 1 interfaces enabled with NAT hairpinning.
Interface: Ten-GigabitEthernet3/0/1
Config status: Active
NAT mapping behavior:
Mapping mode : Connection-dependent
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when Host A accesses the FTP server.
[Router] display nat session verbose
Initiator:
Source IP/port: 192.168.1.2/1694
Destination IP/port: 202.38.1.2/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/1
Responder:
Source IP/port: 192.168.1.4/21
Destination IP/port: 202.38.1.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/1
State: TCP_ESTABLISHED
Application: FTP
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Example: Configuring load sharing NAT Server
Network configuration
As shown in Figure 12, three FTP servers are in the intranet to provide FTP services for external users. Configure NAT so that these external users use the address 202.38.1.1/16 to access the servers and the three FTP servers implement load sharing.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the local card.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect local
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] qos apply policy 1 inbound
[Router-Ten-GigabitEthernet3/0/1] quit
[Router] quit
# Create NAT Server group 0, and add members to the group.
<Router> system-view
[Router] nat server-group 0
[Router-nat-server-group-0] inside ip 10.110.10.1 port 21
[Router-nat-server-group-0] inside ip 10.110.10.2 port 21
[Router-nat-server-group-0] inside ip 10.110.10.3 port 21
[Router-nat-server-group-0] quit
# Associate NAT Server group 0 with Ten-GigabitEthernet 3/0/2 so that servers in the server group can provide FTP services.
[Router] interface ten-gigabitethernet 3/0/2
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.1 ftp inside server-group 0
[Router-Ten-GigabitEthernet3/0/2] quit
Verifying the configuration
# Verify that external hosts can access the internal FTP server group. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT server group information:
Totally 1 NAT server groups.
Group Number Inside IP Port Weight
0 10.110.10.1 21 100
10.110.10.2 21 100
10.110.10.3 21 100
NAT internal server information:
Totally 1 internal servers.
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/21
Local IP/port : server group 0
10.110.10.1/21 (Connections: 1)
10.110.10.2/21 (Connections: 2)
10.110.10.3/21 (Connections: 2)
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-dependent
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when external hosts access an internal FTP server.
[Router] display nat session verbose
Initiator:
Source IP/port: 202.38.1.25/53957
Destination IP/port: 202.38.1.1/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/2
Responder:
Source IP/port: 10.110.10.3/21
Destination IP/port: 202.38.1.25/53957
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/1
State: TCP_ESTABLISHED
Application: FTP
Role: -
Failover group ID: -
Start time: 2012-08-16 11:06:07 TTL: 26s
Initiator->Responder: 1 packets 60 bytes
Responder->Initiator: 2 packets 120 bytes
Total sessions found: 1
Example: Configuring NAT DNS mapping
Network configuration
As shown in Figure 13, the internal Web server at 10.110.10.1/16 and FTP server at 10.110.10.2/16 provide services for external users. The company has three public addresses, 202.38.1.1 through 202.38.1.3. The DNS server at 202.38.1.4 is on the external network.
Configure NAT so that:
· The public IP address 202.38.1.2 is used by external users to access the Web and FTP servers.
· External users can use the public address or domain name of internal servers to access them.
· Internal users can access the internal servers by using their domain names.
Requirements analysis
To meet the network requirements, perform the following tasks:
· Configure NAT Server by mapping the private IP addresses and port numbers of the internal servers to a public address and port numbers so that external users can access the internal servers.
· Configure NAT DNS mapping and ALG so that the public IP address of the internal server in the payload of the DNS response packet can be translated to the private IP address.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the local card.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect local
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] qos apply policy 1 inbound
[Router-Ten-GigabitEthernet3/0/1] quit
[Router] quit
# Enable NAT ALG for DNS.
<Router> system-view
[Router] nat alg dns
# Enter interface view of Ten-GigabitEthernet 3/0/2.
[Router] interface ten-gigabitethernet 3/0/2
# Configure NAT Server to allow external hosts to access the internal Web server by using the address 202.38.1.2.
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.1 http
# Configure NAT Server to allow external hosts to access the internal FTP server by using the address 202.38.1.2.
[Router-Ten-GigabitEthernet3/0/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.2 ftp
# Enable outbound NAT with Easy IP on Ten-GigabitEthernet 3/0/2.
[Router-Ten-GigabitEthernet3/0/2] nat outbound
# Configure two NAT DNS mapping entries by mapping the domain name www.server.com of the Web server to 202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.
[Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port http
[Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp
[Router] quit
Verifying the configuration
# Verify that both internal and external hosts can access the internal servers by using domain names. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/2
ACL: --- Address group: --- Port-preserved: N
NO-PAT: N Reversible: N
Config status: Active
NAT internal server information:
Totally 2 internal servers.
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/21
Local IP/port : 10.110.10.2/21
Config status : Active
Interface: Ten-GigabitEthernet3/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/80
Local IP/port : 10.110.10.1/80
Config status : Active
NAT DNS mapping information:
Totally 2 NAT DNS mappings.
Domain name: ftp.server.com
Global IP : 202.38.1.2
Global port: 21
Protocol : TCP(6)
Config status: Active
Domain name: www.server.com
Global IP : 202.38.1.2
Global port: 80
Protocol : TCP(6)
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-dependent
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Example: Configuring NAT log export to the information center
Network configuration
As shown in Figure 14, configure NAT on the device for the internal host to access the Internet. Configure NAT logging on the device and configure the device to export the NAT logs to the information center. The NAT logs in the information center are used for monitoring the internal host.
Prerequisites
Assign IP addresses to interfaces on the device and make sure the device and the host can reach each other.
Procedure
# Specify the information center as the destination for flow log export.
<Device> system-view
[Device] userlog flow syslog
# Enable NAT logging.
[Device] nat log enable
# Enable logging for NAT session establishment events.
[Device] nat log flow-begin
# Enable logging for NAT session removal events.
[Device] nat log flow-end
# Enable logging for active NAT flows and set the logging interval to 10 minutes.
[Device] nat log flow-active 10
[Device] quit
Verifying the configuration
# Display the internal host's access records in the log buffer.
<Device> dir
Directory of cf:/
38 -rw- 141 Aug 07 2015 17:54:43 ifindex.dat
39 drw- - May 20 2015 14:36:20 logfile
249852 KB total (232072 KB free)
File system type of cf: FAT32
<Device> cd logfile
<Device> dir
<Device> more logfile.log
…
%Aug 10 20:06:30:182 2015 Device NAT/6/NAT_FLOW: Protocol(1001)=ICMP;SrcIPAd
dr(1003)=10.110.10.8;SrcPort(1004)=259;NatSrcIPAddr(1005)=202.38.1.100;NatSrcPor
t(1006)=0;DstIPAddr(1007)=202.38.1.2;DstPort(1008)=2048;NatDstIPAddr(1009)=202.3
8.1.2;NatDstPort(1010)=259;InitPktCount(1044)=0;InitByteCount(1046)=0;RplyPktCou
nt(1045)=0;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;Rcv
DSLiteTunnelPeer(1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=08102015200
630; EndTime_e(1014)=08102015200700;Event(1048)=(8)Session created;
…
Table 1 Command output
Field | Description |
---|---|
Protocol(1001)=ICMP | Protocol type. |
SrcIPAddr(1003)=10.110.10.8 | Source IP address before NAT. |
SrcPort(1004)=259 | Source TCP or UDP port before NAT. |
NatSrcIPAddr(1005)=202.38.1.100 | Source IP address after NAT. |
NatSrcPort(1006)=0 | Source TCP or UDP port after NAT. |
DstIPAddr(1007)=202.38.1.2 | Destination IP address before NAT. |
DstPort(1008)=2048 | Destination TCP or UDP port before NAT. |
NatDstIPAddr(1009)=202.38.1.2 | Destination IP address after NAT. |
NatDstPort(1010)=259 | Destination TCP or UDP port after NAT. |
BeginTime_e(1013)=08102015200630 | Start time of the flow, in the MMDDYYYYHHMMSS format. |
EndTime_e(1014)=08102015200700 | End time of the flow, in the MMDDYYYYHHMMSS format. |
Example: Configuring NAT log export to the log server
Network configuration
As shown in Figure 15, configure the device to export the NAT logs to the log server. The NAT logs in the log server are used for monitoring the internal user.
Prerequisites
Assign IP addresses to interfaces on the device. Make sure the routes between the device and the user and between the device and the log server are reachable.
Procedure
# Enable NAT logging.
<Device> system-view
[Device] nat log enable
# Enable logging for NAT session establishment events.
[Device] nat log flow-begin
# Enable logging for NAT session removal events.
[Device] nat log flow-end
# Enable logging for active NAT flows and set the logging interval to 10 minutes.
[Device] nat log flow-active 10
# Set the flow log version to 3.0.
[Device] userlog flow export version 3
# Export flow log entries to port 2000 on the log host at 1.2.3.6.
[Device] userlog flow export host 1.2.3.6 port 2000
# Specify 2.2.2.2 as the source IP address for flow log packets.
[Device] userlog flow export source-ip 2.2.2.2
[Device] quit
Verifying the configuration
# Display the flow log configuration and statistics.
<Device> display userlog export
Flow:
Export flow log as UDP Packet.
Version: 3.0
Source ipv4 address: 2.2.2.2
Source ipv6 address:
Log load balance function: Disabled
Local time stamp: Disabled
Number of log hosts: 1
Log host 1:
Host/Port: 1.2.3.6/2000
Total logs/UDP packets exported: 112/87