Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server.

Restrictions and guidelines

The global NAT policy has priority over interface-based NAT. If both are configured, a packet is translated based on the global NAT policy when the packet matches an ACL rule in the global NAT policy. The interface-based source and destination address translation rules do not take effect. As a best practice, do not configure the global NAT and interface-based NAT policies both.

A NATed packet will not be AFTed.

When you use NAT, the NAT module advertises the host routes of the public IP addresses. If the public IP addresses are a range of addresses, the NAT module divides the public IP address range into several network segments. The mask lengths for the network segments are 8, 16, 24, 26, 28, and 30. For example, for public IP address range 122.90.12.128 to 122.90.12.135, the destination addresses and mask lengths of the host routes advertised by the NAT module are 122.90.12.128/30 and 122.90.12.132/30.

Basic NAT concepts

The following describes basic NAT concepts:

· NAT device—A device configured with NAT. Typically, NAT is configured on the edge device that connects the internal and external networks.

· NAT interface—An interface configured with NAT.

· NAT rule—Rules that define how to perform address translation.

· NAT address—A public IP address used for address translation, and this address is reachable from the external network. The NAT address can be manually assigned or dynamically obtained.

· NAT entry—Stores the mapping between a private IP address and a public IP address. For more information, see "NAT entries."

· Easy IP—Uses the IP address of an interface as the NAT address. The IP address of the interface can be manually assigned or be obtained through DHCP.

· Global NAT—Uses NAT rules configured for the global NAT policy to translate packets.

· Interface-based NAT—Uses NAT rules configured on a per interface basis to translate packets.

Basic NAT operating mechanism

Figure 1 shows the basic NAT operating mechanism.

1. Upon receiving a request from the host to the server, NAT translates the private source address 192.168.1.3 to the public address 20.1.1.1 and forwards the NATed packet. NAT adds a mapping for the two addresses to its NAT table.

2. Upon receiving a response from the server, NAT translates the destination public address to the private address, and forwards the packet to the host.

The NAT operation is transparent to the terminals (the host and the server). NAT hides the private network from the external users and shows that the IP address of the internal host is 20.1.1.1.

Figure 1 Basic NAT operation

‌

NAT control

You can use ACLs to implement NAT control. The match criteria in the ACLs include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. Only packets permitted by an ACL are processed by NAT.

NAT translation methods

Static NAT

Static NAT creates a fixed mapping between a private address and a public address. It supports connections initiated from internal users to external network and from external users to the internal network. Static NAT applies to regular communications.

Source address translation

Source address translation is dynamic NAT translation that uses an address pool to translate addresses. It applies to the scenario where a large number of internal users access the external network.

The NO-PAT, port-based PAT, and port block-based PAT modes are supported.

NO-PAT

Not Port Address Translation (NO-PAT) translates a private IP address to an IP public address. The public IP address cannot be used by another internal host until it is released.

NO-PAT supports all IP packets.

Port-based PAT

Port Address Translation (PAT) translates multiple private IP addresses to a single public IP address by mapping the private IP address and source port to the public IP address and a unique port. PAT supports TCP and UDP packets, and ICMP request packets.

Figure 2 PAT operation

‌

As shown in Figure 2, PAT translates the source IP addresses of the three packets to the same IP public address and translates their port numbers to different port numbers. Upon receiving a response, PAT translates the destination address and port number of the response, and forwards it to the target host.

PAT supports the following mappings:

· Endpoint-Independent Mapping (EIM)—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destinations. EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts. It allows internal hosts behind different NAT gateways to access each other.

· Address and Port-Dependent Mapping (APDM)—Uses different IP and port mappings for packets from the same source IP and port to different destination IP addresses and ports. APDM allows an external host to initiate connections to an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.

Port block-based NAT

Port block-based NAT is a PAT translation based on port ranges. It maps multiple private IP addresses to one public IP address and uses a different port block for each private IP address. For example, the private IP address 10.1.1.1 of an internal host is mapped to the public IP address 202.1.1.1 and port block 10001 to 10256. When the internal host accesses public hosts, the source IP address 10.1.1.1 is translated to 202.1.1.1, and the source ports are translated to ports in the port block 10001 to 10256.

Port block-based NAT includes static and dynamic mappings. It applies to NAT444 and DS-Lite networks.

Static port block mapping

The NAT gateway computes a static port block mapping before address translation. The mapping is between a private IP address and a public IP address with a port block.

When an internal user initiates a connection to the external network, the system performs the following operations:

· Locates a static mapping based on the private IP address of the user and obtains the public IP address and the port block in the mapping.

· Selects a public port number in the port block.

· Translates the private IP address to the public IP address and assigns the selected public port number.

The NAT gateway uses private IP addresses, public IP addresses, a port range, and a port block size to compute static mappings:

1. Divides the port range by the port block size to get the number of available port blocks for each public IP address.

This value is the base number for mapping.

2. Sorts the port blocks in ascending order of the start port number in each block.

3. Sorts the private IP addresses and the public IP addresses separately in ascending order.

4. Maps the first base number of private IP addresses to the first public IP address and its port blocks in ascending order.

For example, the number of available port blocks of each public IP address is m. The first m private IP addresses are mapped to the first public IP address and the m port blocks in ascending order. The next m private IP addresses are mapped to the second IP address and the m port blocks in ascending order. The other static port block mappings are created by analogy.

Dynamic port block mapping

When an internal user initiates a connection to the external network, the dynamic port block-based NAT operates as follows:

1. Uses ACLs to implement translation control. It processes only packets that match an ACL permit rule.

2. Creates a mapping from the internal user's private IP address to a public IP address and a port block.

3. Translates the private IP address to the public IP address, and the source ports to ports in the selected port block for subsequent connections from the private IP address.

4. Withdraws the port block and deletes the dynamic port block mapping when all connections from the private IP address are disconnected.

Dynamic port block mapping supports port block extending. If the ports in the port block for a private address are all occupied, dynamic port block mapping translates the source port to a port in an extended port block.

Destination address translation

Destination address translation maps a public address and port number to the private IP address and port number of an internal server. This feature allows servers in the private network to provide services for external users.

Figure 3 shows how destination address translation works:

1. Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.

2. Upon receiving a response from the server, NAT translates the private source IP address and port number to the public IP address and port number.

Figure 3 Destination address translation operation

‌

NAT entries

NAT session entry

NAT creates a NAT session entry for a session and creates an address mapping for the first packet in the session.

A NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry.

· If the direction of the subsequent packets is the same as the direction of the first translated packet, NAT performs the source and destination address translation the same as the first packet.

· If the direction of the subsequent packets is opposite to the direction of the first translated packet, NAT perform reverse address translation. For example, if the source address of the first packet is translated, then the destination address of the subsequent packets is translated.

The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.

EIM entry

If EIM is configured on the NAT device, the PAT mode will first create a NAT session entry, and then an EIM entry. The EIM entry is a 3-tuple entry, and it maps a private address/port to a public address/port. The EIM entry ensures:

· Subsequent new connections originating from the same source IP and port uses the same translation as the initial connection.

· Translates the address for new connections initiated from external hosts to the NAT address and port number based on the EIM entry.

An EIM entry ages out after all related NAT session entries age out.

NO-PAT entry

A NO-PAT entry maps a private address to a public address. The same mapping applies to subsequent connections originating from the same source IP.

A NO-PAT entry can also be created during the ALG process for NAT. For information about NAT ALG, see "NAT ALG."

A NO-PAT entry ages out after all related NAT session entries age out.

Port block-based entry

A port block-based entry maps a private IP address to a public IP address and a port block.

Port block-based entries include static and dynamic port block mappings. For information about these mappings, see "Static port block mapping" and "Dynamic port block mapping."

VRF-aware NAT

VRF-aware NAT allows users from different VRF (VPN instances) to access external networks and to access each other.

1. Upon receiving a request from a user in a VRF to an external network, NAT performs the following tasks:

¡ Translates the private source IP address and port number to a public IP address and port number.

¡ Records the VRF information, such as the VRF name.

2. When a response packet arrives, NAT performs the following tasks:

¡ Translates the destination public IP address and port number to the private IP address and port number.

¡ Forwards the packet to the target VRF.

The NAT Server feature supports VRF-aware NAT for external users to access the servers in a VPN instance. For example, to enable a host at 10.110.1.1 in VPN 1 to provide Web services for Internet users, configure NAT Server to use 202.110.10.20 as the public IP address of the Web server.

VRF-aware NAT is supported only in the global NAT policy in the current software version.

NAT hairpin

NAT hairpin allows internal hosts to access each other through NAT. The source and destination IP address of the packets are translated on the interface connected to the internal network.

NAT hairpin includes P2P and C/S modes:

· P2P—Allows internal hosts to access each other through NAT. The internal hosts first register their public addresses to an external server. Then, the hosts communicate with each other by using the registered IP addresses.

· C/S—Allows internal hosts to access internal servers through NAT addresses.

NAT ALG

NAT ALG (Application Level Gateway) translates address or port information in the application layer payloads to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information for data connection establishment.

NAT DNS mapping

The DNS server is typically on the public network. For the users on the public network to access an internal server, you can configure the NAT Server feature on the NAT device. The NAT Server maps the public IP address and port number to the private IP address and port number of the internal server. Then the public users can access the internal server through the server's domain name or public IP address.

When a user is in the private network, the user cannot access the internal server by using the domain name of the server. This is because the DNS response contains the public IP address of the server. In this case, you can configure NAT DNS mapping to solve the problem.

Figure 4 NAT DNS mapping

‌

As shown in Figure 4, NAT DNS mapping works as follows:

1. The host sends a DNS request containing the domain name of the internal Web server.

2. Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response. A NAT DNS mapping maps the domain name to the public IP address, public port number, and the protocol type for the internal server.

3. If a match is found, the NAT continues to compare the public address, public port number, and the protocol type with the NAT Server configuration. The NAT Server configuration maps the public IP address and port number to the private IP address and port number for the internal server.

4. If a match is found, NAT translates the public IP address in the response into the private IP address of the Web server.

5. The internal host receives the DNS response, and obtains the private IP address of the Web server.

Support for sending gratuitous ARP packets

The NAT module manages public IPv4 address resources as follows:

1. Issues public IPv4 addresses to the address management module.

2. Sends gratuitous ARP packets to advertise the mappings between the MAC addresses of local physical interfaces and those issued public IPv4 addresses. This makes sure other devices in the same LAN can update ARP entries and MAC address entries in time, which avoids service anomalies caused by updating ARP entries or MAC address entries too late.

Meanwhile, the NAT module also responds to the gratuitous ARP packets received from other devices in the same LAN.

For more information about gratuitous ARP, see ARP configuration in Layer 3—IP Services Configuration Guide.

NAT support for hot backup in collaboration with virtual IP addresses

You configure NAT on a hot backup system in collaboration with virtual IP addresses (also known as floating addresses). After NAT, both the hot backup active and standby devices advertise the mappings between the IP addresses after translation and MAC addresses of their own physical interfaces to all nodes in the same LAN. As a result, the upstream Layer 3 device directly connected to the hot backup system might incorrectly send downlink packets to the hot backup standby device, causing service anomalies.

To avoid such an issue, configure only the hot backup active device to advertise the mappings between the IP addresses after translation and virtual MAC address corresponding to the virtual IP address.

Upon receiving an ARP reply from the hot backup active device, the upstream Layer 3 device updates the IP-MAC mapping. Then, it encapsulates downlink packets in which the destination IP address is a translated IP address with the virtual MAC address. The device sends the packets to the hot backup active device to ensure normal services.

NAT444

About NAT444

NAT444 provides carrier-grade NAT by unifying the NAT444 gateway, AAA server, and log server. NAT444 introduces a second layer of NAT on the carrier side, with few changes on the customer side and the application server side. With port block assignment, NAT444 supports user tracking. It has become a preferred solution for carriers in transition to IPv6.

Centralized NAT444 deployment

Centralized NAT444 deployment is implemented by installing a NAT processing slot on the CR device or by connecting a NAT444 device to the CR.

As shown in Figure 5, when an internal user accesses the external network, NAT444 is implemented as follows:

1. The CPE device performs the first NAT.

2. After the user passes AAA authentication on the BRAS device, this user is assigned a private IP address.

3. When the packet destined to the external network, the NAT444 gateway performs the second NAT.

Figure 5 Centralized NAT444 deployment

‌

Device access with overlapping addresses

Configuring twice NAT

As shown in Figure 6, two hosts are in different VPN instances with overlapping addresses. For the hosts to access each other, both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.

1. Configure a static outbound NAT mapping between 192.168.1.1 in VPN 1 and 172.16.1.1 in VPN 2.

2. Configure a static outbound NAT mapping between 192.168.1.1 in VPN 2 and 172.16.2.1 in VPN 1.

3. When the twice NAT takes effect, the hosts can access each other.

Figure 6 VPN access with overlapping address

Configuring outbound bidirectional NAT for internal-to-external access through domain name

As shown in Figure 7, the IP address of the Web server overlaps with the private host at 192.168.1.0/24. Configure dynamic NAT ALG and outbound dynamic NAT to allow the internal host to access the external Web server by using the server's domain name.

1. The host sends a DNS request to the DNS server in the external network.

2. After receiving a DNS reply, the NAT device with NAT ALG configured translates the Web server's IP address in the DNS reply payload to a dynamically assigned public address 10.1.1.1.

3. Configure inbound dynamic NAT ALG to make sure the internal host reaches the Web server instead of another internal host. NAT ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address 10.1.1.1.

4. After receiving the DNS reply from the NAT device, the host sends a packet with the source IP address 192.168.1.1 and destination IP address 10.1.1.1.

5. The NAT device with outbound dynamic NAT configured translates the source IP address of the packet to a dynamically assigned public address 20.1.1.1. NAT ALG translates the destination IP address of the packet to the IP address of the Web server.

Figure 7 Internal-to-external access through domain name

NAT in the DS-Lite network

DS-Lite combines tunneling and NAT to allow an IPv4 private network to access the IPv4 public network over an IPv6 network. For more information about DS-Lite, see tunneling configuration in VPN Configuration Guide.

DS-Lite B4 address translation is configured on the AFTR and performs port block-based translation based on the IPv6 address of the B4 element. The B4 element refers to a B4 router or a DS-Lite host. DS-Lite B4 address translation dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

DS-Lite B4 address translation supports user tracing for DS-Lite hosts based on the port block.

Only dynamic port block mapping is supported for B4 address translation.

Figure 8 DS-Lite B4 address translation

‌

Configuring global NAT

About the global NAT policy

The global NAT policy is applicable to the scenario where the external interface is not fixed. Compared with interface-based NAT policies, you do not need to change relevant configurations if the external interface changes, which reduces maintenance costs.

The global NAT policy contains NAT rules. A NAT rule contains the following elements:

· Packet match criteria—The packet match criteria can match packets by source IP address, destination IP address, service type, source security zone, or destination security zone. You can configure different packet match criteria for different NAT rules. The device translates the IP addresses of the matching packets. A matching packet refers to a packet that matches all match criteria in a NAT rule.

· Action—Action to take on matching packets, which can be source address translation (SNAT) or destination address translation (DNAT). SNAT can hide the IP addresses of internal hosts to external devices. DNAT is commonly used for internal servers to access external users. A combination of SNAT and DNAT translates the source and destination IP addresses of packets.

NAT rules include the following types:

· SNAT rule—Used for source address translation.

· DNAT rule—Used for destination address translation.

· SNAT+ DNAT rule—Used for source address translation and destination address translation both.

Global NAT tasks at a glance

1. Configuring the global NAT policy

a. Creating the global NAT policy

b. Configuring NAT-type rules

c. Configuring NAT64-type rules

d. Configuring NAT66-type rules

e. Rearranging NAT rules in the policy to adjust their priority

f. Disabling NAT rules

2. (Optional) Configuring NAT address groups

3. (Optional.) Configuring NAT ALG

4. (Optional.) Configuring NAT DNS mapping

5. (Optional.) Enabling the NAT module to send gratuitous ARP packets

6. (Optional.) Configuring high availability for NAT

¡ Enabling NAT port halving

¡ Configuring hot backup for NAT

7. (Optional.) Configuring NAT in specific networks

¡ Enabling NAT reply redirection

¡ Enabling the deletion of timestamps in TCP SYN and SYN ACK packets

¡ Configuring source and destination address translation based on the NAT-type SNAT+DNAT rule in a global NAT policy to be prior to security policy matching

8. (Optional.) Configuring NAT maintenance

¡ Configuring periodic NAT statistics collection

¡ Enabling statistics collection for NAT session creation rate

¡ Specifying a probe method for detecting reachability of NAT address group members

¡ Enabling sending ICMP error messages for NAT failures

¡ Enabling NAT configuration changes to take effect only on traffic of new connections

9. (Optional.) Configuring logging and SNMP notifications for NAT

¡ Configuring NAT session logging

¡ Configuring NAT444 user logging

¡ Configuring NAT alarm logging

¡ Enabling logging for IP usage of a NAT address group in NO-PAT mode

¡ Setting an alarm threshold for the dynamic port block usage

¡ Setting an alarm threshold for the unavailable IP address exclusion rate

¡ Setting an alarm threshold for the IP usage of NAT address groups in NO-PAT mode

Configuring the global NAT policy

About the global NAT policy

The global NAT policy contains a set of NAT rules to identify and translate matching packets. Compared with interface-based NAT policies, you do not need to apply the global NAT policy to any interface.

The global NAT policy contains NAT rules. A NAT rule contains the following elements:

· Action—Action to take on matching packets, which can be source address translation or destination address translation.

NAT rules include the following types:

· NAT type—Used for translation between IPv4 addresses. For more information about NAT, see NAT Configuration Guide.

· NAT64 type—Used for translation between IPv4 addresses and IPv6 addresses. For more information about NAT64, see AFT in NAT Configuration Guide.

· NAT66 type—Used for translation between IPv6 addresses or translation between IPv6 address prefixes. For more information about NAT66, see NAT Configuration Guide.

Restrictions and guidelines for global NAT policy configuration

If no object group or security zone is specified for a NAT rule, this rule matches all packets.

NAT rules in the global NAT policy take effect only when the Config status of the policy is Active. You can use the display nat global-policy command to verify the status of the global policy.

· If the status is Active, a NAT rule appearing earlier on the rule list has a higher priority for packet matching. The matching process stops when a packet matches a NAT rule.

· If the status is Inactive, the NAT rules are not used to match packets.

Up to 10000 NAT rules can be created for the global NAT policy.

When you configure a NAT server mapping, if you change the TCP or UDP port number to an unknown port number, the NAT device does not perform ALG. As a result, users cannot use services provided by the NAT server. To resolve this issue, use one of the following methods:

· Edit the NAT server mapping to use the well-known port number of TCP or UDP.

· Use the port-mapping command to create a general port mapping of the port specified in the NAT server mapping to TCP or UDP. For more information about this command, see APR configuration in Security Configuration Guide.

Creating the global NAT policy

1. Enter system view

system-view

2. Create the global NAT policy and enter its view.

nat global-policy

Configuring NAT-type rules

Restrictions and guidelines

When you configure a DNAT or SNAT+DNAT rule, the packet match criteria cannot match packets by destination security zone.

For a SNAT rule that uses the static NAT method to take effect, the object group referenced by the rule cannot have excluded addresses.

Procedure

1. Enter system view.

system-view

2. Enter the global NAT policy view.

nat global-policy

3. Create a NAT-type rule and enter its view.

rule name rule-name [ type nat ]

By default, no NAT rule exists.

4. (Optional.) Configure a description for the NAT rule.

description text

By default, no description is configured for the NAT rule.

5. (Optional.) Specify an alias and a tenant ID for the NAT rule on a Yundi network.

yundi alias alias-name tenant tenant-id

By default, no alias or tenant ID is specified for a NAT rule on a Yundi network.

Typically, the alias and tenant ID for a NAT rule is assigned by the remote controller. As a best practice, do not perform this task manually on the device.

6. Specify packet match criteria for the rule.

¡ Specify a source IP address match criterion.

source-ip { object-group-name | host ip-address | subnet subnet-ip-address mask-length }

By default, no source IP address match criterion is specified for the NAT rule.

¡ Specify a destination IP address match criterion.

destination-ip { object-group-name | host ip-address | subnet subnet-ip-address mask-length }

By default, no destination IP address match criterion is specified for the NAT rule.

¡ Specify a service object group.

service object-group-name

By default, no service type is specified for the NAT rule.

¡ Specify a source security zone.

source-zone source-zone-name

By default, no source security zone is specified for the NAT rule.

¡ Specify a destination security zone.

destination-zone destination-zone-name

By default, no destination security zone is specified for the NAT rule.

¡ Specify a VPN instance.

vrf vrf-name

By default, no VPN instance is specified for the NAT rule.

7. Specify an address translation method for the NAT rule.

¡ Specify a source address translation method.

NO-PAT:

action snat { address-group { group-id | name group-name } | object-group ipv4-object-group-name } no-pat [ reversible ] [ vrrp virtual-router-id ] [ vrf vrf-name ]

PAT:

action snat { address-group { group-id | name group-name } | object-group ipv4-object-group-name } [ port-preserved ] [ vrrp virtual-router-id ] [ vrf vrf-name ]

Easy IP:

action snat easy-ip [ port-preserved ] [ vrf vrf-name ]

Static translation:

action snat static { ip-address global-address | object-group object-group-name | subnet subnet-ip-address mask-length } [ vrrp virtual-router-id ] [ vrf vrf-name ]

NO-NAT:

action snat no-nat

By default, no source address translation method is specified for the NAT rule.

¡ Specify a destination address translation method.

Server mapping:

action dnat { ip-address local-address | object-group ipv4-object-group-name } [ local-port { local-port1 [ to local-port2 ] }&<1-32> ] [ vrrp virtual-router-id ] [ vrf vrf-name ]

NO-NAT:

action dnat no-nat

By default, no destination address translation method is specified for the NAT rule.

8. (Optional.) Enable hit counting for the NAT rule.

counting enable

By default, hit counting is disabled for the NAT rule.

9. Specify a translation mode for PAT.

a. Return to global NAT policy view

quit

b. Return to system view.

quit

c. Apply the Endpoint-Independent Mapping mode for address translation.

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

By default, the Address and Port-Dependent Mapping mode applies.

This command takes effect only on outbound PAT.

Configuring NAT64-type rules

About this task

NAT64-type rules use the AFT function, and are applicable to the following scenarios:

· Access initiated on the IPv6 side—In the earlier stage of transition from IPv4 to IPv6, most services are in IPv4 networks. When an IPv6 network user accesses an IPv4 network service, both the source address and destination address of user packets are IPv6 addresses. In this case, the source address and destination address must be translated to IPv4 addresses.

· Access initiated on the IPv4 side—In the later stage of transition from IPv4 to IPv6, most services are in IPv6 networks. When an IPv4 network user accesses an IPv6 network service, both the source address and destination address of user packets are IPv4 addresses. In this case, the source address and destination address must be translated to IPv6 addresses.

In the scenarios above, both source address translation and destination address translation are required.

Restrictions and guidelines

If you configure multiple packet match criteria in a NAT64-type rule, the type of IP addresses in the later configured packet match criteria must be the same as that in the earlier configured packet match criteria. For example, if you first execute the source-ip host 192.168.1.1 command, the source-ip host 100::1 command later executed does not take effect. Select an IP type as needed.

When you use the prefix method for address translation, the IPv6 address prefix length in the match criteria must meet the general prefix, IVI prefix, or NAT64 prefix requirements in the NAT action.

Procedure

1. Enter system view.

system-view

2. Enter global NAT policy view.

nat global-policy

3. Create a NAT64-type rule and enter its view.

rule name rule-name type nat64

By default, no NAT rule exists.

4. (Optional.) Configure a description for the NAT rule.

description text

By default, no description is configured for the NAT rule.

5. Specify packet match criteria for the rule.

¡ Specify a source IP address match criterion.

source-ip { { ipv4-object-group-name | ipv6-object-group-name } | host { ipv4-address | ipv6-address } | subnet { subnet-ipv4-address mask-length | subnet-ipv6-address prefix-length } }

By default, no source IP address match criterion is specified for the NAT rule.

¡ Specify a destination IP address match criterion.

destination-ip { { ipv4-object-group-name | ipv6-object-group-name } | host { ipv4-address | ipv6-address } | subnet { subnet-ipv4-address mask-length | subnet-ipv6-address prefix-length } }

¡ Specify a service object group.

service object-group-name

By default, no service object group is specified for the NAT rule.

¡ Specify a source security zone.

source-zone source-zone-name

By default, no source security zone is specified for the NAT rule.

¡ Specify a VPN instance.

vrf vrf-name

By default, no VPN instance is specified for the NAT rule.

6. Specify an address translation method for the NAT rule.

¡ Specify a source address translation method.

NO-PAT:

action snat object-group ipv4-object-group-name no-pat [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

action snat object-group ipv6-object-group-name no-pat [ vrf vrf-name ]

PAT:

action snat object-group ipv4-object-group-name [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

action snat object-group ipv6-object-group-name [ vrf vrf-name ]

Prefix translation:

action snat prefix { general { v4tov6 prefix-general general-prefix-length | v6tov4 } | ivi v6tov4 | nat64 v4tov6 prefix-nat64 nat64-prefix-length } [ vrf vrf-name ]

Static translation:

action snat static ip-address global-ipv4-address [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

action snat static ip-address global-ipv6-address [ ipv6-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Specify a destination address translation method.

Static translation:

action dnat static ip-address local-ipv4-address [ ipv6-vrrp virtual-router-id ] [ vrf vrf-name ]

action dnat static ip-address local-ipv6-address [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

Server mapping:

action dnat server ip-address local-ipv4-address [ local-port local-port ] [ vrf vrf-name ]

action dnat server ip-address local-ipv6-address [ local-port local-port ] [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

Prefix method:

action dnat prefix { general v6tov4 | nat64 v6tov4 } [ vrf vrf-name ]

action dnat prefix { general v4tov6 prefix-general prefix-length | ivi v4tov6 prefix-ivi } [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

7. (Optional.) Enable hit counting for the NAT rule.

counting enable

By default, hit counting is disabled for the NAT rule.

Configuring NAT66-type rules

About this task

NAT66 is used for translation between IPv6 addresses. Available translation methods include dynamic, static, and NPTv6. An IPv6 address includes a network prefix and an interface identifier. The NPTv6 method translates the network prefix to a new network prefix, and the interface identifier of the IPv6 address will be adjusted according to RFC 6296. For more information about the algorithm, see RFC 6296. The other two methods translate an IPv6 address to a new IPv6 address. When a large number of IPv6 addresses exist and you are not sensitive to the addresses after translation, as a best practice, use the NPTv6 method.

Restrictions and guidelines

When you configure a DNAT or SNAT+DNAT rule, the packet match criteria cannot match packets by destination security zone.

Procedure

1. Enter system view.

system-view

2. Enter global NAT policy view.

nat global-policy

3. Create a NAT66-type rule and enter its view.

rule name rule-name type nat66

By default, no NAT rule exists.

4. (Optional.) Configure a description for the NAT rule.

description text

By default, no description is configured for the NAT rule.

5. Specify packet match criteria for the rule.

¡ Specify a source IP address match criterion.

source-ip { ipv6-object-group-name | host ipv6-address | subnet subnet-ipv6-address prefix-length }

By default, no source IP address match criterion is specified for the NAT rule.

¡ Specify a destination IP address match criterion.

destination-ip { ipv6-object-group-name | host ipv6-address | subnet subnet-ipv6-address prefix-length }

¡ Specify a service object group.

service object-group-name

By default, no service object group is specified for the NAT rule.

¡ Specify a source security zone.

source-zone source-zone-name

By default, no source security zone is specified for the NAT rule.

¡ Specify a destination security zone.

destination-zone destination-zone-name

By default, no destination security zone is specified for the NAT rule.

¡ Specify a VPN instance.

vrf vrf-name

By default, no VPN instance is specified for the NAT rule.

6. Specify an address translation method for the NAT rule.

¡ Specify a source address translation method.

NO-PAT:

action snat object-group ipv6-object-group-name no-pat [ vrf vrf-name ]

PAT:

action snat object-group ipv6-object-group-name [ vrf vrf-name ]

Static translation:

action snat static ip-address global-ipv6-address [ ipv6-vrrp virtual-router-id ] [ vrf vrf-name ]

NPTv6:

action snat nptv6 translated-ipv6-prefix nptv6-prefix-length [ vrf vrf-name ]

NO-NAT:

action snat no-nat

¡ Specify a destination address translation method.

Server mapping:

action dnat ip-address local-ipv6-address [ local-port local-port ] [ vrf vrf-name ]

NPTv6:

action dnat nptv6 translated-ipv6-prefix nptv6-prefix-length [ vrf vrf-name ]

NO-NAT:

action dnat no-nat

7. (Optional.) Enable hit counting for the NAT rule.

counting enable

By default, hit counting is disabled for the NAT rule.

Rearranging NAT rules in the policy to adjust their priority

About this task

A NAT rule appearing earlier on the rule list has a higher priority for packet matching. You can use this feature to rearrange the NAT rules to adjust their priority.

Rearranging NAT rules change the priority values of the NAT rules. A smaller priority value indicates a higher priority. You can move the location of the NAT rules to adjust their priority as the following rules:

· Move the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

· Move the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

To view the priority of the NAT rules, use the display this command in global NAT policy view. The priority of NAT rules is affected by the configuration order and translation action.

· The priority of DNAT rules and SNAT+DNAT rules is higher than SNAT rules.

· The priority of DNAT rules and SNAT+DNAT rules is determined by the configuration order. A rule configured earlier has a higher priority.

· If a newly created DNAT rule or SNAT+DNAT rule is located after all existing DNAT rules and SNAT+DNAT rules, the newly created rule has a lower priority than all existing DNAT rules and SNAT+DNAT rules.

· The priority of SNAT rules is determined by the configuration order. A rule configured earlier has a higher priority.

· If a newly created SNAT rule is located after all existing SNAT rules, the newly created rule has a lower priority than all existing SNAT rules.

Once the device matches a receiving packet with a DNAT rule or SNAT+DNAT rule, it does not match the packet against SNAT rules. You can rearrange NAT rules to change their priority. Make sure all DNAT rules and SNAT+DNAT rules are placed before SNAT rules.

· Do not place a DNAT rule or SNAT+DNAT rule after a SNAT rule.

· Do not place a SNAT rule before a DNAT rule or SNAT+DNAT rule.

Procedure

1. Enter system view.

system-view

2. Enter the global NAT policy view.

nat global-policy

3. Rearrange NAT rules to change their priority.

rule move rule-name1 [ type { nat | nat64 | nat66 } ] { after | before } [ rule-name2 [ type { nat | nat64 | nat66 } ] ]

Before you use this command to rearrange NAT rules to change their priority, make sure the NAT rules already exist.

You can do not specify a NAT rule type. If you want to specify a NAT rule type, make sure the specified NAT rule type is correct.

Disabling NAT rules

Restrictions and guidelines

This feature does not delete a NAT rule, but makes the rule ineffective. To delete a NAT rule, use the undo rule name command.

Procedure

1. Enter system view.

system-view

2. Enter the global NAT policy view.

nat global-policy

3. Enter the view of a NAT rule.

rule name rule-name [ type { nat | nat64 | nat66 } ]

4. Disable the NAT rule.

disable

By default, NAT rules are enabled.

Configuring NAT address groups

About this task

A NAT address group can contain multiple address ranges. For global NAT, NAT-type SNAT rules can use the addresses in a NAT address group as translated addresses.

Procedure

1. Create a NAT address group, and enter its view.

nat address-group group-id [ name group-name ]

2. (Optional.) Configure a description for the NAT address group.

description text

By default, no description is configured for the NAT address group.

3. (Optional.) Specify an alias and a tenant ID for the NAT address group on a Yundi network.

yundi alias alias-name tenant tenant-id

By default, no alias or tenant ID is specified for a NAT address group on a Yundi network.

Typically, the alias and tenant ID for a NAT address group is assigned by the remote controller. As a best practice, do not perform this task manually on the device.

4. Add addresses to the NAT address group.

a. Add IP address ranges to the NAT address group.

address start-address end-address

You can add multiple public IP address ranges to an address group.

The IP address ranges in address groups cannot overlap.

b. Execute the following command to exclude IP addresses from being used in address translation.

exclude-ip start-address end-address

The end-address must not be lower than the start-address. If they are the same, you specify only one IP address.

5. (Optional.) Configure the port range for the public IP addresses.

port-range start-port-number end-port-number

By default, the port range is 1 to 65535.

The configuration takes effect only on PAT translation mode.

6. (Optional.) Configure port block parameters.

port-block block-size block-size [ extended-block-number extended-block-number ]

By default, no port block parameters exist.

The configuration takes effect only on PAT translation mode.

Configuring NAT ALG

1. Enter system view.

system-view

2. Configure NAT ALG for a protocol or all protocols.

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

By default, NAT ALG is enabled for the DNS, FTP, PPTP, RSTP protocols and ICMP error messages only.

By default, NAT ALG is enabled for DNS, FTP, ICMP error messages, PPTP, and RTSP, and is disabled for the other supported protocols.

Configuring NAT DNS mapping

About this task

NAT DNS mapping is applicable to scenarios that internal users access an internal server by using the domain name of the server when the DNS server is located at the external network.

Enabled with this feature, NAT translates the public IP address in the DNS reply payload into the private IP address. So that the internal users access the internal server by using the private IP address.

NAT DNS mapping works in conjunction with address translation of the server mapping method:

1. A NAT DNS mapping maps the domain name to the public IP address, public port number, and the protocol type for the internal server.

2. To specify the mapped public IP address for the internal server, configure the destination IP address match criterion. To specify the mapped service type and public port number for the internal server, configure the service type match criterion. Address translation specifies the translated private IP address.

3. Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response. If a match is found, NAT translates the public IP address in the response into the private IP address.

Procedure

1. Enter system view.

system-view

2. Enable NAT ALG for DNS.

nat alg dns

By default, NAT ALG is enabled for DNS.

3. Configure a NAT DNS mapping.

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

You can configure multiple NAT DNS mappings.

E nabling the NAT module to send gratuitous ARP packets

About this task

By default, the NAT module advertises public IP-MAC mappings in gratuitous ARP packets to other nodes in the same LAN. When the NAT module has too many public IP addresses, it takes a long time to send gratuitous ARP packets, which might cause ARP service anomalies. To make sure the ARP service can operate correctly, you can temporarily disable the NAT module from advertising public IP-MAC mappings in gratuitous ARP packets. After you disable this feature, the NAT module does not send gratuitous ARP packets but responds to the gratuitous ARP packets received from other nodes in the same LAN.

Restrictions and guidelines

Disable this feature with caution, because the NAT module will not send gratuitous ARP packets upon the following events:

· A public IP address changes or the VRRP group corresponding to a public IP address changes in the NAT module.

· The MAC address or virtual MAC address of an interface changes.

· Link flapping occurs on an equal-cost egress.

As a result, other nodes in the same LAN might not be able to update MAC address entries in time, resulting in service anomalies. Before disabling this feature, make sure you have understood the potential impact.

Procedure

1. Enter system view.

system-view

2. Enable the NAT module to advertise public IP-MAC mappings in gratuitous ARP packets.

nat gratuitous-arp enable

By default, the NAT module advertises public IP-MAC mappings in gratuitous ARP packets.

Enabling NAT port halving

About this task

After you enable NAT port halving in VRRP load balancing on an IRF fabric, each port block will be equally divided between the two devices. The two devices will use different ports to translate packets from the same IP address, avoiding port assignment conflicts.

For more information about the IRF fabric, see Virtual Technologies Configuration Guide.

Restrictions and guidelines

Do not use this feature in VRRP standard mode on an IRF fabric.

Procedure

1. Enter system view.

system-view

2. Enable NAT port halving.

nat port-load-balance enable slot slot-number

By default, NAT port halving is disabled.

Configuring hot backup for NAT

About hot backup for NAT

If only one NAT device is deployed in the internal network, internal users cannot access the external network when the NAT device fails. To avoid this situation, configure a two-node hot backup system to provide redundant NAT services. The two devices in the system synchronize session entries, session relation entries, NAT port block entries, and NAT configurations through the hot backup channel. When one device fails, the other device takes over.

For more information about configuring a hot backup system, see RBM-based hot backup configuration in High Availability Configuration Guide.

Operating mechanism

Typically, the master device in the VRRP group processes NAT services in the hot backup system. The following example illustrates how the hot backup system in active/standby mode ensures uninterrupted NAT services when the master device fails.

As shown in Figure 17, Device A acts as the primary device and Device B acts as the secondary device in a hot backup system. Device A synchronizes its session entries, session relation entries, and port block entries to Device B in real time through the hot backup channel. Downlinks of Device A and Device B are in VRRP group 1 and uplinks of Device A and Device B are in VRRP group 2. VRRP groups are associated with the hot backup system. RBM selects Device A as the master device for address translation based on the link status or forwarding capability of Device A.

Figure 9 Hot backup system in active/standby mode

‌

As shown in Figure 18, when Interface A2 of Device A fails, Device B becomes the master device in the VRRP group. Because Device B has NAT configuration information and service entries, NAT services are not interrupted after link switchover.

Figure 10 Traffic switchover in active/standby mode

‌

Configuring NAT on a hot backup system in active/standby mode

About this task

On an active/standby hot backup system, some translation rules for static, source, or destination address translation issue the translated public IP addresses or the public IP addresses of internal servers to the address management module. Then, both the active and standby devices advertise the mappings between the public IP addresses and MAC addresses of their own physical interfaces to all nodes in the same LAN or local link. As a result, the upstream Layer 3 device directly connected to the hot backup system might incorrectly send downlink packets to a VRRP backup device, causing service anomalies.

To avoid such an issue, bind address translation methods to the VRRP group in use. This ensures that only the VRRP master device responds to the ARP requests or NS requests for the translated public IP addresses or the public IP addresses of internal servers. The MAC addresses in the responses are the virtual MAC address of the VRRP group. For more information about configuring the HA group, see High Availability Configuration Guide.

Restrictions and guidelines

Bind an address translation method to a VRRP group in NAT rule view on the primary device in the hot backup system. The virtual IP address of the VRRP group must be on the same segment as the public IP address after translation or the public IP address of the internal server.

Procedure (NAT-type rule)

1. Enter system view.

system-view

2. Enter global NAT policy view.

nat global-policy

3. Enter NAT rule view.

rule name rule-name [ type nat ]

4. Bind a translation method to a VRRP group. Choose the options to configure as needed:

¡ Bind the NO-PAT method to a VRRP group for source address translation.

action snat address-group { group-id | name group-name } no-pat [ reversible ] vrrp virtual-router-id

¡ Bind the PAT method to a VRRP group for source address translation.

action snat address-group { group-id | name group-name } [ port-preserved ] vrrp virtual-router-id

¡ Bind the static source address translation method to a VRRP group.

action snat static { ip-address global-address | object-group object-group-name | subnet subnet-ip-address mask-length } vrrp virtual-router-id

¡ Bind the server mapping method to a VRRP group for destination address translation.

action dnat { ip-address local-address | object-group ipv4-object-group-name } [ local-port { local-port1 [ to local-port2 ] }&<1-32> ] vrrp virtual-router-id

By default, a translation method is not bound to any VRRP group.

Procedure (NAT64-type rule)

1. Enter system view.

system-view

2. Enter global NAT policy view.

nat global-policy

3. Create a NAT64-type rule and enter its view.

rule name rule-name type nat64

4. Bind a translation method to a VRRP group. Choose the options to configure as needed:

¡ Bind the NO-PAT method to a VRRP group for source address translation.

action snat object-group ipv4-object-group-name no-pat [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the PAT method to a VRRP group for source address translation.

action snat object-group ipv4-object-group-name [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the IPv6-to-IPv4 static source address translation method to a VRRP group.

action snat static ip-address global-ipv4-address [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the IPv4-to-IPv6 static source address translation method to a VRRP group.

action snat static ip-address global-ipv6-address [ ipv6-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the IPv6-to-IPv4 static destination address translation method to a VRRP group.

action dnat static ip-address local-ipv4-address [ ipv6-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the IPv4-to-IPv6 static destination address translation method to a VRRP group.

action dnat static ip-address local-ipv6-address [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the server mapping method to a VRRP group for IPv4-to-IPv6 destination address translation.

action dnat server ip-address local-ipv6-address [ local-port local-port ] [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

¡ Bind the prefix method to a VRRP group for IPv4-to-IPv6 destination address translation.

action dnat prefix { general v4tov6 prefix-general prefix-length | ivi v4tov6 prefix-ivi } [ ipv4-vrrp virtual-router-id ] [ vrf vrf-name ]

By default, a translation method is not bound to any VRRP group.

Procedure (NAT66-type rule)

1. Enter system view.

system-view

2. Enter global NAT policy view.

nat global-policy

3. Create a NAT66-type rule and enter its view.

rule name rule-name type nat66

4. Bind the static source address translation method to a VRRP group.

action snat static ip-address global-ipv6-address [ ipv6-vrrp virtual-router-id ] [ vrf vrf-name ]

By default, a static source address translation method is not bound to any VRRP group.

Configuring NAT on a hot backup system in dual-active mode

About this task

On a dual-active hot backup system, the upstream Layer 3 device directly connected to the hot backup system might incorrectly send downlink packets to a VRRP backup device, causing service anomalies.

Restrictions and guidelines

Select one of the following configuration methods:

· The two devices share a NAT address group. To prevent different VRRP master devices from using the same IP-port mapping for different hosts, specify the PAT translation mode for NAT rules and execute the nat remote-backup port-alloc command on the hot backup primary device.

· As a best practice to prevent different master devices from using the same IP-port mapping for different hosts, configure the two devices to use different public IP addresses for address translation. For example, if the two devices use addresses in different NAT address groups, user traffic with different source IP addresses is identified by source IP address match criteria in NAT rules. To enable different VRRP master devices to translate the forward user traffic, specify different gateway addresses for different internal users. To direct the reverse traffic to different VRRP master devices, bind the address translation method to different VRRP groups on the hot backup primary device for load sharing.

Bind an address translation method to a VRRP group in NAT rule view on the primary device in the hot backup system. The virtual IP address of the VRRP group and the public IP address after translation or public IP address of the internal server are on the same segment.