H3C MSR1000[2600][3600] Routers Configuration Examples All-in-One-R9141-6W100

54-Outbound Bidirectional NAT Configuration Examples

 

H3C Routers

Outbound Bidirectional NAT

Configuration Examples

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides examples for configuring outbound bidirectional NAT on routers.

Prerequisites

This document applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the router.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of NAT.

Example: Configuring outbound bidirectional NAT

Network configuration

As shown in Figure 1, the router acts as the gateway through which the company accesses the public network. The private network where the Web server resides overlaps with the company private network 192.168.1.0/24. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow the host to access the external Web server by using the server's domain name.

Figure 1 Network diagram

Analysis

·     Configure inbound dynamic NAT ALG to make sure the internal host can reach the Web server. NAT ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address.

·     Configure outbound dynamic NAT to translate the source IP address of packets from the internal host to a dynamically assigned public address.

·     Add a static route to the public IP address of the external Web server.

Software versions used

This configuration example was created and verified on R9141P16 of the MSR2630E-X1 device.

Procedures

# Specify IP addresses for the interfaces on the router.

<Router> system-view

[Router] interface gigabitethernet 0/0/1

[Router-GigabitEthernet0/0/1] ip address 192.168.1.1 24

[Router-GigabitEthernet0/0/1] quit

[Router] interface gigabitethernet 0/0/2

[Router-GigabitEthernet0/0/2] ip address 10.0.1.1 24

[Router-GigabitEthernet0/0/2] quit

# Enable NAT ALG for DNS.

[Router] nat alg dns

# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.

[Router] acl number 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.2 to address group 1.

[Router-nat-address-group-1] address 202.38.1.2 202.38.1.2

[Router-nat-address-group-1] quit

# Create address group 2.

[Router] nat address-group 2

# Add address 202.38.1.3 to address group 2.

[Router-nat-address-group-2] address 202.38.1.3 202.38.1.3

[Router-nat-address-group-2] quit

# Enable inbound NO-PAT on GigabitEthernet 0/0/2 to translate the Web server's IP address in the DNS reply payload into the address in address group 1, and allow reverse address translation.

[Router] interface gigabitethernet 0/0/2

[Router-GigabitEthernet0/0/2] nat inbound 2000 address-group 1 no-pat reversible

# Enable outbound PAT on GigabitEthernet 0/0/2 to translate the source address of outgoing packets into the address in address group 2.

[Router-GigabitEthernet0/0/2] nat outbound 2000 address-group 2

[Router-GigabitEthernet0/0/2] quit

# Configure a static route to 202.38.1.2 with GigabitEthernet 0/0/2 as the output interface and 10.0.1.1 as the next hop.

[Router] ip route-static 202.38.1.2 32 gigabitethernet 0/0/2 10.0.1.1

Verifying the configuration

# Verify that the host can access the Web server by using its domain name. (Details not shown.)

# Execute the display nat all command to display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

  Totally 2 NAT address groups.

  Address group 1:

  Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.2

 

  Address group 2:

  Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.3            202.38.1.3

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet0/0/2

    ACL: 2000

    Address group ID: 1

    Add route: N             NO-PAT: Y  Reversible: Y

    NAT counting: 0

    Config status: Active

 

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet0/0/2

    ACL: 2000

    Address group ID: 2

    Port-preserved: N        NO-PAT: N  Reversible: N

    NAT counting: 0

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

  NO-PAT IP usage     : Disabled

 

NAT mapping behavior:

  Mapping mode: Address and Port-Dependent

  ACL         : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Enabled

  ICMP-ERROR : Enabled

  ILS        : Enabled

  MGCP       : Enabled

  NBT        : Enabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Enabled

  SCCP       : Enabled

  SCTP       : Enabled

  SIP        : Enabled

  SQLNET     : Enabled

  TFTP       : Enabled

  XDMCP      : Enabled

 

Static NAT load balancing:     Disabled

 

NAT link-switch recreate-session: Disabled

 

NAT configuration-for-new-connection: Disabled

 

NAT global-policy compatible-previous-version rule-type ipv4-snat-and-dnat trans

late-before-secp : Disabled
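The output above shows NAT logging disabled and every ALG enabled, although this procedure relies only on the DNS ALG. The following added Python example (not H3C code) parses such output and flags both conditions; the function names, the finding labels, and the default required_algs=("DNS",) are assumptions based on this scenario.

```python
import re

# Abridged copy of the 'display nat all' output above (sample input for the check).
SAMPLE = """\
NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  PPTP       : Enabled
  SIP        : Enabled
  TFTP       : Enabled

Static NAT load balancing:     Disabled
"""

def parse_sections(text):
    """Return {section title: {key: value}} for 'key : value' lines under each heading."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.replace("\u00a0", " ").rstrip()   # tolerate non-breaking-space filler lines
        if not line:
            continue
        if not line[0].isspace():
            # A heading ends with ':'; any other top-level line closes the section.
            current = line[:-1] if line.endswith(":") else None
            if current is not None:
                sections[current] = {}
        elif current is not None and ":" in line:
            key, value = re.split(r"\s*:\s*", line.strip(), maxsplit=1)
            sections[current][key] = value
    return sections

def review(text, required_algs=("DNS",)):
    """Flag disabled NAT logging and ALGs beyond those the design needs (assumed: DNS only)."""
    s = parse_sections(text)
    findings = []
    if s.get("NAT logging", {}).get("Log enable") != "Enabled":
        findings.append("nat-logging-disabled")      # no translation records for attribution
    extra = sorted(k for k, v in s.get("NAT ALG", {}).items()
                   if v == "Enabled" and k not in required_algs)
    if extra:
        findings.append("unneeded-alg:" + ",".join(extra))
    return findings
```
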

# Execute the display nat session verbose command to display NAT sessions that are generated when the host accesses the Web server.

[Router] display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.10/1694

  Destination IP/port: 202.38.1.2/8080

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet0/0/1

Responder:

  Source      IP/port: 192.168.1.10/8080

  Destination IP/port: 202.38.1.3/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet0/0/2

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: -/-/-

Rule name:

Start time: 2013-08-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

 

Total sessions found: 1
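The translation path described in the Analysis section and reflected in the session entry above, modeled as an added Python example (not H3C code and not captured device behavior). The Router class, its method names, and the starting PAT port 1025 (taken from the session output) are assumptions; in this model a single-address NO-PAT group holds only one overlapping server mapping at a time.

```python
import ipaddress
from dataclasses import dataclass, field

# Values from the configuration above.
ACL_2000 = ipaddress.ip_network("192.168.1.0/24")  # rule permit source 192.168.1.0 0.0.0.255
GROUP_1 = ["202.38.1.2"]   # nat inbound 2000 address-group 1 no-pat reversible
GROUP_2 = "202.38.1.3"     # nat outbound 2000 address-group 2 (PAT)

@dataclass
class Router:
    nopat: dict = field(default_factory=dict)              # real address -> group 1 address
    free: list = field(default_factory=lambda: list(GROUP_1))
    next_port: int = 1025                                  # assumed first PAT port
    sessions: list = field(default_factory=list)

    def dns_alg_inbound(self, a_record):
        """DNS reply arriving on GE0/0/2: rewrite an A record matched by ACL 2000."""
        if ipaddress.ip_address(a_record) not in ACL_2000:
            return a_record                                # no overlap, payload untouched
        if a_record not in self.nopat:
            if not self.free:
                raise RuntimeError("address group 1 exhausted")
            self.nopat[a_record] = self.free.pop(0)        # one-to-one NO-PAT mapping
        return self.nopat[a_record]

    def forward_outbound(self, src, sport, dst, dport):
        """Packet leaving GE0/0/2: reverse the NO-PAT mapping, then PAT the source."""
        reverse = {pub: real for real, pub in self.nopat.items()}
        real_dst = reverse.get(dst, dst)                   # effect of 'reversible'
        if ipaddress.ip_address(src) in ACL_2000:
            nat_src, nat_sport = GROUP_2, self.next_port
            self.next_port += 1
        else:
            nat_src, nat_sport = src, sport
        self.sessions.append({
            "initiator": (src, sport, dst, dport),
            "responder": (real_dst, dport, nat_src, nat_sport)})
        return (nat_src, nat_sport, real_dst, dport)       # tuple seen on the public side

def walk_through():
    r = Router()
    resolved = r.dns_alg_inbound("192.168.1.10")           # server's real, overlapping address
    wire = r.forward_outbound("192.168.1.10", 1694, resolved, 8080)
    return resolved, wire, r.sessions[0]
```

The returned session reproduces the Initiator and Responder tuples in the display nat session verbose output, where the host and the Web server both appear as 192.168.1.10.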

Configuration files

#

interface GigabitEthernet0/0/1

 port link-mode route

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet0/0/2

 port link-mode route

 ip address 10.0.1.1 255.255.255.0

 nat inbound 2000 address-group 1 no-pat reversible

 nat outbound 2000 address-group 2

#

 ip route-static 202.38.1.2 32 GigabitEthernet0/0/2 10.0.1.1

#

acl number 2000

 rule 0 permit source 192.168.1.0 0.0.0.255

#

nat address-group 1

 address 202.38.1.2 202.38.1.2

#

nat address-group 2

 address 202.38.1.3 202.38.1.3

#

Related documentation

·     NAT and IPv6 Transition Technologies Configuration Guide in H3C MSR1000[2600][3600] Routers Configuration Guides(V9)

·     NAT and IPv6 Transition Technologies Command Reference in H3C MSR1000[2600][3600] Routers Command References(V9)
