03-Typical Configuration Example

51-Bidirectional NAT and NAT Server Configuration Examples

Example: Configuring bidirectional NAT and NAT Server

Network configuration

As shown in Figure 1, Host A accesses the Internet after NAT on Device A. A CGN card installed in slot 2 of Device A provides address translation. The company uses private IP addresses on network 192.168.1.0/24 and provides FTP services through public IP address 202.38.1.100.

Configure bidirectional NAT and NAT Server to meet the following requirements:

·     Both Host A and Host B can access the FTP server by using IP address 202.38.1.100 and port 21.

·     Only users on subnet 192.168.1.0/24 can access the Internet by using public IP addresses 202.38.1.2 and 202.38.1.3.

Figure 1 Network diagram

 

Procedures

Configuring Device A

1.     Specify IPv4 addresses for the interfaces on Device A.

<DeviceA> system-view

[DeviceA] interface ten-gigabitethernet 3/1/1

[DeviceA-Ten-GigabitEthernet3/1/1] ip address 192.168.1.1 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/1/1] quit

[DeviceA] interface ten-gigabitethernet 3/1/2

[DeviceA-Ten-GigabitEthernet3/1/2] ip address 202.38.1.10 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/1/2] quit

2.     Configure an ACL:

# Configure ACL 3002 to permit all packets.

[DeviceA] acl advanced 3002

[DeviceA-acl-ipv4-adv-3002] rule 5 permit ip source any

[DeviceA-acl-ipv4-adv-3002] quit

3.     Configure a failover group:

# Specify the CGN card in slot 2 as the primary node in failover group cgn1.

[DeviceA] failover group cgn1 id 1

[DeviceA-failover-group-cgn1] bind slot 2 primary

[DeviceA-failover-group-cgn1] quit

4.     Create service instance group 1 and associate it with failover group cgn1.

[DeviceA] service-instance-group 1

[DeviceA-service-instance-group-1] failover-group cgn1

[DeviceA-service-instance-group-1] quit

5.     Configure an address group:

# Configure address group 0 and add an address range from 202.38.1.2 to 202.38.1.3.

[DeviceA] nat address-group 0

[DeviceA-address-group-0] address 202.38.1.2 202.38.1.3

[DeviceA-address-group-0] quit

6.     Configure a NAT instance:

# Create a NAT instance named a with ID 1.

[DeviceA] nat instance a id 1

# Associate NAT instance a with service instance group 1.

[DeviceA-nat-instance-a] service-instance-group 1

# Configure outbound dynamic NAT to use NAT address group 0 to translate packets permitted by ACL 3002.

[DeviceA-nat-instance-a] nat outbound 3002 address-group 0

# Configure a NAT server mapping to allow external users to access the FTP server by using the address 202.38.1.100 and port 21.

[DeviceA-nat-instance-a] nat server protocol tcp global 202.38.1.100 21 inside 192.168.1.3 ftp

[DeviceA-nat-instance-a] quit

7.     Configure a QoS policy to redirect traffic to the NAT instance for address translation:

# Configure traffic class cgn and traffic behavior cgn.

[DeviceA] traffic classifier cgn operator and

[DeviceA-classifier-cgn] if-match acl 3002

[DeviceA-classifier-cgn] quit

[DeviceA] traffic behavior cgn

[DeviceA-behavior-cgn] bind nat-instance a

[DeviceA-behavior-cgn] quit

# Create QoS policy cgn and associate the traffic class with the traffic behavior.

[DeviceA] qos policy cgn

[DeviceA-qospolicy-cgn] classifier cgn behavior cgn

[DeviceA-qospolicy-cgn] quit

# Apply the QoS policy to the inbound traffic on Ten-GigabitEthernet3/1/1.

[DeviceA] interface ten-gigabitethernet 3/1/1

[DeviceA-Ten-GigabitEthernet3/1/1] qos apply policy cgn inbound

[DeviceA-Ten-GigabitEthernet3/1/1] quit

Configuring Host B

Make sure Host B and Device A can reach each other.

Verifying the configuration

# Access the FTP server by using IP address 202.38.1.100 and port 21 on Host A. Display NAT session information generated on Device A when Host A accesses the FTP server.

[DeviceA] display nat session verbose

Slot 2:

Initiator:

  Source      IP/port: 192.168.1.2/22213

  Destination IP/port: 202.38.1.100/21

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/1

Responder:

  Source      IP/port: 192.168.1.3/21

  Destination IP/port: 202.38.1.3/1024

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/1

State: TCP_ESTABLISHED

Application: FTP

Role: Master

Failover group ID: 1

Start time: 2023-03-06 15:40:47    TTL: 3592s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

Total sessions found: 1

# Enter the IP address of the WWW server in the address bar of the Web browser on Host A. Display NAT session information generated on Device A when Host A accesses the WWW server.

[DeviceA] display nat session verbose

Slot 2:

Initiator:

  Source      IP/port: 192.168.1.2/4481

  Destination IP/port: 200.1.1.20/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/1

Responder:

  Source      IP/port: 200.1.1.20/80

  Destination IP/port: 202.38.1.2/1029

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/2

State: TCP_ESTABLISHED

Application: HTTP

Role: Master

Failover group ID: 1

Start time: 2023-03-06 15:50:33    TTL: 3583s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

Total sessions found: 1

# Access the FTP server by using IP address 202.38.1.100 and port 21 on Host B. Display NAT session information generated on Device A when Host B accesses the FTP server.

[DeviceA] display nat session verbose

Slot 2:

Initiator:

  Source      IP/port: 200.1.1.10/60738

  Destination IP/port: 202.38.1.100/21

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/2

Responder:

  Source      IP/port: 192.168.1.3/21

  Destination IP/port: 200.1.1.10/60738

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/1

State: TCP_ESTABLISHED

Application: FTP

Role: Master

Failover group ID: 1

Start time: 2023-03-06 15:55:40    TTL: 3593s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

Total sessions found: 1
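
ACL 3002 permits all sources, so it is worth checking the session table itself against the two stated requirements. The following Python sketch is an added example, not part of the H3C documentation: it parses the IP/port lines of `display nat session verbose`, names the translation each session received (outbound, NAT server, or bidirectional), and reports sessions that fall outside the subnet, address group, or server mapping configured above. The function names are hypothetical, and the sample is condensed from the three sessions shown in this section.

```python
import ipaddress
import re

INSIDE = ipaddress.ip_network("192.168.1.0/24")   # users allowed to use source NAT
POOL = {"202.38.1.2", "202.38.1.3"}               # nat address-group 0
SERVER = (("202.38.1.100", 21), ("192.168.1.3", 21))  # nat server: global -> inside

# Constructed sample: the IP/port lines of the three sessions shown above.
SAMPLE = """
  Source      IP/port: 192.168.1.2/22213
  Destination IP/port: 202.38.1.100/21
  Source      IP/port: 192.168.1.3/21
  Destination IP/port: 202.38.1.3/1024
  Source      IP/port: 192.168.1.2/4481
  Destination IP/port: 200.1.1.20/80
  Source      IP/port: 200.1.1.20/80
  Destination IP/port: 202.38.1.2/1029
  Source      IP/port: 200.1.1.10/60738
  Destination IP/port: 202.38.1.100/21
  Source      IP/port: 192.168.1.3/21
  Destination IP/port: 200.1.1.10/60738
"""

ENDPOINT = re.compile(r"(?:Source|Destination)\s+IP/port:\s*(\S+)/(\d+)")

def parse_sessions(text):
    """Return (init_src, init_dst, resp_src, resp_dst) per session, in output order."""
    eps = [(ip, int(port)) for ip, port in ENDPOINT.findall(text)]
    return [tuple(eps[i:i + 4]) for i in range(0, len(eps) - 3, 4)]

def classify(session):
    """Name the translation a session received and list departures from the policy."""
    init_src, init_dst, resp_src, resp_dst = session
    src_nat = resp_dst != init_src   # reply is addressed to a translated source
    dst_nat = resp_src != init_dst   # reply comes from the real (inside) server
    kind = {(True, True): "bidirectional", (True, False): "outbound",
            (False, True): "nat-server", (False, False): "untranslated"}[src_nat, dst_nat]
    problems = []
    if src_nat and ipaddress.ip_address(init_src[0]) not in INSIDE:
        problems.append("source NAT applied to a host outside 192.168.1.0/24")
    if src_nat and resp_dst[0] not in POOL:
        problems.append("translated source is not in address group 0")
    if dst_nat and (init_dst, resp_src) != SERVER:
        problems.append("destination NAT does not match the nat server mapping")
    return kind, problems

def audit(text):
    return [classify(s) for s in parse_sessions(text)]
```

The parser ignores every line except the four IP/port lines per session, so the full command output can be passed to `audit()` unchanged.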

Configuration files

Device A:

#

failover group cgn1 id 1

 bind slot 2 primary

#

service-instance-group 1

 failover-group cgn1

#

nat instance a id 1

 service-instance-group 1

 nat outbound 3002 address-group 0

 nat server protocol tcp global 202.38.1.100 21 inside 192.168.1.3 21

 

#

traffic classifier cgn operator and

 if-match acl 3002

 

#

traffic behavior cgn

 bind nat-instance a

#

qos policy cgn

 classifier cgn behavior cgn

#

interface Ten-GigabitEthernet3/1/1

 ip address 192.168.1.1 255.255.255.0

 qos apply policy cgn inbound

#

interface Ten-GigabitEthernet3/1/2

 ip address 202.38.1.10 255.255.255.0

#

nat address-group 0

 address 202.38.1.2 202.38.1.3

#

acl advanced 3002

 rule 5 permit ip
