As shown in Figure 1, the private network where the Web server resides overlaps with the company private network 192.168.1.0/24. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using the server's domain name.
To meet the network requirements, you must perform the following tasks:
Configure inbound dynamic NAT and enable NAT ALG for DNS, so that an internal host resolving the Web server's domain name reaches the Web server instead of a host on the overlapping internal subnet. The DNS ALG translates the Web server's IP address in the DNS reply payload to a dynamically assigned public address.
Configure outbound dynamic NAT to translate the source IP address of packets from an internal host to a dynamically assigned public address.
Add a static route to the public IP address of the external Web server.
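The first task above depends on what the DNS ALG does to the reply payload: a host on 192.168.1.0/24 that receives an A record for an address in the same range would send its HTTP request onto the local subnet, so the ALG must rewrite that answer to the public address in address group 1 before the reply reaches the host. The following Python model, added here as an illustration and not taken from the H3C documentation or device software, parses a DNS response (header, question section with name compression, resource records) and rewrites only A records whose address falls in the overlapping subnet. The Web server's real address is not stated on the page, so 192.168.1.2 is a constructed placeholder, and the sample DNS message is constructed for the demonstration; UDP checksum recalculation is outside the model.

```python
"""
Added illustration (not H3C code): what the DNS ALG in the example has to do to a
DNS reply so that Host A reaches the external Web server instead of a host on the
overlapping internal subnet.
"""
import ipaddress
import struct

# Values from the example: the overlapping subnet and the NO-PAT address in
# address group 1. The Web server's real (overlapping) address is not stated on
# the page; 192.168.1.2 below is a constructed placeholder.
OVERLAP_NET = ipaddress.ip_network("192.168.1.0/24")
NOPAT_ADDRESS = ipaddress.ip_address("202.38.1.2")
SERVER_REAL_ADDRESS = "192.168.1.2"   # placeholder, see above

TYPE_A, CLASS_IN = 1, 1
QR_BIT = 0x8000


def _skip_name(msg, off):
    """Return the offset just past a domain name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:                # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _resource_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlength) for every RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4             # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlength
        off += rdlength


def rewrite_dns_reply(msg, overlap_net=OVERLAP_NET, public_addr=NOPAT_ADDRESS):
    """Model the inbound NO-PAT DNS ALG: rewrite A records whose address lies in the
    overlapping subnet to the public address. Returns (new_message, rewritten_count).
    Queries (QR bit clear), non-A records and addresses outside the subnet are left
    untouched; the TTL and message length do not change."""
    buf = bytearray(msg)
    flags = struct.unpack("!H", buf[2:4])[0]
    if not flags & QR_BIT:
        return bytes(buf), 0
    count = 0
    for off, rtype, rclass, rdlength in _resource_records(buf):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlength == 4:
            if ipaddress.ip_address(bytes(buf[off:off + 4])) in overlap_net:
                buf[off:off + 4] = public_addr.packed
                count += 1
    return bytes(buf), count


def a_records(msg):
    """List the IPv4 addresses carried in A records of a DNS message, as strings."""
    return [
        str(ipaddress.ip_address(bytes(msg[off:off + 4])))
        for off, rtype, rclass, rdlength in _resource_records(msg)
        if rtype == TYPE_A and rclass == CLASS_IN and rdlength == 4
    ]


def build_sample_message(name, addr, ttl=300, response=True):
    """Constructed sample: a minimal DNS message with one question and one A record,
    the answer name given as a compression pointer to the question (0xC00C)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + ipaddress.ip_address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_sample_message("www.example.com", SERVER_REAL_ADDRESS)
    translated, n = rewrite_dns_reply(reply)
    print("before:", a_records(reply), "after:", a_records(translated), "rewritten:", n)
```

Running the block shows the reply carrying 192.168.1.2 leaving with 202.38.1.2, which is the address Host A then uses as the destination of its HTTP request; the reversible inbound rule on GigabitEthernet 1/0/2 maps that destination back to the server, and the outbound rule translates Host A's source address to the address in group 2, matching the session displayed later in the example. A reply for an address outside 192.168.1.0/24 passes through unchanged, which is the behaviour to check when confirming that the ALG does not interfere with ordinary name resolution.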
This configuration example was created and verified on E8371 of the F5000-AI160 device.
# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)
# Enable NAT ALG for DNS.
<Device> system-view
[Device] nat alg dns
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.
[Device] acl basic 2000
[Device-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Device-acl-ipv4-basic-2000] quit
# Create address group 1.
[Device] nat address-group 1
# Add address 202.38.1.2 to the group.
[Device-address-group-1] address 202.38.1.2 202.38.1.2
[Device-address-group-1] quit
# Create address group 2.
[Device] nat address-group 2
# Add address 202.38.1.3 to the group.
[Device-address-group-2] address 202.38.1.3 202.38.1.3
[Device-address-group-2] quit
# Enable inbound NO-PAT on GigabitEthernet 1/0/2 to translate the source IP address in the DNS reply payload into the address in address group 1, and allow reversible NAT.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] nat inbound 2000 address-group 1 no-pat reversible
# Enable outbound PAT on GigabitEthernet 1/0/2 to translate the source address of outgoing packets into the address in address group 2.
[Device-GigabitEthernet1/0/2] nat outbound 2000 address-group 2
[Device-GigabitEthernet1/0/2] quit
# Configure a static route to 202.38.1.2 with GigabitEthernet 1/0/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.)
[Device] ip route-static 202.38.1.2 32 gigabitethernet 1/0/2 20.2.2.2
# Verify that Host A can access the Web server by using its domain name. (Details not shown.)
# Display all NAT configuration and statistics.
[Device] display nat all
NAT address group information:
  Totally 2 NAT address groups.
  Address group ID: 1
    Port range: 1-65535
    Address information:
      Start address         End address
      202.38.1.2            202.38.1.2
    Exclude address information:
      Start address         End address
      ---                   ---
  Address group ID: 2
    Port range: 1-65535
    Address information:
      Start address         End address
      202.38.1.3            202.38.1.3
    Exclude address information:
      Start address         End address
      ---                   ---
NAT inbound information:
  Totally 1 NAT inbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: 1
    Add route: N          NO-PAT: Y          Reversible: Y
    Config status: Active
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: 2
    Port-preserved: N     NO-PAT: N          Reversible: N
    Config status: Active
NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled
  NO-PAT IP usage     : Disabled
NAT mapping behavior:
  Mapping mode  : Address and Port-Dependent
  ACL           : ---
  Config status : Active
NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Disabled
  ICMP-ERROR : Enabled
  ILS        : Disabled
  MGCP       : Disabled
  NBT        : Disabled
  PPTP       : Enabled
  RTSP       : Enabled
  RSH        : Disabled
  SCCP       : Disabled
  SCTP       : Disabled
  SIP        : Disabled
  SQLNET     : Disabled
  TFTP       : Disabled
  XDMCP      : Disabled
Static NAT load balancing: Disabled
NAT link-switch recreate-session: Disabled
NAT configuration-for-new-connection: Disabled
# Display NAT sessions that are generated when Host A accesses the Web server.
[Device] display nat session verbose
Slot 1:
Initiator:
  Source      IP/port: 192.168.1.10/51716
  Destination IP/port: 202.38.1.2/80
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 202.38.1.2/80
  Destination IP/port: 202.38.1.3/1059
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Untrust
State: TCP_ESTABLISHED
Application: HTTP
Rule ID: -/-/-
Rule name:
Start time: 2017-05-21 15:36:29  TTL: 1197s
Initiator->Responder:          125 packets       6304 bytes
Responder->Initiator:          223 packets     325718 bytes
Total sessions found: 1
#
nat address-group 1
 address 202.38.1.2 202.38.1.2
#
nat address-group 2
 address 202.38.1.3 202.38.1.3
#
interface GigabitEthernet1/0/1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 20.2.2.1 255.255.255.0
 nat inbound 2000 address-group 1 no-pat reversible
 nat outbound 2000 address-group 2
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name Untrust
 import interface GigabitEthernet1/0/2
#
ip route-static 202.38.1.2 32 GigabitEthernet1/0/2 20.2.2.2
#
acl basic 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
#
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
 rule 1 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust