CLI example: Configuring twice NAT

Network configuration

As shown in Figure 1, two departments are in different VPN instances with overlapping addresses. Configure twice NAT so that Host A and Host B in different departments can access each other.

Figure 1 Network diagram

 

Requirements analysis

This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.

To allow VPNs to access each other, configure the interzone policies to allow VPN packets to pass through.

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device.

Procedures

# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Allow VPN packets to pass through in the interzone policies. Make sure the network connections are available. (Details not shown.)

# Configure a static outbound NAT mapping between 192.168.1.2 in vpn 1 and 172.16.1.2 in vpn 2.

<Device> system-view

[Device] nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

# Configure a static outbound NAT mapping between 192.168.1.2 in vpn 2 and 172.16.2.2 in vpn 1.

[Device] nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

# Enable static NAT on GigabitEthernet 1/0/2.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] nat static enable

[Device-GigabitEthernet1/0/2] quit

# Enable static NAT on GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] nat static enable

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that Host A and Host B can access each other. The public address for Host A is 172.16.1.2 and that for Host B is 172.16.2.2. (Details not shown.)

# Display all NAT configuration and statistics.

[Device] display nat all

Static NAT mappings:

  Totally 2 outbound static NAT mappings.

  IP-to-IP:

    Local IP     : 192.168.1.2

    Global IP    : 172.16.1.2

    Local VPN    : vpn1

    Global VPN   : vpn2

    Config status: Active

 

  IP-to-IP:

    Local IP     : 192.168.1.2

    Global IP    : 172.16.2.2

    Local VPN    : vpn2

    Global VPN   : vpn1

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/0/1

    Config status: Active

 

  Interface: GigabitEthernet1/0/2

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

  NO-PAT IP usage     : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SCTP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

Static NAT load balancing:     Disabled

 

NAT link-switch recreate-session: Disabled

 

NAT configuration-for-new-connection: Disabled

# Display NAT sessions that are generated when Host A accesses Host B.

[Device] display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.2/42496

  Destination IP/port: 172.16.2.2/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn1/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.2/42496

  Destination IP/port: 172.16.1.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn2/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Trust

State: ICMP_REPLY

Application: INVALID

Rule ID: -/-/-

Rule name:

Start time: 2012-08-16 09:30:49  TTL: 27s

Initiator->Responder:            5 packets        420 bytes

Responder->Initiator:            5 packets        420 bytes

 

Total sessions found: 1

Configuration files

#

ip vpn-instance vpn1

#

ip vpn-instance vpn2

#

 security-zone intra-zone default permit

#

 nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

 nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

#

interface GigabitEthernet1/0/1

 ip binding vpn-instance vpn1

 ip address 192.168.1.1 255.255.255.0

 nat static enable

#

interface GigabitEthernet1/0/2

 ip binding vpn-instance vpn2

 ip address 192.168.1.1 255.255.255.0

 nat static enable

#

security-zone name Trust

 import ip 192.168.1.0 24 vpn-instance vpn1

 import ip 192.168.1.0 24 vpn-instance vpn2

#