Web example: Configuring outbound one-to-one static NAT

Network configuration

As shown in Figure 1, configure static NAT to allow the host at 172.16.100.1/24 to access the server at 100.100.100.100/24 on the Internet by using public IP address 200.2.2.254/24.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device.

Restrictions and guidelines

Do not configure both the NAT translation methods and a global NAT policy.

Procedure

  1. Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

  1. Select the Untrust security zone.

  1. On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 200.2.2.254/24.

  1. Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 172.16.100.254/24 in the same way you configure GE 1/0/1.

  1. Configure settings for routing.

This example configures a static route. If dynamic routes are required, configure a dynamic routing protocol.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static route to permit packets from the device to the server:

  1. Specify the IP address of the server as the destination IP. In this example, the address is 100.100.100.100.

  1. Enter the mask length. In this example, enter 24.

  1. Specify the next-hop address as 200.2.2.253.

  1. Click OK.

  1. Configure a security policy.

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create and click Create a policy.

# In the dialog box that opens, configure policy parameters as follows:

  1. Enter a policy name. In this example, the name is Secpolicy.

  1. Select the source zone. In this example, the source zone is Trust.

  1. Select the destination zone. In this example, the destination zone is Untrust.

  1. Select IPv4 as the type.

  1. Select Permit as the action.

  1. Specify the IP address of the host as the source IPv4 address. In this example, the address is 172.16.100.1.

  1. Specify the IP address of the server as the destination IPv4 address. In this example, the address is 100.100.100.100.

  1. Click OK.

  1. Create a static NAT mapping.

# On the top navigation bar, click Policies.

# From the navigation pane, select Interface NAT > IPv4 > Static NAT.

# Click Create.

# Create a static NAT mapping, as shown in Figure 2.

Figure 2 Creating a static NAT mapping

 

# Click OK.

  1. Apply the static NAT mapping.

# On the top navigation bar, click Policies.

# From the navigation pane, select Interface NAT > IPv4 > Static NAT.

# Select GE 1/0/1 and click Enable. The mapping has been applied to the interface, as shown in Figure 3.

Figure 3 Applying the static NAT mapping

 

Verifying the configuration

  1. Verify that the host can successfully ping the server on the external network.

C:\Users\abc>ping 100.100.100.100

 

Pinging host.com [100.100.100.100] with 32 bytes of data:

Reply from 100.100.100.100: bytes=32 time<1ms TTL=253

Reply from 100.100.100.100: bytes=32 time<1ms TTL=253

Reply from 100.100.100.100: bytes=32 time<1ms TTL=253

Reply from 100.100.100.100: bytes=32 time<1ms TTL=253

 

Ping statistics for 100.100.100.100:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

  1. Verify that a NAT session is generated when the host accesses the server.

# On the top navigation bar, click Monitor.

# From the navigation pane, select Sessions.

Figure 4 Session list