CLI example: Configuring NAT Server for external-to-internal access through domain name (overlapping addresses)

Network configuration

As shown in Figure 1, an intranet uses the subnet 192.168.1.0/24. The Web server at 192.168.1.2/24 provides Web services for external users and the DNS server at 192.168.1.3/24 resolves the domain name of the Web server. The company has three public addresses 202.38.1.2, 202.38.1.3, and 202.38.1.4.

Configure NAT to allow external host at 192.168.1.2 in the external network to use the domain name to access the internal Web server.

Figure 1 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

• Configure a NAT server mapping to map the private IP address and port of the DNS server to a public IP address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.

• Configure outbound dynamic NAT and enable NAT ALG for DNS. The Web server's IP address is the same as the external host's IP address. NAT ALG can translate the Web server's private address in the payload of the DNS response packet to a dynamically assigned public address.

• Configure inbound dynamic NAT. The external host's IP address is the same as the Web server's IP address. Inbound dynamic NAT can translate the external host's IP address into a dynamically assigned public address.

• Add a static route to the public IP address of the external host with GigabitEthernet 1/0/2 as the output interface.

Software versions used

This configuration example was created and verified on R9071 of the M9000-AI-E8 device.

Procedures

# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

# Enable NAT ALG for DNS.

<Device> system-view

[Device] nat alg dns

# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.

[Device] acl basic 2000

[Device-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-basic-2000] quit

# Create address group 1.

[Device] nat address-group 1

# Add address 202.38.1.2 to the address group.

[Device-address-group-1] address 202.38.1.2 202.38.1.2

[Device-address-group-1] quit

# Create address group 2.

[Device] nat address-group 2

# Add address 202.38.1.3 to the address group.

[Device-address-group-2] address 202.38.1.3 202.38.1.3

[Device-address-group-2] quit

# Configure a NAT server mapping on GigabitEthernet 1/0/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns

# Enable outbound NO-PAT on GigabitEthernet 1/0/2 to translate IP address of the Web server in the DNS response payload into the address in address group 1, and allow reversible NAT.

[Device-GigabitEthernet1/0/2] nat outbound 2000 address-group 1 no-pat reversible

# Enable inbound PAT on interface GigabitEthernet 1/0/2 to translate the source address of packets going to the internal network to the address in address group 2.

[Device-GigabitEthernet1/0/2] nat inbound 2000 address-group 2

# Configure a static route to 202.38.1.3 with GigabitEthernet 1/0/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.)

[Device] ip route-static 202.38.1.3 32 gigabitethernet 1/0/2 20.2.2.2

Verifying the configuration

# Verify that the host on the external network can use the domain name to access the internal Web server whose address is the same as the host. (Details not shown.)

# Display all NAT configuration and statistics.

[Device] display nat all

NAT address group information:

  Totally 2 NAT address groups.

  Address group ID: 1

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.2

    Exclude address information:

      Start address         End address

      ---                   ---

  Address group ID: 2

    Port range: 1-65535

    Address information:

      Start address         End address

      202.38.1.3            202.38.1.3

    Exclude address information:

      Start address         End address

      ---                   ---

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet1/0/2

    ACL: 2000

    Address group ID: 2

    Add route: N         NO-PAT: N         Reversible: N

    Config status: Active

NAT outbound information:

  Totally 1 NAT outbound rules.

  Interface: GigabitEthernet1/0/2

    ACL: 2000

    Address group ID: 1

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    Config status: Active

NAT internal server information:

  Totally 1 internal servers.

  Interface: GigabitEthernet1/0/2

    Protocol: 17(UDP)

    Global IP/port: 202.38.1.4/53

    Local IP/port : 200.1.1.3/53

    Rule name     : ServerRule_1

    NAT counting  : 0

    Config status : Active

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

  NO-PAT IP usage     : Disabled

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SCTP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

Static NAT load balancing:     Disabled

NAT link-switch recreate-session: Disabled

NAT configuration-for-new-connection: Disabled

# Display NAT sessions that are generated when Host accesses the Web server.

[Device] display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.2/1694

  Destination IP/port: 202.38.1.2/8080

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.1.2/8080

  Destination IP/port: 202.38.1.3/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: -/-/-

Rule name:

Start time: 2017-06-15 14:53:29  TTL: 3597s

Initiator->Responder:            7 packets        308 bytes

Responder->Initiator:            5 packets        312 bytes

Total sessions found: 1

Configuration files

#

nat address-group 1

 address 202.38.1.2 202.38.1.2

#

nat address-group 2

 address 202.38.1.3 202.38.1.3

#

interface GigabitEthernet1/0/1

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 20.2.2.1 255.255.255.0

 nat inbound 2000 address-group 2

 nat outbound 2000 address-group 1 no-pat reversible

 nat server protocol udp global 202.38.1.4 53 inside 192.168.1.3 53

#

security-zone name Trust

 import interface GigabitEthernet1/0/1

#

security-zone name Untrust

 import interface GigabitEthernet1/0/2

#

 ip route-static 202.38.1.3 32 GigabitEthernet1/0/2 20.2.2.2

#

acl basic 2000

 rule 0 permit source 192.168.1.0 0.0.0.255

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

 rule 1 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

#