As shown in Figure 1, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2.
Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.
To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.
To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:
Enable NAT hairpin on the interface connected to the internal network.
Configure outbound NAT on the interface where NAT Server is configured. For a packet that an internal host sends to the public address, the destination address is translated by matching the NAT server mapping (202.38.1.2:21 to 192.168.1.4:21) and the source address is translated by matching the outbound NAT rule (the host address to the interface address 202.38.1.1). Both translations are required: if the source were left untranslated, the FTP server would see a client on its own subnet and reply to it directly, bypassing the NAT device, and the session would fail.
This configuration example was created and verified on an F5000-AI120 device running F9900.
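The two-step translation described above, as an added Python model that is not part of the original H3C example. It applies the NAT server mapping and the Easy IP outbound rule from this configuration to a packet from Host A, shows what goes wrong when hairpin or outbound NAT is missing, and checks the result against the `display nat session verbose` output shown later on this page. The PAT port 1025 is taken from that output; the external client address 203.0.113.5 is constructed for illustration, and the behaviour modelled for the "hairpin disabled" case (the packet is simply not translated) is an assumption of the model, not a statement from the page.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

# Rules taken from the configuration on this page.
NAT_SERVER = {("202.38.1.2", 21): ("192.168.1.4", 21)}  # global ip/port -> inside ip/port
OUTBOUND_ACL = ipaddress.ip_network("192.168.1.0/24")    # acl basic 2000
EASY_IP = "202.38.1.1"                                    # address of GE1/0/2 (nat outbound 2000)
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")    # hosts behind GE1/0/1 (nat hairpin enable)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def translate_to_server(pkt, hairpin=True, outbound=True, pat_port=1025):
    """Model the translations the device applies to a packet sent to the public FTP address.

    pat_port is the source port the device allocates for PAT (1025 in the session output).
    Returns (translated Flow or None, explanation).
    """
    inside = NAT_SERVER.get((pkt.dst, pkt.dport))
    if inside is None:
        return pkt, "no NAT server mapping matched; packet routed unchanged"
    dnat = replace(pkt, dst=inside[0], dport=inside[1])
    if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
        # External client: only the NAT server mapping applies; the source stays as is.
        return dnat, "external client: destination translated by NAT server only"
    if not hairpin:
        # Modelling assumption: without hairpin the mapping on GE1/0/2 is not consulted
        # for packets arriving on GE1/0/1, so access through the public address fails.
        return None, "internal client, hairpin disabled: not translated, access fails"
    if not outbound or ipaddress.ip_address(pkt.src) not in OUTBOUND_ACL:
        # Server would see a client on its own subnet and answer it directly.
        return dnat, "WARNING: source not translated; server replies bypass the device"
    return replace(dnat, src=EASY_IP, sport=pat_port), "hairpin: dst via NAT server, src via outbound NAT"


def expected_responder(translated):
    """Reply flow the device should see from the server (the Responder half of a session)."""
    return Flow(translated.dst, translated.dport, translated.src, translated.sport)


# Initiator/Responder portion of the 'display nat session verbose' output on this page.
SESSION_OUTPUT = """Initiator:
Source IP/port: 192.168.1.2/1694
Destination IP/port: 202.38.1.2/21
Protocol: TCP(6)
Responder:
Source IP/port: 192.168.1.4/21
Destination IP/port: 202.38.1.1/1025
Protocol: TCP(6)
"""


def parse_session(text):
    """Extract the Initiator and Responder flows from session output."""
    init_text, resp_text = text.split("Responder:")

    def flow(block):
        s = re.search(r"Source IP/port:\s*(\S+)/(\d+)", block)
        d = re.search(r"Destination IP/port:\s*(\S+)/(\d+)", block)
        return Flow(s.group(1), int(s.group(2)), d.group(1), int(d.group(2)))

    return flow(init_text), flow(resp_text)


def check_hairpin_session(text):
    """True if the session output is consistent with a correctly hairpinned flow."""
    initiator, responder = parse_session(text)
    translated, _ = translate_to_server(initiator, pat_port=responder.dport)
    return translated is not None and expected_responder(translated) == responder


if __name__ == "__main__":
    host_a = Flow("192.168.1.2", 1694, "202.38.1.2", 21)
    for kwargs in ({}, {"hairpin": False}, {"outbound": False}):
        print(kwargs, translate_to_server(host_a, **kwargs))
    print("session consistent:", check_hairpin_session(SESSION_OUTPUT))
```

Running the script prints the fully translated flow (202.38.1.1:1025 to 192.168.1.4:21) for the normal case, no translation when hairpin is off, and the untranslated-source warning when the outbound rule is missing; the final check confirms that the Responder half of the session entry on this page is exactly the reverse of that translated flow.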
# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.) Note that the security policy in the configuration file at the end of this example permits all traffic in both the Trust-to-Untrust and Untrust-to-Trust directions; in a production deployment, restrict the Untrust-to-Trust rule to the FTP server.
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24 to be translated.
<Device> system-view
[Device] acl basic 2000
[Device-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Device-acl-ipv4-basic-2000] quit
# Configure a NAT server mapping on GigabitEthernet 1/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.2 ftp inside 192.168.1.4 ftp
# Enable outbound NAT with Easy IP on GigabitEthernet 1/0/2 so that NAT translates the source addresses of packets from internal hosts (those matching ACL 2000) into the IP address of interface GigabitEthernet 1/0/2 (202.38.1.1).
[Device-GigabitEthernet1/0/2] nat outbound 2000
[Device-GigabitEthernet1/0/2] quit
# Enable NAT hairpin on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] nat hairpin enable
[Device-GigabitEthernet1/0/1] quit
# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)
# Display all NAT configuration and statistics.
[Device] display nat all
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: GigabitEthernet1/0/2
ACL: 2000
Address group ID: ---
Port-preserved: N NO-PAT: N Reversible: N
Config status: Active
NAT internal server information:
Totally 1 internal servers.
Interface: GigabitEthernet1/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/21
Local IP/port : 192.168.1.4/21
Rule name : ServerRule_1
NAT counting : 0
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
NO-PAT IP usage : Disabled
NAT hairpinning:
Totally 1 interfaces enabled with NAT hairpinning.
Interface: GigabitEthernet1/0/1
Config status: Active
NAT mapping behavior:
Mapping mode : Address and Port-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Enabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SCTP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Static NAT load balancing: Disabled
NAT link-switch recreate-session: Disabled
NAT configuration-for-new-connection: Disabled
# Display NAT sessions that are generated when Host A accesses the FTP server.
[Device] display nat session verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.2/1694
Destination IP/port: 202.38.1.2/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.4/21
Destination IP/port: 202.38.1.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
State: TCP_ESTABLISHED
Application: FTP
Rule ID: -/-/-
Rule name:
Start time: 2017-06-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
#
interface GigabitEthernet1/0/1
ip address 192.168.1.1 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/2
ip address 202.38.1.1 255.255.255.0
nat outbound 2000
nat server protocol tcp global 202.38.1.2 21 inside 192.168.1.4 21
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
acl basic 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust