Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides NE series routers typical configuration examples.
NAT

Example for Configuring the NAT Function

This section provides an example for configuring the centralized NAT function to implement multiple-to-multiple translations from internal addresses of enterprise users to external addresses and allow only PCs on a specified network segment to access the Internet.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

On the network shown in Figure 1-44, the NE20E performs the NAT function so that PCs within the enterprise network can access the Internet. The NE20E uses GE 0/2/0 to connect to the enterprise network and GE 0/2/1 to connect to the Internet. The enterprise has five public IP addresses ranging from 11.11.11.101/32 to 11.11.11.105/32.

Figure 1-44 shows the interface IP addresses that are configured to meet the following requirements:
  • Only PCs on the network segment of 192.168.10.0/24 can access the Internet.
  • Multiple-to-multiple NAT translation is performed for internal and external IP addresses.
Figure 1-44  NAT networking
NOTE:

In this example, interface 1 and interface 2 stand for GE 0/2/0 and GE 0/2/1, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure a NAT traffic policy.
Data Preparation
To complete the configuration, you need the following data:
  • service-location backup group index: 1

  • service-instance-group service instance group name: group1

  • NAT instance name: nat1; NAT instance index: 1

  • NAT address pool name for NATA: address-group1; NAT address pool ID: 1; IP address segment: 11.11.11.101 to 11.11.11.105

  • ACL name: 3001

  • Number and IP address of the interface that applies the NAT traffic policy

Procedure

  1. Configure basic NAT functions.
    1. Create a NAT instance named nat1 and bind it to the service board.

      <HUAWEI> system-view
      [~HUAWEI] sysname NATA
      [*HUAWEI] commit
      [~NATA] service-location 1
      [*NATA-service-location-1] location follow-forwarding-mode
      [*NATA-service-location-1] commit
      [~NATA-service-location-1] quit
      [~NATA] service-instance-group group1
      [*NATA-service-instance-group-group1] service-location 1
      [*NATA-service-instance-group-group1] commit
      [~NATA-service-instance-group-group1] quit
      [~NATA] nat instance nat1 id 1
      [*NATA-nat-instance-nat1] service-instance-group group1
      [*NATA-nat-instance-nat1] commit
      [~NATA-nat-instance-nat1] quit

    2. Configure a NAT address pool with IP addresses ranging from 11.11.11.101 to 11.11.11.105.

      [~NATA] nat instance nat1
      [~NATA-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
      [*NATA-nat-instance-nat1] commit
      [~NATA-nat-instance-nat1] quit

  2. Configure a NAT traffic policy.

    • Configure an outbound NAT traffic policy.
      1. Configure an ACL numbered 3001, an ACL rule numbered 1, and an ACL-based traffic classification rule to allow only hosts with a network segment address of 192.168.10.0/24 to access the Internet.
        [~NATA] acl 3001
        [*NATA-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
        [*NATA-acl4-advance-3001] commit
        [~NATA-acl4-advance-3001] quit
      2. Apply the NAT traffic policy for ACL users in the view of GE 0/2/1.
        [~NATA] interface gigabitEthernet 0/2/1
        [~NATA-GigabitEthernet0/2/1] ip address 11.2.3.4 24
        [*NATA-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
        [*NATA-GigabitEthernet0/2/1] commit
        [~NATA-GigabitEthernet0/2/1] quit
      3. Assign an IP address to GE 0/2/0.
        [~NATA] interface gigabitEthernet 0/2/0
        [~NATA-GigabitEthernet0/2/0] ip address 192.168.10.1 24
        [*NATA-GigabitEthernet0/2/0] commit
        [~NATA-GigabitEthernet0/2/0] quit

  3. Verify the configuration.

    # Verify NAT user information.

    [~NATA] display nat user-information slot 9 verbose
    This operation will take a few minutes. Press 'Ctrl+C' to break ...
    Slot: 9
    Total number:  1.
      ---------------------------------------------------------------------------
      User Type                             :  NAT444
      CPE IP                                :  192.168.10.100
      User ID                               :  -
      VPN Instance                          :  -
      Address Group                         :  address-group1
      NoPAT Address Group                   :  -
      NAT Instance                          :  nat1
      Public IP                             :  11.11.11.102
      NoPAT Public IP                       :  -
      Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512
      Total/TCP/UDP/ICMP Session Current    :  1/0/1/0
      Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512
      Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0
      Nat ALG Enable                        :  NULL
      Aging Time(s)                         :  -
      Left Time(s)                          :  -
      Session Limit Discard Count           :  0
      -->Transmit Packets                   :  1046632
      -->Transmit Bytes                     :  90409306
      -->Drop Packets                       :  0
      <--Transmit Packets                   :  0
      <--Transmit Bytes                     :  0
      <--Drop Packets                       :  0
      ---------------------------------------------------------------------------
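    The verbose user-information output is also the record an operator reads when checking whether a NAT user is hitting its session limit (session-limit discards are a typical symptom of a scanning or infected host behind the CPE) or when tracing a public address back to its private source. The following parser is an added example, not Huawei code; its sample text is constructed from the record above plus a second, invented record for a host that has reached its limit.

```python
import re
from dataclasses import dataclass

# Constructed from the `display nat user-information slot 9 verbose` record shown
# above (trailing whitespace removed) plus a second, invented record for a host
# that has reached its session limit; not captured from a live device.
SAMPLE = """\
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number:  2.
  ---------------------------------------------------------------------------
  User Type                             :  NAT444
  CPE IP                                :  192.168.10.100
  Address Group                         :  address-group1
  NAT Instance                          :  nat1
  Public IP                             :  11.11.11.102
  Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512
  Total/TCP/UDP/ICMP Session Current    :  1/0/1/0
  Session Limit Discard Count           :  0
  -->Transmit Packets                   :  1046632
  -->Drop Packets                       :  0
  ---------------------------------------------------------------------------
  User Type                             :  NAT444
  CPE IP                                :  192.168.10.7
  Address Group                         :  address-group1
  NAT Instance                          :  nat1
  Public IP                             :  11.11.11.103
  Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512
  Total/TCP/UDP/ICMP Session Current    :  8192/7900/292/0
  Session Limit Discard Count           :  37
  -->Transmit Packets                   :  55012
  -->Drop Packets                       :  37
  ---------------------------------------------------------------------------
"""

SEPARATOR = re.compile(r"^\s*-{20,}\s*$")


@dataclass(frozen=True)
class NatUser:
    cpe_ip: str
    public_ip: str
    nat_instance: str
    session_limit: tuple      # (total, tcp, udp, icmp)
    session_current: tuple
    limit_discards: int


def _quad(value: str) -> tuple:
    """'8192/10240/10240/512' -> (8192, 10240, 10240, 512)."""
    parts = tuple(int(x) for x in value.split("/"))
    if len(parts) != 4:
        raise ValueError(f"expected total/tcp/udp/icmp counters, got {value!r}")
    return parts


def parse_user_information(text: str) -> list:
    """Split the verbose output into per-user records delimited by the dashed lines."""
    users, fields = [], {}

    def flush():
        if "CPE IP" in fields:          # header lines (Slot, Total number) carry no CPE IP
            users.append(NatUser(
                cpe_ip=fields["CPE IP"],
                public_ip=fields["Public IP"],
                nat_instance=fields["NAT Instance"],
                session_limit=_quad(fields["Total/TCP/UDP/ICMP Session Limit"]),
                session_current=_quad(fields["Total/TCP/UDP/ICMP Session Current"]),
                limit_discards=int(fields["Session Limit Discard Count"]),
            ))
        fields.clear()

    for line in text.splitlines():
        if SEPARATOR.match(line):
            flush()
        elif ":" in line:               # "key : value"; the banner line has no colon
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    flush()
    return users


def session_pressure(users, ratio: float = 0.9) -> list:
    """Users that already discard sessions at the limit or sit above `ratio` of it."""
    findings = []
    for u in users:
        current, limit = u.session_current[0], u.session_limit[0]
        if u.limit_discards > 0:
            findings.append((u.cpe_ip, u.public_ip, f"{u.limit_discards} sessions discarded at limit"))
        elif limit and current / limit >= ratio:
            findings.append((u.cpe_ip, u.public_ip, f"{current}/{limit} total sessions in use"))
    return findings


def trace_public(users, public_ip: str) -> list:
    """Source tracing: which private (CPE) addresses are currently behind a public address."""
    return sorted(u.cpe_ip for u in users if u.public_ip == public_ip)


if __name__ == "__main__":
    parsed = parse_user_information(SAMPLE)
    for finding in session_pressure(parsed):
        print("session pressure:", finding)
    print("behind 11.11.11.103:", trace_public(parsed, "11.11.11.103"))
```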

Configuration Files
  • NATA configuration file

    #
    sysname NATA
    #
    service-location 1
     location follow-forwarding-mode
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1
     service-instance-group group1
     nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
    #
    acl number 3001
     rule 1 permit ip source 192.168.10.0 0.0.0.255
    #
    interface GigabitEthernet 0/2/0
     undo shutdown
     ip address 192.168.10.1 255.255.255.0
    #
    interface GigabitEthernet 0/2/1
     undo shutdown
     ip address 11.2.3.4 255.255.255.0
     nat bind acl 3001 instance nat1
    #
    return
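    As an added illustration (not Huawei code or output), the following Python model reproduces the policy logic of this example: ACL 3001 is matched with a wildcard mask, the `nat bind acl 3001 instance nat1` binding hands only permitted flows to nat1, and nat1 draws public addresses from the 11.11.11.101 to 11.11.11.105 pool. How the NE20E actually assigns pool addresses and ports, and that unmatched flows leave GE 0/2/1 untranslated, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AclRule:
    """One `rule <id> permit|deny ip source <address> <wildcard>` line."""
    rule_id: int
    action: str
    source: str
    wildcard: str

    def matches(self, src_ip: str) -> bool:
        # Huawei ACLs use wildcard masks: a 0 bit must match, a 1 bit is "don't care"
        # (0.0.0.255 therefore covers 192.168.10.0/24, unlike a 255.0.0.0 subnet mask).
        care = ~_as_int(self.wildcard) & 0xFFFFFFFF
        return (_as_int(src_ip) & care) == (_as_int(self.source) & care)


@dataclass
class Acl:
    """`acl <number>`: rules are tried in ascending rule-id order, no match means deny."""
    number: int
    rules: list = field(default_factory=list)

    def permits(self, src_ip: str) -> bool:
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src_ip):
                return rule.action == "permit"
        return False


@dataclass
class NatInstance:
    """`nat instance <name>` with one `nat address-group <start> <end>` pool."""
    name: str
    pool_start: str
    pool_end: str
    user_map: dict = field(default_factory=dict)   # private IP -> pinned public IP
    next_port: dict = field(default_factory=dict)  # public IP -> next free port

    def pool(self) -> list:
        first, last = _as_int(self.pool_start), _as_int(self.pool_end)
        return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]

    def translate(self, src_ip: str, src_port: int) -> tuple:
        # Assumption: a new private host is pinned to the least-used public address
        # (lowest address on ties), and that address hands out ports from 1024 upwards.
        # The real NE20E allocation algorithm is not described on the page.
        if src_ip not in self.user_map:
            pool = self.pool()
            load = {ip: sum(1 for v in self.user_map.values() if v == ip) for ip in pool}
            self.user_map[src_ip] = min(pool, key=lambda ip: (load[ip], _as_int(ip)))
        public_ip = self.user_map[src_ip]
        port = self.next_port.get(public_ip, 1024)
        self.next_port[public_ip] = port + 1
        return public_ip, port


@dataclass
class OutboundBinding:
    """`nat bind acl <acl> instance <nat>` on the Internet-facing interface (GE 0/2/1)."""
    acl: Acl
    instance: NatInstance

    def forward(self, src_ip: str, src_port: int) -> dict:
        if self.acl.permits(src_ip):
            public_ip, public_port = self.instance.translate(src_ip, src_port)
            return {"src": f"{public_ip}:{public_port}", "translated": True}
        # Assumption: a flow the policy ACL does not match is not handed to nat1 and
        # leaves the interface with its private source address, which the Internet
        # does not route back. That is what keeps other segments off the Internet here.
        return {"src": f"{src_ip}:{src_port}", "translated": False}


def build_nata() -> OutboundBinding:
    """The NATA configuration of this example: ACL 3001 and the 11.11.11.101-105 pool."""
    acl3001 = Acl(3001, [AclRule(1, "permit", "192.168.10.0", "0.0.0.255")])
    nat1 = NatInstance("nat1", "11.11.11.101", "11.11.11.105")
    return OutboundBinding(acl3001, nat1)


if __name__ == "__main__":
    nata = build_nata()
    for host in ("192.168.10.100", "192.168.10.7", "192.168.20.5"):
        print(host, "->", nata.forward(host, 40000))
```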
    

Example for Configuring NAT Traffic Distribution on an Outbound Interface, Easy IP, and the Hairpin Function

This section provides an example for configuring NAT easy IP on an outbound interface and the hairpin function. The function combination allows internal hosts to access the Internet through the outbound NAT function and to access an internal server that is created using the easy IP function.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

In Figure 1-45, a host on a private network is connected to the Internet through the router, on which NAT traffic distribution on an outbound interface is configured. The host uses a public IP address to access an internal server that is created in easy IP mode on the same NAT device. The router connects to the private network through GE 0/2/0 and to the Internet through GE 0/2/1. The public IP addresses 11.11.11.2/32 and 11.11.11.3/32 are available.

Figure 1-45 shows IP addresses of interfaces. The configuration requirements are as follows:
  • PCs on the private network segment of 10.91.100.4/24 can access the Internet.
  • PCs on the private network segment of 10.91.100.4/24 can access the internal server using a public IP address.
  • The host uses a public IP address to access an internal server that is created in easy IP mode on the same NAT device.
Figure 1-45  Scenario in which NAT traffic distribution on an outbound interface, easy IP, and the hairpin function are configured
NOTE:

In this example, interface 1 and interface 2 are GE 0/2/0 and GE 0/2/1, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a NAT instance.
  2. Configure an internal server in easy IP mode.
  3. Bind an outbound interface to the NAT instance.
Data Preparation
To complete the configuration, you need the following data:
  • NAT instance name (nat1) and index (1)

  • NAT Device's NAT address pool name (address-group1), address pool number (1), and a range of public IP addresses (11.11.11.2 to 11.11.11.3)

  • ACL number (3001) to match traffic that a private network host sends to the Internet

  • ACL number (3002) to match traffic that a private network host sends to the private network server

  • Name and IP address of each interface to which a NAT traffic distribution policy is applied

Procedure

  1. Configure basic NAT functions.
    1. Configure a NAT instance named nat1.

      [~NAT Device] service-location 1
      [*NAT Device-service-location-1] location follow-forwarding-mode
      [*NAT Device-service-location-1] commit
      [~NAT Device-service-location-1] quit
      [~NAT Device] service-instance-group group1
      [*NAT Device-service-instance-group-group1] service-location 1
      [*NAT Device-service-instance-group-group1] commit
      [~NAT Device-service-instance-group-group1] quit
      [~NAT Device] nat instance nat1 id 1
      [*NAT Device-nat-instance-nat1] service-instance-group group1
      [*NAT Device-nat-instance-nat1] commit
      [~NAT Device-nat-instance-nat1] quit

    2. Configure a NAT address pool and specify a range of IP addresses 11.11.11.2 to 11.11.11.3 in the pool.

      [~NAT Device] nat instance nat1
      [~NAT Device-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.2 11.11.11.3
      [*NAT Device-nat-instance-nat1] commit
      [~NAT Device-nat-instance-nat1] quit

  2. Configure an internal server in easy IP mode.
    1. Configure the public network interface.

      [~NAT Device] interface gigabitEthernet 0/2/1
      [~NAT Device-GigabitEthernet0/2/1] ip address 11.11.11.1 255.255.255.0
      [*NAT Device-GigabitEthernet0/2/1] commit
      [~NAT Device-GigabitEthernet0/2/1] quit

    2. Configure an internal server. In this example, TCP port 80 is used on an internal server.

      [~NAT Device] nat instance nat1
      [~NAT Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet0/2/1 80 inside 10.91.100.254 80
      [*NAT Device-nat-instance-nat1] commit
      [~NAT Device-nat-instance-nat1] quit

  3. Configure a NAT traffic distribution policy on an outbound interface.
    1. Configure an ACL to match traffic that a private network host sends to the Internet.

      [~NAT Device] acl 3001
      [*NAT Device-acl4-advance-3001] rule 5 permit ip source 10.91.100.0 0.0.0.255
      [*NAT Device-acl4-advance-3001] commit
      [~NAT Device-acl4-advance-3001] quit

    2. Configure a NAT distribution policy on the public network outbound interface.

      [~NAT Device] interface gigabitEthernet 0/2/1
      [~NAT Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
      [*NAT Device-GigabitEthernet0/2/1] commit
      [~NAT Device-GigabitEthernet0/2/1] quit

    3. Configure an ACL to match traffic that a private network host sends to the private network server.

      [~NAT Device] acl 3002
      [*NAT Device-acl4-advance-3002] rule 5 permit tcp source 10.91.100.0 0.0.0.255 destination 10.91.100.254 0
      [*NAT Device-acl4-advance-3002] rule 10 permit tcp source 10.91.100.254 0 destination 10.91.100.0 0.0.0.255
      [*NAT Device-acl4-advance-3002] commit
      [~NAT Device-acl4-advance-3002] quit

    4. Configure a NAT distribution policy on the private network outbound interface.

      [~NAT Device] interface gigabitEthernet 0/2/0
      [~NAT Device-GigabitEthernet0/2/0] ip address 10.91.100.2 255.255.255.0
      [*NAT Device-GigabitEthernet0/2/0] nat bind acl 3002 instance nat1
      [*NAT Device-GigabitEthernet0/2/0] commit
      [~NAT Device-GigabitEthernet0/2/0] quit

Configuration File
# 
sysname NAT Device 
# 
service-location 1  
 location follow-forwarding-mode 
# 
service-instance-group group1       
 service-location 1       
# 
acl number 3001 
 rule 5 permit ip source 10.91.100.0 0.0.0.255
#
acl number 3002
 rule 5 permit tcp source 10.91.100.0 0.0.0.255 destination 10.91.100.254 0
 rule 10 permit tcp source 10.91.100.254 0 destination 10.91.100.0 0.0.0.255
#
nat instance nat1 id 1       
 service-instance-group group1       
 nat address-group address-group1 group-id 1 11.11.11.2 11.11.11.3
 nat outbound 3001 address-group address-group1 
 nat outbound 3002 address-group address-group1 
 nat server protocol tcp global unnumbered interface GigabitEthernet0/2/1 80 inside 10.91.100.254 80
#
interface gigabitEthernet 0/2/0
 undo shutdown 
 ip address 10.91.100.2 255.255.255.0
 nat bind acl 3002 instance nat1
# 
interface gigabitEthernet 0/2/1
 undo shutdown 
 ip address 11.11.11.1 255.255.255.0
 nat bind acl 3001 instance nat1
# 
return 

Example for Configuring the Internal Server Through 1:1 NAT (On-board Scenario)

This section provides an example for configuring the internal server through 1:1 NAT. By specifying an internal NAT server and configuring the mapping entries between the internal server's private IP address/port and public IP address/port, an external host can access the internal server.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

On the network shown in Figure 1-46, the NE20E performs the NAT function so that PCs within the enterprise network can access the Internet. The NE20E uses the GE 0/2/0 interface to connect to the internal network and the GE 0/2/1 interface to connect to the Internet.

The internal network address of the enterprise network is 192.168.0.0/16. The internal server address is 192.168.10.10/24. Only PCs on the network segment of 192.168.10.0/24 can access the Internet. External PCs can access the internal server. The enterprise has five valid IP addresses ranging from 11.11.11.101/24 to 11.11.11.105/24. The internal server of the enterprise has an independent public address 11.11.11.100. The internal server can be accessed from the external network address 13.13.13.2 through 1:1 NAT.

Figure 1-46  Networking of the internal NAT server
NOTE:

The configurations in this example are mainly performed on NAT A and Device B.

In this example, interface 1, interface 2, and interface 3 stand for GE 0/2/0, GE 0/2/1, and GE 0/3/0, respectively.


Configuration Roadmap
The configuration roadmap is as follows:
  1. Configure basic functions of NAT.
  2. Configure a NAT traffic policy.
  3. Configure an internal NAT server.
Data Preparation
To complete the configuration, you need the following data:
  • VSM HA backup group index: 1

  • VSM HA service instance group name: group1

  • NAT instance name: nat1; NAT instance index: 1

  • NAT address pool name for NAT A: address-group1; NAT address pool ID: 1; IP address segment: 11.11.11.101 to 11.11.11.105

  • ACL number: 3001

  • Traffic classifier name: classifier1

  • Traffic behavior name: behavior1

  • Traffic policy name: policy1

  • Number and IP address of the interface that applies the NAT traffic policy: 0/2/0, 192.168.10.1/24

  • Private IP address of the internal NAT server: 192.168.10.10; public IP address of the internal NAT server: 11.11.11.100

Procedure

  1. Configure basic functions of NAT.
    1. Create a NAT instance named nat1 and bind it to the service board.

      <HUAWEI> system-view
      [~HUAWEI] sysname NATA
      [*HUAWEI] commit
      [~NATA] service-location 1
      [*NATA-service-location-1] location follow-forwarding-mode
      [*NATA-service-location-1] commit
      [~NATA-service-location-1] quit
      [~NATA] service-instance-group group1
      [*NATA-service-instance-group-group1] service-location 1
      [*NATA-service-instance-group-group1] commit
      [~NATA-service-instance-group-group1] quit
      [~NATA] nat instance nat1 id 1
      [*NATA-nat-instance-nat1] service-instance-group group1
      [*NATA-nat-instance-nat1] commit
      [~NATA-nat-instance-nat1] quit

    2. Configure a NAT address pool with IP addresses ranging from 11.11.11.101 to 11.11.11.105.

      [~NATA] nat instance nat1
      [~NATA-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
      [*NATA-nat-instance-nat1] commit
      [~NATA-nat-instance-nat1] quit

  2. Configure a NAT traffic policy.
    1. Configure traffic classification rules based on ACL 3001.

      Rule 1: only PCs on the internal network segment 192.168.10.0/24 can access the Internet.

      [~NATA] acl 3001
      [*NATA-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
      [*NATA-acl4-advance-3001] commit
      [~NATA-acl4-advance-3001] quit

    2. Configure a traffic classifier named classifier1 and define an ACL-based matching rule.

      [~NATA] traffic classifier classifier1
      [*NATA-classifier-classifier1] if-match acl 3001
      [*NATA-classifier-classifier1] commit
      [~NATA-classifier-classifier1] quit

    3. Configure a traffic behavior named behavior1 and bind it to the NAT instance.

      [~NATA] traffic behavior behavior1
      [*NATA-behavior-behavior1] nat bind instance nat1
      [*NATA-behavior-behavior1] commit
      [~NATA-behavior-behavior1] quit

    4. Define a NAT traffic policy named policy1 to associate the ACL rule with the traffic behavior.

      [~NATA] traffic policy policy1
      [*NATA-trafficpolicy-policy1] classifier classifier1 behavior behavior1
      [*NATA-trafficpolicy-policy1] commit
      [~NATA-trafficpolicy-policy1] quit

    5. Apply the NAT traffic policy in the interface view.

      [~NATA] interface gigabitEthernet 0/2/0
      [~NATA-GigabitEthernet0/2/0] ip address 192.168.10.1 24
      [*NATA-GigabitEthernet0/2/0] traffic-policy policy1 inbound
      [*NATA-GigabitEthernet0/2/0] commit
      [~NATA-GigabitEthernet0/2/0] quit

    6. Configure the IP address of GE0/2/1.

      [~NATA] interface gigabitEthernet 0/2/1
      [~NATA-GigabitEthernet0/2/1] ip address 12.12.12.1 24
      [*NATA-GigabitEthernet0/2/1] commit
      [~NATA-GigabitEthernet0/2/1] quit

  3. Define the internal server address as 192.168.10.10 and the external address as 11.11.11.100. Use the address-level mode to ensure a 1:1 relationship between the public and private IP addresses.

    [~NATA] nat instance nat1
    [~NATA-nat-instance-nat1] nat server global 11.11.11.100 inside 192.168.10.10
    [*NATA-nat-instance-nat1] commit
    [~NATA-nat-instance-nat1] quit

  4. Verify the configuration.

    # View server-map entries of all users.

    <NATA> display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...
    Slot: 9
    Total number:  2.
      NAT Instance: nat1
      Protocol:ANY, VPN:--->-
      Server:192.168.10.10[11.11.11.100]->ANY
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:192.168.10.10

      NAT Instance: nat1
      Protocol:ANY, VPN:--->-
      Server reverse:ANY->11.11.11.100[192.168.10.10]
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:192.168.10.10

Configuration Files
  • NAT A configuration file

    #
    sysname NATA
    #
    service-location 1
     location follow-forwarding-mode
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1
     service-instance-group group1
     nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105 
     nat server global 11.11.11.100 inside 192.168.10.10
    #
    acl number 3001
     rule 1 permit ip source 192.168.10.0 0.0.0.255
    #
    traffic classifier classifier1 operator or
     if-match acl 3001
    #
    traffic behavior behavior1
     nat bind instance nat1
    #
    traffic policy policy1
     classifier classifier1 behavior behavior1 precedence 1
    #
    interface GigabitEthernet 0/2/0
     undo shutdown
     ip address 192.168.10.1 255.255.255.0
     traffic-policy policy1 inbound
    #
    interface GigabitEthernet 0/2/1
     undo shutdown
     ip address 12.12.12.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 12.12.12.0 0.0.0.255
    #
    return
    
  • Device B configuration file

    #
    sysname DeviceB
    #
    interface GigabitEthernet 0/2/0
     undo shutdown
     ip address 13.13.13.1 255.255.255.0
    #
    interface GigabitEthernet 0/3/0
     undo shutdown
     ip address 12.12.12.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 12.12.12.0 0.0.0.255
      network 13.13.13.0 0.0.0.255
    #
    return
    

Example for Configuring Bidirectional NAT

This section provides an example for configuring bidirectional NAT on an enterprise network. Bidirectional NAT translates both the source and destination addresses of packets, so data within the enterprise network is protected and internal server addresses are not exposed. A networking diagram is provided to help you understand the configuration procedure.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

On the network shown in Figure 1-47, the NE20E translates the private IP addresses of servers A and B to public IP addresses before the servers communicate with the Internet. When server A attempts to access server B, it sends a packet with the private source IP address 10.78.1.2 and the destination IP address 11.11.11.1 (server B's public address). When server B attempts to access server A, it sends a packet with the private source IP address 10.67.1.2 and the destination IP address 11.11.11.2 (server A's public address).

Figure 1-47  Bidirectional NAT networking
NOTE:

In this example, interface 1 and interface 2 are GE 0/1/1 and GE 0/1/0, respectively.


Configuration Roadmap
The configuration roadmap is as follows:
  1. Create a NAT instance and associate a service board with the NAT instance.
  2. Configure a mapping between the NAT address pool, internal servers' private IP addresses, and public addresses.
  3. Configure an outbound NAT traffic distribution policy.
Data Preparation
To complete the configuration, you need the following data:
  • service-location backup group index: 1

  • service-instance-group service instance group name: group1

  • NAT instance names and indexes: nata with index 1; natb with index 2

  • NAT A's address pools: address-groupa and address-groupb

  • Server public IP address: 11.11.11.2 for server A and 11.11.11.1 for server B

  • ACL numbers: 2464 and 2465

  • Names and IP addresses of interfaces to which an outbound NAT traffic distribution policy applies: GE 0/1/1 with IP address 10.78.1.1/24 and GE 0/1/0 with IP address 10.67.1.1/24

Procedure

  1. Create a NAT instance and associate a service board with the NAT instance.

    <HUAWEI> system-view
    [~HUAWEI] sysname NATA
    [*HUAWEI] commit
    [~NATA] service-location 1
    [*NATA-service-location-1] location follow-forwarding-mode
    [*NATA-service-location-1] commit
    [~NATA-service-location-1] quit
    [~NATA] service-instance-group group1
    [*NATA-service-instance-group-group1] service-location 1
    [*NATA-service-instance-group-group1] commit
    [~NATA-service-instance-group-group1] quit
    [~NATA] nat instance nata id 1
    [*NATA-nat-instance-nata] service-instance-group group1
    [*NATA-nat-instance-nata] commit
    [~NATA-nat-instance-nata] quit
    [~NATA] nat instance natb id 2
    [*NATA-nat-instance-natb] service-instance-group group1
    [*NATA-nat-instance-natb] commit
    [~NATA-nat-instance-natb] quit

  2. Configure a mapping between the NAT address pool, internal servers' private IP addresses, and public addresses.

    # In the view of the NAT instance named nata, configure an IP address pool named address-groupa with an IP address segment ranging from 11.12.12.1 to 11.12.12.10 and map server A's private IP address 10.78.1.2 to the public IP address 11.11.11.2.

    [~NATA] nat instance nata
    [~NATA-nat-instance-nata] nat address-group address-groupa group-id 111 11.12.12.1 11.12.12.10
    [*NATA-nat-instance-nata] nat server protocol udp global 11.11.11.2 inside 10.78.1.2
    [*NATA-nat-instance-nata] commit
    [~NATA-nat-instance-nata] quit

    # In the view of the NAT instance named natb, configure an IP address pool named address-groupb with an IP address segment ranging from 11.12.12.11 to 11.12.12.20 and map server B's private IP address 10.67.1.2 to the public IP address 11.11.11.1.

    [~NATA] nat instance natb
    [~NATA-nat-instance-natb] nat address-group address-groupb group-id 112 11.12.12.11 11.12.12.20
    [*NATA-nat-instance-natb] nat server protocol udp global 11.11.11.1 inside 10.67.1.2
    [*NATA-nat-instance-natb] commit
    [~NATA-nat-instance-natb] quit

  3. Configure an outbound NAT traffic policy.
    1. Configure ACL rules.

      # Configure an ACL numbered 2464 and an ACL rule numbered 5 to allow only hosts on the 10.78.1.0/24 network segment to access the Internet.

      [~NATA] acl number 2464
      [*NATA-acl4-basic-2464] rule 5 permit source 10.78.1.0 0.0.0.255
      [*NATA-acl4-basic-2464] commit
      [~NATA-acl4-basic-2464] quit

      # Configure an ACL numbered 2465 and an ACL rule numbered 5 to allow only hosts on the 10.67.1.0/24 network segment to access the Internet.

      [~NATA] acl number 2465
      [*NATA-acl4-basic-2465] rule 5 permit source 10.67.1.0 0.0.0.255
      [*NATA-acl4-basic-2465] commit
      [~NATA-acl4-basic-2465] quit

    2. Apply the outbound NAT traffic distribution policy to GE 0/1/0 and GE 0/1/1.

      # Bind the ACL numbered 2464 and the NAT instance named nata to GE 0/1/0.

      [~NATA] interface GigabitEthernet0/1/0
      [~NATA-GigabitEthernet0/1/0] ip address 10.67.1.1 24
      [*NATA-GigabitEthernet0/1/0] nat bind acl 2464 instance nata
      [*NATA-GigabitEthernet0/1/0] commit
      [~NATA-GigabitEthernet0/1/0] quit

      # Bind the ACL numbered 2465 and the NAT instance named natb to GE 0/1/1.

      [~NATA] interface GigabitEthernet0/1/1
      [~NATA-GigabitEthernet0/1/1] ip address 10.78.1.1 24
      [~NATA-GigabitEthernet0/1/1] nat bind acl 2465 instance natb
      [*NATA-GigabitEthernet0/1/1] commit
      [~NATA-GigabitEthernet0/1/1] quit

  4. Verify the configuration.

    # View the NAT instance configuration.

    [~NATA] display nat instance
    nat instance nata id 1
     service-instance-group group1
     nat address-group address-groupa group-id 111 11.12.12.1 11.12.12.10
     nat server protocol udp global 11.11.11.2 inside 10.78.1.2
    nat instance natb id 2
     service-instance-group group1
     nat address-group address-groupb group-id 112 11.12.12.11 11.12.12.20
     nat server protocol udp global 11.11.11.1 inside 10.67.1.2


    # View server-map entries of all users.

    [~NATA] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...
    Slot: 9
    Total number:  4.
      NAT Instance: nata
      Protocol:UDP, VPN:--->-
      Server:10.78.1.2[11.11.11.2]->ANY
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:10.78.1.2

      NAT Instance: nata
      Protocol:UDP, VPN:--->-
      Server reverse:ANY->11.11.11.2[10.78.1.2]
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:10.78.1.2

      NAT Instance: natb
      Protocol:UDP, VPN:--->-
      Server:10.67.1.2[11.11.11.1]->ANY
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:10.67.1.2

      NAT Instance: natb
      Protocol:UDP, VPN:--->-
      Server reverse:ANY->11.11.11.1[10.67.1.2]
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:10.67.1.2


Configuration Files

NAT A configuration file

#
sysname NATA
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nata id 1
 service-instance-group group1
 nat address-group address-groupa group-id 111 11.12.12.1 11.12.12.10 
 nat server protocol udp global 11.11.11.2 inside 10.78.1.2
nat instance natb id 2
 service-instance-group group1
 nat address-group address-groupb group-id 112 11.12.12.11 11.12.12.20 
 nat server protocol udp global 11.11.11.1 inside 10.67.1.2
#
acl number 2464
 rule 5 permit source 10.78.1.0 0.0.0.255
# 
acl number 2465
 rule 5 permit source 10.67.1.0 0.0.0.255
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.78.1.1 255.255.255.0
 undo dcn
 nat bind acl 2465 instance natb
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.67.1.1 255.255.255.0
 undo dcn
 nat bind acl 2464 instance nata
#
return

Example for Configuring Static NAT Source Tracing

This section provides an example for configuring static NAT source tracing so that one-to-many translation between the private and public IP addresses can be performed in an enterprise and only PCs on a specified network segment can access the Internet.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

On the network shown in Figure 1-48, the PCs in an enterprise use the CPE to perform NAT and then are connected to the BRAS. The BRAS is connected to the RADIUS server. The CR is connected to the NAT device in bypass mode for IPv4 network access. The service board of the NAT device is in slot 1. The NAT device is connected to the CR through GE 0/2/0. The enterprise has 100 public IP addresses ranging from 11.11.11.1/24 to 11.11.11.100/24.

The configuration requirement is as follows:
  • Only PCs with addresses in the range 10.0.0.1/24 to 10.0.0.255/24 can access the Internet.
Figure 1-48  Static NAT source tracing
NOTE:

In this example, interface 1 is GE 0/2/0.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a service-instance-group service instance group.
  2. Configure a NAT instance named nat1 and bind it to the NAT service board.
  3. Configure a traffic classification rule and NAT behavior.
  4. Configure static NAT source tracing algorithm mapping.
  5. Bind the static NAT source tracing to the NAT instance.
Data Preparation
  • Index of the service-location backup group: 1; name of the service-instance-group service instance group: group1; index of the NAT instance named nat1: 1
  • Numbers of the private and public address pools for static NAT source tracing
  • Number and IP address of the interface that applies the NAT traffic policy
  • Private network address segment for static NAT source tracing: 10.0.0.1 to 10.0.0.255; public network address segment for static NAT source tracing: 11.11.11.1 to 11.11.11.100
  • Port number range for the public address pool: 256 to 1023; port segment size: 256
  • ACL number: 3001; traffic classification rule name: c1; traffic behavior name: b1; traffic policy name: p1

Procedure

  1. Configure a service-instance-group service instance group.

    <HUAWEI> system-view
    [~HUAWEI] service-location 1
    [*HUAWEI-service-location-1] location slot 1 engine 0
    [*HUAWEI-service-location-1] commit
    [~HUAWEI-service-location-1] quit
    [~HUAWEI] service-instance-group group1
    [*HUAWEI-service-instance-group-group1] service-location 1
    [*HUAWEI-service-instance-group-group1] commit
    [~HUAWEI-service-instance-group-group1] quit

  2. Configure a NAT instance named nat1 and bind it to the CGN service board.

    [~HUAWEI] nat instance nat1 id 1
    [*HUAWEI-nat-instance-nat1] service-instance-group group1
    [*HUAWEI-nat-instance-nat1] commit
    [~HUAWEI-nat-instance-nat1] quit

  3. Configure a group of static NAT source tracing algorithm parameters, with the private address pool containing IP addresses from 10.0.0.1 to 10.0.0.255, the public address pool containing IP addresses from 11.11.11.1 to 11.11.11.100, the port range from 256 to 1023, and port segment size as 256.

    [~HUAWEI] nat static-mapping
    [*HUAWEI-nat-static-mapping] inside-pool 1
    [*HUAWEI-nat-static-mapping-inside-pool-1] section 1 10.0.0.1 10.0.0.255
    [*HUAWEI-nat-static-mapping-inside-pool-1] quit
    [*HUAWEI-nat-static-mapping] global-pool 1
    [*HUAWEI-nat-static-mapping-global-pool-1] section 1 11.11.11.1 11.11.11.100
    [*HUAWEI-nat-static-mapping-global-pool-1] quit
    [*HUAWEI-nat-static-mapping] static-mapping 10 inside-pool 1 global-pool 1 port-range 256 1023 port-size 256
    [*HUAWEI-nat-static-mapping] commit
    [~HUAWEI-nat-static-mapping] quit

  4. Enable static NAT source tracing algorithm on the NAT instance named nat1 and specify the algorithm ID as 10.

    [~HUAWEI] nat instance nat1
    [~HUAWEI-nat-instance-nat1] nat bind static-mapping 10
    [*HUAWEI-nat-instance-nat1] commit
    [~HUAWEI-nat-instance-nat1] quit

  5. Configure a traffic classification rule and NAT behavior.
    1. Configure an ACL rule for traffic classification. Only PCs with the internal network segment address as 10.0.0.0/24 can access the Internet.

      [~HUAWEI] acl 3001
      [*HUAWEI-acl4-advance-3001] rule 1 permit ip source 10.0.0.0 0.0.0.255
      [*HUAWEI-acl4-advance-3001] commit
      [~HUAWEI-acl4-advance-3001] quit

    2. Configure a traffic classifier and define an ACL-based matching rule.

      [~HUAWEI] traffic classifier c1
      [*HUAWEI-classifier-c1] if-match acl 3001
      [*HUAWEI-classifier-c1] commit
      [~HUAWEI-classifier-c1] quit

    3. Configure a traffic behavior and bind the traffic behavior to the NAT instance named nat1.

      [~HUAWEI] traffic behavior b1 
      [*HUAWEI-behavior-b1] nat bind instance nat1
      [*HUAWEI-behavior-b1] commit
      [~HUAWEI-behavior-b1] quit

    4. Define a NAT traffic policy to associate the ACL rule with the traffic behavior.

      [~HUAWEI] traffic policy p1
      [*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
      [*HUAWEI-trafficpolicy-p1] commit
      [~HUAWEI-trafficpolicy-p1] quit

    5. Apply the NAT traffic policy in the interface view.

      [~HUAWEI] interface gigabitEthernet 0/2/0
      [~HUAWEI-GigabitEthernet0/2/0] traffic-policy p1 inbound
      [*HUAWEI-GigabitEthernet0/2/0] commit
      [~HUAWEI-GigabitEthernet0/2/0] quit

  6. Verify the configuration.

    # Display NAT user information on the device.

    <HUAWEI> display nat user-information slot 1 engine 0 verbose
    This operation will take a few minutes. Press 'Ctrl+C' to break ...                                                                 
    Slot: 1  Engine: 0                                                                                                                  
    Total number:  1.                                                                                                                   
      ---------------------------------------------------------------------------                                                       
      User Type                             :  NAT444                                                                                   
      CPE IP                                :  10.0.0.1                                                                                 
      User ID                               :  -                                                                                        
      VPN Instance                          :  -                                                                                        
      Address Group                         :  -                                                                                        
      NoPAT Address Group                   :  -                                                                                        
      NAT Instance                          :  nat1                                                                                     
      Public IP                             :  11.11.11.1                                                                              
      NoPAT Public IP                       :  -                                                                                        
      Start Port                            :  256                                                                                      
      Port Range                            :  256                                                                                      
      Port Total                            :  256                                                                                      
      Extend Port Alloc Times               :  0                                                                                        
      Extend Port Alloc Number              :  0                                                                                        
      First/Second/Third Extend Port Start  :  0/0/0                                                                                    
      Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512                                                                     
      Total/TCP/UDP/ICMP Session Current    :  1/0/1/0                                                                                  
      Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512                                                                     
      Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0                                                                                  
      Total/TCP/UDP/ICMP Port Limit         :  0/0/0/0                                                                                  
      Total/TCP/UDP/ICMP Port Current       :  1/0/1/0                                                                                  
      Nat ALG Enable                        :  NULL                                                                                     
      Token/TB/TP                           :  0/0/0                                                                                    
      Port Forwarding Flag                  :  Non Port Forwarding                                                                      
      Port Forwarding Ports                 :  0 0 0 0 0                                                                                
      Aging Time(s)                         :  -                                                                                        
      Left Time(s)                          :  -                                                                                        
      Port Limit Discard Count              :  0                                                                                        
      Session Limit Discard Count           :  0                                                                                        
      Fib Miss Discard Count                :  0                                                                                        
      -->Transmit Packets                   :  150156628                                                                                
      -->Transmit Bytes                     :  19699109016                                                                              
      -->Drop Packets                       :  0                                                                                        
      <--Transmit Packets                   :  0                                                                                        
      <--Transmit Bytes                     :  0                                                                                        
      <--Drop Packets                       :  0                                                                                        
      ---------------------------------------------------------------------------  
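The static-mapping parameters above (private pool 10.0.0.1 to 10.0.0.255, public pool 11.11.11.1 to 11.11.11.100, port range 256 to 1023, port block size 256) define a fixed, log-free mapping: each private host always owns one block of 256 ports on one public address, which is what lets an operator trace an abuse report carrying only a public IP and port back to the inside host. The following Python is an added illustration, not Huawei code and not the NE20E's actual allocation algorithm; it assumes that hosts are numbered in ascending address order and take consecutive port blocks, filling one public address before moving to the next. The page confirms only the first data point (CPE IP 10.0.0.1 receives 11.11.11.1 with start port 256 in the display output above); everything else follows from that assumption.

```python
import ipaddress
from math import ceil

# Parameters copied from "static-mapping 10" on this page.
INSIDE_POOL = ("10.0.0.1", "10.0.0.255")
GLOBAL_POOL = ("11.11.11.1", "11.11.11.100")
PORT_RANGE = (256, 1023)
PORT_SIZE = 256


def expand_pool(first, last):
    """All IPv4 addresses from first to last, inclusive, in ascending order."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


def blocks_per_public_ip(port_range=PORT_RANGE, port_size=PORT_SIZE):
    """Number of port blocks of port_size that fit into port_range on one public IP."""
    lo, hi = port_range
    return (hi - lo + 1) // port_size


def forward_map(private_ip, inside_pool=INSIDE_POOL, global_pool=GLOBAL_POOL,
                port_range=PORT_RANGE, port_size=PORT_SIZE):
    """Private IP -> (public IP, first port, last port).

    Assumed ordering (not stated on the page): the i-th private host takes
    the i-th port block, public addresses being filled in sequence.
    """
    inside = expand_pool(*inside_pool)
    public = expand_pool(*global_pool)
    n = blocks_per_public_ip(port_range, port_size)
    i = inside.index(private_ip)  # raises ValueError if the host is outside the pool
    if i // n >= len(public):
        raise ValueError("global pool too small for this private host")
    first = port_range[0] + (i % n) * port_size
    return public[i // n], first, first + port_size - 1


def trace_source(public_ip, port, inside_pool=INSIDE_POOL, global_pool=GLOBAL_POOL,
                 port_range=PORT_RANGE, port_size=PORT_SIZE):
    """(public IP, port) -> private IP, or None if nothing is mapped there.

    This is the source-tracing direction: no session log is needed, only the
    configured pools and port parameters.
    """
    public = expand_pool(*global_pool)
    inside = expand_pool(*inside_pool)
    n = blocks_per_public_ip(port_range, port_size)
    if public_ip not in public or not port_range[0] <= port <= port_range[1]:
        return None
    i = public.index(public_ip) * n + (port - port_range[0]) // port_size
    return inside[i] if i < len(inside) else None


def pool_capacity(inside_pool=INSIDE_POOL, global_pool=GLOBAL_POOL,
                  port_range=PORT_RANGE, port_size=PORT_SIZE):
    """(private hosts, port blocks available, public IPs actually consumed).

    A pre-deployment check: hosts must not exceed the available blocks.
    """
    hosts = len(expand_pool(*inside_pool))
    n = blocks_per_public_ip(port_range, port_size)
    blocks = len(expand_pool(*global_pool)) * n
    return hosts, blocks, ceil(hosts / n)


def round_trip_ok():
    """True if every private host traces back to itself through its mapping."""
    for host in expand_pool(*INSIDE_POOL):
        pub, first, last = forward_map(host)
        if trace_source(pub, first) != host or trace_source(pub, last) != host:
            return False
    return True


if __name__ == "__main__":
    print(forward_map("10.0.0.1"))          # ('11.11.11.1', 256, 511)
    print(trace_source("11.11.11.1", 700))  # 10.0.0.2
    print(pool_capacity())                  # (255, 300, 85)
```

With these parameters each public address yields three blocks, so the 255 private hosts consume 85 of the 100 public addresses and ports below 256 or above 1023 never map to anyone; a report citing such a port on one of these addresses cannot belong to a translated host under this mapping.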

Configuration Files

NAT device configuration file

#
sysname HUAWEI
#
license
 active nat session-table size 16 slot 1 engine 0
#
nat static-mapping
 inside-pool 1
  section 1 10.0.0.1 10.0.0.255
 global-pool 1
  section 1 11.11.11.1 11.11.11.100
 static-mapping 10 inside-pool 1 global-pool 1 port-range 256 1023 port-size 256
#
service-location 1
 location slot 1 engine 0
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1 
 nat bind static-mapping 10
#
acl number 3001
 rule 1 permit ip source 10.0.0.0 0.0.0.255
#
traffic classifier c1
 if-match acl 3001
#
traffic behavior b1
 nat bind instance nat1
#
traffic policy p1
 classifier c1 behavior b1 precedence 1
#
interface GigabitEthernet 0/2/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 traffic-policy p1 inbound
#
return

Example for Configuring NAT in the Address Pool Mode

This section provides an example for configuring NAT in the address pool mode, in which a NAT device performs the NAT function to help PCs within an enterprise network access the Internet.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

In Figure 1-49, NAT-Device performs the NAT function to help PCs within an enterprise network access the Internet. NAT-Device uses GE 0/2/0 to connect to the enterprise network. NAT-Device's GE 0/2/1 is connected to the Internet. The enterprise is assigned five public IP addresses of 11.11.11.101/32 through 11.11.11.105/32. The peer device connected to NAT-Device is assigned an IP address of 11.2.3.5.

Figure 1-49 shows IP addresses of interfaces. The configuration requirements are as follows:
  • Only PCs on the 192.168.10.0/24 network segment can access the Internet.
  • Multiple-to-multiple NAT translation is performed for IP addresses between private and public networks.
Figure 1-49  Configuring NAT in the address pool mode
NOTE:

In this example, interface 1 and interface 2 are GE 0/2/0 and GE 0/2/1, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure a NAT distribution policy.
  3. Apply the NAT distribution policy.
  4. Configure static routes.
Data Preparation

To complete the configuration, you need the following data:

  • NAT instance name (nat1) and index (1)
  • NAT-Device's NAT address pool name (address-group1), address pool number (1), a range of public IP addresses (11.11.11.101 through 11.11.11.105)
  • ACL number (3001)
  • Name and IP address of each interface to which a NAT distribution policy is applied

Procedure

  1. Configure basic NAT functions.
    1. Create a NAT instance named nat1.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit
      [~NAT-Device] nat instance nat1 id 1 simple-configuration
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

    2. Configure a NAT address pool and specify a range of IP addresses of 11.11.11.101 through 11.11.11.105 in the pool.

      [~NAT-Device] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
      [*NAT-Device] commit
      

  2. Configure a NAT distribution policy. Configure an ACL numbered 3001, an ACL rule numbered 1, and an ACL-based traffic classification rule so that only hosts on the 192.168.10.0/24 network segment can access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit

  3. Apply the NAT distribution policy. Apply the ACL-based traffic classification rule to the view of the outbound interface named GE 0/2/1.

    [~NAT-Device] interface gigabitEthernet 0/2/1
    [~NAT-Device-GigabitEthernet0/2/1] ip address 11.2.3.4 24
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit

  4. Configure a default route as a static route and set the next hop address of the default route to 11.2.3.5.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.2.3.5
    [*NAT-Device] commit

  5. Verify the configuration.

    # Run the display nat user-information slot verbose command to view NAT user information.

    [~NAT-Device] display nat user-information slot 9 verbose
    This operation will take a few minutes. Press 'Ctrl+C' to break ...              
    Slot: 9
    Total number:  1.                                                           
      ---------------------------------------------------------------------------                                                        
      User Type                             :  NAT444                                                                                    
      CPE IP                                :  192.168.10.100                                                                                  
      User ID                               :  -                                                                                         
      VPN Instance                          :  -                                                                                         
      Address Group                         :  address-group1                                                                                        
      NAT Instance                          :  nat1                                                                                        
      Public IP                             :  11.11.11.101                                                                                 
      Total/TCP/UDP/ICMP Session Limit      :  0/0/0/0                                                                                   
      Total/TCP/UDP/ICMP Session Current    :  64511/0/64511/0                                                                           
      Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512                                                                      
      Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0                                                                                   
      Nat ALG Enable                        :  NULL                                                                                      
      Aging Time(s)                         :  -                                                                                         
      Left Time(s)                          :  -                                                                                         
      Session Limit Discard Count           :  0                                                                                         
      -->Transmit Packets                   :  9753259                                                                                   
      -->Transmit Bytes                     :  1111770864                                                                                
      -->Drop Packets                       :  0                                                                                         
      <--Transmit Packets                   :  0                                                                                         
      <--Transmit Bytes                     :  0                                                                                         
      <--Drop Packets                       :  0                                                                                         
      --------------------------------------------------------------------------- 
    

NAT-Device Configuration File

#
sysname NAT-Device 
# 
nat instance nat1 id 1 simple-configuration             
#
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105      
#
acl number 3001 
 rule 1 permit ip source 192.168.10.0 0.0.0.255 
# 
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 11.2.3.4 255.255.255.0 
 nat bind acl 3001 instance nat1 
#
ip route-static 0.0.0.0 0.0.0.0 11.2.3.5
#
return

Example for Configuring Easy IP for NAT

This section provides an example for configuring easy IP for NAT to send traffic from an enterprise network to an external carrier network.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

In Figure 1-50, traffic is to be sent from an enterprise network to an external carrier network. NAT-Device translates a private IP address of an enterprise network user to the IP address of a public network interface so that the user accesses the external carrier network.

NAT-Device uses GE 0/2/0 to connect to the enterprise network. NAT-Device uses GE 0/2/1 to connect to the Internet. The enterprise is assigned only the public IP address of 11.2.3.4. The peer device connected to NAT-Device is assigned an IP address of 11.2.3.5.

Figure 1-50 shows IP addresses of interfaces. The configuration requirements are as follows:
  • Only PCs on the 192.168.10.0/24 network segment can access the Internet.
  • NAT-Device uses only the IP address of a public network interface, not other public IP addresses.
Figure 1-50  Configuring easy IP for NAT
NOTE:

In this example, interface 1 and interface 2 are GE 0/2/0 and GE 0/2/1, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure a NAT distribution policy.
  3. Apply the NAT distribution policy.
  4. Configure static routes.
Data Preparation

To complete the configuration, you need the following data:

  • NAT instance name (nat1) and index (1)
  • NAT-Device's NAT address pool name (address-group1) and sequence number (1)
  • ACL number (3001)
  • Name (GE 0/2/1) and IP address (11.2.3.4/24) of an interface to which a NAT distribution policy is applied

Procedure

  1. Configure basic NAT functions.
    1. Create a NAT instance named nat1.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit
      [~NAT-Device] nat instance nat1 id 1 simple-configuration
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

    2. Assign an IP address to an outbound interface.

      [~NAT-Device] interface gigabitEthernet 0/2/1
      [~NAT-Device-GigabitEthernet0/2/1] ip address 11.2.3.4 24
      [*NAT-Device-GigabitEthernet0/2/1] commit
      [~NAT-Device-GigabitEthernet0/2/1] quit

    3. Configure a mapping between the address pool and the IP address of the outbound interface.

      [~NAT-Device] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
      [*NAT-Device] commit
      

  2. Configure a NAT distribution policy. Configure an ACL numbered 3001, an ACL rule numbered 1, and an ACL-based traffic classification rule so that only hosts on the 192.168.10.0/24 network segment can access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit

  3. Apply the NAT distribution policy. Apply the ACL-based traffic classification rule to the view of the outbound interface named GE 0/2/1.

    [~NAT-Device] interface gigabitEthernet 0/2/1
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit

  4. Configure a default route as a static route and set the next hop address of the default route to 11.2.3.5.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.2.3.5
    [*NAT-Device] commit

  5. Verify the configuration.

    # Run the display nat user-information slot verbose command to view NAT user information.

    [~NAT-Device] display nat user-information slot 9 verbose
    This operation will take a few minutes. Press 'Ctrl+C' to break ...              
    Slot: 9
    Total number:  1.                                                           
      ---------------------------------------------------------------------------                                                        
      User Type                             :  NAT444                                                                                    
      CPE IP                                :  192.168.10.100                                                                                  
      User ID                               :  -                                                                                         
      VPN Instance                          :  -                                                                                         
      Address Group                         :  address-group1                                                                                        
      NAT Instance                          :  nat1                                                                                        
      Public IP                             :  11.2.3.4                                                                                 
      Total/TCP/UDP/ICMP Session Limit      :  0/0/0/0                                                                                   
      Total/TCP/UDP/ICMP Session Current    :  64511/0/64511/0                                                                           
      Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512                                                                      
      Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0                                                                                   
      Nat ALG Enable                        :  NULL                                                                                      
      Aging Time(s)                         :  -                                                                                         
      Left Time(s)                          :  -                                                                                         
      Session Limit Discard Count           :  0                                                                                         
      -->Transmit Packets                   :  9753259                                                                                   
      -->Transmit Bytes                     :  1111770864                                                                                
      -->Drop Packets                       :  0                                                                                         
      <--Transmit Packets                   :  0                                                                                         
      <--Transmit Bytes                     :  0                                                                                         
      <--Drop Packets                       :  0                                                                                         
      ---------------------------------------------------------------------------
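In both the address pool and the easy IP examples above, the NAT distribution policy is nothing more than `nat bind acl 3001 instance nat1` on GE 0/2/1: a packet leaving that interface is handed to the NAT instance only if ACL 3001 permits it, and packets that match no rule are simply not translated. The Python below is an added illustration of that decision, not Huawei code and not the router's ACL engine; ACL 3001 is copied from the page, while the hairpin-style and deny-first ACLs, the interface names other than GE 0/2/1, and the sample addresses are constructed for the example. It generalizes the page's source-only rule to rules carrying a destination clause and an exact-host wildcard.

```python
import ipaddress


def _as_int(value):
    """Accept dotted quads and the CLI short form used for wildcards (e.g. '0')."""
    return int(ipaddress.IPv4Address(value)) if "." in value else int(value)


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'.

    0.0.0.255 therefore covers a /24 and a wildcard of 0 matches exactly one host.
    """
    a, b, w = _as_int(addr), _as_int(base), _as_int(wildcard)
    return (a & ~w) == (b & ~w)


def rule(action, src=None, dst=None):
    """One 'rule N permit|deny ip [source A W] [destination A W]' line.

    src/dst are (address, wildcard) tuples; None means the clause is absent,
    which matches any address.
    """
    return {"action": action, "src": src, "dst": dst}


# ACL 3001 exactly as configured on this page:
#   rule 1 permit ip source 192.168.10.0 0.0.0.255
ACL_3001 = [rule("permit", src=("192.168.10.0", "0.0.0.255"))]

# Constructed for this example (not on the page): a rule with a destination
# clause and an exact-host wildcard of 0, and an ACL where a deny precedes
# the permit to show first-match ordering.
ACL_WITH_DESTINATION = [
    rule("permit", src=("192.168.10.0", "0.0.0.255"), dst=("11.11.11.101", "0")),
]
ACL_DENY_FIRST = [
    rule("deny", src=("192.168.10.250", "0")),
    rule("permit", src=("192.168.10.0", "0.0.0.255")),
]


def acl_permits(rules, src_ip, dst_ip):
    """First-match evaluation of an ACL for one packet.

    Returns False when no rule matches: such traffic is not sent to the NAT
    instance, so it leaves with its private source address untranslated.
    """
    for r in rules:
        if r["src"] is not None and not wildcard_match(src_ip, *r["src"]):
            continue
        if r["dst"] is not None and not wildcard_match(dst_ip, *r["dst"]):
            continue
        return r["action"] == "permit"
    return False


def nat_applies(bindings, interface, src_ip, dst_ip):
    """Model 'nat bind acl <n> instance nat1' on an interface for one packet.

    bindings maps an interface name to the rule list of the ACL bound there;
    an interface with no binding never hands traffic to NAT.
    """
    rules = bindings.get(interface)
    return rules is not None and acl_permits(rules, src_ip, dst_ip)


# Binding from the page: ACL 3001 applied on the outbound interface GE 0/2/1.
BINDINGS = {"GigabitEthernet0/2/1": ACL_3001}


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range, used here as a constructed Internet host.
    print(nat_applies(BINDINGS, "GigabitEthernet0/2/1", "192.168.10.100", "203.0.113.10"))  # True
    print(nat_applies(BINDINGS, "GigabitEthernet0/2/1", "192.168.20.5", "203.0.113.10"))    # False
    print(nat_applies(BINDINGS, "GigabitEthernet0/2/0", "192.168.10.100", "203.0.113.10"))  # False
```

The practical check this supports is the one the requirement on this page calls for: a host outside 192.168.10.0/24 (192.168.20.5 in the constructed sample) is not translated, and the same ACL bound on the inside interface instead of GE 0/2/1 would not match the outbound direction at all.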

NAT-Device Configuration File

# 
sysname NAT-Device 
# 
nat instance nat1 id 1 simple-configuration             
#
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
#
acl number 3001 
 rule 1 permit ip source 192.168.10.0 0.0.0.255
# 
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 11.2.3.4 255.255.255.0 
 nat bind acl 3001 instance nat1 
#
ip route-static 0.0.0.0 0.0.0.0 11.2.3.5
#
return

Example for Configuring Bidirectional NAT and an Internal Server

This section provides an example for configuring bidirectional NAT and an internal server so that hosts on both the private and public networks can access the internal server using its public IP address.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

In Figure 1-51, NAT-Device's GE 0/2/0 with an IP address of 192.168.1.1/24 is connected to a private network. NAT-Device's GE 0/2/1 with an IP address of 11.11.11.1/8 is connected to the Internet. The internal server has a private IP address of 192.168.1.2/24 and a public IP address of 11.11.11.6. A private network host with an IP address of 192.168.1.3/24 attempts to access the internal server. The peer device connected to NAT-Device is assigned an IP address of 11.11.11.2.

Hosts on both the private and public networks need to access the internal server using its public IP address of 11.11.11.6.

Figure 1-51  Configuring NAT and an internal server
NOTE:

In this example, interface 1 and interface 2 are GE 0/2/0 and GE 0/2/1, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure an internal server.
  3. Configure a NAT distribution policy.
  4. Apply the NAT distribution policy.
  5. Configure static routes.
Data Preparation

To complete the configuration, you need the following data:

  • NAT instance name (nat1) and index (1)
  • NAT-Device's NAT address pool name (address-group1), address pool number (1), and IP address range in easy IP mode
  • ACL numbers (3001 and 3002)
  • Name (GE 0/2/0) and IP address (192.168.1.1/24) of an interface to which a NAT distribution policy is applied; name (GE 0/2/1) and IP address (11.1.1.1/24) of another interface to which a NAT distribution policy is applied

Procedure

  1. Configure basic NAT functions.
    1. Create a NAT instance named nat1.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit
      [~NAT-Device] nat instance nat1 id 1 simple-configuration
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

    2. Assign an IP address to an outbound interface.

      [~NAT-Device] interface gigabitEthernet 0/2/1
      [~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.1.1 8
      [*NAT-Device-GigabitEthernet0/2/1] commit
      [~NAT-Device-GigabitEthernet0/2/1] quit

    3. Configure a NAT address pool in easy IP mode.

      [~NAT-Device] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
      [*NAT-Device] commit

  2. Configure an internal server.

    [~NAT-Device] nat server global 11.11.11.6 inside 192.168.1.2
    [*NAT-Device] commit

  3. Configure a NAT distribution policy.

    • Configure an ACL-based traffic classification rule. Configure an ACL numbered 3001 and a rule numbered 1 for a private network host to access the internal server using the IP address of 11.11.11.6. The ACL is used to allow GE 0/2/0 to perform NAT only for services initiated inside the private network.
    • Configure an ACL numbered 3002, an ACL rule numbered 2, and an ACL-based traffic classification rule to allow the private network host to access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit
    [~NAT-Device] acl 3002
    [*NAT-Device-acl4-advance-3002] rule 2 permit ip
    [*NAT-Device-acl4-advance-3002] commit
    [~NAT-Device-acl4-advance-3002] quit

  4. Apply the NAT distribution policy.

    • Apply the traffic classification policy with ACL 3001 to the view of GE 0/2/0.
    • Apply the traffic classification policy with ACL 3002 to the view of GE 0/2/1.

    [~NAT-Device] interface gigabitEthernet 0/2/0
    [~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.1.1 24
    [*NAT-Device-GigabitEthernet0/2/0] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/0] commit
    [~NAT-Device-GigabitEthernet0/2/0] quit
    [~NAT-Device] interface gigabitEthernet 0/2/1
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3002 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit

  5. Configure a default route as a static route and set the next hop address of the default route to 11.11.11.2.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
    [*NAT-Device] commit

  6. Verify the configuration.

    # Run the display nat server-map command to view the internal server information.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...                                                                 
    Slot: 9
    Total number:  2.                                                                                                                   
      NAT Instance: nat1                                                                                                                
      Protocol:ANY, VPN:--->-                                                                                                           
      Server:192.168.1.2[11.1.1.6]->ANY                                                                                                 
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:192.168.1.2                                                                                                                
                                                                                                                                        
      NAT Instance: nat1                                                                                                                
      Protocol:ANY, VPN:--->-                                                                                                           
      Server reverse:ANY->11.1.1.6[192.168.1.2]                                                                                         
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:192.168.1.2                        
      ---------------------------------------------------------------------------

NAT-Device Configuration File
# 
sysname NAT-Device 
# 
nat instance nat1 id 1 simple-configuration                                                                                                              
#
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
#
nat server global 11.11.11.6 inside 192.168.1.2                                                         
#
acl number 3001
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
#
acl number 3002
 rule 2 permit ip  
# 
interface GigabitEthernet 0/2/0 
 undo shutdown 
 ip address 192.168.1.1 255.255.255.0
 nat bind acl 3001 instance nat1 
# 
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 11.11.11.1 255.0.0.0
 nat bind acl 3002 instance nat1
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#
return

Example for Configuring NAT and an Internal Web Server

This section provides an example for configuring NAT and an internal web server to provide web services for internet or private network users.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

In Figure 1-52, the private IP address 192.168.0.100/24 and port 8080 are assigned to a web server that provides web services. The web server's public IP address is 11.1.1.3/24, and its domain name is www.TestNat.com. The outbound interface GE 0/2/1 of NAT-Device has the IP address 11.1.1.2/24, and the LAN-side gateway's IP address is 192.168.0.1. The enterprise has no other public IP addresses. The IP address of the peer device on the carrier side is 11.1.1.1/24. The enterprise wants to use the private network web server to provide web services for Internet users and to allow private network users to access the Internet. Private network users also need to reach the private network web server after resolving its domain name through a DNS server on the Internet.

The configuration requirements are as follows:
  • Only PCs on the network segment of 192.168.0.200/24 can access the Internet.
  • NAT-Device uses the public IP address of a public interface and the public IP address of an internal server. No other public IP addresses are used.
  • Public network users access the internal web server at 192.168.0.100/24 using the public IP address of 11.1.1.3/24 and the domain name of www.TestNat.com.
  • Private network users access the internal web server at 192.168.0.100/24 using the public IP address of 11.1.1.3/24 and the domain name of www.TestNat.com.
Figure 1-52  Configuring NAT and an internal server
NOTE:

In this example, interface 1 and interface 2 are GE 0/2/0 and GE 0/2/1, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure an internal server.
  3. Configure DNS mapping.
  4. Enable the NAT ALG function for the DNS protocol.
  5. Configure a NAT distribution policy.
  6. Apply the NAT distribution policy.
  7. Configure static routes.
Data Preparation

To complete the configuration, you need the following data:

  • NAT instance name (nat1) and index (1)
  • NAT-Device's NAT address pool name (address-group1), address pool number (1), and IP address range in easy IP mode
  • ACL number (3001)
  • Name (GE 0/2/1) and IP address (11.1.1.2/24) of an interface to which a NAT distribution policy is applied

Procedure

  1. Configure basic NAT functions.
    1. Create a NAT instance named nat1.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit
      [~NAT-Device] nat instance nat1 id 1 simple-configuration
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

    2. Assign an IP address to an outbound interface.

      [~NAT-Device] interface gigabitEthernet 0/2/1
      [~NAT-Device-GigabitEthernet0/2/1] ip address 11.1.1.2 24
      [*NAT-Device-GigabitEthernet0/2/1] commit
      [~NAT-Device-GigabitEthernet0/2/1] quit

    3. Configure a NAT address pool in easy IP mode.

      [~NAT-Device] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
      [*NAT-Device] commit

  2. Configure an internal server.

    [~NAT-Device] nat server protocol tcp global 11.1.1.3 www inside 192.168.0.100 8080
    [*NAT-Device] commit

  3. Configure DNS mapping between the domain name www.TestNat.com, the public IP address 11.1.1.3, and the private IP address 192.168.0.100.

    [~NAT-Device] nat instance nat1
    [~NAT-Device-nat-instance-nat1] nat dns-mapping domain www.TestNat.com global-address 11.1.1.3 inside-address 192.168.0.100
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit

  4. Enable the NAT ALG function for the DNS protocol.

    [~NAT-Device] nat instance nat1
    [~NAT-Device-nat-instance-nat1] nat alg dns
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit

  5. Configure a NAT distribution policy. Configure an ACL numbered 3001 with a rule numbered 1 as the ACL-based traffic classification rule, so that only hosts on the network segment of 192.168.0.200/24 can access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.200 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit

  6. Apply the NAT distribution policy. Apply the ACL-based traffic classification rule to the view of the outbound interface named GE 0/2/1.

    [~NAT-Device] interface gigabitEthernet 0/2/1
    [~NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit

  7. Configure a default route as a static route and set the next hop address of the default route to 11.1.1.1.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
    [*NAT-Device] commit

  8. Verify the configuration.

    # Run the display nat server-map command to view the internal server information.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...                                                                 
    Slot: 9
    Total number:  2.                                                                                                                   
      NAT Instance: nat1                                                                                                                
      Protocol:TCP, VPN:--->-                                                                                                           
      Server:192.168.0.100:8080[11.1.1.3:80]->ANY                                                                                     
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:192.168.0.100                                                                                                              
                                                                                                                                        
      NAT Instance: nat1                                                                                                                
      Protocol:TCP, VPN:--->-                                                                                                           
      Server reverse:ANY->11.1.1.3:80[192.168.0.100:8080]                                                                             
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:192.168.0.100                                   
      ---------------------------------------------------------------------------

NAT-Device Configuration File
# 
sysname NAT-Device 
# 
nat instance nat1 id 1 simple-configuration                                                                                                              
#
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
#
nat server protocol tcp global 11.1.1.3 www inside 192.168.0.100 8080                                                            
#
nat instance nat1
 nat alg dns                                                                                                                        
 nat dns-mapping domain www.TestNat.com global-address 11.1.1.3 inside-address 192.168.0.100      
#
acl number 3001 
 rule 1 permit ip source 192.168.0.200 0.0.0.255 
# 
interface GigabitEthernet 0/2/1
 undo shutdown 
 ip address 11.1.1.2 255.255.255.0
 nat bind acl 3001 instance nat1 
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
#
return

Example for Configuring Static 1:1 NAT

This section provides an example for configuring static 1:1 NAT, which translates a host's private IP address to a fixed public IP address so that the host can communicate with the Internet.

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

In Figure 1-53, the outbound interface GE 0/2/1 of NAT-Device is 1.1.1.2/24, and the LAN-side gateway's IP address is 192.168.0.1/24. The IP address of the peer carrier device is 1.1.1.1/24. The private IP address of the host is 192.168.0.2/24 and is mapped to a fixed IP address of 1.1.1.3/24 for NAT processing. The private IP address needs to be translated to the public IP address within the Internet to connect to the WAN.

Figure 1-53  Configuring static 1:1 NAT
NOTE:

In this example, interface 1 and interface 2 are GE 0/2/0 and GE 0/2/1, respectively.



Configuration Roadmap
The configuration roadmap is as follows:
  1. Configure basic NAT functions.
  2. Configure an internal server.
  3. Configure a NAT distribution policy.
  4. Apply the NAT distribution policy.
  5. Configure static routes.
Data Preparation
To complete the configuration, you need the following data:
  • NAT instance name (nat1) and index (1)
  • ACL number (3001)
  • Name (GE 0/2/1) and IP address (1.1.1.2/24) of an interface to which a NAT distribution policy is applied
  • Internal server's private IP address (192.168.0.2) and public IP address (1.1.1.3)

Procedure

  1. Configure basic NAT functions.
    1. Create a NAT instance named nat1.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit
      [~NAT-Device] nat instance nat1 id 1 simple-configuration
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

    2. Configure a NAT address pool and specify a range of IP addresses of 11.11.11.101 through 11.11.11.105 in the pool.

      [~NAT-Device] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
      [*NAT-Device] commit

  2. Configure an internal server in 1:1 static NAT mapping. Set the internal server's private IP address to 192.168.0.2 and its public IP address to 1.1.1.3.

    [~NAT-Device] nat server global 1.1.1.3 inside 192.168.0.2
    [*NAT-Device] commit

  3. Configure a NAT distribution policy. Configure an ACL numbered 3001 with a rule numbered 1 as the ACL-based traffic classification rule, so that only hosts on the network segment of 192.168.0.2/24 can access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.0 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit

  4. Apply the NAT distribution policy. Apply the ACL-based traffic classification rule to the view of the outbound interface named GE 0/2/1.

    [~NAT-Device] interface gigabitEthernet 0/2/1
    [~NAT-Device-GigabitEthernet0/2/1] ip address 1.1.1.2 24
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit

  5. Configure a default route as a static route and set the next hop address of the default route to 1.1.1.1.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
    [*NAT-Device] commit

  6. Verify the configuration.

    # Run the display nat server-map command to view server-map entries of all users.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...              
    Slot: 9 
    Total number:  2.
      NAT Instance: nat1           
      Protocol:ANY, VPN:--->-    
      Server:192.168.0.2[1.1.1.3]->ANY
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:192.168.0.2           
                                 
      NAT Instance: nat1           
      Protocol:ANY, VPN:--->-    
      Server reverse:ANY->1.1.1.3[192.168.0.2]
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP:192.168.0.2

NAT-Device Configuration File
# 
sysname NAT-Device 
# 
nat instance nat1 id 1 simple-configuration             
#
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105      
#
nat server global 1.1.1.3 inside 192.168.0.2
#
acl number 3001 
 rule 1 permit ip source 192.168.0.0 0.0.0.255
# 
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 1.1.1.2 255.255.255.0 
 nat bind acl 3001 instance nat1 
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
return

Example for Configuring Traffic Diversion Policies to Assign Different NAT Address Pools to Intranet Users to Access the Internet

This section provides an example for configuring traffic diversion policies to assign different NAT address pools to intranet users to access the Internet.

Applicable Products and Versions

This example is applicable to NE20E-S series products running V800R010C00 and later versions.

Networking Requirements

In Figure 1-54, private network users in areas A and B of an enterprise are connected to the Internet. The public IP address of GE 0/2/1 on NAT-Device is 11.11.11.1/24, and the IP address of the peer device on the carrier side is 11.11.11.2/24. Users in area A want their private host IP addresses (on the network segment of 192.168.20.0/24) to be replaced with public IP addresses from the address pool 11.11.11.100 through 11.11.11.200 in no-PAT mode before they access the Internet. Because area B has only a few public IP addresses, users in area B want their private host IP addresses (on the network segment of 10.0.0.0/24) to be replaced with public IP addresses and public port numbers from the address pool 11.11.11.80 through 11.11.11.83 in PAT mode before they access the Internet.

Figure 1-54 shows IP addresses of interfaces. The configuration requirements are as follows:
  • PCs on the private network segment of 192.168.20.0/24 can access the Internet.
  • PCs on the private network segment of 10.0.0.0/24 can access the Internet.
Figure 1-54  Networking for configuring NAT for VPN users
NOTE:

In this example, interface 1, interface 2, and interface 3 stand for GE 0/2/1, GE 0/2/2, and GE 0/2/3, respectively.



Configuration Roadmap
  1. Configure a NAT instance and a no-PAT address pool for users in area A.
  2. Configure a NAT instance and a PAT address pool for users in area B.
  3. Configure a NAT diversion policy.
  4. Apply the NAT diversion policy.
  5. Configure static routes.
Data Preparation
  • Area A's private network segment address (192.168.20.0/24)

  • In area A, NAT instance name (nat1) and index (1), NAT address pool name (address-group1), address pool number (1), and IP address range (11.11.11.100 through 11.11.11.200)

  • Area B's private network segment address (10.0.0.0/24)

  • In area B, NAT instance name (nat2) and index (2), NAT address pool name (address-group2), address pool number (2), and IP address range (11.11.11.80 through 11.11.11.83)

  • ACL numbers (3001 for area A and 3002 for area B)

  • Name (GE 0/2/1) and IP address (11.11.11.1/24) of an interface to which a NAT diversion policy is applied

Procedure

  1. Configure a NAT instance and a no-PAT address pool for users in area A.
    1. Create a NAT instance named nat1.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit

      [~NAT-Device] service-location 1
      [*NAT-Device-service-location-1] location follow-forwarding-mode
      [*NAT-Device-service-location-1] commit
      [~NAT-Device-service-location-1] quit
      [~NAT-Device] service-instance-group group1
      [*NAT-Device-service-instance-group-group1] service-location 1
      [*NAT-Device-service-instance-group-group1] commit
      [~NAT-Device-service-instance-group-group1] quit
      [~NAT-Device] nat instance nat1 id 1
      [*NAT-Device-nat-instance-nat1] service-instance-group group1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

    2. Configure a NAT address pool and specify a range of public IP addresses 11.11.11.100 through 11.11.11.200 in the pool. Set the no-PAT mode for the address pool.

      [~NAT-Device] nat instance nat1 id 1
      [~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.100 11.11.11.200 no-pat
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit

  2. Configure a NAT instance and a PAT address pool for users in area B.
    1. Create a NAT instance named nat2.

      [~NAT-Device] nat instance nat2 id 2
      [*NAT-Device-nat-instance-nat2] service-instance-group group1
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

    2. Configure a NAT address pool and specify a range of public IP addresses 11.11.11.80 through 11.11.11.83 in the pool. Set the PAT mode for the address pool.

      [~NAT-Device] nat instance nat2 id 2
      [~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 11.11.11.80 11.11.11.83
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

  3. Configure a NAT diversion policy.

    • In area A, configure an ACL numbered 3001 with a rule numbered 1 as the ACL-based traffic classification rule, so that only hosts on the network segment of 192.168.20.0/24 can access the Internet.
    • In area B, configure an ACL numbered 3002 with a rule numbered 2 as the ACL-based traffic classification rule, so that only hosts on the network segment of 10.0.0.0/24 can access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.20.0 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit
    [~NAT-Device] acl 3002
    [*NAT-Device-acl4-advance-3002] rule 2 permit ip source 10.0.0.0 0.0.0.255
    [*NAT-Device-acl4-advance-3002] commit
    [~NAT-Device-acl4-advance-3002] quit

  4. Apply the NAT diversion policy. Apply the ACL-based traffic classification rule to the view of the outbound interface named GE 0/2/1.

    [~NAT-Device] interface GigabitEthernet 0/2/1
    [~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.11.1 24
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3002 instance nat2
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit

  5. Configure a default route as a static route and set the next hop address of the default route to 11.11.11.2.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
    [*NAT-Device] commit

  6. Verify the configuration.

    # Run the display nat user-information slot command to view NAT user information.

    [~NAT-Device] display nat user-information slot 9 verbose
    This operation will take a few minutes. Press 'Ctrl+C' to break ...              
    Slot: 9
    Total number:  2.                                                           
      ---------------------------------------------------------------------------                                                        
      User Type                             :  NAT444                                                                                    
      CPE IP                                :  192.168.20.100                                                                                  
      User ID                               :  -                                                                                         
      VPN Instance                          :  -                                                                                         
      Address Group                         :  address-group1                                                                                        
      NAT Instance                          :  nat1                                                                                        
      Public IP                             :  -                                                                                 
      NoPAT Public IP                       :  11.11.11.100                                                                                 
      Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512                                                                                   
      Total/TCP/UDP/ICMP Session Current    :  64511/0/64511/0                                                                           
      Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512                                                                      
      Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0                                                                                   
      Nat ALG Enable                        :  NULL                                                                                      
      Aging Time(s)                         :  -                                                                                         
      Left Time(s)                          :  -                                                                                         
      Session Limit Discard Count           :  0                                                                                         
      -->Transmit Packets                   :  9753259                                                                                   
      -->Transmit Bytes                     :  1111770864                                                                                
      -->Drop Packets                       :  0                                                                                         
      <--Transmit Packets                   :  0                                                                                         
      <--Transmit Bytes                     :  0                                                                                         
      <--Drop Packets                       :  0                                                                                         
      --------------------------------------------------------------------------- 
      ---------------------------------------------------------------------------                                                        
      User Type                             :  NAT444                                                                                    
      CPE IP                                :  10.0.0.1                                                                                  
      User ID                               :  -                                                                                         
      VPN Instance                          :  -                                                                                         
      Address Group                         :  address-group2                                                                                       
      NAT Instance                          :  nat2                                                                                        
      Public IP                             :  11.11.11.80                                                                                 
      NoPAT Public IP                       :  -                                                                                 
      Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512                                                                                   
      Total/TCP/UDP/ICMP Session Current    :  1/0/1/0                                                                           
      Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512                                                                      
      Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0                                                                                   
      Nat ALG Enable                        :  NULL                                                                                      
      Aging Time(s)                         :  -                                                                                         
      Left Time(s)                          :  -                                                                                         
      Session Limit Discard Count           :  0                                                                                         
      -->Transmit Packets                   :  9753259                                                                                   
      -->Transmit Bytes                     :  1111770864                                                                                
      -->Drop Packets                       :  0                                                                                         
      <--Transmit Packets                   :  0                                                                                         
      <--Transmit Bytes                     :  0                                                                                         
      <--Drop Packets                       :  0                                                                                         
      ---------------------------------------------------------------------------

NAT-Device Configuration File
# 
sysname NAT-Device 
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 11.11.11.100 11.11.11.200 no-pat
#
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group2 group-id 2 11.11.11.80 11.11.11.83
#
acl number 3001 
 rule 1 permit ip source 192.168.20.0 0.0.0.255 
#
acl number 3002 
 rule 2 permit ip source 10.0.0.0 0.0.0.255 
#
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 11.11.11.1 255.255.255.0
 nat bind acl 3001 instance nat1
 nat bind acl 3002 instance nat2 
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#
return
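The two address pools configured above behave very differently under load: the no-PAT pool of nat1 binds one public IP to each private host, while the PAT pool of nat2 multiplexes hosts onto four addresses by rewriting ports. The following Python model is an added example, not Huawei code; it reduces the ACL diversion to prefix checks on the page's segments and makes the exhaustion behaviour of the 101-address no-PAT pool visible next to the 4-address PAT pool. Sequential port allocation and the 1024-65535 port range are assumptions, not the NE20E's actual allocator.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

Session = Tuple[IPv4Address, int]   # (address, port)


class NatPool:
    """A NAT instance with one address group, in no-PAT mode (one public IP per
    private host, ports unchanged) or PAT mode (hosts share public IPs, ports rewritten)."""

    def __init__(self, name: str, first: str, last: str, no_pat: bool = False,
                 first_port: int = 1024, last_port: int = 65535) -> None:
        self.name = name
        self.no_pat = no_pat
        self.public_ips: List[IPv4Address] = [
            IPv4Address(i) for i in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1)]
        self.host_to_public: Dict[IPv4Address, IPv4Address] = {}   # no-PAT bindings
        self.sessions: Dict[Session, Session] = {}                  # private -> public
        self.next_port: Dict[IPv4Address, int] = {ip: first_port for ip in self.public_ips}
        self.last_port = last_port

    def _allocate_no_pat(self, host: IPv4Address) -> Optional[IPv4Address]:
        if host in self.host_to_public:
            return self.host_to_public[host]          # a host keeps its public IP
        in_use = set(self.host_to_public.values())
        for ip in self.public_ips:
            if ip not in in_use:
                self.host_to_public[host] = ip
                return ip
        return None                                   # pool exhausted: no translation

    def _allocate_pat(self) -> Optional[Session]:
        # Assumption: fill one public IP's port range before moving to the next
        for ip in self.public_ips:
            if self.next_port[ip] <= self.last_port:
                port = self.next_port[ip]
                self.next_port[ip] += 1
                return (ip, port)
        return None

    def translate(self, priv_ip: str, priv_port: int) -> Optional[Tuple[str, int]]:
        """Outbound translation; None means no public address/port could be allocated."""
        key = (IPv4Address(priv_ip), priv_port)
        if key not in self.sessions:
            if self.no_pat:
                pub_ip = self._allocate_no_pat(key[0])
                pub = None if pub_ip is None else (pub_ip, priv_port)
            else:
                pub = self._allocate_pat()
            if pub is None:
                return None
            self.sessions[key] = pub
        pub_ip, pub_port = self.sessions[key]
        return (str(pub_ip), pub_port)

    def reverse(self, pub_ip: str, pub_port: int) -> Optional[Tuple[str, int]]:
        """Inbound lookup for return traffic; only established sessions are reachable."""
        wanted = (IPv4Address(pub_ip), pub_port)
        for priv, pub in self.sessions.items():
            if pub == wanted:
                return (str(priv[0]), priv[1])
        return None


# Diversion policy of ACL 3001 / 3002 bound on GE 0/2/1, reduced to prefix checks
DIVERSION = [(IPv4Network("192.168.20.0/24"), "nat1"), (IPv4Network("10.0.0.0/24"), "nat2")]


def build_instances() -> Dict[str, NatPool]:
    """The page's two instances: nat1 no-PAT (101 addresses), nat2 PAT (4 addresses)."""
    return {"nat1": NatPool("nat1", "11.11.11.100", "11.11.11.200", no_pat=True),
            "nat2": NatPool("nat2", "11.11.11.80", "11.11.11.83")}


def divert(priv_ip: str, instances: Dict[str, NatPool]) -> Optional[NatPool]:
    for net, name in DIVERSION:
        if IPv4Address(priv_ip) in net:
            return instances[name]
    return None   # neither ACL matches: the packet is not sent to any NAT instance


def hosts_served(pool: NatPool, hosts: List[str], port: int = 40000) -> int:
    """How many distinct hosts obtain a translation before the pool runs out."""
    return sum(1 for h in hosts if pool.translate(h, port) is not None)


if __name__ == "__main__":
    inst = build_instances()
    area_a = [f"192.168.20.{i}" for i in range(1, 255)]   # constructed: 254 hosts in area A
    area_b = [f"10.0.0.{i}" for i in range(1, 255)]       # constructed: 254 hosts in area B
    print("no-PAT hosts served:", hosts_served(inst["nat1"], area_a))   # 101 of 254
    print("PAT hosts served:", hosts_served(inst["nat2"], area_b))      # 254 of 254
```

The first area A host mapped to 11.11.11.100 corresponds to the NoPAT Public IP shown for CPE 192.168.20.100 in the display nat user-information output above; once the no-PAT pool is exhausted, further hosts get no translation, which is the failure mode to watch in the Session Limit Discard and drop counters.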

Example for Configuring NAT to Translate Both the Source and Destination IP Addresses

This section provides an example for configuring NAT to translate both the source and destination IP addresses when Internet users access an internal server.

Networking Requirements

In Figure 1-55, NAT-Device functions as the gateway of an enterprise, and the FTP server is an internal server on the enterprise network. Users on the Internet want to access the FTP server on the private network. During the access process, the public IP addresses are also translated, so that no public network routes need to be imported into the private network. The peer device connected to NAT-Device is assigned an IP address of 11.11.1.2.

Figure 1-55 shows IP addresses of interfaces. The configuration requirements are as follows:
  • PCs on the Internet can access the FTP server inside the enterprise network.
  • NAT-Device does not import public network routes.
Figure 1-55  Networking for configuring NAT to translate both the source and destination IP addresses
NOTE:

In this example, interface 1 and interface 2 stand for GE 0/2/0 and GE 0/2/1, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure an internal server.
  3. Enable the NAT ALG function for FTP.
  4. Configure a NAT diversion policy.
  5. Apply the NAT diversion policy.
  6. Configure static routes.
Data Preparation

To complete the configuration, you need the following data:

  • NAT instance names (nat1 and nat2) and indexes (1 and 2)
  • NAT instance named nat1: NAT address pool name (address-group1), address pool number (1), a range of public IP addresses (11.11.11.10 through 11.11.11.15); NAT instance named nat2: NAT address pool name (address-group2), address pool number (2), a range of public IP addresses (11.11.11.16 through 11.11.11.20)
  • ACL numbers (3001 and 3002)
  • Name (GE 0/2/0) and IP address (192.168.1.1/24) of a private network interface to which a NAT diversion policy is applied; name (GE 0/2/1) and IP address (11.11.11.1) of a public network interface to which a NAT diversion policy is applied
  • Internal server's advertised public IP address (11.11.11.10) and internal IP address (192.168.1.2)

Procedure

  1. Configure basic NAT functions.
    1. Create a VSM HA backup group and a VSM HA service instance group and bind a NAT service board to the VSM HA backup group.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit

      [~NAT-Device] service-location 1
      [*NAT-Device-service-location-1] location follow-forwarding-mode
      [*NAT-Device-service-location-1] commit
      [~NAT-Device-service-location-1] quit
      [~NAT-Device] service-instance-group group1
      [*NAT-Device-service-instance-group-group1] service-location 1
      [*NAT-Device-service-instance-group-group1] commit
      [~NAT-Device-service-instance-group-group1] quit

    2. Create NAT instances named nat1 and nat2 and bind the VSM HA service instance group to the NAT instances so that service traffic can be processed by the NAT service board.

      [~NAT-Device] nat instance nat1 id 1
      [*NAT-Device-nat-instance-nat1] service-instance-group group1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [*NAT-Device-nat-instance-nat2] service-instance-group group1
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

    3. Configure a NAT address pool.

      [~NAT-Device] nat instance nat1 id 1
      [~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.10 11.11.11.15
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 11.11.11.16 11.11.11.20
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

  2. Configure an internal server.

    [~NAT-Device] nat instance nat1
    [~NAT-Device-nat-instance-nat1] nat server-mode enable
    [~NAT-Device-nat-instance-nat1] nat server global 11.11.11.10 inside 192.168.1.2
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit

  3. Enable NAT ALG for FTP to translate the application-layer IP addresses and port numbers of traffic of the NAT instance named nat1.

    [~NAT-Device] nat instance nat1
    [~NAT-Device-nat-instance-nat1] nat alg ftp
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit

  4. Configure a NAT diversion policy.

    • Configure an ACL numbered 3001 with an ACL rule numbered 1, and an ACL-based traffic classification rule, so that only hosts on the 192.168.1.0/24 network segment can access the Internet.
    • Configure an ACL numbered 3002 with an ACL rule numbered 2, and an ACL-based traffic classification rule that matches any packet.
    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit
    [~NAT-Device] acl 3002
    [*NAT-Device-acl4-advance-3002] rule 2 permit ip source any
    [*NAT-Device-acl4-advance-3002] commit
    [~NAT-Device-acl4-advance-3002] quit

  5. Apply the NAT diversion policy.

    • Apply the traffic classification policy with ACL 3001 to the view of GE 0/2/1 on the public network side.
    • Apply the traffic classification policy with ACL 3002 to the view of GE 0/2/0 on the private network side.
    [~NAT-Device] interface gigabitEthernet 0/2/1
    [~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.11.1 24
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit
    [~NAT-Device] interface gigabitEthernet 0/2/0
    [~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.1.1 24
    [*NAT-Device-GigabitEthernet0/2/0] nat bind acl 3002 instance nat2
    [*NAT-Device-GigabitEthernet0/2/0] commit
    [~NAT-Device-GigabitEthernet0/2/0] quit

  6. Configure a default route as a static route and set the next hop address of the default route to 11.11.11.2.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
    [*NAT-Device] commit

  7. Verify the configuration.

    # Run the display nat server-map command to view the internal server information.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...              
    Slot: 9 
    Total number:  2.
      NAT Instance: nat1                                                                                                                  
      Protocol:ANY, VPN:--->-                                                                                                           
      Server:192.168.1.2[11.11.11.10]->ANY                                                                                                  
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:192.168.10.10
                                                                                                                                                                                                               
      NAT Instance: nat1                                                                                                                  
      Protocol:ANY, VPN:--->-                                                                                                           
      Server reverse:ANY->11.11.11.10[192.168.1.2]                                                                                          
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:192.168.10.10

NAT-Device Configuration File
# 
sysname NAT-Device 
# 
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat server-mode enable
 nat address-group address-group1 group-id 1 11.11.11.10 11.11.11.15
 nat server global 11.11.11.10 inside 192.168.1.2
#
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group2 group-id 2 11.11.11.16 11.11.11.20
 nat alg ftp 
#
acl number 3001 
 rule 1 permit ip source 192.168.1.0 0.0.0.255
#
acl number 3002 
 rule 2 permit ip source any
#
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 11.11.11.1 255.255.255.0 
 nat bind acl 3001 instance nat1
#
interface GigabitEthernet 0/2/0 
 undo shutdown 
 ip address 192.168.1.1 255.255.255.0 
 nat bind acl 3002 instance nat2 
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#
return

Example for Configuring Bidirectional NAT and Using Easy IP to Create an Internal Server

This section provides an example for configuring bidirectional NAT and using easy IP to create an internal server so that traffic of public network users and the public network server can be forwarded through NAT-Device.

Applicable Products and Versions

This example is applicable to NE20E-S series products running V800R010C00 and later versions.

Networking Requirements

In Figure 1-56, an enterprise deploys an FTP server on the Internet, and NAT-Device functions as the gateway of the enterprise network. To secure traffic transmission, the enterprise wants all traffic exchanged between public network users and the FTP server to be forwarded by NAT-Device, and neither the public network users nor the FTP server to learn the other's IP address.

Figure 1-56  Networking for configuring bidirectional NAT and using easy IP to create an internal server
NOTE:

In this example, interface 1 and interface 2 stand for GE 0/2/1 and GE 0/2/2, respectively.



Configuration Roadmap
  1. Configure basic NAT functions.
  2. Configure an internal server.
  3. Enable the FTP ALG function.
  4. Configure a NAT diversion policy.
  5. Apply the NAT diversion policy.
Data Preparation
  • NAT instance names (nat1 and nat2) and indexes (1 and 2)
  • NAT-Device's address pool names (address-group1 and address-group2) and address pool numbers (1 and 2), and easy-IP address range
  • ACL number (3001)
  • Names (GE 0/2/1 and GE 0/2/2) and IP addresses (1.1.1.1/24 and 2.1.1.1/24) of interfaces that apply a NAT diversion policy

Procedure

  1. Configure basic NAT functions.
    1. Create NAT instances named nat1 and nat2.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit

      [~NAT-Device] service-location 1
      [*NAT-Device-service-location-1] location follow-forwarding-mode
      [*NAT-Device-service-location-1] commit
      [~NAT-Device-service-location-1] quit
      [~NAT-Device] service-instance-group group1
      [*NAT-Device-service-instance-group-group1] service-location 1
      [*NAT-Device-service-instance-group-group1] commit
      [~NAT-Device-service-instance-group-group1] quit
      [~NAT-Device] nat instance nat1 id 1
      [*NAT-Device-nat-instance-nat1] service-instance-group group1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [*NAT-Device-nat-instance-nat2] service-instance-group group1
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

    2. Assign IP addresses to interfaces.

      [~NAT-Device] interface GigabitEthernet 0/2/1
      [~NAT-Device-GigabitEthernet0/2/1] ip address 1.1.1.1 24
      [*NAT-Device-GigabitEthernet0/2/1] commit
      [~NAT-Device-GigabitEthernet0/2/1] quit
      [~NAT-Device] interface GigabitEthernet 0/2/2
      [~NAT-Device-GigabitEthernet0/2/2] ip address 2.1.1.1 24
      [*NAT-Device-GigabitEthernet0/2/2] commit
      [~NAT-Device-GigabitEthernet0/2/2] quit

    3. Configure a NAT address pool in easy IP mode.

      [~NAT-Device] nat instance nat1 id 1
      [~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet0/2/1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 unnumbered interface GigabitEthernet0/2/2
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

  2. Configure an internal server.

    [~NAT-Device] nat instance nat1 id 1
    [~NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet0/2/1 ftp inside 2.1.1.2 ftp
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit
    [~NAT-Device] nat instance nat2 id 2
    [~NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet0/2/2 ftp inside 1.1.1.2 ftp
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  3. Enable the FTP ALG function.

    [~NAT-Device] nat instance nat1
    [~NAT-Device-nat-instance-nat1] nat alg ftp  
    [*NAT-Device-nat-instance-nat1] commit 
    [~NAT-Device-nat-instance-nat1] quit
    [~NAT-Device] nat instance nat2
    [~NAT-Device-nat-instance-nat2] nat alg ftp  
    [*NAT-Device-nat-instance-nat2] commit 
    [~NAT-Device-nat-instance-nat2] quit

  4. Configure a NAT diversion policy. Configure an ACL numbered 3001, an ACL rule numbered 1, and an ACL-based traffic classification rule to allow hosts to access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source any
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit

  5. Apply the NAT diversion policy. Apply the ACL-based traffic classification rule in the views of the outbound interfaces GE 0/2/1 and GE 0/2/2.

    [~NAT-Device] interface GigabitEthernet 0/2/1
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit
    [~NAT-Device] interface GigabitEthernet 0/2/2
    [*NAT-Device-GigabitEthernet0/2/2] nat bind acl 3001 instance nat2
    [*NAT-Device-GigabitEthernet0/2/2] commit
    [~NAT-Device-GigabitEthernet0/2/2] quit

  6. Verify the configuration.

    # Run the display nat server-map command to view server-map entries of all users accessing the internal server.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...                                                                 
    Slot: 9
    Total number:  4.                                                                                                                   
      NAT Instance: nat1                                                                                                                   
      Protocol:TCP, VPN:--->-                                                                                                           
      Server reverse:ANY->1.1.1.1:21[2.1.1.2:21]                                                                                  
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:2.1.1.2                                                                                                                 
                                                                                                                                        
      NAT Instance: nat1                                                                                                                   
      Protocol:TCP, VPN:--->-                                                                                                           
      Server:2.1.1.2:21[1.1.1.1:21]->ANY                                                                                          
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:2.1.1.2                                                                                                                 
                                                                                                                                        
      NAT Instance: nat2                                                                                                                   
      Protocol:TCP, VPN:--->-                                                                                                           
      Server reverse:ANY->2.1.1.1:21[1.1.1.2:21]                                                                                  
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:1.1.1.2                                                                                                                 
                                                                                                                                        
      NAT Instance: nat2                                                                                                                   
      Protocol:TCP, VPN:--->-                                                                                                           
      Server:1.1.1.2:21[2.1.1.1:21]->ANY                                                                                          
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP:1.1.1.2                                                                                                              
      ---------------------------------------------------------------------------

NAT-Device Configuration File
# 
sysname NAT-Device
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet0/2/1
 nat server protocol tcp global unnumbered interface GigabitEthernet0/2/1 ftp inside 2.1.1.2 ftp
 nat alg ftp
# 
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group2 group-id 2 unnumbered interface GigabitEthernet0/2/2
 nat server protocol tcp global unnumbered interface GigabitEthernet0/2/2 ftp inside 1.1.1.2 ftp
 nat alg ftp
#
acl number 3001
 rule 1 permit ip source any
# 
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 1.1.1.1 24
 nat bind acl 3001 instance nat1 
# 
interface GigabitEthernet 0/2/2 
 undo shutdown 
 ip address 2.1.1.1 24
 nat bind acl 3001 instance nat2
#
return

Example for Configuring an Enterprise Network to Be Dual-Homed to the Internet, with NAT and an Internal Server Deployed

This section provides an example for configuring two outbound interfaces on NAT-Device so that Internet users access the internal server's IP addresses through different outbound interfaces.

Applicable Products and Versions

This example is applicable to NE20E-S series products running V800R010C00 and later versions.

Networking Requirements

In Figure 1-57, NAT-Device functions as an enterprise network gateway and is dual-homed to the Internet through GE 0/2/1 and GE 0/2/2. NAT is configured to translate private IP addresses to public IP addresses. The enterprise network wants to provide an FTP server access service for Internet users. The FTP server is assigned two IP addresses of 192.168.1.1/24 and 192.168.1.2/24.

Figure 1-57 shows IP addresses of interfaces. The configuration requirements are as follows:
  • PCs on the Internet can access the FTP server inside the enterprise network.
  • Packets destined for 192.168.1.1 travel through GE 0/2/1, and packets destined for 192.168.1.2 travel through GE 0/2/2.
Figure 1-57  Networking for configuring an enterprise network to be dual-homed to the Internet, with NAT and an internal server deployed
NOTE:

In this example, interface 1, interface 2, and interface 3 stand for GE 0/2/0, GE 0/2/1, and GE 0/2/2, respectively.



Configuration Roadmap
  1. Configure basic NAT functions.
  2. Configure mapping for an internal server.
  3. Enable the NAT ALG function for the FTP protocol.
  4. Configure a NAT diversion policy.
  5. Apply the NAT diversion policy.
  6. Configure static routes.
Data Preparation
  • NAT instance name (nat1) and index (1)
  • Address pool name (address-group1) and ID (1)
  • ACL numbers (3001 and 3002)
  • Names (GE 0/2/1 and GE 0/2/2) and IP addresses (211.11.1.1/24 and 11.11.2.1/24) of interfaces that apply a NAT diversion policy
  • Private IP addresses (192.168.1.1 and 192.168.1.2) of an internal server

Procedure

  1. Configure basic NAT functions.
    1. Create NAT instances named nat1 and nat2.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit

      [~NAT-Device] service-location 1
      [*NAT-Device-service-location-1] location follow-forwarding-mode
      [*NAT-Device-service-location-1] commit
      [~NAT-Device-service-location-1] quit
      [~NAT-Device] service-instance-group group1
      [*NAT-Device-service-instance-group-group1] service-location 1
      [*NAT-Device-service-instance-group-group1] commit
      [~NAT-Device-service-instance-group-group1] quit
      [~NAT-Device] nat instance nat1 id 1
      [*NAT-Device-nat-instance-nat1] service-instance-group group1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [*NAT-Device-nat-instance-nat2] service-instance-group group1
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

    2. Assign IP addresses to interfaces.

      [~NAT-Device] interface GigabitEthernet 0/2/1
      [~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.1.1 24
      [*NAT-Device-GigabitEthernet0/2/1] commit
      [~NAT-Device-GigabitEthernet0/2/1] quit
      [~NAT-Device] interface GigabitEthernet 0/2/2
      [~NAT-Device-GigabitEthernet0/2/2] ip address 11.11.2.1 24
      [*NAT-Device-GigabitEthernet0/2/2] commit
      [~NAT-Device-GigabitEthernet0/2/2] quit

    3. Configure a NAT address pool.

      [~NAT-Device] nat instance nat1 id 1
      [~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [~NAT-Device-nat-instance-nat2] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/2
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

  2. Configure an internal server.

    [~NAT-Device] nat instance nat1 id 1
    [~NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 ftp inside 192.168.1.1 ftp
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit
    [~NAT-Device] nat instance nat2 id 2
    [~NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 ftp inside 192.168.1.2 ftp
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  3. Enable the NAT ALG function for FTP.

    [~NAT-Device] nat instance nat1
    [~NAT-Device-nat-instance-nat1] nat alg ftp
    [*NAT-Device-nat-instance-nat1] commit
    [~NAT-Device-nat-instance-nat1] quit
    [~NAT-Device] nat instance nat2
    [~NAT-Device-nat-instance-nat2] nat alg ftp
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  4. Configure a NAT diversion policy. Configure an ACL numbered 3001 with an ACL rule numbered 1, and an ACL-based traffic classification rule, so that only hosts on the network segment 192.168.0.200/24 can access the Internet.

    [~NAT-Device] acl 3001
    [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255
    [*NAT-Device-acl4-advance-3001] commit
    [~NAT-Device-acl4-advance-3001] quit

  5. Apply the NAT diversion policy. Apply the traffic classification rule with the ACL number 3001 to the view of the outbound interface named GE 0/2/1 and GE 0/2/2.

    [~NAT-Device] interface GigabitEthernet 0/2/1
    [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
    [*NAT-Device-GigabitEthernet0/2/1] commit
    [~NAT-Device-GigabitEthernet0/2/1] quit
    [~NAT-Device] interface GigabitEthernet 0/2/2
    [*NAT-Device-GigabitEthernet0/2/2] nat bind acl 3001 instance nat2
    [*NAT-Device-GigabitEthernet0/2/2] commit
    [~NAT-Device-GigabitEthernet0/2/2] quit

  6. Configure static routes so that packets with the next-hop IP address of 11.11.1.2 are sent through GE 0/2/1 and those with the next-hop IP address of 11.11.2.2 are sent through GE 0/2/2.

    [~NAT-Device] ip route-static 11.11.1.2 32 GigabitEthernet 0/2/1
    [*NAT-Device] ip route-static 11.11.2.2 32 GigabitEthernet 0/2/2
    [*NAT-Device] commit

  7. Verify the configuration.

    # Run the display nat server-map command to view the internal server information.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...              
    Slot: 9 
    Total number:  4.
      NAT Instance: nat1                                                                                                                
      Protocol:ANY, VPN:--->-                                                                                                           
      Server: 192.168.1.1 [11.11.1.1]->ANY                                                                                          
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP: 192.168.1.1
                                                                                                                                         
      NAT Instance: nat1                                                                                                                
      Protocol:ANY, VPN:--->-                                                                                                           
      Server reverse:ANY->11.11.1.1 [192.168.1.1]                                                                                   
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP: 192.168.1.1  
      
      NAT Instance: nat2                                                                                                                
      Protocol:ANY, VPN:--->-                                                                                                           
      Server: 192.168.1.2 [11.11.2.1]->ANY                                                                                          
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP: 192.168.1.2 
                                                                                                                                                                                                               
      NAT Instance: nat2                                                                                                                
      Protocol:ANY, VPN:--->-                                                                                                           
      Server reverse:ANY->11.11.2.1 [192.168.1.2]                                                                                   
      Tag:0x0, TTL:-, Left-Time:-                                                                                                       
      CPE IP: 192.168.1.2

NAT-Device Configuration File
# 
sysname NAT-Device 
# 
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
 nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 ftp inside 192.168.1.1 ftp
 nat alg ftp
# 
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/2
 nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 ftp inside 192.168.1.2 ftp
 nat alg ftp
#
acl number 3001 
 rule 1 permit ip source 192.168.1.0 0.0.0.255
# 
interface GigabitEthernet 0/2/1 
 undo shutdown 
 ip address 11.11.1.1 255.255.255.0
 nat bind acl 3001 instance nat1 
#
interface GigabitEthernet 0/2/2 
 undo shutdown 
 ip address 11.11.2.1 255.255.255.0
 nat bind acl 3001 instance nat2 
#  
ip route-static 11.11.1.2 32 GigabitEthernet 0/2/1
ip route-static 11.11.2.2 32 GigabitEthernet 0/2/2
#  
return

Example for Configuring IPoEoVLAN Access Together with NAT

This section provides an example for configuring IPoEoVLAN access together with NAT so that home users can access the Internet through NAT processing.

Applicable Products and Versions

This example is applicable to NE20E-S series products running V800R010C00 and later versions.

Networking Requirements

In Figure 1-58, home users access a BRAS using IPoE. The BRAS implements user authentication, authorization, and accounting. It also provides the NAT service to convert between the private and public IP addresses of home users, so that the home users can access the Internet.

Home users of user group 1 can access the Internet.

Figure 1-58  Example for configuring IPoEoVLAN access together with NAT
NOTE:

In this example, interface 1 stands for Eth-Trunk2.1.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic NAT functions.
  2. Configure NAT user information.
  3. Configure a NAT diversion policy.
  4. Configure a BAS interface.
Data Preparation
  • Name of a NAT instance
  • NAT address pool's number and start and end IP addresses
  • User group name
  • ACL and UCL numbers
  • NAT traffic diversion policy information

Procedure

  1. Create a NAT instance named nat1.

    <HUAWEI> system-view
    [~HUAWEI] service-location 1
    [*HUAWEI-service-location-1] location follow-forwarding-mode
    [*HUAWEI-service-location-1] commit
    [~HUAWEI-service-location-1] quit
    [~HUAWEI] service-instance-group group1
    [*HUAWEI-service-instance-group-group1] service-location 1
    [*HUAWEI-service-instance-group-group1] commit
    [~HUAWEI-service-instance-group-group1] quit
    [~HUAWEI] nat instance nat1 id 1
    [*HUAWEI-nat-instance-nat1] service-instance-group group1
    [*HUAWEI-nat-instance-nat1] commit
    [~HUAWEI-nat-instance-nat1] quit

  2. Configure a NAT address pool.

    [~HUAWEI] nat instance nat1 id 1
    [~HUAWEI-nat-instance-nat1] nat address-group address-group1 group-id 1 11.1.1.1 mask 26
    [*HUAWEI-nat-instance-nat1] commit
    [~HUAWEI-nat-instance-nat1] quit

  3. Configure NAT user information.
    1. Create a user group named group1.

      [~HUAWEI] user-group group1
      [*HUAWEI] commit

    2. Configure the BRAS service to enable users to go online. For details, see HUAWEI NE20E Configuration Guide - User Access.

      [~HUAWEI] ip pool pool1 bas local
      [*HUAWEI-ip-pool-pool1] gateway 100.64.0.1 255.255.0.0
      [*HUAWEI-ip-pool-pool1] section 0 100.64.0.2 100.64.255.254
      [*HUAWEI-ip-pool-pool1] dns-server 192.168.8.2
      [*HUAWEI-ip-pool-pool1] commit
      [~HUAWEI-ip-pool-pool1] quit
      [~HUAWEI] radius-server group rd1
      [*HUAWEI-radius-rd1] radius-server authentication 192.168.8.9 1812
      [*HUAWEI-radius-rd1] radius-server accounting 192.168.8.9 1813
      [*HUAWEI-radius-rd1] radius-server type standard
      [*HUAWEI-radius-rd1] radius-server shared-key-cipher huawei@123
      [*HUAWEI-radius-rd1] commit
      [~HUAWEI-radius-rd1] quit
      [~HUAWEI] aaa
      [~HUAWEI-aaa] authentication-scheme auth1
      [*HUAWEI-aaa-authen-auth1] authentication-mode radius
      [*HUAWEI-aaa-authen-auth1] commit
      [~HUAWEI-aaa-authen-auth1] quit
      [~HUAWEI-aaa] accounting-scheme acct1
      [*HUAWEI-aaa-accounting-acct1] accounting-mode radius
      [*HUAWEI-aaa-accounting-acct1] commit
      [~HUAWEI-aaa-accounting-acct1] quit
      [~HUAWEI-aaa] domain isp1
      [*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
      [*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
      [*HUAWEI-aaa-domain-isp1] radius-server group rd1
      [*HUAWEI-aaa-domain-isp1] ip-pool pool1
      [*HUAWEI-aaa-domain-isp1] user-group group1
      [*HUAWEI-aaa-domain-isp1] commit
      [~HUAWEI-aaa-domain-isp1] quit
      [~HUAWEI-aaa] quit

  4. Configure a traffic classification rule, a NAT behavior, and a NAT traffic policy and apply the policy.

    NOTE:

    Configure UCLs for user traffic in distributed NAT scenarios. A UCL number ranges from 6000 to 9999.

    1. Configure an ACL-based traffic classification rule and set the ACL number to 6001 and the ACL rule number to 1.

      [~HUAWEI] acl number 6001
      [*HUAWEI-acl-ucl-6001] rule 1 permit ip source user-group group1
      [*HUAWEI-acl-ucl-6001] commit
      [~HUAWEI-acl-ucl-6001] quit

    2. Configure a traffic classifier.

      [~HUAWEI] traffic classifier c1 operator or
      [*HUAWEI-classifier-c1] if-match acl 6001
      [*HUAWEI-classifier-c1] commit
      [~HUAWEI-classifier-c1] quit

    3. Configure a traffic behavior named b1 and bind the traffic behavior to the NAT instance named nat1.

      [~HUAWEI] traffic behavior b1
      [*HUAWEI-behavior-b1] nat bind instance nat1
      [*HUAWEI-behavior-b1] commit
      [~HUAWEI-behavior-b1] quit

    4. Configure a NAT diversion policy and associate the ACL rule with the traffic behavior.

      [~HUAWEI] traffic policy p1
      [*HUAWEI-trafficpolicy-p1] share-mode
      [*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 precedence 1
      [*HUAWEI-trafficpolicy-p1] commit
      [~HUAWEI-trafficpolicy-p1] quit

    5. Apply the NAT diversion policy in the system view.

      [~HUAWEI] traffic-policy p1 inbound
      [*HUAWEI] commit

  5. Configure a BAS interface.

    [~HUAWEI] interface Eth-Trunk 2.1
    [*HUAWEI-Eth-Trunk2.1] user-vlan 1 2
    [*HUAWEI-Eth-Trunk2.1-1-2] quit
    [*HUAWEI-Eth-Trunk2.1] bas
    [*HUAWEI-Eth-Trunk2.1-bas] access-type layer2-subscriber default-domain authentication isp1
    [*HUAWEI-Eth-Trunk2.1-bas] client-option82
    [*HUAWEI-Eth-Trunk2.1-bas] option82-relay-mode include allvalue
    [*HUAWEI-Eth-Trunk2.1-bas] authentication-method bind
    [*HUAWEI-Eth-Trunk2.1-bas] commit
    [~HUAWEI-Eth-Trunk2.1-bas] quit
    [~HUAWEI-Eth-Trunk2.1] quit

Configuration Files
  • BRAS configuration file

    service-location 1
     location follow-forwarding-mode
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1
     service-instance-group group1
     nat address-group group1 group-id 1 11.1.1.1 mask 26
    #
    radius-server group rd1
     radius-server shared-key-cipher huawei@123
     radius-server authentication 192.168.8.9 1812 weight 0
     radius-server accounting 192.168.8.9 1813 weight 0
     radius-server type standard
    #
    ip pool pool1 bas local
     gateway 100.64.0.1 255.255.0.0
     section 0 100.64.0.2 100.64.255.254
     dns-server 192.168.8.2
    #
    aaa
     authentication-scheme auth1
     #
     accounting-scheme acct1
     #
     domain isp1
      authentication-scheme auth1
      accounting-scheme acct1
      radius-server group rd1
      ip-pool pool1
      user-group group1
     #
     user-group group1
    #
    acl number 6001
     rule 1 permit ip source user-group group1
    #
    traffic classifier c1 operator or
     if-match acl 6001
    #
    traffic behavior b1
     nat bind instance nat1
    #
    traffic policy p1
     share-mode
     classifier c1 behavior b1 precedence 1
    #
    traffic-policy p1 inbound
    #
    interface Eth-Trunk2.1
     user-vlan 1 2
     #
     bas
      access-type layer2-subscriber default-domain authentication isp1
      client-option82
      option82-relay-mode include allvalue
      authentication-method bind
     #
    #
    return
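Step 4 above builds a chain of objects (UCL 6001, classifier c1, behavior b1, NAT instance nat1, policy p1) and the domain isp1 ties the user group, schemes and RADIUS group together; a typo in any one name silently leaves user traffic outside the NAT instance. The following script is an added example, not Huawei code or a tool shipped with this document: it parses an abridged copy of the BRAS configuration file above (constructed input) and reports every reference that does not resolve, every user-group ACL outside the UCL range 6000-9999, and any RADIUS group whose shared key is not stored in cipher form. The helper names parse_config and check_config are this example's own.

```python
"""Added consistency check (not Huawei's tooling) for the BRAS configuration
file above: parse the indented file and verify that the NAT diversion chain
(UCL -> classifier -> behavior -> NAT instance -> policy) and the AAA domain
reference only objects the file defines.  parse_config/check_config are ours."""

# Block headers that define an object: (first two tokens) -> kind; the name is token 3.
DEFS = {("acl", "number"): "acl", ("traffic", "classifier"): "classifier",
        ("traffic", "behavior"): "behavior", ("traffic", "policy"): "policy",
        ("nat", "instance"): "nat", ("radius-server", "group"): "radius"}
# Objects the aaa view defines and a domain view references; the name is token 2.
KIND = {"authentication-scheme": "auth", "accounting-scheme": "acct",
        "user-group": "user-group", "domain": "domain"}

# Constructed input: an abridged copy of the page's BRAS configuration file.
PAGE_CONFIG = """\
nat instance nat1 id 1
 nat address-group group1 group-id 1 11.1.1.1 mask 26
#
radius-server group rd1
 radius-server shared-key-cipher huawei@123
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  user-group group1
 user-group group1
#
acl number 6001
 rule 1 permit ip source user-group group1
#
traffic classifier c1 operator or
 if-match acl 6001
#
traffic behavior b1
 nat bind instance nat1
#
traffic policy p1
 classifier c1 behavior b1 precedence 1
#
traffic-policy p1 inbound
#
return
"""


def parse_config(text):
    # Indentation tree of (command, children); '#' and 'return' lines carry no config.
    root, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (line, [])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root


def check_config(text):
    """Return a list of findings; an empty list means every reference resolves."""
    defined, refs, findings = {}, [], []
    define = lambda kind, name: defined.setdefault(kind, set()).add(name)
    for cmd, kids in parse_config(text):
        w, sub = cmd.split(), [k.split() for k, _ in kids]
        if tuple(w[:2]) in DEFS:
            define(DEFS[tuple(w[:2])], w[2])
        for s in sub:                                   # references inside each block
            if w[:2] == ["acl", "number"] and "user-group" in s:
                refs.append(("user-group", s[s.index("user-group") + 1], cmd))
                if not 6000 <= int(w[2]) <= 9999:       # user-group rules need a UCL
                    findings.append(f"{cmd}: user-group rule needs a UCL number (6000-9999)")
            elif s[:2] == ["if-match", "acl"]:
                refs.append(("acl", s[2], cmd))
            elif s[:3] == ["nat", "bind", "instance"]:
                refs.append(("nat", s[3], cmd))
            elif w[:2] == ["traffic", "policy"] and s[0] == "classifier":
                refs += [(k, s[s.index(k) + 1], cmd) for k in ("classifier", "behavior")]
        if w[0] == "traffic-policy":                    # policy applied in the system view
            refs.append(("policy", w[1], cmd))
        elif w[:2] == ["radius-server", "group"] and not any(
                s[1:2] == ["shared-key-cipher"] for s in sub):
            findings.append(f"{cmd}: shared key missing or not stored in cipher form")
        elif w == ["aaa"]:
            for (k, gk), s in zip(kids, sub):
                define(KIND.get(s[0], s[0]), s[1])
                for d in (d.split() for d, _ in gk):    # references made inside a domain
                    if d[:2] == ["radius-server", "group"]:
                        refs.append(("radius", d[2], k))
                    elif d[0] in KIND:
                        refs.append((KIND[d[0]], d[1], k))
    for kind, name, where in refs:
        if name not in defined.get(kind, set()):
            findings.append(f"{where}: {kind} '{name}' is referenced but never defined")
    return findings
```

Run check_config on the text of `display current-configuration` before applying the traffic policy; a non-empty list points at the block whose name does not match. The parser only understands the indentation and '#' separators shown in this document's configuration files, and the checks cover the objects used by this example, not the full command set.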
Updated: 2019-05-16

Document ID: EDOC1000120969
