Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring Campus Dual-Uplink NAT and an Internal Server (Different Public IP Addresses Are Used Based on Different Outbound Interfaces)

This section provides an example for configuring campus dual-uplink NAT and an internal server so that each internal host accesses an Internet server and an internal server through different outbound interfaces.

Applicable Products and Versions

This example is applicable to NE20E-S series products running V800R010C00 and later versions.

Networking Requirements

In Figure 1-24, NAT-Device's GE 0/2/0 connects to a campus network, GE 0/2/2 connects to an education network, and GE 0/2/1 connects to the Internet. Hosts on the private network access the education network through GE 0/2/2, and other traffic is sent out through GE 0/2/1 over a default route.

The campus network server provides web services. Its private IP address is 192.168.1.2/24, domain name is www.test.edu.cn, and public IP address is 2.1.1.6. Hosts on the Internet and campus network want to access the server through the domain name or the public IP address of 2.1.1.6. In addition, hosts on the campus network want to freely access the Internet and education network through NAT-Device. GE 0/2/2's peer IP address is 2.1.1.2/24, and GE 0/2/1's peer IP address is 1.1.1.2/24.

Based on the network plan, hosts on non-education networks can access the education network only through a dedicated channel. Therefore, all extranet users, whether on the education network or not, access the campus network through GE 0/2/2. Packets whose source IP address belongs to the education network (for example, 2.1.1.6/24) are blocked by the carrier if they are sent through GE 0/2/1, so traffic from the internal server must not leave through the Internet uplink.

Figure 1-24  Networking for configuring campus dual-uplink NAT and an internal server
NOTE:

In this example, interface 1, interface 2, and interface 3 stand for GE 0/2/0, GE 0/2/1, and GE 0/2/2, respectively.



Configuration Roadmap

  1. Configure basic NAT functions.
  2. Configure an internal server.
  3. Enable the DNS ALG function.
  4. Configure the DNS mapping function.
  5. Configure redirection.
  6. Configure a NAT diversion policy.
  7. Apply the NAT diversion policy.
  8. Configure a static route.

Data Preparation

  • NAT instance names (nat1 and nat2), indexes (1 and 2), and public address pool and education network address pool assigned to nat1 and nat2, respectively
  • NAT-Device's address pool names (address-group1 and address-group2) and address pool numbers (1 and 2)
  • ACL numbers (3001, 3002, 3003, and 3004)
  • Names (GE 0/2/0, GE 0/2/2, and GE 0/2/1) and IP addresses (192.168.1.1/24, 2.1.1.1/24, and 1.1.1.1/24) of the interfaces to which the NAT diversion policy is applied
  • Private IP address (192.168.1.2) of an internal server

Procedure

  1. Configure basic NAT functions.
    1. Create NAT instances named nat1 and nat2.

      <HUAWEI> system-view
      [~HUAWEI] sysname NAT-Device
      [*HUAWEI] commit
      

      [~NAT-Device] service-location 1
      [*NAT-Device-service-location-1] location follow-forwarding-mode
      [*NAT-Device-service-location-1] commit
      [~NAT-Device-service-location-1] quit
      [~NAT-Device] service-instance-group group1
      [*NAT-Device-service-instance-group-group1] service-location 1
      [*NAT-Device-service-instance-group-group1] commit
      [~NAT-Device-service-instance-group-group1] quit
      [~NAT-Device] nat instance nat1 id 1
      [*NAT-Device-nat-instance-nat1] service-instance-group group1
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [*NAT-Device-nat-instance-nat2] service-instance-group group1
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

    2. Configure NAT address pools.

      • In the NAT instance named nat1, configure an address pool used in NAT processing to access non-education network addresses on the Internet.
      • In the NAT instance named nat2, configure an address pool used in NAT processing to access education network addresses.
      [~NAT-Device] nat instance nat1 id 1
      [~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 1.1.1.50 1.1.1.100
      [*NAT-Device-nat-instance-nat1] commit
      [~NAT-Device-nat-instance-nat1] quit
      [~NAT-Device] nat instance nat2 id 2
      [~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 2.1.1.50 2.1.1.100
      [*NAT-Device-nat-instance-nat2] commit
      [~NAT-Device-nat-instance-nat2] quit

  2. Configure an internal server in the NAT instance named nat2 so that private network users access the internal server with the public IP address of 2.1.1.6.

    [~NAT-Device] nat instance nat2 id 2
    [~NAT-Device-nat-instance-nat2] nat server global 2.1.1.6 inside 192.168.1.2
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  3. Enable DNS ALG in the NAT instance named nat2.

    [~NAT-Device] nat instance nat2
    [~NAT-Device-nat-instance-nat2] nat alg dns
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  4. Configure DNS mapping in the NAT instance named nat2 so that NAT translates private and public IP addresses mapped to the DNS domain name before the DNS server resolves the address of the internal server.

    [~NAT-Device] nat instance nat2
    [~NAT-Device-nat-instance-nat2] nat dns-mapping domain www.test.edu.cn global-address 2.1.1.6 inside-address 192.168.1.2
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  5. Configure redirection.

    [~NAT-Device] nat instance nat2
    [~NAT-Device-nat-instance-nat2] redirect ip-nexthop 2.1.1.2 outbound
    [*NAT-Device-nat-instance-nat2] commit
    [~NAT-Device-nat-instance-nat2] quit

  6. Configure a NAT diversion policy.
    1. Configure an ACL numbered 3001 to allow hosts on the campus network segment of 192.168.1.0/24 to access the Internet.

      [~NAT-Device] acl 3001
      [*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255
      [*NAT-Device-acl4-advance-3001] commit
      [~NAT-Device-acl4-advance-3001] quit

    2. Configure an ACL numbered 3002 to allow private network hosts to access the internal server with the public IP address of 2.1.1.6. Only services initiated from the private network are processed by NAT on GE 0/2/0.

      [~NAT-Device] acl 3002
      [*NAT-Device-acl4-advance-3002] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 2.1.1.6 0
      [*NAT-Device-acl4-advance-3002] commit
      [~NAT-Device-acl4-advance-3002] quit

    3. Configure an ACL numbered 3003 that matches data sent by the internal server to private network hosts to prevent the data from being redirected to the outbound interface of the education network.

      [~NAT-Device] acl 3003
      [*NAT-Device-acl4-advance-3003] rule 1 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255
      [*NAT-Device-acl4-advance-3003] commit
      [~NAT-Device-acl4-advance-3003] quit

    4. Configure an ACL numbered 3004 that matches data sent by the internal server to the Internet and redirected to the outbound interface of the education network.

      [~NAT-Device] acl 3004
      [*NAT-Device-acl4-advance-3004] rule 1 permit ip source 192.168.1.2 0
      [*NAT-Device-acl4-advance-3004] commit
      [~NAT-Device-acl4-advance-3004] quit

    5. Configure a traffic classifier for data that does not need to be redirected.

      [~NAT-Device] traffic classifier permitover operator or
      [*NAT-Device-classifier-permitover] if-match acl 3003
      [*NAT-Device-classifier-permitover] commit
      [~NAT-Device-classifier-permitover] quit

    6. Configure a traffic classifier for data that needs to be redirected.

      [~NAT-Device] traffic classifier redirectover operator or
      [*NAT-Device-classifier-redirectover] if-match acl 3004
      [*NAT-Device-classifier-redirectover] commit
      [~NAT-Device-classifier-redirectover] quit

    7. Define a traffic behavior named permitover as permit.

      [~NAT-Device] traffic behavior permitover
      [*NAT-Device-behavior-permitover] commit
      [~NAT-Device-behavior-permitover] quit

    8. Define a traffic behavior named redirectover as redirect.

      [~NAT-Device] traffic behavior redirectover
      [*NAT-Device-behavior-redirectover] redirect ip-nexthop 2.1.1.2
      [*NAT-Device-behavior-redirectover] commit
      [~NAT-Device-behavior-redirectover] quit

    9. Bind the classifiers and behaviors to a traffic policy named redirect. The policy first matches data sent by the internal server to private network hosts (which is permitted without redirection) and then data to be redirected to the education network; the classifiers are evaluated in this order.

      [~NAT-Device] traffic policy redirect
      [*NAT-Device-trafficpolicy-redirect] classifier permitover behavior permitover
      [*NAT-Device-trafficpolicy-redirect] classifier redirectover behavior redirectover
      [*NAT-Device-trafficpolicy-redirect] commit
      [~NAT-Device-trafficpolicy-redirect] quit

  7. Apply the NAT diversion policy.
    1. Apply the NAT diversion policy named redirect to GE 0/2/0 to perform redirection for incoming data and bind the policy to the NAT instance named nat2.

      [~NAT-Device] interface GigabitEthernet 0/2/0
      [~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.1.1 255.255.255.0
      [*NAT-Device-GigabitEthernet0/2/0] traffic-policy redirect inbound
      [*NAT-Device-GigabitEthernet0/2/0] nat bind acl 3002 instance nat2
      [*NAT-Device-GigabitEthernet0/2/0] commit
      [~NAT-Device-GigabitEthernet0/2/0] quit

    2. Apply the traffic classification policy to GE 0/2/2, perform NAT on the outbound interface of the education network, and bind the policy to the NAT instance nat2.

      [~NAT-Device] interface GigabitEthernet 0/2/2
      [~NAT-Device-GigabitEthernet0/2/2] ip address 2.1.1.1 255.255.255.0
      [*NAT-Device-GigabitEthernet0/2/2] nat bind acl 3001 instance nat2
      [*NAT-Device-GigabitEthernet0/2/2] commit
      [~NAT-Device-GigabitEthernet0/2/2] quit

    3. Apply the traffic classification policy to GE 0/2/1, perform NAT for private network traffic sent to a non-education network, and bind the policy to the NAT instance nat1.

      [~NAT-Device] interface GigabitEthernet 0/2/1
      [~NAT-Device-GigabitEthernet0/2/1] ip address 1.1.1.1 255.255.255.0
      [*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
      [*NAT-Device-GigabitEthernet0/2/1] commit
      [~NAT-Device-GigabitEthernet0/2/1] quit

  8. Configure a static route.

    [~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    [*NAT-Device] commit

  9. Verify the configuration.

    # Run the display nat server-map command to view server-map entries of all users accessing the internal server.

    [~NAT-Device] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...
    Slot: 9
    Total number:  2.
      NAT Instance: nat2
      Protocol:ANY, VPN:--->-
      Server reverse:ANY->2.1.1.6 [192.168.1.2]
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP: 192.168.1.2

      NAT Instance: nat2
      Protocol:ANY, VPN:--->-
      Server reverse:ANY->1.168.101.1 [192.168.1.2]
      Tag:0x0, TTL:-, Left-Time:-
      CPE IP: 192.168.1.2

    Verify that education network users and non-education network users can access the campus network server through the domain name www.test.edu.cn or the public IP address 2.1.1.6.

    Verify that private network users can access the campus network server through the domain name www.test.edu.cn or the public IP address 2.1.1.6.

    Verify that private network users can access the Internet.
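As an added illustration that is not part of the Huawei document, the following Python model reproduces the decision NAT-Device makes for a packet arriving on GE 0/2/0 under the ACLs, traffic policy, NAT bindings and routes configured above: Huawei wildcard-mask ACL matching, first-match evaluation of the classifiers in the policy named redirect, and the per-uplink NAT binding with the internal server's static mapping. It assumes only the connected routes and the default route shown on this page; the Internet host 203.0.113.9 and the education network host 2.1.1.77 are constructed sample addresses, and real NE20E forwarding has more stages than this simplified model.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Huawei ACL semantics: wildcard bits set to 1 are "don't care" bits
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL rules exactly as configured on NAT-Device: (src, src-wildcard, dst, dst-wildcard)
ACLS = {
    3001: ("192.168.1.0", "0.0.0.255", None, None),
    3002: ("192.168.1.0", "0.0.0.255", "2.1.1.6", "0.0.0.0"),
    3003: ("192.168.1.2", "0.0.0.0", "192.168.1.0", "0.0.0.255"),
    3004: ("192.168.1.2", "0.0.0.0", None, None),
}

def acl_permits(number, src, dst):
    s, sw, d, dw = ACLS[number]
    return wildcard_match(src, s, sw) and (d is None or wildcard_match(dst, d, dw))

# traffic policy "redirect" (inbound on GE 0/2/0): classifiers in configured order,
# first match wins; None means behavior "permit", otherwise the redirect next hop
POLICY = [(3003, None), (3004, "2.1.1.2")]
# connected routes of the three interfaces plus the static default route (all from the page)
ROUTES = [("192.168.1.0/24", "GE0/2/0"), ("2.1.1.0/24", "GE0/2/2"),
          ("1.1.1.0/24", "GE0/2/1"), ("0.0.0.0/0", "GE0/2/1")]
INBOUND_BIND = {"GE0/2/0": (3002, "nat2")}     # nat bind acl 3002 instance nat2
OUTBOUND_BIND = {"GE0/2/2": (3001, "nat2"), "GE0/2/1": (3001, "nat1")}
POOL = {"nat1": "address-group1", "nat2": "address-group2"}   # simplified: pool name, not an address
SERVER_MAP = {"nat2": {"2.1.1.6": "192.168.1.2"}}             # nat server global -> inside

def egress_interface(ip):
    # longest-prefix match over ROUTES
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in ROUTES
            if addr in ipaddress.ip_network(p)]
    return max(hits)[1]

def forward(src, dst, policy=POLICY):
    """Model one packet entering GE 0/2/0: (egress interface, new source, new destination)."""
    # 1. inbound binding on GE 0/2/0: private host -> public address of the internal server (hairpin)
    acl, inst = INBOUND_BIND["GE0/2/0"]
    if acl_permits(acl, src, dst):
        new_dst = SERVER_MAP[inst][dst]
        return egress_interface(new_dst), POOL[inst], new_dst
    # 2. inbound traffic policy: a redirect next hop overrides the routing table
    next_hop = next((nh for acl, nh in policy if acl_permits(acl, src, dst)), None)
    egress = egress_interface(next_hop or dst)
    # 3. outbound NAT binding on the chosen uplink: the internal server keeps its static
    #    public address (server map); other private hosts get an address from the pool
    new_src = src
    if egress in OUTBOUND_BIND and acl_permits(OUTBOUND_BIND[egress][0], src, dst):
        inst = OUTBOUND_BIND[egress][1]
        inside_to_global = {v: k for k, v in SERVER_MAP.get(inst, {}).items()}
        new_src = inside_to_global.get(src, POOL[inst])
    return egress, new_src, dst
```

Calling forward("192.168.1.2", "203.0.113.9", policy=[]) shows why ACL 3004 and the redirect exist: without them the server's reply to an Internet client would leave through GE 0/2/1 with a nat1 pool address instead of leaving through GE 0/2/2 as 2.1.1.6.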

NAT-Device Configuration File

#
sysname NAT-Device
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 1.1.1.50 1.1.1.100
#
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group2 group-id 2 2.1.1.50 2.1.1.100
 nat server global 2.1.1.6 inside 192.168.1.2
 nat dns-mapping domain www.test.edu.cn global-address 2.1.1.6 inside-address 192.168.1.2
 redirect ip-nexthop 2.1.1.2 outbound
 nat alg dns
#
acl number 3001
 rule 1 permit ip source 192.168.1.0 0.0.0.255
#
acl number 3002
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 2.1.1.6 0
#
acl number 3003
 rule 1 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255
#
acl number 3004
 rule 1 permit ip source 192.168.1.2 0
#
traffic classifier permitover operator or
 if-match acl 3003
#
traffic classifier redirectover operator or
 if-match acl 3004
#
traffic behavior permitover
#
traffic behavior redirectover
 redirect ip-nexthop 2.1.1.2
#
traffic policy redirect
 classifier permitover behavior permitover
 classifier redirectover behavior redirectover
#
interface GigabitEthernet 0/2/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
 traffic-policy redirect inbound
 nat bind acl 3002 instance nat2
#
interface GigabitEthernet 0/2/2
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
 nat bind acl 3001 instance nat2
#
interface GigabitEthernet 0/2/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 nat bind acl 3001 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
return
Updated: 2019-05-16

Document ID: EDOC1000120969