
Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring NAT

Configuring Dynamic NAT

Configuring ACL Rules

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl [ number ] acl-number [ match-order { auto | config } ]

    An ACL with the specified number is created and the ACL view is displayed.

  3. Configure basic or advanced ACLs as required. For details, see Configuring a Basic ACL or Configuring an Advanced ACL.

    NOTE:

    Only basic ACLs (2000 to 2999) and advanced ACLs (3000 to 3999) can be referenced by the NAT function.

    1. Packets whose source IP address matches a permit rule in the ACL are translated using the address pool (or, for Easy IP, the address of the outbound interface).

    2. Packets that match a deny rule, or that match no permit rule at all, are not translated: the NAT policy referencing the ACL does not apply to them, and the device simply forwards them according to its routing table. Because the ACL decides exactly which internal sources may reach the outside through the translated address, keep its permit rules as narrow as the intranet address plan allows.

Configuring Outbound NAT

Context

The address pool used by outbound NAT is a set of public IP addresses reserved for dynamic NAT. Each time dynamic NAT translates a new session, it selects an address from this pool.

Intranet users reach external networks through dynamic NAT in one of two modes, chosen according to the public IP address plan:

  • If public IP addresses remain after the outbound interfaces and other applications on the NAT device have been assigned theirs, use outbound NAT with an address pool.
  • If no public IP address remains after the outbound interfaces and other applications have been assigned theirs, use Easy IP, which performs dynamic NAT with the IP address of the outbound interface itself.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure outbound NAT. Users can choose one of the following configuration methods based on actual situations:
    • Configure outbound NAT with an address pool.
      1. Run nat address-group group-index start-address end-address

        A public address pool is configured.

      2. Run interface interface-type interface-number

        The interface view is displayed.

      3. Run nat outbound acl-number address-group group-index [ no-pat ]

        Outbound NAT that references the address pool is configured. By default the device also translates the source port (NAPT), so many internal hosts can share one pool address. With no-pat it translates addresses one-to-one and leaves ports untouched, so each concurrently active internal host occupies a whole pool address and new sessions fail once the pool is exhausted; use no-pat only for applications that cannot tolerate port translation.

    • Configure Easy IP without an address pool.
      1. Run interface interface-type interface-number

        The interface view is displayed.

      2. Run nat outbound acl-number [ interface interface-type interface-number ]

        Easy IP is configured.
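
The two procedures above (ACL rules, then outbound NAT), written out end to end as an added example; this is not configuration taken from the guide. It assumes the sysname AP, the intranet subnet 192.168.10.0/24, the public pool 203.0.113.10 to 203.0.113.12 and the outside interface GigabitEthernet0/0/0. Lines beginning with # are annotations, not commands.

```text
<AP> system-view
# ACL 2000 decides which internal sources are translated: the intranet subnet only.
# Packets not matched by the permit rule are forwarded untranslated, i.e. they leave
# with a private source address and never get a reply.
[AP] acl number 2000
[AP-acl-basic-2000] rule 5 permit source 192.168.10.0 0.0.0.255
[AP-acl-basic-2000] rule 10 deny
[AP-acl-basic-2000] quit

# Variant A: outbound NAT with an address pool. NAPT is the default; add no-pat only
# if one public address per concurrently active internal host is affordable.
[AP] nat address-group 1 203.0.113.10 203.0.113.12
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] nat outbound 2000 address-group 1
[AP-GigabitEthernet0/0/0] quit

# Variant B (instead of A, on the same interface): Easy IP, when the only public
# address available is the one configured on the outbound interface.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] nat outbound 2000
[AP-GigabitEthernet0/0/0] quit

# Confirm what was actually installed.
[AP] display nat address-group 1 verbose
[AP] display nat outbound acl 2000
```

The check worth making after either variant is display nat outbound acl 2000: if it shows no entry, the interface never received the nat outbound command; if the ACL it references permits a wider source range than intended, every host in that range gains Internet access through the public address.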

(Optional) Enabling NAT ALG

Context

Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols, such as DNS and FTP, also carry an IP address or port number in the data field (the application payload). Plain NAT does not translate that content, so the peer learns an untranslated private address or port and communication between the internal and external networks fails.

The application level gateway (ALG) function lets the NAT device recognize the IP address or port number inside the data field and translate it according to the mapping table, so that the packets can traverse the NAT device. Because the ALG has to parse application payload, enable it only for the protocols that actually need it. Currently, the ALG function supports DNS, FTP, PPTP and RTSP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat alg { all | protocol-name } enable

    The NAT ALG function for specified application protocols is enabled.

    By default, the NAT ALG function is disabled.

  3. (Optional) Run port-mapping protocol-name port port-number acl acl-number

    The port mapping is configured.

    Run the port-mapping command to configure port mapping when an application protocol for which NAT ALG is enabled uses a non-well-known port number, that is, a port other than its default. Without the mapping, the ALG does not recognize traffic on that port and leaves its payload untranslated. You can run the display port-mapping command to check the mapping between application protocols and ports.
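
An added example (not from the guide) of enabling the FTP ALG for an internal server that listens on a non-default port. The server address 192.168.10.20, the port 2121 and the use of a basic ACL to identify the server host for port-mapping are assumptions; lines beginning with # are annotations.

```text
<AP> system-view
# Enable the ALG only for the protocol that needs payload rewriting (FTP carries the
# data-channel address and port in its control messages). nat alg all would make the
# device parse every supported protocol's payload, which is more exposure than needed.
[AP] nat alg ftp enable

# The internal FTP server listens on 2121 instead of 21. ACL 2001 identifies that host
# so the FTP ALG is applied to sessions with it on port 2121 and to nothing else.
[AP] acl number 2001
[AP-acl-basic-2001] rule 5 permit source 192.168.10.20 0
[AP-acl-basic-2001] quit
[AP] port-mapping ftp port 2121 acl 2001

# Verify: the ALG state and the protocol-to-port table the device will use.
[AP] display nat alg
[AP] display port-mapping
```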

(Optional) Configuring NAT Filtering and NAT Mapping

Context

NAT conserves IPv4 addresses and, because the device admits inbound packets only when they match an existing translation entry, also shields internal hosts from unsolicited traffic. Some applications that traverse a NAT device open several data channels (multi-channel applications), and their peers may send to the mapped public port from an address or port other than the one the internal host first contacted. NAT mapping and NAT filtering control which of those inbound packets the device accepts: a packet passes only if it meets both the mapping and the filtering condition.

The device supports the following NAT mapping types:

  • Endpoint-and-port-independent mapping: the device reuses the same public address and port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Endpoint-and-port-dependent mapping: the device reuses a mapping only for subsequent packets sent from the same internal IP address and port to the same external IP address and port, while the mapping is still active; packets to a different external endpoint get a new mapping.

The device supports the following NAT filtering types:

  • Endpoint-and-port-independent filtering: once a mapping exists, any external host may send to the mapped public port.
  • Endpoint-dependent and port-independent filtering: only an external IP address that the internal host has already sent to may send to the mapped port, from any source port.
  • Endpoint-and-port-dependent filtering: only the exact external IP address and port that the internal host has already sent to may send to the mapped port.

Endpoint-independent mapping combined with endpoint-independent filtering is the most permissive pairing: every active mapping becomes a public port reachable from any source for as long as the entry lives. Keep the defaults unless a protocol demonstrably needs the relaxation, and relax the mapping mode per protocol and port where the command allows it.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

    The NAT mapping mode is configured.

    The default NAT mapping mode is endpoint-and-port-dependent.

  3. Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

    The NAT filtering mode is configured.

    The default NAT filtering mode is endpoint-and-port-dependent.
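
An added example (not from the guide) that contrasts the default modes with a selective relaxation for one application. The UDP protocol keyword and destination port 3478 given to nat mapping-mode, and the addresses in the annotations, are assumptions about what the device accepts; lines beginning with # are annotations.

```text
<AP> system-view
# Defaults, nothing to type: endpoint-and-port-dependent mapping and filtering.
# A mapping created by 192.168.10.30:5000 -> 198.51.100.7:3478 then accepts packets
# only from 198.51.100.7:3478; any other external host or port hitting the mapped
# public port is dropped, and a flow to a second peer gets a second public port.

# Relax the mapping only for UDP toward a rendezvous port (e.g. STUN), so that the
# same public port is reused toward every peer the signalling introduces.
[AP] nat mapping-mode endpoint-independent udp dest-port 3478

# Relax filtering one notch, to endpoint-dependent: a peer the internal host has
# already sent to may answer from any port, but an unrelated host still cannot use
# the mapped port. Filtering is global, so this affects every translated flow.
[AP] nat filter-mode endpoint-dependent

# Most permissive pairing, shown for contrast only and not recommended as a default:
# [AP] nat mapping-mode endpoint-independent
# [AP] nat filter-mode endpoint-independent
# With both set, every active mapping is a port open to the whole Internet until the
# entry ages out (see the aging-time section).

[AP] display nat mapping-mode
[AP] display nat filter-mode
```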

(Optional) Configuring NAT Log Output

Context

NAT logs are generated when the device performs address translation. Each log records the original source IP address and source port, the destination IP address and port, the translated source IP address and source port, the user action, and a time stamp. Because the translated source address and port are all that an external party ever sees, these logs are the only way to trace an external observation back to the internal host that caused it; you can review them to learn which users accessed a network through NAT, and when.

The AP can send NAT logs to a specified log host, as shown in Figure 7-96.

Figure 7-96  Sending NAT logs to a specified log host

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure the device to send logs to a log host in the information center or a session log host.

    • Sending logs to a log host in the information center

      1. Run info-center enable

        The information center is enabled.

      2. Run info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | transport { udp | tcp ssl-policy policy-name } ] *

        The log host, and the channel used to export logs to it, are configured.

        A maximum of eight log hosts can be configured so that they back up one another. With the default UDP transport, logs travel unencrypted and unauthenticated; where the log host supports it, use transport tcp ssl-policy to protect them in transit.

        NOTE:
        For the detailed configuration example, see "Example for Outputting Log Information to a Log Host".
    • Sending logs to a session log host

      Run the nat log binary-log host host-ip-address host-port source source-ip-address source-port command to configure a binary NAT session log host.

  3. Run nat log session enable

    The NAT session log function is enabled.

    By default, the NAT session log function is disabled.

  4. (Optional) Run nat log session log-interval interval-time

    The interval of generating NAT session logs is configured.

    By default, NAT session logs are generated every 30 seconds.
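
An added example (not from the guide) of the two ways to export NAT session logs described above; configure one or the other. The log host 192.168.10.50, the source address 192.168.10.1, the ports, the interval value and the pre-existing SSL policy named loghost-tls are assumptions; lines beginning with # are annotations.

```text
<AP> system-view
# Option 1: syslog through the information center, over TLS, so the records of who
# used which public address and port cannot be read or forged on the way to the
# collector. The SSL policy loghost-tls is assumed to have been created beforehand.
[AP] info-center enable
[AP] info-center loghost 192.168.10.50 transport tcp ssl-policy loghost-tls

# Option 2 (instead of 1): a dedicated binary session-log host.
# [AP] nat log binary-log host 192.168.10.50 9002 source 192.168.10.1 9003

# Generate the session records. The periodic record for long-lived sessions is
# raised from the 30 s default to 60 s to cut log volume (value assumed to be in range).
[AP] nat log session enable
[AP] nat log session log-interval 60

[AP] display nat log configuration
```

Keep the NAT session logs and the device clock in step with the rest of the network: a translated-address record is only useful for attribution if its time stamp can be matched against the log of the system that observed the public address.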

Verifying the Configuration
  • Run the display nat log configuration command to verify the configuration of NAT session logs.
(Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat session protocol-name aging-time time-value

    The aging time of NAT mapping entries is configured. An entry that has carried no traffic for this long is removed. Shorter values free table space sooner and shrink the window in which a stale mapping can still be reached from outside; longer values keep idle but legitimate sessions alive.

    By default, the aging time of NAT mapping entries for each protocol is as follows:

      • DNS: 120 seconds
      • FTP: 120 seconds
      • FTP-data: 120 seconds
      • ICMP: 20 seconds
      • PPTP: 600 seconds
      • PPTP-data: 600 seconds
      • RTSP: 60 seconds
      • RTSP-media: 120 seconds
      • TCP: 600 seconds
      • UDP: 120 seconds

Verifying the Configuration
  • Run the display nat session aging-time command to check the aging time of NAT mapping entries.
Verifying the Dynamic NAT Configuration

Procedure

  • Run the display nat address-group [ group-index ] [ verbose ] command to verify the configuration of a NAT address pool.
  • Run the display nat outbound [ acl acl-number | address-group group-index | interface interface-type interface-number ] command to verify the configuration of outbound NAT.
  • Run the display nat alg command to verify the NAT ALG configuration.
  • Run the display nat session aging-time command to check the aging time of NAT mapping entries.
  • Run the display nat filter-mode command to check the current NAT filtering mode.
  • Run the display nat mapping-mode command to check the NAT mapping mode.
  • Run the display nat mapping table { all | number } or display nat mapping table inside-address ip-address protocol protocol-name port port-number command to check the NAT table information or the number of entries in the NAT table.
  • Run the display app-inspect session table [ application-protocol application-protocol-name ] [ source-ip ip-address [ port-number ] ] [ destination-ip ip-address [ port-number ] ] command to check the application session table.

Configuring Static NAT

Configuring Static Address Mapping

Procedure

  1. Configure static address mapping in either the interface view or the system view:

    Configuring static address mapping in the interface view:

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run one of the following commands as required:
      • nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number } global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ netmask mask ] [ acl acl-number ] [ description description ]
      • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number } inside host-address [ netmask mask ] [ acl acl-number ] [ description description ]

    Configuring static address mapping in the system view:

    1. Run system-view

      The system view is displayed.

    2. Run one of the following commands as required:
      • nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ netmask mask ] [ description description ]
      • nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ netmask mask ] [ description description ]
      • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ netmask mask ] [ description description ]
    3. Run interface interface-type interface-number

      The interface view is displayed.

    4. Run nat static enable

      Static NAT is enabled on the interface.

(Optional) Enabling NAT ALG

Context

Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols, such as DNS and FTP, also carry an IP address or port number in the data field (the application payload). Plain NAT does not translate that content, so the peer learns an untranslated private address or port and communication between the internal and external networks fails.

The application level gateway (ALG) function lets the NAT device recognize the IP address or port number inside the data field and translate it according to the mapping table, so that the packets can traverse the NAT device. Because the ALG has to parse application payload, enable it only for the protocols that actually need it. Currently, the ALG function supports DNS, FTP, PPTP and RTSP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat alg { all | protocol-name } enable

    The NAT ALG function for specified application protocols is enabled.

    By default, the NAT ALG function is disabled.

  3. (Optional) Run port-mapping protocol-name port port-number acl acl-number

    The port mapping is configured.

    Run the port-mapping command to configure port mapping when an application protocol for which NAT ALG is enabled uses a non-well-known port number, that is, a port other than its default. Without the mapping, the ALG does not recognize traffic on that port and leaves its payload untranslated. You can run the display port-mapping command to check the mapping between application protocols and ports.

(Optional) Configuring DNS Mapping

Context

If an enterprise has no internal DNS server but its intranet users need to reach internal servers by domain name, those users must query DNS servers on the external network.

Intranet users can use the external DNS server to reach external servers through NAT, but not internal servers: the address the external DNS server returns is the internal server's public IP address, not its real private IP address.

When static NAT and DNS mapping are configured together, you create a mapping entry that ties the domain name to the public IP address, public port number, and protocol type. When a DNS reply carrying that public address passes through the NAT device, the device looks up the private IP address mapped to the public address, rewrites the resolved address in the reply to the private IP address, and forwards the reply to the user, who then reaches the server directly. The rewrite is performed by the DNS ALG, so NAT ALG for DNS must be enabled as well (see Enabling NAT ALG).

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat dns-map domain-name global-address global-port protocol-name

    A mapping from a domain name to a public IP address, a port number, and a protocol type is configured.
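
The static mapping and DNS mapping procedures above, combined into one added example (not from the guide): an internal web server 192.168.10.20 is published as 203.0.113.20 on TCP port 443, and intranet users resolve it as www.example.com through an external DNS server. The addresses, the name, the interface GigabitEthernet0/0/0, and the use of the acl parameter to restrict the mapping to the partner network 198.51.100.0/24 are assumptions; lines beginning with # are annotations.

```text
<AP> system-view
# ACL 3002 narrows who may use the static mapping to the partner network. The command
# syntax takes an ACL; that it filters the outside-to-inside direction is assumed here.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit tcp source 198.51.100.0 0.0.0.255
[AP-acl-adv-3002] quit

# Interface-view form: port-level static NAT, so only TCP 443 of 203.0.113.20 is
# forwarded to the server; the other ports of the public address stay closed.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] nat static protocol tcp global 203.0.113.20 443 inside 192.168.10.20 443 acl 3002 description partner-web
[AP-GigabitEthernet0/0/0] quit

# Equivalent system-view form; it only takes effect once nat static enable is set on
# the outside interface, which is the step most often forgotten.
# [AP] nat static protocol tcp global 203.0.113.20 443 inside 192.168.10.20 443
# [AP] interface GigabitEthernet0/0/0
# [AP-GigabitEthernet0/0/0] nat static enable

# DNS mapping: the external DNS server answers 203.0.113.20 for www.example.com; the
# DNS ALG rewrites that answer to 192.168.10.20 in replies crossing the device.
[AP] nat alg dns enable
[AP] nat dns-map www.example.com 203.0.113.20 443 tcp

[AP] display nat static global 203.0.113.20
[AP] display nat dns-map www.example.com
```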

(Optional) Configuring NAT Filtering and NAT Mapping

Context

NAT conserves IPv4 addresses and, because the device admits inbound packets only when they match an existing translation entry, also shields internal hosts from unsolicited traffic. Some applications that traverse a NAT device open several data channels (multi-channel applications), and their peers may send to the mapped public port from an address or port other than the one the internal host first contacted. NAT mapping and NAT filtering control which of those inbound packets the device accepts: a packet passes only if it meets both the mapping and the filtering condition.

The device supports the following NAT mapping types:

  • Endpoint-and-port-independent mapping: the device reuses the same public address and port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Endpoint-and-port-dependent mapping: the device reuses a mapping only for subsequent packets sent from the same internal IP address and port to the same external IP address and port, while the mapping is still active; packets to a different external endpoint get a new mapping.

The device supports the following NAT filtering types:

  • Endpoint-and-port-independent filtering: once a mapping exists, any external host may send to the mapped public port.
  • Endpoint-dependent and port-independent filtering: only an external IP address that the internal host has already sent to may send to the mapped port, from any source port.
  • Endpoint-and-port-dependent filtering: only the exact external IP address and port that the internal host has already sent to may send to the mapped port.

Endpoint-independent mapping combined with endpoint-independent filtering is the most permissive pairing: every active mapping becomes a public port reachable from any source for as long as the entry lives. Keep the defaults unless a protocol demonstrably needs the relaxation, and relax the mapping mode per protocol and port where the command allows it.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

    The NAT mapping mode is configured.

    The default NAT mapping mode is endpoint-and-port-dependent.

  3. Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

    The NAT filtering mode is configured.

    The default NAT filtering mode is endpoint-and-port-dependent.

(Optional) Configuring NAT Log Output

Context

NAT logs are generated when the device performs address translation. Each log records the original source IP address and source port, the destination IP address and port, the translated source IP address and source port, the user action, and a time stamp. Because the translated source address and port are all that an external party ever sees, these logs are the only way to trace an external observation back to the internal host that caused it; you can review them to learn which users accessed a network through NAT, and when.

The AP can send NAT logs to a specified log host, as shown in Figure 7-97.

Figure 7-97  Sending NAT logs to a specified log host

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure the device to send logs to a log host in the information center or a session log host.

    • Sending logs to a log host in the information center

      1. Run info-center enable

        The information center is enabled.

      2. Run info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | transport { udp | tcp ssl-policy policy-name } ] *

        The log host, and the channel used to export logs to it, are configured.

        A maximum of eight log hosts can be configured so that they back up one another. With the default UDP transport, logs travel unencrypted and unauthenticated; where the log host supports it, use transport tcp ssl-policy to protect them in transit.

        NOTE:
        For the detailed configuration example, see "Example for Outputting Log Information to a Log Host".
    • Sending logs to a session log host

      Run the nat log binary-log host host-ip-address host-port source source-ip-address source-port command to configure a binary NAT session log host.

  3. Run nat log session enable

    The NAT session log function is enabled.

    By default, the NAT session log function is disabled.

  4. (Optional) Run nat log session log-interval interval-time

    The interval of generating NAT session logs is configured.

    By default, NAT session logs are generated every 30 seconds.

Verifying the Configuration
  • Run the display nat log configuration command to verify the configuration of NAT session logs.
(Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat session protocol-name aging-time time-value

    The aging time of NAT mapping entries is configured. An entry that has carried no traffic for this long is removed. Shorter values free table space sooner and shrink the window in which a stale mapping can still be reached from outside; longer values keep idle but legitimate sessions alive.

    By default, the aging time of NAT mapping entries for each protocol is as follows:

      • DNS: 120 seconds
      • FTP: 120 seconds
      • FTP-data: 120 seconds
      • ICMP: 20 seconds
      • PPTP: 600 seconds
      • PPTP-data: 600 seconds
      • RTSP: 60 seconds
      • RTSP-media: 120 seconds
      • TCP: 600 seconds
      • UDP: 120 seconds

Verifying the Configuration
  • Run the display nat session aging-time command to check the aging time of NAT mapping entries.
Verifying the Static NAT Configuration

Procedure

  • Run the display nat alg command to verify the NAT ALG configuration.
  • Run the display nat dns-map [ domain-name ] command to verify the configuration of DNS mapping.
  • Run the display nat session aging-time command to check the aging time of NAT mapping entries.
  • Run the display nat static [ global global-address | inside host-address | interface interface-type interface-name | acl acl-number ] command to verify the configuration of static NAT.
  • Run the display nat filter-mode command to check the current NAT filtering mode.
  • Run the display nat mapping-mode command to check the NAT mapping mode.
  • Run the display nat mapping table { all | number } or display nat mapping table inside-address ip-address protocol protocol-name port port-number command to check the NAT table information or the number of entries in the NAT table.
  • Run the display nat static interface enable command to check whether the static NAT function is enabled.

Configuring an Internal NAT Server

Configuring Internal NAT Server

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [ .subnumber ]

    The interface view is displayed.

  3. Run either of the following commands to configure an internal NAT server:

    • nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number } global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ acl acl-number ] [ description description ]
    • nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number } inside host-address [ acl acl-number ] [ description description ]
    NOTE:
    • When configuring an internal NAT server, ensure that global-address and host-address differ from the IP addresses of the device's interfaces and from the addresses in the user address pool.
    • The public (global) address of the internal server can be the address of current-interface or of a loopback interface.
    • The undo nat server command does not delete existing mapping entries immediately, so sessions already established to the server survive the command. Run the reset nat session command to delete the entries.
    • Compared with static NAT, NAT Server translates only the IP address, not the port number, when the private network actively initiates access to the public network.
    • When you configure a one-to-one NAT server that borrows an interface IP address (no port number is specified, so the whole interface address is mapped to a private address), other services enabled on that interface may become unavailable, because every port of the address now leads to the internal host. Confirm your action before performing the configuration. If you want to keep other applications on the interface, add an ACL rule after the configuration that excludes the port numbers those applications use.
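
An added example (not from the guide) of publishing a service with nat server while keeping the interface's own address usable for everything else. The addresses and the interface GigabitEthernet0/0/0 are assumptions; lines beginning with # are annotations.

```text
<AP> system-view
# Publish a mail gateway at 192.168.10.25 as 203.0.113.21, SMTP only. A port-level
# nat server exposes one service; a one-to-one server on the whole address would
# expose every port the host listens on.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] nat server protocol tcp global 203.0.113.21 25 inside 192.168.10.25 25 description mail-gw
[AP-GigabitEthernet0/0/0] quit

# Borrowing the interface address: give out one port, never the whole address, so the
# interface's own services (including any management service bound to it) stay reachable.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] nat server protocol tcp global current-interface 443 inside 192.168.10.20 443
[AP-GigabitEthernet0/0/0] quit

# Decommissioning: undo leaves live entries in place, so clear them explicitly.
# reset nat session is named in the NOTE above; the device may require a further
# argument selecting which entries to clear.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] undo nat server protocol tcp global 203.0.113.21 25 inside 192.168.10.25 25
[AP-GigabitEthernet0/0/0] quit
[AP] reset nat session

[AP] display nat server
[AP] display nat mapping table all
```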

(Optional) Enabling NAT ALG

Context

Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols, such as DNS and FTP, also carry an IP address or port number in the data field (the application payload). Plain NAT does not translate that content, so the peer learns an untranslated private address or port and communication between the internal and external networks fails.

The application level gateway (ALG) function lets the NAT device recognize the IP address or port number inside the data field and translate it according to the mapping table, so that the packets can traverse the NAT device. Because the ALG has to parse application payload, enable it only for the protocols that actually need it. Currently, the ALG function supports DNS, FTP, PPTP and RTSP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat alg { all | protocol-name } enable

    The NAT ALG function for specified application protocols is enabled.

    By default, the NAT ALG function is disabled.

  3. (Optional) Run port-mapping protocol-name port port-number acl acl-number

    The port mapping is configured.

    Run the port-mapping command to configure port mapping when an application protocol for which NAT ALG is enabled uses a non-well-known port number, that is, a port other than its default. Without the mapping, the ALG does not recognize traffic on that port and leaves its payload untranslated. You can run the display port-mapping command to check the mapping between application protocols and ports.

(Optional) Configuring DNS Mapping

Context

If an enterprise has no internal DNS server but its intranet users need to reach internal servers by domain name, those users must query DNS servers on the external network.

Intranet users can use the external DNS server to reach external servers through NAT, but not internal servers: the address the external DNS server returns is the internal server's public IP address, not its real private IP address.

When static NAT and DNS mapping are configured together, you create a mapping entry that ties the domain name to the public IP address, public port number, and protocol type. When a DNS reply carrying that public address passes through the NAT device, the device looks up the private IP address mapped to the public address, rewrites the resolved address in the reply to the private IP address, and forwards the reply to the user, who then reaches the server directly. The rewrite is performed by the DNS ALG, so NAT ALG for DNS must be enabled as well (see Enabling NAT ALG).

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat dns-map domain-name global-address global-port protocol-name

    A mapping from a domain name to a public IP address, a port number, and a protocol type is configured.

(Optional) Configuring NAT Filtering and NAT Mapping

Context

NAT conserves IPv4 addresses and, because the device admits inbound packets only when they match an existing translation entry, also shields internal hosts from unsolicited traffic. Some applications that traverse a NAT device open several data channels (multi-channel applications), and their peers may send to the mapped public port from an address or port other than the one the internal host first contacted. NAT mapping and NAT filtering control which of those inbound packets the device accepts: a packet passes only if it meets both the mapping and the filtering condition.

The device supports the following NAT mapping types:

  • Endpoint-and-port-independent mapping: the device reuses the same public address and port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Endpoint-and-port-dependent mapping: the device reuses a mapping only for subsequent packets sent from the same internal IP address and port to the same external IP address and port, while the mapping is still active; packets to a different external endpoint get a new mapping.

The device supports the following NAT filtering types:

  • Endpoint-and-port-independent filtering: once a mapping exists, any external host may send to the mapped public port.
  • Endpoint-dependent and port-independent filtering: only an external IP address that the internal host has already sent to may send to the mapped port, from any source port.
  • Endpoint-and-port-dependent filtering: only the exact external IP address and port that the internal host has already sent to may send to the mapped port.

Endpoint-independent mapping combined with endpoint-independent filtering is the most permissive pairing: every active mapping becomes a public port reachable from any source for as long as the entry lives. Keep the defaults unless a protocol demonstrably needs the relaxation, and relax the mapping mode per protocol and port where the command allows it.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

    The NAT mapping mode is configured.

    The default NAT mapping mode is endpoint-and-port-dependent.

  3. Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

    The NAT filtering mode is configured.

    The default NAT filtering mode is endpoint-and-port-dependent.

(Optional) Configuring NAT Log Output

Context

NAT logs are generated when the device performs address translation. Each log records the original source IP address and source port, the destination IP address and port, the translated source IP address and source port, the user action, and a time stamp. Because the translated source address and port are all that an external party ever sees, these logs are the only way to trace an external observation back to the internal host that caused it; you can review them to learn which users accessed a network through NAT, and when.

The AP can send NAT logs to a specified log host, as shown in Figure 7-98.

Figure 7-98  Sending NAT logs to a specified log host

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure the device to send logs to a log host in the information center or a session log host.

    • Sending logs to a log host in the information center

      1. Run info-center enable

        The information center is enabled.

      2. Run info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | transport { udp | tcp ssl-policy policy-name } ] *

        The log host, and the channel used to export logs to it, are configured.

        A maximum of eight log hosts can be configured so that they back up one another. With the default UDP transport, logs travel unencrypted and unauthenticated; where the log host supports it, use transport tcp ssl-policy to protect them in transit.

        NOTE:
        For the detailed configuration example, see "Example for Outputting Log Information to a Log Host".
    • Sending logs to a session log host

      Run the nat log binary-log host host-ip-address host-port source source-ip-address source-port command to configure a binary NAT session log host.

  3. Run nat log session enable

    The NAT session log function is enabled.

    By default, the NAT session log function is disabled.

  4. (Optional) Run nat log session log-interval interval-time

    The interval of generating NAT session logs is configured.

    By default, NAT session logs are generated every 30 seconds.

Verifying the Configuration
  • Run the display nat log configuration command to verify the configuration of NAT session logs.
(Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat session protocol-name aging-time time-value

    The aging time of NAT mapping entries is configured. An entry that has carried no traffic for this long is removed. Shorter values free table space sooner and shrink the window in which a stale mapping can still be reached from outside; longer values keep idle but legitimate sessions alive.

    By default, the aging time of NAT mapping entries for each protocol is as follows:

      • DNS: 120 seconds
      • FTP: 120 seconds
      • FTP-data: 120 seconds
      • ICMP: 20 seconds
      • PPTP: 600 seconds
      • PPTP-data: 600 seconds
      • RTSP: 60 seconds
      • RTSP-media: 120 seconds
      • TCP: 600 seconds
      • UDP: 120 seconds

Verifying the Configuration
  • Run the display nat session aging-time command to check the aging time of NAT mapping entries.
Verifying the Internal NAT Server Configuration

Procedure

  • Run the display nat server [ global global-address | inside host-address | interface interface-type interface-number | acl acl-number ] command to verify the configuration of the NAT server.
  • Run the display nat alg command to verify the NAT ALG configuration.
  • Run the display nat dns-map [ domain-name ] command to verify the configuration of DNS mapping.
  • Run the display nat session aging-time command to check the aging time of NAT mapping entries.
  • Run the display nat filter-mode command to check the current NAT filtering mode.
  • Run the display nat mapping-mode command to check the NAT mapping mode.
  • Run the display nat mapping table { all | number } or display nat mapping table inside-address ip-address protocol protocol-name port port-number command to check the NAT table information or the number of entries in the NAT table.
Updated: 2019-01-11

Document ID: EDOC1000176006