Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuration Examples for NAT


Example for Configuring Dynamic Address Translation

Networking Requirements

As shown in Figure 7-99, a company has private network users in area A and area B, and the AP is connected to the public network through the Layer 3 interface VLANIF300. The VLANIF300 address is 202.169.10.1/24, and the address of the public network is 202.169.10.2/24. Users in area A want to access the public network by replacing the host addresses (on the network segment 192.168.20.0/24) in area A with the addresses (202.169.10.100-202.169.10.200) in the public network address pool in NAT mode. As there are fewer public network IP addresses in area B, users in area B want to access the public network by replacing the host addresses (on the network segment 10.0.0.0/24) in area B with the addresses (202.169.10.80-202.169.10.83) in the public network address pool in the mode of replacing both IP address and port number.

Figure 7-99  Networking diagram for configuring dynamic address translation

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF interfaces so that devices can communicate with each other.

  2. Configure dynamic address translation so that the private network users can access public network services.

Procedure

  1. Configure users to go online on the AP.

    Configure users in area A and area B to go online through the AP. For details, see Example for Configuring Fat AP Layer 2 Networking.

  2. Assign IP addresses for the VLANIF interfaces on the AP.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan 300 
    [AP-vlan300] quit
    [AP] interface vlanif 300
    [AP-Vlanif300] ip address 202.169.10.1 24
    [AP-Vlanif300] quit
    [AP] interface gigabitethernet 0/0/0 
    [AP-GigabitEthernet0/0/0] port link-type trunk 
    [AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 300
    [AP-GigabitEthernet0/0/0] quit

  3. Configure a default route with the next hop address 202.169.10.2 on the AP.

    [AP] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
    

  4. Configure outbound NAT on the AP.

    [AP] nat address-group 1 202.169.10.100 202.169.10.200 
    [AP] nat address-group 2 202.169.10.80 202.169.10.83  
    [AP] acl 2000
    [AP-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
    [AP-acl-basic-2000] quit
    [AP] acl 2001
    [AP-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
    [AP-acl-basic-2001] quit
    [AP] interface vlanif 300
    [AP-Vlanif300] nat outbound 2000 address-group 1 no-pat
    [AP-Vlanif300] nat outbound 2001 address-group 2 
    [AP-Vlanif300] quit
    [AP] quit
    

  5. Verify the configuration.

    # Run the display nat outbound command on the AP to check the address translation result.

    <AP> display nat outbound
     NAT Outbound Information:                                                      
     --------------------------------------------------------------------------     
     Interface                     Acl     Address-group/IP/Interface      Type     
     --------------------------------------------------------------------------     
     Vlanif300                    2000                              1    no-pat 
     Vlanif300                    2001                              2       pat
     --------------------------------------------------------------------------
      Total : 2     

    # Run the ping command on the AP to check whether users can access the public network from the private network.

    <AP> ping -a 192.168.20.1 202.169.10.2
      PING 202.169.10.2: 56 data bytes, press CTRL_C to break                         
        Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms                
      --- 202.169.10.2 ping statistics ---
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/1/2 ms 
    <AP> ping -a 10.0.0.1 202.169.10.2
      PING 202.169.10.2: 56 data bytes, press CTRL_C to break                         
        Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms                
        Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms                
      --- 202.169.10.2 ping statistics ---
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/1/2 ms 
    

Configuration Files

Configuration file of the AP

#
 sysname AP
#                                                                               
 vlan batch 300   
#                                                                               
acl number 2000                                                                 
 rule 5 permit source 192.168.20.0 0.0.0.255                                    
#                                                                               
acl number 2001                                                                 
 rule 5 permit source 10.0.0.0 0.0.0.255                                       
#
 nat address-group 1 202.169.10.100 202.169.10.200
 nat address-group 2 202.169.10.80 202.169.10.83                      
#                                                                                
interface Vlanif300                                                             
 ip address 202.169.10.1 255.255.255.0                                          
 nat outbound 2000 address-group 1 no-pat                                       
 nat outbound 2001 address-group 2
#                                                                                
interface GigabitEthernet0/0/0                                                                                                      
 port link-type trunk                                                                                                               
 port trunk allow-pass vlan 300 
#                                                                  
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2                          
#                                                              
return  

Example for Configuring Static One-to-One NAT

Networking Requirements

As shown in Figure 7-100, the AP is connected to the public network through the Layer 3 interface VLANIF200. The VLANIF200 address is 202.10.1.2/24, and the address of the public network is 202.10.1.1/24. The host with the address 192.168.0.2/24 on the internal network needs to access external networks through a fixed address 202.10.1.3/24. It is required that the AP should translate a private network address to a public network address so that the host can access external networks.

Figure 7-100  Networking diagram for configuring static one-to-one NAT

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF interfaces so that devices can communicate with each other.

  2. Configure static NAT on the VLANIF200 interface of the AP to implement one-to-one mapping of internal and external network addresses.

Procedure

  1. Configure users to go online on the AP.

    Configure users to go online through the AP. For details, see Example for Configuring Fat AP Layer 2 Networking.

  2. Assign IP addresses for the VLANIF interfaces on the AP.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan 200 
    [AP-vlan200] quit
    [AP] interface vlanif 200
    [AP-Vlanif200] ip address 202.10.1.2 24
    [AP-Vlanif200] quit
    [AP] interface gigabitethernet 0/0/0 
    [AP-GigabitEthernet0/0/0] port link-type trunk
    [AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
    [AP-GigabitEthernet0/0/0] quit

  3. Configure a default route with the next hop address 202.10.1.1 on the AP.

    [AP] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
    

  4. Configure one-to-one NAT mapping on the VLANIF200 interface of the AP.

    [AP] interface vlanif 200
    [AP-Vlanif200] nat static global 202.10.1.3 inside 192.168.0.2
    [AP-Vlanif200] quit
    

  5. Verify the configuration.

    # Run the display nat static command on the AP to check the mapping between the addresses in the address pool.

    [AP] display nat static
      Static Nat Information:                                                                                                           
      Interface  : Vlanif200                                                                                                            
        Global IP/Port     : 202.10.1.3/----                                                                                            
        Inside IP/Port     : 192.168.0.2/----                                                                                           
        Protocol : ----                                                                                                                 
        VPN instance-name  : ----                                                                                                       
        Acl number         : ----                                                                                                       
        Vrrp id            : ----                                                                                                       
        Netmask  : 255.255.255.255                                                                                                      
        Description : ----     
                                                                                                                                        
      Total :    1 

Configuration Files

Configuration file of the AP

#
 sysname AP
#
vlan batch 200
#                                                                                                                                   
interface Vlanif200                                                                                                                 
 ip address 202.10.1.2 255.255.255.0                                                                                                
 nat static global 202.10.1.3 inside 192.168.0.2 netmask 255.255.255.255                                                            
#                                                                                                                            
interface GigabitEthernet0/0/0                                                                                                      
 port link-type trunk                                                                                                               
 port trunk allow-pass vlan 200                                                                                              
# 
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1                                                                                          
# 
return  

Example for Configuring an Internal Server

Networking Requirements

As shown in Figure 7-101, the AP is connected to the public network through the Layer 3 interface VLANIF300. The VLANIF300 address is 202.169.10.1/24, and the address of the public network is 202.169.10.2/24. The FTP server is deployed on the company's network for users on external networks to access. The private IP address of the FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24. It is required that external users can access the FTP server through the NAT function of the AP.

Figure 7-101  Networking diagram for configuring an internal server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF interfaces so that devices can communicate with each other.

  2. Configure a NAT server on the VLANIF300 interface of the AP so that users on external networks can access the server on the internal network.

  3. Enable the FTP NAT ALG function to allow the external FTP packets to traverse the NAT server.

Procedure

  1. Configure users to go online on the AP.

    Configure users to go online through the AP. For details, see Example for Configuring Fat AP Layer 2 Networking.

  2. Assign IP addresses for the VLANIF interfaces on the AP.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan 300 
    [AP-vlan300] quit
    [AP] interface vlanif 300
    [AP-Vlanif300] ip address 202.169.10.1 24
    [AP-Vlanif300] quit
    [AP] interface gigabitethernet 0/0/0 
    [AP-GigabitEthernet0/0/0] port link-type trunk
    [AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 300
    [AP-GigabitEthernet0/0/0] quit

  3. Configure a default route with the next hop address 202.169.10.2 on the AP.

    [AP] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
    

  4. Configure the NAT server function on the AP.

    [AP] interface vlanif 300
    [AP-Vlanif300] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
    [AP-Vlanif300] quit

  5. Enable the FTP NAT ALG function on the AP.

    [AP] nat alg ftp enable
    [AP] quit

  6. Verify the configuration.

    # Run the display nat server command on the AP. The command output is as follows:

    <AP> display nat server
      Nat Server Information:                                                       
      Interface  : Vlanif300 
        Global IP/Port     : 202.169.10.33/21(ftp)      
        Inside IP/Port     : 10.0.0.3/21(ftp)               
        Protocol : 6(tcp)                                              
        VPN instance-name  : ----                                
        Acl number         : ----                  
        Vrrp id            : ----              
        Description : ----
                                                                                    
      Total :    1    

    # Run the display nat alg command on the AP. The command output is as follows:

    <AP> display nat alg
    NAT Application Level Gateway Information:   
    ----------------------------------                                              
      Application            Status                                                 
    ----------------------------------                                              
      dns                    Disabled                                               
      ftp                    Enabled                                               
      rtsp                   Disabled                                               
      pptp                   Disabled                                            
    ----------------------------------  

Configuration Files

Configuration file of the AP

#
 sysname AP
#                                                                               
 vlan batch 300                                                        
#                                                                               
 nat alg ftp enable                                                             
#                                                                               
interface Vlanif300                                                             
 ip address 202.169.10.1 255.255.255.0                                          
 nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp           
#                                                                               
interface GigabitEthernet0/0/0                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 300                                                 
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2                                    
#
return  

Example for Configuring NAT

Networking Requirements

As shown in Figure 7-102, the private IP address of the FTP server is 192.168.0.100/24, the public address is 202.10.1.3/24, and the domain name is TestNat.com. The AP is connected to the public network through the Layer 3 interface VLANIF100. The VLANIF100 address is 202.10.1.2/24, and the address of the public network is 202.10.1.1/24. The company has no other public IP addresses. The internal FTP server needs to provide the FTP service for external users. Intranet users can access external networks and use the external DNS server to access the internal FTP server.

Figure 7-102  Networking diagram for configuring NAT

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF interfaces so that devices can communicate with each other.

  2. Configure Easy IP on the VLANIF100 interface of the AP so that the internal hosts can access external network services.

  3. Configure a NAT server and the FTP NAT ALG function on the VLANIF100 interface of the AP so that users on external networks can access the FTP server on the internal network.

  4. Configure the DNS mapping and DNS NAT ALG functions on the AP so that users on the internal network can access the internal FTP server through the external DNS server.

Procedure

  1. Configure users to go online on the AP.

    Configure users to go online through the AP. For details, see Example for Configuring Fat AP Layer 2 Networking.

  2. Assign IP addresses for the VLANIF interfaces on the AP.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan 100 
    [AP-vlan100] quit
    [AP] interface vlanif 100
    [AP-Vlanif100] ip address 202.10.1.2 24
    [AP-Vlanif100] quit
    [AP] interface gigabitethernet 0/0/0 
    [AP-GigabitEthernet0/0/0] port link-type trunk
    [AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 100
    [AP-GigabitEthernet0/0/0] quit

  3. Configure a default route with the next hop address 202.10.1.1 on the AP.

    [AP] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
    

  4. Configure outbound NAT in Easy IP mode on the VLANIF100 interface of the AP.

    [AP] acl 2000
    [AP-acl-basic-2000] rule 5 permit source 192.168.0.0 0.0.0.255
    [AP-acl-basic-2000] quit
    [AP] interface vlanif 100
    [AP-Vlanif100] nat outbound 2000
    

  5. Configure a NAT server and the FTP NAT ALG function on the VLANIF100 interface of the AP.

    [AP-Vlanif100] nat server protocol tcp global 202.10.1.3 ftp inside 192.168.0.100
    [AP-Vlanif100] quit
    [AP] nat alg ftp enable
    

  6. Configure the DNS mapping and DNS NAT ALG functions on the AP.

    [AP] nat alg dns enable
    [AP] nat dns-map TestNat.com 202.10.1.3 80 tcp
    [AP] quit
    

  7. Verify the configuration.

    # Run the display nat outbound command on the AP. The command output is as follows:

    <AP> display nat outbound
     NAT Outbound Information:                                                      
     --------------------------------------------------------------------------     
     Interface                     Acl     Address-group/IP/Interface      Type     
     --------------------------------------------------------------------------     
     Vlanif100                    2000                     202.10.1.2    easyip     
     --------------------------------------------------------------------------     
      Total : 1   

    # Run the display nat server command on the AP. The command output is as follows:

    <AP> display nat server
      Nat Server Information:                                                       
      Interface  : Vlanif100                                              
        Global IP/Port     : 202.10.1.3/21(ftp)                                   
        Inside IP/Port     : 192.168.0.100/21(ftp)                                       
        Protocol : 6(tcp)                                                           
        VPN instance-name  : ---- 
        Acl number         : ----                                                  
        Vrrp id            : ----                                                   
        Description : ----
      Total :    1    

    # Run the display nat alg command on the AP. The command output is as follows:

    <AP> display nat alg
    NAT Application Level Gateway Information:   
    ----------------------------------                                              
      Application            Status                                                 
    ----------------------------------                                              
      dns                    Enabled                                                
      ftp                    Enabled                                               
      rtsp                   Disabled                                               
      pptp                   Disabled 
    ----------------------------------  

Configuration Files

Configuration file of the AP

#
 sysname AP
#
 vlan batch 100                                                        
#                                                                               
acl number 2000                                                                 
 rule 5 permit source 192.168.0.0 0.0.0.255                                     
#                                                                               
 nat alg dns enable
 nat alg ftp enable                                                              
#
 nat dns-map testnat.com 202.10.1.3 80 tcp                                  
#                                                                               
interface Vlanif100                                                  
 ip address 202.10.1.2 255.255.255.0                                            
 nat server protocol tcp global 202.10.1.3 ftp inside 192.168.0.100 ftp        
 nat outbound 2000                                                              
#                                                                               
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
interface GigabitEthernet0/0/0                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 100                                                 
# 
return  
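
The following Python audit is an added example, not part of the Huawei guide. It reads configuration files like the ones in the dynamic, static and combined examples above and inventories the outbound rules, the inbound mappings created by nat server and nat static, the enabled ALGs, and any no-pat pool smaller than the source range its ACL permits. The function name audit_nat, the result keys and the abridged embedded configurations are assumptions made for the example.

```python
import ipaddress
import re

# Constructed input: abridged copies of three configuration files from this page.
DYNAMIC_CFG = """\
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
 nat address-group 1 202.169.10.100 202.169.10.200
 nat address-group 2 202.169.10.80 202.169.10.83
interface Vlanif300
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
"""
STATIC_CFG = """\
interface Vlanif200
 nat static global 202.10.1.3 inside 192.168.0.2 netmask 255.255.255.255
"""
COMBINED_CFG = """\
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.0.255
 nat alg dns enable
 nat alg ftp enable
interface Vlanif100
 nat server protocol tcp global 202.10.1.3 ftp inside 192.168.0.100 ftp
 nat outbound 2000
"""


def audit_nat(config):
    """Inventory the NAT rules in a VRP-style config (hypothetical helper)."""
    acl_hosts, pools, outbound, inbound, algs = {}, {}, [], [], []
    section = None  # ("acl", number) or ("interface", name)
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"acl number (\d+)", line):
            section = ("acl", m[1])
            acl_hosts[m[1]] = 0
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("interface", m[1])
        elif m := re.fullmatch(r"rule \d+ permit source (\S+) (\S+)", line):
            # ip_network accepts the wildcard (host) mask used by ACL rules.
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            acl_hosts[section[1]] += max(net.num_addresses - 2, 1)
        elif m := re.fullmatch(r"nat address-group (\d+) (\S+) (\S+)", line):
            first, last = (int(ipaddress.ip_address(a)) for a in (m[2], m[3]))
            pools[m[1]] = last - first + 1
        elif m := re.fullmatch(r"nat outbound (\d+)(?: address-group (\d+))?( no-pat)?", line):
            mode = "no-pat" if m[3] else "pat" if m[2] else "easyip"
            outbound.append({"interface": section[1], "acl": m[1], "pool": m[2], "mode": mode})
        elif m := re.match(r"nat server protocol (\S+) global (\S+) (\S+) inside (\S+)", line):
            inbound.append((section[1], m[2], f"{m[3]}/{m[1]}", m[4]))
        elif m := re.match(r"nat static global (\S+) inside (\S+)", line):
            # The static mapping carries no port or protocol, so record "any".
            inbound.append((section[1], m[1], "any", m[2]))
        elif m := re.fullmatch(r"nat alg (\S+) enable", line):
            algs.append(m[1])
    # With no-pat every active inside host holds one pool address, so a pool
    # smaller than the permitted source range can run out of addresses.
    shortfalls = [
        (r["acl"], acl_hosts.get(r["acl"], 0), pools[r["pool"]])
        for r in outbound
        if r["mode"] == "no-pat" and acl_hosts.get(r["acl"], 0) > pools[r["pool"]]
    ]
    return {"outbound": outbound, "inbound": inbound,
            "algs": algs, "no_pat_shortfalls": shortfalls}


if __name__ == "__main__":
    for name, cfg in [("dynamic", DYNAMIC_CFG), ("static", STATIC_CFG),
                      ("combined", COMBINED_CFG)]:
        print(name, audit_nat(cfg))
```

Each inbound tuple is (interface, global address, service, inside host); reviewing that list against the services that are meant to be reachable from the public network is the point of the audit.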
Updated: 2019-01-11

Document ID: EDOC1000176006
