Example for Configuring Twice NAT
Networking Requirements
As shown in Figure 5-19, the IP address of the outbound interface on the router is 2.2.2.2/24. The IP address of the LAN gateway is 1.1.1.1/24 and that of the carrier device connected to the router is 2.2.2.1/24. IP addresses of internal hosts are not assigned properly: the IP address of PC1 on the internal network overlaps with that of Server A on the external network. PC2 accesses this server using the domain name of Server A, but because the DNS resolution result falls on PC2's own network segment, PC2 may send its packets to PC1 instead of to Server A. Users want packets to be forwarded correctly.
Configuration Roadmap
The configuration roadmap is as follows:
Configure an IP address for ports on the router.
Configure a default route on the router.
Configure the DNS ALG function to enable DNS packets to traverse the NAT device.
Map the overlapped address pool to the temporary address pool.
Configure outbound NAT to allow internal users to access external networks.
Procedure
- Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 2.2.2.2 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 1.1.1.1 24
[Router-GigabitEthernet2/0/0] quit
- Configure a default route with next hop address 2.2.2.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
- Configure the mapping between the overlapped address pool and the temporary address pool on the router.
[Router] nat overlap-address 0 1.1.1.100 3.3.3.100 pool-length 254
- Configure a static route on the router from the temporary address pool to outbound interface GE1/0/0.
[Router] ip route-static 3.3.3.100 32 gigabitethernet 1/0/0 2.2.2.1
- Configure the DNS NAT ALG function in the system view.
[Router] nat alg dns enable
- Configure outbound NAT on outbound interface GE1/0/0 of the router. The ACL, address group and outbound NAT binding are those shown in the configuration file of the router.
[Router] acl number 3180
[Router-acl-adv-3180] rule 5 permit ip source 1.1.1.0 0.0.0.255
[Router-acl-adv-3180] quit
[Router] nat address-group 1 2.2.2.100 2.2.2.200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3180 address-group 1
[Router-GigabitEthernet1/0/0] quit
- Verify the configuration.
# Run the display nat overlap-address all command on the router to check the mapping between the overlapped address pool and the temporary address pool.
<Router> display nat overlap-address all
 Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
 Id  Overlap-Address  Temp-Address  Pool-Length  Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
 0   1.1.1.100        3.3.3.100     254
 -------------------------------------------------------------------------------
 Total : 1
# Run the display nat outbound command to display the configuration of NAT.
[Router] display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface              Acl   Address-group/IP/Interface   Type
 -----------------------------------------------------------------
 GigabitEthernet1/0/0   3180  1                            pat
 -----------------------------------------------------------------
 Total : 1
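To make the address flow concrete, the following is an added Python model of what the router does with the pools configured above; it is not VRP code and not part of the original example. The DNS ALG rewrites a resolved address that falls in the overlapped pool to its temporary counterpart, and the twice-NAT step then translates both the source (via address-group 1) and the destination (temporary pool back to the overlapped pool) on the way out and reverses them on the reply. The host addresses 1.1.1.20 and 1.1.1.105 and the single-address PAT model are assumptions.

```python
import ipaddress

# Values from the page's configuration; hosts below are constructed for the model.
OVERLAP_BASE = ipaddress.IPv4Address("1.1.1.100")      # nat overlap-address 0 ...
TEMP_BASE = ipaddress.IPv4Address("3.3.3.100")
POOL_LENGTH = 254                                      # pool-length 254
INSIDE_NET = ipaddress.IPv4Network("1.1.1.0/24")       # acl 3180 rule 5 source
ADDR_GROUP_FIRST = ipaddress.IPv4Address("2.2.2.100")  # nat address-group 1


def _offset(addr, base):
    """Offset of addr inside the pool that starts at base, or None if outside."""
    off = int(addr) - int(base)
    return off if 0 <= off < POOL_LENGTH else None


def dns_alg_rewrite(resolved):
    """DNS ALG: an answer that collides with the overlapped pool is handed to the
    internal host as the matching temporary address, so it is routed to GE1/0/0
    instead of being delivered to the local host with the same address."""
    off = _offset(ipaddress.IPv4Address(resolved), OVERLAP_BASE)
    return str(TEMP_BASE + off) if off is not None else resolved


class TwiceNat:
    def __init__(self):
        self.sessions = {}  # (public_src, real_dst) -> inside_src

    def outbound(self, src, dst):
        """Internal host -> temporary address: translate both addresses."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        off = _offset(d, TEMP_BASE)
        if off is None or s not in INSIDE_NET:
            return None  # not a twice-NAT flow; routed normally
        real_dst = OVERLAP_BASE + off
        public_src = ADDR_GROUP_FIRST  # PAT port allocation omitted in this model
        self.sessions[(str(public_src), str(real_dst))] = str(s)
        return str(public_src), str(real_dst)

    def inbound(self, src, dst):
        """Reply from the external server: reverse both translations."""
        inside = self.sessions.get((dst, src))
        off = _offset(ipaddress.IPv4Address(src), OVERLAP_BASE)
        if inside is None or off is None:
            return None  # no matching session: dropped
        return str(TEMP_BASE + off), inside
```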
Configuration Files
Configuration file of the router
#
 sysname Router
#
acl number 3180
 rule 5 permit ip source 1.1.1.0 0.0.0.255
#
 nat alg dns enable
#
 nat address-group 1 2.2.2.100 2.2.2.200
#
 nat overlap-address 0 1.1.1.100 3.3.3.100 pool-length 254
#
interface GigabitEthernet2/0/0
 undo portswitch
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 2.2.2.2 255.255.255.0
 nat outbound 3180 address-group 1
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 3.3.3.100 255.255.255.255 GigabitEthernet1/0/0 2.2.2.1
#
return