What Is NAT

Introduction

This document briefly describes what NAT is and the types of NAT, and introduces the scenarios and implementation principles of each type in turn.

Overview of NAT

Definition

Network Address Translation (NAT) translates the IP address in an IP datagram header to another IP address.

Purpose

The rapid development of the Internet brings an increasing number of network applications, and the exhaustion of IPv4 addresses has become a bottleneck for network development. IPv6 can solve the IPv4 address shortage, but numerous network devices and applications are still based on IPv4. Until IPv6 is widely deployed, transitional technologies such as classless inter-domain routing (CIDR) and private network addresses are used. NAT enables users on private networks to access public networks: when a host on a private network accesses a public network, NAT translates the host's private IP address to a public IP address, and multiple hosts on a private network can share one public IP address. This implements network communication while saving public IP addresses.

Benefits

As a transitional plan, NAT enables address reuse to meet the demand for IP addresses, thereby alleviating the IPv4 address shortage. In addition to addressing the IP address shortage, NAT provides the following advantages:

  • Protects private networks against external attacks, greatly improving network security.
  • Controls not only access to external networks from internal hosts, but also access to the internal network from external users.

Understanding NAT

Introduction to NAT

NAT translates the IP address in an IP datagram header to another IP address, allowing users on private networks to access public networks. Basic NAT implements one-to-one translation between one private IP address and one public IP address, whereas Network Address and Port Translation (NAPT) implements one-to-many translation between one public IP address and multiple private IP addresses.

Basic NAT

Basic NAT implements one-to-one IP address translation. In this mode, only the IP address is translated, whereas the TCP/UDP port number remains unchanged. Basic NAT cannot translate multiple private IP addresses to the same public IP address.

Figure 1-1 Networking diagram for basic NAT

As shown in Figure 1-1, the basic NAT process is as follows:

  1. The Router receives a request packet sent from the host on the private network for accessing the server on the public network. The source IP address of the packet is 10.1.1.100.
  2. The Router selects an idle public IP address (1.1.1.1) from the IP address pool, and sets up forward and reverse NAT entries that specify the mapping between the source IP address of the packet and the public IP address. The Router translates the packet's source IP address to the public IP address based on the forward NAT entry, and sends the packet to the server on the public network. After the translation, the packet's source IP address is 1.1.1.1, and its destination IP address is 2.2.2.2.
  3. After receiving a response packet from the server on the public network, the Router queries the reverse NAT entry based on the packet's destination IP address. The Router translates the packet's destination IP address to the private IP address of the host on the private network based on the reverse NAT entry, and sends the packet to the host. After the translation, the packet's source IP address is 2.2.2.2, and its destination IP address is 10.1.1.100.

NOTE:

Basic NAT cannot solve the problem of public IP address shortage because it cannot implement address reuse. Therefore, basic NAT is seldom used in practice.

The number of public IP addresses owned by the NAT device is far smaller than the number of hosts on private networks, because not all hosts on private networks access public networks at the same time. The number of public IP addresses needs to be determined based on the number of hosts on private networks that access public networks during peak hours.

NAPT

In addition to one-to-one address translation, NAPT allows multiple private IP addresses to be mapped to the same public IP address. It is also called many-to-one address translation or address reuse.

NAPT translates the IP address and port number of a packet so that multiple users on a private network can use the same public IP address to access the public network.

Figure 1-2 Networking diagram for NAPT

As shown in Figure 1-2, the NAPT process is as follows:

  1. The Router receives a request packet sent from the host on the private network for accessing the server on the public network. For example, the packet is sent from Host A to the Router, its source IP address is 10.1.1.100, and its source port number is 1025.
  2. The Router selects an idle public IP address and an idle port number from the IP address pool, and sets up forward and reverse NAPT entries that specify the mapping between the source IP address and port number of the packet and the public IP address and port number. The Router translates the packet's source IP address and port number to the public IP address and port number based on the forward NAPT entry, and sends the packet to the server on the public network. For example, after the translation is performed on the packet of Host A, the packet's source IP address is 1.1.1.1, and its source port number is 16384.
  3. After receiving a response packet from the server on the public network, the Router queries the reverse NAPT entry based on the packet's destination IP address and port number. The Router translates the packet's destination IP address and port number to the private IP address and port number of the host on the private network based on the reverse NAPT entry, and sends the packet to the host. For example, after the translation is performed on the packet sent from the server to Host A, the packet's destination IP address is 10.1.1.100, and its destination port number is 1025.
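To make the difference between the two translation tables concrete, here is an added Python simulation (not Huawei code) that runs the scenario of Figures 1-1 and 1-2 through a basic NAT translator and a NAPT translator, including what happens when a second host appears while the pool holds a single address. The second private host 10.1.1.101 and the server port 80 are constructed for the example; the other addresses and ports are those used in the text.

```python
"""Basic NAT versus NAPT, simulated with the page's addresses (added example).

Host 10.1.1.100:1025 reaches server 2.2.2.2 through public address 1.1.1.1.
A second host 10.1.1.101 and server port 80 are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class BasicNAT:
    """One-to-one: each private host consumes a whole public address and the
    TCP/UDP port is never rewritten, so the pool cannot be reused."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.forward: Dict[str, str] = {}   # private ip -> public ip
        self.reverse: Dict[str, str] = {}   # public ip -> private ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.forward.get(pkt.src_ip)
        if pub is None:
            if not self.free:
                return None                  # pool exhausted: no address reuse
            pub = self.free.pop(0)
            self.forward[pkt.src_ip] = pub
            self.reverse[pub] = pkt.src_ip
        return Packet(pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.reverse.get(pkt.dst_ip)
        if priv is None:
            return None                      # no reverse entry: dropped
        return Packet(pkt.src_ip, pkt.src_port, priv, pkt.dst_port)


class NAPT:
    """Many-to-one: (private ip, port) -> (public ip, port). Ports are handed
    out from 16384 upward, so many hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 16384):
        self.public_ip = public_ip
        self.next_port = first_port
        self.forward: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.forward:
            mapped = (self.public_ip, self.next_port)
            self.next_port += 1
            self.forward[key] = mapped
            self.reverse[mapped] = key
        pub_ip, pub_port = self.forward[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            return None                      # unsolicited packet: dropped
        priv_ip, priv_port = self.reverse[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Run both translators over the page's scenario and return the results."""
    server = "2.2.2.2"
    host_a = Packet("10.1.1.100", 1025, server, 80)
    host_b = Packet("10.1.1.101", 1025, server, 80)   # constructed second host

    basic = BasicNAT(["1.1.1.1"])
    basic_a = basic.outbound(host_a)
    basic_b = basic.outbound(host_b)          # None: the only address is taken
    basic_reply = basic.inbound(Packet(server, 80, "1.1.1.1", 1025))

    napt = NAPT("1.1.1.1")
    napt_a = napt.outbound(host_a)            # 1.1.1.1:16384
    napt_b = napt.outbound(host_b)            # 1.1.1.1:16385, same public address
    napt_reply = napt.inbound(Packet(server, 80, "1.1.1.1", 16384))
    return {
        "basic_a": basic_a, "basic_b": basic_b, "basic_reply": basic_reply,
        "napt_a": napt_a, "napt_b": napt_b, "napt_reply": napt_reply,
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```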

Implementation of NAT

Basic NAT and NAPT translate private IP addresses to public IP addresses by using NAT devices. Basic NAT implements one-to-one address translation, and NAPT implements many-to-one address translation. On existing networks, NAT is implemented based on the principles of basic NAT and NAPT. NAT implements multiple functions such as Easy IP, NAT address pool, NAT server, and static NAT/NAPT.

NAT address pool and Easy IP are implemented in similar ways. This section describes only Easy IP. For the implementation of NAT address pool, see NAPT in Introduction to NAT.

Easy IP

Easy IP uses access control lists (ACLs) to control the private IP addresses that can be translated.

Easy IP is applied to the scenario where hosts on small-scale LANs access the Internet. Small-scale LANs are usually deployed at small and medium-sized cybercafes or small-sized offices where only a few internal hosts are used and the outbound interface obtains a temporary public IP address through dial-up. The temporary public IP address is used by the internal hosts to access the Internet. Easy IP allows the hosts to access the Internet using this temporary public address.

Figure 1-3 Networking diagram for Easy IP

As shown in Figure 1-3, the Easy IP process is as follows:

  1. The Router receives a request packet sent from the host on the private network for accessing the server on the public network.
  2. The Router sets up forward and reverse Easy IP entries that specify the mapping between the source IP address and port number of the packet and the public IP address and port number of the port connected to the public network. The Router translates the source IP address and port number of the packet to the public IP address and port number based on the forward Easy IP entry, and sends the packet to the server on the public network.
  3. After receiving a response packet from the server on the public network, the Router queries the reverse Easy IP entry based on the packet's destination IP address and port number. The Router translates the packet's destination IP address and port number to the private IP address and port number of the host on the private network based on the reverse Easy IP entry, and sends the packet to the host.

NAT Server

NAT can shield hosts on private networks from public network users. When a private network needs to provide services such as WWW and FTP services for public network users, servers on the private network must be accessible to public network users at any time.

The NAT server can address the preceding problem by translating the public IP address and port number to the private IP address and port number based on the preset mapping.

Figure 1-4 Networking diagram for NAT server implementation

As shown in Figure 1-4, the address translation process of the NAT server is as follows:

  1. Address translation entries of the NAT server are configured on the Router.
  2. The Router receives an access request sent from a host on the public network. The Router queries the address translation entry based on the packet's destination IP address and port number. The Router translates the packet's destination IP address and port number to the private IP address and port number based on the address translation entry, and sends the packet to the server on the private network.
  3. After receiving a response packet sent from the server on the private network, the Router queries the address translation entry based on the packet's source IP address and port number. The Router translates the packet's source IP address and port number to the public IP address and port number based on the address translation entry, and sends the packet to the host on the public network.

Static NAT/NAPT

Static NAT indicates that a private IP address is statically bound to a public IP address when NAT is performed. Only this private IP address can be translated to this public IP address.

Static NAPT indicates that the combination of a private IP address, protocol number, and port number is statically bound to the combination of a public IP address, protocol number, and port number. Multiple private IP addresses can be translated to the same public IP address.

Static NAT/NAPT can also translate host IP addresses in a specified private address range to host IP addresses in a specified public address range. When an internal host accesses the external network, static NAT or NAPT translates the IP address of the internal host to a public address if the internal host's IP address is in the specified range. An external host can directly access an internal host if the private IP address to which the packet's destination public IP address translates is in the specified internal address range.

NAT ALG

NAT and NAPT can translate only IP addresses in IP datagram headers and port numbers in TCP/UDP headers. For some special protocols such as FTP, IP addresses or port numbers are also carried in the Data field of the protocol packets, and NAT cannot translate these. A good way to solve the NAT issue for these special protocols is to use the application level gateway (ALG) function. As a special translation agent for application protocols, the ALG interacts with the NAT device to establish states. It uses NAT state information to change the specific data in the Data field of IP datagrams and complete other necessary work, so that application protocols can run across private and public networks.

For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host. NAT cannot translate this IP address because the IP address is carried in the Data field. When the host on the public network attempts to use the received private IP address, it finds that the FTP server is unreachable.

DNS, FTP, SIP, PPTP, and RTSP support the ALG function. Table 1-1 lists the fields that NAT translates for each protocol.

Table 1-1 Fields supported by different protocols

  • DNS: IP and Port fields in a response packet
  • FTP:
    • IP and Port fields in the payload of a Port request packet
    • IP and Port fields in the payload of a Passive response packet
  • SIP: Request line, From, To, Contact, Via, O, and Record-Route fields, plus the connection information field (indicating an IP address) and the media description field (indicating a port) in the message body
  • PPTP, in two scenarios:
    • PPTP client on the private network and PPTP server on the public network: Client-Call-ID field
    • PPTP server on the private network and PPTP client on the public network: Server-Call-ID field
  • RTSP: Port field in a setup/reply OK packet

DNS Mapping

In practice, users on a private network need to access internal servers on the same private network using domain names, but the DNS server is located on a public network. Usually, a DNS response packet carries the public IP address of an internal server. If the NAT device does not replace the public IP address resolved by the DNS server with the private IP address of the internal server, users on the private network cannot access the internal server using the domain name.

DNS mapping can solve the problem by configuring a table that specifies the mapping between domain names, public IP addresses, public port numbers, and protocol types. In this manner, the mapping between domain names of servers on the private network and public network information is established.

Figure 1-5 describes the implementation of DNS mapping.

Figure 1-5 Networking diagram for DNS mapping

As shown in Figure 1-5, the host on the private network needs to access the web server using the domain name, and the Router functions as a NAT server. After receiving a DNS response packet, the Router searches the DNS mapping table for the information about the web server based on the domain name carried in the response packet. Then, the Router replaces the public IP address carried in the DNS response packet with the private IP address of the web server. In this manner, the DNS response packet received by the host carries the private IP address of the web server. Then, the host can access the web server using the domain name.

NAT Associated with VPNs

NAT allows hosts on private networks to access public networks, hosts in different virtual private networks (VPNs) on a private network to access a public network through the same outbound interface, and hosts with the same IP address in different VPNs to access a public network simultaneously. NAT also supports the NAT server associated with VPNs, which allows a host on a public network to access hosts in different VPNs on a private network, including hosts that have the same IP address in different VPNs.

Source NAT Associated with VPNs

Source NAT associated with VPNs allows hosts in different VPNs on a private network to access a public network using NAT. Figure 1-6 shows the networking for NAT associated with VPNs.

Figure 1-6 Networking diagram for source NAT associated with VPNs

Source NAT associated with VPNs is implemented as follows:

  1. The IP addresses of host A in VPN 1 and host B in VPN 2 are 10.1.1.1. Host A and host B want to access the same server on the public network.
  2. When a router functions as a NAT device, the router translates the source IP address of the packet sent from host A to 1.1.1.1 and the source IP address of the packet sent from host B to 1.1.2.1. In addition, the router records the VPN information about the hosts in the NAT translation table.
  3. When the response packets sent from the server on the public network to host A and host B pass through the router:
    • The NAT module translates the destination IP address 1.1.1.1 of the packet sent to host A to 10.1.1.1 based on the NAT translation table, and then sends the packet to host A in VPN 1.
    • The NAT module translates the destination IP address 1.1.2.1 of the packet sent to host B to 10.1.1.1 based on the NAT translation table, and then sends the packet to host B in VPN 2.

NAT Server Associated with VPNs

NAT server associated with VPNs allows hosts on a public network to access servers in different VPNs on a private network using NAT.

Figure 1-7 Networking diagram for NAT server associated with VPNs

As shown in Figure 1-7, the IP addresses of server A in VPN 1 and server B in VPN 2 are 10.1.1.1. The public address of server A is 1.1.10.1 and that of server B is 1.1.20.1. Hosts on the public network can access server A using 1.1.10.1 and access server B using 1.1.20.1.

The NAT server associated with VPNs is implemented as follows:

  1. A host on the public network sends a packet with the destination IP address as 1.1.10.1 to server A in VPN 1 and sends a packet with the destination IP address as 1.1.20.1 to server B in VPN 2.
  2. The router functions as the NAT server. Based on the packets' destination IP addresses and VPN information:
    • The router translates the destination address 1.1.10.1 to 10.1.1.1 and sends the packet to server A in VPN 1.
    • The router translates the destination address 1.1.20.1 to 10.1.1.1 and sends the packet to server B in VPN 2.

      In addition, the router records the VPN information in the NAT translation table.

  3. When the response packets sent from server A and server B to the host on the public network pass through the router:
    • The NAT module translates the source IP address 10.1.1.1 of the packet sent from server A to 1.1.10.1 based on the NAT translation table, and sends the packet to the host on the public network.
    • The NAT module translates the source IP address 10.1.1.1 of the packet sent from server B to 1.1.20.1 based on the NAT translation table, and sends the packet to the host on the public network.

Twice NAT

Twice NAT refers to translation of both the source and destination IP addresses of a data packet. It is applied to the situation where a private IP address is the same as a public IP address.

Figure 1-8 Networking diagram for twice NAT

The process of twice NAT is described as follows:

  1. Host A with the IP address 1.1.1.1 on the private network wants to access host B with the same IP address on the public network. Host A sends a DNS request to the DNS server on the public network. The DNS server sends a response packet containing the IP address 1.1.1.1 of host B. When the response packet passes through the router, the router performs DNS ALG and translates host B's IP address 1.1.1.1 in the response packet to the unique temporary IP address 3.3.3.1. Then, the router forwards the response packet to Host A.
  2. Host A sends a request packet with the destination IP address as the temporary IP address 3.3.3.1, for accessing host B. When the request packet passes through the router, the router detects that the destination IP address is the temporary IP address, and translates the destination IP address to host B's real IP address 1.1.1.1. Meanwhile, the router translates the source IP address of the request packet to an address in the outbound NAT address pool using outbound NAT. Then, the router forwards the request packet to host B.
  3. Host B sends host A a response packet with the destination IP address as the address in the outbound NAT address pool and the source IP address as the IP address of host B 1.1.1.1. When the response packet passes through the router, the router detects that the source IP address is the same as the real IP address of host A, and translates the source IP address to the temporary IP address 3.3.3.1 using NAT. Meanwhile, the router translates the destination IP address of the response packet to the private IP address 1.1.1.1 of host A. Then, the router forwards the response packet to host A.

Figure 1-9 Networking diagram for twice NAT when multiple VPNs are deployed on a private network

A private network may consist of multiple VPNs and hosts in the VPNs may have the same IP address. When configuring DNS ALG on a router, you need to add the VPN information that is used as the condition for mapping identical IP addresses of the hosts in the VPNs to IP addresses in the temporary address pool. Figure 1-9 shows the networking for twice NAT when multiple VPNs are deployed on a private network. When multiple VPNs are deployed on a private network, the twice NAT process remains unchanged. The source IP address of host A in VPN A is translated to the temporary address 3.3.3.1, and the source IP address of host B in VPN B is translated to the temporary address 4.4.4.1.
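The twice NAT exchange of Figure 1-8, as an added Python simulation (not Huawei code): the DNS ALG maps host B's 1.1.1.1 to the temporary address 3.3.3.1, and the router rewrites both addresses on the request and on the reply. The outbound pool address 2.2.2.100 and the non-overlapping DNS answer 9.9.9.9 are constructed, since the page does not name them.

```python
"""Twice NAT with DNS ALG, simulated with the page's addresses (added example).

Host A (private) and host B (public) both use 1.1.1.1. The temporary
address 3.3.3.1 is from the text; the outbound pool address 2.2.2.100 is
constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class TwiceNat:
    def __init__(self, temp_pool: List[str], outbound_pool: List[str]):
        self.temp_free = list(temp_pool)            # temporary address pool
        self.out_free = list(outbound_pool)         # outbound NAT address pool
        self.temp_to_real: Dict[str, str] = {}      # 3.3.3.1 -> 1.1.1.1 (host B)
        self.real_to_temp: Dict[str, str] = {}
        self.out_to_private: Dict[str, str] = {}    # pool address -> host A
        self.private_to_out: Dict[str, str] = {}
        self.private_hosts = set()                  # private addresses seen

    def dns_alg(self, private_host: str, answer: str) -> str:
        """Step 1: rewrite a DNS answer that collides with a private address."""
        self.private_hosts.add(private_host)
        if answer != private_host:
            return answer                           # no overlap, leave it alone
        if answer not in self.real_to_temp:
            temp = self.temp_free.pop(0)
            self.real_to_temp[answer] = temp
            self.temp_to_real[temp] = answer
        return self.real_to_temp[answer]

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 2: temp -> real on the destination, private -> pool on the source."""
        real_dst = self.temp_to_real.get(pkt.dst)
        if real_dst is None:
            return None                             # not a temporary address
        if pkt.src not in self.private_to_out:
            pool = self.out_free.pop(0)
            self.private_to_out[pkt.src] = pool
            self.out_to_private[pool] = pkt.src
        return Packet(self.private_to_out[pkt.src], real_dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 3: real -> temp on the source, pool -> private on the destination."""
        private_dst = self.out_to_private.get(pkt.dst)
        if private_dst is None:
            return None                             # no outbound session
        src = pkt.src
        if src in self.private_hosts:               # same as host A's real address
            src = self.real_to_temp.get(src, src)
        return Packet(src, private_dst)


def demo() -> dict:
    """Replay steps 1 to 3 of the text and return what host A and host B see."""
    nat = TwiceNat(temp_pool=["3.3.3.1"], outbound_pool=["2.2.2.100"])
    host_a = "1.1.1.1"
    resolved = nat.dns_alg(host_a, "1.1.1.1")        # host B's real address -> 3.3.3.1
    plain = nat.dns_alg(host_a, "9.9.9.9")           # constructed: no overlap, unchanged
    request = nat.outbound(Packet(host_a, resolved)) # 2.2.2.100 -> 1.1.1.1
    reply = nat.inbound(Packet("1.1.1.1", request.src))  # host B answers the pool address
    return {"resolved": resolved, "plain": plain, "request": request, "reply": reply}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```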

NAT Filtering and NAT Mapping

NAT filtering allows a NAT device to filter the traffic from a public network to a private network. NAT mapping enables the IP addresses of a group of hosts on a private network to be mapped to the same public IP address using the NAT mapping table.

NAT Filtering

A NAT device filters the traffic from the external network to the internal network. NAT filtering includes the following modes:

  • Endpoint-independent filtering
  • Endpoint-dependent filtering
  • Endpoint and port-dependent filtering

Figure 1-10 shows the NAT filtering applications.

Figure 1-10 NAT filtering applications

As shown in the preceding figure, PC-1 on the private network communicates with PC-2 and PC-3 on the public network through a NAT device. Datagram 1 is sent from PC-1 to PC-2. The source port number of the datagram is 1111 and the destination port number is 2222. The NAT device translates the source IP address to 3.3.3.3.

After PC-1 sends an access request to a PC on the public network, that PC transmits traffic back to PC-1, and the NAT device filters the traffic destined for PC-1. Datagram 2', datagram 3', and datagram 4' are sent in three scenarios corresponding to the preceding three NAT filtering modes.

  • Datagram 2' is sent from PC-3 to PC-1. Its source address (PC-3) differs from the destination address of datagram 1 (PC-2), and its destination port number is 1111. Datagram 2' can pass through the NAT device only when endpoint-independent filtering is used.
  • Datagram 3' is sent from PC-2 to PC-1. Its source address (PC-2) is the same as the destination address of datagram 1, and its destination port number is 1111. Its source port number is 3333, which differs from the destination port number of datagram 1. Datagram 3' can pass through the NAT device only when endpoint-dependent filtering or endpoint-independent filtering is used.
  • Datagram 4' is sent from PC-2 to PC-1. Its source address (PC-2) is the same as the destination address of datagram 1, and its destination port number is 1111. Its source port number is 2222, the same as the destination port number of datagram 1. Endpoint and port-dependent filtering, the default mode, permits exactly this reverse traffic, so datagram 4' passes through the NAT device regardless of which filtering mode is configured, or whether one is configured at all.

NAT Mapping

After NAT mapping is enabled on a public network, it seems that all flows from a private network come from the same IP address because hosts on the private network share the same public IP address. When a host on the private network initiates a session request to a host on the public network, the NAT device searches the NAT translation table for the related session record. If the NAT device finds the session record, it translates the private IP address and port number and forwards the request. If the NAT device does not find the session record, it translates the private IP address and port number and meanwhile adds a session record to the NAT translation table. NAT mapping includes the following modes:

  • Endpoint-independent mapping: The NAT uses the same IP address and port mapping for packets sent from the same private IP address and port to any public IP address and port.
  • Endpoint and port-dependent mapping: The NAT uses the same port mapping for packets sent from the same private IP address and port to the same public IP address and port if the mapping is still active.
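An added Python simulation (not Huawei code) of the three NAT filtering modes and the two NAT mapping modes described in the two sections above, replaying datagrams 1, 2', 3', and 4' of Figure 1-10. PC-1's private address 10.0.0.1, the public addresses 5.5.5.2 (PC-2) and 5.5.5.3 (PC-3), and the source port of datagram 2' are constructed because the page does not give them; the external port of datagram 1 is forced to 1111 so the figure's port numbers are reproduced.

```python
"""NAT filtering and NAT mapping modes, simulated after Figure 1-10 (added example).

PC-1 (private, constructed address 10.0.0.1) is translated to 3.3.3.3.
PC-2 = 5.5.5.2 and PC-3 = 5.5.5.3 are constructed public addresses."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]

EIF = "endpoint-independent"            # any remote may send to the mapping
ADF = "endpoint-dependent"              # remote IP must have been contacted
APDF = "endpoint-and-port-dependent"    # remote IP and port must match (default)

EIM = "endpoint-independent-mapping"    # one external port per private endpoint
APDM = "endpoint-and-port-dependent-mapping"  # one per private endpoint + remote


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint


class Nat:
    def __init__(self, public_ip: str, filtering: str = APDF,
                 mapping: str = EIM, first_port: int = 1024):
        self.public_ip = public_ip
        self.filtering = filtering
        self.mapping = mapping
        self.next_port = first_port
        self.table: Dict[tuple, Endpoint] = {}   # mapping key -> external endpoint
        # external endpoint -> (private endpoint, remotes the private host sent to)
        self.sessions: Dict[Endpoint, Tuple[Endpoint, Set[Endpoint]]] = {}

    def _key(self, d: Datagram) -> tuple:
        if self.mapping == EIM:
            return (d.src,)
        return (d.src, d.dst)

    def outbound(self, d: Datagram) -> Datagram:
        key = self._key(d)
        if key not in self.table:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            self.table[key] = ext
            self.sessions.setdefault(ext, (d.src, set()))
        ext = self.table[key]
        self.sessions[ext][1].add(d.dst)         # remember whom PC-1 talked to
        return Datagram(ext, d.dst)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Translate an inbound datagram, or return None if filtering drops it."""
        if d.dst not in self.sessions:
            return None                           # no mapping at all
        private, remotes = self.sessions[d.dst]
        if self.filtering == APDF and d.src not in remotes:
            return None
        if self.filtering == ADF and d.src[0] not in {ip for ip, _ in remotes}:
            return None
        return Datagram(d.src, private)


def filtering_results() -> Dict[str, Tuple[bool, bool, bool]]:
    """For each filtering mode: do datagrams 2', 3', and 4' reach PC-1?"""
    pc1, pc2, pc3 = "10.0.0.1", "5.5.5.2", "5.5.5.3"
    out = {}
    for mode in (EIF, ADF, APDF):
        nat = Nat("3.3.3.3", filtering=mode, first_port=1111)
        d1 = nat.outbound(Datagram((pc1, 1111), (pc2, 2222)))   # datagram 1
        ext = d1.src                                            # ('3.3.3.3', 1111)
        d2 = nat.inbound(Datagram((pc3, 2222), ext))   # 2': other host (port constructed)
        d3 = nat.inbound(Datagram((pc2, 3333), ext))   # 3': same host, other port
        d4 = nat.inbound(Datagram((pc2, 2222), ext))   # 4': exact reverse of datagram 1
        out[mode] = (d2 is not None, d3 is not None, d4 is not None)
    return out


def mapping_results() -> Dict[str, Tuple[Endpoint, Endpoint]]:
    """External endpoints PC-1:1111 gets when talking to two public hosts."""
    pc1, pc2, pc3 = "10.0.0.1", "5.5.5.2", "5.5.5.3"
    out = {}
    for mode in (EIM, APDM):
        nat = Nat("3.3.3.3", mapping=mode, first_port=1111)
        a = nat.outbound(Datagram((pc1, 1111), (pc2, 2222))).src
        b = nat.outbound(Datagram((pc1, 1111), (pc3, 2222))).src
        out[mode] = (a, b)
    return out


if __name__ == "__main__":
    print(filtering_results())
    print(mapping_results())
```

Under endpoint-independent mapping the second outbound flow reuses external port 1111, while endpoint and port-dependent mapping allocates 1112, which is why the former is the mode that lets peers reach a host behind the NAT.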

Application Scenarios for NAT

Private Network Hosts Accessing Public Network

Private IP addresses are planned for hosts on private networks for communities, schools, and enterprises because public IP addresses are limited. In this case, the NAT technology can be used to implement access from hosts on the private networks to public networks. As shown in Figure 1-11, Easy IP is configured on the Router to enable the hosts on the private network to access the server on the public network.

Figure 1-11 Networking diagram for private network hosts accessing public network servers

Public Network Hosts Accessing Private Network Servers

On private networks, some servers such as web servers and FTP servers need to provide services for public network users. NAT supports this application. As shown in Figure 1-12, the NAT server is configured. That is, mapping between the public IP address and port number and the private IP address and port number is defined. As a result, the host on the public network can access the server on the private network using the mapping.

Figure 1-12 Networking diagram for public network hosts accessing private network servers

Private Network Hosts Accessing Private Network Servers Using the Domain Name

Hosts on a private network need to access a server on the same private network using the domain name. The DNS server, however, is located on a public network. You can configure DNS mapping to allow the private network hosts to reach the internal server by domain name. As shown in Figure 1-13, a DNS mapping table is configured to define the mapping between the domain name, public IP address, public port number, and protocol type. The public IP address carried in the DNS response packet is replaced by the private IP address of the server on the private network. In this manner, hosts on the private network can access the server using the domain name.

Figure 1-13 Networking diagram for private network hosts accessing private network servers using the domain name

NAT Multi-instance

NAT multi-instance allows hosts that belong to different MPLS VPNs but have the same private IP address to access a public network through the same egress device simultaneously. As shown in Figure 1-14, host A and host B have the same private IP address, but they belong to different VPNs. NAT associated with VPNs is enabled to differentiate the hosts in different VPNs. In this manner, host A and host B can access the public network server simultaneously.

Figure 1-14 Networking diagram for NAT multi-instance

Summary of NAT Configuration Tasks

As shown in Table 1-2, users can select NAT features based on usage scenarios and configure the selected NAT features.

Table 1-2 NAT configuration tasks

  • Scenario: Internal hosts use private IP addresses to access external networks.
    Description: Internal hosts of an enterprise use private IP addresses to communicate with each other, but cannot access external networks. Dynamic NAT translates the private IP address of a host to a public IP address and establishes a mapping between the private and public addresses. When the response packet reaches the device, the public IP address is translated back to the private IP address and the packet is forwarded to the host. In this way, intranet users can access external networks.
    Task: Configuring Dynamic NAT
  • Scenario: Important internal hosts use fixed public IP addresses and port numbers to communicate with external hosts.
    Description: Dynamic NAT cannot replace private IP addresses and port numbers with fixed public IP addresses and port numbers. When some important hosts need to access the external network using fixed public IP addresses and port numbers, dynamic NAT cannot meet this requirement. Static NAT sets up a fixed mapping between public and private IP addresses: a specific private IP address can be replaced only by the specified public IP address. In this way, the important hosts can access the external network using fixed public IP addresses.
    Task: Configuring Static NAT
  • Scenario: External users access internal servers.
    Description: NAT shields the IP addresses of internal hosts. When the internal network needs to provide services such as web and FTP services for external users, internal servers must be accessible to external users at any time. The NAT server enables the internal servers to be accessible at any time: by configuring the mapping between the public and private IP addresses and between the public and private port numbers, the NAT device can translate public IP addresses to private IP addresses.
    Task: Configuring an Internal NAT Server

Licensing Requirements and Limitations for NAT

Involved Network Elements

No other network elements are required.

Licensing Requirements

NAT is a basic feature of a router and is not under license control.

Feature Limitations

  • By default, the route forwarding function is enabled on high-end LAN cards (8FE1GE, 24GE, and 24ES2GP). These cards do not send received IP packets to the CPU when the IP packets are forwarded on the LAN card. As a result, NAT services configured on VLANIF interfaces do not take effect.

Configuring Dynamic NAT

Configuring ACL Rules

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl [ number ] acl-number [ match-order { auto | config } ]

    An ACL with the specified number is created and the ACL view is displayed.

  3. Configure basic or advanced ACLs as required. For details, see Configuring a Basic ACL or Configuring an Advanced ACL in the Huawei AR Series V200R010 Configuration Guide - Security - ACL Configuration.

    NOTE:

    Only basic ACLs (2000 to 2999) and advanced ACLs (3000 to 3999) can be used to configure the NAT function.

    1. When permit is used in the ACL rule, the system uses the address pool to translate addresses for the packets of which the source IP address is specified in the ACL rule.
    2. When permit is not used in the ACL rule, the NAT policy referencing the ACL does not take effect. That is, the system searches routes for packets, but does not translate addresses.
    3. If the ACL rule referenced in the command is modified, the modification does not take effect immediately. To make the modification take effect immediately, run the reset nat session command to clear the mapping entry information. You are advised not to modify the ACL rules in use.

Configuring Outbound NAT

Context

The address pool used by outbound NAT stores a set of public IP addresses used by dynamic NAT. When dynamic NAT is performed, an address in the address pool is selected for NAT address translation.

To access external networks through dynamic NAT, intranet users can choose one of the following modes based on their public IP address plan:

  • If public IP addresses remain available after the IP addresses of the outbound interfaces and of other applications on the NAT device have been assigned, users can choose outbound NAT with an address pool.
  • If no public IP addresses remain available after the IP addresses of the outbound interfaces and of other applications on the NAT device have been assigned, users can choose Easy IP, which uses the IP address of the outbound interface on the NAT device to implement dynamic NAT.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure outbound NAT. Users can choose one of the following configuration methods based on actual situations:

    • Configure outbound NAT with an address pool.
      1. Run nat address-group group-index start-address end-address

        A public address pool is configured.

      2. Run interface interface-type interface-number [ .subnumber ]

        The interface view or sub-interface view is displayed.

      3. Run nat outbound acl-number address-group group-index [ no-pat ]

        Outbound NAT that references an address pool is configured.

    • Configure Easy IP without an address pool.
      1. Run interface interface-type interface-number [ .subnumber ]

        The interface view or sub-interface view is displayed.

      2. Run nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ] [ vrrp vrrpid ]

        Easy IP is configured.

(Optional) Enabling NAT ALG

Context

Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols such as DNS and FTP carry an IP address or port number in the Data field. Such content cannot be translated by NAT alone, so communication between internal and external networks fails.

The application level gateway (ALG) function enables the NAT device to identify the IP address or port number in the Data field and translate it based on the mapping table. In this way, packets can traverse NAT devices. Currently, the ALG function supports DNS, FTP, SIP, PPTP, and RTSP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat alg { all | protocol-name } enable

    The NAT ALG function for specified application protocols is enabled.

    By default, the NAT ALG function is disabled.

  3. (Optional) Run port-mapping { dns | ftp | sip | rtsp | pptp } port port-number acl acl-number

    The port mapping is configured.

    Run the port-mapping command to configure port mapping when the application protocol that is enabled with the NAT ALG function uses a non-well-known port number, namely a non-default port number.

  4. (Optional) Run tcp proxy ip-address port-number [ acl acl-number ]

    The TCP proxy function is enabled.

    By default, the TCP proxy function is disabled on the device.

  5. (Optional) Run tcp proxy aging-time aging-time

    The aging time of a TCP connection set up by the TCP proxy is configured.

    By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.

(Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device

Context

When the SIP server is deployed on the public network and SIP phones on the public and private networks are interconnected, call quality suffers if the bandwidth on the NAT device is insufficient. You can enable call admission control (CAC) and set the total bandwidth on the NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call would exceed the specified value, the call is rejected.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number [ .subnumber ] }

    CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.

    By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.

(Optional) Configuring NAT Filtering and NAT Mapping

Context

NAT conserves IPv4 addresses and improves network security. Because different vendors implement NAT differently, applications using STUN, TURN, and ICE may fail to traverse NAT devices; these technologies are implemented using SIP proxy. SIP proxy is a multi-channel application that needs to create multiple data channels to work. To ensure that these data channels can be established, NAT filtering and NAT mapping must be configured so that only packets meeting the filtering and mapping conditions pass through.

The device supports the following NAT mapping types:

  • Endpoint-and-port-independent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Endpoint-and-port-dependent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.

The device supports the following NAT filtering types:

  • Endpoint-and-port-independent filtering
  • Endpoint-dependent and port-independent filtering
  • Endpoint-and-port-dependent filtering

NOTE:

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT devices.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

    The NAT mapping mode is configured.

    The default NAT mapping mode is endpoint-and-port-dependent.

  3. Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

    The NAT filtering mode is configured.

    The default NAT filtering mode is endpoint-and-port-dependent.
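The following added example (not Huawei code) models the two mapping modes and the three filtering modes named above so the difference is visible on concrete packets: an internal SIP phone talks to a proxy, and the model decides which inbound packets each mode lets back in. All addresses, the port allocation scheme and the class and function names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed model of the NAT mapping and filtering modes this section lists.
# It is an added illustration, not Huawei code; the mode names follow the
# nat mapping-mode / nat filter-mode keywords on this page.
Endpoint = Tuple[str, int]  # (IP address, port)

MAPPING_MODES = ("endpoint-independent", "endpoint-and-port-dependent")
FILTER_MODES = ("endpoint-independent", "endpoint-dependent",
                "endpoint-and-port-dependent")


@dataclass
class Binding:
    """One active mapping: an internal endpoint and its public endpoint."""
    inside: Endpoint
    external: Endpoint
    peers: Set[Endpoint] = field(default_factory=set)  # remotes already contacted


class NatDevice:
    def __init__(self, public_ip: str,
                 mapping_mode: str = "endpoint-and-port-dependent",  # page default
                 filter_mode: str = "endpoint-and-port-dependent"):  # page default
        if mapping_mode not in MAPPING_MODES or filter_mode not in FILTER_MODES:
            raise ValueError("unknown NAT mode")
        self.public_ip = public_ip
        self.mapping_mode = mapping_mode
        self.filter_mode = filter_mode
        self.next_port = 10000  # constructed allocation scheme, not the device's
        self.bindings: Dict[tuple, Binding] = {}
        self.by_external: Dict[Endpoint, Binding] = {}

    def _key(self, inside: Endpoint, remote: Endpoint) -> tuple:
        # Endpoint-independent mapping: one public port per internal socket,
        # reused for every remote. Endpoint-and-port-dependent mapping: a new
        # public port for each distinct remote IP address and port.
        if self.mapping_mode == "endpoint-independent":
            return (inside,)
        return (inside, remote)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outbound packet; returns the public endpoint used."""
        key = self._key(inside, remote)
        binding = self.bindings.get(key)
        if binding is None:
            external = (self.public_ip, self.next_port)
            self.next_port += 1
            binding = Binding(inside, external)
            self.bindings[key] = binding
            self.by_external[external] = binding
        binding.peers.add(remote)
        return binding.external

    def inbound(self, remote: Endpoint, external: Endpoint) -> Optional[Endpoint]:
        """Apply the filtering mode to an inbound packet addressed to a public
        endpoint; returns the internal endpoint it is forwarded to, or None
        when the packet is dropped."""
        binding = self.by_external.get(external)
        if binding is None:
            return None  # no mapping at all: always dropped
        if self.filter_mode == "endpoint-independent":
            return binding.inside  # any remote may use the mapping
        if self.filter_mode == "endpoint-dependent":
            # the remote IP must have been contacted; any remote port passes
            if any(peer[0] == remote[0] for peer in binding.peers):
                return binding.inside
            return None
        # endpoint-and-port-dependent: exact remote IP address and port required
        return binding.inside if remote in binding.peers else None


if __name__ == "__main__":
    phone = ("192.168.1.10", 5060)     # constructed internal SIP phone
    proxy = ("198.51.100.5", 5060)     # constructed public SIP proxy
    nat = NatDevice("203.0.113.1", "endpoint-independent", "endpoint-and-port-dependent")
    ext = nat.outbound(phone, proxy)
    print("forwarded" if nat.inbound(proxy, ext) else "dropped")
```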

(Optional) Configuring Twice NAT

Context

If the IP addresses of internal hosts overlap with those of external hosts, twice NAT can be configured. The overlapping addresses are replaced with temporary addresses and then translated by NAT so that the internal and external hosts can access each other.

  • An overlapping address pool specifies which internal IP addresses can overlap with public IP addresses. Twice NAT is performed only on the addresses in the overlapping address pool.
  • A temporary address pool specifies which temporary IP addresses can replace addresses in the overlapping address pool.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

    The mapping between the overlapping address pool and the temporary address pool is configured.

    NOTE:
    • A maximum of 255 addresses can be configured in the overlapping address pool and the temporary address pool.
    • When the VPN instance specified in the command is deleted, the configuration of twice NAT is also deleted.

(Optional) Configuring NAT Log Output

Context

NAT logs are generated when the router performs address translation. The logs record the original source IP addresses, source ports, destination IP addresses, and destination ports, the translated source IP addresses and source ports, and the user actions and time stamps. You can view NAT logs to learn which users have accessed a network through NAT.

The router can send NAT logs to a specified log host, as shown in Figure 1-15.

Figure 1-15 Sending NAT logs to a specified log host

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall log session enable

    The firewall log function is enabled.

  3. Run firewall log session nat enable

    The NAT session log function is enabled.

  4. (Optional) Run nat log-format elog

    The NAT log format is set to eLog. The logs are generated in the format required by the eLog server.

  5. Run the following command to output logs to the information center log host or session log host:

    • Output logs to the information center log host
      1. Run info-center enable

        The information center is enabled.

      2. Run info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { vpn-instance vpn-instance-name | public-net } ] *

        The channel through which logs are output to the log host is configured.

        The router supports a maximum of eight log hosts to implement backup among log hosts.

    NOTE:

    For details on how to configure the router to send logs to a log host, see Example for Outputting Log Information to a Log Host in "Information Center Configuration" of the Huawei AR Series V200R010 Configuration Guide - Device Management.

    • Output logs to the session log host

      Run firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

      A session log host is configured.

      By default, no session log host is configured.

(Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall-nat session { { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time time-value

    The aging time of NAT mapping entries is configured.

    By default, the aging time of NAT mapping entries for each protocol is as follows:

    • DNS: 120 seconds
    • FTP: 120 seconds
    • FTP-data: 120 seconds
    • HTTP: 120 seconds
    • ICMP: 20 seconds
    • TCP: 600 seconds
    • TCP-proxy: 10 seconds
    • UDP: 120 seconds
    • SIP: 1800 seconds
    • SIP-media: 120 seconds
    • RTSP: 60 seconds
    • RTSP-media: 120 seconds
    • PPTP: 600 seconds
    • PPTP-data: 600 seconds

    The default aging time of session entries on a user-defined TCP or UDP port is the same as that of the corresponding protocol.

(Optional) Enabling NAT Service Priority

Context

Some scenarios require the NAT service to have a higher priority than routing services. In this case, NAT is performed first, and the routing table is then searched for the translated addresses to forward the traffic. For example, to allow a public network device to access a private network device, configure static NAT first to translate the private IP address into a fixed public IP address, and then configure a static route to that public IP address so that traffic from the public network to the private network is forwarded through NAT.

Pre-configuration Tasks

Before enabling NAT service priority, complete the following tasks:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat inside priority enable

    The NAT service has a higher priority than routing services.

    By default, routing services have a higher priority.

(Optional) Enabling the Function of Discarding Packets That Do Not Match ACL Rules

Context

After an ACL is associated with a NAT address pool, the device translates the source address of a packet matching the ACL into an IP address in the NAT address pool. You can run the nat miss forward deny command to discard the packets that do not match the ACL rules bound to NAT.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat miss forward deny

    The function of discarding packets that do not match ACL rules bound to NAT is enabled.

    By default, the function of discarding the packets that do not match the ACL rules bound to NAT is disabled on a device.
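The added example below (not the device's code) ties together the ACL note at the start of this chapter (only a permit rule activates the address pool), the outbound NAT address-pool and no-pat options, and nat miss forward deny: for each outbound packet it decides whether the packet is translated, routed untranslated, or dropped. The pool addresses, ACL prefixes, port allocation and the choice to treat a deny match like a non-match are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the outbound NAT decision: an ACL with permit/deny
# rules checked in configured order (match-order config), a nat address-group
# pool with or without no-pat, and the nat miss forward deny switch.
# Added illustration, not Huawei code; port allocation is an assumption.

Endpoint = Tuple[str, int]


@dataclass
class AclRule:
    action: str   # "permit" or "deny"
    source: str   # source prefix in CIDR notation, e.g. "10.1.0.0/16"

    def __post_init__(self):
        self.network = ipaddress.ip_network(self.source)


def acl_lookup(rules: List[AclRule], src_ip: str) -> Optional[str]:
    """Action of the first rule whose source prefix contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.network:
            return rule.action
    return None


class OutboundNat:
    def __init__(self, pool_start: str, pool_end: str, acl: List[AclRule],
                 no_pat: bool = False, miss_forward_deny: bool = False):
        first = ipaddress.ip_address(pool_start)
        last = ipaddress.ip_address(pool_end)
        self.pool = [str(ipaddress.ip_address(n))
                     for n in range(int(first), int(last) + 1)]
        self.acl = acl
        self.no_pat = no_pat
        self.miss_forward_deny = miss_forward_deny
        self.bindings: Dict[Endpoint, Endpoint] = {}    # inside socket -> public socket
        self.host_map: Dict[str, str] = {}              # no-pat: inside IP -> public IP
        self.next_port = {ip: 1024 for ip in self.pool}  # PAT: next free port per IP

    def translate(self, src_ip: str, src_port: int):
        """Decide what happens to an outbound packet.
        Returns ("translated", public socket), ("forwarded", original socket)
        or ("dropped", None)."""
        # Only a permit rule activates the pool. A deny match and "no rule
        # matched" are handled the same way here (assumption).
        if acl_lookup(self.acl, src_ip) != "permit":
            if self.miss_forward_deny:
                return "dropped", None
            return "forwarded", (src_ip, src_port)     # routed, not translated
        inside = (src_ip, src_port)
        if inside in self.bindings:
            return "translated", self.bindings[inside]  # existing session entry
        if self.no_pat:
            # one-to-one: the host keeps a whole public address, port unchanged
            public_ip = self.host_map.get(src_ip)
            if public_ip is None:
                free = [ip for ip in self.pool if ip not in self.host_map.values()]
                if not free:
                    return "dropped", None              # pool exhausted
                public_ip = free[0]
                self.host_map[src_ip] = public_ip
            public = (public_ip, src_port)
        else:
            # PAT: pool addresses are shared; sessions differ by translated port
            public_ip = self.pool[len(self.bindings) % len(self.pool)]
            public = (public_ip, self.next_port[public_ip])
            self.next_port[public_ip] += 1
        self.bindings[inside] = public
        return "translated", public


if __name__ == "__main__":
    # constructed ACL: deny one subnet, permit the rest of 10.1.0.0/16
    acl = [AclRule("deny", "10.1.1.0/24"), AclRule("permit", "10.1.0.0/16")]
    nat = OutboundNat("203.0.113.10", "203.0.113.11", acl, miss_forward_deny=True)
    for host in ("10.1.2.5", "10.1.1.5", "172.16.0.1"):
        print(host, nat.translate(host, 40000))
```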

Verifying the Dynamic NAT Configuration

Procedure

  • Run the display nat address-group [ group-index ] [ verbose ] command to verify the configuration of a NAT address pool.
  • Run the display nat outbound [ acl acl-number | address-group group-index | interface interface-type interface-number [ .subnumber ] ] command to verify the configuration of outbound NAT.
  • Run the display nat alg command to verify the NAT ALG configuration.
  • Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to verify the configuration of twice NAT.
  • Run the display firewall-nat session aging-time command to check the aging time of NAT mapping entries.
  • Run the display nat sip cac bandwidth information [ verbose ] command to check the current total bandwidth and occupied bandwidth on the device.
  • Run the display nat filter-mode command to check the current NAT filtering mode.
  • Run the display nat mapping-mode command to check the NAT mapping mode.
  • Run the display nat mapping table { all | number } or display nat mapping table inside-address ip-address protocol protocol-name port port-number [ vpn-instance vpn-instance-name ] command to check the NAT table information or the number of entries in the NAT table.

Configuring Static NAT

Configuring Static Address Mapping

Procedure

  1. You can configure static address mapping as follows:

    Configuring static address mapping in the interface view:

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number [ .subnumber ]

      The interface view or sub-interface view is displayed.

    3. Run one of the following commands as required:
      • nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]
      • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]
      • nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port global-port2 [ vrrp vrrpid ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
      • nat static protocol { tcp | udp } global global-address global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

    Configuring static address mapping in the system view:

    1. Run system-view

      The system view is displayed.

    2. Run one of the following commands as required:
      • nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
      • nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
      • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
    3. Run interface interface-type interface-number [ .subnumber ]

      The interface view or sub-interface view is displayed.

    4. Run nat static enable

      Static NAT is enabled on the interface.

    NOTE:
    • To specify a global VPN, you are advised to configure static NAT in the interface view. Then the device can automatically obtain information about the VPN instance associated with the interface, and you do not need to manually specify the VPN instance at the public network side (global). To associate static NAT with a global VPN in the system view, you can specify a loopback interface as the outbound interface at the public network side, and then specify a VPN instance.
    • When configuring static NAT, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.
    • If you run the undo nat static command, static mapping entries are not immediately deleted. To clear static mapping entries, run the reset nat session command.
    • You are advised to use the second method if multiple interfaces use the same static NAT mapping.
    • When you configure static one-to-one NAT that borrows an interface IP address (no port number is specified and the IP address is mapped to a private network address), other services enabled on the interface may become unavailable. Confirm your action before performing the configuration. If you want to enable other applications on the interface, add an ACL rule after the configuration to exclude the port numbers used by those applications.
    • The specified global-port or host-port cannot be used by other applications. Otherwise, the configuration does not take effect.

(Optional) Enabling NAT ALG

Context

Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols such as DNS and FTP carry an IP address or port number in the Data field. Such content cannot be translated by NAT alone, so communication between internal and external networks fails.

The application level gateway (ALG) function enables the NAT device to identify the IP address or port number in the Data field and translate it based on the mapping table. In this way, packets can traverse NAT devices. Currently, the ALG function supports DNS, FTP, SIP, PPTP, and RTSP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat alg { all | protocol-name } enable

    The NAT ALG function for specified application protocols is enabled.

    By default, the NAT ALG function is disabled.

  3. (Optional) Run port-mapping { dns | ftp | sip | rtsp | pptp } port port-number acl acl-number

    The port mapping is configured.

    Run the port-mapping command to configure port mapping when the application protocol that is enabled with the NAT ALG function uses a non-well-known port number, namely a non-default port number.

  4. (Optional) Run tcp proxy ip-address port-number [ acl acl-number ]

    The TCP proxy function is enabled.

    By default, the TCP proxy function is disabled on the device.

  5. (Optional) Run tcp proxy aging-time aging-time

    The aging time of a TCP connection set up by the TCP proxy is configured.

    By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.

(Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device

Context

When the SIP server is deployed on the public network and SIP phones on the public and private networks are interconnected, call quality suffers if the bandwidth on the NAT device is insufficient. You can enable call admission control (CAC) and set the total bandwidth on the NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call would exceed the specified value, the call is rejected.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number [ .subnumber ] }

    CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.

    By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.

(Optional) Configuring DNS Mapping

Context

If an enterprise has no internal DNS server but needs to access internal servers using the domain name, intranet users of the enterprise must use DNS servers on external networks.

Intranet users can use the external DNS server to access an external server by performing NAT; however, intranet users cannot use the external DNS server to access an internal server because the IP address resolved by the external DNS server is not the real private IP address of the internal server.

When static NAT and DNS mapping are both configured, you can create a mapping entry containing the domain name, public IP address, public port number, and protocol type. When it receives a DNS resolution packet, the NAT device looks up the private IP address mapped to the public address in the mapping entry, replaces the address resolved by the DNS server with that private IP address, and forwards the resolution result to the user.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

    A mapping from a domain name to a public IP address, a port number, and a protocol type is configured.

    NOTE:

    After DNS mapping is configured, you must run the nat alg dns enable command to enable the DNS ALG function so that DNS response packets can traverse the NAT device. If the DNS ALG function is disabled, internal hosts cannot access internal servers using the domain name.
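An added example (not Huawei code) of the rewrite the DNS ALG performs once nat dns-map and static NAT are both configured: it builds a constructed DNS response, matches the queried domain against dns-map entries keyed by public address, port and protocol, and substitutes the private address from the matching static NAT entry; with the ALG disabled the response passes unchanged. The message layout follows RFC 1035; the builder, helper names and all addresses are constructed for the example.

```python
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# Constructed illustration of the DNS ALG rewrite for a nat dns-map entry:
# an A record equal to the entry's public address is replaced with the private
# address of the static NAT entry with the same public address, port and
# protocol. Not Huawei code; the builder and all addresses are constructed.

DnsMapKey = Tuple[str, int, str]   # (global-address, global-port, protocol-name)


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2                   # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_response(qname: str, ips: List[str], txid: int = 0x1234) -> bytes:
    """Minimal DNS response: one question and one IN A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def _iter_answers(msg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (rtype, rdata offset, rdlength) for each answer record."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    _, off = decode_name(msg, 12)               # skip the question name
    off += 4                                    # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def answer_ips(msg: bytes) -> List[str]:
    """The IPv4 addresses carried in the response's A records, in order."""
    return [socket.inet_ntoa(bytes(msg[o:o + 4]))
            for t, o, n in _iter_answers(msg) if t == 1 and n == 4]


def rewrite_dns_response(msg: bytes, dns_map: Dict[str, DnsMapKey],
                         static_nat: Dict[DnsMapKey, str],
                         alg_dns_enabled: bool = True):
    """Return the (possibly rewritten) response and the (public, private)
    substitutions made. dns_map: domain -> (global-address, global-port,
    protocol-name); static_nat: that same key -> inside host address."""
    if not alg_dns_enabled:      # without nat alg dns enable nothing is touched
        return msg, []
    qname, _ = decode_name(msg, 12)
    entry = dns_map.get(qname.lower())
    if entry is None:
        return msg, []           # domain has no dns-map entry
    private = static_nat.get(entry)
    out, changes = bytearray(msg), []
    for rtype, off, rdlen in _iter_answers(msg):
        if rtype != 1 or rdlen != 4:
            continue
        resolved = socket.inet_ntoa(msg[off:off + 4])
        if resolved == entry[0] and private is not None:
            out[off:off + 4] = socket.inet_aton(private)
            changes.append((resolved, private))
    return bytes(out), changes
```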

(Optional) Configuring NAT Filtering and NAT Mapping

Context

NAT conserves IPv4 addresses and improves network security. Different vendors provide different NAT features. As a result, applications using STUN, TURN, and ICE technologies may fail to traverse NAT devices because these technologies are implemented using SIP proxy. SIP proxy is a multi-channel application and needs to create multiple data channels to implement its function. To ensure connection of multiple data channels, NAT filtering and NAT mapping must be configured to allow only packets that meet the filtering and mapping conditions to pass through.

The device supports the following NAT mapping types:

  • Endpoint-and-port-independent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Endpoint-and-port-dependent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.

The device supports the following NAT filtering types:

  • Endpoint-and-port-independent filtering
  • Endpoint-dependent and port-independent filtering
  • Endpoint-and-port-dependent filtering

NOTE:

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT devices.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

    The NAT mapping mode is configured.

    The default NAT mapping mode is endpoint-and-port-dependent.

  3. Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

    The NAT filtering mode is configured.

    The default NAT filtering mode is endpoint-and-port-dependent.

(Optional) Configuring Twice NAT

Context

If the IP addresses of internal hosts overlap with those of external hosts, twice NAT can be configured. The overlapping addresses are replaced with temporary addresses and then translated by NAT so that the internal and external hosts can access each other.

  • An overlapping address pool specifies which internal IP addresses can overlap with public IP addresses. Twice NAT is performed only on the addresses in the overlapping address pool.
  • A temporary address pool specifies which temporary IP addresses can replace addresses in the overlapping address pool.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

    The mapping between the overlapping address pool and the temporary address pool is configured.

    NOTE:
    • A maximum of 255 addresses can be configured in the overlapping address pool and the temporary address pool.
    • When the VPN instance specified in the command is deleted, the configuration of twice NAT is also deleted.

(Optional) Configuring NAT Log Output

Context

NAT logs are generated when the router performs address translation. The logs record the original source IP addresses, source ports, destination IP addresses, and destination ports, the translated source IP addresses and source ports, and the user actions and time stamps. You can view NAT logs to learn which users have accessed a network through NAT.

The router can send NAT logs to a specified log host, as shown in Figure 1-16.

Figure 1-16 Sending NAT logs to a specified log host

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall log session enable

    The firewall log function is enabled.

  3. Run firewall log session nat enable

    The NAT session log function is enabled.

  4. (Optional) Run nat log-format elog

    The NAT log format is set to eLog. The logs are generated in the format required by the eLog server.

  5. Run the following command to output logs to the information center log host or session log host:

    • Output logs to the information center log host
      1. Run info-center enable

        The information center is enabled.

      2. Run info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { vpn-instance vpn-instance-name | public-net } ] *

        The channel through which logs are output to the log host is configured.

        The router supports a maximum of eight log hosts to implement backup among log hosts.

    NOTE:

    For details on how to configure the router to send logs to a log host, see Example for Outputting Log Information to a Log Host in "Information Center Configuration" of the Huawei AR Series V200R010 Configuration Guide - Device Management.

    • Output logs to the session log host

      Run firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

      A session log host is configured.

      By default, no session log host is configured.

(Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall-nat session { { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time time-value

    The aging time of NAT mapping entries is configured.

    By default, the aging time of NAT mapping entries for each protocol is as follows:

    • DNS: 120 seconds
    • FTP: 120 seconds
    • FTP-data: 120 seconds
    • HTTP: 120 seconds
    • ICMP: 20 seconds
    • TCP: 600 seconds
    • TCP-proxy: 10 seconds
    • UDP: 120 seconds
    • SIP: 1800 seconds
    • SIP-media: 120 seconds
    • RTSP: 60 seconds
    • RTSP-media: 120 seconds
    • PPTP: 600 seconds
    • PPTP-data: 600 seconds

    The default aging time of session entries on a user-defined TCP or UDP port is the same as that of the corresponding protocol.

(Optional) Enabling NAT Service Priority

Context

Some scenarios require the NAT service to have a higher priority than routing services. In this case, NAT is performed first, and the routing table is then searched for the translated addresses to forward the traffic. For example, to allow a public network device to access a private network device, configure static NAT first to translate the private IP address into a fixed public IP address, and then configure a static route to that public IP address so that traffic from the public network to the private network is forwarded through NAT.

Pre-configuration Tasks

Before enabling NAT service priority, complete the following tasks:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat inside priority enable

    The NAT service has a higher priority than routing services.

    By default, routing services have a higher priority.

(Optional) Enabling the Function of Discarding Packets That Do Not Match ACL Rules

Context

After an ACL is associated with a NAT address pool, the device translates the source address of a packet matching the ACL into an IP address in the NAT address pool. You can run the nat miss forward deny command to discard the packets that do not match the ACL rules bound to NAT.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat miss forward deny

    The function of discarding packets that do not match ACL rules bound to NAT is enabled.

    By default, the function of discarding the packets that do not match the ACL rules bound to NAT is disabled on a device.

Verifying the Static NAT Configuration

Procedure

  • Run the display nat alg command to verify the NAT ALG configuration.
  • Run the display nat dns-map [ domain-name ] command to verify the configuration of DNS mapping.
  • Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to verify the configuration of twice NAT.
  • Run the display firewall-nat session aging-time command to check the aging time of NAT mapping entries.
  • Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name [ .subnumber ] | acl acl-number ] command to verify the configuration of static NAT.
  • Run the display nat sip cac bandwidth information [ verbose ] command to check the current total bandwidth and occupied bandwidth on the device.
  • Run the display nat filter-mode command to check the current NAT filtering mode.
  • Run the display nat mapping-mode command to check the NAT mapping mode.
  • Run the display nat mapping table { all | number } or display nat mapping table inside-address ip-address protocol protocol-name port port-number [ vpn-instance vpn-instance-name ] command to check the NAT table information or the number of entries in the NAT table.
  • Run the display nat static interface enable command to check whether the static NAT function is enabled.

Configuring an Internal NAT Server

Configuring Internal NAT Server

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [ .subnumber ]

    The interface view or sub-interface view is displayed.

  3. Run either of the following commands to configure an internal NAT server:

    • nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
    • nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

    NOTE:
    • When configuring an internal NAT server, ensure that global-address and host-address are different from the IP addresses of interfaces and the IP addresses in the user address pool.
    • You can use the IP address of current-interface or of a loopback interface as the internal server's public (global) address.
    • The undo nat server command does not delete mapping entries immediately. Run the reset nat session command to delete the mapping entries.
    • Compared with static NAT, NAT Server translates only the IP address, not the port number, when a private-network host initiates access to the public network.
    • When you configure one-to-one NAT Server that borrows an interface IP address (no port number is specified and the IP address is mapped to a private network address), other services enabled on the interface may become unavailable. Confirm your action before performing the configuration. If you want to enable other applications on the interface, add an ACL rule after the configuration to exclude the port numbers used by those applications.

(Optional) Enabling NAT ALG

Context

Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols, such as DNS and FTP, also carry an IP address or port number in the Data field. NAT does not translate such content, so communication between the internal and external networks fails.

The application level gateway (ALG) function enables the NAT device to identify the IP address or port number in the Data field and translate it according to the mapping table. In this way, packets of these protocols can traverse NAT devices. Currently, the ALG function supports DNS, FTP, SIP, PPTP, and RTSP.
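The FTP case is the classic one: the client's PORT command carries its private IP address and data port in the payload. The following added example, which is not Huawei code, shows the rewrite an FTP ALG performs against a toy NAT mapping table; addresses, ports, and the payload are constructed for illustration.

```python
"""Toy FTP ALG: rewrite the private address in a PORT command to the
public (ip, port) the NAT device allocates for the coming data channel.
Added example, not Huawei code; all values are constructed.
"""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2 : address bytes and port as p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass
class NatTable:
    """Minimal NAT mapping table: (proto, private ip, port) -> (public ip, port)."""
    public_ip: str
    next_port: int = 10000
    entries: dict = field(default_factory=dict)

    def allocate(self, private_ip: str, private_port: int, protocol: str) -> tuple:
        key = (protocol, private_ip, private_port)
        if key not in self.entries:
            self.entries[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.entries[key]


def parse_port_args(payload: bytes):
    """Return (ip, port) from a PORT command, or None for any other payload."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_alg_rewrite(payload: bytes, table: NatTable) -> tuple:
    """Rewrite a PORT command and pre-install the data-channel mapping.

    Returns (new payload, length delta).  Without this rewrite the FTP
    server would try to connect to the private address in the payload and
    the data connection would fail.  The delta matters on a real device:
    the TCP sequence/acknowledgement numbers of the control connection
    must be adjusted by that amount from this segment onwards.
    """
    parsed = parse_port_args(payload)
    if parsed is None:
        return payload, 0  # not a PORT command: passed through untouched
    private_ip, private_port = parsed
    # The client listens on private_port; the server must instead connect
    # to the public (ip, port) that the mapping table hands out here.
    public_ip, public_port = table.allocate(private_ip, private_port, "tcp")
    args = public_ip.split(".") + [str(public_port // 256), str(public_port % 256)]
    new_payload = b"PORT " + ",".join(args).encode() + b"\r\n"
    return new_payload, len(new_payload) - len(payload)
```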

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat alg { all | protocol-name } enable

    The NAT ALG function for specified application protocols is enabled.

    By default, the NAT ALG function is disabled.

  3. (Optional) Run port-mapping { dns | ftp | sip | rtsp | pptp } port port-number acl acl-number

    The port mapping is configured.

    Run the port-mapping command to configure port mapping when the application protocol that is enabled with the NAT ALG function uses a non-well-known port number, namely a non-default port number.

  4. (Optional) Run tcp proxy ip-address port-number [ acl acl-number ]

    The TCP proxy function is enabled.

    By default, the TCP proxy function is disabled on the device.

  5. (Optional) Run tcp proxy aging-time aging-time

    The aging time of a TCP connection set up by the TCP proxy is configured.

    By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.

(Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device

Context

When the SIP server is deployed on the public network and SIP phones in public and private networks are interconnected, call quality suffers if the bandwidth on the NAT device is insufficient. You can enable call admission control (CAC) and set the total bandwidth on the NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call would exceed the specified value, the call is rejected.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number [ .subnumber ] }

    CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.

    By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.

(Optional) Configuring DNS Mapping

Context

If an enterprise has no internal DNS server but needs to access internal servers using the domain name, intranet users of the enterprise must use DNS servers on external networks.

Intranet users can use the external DNS server to access an external server by performing NAT; however, intranet users cannot use the external DNS server to access an internal server because the IP address resolved by the external DNS server is not the real private IP address of the internal server.

When configuring static NAT and DNS mapping at the same time, you create a mapping entry containing the domain name, public IP address, public port number, and protocol type. When it receives a DNS resolution packet, the NAT device looks up the private IP address mapped to the public address in the mapping entry, replaces the address resolved by the DNS server with that private IP address, and forwards the resolution result to the user.
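The following added example, which is not Huawei code, applies that lookup to a structured view of a DNS response: a `nat dns-map` entry names the public address, port, and protocol, the matching `nat server` entry supplies the private address, and only responses heading to internal hosts are rewritten. The table contents are constructed for illustration.

```python
"""DNS mapping rewrite on a NAT device, as an added example (not Huawei
code).  Works on a structured DNS answer list rather than raw packets;
the table values below are constructed.
"""
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    name: str    # owner name, e.g. "www.example.com"
    rtype: str   # only "A" records are candidates for rewriting
    rdata: str   # resolved IPv4 address as a dotted quad


# nat dns-map www.example.com 2.2.2.3 80 tcp            (constructed)
DNS_MAP = {"www.example.com": ("2.2.2.3", 80, "tcp")}
# nat server protocol tcp global 2.2.2.3 80 inside 192.168.0.2 80   (constructed)
NAT_SERVER = {("tcp", "2.2.2.3", 80): "192.168.0.2"}


def rewrite_dns_response(answers, to_internal_client, alg_dns_enabled=True):
    """Return the answer list the client should receive.

    Only responses forwarded toward the private network are touched, and
    only when the DNS ALG (nat alg dns enable) is on, because without it
    the NAT device never looks inside the DNS payload.  An answer whose
    dns-map entry has no corresponding nat server entry is left alone:
    there is no private address to substitute.
    """
    if not to_internal_client or not alg_dns_enabled:
        return list(answers)
    result = []
    for ans in answers:
        entry = DNS_MAP.get(ans.name.lower().rstrip("."))
        if ans.rtype == "A" and entry is not None and ans.rdata == entry[0]:
            global_addr, global_port, proto = entry
            inside = NAT_SERVER.get((proto, global_addr, global_port))
            if inside is not None:
                result.append(DnsAnswer(ans.name, ans.rtype, inside))
                continue
        result.append(ans)
    return result
```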

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

    A mapping from a domain name to a public IP address, a port number, and a protocol type is configured.

    NOTE:

    After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG DNS function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function is disabled, internal hosts cannot access internal servers using the domain name.

(Optional) Configuring NAT Filtering and NAT Mapping

Context

NAT conserves IPv4 addresses and improves network security. Different vendors provide different NAT features, so applications that use STUN, TURN, and ICE may fail to traverse NAT devices; these technologies are implemented through a SIP proxy, which is a multi-channel application that must create multiple data channels to work. To keep these data channels connected, configure NAT filtering and NAT mapping so that only packets meeting the filtering and mapping conditions pass through.

The device supports the following NAT mapping types:

  • Endpoint-and-port-independent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Endpoint-and-port-dependent mapping: The NAT reuses the port mapping only for subsequent packets sent from the same internal IP address and port to the same external IP address and port, while the mapping is still active.

The device supports the following NAT filtering types:

  • Endpoint-and-port-independent filtering
  • Endpoint-dependent and port-independent filtering
  • Endpoint-and-port-dependent filtering
NOTE:

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT devices.
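The practical difference between these modes is how much of the inside host a third party on the Internet can reach once a mapping exists. The following added example, which is not Huawei code, simulates the mapping and filtering behaviours in the sense the terms carry in RFC 4787; the public IP, inside hosts, peers, and port allocator are constructed for illustration.

```python
"""Toy NAT implementing the mapping and filtering modes listed above.
Added example, not Huawei code; all addresses and ports are constructed.
"""

MAPPING_MODES = ("endpoint-independent", "endpoint-and-port-dependent")
FILTER_MODES = ("endpoint-independent", "endpoint-dependent",
                "endpoint-and-port-dependent")


class NatBox:
    def __init__(self, public_ip, mapping_mode, filter_mode):
        if mapping_mode not in MAPPING_MODES or filter_mode not in FILTER_MODES:
            raise ValueError("unknown NAT mode")
        self.public_ip = public_ip
        self.mapping_mode = mapping_mode
        self.filter_mode = filter_mode
        self.next_port = 20000
        self.by_key = {}     # mapping key -> public port
        self.by_public = {}  # public port -> (inside (ip, port), set of peers contacted)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the (public ip, port) used."""
        if self.mapping_mode == "endpoint-independent":
            # one public port per inside (ip, port), whatever the destination
            key = (src_ip, src_port)
        else:
            # a separate public port per (inside endpoint, external endpoint)
            key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.by_key:
            self.by_key[key] = self.next_port
            self.by_public[self.next_port] = ((src_ip, src_port), set())
            self.next_port += 1
        pub_port = self.by_key[key]
        self.by_public[pub_port][1].add((dst_ip, dst_port))
        return self.public_ip, pub_port

    def inbound(self, ext_ip, ext_port, pub_port):
        """Apply the filtering rule to a packet arriving at a public port.

        Returns the inside (ip, port) it is delivered to, or None if dropped.
        """
        entry = self.by_public.get(pub_port)
        if entry is None:
            return None  # no mapping at all: always dropped
        inside, peers = entry
        if self.filter_mode == "endpoint-independent":
            allowed = True  # any external host may use the mapping
        elif self.filter_mode == "endpoint-dependent":
            allowed = any(ip == ext_ip for ip, _ in peers)  # contacted host, any port
        else:
            allowed = (ext_ip, ext_port) in peers  # exact peer only
        return inside if allowed else None


def unsolicited_reachability(mapping_mode, filter_mode):
    """Can a third party that learns the public port reach the inside host?

    Models a SIP phone registering with its server, then an unrelated host
    sending to the mapping the registration created.
    """
    box = NatBox("2.2.2.1", mapping_mode, filter_mode)
    _, pub_port = box.outbound("192.168.20.2", 5060, "203.0.113.10", 5060)
    return box.inbound("198.51.100.7", 4000, pub_port) is not None
```

Endpoint-independent mapping is what STUN-style traversal relies on, but paired with endpoint-independent filtering it also exposes the inside host to anyone who learns the public port; endpoint-and-port-dependent filtering admits only the peer the host actually contacted.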

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

    The NAT mapping mode is configured.

    The default NAT mapping mode is endpoint-and-port-dependent.

  3. Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

    The NAT filtering mode is configured.

    The default NAT filtering mode is endpoint-and-port-dependent.

(Optional) Configuring Twice NAT

Context

If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT can be configured. The overlapping addresses are replaced with temporary addresses and then translated by NAT so that the internal and external hosts can access each other.

  • An overlapping address pool specifies which internal IP addresses can overlap with public IP addresses. Twice NAT is performed only on the addresses in the overlapping address pool.
  • A temporary address pool specifies which temporary IP addresses can replace addresses in the overlapping address pool.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

    The mapping between the overlapping address pool and the temporary address pool is configured.

    NOTE:
    • A maximum of 255 addresses can be configured in the overlapping address pool and the temporary address pool.
    • When the VPN instance specified in the command is deleted, the configuration of twice NAT is also deleted.

(Optional) Configuring NAT Log Output

Context

NAT logs are generated when the router performs address translation. The logs record the original source IP addresses, source ports, destination IP addresses, and destination ports, the translated source IP addresses and source ports, user actions, and time stamps. You can view NAT logs to learn which users have accessed a network through NAT.

The router can send NAT logs to a specified log host, as shown in Figure 1-17.

Figure 1-17 Sending NAT logs to a specified log host

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall log session enable

    The firewall log function is enabled.

  3. Run firewall log session nat enable

    The NAT session log function is enabled.

  4. (Optional) Run nat log-format elog

    Sets the NAT log format to eLog. The logs are generated in the format specified by the eLog server.

  5. Run the following command to output logs to the information center log host or session log host:

    • Output logs to the information center log host
      1. Run info-center enable

        The information center is enabled.

      2. Run info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { vpn-instance vpn-instance-name | public-net } ] *

        The channel through which logs are output to the log host is configured.

        The router supports a maximum of eight log hosts to implement backup among log hosts.

    NOTE:

    For details on how to configure the router to send logs to a log host, see Example for Outputting Log Information to a Log Host in "Information Center Configuration" of the Huawei AR Series V200R010 Configuration Guide - Device Management.

    • Output logs to the session log host

      Run firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

      A session log host is configured.

      By default, no session log host is configured.

(Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall-nat session { { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time time-value

    The aging time of NAT mapping entries is configured.

    By default, the aging time of NAT mapping entries for each protocol is as follows: 120 seconds for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20 seconds for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP, 1800 seconds for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, 120 seconds for RTSP-media, 600 seconds for PPTP, and 600 seconds for PPTP-data. The default aging time of session entries on a user-defined TCP or UDP port is the same as that of the corresponding protocol.

(Optional) Enabling NAT Service Priority

Context

Some scenarios require the NAT service to take priority over routing. In this case, the device performs NAT first and then searches the routing table for the translated addresses to forward the traffic. For example, to let a public network device access a private network device, configure static NAT first to translate the private IP address into a fixed public IP address, and then configure a static route to that public IP address so that traffic sent from the public network to the private network is forwarded through NAT.

Pre-configuration Tasks

Before enabling NAT service priority, complete the following tasks:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat inside priority enable

    The NAT service has a higher priority than routing services.

    By default, routing services have a higher priority.

(Optional) Enabling the Function of Discarding Packets That Do Not Match ACL Rules

Context

After an ACL is associated with a NAT address pool, the device translates the source address of a data packet matching the ACL into an IP address in the NAT address pool. You can run the nat miss forward deny command to discard packets that do not match the ACL rules bound to NAT instead of forwarding them untranslated.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat miss forward deny

    The function of discarding packets that do not match ACL rules bound to NAT is enabled.

    By default, the function of discarding the packets that do not match the ACL rules bound to NAT is disabled on a device.

Verifying the Internal NAT Server Configuration

Procedure

  • Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ] command to verify the configuration of the NAT server.
  • Run the display nat alg command to verify the NAT ALG configuration.
  • Run the display nat dns-map [ domain-name ] command to verify the configuration of DNS mapping.
  • Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to verify the configuration of twice NAT.
  • Run the display firewall-nat session aging-time command to check the aging time of NAT mapping entries.
  • Run the display nat sip cac bandwidth information [ verbose ] command to check the current total bandwidth and occupied bandwidth on the device.
  • Run the display nat filter-mode command to check the current NAT filtering mode.
  • Run the display nat mapping-mode command to check the NAT mapping mode.
  • Run the display nat mapping table { all | number } or display nat mapping table inside-address ip-address protocol protocol-name port port-number [ vpn-instance vpn-instance-name ] command to check the NAT table information or the number of entries in the NAT table.

Maintaining NAT

Clearing NAT Mapping Entries

Context

NOTE:

The cleared entries cannot be restored; therefore, confirm the action before you use the command.

Procedure

  • After you have confirmed that the NAT mapping entries are to be cleared, run the reset nat session { all | transit interface interface-type interface-number [ .subnumber ] } command in the system view.

Monitoring NAT Mapping Entries

Procedure

  • Run the display nat session { all [ verbose ] | number }, display nat session protocol { protocol-name | protocol-number } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ], display nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ], or display nat session destination destination-address [ destination-port ] [ verbose ] command to display information about entries in the NAT mapping table.

Enabling the Self-Healing Function on the Timer of a NAT Module

Context

If the running timer of a NAT module is faulty, the NAT service fails and the device cannot work properly. After the self-healing function is enabled on the timer of a NAT module, the usage of the timer can be automatically detected. If a fault occurs on the timer, you can reset the device to rectify the fault and ensure the proper running of the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run set nat-session self-healing enable

    The self-healing function on the timer of a NAT module is enabled.

    By default, the self-healing function on the timer of a NAT module is disabled.

Configuration Examples for NAT

Example for Configuring Dynamic NAT

Networking Requirements

As shown in Figure 1-18, private network users in Area A and Area B of a company connect to the Internet. The public IP address of GigabitEthernet3/0/0 on the router is 2.2.2.1/24. The IP address of the carrier device connected to the router is 2.2.2.2/24. Users in Area A want to use addresses in the public address pool (2.2.2.100 to 2.2.2.200) to replace IP addresses (192.168.20.0/24) of hosts in Area A in NAT mode to access the Internet. Users in Area B want to use addresses in the public address pool (2.2.2.80 to 2.2.2.83) to replace IP addresses (10.0.0.0/24) of hosts in Area B to access the Internet.

Figure 1-18 Networking diagram for configuring dynamic NAT

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces, a default route, and outbound NAT on the WAN interface to allow internal hosts to access external networks.

Procedure

  1. Configure IP addresses for interfaces on the router.

    <Huawei> system-view 
    [Huawei] sysname Router 
    [Router] vlan 100  
    [Router-vlan100] quit 
    [Router] interface vlanif 100 
    [Router-Vlanif100] ip address 192.168.20.1 24  
    [Router-Vlanif100] quit 
    [Router] interface ethernet 2/0/0 
    [Router-Ethernet2/0/0] port link-type access   
    [Router-Ethernet2/0/0] port default vlan 100  
    [Router-Ethernet2/0/0] quit  
    [Router] vlan 200  
    [Router-vlan200] quit 
    [Router] interface vlanif 200 
    [Router-Vlanif200] ip address 10.0.0.1 24  
    [Router-Vlanif200] quit 
    [Router] interface ethernet 2/0/1  
    [Router-Ethernet2/0/1] port link-type access  
    [Router-Ethernet2/0/1] port default vlan 200 
    [Router-Ethernet2/0/1] quit  
    [Router] interface gigabitethernet 3/0/0 
    [Router-GigabitEthernet3/0/0] ip address 2.2.2.1 24  
    [Router-GigabitEthernet3/0/0] quit

  2. Configure a default route with next hop address 2.2.2.2 on the router.

    [Router] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

  3. Configure outbound NAT on the router.

    [Router] nat address-group 1 2.2.2.100 2.2.2.200  
    [Router] nat address-group 2 2.2.2.80 2.2.2.83 
    [Router] acl 2000 
    [Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255 
    [Router-acl-basic-2000] quit 
    [Router] acl 2001 
    [Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255 
    [Router-acl-basic-2001] quit 
    [Router] interface gigabitethernet 3/0/0 
    [Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat 
    [Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2  
    [Router-GigabitEthernet3/0/0] quit
    NOTE:

    To run the ping -a source-ip-address command with a specified source IP address on the router to verify that intranet users can access the Internet, you need to run the ip soft-forward enhance enable command to enable the enhanced forwarding function for control packets generated by the device, so that the private source IP addresses can be translated into public IP addresses by NAT. By default, the enhanced forwarding function for control packets generated by the device is enabled. If the function has been disabled using the undo ip soft-forward enhance enable command, you need to run the ip soft-forward enhance enable command in the system view to enable it again.

  4. Verify the configuration.

    # Run the display nat outbound command on the router to check the address translation result.

    <Router> display nat outbound 
     NAT Outbound Information: 
     ----------------------------------------------------------------- 
     Interface                Acl      Address-group/IP/Interface  Type 
     ----------------------------------------------------------------- 
     GigabitEthernet3/0/0   2000                     1         no-pat 
     GigabitEthernet3/0/0     2001                     2           pat 
     ----------------------------------------------------------------- 
      Total : 2     

    # Run the ping command on the router to verify that users on the internal network can access the Internet.

    <Router> ping -a 192.168.20.1 2.2.2.2 
      PING 2.2.2.2: 56 data bytes, press CTRL_C to break                          
     Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms                 
    -- 2.2.2.2 ping statistics ---                                            
     5 packet(s) transmitted                                                      
     5 packet(s) received                                                         
     0.00% packet loss                                                            
     round-trip min/avg/max = 1/1/2 ms 
    <Router> ping -a 10.0.0.1 2.2.2.2 
      PING 2.2.2.2: 56 data bytes, press CTRL_C to break                          
     Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms                 
     Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms                 
    -- 2.2.2.2 ping statistics ---                                            
     5 packet(s) transmitted                                                      
     5 packet(s) received                                                         
     0.00% packet loss                                                            
     round-trip min/avg/max = 1/1/2 ms      

Configuration Files

Configuration file of the router

# 
 sysname Router 
#                                                                                
vlan batch 100 200 
#                                                                                
acl number 2000                                                                  
 rule 5 permit source 192.168.20.0 0.0.0.255                                     
#                                                                                
acl number 2001                                                                  
 rule 5 permit source 10.0.0.0 0.0.0.255                                        
#                                                                                 
 nat address-group 1 2.2.2.100 2.2.2.200 
 nat address-group 2 2.2.2.80 2.2.2.83                       
#                                                                   
interface Vlanif100                                                              
 ip address 192.168.20.1 255.255.255.0                                           
#                                                                                
interface Vlanif200                                                              
 ip address 10.0.0.1 255.255.255.0                                           
#                                                                                 
interface Ethernet2/0/0                              
 port link-type access                                                           
 port default vlan 100                                                           
#                                                                                
interface Ethernet2/0/1                 
 port link-type access                                                           
 port default vlan 200                                               
#                                                                                
interface GigabitEthernet3/0/0     
 ip address 2.2.2.1 255.255.255.0                                                
 nat outbound 2000 address-group 1 no-pat                                        
 nat outbound 2001 address-group 2 
# 
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2                           
#                                                               
return  

Example for Configuring Static One-to-One NAT

Networking Requirements

As shown in Figure 1-19, the IP address of outbound interface GE2/0/0 on the router is 2.2.2.2/24 and the LAN gateway address is 192.168.0.1/24. The IP address of the carrier device connected to the router is 2.2.2.1/24. The private IP address of the host is 192.168.0.2/24 and the fixed IP address the host needs to use is 2.2.2.3/24. In this case, the private IP address of this company must be translated to a public IP address to allow the host to access the WAN.

Figure 1-19 Networking diagram for configuring static one-to-one NAT

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces, a default route, and static NAT on the WAN interface to implement one-to-one translation between a private IP address and a public IP address.

Procedure

  1. Configure IP addresses for interfaces on the router.

    <Huawei> system-view 
    [Huawei] sysname Router 
    [Router] interface gigabitethernet 2/0/0  
    [Router-GigabitEthernet2/0/0] ip address 2.2.2.2 24   
    [Router-GigabitEthernet2/0/0] quit        
    [Router] interface gigabitethernet 1/0/0 
    [Router-GigabitEthernet1/0/0] ip address 192.168.0.1 24   
    [Router-GigabitEthernet1/0/0] quit

  2. Configure a default route with next hop address 2.2.2.1 on the router.

    [Router] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

  3. Configure one-to-one NAT mapping on uplink interface GE2/0/0 on the router.

    [Router] interface gigabitethernet 2/0/0 
    [Router-GigabitEthernet2/0/0] nat static global 2.2.2.3 inside 192.168.0.2 
    [Router-GigabitEthernet2/0/0] quit

  4. Verify the configuration.

    # Run the display nat static command on the router to check the mapping between address pools.

    <Router> display nat static 
      Static Nat Information:                                                        
      Interface  : GigabitEthernet2/0/0                                                     
     Global IP/Port     : 2.2.2.3/----                                         
     Inside IP/Port     : 192.168.0.2/----                                        
     Protocol : ----                                                              
     VPN instance-name  : ----                                                    
     Acl number         : ----                                                    
     Vrrp id            : ----                                                    
     Netmask  : 255.255.255.255                                                   
     Description : ----                                                           
                                                                                     
      Total : 1                                                                  

Configuration Files

Configuration file of the router

# 
 sysname Router 
# 
interface GigabitEthernet1/0/0                                                          
 ip address 192.168.0.1 255.255.255.0                                            
#                                                                                
interface GigabitEthernet2/0/0                                                   
 ip address 2.2.2.2 255.255.255.0                                             
 nat static global 2.2.2.3 inside 192.168.0.2 netmask 255.255.255.255 
#                                                                                
 ip route-static 0.0.0.0 0.0.0.0 2.2.2.1                                      
# 
return  

Example for Configuring Twice NAT

Networking Requirements

As shown in Figure 1-20, the IP address of the outbound interface on the router is 2.2.2.2/24. The IP address of the LAN gateway is 1.1.1.1/24 and that of the carrier device connected to the router is 2.2.2.1/24. IP addresses of internal hosts are not assigned properly. The IP address of PC1 on the internal network overlaps with that of Server A on the external network. In this case, PC2 can access this server using the domain name of Server A, but PC2 may access PC1 on the same network segment based on the DNS resolution result. Users want packets to be forwarded correctly.

Figure 1-20 Network diagram for configuring twice NAT

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces on the router.
  2. Configure a default route on the router.
  3. Configure the DNS ALG function to enable DNS packets to traverse the NAT device.
  4. Map the overlapped address pool to the temporary address pool.
  5. Configure outbound NAT to allow internal users to access external networks.

Procedure

  1. Configure IP addresses for interfaces on the router.

    <Huawei> system-view 
    [Huawei] sysname Router 
    [Router] interface gigabitethernet 1/0/0  
    [Router-GigabitEthernet1/0/0] ip address 2.2.2.2 24   
    [Router-GigabitEthernet1/0/0] quit        
    [Router] interface gigabitethernet 2/0/0 
    [Router-GigabitEthernet2/0/0] ip address 1.1.1.1 24   
    [Router-GigabitEthernet2/0/0] quit

  2. Configure a default route with next hop address 2.2.2.1 on the router.

    [Router] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

  3. Configure the mapping between the overlapped address pool and the temporary address pool on the router.

    [Router] nat overlap-address 0 1.1.1.100 3.3.3.100 pool-length 254

  4. Configure a static route on the router from the temporary address pool to outbound interface GE1/0/0.

    [Router] ip route-static 3.3.3.100 32 gigabitethernet 1/0/0 2.2.2.1

  5. Configure the DNS NAT ALG function in the system view.

    [Router] nat alg dns enable

  6. Configure outbound NAT on outbound interface GE1/0/0 of the router.

    1. Create an ACL and configure an ACL rule to permit the packets of PC1 to pass through.
      [Router] acl 3180  
      [Router-acl-adv-3180] rule 5 permit ip source 1.1.1.0 0.0.0.255 
      [Router-acl-adv-3180] quit
    2. Configure the NAT address pool for outbound NAT.
      [Router] nat address-group 1 2.2.2.100 2.2.2.200 
    3. Configure outbound NAT on outbound interface GE1/0/0.
      [Router] interface gigabitethernet 1/0/0 
      [Router-GigabitEthernet1/0/0] nat outbound 3180 address-group 1 
      [Router-GigabitEthernet1/0/0] quit

  7. Verify the configuration.

    # Run the display nat overlap-address all command on the router to check the mapping between the overlapped address pool and the temporary address pool.

    <Router> display nat overlap-address all 
    Nat Overlap Address Pool To Temp Address Pool Map Information: 
     ------------------------------------------------------------------------------- 
     Id  Overlap-Address  Temp-Address Pool-Length       Inside-VPN-Instance-Name 
     ------------------------------------------------------------------------------- 
     0 1.1.1.100   3.3.3.100 254                                        
     ------------------------------------------------------------------------------- 
      Total : 1 

    # Run the display nat outbound command to display the configuration of NAT.

    [Router] display nat outbound 
     NAT Outbound Information: 
     ----------------------------------------------------------------- 
     Interface              Acl      Address-group/IP/Interface      Type 
     ----------------------------------------------------------------- 
     GigabitEthernet1/0/0      3180                  1                pat 
     ----------------------------------------------------------------- 
      Total : 1  

Configuration Files

Configuration file of the router

# 
 sysname Router 
#                                                                             
acl number 3180                                                                
rule 5 permit ip source 1.1.1.0 0.0.0.255                
#                                                                                
 nat alg dns enable                                                              
 #                                                                               
 nat address-group 1 2.2.2.100 2.2.2.200                                
 #                                                                               
 nat overlap-address 0 1.1.1.100 3.3.3.100 pool-length 254                
#                                                                                
interface GigabitEthernet2/0/0                                                   
 ip address 1.1.1.1 255.255.255.0                                             
#                                                                                
interface GigabitEthernet1/0/0                                                   
 ip address 2.2.2.2 255.255.255.0                                             
 nat outbound 3180 address-group 1                                               
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1 
ip route-static 3.3.3.100 255.255.255.255 GigabitEthernet1/0/0 2.2.2.1 
#
return

Example for Configuring NAT

Networking Requirements

As shown in Figure 1-21, GE1/0/0 on the router has a private IP address 192.168.1.1/24 and is connected to the intranet. GE2/0/0 on the router has a public IP address 11.11.11.1/8 and is connected to the Internet. The intranet server has a private IP address 192.168.1.2/24 and a public IP address 11.11.11.6/8. The intranet host has an IP address 192.168.1.3/24.

Both the intranet host and extranet host want to access the intranet server through the public IP address 11.11.11.6.

Figure 1-21 Networking diagram for configuring NAT

Configuration Roadmap

The configuration roadmap is as follows:

  • Configure IP addresses for interfaces.
  • Configure a default route.
  • Configure outbound NAT in Easy IP mode and static NAT on the LAN-side interface of the router so that the intranet host can use the public IP address to access the intranet server.
  • Configure outbound NAT in Easy IP mode and static NAT on the WAN-side interface of the router so that the intranet host can access the Internet and the extranet host can use the public IP address to access the intranet server.

Procedure

  1. Configure IP addresses for interfaces on the router.

    <Huawei> system-view 
    [Huawei] sysname Router 
    [Router] interface gigabitethernet 1/0/0  
    [Router-GigabitEthernet1/0/0] ip address 192.168.1.1 24  
    [Router-GigabitEthernet1/0/0] quit        
    [Router] interface gigabitethernet 2/0/0 
    [Router-GigabitEthernet2/0/0] ip address 11.11.11.1 8  
    [Router-GigabitEthernet2/0/0] quit

  2. Configure a default route on the router and specify the next hop address as 11.11.11.2.

    [Router] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2

  3. Configure outbound NAT in Easy IP mode and static NAT on GE1/0/0 of the router so that the intranet host can use the public IP address to access the intranet server.

    [Router] acl 3000 
    [Router-acl-adv-3000] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0 
    [Router-acl-adv-3000] quit 
    [Router] interface gigabitethernet 1/0/0 
    [Router-GigabitEthernet1/0/0] nat outbound 3000 
    [Router-GigabitEthernet1/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 
    [Router-GigabitEthernet1/0/0] quit

  4. Configure outbound NAT in Easy IP mode and static NAT on GE2/0/0 of the router so that the intranet host can access the Internet and the extranet host can use the public IP address to access the intranet server.

    [Router] acl 2000 
    [Router-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255 
    [Router-acl-basic-2000] quit 
    [Router] interface gigabitethernet 2/0/0 
    [Router-GigabitEthernet2/0/0] nat outbound 2000 
    [Router-GigabitEthernet2/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 
    [Router-GigabitEthernet2/0/0] quit

  5. Verify the configuration.

    # The intranet host and extranet host can access the intranet server using the public IP address 11.11.11.6. The intranet host can also access the Internet.
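
The example above relies on two things that are easy to get wrong: the static mapping has to exist on both interfaces, and ACL 3000 on the LAN interface names the server's public address as the destination. The following Python model is an added illustration of that packet flow, written for this page; it is not Huawei code and not part of the original example. It keeps a minimal session table and makes two labelled assumptions: the Easy IP ACL is matched against the packet as it entered the router (before the static destination translation), and the static mapping takes precedence over Easy IP for the server's own Internet traffic. The PAT port range starting at 10240 and the addresses 198.51.100.7 and 203.0.113.10 are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Interfaces and addresses from the example (LAN side and WAN side).
LAN_IF, WAN_IF = "GigabitEthernet1/0/0", "GigabitEthernet2/0/0"
IF_ADDR = {LAN_IF: "192.168.1.1", WAN_IF: "11.11.11.1"}
LAN_NET = ip_network("192.168.1.0/24")

# nat static global 11.11.11.6 inside 192.168.1.2 (configured on both interfaces).
STATIC = {"11.11.11.6": "192.168.1.2"}
STATIC_REV = {v: k for k, v in STATIC.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def acl_3000(p):
    """rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0"""
    return ip_address(p.src) in LAN_NET and p.dst == "11.11.11.6"


def acl_2000(p):
    """rule 5 permit source 192.168.1.0 0.0.0.255"""
    return ip_address(p.src) in LAN_NET


# 'nat outbound <acl>' without an address group = Easy IP, keyed by egress interface.
OUTBOUND = {LAN_IF: acl_3000, WAN_IF: acl_2000}


def route(dst):
    """Connected route for the LAN; the default route (next hop 11.11.11.2) for the rest."""
    return LAN_IF if ip_address(dst) in LAN_NET else WAN_IF


class NatRouter:
    """Simplified stateful model (assumption): one session per translated 4-tuple."""

    def __init__(self):
        self.sessions = {}      # translated 4-tuple -> original 4-tuple
        self.next_port = 10240  # constructed start of the PAT port range

    def forward(self, pkt):
        """Return (egress interface, packet as it leaves the router)."""
        # Reply direction: the reversed 4-tuple matches an existing session,
        # so the stored original tuple is used to undo the translation.
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.sessions:
            osrc, osport, odst, odport = self.sessions[rev]
            out = Packet(odst, odport, osrc, osport)
            return route(out.dst), out

        orig = pkt
        # Inbound leg of nat static: the server's public address becomes private.
        if pkt.dst in STATIC:
            pkt = replace(pkt, dst=STATIC[pkt.dst])
        out_if = route(pkt.dst)

        if out_if == WAN_IF and pkt.src in STATIC_REV:
            # The server's own Internet traffic: the static mapping (assumed to
            # take precedence over Easy IP) supplies its global address, port kept.
            pkt = replace(pkt, src=STATIC_REV[pkt.src])
        elif OUTBOUND[out_if](orig):
            # Easy IP: source becomes the egress interface address plus a fresh
            # port. The ACL is matched against the packet as it entered the
            # router (assumption, before the static destination translation),
            # which is why ACL 3000 names the public address 11.11.11.6.
            pkt = replace(pkt, src=IF_ADDR[out_if], sport=self.next_port)
            self.next_port += 1

        self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (
            orig.src, orig.sport, orig.dst, orig.dport)
        return out_if, pkt


if __name__ == "__main__":
    r = NatRouter()
    # Hairpin: the intranet host reaches the server through the public address,
    # and the server's reply is mapped back so the host sees 11.11.11.6 answering.
    print(r.forward(Packet("192.168.1.3", 40000, "11.11.11.6", 80)))
    print(r.forward(Packet("192.168.1.2", 80, "192.168.1.1", 10240)))
```

Running the hairpin case shows why the LAN-side Easy IP rule is needed: without it the server would receive the host's private source address 192.168.1.3 and answer it directly from 192.168.1.2, bypassing the router, so the host would see a reply from an address it never contacted.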

Configuration Files

Router configuration file

#                                                                                
acl number 2000                                                                  
 rule 5 permit source 192.168.1.0 0.0.0.255                                      
#                                                                                
acl number 3000 
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0           
#                                                                                
interface GigabitEthernet1/0/0                                                   
 ip address 192.168.1.1 255.255.255.0                                            
 nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 
 nat outbound 3000 
#                                                                                
interface GigabitEthernet2/0/0                                                   
 ip address 11.11.11.1 255.0.0.0                                                 
 nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 
 nat outbound 2000 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2                                  
#                                                
return                                                                          

Example for Configuring PPPoE Dialup Access in Easy IP Mode

Networking Requirements

As shown in Figure 1-22, the router obtains an IP address from the PPPoE server. The IP address of Eth2/0/1 on the router is 192.168.0.1/24 and the IP address of the PPPoE server is 2.2.2.2/16. Internal hosts connect to the external network through the router, which obtains a public IP address from the PPPoE server in PPPoE dialup mode. The requirement is that internal hosts can access external networks.

Figure 1-22 Networking diagram for configuring PPPoE dialup access in Easy IP mode

Configuration Roadmap

The configuration roadmap is as follows:

  • Create a dialer interface and set the parameters of the dialer port.
  • Establish a PPPoE session.
  • Configure a static route on the router.
  • Configure Easy IP on the dialer interface so that internal hosts can access external networks through PPPoE dialup in Easy IP mode.

Procedure

  1. Configure a PPPoE server.

    Configure the authentication mode, IP address allocation mode, and IP address or IP address pool for the PPPoE client. For details about the configuration procedure, see the documentation of the PPPoE server. If the router functions as a PPPoE server, see Example for Configuring the PPPoE Server.

  2. Configure a dialer port.

    <Huawei> system-view 
    [Huawei] sysname Router 
    [Router] dialer-rule 
    [Router-dialer-rule] dialer-rule 1 ip permit 
    [Router-dialer-rule] quit 
    [Router] interface dialer 1 
    [Router-Dialer1] dialer user user2 
    [Router-Dialer1] dialer-group 1 
    [Router-Dialer1] dialer bundle 1 
    [Router-Dialer1] dialer timer idle 300 
    INFO:  The configuration will become effective after link reset. 
    [Router-Dialer1] dialer queue-length 8 
    [Router-Dialer1] ppp chap user user1@system 
    [Router-Dialer1] ppp chap password cipher huawei123 
    [Router-Dialer1] ip address ppp-negotiate 
    [Router-Dialer1] quit

  3. Create a PPPoE session.

    [Router] interface gigabitethernet 1/0/0 
    [Router-GigabitEthernet1/0/0] pppoe-client dial-bundle-number 1 on-demand 
    [Router-GigabitEthernet1/0/0] quit

  4. Configure a static route on the router.

    [Router] ip route-static 0.0.0.0 0 dialer 1

  5. Configure outbound NAT on the dialer interface in Easy IP mode.

    [Router] acl 2000 
    [Router-acl-basic-2000] rule 5 permit source 192.168.0.0 0.0.0.255 
    [Router-acl-basic-2000] quit 
    [Router] interface dialer 1 
    [Router-Dialer1] nat outbound 2000 
    [Router-Dialer1] quit

  6. Verify the configuration.

    # Run the display pppoe-client session summary command to check the PPPoE session status and configuration. In the command output, check that the session state is Up and that the configuration is consistent with the data plan and networking.

    <Router> display pppoe-client session summary 
    PPPoE Client Session: 
    ID Bundle  Dialer  Intf             Client-MAC Server-MAC State 
    1 1       1       GE1/0/0          00e0fc030201  00e0fc030206  PPPUP

    # Run the display nat outbound command on the router. The command output is as follows:

    <Router> display nat outbound 
     NAT Outbound Information: 
     --------------------------------------------------------------------------- 
     Interface                     Acl      Address-group/IP/Interface      Type 
     --------------------------------------------------------------------------- 
     Dialer1                    2000                     1.1.1.1            easyip      
     ---------------------------------------------------------------------------      
      Total : 1                                                                     

Configuration Files

Configuration file of the router

# 
 sysname Router 
#                                                                                
acl number 2000                                                                  
 rule 5 permit source 192.168.0.0 0.0.0.255                                      
#                                                                                
dialer-rule                                                                      
 dialer-rule 1 ip permit  
#                                                                                
interface Dialer1                                                                
 link-protocol ppp 
 ppp chap user user1@system                                                      
 ppp chap password cipher %^%#R=>NT8A-8KmWU38WOZq(s%MsRSg>3,}l9b%K.%!S%^%#                       
 ip address ppp-negotiate                                                        
 dialer user user2                                                               
 dialer bundle 1                                                                 
 dialer queue-length 8                                                           
 dialer timer idle 300                                                           
 dialer-group 1                                                                  
 nat outbound 2000                                                               
# 
interface GigabitEthernet1/0/0 
 pppoe-client dial-bundle-number 1 on-demand 
# 
ip route-static 0.0.0.0 0.0.0.0 Dialer1
# 
return      

Example for Configuring the SIP Call Bandwidth Limit on a NAT Device

Networking Requirements

As shown in Figure 1-23, the Router functions as the NAT gateway to connect to the enterprise internal network and Internet. Multiple SIP phones on the enterprise internal network often call the SIP phone, UserA, on the Internet. For example, multiple users on the enterprise internal network often hold call conferences with the SIP phone on the Internet. The voice configurations of the SIP phones and NAT configuration of the Router are complete, and enterprise internal users can call the user on the Internet. The NAT device has limited bandwidth, so the SIP call bandwidth limit needs to be configured on the NAT device to reject the SIP calls that exceed the configured bandwidth limit.

Figure 1-23 Configuring the SIP call bandwidth limit on a NAT device

Configuration Roadmap

The configuration roadmap is as follows:

Enable CAC and set the total bandwidth to limit the bandwidth of SIP calls.

Procedure

  1. Enable CAC on the Router and set the total bandwidth of the Router to 2000 Kbps.

    <Huawei> system-view 
    [Huawei] sysname Router 
    [Router] nat sip cac enable bandwidth 2000 
    [Router] quit

  2. Verify the configuration.

    # Run the display nat sip cac bandwidth information verbose command on the Router to check detailed information about the configured total bandwidth and occupied bandwidth.

    <Router> display nat sip cac bandwidth information verbose 
    -------------------------------------------------------------------------------  
    Total Bandwidth(Kbps)       Used Bandwidth(Kbps)                                 
      2000                        1900                                                  
    -------------------------------------------------------------------------------  
    Src-IP          Src-Port Dest-IP         Dest-Port Protocol Used Bandwidth(Kbps) 
    192.168.0.2     50       3.3.3.3         5060      udp        600 
    192.168.0.3     50       3.3.3.3         5060      udp        700 
    192.168.0.4     50       3.3.3.3         5060      udp        600 
    -------------------------------------------------------------------------------

    # User 1, User 2, and User 3 in the enterprise's intranet can concurrently have a conference call with User A on the Internet (the bandwidth does not exceed 2000 Kbps). If the total bandwidth of the users who attempt to access the conference exceeds 2000 Kbps, the call fails.
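
The verification output above is what an operator reads when a SIP call is rejected: total bandwidth, used bandwidth, and the per-call usage. The following Python script is an added example written for this page (not Huawei code) that parses a constructed copy of that output, checks that the Used Bandwidth counter agrees with the sum of the listed calls, and applies the same admission rule the text describes: a new call is admitted only if it fits within the remaining headroom. The output layout is taken from the page; the parser assumes the column order shown there.

```python
import re

# Constructed copy of the 'display nat sip cac bandwidth information verbose'
# output shown in the verification step (not captured from a live device).
CAC_OUTPUT = """\
-------------------------------------------------------------------------------
Total Bandwidth(Kbps)       Used Bandwidth(Kbps)
  2000                        1900
-------------------------------------------------------------------------------
Src-IP          Src-Port Dest-IP         Dest-Port Protocol Used Bandwidth(Kbps)
192.168.0.2     50       3.3.3.3         5060      udp        600
192.168.0.3     50       3.3.3.3         5060      udp        700
192.168.0.4     50       3.3.3.3         5060      udp        600
-------------------------------------------------------------------------------
"""

TOTALS_RE = re.compile(r"^(\d+)\s+(\d+)$")
FLOW_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\w+)\s+(\d+)$")


def parse_cac(text):
    """Return (total_kbps, used_kbps, flows); flows are one dict per SIP call."""
    total = used = None
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TOTALS_RE.match(line)
        if m and total is None:
            total, used = int(m.group(1)), int(m.group(2))
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append({"src": m.group(1), "sport": int(m.group(2)),
                          "dst": m.group(3), "dport": int(m.group(4)),
                          "proto": m.group(5), "kbps": int(m.group(6))})
    if total is None:
        raise ValueError("total/used bandwidth line not found")
    return total, used, flows


def used_matches_flows(used, flows):
    """Sanity check: the Used Bandwidth counter should equal the per-call sum."""
    return used == sum(f["kbps"] for f in flows)


def headroom(total, used):
    """Bandwidth still available for new SIP calls."""
    return total - used


def would_admit(total, used, requested_kbps):
    """CAC decision for a new call: admitted only if it fits the remaining headroom."""
    return used + requested_kbps <= total


def top_talkers(flows, n=3):
    """Calls sorted by bandwidth, largest first: where to look when calls are rejected."""
    return sorted(flows, key=lambda f: f["kbps"], reverse=True)[:n]


if __name__ == "__main__":
    total, used, flows = parse_cac(CAC_OUTPUT)
    print(f"total={total} used={used} headroom={headroom(total, used)}")
    for kbps in (100, 600):
        print(f"new {kbps} Kbps call admitted: {would_admit(total, used, kbps)}")
```

With the page's figures (2000 Kbps total, 1900 Kbps used) the script admits a 100 Kbps call and rejects a fourth 600 Kbps conference leg, which is the failure mode the verification step describes.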

Configuration Files

Configuration file of the Router

# 
 sysname Router 
#                                                                                
nat sip cac enable bandwidth 2000                                                   
#                                                                                
return  

Troubleshooting NAT

Intranet Users Fail to Access Public Networks

Fault Description

This fault is commonly caused by one of the following:

  • Outbound NAT is not properly configured on the outbound interface connected to the public network.
  • The configuration of the ACL bound to outbound NAT is incorrect.

Procedure

  1. Check whether packets are received on the interfaces of the device.

    Run the display interface interface-type interface-number command on the device to display the value of the Input field.

    • If the value of the Input field is 0, the device does not receive any packets. Check the interface configuration to ensure that the interface can receive packets.
    • If the value of the Input field is not 0, go to step 2.
    NOTE:

    The device supports GE, FE, Eth-Trunk, and sub-interfaces. If an Eth-Trunk sub-interface is used, run the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check whether the Eth-Trunk sub-interface receives packets.

  2. Check whether the ACL rule bound to outbound NAT allows NAT service packets to pass through.

    Run the display nat outbound command on the device to check whether outbound NAT is correctly configured.

    [Huawei] display nat outbound
     NAT Outbound Information:
     --------------------------------------------------------------------------- 
     Interface                     Acl      Address-group/IP/Interface      Type 
     --------------------------------------------------------------------------- 
     GigabitEthernet0/0/0         2000                               1 no-pat 
     --------------------------------------------------------------------------- 
      Total : 1                                                                     

    The preceding information indicates that ACL 2000 is bound to outbound NAT on GigabitEthernet0/0/0.

    Check whether the rule of ACL 2000 is configured correctly. If the IP address, port number, or protocol type in the rule is incorrect, packets do not match the rule and cannot be transmitted correctly.

    Run the display acl 2000 command to check the configuration of ACL 2000, which is bound to outbound NAT.

    [Huawei] display acl 2000  
    Basic ACL2000, 1 rule  
    Acl's step is 5  
    rule 5 permit source 192.168.1.100 0      

    The rule of ACL 2000 matches packets with the source address 192.168.1.100.

    • If the ACL rule is configured incorrectly, reconfigure the ACL rule.
    • If the ACL rule is configured correctly but the fault persists, go to step 3.

  3. Check that the address pool configuration is correct.

    Run the display nat address-group command on the device to check whether the address pool bound to outbound NAT on the outbound interface is correct.

    [Huawei] display nat address-group 1  
    NAT Address-Group Information:  
    --------------------------------------  
    Index Start-address      End-address  
    --------------------------------------  
    1       10.0.0.100         10.0.0.110  
    --------------------------------------  
    Total : 1      
         

    To check Easy IP information on the outbound port, run the display nat outbound command on the device. For example:

    [Huawei] display nat outbound  
     NAT Outbound Information:  
     --------------------------------------------------------------------------  
     Interface                    Acl      Address-group/IP/Interface      Type  
     --------------------------------------------------------------------------  
     GigabitEthernet0/0/1        2000                         1.1.1.1 easyip  
     --------------------------------------------------------------------------  
      Total : 1             

    The preceding information indicates that Easy IP is configured on GigabitEthernet0/0/1 and that the address bound to the interface, 1.1.1.1, is the interface's own public IP address. If NAT still does not take effect, check the following:

    • If the bound IP address is the interface address, ensure that the interface address is valid.
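
Step 2 of this procedure comes down to one question: does the ACL bound to outbound NAT actually match the failing host's packets? The following Python script is an added example written for this page (not Huawei code) that parses constructed copies of the `display nat outbound` and `display acl` outputs shown above, evaluates the rules with Huawei wildcard-mask semantics, and reports, per binding, whether a given source/destination pair would be translated. The rule parser covers only the rule forms that appear on this page (source and destination with wildcard, optional ip/tcp/udp/icmp); keywords such as `any`, port matches, or time ranges are not handled. The destination address 203.0.113.10 is constructed.

```python
import re
from ipaddress import ip_address

# Constructed copies of the command outputs shown in step 2 of the procedure
# (not captured from a live device).
NAT_OUTBOUND_OUTPUT = """\
 NAT Outbound Information:
 ---------------------------------------------------------------------------
 Interface                     Acl      Address-group/IP/Interface      Type
 ---------------------------------------------------------------------------
 GigabitEthernet0/0/0         2000                               1 no-pat
 ---------------------------------------------------------------------------
  Total : 1
"""

ACL_OUTPUTS = {
    2000: """\
Basic ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 192.168.1.100 0
""",
}

OUTBOUND_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")
# Covers the rule forms on this page; 'any', 'destination-port', time ranges
# and similar options are not parsed.
RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)"
    r"(?:\s+(ip|tcp|udp|icmp))?"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?")


def parse_nat_outbound(text):
    """Rows of 'display nat outbound' as dicts (interface, acl, pool, type)."""
    bindings = []
    for raw in text.splitlines():
        m = OUTBOUND_ROW_RE.match(raw.strip())
        if m:
            bindings.append({"interface": m.group(1), "acl": int(m.group(2)),
                             "pool": m.group(3), "type": m.group(4)})
    return bindings


def parse_acl(text):
    """Rules of 'display acl <n>', ordered by rule number."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            num, action, proto, src, swc, dst, dwc = m.groups()
            rules.append({"id": int(num), "action": action, "proto": proto or "ip",
                          "src": (src, swc), "dst": (dst, dwc)})
    return sorted(rules, key=lambda r: r["id"])


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard masks: a 1 bit means 'don't care'; a bare '0' means one host."""
    w = int(ip_address("0.0.0.0" if wildcard == "0" else wildcard))
    return (int(ip_address(addr)) | w) == (int(ip_address(base)) | w)


def acl_decision(rules, src, dst, proto="ip"):
    """The first matching rule decides; a packet that matches no rule is not
    translated, which is reported as 'deny'."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["src"][0] and not wildcard_match(src, *r["src"]):
            continue
        if r["dst"][0] and not wildcard_match(dst, *r["dst"]):
            continue
        return r["action"]
    return "deny"


def diagnose(outbound_text, acl_outputs, src, dst, proto="ip"):
    """For each outbound NAT binding, report whether a packet src -> dst would
    be translated. Returns a list of (interface, acl, decision)."""
    findings = []
    for b in parse_nat_outbound(outbound_text):
        rules = parse_acl(acl_outputs.get(b["acl"], ""))
        findings.append((b["interface"], b["acl"], acl_decision(rules, src, dst, proto)))
    return findings


if __name__ == "__main__":
    for host in ("192.168.1.100", "192.168.1.101"):
        print(host, diagnose(NAT_OUTBOUND_OUTPUT, ACL_OUTPUTS, host, "203.0.113.10"))
```

With the page's ACL (`rule 5 permit source 192.168.1.100 0`) only the single host 192.168.1.100 is translated; a neighbouring host 192.168.1.101 gets "deny", which is exactly the symptom this procedure troubleshoots.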

External Hosts Fail to Access Internal Servers

Fault Description

This fault is commonly caused by one of the following:

  • The NAT server is configured on the wrong interface, for example, on an outbound port or another unrelated interface. The NAT server must be configured on the inbound interface through which external hosts reach the internal network.
  • The NAT server configuration is incorrect. For example, the public or private IP address mapped for an internal server is wrong, or the configured private port differs from the port actually enabled on the internal server.

Procedure

  1. Check whether services on the internal NAT server are running properly.

    When the external network cannot access the internal NAT server, check whether services such as HTTP server and FTP server are enabled on the internal NAT server. Access the internal NAT server from an internal host to check whether the services are running properly.

    • If services on the internal NAT server are not running properly, enable the services.
    • If services on the internal NAT server are running properly but the fault persists, go to step 2.

  2. Check that the NAT server is configured correctly.

    Run the display nat server command on the device to check that the NAT server is configured on the correct NAT interface and that the protocol type, port number, and IP address are configured correctly.

    [Huawei] display nat server  
      Nat Server Information:                                                        
      Interface  : GigabitEthernet 2/0/0                                              
     Global IP/Port     : 1.1.1.1/80 (www)                                   
     Inside IP/Port     : 192.168.0.100/8080                                       
     Protocol : 6(tcp)                                                          
     VPN instance-name  : ----  
     Acl number         : ----                                                   
     Vrrp id            : ----                                                    
     Description : ---- 
      Total : 1     

    Ensure that the mapped internal address and port are correct. Services such as FTP and TFTP use several ports (some of them negotiated dynamically) to transmit data packets. Therefore, when configuring the NAT server for such a service, do not restrict the ports, so that the internal server can provide the service normally.

    • If the NAT server is configured incorrectly, reconfigure the NAT server.
    • If the NAT server is configured correctly but the fault persists, go to step 3.

  3. Check the connection between the external host and NAT server and the configurations of the connected ports.

    Check that the IP address of the outbound interface on the NAT server and the external IP address of the NAT server are correct. These IP addresses must not conflict with addresses on other network segments. Ping the external interface of the NAT server from an external host and ensure that the ping succeeds.

    • If the external host cannot connect to the NAT server, check the connection.
    • If the external host and NAT server are connected correctly but the fault persists, go to step 4.

  4. Check that the internal NAT server is configured with the correct gateway address or route.

    The internal NAT server must be configured with the correct route or gateway address so that packets destined for the external host can be sent to the gateway.

    • If the gateway address or route on the internal NAT server is configured incorrectly, reconfigure it.
    • If the gateway address or route on the internal NAT server is configured correctly but the fault persists, contact technical support personnel.

Internal Hosts with an Overlapped IP Address Fail to Access External Servers

Fault Description

This fault is commonly caused by one of the following:

  • Outbound NAT is incorrectly configured on the outbound port.
  • NAT ALG is disabled for the DNS protocol.
  • The DNS mapping entry is configured incorrectly. For example, the corresponding public address is different from the IP address of an external server.
  • The route between the temporary address pool and the outbound interface is not configured.

Procedure

  1. Check that outbound NAT is configured correctly.

    Run the display nat outbound command on the device to check whether outbound NAT is configured correctly.

    [Huawei] display nat outbound
     NAT Outbound Information:  
     ---------------------------------------------------------------------------  
     Interface                     Acl      Address-group/IP/Interface      Type  
     ---------------------------------------------------------------------------  
     GigabitEthernet0/0/1         3180                               1       pat  
     ---------------------------------------------------------------------------  
      Total : 1     

    The preceding information indicates that ACL 3180 is bound to outbound NAT and the address pool index is 1. Check that outbound NAT references a correct address pool. When configuring an address pool, ensure that the destination address on the external network is different from any address in the address pool. Run the display nat address-group command to check the configuration of the address pool.

    [Huawei] display nat address-group 1
    NAT Address-Group Information:  
    --------------------------------------  
    Index Start-address      End-address  
    --------------------------------------  
    1       1.1.1.1            1.1.1.10  
    --------------------------------------  
    Total : 1          

    Check that ACL rules bound to outbound NAT are correct. Generally, incorrect addresses, protocol types, or interface numbers are defined in ACL rules. When an ACL problem occurs, packets on the internal network cannot be sent out or packets on the external network cannot be sent to the internal network.

    Run the display acl 3180 command to check the ACL bound to outbound NAT.

    [Huawei] display acl 3180
    Advanced ACL 3180, 1 rule  
    Acl's step is 5  
    rule 5 permit tcp source 10.10.10.1 0      
    NOTE:

    An ACL strictly controls the permitted address segments, protocols, and ports based on the networking requirements. If certain protocol packets are rejected by the NAT gateway, check whether the packets of this protocol are permitted by the ACL.

    • If outbound NAT is configured incorrectly, correct the configuration.
    • If outbound NAT is configured correctly but the fault persists, go to step 2.

  2. Check that the DNS mapping entry is configured correctly.

    Run the display nat dns-map command on the device to check whether the DNS mapping entry exists and whether its domain name, global IP address, global port, and protocol type are configured correctly.

    [Huawei] display nat dns-map
      NAT DNS mapping information:
      Domain-name : test1
      Global IP : 10.1.1.1
      Global port : 2012
      Protocol : tcp

      Total : 1

    • If the DNS mapping entry is configured incorrectly, run the nat dns-map command in the system view to configure a DNS mapping entry correctly.
    • If the DNS mapping entry is configured correctly but the fault persists, go to step 3.

  3. Check that NAT ALG is enabled for the DNS protocol.

    Run the display nat alg command on the device to check whether NAT ALG is enabled for the DNS protocol.

    [Huawei] display nat alg
    NAT Application Level Gateway Information:
    ----------------------------------
      Application            Status
    ----------------------------------
      dns                    Disabled
      ftp                    Disabled
      rtsp                   Enabled
      sip                    Disabled
      pptp                   Disabled
    ----------------------------------

    • If NAT ALG is disabled for the DNS protocol, run the nat alg command to enable it.
    • If NAT ALG is enabled for the DNS protocol but the fault persists, go to step 4.

  4. Check that the mappings between overlapped address pools and temporary address pools are correct.

    Run the display nat overlap-address command on the device to check whether all the mappings between overlapped address pools and temporary address pools are correct.

    [Huawei] display nat overlap-address all
    Nat Overlap Address Pool To Temp Address Pool Map Information:  
     ---------------------------------------------------------------------- 
     Id  Overlap-Address  Temp-Address  Pool-Length  Inside-VPN-Instance-Name  
     ---------------------------------------------------------------------- 
     1 1.1.1.1          20.20.20.20     34  
    ----------------------------------------------------------------------- 
      Total : 1             
    NOTE:

    The temporary address pool contains available IP addresses on the device. The IP addresses in the address pool cannot conflict with any interface address, VRRP address, or NAT address. In the preceding information, Inside-VPN-Instance-Name specifies the VPN instance to which the internal interface connected to the host belongs.

    • If the mappings are incorrect, reconfigure the mappings.
    • If the mappings are correct but the fault persists, go to step 5.

  5. Check that the route between the temporary address pool and the outbound interface is configured.

    Run the display ip routing-table command on the device to check all the routes on the public network.

    [Huawei] display ip routing-table
    Route Flags: R - relay, D - download to fib  
    ------------------------------------------------------------------------------  
    Routing Tables: Public  
             Destinations : 2       Routes : 2  
      
    Destination/Mask Proto  Pre  Cost       Flags NextHop         Interface  
      
     10.0.0.0/8     Static 60 0            D 10.164.50.1     Ethernet1/0/0  
     10.10.10.10/32 Direct 64 0            D 127.0.0.1       Vlanif3      
    NOTE:

    If the name of the VPN instance where the internal interface is located has been configured, run the display ip routing-table vpn-instance vpn-name command to check the routes.

    • If there is no correct route, reconfigure a route.
    • If the route is correct but the fault persists, contact technical support personnel.
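
Steps 4 and 5 above check the two halves of the overlapped-address mechanism: the mapping between the overlapped pool and the temporary pool, and the route that lets traffic to the temporary pool leave the device. The following Python module is an added example written for this page (not Huawei code) that models that mechanism and the two checks. It assumes the command `nat overlap-address <id> <overlap-start> <temp-start> pool-length <n>` maps the i-th address of the overlapped pool to the i-th address of the temporary pool (an assumption consistent with the page's examples, but not stated by it). The sample values come from the `nat overlap-address 0 1.1.1.100 3.3.3.100 pool-length 254` configuration earlier on the page and from the step 4 and step 5 outputs; the address 203.0.113.5 is constructed.

```python
from ipaddress import ip_address, ip_network


class OverlapMap:
    """One 'nat overlap-address <id> <overlap-start> <temp-start> pool-length <n>'
    entry. Assumed semantics: overlap-start + i <-> temp-start + i for 0 <= i < n."""

    def __init__(self, overlap_start, temp_start, pool_length):
        self.overlap_start = int(ip_address(overlap_start))
        self.temp_start = int(ip_address(temp_start))
        self.length = pool_length

    def to_temp(self, overlapped):
        """Temporary address for an overlapped address, or None if outside the pool."""
        i = int(ip_address(overlapped)) - self.overlap_start
        return str(ip_address(self.temp_start + i)) if 0 <= i < self.length else None

    def to_overlapped(self, temp):
        """Real (overlapped) address for a temporary address, or None if outside the pool."""
        i = int(ip_address(temp)) - self.temp_start
        return str(ip_address(self.overlap_start + i)) if 0 <= i < self.length else None

    def temp_addresses(self):
        return [str(ip_address(self.temp_start + i)) for i in range(self.length)]


def dns_alg_rewrite(resolved_ip, maps):
    """Reply path (needs 'nat alg dns enable'): a DNS answer inside an overlapped
    pool is replaced by its temporary address, so the internal host does not
    send the traffic to what looks like a local address. Other answers pass through."""
    for m in maps:
        temp = m.to_temp(resolved_ip)
        if temp:
            return temp
    return resolved_ip


def outbound_dst_rewrite(dst_ip, maps):
    """Forward path: a packet addressed to a temporary address is rewritten to
    the real external address before source NAT is applied."""
    for m in maps:
        real = m.to_overlapped(dst_ip)
        if real:
            return real
    return dst_ip


def pool_conflicts(maps, reserved):
    """Step 4 NOTE: temporary addresses must not collide with interface, VRRP
    or NAT addresses. Returns the colliding temporary addresses."""
    reserved = set(reserved)
    return [a for m in maps for a in m.temp_addresses() if a in reserved]


def missing_routes(maps, route_prefixes):
    """Step 5: temporary addresses that no route in the table covers."""
    nets = [ip_network(p) for p in route_prefixes]
    return [a for m in maps for a in m.temp_addresses()
            if not any(ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    m = OverlapMap("1.1.1.100", "3.3.3.100", 254)
    print(dns_alg_rewrite("1.1.1.120", [m]), outbound_dst_rewrite("3.3.3.120", [m]))
    t = OverlapMap("1.1.1.1", "20.20.20.20", 34)
    print(len(missing_routes([t], ["10.0.0.0/8", "10.10.10.10/32"])), "temp addresses without a route")
```

Run against the step 4 and step 5 sample outputs (temporary pool 20.20.20.20, length 34; routes 10.0.0.0/8 and 10.10.10.10/32), `missing_routes` reports all 34 temporary addresses as unrouted, which is the condition step 5 tells you to fix by configuring a route.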

FAQ About NAT

Does NAT Support VPN Multi-Instance?

Yes. Network address translation (NAT) supports virtual private network (VPN) multi-instance.

How Do I View the NAT Session Table?

Run the display nat session all command to view the NAT session table.

How Do I Forcibly Age NAT Session Tables?

Run the reset nat session all command to forcibly age NAT session tables.

Can the Global Address of the NAT Server Be an Address in the NAT Address Pool?

No.

How Can I Enable NAT Log and Set a Log Interval?

NAT logs are generated when the device performs address translation.

Configuration Example

Configure the device to generate NAT logs at an interval of 200 seconds.

<Huawei> system-view
[Huawei] firewall log all enable 
[Huawei] info-center enable
[Huawei] firewall log defend log-interval 200

How Can I Set the Aging Time of the Traffic Forwarding Table?

You can use the firewall-nat session aging-time command to set the aging time of the session entries.

Configuration Example

# Set the aging time of FTP session entries to 60 seconds.

<Huawei> system-view
[Huawei] firewall-nat session ftp aging-time 60

Users on an Internal Network Cannot Access Internal Servers Using Domain Names. Why?

When a user device accesses the internal server using a domain name, the domain name in the DNS request may or may not contain the host name. Therefore, you need to configure DNS mapping entries for the following two situations. For example, suppose you want to access the domain name www.hbjs.gov.cn.

  • When the DNS Request packet sent by the user device contains the host name, that is, the user device uses the domain name www.hbjs.gov.cn to access the internal server, run the nat dns-map www.hbjs.gov.cn global-address global-port { tcp | udp } command.
  • When the DNS Request packet sent by the user device does not contain the host name, that is, the user device uses the domain name hbjs.gov.cn to access the internal server, run the nat dns-map hbjs.gov.cn global-address global-port { tcp | udp } command.
NOTE:

If you are not sure whether the DNS Request packet sent by the device contains the host name or not, it is recommended that you configure both the preceding commands.

Private Network User and Server Are in the Same VLAN. After NAT Server Is Configured on the VLANIF Interface, Why Can't the User Access the Server Using the Public Address?

The private network user and the server are connected to the same VLANIF interface and the same subcard. After the nat server command is run in the VLANIF interface view to map the server IP address to a public network address, the response packet from the server to the user is not sent to the CPU, so its address cannot be translated and the user cannot connect to the server. To solve this problem, run the nat outbound command on the VLANIF interface so that the server's response packet is sent to the router, its address is translated, and the router forwards the packet to the user. The user can then connect to the server.

What Are the Differences Between NAT Server and NAT Static Modes?

For the access from the public network to the private network, the NAT server and NAT static modes are the same. For the access from the private network to the public network, the NAT server mode translates only the IP address, while the NAT static mode translates both the IP address and port.

# Configure NAT server on the public network interface Gigabitethernet 0/0/1.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 3000 inside 10.1.1.100 1000 

Figure 1-24 Diagram of the NAT server mode

For access from the private network to the public network (that is, when the NAT server proactively accesses the Internet), the NAT server mode translates only the IP address. That is, when the source IP address of the traffic matches the private IP address in the NAT server rule, the NAT server mode translates the IP address regardless of the port number.

# Configure NAT static on the public network interface Gigabitethernet 0/0/1.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[Huawei-GigabitEthernet0/0/1] nat static protocol tcp global current-interface 3000 inside 10.1.1.100 1000 
Figure 1-25 Diagram of the NAT static mode

For the access from the private network to the public network, the NAT static mode translates both IP address and port.

The enterprise requires that private users can access the public server and public users can access the private server. If both the NAT server and Easy IP functions are configured on the router, since the NAT server mode translates only the IP address for the access from the private network to the public network, flow tables may fail to be established. In this case, you are advised to change NAT server to NAT static.
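The following toy model, added here and not taken from Huawei documentation or device code, applies the three rule types described above to outbound (private-to-public) flows: a NAT server rule matches on the private IP only and keeps the source port, a NAT static rule matches on IP and port and rewrites both, and Easy IP allocates a free port on the interface address. The interface address 1.1.1.1 and the 10.1.1.100:1000 to :3000 mapping come from the configuration above; the Easy IP port range, the LAN host 10.1.1.50, and the treatment of a reused public port as a flow that cannot be installed are assumptions used to illustrate the flow-table problem.

```python
# Added example (not Huawei code): toy model of outbound translation under
# the NAT server, NAT static and Easy IP rules described in the FAQ.
# Assumption: a public port that is already in use means the new flow
# cannot be installed, which models the flow-table failure mentioned above.
from dataclasses import dataclass, field

PUBLIC_IP = "1.1.1.1"               # interface address from the FAQ examples
EASY_IP_BASE = 10000                # constructed: first port Easy IP hands out

@dataclass
class OutboundNat:
    mode: str                                   # "server" or "static"
    inside: tuple[str, int] = ("10.1.1.100", 1000)
    global_port: int = 3000
    used_ports: set[int] = field(default_factory=set)

    def translate(self, src: tuple[str, int]):
        """Return the public (ip, port) for a new outbound flow, or None if
        the flow cannot be installed because its public port is taken."""
        ip, port = src
        if self.mode == "server" and ip == self.inside[0]:
            public = (PUBLIC_IP, port)              # IP only, port unchanged
        elif self.mode == "static" and src == self.inside:
            public = (PUBLIC_IP, self.global_port)  # IP and port rewritten
        else:
            public = (PUBLIC_IP, self._easy_ip_port())
        if public[1] in self.used_ports:
            return None                             # flow table clash
        self.used_ports.add(public[1])
        return public

    def _easy_ip_port(self) -> int:
        port = EASY_IP_BASE
        while port in self.used_ports:
            port += 1
        return port

def compare_modes():
    """Same traffic through both modes: a LAN host first (Easy IP), then
    the server sending from the port Easy IP just handed out, then the
    server sending from its service port."""
    results = {}
    for mode in ("server", "static"):
        nat = OutboundNat(mode)
        results[mode] = [nat.translate(("10.1.1.50", 4444)),
                         nat.translate(("10.1.1.100", EASY_IP_BASE)),
                         nat.translate(("10.1.1.100", 1000))]
    return results
```

In server mode the second flow collides with the port Easy IP already allocated and fails, while in static mode the same flow falls through to Easy IP and only the 10.1.1.100:1000 flow is rewritten to port 3000.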

An External Phone Fails to Register With the SIP Server After a NAT Server Is Configured on the Outbound Interfaces of the Device Functioning as a SIP Server.

A SIP server is deployed on an internal network and a NAT server and MTU are configured on the outbound and inbound interfaces of a gateway router on this network. In this case, the router sends fragmented packets to the SIP server and the server returns ICMP Error packets. An external phone fails to register with the SIP server. Disable the MTU configuration on the inbound interface or run the ip soft-forward enhance enable command to enable the enhanced IP forwarding function on the router, so that the external phone can correctly register with the SIP server to implement NAT translation.

What Are the Differences Between Easy IP and Address Pool?

Easy IP uses the public IP address of an interface as the translated source address, as shown in Figure 1-26.

Figure 1-26 Networking of Easy IP

When the address pool mode is used, you need to configure a public address pool, from which the public addresses that private addresses are mapped to are selected, as shown in Figure 1-27.

Figure 1-27 Networking of an address pool

Use Easy IP or address pool according to planning of public IP addresses:

  • If there are idle public IP addresses after IP addresses of outbound interfaces on NAT devices and other applications are configured, use the address pool mode.
  • If there are no idle public IP addresses after IP addresses of outbound interfaces on NAT devices and other applications are configured, use Easy IP.

Which Interfaces Support NAT?

The following interfaces support NAT:

  • Physical interfaces

    Layer 3 Ethernet interface, Layer 3 GE interface, G.SHDSL interface, ADSL interface, VDSL interface, PON interface, serial interface, POS interface, asynchronous interface, ATM interface, BRI interface, and cellular interface

  • Logical interfaces

    Dialer interface, tunnel interface, Layer 3 Eth-Trunk interface, VE interface, VT interface, MP-group interface, MFR interface, and IMA-Group interface

  • Sub-interfaces

    Ethernet sub-interface, Eth-Trunk sub-interface, ATM sub-interface, serial sub-interface, MFR sub-interface, IMA-Group sub-interface, and POS sub-interface

Public Address Cannot Be Pinged When NAT Is Configured on the Device as the Egress Gateway. How Do I Solve the Problem?

After outbound NAT is configured, run the ip soft-forward enhance enable command to enable the enhanced IP forwarding function before running the ping -a source-ip-address host command. The device then does not translate private source addresses into public addresses when sending packets.

What Should I Do If the CPU Usage Is High After DNS Mapping Is Configured?

After DNS mapping is configured, the CPU processes packets before the router forwards the packets. If a large number of packets need to be processed, the CPU usage is high.

If the CPU usage remains high and affects device usage, it is recommended that you delete the DNS mapping configuration and disable the DNS ALG function to prevent packets from being sent to the CPU, reducing the CPU usage. To protect the router and meet users' service demands, add the NAT server configuration on the interface connecting to the internal network.

When an internal network host accesses an internal network server using the domain name, the host sends a domain name request to the DNS server. The DNS server encapsulates the public IP address corresponding to the domain name into the response packet. If the DNS mapping and DNS ALG functions are enabled, the router converts the public IP address encapsulated in a DNS response packet into a private IP address when forwarding the packet to an internal network host. After the DNS mapping and DNS ALG configurations are deleted, the router cannot perform IP address translation. You can add the NAT server configuration on the interface connecting to the internal network. The public IP address then can be converted into the private IP address of the internal network server, allowing internal network hosts to access the internal network server.
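As an added illustration of the translation step described in this paragraph (example code, not Huawei's implementation), the following parser rewrites the A record of a DNS response when the queried domain is in the DNS mapping table and its public address has a NAT server entry. The domain names and public address 1.1.1.1 come from the dns-map commands below; the private address 192.168.1.100 comes from the NAT server configuration below; the sample response packet is constructed for the demonstration.

```python
# Added example (not Huawei code): what DNS mapping + DNS ALG do to an A record.
import socket, struct

DNS_MAP = {"www.bz2z.com": "1.1.1.1", "bz2z.com": "1.1.1.1"}  # from 'nat dns-map'
NAT_SERVER = {"1.1.1.1": "192.168.1.100"}   # global -> inside, from 'nat server'

def read_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), end if end is not None else off

def rewrite_response(pkt: bytes) -> bytes:
    """Replace the public address in matching A records with the private one."""
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):                      # skip the question section
        off = read_name(pkt, off)[1] + 4          # name + QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            public = socket.inet_ntoa(pkt[off:off + 4])
            if DNS_MAP.get(name) == public and public in NAT_SERVER:
                out[off:off + 4] = socket.inet_aton(NAT_SERVER[public])
        off += rdlen
    return bytes(out)

def build_response(name: str, addr: str) -> bytes:
    """Construct a minimal one-question, one-answer response for the demo."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answer_ip(pkt: bytes) -> str:
    return socket.inet_ntoa(pkt[-4:])            # address of the last A record
```

Responses for domains outside the mapping table, or carrying an address with no NAT server entry, are returned unchanged.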

The configuration procedure is as follows:

  1. On the NAT-enabled router, run the undo nat alg enable command to disable the DNS ALG function and run the undo nat dns-map command to delete the DNS mapping configuration.
  2. On the interface connecting to the internal network, run the nat server command to add the NAT server configuration. This configuration allows the router to convert the public IP address of the internal network server into its private IP address when an internal network host accesses the internal network server.

Disable the DNS ALG function and delete the DNS mapping configuration.

<Huawei> system-view
[Huawei] undo nat dns-map www.bz2z.com 1.1.1.1 80 tcp
[Huawei] undo nat dns-map bz2z.com 1.1.1.1 80 tcp

Assume that the interface connecting to the public network is GE0/0/0 and the interface connecting to the internal network is GE0/0/1. Check the configuration of the interface connecting to the public network.

[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] display this
# 
interface GigabitEthernet0/0/0  
 ip address 1.1.1.2 255.255.255.0  
 nat server protocol tcp global current-interface 80 inside 192.168.1.100 80  
 nat outbound 3001  
[Huawei-GigabitEthernet0/0/0] quit

Configure NAT server on the interface connecting to the internal network. Change the keyword current-interface in the NAT server configuration to the specified public network interface.

[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global interface gigabitethernet 0/0/0 80 inside 192.168.1.100 80

After the preceding configurations are complete, the CPU usage is reduced and internal network hosts can normally access the internal network server.

Network Access Through Internet-side Port 80, 8080, or 443 Fails.

Internet-side ports 80, 8080, and 443 are disabled by a carrier. If Internet-side port 80, 8080, or 443 is enabled in NAT, users cannot access the intranet.

In the following example, Internet-side port 80 is configured as a NAT server.

[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 10.10.10.1 80 inside 192.168.2.10 80

When devices on another network access the intranet, intranet port 80 is mapped to Internet-side port 80, causing an access failure. To resolve this problem, change the mapped Internet-side port to a port other than 80, 8080, and 443. For example, change it to port 1001.

[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 10.10.10.1 1001 inside 192.168.2.10 80

Related Information

For more information and detailed procedures, refer to the following documents:

CLI-based Configuration Guide - IP Service AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R009

Updated: 2019-08-08

Document ID: EDOC1100086645