Configuring Extranet Hosts to Access Intranet Servers
Context
Ensure that global-address and host-address do not conflict with existing IP addresses assigned to devices, including IP addresses of interfaces and IP addresses in the user address pool.
The specified global-port or host-port cannot be used by other applications.
You can specify current-interface or loopback so that NAT borrows the interface IP address as the translated public address.
When you configure static one-to-one NAT that borrows an interface IP address (no interface number is specified and the IP address is mapped to a private network address), other services enabled on the interface may become unavailable. If you want to enable other applications on the interface, add an ACL rule to filter out the number of the interface on which the applications are enabled.
Procedure
- Run system-view
The system view is displayed.
- Static NAT can be configured using the nat static command in the interface or system view, or configured through NAT Server.
- Configure the static NAT function in the interface view.
- Run interface interface-type interface-number[.subnumber ]
The interface view or sub-interface view is displayed.
- Run one of the following commands as required:
- nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number[.subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]
- nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number[.subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]
- nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number[.subnumber ] } global-port global-port2 [ vrrp vrrpid ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
- Run quit
The system view is displayed.
- Configure the static NAT function in the system view. This operation applies to the scenario where multiple interfaces share one static NAT mapping.
- Run one of the following commands as required:
- nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
- nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
- nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
- nat static protocol { tcp | udp } global global-address global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
- nat static protocol { tcp | udp } global interface loopback interface-number global-port global-port2 [ vpn-instance vpn-instance-name ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
- Run interface interface-type interface-number[.subnumber ]
The interface view or sub-interface view is displayed.
- Run nat static enable
The static NAT function is enabled on the interface.
- Configure the NAT Server function.
- Run interface interface-type interface-number[.subnumber ]
The interface view or sub-interface view is displayed.
- Run one of the following commands as required:
- nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number[.subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
- nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number[.subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
- To specify a global VPN, you are advised to configure static NAT in the interface view. Then the device can automatically obtain information about the VPN instance associated with the interface, and you do not need to manually specify the VPN instance at the public network side (global). To associate NAT static with a global VPN in the system view, you can specify a loopback interface as the outbound interface at the public network side, and then specify a VPN instance.
- If you run the undo nat static and undo nat server commands, static mapping entries are not immediately deleted. To clear static mapping entries, run the reset nat session command.
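The Context constraints can be checked against a saved configuration before it is applied. The following Python script is an added example, not part of the original page or the vendor's tooling: it flags `nat static` / `nat server` lines whose global-address or host-address equals an address already assigned to an interface, and one-to-one mappings that borrow an interface address without an `acl`. The sample configuration, interface names and addresses are constructed; the script assumes `global interface` is followed by the type and number as separate tokens and does not check the user address pool.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges), not from the page.
SAMPLE = """\
interface GigabitEthernet0/0/2
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 203.0.113.1 255.255.255.0
 nat static global current-interface inside 192.168.20.2
 nat static protocol tcp global current-interface 8080 inside 192.168.20.3 80
 nat server protocol tcp global 203.0.113.1 443 inside 192.168.20.4 443
 nat static protocol udp global 203.0.113.11 53 inside 192.168.20.1 53
"""

def global_part(tokens):
    """Tokens between 'global' and 'inside' -> (literal address or None, has_port)."""
    borrowed = tokens[0] in ("current-interface", "interface")
    skip = 3 if tokens[0] == "interface" else 1  # assumes 'interface <type> <number>'
    has_port = len(tokens) > skip and tokens[skip].isdigit()
    return (None if borrowed else ipaddress.ip_address(tokens[0])), has_port

def audit(config):
    """Return (line_number, finding) pairs for the Context constraints."""
    lines = [line.split() for line in config.splitlines()]
    assigned = set()
    for t in lines:  # pass 1: addresses already assigned to interfaces
        if t[:2] == ["ip", "address"] and len(t) > 2 and t[2][0].isdigit():
            assigned.add(ipaddress.ip_address(t[2]))
    findings = []
    for no, t in enumerate(lines, 1):  # pass 2: nat static / nat server mappings
        if t[:1] != ["nat"] or "global" not in t or "inside" not in t:
            continue
        g, i = t.index("global"), t.index("inside")
        addr, has_port = global_part(t[g + 1:i])
        host = ipaddress.ip_address(t[i + 1])
        if addr in assigned:
            findings.append((no, "global-conflict"))
        if host in assigned:
            findings.append((no, "host-conflict"))
        # One-to-one mapping on a borrowed interface address: per the Context
        # note, other services on that interface may become unavailable.
        if addr is None and not has_port and "acl" not in t:
            findings.append((no, "borrowed-one-to-one-no-acl"))
    return findings

if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(f"line {no}: {finding}")
```

Port-scoped mappings on a borrowed address (line 6 of the sample) pass the check because only the mapped port is translated.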