Configuring NAT ALG
Enabling NAT ALG for SIP
Context
Generally, NAT translates only the IP address in the IP packet header and the port number in the TCP/UDP header. Packets of some protocols, such as DNS and FTP, also carry an IP address or port number in the Data field, which ordinary NAT cannot translate. The NAT ALG function enables the NAT device to identify and translate the IP address or port number in the Data field. Currently, the NAT ALG function is applicable to the DNS, FTP, SIP, PPTP, and RTSP protocols. SIP is a multi-channel application and requires multiple data channel links. To ensure that these channels can be established, you must configure the NAT mapping mode and NAT filtering mode; only packets that match the mapping and filtering conditions are allowed to pass through. Therefore, for NAT ALG for SIP, you need to configure both APDM and APDF so that SIP can traverse NAT.
Procedure
- Run system-view
The system view is displayed.
- Run nat alg sip enable
The NAT ALG function for SIP is enabled.
By default, the NAT ALG function for SIP is disabled.
- Run nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]
The NAT mapping mode is configured.
The NAT mapping mode is APDM by default.
- Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }
The NAT filtering mode is configured.
The NAT filtering mode is APDF by default.
- (Optional) Run nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number[.subnumber ] }
CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.
By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.
- (Optional) Run port-mapping sip port port-number acl acl-number
Port mapping for SIP is configured.
This command is required when SIP, with the NAT ALG function enabled, uses a non-well-known port number, that is, a port other than the default one.
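The effect of the mapping and filtering modes configured above, as an added Python simulation (not vendor code, and not a model of any particular router's implementation): a private SIP phone registers with a proxy, and a second peer that the phone has never sent to tries to reach the port the proxy advertised. Addresses are constructed sample values; the model assumes the page's APDM and APDF correspond to the address-and-port-dependent mapping and the endpoint-and-port-dependent filtering keywords.

```python
from dataclasses import dataclass, field

EIM, APDM = "endpoint-independent", "address-and-port-dependent"
EIF, EDF, APDF = "endpoint-independent", "endpoint-dependent", "endpoint-and-port-dependent"


@dataclass
class Nat:
    mapping_mode: str
    filter_mode: str
    next_port: int = 40000                        # constructed public port pool
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    peers: dict = field(default_factory=dict)     # public port -> set of (ip, port) sent to

    def outbound(self, src, dst):
        """Private src sends to external dst; returns the public port used."""
        # EIM: one public port per private socket; APDM: one per (socket, destination)
        key = (src,) if self.mapping_mode == EIM else (src, dst)
        pport = self.mappings.setdefault(key, self.next_port)
        if pport == self.next_port:               # a fresh port was just allocated
            self.next_port += 1
        self.peers.setdefault(pport, set()).add(dst)
        return pport

    def inbound(self, remote, public_port):
        """External remote sends to public_port; True if the filter admits it."""
        sent_to = self.peers.get(public_port)
        if not sent_to:                           # no mapping at all: always dropped
            return False
        if self.filter_mode == EIF:               # any remote may use an existing mapping
            return True
        if self.filter_mode == EDF:               # remote address must have been contacted
            return any(remote[0] == ip for ip, _ in sent_to)
        return remote in sent_to                  # APDF: exact address and port must match


PHONE, PROXY = ("192.168.1.10", 5060), ("198.51.100.5", 5060)   # constructed endpoints
MEDIA_PEER = ("198.51.100.7", 20000)  # far-end phone learned through the proxy


def port_stays_stable(mapping_mode):
    """With EIM the port advertised in SIP/SDP stays valid for every peer."""
    nat = Nat(mapping_mode, EIF)
    p1 = nat.outbound(PHONE, PROXY)
    p2 = nat.outbound(PHONE, MEDIA_PEER)
    return p1 == p2


def new_peer_admitted(filter_mode):
    """Can a peer the phone never sent to reach the port the proxy advertised?"""
    nat = Nat(EIM, filter_mode)
    pport = nat.outbound(PHONE, PROXY)
    return nat.inbound(MEDIA_PEER, pport)
```

Under a stricter mode the far-end media never arrives, which is the one-way-audio symptom the mapping and filtering configuration above is meant to avoid.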
Enabling NAT ALG for DNS
Context
In some scenarios, users on a private network need to access intranet servers using domain names, but the DNS server is located on a public network. Usually, a DNS response packet carries the public IP address of an intranet server. If the NAT device does not replace the public IP address resolved by the DNS server with the private IP address of the intranet server, users on the private network cannot access the intranet server using the domain name. DNS ALG and DNS mapping solve this problem. You need to enable DNS ALG so that the NAT device can identify DNS response packets, and set up DNS mappings to create a table that specifies mappings among domain names, public IP addresses, public port numbers, and protocol types.
As shown in Figure 5-27, the host on the private network needs to access the web server using the domain name, and the Router functions as a NAT server. After receiving a DNS response packet, the NAT device searches the DNS mapping table for the public IP address of the web server based on the domain name carried in the response packet, and searches the static NAT mapping table based on the public IP address. Then, the NAT device replaces the public IP address carried in the DNS response packet with the mapped private IP address of the web server. In this manner, the DNS response packet received by the host carries the private IP address of the web server. Then, the host can access the web server using the private IP address of the web server.
Prerequisites
Static NAT has been configured on the Router. That is, the static NAT mappings between the public IP address and port number of the web server and the private IP address and port number of the web server have been set up. For details about how to configure static NAT, see the configuration of NAT static in the interface view and system view in Configuring Extranet Hosts to Access Intranet Servers.
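The rewrite the Router performs on a DNS response, as an added Python simulation of the two lookups described above (DNS mapping table, then static NAT table); this is not vendor code. The domain name, addresses and both tables are constructed sample values, and a minimal wire-format DNS response with one A record is built inline so the example runs offline.

```python
import socket
import struct

# Constructed sample tables mirroring the two lookups the NAT device performs.
DNS_MAP = {"www.example.com": ("203.0.113.10", 80, "tcp")}   # nat dns-map entry
STATIC_NAT = {("203.0.113.10", 80, "tcp"): "192.168.1.10"}    # static NAT entry

def build_response(qname, address, txid=0x1234):
    """Construct a minimal DNS response with one A record (sample input only)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, one question, one answer
    question = labels + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    # answer name is a compression pointer (0xC00C) back to the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(address)
    return header + question + answer

def read_name(pkt, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    parts, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        parts.append(bytes(pkt[off:off + length]).decode())
        off += length
    return ".".join(parts), (end if jumped else off)

def dns_alg_rewrite(pkt):
    """Replace public A-record addresses with the statically mapped private ones."""
    pkt = bytearray(pkt)
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:                              # only responses are touched
        return bytes(pkt)
    off = 12
    for _ in range(qd):
        off = read_name(pkt, off)[1] + 4                # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and name in DNS_MAP:
            gaddr, gport, proto = DNS_MAP[name]
            # rewrite only when the resolved address is the mapped public address
            if socket.inet_ntoa(bytes(pkt[off:off + 4])) == gaddr:
                inside = STATIC_NAT.get((gaddr, gport, proto))
                if inside:
                    pkt[off:off + 4] = socket.inet_aton(inside)
        off += rdlen
    return bytes(pkt)
```

A response for a domain that has no DNS mapping, or whose resolved address differs from the mapped public address, passes through unchanged, which is the behaviour to expect when the mapping table is incomplete.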
Procedure
- Run system-view
The system view is displayed.
- Run nat alg dns enable
The NAT ALG function for DNS is enabled.
By default, the NAT ALG function for DNS is disabled.
- Run nat dns-map domain-name { global-address | interface interface-type interface-number[.subnumber ] } global-port protocol-name
A mapping from a domain name to a public IP address, a port number, and a protocol type is configured.
- (Optional) Run port-mapping dns port port-number acl acl-number
Port mapping for DNS is configured.
This command is required when DNS, with the NAT ALG function enabled, uses a non-well-known port number, that is, a port other than the default one.
Verifying the NAT ALG Configuration
Procedure
- Run the display nat alg command to check the NAT ALG configuration.
- Run the display nat dns-map [ domain-name ] command to check the configuration of DNS mapping.
- Run the display nat sip cac bandwidth information [ verbose ] command to check the current total bandwidth and occupied bandwidth on the device.
- Run the display nat filter-mode command to check the NAT filtering mode.
- Run the display nat mapping-mode command to check the NAT mapping mode.