Example for Configuring Intranet Hosts to Access an Extranet
Networking Requirements
On the network shown in Figure 5-29, intranet users in areas A and B of an enterprise are connected to the Internet through the router, and need to access the Internet. A large number of public IP addresses are planned for users in area A. The enterprise wants to map the IP addresses (in the IP network segment 192.168.20.0/24) of hosts in area A to IP addresses in the public address pool (2.2.2.100 to 2.2.2.200) in 1:1 mapping mode so that these hosts can access the Internet. A small number of public IP addresses are planned for users in area B. The enterprise wants to map the IP addresses (in the IP network segment 10.0.0.0/24) of hosts in area B to IP addresses in the public address pool (2.2.2.80 to 2.2.2.83) in N:1 mapping mode so that these hosts can access the Internet. The public IP address of the WAN-side interface on the router is 2.2.2.1/24. The IP address of the carrier device connected to the router is 2.2.2.2/24.
Configuration Roadmap
The configuration roadmap is as follows:
Configure IP addresses for interfaces and a default route to allow intranet hosts to access the Internet.
On the WAN-side interface of the router, configure outbound NAT without port translation for hosts in area A so that these hosts can access the Internet after 1:1 address translation.
On the WAN-side interface of the router, configure outbound NAT with port translation for hosts in area B so that these hosts can access the Internet after N:1 address translation.
Procedure
- Configure IP addresses for interfaces on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 2.2.2.1 24
[Router-GigabitEthernet3/0/0] quit
- On the router, configure a default route with next hop address 2.2.2.2.
[Router] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
- On the router, configure outbound NAT without port translation (no-pat). In this mode each active area-A address is bound 1:1 to one address from address group 1 for as long as it has sessions, and port numbers and ICMP identifiers are left unchanged. Address group 1 (2.2.2.100 to 2.2.2.200) holds 101 addresses, so at most 101 area-A hosts can have Internet sessions at the same time; further hosts cannot be translated until a binding ages out. Note that ACL 2000 only selects which source addresses are translated; it does not filter traffic, and packets from sources that match no nat outbound ACL are forwarded with their private source address intact.
[Router] nat address-group 1 2.2.2.100 2.2.2.200
[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat
[Router-GigabitEthernet3/0/0] quit
- On the router, configure outbound NAT with port translation (pat, the default when no-pat is not specified). Hosts in area B share the four addresses in address group 2 (2.2.2.80 to 2.2.2.83); concurrent sessions are told apart by the translated source port or ICMP identifier.
[Router] nat address-group 2 2.2.2.80 2.2.2.83
[Router] acl 2001
[Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2
[Router-GigabitEthernet3/0/0] quit
[Router] quit
Before running the ping -a source-ip-address command on the router (which sets the source IP address of the ICMP Echo-Request packets) to check whether intranet users can access the Internet, run the ip soft-forward enhance enable command to enable enhanced forwarding for control packets generated by the router. Without this function the router-generated packets are not translated and the ping fails.
- Verify the configuration.
# Run the display nat outbound command on the router to check the outbound NAT configuration.
<Router> display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface               Acl   Address-group/IP/Interface   Type
 -----------------------------------------------------------------
 GigabitEthernet3/0/0    2000  1                            no-pat
 GigabitEthernet3/0/0    2001  2                            pat
 -----------------------------------------------------------------
  Total : 2
# Run the ping command on the router with the source address set to the Vlanif address of each area, so that the Echo-Request packets match ACL 2000 or ACL 2001 and are translated, to verify that intranet users can access the Internet.
<Router> ping -a 192.168.20.1 2.2.2.2
  PING 2.2.2.2: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 2.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms

<Router> ping -a 10.0.0.1 2.2.2.2
  PING 2.2.2.2: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 2.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms
# Before the NAT entries age out, run the display nat session all command on the router to check the address translation result. The area-A session keeps its ICMP identifier (no-pat), while the area-B session is given a new one (pat).
<Router> display nat session all
  NAT Session Table Information:

     Protocol          : ICMP(1)
     SrcAddr  Vpn      : 192.168.20.1
     DestAddr Vpn      : 2.2.2.2
     Type Code IcmpId  : 8    0    44004
     NAT-Info
       New SrcAddr     : 2.2.2.100
       New DestAddr    : ----
       New IcmpId      : ----

     Protocol          : ICMP(1)
     SrcAddr  Vpn      : 10.0.0.1
     DestAddr Vpn      : 2.2.2.2
     Type Code IcmpId  : 8    0    44005
     NAT-Info
       New SrcAddr     : 2.2.2.81
       New DestAddr    : ----
       New IcmpId      : 10243

  Total : 2
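The following model, added here as an illustration and not part of the original example or of VRP, reproduces what the two nat outbound rules above do to a packet: basic-ACL wildcard matching, 1:1 binding for the no-pat group, shared addresses with rewritten ICMP identifiers for the pat group, and the two edge cases a practitioner should know about: the no-pat pool running out after 101 concurrent area-A hosts, and a source that matches neither ACL leaving the router untranslated. Which public address and which new identifier the real device picks is internal to it (the session table above shows 2.2.2.81 and 10243); the model assumes lowest free address and sequential identifiers, and all hosts, ACLs and pools are taken from the configuration on this page.

```python
"""Model of outbound NAT as configured on GigabitEthernet3/0/0 (added example, not VRP code)."""
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Optional


def acl_basic_match(rule_source: str, wildcard: str, address: str) -> bool:
    """'rule permit source X W': W is a wildcard mask where 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    rule = int(ipaddress.IPv4Address(rule_source)) & care
    return rule == (int(ipaddress.IPv4Address(address)) & care)


def address_group(first: str, last: str) -> list[str]:
    """Expand 'nat address-group N first last' into its public addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]


@dataclass(frozen=True)
class Session:
    src: str
    new_src: str
    icmp_id: int
    new_icmp_id: int
    mode: str  # "no-pat", "pat" or "none" (no ACL matched: forwarded untranslated)


@dataclass
class OutboundRule:
    acl_source: str
    acl_wildcard: str
    pool: list[str]
    pat: bool


class OutboundNat:
    def __init__(self, rules: list[OutboundRule], first_new_id: int = 10240) -> None:
        self.rules = rules
        self.nopat_binding: dict[str, str] = {}   # private -> public, kept while sessions exist
        self.nopat_in_use: set[str] = set()
        self.pat_ids: dict[str, set[int]] = {}    # public -> identifiers already handed out
        # Assumption: sequential identifier allocation; the real allocator is device-internal.
        self._next_id = count(first_new_id)

    def translate(self, src: str, icmp_id: int) -> Optional[Session]:
        """Return the session created for an ICMP Echo from src, or None if it cannot be."""
        for rule in self.rules:
            if acl_basic_match(rule.acl_source, rule.acl_wildcard, src):
                return self._pat(src, icmp_id, rule) if rule.pat else self._no_pat(src, icmp_id, rule)
        # Caveat: nat outbound is not a filter. An unmatched source is forwarded as-is.
        return Session(src, src, icmp_id, icmp_id, "none")

    def _no_pat(self, src: str, icmp_id: int, rule: OutboundRule) -> Optional[Session]:
        public = self.nopat_binding.get(src)
        if public is None:
            free = [a for a in rule.pool if a not in self.nopat_in_use]
            if not free:
                return None  # pool exhausted: the 1:1 binding cannot be created
            public = free[0]  # assumption: lowest free address
            self.nopat_binding[src] = public
            self.nopat_in_use.add(public)
        return Session(src, public, icmp_id, icmp_id, "no-pat")  # identifier unchanged

    def _pat(self, src: str, icmp_id: int, rule: OutboundRule) -> Session:
        # Assumption: spread sessions over the least-loaded public address.
        public = min(rule.pool, key=lambda a: len(self.pat_ids.get(a, ())))
        new_id = next(self._next_id)
        self.pat_ids.setdefault(public, set()).add(new_id)
        return Session(src, public, icmp_id, new_id, "pat")


def router_from_example() -> OutboundNat:
    """ACLs and address groups exactly as configured on GigabitEthernet3/0/0."""
    return OutboundNat([
        OutboundRule("192.168.20.0", "0.0.0.255", address_group("2.2.2.100", "2.2.2.200"), pat=False),
        OutboundRule("10.0.0.0", "0.0.0.255", address_group("2.2.2.80", "2.2.2.83"), pat=True),
    ])


def capacity_demo() -> tuple[int, int]:
    """Concurrent hosts served per area when all 254 hosts of each subnet go online."""
    nat = router_from_example()
    served_a = sum(nat.translate(f"192.168.20.{h}", 1000 + h) is not None for h in range(1, 255))
    served_b = sum(nat.translate(f"10.0.0.{h}", 2000 + h) is not None for h in range(1, 255))
    return served_a, served_b


if __name__ == "__main__":
    nat = router_from_example()
    print(nat.translate("192.168.20.1", 44004))   # no-pat: 2.2.2.100, IcmpId kept
    print(nat.translate("10.0.0.1", 44005))       # pat: shared address, new IcmpId
    print(nat.translate("172.16.0.9", 1))         # unmatched: forwarded untranslated
    print(capacity_demo())                        # (101, 254)
```

The capacity figure is the point to take away when sizing a no-pat group: 192.168.20.0/24 has 254 usable hosts but only 101 of them can hold public bindings at once, whereas the four pat addresses serve the whole of 10.0.0.0/24. The "none" mode is the reason to keep every intranet subnet covered by a nat outbound ACL or by an explicit filter on the WAN interface.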
Configuration Files
Router configuration file
#
 sysname Router
#
vlan batch 100 200
#
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
#
nat address-group 1 2.2.2.100 2.2.2.200
nat address-group 2 2.2.2.80 2.2.2.83
#
interface Vlanif100
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
 ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet3/0/0
 ip address 2.2.2.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
#
return