Example for Configuring NAT to Translate Both the Source and Destination IP Addresses
This section provides an example for configuring NAT to translate both the source and destination IP addresses when Internet users access an internal server.
Networking Requirements
In Figure 2-14, NAT-Device functions as the gateway of an enterprise, and the FTP server is an internal server on the enterprise network. Users on the Internet want to access the FTP server on the private network. During the access, the public IP addresses of the Internet users are also translated, so that no public network routes need to be imported to the private network. The peer device connected to NAT-Device is assigned an IP address of 11.11.1.2.
- PCs on the Internet can access the FTP server inside the enterprise network.
- NAT-Device does not import public network routes.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure basic NAT functions.
- Configure an internal server.
- Enable the NAT ALG function for FTP.
- Configure a NAT diversion policy.
- Apply the NAT diversion policy.
- Configure static routes.
Data Preparation
To complete the configuration, you need the following data:
- NAT instance names (nat1 and nat2) and indexes (1 and 2)
- NAT instance named nat1: NAT address pool name (address-group1), address pool number (1), a range of public IP addresses (11.11.11.10 through 11.11.11.15); NAT instance named nat2: NAT address pool name (address-group2), address pool number (2), a range of public IP addresses (11.11.11.16 through 11.11.11.20)
- ACL numbers (3001 and 3002)
- Name (GE 0/2/0) and IP address (192.168.1.1/24) of a private network interface to which a NAT diversion policy is applied; name (GE 0/2/1) and IP address (11.11.11.1) of a public network interface to which a NAT diversion policy is applied
- Internal server's advertised public IP address (11.11.11.10) and internal IP address (192.168.1.2)
Procedure
- Configure basic NAT functions.
- Configure an internal server.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat server-mode enable
[~NAT-Device-nat-instance-nat1] nat server global 11.11.11.10 inside 192.168.1.2
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
- Enable NAT ALG for FTP so that the IP addresses and port numbers carried in the application-layer payload of FTP traffic handled by the NAT instance named nat1 are also translated.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg ftp
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
- Configure a NAT diversion policy.
- Configure an ACL numbered 3001 with an ACL rule numbered 1 as the ACL-based traffic classification rule, so that only hosts on the 192.168.1.0/24 network segment are allowed to access the Internet.
- Configure an ACL numbered 3002 with an ACL rule numbered 2 as the ACL-based traffic classification rule, so that any packet matches the rule.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 2 permit ip source any
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] quit
- Apply the NAT diversion policy.
- Apply the traffic classification policy with ACL 3001 to the view of GE 0/2/1 on the public network side.
- Apply the traffic classification policy with ACL 3002 to the view of GE 0/2/0 on the private network side.
[~NAT-Device] interface gigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.11.1 24
[*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface gigabitEthernet 0/2/0
[~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.1.1 24
[*NAT-Device-GigabitEthernet0/2/0] nat bind acl 3002 instance nat2
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
- Configure a default route as a static route and set the next hop address of the default route to 11.11.11.2.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
[*NAT-Device] commit
- Verify the configuration.
# Run the display nat server-map command to view the internal server information.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
NAT Instance: nat1
  Protocol:ANY, VPN:--->-
  Server:192.168.1.2[11.11.11.10]->ANY
  Tag:0x0, TTL:-, Left-Time:-
  CPE IP:192.168.10.10
  extendable:false
NAT Instance: nat1
  Protocol:ANY, VPN:--->-
  Server reverse:ANY->11.11.11.10[192.168.1.2]
  Tag:0x0, TTL:-, Left-Time:-
  CPE IP:192.168.10.10
  extendable:false
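The translation that the procedure above sets up, as an added Python model (this is not Huawei code, and the device's real pool allocation and session handling are not described on this page): an Internet client's packet to the server's advertised address 11.11.11.10 has its destination rewritten from the server map and its source rewritten to an address from the nat2 pool (11.11.11.16 through 11.11.11.20), so the server only ever sees addresses on NAT-Device's own public subnet and needs no public routes; the reply is reversed from a session table. The client address 198.51.100.7 and the one-pool-address-per-client allocation are constructed assumptions; acl_match reproduces the wildcard-mask semantics of the ACL rules on the page.

```python
import ipaddress


def acl_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei-style ACL match: wildcard bits set to 1 are 'don't care' bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def address_group(first: str, last: str) -> list:
    """Expand a 'nat address-group ... <first> <last>' range into a list of addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class TwiceNat:
    """Model of translating both addresses for Internet -> internal server traffic."""

    def __init__(self, server_global: str, server_inside: str, pool: list):
        self.server_map = {server_global: server_inside}  # nat server global ... inside ...
        self.free = list(pool)        # pool addresses not yet handed out
        self.client_map = {}          # Internet client -> pool address (assumed allocation)
        self.sessions = {}            # (inside_src, pool_dst) -> (client, server_global)

    def inbound(self, src: str, dst: str):
        """Packet from the Internet arriving on GE 0/2/1; returns (new_src, new_dst) or None."""
        if dst not in self.server_map:
            return None               # no server-map entry: nothing is forwarded inward
        if src not in self.client_map:
            if not self.free:
                return None           # pool exhausted: the new session cannot be created
            self.client_map[src] = self.free.pop(0)
        new_src, new_dst = self.client_map[src], self.server_map[dst]
        self.sessions[(new_dst, new_src)] = (src, dst)
        return new_src, new_dst

    def outbound(self, src: str, dst: str):
        """Server reply leaving through GE 0/2/0; both translations are reversed."""
        entry = self.sessions.get((src, dst))
        if entry is None:
            return None               # unknown session: no reverse mapping exists
        client, server_global = entry
        return server_global, client


if __name__ == "__main__":
    nat = TwiceNat("11.11.11.10", "192.168.1.2", address_group("11.11.11.16", "11.11.11.20"))
    print(nat.inbound("198.51.100.7", "11.11.11.10"))   # constructed Internet client
    print(nat.outbound("192.168.1.2", "11.11.11.16"))
```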
NAT-Device Configuration File
#
 sysname NAT-Device
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat server-mode enable
 nat address-group address-group1 group-id 1 11.11.11.10 11.11.11.15
 nat server global 11.11.11.10 inside 192.168.1.2
#
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group2 group-id 2 11.11.11.16 11.11.11.20
 nat alg ftp
#
acl number 3001
 rule 1 permit ip source 192.168.1.0 0.0.0.255
#
acl number 3002
 rule 2 permit ip source any
#
interface GigabitEthernet 0/2/1
 undo shutdown
 ip address 11.11.11.1 255.255.255.0
 nat bind acl 3001 instance nat1
#
interface GigabitEthernet 0/2/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
 nat bind acl 3002 instance nat2
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#
return