Example for Configuring the NAT Function
This section provides an example for configuring the centralized NAT function to implement multiple-to-multiple translations from internal addresses of enterprise users to external addresses and allow only PCs on a specified network segment to access the Internet.
Networking Requirements
On the network shown in Figure 1, the NE20E performs the NAT function so that PCs within the enterprise network can access the Internet. The NE20E connects to the enterprise network through GE 0/2/0 and to the Internet through GE 0/2/1. The enterprise has five public IP addresses ranging from 11.11.11.101/32 to 11.11.11.105/32.
- Only PCs on the network segment of 192.168.10.0/24 can access the Internet.
- Multiple-to-multiple NAT translation is performed for internal and external IP addresses.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure basic NAT functions.
- Configure a NAT traffic policy.
Data Preparation
Service-location backup group index: 1
Service-instance-group name: group1
NAT instance name: nat1; NAT instance index: 1
NAT address pool name for NATA: address-group1; NAT address pool ID: 1; IP address segment: 11.11.11.101 to 11.11.11.105
ACL name: 3001
Number and IP address of the interface that applies the NAT traffic policy: GE 0/2/1, 11.2.3.4/24
Procedure
- Configure basic NAT functions.
- Configure a NAT traffic policy.
- Configure an outbound NAT traffic policy.
- Configure an ACL numbered 3001, an ACL rule numbered 1, and an ACL-based traffic classification rule to allow only hosts with a network segment address of 192.168.10.0/24 to access the Internet.
[~NATA] acl 3001
[*NATA-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
[*NATA-acl4-advance-3001] commit
[~NATA-acl4-advance-3001] quit
- Bind ACL 3001 to NAT instance nat1 in the view of GE 0/2/1 so that the NAT traffic policy applies to ACL users.
[~NATA] interface gigabitEthernet 0/2/1
[~NATA-GigabitEthernet0/2/1] ip address 11.2.3.4 24
[*NATA-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
[*NATA-GigabitEthernet0/2/1] commit
[~NATA-GigabitEthernet0/2/1] quit
- Assign an IP address to GE 0/2/0.
[~NATA] interface gigabitEthernet 0/2/0
[~NATA-GigabitEthernet0/2/0] ip address 192.168.10.1 24
[*NATA-GigabitEthernet0/2/0] commit
[~NATA-GigabitEthernet0/2/0] quit
- Verify the configuration.
# Verify NAT user information.
[~NATA] display nat user-information slot 9 verbose
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 1.
---------------------------------------------------------------------------
User Type                             : NAT444
CPE IP                                : 192.168.10.100
User ID                               : -
VPN Instance                          : -
Address Group                         : address-group1
NoPAT Address Group                   : -
NAT Instance                          : nat1
Public IP                             : 11.11.11.102
NoPAT Public IP                       : -
Total/TCP/UDP/ICMP Session Limit      : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current    : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit  : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Nat ALG Enable                        : NULL
Aging Time(s)                         : -
Left Time(s)                          : -
Session Limit Discard Count           : 0
-->Transmit Packets                   : 1046632
-->Transmit Bytes                     : 90409306
-->Drop Packets                       : 0
<--Transmit Packets                   : 0
<--Transmit Bytes                     : 0
<--Drop Packets                       : 0
---------------------------------------------------------------------------
Configuration Files
NATA configuration file
#
sysname NATA
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
#
acl number 3001
 rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 0/2/0
 undo shutdown
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet 0/2/1
 undo shutdown
 ip address 11.2.3.4 255.255.255.0
 nat bind acl 3001 instance nat1
#
return
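The following is an added example, not Huawei's code or part of this document: it reads the NAT-relevant lines of the NATA configuration file above and checks, before the configuration is committed, which source addresses the ACL-bound NAT instance will translate (Huawei ACLs use wildcard masks, where a 1 bit means "do not care") and how many public addresses the pool provides. The configuration text embedded in the script is a constructed copy of the file shown above.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant parts of the NATA configuration file on this page.
NATA_CONFIG = """\
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
#
acl number 3001
 rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 0/2/1
 ip address 11.2.3.4 255.255.255.0
 nat bind acl 3001 instance nat1
"""

def parse_nat_policy(config):
    """Collect ACL rules, the ACL bound to each NAT instance, and each instance's address pool."""
    acls, bindings, pools, ctx = {}, {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"acl number (\d+)", line):
            ctx = ("acl", m.group(1)); acls[ctx[1]] = []
        elif m := re.match(r"nat instance (\S+)", line):
            ctx = ("nat", m.group(1))
        elif m := re.match(r"\s*rule \d+ (permit|deny) ip source (\S+) (\S+)", line):
            acls[ctx[1]].append(m.groups())  # (action, base address, wildcard mask)
        elif m := re.match(r"\s*nat address-group \S+ group-id \d+ (\S+) (\S+)", line):
            pools[ctx[1]] = (ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)))
        elif m := re.match(r"\s*nat bind acl (\d+) instance (\S+)", line):
            bindings[m.group(2)] = m.group(1)  # instance name -> ACL number
    return acls, bindings, pools

def wildcard_match(ip, base, wildcard):
    """Huawei wildcard semantics: only bits that are 0 in the wildcard are compared."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def is_translated(config, instance, src_ip):
    """True if src_ip hits a permit rule of the ACL bound to the instance (first match wins).
    A source matching no rule is not translated, so it cannot reach the Internet."""
    acls, bindings, _ = parse_nat_policy(config)
    for action, base, wildcard in acls.get(bindings.get(instance), []):
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False

def pool_size(config, instance):
    """Number of public addresses in the instance's address group (inclusive range)."""
    start, end = parse_nat_policy(config)[2][instance]
    return int(end) - int(start) + 1
```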