Example for Configuring NAT and an Internal Web Server
This section provides an example for configuring NAT and an internal web server to provide web services for internet or private network users.
Networking Requirements
In Figure 2-11, the private IP address 192.168.0.100/24 and port 8080 are assigned to a web server to provide web services. The public IP address of the web server is 11.1.1.3/24, and the domain name is www.TestNat.com. The outbound interface GE 0/2/1 of NAT-Device is 11.1.1.2/24, and the LAN-side gateway's IP address is 192.168.0.1. The enterprise has no other public IP addresses. The IP address of the peer device on the carrier side is 11.1.1.1/24. The enterprise attempts to use the private network web server to provide web services for Internet users and to allow private network users to access the Internet. Private network users can also access the private network web server through a DNS server on the Internet.
- Only PCs on the network segment 192.168.0.200/24 can access the Internet.
- NAT-Device uses the public IP address of a public interface and the public IP address of an internal server. No other public IP addresses are used.
- Public network users access the internal web server at 192.168.0.100/24 using the public IP address of 11.1.1.3/24 and the domain name of www.TestNat.com.
- Private network users access the internal web server at 192.168.0.100/24 using the public IP address of 11.1.1.3/24 and the domain name of www.TestNat.com.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure basic NAT functions.
- Configure an internal server.
- Configure DNS mapping.
- Enable the NAT ALG function for the DNS protocol.
- Configure a NAT distribution policy.
- Apply the NAT distribution policy.
- Configure static routes.
Data Preparation
To complete the configuration, you need the following data:
- NAT instance name (nat1) and index (1)
- NAT-Device's NAT address pool name (address-group1), address pool number (1), and IP address range in easy IP mode
- ACL number (3001)
- Name (GE 0/2/1) and IP address (11.1.1.2/24) of an interface to which a NAT distribution policy is applied
Procedure
- Configure basic NAT functions.
- Configure an internal server.
[~NAT-Device] nat server protocol tcp global 11.1.1.3 www inside 192.168.0.100 8080
[~NAT-Device] commit
- Configure DNS mapping between the DNS domain name of www.TestNat.com, the public IP address of 11.1.1.3 and the private IP address of 192.168.0.100.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat dns-mapping domain www.TestNat.com global-address 11.1.1.3 inside-address 192.168.0.100
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
- Enable the NAT ALG function for the DNS protocol.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg dns
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
- Configure a NAT distribution policy. Configure an ACL numbered 3001 with a rule numbered 1, and an ACL-based traffic classification rule that allows only hosts on the 192.168.0.200/24 network segment to access the Internet.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.200 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
- Apply the NAT distribution policy. Apply the ACL-based traffic classification rule to the view of the outbound interface named GE 0/2/1.
[~NAT-Device] interface gigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
- Configure a default route as a static route and set the next hop address of the default route to 11.1.1.1.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
[*NAT-Device] commit
- Verify the configuration.
# Run the display nat server-map command to view the internal server information.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
 NAT Instance: nat1
 Protocol:TCP, VPN:--->-
 Server:192.168.0.100:8080[11.1.1.3:80]->ANY
 Tag:0x0, TTL:-, Left-Time:-
 CPE IP:192.168.0.100
 NAT Instance: nat1
 Protocol:TCP, VPN:--->-
 Server reverse:ANY->11.1.1.3:80[192.168.0.100:8080]
 Tag:0x0, TTL:-, Left-Time:-
 CPE IP:192.168.0.100
---------------------------------------------------------------------------
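The three translations this procedure sets up, modelled in an added Python example that is not part of the configuration guide or the device software: the static server map (public port 80 to inside port 8080), the ACL 3001 gate in front of easy IP source NAT, and the DNS mapping the DNS ALG applies to replies seen by private clients. Addresses, ports and names are the example's own; the function names and the model itself are assumptions made for illustration.

```python
import ipaddress

# Constructed model of NAT-Device from this example (illustration only).
PUBLIC_IF_IP = "11.1.1.2"                                  # GE 0/2/1, easy IP source address
SERVER_MAP = {("11.1.1.3", 80): ("192.168.0.100", 8080)}   # nat server ... www inside ... 8080
DNS_MAPPING = {"www.testnat.com": ("11.1.1.3", "192.168.0.100")}  # nat dns-mapping
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")       # LAN behind 192.168.0.1

def acl_3001_permits(src_ip: str) -> bool:
    """rule 1 permit ip source 192.168.0.200 0.0.0.255.
    Huawei wildcard semantics: a 1 bit means 'don't care', so the whole
    192.168.0.0/24 segment matches, not just the host .200."""
    base = int(ipaddress.ip_address("192.168.0.200"))
    wildcard = int(ipaddress.ip_address("0.0.0.255"))
    src = int(ipaddress.ip_address(src_ip))
    return (src & ~wildcard) == (base & ~wildcard)

def translate_inbound(dst_ip: str, dst_port: int):
    """Internet -> server: only the statically mapped (ip, port) is forwarded;
    anything else addressed to 11.1.1.3 has no server-map entry."""
    return SERVER_MAP.get((dst_ip, dst_port))

def translate_outbound(src_ip: str, src_port: int):
    """LAN -> Internet: traffic is bound to instance nat1 only if ACL 3001
    permits the source; easy IP rewrites the source to the interface address."""
    if not acl_3001_permits(src_ip):
        return None  # not matched by the NAT distribution policy, so not translated
    return (PUBLIC_IF_IP, src_port)

def dns_alg_rewrite(qname: str, answer_ip: str, client_ip: str) -> str:
    """nat alg dns + nat dns-mapping: when a private client resolves the public
    name and the Internet DNS server answers with 11.1.1.3, the ALG rewrites the
    A record to the inside address so the flow stays on the LAN."""
    entry = DNS_MAPPING.get(qname.lower())
    if entry and answer_ip == entry[0] and ipaddress.ip_address(client_ip) in PRIVATE_NET:
        return entry[1]
    return answer_ip  # Internet clients keep the public address
```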
NAT-Device Configuration File
#
sysname NAT-Device
#
nat instance nat1 id 1
 simple-configuration
#
nat address-group 1 group-id 1
 unnumbered interface GigabitEthernet0/2/1
#
nat server protocol tcp global 11.1.1.3 www inside 192.168.0.100 8080
#
nat instance nat1
 nat alg dns
 nat dns-mapping domain www.TestNat.com global-address 11.1.1.3 inside-address 192.168.0.100
#
acl number 3001
 rule 1 permit ip source 192.168.0.200 0.0.0.255
#
interface GigabitEthernet 0/2/1
 undo shutdown
 ip address 11.1.1.2 24
 nat bind acl 3001 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
#
return