One NE20 serves as the MAN egress router, and NAT translation is enabled on the egress. The internal network has many VPN users that have been allocated private network addresses. The client requires one-to-one static mapping to be enabled on the VPN users' egress.
Detailed configuration is as follows:
nat address-group 1 218.*.*.61 218.*.*.61 mask 255.255.255.255 //Create address pool group.
nat address-group 2 218.*.*.17 218.*.*.17 mask 255.255.255.255
ACL 2000 //Create access list.
rule 5 permit source 192.168.0.8
ACL 2001 //Second access list, referenced by the second nat outbound line below.
rule 5 permit source 192.168.0.88
interface ethernet 2/0/0
nat outbound 2000 address-group 1 //Egress translation uses address pool group.
nat outbound 2001 address-group 2
nat server global 218.*.*.61 inside 10.16.6.26 2001 address-group 1 //mapping relation
nat server global 218.*.*.17 inside 10.16.6.27 2002 address-group 2
After the configuration above is finished, the null routes are configured:
ip route-static 218.*.*.61 255.255.255.255 NULL0
ip route-static 218.*.*.17 255.255.255.255 NULL0
A route with a 32-bit mask must be configured; if the mask is shorter than 32 bits, NAT translation fails.
On the NE20, only NAT server can provide NAT mapping. When the external network accesses the internal network, the designated address is mapped. For traffic going out to the external network, the address is obtained from the address pool group and NAT translation is applied. Given this translation mechanism, each address pool is built from a single address, and one-to-one mapping is then achieved by matching the source address with an ACL.
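A way to audit a saved configuration for the conditions this case depends on, as an added example that is not part of the original case or any Huawei tool: each address pool holds a single address, each pool address has a NULL0 route with a 32-bit mask, and each nat outbound line references a defined ACL and address group. The sample configuration is constructed, uses documentation addresses, and deliberately contains three faults; the function name audit is hypothetical.

```python
import re

# Constructed sample config (documentation addresses, not taken from the case).
SAMPLE = """\
nat address-group 1 203.0.113.61 203.0.113.61 mask 255.255.255.255
nat address-group 2 203.0.113.17 203.0.113.20 mask 255.255.255.255
acl 2000
rule 5 permit source 192.168.0.8
interface ethernet 2/0/0
nat outbound 2000 address-group 1
nat outbound 2001 address-group 2
ip route-static 203.0.113.61 255.255.255.255 NULL0
ip route-static 203.0.113.17 255.255.255.0 NULL0
"""

def audit(config):
    """Return sorted findings for one-to-one NAT built on single-address pools."""
    pools, acls, bindings, null_routes = {}, set(), [], {}
    for line in config.splitlines():
        line = line.split("//")[0].strip()  # drop the case's // annotations
        if m := re.match(r"nat address-group (\d+) (\S+) (\S+)", line):
            pools[m[1]] = (m[2], m[3])
        elif m := re.match(r"acl (\d+)", line, re.I):
            acls.add(m[1])
        elif m := re.match(r"nat outbound (\d+) address-group (\d+)", line):
            bindings.append((m[1], m[2]))
        elif m := re.match(r"ip route-static (\S+) (\S+) NULL0", line):
            null_routes[m[1]] = m[2]
    findings = []
    for gid, (start, end) in pools.items():
        if start != end:  # a one-to-one mapping needs exactly one pool address
            findings.append(f"pool {gid}: {start}-{end} is not a single address")
        mask = null_routes.get(start)
        if mask is None:
            findings.append(f"pool {gid}: no NULL0 route for {start}")
        elif mask != "255.255.255.255":
            findings.append(f"pool {gid}: NULL0 route for {start} uses mask {mask}, not 32-bit")
    for acl, gid in bindings:
        if acl not in acls:
            findings.append(f"nat outbound {acl}: ACL {acl} is not defined")
        if gid not in pools:
            findings.append(f"nat outbound {acl}: address-group {gid} is not defined")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```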