Thursday , March 28 2024
Home / IP Services / Huawei AR1200 NAT configuration

Huawei AR1200 NAT configuration

A short NAT (Network Address Translation) description based on AR1200 documentation:

Huawei AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

  • Static NAT

The number of private addresses is equal to the number of public addresses, so it does not save pull of public addresses.

  • PAT

Maps a public address to multiple private addresses.

  • Internal Server

Hosts in the public network can access an internal server.

  • Easy IP

Takes a public IP address of the interface as the source address after NAT is performed.

  • Twice NAT

Translates both the source and destination addresses. Using in the scenario where IP addresses of hosts on private and public networks overlap.

  • NAT multi-instance

Allows users on private networks to access the public network and allows users in different VPNs to access the public network through the same egress. In addition, users in the VPNs with the same IP address can access the public network. Supports association between VPNs and NAT server, and allows users on the public network to access hosts in the VPNs. This function is applicable when IP addresses of multiple VPNs overlap.

Let’s try to configure NAT based on the below topology:

  1. Users from LAN 10.0.20.0/24 can access internet using a pull of public addresses.
  2. Users from LAN 172.16.10.0/24 can access internet using a public IP of WAN interface.
  3. Users from internet can access internal FTP server 192.168.1.10.

Configure IP addresses and default routing based on the above topology:

labnario
#
interface Vlanif100
 ip address 10.0.20.2 255.255.255.0
#
interface Vlanif200
 ip address 172.16.10.2 255.255.255.0
#
interface Ethernet0/0/0
 portswitch
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 portswitch
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/0
 ip address 201.120.4.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 201.120.4.2

internet
#
interface GigabitEthernet0/0/0
 ip address 201.120.4.2 255.255.255.0

Configure outbound NAT on labnario router for hosts in both LANs:

[labnario]acl number 2000
[labnario-acl-basic-2000] rule 5 permit source 10.0.20.0 0.0.0.255

[labnario]acl number 2500
[labnario-acl-basic-2500] rule 5 permit source 172.16.10.0 0.0.0.255

[labnario]nat address-group 1 201.120.4.100 201.120.4.110

[labnario]interface GigabitEthernet 0/0/0
[labnario-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
[labnario-GigabitEthernet0/0/0]nat outbound 2500
[labnario-GigabitEthernet0/0/0]display this
#
interface GigabitEthernet0/0/0
 ip address 201.120.4.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat 
 nat outbound 2500

No-pat indicates one-to-one NAT, that is, only the IP address is translated and the port number is not translated.

Configure NAT server on labnario router to let external users to have FTP access to internal FTP server:

[labnario-GigabitEthernet0/0/0]nat server protocol tcp global 201.120.4.10 ftp inside 192.16.1.10 ftp

Enable the NAT ALG function for FTP packets:

[labnario]nat alg ftp enable

[labnario]display nat alg 

NAT Application Level Gateway Information:
----------------------------------
  Application            Status
----------------------------------
  dns                    Disabled
  ftp                    Enabled
  rtsp                   Disabled
  sip                    Disabled
----------------------------------

After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT server. The application protocol cannot work without the NAT ALG function.

Let’s check if our NAT is configured properly:

[labnario]display nat outbound 
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2000                              1    no-pat
 GigabitEthernet0/0/0         2500                    201.120.4.1    easyip
 --------------------------------------------------------------------------
  Total : 2

[labnario]dis nat server

  Nat Server Information:
  Interface  : GigabitEthernet0/0/0
    Global IP/Port     : 201.120.4.10/21(ftp)
   Inside IP/Port     : 192.16.1.10/21(ftp)
    Protocol : 6(tcp)   
    VPN instance-name  : ----                            
    Acl number         : ----
    Description : ----

  Total :    1

Unfortunately, even NAT commands are supported by eNSP simulator, it does not mean that NAT is supported as a whole. Internal hosts cannot communicate with internet and internal FTP server is not available for public users as well. But this is what I wanted to show you. You can check this NAT configuration on real devices. It should work properly.

Leave a Reply

Your email address will not be published. Required fields are marked *