Example for Configuring Bidirectional NAT

This section provides an example for configuring bidirectional NAT on an enterprise network. With bidirectional NAT, the router translates both the source and destination addresses of packets exchanged between internal servers, so that each server reaches the other only through a public address and never learns the other's private address. A configuration networking diagram is provided to help you understand the configuration procedure.

Networking Requirements

In Figure 1, the router translates the private IP addresses of servers A and B to public IP addresses before the servers communicate with each other. When server A accesses server B, it sends a packet with the private source IP address 10.78.1.2 and the destination IP address 11.11.11.1 (server B's public address). When server B accesses server A, it sends a packet with the private source IP address 10.67.1.2 and the destination IP address 11.11.11.2 (server A's public address). In each direction the router translates the source address to an address from the NAT address pool and the public destination address to the target server's private address.

Figure 1 Bidirectional NAT networking

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/0, respectively.


Configuration Roadmap

The configuration roadmap is as follows:
  1. Create a NAT instance and associate a service board with the NAT instance.
  2. Configure a mapping between the NAT address pool, internal servers' private IP addresses, and public addresses.
  3. Configure an outbound NAT traffic diversion policy.

Data Preparation

To complete the configuration, you need the following data:
  • Service-location group index: 1

  • Service-instance group name: group1

  • NAT instance names and indexes: nata with index 1; natb with index 2

  • NATA's address pools: address-groupa and address-groupb

  • Server public IP address: 11.11.11.2 for server A and 11.11.11.1 for server B

  • ACL numbers: 2464 and 2465

  • Names and IP addresses of interfaces to which an outbound NAT traffic diversion policy applies: GE 0/1/1 with IP address 10.78.1.1/24 and GE 0/1/0 with IP address 10.67.1.1/24

Procedure

  1. Create a NAT instance and associate a service board with the NAT instance.

    <HUAWEI> system-view
    [~HUAWEI] sysname NATA
    [*HUAWEI] commit
    [~NATA] service-location 1
    [*NATA-service-location-1] location slot 1
    [*NATA-service-location-1] commit
    [~NATA-service-location-1] quit
    [~NATA] service-instance-group group1
    [*NATA-service-instance-group-group1] service-location 1
    [*NATA-service-instance-group-group1] commit
    [~NATA-service-instance-group-group1] quit
    [~NATA] nat instance nata id 1
    [*NATA-nat-instance-nata] service-instance-group group1
    [*NATA-nat-instance-nata] commit
    [~NATA-nat-instance-nata] quit
    [~NATA] nat instance natb id 2
    [*NATA-nat-instance-natb] service-instance-group group1
    [*NATA-nat-instance-natb] commit
    [~NATA-nat-instance-natb] quit

  2. Configure a mapping between the NAT address pool, internal servers' private IP addresses, and public addresses.

    # In the view of the NAT instance named nata, configure an IP address pool named address-groupa with an IP address segment ranging from 11.1.1.1 to 11.1.1.10, and map server A's private IP address 10.78.1.2 to the public IP address 11.11.11.2. Note that the server mapping is protocol-specific: as configured, only UDP traffic destined for 11.11.11.2 is translated to 10.78.1.2.

    [~NATA] nat instance nata
    [~NATA-nat-instance-nata] nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10
    [*NATA-nat-instance-nata] nat server protocol udp global 11.11.11.2 inside 10.78.1.2
    [*NATA-nat-instance-nata] commit
    [~NATA-nat-instance-nata] quit

    # In the view of the NAT instance named natb, configure an IP address pool named address-groupb with an IP address segment ranging from 11.1.1.11 to 11.1.1.20, and map server B's private IP address 10.67.1.2 to the public IP address 11.11.11.1. As with nata, only UDP traffic is covered by this mapping.

    [~NATA] nat instance natb
    [~NATA-nat-instance-natb] nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20
    [*NATA-nat-instance-natb] nat server protocol udp global 11.11.11.1 inside 10.67.1.2
    [*NATA-nat-instance-natb] commit
    [~NATA-nat-instance-natb] quit

  3. Configure an outbound NAT traffic diversion policy.
    1. Configure an ACL rule.

      # Configure an ACL numbered 2464 with a rule numbered 5 so that only packets sourced from the 10.78.1.0/24 segment (server A's network) match and are diverted to NAT.

      [~NATA] acl number 2464
      [*NATA-acl4-basic-2464] rule 5 permit source 10.78.1.0 0.0.0.255
      [*NATA-acl4-basic-2464] commit
      [~NATA-acl4-basic-2464] quit

      # Configure an ACL numbered 2465 with a rule numbered 5 so that only packets sourced from the 10.67.1.0/24 segment (server B's network) match and are diverted to NAT.

      [~NATA] acl number 2465
      [*NATA-acl4-basic-2465] rule 5 permit source 10.67.1.0 0.0.0.255
      [*NATA-acl4-basic-2465] commit
      [~NATA-acl4-basic-2465] quit

    2. Apply the outbound NAT traffic diversion policy to GE 0/1/0 and GE 0/1/1.

      # Bind the ACL numbered 2464 and the NAT instance named nata to GE 0/1/0.

      [~NATA] interface gigabitEthernet 0/1/0
      [~NATA-GigabitEthernet0/1/0] ip address 10.67.1.1 24
      [*NATA-GigabitEthernet0/1/0] nat bind acl 2464 instance nata
      [*NATA-GigabitEthernet0/1/0] commit
      [~NATA-GigabitEthernet0/1/0] quit

      # Bind the ACL numbered 2465 and the NAT instance named natb to GE 0/1/1.

      [~NATA] interface gigabitEthernet 0/1/1
      [~NATA-GigabitEthernet0/1/1] ip address 10.78.1.1 24
      [*NATA-GigabitEthernet0/1/1] nat bind acl 2465 instance natb
      [*NATA-GigabitEthernet0/1/1] commit
      [~NATA-GigabitEthernet0/1/1] quit

  4. Verify the configuration.

    # Check the NAT instance configuration.

    [~NATA] display nat instance
    nat instance nata id 1
     service-instance-group group1
     nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10 
     nat server protocol udp global 11.11.11.2 inside 10.78.1.2
    nat instance natb id 2
     service-instance-group group1
     nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20 
     nat server protocol udp global 11.11.11.1 inside 10.67.1.2
    

    # Check server mapping entries of all users.

    [~NATA] display nat server-map
    This operation will take a few minutes. Press 'Ctrl+C' to break ...
    Slot: 1
    Total number:  4.    
      NAT Instance: nata     
      Protocol:UDP, VPN:--->-      
      Server:10.78.1.2[11.11.11.2]->ANY    
      Tag:0x0, TTL:-, Left-Time:-    
      CPE IP:10.78.1.2    
      NAT Instance: nata      
      Protocol:UDP, VPN:--->-         
      Server reverse:ANY->11.11.11.2[10.78.1.2]  
      Tag:0x0, TTL:-, Left-Time:-     
      CPE IP:10.78.1.2 
      NAT Instance: natb   
      Protocol:UDP, VPN:--->-   
      Server:10.67.1.2[11.11.11.1]->ANY   
      Tag:0x0, TTL:-, Left-Time:-    
      CPE IP:10.67.1.2    
      NAT Instance: natb     
      Protocol:UDP, VPN:--->-     
      Server reverse:ANY->11.11.11.1[10.67.1.2]  
      Tag:0x0, TTL:-, Left-Time:-  
      CPE IP:10.67.1.2    
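The translation described in Networking Requirements and built up in steps 1 to 4 can be modelled end to end from the configuration itself. The following Python script is an added example, not code from Huawei or from this page: it parses the NAT-relevant lines of the NATA configuration file (copied from the page and embedded as constructed sample input), picks the destination translation from the matching nat server entry, picks the source translation from the address pool of the instance whose bound ACL permits the original source, and reverse-translates the reply through a session table. The session table and the pool allocation (always the first pool address) are simplifying assumptions of this model, not the device's algorithm; a real device allocates an address and port from the pool per session.

```python
import ipaddress
import re

# Constructed sample input: the NAT-relevant lines of the NATA configuration file
# from this page (service-location, undo shutdown and dcn lines omitted).
NATA_CONFIG = """\
nat instance nata id 1
 nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10
 nat server protocol udp global 11.11.11.2 inside 10.78.1.2
nat instance natb id 2
 nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20
 nat server protocol udp global 11.11.11.1 inside 10.67.1.2
acl number 2464
 rule 5 permit source 10.78.1.0 0.0.0.255
acl number 2465
 rule 5 permit source 10.67.1.0 0.0.0.255
interface GigabitEthernet0/1/1
 ip address 10.78.1.1 255.255.255.0
 nat bind acl 2465 instance natb
interface GigabitEthernet0/1/0
 ip address 10.67.1.1 255.255.255.0
 nat bind acl 2464 instance nata
"""


def parse_config(text):
    """Extract NAT instances (pool + server maps), basic ACLs and interface bindings."""
    instances, acls, bindings, ctx = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nat instance (\S+) id \d+$", line):
            ctx = ("instance", m.group(1))
            instances[ctx[1]] = {"pool": None, "servers": []}
        elif m := re.match(r"acl number (\d+)$", line):
            ctx = ("acl", int(m.group(1)))
            acls[ctx[1]] = []
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("interface", m.group(1))
        elif ctx is None:
            continue
        elif ctx[0] == "instance" and (
                m := re.match(r"nat address-group \S+ group-id \d+ (\S+) (\S+)$", line)):
            instances[ctx[1]]["pool"] = (ipaddress.IPv4Address(m.group(1)),
                                         ipaddress.IPv4Address(m.group(2)))
        elif ctx[0] == "instance" and (
                m := re.match(r"nat server protocol (\S+) global (\S+) inside (\S+)$", line)):
            instances[ctx[1]]["servers"].append(m.groups())
        elif ctx[0] == "acl" and (m := re.match(r"rule \d+ permit source (\S+) (\S+)$", line)):
            # Huawei basic ACLs use wildcard masks; ipaddress accepts them as host masks.
            acls[ctx[1]].append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
        elif ctx[0] == "interface" and (m := re.match(r"nat bind acl (\d+) instance (\S+)$", line)):
            bindings.append((ctx[1], int(m.group(1)), m.group(2)))
    return instances, acls, bindings


class BidirectionalNat:
    """Simplified model (an assumption of this example, not the device's algorithm)."""

    def __init__(self, config_text):
        self.instances, self.acls, self.bindings = parse_config(config_text)
        self.sessions = {}  # (proto, reply src, reply dst) -> (original src, original dst)

    def instance_for_source(self, src):
        """The instance whose bound ACL permits this source supplies the pool address."""
        src = ipaddress.IPv4Address(src)
        for _iface, acl, inst in self.bindings:
            if any(src in net for net in self.acls.get(acl, [])):
                return inst
        return None

    def server_entry(self, proto, dst):
        """A 'nat server' mapping whose global address and protocol match the packet."""
        for name, inst in self.instances.items():
            for s_proto, glob, inside in inst["servers"]:
                if s_proto == proto and glob == dst:
                    return name, inside
        return None

    def translate(self, proto, src, dst):
        """Return (new_src, new_dst) for a packet sent to a server's public address,
        or None if no server mapping or no bound ACL covers it."""
        entry, inst = self.server_entry(proto, dst), self.instance_for_source(src)
        if entry is None or inst is None:
            return None
        inside = entry[1]
        # Simplification: always hand out the first pool address.
        new_src = str(self.instances[inst]["pool"][0])
        self.sessions[(proto, inside, new_src)] = (src, dst)
        return new_src, inside

    def translate_reply(self, proto, src, dst):
        """Reverse-translate a reply so the original sender sees only the public address."""
        orig = self.sessions.get((proto, src, dst))
        if orig is None:
            return None
        orig_src, orig_dst = orig
        return orig_dst, orig_src


if __name__ == "__main__":
    nat = BidirectionalNat(NATA_CONFIG)
    print("A->B udp:", nat.translate("udp", "10.78.1.2", "11.11.11.1"))
    print("B->A reply:", nat.translate_reply("udp", "10.67.1.2", "11.1.1.1"))
    print("A->B tcp:", nat.translate("tcp", "10.78.1.2", "11.11.11.1"))
```

Running it shows that a UDP packet from server A to 11.11.11.1 leaves the router as 11.1.1.1 to 10.67.1.2, that server B's reply comes back to server A as 11.11.11.1 to 10.78.1.2, and that a TCP packet to the same address is not covered at all, because the nat server mappings on this page are configured for UDP only.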

Configuration Files

NATA configuration file

#
sysname NATA
#
service-location 1
 location slot 1
#
service-instance-group group1
 service-location 1
#
nat instance nata id 1
 service-instance-group group1
 nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10 
 nat server protocol udp global 11.11.11.2 inside 10.78.1.2
nat instance natb id 2
 service-instance-group group1
 nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20 
 nat server protocol udp global 11.11.11.1 inside 10.67.1.2
#
acl number 2464
 rule 5 permit source 10.78.1.0 0.0.0.255
# 
acl number 2465
 rule 5 permit source 10.67.1.0 0.0.0.255
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.78.1.1 255.255.255.0
 undo dcn
 nat bind acl 2465 instance natb
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.67.1.1 255.255.255.0
 undo dcn
 nat bind acl 2464 instance nata
#
return
Copyright © Huawei Technologies Co., Ltd.