NAT Server for external-to-internal access configuration example
Network requirements
As shown in Figure 59, two Web servers, one FTP server and one SMTP server are in the internal network to provide services for external users. The internal network address is 10.110.0.0/16. The company has three public IP addresses from 202.38.1.1/24 to 202.38.1.3/24.
Configure the NAT Server feature to allow the external user to access the internal servers with public address 202.38.1.1/24.
Figure 59: Network diagram
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Enter interface view of GigabitEthernet 1/0/2.
<Router> system-view
[Router] interface gigabitethernet 1/0/2
# Configure NAT Server to allow external users to access the FTP server by using the address 202.38.1.1 and port 21.
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp
# Configure NAT Server to allow external users to access Web server 1 by using the address 202.38.1.1 and port 80.
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http
# Configure NAT Server to allow external users to access Web server 2 by using the address 202.38.1.1 and port 8080.
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 http
# Configure NAT Server to allow external users to access the SMTP server by using the address 202.38.1.1 and the port number defined by SMTP.
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.1 smtp inside 10.110.10.4 smtp
Verifying the configuration
# Verify that the host on the external network can access the internal servers by using the public addresses. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT internal server information:
  Totally 4 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/21
    Local IP/port : 10.110.10.3/21
    Config status : Active
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/25
    Local IP/port : 10.110.10.4/25
    Config status : Active
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/80
    Local IP/port : 10.110.10.1/80
    Config status : Active
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/8080
    Local IP/port : 10.110.10.2/80
    Config status : Active
NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled
NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active
NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled
# Display NAT session information generated when Host accesses the FTP server.
[Router] display nat session verbose
Initiator:
  Source IP/port: 202.38.1.10/1694
  Destination IP/port: 202.38.1.1/21
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
Responder:
  Source IP/port: 10.110.10.3/21
  Destination IP/port: 202.38.1.10/1694
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: FTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
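Added example (not part of the original vendor documentation): a Python check that parses captured `display nat all` output, compares the active NAT Server mappings with the four services named in the network requirements, and reports whether NAT logging is enabled. The `EXPECTED` table and the function names are assumptions of this example; the sample text is abridged from the output shown above.

```python
import re

# Output of `display nat all` as shown on this page, abridged to the parts audited here.
SAMPLE = (
    "NAT internal server information: Totally 4 internal servers. "
    "Interface: GigabitEthernet1/0/2 Protocol: 6(TCP) "
    "Global IP/port: 202.38.1.1/21 Local IP/port : 10.110.10.3/21 Config status : Active "
    "Interface: GigabitEthernet1/0/2 Protocol: 6(TCP) "
    "Global IP/port: 202.38.1.1/25 Local IP/port : 10.110.10.4/25 Config status : Active "
    "Interface: GigabitEthernet1/0/2 Protocol: 6(TCP) "
    "Global IP/port: 202.38.1.1/80 Local IP/port : 10.110.10.1/80 Config status : Active "
    "Interface: GigabitEthernet1/0/2 Protocol: 6(TCP) "
    "Global IP/port: 202.38.1.1/8080 Local IP/port : 10.110.10.2/80 Config status : Active "
    "NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled"
)

# Intended exposure (assumed allowlist built from the requirements): global port -> inside IP/port.
EXPECTED = {21: ("10.110.10.3", 21), 25: ("10.110.10.4", 25),
            80: ("10.110.10.1", 80), 8080: ("10.110.10.2", 80)}

ENTRY = re.compile(
    r"Interface:\s*(?P<ifname>\S+)\s+Protocol:\s*\d+\((?P<proto>\w+)\)\s+"
    r"Global IP/port:\s*(?P<gip>[\d.]+)/(?P<gport>\d+)\s+"
    r"Local IP/port\s*:\s*(?P<lip>[\d.]+)/(?P<lport>\d+)\s+"
    r"Config status\s*:\s*(?P<status>\w+)"
)

def parse_nat_servers(text):
    """Return one dict per NAT Server entry; whitespace-tolerant, so it accepts
    both the router's multi-line layout and a flattened single-line capture."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["gport"], e["lport"] = int(e["gport"]), int(e["lport"])
        entries.append(e)
    return entries

def audit(text, expected=EXPECTED):
    """Compare the live mappings with the intended ones and report drift."""
    servers = parse_nat_servers(text)
    declared = re.search(r"Totally (\d+) internal servers", text)
    log = re.search(r"Log enable\s*:\s*(\w+)", text)
    live = {s["gport"]: (s["lip"], s["lport"]) for s in servers if s["status"] == "Active"}
    return {
        "parsed_all": bool(declared) and int(declared.group(1)) == len(servers),
        "unexpected": sorted(p for p in live if expected.get(p) != live[p]),
        "missing": sorted(p for p in expected if p not in live),
        "logging_enabled": bool(log) and log.group(1) == "Enabled",
    }
```

Run `audit()` on each new capture: a non-empty `unexpected` or `missing` list means the published services no longer match the intended set, and `parsed_all` being false means the parser did not account for every entry the router reported.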