NAT Server for external-to-internal access through domain name configuration example
Network requirements
As shown in Figure 60, a Web server at 10.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 resolves the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.
Configure NAT Server to allow external users to access the internal Web server by using the domain name.
Figure 60: Network diagram
Requirements analysis
To meet the network requirements, you must perform the following tasks:
Configure NAT Server to map the private IP address and port of the DNS server to a public address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.
Enable ALG for DNS and configure outbound dynamic NAT to translate the private IP address of the Web server in the payload of the DNS response packet into a public IP address.
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Enable NAT with ALG for DNS.
<Router> system-view
[Router] nat alg dns
# Configure ACL 2000, and create a rule to permit packets only from 10.110.10.2 to pass through.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0
[Router-acl-ipv4-basic-2000] quit
# Create address group 1.
[Router] nat address-group 1
# Add address 202.38.1.3 to the group.
[Router-address-group-1] address 202.38.1.3 202.38.1.3
[Router-address-group-1] quit
# Configure NAT Server on interface GigabitEthernet 1/0/2 to map the public address 202.38.1.2 (UDP port 53) to the internal DNS server 10.110.10.3, so that external users can reach the internal DNS server.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns
# Enable outbound NO-PAT on interface GigabitEthernet 1/0/2. Use the address in address group 1 to translate the private address in the DNS response payload, and allow reversible NAT so that external hosts can initiate connections to the translated address.
[Router-GigabitEthernet1/0/2] nat outbound 2000 address-group 1 no-pat reversible
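To make the DNS ALG step concrete, the following Python script (added here; it is not part of the original configuration example and is not router code) builds a constructed DNS response for the Web server and rewrites the A-record payload the way the ALG does once the reversible NO-PAT rule has allocated 202.38.1.3 to 10.110.10.2. The domain name www.example.com, the NAT_MAP table and the helper names are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Assumed NO-PAT state: the reversible outbound rule has allocated the single
# address-group 1 entry (202.38.1.3) to the Web server (10.110.10.2).
NAT_MAP = {"10.110.10.2": "202.38.1.3"}

def build_dns_response(name, addr, txid=0x1234):
    """Constructed sample: a minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer

def skip_name(pkt, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a 2-byte pointer ends the name
            return off + 2
        off += 1 + n

def answer_records(pkt):
    """Yield (rdata_offset, rtype, rdlen) for every record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4                           # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen

def a_records(pkt):
    return [str(IPv4Address(pkt[o:o + 4])) for o, t, n in answer_records(pkt) if t == 1 and n == 4]

def dns_alg_rewrite(pkt, mapping=NAT_MAP):
    """Rewrite private A-record addresses to their public NAT addresses, as DNS ALG does."""
    out = bytearray(pkt)
    for off, rtype, rdlen in answer_records(pkt):
        if rtype == 1 and rdlen == 4:
            private = str(IPv4Address(pkt[off:off + 4]))
            if private in mapping:                  # answers with no mapping are left untouched
                out[off:off + 4] = IPv4Address(mapping[private]).packed
    return bytes(out)
```

Because the rewrite only touches RDATA, the packet length and header are unchanged; the external host then connects to 202.38.1.3:8080, which the reversible NO-PAT entry maps back to 10.110.10.2:8080, as the session output in the verification step shows.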
Verifying the configuration
# Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT address group information:
  Totally 1 NAT address groups.
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      202.38.1.3            202.38.1.3

NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000           Address group ID: 1
    Port-preserved: N   NO-PAT: Y           Reversible: Y
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 17(UDP)
    Global IP/port: 202.38.1.2/53
    Local IP/port : 10.110.10.3/53
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled
# Display the NAT session information generated when the host accesses the Web server.
[Router] display nat session verbose
Initiator:
  Source      IP/port: 202.1.1.2/1694
  Destination IP/port: 202.38.1.3/8080
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
Responder:
  Source      IP/port: 10.110.10.2/8080
  Destination IP/port: 202.1.1.2/1694
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: HTTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder:            7 packets        308 bytes
Responder->Initiator:            5 packets        312 bytes
Total sessions found: 1