NAT Server for external-to-internal access through domain name configuration example

Network requirements

As shown in Figure 60, Web server at 10.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 is used to resolve the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.

Configure NAT Server to allow external users to access the internal Web server by using the domain name.

Figure 60: Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view
[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from 10.110.10.2 to pass through.

[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0
[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.3 to the group.

[Router-address-group-1] address 202.38.1.3 202.38.1.3
[Router-address-group-1] quit

# Configure NAT Server on interface GigabitEthernet 1/0/2 to map the public address 202.38.1.2 to the DNS server address 10.110.10.3, so that external users can reach the internal DNS server.

[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns

# Enable outbound NO-PAT on interface GigabitEthernet 1/0/2 for packets matching ACL 2000. The DNS ALG uses the address in address group 1 to translate the private Web server address in DNS response payloads, and the reversible keyword lets external users reach the Web server through the mapping that this translation creates.

[Router-GigabitEthernet1/0/2] nat outbound 2000 address-group 1 no-pat reversible
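The following Python script is an added example and is neither part of this configuration guide nor the router's code. It models what the DNS ALG and the reversible NO-PAT rule do together, using the example's own values (ACL 2000 permitting 10.110.10.2, address group 1 holding 202.38.1.3). The domain name www.example.com, the DNS wire-format builder and the `ReversibleNoPat` class are assumptions constructed for the demonstration. Running it with and without the ALG shows why the DNS response payload must be rewritten: without the ALG the external host learns 10.110.10.2, which no inbound mapping matches.

```python
import struct
import ipaddress

# Values from the configuration example (Web server, ACL 2000, address group 1).
WEB_SERVER_PRIVATE = "10.110.10.2"
ADDRESS_GROUP_1 = ["202.38.1.3"]
# Hypothetical domain name, used only in the constructed DNS reply.
WEB_SERVER_NAME = "www.example.com"


class ReversibleNoPat:
    """Model of 'nat outbound ... no-pat reversible': one private address gets one
    public address from the group, and the same mapping is honoured for
    connections initiated from the outside to that public address."""

    def __init__(self, pool):
        self.free = list(pool)
        self.private_to_public = {}
        self.public_to_private = {}

    def translate_outbound(self, private_ip):
        if private_ip not in self.private_to_public:
            if not self.free:
                raise RuntimeError("address group 1 exhausted")
            public_ip = self.free.pop(0)
            self.private_to_public[private_ip] = public_ip
            self.public_to_private[public_ip] = private_ip
        return self.private_to_public[private_ip]

    def translate_inbound(self, public_ip):
        # Without 'reversible' this lookup would not exist and packets from the
        # outside to 202.38.1.3 would be dropped.
        return self.public_to_private.get(public_ip)


def acl_2000(ip):
    """'rule permit source 10.110.10.2 0': only the Web server address is translated."""
    return ip == WEB_SERVER_PRIVATE


def build_dns_response(qname, answer_ip, txid=0x1234):
    """Constructed DNS reply with a single A record in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + rr


def _skip_name(msg, off):
    """Advance past a domain name: a label sequence ending in 0, or a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Yield the offset of the 4-byte rdata of every IN A record after the question section."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_a_records(msg):
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))) for o in _a_record_offsets(msg)]


def dns_alg_rewrite(msg, nat, acl_permit):
    """What 'nat alg dns' does on the way out: replace permitted private addresses in
    A-record payloads with their NO-PAT public address. Returns (new message, rewrites)."""
    out = bytearray(msg)
    rewrites = []
    if not struct.unpack_from("!H", out, 2)[0] & 0x8000:
        return bytes(out), rewrites  # QR bit clear: a query, nothing to rewrite
    for o in _a_record_offsets(out):
        ip = str(ipaddress.IPv4Address(bytes(out[o:o + 4])))
        if acl_permit(ip):
            public_ip = nat.translate_outbound(ip)
            out[o:o + 4] = ipaddress.IPv4Address(public_ip).packed
            rewrites.append((ip, public_ip))
    return bytes(out), rewrites


def resolve_and_connect(with_alg=True):
    """Walk through the example: the DNS server's reply leaves through the router,
    then the external host connects to the address it learned."""
    nat = ReversibleNoPat(ADDRESS_GROUP_1)
    reply = build_dns_response(WEB_SERVER_NAME, WEB_SERVER_PRIVATE)
    rewrites = []
    if with_alg:
        reply, rewrites = dns_alg_rewrite(reply, nat, acl_2000)
    learned = answer_a_records(reply)[0]
    return {"dns_answer": learned, "web_target": nat.translate_inbound(learned), "rewrites": rewrites}


if __name__ == "__main__":
    print("with DNS ALG:   ", resolve_and_connect(True))
    print("without DNS ALG:", resolve_and_connect(False))
```

With the ALG, the external host learns 202.38.1.3 and the reversible mapping delivers its connection to 10.110.10.2, which is the session shown in the verification section; without it, the reply carries the unroutable private address and there is no mapping to reverse.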

Verifying the configuration

# Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all
NAT address group information:
  Totally 1 NAT address groups.
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      202.38.1.3            202.38.1.3

NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: 1
    Port-preserved: N    NO-PAT: Y         Reversible: Y
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 17(UDP)
    Global IP/port: 202.38.1.2/53
    Local IP/port : 10.110.10.3/53
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled
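As an added example (not part of this guide and not a router feature), the Python script below checks a captured `display nat all` output for the three settings this example depends on: the DNS ALG enabled, an outbound rule that is both NO-PAT and reversible, and a UDP/53 NAT Server entry for the DNS server. The excerpt embedded in the script is constructed in the layout of the output above; the section titles and field names are taken from that output.

```python
import re

# Constructed excerpt in the layout of 'display nat all' above, restricted to the
# three sections the check needs.
DISPLAY_NAT_ALL = """\
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: 1
    Port-preserved: N    NO-PAT: Y         Reversible: Y
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 17(UDP)
    Global IP/port: 202.38.1.2/53
    Local IP/port : 10.110.10.3/53
    Config status : Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
"""


def parse_sections(text):
    """Group the output by its unindented 'Title:' lines -> {title: [stripped lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def parse_flags(line):
    """'Port-preserved: N    NO-PAT: Y    Reversible: Y' -> {'Port-preserved': 'N', ...}"""
    return dict(re.findall(r"([\w-]+):\s*([YN])\b", line))


def check_dns_nat_server(text, dns_global="202.38.1.2", dns_local="10.110.10.3"):
    """Return a list of findings; an empty list means all three settings are present."""
    sections = parse_sections(text)
    findings = []

    alg = sections.get("NAT ALG", [])
    if not any(re.fullmatch(r"DNS\s*:\s*Enabled", line) for line in alg):
        findings.append("DNS ALG is disabled: the private Web server address would leave in DNS replies unchanged")

    flags = {}
    for line in sections.get("NAT outbound information", []):
        flags.update(parse_flags(line))
    if flags.get("NO-PAT") != "Y":
        findings.append("outbound rule is not NO-PAT: no one-to-one address mapping for the ALG to advertise")
    if flags.get("Reversible") != "Y":
        findings.append("outbound rule is not reversible: external hosts cannot initiate connections to the mapped address")

    servers = "\n".join(sections.get("NAT internal server information", []))
    has_dns_server = (re.search(r"Protocol: 17\(UDP\)", servers)
                      and f"Global IP/port: {dns_global}/53" in servers
                      and f"Local IP/port : {dns_local}/53" in servers)
    if not has_dns_server:
        findings.append(f"no UDP/53 NAT Server entry mapping {dns_global} to {dns_local}")
    return findings


if __name__ == "__main__":
    for finding in check_dns_nat_server(DISPLAY_NAT_ALL) or ["configuration matches the example"]:
        print(finding)
```

Feed it the real output of the command (for example, captured through a terminal log) in place of the constructed excerpt; each finding names the setting whose absence would break name-based access to the Web server.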

# Display the NAT session information generated when the external host accesses the Web server.

[Router] display nat session verbose
Initiator:
  Source      IP/port: 202.1.1.2/1694
  Destination IP/port: 202.38.1.3/8080
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
Responder:
  Source      IP/port: 10.110.10.2/8080
  Destination IP/port: 202.1.1.2/1694
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: HTTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder:            7 packets        308 bytes
Responder->Initiator:            5 packets        312 bytes

Total sessions found: 1