Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example

Network requirements

As shown in Figure 61, an intranet uses the subnet 192.168.1.0/24. The Web server at 192.168.1.2/24 provides Web services for external users and the DNS server at 192.168.1.3/24 resolves the domain name of the Web server. The company has 3 public addresses 202.38.1.2, 202.38.1.3, and 202.38.1.4.

Configure NAT so that a host at 192.168.1.2 on the external network, an address that overlaps with the internal Web server's own address, can use the domain name to access the internal Web server.

Figure 61: Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

- Configure NAT Server on the external interface so that external hosts can reach the internal DNS server through the public address 202.38.1.4.
- Enable the DNS ALG so that the Web server's private address carried in DNS response payloads is translated to a public address.
- Configure outbound NO-PAT with the reversible option, using address group 1, so the DNS ALG has a one-to-one public mapping for the Web server and external hosts can initiate connections to that mapped address.
- Configure inbound PAT, using address group 2, so the external host's source address 192.168.1.2 is translated before it enters the intranet; otherwise the Web server's replies to 192.168.1.2 would never leave the internal network because that address is its own.
- Add a static route to the inbound translation address 202.38.1.3 so that reply packets from the internal network are forwarded out the NAT interface and translated back.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view
[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.2 to the address group.

[Router-address-group-1] address 202.38.1.2 202.38.1.2
[Router-address-group-1] quit

# Create address group 2.

[Router] nat address-group 2

# Add address 202.38.1.3 to the address group.

[Router-address-group-2] address 202.38.1.3 202.38.1.3
[Router-address-group-2] quit

# Configure NAT Server on interface GigabitEthernet 1/0/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4.

[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns

# Enable outbound NO-PAT on interface GigabitEthernet 1/0/2 to translate the IP address of the Web server in the DNS response payload into the address in address group 1, and allow reversible NAT so that external hosts can initiate connections to that translated address.

[Router-GigabitEthernet1/0/2] nat outbound 2000 address-group 1 no-pat reversible

# Enable inbound PAT on interface GigabitEthernet 1/0/2 to translate the source address of packets going to the internal network to the address in address group 2.

[Router-GigabitEthernet1/0/2] nat inbound 2000 address-group 2

# Return to system view and configure a static route to 202.38.1.3 with GigabitEthernet 1/0/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.) The route is required because 202.38.1.3 is the translated source address that the internal Web server replies to; the route makes sure those replies are forwarded to GigabitEthernet 1/0/2, where the inbound mapping is reversed.

[Router-GigabitEthernet1/0/2] quit
[Router] ip route-static 202.38.1.3 32 gigabitethernet 1/0/2 20.2.2.2
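The following Python model walks a DNS lookup and an HTTP request through the four translation rules configured above, so the reason each rule exists can be traced packet by packet. It is an added illustration, not Comware code or output from the page: the router's behavior is modeled only as far as this example needs (ACL 2000, NAT Server for DNS, reversible outbound NO-PAT from address group 1, inbound PAT from address group 2, DNS ALG on the A record in the answer). The domain name www.example.com, the client ports 1693 and 1694, and the PAT port allocation starting at 1025 are assumptions.

```python
"""Model of the bidirectional NAT + DNS ALG flow in this configuration example.

Added illustration, not Comware code. Addresses are those of the example; the
domain name, client ports and PAT port allocation order are assumed.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                               # "udp" or "tcp"
    payload: dict = field(default_factory=dict)   # DNS answer as {"name": ..., "addr": ...}


class Router:
    """Translation rules of GigabitEthernet1/0/2 as configured on the page."""

    def __init__(self, alg_dns=True):
        self.alg_dns = alg_dns                            # nat alg dns
        # nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns
        self.nat_server = {("udp", "202.38.1.4", 53): ("192.168.1.3", 53)}
        # nat outbound 2000 address-group 1 no-pat reversible
        self.group1 = ["202.38.1.2"]
        self.no_pat = {}                                  # inside addr -> global addr
        # nat inbound 2000 address-group 2 (PAT)
        self.group2_addr = "202.38.1.3"
        self.next_port = 1025                             # assumed allocation order
        self.pat = {}                                     # (global, port) -> (outside, port)

    @staticmethod
    def _acl2000(addr):
        # rule permit source 192.168.1.0 0.0.0.255
        return addr.startswith("192.168.1.")

    def _outbound_no_pat(self, inside):
        # One-to-one mapping from address group 1, created on first use and kept
        # so that the reverse direction (external-initiated) can use it.
        if inside not in self.no_pat:
            if len(self.no_pat) >= len(self.group1):
                raise RuntimeError("address group 1 exhausted")
            self.no_pat[inside] = self.group1[len(self.no_pat)]
        return self.no_pat[inside]

    def inbound(self, pkt):
        """Packet arriving on GigabitEthernet1/0/2 from the external network."""
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.nat_server:                        # NAT Server: static DNS mapping
            dst, dport = self.nat_server[key]
        elif pkt.dst in self.no_pat.values():             # reversible NO-PAT: external-initiated
            dst = next(i for i, g in self.no_pat.items() if g == pkt.dst)
            dport = pkt.dport
        else:
            raise RuntimeError(f"no mapping for {pkt.dst}")
        src, sport = pkt.src, pkt.sport
        if self._acl2000(pkt.src):                        # inbound PAT on the overlapping source
            src, sport = self.group2_addr, self.next_port
            self.pat[(src, sport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=src, sport=sport, dst=dst, dport=dport)

    def outbound(self, pkt):
        """Packet leaving GigabitEthernet1/0/2 towards the external network."""
        dst, dport = self.pat.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))  # undo inbound PAT
        src, sport = pkt.src, pkt.sport
        rev_server = {v: k for k, v in self.nat_server.items()}
        if (pkt.src, pkt.sport) in rev_server:            # NAT Server reply
            _, src, sport = rev_server[(pkt.src, pkt.sport)]
        elif self._acl2000(pkt.src):                      # outbound NO-PAT
            src = self._outbound_no_pat(pkt.src)
        payload = pkt.payload
        if self.alg_dns and pkt.proto == "udp" and pkt.sport == 53 and "addr" in payload:
            if self._acl2000(payload["addr"]):            # DNS ALG rewrites the private A record
                payload = {**payload, "addr": self._outbound_no_pat(payload["addr"])}
        return replace(pkt, src=src, sport=sport, dst=dst, dport=dport, payload=payload)


def simulate(alg_dns=True, domain="www.example.com"):
    """Run the DNS lookup and the HTTP request through the router; return key results."""
    r = Router(alg_dns=alg_dns)
    ext_host = "192.168.1.2"                              # external host, same address as the Web server
    q_in = r.inbound(Packet(ext_host, 1693, "202.38.1.4", 53, "udp", {"name": domain}))
    # Constructed DNS answer from the internal DNS server carrying the Web server's private address.
    a_out = r.outbound(Packet(q_in.dst, 53, q_in.src, q_in.sport, "udp",
                              {"name": domain, "addr": "192.168.1.2"}))
    learned = a_out.payload["addr"]
    if r._acl2000(learned):
        # Without the ALG the external host learns 192.168.1.2, which is its own address:
        # it would connect to itself and the request never reaches the router.
        return {"dns_answer_addr": learned, "web_reachable": False}
    h_in = r.inbound(Packet(ext_host, 1694, learned, 8080, "tcp"))
    reply_out = r.outbound(Packet(h_in.dst, 8080, h_in.src, h_in.sport, "tcp"))
    return {
        "dns_query_inside": (q_in.src, q_in.sport, q_in.dst, q_in.dport),
        "dns_answer_addr": learned,
        "http_inside": (h_in.src, h_in.sport, h_in.dst, h_in.dport),
        "http_reply_outside": (reply_out.src, reply_out.sport, reply_out.dst, reply_out.dport),
        "web_reachable": True,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

With the ALG enabled, the answer the external host receives points at 202.38.1.2, the HTTP request enters the intranet as 202.38.1.3/1026 -> 192.168.1.2/8080, and the Web server's reply leaves as 202.38.1.2/8080 -> 192.168.1.2/1694, which is the shape of the session that `display nat session verbose` shows below. Running `simulate(alg_dns=False)` shows the failure mode the ALG prevents: the host learns the private address 192.168.1.2 and never reaches the server.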

Verifying the configuration

# Verify that the host on the external network, whose address 192.168.1.2 is the same as the internal Web server's, can use the domain name to access the internal Web server. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all
NAT address group information:
  Totally 2 NAT address groups.
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      202.38.1.2            202.38.1.2

  Address group 2:
    Port range: 1-65535
    Address information:
      Start address         End address
      202.38.1.3            202.38.1.3

NAT inbound information:
  Totally 1 NAT inbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: 2
    Add route: N    NO-PAT: N         Reversible: N
    Config status: Active

NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: 1
    Port-preserved: N    NO-PAT: Y         Reversible: Y
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 17(UDP)
    Global IP/port: 202.38.1.4/53
    Local IP/port : 192.168.1.3/53
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled

# Display the NAT session information generated when the external host accesses the Web server.

[Router] display nat session verbose
Initiator:
  Source      IP/port: 192.168.1.2/1694
  Destination IP/port: 202.38.1.2/8080
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
Responder:
  Source      IP/port: 192.168.1.2/8080
  Destination IP/port: 202.38.1.3/1025
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: HTTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder:            7 packets        308 bytes
Responder->Initiator:            5 packets        312 bytes

Total sessions found: 1