NAT hairpin in P2P mode configuration example
Network requirements
In the P2P application, internal clients must register their IP address to the external server and the server records the registered IP addresses and port numbers of the internal clients. An internal client must request the IP address and port number of another client from the external server before accessing the client.
Configure NAT hairpin so that:
The internal clients can register the same public address to the external server.
The internal clients can access each other through the IP address and port number obtained from the server.
Figure 63: Network diagram
Requirements analysis
To meet the network requirements, you must perform the following tasks:
Configure outbound dynamic PAT on the interface connected to the external network, so the internal clients can access the external server for registration.
Configure the mapping behavior for PAT as Endpoint-Independent Mapping because the registered IP address and port number should be accessible for any source address.
Enable NAT hairpin on the interface connected to the internal network so that internal clients can access each other through the public address.
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.
<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 1/0/2. The IP address of GigabitEthernet 1/0/2 is used as the public address when translating the source address of packets going from the internal network to the external network.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat outbound 2000
[Router-GigabitEthernet1/0/2] quit
# Configure the Endpoint-Independent Mapping mode for PAT. For packets with the same source address and port number and permitted by ACL 2000, the source address and port number are translated to the same public address and port number.
[Router] nat mapping-behavior endpoint-independent acl 2000
# Enable NAT hairpin on interface GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] nat hairpin enable
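The following Python model is an added illustration, not part of the original configuration guide, of why the three settings above have to work together: it translates packets the way the router in this example would, using the page's addresses (192.168.1.0/24 behind public address 202.38.1.3), and lets you toggle hairpin and endpoint-independent mapping to see what breaks. The external server address and the sequential public-port allocation are assumptions made for the model only.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the page's topology: hosts on 192.168.1.0/24 (ACL 2000) sit
# behind GigabitEthernet1/0/2, whose address 202.38.1.3 is the Easy IP public address.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "202.38.1.3"
SERVER = ("203.0.113.10", 5000)  # hypothetical external registration server


@dataclass
class Pat:
    hairpin: bool = True   # models "nat hairpin enable" on GigabitEthernet1/0/1
    eim: bool = True       # models "nat mapping-behavior endpoint-independent acl 2000"
    next_port: int = 1024  # constructed port allocation, not the device's algorithm
    table: dict = field(default_factory=dict)

    def _map(self, src, dst):
        # EIM keys the mapping on the private endpoint only, so every destination
        # sees the same public port; otherwise the mapping also depends on dst.
        key = src if self.eim else (src, dst)
        if key not in self.table:
            self.table[key] = (PUBLIC_IP, self.next_port)
            self.next_port += 1
        return self.table[key]

    def _inside(self, pub):
        for key, mapped in self.table.items():
            if mapped == pub:
                return key if self.eim else key[0]
        return None

    def forward(self, src, dst):
        """Translated (src, dst) for a packet entering GE1/0/1, or None if dropped."""
        if ipaddress.ip_address(src[0]) not in INTERNAL:
            return None  # not permitted by ACL 2000, so no translation
        if dst[0] != PUBLIC_IP:
            return self._map(src, dst), dst  # ordinary outbound PAT
        # Destination is the router's own public address: an internal client is
        # using the endpoint it learned from the server. Only hairpin makes this work.
        if not self.hairpin:
            return None
        inside = self._inside(dst)
        if inside is None:
            return None  # no registration mapping exists for that public port
        return self._map(src, dst), inside
```

With `eim=False` the same internal client gets a different public port per destination, so the port it registered with the server is not the one a peer can use; with `hairpin=False` a packet addressed to 202.38.1.3 from the inside is dropped.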
Verifying the configuration
# Verify that Host A, Host B, and Host C can access each other after they register their IP addresses and port numbers with the external server. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: ---
    Port-preserved: N      NO-PAT: N      Reversible: N
    Config status: Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT hairpinning:
  Totally 1 interfaces enabled with NAT hairpinning.
  Interface: GigabitEthernet1/0/1
    Config status: Active

NAT mapping behavior:
  Mapping mode : Endpoint-Independent
  ACL          : 2000
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled
# Display NAT session information generated when Client A accesses Client B.
[Router] display nat session verbose
Initiator:
  Source      IP/port: 192.168.1.3/44929
  Destination IP/port: 202.38.1.3/1
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.2/69
  Destination IP/port: 202.38.1.3/1024
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1
State: UDP_READY
Application: TFTP
Start time: 2012-08-15 15:53:36  TTL: 46s
Initiator->Responder:            1 packets         56 bytes
Responder->Initiator:            1 packets         72 bytes

Total sessions found: 1