NAT hairpin in P2P mode configuration example

Network requirements

In the P2P application, internal clients must register their IP addresses with the external server, and the server records the registered IP address and port number of each internal client. Before an internal client can access another client, it must request that client's IP address and port number from the external server.

Configure NAT hairpin so that:

Figure 63: Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.

<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit

# Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 1/0/2. The IP address of GigabitEthernet 1/0/2 is used as the public address when the source addresses of packets from the internal network to the external network are translated.

[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat outbound 2000

# Configure the Endpoint-Independent Mapping mode for PAT. For packets permitted by ACL 2000 that share the same source address and port number, the source address and port number are always translated to the same public address and port number, whatever their destination.

[Router] nat mapping-behavior endpoint-independent acl 2000

# Enable NAT hairpin on interface GigabitEthernet 1/0/1.

[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] nat hairpin enable
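The following Python model shows why the two settings above belong together. It is an added example, not part of the original configuration guide and not vendor code: a toy PAT table that can be switched between Endpoint-Independent Mapping and address-and-port-dependent mapping, and with hairpin on or off. The private and public addresses are those of the example (192.168.1.0/24 behind 202.38.1.3, Client A 192.168.1.3:44929, Client B 192.168.1.2:69); the external server address 1.2.3.4:5000, the port counter starting at 1024, and the names `HairpinNat`, `Packet` and `p2p_exchange` are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses from the page example; the external server endpoint is constructed.
PUBLIC_IP = "202.38.1.3"          # address of GigabitEthernet 1/0/2 (Easy IP)
INSIDE_PREFIX = "192.168.1."      # stands in for ACL 2000 (192.168.1.0/24)
SERVER = ("1.2.3.4", 5000)        # constructed external registration server
CLIENT_A = ("192.168.1.3", 44929)
CLIENT_B = ("192.168.1.2", 69)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HairpinNat:
    """Toy model of outbound PAT with selectable mapping mode and hairpin."""

    def __init__(self, endpoint_independent: bool, hairpin: bool, first_port: int = 1024):
        self.eim = endpoint_independent
        self.hairpin = hairpin
        self.next_port = first_port   # constructed port allocator
        self.outbound = {}            # mapping key -> allocated public port
        self.inbound = {}             # public port -> (private ip, private port, key)

    def _inside(self, ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def _key(self, pkt: Packet):
        # EIM: one mapping per private source endpoint, whatever the destination.
        if self.eim:
            return (pkt.src_ip, pkt.src_port)
        # Address-and-port-dependent mapping: a separate mapping per destination.
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def _alloc(self, pkt: Packet) -> int:
        key = self._key(pkt)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = (pkt.src_ip, pkt.src_port, key)
            self.next_port += 1
        return self.outbound[key]

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the router, or None if it is dropped."""
        from_inside = self._inside(pkt.src_ip)
        if from_inside and pkt.dst_ip != PUBLIC_IP:
            # Ordinary outbound traffic: translate the source only.
            return Packet(PUBLIC_IP, self._alloc(pkt), pkt.dst_ip, pkt.dst_port)
        if pkt.dst_ip == PUBLIC_IP:
            entry = self.inbound.get(pkt.dst_port)
            if entry is None:
                return None                      # no mapping: unsolicited, dropped
            priv_ip, priv_port, key = entry
            if not self.eim and (pkt.src_ip, pkt.src_port) != key[2:]:
                return None                      # mapping is bound to another peer
            if from_inside:
                if not self.hairpin:
                    return None                  # inside -> public needs hairpin
                # Hairpin: translate the source (as outbound) and the destination (as inbound).
                return Packet(PUBLIC_IP, self._alloc(pkt), priv_ip, priv_port)
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return pkt                               # not subject to translation


def p2p_exchange(endpoint_independent: bool, hairpin: bool):
    """Client B registers with the server, then Client A contacts B via B's public mapping.

    Returns (B's public endpoint, A->B packet after translation, B->A reply after
    translation); a None packet means the router dropped it.
    """
    nat = HairpinNat(endpoint_independent, hairpin)
    reg = nat.forward(Packet(*CLIENT_B, *SERVER))   # server records reg.src_ip/src_port
    b_public = (reg.src_ip, reg.src_port)
    a_to_b = nat.forward(Packet(*CLIENT_A, *b_public))
    if a_to_b is None:
        return b_public, None, None
    # B answers to the endpoint A's packet arrived from, i.e. A's public mapping.
    b_to_a = nat.forward(Packet(*CLIENT_B, a_to_b.src_ip, a_to_b.src_port))
    return b_public, a_to_b, b_to_a


if __name__ == "__main__":
    for eim, hp in ((True, True), (True, False), (False, True)):
        print(f"EIM={eim} hairpin={hp}:", p2p_exchange(eim, hp))
```

Only the combination configured on the page (EIM plus hairpin) lets the A-to-B packet through: without hairpin the router has no rule for an inside host addressing the public interface, and with address-and-port-dependent mapping the port the server learned is tied to the server's own endpoint, so a peer using it is dropped even though the mapping exists. The reply direction in the model mirrors the Responder entry of `display nat session verbose` in the verification step: B's packet to A's public port is translated back to 192.168.1.3/44929.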

Verifying the configuration

# Verify that Host A, Host B, and Host C can access each other after they register their IP addresses and port numbers to the external server. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: ---
    Port-preserved: N    NO-PAT: N         Reversible: N
    Config status: Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT hairpinning:
  Totally 1 interfaces enabled with NAT hairpinning.
  Interface: GigabitEthernet1/0/1
    Config status: Active

NAT mapping behavior:
  Mapping mode : Endpoint-Independent
  ACL          : 2000
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled

# Display NAT session information generated when Client A accesses Client B.

[Router] display nat session verbose
Initiator:
  Source      IP/port: 192.168.1.3/44929
  Destination IP/port: 202.38.1.3/1
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.2/69
  Destination IP/port: 202.38.1.3/1024
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1
State: UDP_READY
Application: TFTP
Start time: 2012-08-15 15:53:36  TTL: 46s
Initiator->Responder:            1 packets         56 bytes
Responder->Initiator:            1 packets         72 bytes

Total sessions found: 1