NAT444 gateway unified with BRAS device configuration example

Network requirements

As shown in Figure 70, the host, a PPPoE client, is connected to the Internet through the router. The router acts as the BRAS device and NAT444 gateway. Configure PPPoE server and NAT444 on the router to meet the following requirements:

Figure 70: Network diagram

Configuration procedure

  1. Configure the RADIUS server (details not shown):

    # Set the shared key for secure communication to expert.

    # Add a user account and password for the PPP users connected to the router.

  2. Configure the router:

    # Create RADIUS scheme rad.

    <Router> system-view
    [Router] radius scheme rad
    

    # Specify the IP address of the primary accounting server and the primary authentication server as 10.0.0.1, and the service port of the primary authentication server as 1812.

    [Router-radius-rad] primary accounting 10.0.0.1
    [Router-radius-rad] primary authentication 10.0.0.1 1812
    

    # Set the shared key for secure communication to expert, entered in plaintext form.

    [Router-radius-rad] key authentication simple expert
    

    # Include domain names in the usernames sent to the RADIUS server.

    [Router-radius-rad] user-name-format with-domain
    [Router-radius-rad] quit
    

    # Create ISP domain cgn.

    [Router] domain cgn
    

    # Specify RADIUS scheme rad for PPP user authentication, authorization, and accounting.

    [Router-isp-cgn] authentication ppp radius-scheme rad
    [Router-isp-cgn] authorization ppp radius-scheme rad
    [Router-isp-cgn] accounting ppp radius-scheme rad
    

    # Specify the user address type as private IPv4 address.

    [Router-isp-cgn] user-address-type private-ipv4
    [Router-isp-cgn] quit
    

    # Create a PPP address pool and add IP addresses 10.210.0.2 to 10.210.0.255 to the pool.

    [Router] ip pool 1 10.210.0.2 10.210.0.255
    

    # Configure interface Virtual-Template 1 to use CHAP for authentication and use PPP address pool 1 for IP address assignment.

    [Router] interface virtual-template 1
    [Router-Virtual-Template1] ppp authentication-mode chap domain cgn
    [Router-Virtual-Template1] remote address pool 1
    [Router-Virtual-Template1] ip address 10.210.0.1 24
    [Router-Virtual-Template1] quit
    

    # Enable PPPoE server on GigabitEthernet 1/0/1 and bind the interface to Virtual-Template 1.

    [Router] interface gigabitethernet 1/0/1
    [Router-GigabitEthernet1/0/1] pppoe-server bind virtual-template 1
    [Router-GigabitEthernet1/0/1] quit
    

    # Configure ACL 2000 to identify packets from subnet 10.210.0.0/24.

    [Router] acl basic 2000
    [Router-acl-ipv4-basic-2000] rule 0 permit source 10.210.0.0 0.0.0.255
    [Router-acl-ipv4-basic-2000] quit
    

    # Create address group 1. Add public address 111.8.0.200, specify the port range as 1024 to 65535, and set the port block size to 10.

    [Router] nat address-group 1
    [Router-address-group-1] port-block block-size 10
    [Router-address-group-1] port-range 1024 65535
    [Router-address-group-1] address 111.8.0.200 111.8.0.200
    [Router-address-group-1] quit
    

    # Configure outbound dynamic NAT444 on GigabitEthernet 1/0/2 to use address group 1 to translate packets permitted by ACL 2000.

    [Router] interface gigabitethernet 1/0/2
    [Router-GigabitEthernet1/0/2] ip address 111.8.0.101 255.255.255.0
    [Router-GigabitEthernet1/0/2] nat outbound 2000 address-group 1
    [Router-GigabitEthernet1/0/2] quit
    

Verifying the configuration

# Initiate a connection from the PPPoE client by entering the username and password.

# Execute the display ppp access-user command to display PPP user information, including the private IP address, translated public IP address, and port block. (Details not shown.)

# Verify that a dynamic NAT444 entry has been created for the user.

[Router] display nat port-block dynamic
Local VPN     Local IP         Global IP        Port block   Connections
---           10.210.0.4       111.8.0.200      1024-1323    0
Total entries found: 1
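
Added example, not part of the original configuration guide: a parser for the display nat port-block dynamic table above that maps a public IP address and source port seen in an external log back to the subscriber's private IP address. The column layout is assumed from the output shown here, and parse_port_blocks and attribute are hypothetical helper names.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Sample input: the display output from the verification step above.
SAMPLE_OUTPUT = """\
Local VPN     Local IP         Global IP        Port block   Connections
---           10.210.0.4       111.8.0.200      1024-1323    0
Total entries found: 1
"""

class PortBlock(NamedTuple):
    vpn: Optional[str]          # None when the device prints "---"
    local_ip: str
    global_ip: str
    first_port: int
    last_port: int

# One table row: VPN, private IP, public IP, "first-last" ports, connections.
ROW = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)-(\d+)\s+\d+$")

def parse_port_blocks(text):
    """Parse the table; fail loudly if rows and the device's count disagree."""
    blocks, declared = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            vpn, local, glob, lo, hi = m.groups()
            lo, hi = int(lo), int(hi)
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port block: {line!r}")
            # ip_address() rejects malformed addresses such as 10.210.0.999
            blocks.append(PortBlock(None if vpn == "---" else vpn,
                str(ipaddress.ip_address(local)), str(ipaddress.ip_address(glob)), lo, hi))
        elif line.startswith("Total entries found:"):
            declared = int(line.split(":", 1)[1])
    if declared is not None and declared != len(blocks):
        raise ValueError(f"parsed {len(blocks)} rows, device reported {declared}")
    return blocks

def attribute(blocks, global_ip, src_port):
    """Return the block owning (public IP, source port), or None."""
    hits = [b for b in blocks if b.global_ip == str(ipaddress.ip_address(global_ip))
            and b.first_port <= src_port <= b.last_port]
    if len(hits) > 1:
        raise ValueError("overlapping port blocks; mapping is ambiguous")
    return hits[0] if hits else None
```

The table reflects current assignments only, so mapping a past event to a subscriber requires the port-block assignment and withdrawal logs with timestamps.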