Nat Internal Server Configuration Example - H3C S9500 Series Operation Manual

Operation Manual – NAT
H3C S9500 Series Routing Switches
[H3C] interface Vlan-interface 200
[H3C-Vlan-interface200] nat outbound 3000 address-group 0 slot 3
[H3C-Vlan-interface200] quit
# Customize a flow template (the default flow template does not check the packet's
destination MAC address), and apply the flow template to Ethernet 4/1/1. The interface
card is located in slot 4.
[H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0
vlanid
[H3C] interface Ethernet4/1/1
[H3C-Ethernet4/1/1] flow-template user-defined
# Configure ACL 4000, allowing only the packets with VLAN ID 100 and destination
MAC being the MAC address of VLAN-interface 100 (000f-e23f-3294) to pass (Only
Layer 3 packets need to be redirected to the NAT LPU, while protocol packets, such as
label distribution protocol (LDP) packets, and Layer 2 packets do not need to be
redirected).
[H3C] acl number 4000
[H3C-acl-link-4000] rule permit ingress 100 egress 000f-e23f-3294 0-0-0
[H3C-acl-link-4000] quit
# Reference the configured ACLs to redirect the matching packets that needs address
translation to the NAT LPU. Ethernet 4/1/1 is the inbound interface at the private
network side, and the VLAN ID is 100.
[H3C] interface Ethernet4/1/1
[H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3000 link-group 4000
rule 0 slot 3 designated-vlan 100
[H3C-Ethernet4/1/1] quit
# Configure a blacklist.
[H3C] nat blacklist mode all
[H3C] nat blacklist limit amount 500
[H3C] nat blacklist limit rate cir 1000
[H3C] nat blacklist start

1.4.2 NAT Internal Server Configuration Example

I. Network requirements
As illustrated in
100 to provide services for external users.
Host 10.1.2.2 provides WWW and Telnet services and corresponds to public
network address 200.1.1.102.
Host 10.1.2.3 provides TCP services and corresponds to public network address
200.1.1.103.
Figure 1-4, configure NAT to enable the two internal servers in VLAN
1-18
Chapter 1 NAT Configuration