Bidirectional Nat For Internal-To-External Access - H3C MSR 2600 Configuration Manual

Layer 3
Bidirectional NAT for internal-to-external access

Network requirements
As shown in Figure 54, the IP address of the Web server is 192.168.1.10, and it overlaps with internal network 192.168.1.0/24, where the hosts reside. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using its domain name.

Figure 54 Network diagram

Configuration considerations

This is a typical application of bidirectional NAT.

When an internal host tries to access the external Web server by using the domain name, a DNS query is sent to the external DNS server. The server sends the internal host a response with the Web server's IP address, which overlaps with that of the internal host. To make sure the internal host reaches the Web server instead of an internal user, configure inbound dynamic NAT with ALG and DNS mapping so that NAT can translate the Web server's address in the payload to a dynamically assigned NAT address.

The internal host uses the NAT address as the destination address. When a packet from the internal host arrives at the NAT device, the source IP address overlaps with the real address of the Web server. Configure outbound dynamic NAT to translate the source IP address to a dynamically assigned NAT address.

The NAT device has no route to the NAT address of the external Web server. Add a static route to the NAT address with GigabitEthernet 1/2 as the output interface.

Configuration procedure

# Specify IP addresses for the interfaces. (Details not shown.)
# Enable NAT with ALG and DNS.
<Router> system-view
[Router] nat alg dns
# Configure ACL 2000, and create a rule to permit packets only from segment 192.168.1.0/24 to pass through.
[Router] acl number 2000
[Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2000] quit
# Create address group 1.
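
The address walk described under "Configuration considerations", as an added Python model (not code from the H3C manual and not router configuration): it shows why the DNS answer has to be rewritten before the host uses it, and how the two translations apply to a request and its reply. Assumptions: 202.38.1.2 is taken as the inbound NAT address and 202.38.1.3 as the outbound one (the page does not say which is which), and mappings are one-to-one with no port translation or timeouts.

```python
import ipaddress as ip

INTERNAL_NET = ip.ip_network("192.168.1.0/24")   # from the page
WEB_REAL = ip.ip_address("192.168.1.10")         # from the page; overlaps INTERNAL_NET
# Assumption: the page does not say which public address serves which direction.
INBOUND_POOL = [ip.ip_address("202.38.1.2")]     # NAT address shown to internal hosts
OUTBOUND_POOL = [ip.ip_address("202.38.1.3")]    # NAT address shown to the outside


def on_link(dst):
    """True if an internal host would deliver to dst directly, bypassing the router."""
    return ip.ip_address(dst) in INTERNAL_NET


class BidirectionalNat:
    """Toy model: one-to-one mappings, no ports, no timeouts."""

    def __init__(self):
        self.inbound = {}    # real external address -> NAT address
        self.outbound = {}   # internal host address -> NAT address

    @staticmethod
    def _map(table, pool, real):
        # Reuse an existing mapping, otherwise take the first free pool address.
        if real not in table:
            free = [a for a in pool if a not in table.values()]
            if not free:
                raise RuntimeError("NAT address pool exhausted")
            table[real] = free[0]
        return table[real]

    def dns_alg(self, a_record):
        """Rewrite an A record in a DNS response from outside if it overlaps."""
        addr = ip.ip_address(a_record)
        if addr in INTERNAL_NET:
            return self._map(self.inbound, INBOUND_POOL, addr)
        return addr

    def egress(self, src, dst):
        """Internal -> external: hide the overlapping source, restore the real destination."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        real_dst = {nat: real for real, nat in self.inbound.items()}.get(dst, dst)
        return self._map(self.outbound, OUTBOUND_POOL, src), real_dst

    def ingress(self, src, dst):
        """External -> internal reply: undo both translations."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        real_dst = {nat: real for real, nat in self.outbound.items()}.get(dst, dst)
        return self.inbound.get(src, src), real_dst
```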
