
Configuring Static Mapping

This section describes how to configure static mapping.

Context

By configuring static mapping, you can specify the private IP address pool, public IP address pool, port ranges allocated to public addresses, and their mappings to rapidly translate private addresses to public addresses.

For configurations of the NMS, see server documents. This section focuses on the configuration of static mapping on the CGN, namely the FW.

Procedure

  1. Access the system view.

    system-view

  2. Configure static mapping and access its view.

    nat static-mapping

  3. Configure the private IPv4 address pool.
    1. Run the inside-ipv4-pool pool-id command to create a private IPv4 address pool.
    2. Run the section section-id start-ipv4 end-ipv4 command to configure address ranges for the private IPv4 address pool.
    3. Run the quit command to exit the view of the private IPv4 address pool.
  4. Configure the public IPv4 address pool. When you configure static mapping, you can choose to configure mapping between the public address pool and the private address pool or between the public interface address and the private address pool. This step is required only when you configure mapping between the public address pool and private address pool.
    1. Run the global-pool global-pool-id command to create a public IPv4 address pool.
    2. Run the section section-id start-ipv4 end-ipv4 command to configure address ranges for the public IPv4 address pool.
    3. Optional: Run the nat mode full-cone command to set the static mapping mode to 3-tuple NAT.

      The default static mapping mode is 5-tuple NAT.

    4. Optional: Run the route enable command to enable the user network route (UNR) delivery function for addresses in the static mapping public address pool.

      After you configure this command, the FW generates a UNR for addresses in the public address pool. This UNR, like the blackhole route, can prevent route loops and can be imported and advertised by dynamic routing protocols, such as OSPF.

      If addresses in the public address pool and outgoing interface addresses are on different network segments, you must configure a blackhole route. If they are on the same network segment, configuring a blackhole route is recommended.

      If they are the same, no route loops will be generated, and you do not need to configure a blackhole route.

      By default, the UNR delivery function for addresses in the static mapping public address pool is disabled.

    5. Run the quit command to exit the view of the public IPv4 address pool.
  5. Optional: Enable the static mapping public address pool statistics function. Statistics on the address pool are collected only when the address pool statistics function is enabled in both the system view and the public address pool view.
    1. Run the nat statistics enable command to enable the global address pool statistics function.

      By default, the function is disabled.

    2. Run the nat static-mapping command to configure static mapping and access its view.
    3. Run the global-pool global-pool-id command to create a public IPv4 address pool.
    4. Run the statistics enable command to enable the static mapping public address pool statistics function.

      By default, the function is disabled.

    5. Run the quit command to exit the view of the public IPv4 address pool.
  6. Configure static mapping. If the in-section and ip-first parameters are not configured on the device, the device calculates the mappings between public and private IP addresses by address pool. The device preferentially generates 1-to-1 mappings between private IPv4 addresses and port ranges and assigns a public IPv4 address to these private IPv4 addresses. After the available port ranges are used in one round, the device generates 1-to-1 mappings between other private IPv4 addresses and port ranges and assigns another public IPv4 address to these private IPv4 addresses.

    • Run the static-mapping mapping-id inside-ipv4-pool inside-pool-id global-pool global-pool-id [ port-range start-port end-port ] [ port-block-size port-number ] [ ip-first ] command to configure address pool-based static mapping between public and private IP addresses.

      When you configure address pool-based static mapping, the addresses in the public IP address pool must meet the mapping requirements of the addresses in the private IP address pool. The advantage and disadvantage are as follows:

      • Advantage: You need to ensure only that the addresses in the private IP address pool have mapped addresses in the public IP address pool. You do not need to consider whether the addresses in each section of the private and public IP address pools have a mapping.
      • Disadvantage: Deleting any section in the private or public IP address pool affects the mapping between public and private IP addresses. Therefore, the device does not support the dynamic deleting of sections in both the private and public IP address pools.

      ip-first: If this parameter is specified, public addresses in the address pool are translated to private addresses first, and then ports are translated. If it is not specified, ports are translated first and then public addresses in the address pool. By default, ports are translated first.

    • Run the static-mapping mapping-id inside-ipv4-pool inside-pool-id global-pool global-pool-id [ port-range start-port end-port ] [ port-block-size port-number ] in-section command to configure section-based static mapping between public and private IP addresses.

      When you configure section-based static mapping, the section-ids in the private and public IP address pool are in one-to-one mapping relationship. All public sections with a mapping must meet the mapping requirements of the sections in the private IP address pool. The advantage and disadvantage are as follows:

      • Advantage: Supports dynamic deleting of sections. Deleting a section in either the private or public address pool causes the users corresponding to the private section to fail the mapping, but it does not affect the mapping requirements of other sections.
      • Disadvantage: If the public addresses in a section meet the mapping requirements of a section in the private IP address pool and there are still available public addresses, these public addresses cannot be mapped to the addresses of other sections in the private IP address pool. This wastes public addresses. Therefore, you need to plan the addresses of each section carefully.
    • Run the static-mapping mapping-id inside-ipv4-pool inside-pool-id global interface { interface-name | interface-type interface-number } [ port-range start-port end-port ] [ port-block-size port-block-size ] command to configure mapping between private and public interfaces.

      If the public address is dynamically obtained in PPPoE or DHCP mode, you can use the public interface address as the public address and configure the mapping between the public interface address and private address pool.

    The allocated port range is from 2048 to 65535 by default.

    A single private IPv4 address pool can build static mapping relationships with several public IP address pools, and each of those static mapping relationships can only be applied once.

  7. Optional: Exclude the public port range used in static mapping.

    exclude-port start-port end-port static-mapping mapping-id

    The start port of the excluded port range must be a multiple of 256, and the end port plus 1 must be a multiple of 256. You can configure only one excluded port range for the static mapping.
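    The following Python model is an added example (not Huawei documentation or FW code) of the address pool-based allocation described in step 6 and the exclude-port constraint in step 7: it assigns each private address one public address plus a port block in port-first or ip-first order, then maps an observed public IP:port back to the private address for NAT log attribution. The exact slot ordering used for port-first and ip-first, and the sample address pools, are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    private_ip: str
    public_ip: str
    start_port: int
    end_port: int

def ip_range(start, end):
    """Expand a section (start-ipv4 end-ipv4) into its individual addresses."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(a + i) for i in range(int(b) - int(a) + 1)]

def port_blocks(port_range=(2048, 65535), block_size=256):
    """Carve the allocated port range (page default 2048-65535) into fixed blocks."""
    start, end = port_range
    return [(p, min(p + block_size - 1, end)) for p in range(start, end + 1, block_size)]

def static_mapping(inside_section, global_section, port_range=(2048, 65535),
                   block_size=256, ip_first=False):
    """1-to-1 mapping of each private address to one (public IP, port block) slot.

    Port-first (the page's default): use every block of one public address before
    moving to the next. ip-first: hand out the first block of every public address
    before touching the second block. This slot ordering is the example's assumption.
    """
    inside, public = ip_range(*inside_section), ip_range(*global_section)
    blocks = port_blocks(port_range, block_size)
    if ip_first:
        slots = [(pub, blk) for blk in blocks for pub in public]
    else:
        slots = [(pub, blk) for pub in public for blk in blocks]
    if len(slots) < len(inside):  # public pool does not meet the mapping requirement
        raise ValueError(f"{len(slots)} port blocks for {len(inside)} private addresses")
    return [Binding(priv, pub, lo, hi) for priv, (pub, (lo, hi)) in zip(inside, slots)]

def lookup_private(bindings, public_ip, port):
    """Attribute an observed public IP:port (NAT log, abuse report) to its private address."""
    for b in bindings:
        if b.public_ip == public_ip and b.start_port <= port <= b.end_port:
            return b.private_ip
    return None

def valid_exclude_port_range(start, end):
    """exclude-port rule from the page: start is a multiple of 256, and so is end + 1."""
    return start <= end and start % 256 == 0 and (end + 1) % 256 == 0

if __name__ == "__main__":
    # Constructed sample: 500 private addresses against a 3-address public pool.
    b = static_mapping(("10.0.0.1", "10.0.1.244"), ("203.0.113.1", "203.0.113.3"))
    print(b[0], b[499], lookup_private(b, "203.0.113.3", 2900), sep="\n")
```

    With 256-port blocks, one public address covers 248 private addresses, so a two-address public pool raises ValueError for the 500-address sample above.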

  8. Reference static mapping.

    Static mapping takes effect only after being applied in the NAT policy view.

    1. Run the nat-policy command to access the NAT policy view.
    2. Run the rule name rule-name command to create a NAT rule in the NAT policy view. Then the NAT rule view is displayed. If multiple NAT rules are configured, they are matched from top to bottom in sequence. If one rule is matched, the remaining rules are ignored.
    3. Configure matching conditions for the source NAT rule.

      By default, all matching conditions are "any." A NAT rule applies only to traffic that meets all the configured conditions in the NAT rule.

      • Run the source-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | any } command to set a source IP address that needs to match the traffic.

      • Run the destination-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | any } command to set a destination IP address that needs to match the traffic.

      • Run the source-zone { zone-name &<1-6> | any } command to configure the source security zone (the intranet security zone) for traffic.

      • Run the destination-zone zone-name command to configure the destination security zone (the Internet security zone) for traffic.

    4. Run the action source-nat static-mapping [ mapping-id ] command to apply the static mapping policy.

  9. Optional: When traffic matches a static mapping, a user entry is generated. The number of user entries the device can hold is limited. You can configure log and alarm sending when the user table usage reaches a threshold, so that the FW notifies users when the user table usage reaches this threshold.

    1. To enable the function of sending logs and alarms when the usage of the user table reaches the threshold, run the nat user-table used-up alarm enable command in the system view.

    2. To set an alarm threshold for the usage of the user table, run the nat user-table used-up alarm threshold command.

Copyright © Huawei Technologies Co., Ltd.