< Home

Key Points for Configuring NAT66

NAT66 Configuration Overview

NAT66 is generally configured as follows:

  1. Configure a NAT policy: Create NAT rules, configure matching conditions, and specify the data flows that require NAT.
  2. Set the action in the NAT policy.

Configuring a NAT Policy

The NAT function is implemented using NAT rules in a NAT policy. Create a NAT rule to specify the data flow that requires NAT and the translation action.

If multiple NAT rules are configured, the device matches them from top to bottom in the NAT rule list. If the traffic matches a NAT rule, the subsequent rules will no longer be matched. Therefore, pay attention to the configuration sequence.

  1. Create a NAT rule and configure matching conditions.

    All matching conditions are optional for traffic matching. However, when configuring a NAT policy, you must configure the source or destination address as the matching condition. When configuring the destination NAT policy, you must set the matching condition for the destination security zone to any.

    Operation

    Command

    Description

    Enter the NAT policy view and create a NAT rule.

    nat-policy

    rule name rule-name

    -

    Configure the NAT policy type.

    nat-type nat66

    -

    Configure a matching condition for the NAT rule: address.

    • Configure a source IP address that needs to match the traffic.

      source-address ipv6-address ipv6-prefix-length [ description description ]

    • Configure a destination IP address that needs to match the traffic.

      destination-address ipv6-address ipv6-prefix-length [ description description ]

    Only one address prefix can be configured for the source address matching condition of the NAT66 policy, and it is also true for the destination address matching condition.

    For example, set the address prefix to 3000:1000::/48 in the matching condition.

    [sysname] nat-policy
 [sysname-policy-nat] rule name policy1
 [sysname-policy-nat-rule-policy1] source-address 3000:1000:: 48

    When configuring static NAT66, ensure that the length of the address prefix in the matching condition is the same as the length of the post-NAT address prefix.

    For example, configure NAT for users whose address prefix is 3000:1000::/48.

    [sysname] nat-policy
 [sysname-policy-nat] rule name policy1
 [sysname-policy-nat-rule-policy1] source-address 3000:1000:: 48
 [sysname-policy-nat-rule-policy1] action destination-nat static 3000:1100:: 48

    When configuring static NAT66, do not configure the same source NAT action if the protocol, destination address, and destination security zone in the matching conditions are the same. (For example, when the protocol, destination address, and destination security zone in the matching conditions of two NAT policies are the same but the source IP addresses of users belong to different network segments, if the same source NAT action is configured, the source addresses of packets will be translated into the same address, causing access conflicts). If the source address, source security zone, and protocol in the matching conditions are the same, do not configure the same destination NAT action. (For example, when the source address, destination security zone, and protocol in the matching conditions of two NAT policies are the same but users access different destination addresses, if the same destination NAT action is configured, the destination addresses of packets will be translated into the same address, causing access conflicts.)

    Configure a matching condition for the NAT rule: security zone.

    • Configure the source security zone of traffic. The source security zone is often the security zone where the internal network is located.

      source-zone { zone-name &<1-6> | any }

    • Configure the destination security zone of traffic. The destination security zone is often the security zone where the external network is located.

      destination-zone zone-name

    When configuring destination NAT, set the destination security zone to any.

    Configure a matching condition for the NAT rule: service.

    • Reference an existing service set.

      service { service-name &<1-6> | any }

      service-exclude service-name &<1-6>

    • Configure a service (by referencing a TCP/UDP/SCTP port or IP-layer protocol).

      • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

      • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

      • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

      • service protocol protocol-number

      • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

      • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

      • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

      • service-exclude protocol protocol-number

    You can specify a service in either of the following ways:

    • Run the service command to reference a predefined or user-defined service. A user-defined service must be configured before it is referenced.
    • Run the service protocol command to configure the port and protocol of a service in a NAT rule. However, the services configured in this mode cannot be reused by other policies.

    For example, specify source TCP ports 123 to 128 as the matching condition.

    First configuration mode:

    [sysname] ip service-set set1 type object
 [sysname-object-service-set-set1] service protocol tcp source-port 123 to 128
 [sysname-object-service-set-set1] quit
 [sysname] nat-policy
 [sysname-policy-nat] rule name policy1
 [sysname-policy-nat-rule-policy1] service set1

    Second configuration mode:

    [sysname] nat-policy
 [sysname-policy-nat] rule name policy1
 [sysname-policy-nat-rule-policy1] service protocol tcp source-port 123 to 128

  2. Configure an action for the NAT rule.

    action { source-nat | destination-nat } nptv6 ipv6-prefix nptv6_prefix_len

    action source-nat static ipv6-prefix static_prefix_len

    action destination-nat static ipv6-prefix static_prefix_len [ port ]

    source-nat indicates that source NAT is performed for data flows, and destination-nat indicates that destination NAT is performed for data flows.

Parent Topic: Configuring NAT66
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >