Configuring NAT Address Pool Detection
This section describes how to configure NAT address pool detection to ensure that the IP addresses in the NAT address pool are available IP addresses.
Context
If an intranet user uses a post-NAT public IP address for unauthorized operations on the Internet, the public IP address may be masked by Internet devices. Therefore, other users on the same intranet cannot use this public IP address for normal Internet access. In this case, you can configure NAT address pool detection on the FW. Then the FW uses an IP address in the NAT address pool as the source address to detect an Internet server. If the FW does not receive any response packet within a specific period, the FW will remove the IP address from the NAT address pool to prevent the IP addresses of intranet-to-Internet packets from being translated into this IP address. NAT address pool detection works by referencing a health check template in the address pool. For details on health check, see Health Check.
With NAT address pool detection, the FW periodically sends a detection packet to the remote server. The source address of the packet is an address in the address pool.
If the FW does not receive any response packet from the remote server with the specified period (the default period is15s and detection packets are sent three times), the FW will remove the IP address (source address of the detection packet) from its address pool and will not use the address for NAT translation.
The removed IP address can still be used as the source address of a detection packet to detect the remote server. If a response packet is received from the remote server, the FW adds the IP address to the NAT address pool to perform NAT translation for intranet users.
Procedure
- Access the system view.
- Configure a health check template.
- Add detection members to the health check.
destination ip-address [ interface interface-type interface-number [ next-hop next-hop-ip-address ] ] protocol { icmp | { dns | http | radius } [ destination-port port-number ] | { tcp | tcp-simple } destination-port port-number }
- Add detection members to the health check.
- Configure NAT address pool detection.
- Enable NAT address pool detection.
ip-detect healthcheck healthcheck-name
The detection time (detection interval x number of detection failures) of the health check specified by healthcheck-name must be greater than 33s. Otherwise, the healthcheck name command cannot be used with the ip-detect healthcheck command.
- Enable NAT address pool detection.
Follow-up Procedure
After completing the preceding configurations, run the display nat ip-detect address-group { name group-name | id group-id } [ exclude-ip | ip-address ] command to check information about IP addresses proactively removed by the FW from the address pool.
<sysname> display nat ip-detect address-group name nataddr
Address-group id: 1 Detect ip num: 10 Exclude ip num: 9
-----------------------------------------------------------------------------------
IP-address: Section-id Excluded Excluded-Time
-----------------------------------------------------------------------------------
1.1.1.1 0 YES 2015/11/26 09:30:39
1.1.1.2 0 YES 2015/11/26 09:31:03
1.1.1.3 0 YES 2015/11/26 09:30:50
1.1.1.4 0 YES 2015/11/26 09:31:28
1.1.1.5 0 YES 2015/11/26 09:30:53
1.1.1.6 0 YES 2015/11/26 09:30:26
1.1.1.7 0 YES 2015/11/26 09:30:54
1.1.1.8 0 YES 2015/11/26 09:31:24
1.1.1.9 0 YES 2015/11/26 09:31:03
1.1.1.10 0 NO ---