
Key Points for Configuring Source NAT

Source NAT Configuration Overview

The basic procedure for configuring Source NAT is as follows:

  1. Configure a Source NAT address pool and specify the public network address range after NAT. If Source NAT in Easy IP mode is configured, skip this step.
    1. Create an address pool and configure address segments in the address pool.
    2. Specify the address pool mode based on the Source NAT type.
    3. Optional: Control the use of the address pool. The port range after NAT and the number of private IP addresses corresponding to each public IP address can be configured.
  2. Configure a NAT policy for address translation.
    1. Create NAT rules, configure matching conditions, and specify the data flows to be translated by Source NAT.
    2. Set the action in the policy.

Configuring a Source NAT Address Pool

  1. Create an address pool.

    To specify the address range in an address pool, you can configure one or more address segments or specify a large address range and then exclude the addresses and ports that cannot be used.

    Operation: Create a NAT address pool.
    Command:   nat address-group group-name [ group-number ]

    Operation: Set an IP address range.
    Command:   section [ id ] start-ipv4 [ end-ipv4 ]

    Operation: Exclude certain addresses or ports.
    Command:   exclude-ip { ip-address1 [ to ip-address2 ] | ip-address1 mask { mask-value | mask-length } }
               exclude-port port1 [ to port2 ]

  2. Set an address pool mode. The address pool mode varies with the Source NAT type.

    mode { pat | no-pat { global | local } | full-cone { global | local } [ no-reverse ] }

    Source NAT Type: NAT No-PAT
    Command:         mode no-pat { global | local }

    Source NAT Type: NAPT
    Command:         mode pat

    Source NAT Type: 3-Tuple NAT
    Command:         mode full-cone { global | local } [ no-reverse ]
                     Optional: smart-fullcone exclude-dest-port port1 port2
    Description:     For 3-Tuple NAT, one port range can be reserved for NAPT.

    Source NAT Type: Smart NAT
    Command:         mode no-pat { global | local }
                     smart-nopat ip-address
    Description:     For Smart NAT, after configuring the address pool mode, you need to specify a reserved address for NAPT.

  3. Optional: Control the use of the address pool.

    Operation: Set the maximum number of private addresses corresponding to a public address.
    Command:   srcip-car-num srcip-number [ no-port-translation ]

    Operation: Configure the range of port numbers for port translation.
    Command:   nat port range begin-port end-port

    Operation: Configure the working status for an address pool.
    Command:   status { maintenance | inactive }

  4. Configure the black-hole route to prevent routing loops.

    route enable
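Before a pool is referenced by a NAT rule, it is worth checking what the section, exclude-ip, exclude-port, nat port range and srcip-car-num settings above actually leave usable, because an exhausted or accidentally emptied pool shows up as dropped or untranslated sessions. The following Python script is an added example, not part of this page or of Huawei's software: it models a pool built from those commands in simplified form (constructed sample values in 203.0.113.0/24; the exclude-ip mask form is written as a.b.c.d/len for brevity) and reports the surviving public addresses, the port budget, and the resulting bound on private hosts for the pat and no-pat modes.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SourceNatPool:
    """Simplified model of a Source NAT address pool built from the commands above.
    Added illustration only; it is not a model of the device's internal allocator."""
    name: str
    sections: list                    # (start-ipv4, end-ipv4 or None) from 'section'
    mode: str                         # 'pat' or 'no-pat' from 'mode'
    exclude_ip: list = field(default_factory=list)    # 'a.b.c.d', 'a.b.c.d-e.f.g.h' or 'a.b.c.d/len'
    exclude_port: list = field(default_factory=list)  # (port1, port2) pairs from 'exclude-port'
    port_range: tuple = (1, 65535)    # (begin-port, end-port) from 'nat port range'; constructed default
    srcip_car_num: int = 0            # from 'srcip-car-num'; 0 means not configured

def _exclude_ip_set(spec):
    """Expand one exclude-ip entry into a set of IPv4Address objects."""
    if "/" in spec:                                       # shorthand for the 'ip-address1 mask ...' form
        return set(ipaddress.ip_network(spec, strict=False))
    if "-" in spec:                                       # 'ip-address1 to ip-address2' form
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in spec.split("-"))
        return {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return {ipaddress.IPv4Address(spec)}                  # single address

def usable_public_ips(pool):
    """Public addresses that remain after every exclude-ip entry is applied, sorted."""
    addrs = set()
    for start, end in pool.sections:
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end)) if end else lo
        if hi < lo:
            raise ValueError(f"section {start}-{end}: end-ipv4 precedes start-ipv4")
        addrs.update(ipaddress.IPv4Address(i) for i in range(lo, hi + 1))
    for spec in pool.exclude_ip:
        addrs -= _exclude_ip_set(spec)
    return sorted(addrs)

def usable_ports(pool):
    """Ports inside 'nat port range' that 'exclude-port' does not remove."""
    begin, end = pool.port_range
    ports = set(range(begin, end + 1))
    for port1, port2 in pool.exclude_port:
        ports -= set(range(port1, port2 + 1))
    return len(ports)

def max_private_hosts(pool):
    """Upper bound on private addresses the pool can serve at one time.
    no-pat: one public address per private address.
    pat:    public addresses * srcip-car-num when that limit is set; otherwise the
            pool imposes no per-host bound (None) and only the port budget applies."""
    public = len(usable_public_ips(pool))
    if pool.mode == "no-pat":
        return public
    if pool.mode == "pat":
        return public * pool.srcip_car_num if pool.srcip_car_num else None
    raise ValueError(f"mode '{pool.mode}' is not modelled here")

def ports_per_private_host(pool):
    """Rough port budget per private host on its public address under pat with srcip-car-num.
    In the simplest case each translated session consumes one port, so this bounds
    the concurrent sessions one host can hold."""
    if pool.mode != "pat" or not pool.srcip_car_num:
        return None
    return usable_ports(pool) // pool.srcip_car_num

def pool_warnings(pool):
    """Checks worth running before 'route enable' and before a NAT rule references the pool."""
    warnings = []
    if not usable_public_ips(pool):
        warnings.append("no public address survives exclude-ip")
    if pool.mode == "pat" and usable_ports(pool) == 0:
        warnings.append("exclude-port removes the whole nat port range")
    return warnings

# Constructed sample pool (203.0.113.0/24 is documentation address space), equivalent to:
#   nat address-group pool1
#    section 0 203.0.113.10 203.0.113.20
#    exclude-ip 203.0.113.15 to 203.0.113.16
#    exclude-port 1024 to 1100
#    mode pat
#    nat port range 1024 65535
#    srcip-car-num 50
POOL = SourceNatPool(
    name="pool1",
    sections=[("203.0.113.10", "203.0.113.20")],
    mode="pat",
    exclude_ip=["203.0.113.15-203.0.113.16"],
    exclude_port=[(1024, 1100)],
    port_range=(1024, 65535),
    srcip_car_num=50,
)

if __name__ == "__main__":
    print(f"{POOL.name}: {len(usable_public_ips(POOL))} public addresses, "
          f"{usable_ports(POOL)} ports each, up to {max_private_hosts(POOL)} private hosts, "
          f"about {ports_per_private_host(POOL)} ports per host; warnings: {pool_warnings(POOL)}")
```

With the sample values, 11 addresses minus the 2 excluded leaves 9 public addresses, 64512 ports minus the 77 excluded leaves 64435 per address, and srcip-car-num 50 bounds the pool at 450 private hosts with roughly 1288 ports each; a no-pat pool of the same addresses would serve only 9 private hosts at once.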

Configuring the NAT Policy

The NAT function is implemented using NAT rules in the NAT policy. Create a NAT rule to specify the data flow to be translated and the translation action.

If multiple NAT rules are configured, the device evaluates them from top to bottom in the NAT rule list. As soon as traffic matches a rule, the subsequent rules are not evaluated, so the configuration sequence determines the result: a rule that must take precedence has to be placed before the more general rule that would otherwise capture the same traffic.

  1. Create a NAT rule and set matching conditions.

    All matching conditions are optional. The default value of each condition is any. If a condition is configured, only traffic that meets it is matched; if a condition is not configured, it does not restrict traffic at all.

    Operation: Enter the NAT policy view and create a NAT rule.
    Command:   nat-policy
               rule name rule-name

    Operation: Set the matching condition (address) of the NAT rule.
    Command:
      • Configure the source IP address as the matching condition.

        source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range { ipv4-start-address ipv4-end-address } [ description description ] | mac-address &<1-6> | any }

        Exclude certain addresses from the source address range matched by the rule.

        source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range { ipv4-start-address ipv4-end-address } } [ description description ]

      • Configure the destination IP address as the matching condition.

        destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range { ipv4-start-address ipv4-end-address } [ description description ] | mac-address &<1-6> | domain-set domain-set &<1-6> | any }

        Exclude certain addresses from the destination address range matched by the rule.

        destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range { ipv4-start-address ipv4-end-address } } [ description description ]
    Description: For example, NAT needs to be performed for users in the network segment 10.1.1.0/24, excluding the users from 10.1.1.2 to 10.1.1.5.

      [sysname] nat-policy
      [sysname-policy-nat] rule name policy1
      [sysname-policy-nat-rule-policy1] source-address 10.1.1.0 24
      [sysname-policy-nat-rule-policy1] source-address-exclude range 10.1.1.2 10.1.1.5

    Operation: Set the matching condition (security zone) of the NAT rule.
    Command:
      • Configure the source security zone as the matching condition, which is usually the security zone where the intranet resides.

        source-zone { zone-name &<1-6> | any }

      • Specify the destination security zone or the outbound interface. The two are mutually exclusive; you can configure only one of them.

        • Configure the destination security zone as the matching condition, which is usually the security zone where the Internet resides.

          destination-zone zone-name

        • Configure the outbound interface.

          egress-interface interface-type interface-number

    Operation: Set the matching condition (service) of the NAT rule.
    Command:
      • Reference an existing service set.

        service { service-name &<1-6> | any }

        service-exclude service-name &<1-6>

      • Configure a service directly (by specifying a TCP/UDP/SCTP port or an IP-layer protocol).

        • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

        • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

        • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

        • service protocol protocol-number

        • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

        • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

        • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

        • service-exclude protocol protocol-number
    Description: The device supports two ways of specifying a service:

      • Run the service command to reference a predefined or user-defined service. To reference a user-defined service, ensure that the service has already been configured.
      • Run the service protocol command to set the port or protocol number directly in the NAT rule. A service configured in this way is local to the rule and cannot be referenced by other policies.

      For example, to specify source ports (TCP ports 123 to 128) as the matching condition:

      The first configuration method:

      [sysname] ip service-set set1 type object
      [sysname-object-service-set-set1] service protocol tcp source-port 123 to 128
      [sysname-object-service-set-set1] quit
      [sysname] nat-policy
      [sysname-policy-nat] rule name policy1
      [sysname-policy-nat-rule-policy1] service set1

      The second configuration method:

      [sysname] nat-policy
      [sysname-policy-nat] rule name policy1
      [sysname-policy-nat-rule-policy1] service protocol tcp source-port 123 to 128

  2. Set an action for the NAT rule.

    action { source-nat { address-group address-group-name | easy-ip } | no-nat }

    source-nat indicates that Source NAT is performed for the matched traffic (using the specified address pool or Easy IP mode), while no-nat indicates that NAT is not performed for the matched traffic.

    no-nat mainly applies to certain special clients. For example, to perform NAT on all hosts except 192.168.1.2 on the 192.168.1.0/24 network segment, you can first configure a policy that does not translate 192.168.1.2 and then configure a policy to translate the 192.168.1.0/24 network segment.
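The first-match behaviour and the ordering pitfall described above can be checked offline before a change is pushed to the device. The Python script below is an added example, not Huawei's code: it parses the subset of the nat-policy syntax used on this page (rule name, source-address with a mask length or range, source-address-exclude, source-zone, destination-zone, action), evaluates constructed flows top to bottom exactly as the text describes, and flags any no-nat rule that an earlier rule shadows. The zone names, rule names, pool name and probe flows are made up; the two sample policies contain the same two rules from the 192.168.1.0/24 example in both orders.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = (0, 2**32 - 1)  # inclusive integer range that covers every IPv4 address

@dataclass
class NatRule:
    """One 'rule name' block; a condition left empty is not configured and matches any."""
    name: str
    source: list = field(default_factory=list)           # (lo, hi) ranges from source-address
    source_exclude: list = field(default_factory=list)   # (lo, hi) ranges from source-address-exclude
    source_zones: list = field(default_factory=list)     # zone names from source-zone
    destination_zone: str = ""                           # from destination-zone
    action: tuple = ("", "")                             # ("source-nat", pool|"easy-ip") or ("no-nat", "")

def _address_range(tokens):
    """Translate the address forms used on this page into an inclusive integer range."""
    if tokens == ["any"]:
        return ANY
    if tokens[0] == "range":                          # range ipv4-start-address ipv4-end-address
        lo, hi = (int(ipaddress.IPv4Address(t)) for t in tokens[1:3])
        return (lo, hi)
    if len(tokens) == 2:                              # ipv4-address ipv4-mask-length
        net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        return (int(net.network_address), int(net.broadcast_address))
    raise ValueError(f"address form not modelled here: {' '.join(tokens)}")

def parse_nat_policy(text):
    """Parse a pasted nat-policy block; '[sysname-...]' prompts are stripped if present."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("]", 1)[1] if raw.lstrip().startswith("[") else raw
        tokens = line.split()
        if not tokens or tokens in (["nat-policy"], ["quit"]):
            continue
        if tokens[:2] == ["rule", "name"]:
            current = NatRule(name=tokens[2])
            rules.append(current)
            continue
        if current is None:
            raise ValueError(f"'{line.strip()}' appears before any 'rule name'")
        keyword, args = tokens[0], tokens[1:]
        if keyword == "source-address":
            current.source.append(_address_range(args))
        elif keyword == "source-address-exclude":
            current.source_exclude.append(_address_range(args))
        elif keyword == "source-zone":
            current.source_zones.extend(args)
        elif keyword == "destination-zone":
            current.destination_zone = args[0]
        elif keyword == "action":                     # action { source-nat { ... } | no-nat }
            current.action = (args[0], args[-1] if args[0] == "source-nat" else "")
        else:
            raise ValueError(f"keyword not modelled here: {keyword}")
    return rules

def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

def rule_matches(rule, flow):
    """Apply only the configured conditions; an unconfigured condition never excludes traffic."""
    src = int(ipaddress.IPv4Address(flow["src"]))
    if rule.source and not _in_ranges(src, rule.source):
        return False
    if _in_ranges(src, rule.source_exclude):
        return False
    if rule.source_zones and "any" not in rule.source_zones and flow["src_zone"] not in rule.source_zones:
        return False
    if rule.destination_zone and flow["dst_zone"] != rule.destination_zone:
        return False
    return True

def lookup(rules, flow):
    """Top to bottom, first match wins; later rules are not evaluated. None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule
    return None

def shadowed_exceptions(rules, probes):
    """Report no-nat rules that a probe flow matches but that an earlier rule captures first."""
    findings = []
    for flow in probes:
        hit = lookup(rules, flow)
        for rule in rules:
            if rule.action[0] == "no-nat" and rule_matches(rule, flow) and hit is not rule:
                findings.append((flow["src"], rule.name, hit.name))
    return findings

# Constructed policies mirroring the no-nat example above (zone and pool names are made up).
HOST_BYPASS = """ rule name host-bypass
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.2 32
  action no-nat
"""
LAN_NAPT = """ rule name lan-napt
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action source-nat address-group pool1
"""
CORRECT_ORDER = "nat-policy\n" + HOST_BYPASS + LAN_NAPT   # exception first, as the page advises
WRONG_ORDER = "nat-policy\n" + LAN_NAPT + HOST_BYPASS     # the /24 rule shadows the exception
PROBES = [
    {"src": "192.168.1.2", "src_zone": "trust", "dst_zone": "untrust"},
    {"src": "192.168.1.50", "src_zone": "trust", "dst_zone": "untrust"},
]

if __name__ == "__main__":
    for label, text in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        rules = parse_nat_policy(text)
        for flow in PROBES:
            hit = lookup(rules, flow)
            print(f"{label}: {flow['src']} -> {hit.name} {hit.action}")
        print(f"{label}: shadowed no-nat rules = {shadowed_exceptions(rules, PROBES)}")
```

With the rules in the correct order, 192.168.1.2 hits host-bypass and is left untranslated while 192.168.1.50 hits lan-napt; with the order reversed, lan-napt captures 192.168.1.2 first and the no-nat rule is never reached, which is exactly what shadowed_exceptions reports. The same matcher also confirms the earlier 10.1.1.0/24 example: a source-address-exclude range of 10.1.1.2 to 10.1.1.5 keeps 10.1.1.3 out of the rule while 10.1.1.6 still matches.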

Copyright © Huawei Technologies Co., Ltd.