
Key Points for Configuring Destination NAT

Destination NAT Configuration Overview

The basic procedure for configuring destination NAT is as follows:

  1. Configure a destination NAT address pool that specifies the private (post-NAT) address range.
  2. Configure a NAT policy for address translation.
    1. Create NAT rules and configure their matching conditions to specify the data flows that destination NAT translates.
    2. Set the action in the policy.

Configuring a Destination NAT Address Pool

  1. Create a NAT address pool.

    Operation: Create a NAT address pool.

    Command: destination-nat address-group address-group-name [ address-group-number ]

    Operation: Set an IP address range.

    Command: section start-address end-address [ weight weight-value ]

  2. Configure a black-hole route (a host route to NULL0) so that packets for the NAT address that do not match a NAT session are dropped instead of causing a routing loop.

    ip route-static x.x.x.x 255.255.255.255 NULL0

Configuring the NAT Policy

The NAT function is implemented using NAT rules in the NAT policy. Create a NAT rule to specify the data flow to be translated and the translation action.

If multiple NAT rules are configured, the device matches them from top to bottom in the NAT rule list. Once traffic matches a rule, the remaining rules are not evaluated, so a broad rule placed above a narrower one prevents the narrower rule from ever matching. Pay attention to the configuration sequence.

  1. Create a NAT rule and set matching conditions.

    Operation: Enter the NAT policy view and create a NAT rule.

    Command:

      nat-policy

      rule name rule-name

    Description: -

    Operation: Set the matching condition (address) of the NAT rule.

    Command:

    • Configure the source IP address as the matching condition.

      source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] [ description description ] | range { ipv4-start-address ipv4-end-address } [ description description ] | mac-address &<1-6> | any }

      Exclude certain addresses from the address range specified above.

      source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range { ipv4-start-address ipv4-end-address } } [ description description ]

    • Configure the destination IP address as the matching condition.

      destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] [ description description ] | range { ipv4-start-address ipv4-end-address } [ description description ] | mac-address &<1-6> | domain-set domain-set &<1-6> | any }

      Exclude certain addresses from the address range specified above.

      destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range { ipv4-start-address ipv4-end-address } } [ description description ]

    Description: The matching condition based on the destination IP address is mandatory; the matching conditions based on the other address types are optional.

    For example, to apply NAT to traffic whose destination IP address is in 10.1.1.0/24:

    [sysname] nat-policy
    [sysname-policy-nat] rule name policy1
    [sysname-policy-nat-rule-policy1] destination-address 10.1.1.0 24

    Operation: Set the matching condition (security zone) of the NAT rule.

    Command: Configure the source security zone as the matching condition, which is usually the security zone where the Internet resides.

      source-zone { zone-name &<1-6> | any }

    Description: In a destination NAT policy, only the source security zone can be configured as a matching condition; the destination security zone cannot.

    Operation: Set the matching condition (service) of the NAT rule.

    Command:

    • Reference an existing service set.

      service { service-name &<1-6> | any }

      service-exclude service-name &<1-6>

    • Configure a service (by referencing a TCP/UDP/SCTP port or an IP-layer protocol).

      • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

      • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

      • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

      • service protocol protocol-number

      • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

      • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

      • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

      • service-exclude protocol protocol-number

    Description: The device supports two modes in which a service is specified:

    • Run the service command to reference a predefined or user-defined service. To reference a user-defined service, ensure that the service has already been configured.
    • Run the service protocol command to set the port or protocol number of the service directly in the NAT rule. A service configured in this mode cannot be referenced by other policies.

    For example, to specify source ports (TCP ports 123 to 128) as the matching condition:

    The first method (reference a service set):

    [sysname] ip service-set set1 type object
    [sysname-object-service-set-set1] service protocol tcp source-port 123 to 128
    [sysname-object-service-set-set1] quit
    [sysname] nat-policy
    [sysname-policy-nat] rule name policy1
    [sysname-policy-nat-rule-policy1] service set1

    The second method (configure the service directly in the NAT rule):

    [sysname] nat-policy
    [sysname-policy-nat] rule name policy1
    [sysname-policy-nat-rule-policy1] service protocol tcp source-port 123 to 128
  2. Set an action for the NAT rule.

    action destination-nat
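The following added example (not from the original page or from Huawei) models the rule semantics described above in Python: the destination address is the mandatory condition, only the source zone can be matched, and rules are evaluated top to bottom with the first match winning. It also flags rules that an earlier, broader rule makes unreachable, which is the ordering mistake the text warns about. The zone name "untrust" and the port values are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One destination NAT rule; only the destination address is mandatory."""
    name: str
    destination: str                             # matched destination network (CIDR)
    source_zone: Optional[str] = None            # only the source zone can be matched
    protocol: Optional[str] = None               # e.g. "tcp"; None matches any protocol
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, zone: str, dst_ip: str, proto: str, dport: int) -> bool:
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.source_zone and zone != self.source_zone:
            return False
        if self.protocol and proto != self.protocol:
            return False
        if self.dst_ports and not (self.dst_ports[0] <= dport <= self.dst_ports[1]):
            return False
        return True


def first_match(rules: List[NatRule], zone, dst_ip, proto, dport) -> Optional[str]:
    """Top-to-bottom lookup: the first matching rule wins and later rules are skipped."""
    for rule in rules:
        if rule.matches(zone, dst_ip, proto, dport):
            return rule.name
    return None


def covers(a: NatRule, b: NatRule) -> bool:
    """True if every flow that matches b also matches a (a's conditions are unset or wider)."""
    if not ipaddress.ip_network(b.destination).subnet_of(ipaddress.ip_network(a.destination)):
        return False
    if a.source_zone and a.source_zone != b.source_zone:
        return False
    if a.protocol and a.protocol != b.protocol:
        return False
    if a.dst_ports and (b.dst_ports is None
                        or a.dst_ports[0] > b.dst_ports[0] or b.dst_ports[1] > a.dst_ports[1]):
        return False
    return True


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule in the list covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed sample rule list: the broad rule sits first, so policy2 is unreachable.
RULES = [
    NatRule("policy1", "10.1.1.0/24", source_zone="untrust"),
    NatRule("policy2", "10.1.1.10/32", source_zone="untrust", protocol="tcp", dst_ports=(80, 80)),
]
```

Reversing RULES puts the specific rule first, after which shadowed_rules() reports nothing and a TCP/80 flow to 10.1.1.10 hits policy2 while other hosts in 10.1.1.0/24 still hit policy1.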

Copyright © Huawei Technologies Co., Ltd.