
CLI: Example for Enabling a Private IPv4 User to Traverse the Carrier Network for Accessing an IPv4 Internet Server

This section provides an example for configuring NAT444.

Networking Requirements

Carrier A is short of public IPv4 addresses. To relieve the shortage, its metropolitan area network (MAN) uses private IPv4 addresses internally. To enable a private IPv4 user in the MAN to access the IPv4 Internet, NAT must be performed twice, once on the CPE and once on the CGN device, as shown in Figure 1.

Figure 1 NAT444 networking diagram

Configuration Roadmap

  1. Complete basic configurations on the CPE, including setting interface IP addresses and adding the interfaces to security zones.
  2. Configure the NAT policy on the CPE, translating a private user address to a private carrier address.
  3. Complete basic configurations on the CGN device, including setting interface IP addresses and adding the interfaces to security zones.
  4. Configure the NAT policy on the CGN device, translating a private carrier address to a public address and enabling a private user to access the Internet.

Procedure

  • Configure the CPE.
    1. Configure interface addresses and add the interfaces to security zones.

      # Configure an IP address for GE0/0/0.

      <FW> system-view
      [FW] sysname CPE
      [CPE] interface GigabitEthernet 0/0/0
      [CPE-GigabitEthernet0/0/0] ip address 10.1.1.1 255.255.255.0
      [CPE-GigabitEthernet0/0/0] quit
      [CPE] firewall zone untrust
      [CPE-zone-untrust] add interface GigabitEthernet 0/0/0
      [CPE-zone-untrust] quit

      # Configure an IP address for GigabitEthernet 0/0/1.

      [CPE] interface GigabitEthernet 0/0/1
      [CPE-GigabitEthernet 0/0/1] ip address 192.168.0.1 255.255.255.0
      [CPE-GigabitEthernet 0/0/1] quit
      [CPE] firewall zone trust
      [CPE-zone-trust] add interface GigabitEthernet 0/0/1
      [CPE-zone-trust] quit

    2. Configure a security policy.

      [CPE] security-policy
      [CPE-policy-security] rule name policy_sec_1
      [CPE-policy-security-rule-policy_sec_1] source-zone trust
      [CPE-policy-security-rule-policy_sec_1] destination-zone untrust
      [CPE-policy-security-rule-policy_sec_1] source-address 192.168.0.0 24
      [CPE-policy-security-rule-policy_sec_1] action permit
      [CPE-policy-security-rule-policy_sec_1] quit
      [CPE-policy-security] quit

    3. Configure an outbound source NAT policy to translate a private user address to the CPE GE0/0/0 address.

      [CPE] nat-policy
      [CPE-policy-nat] rule name policy_nat_1
      [CPE-policy-nat-rule-policy_nat_1] source-zone trust
      [CPE-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24
      [CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip
      [CPE-policy-nat-rule-policy_nat_1] quit
      [CPE-policy-nat] quit

    4. Configure a default route. In this example, the next-hop address of the CPE to the carrier MAN is 10.1.1.2.

      [CPE] ip route-static 0.0.0.0 0.0.0.0 10.1.1.2

  • Configure the CGN.
    1. Configure interface addresses and add the interfaces to security zones.

      # Configure an IP address for GE0/0/0.

      <FW> system-view
      [FW] sysname CGN
      [CGN] interface GigabitEthernet 0/0/0
      [CGN-GigabitEthernet0/0/0] ip address 1.1.1.1 255.255.255.0
      [CGN-GigabitEthernet0/0/0] quit
      [CGN] firewall zone untrust
      [CGN-zone-untrust] add interface GigabitEthernet 0/0/0
      [CGN-zone-untrust] quit

      # Configure an IP address for GigabitEthernet 0/0/1.

      [CGN] interface GigabitEthernet 0/0/1
      [CGN-GigabitEthernet 0/0/1] ip address 10.1.2.1 255.255.255.0
      [CGN-GigabitEthernet 0/0/1] quit
      [CGN] firewall zone trust
      [CGN-zone-trust] add interface GigabitEthernet 0/0/1
      [CGN-zone-trust] quit

    2. Configure a security policy.

      [CGN] security-policy
      [CGN-policy-security] rule name policy_sec_1
      [CGN-policy-security-rule-policy_sec_1] source-zone trust
      [CGN-policy-security-rule-policy_sec_1] destination-zone untrust
      [CGN-policy-security-rule-policy_sec_1] source-address 10.1.1.0 24
      [CGN-policy-security-rule-policy_sec_1] action permit
      [CGN-policy-security-rule-policy_sec_1] quit
      [CGN-policy-security] quit

    3. Configure a source NAT policy to translate a private carrier address to a public address, enabling a private user to access the Internet.

      # Configure an address pool. Enable port translation for reuse of public addresses.

      [CGN] nat address-group address_1
      [CGN-address-group-address_1] mode pat
      [CGN-address-group-address_1] route enable
      [CGN-address-group-address_1] section 0 1.1.1.11 1.1.1.20
      [CGN-address-group-address_1] quit

      # Configure the NAT policy.

      [CGN] nat-policy
      [CGN-policy-nat] rule name policy_nat_1
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group address_1
      [CGN-policy-nat-rule-policy_nat_1] quit
      [CGN-policy-nat] quit

    4. Configure a default route and a route to the CPE.

      # In this example, the next-hop address of the CGN to the Internet is 1.1.1.2.

      [CGN] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

      # In this example, the next-hop address from the CGN to the CPE is 10.1.2.2.

      [CGN] ip route-static 10.1.1.1 255.255.255.255 10.1.2.2

  • Configure the server.

    • Set the IP address of the server to 2.2.2.2/32.
    • Configure a route on the server to the addresses in the CGN address pool, so that replies reach the CGN.

  • Configure the PC.

    Configure the PC address and specify a gateway. The methods for configuring PC addresses and routes vary with the operating system and are therefore not described here.

Configuration Scripts

  • The CPE configuration script is as follows:

    #
     sysname CPE
    #
    interface GigabitEthernet0/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 192.168.0.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet 0/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/0
    #
     ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
    #
    security-policy
      rule name policy_sec_1
        source-zone trust
        destination-zone untrust
        source-address 192.168.0.0 24
        action permit
    #
    nat-policy
      rule name policy_nat_1
        source-zone trust
        destination-zone untrust
        source-address 192.168.0.0 24
        action source-nat easy-ip
    #
    return

  • The CGN configuration script is as follows:

    #
     sysname CGN
    #
    interface GigabitEthernet0/0/0
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 10.1.2.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet 0/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/0
    #
     ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
     ip route-static 10.1.1.1 255.255.255.255 10.1.2.2
    #
    nat address-group address_1
     mode pat
     route enable
     section 0 1.1.1.11 1.1.1.20
    #
    security-policy
      rule name policy_sec_1
        source-zone trust
        destination-zone untrust
        source-address 10.1.1.0 24
        action permit
    #
    nat-policy
      rule name policy_nat_1
        source-zone trust
        destination-zone untrust
        source-address 10.1.1.0 24
        action source-nat address-group address_1
    #
    return

Copyright © Huawei Technologies Co., Ltd.