1. Overview
The function of Network Address Translation (NAT) is to translation a private IP address to into a public IP address that connected to the internet before packets are forwarded to another network. NAT can advertise a single public IP address for the entire local private network to the internet and providing a security by hiding the entire internal network behind that address.
In this article, we will configure different configuration of static NAT and Dynamic NAT on Huawei router model AR2220.
2. Prerequisites
In this document, it is supposed that:
a. You have already install Huawei eNSP on your computer. If you do not, you can refer to this link Huawei Network Device Simulation With eNSP.
b. You know how to configure SSH remote management on Huawei router. If you do not, you can refer this link SSH Configuration on Huawei Router AR2220.
3. Lab Scenario Set up
We will set up a Lab to configure NAT as show in the following diagram. We will configure NAT on “HQ-RT02”. There is one router in the LAN with the host name as “HQ-RT01” and this host is acting as an inside LAN server. We will configure SSH and Telnet server on this host. There is one router act as the internet and another router act as computer in the public network.
The following is the basic configuration of each devices.
On HQ-RT01
First all, we can configure host name and IP as the following.
] sysname HQ-RT01 ] int g0/0/0 ip add 10.0.0.2 255.255.255.0 ] ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
Then, let’s configure SSH server fore remote management as the following.
] user-interface vty 0 4 authentication-mode aaa protocol inbound all ] stelnet server enable ] aaa local-user netadmin password cipher 111 local-user netadmin privilege level 15 local-user netadmin service-type ssh telnet ] rsa local-key-pair create
On HQ-RT02
On HQ-RT02 let’s configure the basic configuration as the following.
] sysname HQ-RT02 ] int g0/0/0 ip add 10.0.0.2 255.255.255.0 ] int g0/0/1 ip add 117.100.100.1 255.255.255.248 ] ip route-static 0.0.0.0 0.0.0.0 117.100.100.6
On router acts as the Internet
We just need to configure IP address on each interface on the Internet router.
] int g0/0/0 ip add 117.100.100.6 255.255.255.248 ] int g0/0/1 ip add 111.100.100.1 255.255.255.0
On router acts as a computer in public network
On PC router, let’s configure the basic configuration as the following.
] int g0/0/0 ip add 111.100.100.10 255.255.255.0 ] ip route-static 0.0.0.0 0.0.0.0 111.100.100.1
4. Dynamic NAT
4.1 Configure Dynamic NAT To Interface IP
Before we configure dynamic NAT, HQ-RT01 is not able to ping to IP address of the internet router.
<HQ-RT01>ping 117.100.100.6 PING 117.100.100.6: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 117.100.100.6 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
Now let start to configure dynamic NAT on HQ-RT02. First, we need to create an ACL to contain the IP address to be NATed. In below ACL, we allow all IP in the LAN can access to the internet.
] acl number 2000 rule 10 permit source 10.0.0.0 0.0.0.255
Then, we need to configure dynamic NAT on the interface that connect direct to the internet using the created ACL above.
] int g0/0/1 nat outbound 2000
Now, HQ-RT01 should be able to ping to IP address of the internet router.
<HQ-RT01>ping 117.100.100.6 PING 117.100.100.6: 56 data bytes, press CTRL_C to break Reply from 117.100.100.6: bytes=56 Sequence=1 ttl=254 time=60 ms Reply from 117.100.100.6: bytes=56 Sequence=2 ttl=254 time=30 ms Reply from 117.100.100.6: bytes=56 Sequence=3 ttl=254 time=20 ms Reply from 117.100.100.6: bytes=56 Sequence=4 ttl=254 time=30 ms Reply from 117.100.100.6: bytes=56 Sequence=5 ttl=254 time=40 ms --- 117.100.100.6 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 20/36/60 ms
4.2 Configure Dynamic NAT With IP Pool
It is also possible if we want to translate our LAN IP subnet to pool of public IP address. In the following command will create a NAT pool with IP address rang from 117.100.100.4 to 117.100.100.5.
] nat address-group 0 117.100.100.4 117.100.100.5
Then on interface that connect directly to the internet, we need apply the following command.
] int g0/0/1
undo nat outbound 2000
nat outbound 2000 address-group 0
5. Static NAT
5.1 Configure Static NAT To Interface IP
If we want to publish the access of the internal server to the internet, we can configure static NAT on our router “HQ-RT02”. In the following command will configure a static NAT for remote SSH access from the internet using the IP address that is assigned to interface GE0/0/1 of HQ-RT01.
] int g0/0/1 nat static protocol tcp global current-interface 22 inside 10.0.0.2 22
Now, if we test telnet port 22 to the public IP configure on interface GE0/0/1 of HQ-RT02 router from router PC, we should get the following successful result.
> telnet 117.100.100.1 22 Press CTRL_] to quit telnet mode Trying 117.100.100.1 ... Connected to 117.100.100.1 ...SSH-1.99-DOPRA-1.5
To login to HQ-RT01 from the internet, we can use the following commands.
] ssh client first-time enable ] stelnet 117.100.100.1 22 Please input the username:netadmin Enter password: <HQ-RT01>
5.2 Configure Static NAT To IP In The Same Interface Subnet
Usually, there are many local services to publish to be accessible from the internet. In this case, we can configure NAT the local IP to any available public IP within the same subnet of IP that assigned to the router “HQ-RT02” interface GE0/0/1 which it is connect directly to the internet.
To so, first we need to enable static NAT on interface GE0/0/1 of “HQ-RT02”.
] int g0/0/1 nat static enable
Then, we can configure NAT as the following to NAT public IP 117.100.100.2 port 2323 to the private IP 10.0.0.2 port 23.
] nat static protocol tcp global 117.100.100.2 2323 inside 10.0.0.2 23
We can test telnet from PC router as the following.
>telnet 117.100.100.2 2323 Press CTRL_] to quit telnet mode Trying 117.100.100.2 ... Connected to 117.100.100.2 ... Login authentication Username:netadmin Password: ----------------------------------------------------------------------------- User last login information: ----------------------------------------------------------------------------- Access Type: Telnet IP-Address : 10.0.0.1 Time : 2017-06-30 00:10:25-08:00 ----------------------------------------------------------------------------- <HQ-RT01>
In some case, we might want to NAT one private IP to one public IP for any services and we can do as the following.
] undo nat static protocol tcp global 117.100.100.2 2323 inside 10.0.0.2 telnet ] int g0/0/1 undo nat static protocol tcp global current-interface 22 inside 10.0.0.2 22 ] nat static global 117.100.100.3 inside 10.0.0.2
Now, if we try to ping IP 117.100.100.3 from PC router, we should get the following result.
>ping 117.100.100.3 PING 117.100.100.3: 56 data bytes, press CTRL_C to break Reply from 117.100.100.3: bytes=56 Sequence=1 ttl=253 time=40 ms Reply from 117.100.100.3: bytes=56 Sequence=2 ttl=253 time=40 ms Reply from 117.100.100.3: bytes=56 Sequence=3 ttl=253 time=40 ms Reply from 117.100.100.3: bytes=56 Sequence=4 ttl=253 time=40 ms Reply from 117.100.100.3: bytes=56 Sequence=5 ttl=253 time=50 ms --- 117.100.100.3 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 40/42/50 ms
If we test SSH from PC router, we should get the following result.
] stelnet 117.100.100.3 22 Please input the username:netadmin Enter password: ----------------------------------------------------------------------------- User last login information: ----------------------------------------------------------------------------- Access Type: Telnet IP-Address : 111.100.100.10 Time : 2017-06-30 00:19:36-08:00 ----------------------------------------------------------------------------- <HQ-RT01>
If we test Telnet from PC router, we should get the following result.
>telnet 117.100.100.3 Press CTRL_] to quit telnet mode Trying 117.100.100.3 ... Connected to 117.100.100.3 ... Login authentication Username:netadmin Password: ----------------------------------------------------------------------------- User last login information: ----------------------------------------------------------------------------- Access Type: SSH IP-Address : 111.100.100.10 ssh Time : 2017-06-30 00:30:09-08:00 ----------------------------------------------------------------------------- <HQ-RT01>
6. Conclusion
That’s all about configuring network address translation (NAT) on Huawei router AR2220 from Tech Space KH. Hopefully, you can find this guide informative. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.
