Configuring Network Address Translation (NAT) on Huawei Router AR2220

1. Overview

 

Network Address Translation (NAT) translates a private IP address into a public IP address that is connected to the internet before packets are forwarded to another network. NAT can advertise a single public IP address to the internet for the entire local private network, and it provides security by hiding the entire internal network behind that address.

In this article, we will configure several variants of static NAT and dynamic NAT on a Huawei AR2220 router.

2. Prerequisites

 

This document assumes that:

a. You have already installed Huawei eNSP on your computer. If you have not, refer to Huawei Network Device Simulation With eNSP.
b. You know how to configure SSH remote management on a Huawei router. If you do not, refer to SSH Configuration on Huawei Router AR2220.

3. Lab Scenario Set up

 

We will set up a lab to configure NAT as shown in the following diagram. We will configure NAT on “HQ-RT02”. There is one router in the LAN with the host name “HQ-RT01”, which acts as an inside LAN server. We will configure the SSH and Telnet servers on this host. One router acts as the internet and another router acts as a computer in the public network.

The following is the basic configuration of each device.

On HQ-RT01

First of all, we configure the host name and IP address as follows.

] sysname HQ-RT01
] int g0/0/0
     ip add 10.0.0.2 255.255.255.0
] ip route-static 0.0.0.0 0.0.0.0 10.0.0.1

Then, let’s configure the SSH server for remote management as follows.

] user-interface vty 0 4
    authentication-mode aaa
    protocol inbound all

] stelnet server enable

] aaa
    local-user netadmin password cipher 111
    local-user netadmin privilege level 15
    local-user netadmin service-type ssh telnet

] rsa local-key-pair create

On HQ-RT02

On HQ-RT02, let’s apply the basic configuration as follows.

] sysname HQ-RT02
] int g0/0/0
     ip add 10.0.0.1 255.255.255.0
] int g0/0/1
     ip add 117.100.100.1 255.255.255.248

] ip route-static 0.0.0.0 0.0.0.0 117.100.100.6

On the router acting as the Internet

We just need to configure an IP address on each interface of the Internet router.

] int g0/0/0
     ip add 117.100.100.6 255.255.255.248
] int g0/0/1
     ip add 111.100.100.1 255.255.255.0

On the router acting as a computer in the public network

On the PC router, let’s apply the basic configuration as follows.

] int g0/0/0
     ip add 111.100.100.10 255.255.255.0
] ip route-static 0.0.0.0 0.0.0.0 111.100.100.1

 

4. Dynamic NAT

4.1 Configure Dynamic NAT To Interface IP

 

Before we configure dynamic NAT, HQ-RT01 is not able to ping the IP address of the internet router.

<HQ-RT01>ping 117.100.100.6
  PING 117.100.100.6: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 117.100.100.6 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Now let’s start configuring dynamic NAT on HQ-RT02. First, we need to create an ACL that contains the IP addresses to be NATed. The ACL below allows all IP addresses in the LAN to access the internet.

] acl number 2000  
    rule 10 permit source 10.0.0.0 0.0.0.255

Then, we need to configure dynamic NAT on the interface that connects directly to the internet, using the ACL created above.

] int g0/0/1
    nat outbound 2000

Now, HQ-RT01 should be able to ping the IP address of the internet router.

<HQ-RT01>ping 117.100.100.6
  PING 117.100.100.6: 56  data bytes, press CTRL_C to break
    Reply from 117.100.100.6: bytes=56 Sequence=1 ttl=254 time=60 ms
    Reply from 117.100.100.6: bytes=56 Sequence=2 ttl=254 time=30 ms
    Reply from 117.100.100.6: bytes=56 Sequence=3 ttl=254 time=20 ms
    Reply from 117.100.100.6: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 117.100.100.6: bytes=56 Sequence=5 ttl=254 time=40 ms

  --- 117.100.100.6 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/36/60 ms

4.2 Configure Dynamic NAT With IP Pool

 

It is also possible to translate our LAN IP subnet to a pool of public IP addresses. The following command creates a NAT pool with the IP address range from 117.100.100.4 to 117.100.100.5.

] nat address-group 0 117.100.100.4 117.100.100.5

Then, on the interface that connects directly to the internet, we need to apply the following commands.

] int g0/0/1
    undo nat outbound 2000
    nat outbound 2000 address-group 0

5. Static NAT

5.1 Configure Static NAT To Interface IP

 

If we want to publish access to the internal server to the internet, we can configure static NAT on our router “HQ-RT02”. The following command configures a static NAT for remote SSH access from the internet using the IP address that is assigned to interface GE0/0/1 of HQ-RT02.

] int g0/0/1
    nat static protocol tcp global current-interface 22 inside 10.0.0.2 22

Now, if we telnet to port 22 on the public IP configured on interface GE0/0/1 of the HQ-RT02 router from the PC router, we should get the following successful result.

> telnet 117.100.100.1 22
   Press CTRL_] to quit telnet mode
   Trying 117.100.100.1 ...
   Connected to 117.100.100.1 ...SSH-1.99-DOPRA-1.5

To log in to HQ-RT01 from the internet, we can use the following commands.

] ssh client first-time enable
] stelnet 117.100.100.1 22
  Please input the username:netadmin
  Enter password:
<HQ-RT01>

5.2 Configure Static NAT To IP In The Same Interface Subnet

 

Usually, there are many local services to publish so that they are accessible from the internet. In this case, we can NAT the local IP to any available public IP within the same subnet as the IP assigned to interface GE0/0/1 of router “HQ-RT02”, which connects directly to the internet.

To do so, we first need to enable static NAT on interface GE0/0/1 of “HQ-RT02”.

] int g0/0/1
    nat static enable

Then, we can configure NAT as follows to map public IP 117.100.100.2 port 2323 to private IP 10.0.0.2 port 23.

] nat static protocol tcp global 117.100.100.2 2323 inside 10.0.0.2 23

We can test Telnet from the PC router as follows.

>telnet 117.100.100.2 2323
  Press CTRL_] to quit telnet mode
  Trying 117.100.100.2 ...
  Connected to 117.100.100.2 ...

Login authentication


Username:netadmin
Password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 10.0.0.1     
  Time       : 2017-06-30 00:10:25-08:00     
  -----------------------------------------------------------------------------
<HQ-RT01>

In some cases, we might want to NAT one private IP to one public IP for all services, which we can do as follows.

] undo nat static protocol tcp global 117.100.100.2 2323 inside 10.0.0.2 telnet
] int g0/0/1
    undo nat static protocol tcp global current-interface 22 inside 10.0.0.2 22
] nat static global 117.100.100.3 inside 10.0.0.2

Now, if we ping IP 117.100.100.3 from the PC router, we should get the following result.

>ping 117.100.100.3
  PING 117.100.100.3: 56  data bytes, press CTRL_C to break
    Reply from 117.100.100.3: bytes=56 Sequence=1 ttl=253 time=40 ms
    Reply from 117.100.100.3: bytes=56 Sequence=2 ttl=253 time=40 ms
    Reply from 117.100.100.3: bytes=56 Sequence=3 ttl=253 time=40 ms
    Reply from 117.100.100.3: bytes=56 Sequence=4 ttl=253 time=40 ms
    Reply from 117.100.100.3: bytes=56 Sequence=5 ttl=253 time=50 ms

  --- 117.100.100.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/42/50 ms

If we test SSH from the PC router, we should get the following result.

] stelnet 117.100.100.3 22
  Please input the username:netadmin
  Enter password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 111.100.100.10     
  Time       : 2017-06-30 00:19:36-08:00     
  -----------------------------------------------------------------------------
<HQ-RT01>

If we test Telnet from the PC router, we should get the following result.

>telnet 117.100.100.3
  Press CTRL_] to quit telnet mode
  Trying 117.100.100.3 ...
  Connected to 117.100.100.3 ...

Login authentication


Username:netadmin
Password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: SSH      
  IP-Address : 111.100.100.10 ssh     
  Time       : 2017-06-30 00:30:09-08:00     
  -----------------------------------------------------------------------------
<HQ-RT01>
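
The three static NAT forms used in this section publish very different amounts of HQ-RT01 to the internet. The Python script below is an added example, not part of the original article: it parses "nat static" lines and lists what each one exposes. The sample configuration is constructed from the commands above, and the function name and tags are illustrative.

```python
import re

# Constructed sample: the three "nat static" forms used in section 5,
# gathered as they would be entered on HQ-RT02.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 nat static protocol tcp global current-interface 22 inside 10.0.0.2 22
 nat static enable
nat static protocol tcp global 117.100.100.2 2323 inside 10.0.0.2 23
nat static global 117.100.100.3 inside 10.0.0.2
"""

RULE = re.compile(
    r"^nat static (?:protocol (?P<proto>\S+) )?global (?P<gip>\S+)"
    r"(?: (?P<gport>\S+))? inside (?P<iip>\S+)(?: (?P<iport>\S+))?$")

TELNET_PORTS = {"23", "telnet"}  # the port number or the keyword form


def audit_static_nat(config, interface_ip="117.100.100.1"):
    """List each published mapping and tag the ones worth reviewing."""
    findings = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:  # skips "nat static enable", "undo ..." and unrelated lines
            continue
        gip = m["gip"]
        if gip == "current-interface":
            gip = interface_ip  # address of the interface the rule sits on
        if m["proto"] is None:
            tag = "one-to-one: every port and protocol of the inside host is published"
        elif m["iport"] in TELNET_PORTS:
            tag = "cleartext telnet published"
        else:
            tag = "single port published"
        findings.append(
            (gip, m["gport"] or "any", m["iip"], m["iport"] or "any", tag))
    return findings


if __name__ == "__main__":
    for gip, gport, iip, iport, tag in audit_static_nat(SAMPLE_CONFIG):
        print(f"{gip}:{gport} -> {iip}:{iport}  [{tag}]")
```
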

6. Conclusion

 

That’s all about configuring network address translation (NAT) on Huawei router AR2220 from Tech Space KH. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.
