NetEngine AR600, AR6000 Series Routers: NAT Feature Description
www.huawei.com
The NAT device receives a packet requesting access to a server on the public network from
the host on the private network.
The NAT device selects an idle public IP address (for example, 3.3.3.10) from the IP
address pool to replace the source private IP address (10.1.1.2) in the packet, records the
mapping between 3.3.3.10 and 10.1.1.2, and then sends the packet to the public network.
After receiving the response packet from the public network, the NAT device queries the
previously saved mapping between the public IP address and the private IP address based
on the destination IP address (3.3.3.10) in the response packet, replaces the destination IP
address with 10.1.1.2, and then sends the response packet to the private network.
[Figure residue: NAT device with an IP address pool between the private and public networks; NAT multi-instance with CE A in VPN A and CE B in VPN B both using 192.168.1.1/24 behind a NAT device at 202.130.65.1/24; twice NAT between private host A (IPa) and public host B (IPb) with a DNS server.]
Twice NAT translates source and destination IP addresses at the same time.
Twice NAT can be used when the IP addresses of private hosts are the same as
those of public hosts.
Endpoint-independent mapping: NAT reuses the port mapping for subsequent packets
sent from the same internal IP address and port to any external IP address and port.
Address-dependent mapping: NAT reuses the port mapping for subsequent packets
sent from the same internal IP address and port to the same external IP address,
regardless of the external port.
Address and port-dependent mapping: NAT reuses the port mapping for subsequent
packets sent from the same internal IP address and port to the same external IP
address and port while the mapping is still active.
The AR supports endpoint-independent mapping and address and port-dependent mapping.
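The three mapping behaviours above (and the filtering behaviours that pair with them) decide when a NAPT device reuses an existing public port and which inbound packets it lets through. The following is an added example, not code from the Huawei document: a minimal NAPT table with a constructed public address (3.3.3.10) and a constructed internal host, showing how each behaviour changes the port allocated for the same internal socket.

```python
# Added example (not from the document): a minimal NAPT table implementing
# the three mapping behaviours and the matching filtering behaviours.
# All addresses and ports are constructed for the example.

MODES = ("endpoint-independent", "address-dependent", "address-and-port-dependent")

class Napt:
    def __init__(self, mapping, filtering, public_ip="3.3.3.10", first_port=10000):
        assert mapping in MODES and filtering in MODES
        self.mapping, self.filtering = mapping, filtering
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}   # mapping key -> public port
        self.peers = {}   # public port -> (internal (ip, port), set of external (ip, port))

    def _key(self, src, dst):
        # The mapping behaviour decides how much of the destination is part of the key.
        if self.mapping == "endpoint-independent":
            return src
        if self.mapping == "address-dependent":
            return src + (dst[0],)
        return src + dst

    def outbound(self, src, dst):
        """Translate internal (ip, port) to (public_ip, public_port); allocate if needed."""
        key = self._key(src, dst)
        port = self.table.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = port
            self.peers[port] = (src, set())
        self.peers[port][1].add(dst)          # remember the external endpoint used
        return (self.public_ip, port)

    def inbound(self, ext, public_port):
        """Return the internal (ip, port) for a packet from ext, or None if filtered."""
        entry = self.peers.get(public_port)
        if entry is None:
            return None                       # no mapping: always dropped
        src, seen = entry
        if self.filtering == "endpoint-independent":
            return src
        if self.filtering == "address-dependent":
            return src if any(ext[0] == p[0] for p in seen) else None
        return src if ext in seen else None

def demo(mapping, filtering="address-and-port-dependent"):
    """Public ports allocated for one internal socket talking to three external endpoints."""
    nat = Napt(mapping, filtering)
    host = ("10.1.1.2", 5000)
    return [nat.outbound(host, dst)[1]
            for dst in (("8.8.8.8", 53), ("8.8.8.8", 443), ("9.9.9.9", 53))]
```

Endpoint-independent mapping yields the same public port for all three flows, address-dependent mapping allocates a new port only when the external address changes, and address and port-dependent mapping allocates a new port for every distinct external endpoint.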
Address-dependent filtering
1. FTP: An FTP session consists of a control connection and a data connection. The server listens for the control connection on port 21; the data connection is negotiated between the server and the client.
2. Two control commands within the FTP negotiation set up the data connection: the FTP data connection uses the port negotiated over the control connection
Basic NAT, NAPT, Easy IP
NAT Server, Static NAT/PAT, Twice NAT
NAT-ALG (DNS, DNS mapping, FTP, ICMP, SIP, RTSP)
NAT Multi-instance
NAT Filter, NAT Mapping
As shown in Figure, the network of Company A is connected to the WAN through the
NAT function of the AR. Company A provides a WWW server to support access from
public network users. The private IP address of the WWW server is 192.168.20.2:8080
and the external IP address of the WWW server is 202.169.10.5/24.
The network of Company B is connected to the WAN through the NAT function of the
AR. Company B provides an FTP server to support access from public network users.
The private IP address of the FTP server is 10.0.0.3/24 and the public IP address of
the FTP server is 202.169.10.33/24.
Configuration text:
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
As shown in Figure, the network of Company A is connected to the WAN through the NAT
function of the AR. To ensure the security of the network of Company A, the IP addresses in the
public IP address pool (202.169.10.100–202.169.10.200) are used to replace the private host IP
addresses (on the 192.168.20.0 network segment) of Company A when accessing the WAN server.
The network of Company B is connected to the WAN through the NAT function of the AR. To
ensure the security of the network of Company B and because the public IP address pool of
Company B is insufficient, the IP addresses in the public IP address pool (202.169.10.80–
202.169.10.83) and port numbers are both translated to replace the private host IP addresses (on
the 10.0.0.0 network segment) of Company B when accessing the WAN servers.
[Figure residue: two topologies in which PC A (192.168.1.11/24), PC B (192.168.1.13/24) and PC C (192.168.1.100/24) connect through the AR, with public-side addresses 202.130.65.1/24 and 202.130.65.11/24, to a Server.]