NetEngine AR600,
AR6000 Series Routers
NAT Feature Description
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD. HUAWEI Confidential


Objective
By studying this course, you will:
• Know the principle of NAT
• Know the application of NAT



Content
Chap1 Feature Description of NAT

Chap2 NAT Implementation of AR

Chap3 NAT Configuration of AR

Chap4 NAT Applications of AR



Feature Description of NAT

• NAT description, Basic NAT, PAT, NAT Server, NAT Multi-instance, Static NAT/PAT, Easy IP, DNS Mapping, Twice NAT, ALG, NAT Filter, NAT Mapping



What is NAT

• Network address translation (NAT) translates the IP address in the header of an IP datagram to another IP address, enabling users on private networks to access public networks. Through NAT, many private addresses can be translated to a few public addresses, which mitigates the shortage of IP addresses.



Basic NAT Process
• As shown in the figure, the basic NAT procedure is as follows:

• The NAT device receives, from a host on the private network, a packet requesting access to a server on the public network.
• The NAT device selects an idle public IP address (for example, 3.3.3.10) from the IP address pool to replace the source private IP address (10.1.1.2) in the packet, records the mapping between 3.3.3.10 and 10.1.1.2, and then sends the packet to the public network.
• After receiving the response packet from the public network, the NAT device looks up the saved mapping between the public IP address and the private IP address based on the destination IP address (3.3.3.10) in the response packet, replaces the destination IP address with 10.1.1.2, and then sends the response packet to the private network.

Figure: private network, NAT device with IP address pool, public network



Basic NAT
• Basic NAT is a form of one-to-one address translation. In this mode, only IP addresses are translated; TCP/UDP port numbers are not translated. One public IP address cannot be shared by multiple private network users.

Figure: private network, NAT device with IP address pool, public network



NAPT (PAT)
• Basic NAT does not support address reuse, and therefore cannot address the scarcity of public IP addresses. NAPT avoids this problem.
• NAPT is a form of many-to-one address translation. By translating on IP address + port number, NAPT enables multiple private network users to access a public network through one public IP address. NAPT is therefore the most common mode of address translation.

Figure: private network, NAT device with IP address pool, public network
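The one-to-one and many-to-one behaviour described above, as an added example in Python that is not part of the Huawei slides or the AR's code: the BasicNat class models basic NAT (one pool address per private host, ports untouched, no address reuse) and the Napt class models NAPT (the translation key is IP + port, so one public address is shared). The 198.51.100.1 server address and the port numbers are constructed sample values; 3.3.3.10 and the 10.1.1.x hosts follow the slide.

```python
"""Added example: a minimal simulation of basic NAT (one-to-one, address only)
and NAPT (many-to-one, address + port) as the slides describe them. Not code
from the Huawei slides or the AR; all addresses are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


class BasicNat:
    """One-to-one: each private IP consumes one pool address; ports are untouched.
    A second private host cannot share a pool address that is already in use."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.out: Dict[str, str] = {}   # private IP -> public IP
        self.back: Dict[str, str] = {}  # public IP -> private IP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        priv_ip, port = pkt.src
        pub_ip = self.out.get(priv_ip)
        if pub_ip is None:
            if not self.free:
                return None  # pool exhausted: basic NAT has no address reuse
            pub_ip = self.free.pop(0)
            self.out[priv_ip] = pub_ip
            self.back[pub_ip] = priv_ip
        return Packet((pub_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        pub_ip, port = pkt.dst
        priv_ip = self.back.get(pub_ip)
        if priv_ip is None:
            return None  # no mapping: unsolicited packet is dropped
        return Packet(pkt.src, (priv_ip, port))


class Napt:
    """Many-to-one: the translation key is (IP, port), so one public address
    serves many private hosts by handing out distinct public ports."""

    def __init__(self, public_ip: str, first_port: int = 10240):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Endpoint, Endpoint] = {}   # private (ip, port) -> public (ip, port)
        self.back: Dict[Endpoint, Endpoint] = {}  # public (ip, port) -> private (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        mapped = self.out.get(pkt.src)
        if mapped is None:
            mapped = (self.public_ip, self.next_port)
            self.next_port += 1
            self.out[pkt.src] = mapped
            self.back[mapped] = pkt.src
        return Packet(mapped, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.back.get(pkt.dst)
        if priv is None:
            return None
        return Packet(pkt.src, priv)


def demo_basic_nat():
    """Two private hosts, a one-address pool: the second host gets no translation."""
    nat = BasicNat(pool=["3.3.3.10"])
    server = ("198.51.100.1", 80)  # constructed public server address
    first = nat.outbound(Packet(("10.1.1.2", 40000), server))
    second = nat.outbound(Packet(("10.1.1.3", 40001), server))
    reply = nat.inbound(Packet(server, ("3.3.3.10", 40000)))
    return first, second, reply


def demo_napt():
    """The same two hosts, even using the same private port, share one public address."""
    nat = Napt("3.3.3.10")
    server = ("198.51.100.1", 80)
    first = nat.outbound(Packet(("10.1.1.2", 40000), server))
    second = nat.outbound(Packet(("10.1.1.3", 40000), server))
    reply_to_second = nat.inbound(Packet(server, second.src))
    return first, second, reply_to_second


if __name__ == "__main__":
    print(demo_basic_nat())
    print(demo_napt())
```

Running the two demos side by side shows the slide's point directly: basic NAT refuses the second host once the single pool address is taken, while NAPT carries both hosts on 3.3.3.10 and still routes each reply back to the right private endpoint.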



NAT Server
• In real-world applications, public network users want to actively access private servers. In basic NAT or NAPT mode, the destination IP addresses in packets sent by public network users cannot be mapped to private IP addresses, so public network users cannot actively access a private server.
• In NAT server mode, public network users can actively access private servers because the mappings between public IP addresses/port numbers and private IP addresses/port numbers are configured statically. The NAT device translates the public IP addresses into private IP addresses.

Figure: router between the private and public networks with the static mappings 4.4.4.4:80->10.1.1.2:80 (http server 10.1.1.2) and 4.4.4.4:21->10.1.1.3:21 (ftp server 10.1.1.3)



NAT Multi-instance
• NAT allows users of different VPNs to access external networks through the same egress. In addition, users in different VPNs with the same IP address can access external networks.
• For example, host A in VPN 1 and host B in VPN 2 both have the IP address 10.1.1.1, and both want to access the same server on an external network. NAT takes the VPN instance as an additional matching condition and translates host A and host B to different public IP addresses, so hosts on the public network can reach host A and host B separately.

Figure: CE A in VPN A and CE B in VPN B, both numbered 192.168.1.1/24, reach the public network through the NAT egress using the public addresses 202.110.10.1/24 and 202.130.65.1/24



Static NAT/PAT

Figure: host A (IPa) and host B (IPb) behind the AR/firewall, host C (IPc) on the public side; static NAT mappings IPa<->IP1 and IPb<->IP2.
Flow from host A to host C: S IP: IPa D IP: IPc on the private side becomes S IP: IP1 D IP: IPc on the public side.
Flow from host C to host A: S IP: IPc D IP: IP1 on the public side becomes S IP: IPc D IP: IPa on the private side.
Flow from host B to host C: S IP: IPb D IP: IPc becomes S IP: IP2 D IP: IPc.
Flow from host C to host B: S IP: IPc D IP: IP2 becomes S IP: IPc D IP: IPb.

• Static NAT/PAT mappings are configured by the user
• Static PAT includes translation of TCP/IP ports
• Static NAT/PAT involves network address control by using an ACL


Easy IP
• In easy IP mode, the public IP address of an interface is used directly as the translated source IP address. Because the IP address of the outbound interface can be obtained dynamically, easy IP applies to scenarios where the outbound interface obtains its public IP address through dialup or the Dynamic Host Configuration Protocol (DHCP).
• When the NAT device performs traditional source NAT, a NAT address pool containing public IP addresses must be configured. When the private network is small and only a limited number of public IP addresses is available, public IP addresses can be conserved by using the public IP address of the external interface of the NAT device as the translated source IP address.

Figure: private host A (IPa) sends a packet with source IPa and destination IPb; the NAT device rewrites the source to its interface address IPc; public host B (IPb) replies to IPc, and the NAT device rewrites the destination back to IPa



DNS mapping
• In real-world applications, users on a private network want to access a server on the same private network by the server's domain name, but the DNS server is on the public network. The DNS response normally carries the public IP address of the private server, so private network users cannot access private servers by domain name unless the NAT device processes that public IP address.
• In DNS mapping mode, private network users can access private servers by domain name: a mapping table of domain name, public IP address, public port, and protocol type is configured, establishing the mapping between the domain name of each private server and its public network information.

Figure: the NAT device translates the DNS response message



Twice NAT

Figure: private host A, the NAT device, public host B, and a DNS server on the public network. Configuration shown in the figure:
• Configure the global mapping between the overlapping IP address pool and the temporary IP address pool (1.1.1.0–3.3.3.0, with a 24-bit mask)
• Configure common NAT outbound
• Enable the DNS NAT-ALG function

• Twice NAT translates source and destination IP addresses at the same time. Twice NAT can be used when the IP addresses of private hosts are the same as those of public hosts.
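A worked simulation of the twice NAT scenario in the figure, added here as an example; it is not code from the slides or the AR. It assumes a private segment 192.168.1.0/24 that overlaps the public host's real address, a temporary pool 1.1.1.0/24 (the first of the slide's temporary pools, 24-bit mask) and the constructed NAT outbound address 202.130.65.1. The dns_alg method stands in for the DNS NAT-ALG function and the TwiceNat class for the overlap-to-temporary-pool mapping, so the DNS answer is first moved out of the overlapping range and every later packet then has both its source and its destination translated.

```python
"""Added example: twice NAT for overlapping private and public addresses, as the
slide describes it. Not code from the Huawei slides or the AR; the networks,
the public address and the ports are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


class TwiceNat:
    """Overlapping range <-> temporary pool mapping plus ordinary source NAPT."""

    def __init__(self, overlap_net: str, temp_net: str, public_ip: str, first_port: int = 10240):
        self.overlap = ipaddress.ip_network(overlap_net)  # private range that the public host also uses
        self.temp = ipaddress.ip_network(temp_net)        # addresses the private host is told to use instead
        if self.overlap.prefixlen != self.temp.prefixlen:
            raise ValueError("overlap pool and temporary pool must be the same size")
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Endpoint, Endpoint] = {}   # private (ip, port) -> public (ip, port)
        self.back: Dict[Endpoint, Endpoint] = {}  # public (ip, port) -> private (ip, port)

    def _shift(self, ip: str, src_net, dst_net) -> str:
        """Move an address from one pool to the same offset in the other pool."""
        offset = int(ipaddress.ip_address(ip)) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def dns_alg(self, answer_ip: str) -> str:
        """DNS NAT-ALG: an A record that points into the overlapping range is
        rewritten to the temporary pool so the private host routes it to the NAT device."""
        if ipaddress.ip_address(answer_ip) in self.overlap:
            return self._shift(answer_ip, self.overlap, self.temp)
        return answer_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Translate source (NAPT) and destination (temporary -> real) together."""
        public = self.out.get(pkt.src)
        if public is None:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            self.out[pkt.src] = public
            self.back[public] = pkt.src
        dst_ip, dst_port = pkt.dst
        if ipaddress.ip_address(dst_ip) in self.temp:
            dst_ip = self._shift(dst_ip, self.temp, self.overlap)
        return Packet(public, (dst_ip, dst_port))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse both translations for the reply; drop packets with no session."""
        private = self.back.get(pkt.dst)
        if private is None:
            return None
        src_ip, src_port = pkt.src
        if ipaddress.ip_address(src_ip) in self.overlap:
            src_ip = self._shift(src_ip, self.overlap, self.temp)
        return Packet((src_ip, src_port), private)


def demo():
    """Private host 192.168.1.2 reaches public host B, whose real address 192.168.1.10
    collides with the private segment."""
    nat = TwiceNat("192.168.1.0/24", "1.1.1.0/24", "202.130.65.1")
    resolved = nat.dns_alg("192.168.1.10")  # what the private host sees in the DNS reply
    request = nat.outbound(Packet(("192.168.1.2", 40000), (resolved, 80)))
    reply = nat.inbound(Packet(request.dst, request.src))
    return resolved, request, reply


if __name__ == "__main__":
    print(demo())
```

Without the DNS ALG step the private host would send its request to 192.168.1.10 on its own segment and the packet would never reach the NAT device; the temporary address is what makes the destination translation possible.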



NAT mapping
• NAT is widely used on the Internet because of the shortage of Internet Protocol version 4 (IPv4) addresses and for security reasons. Different vendors implement NAT differently, and as a result applications that rely on Simple Traversal of UDP through NAT (STUN), Traversal Using Relay NAT (TURN), and Interactive Connectivity Establishment (ICE) cannot traverse NAT. STUN, TURN, and ICE are widely used in software such as SIP proxies, so NAT mapping must be implemented in a well-defined way to let this software traverse NAT and allow multiple applications to work consistently.



NAT mapping
• The following three NAT mapping types are available:

• Endpoint-independent mapping: NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
• Address-dependent mapping: NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address, regardless of the external port.
• Address and port-dependent mapping: NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.
• The AR supports endpoint-independent mapping (independent of the public IP address) and address and port-dependent mapping (tied to the public IP address and port).



NAT filter
• A NAT device provides the NAT filtering function to filter packets sent from a public network to a private network. The following three NAT filtering types are available:
• Endpoint-independent filtering
• Address-dependent filtering
• Address and port-dependent filtering
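The three mapping types and the three filtering types above, as an added Python simulation that is not from the slides or the AR: NatBehaviour takes a mapping mode and a filtering mode, shows which outbound flows share a public port, and shows which inbound packets the filter drops. All addresses are constructed; the mode names are the slide's, which correspond to the RFC 4787 terms.

```python
"""Added example: a simulation of the three NAT mapping behaviours and the three
NAT filtering behaviours named on the slides (RFC 4787 terminology). Not code
from the Huawei slides or the AR; all addresses are constructed sample values."""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

MODES = ("endpoint-independent", "address-dependent", "address-and-port-dependent")


class NatBehaviour:
    def __init__(self, public_ip: str, mapping: str, filtering: str, first_port: int = 1024):
        if mapping not in MODES or filtering not in MODES:
            raise ValueError("unknown mapping or filtering mode")
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self.next_port = first_port
        self.mappings: Dict[tuple, Endpoint] = {}           # mapping key -> public endpoint
        self.owner: Dict[Endpoint, Endpoint] = {}           # public endpoint -> internal endpoint
        self.contacted: Dict[Endpoint, Set[Endpoint]] = {}  # public endpoint -> externals it sent to

    def _key(self, internal: Endpoint, external: Endpoint) -> tuple:
        # The mapping mode decides how much of the external endpoint is part of the key
        if self.mapping == "endpoint-independent":
            return (internal,)
        if self.mapping == "address-dependent":
            return (internal, external[0])
        return (internal, external)

    def outbound(self, internal: Endpoint, external: Endpoint) -> Endpoint:
        """Return the public endpoint used for this internal -> external packet."""
        key = self._key(internal, external)
        public = self.mappings.get(key)
        if public is None:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            self.mappings[key] = public
            self.owner[public] = internal
            self.contacted[public] = set()
        self.contacted[public].add(external)
        return public

    def inbound(self, external: Endpoint, public: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint a packet from external to public is forwarded to,
        or None when the NAT filter drops it."""
        internal = self.owner.get(public)
        if internal is None:
            return None  # no mapping at all
        seen = self.contacted[public]
        if self.filtering == "endpoint-independent":
            allowed = True
        elif self.filtering == "address-dependent":
            allowed = any(ext[0] == external[0] for ext in seen)
        else:
            allowed = external in seen
        return internal if allowed else None


def demo(mapping: str, filtering: str):
    """One internal host talks to two peers; then two inbound packets probe the first mapping."""
    nat = NatBehaviour("3.3.3.10", mapping, filtering)
    host = ("10.1.1.2", 5060)
    p1 = nat.outbound(host, ("198.51.100.1", 5060))
    p2 = nat.outbound(host, ("198.51.100.1", 5062))  # same peer IP, other port
    p3 = nat.outbound(host, ("203.0.113.7", 5060))   # different peer IP
    stranger = nat.inbound(("192.0.2.9", 3478), p1)           # never contacted
    known_ip_new_port = nat.inbound(("198.51.100.1", 9999), p1)
    return p1, p2, p3, stranger, known_ip_new_port


if __name__ == "__main__":
    for mode in MODES:
        print(mode, demo(mode, mode))
```

The combination matters for both reachability and exposure: endpoint-independent mapping with endpoint-independent filtering is what STUN-based traversal needs, but it also means any public host that learns the public port can deliver packets to the private host, whereas address and port-dependent behaviour only admits the exact peer the host has already spoken to.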



ALG
• NAT and NAPT translate only the IP address in the IP packet header and the port number in the TCP/UDP packet header. For certain special protocols such as ICMP and FTP, the data field of the packet may contain an IP address or port number that NAT does not translate. This can cause problems.
• For example, an FTP server that uses a private IP address may need to send its own IP address to a public host when setting up a session with that host. The IP address is carried in the data field of the IP packet and is not translated by NAT. When the public host tries to use this private IP address, the FTP server is unreachable.



ALG
• The problems NAT has with these special protocols are solved by the ALG function in the NAT implementation. An ALG is a translation proxy for a specific application protocol. It interacts with the NAT device to maintain connection status, uses the NAT device's status information to change the relevant data in the data field of IP packets, and performs the required processing. The ALG function enables packets of application protocols to travel across different networks.
• ALG can handle protocols such as DNS, FTP, ICMP, RTSP, NBT, ILS, SIP, SQLNET, PPTP, H.323 (including RAS, H.225, H.245), QQ, MSN, etc. (The current version only supports FTP, DNS, ICMP, SIP, and RTSP.)



Principle of FTP (1)

• 1: An FTP session consists of a control connection and a data connection. The server listens for the control connection on port 21; the data connection is set up through negotiation between server and client.
• 2: Two commands on the control connection negotiate the data connection:

PORT: the client binds a port and the server initiates the data connection

PASV: the server binds a port and the client initiates the data connection
• 3: For example, the client sends "PORT 10,110,1,23,4,10" to the server, meaning the client is listening on 10.110.1.23:1034 (port = 4 × 256 + 10).



Principle of FTP (2)

Figure: the FTP data connection uses the port negotiated over the control connection



FTP ALG (1)
• When the NAT device receives a PORT command from a host on the private network that sets up a data connection, it works as follows:
• Translate the private IP address/port number into an IP address/port number from the address pool.
• Allocate an available IP address/port number pair from the address pool, and record the relationship between this pair and the private IP address/port number.
• Replace the IP address/port number pair in the packet so that the FTP server on the public network connects to the translated IP address/port number pair when building the data connection.



FTP ALG (2)

Figure: how the NAT device handles the FTP PORT command (FTP client, NAT device, FTP server)
client -> NAT: PORT 10,1,1,200,4,3        NAT -> server: PORT 162,105,178,65,64,1
server -> client: 200 Port command OK
client -> server: RETR index.txt
server -> client: 150 Opening ASCII connection
data connection: client:1027 <- host:2049 (private side), nat server:16385 <- host:2049 (public side)
Temporary FTP server mapping: 162.105.178.65:16385 -> 10.1.1.200:1027
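The PORT rewriting and temporary server mapping shown in the figure, as an added Python example that is not code from the slides or the AR: parse_port decodes the six-number PORT argument (it also covers the 10,110,1,23,4,10 example from the FTP principle slide), FtpAlg.handle_port rewrites the client's private address/port to the public pair and records the temporary mapping, and inbound_data resolves the server's data connection back to the private host. The address values follow the slide; the check that the address inside PORT matches the source of the control connection is an added hardening assumption of this example, not a feature the slides claim for the AR.

```python
"""Added example: an FTP ALG that parses and rewrites the PORT command and installs
the temporary server mapping the slide shows. Not code from the Huawei slides or
the AR; the addresses are the slide's sample values, used here as constructed data."""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line: str) -> Endpoint:
    """'PORT h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ep: Endpoint) -> str:
    """Inverse of parse_port: ('1.2.3.4', 1027) -> 'PORT 1,2,3,4,4,3'."""
    ip, port = ep
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Rewrites PORT on the way out and records public -> private for the data connection."""

    def __init__(self, public_ip: str, first_port: int = 16385):
        self.public_ip = public_ip
        self.next_port = first_port
        self.temp_servers: Dict[Endpoint, Endpoint] = {}  # public (ip, port) -> private (ip, port)

    def handle_port(self, line: str, control_src_ip: str) -> str:
        """Translate the client's PORT argument. The private address inside the command
        must be the client's own address on the control connection (added check,
        assumption of this example): otherwise the ALG would open an inbound mapping
        towards a third host on the client's behalf."""
        private = parse_port(line)
        if private[0] != control_src_ip:
            raise ValueError("PORT address does not match control-connection source")
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.temp_servers[public] = private  # the temporary NAT server entry
        return format_port(public)

    def inbound_data(self, dst: Endpoint) -> Optional[Endpoint]:
        """Where the server's data connection to a public endpoint is delivered, if anywhere."""
        return self.temp_servers.get(dst)


def demo():
    """Replays the slide: the client announces 10.1.1.200:1027, the server is told 162.105.178.65:16385."""
    alg = FtpAlg("162.105.178.65")
    rewritten = alg.handle_port("PORT 10,1,1,200,4,3\r\n", control_src_ip="10.1.1.200")
    target = alg.inbound_data(parse_port(rewritten))
    return rewritten, target


if __name__ == "__main__":
    print(demo())
```

The mapping installed by handle_port is exactly the "temporary FTP server" entry in the figure, which is why the slides list FTP among the protocols that need an ALG: without it the server would try to connect to 10.1.1.200:1027 and fail.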



Chap2 NAT Implementation of AR


NAT Implementation

• NAT is implemented on the MPU of the AR. The implementation is divided into a forwarding element and a control element on the multicore CPU. Packets complete NAT processing on the forwarding element and go to the control element only when ALG processing is needed.



NAT Implementation of AR
• Features of NAT:

• Basic NAT, NAPT, Easy IP
• NAT Server, Static NAT/PAT, Twice NAT
• NAT-ALG (DNS, DNS mapping, FTP, ICMP, SIP, RTSP)
• NAT Multi-instance
• NAT Filter, NAT Mapping



Chap3 NAT Configuration of AR


NAT Configuration
• Configure the address pool:
  • Run nat address-group group-index start-address end-address to configure the public address pool.
• Associate an ACL with the address pool:
  • In the system view, run interface interface-type interface-number.subnumber to enter the interface view.
  • Run nat outbound acl-number [ address-group group-number [ no-pat ] ] to associate the ACL with the address pool.

• Configure Easy IP:
  • In the system view, run interface interface-type interface-number.subnumber to enter the interface view.
  • Run nat outbound acl-number to configure Easy IP.

• Configure the local server:
  • In the system view, run interface interface-type interface-number.subnumber to enter the interface view.
  • Run one of these commands to configure the NAT local server:
  • nat server protocol { protocol-number | tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl INTEGER<2000-3999> ] [ description text<S> ]
  • nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl INTEGER<2000-3999> ] [ description text<S> ]



NAT Configuration
• Configure Static NAT:
  • In the system view, run interface interface-type interface-number.subnumber to enter the interface view.
  • Run one of these commands to configure Static NAT:
  • nat static protocol { protocol-number | tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl INTEGER<2000-3999> ] [ description text<S> ]
  • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl INTEGER<2000-3999> ] [ description text<S> ]
• Enable NAT ALG:
  • Run nat alg { all | dns | ftp | sip | rtsp } enable to enable NAT ALG.
• Configure DNS Mapping:
  • Run nat dns-map domain-name global-address global-port { tcp | udp } to configure DNS mapping.
• Configure Twice NAT:
  • Run nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ] to configure Twice NAT.



NAT Configuration
• Configure the NAT filter:
  • Run nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent } to configure the NAT filter mode.
• Configure NAT mapping:
  • Run nat mapping-mode endpoint-independent [ tcp | udp ] [ dest-port ] to configure the NAT mapping mode.
• Delete NAT sessions:
  • Run reset nat session { all | transit interface interface-name } to delete all NAT sessions or the sessions of one interface.
• Delete all sessions:
  • Run reset session all to delete all NAT sessions.
• Delete firewall sessions:
  • Run reset firewall session all to delete the firewall sessions.



Accessing a Private Server from a Public Host

Figure: Company A and Company B each connect to the WAN through an AR running NAT

• As shown in the figure, the network of Company A is connected to the WAN through the NAT function of the AR. Company A provides a WWW server for public network users. The private address of the WWW server is 192.168.20.2:8080 and its external IP address is 202.169.10.5/24.
• The network of Company B is connected to the WAN through the NAT function of the AR. Company B provides an FTP server for public network users. The private IP address of the FTP server is 10.0.0.3/24 and its public IP address is 202.169.10.33/24.



NAT Server Configuration
• Configuration roadmap
  • Configure IP addresses on the interfaces, then configure NAT Server on the WAN-side interface so that public hosts can reach the internal servers.
  • Enable the FTP NAT ALG so that FTP access works across the NAT.

• Configuration text:
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0

#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/1
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
return

NAT Server Configuration
• Check the configuration: run display nat server:
[Huawei] display nat server
Nat Server Information:
Interface : GigabitEthernet0/0/1
Global IP/Port : 202.169.10.5/80(www)
Inside IP/Port : 192.168.20.2/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----

Global IP/Port : 202.169.10.33/21(ftp)
Inside IP/Port : 10.0.0.3/21(ftp)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----

Total : 2



Accessing a Public Server from a Private Host

Figure: Company A and Company B connect to a WAN server through ARs running NAT

• As shown in the figure, the network of Company A is connected to the WAN through the NAT function of the AR. To secure the network of Company A, the IP addresses in the public IP address pool (202.169.10.100–202.169.10.200) replace the private host IP addresses (on the 192.168.20.0 network segment) of Company A when they access the WAN server.
• The network of Company B is connected to the WAN through the NAT function of the AR. To secure the network of Company B, and because Company B's public IP address pool is too small, both the IP addresses in the public IP address pool (202.169.10.80–202.169.10.83) and the port numbers are translated to replace the private host IP addresses (on the 10.0.0.0 network segment) of Company B when they access the WAN servers.



NAT Outbound Configuration
• Configuration roadmap
  • Configure IP addresses
  • Configure NAT Outbound on the WAN-side interface so that the private hosts can access the public server.
• Configuration text
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit source 10.0.0.0 0.0.0.255
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0

interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/1
ip address 202.169.10.1 255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
return

NAT Outbound Configuration
• Check the configuration: run display nat outbound on the AR:


[Huawei] display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface Acl Address-group/IP Type
-----------------------------------------------------------------
GigabitEthernet0/0/1 2000 1 no-pat
GigabitEthernet0/0/1 2001 2 pat
-----------------------------------------------------------------
Total : 2



Chap4 NAT Applications of AR


Hosts on the Private Network Access Servers on the Public Network
• When planning the private networks of many communities, schools, and companies, private network users are given private IP addresses because of the limited number of public IP addresses. NAT enables these private network users to access public networks. As shown in the figure, configuring NAT allows the private hosts to access the server on the public network.

Figure: PC A (192.168.1.11/24), PC B (192.168.1.13/24), and PC C (192.168.1.100/24) reach the server through the AR, whose public address is 202.130.65.1/24



Hosts on the Public Network Access Servers on the Private Network
• In certain scenarios, servers inside private networks, such as Web servers and FTP servers, need to provide services to public networks. The NAT server mode supports this type of application.
• As shown in the figure, configuring NAT Server with the "public IP address and port number" and the "private IP address and port number" allows a public host to access the private server.

Figure: PC A (192.168.1.11/24), PC B (192.168.1.13/24), and the server (192.168.1.100/24) sit behind the AR; PC C on the public network reaches the server through the public address 202.130.65.11/24



Accessing a Private Server from a Private Host Through the Domain Name
• In DNS mapping mode, private network users can access private servers by domain name: a mapping table of domain name, public IP address, public port, and protocol type is configured, establishing the mapping between the domain name of each private server and its public network information.
• As shown in the figure, PC A and PC B (private hosts) can directly access the private server through www.hi.com in DNS mapping mode.

Figure: the NAT device translates the DNS response message



Summary

One of the problems the Internet faces is the shortage of IP addresses. NAT not only conserves IP addresses but also effectively avoids attacks from public networks and hides and protects the computers inside networks.



Thank you
www.huawei.com
