Bidirectional NAT for internal-to-external access
Network requirements
As shown in Figure 54, the IP address of the Web server is 192.168.1.10, and it overlaps with internal network 192.168.1.0/24, where the hosts reside. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using its domain name.
Figure 54 Network diagram
Configuration considerations
This is a typical application of bidirectional NAT.
• When an internal host tries to access the external Web server by using the domain name, a DNS query is sent to the external DNS server. The server sends the internal host a response with the Web server's IP address, which overlaps with the internal network. To make sure the internal host reaches the Web server instead of an internal host with the same address, configure inbound dynamic NAT with ALG and DNS mapping so that NAT can translate the Web server's address in the DNS payload to a dynamically assigned NAT address.
• The internal host uses the NAT address as the destination address. When a packet from the internal host arrives at the NAT device, the source IP address overlaps with the real address of the Web server. Configure outbound dynamic NAT to translate the source IP address to a dynamically assigned NAT address.
• The NAT device has no route to the NAT address of the external Web server. Add a static route to the NAT address with GigabitEthernet 1/2 as the output interface.
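The following Python model is an added illustration of the three considerations above, not Comware code and not part of the configuration guide: the DNS ALG rewrites the overlapping A record to an inbound NAT address, and a packet from an internal host then has its source translated through the outbound pool while the destination is mapped back to the server's real address. The public addresses 202.38.1.2 and 202.38.1.3 are the page's own; the inbound address group 192.168.100.10-11 and the host addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed model of the scenario above; not Comware code or the guide's own example.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # segment permitted by ACL 2000
OUTBOUND_POOL = ["202.38.1.2", "202.38.1.3"]           # the company's public addresses (from the page)
INBOUND_POOL = ["192.168.100.10", "192.168.100.11"]    # NAT addresses for external servers (constructed)


class BidirectionalNat:
    """Simplified model of the inbound and outbound dynamic NAT the page describes.

    Real dynamic NAT also translates ports so many hosts share one address;
    this model hands out one pool address per mapping to keep the flow visible.
    """

    def __init__(self) -> None:
        self.free_in = list(INBOUND_POOL)
        self.free_out = list(OUTBOUND_POOL)
        self.inbound: Dict[str, str] = {}   # NAT address -> real external address
        self.outbound: Dict[str, str] = {}  # internal host -> public source address

    def dns_alg(self, answer_ip: str) -> str:
        """Inbound NAT with DNS ALG: rewrite an A record that overlaps the internal network."""
        if ipaddress.ip_address(answer_ip) not in INTERNAL_NET:
            return answer_ip  # no overlap, the payload is left alone
        for nat_ip, real in self.inbound.items():
            if real == answer_ip:
                return nat_ip  # reuse the existing mapping
        if not self.free_in:
            raise RuntimeError("inbound address group exhausted")
        nat_ip = self.free_in.pop(0)
        self.inbound[nat_ip] = answer_ip
        return nat_ip

    def forward_outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet from an internal host towards a NAT address: returns (new src, new dst),
        or None when no translation applies (source outside ACL 2000 or unknown destination)."""
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            return None
        real_dst = self.inbound.get(dst)  # the mapping the DNS ALG created
        if real_dst is None:
            return None
        if src not in self.outbound:  # outbound dynamic NAT: pick a public address
            if not self.free_out:
                raise RuntimeError("outbound address group exhausted")
            self.outbound[src] = self.free_out.pop(0)
        return self.outbound[src], real_dst
```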
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable NAT with ALG and DNS.
<Router> system-view
[Router] nat alg dns
# Configure ACL 2000, and create a rule to permit packets only from segment 192.168.1.0/24 to pass through.
[Router] acl number 2000
[Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2000] quit
# Create address group 1.