F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Configuration Guide-6PW100

Easy IP
Easy IP uses the public IP address of an interface on the device as the translated source address to save
IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.
NAT support for VPNs
NAT allows users from different VPNs to access external networks through the same outbound interface,
and allows the VPN users to use the same private address space.
1. Upon receiving a request from a VPN to an external network, NAT replaces the private source IP
address and port number with a public IP address and port number, and records the VPN
information.
2. When the response packet arrives, NAT replaces the public destination IP address and port
number with the internal IP address and port number, and sends the packet to the target VPN.
This feature can also apply to internal servers so that external users can access an internal host of a VPN.
For example, suppose a host in VPN 1 needs to provide Web services for the Internet. It has a private
address of 10.110.1.1. To achieve this purpose, configure NAT to use 202.110.10.20 as the public IP
address of the host so that the Internet users can use this IP address to access Web services on the host.
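The two translation steps above, as an added Python model that is not part of the HP guide or the device's implementation: sessions are keyed by VPN, so hosts in different VPNs can share a private address and replies still return to the right VPN. The class and function names, the interface address 198.51.100.1, the host 10.110.1.5 and the port numbers are constructed for illustration; 10.110.1.1 and 202.110.10.20 are the values from the example above.

```python
from itertools import count


class VpnNat:
    """Toy VPN-aware NAPT table; sessions are keyed by (VPN, private IP, port)."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = count(first_port)  # next free public port
        self._out = {}       # (vpn, private ip, port) -> public port
        self._back = {}      # public port -> (vpn, private ip, port)
        self._servers = {}   # (public ip, port) -> (vpn, private ip, port)

    def outbound(self, vpn, src_ip, src_port):
        """Step 1: translate the source and record the originating VPN."""
        key = (vpn, src_ip, src_port)
        if key not in self._out:
            port = next(self._ports)
            self._out[key], self._back[port] = port, key
        return self.public_ip, self._out[key]

    def inbound(self, dst_ip, dst_port):
        """Step 2: restore the private destination and VPN (None: no mapping)."""
        if (dst_ip, dst_port) in self._servers:
            return self._servers[(dst_ip, dst_port)]
        return self._back.get(dst_port) if dst_ip == self.public_ip else None

    def add_internal_server(self, public_ip, port, vpn, private_ip):
        """Static mapping exposing a host inside a VPN to external users."""
        self._servers[(public_ip, port)] = (vpn, private_ip, port)


def demo():
    nat = VpnNat("198.51.100.1")  # constructed interface address
    # Two VPNs reuse the same private address and source port.
    a = nat.outbound("vpn1", "10.110.1.5", 40000)
    b = nat.outbound("vpn2", "10.110.1.5", 40000)
    # The page's internal-server example: Web host 10.110.1.1 in VPN 1.
    nat.add_internal_server("202.110.10.20", 80, "vpn1", "10.110.1.1")
    return {
        "a": a, "b": b,
        "reply_a": nat.inbound(*a), "reply_b": nat.inbound(*b),
        "web": nat.inbound("202.110.10.20", 80),
        "unsolicited": nat.inbound("198.51.100.1", 5555),
    }


if __name__ == "__main__":
    print(demo())
```

If the VPN were left out of the session key, the two hosts would collide on one entry and a reply could be delivered into the wrong VPN.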
Address translation
Address translation can be classified into dynamic and static NAT.
Dynamic NAT
A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL
with an address pool (or the address of an interface in the case of Easy IP). This association defines what
packets can use the addresses in the address pool (or the interface's address) to access the external
network. Dynamic NAT is applicable when a large number of internal users must access external
networks. An IP address is selected from the associated address pool to translate an outgoing packet.
After the session terminates, the selected IP address is released.
Dynamic NAT can meet external access requirements of a large number of users.
Static NAT
Mappings between external and internal network addresses are manually configured. Static NAT can
meet fixed access requirements of a few users.
Low-priority address pool
The following matrix shows the feature and hardware compatibility:
Hardware                Low-priority address pool compatible
F1000-A-EI/F1000-S-EI   Yes
F1000-E                 Yes
F5000                   Yes
Firewall module         Yes
U200-A                  Yes
U200-S                  No