F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Configuration Guide-6PW100
Table Of Contents
- Title Page
- Table of Contents
- Configuring NAT
- Overview
- Configuration guidelines
- Configuring NAT in the Web interface
- Recommended configuration procedure
- Creating an address pool
- Configuring dynamic NAT on an interface
- Creating a static address mapping
- Enabling static NAT on an interface
- Configuring an internal server
- Configuring ACL-based NAT on the internal server
- Configuring DNS mapping
- NAT configuration example
- Internal server configuration example
- Configuring NAT at the CLI
- NAT configuration task list
- Configuring static NAT
- Configuring dynamic NAT
- Configuring an internal server
- Configuring ACL-based NAT on an internal server
- Configuring DNS mapping
- Displaying and maintaining NAT
- One-to-one static NAT configuration example
- Dynamic NAT configuration example
- Common internal server configuration example
- NAT DNS mapping configuration example
- Troubleshooting NAT
- Configuring NAT-PT
- Feature and hardware compatibility
- Overview
- NAT-PT configuration task list
- Configuration prerequisites
- Enabling NAT-PT
- Configuring a NAT-PT prefix
- Configuring IPv4/IPv6 address mappings on the IPv6 side
- Configuring IPv4/IPv6 address mappings on the IPv4 side
- Setting the ToS field after NAT-PT translation
- Setting the traffic class field after NAT-PT translation
- Configuring static NAPT-PT mappings of IPv6 servers
- Displaying and maintaining NAT-PT
- NAT-PT configuration examples
- Troubleshooting NAT-PT
- NAT444
- Configuring ALG
- Support and other resources
- Index
2
The NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from the external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT also has the following disadvantages:
• Because NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also
true to the application protocol packets when the contained IP address or port number needs to be
translated. For example, you cannot encrypt an FTP connection, or its port command cannot work
correctly.
• Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is harder to pinpoint the attacking host because the host IP address has
been hidden.
41BNAT control
Typically, an enterprise allows some hosts in the internal network to access external networks and
prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP
address is among addresses denied, the NAT device does not translate the address. In addition, the NAT
device only translates private addresses to specified public addresses.
You can achieve NAT control through an access control list (ACL) and an address pool.
• Only packets matching the ACL rules are served by NAT.
• An address pool is a collection of consecutive public IP addresses for address translation. You can
specify an address pool based on the number of available public IP addresses, the number of
internal hosts, and network requirements. The NAT device selects an address from the address pool
as the public address of an IP packet.
42BNAT operation
102BBasic NAT
As shown in 224HFigure 1, when an internal host accesses an external network, the NAT device uses a public
IP address to replace the private source IP address. In
225HFigure 1, NAT uses the IP address of the outgoing
interface as the public IP address. All internal hosts use the same public IP address to access external
networks and only one host can access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, the NAT device
chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its
NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks
simultaneously.
The number of public IP addresses that a NAT device needs is usually far less than the number of internal
hosts because not all internal hosts access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
103BNAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses
to be mapped to the same public IP address, which is called multiple-to-one NAT.