R3166-R3206-HP High-End Firewalls NAT and ALG Configuration Guide-6PW101
When a VPN host sends a packet to a public host, NAT replaces the packet's private source IP address and port
number with a public IP address and port number, and records the NAT entry together with the relevant VPN
information, such as the protocol type and route distinguisher (RD). When a response packet arrives, the
NAT gateway uses that entry to translate the public destination IP address and port number back to the private ones and sends
the packet to the VPN host. Both NAT and NAPT support multiple-instance.
NAT also supports internal server multiple-instance to allow external users to access VPN hosts. For
example, in VPN 1, a Web server has a private address of 10.110.1.1. You can assign public IP address
202.110.10.20 to the server on the NAT device so that Internet hosts can access it.
Low-priority address pool
An address pool is a set of consecutive public IP addresses. A NAT gateway selects addresses from the
address pool and uses them as the translated source addresses.
When two devices in a stateful failover implementation carry out NAT, identical address pools must be
configured on both devices, so that service traffic can be taken over by the other
device if one device fails. However, if the two devices select the same IP addresses from their address pools
and assign them the same port numbers, the reverse sessions on the two devices are identical. As a result,
session data cannot be backed up between the devices.
To solve this problem, the low-priority address pool attribute is introduced to NAT. You can configure
address pools on the two devices to have different priorities. For example, suppose that two address
pools, 100.0.0.1 through 100.0.0.5 (A) and 100.0.0.6 through 100.0.0.10 (B), are configured on both
devices. You can configure A as the low-priority address pool on one device and configure B as the
low-priority address pool on the other device. Because addresses in a low-priority address pool are not
selected by NAT, the two devices use different addresses as translated source addresses, and thus
session data can be backed up successfully.
NOTE: For information about stateful failover configuration, see High Availability Configuration Guide.
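The following Python model, added here as an illustration and not code from the HP guide or the firewall itself, simulates the NAPT entry described above (keyed by VPN RD, protocol, private address and port) and the low-priority pool selection rule for a stateful failover pair. It uses the two pools from the example (A: 100.0.0.1 through 100.0.0.5, B: 100.0.0.6 through 100.0.0.10) and shows that without the low-priority attribute both devices pick the same translated address and port, so their reverse sessions collide and cannot be backed up, whereas with A marked low priority on one device and B on the other the translated addresses differ. The port allocation order, the starting port 1024, the RD strings and the sample flows are constructed assumptions, not values from the guide.

```python
"""Model of NAPT address-pool selection with low-priority pools.

Added example (not code from the HP guide): two NAT gateways in a
stateful failover pair share identical address pools; the low-priority
attribute keeps their translated source addresses from colliding.
Pool ranges, RDs, ports and flows are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Private side of a NAT entry. The RD is part of the key because the
    same private address may exist in several VPN instances."""
    rd: str        # route distinguisher of the VPN instance (constructed)
    proto: str     # "tcp" or "udp"
    src_ip: str
    src_port: int


@dataclass
class AddressPool:
    name: str
    addresses: list          # consecutive public IPv4 addresses
    low_priority: bool = False


def expand_range(first: str, last: str) -> list:
    """Expand an inclusive range of consecutive IPv4 addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class NatGateway:
    FIRST_PORT = 1024  # assumed first translated port (constructed)

    def __init__(self, name: str, pools: list):
        self.name = name
        self.pools = pools
        self.forward = {}    # Flow -> (public_ip, public_port)
        self.reverse = {}    # (proto, public_ip, public_port) -> Flow
        self._next_port = {}  # public_ip -> next free port

    def _candidates(self) -> list:
        # Addresses in a low-priority pool are never selected.
        return [ip for p in self.pools if not p.low_priority for ip in p.addresses]

    def translate(self, flow: Flow) -> tuple:
        """Allocate (public_ip, public_port) for an outgoing flow, reusing
        the existing entry if the flow is already known."""
        if flow in self.forward:
            return self.forward[flow]
        candidates = self._candidates()
        if not candidates:
            raise RuntimeError("no selectable address: all pools are low priority")
        # Spread flows over the pool: fewest allocated ports first,
        # numerically lowest address on ties (assumed policy).
        ip = min(candidates, key=lambda a: (self._next_port.get(a, self.FIRST_PORT),
                                            int(ipaddress.IPv4Address(a))))
        port = self._next_port.get(ip, self.FIRST_PORT)
        self._next_port[ip] = port + 1
        self.forward[flow] = (ip, port)
        self.reverse[(flow.proto, ip, port)] = flow
        return ip, port

    def untranslate(self, proto: str, dst_ip: str, dst_port: int):
        """Map a response packet's public destination back to the VPN host."""
        return self.reverse.get((proto, dst_ip, dst_port))


def backup_collides(gw1: NatGateway, gw2: NatGateway) -> bool:
    """True if a reverse-session key exists on both devices, which is the
    case in which session data cannot be backed up between them."""
    return bool(set(gw1.reverse) & set(gw2.reverse))


def build_pair(use_low_priority: bool) -> tuple:
    """Two devices with identical pools A and B; optionally A is low
    priority on the first device and B on the second, as in the guide."""
    pool_a = expand_range("100.0.0.1", "100.0.0.5")
    pool_b = expand_range("100.0.0.6", "100.0.0.10")
    gw1 = NatGateway("gw1", [AddressPool("A", pool_a, use_low_priority),
                             AddressPool("B", pool_b)])
    gw2 = NatGateway("gw2", [AddressPool("A", pool_a),
                             AddressPool("B", pool_b, use_low_priority)])
    return gw1, gw2


if __name__ == "__main__":
    flow = Flow(rd="100:1", proto="tcp", src_ip="10.110.1.5", src_port=40000)
    for lp in (False, True):
        g1, g2 = build_pair(lp)
        g1.translate(flow)
        g2.translate(flow)
        print(f"low-priority={lp}: gw1={g1.forward[flow]} gw2={g2.forward[flow]} "
              f"collision={backup_collides(g1, g2)}")
```

Running the script shows the two cases side by side: with no low-priority pool both devices translate the flow to 100.0.0.1:1024 and the reverse keys collide; with the attribute set, gw1 translates to 100.0.0.6:1024 and gw2 to 100.0.0.1:1024, so the backed-up session tables can coexist. A second flow from the same private address in a different VPN instance gets its own entry because the RD is part of the key.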
Configuring a NAT policy in the web interface
Configuration overview
Configuring address translation
A NAT gateway translates between internal and external network addresses by using mapping entries that are
either configured statically or generated dynamically. Accordingly, address translation can be classified into two types,
dynamic and static.
• Dynamic NAT
A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL
with an address pool (or the address of an interface in the case of Easy IP). This association defines what
packets can use the addresses in the address pool (or the interface’s address) to access the external
network. Dynamic NAT is applicable when a large number of internal users need to access external
networks. An IP address is selected from the associated address pool to translate an outgoing packet.
After the session terminates, the selected IP address is released.
Perform the tasks in Table 1 to configure dynamic NAT.