# NAT Configuration Guide
## Introduction

NAT (Network Address Translation) is a technology that maps one IP address space to another. It is primarily used to let many internal network devices share a smaller number of public IP addresses when communicating with external networks, since public IP address resources are limited.

## Basic concepts and principles

A Network Address Translation (NAT) device, often a router or firewall, has an internal interface to the internal network and an external interface to an external network such as the Internet. When a device on the internal network sends a packet out, the NAT device replaces the internal source IP address in the packet with one of its own external IP addresses and records this translation in the NAT table. When the external device returns a response, the NAT device looks up the NAT table, restores the destination IP address to the address of the internal device that originally initiated the request, and forwards the response packet to that internal device.

### Static NAT

This type maps an internal IP address to a fixed external IP address at all times. It is typically used where an internal server must be reachable from the external network at a fixed address. For example, a company with an internal web server can use static NAT to make it accessible from the outside at a fixed public IP address on the Internet.

### Dynamic NAT

Dynamic NAT maintains a pool of available external IP addresses. When an internal device needs to access the external network, it is dynamically assigned an external IP address from the pool for address translation; after use, the external IP address is released back into the pool for other internal devices.

### Port Address Translation (PAT)

Also known as NAPT (Network Address Port Translation), PAT is the most commonly used NAT technology. It translates not only IP addresses but also port numbers (TCP or UDP ports). Multiple internal devices can share one or a few external IP addresses, distinguished by different port numbers on the NAT device. For example, if several devices on an internal network need to access the Internet, PAT can use a single public IP address and give each device's connection its own port number, enabling "many-to-one" IP address translation.
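The table-driven behaviour described above (static one-to-one mapping, dynamic leases from a pool with release, and PAT sharing one address by port) can be modelled in a few dozen lines. The following is an added example written for this guide, not SONiC code: it keeps the NAT table in memory and shows both directions of a translation, including the case that matters most to a defender, an inbound packet with no table entry, which is dropped. Addresses are taken from the guide's examples; the external server 198.51.100.10 and the host/port choices are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A packet reduced to its 5-tuple: (protocol, src_ip, src_port, dst_ip, dst_port).
Packet = Tuple[str, str, int, str, int]


@dataclass
class NatDevice:
    """Toy NAT device with the three translation modes the guide describes."""
    static: Dict[str, str] = field(default_factory=dict)   # local IP -> fixed global IP
    pool: List[str] = field(default_factory=list)          # free dynamic NAT global IPs
    pat_ip: Optional[str] = None                           # single global IP shared by PAT
    pat_first_port: int = 1024                             # first global port PAT hands out
    # Runtime state: the NAT table that outbound() fills and inbound() consults.
    dynamic: Dict[str, str] = field(default_factory=dict)  # local IP -> leased global IP
    pat_out: Dict[Tuple[str, str, int], int] = field(default_factory=dict)        # (proto, lip, lport) -> gport
    pat_in: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # (proto, gport) -> (lip, lport)

    def outbound(self, pkt: Packet) -> Packet:
        """SNAT a packet leaving the internal network and record the mapping."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        # Static NAT: one internal address always maps to the same global address.
        if src_ip in self.static:
            return (proto, self.static[src_ip], src_port, dst_ip, dst_port)
        # Dynamic NAT: lease an address from the pool for as long as the host keeps it.
        if src_ip not in self.dynamic and self.pool:
            self.dynamic[src_ip] = self.pool.pop(0)
        if src_ip in self.dynamic:
            return (proto, self.dynamic[src_ip], src_port, dst_ip, dst_port)
        # PAT/NAPT: pool exhausted (or no pool configured), so share pat_ip and
        # distinguish sessions by a unique global port.
        if self.pat_ip is None:
            raise RuntimeError(f"no global address available for {src_ip}")
        key = (proto, src_ip, src_port)
        if key not in self.pat_out:
            gport = self.pat_first_port + len(self.pat_in)
            self.pat_out[key] = gport
            self.pat_in[(proto, gport)] = (src_ip, src_port)
        return (proto, self.pat_ip, self.pat_out[key], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Restore the internal destination of a reply; None means no table entry (drop)."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        for table in (self.static, self.dynamic):
            for local_ip, global_ip in table.items():
                if global_ip == dst_ip:
                    return (proto, src_ip, src_port, local_ip, dst_port)
        entry = self.pat_in.get((proto, dst_port))
        if dst_ip == self.pat_ip and entry is not None:
            local_ip, local_port = entry
            return (proto, src_ip, src_port, local_ip, local_port)
        return None

    def release_dynamic(self, local_ip: str) -> None:
        """Return a leased dynamic address to the pool once the host is finished."""
        global_ip = self.dynamic.pop(local_ip, None)
        if global_ip is not None:
            self.pool.append(global_ip)


def build_demo() -> NatDevice:
    """Device using the guide's addresses: the static host from the requirements,
    a two-address slice of the dynamic pool, and the outgoing interface for PAT."""
    return NatDevice(static={"192.168.0.2": "2.2.2.3"},
                     pool=["2.2.2.100", "2.2.2.101"],
                     pat_ip="2.2.2.2")


if __name__ == "__main__":
    nat = build_demo()
    ext_ip, ext_port = "198.51.100.10", 443   # constructed external server
    for host in ("192.168.0.2", "192.168.20.2", "192.168.20.3", "192.168.20.4", "192.168.20.5"):
        out = nat.outbound(("tcp", host, 50000, ext_ip, ext_port))
        back = nat.inbound(("tcp", ext_ip, ext_port, out[1], out[2]))
        print(f"{host}:50000 -> {out[1]}:{out[2]}  reply restored to {back[3]}:{back[4]}")
    print("unsolicited inbound:", nat.inbound(("tcp", ext_ip, ext_port, "2.2.2.2", 9999)))
```

Running it shows the static host keeping 2.2.2.3, the first two dynamic hosts taking 2.2.2.100 and 2.2.2.101, and the remaining hosts falling back to PAT on 2.2.2.2 with ports 1024 and 1025 even though they all use source port 50000. The final line prints `None`: a packet arriving for a global port nobody has opened has no table entry, which is why a NAT device does not by itself expose internal hosts that never initiated a session.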
## NAT Configuration

### Configure port domains

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enter the interface configuration view | `interface <type> <interface-number>` | `type` is one of ethernet, vlan, lag, loopback, sub-ethernet |
| Enable port NAT output | `nat zone 1` | |
| Disable port NAT output | `no nat zone` | |

### Configure the NAT function

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enable the NAT function | `nat enable` | |
| Disable the NAT function | `no nat enable` | |
| Configure static NAT | `nat static basic <global-ip> <local-ip> <type>` | `global-ip` is the public network address, `local-ip` is the private network address, and `type` is `snat` or `dnat` |
| Delete static NAT | `no nat static basic <global-ip> <local-ip> <type>` | |
| Configure static NAPT | `nat static {tcp\|udp} <global-ip> <global-port> <local-ip> <local-port> <type>` | `global-port` is the public network port, `local-port` is the private network port |
| Delete static NAPT | `no nat static {tcp\|udp} <global-ip> <global-port> <local-ip> <local-port>` | |
| Configure a dynamic NAT address pool | `nat pool <pool-name> <start-ip> [end-ip]` | `pool-name` is the name of the NAT address pool, `start-ip` is the first address of the pool and `end-ip` the last; configuring only `start-ip` means a single address is used |
| Delete a dynamic NAT address pool | `no nat pool <pool-name>` | |
| Configure a binding to a dynamic address pool | `nat binding <binding-name> <pool-name> [acl-name]` | `binding-name` is the name of the binding, `pool-name` is the name of the NAT address pool, `acl-name` is the name of an ACL |
| Delete a binding to a dynamic address pool | `no nat binding <binding-name>` | |
### Display and maintenance

| Operation | Command | Description |
| --- | --- | --- |
| Display NAT configuration information | `show nat config` | |
| Display NAT translations | `show nat translations` | |
| Display the NAT translations count | `show nat translations count` | |
| Display NAT statistics | `show nat statistics` | |

## Static NAT typical scenario configuration example

### Network requirements

The IP address of the router's outgoing interface 2 is 2.2.2.2/24 and the gateway address on the LAN side is 192.168.0.1/24. The address at the opposite end on the carrier side is 2.2.2.1/24. The host's intranet address is 192.168.0.2/24 and a static address of 2.2.2.3/24 must be used. The company must be able to translate the internal private address to a public address for connection to the WAN.

### Procedure

1. Router configuration

```
# Configure the port IP addresses and set port 2 as the NAT output port
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.0.1/24
sonic(config-if-1)# exit
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 2.2.2.2/24
sonic(config-if-2)# nat zone 1
# Configure the static route
sonic(config)# ip route 0.0.0.0/0 2.2.2.1
# Configure static NAT
sonic(config)# nat enable
sonic(config)# nat static basic 2.2.2.3 192.168.0.1 snat
```

### Verify configuration

```
sonic(config)# do show nat config

Global Values

Admin Mode     : enabled
Global Timeout : 600 secs
TCP Timeout    : 86400 secs
UDP Timeout    : 300 secs

Static Entries

Nat Type  IP Protocol  Global IP  Global Port  Local IP     Local Port  Twice-NAT Id
--------  -----------  ---------  -----------  -----------  ----------  ------------
snat      all          2.2.2.3    ---          192.168.0.1  ---         ---

Pool Entries

Pool Name  Global IP Range  Global Port Range
---------  ---------------  -----------------

NAT Bindings

Binding Name  Pool Name  Access-List  Nat Type  Twice-NAT Id
------------  ---------  -----------  --------  ------------

NAT Zones

Port       Zone
---------  ----
Ethernet1  0
Ethernet2  1

sonic(config)# do show nat translations

Static NAT Entries         ................. 2
Static NAPT Entries        ................. 0
Dynamic NAT Entries        ................. 0
Dynamic NAPT Entries       ................. 0
Static Twice NAT Entries   ................. 0
Static Twice NAPT Entries  ................. 0
Dynamic Twice NAT Entries  ................. 0
Dynamic Twice NAPT Entries ................. 0
Total SNAT/SNAPT Entries   ................. 1
Total DNAT/DNAPT Entries   ................. 1
Total Entries              ................. 2

Protocol  Source       Destination  Translated Source  Translated Destination
--------  -----------  -----------  -----------------  ----------------------
all       ---          2.2.2.3      ---                192.168.0.1
all       192.168.0.1  ---          2.2.2.3            ---
```
```
sonic(config)# do show nat statistics

Protocol  Source       Destination  Packets  Bytes
--------  -----------  -----------  -------  -----
all       ---          2.2.2.3      0        0
all       192.168.0.1  ---          0        0
```

## Dynamic NAT typical scenario configuration example

### Network requirements

The users of a company's private network are connected to the Internet. Interface 3 on the router has a public address of 2.2.2.2/24 and the carrier-side address is 2.2.2.1/24. The users want to use addresses from the public address pool (2.2.2.100 to 2.2.2.200) to replace the internal host addresses (segment 192.168.20.0/24) with NAT in order to access the Internet.

### Procedure

1. Router configuration

```
# Configure the port IP addresses and set port 2 as the NAT output port
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.20.1/24
sonic(config-if-1)# exit
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 2.2.2.2/24
sonic(config-if-2)# nat zone 1
# Configure the static route
sonic(config)# ip route 0.0.0.0/0 2.2.2.1
# Configure dynamic NAT
sonic(config)# nat enable
sonic(config)# nat pool nat_pool 2.2.2.100 2.2.2.200
sonic(config)# nat binding test nat_pool
```

### Verify configuration

```
sonic(config)# do show nat config

Global Values

Admin Mode     : enabled
Global Timeout : 600 secs
TCP Timeout    : 86400 secs
UDP Timeout    : 300 secs

Static Entries

Nat Type  IP Protocol  Global IP  Global Port  Local IP  Local Port  Twice-NAT Id
--------  -----------  ---------  -----------  --------  ----------  ------------

Pool Entries

Pool Name  Global IP Range      Global Port Range
---------  -------------------  -----------------
nat_pool   2.2.2.100-2.2.2.200  1024-65534

NAT Bindings

Binding Name  Pool Name  Access-List  Nat Type  Twice-NAT Id
------------  ---------  -----------  --------  ------------
test          nat_pool   ---          snat      ---

NAT Zones

Port       Zone
---------  ----
Ethernet1  0
Ethernet2  1
```
```
sonic(config)# do show nat translations

Static NAT Entries         ................. 0
Static NAPT Entries        ................. 0
Dynamic NAT Entries        ................. 0
Dynamic NAPT Entries       ................. 0
Static Twice NAT Entries   ................. 0
Static Twice NAPT Entries  ................. 0
Dynamic Twice NAT Entries  ................. 0
Dynamic Twice NAPT Entries ................. 0
Total SNAT/SNAPT Entries   ................. 0
Total DNAT/DNAPT Entries   ................. 0
Total Entries              ................. 0

Protocol  Source        Destination  Translated Source  Translated Destination
--------  ------------  -----------  -----------------  ----------------------
tcp       ---           2.2.2.100    ---                192.168.20.2
tcp       192.168.20.2  ---          2.2.2.100          ---

sonic(config)# do show nat statistics

Protocol  Source        Destination  Packets  Bytes
--------  ------------  -----------  -------  -----
tcp       ---           2.2.2.100    0        0
tcp       192.168.20.2  ---          0        0
```
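Verifying a NAT configuration by eye works for two entries but not for a busy device, and a translation table that contains a global address nobody configured is an early sign of a rogue binding or a misapplied pool. The following added example (written for this guide, not part of SONiC) parses a captured `show nat translations` output such as the ones in the static and dynamic examples above, cross-checks the summary counters against the rows listed, and flags any entry whose global-side address is outside the set the operator expects. The column layout and the `---` placeholder for empty cells are assumptions based on the outputs shown in this guide; the sample text is constructed from the static NAT example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the `show nat translations` output of the guide's static
# NAT example, as captured from the device.
SAMPLE_OUTPUT = """\
Static NAT Entries         ................. 2
Static NAPT Entries        ................. 0
Dynamic NAT Entries        ................. 0
Dynamic NAPT Entries       ................. 0
Static Twice NAT Entries   ................. 0
Static Twice NAPT Entries  ................. 0
Dynamic Twice NAT Entries  ................. 0
Dynamic Twice NAPT Entries ................. 0
Total SNAT/SNAPT Entries   ................. 1
Total DNAT/DNAPT Entries   ................. 1
Total Entries              ................. 2

Protocol  Source       Destination  Translated Source  Translated Destination
--------  -----------  -----------  -----------------  ----------------------
all       ---          2.2.2.3      ---                192.168.0.1
all       192.168.0.1  ---          2.2.2.3            ---
"""

# "Name ........ N" summary lines at the top of the output.
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z/ ]+?)\s*\.{2,}\s*(?P<n>\d+)$")
EMPTY = "---"   # assumed placeholder for an empty cell

Entry = Dict[str, Optional[str]]


def parse_translations(text: str) -> Tuple[Dict[str, int], List[Entry]]:
    """Split the output into summary counters and one dict per translation row."""
    counts: Dict[str, int] = {}
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Protocol") or line.startswith("--"):
            continue   # blank line, column header or separator
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("name").strip()] = int(m.group("n"))
            continue
        cols = line.split()
        if len(cols) != 5:
            continue   # unrecognised line, e.g. a prompt echoed into the capture
        proto, src, dst, tsrc, tdst = [None if c == EMPTY else c for c in cols]
        entries.append({"proto": proto, "src": src, "dst": dst, "tsrc": tsrc, "tdst": tdst})
    return counts, entries


def audit(entries: List[Entry], allowed_global: Set[str]) -> List[str]:
    """Flag rows whose global-side address is not one the operator configured.
    A row with a Source is an SNAT entry (global side = Translated Source);
    a row with a Destination is a DNAT entry (global side = Destination)."""
    problems = []
    for e in entries:
        if e["src"] is not None and e["tsrc"] not in allowed_global:
            problems.append(f"SNAT {e['src']} -> {e['tsrc']} uses an unexpected global IP")
        if e["dst"] is not None and e["dst"] not in allowed_global:
            problems.append(f"DNAT {e['dst']} -> {e['tdst']} uses an unexpected global IP")
    return problems


def counts_consistent(counts: Dict[str, int], entries: List[Entry]) -> bool:
    """Cross-check the summary counters against the rows actually listed."""
    snat = sum(1 for e in entries if e["src"] is not None)
    dnat = sum(1 for e in entries if e["dst"] is not None)
    return (counts.get("Total Entries") == len(entries)
            and counts.get("Total SNAT/SNAPT Entries") == snat
            and counts.get("Total DNAT/DNAPT Entries") == dnat)


if __name__ == "__main__":
    counts, entries = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(entries)} translation rows, counters consistent: "
          f"{counts_consistent(counts, entries)}")
    for problem in audit(entries, allowed_global={"2.2.2.3"}) or ["no unexpected global addresses"]:
        print(problem)
```

For the dynamic example the same parser applies unchanged; the allowed set would then be the pool range 2.2.2.100 to 2.2.2.200 (for instance generated with `ipaddress`), and any SNAT row translating to an address outside it is worth investigating. Running the audit from a scheduled job and alerting on a non-empty result gives a cheap configuration-drift check for the NAT table.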
