Comware

NAT configuration on MSR20 routers

  • 1.  NAT configuration on MSR20 routers

    Posted Mar 13, 2014 08:48 AM

    Hello guys.

    I have an MSR20 router and I need to configure NAT on it so that my internal clients can use the public IP address of the router when accessing the internet. What are the configuration commands for doing this? Please help.

    Thanks.


    #NAT
    #router


  • 2.  RE: NAT configuration on MSR20 routers

    Posted Jun 23, 2014 12:34 PM

    There are a ton of ways to configure NAT for either inbound or outbound usage. I'll include a very basic one that does PAT (port address translation) that you can use on your MSR20; however, note that it's only one of MANY ways to accomplish NAT.

    http://www.h3c.com/portal/products___solutions/technology/security_and_vpn/technology_white_paper/200808/613642_57_0.htm describes many of the different methods that can be used to represent NAT (although there are no examples in that whitepaper... blah).

    # only overloading a single address. You could specify a range if you expect more than 60k connections through this
    # NAT device.  Note that even a single web page could temporarily use half a dozen connections to build the page.
    #
    nat address-group 1 206.123.99.226 206.123.99.226
    #
    # Only allow machines in the range of 10.1.1.1 - 10.1.1.191 to NAT outbound. Deny all others
    acl number 2001 name authorized_nat_outbound
      # First off, deny addresses in the range that are not authorized
      rule 100 deny source 10.1.1.192 0.0.0.63 logging
      #
      # ...then authorize the rest of the block
      rule 110 permit source 10.1.1.0 0.0.0.255
      #
      # Deny everything else
      rule 999 deny logging
    #
    acl number 3001 name inbound-from-public
      #
      # First off permit the VRRP protocol to be transmitted
      rule 100 permit 112
      #
      # We know for a fact that we want to block out all "faked" transport packets from ever entering
      rule 110 deny ip destination 10.0.0.0 0.255.255.255 logging
      rule 120 deny ip destination 172.16.0.0 0.15.255.255 logging
      rule 130 deny ip destination 192.168.0.0 0.0.255.255 logging
      #
      # ... additionally deny anything sourced from an RFC1918 address
      rule 140 deny ip source 10.0.0.0 0.255.255.255 logging
      rule 150 deny ip source 172.16.0.0 0.15.255.255 logging
      rule 160 deny ip source 192.168.0.0 0.0.255.255 logging
      #
      # Specifically allow some "router initiated things" to return to the router (such as NTP)
      rule 200 permit udp destination 206.123.99.26 0 destination-port eq ntp
      #
      # Allow specific protocols inbound to our site
      rule 300 permit tcp established
      rule 310 permit tcp destination 206.123.99.26 0 destination-port eq 80
      rule 320 permit tcp destination 206.123.99.26 0 destination-port eq 443
      #
      # Allow various types of ICMP probing or ICMP returns to occur.  This
      # should be reviewed for security concerns vs operation validation needs.
      #
      rule 950 permit icmp icmp-type echo
      rule 955 permit icmp icmp-type echo-reply
      rule 960 permit icmp icmp-type port-unreachable
      rule 965 permit icmp icmp-type net-unreachable
      rule 970 permit icmp icmp-type ttl-exceeded
      rule 975 deny icmp logging
      #
      # By default, everything else is invalid
      rule 999 deny ip logging
    #
    interface Ethernet 0/0
     port link-mode route
     description Public Connection to the Internet
     firewall packet-filter name inbound-from-public inbound
     nat outbound static
     nat outbound 2001 address-group 1
     nat server protocol tcp global 206.123.99.26 www inside 10.1.1.16 www
     nat server protocol tcp global 206.123.99.26 443 inside 10.1.1.16 443
     ip address 206.123.99.26 255.255.255.0
    #
    interface Ethernet 0/1
     port link-mode route
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 206.123.99.1
    #
    ntp-service source-interface Ethernet 0/0
    ntp-service unicast-server 72.26.198.240
    ntp-service unicast-server 38.229.71.1
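The following is an added example, not code from the post above or from H3C: a small Python evaluator that replays the two ACLs in the answer (2001, which selects who gets translated by `nat outbound`, and 3001, the inbound packet-filter) against constructed packets, so the policy can be checked before it is pushed to the router. It models what matters for reading Comware ACLs correctly: wildcard masks are inverse masks (a 1 bit means "do not care"), and the default match order is config order, so the more specific `rule 100 deny 10.1.1.192 0.0.0.63` has to sit before the `rule 110 permit 10.1.1.0 0.0.0.255` that would otherwise swallow it. The `established` and ICMP checks are simplified to flags on the packet, and the 198.51.100.0/24 addresses are documentation space chosen here; both are assumptions of this example. One result worth noticing: a UDP reply from an external DNS resolver to the NAT pool address matches no permit rule in 3001 and is dropped by rule 999, since only TCP return traffic (`rule 300 permit tcp established`) is allowed back in. That holds whether the filter sees the pre-NAT destination (206.123.99.226, no rule) or the post-NAT one (10.1.1.x, denied by rule 110), so clients behind this NAT would need a TCP-only path or an added UDP return rule to resolve names externally.

```python
"""Evaluator for the two Comware ACLs in the post above: 2001 (nat outbound)
and 3001 (inbound packet-filter). Models config-order first-match and inverse
(wildcard) masks; 'established' and ICMP matching are simplified to flags."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address omitted in a rule = match all


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware masks are inverse masks: a 1 bit means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None in a basic ACL; "ip" matches any protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None
    established: bool = False        # 'tcp established': ACK or RST set, not a bare SYN
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"
    dport: Optional[int] = None
    syn_only: bool = False           # first packet of a TCP connection (assumed flag)
    icmp_type: Optional[str] = None


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto not in (None, "ip") and r.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *r.src) and wildcard_match(p.dst, *r.dst)):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.established and p.syn_only:
        return False
    return r.icmp_type is None or r.icmp_type == p.icmp_type


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Default match order is config order: ascending rule ID, first hit wins.
    'no-match' means not translated for nat outbound and permitted for the
    packet-filter (its default action), hence the explicit 'rule 999 deny'."""
    for r in sorted(acl, key=lambda r: r.rule_id):
        if rule_matches(r, p):
            return r.action, r.rule_id
    return "no-match", None


ROUTER = ("206.123.99.26", "0.0.0.0")
RFC1918 = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]

# acl number 2001 name authorized_nat_outbound, transcribed from the post
ACL_2001 = [
    Rule(100, "deny", src=("10.1.1.192", "0.0.0.63")),   # .192-.255 excluded first
    Rule(110, "permit", src=("10.1.1.0", "0.0.0.255")),  # rest of 10.1.1.0/24
    Rule(999, "deny"),
]

# acl number 3001 name inbound-from-public, transcribed from the post
ACL_3001 = [
    Rule(100, "permit", proto="112"),                                   # VRRP
    *[Rule(110 + 10 * i, "deny", proto="ip", dst=n) for i, n in enumerate(RFC1918)],
    *[Rule(140 + 10 * i, "deny", proto="ip", src=n) for i, n in enumerate(RFC1918)],
    Rule(200, "permit", proto="udp", dst=ROUTER, dport=123),            # NTP replies
    Rule(300, "permit", proto="tcp", established=True),
    Rule(310, "permit", proto="tcp", dst=ROUTER, dport=80),
    Rule(320, "permit", proto="tcp", dst=ROUTER, dport=443),
    Rule(950, "permit", proto="icmp", icmp_type="echo"),
    Rule(955, "permit", proto="icmp", icmp_type="echo-reply"),
    Rule(960, "permit", proto="icmp", icmp_type="port-unreachable"),
    Rule(965, "permit", proto="icmp", icmp_type="net-unreachable"),
    Rule(970, "permit", proto="icmp", icmp_type="ttl-exceeded"),
    Rule(975, "deny", proto="icmp"),
    Rule(999, "deny", proto="ip"),
]

if __name__ == "__main__":
    # Constructed packets (198.51.100.0/24 is documentation space). The last one is
    # the gap worth knowing about: a UDP reply from an external DNS resolver to the
    # NAT pool address matches no permit rule, because only TCP returns are covered.
    for label, acl, p in [
        ("10.1.1.5 -> nat outbound", ACL_2001, Packet("10.1.1.5")),
        ("10.1.1.200 -> nat outbound", ACL_2001, Packet("10.1.1.200")),
        ("web SYN to nat server", ACL_3001, Packet("198.51.100.7", "206.123.99.26", "tcp", 80, syn_only=True)),
        ("spoofed RFC1918 source", ACL_3001, Packet("10.1.1.5", "206.123.99.26", "tcp", 80, syn_only=True)),
        ("DNS reply to NAT pool", ACL_3001, Packet("198.51.100.53", "206.123.99.226", "udp", 40000)),
    ]:
        print(f"{label:26s} -> {evaluate(acl, p)}")
```

Run it as a script to see each constructed packet with the rule that decides it. To re-check the policy after editing the router config, transcribe the new rules into the two lists and add the packets that represent the traffic you care about; a match on rule 999 for something that should work is the signal to add a rule above it rather than loosen the catch-all.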