I've been working with the various Comware based devices such as the F1000 firewall, the A5800 switches, and the MSR30-20 routers. Specifically I'm trying to figure out how (on the firewall and router) to create a NAT translation that is 1:1 on BOTH inbound and outbound.
Currently the problem is that I can get a 1:1 on the inbound (using the nat-server command) however my outbounds ignore the nat-server and use the PAT address grouping for outbound originated traffic. Specifically I have a public DNS server that the outside world needs to get to. I can get that part working, however when the server contacts the primary for zone transfers, the "originated" packets use the PAT address space rather than the NAT 1:1 address space.
The example below has:
205.140.10.16 -> 172.16.0.16 (tcp/udp port 53)
172.16.0.16 -> public (shows up as some random address in the 205.140.10.240-244 range)
What I wanted was:
172.16.0.16 -> packet source 205.140.10.16
So, here is a cutout of what I'm using:
#
nat address-group 205.140.10.240 205.140.10.244
#
acl number 2000 name authorize_nat_outbound
 rule 100 permit source 172.16.0.0 0.0.3.255
 rule 105 deny
#
interface GigabitEthernet 0/0
 port link-mode route
 nat outbound static
 nat outbound 2000 address-group 1
 nat server protocol tcp global 205.140.10.16 dns inside 172.16.0.16 dns
 nat server protocol udp global 205.140.10.16 dns inside 172.16.0.16 dns
 ip address 205.140.10.199 255.255.255.0
#
interface GigabitEthernet 0/1
 port link-mode route
 ip address 172.16.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 205.140.10.1
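For reference, an added configuration fragment (not from the post above) showing the shape a bidirectional 1:1 mapping for the DNS server takes on Comware V5 style syntax: the `nat outbound static` already present on GigabitEthernet 0/0 only applies a system-view `nat static` entry, which the cutout above does not contain. The `nat static` line and its placement are assumptions about the V5 command set and should be checked against the running release before use, as Comware V7 spells the same feature differently.

```text
# System view: one-to-one mapping so outbound packets from the DNS
# server leave as 205.140.10.16 instead of the 205.140.10.240-244 pool.
# (Assumed Comware V5 syntax: nat static <inside-ip> <global-ip>.)
nat static 172.16.0.16 205.140.10.16
#
interface GigabitEthernet 0/0
 port link-mode route
 # Apply the static entry above; static mappings are matched before the
 # dynamic ACL/address-group rule on the same interface.
 nat outbound static
 # Everything else in 172.16.0.0/22 still uses the PAT pool.
 nat outbound 2000 address-group 1
 ip address 205.140.10.199 255.255.255.0
#
```

With the static entry in place, the inbound direction is also covered by the same mapping, so the two `nat server ... dns` lines become redundant for port 53 and can be kept only if inbound exposure is to stay limited to that port.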