Hi there, everyone!
This post is about the easy IP, PAT, NAT Server (Internal Server Access) as part of the NAT Series. Please see more details as you read further down.
BACKGROUND INFORMATION
VPN A and VPN B need to access the Internet; in the lab as above, we only need to ping IP address 202.100.1.2 to test the Internet access. What should we do now?
PROCEDURE
The first step is to configure all IP addresses. The VPN instance is strange to me, so I need to deal with it later. Just forget about it right now.
We can discuss easy IP first. What’s easy IP? Easy IP allows hosts to access the Internet using a temporary public address, which is the same as my current Juniper firewall SSG20 using China Telecom EPON PPPoE dialup.
The example seems easy, but if you try to configure it by yourself without reference, it’s still a task. If you want to ping 200.100.1.1 from client1, it’s easy by using a routing protocol, but here we have to use NAT.
I configure an ACL rule 2000 to permit 192.168.0.x out and then apply NAT outbound 2000 on GE0/0/1 of Router. After that, I can ping 200.100.1.1.
[Router]display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/1 2000 200.100.1.2 easyip
--------------------------------------------------------------------------
I can see that the type is easyip. The answer has a default route. This kind of mode can only use one public IP address.
So let’s talk about the mode of using several public IP addresses: NAT Pool.
I can’t ping 202.169.10.201. It turns out I've forgotten to configure the IP address for GE 0/0/0. While pinging, I can see the NAT session as below.
[Router]display nat session all
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.20.2
DestAddr Vpn : 202.169.10.201
Type Code IcmpId : 0 8 20773
NAT-Info
New SrcAddr : 202.169.10.125
New DestAddr : ----
New IcmpId : 10256
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.20.2
DestAddr Vpn : 202.169.10.201
Type Code IcmpId : 0 8 20772
NAT-Info
New SrcAddr : 202.169.10.125
New DestAddr : ----
New IcmpId : 10255
Total : 2
We can also see that the name of this kind of NAT Pool mode is PAT.
[Router]display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/0 2000 1 pat
--------------------------------------------------------------------------
Total : 1
Sometimes we configure an internal server, such as an HTTP server, and we want outside users to access the server. Here we go.
Error: The address conflicts with the NAT address group IP.
Error: The address conflicts with interface or ARP IP.
So I use nat server protocol tcp global current-interface www inside 192.168.20.2 80 and you can see the effect as below.
I have a second choice and prefer to use ftp.
nat server protocol tcp global current-interface ftp inside 192.168.20.2 21
This time I can access FTP server remotely with success!
In a word:
[Router]display nat server
Nat Server Information:
Interface : GigabitEthernet0/0/0
Global IP/Port : current-interface/21(ftp) (Real IP : 202.169.10.1)
Inside IP/Port : 192.168.20.3/21(ftp)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Global IP/Port : current-interface/80(www) (Real IP : 202.169.10.1)
Inside IP/Port : 192.168.20.3/80(www)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Total : 2
This would be all on easy IP, PAT, NAT Server (Internal Server Access) as part of the NAT Series. Thanks for reading this post!
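A defender's check on the `display nat server` output shown above, as an added example that is not part of the original post: it parses each mapping and lists those published with no ACL bound or on a cleartext service. It assumes the `Acl number` field shows the ACL attached to a mapping; the sample text, the ACL value 3000 and the `CLEARTEXT` review policy are constructed for illustration.

```python
import re

# Constructed sample in the page's `display nat server` layout; ACL 3000 is invented.
SAMPLE = """\
Nat Server Information:
Interface : GigabitEthernet0/0/0
Global IP/Port : current-interface/21(ftp) (Real IP : 202.169.10.1)
Inside IP/Port : 192.168.20.3/21(ftp)
Acl number : ----
Global IP/Port : current-interface/80(www) (Real IP : 202.169.10.1)
Inside IP/Port : 192.168.20.3/80(www)
Acl number : 3000
"""

# Assumption: review policy chosen for this example, not a device default.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}

def parse_nat_servers(text):
    """One dict per mapping; each 'Global IP/Port' line starts a new mapping."""
    entries, iface = [], None
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Interface":
            iface = value
        elif key == "Global IP/Port":
            m = re.match(r"\S+/(\d+)", value)
            entries.append({"interface": iface, "inside": None, "acl": None,
                            "port": int(m.group(1)) if m else None})
        elif key == "Inside IP/Port" and entries:
            entries[-1]["inside"] = value.split("/")[0]
        elif key == "Acl number" and entries:
            # A run of dashes means no ACL is bound to the mapping.
            entries[-1]["acl"] = None if set(value) <= {"-"} else value
    return entries

def audit(entries):
    """Return (port, inside_host, reasons) for mappings that deserve review."""
    findings = []
    for e in entries:
        reasons = ["no ACL bound"] if e["acl"] is None else []
        if e["port"] in CLEARTEXT:
            reasons.append(f"cleartext {CLEARTEXT[e['port']]}")
        if reasons:
            findings.append((e["port"], e["inside"], reasons))
    return findings

if __name__ == "__main__":
    for port, inside, reasons in audit(parse_nat_servers(SAMPLE)):
        print(f"tcp/{port} -> {inside}: {', '.join(reasons)}")
```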
