Hello Guys,
Today I would like to show you how to implement NAT hairpin with Huawei routers.
What's NAT hairpin?
It's a special kind of NAT that sends the inbound flow back out through the same interface towards an external IP address. Basically, it combines two common types of NAT:
NAT server + NAT outbound.
The picture below speaks for itself:
What's the purpose for NAT hairpin?
It is useful in a single-link branch scenario when there are no users connected to the LAN. We can use this special NAT to test the bandwidth capabilities (speed test) without a host behind the branch CPE.
How to do it?
We will use the device names from the topology above.
Configuration
AR1:
#
acl number 3000
 rule 5 permit ip
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 nat server global current-interface inside 12.1.1.2 \\ process inbound flow
 nat outbound 3000 \\ redirect to an external IP address
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
----------------------------------------------------------------------
AR2:
#
interface Vlanif10
 ip address 11.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 12.1.1.1 255.255.255.0
#
interface Ethernet0/0/0
 undo portswitch
 ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/7
 port link-type access
 port default vlan 10
#
ip route-static 10.1.1.0 255.255.255.0 10.1.1.1
ip route-static 11.1.1.0 255.255.255.0 11.1.1.2
ip route-static 12.1.1.0 255.255.255.0 12.1.1.2
#
--------------------------------------------------------------
AR3:
#
interface Ethernet0/0/0
 undo portswitch
 ip address 12.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0 12.1.1.1
Results:
1. After pinging 10.1.1.1 (the AR1 WAN interface IP address) from the host, AR1 generates the NAT session table below. Note the new source and destination IP addresses:
[AR1]dis nat session all
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 11.1.1.2
DestAddr Vpn : 10.1.1.1
Type Code IcmpId : 8 0 1
NAT-Info
New SrcAddr : 10.1.1.1
New DestAddr : 12.1.1.2
New IcmpId : 10242
Total : 1
2. We see ICMP data arriving on AR3 after we start pinging the AR1 WAN address from the host.
AR3 replies to the ICMP request:
<Huawei>
Aug 5 2014 11:14:42.130.1+00:00 Huawei IP/7/debug_icmp:
ICMP Receive: echo(Type=8, Code=0), Src = 10.1.1.1, Dst = 12.1.1.2, ICMP Id = 0x
2802, ICMP Seq = 125
<Huawei>
Aug 5 2014 11:14:42.130.2+00:00 Huawei IP/7/debug_icmp:
ICMP Send: echo-reply(Type=0, Code=0), Src = 12.1.1.2, Dst = 10.1.1.1, ICMP Id =
0x2802, ICMP Seq = 125
<Huawei>
Aug 5 2014 11:14:43.130.1+00:00 Huawei IP/7/debug_icmp:
ICMP Receive: echo(Type=8, Code=0), Src = 10.1.1.1, Dst = 12.1.1.2, ICMP Id = 0x
2802, ICMP Seq = 126
<Huawei>
Aug 5 2014 11:14:43.130.2+00:00 Huawei IP/7/debug_icmp:
ICMP Send: echo-reply(Type=0, Code=0), Src = 12.1.1.2, Dst = 10.1.1.1, ICMP Id =
0x2802, ICMP Seq = 126
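Added example, not part of the original post: a Python sketch that parses the AR1 session table, confirms the hairpin translation, and ties it to the AR3 debug output by the translated ICMP Id (10242 = 0x2802). AR3 only ever sees 10.1.1.1 as the source and ACL 3000 permits all IP traffic, so the sketch also lists hairpinned sessions whose original source is not an expected test host. The function names are hypothetical and the sample input is constructed from the outputs shown above.

```python
import re

# Constructed sample: the session entry and one AR3 debug line shown in this post.
SESSION_OUTPUT = """\
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 11.1.1.2
DestAddr Vpn : 10.1.1.1
Type Code IcmpId : 8 0 1
NAT-Info
New SrcAddr : 10.1.1.1
New DestAddr : 12.1.1.2
New IcmpId : 10242
Total : 1
"""
DEBUG_LINE = ("ICMP Receive: echo(Type=8, Code=0), Src = 10.1.1.1, "
              "Dst = 12.1.1.2, ICMP Id = 0x2802, ICMP Seq = 125")

def parse_sessions(text):
    """Split 'display nat session all' output into one dict per session."""
    sessions, cur = [], None
    for line in text.splitlines():
        # Collapse column padding so keys compare equal whatever the spacing.
        key, sep, value = (" ".join(p.split()) for p in line.partition(":"))
        if not sep or key == "Total":
            continue
        if key == "Protocol":  # first field of every entry
            cur = {}
            sessions.append(cur)
        if cur is not None:
            cur[key] = value
    return sessions

def is_hairpin(s, wan_ip, inside_ip):
    """nat server rewrote the destination and nat outbound rewrote the source."""
    return (s.get("DestAddr Vpn") == wan_ip and s.get("New DestAddr") == inside_ip
            and s.get("New SrcAddr") == wan_ip)

def debug_matches(s, line):
    """True if a debug_icmp line carries the session's translated addresses and Id."""
    m = re.search(r"Src = ([\d.]+), Dst = ([\d.]+), ICMP Id = (0x[0-9a-fA-F]+)", line)
    return bool(m) and (m.group(1), m.group(2), str(int(m.group(3), 16))) == (
        s.get("New SrcAddr"), s.get("New DestAddr"), s.get("New IcmpId"))

def unexpected_sources(sessions, wan_ip, inside_ip, testers):
    """Original sources of hairpinned sessions that are not known test hosts."""
    hairpinned = {s.get("SrcAddr Vpn") for s in sessions if is_hairpin(s, wan_ip, inside_ip)}
    return sorted(hairpinned - set(testers))

if __name__ == "__main__":
    print(unexpected_sources(parse_sessions(SESSION_OUTPUT), "10.1.1.1", "12.1.1.2", []))
```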
Hope you enjoy reading this case!