
NAT hairpin with Huawei AR G3


Hello Guys, 

Today I would like to show you how to implement NAT hairpin with Huawei routers.


What's NAT hairpin? 

It's a special kind of NAT that returns the inbound flow out again through the same interface to an external IP address. It basically combines two common types of NAT:

NAT server + NAT outbound.

The picture below speaks for itself:

[Image: NAT hairpin with Huawei AR G3]


What's the purpose for NAT hairpin?

It is useful for a single-link branch scenario when there are no users connected to the LAN. We can use this special NAT to test the bandwidth capabilities (speed test) without a host behind the branch CPE.


How to do it?

We will use the naming from the topology above.


Configuration

AR1:

#
acl number 3000
 rule 5 permit ip
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 nat server global current-interface inside 12.1.1.2    \\ process inbound flow
 nat outbound 3000    \\ redirect to an external ip address
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2

----------------------------------------------------------------------

AR2:

#
interface Vlanif10
 ip address 11.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 12.1.1.1 255.255.255.0
#
interface Ethernet0/0/0
 undo portswitch
 ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/7
 port link-type access
 port default vlan 10
#
ip route-static 10.1.1.0 255.255.255.0 10.1.1.1
ip route-static 11.1.1.0 255.255.255.0 11.1.1.2
ip route-static 12.1.1.0 255.255.255.0 12.1.1.2

--------------------------------------------------------------

AR3:

#
interface Ethernet0/0/0
 undo portswitch
 ip address 12.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0 12.1.1.1


Results:

1. After pinging from the host to 10.1.1.1 (AR1 WAN interface IP address), AR1 generates the NAT session table below; note the new source and destination IP addresses:

[AR1]dis nat session all
  NAT Session Table Information:
     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 11.1.1.2
     DestAddr  Vpn     : 10.1.1.1
     Type Code IcmpId  : 8   0   1
     NAT-Info
       New SrcAddr     : 10.1.1.1
       New DestAddr    : 12.1.1.2
       New IcmpId      : 10242
  Total : 1

2. We see ICMP data arriving on AR3 after we start pinging the AR1 WAN address from the host.

AR3 replies to the ICMP request:

<Huawei>
Aug  5 2014 11:14:42.130.1+00:00 Huawei IP/7/debug_icmp:
ICMP Receive: echo(Type=8, Code=0), Src = 10.1.1.1, Dst = 12.1.1.2, ICMP Id = 0x2802, ICMP Seq = 125

<Huawei>
Aug  5 2014 11:14:42.130.2+00:00 Huawei IP/7/debug_icmp:
ICMP Send: echo-reply(Type=0, Code=0), Src = 12.1.1.2, Dst = 10.1.1.1, ICMP Id = 0x2802, ICMP Seq = 125

<Huawei>
Aug  5 2014 11:14:43.130.1+00:00 Huawei IP/7/debug_icmp:
ICMP Receive: echo(Type=8, Code=0), Src = 10.1.1.1, Dst = 12.1.1.2, ICMP Id = 0x2802, ICMP Seq = 126

<Huawei>
Aug  5 2014 11:14:43.130.2+00:00 Huawei IP/7/debug_icmp:
ICMP Send: echo-reply(Type=0, Code=0), Src = 12.1.1.2, Dst = 10.1.1.1, ICMP Id = 0x2802, ICMP Seq = 126



Hope you enjoy reading this case!

You can find out more by visiting our documentation portal, HERE.


This post was last edited by Iulian at 2018-08-07 01:54.
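
The double translation shown in the session table and in AR3's debug output, modelled as an added Python example that is not part of the original post. The class and function names are hypothetical, and sequential allocation of the new ICMP id is an assumption; the addresses and the ids 1 and 10242 (0x2802) come from the output above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_id: int
    kind: str  # "echo" or "echo-reply"

class HairpinNat:
    """Toy model of AR1's WAN interface: nat server (destination rewrite)
    combined with nat outbound (source and ICMP id rewrite)."""

    def __init__(self, wan_ip, inside_ip, first_id):
        self.wan_ip, self.inside_ip = wan_ip, inside_ip
        self.next_id = first_id  # assumption: ids are handed out sequentially
        self.fwd = {}            # (orig src, orig id) -> new id
        self.rev = {}            # new id -> (orig src, orig id)

    def receive(self, pkt):
        """Return the packet AR1 sends back out of the same interface, or None."""
        if pkt.kind == "echo" and pkt.dst == self.wan_ip:
            key = (pkt.src, pkt.icmp_id)
            if key not in self.fwd:          # first packet creates the session
                self.fwd[key] = self.next_id
                self.rev[self.next_id] = key
                self.next_id += 1
            return Icmp(self.wan_ip, self.inside_ip, self.fwd[key], "echo")
        if pkt.kind == "echo-reply" and pkt.src == self.inside_ip and pkt.dst == self.wan_ip:
            if pkt.icmp_id in self.rev:      # reverse both translations
                host, host_id = self.rev[pkt.icmp_id]
                return Icmp(self.wan_ip, host, host_id, "echo-reply")
        return None                          # no matching session: not forwarded

def ping_through_hairpin():
    """Replay the test above: host 11.1.1.2 pings AR1's WAN address 10.1.1.1."""
    ar1 = HairpinNat("10.1.1.1", "12.1.1.2", first_id=10242)  # id from the session table
    request = Icmp("11.1.1.2", "10.1.1.1", 1, "echo")
    to_ar3 = ar1.receive(request)            # what AR3's debug shows arriving
    reply = Icmp(to_ar3.dst, to_ar3.src, to_ar3.icmp_id, "echo-reply")
    to_host = ar1.receive(reply)             # what the host gets back
    return to_ar3, to_host

if __name__ == "__main__":
    for pkt in ping_through_hairpin():
        print(pkt, hex(pkt.icmp_id))
```

AR3 only ever sees 10.1.1.1 as the source, so its logs cannot attribute the traffic to 11.1.1.2; the NAT session table on AR1 is the only record that ties the two together.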

user_2790689
Created Aug 26, 2014 05:53:08

Thank you.

MauroLatam
Created Feb 21, 2015 15:59:58

Thanks, but how would you do it if you want just to redirect traffic to Internet? I mean, without changing the destination of packets. That is the case of VPN full tunneling.


Thanks.



wissal
MVE Created Apr 22, 2018 15:31:18

useful document, thanks