NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)

Latest reply: Sep 30, 2018 11:30:57 5570 3 0 0

[Image: NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)-1315835-1]

VPN A and VPN B need to access the Internet. In the lab above, we only need to ping IP address 202.100.1.2 to test Internet access.

What should we do now? The first step is to configure all IP addresses. VPN instances are strange to me, so I need to deal with them later. Just forget about them right now.

We can discuss easy IP first. What’s easy IP? Easy IP allows hosts to access the Internet using a temporary public address, which is the same as my current Juniper firewall SSG20 using China Telecom EPON PPPoE dialup.

[Image: NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)-1315835-2]


The example seems easy, but if you try to configure it by yourself without a reference, it’s still a task. If you want to ping 200.100.1.1 from client1, it’s easy using a routing protocol, but here we have to use NAT.

I configure ACL rule 2000 to permit 192.168.0.x out and then apply NAT outbound 2000 on GE0/0/1 of Router. After that, I can ping 200.100.1.1.

[Router]display nat outbound
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/1         2000                    200.100.1.2    easyip
 --------------------------------------------------------------------------

I can see that the type is easyip. The answer has a default route. This kind of mode can only use one public IP address.

So let’s talk about the mode of using several public IP addresses---NAT Pool.

[Image: NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)-1315835-3]


I can’t ping 202.169.10.201; it turns out I forgot to configure an IP address for GE 0/0/0. While pinging, I can see the NAT sessions as below:

[Router]display nat session all
  NAT Session Table Information:

     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 192.168.20.2
     DestAddr  Vpn     : 202.169.10.201
     Type Code IcmpId  : 0   8   20773
     NAT-Info
       New SrcAddr     : 202.169.10.125
       New DestAddr    : ----
       New IcmpId      : 10256

     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 192.168.20.2
     DestAddr  Vpn     : 202.169.10.201
     Type Code IcmpId  : 0   8   20772
     NAT-Info
       New SrcAddr     : 202.169.10.125
       New DestAddr    : ----
       New IcmpId      : 10255

  Total : 2

We can also see that this kind of NAT pool mode is named PAT.

[Router]display nat outbound
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2000                              1       pat
 --------------------------------------------------------------------------
  Total : 1

Sometimes we configure an internal server, such as an HTTP server, and we want outside users to access the server. Here we go.

[Image: NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)-1315835-4]


Error: The address conflicts with the NAT address group IP.

Error: The address conflicts with interface or ARP IP.

So I use nat server protocol tcp global current-interface www inside 192.168.20.2 80 and you can see the effect as below.

[Image: NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)-1315835-5]

I have a second choice and prefer to use FTP.

 nat server protocol tcp global current-interface ftp inside 192.168.20.2 21

This time I can access FTP server remotely with success!

[Image: NAT Series---Easy IP, PAT, NAT Server(Internal Server Access)-1315835-6]


In a word:

[Router]display nat server

  Nat Server Information:
  Interface  : GigabitEthernet0/0/0
    Global IP/Port     : current-interface/21(ftp) (Real IP : 202.169.10.1)
    Inside IP/Port     : 192.168.20.3/21(ftp)
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----
    Description : ----

    Global IP/Port     : current-interface/80(www) (Real IP : 202.169.10.1)
    Inside IP/Port     : 192.168.20.3/80(www)
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----
    Description : ----

  Total :    2
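
An added example, not part of the original post: both mappings in the `display nat server` output above show `Acl number : ----`, so this Python check parses that output and lists published services that have no ACL bound to the mapping or that carry a cleartext protocol. The function names and the cleartext port list are this example's own assumptions.

```python
import re

# Sample input: `display nat server` output from the post, abridged to the
# fields this check reads (blank lines collapsed).
SAMPLE = """\
  Nat Server Information:
  Interface  : GigabitEthernet0/0/0
    Global IP/Port     : current-interface/21(ftp) (Real IP : 202.169.10.1)
    Inside IP/Port     : 192.168.20.3/21(ftp)
    Acl number         : ----

    Global IP/Port     : current-interface/80(www) (Real IP : 202.169.10.1)
    Inside IP/Port     : 192.168.20.3/80(www)
    Acl number         : ----
  Total :    2
"""

# Reviewer's own list of cleartext services (an assumption, not from the post).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
GLOBAL_RE = re.compile(r"(\S+?)/(\d+)(?:\([^)]*\))?(?:\s*\(Real IP : ([\d.]+)\))?")
INSIDE_RE = re.compile(r"([\d.]+)/(\d+)")

def parse_nat_server(text):
    """Return one dict per mapping found in `display nat server` output."""
    entries, iface = [], None
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Interface":
            iface = val
        elif key == "Global IP/Port" and (m := GLOBAL_RE.match(val)):
            # Prefer the resolved "Real IP" over the literal "current-interface".
            entries.append({"interface": iface, "global": m.group(3) or m.group(1),
                            "global_port": int(m.group(2)), "inside": None,
                            "inside_port": None, "acl": None})
        elif key == "Inside IP/Port" and entries and (m := INSIDE_RE.match(val)):
            entries[-1].update(inside=m.group(1), inside_port=int(m.group(2)))
        elif key == "Acl number" and entries and val.isdigit():
            entries[-1]["acl"] = int(val)  # "----" means no ACL and stays None
    return entries

def audit(entries):
    """Flag mappings with no ACL bound or that publish a cleartext service."""
    findings = []
    for e in entries:
        target = f'{e["global"]}:{e["global_port"]} -> {e["inside"]}:{e["inside_port"]}'
        if e["acl"] is None:
            findings.append((target, "no ACL bound to the mapping"))
        if e["inside_port"] in CLEARTEXT_PORTS:
            findings.append((target, "cleartext " + CLEARTEXT_PORTS[e["inside_port"]]))
    return findings
```

Running `audit(parse_nat_server(SAMPLE))` on the output above reports both the FTP and the HTTP mapping twice: once for the missing ACL and once for the cleartext service.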

 

 

 

 


user_2790689
Created Dec 27, 2014 09:25:54 Helpful(0) Helpful(0)

Thank you.

faysalji
Created Sep 30, 2018 11:01:14 Helpful(0) Helpful(0)

Thanks mate:)

If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
Mysterious.color
MVE Created Sep 30, 2018 11:30:57 Helpful(0) Helpful(0)

Thanks for sharing the topology on eNSP.
I can open it and see the configuration.

Passion to learn
