Setting up both inbound and outbound 1:1 NAT translation...

 
MDella
Advisor

I've been working with the various Comware based devices such as the F1000 firewall, the A5800 switches, and the MSR30-20 routers.  Specifically I'm trying to figure out how (on the firewall and router) to create a NAT translation that is 1:1 on BOTH inbound and outbound.

 

Currently the problem is that I can get a 1:1 on the inbound (using the nat-server command) however my outbounds ignore the nat-server and use the PAT address grouping for outbound originated traffic.  Specifically I have a public DNS server that the outside world needs to get to. I can get that part working, however when the server contacts the primary for zone transfers, the "originated" packets use the PAT address space rather than the NAT 1:1 address space.

 

The below example has:

     205.140.10.16 -> 172.16.0.16 (tcp/udp port 53)

     172.16.0.16 -> public (shows up as some random address in the 205.140.10.240-244 range)

 

What I wanted was:

     172.16.0.16 -> packet source 205.140.10.16

 

So, here is a cutout of what I'm using:

 

#
 nat address-group 205.140.10.240 205.140.10.244
#
acl number 2000 name authorize_nat_outbound
 rule 100 permit source 172.16.0.0 0.0.3.255
 rule 105 deny
#
interface GigabitEthernet 0/0
 port link-mode route
 nat outbound static
 nat outbound 2000 address-group 1
 nat server protocol tcp global 205.140.10.16 dns inside 172.16.0.16 dns
 nat server protocol udp global 205.140.10.16 dns inside 172.16.0.16 dns
 ip address 205.140.10.199 255.255.255.0
#
interface GigabitEthernet 0/1
 port link-mode route
 ip address 172.16.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 205.140.10.1
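
An added example, not part of the original post: a small Python audit that reads the configuration lines quoted above and flags inside hosts that are published with `nat server` yet also fall inside an ACL bound to an address-group, which is the condition the post reports as sending originated traffic out from the pool. The function names are hypothetical, and the parser assumes only the command forms shown in the post with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines quoted in the post above.
CONFIG = """\
nat address-group 205.140.10.240 205.140.10.244
acl number 2000 name authorize_nat_outbound
 rule 100 permit source 172.16.0.0 0.0.3.255
 rule 105 deny
interface GigabitEthernet 0/0
 nat outbound static
 nat outbound 2000 address-group 1
 nat server protocol tcp global 205.140.10.16 dns inside 172.16.0.16 dns
 nat server protocol udp global 205.140.10.16 dns inside 172.16.0.16 dns
"""

def parse(config):
    """Collect ACL permit rules, ACL-bound outbound NAT and nat server entries."""
    acls, outbound, servers, current = {}, [], [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"acl number (\d+)", line):
            current = m.group(1)
            acls[current] = []
        elif m := re.match(r"rule \d+ permit source (\S+) (\S+)", line):
            # The ACL uses a wildcard mask; ipaddress accepts it as a host mask.
            acls[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"nat outbound (\d+) address-group (\d+)", line):
            outbound.append((m.group(1), m.group(2)))
        elif m := re.match(r"nat server protocol (\w+) global (\S+) \S+ inside (\S+)", line):
            servers.append((m.group(1), m.group(2), m.group(3)))
    return acls, outbound, servers

def pat_egress_findings(config):
    """Return (inside, global, group) for published hosts matched by a PAT ACL."""
    acls, outbound, servers = parse(config)
    findings = set()
    for _proto, global_ip, inside_ip in servers:
        for acl, group in outbound:
            if any(ipaddress.ip_address(inside_ip) in net for net in acls.get(acl, [])):
                findings.add((inside_ip, global_ip, group))
    return sorted(findings)

if __name__ == "__main__":
    for inside, glob, group in pat_egress_findings(CONFIG):
        print(f"{inside}: published as {glob}, but originated traffic matches address-group {group}")
```

A finding here means the host's inbound and outbound public identities can differ, which matters for peers that filter by source address, such as a primary DNS server restricting zone transfers.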