Setting up both inbound and outbound 1:1 NAT translation...

MDella
Advisor


I've been working with the various Comware based devices such as the F1000 firewall, the A5800 switches, and the MSR30-20 routers.  Specifically, I'm trying to figure out how (on the firewall and router) to create a NAT translation that is 1:1 on BOTH inbound and outbound.


Currently the problem is that I can get a 1:1 on the inbound (using the nat-server command); however, my outbounds ignore the nat-server and use the PAT address grouping for outbound originated traffic.  Specifically, I have a public DNS server that the outside world needs to get to. I can get that part working; however, when the server contacts the primary for zone transfers, the "originated" packets use the PAT address space rather than the NAT 1:1 address space.


The below example has:

     205.140.10.16 -> 172.16.0.16 (tcp/udp port 53)

     172.16.0.16 -> public (shows up as some random address in the 205.140.10.240-244 range)


What I wanted was:

     172.16.0.16 -> packet source 205.140.10.16


So, here is a cutout of what I'm using:


#
 nat address-group 1 205.140.10.240 205.140.10.244
#
acl number 2000 name authorize_nat_outbound
 rule 100 permit source 172.16.0.0 0.0.3.255
 rule 105 deny
#
interface GigabitEthernet 0/0
 port link-mode route
 nat outbound static
 nat outbound 2000 address-group 1
 nat server protocol tcp global 205.140.10.16 dns inside 172.16.0.16 dns
 nat server protocol udp global 205.140.10.16 dns inside 172.16.0.16 dns
 ip address 205.140.10.199 255.255.255.0
#
interface GigabitEthernet 0/1
 port link-mode route
 ip address 172.16.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 205.140.10.1
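The asymmetry the post describes (nat server translating only the inbound direction while traffic originated by the inside host falls through to the PAT pool), as an added Python model that is not Comware code and is not part of the original post. The precedence of a static 1:1 entry over the dynamic pool is an assumption of the model, and the `static_map` dict stands in for whatever static NAT entry the platform provides rather than a specific CLI command.

```python
import ipaddress
import random

# Constructed model of the translations in the posted config (not Comware code).
# nat server entries: (proto, global ip, global port) -> (inside ip, inside port)
NAT_SERVER = {
    ("tcp", "205.140.10.16", 53): ("172.16.0.16", 53),
    ("udp", "205.140.10.16", 53): ("172.16.0.16", 53),
}
# acl 2000 rule 100: permit source 172.16.0.0 0.0.3.255 (wildcard mask = /22)
OUTBOUND_ACL = ipaddress.ip_network("172.16.0.0/22")
# nat address-group 1: the PAT pool 205.140.10.240-244
PAT_POOL = [f"205.140.10.{h}" for h in range(240, 245)]


def translate_inbound(proto, dst_ip, dst_port):
    """Public -> inside. nat server rewrites the destination of a matching
    packet; anything else passes through untranslated."""
    return NAT_SERVER.get((proto, dst_ip, dst_port), (dst_ip, dst_port))


def translate_outbound(src_ip, static_map=None, rng=random):
    """Inside -> public, returning the source address the outside world sees.
    Assumption (not stated on the page): a static 1:1 entry, when configured,
    is consulted before the dynamic pool for the traffic it matches.
    With only nat server + nat outbound, an inside host that originates
    traffic never matches nat server and falls through to the PAT pool."""
    if static_map and src_ip in static_map:
        return static_map[src_ip]
    if ipaddress.ip_address(src_ip) in OUTBOUND_ACL:
        return rng.choice(PAT_POOL)   # rule 100 permit -> address-group 1
    return src_ip                     # rule 105 deny -> no translation


def is_symmetric(proto, inside_ip, inside_port, static_map=None):
    """True when traffic originated by the inside host leaves with the same
    global address that nat server advertises for it."""
    globals_for_host = {
        g for (p, g, _gp), (i, ip) in NAT_SERVER.items()
        if p == proto and (i, ip) == (inside_ip, inside_port)
    }
    return translate_outbound(inside_ip, static_map) in globals_for_host


if __name__ == "__main__":
    print("inbound udp/53 ->", translate_inbound("udp", "205.140.10.16", 53))
    print("zone transfer source (posted config):", translate_outbound("172.16.0.16"))
    fix = {"172.16.0.16": "205.140.10.16"}   # the 1:1 mapping the post asks for
    print("zone transfer source (with static 1:1):", translate_outbound("172.16.0.16", fix))
```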