Easy ip, Nat support for vpns, Low-priority address pool – H3C Technologies H3C SecPath F1000-E User Manual


A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name in the reply against the DNS mapping entries. If a match is found, the interface looks up the private address of the internal server and replaces the public IP address in the reply with that private IP address. The host can then use the private address to access the internal server.

Easy IP

Easy IP uses the public IP address of an interface on the firewall as the translated source address to save
IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.

NAT support for VPNs

NAT allows users from different VPNs to access external networks through the same outbound interface, and allows the VPN users to use the same private address space.

1. Upon receiving a request from an MPLS VPN to an external network, NAT replaces the private source IP address and port number with a public IP address and port number, and records the MPLS VPN information, such as the protocol type and route distinguisher (RD).

2. When the response packet arrives, NAT replaces the public destination IP address and port number with the internal IP address and port number, and sends the packet to the target VPN.

This feature can also apply to internal servers so that external users can access an internal host of a VPN. For example, suppose a host in VPN 1 needs to provide Web services for the Internet. It has a private address of 10.110.1.1. To achieve this purpose, configure NAT to use 202.110.10.20 as the public IP address of the host so that the Internet users can use this IP address to access Web services on the host. NAT allows hosts in multiple VPNs to access each other by using the VPN information carried in the external IP address.

Low-priority address pool

An address pool is a set of consecutive public IP addresses used for dynamic NAT. A NAT gateway selects addresses from the address pool and uses them as the translated source IP addresses.

When two devices in a stateful failover implementation carry out NAT, identical address pools must be configured on both devices, to make sure that service traffic is successfully taken over by the other device if one device fails. However, if the devices select the same IP addresses from their address pool and assign them the same port numbers, the reverse sessions on the two devices are identical. As a result, session data cannot be backed up between the devices.

To solve the problem, the low-priority address pool attribute is introduced to NAT. You can configure address pools on the two devices to have different priorities. For example, suppose that two address pools, 100.0.0.1 through 100.0.0.5 (A) and 100.0.0.6 through 100.0.0.10 (B), are configured on the two devices. You can configure A as the low-priority address pool on one device and configure B as the low-priority address pool on the other device. Because addresses in the low-priority address pool are not selected by NAT, the two devices use different addresses as translated source addresses, and thus session data can be backed up successfully.
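The following toy model, added here as an illustration and not part of the H3C manual or the SecPath software, shows both mechanisms described above: a VPN-aware session table that keeps two VPNs with the same private address apart (the RD values 65000:1 and 65000:2 are constructed), and two failover peers whose mirrored low-priority pools never pick the same translated source address for the same flow.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class AddressPool:
    """Consecutive public addresses within one /24 (toy simplification); low-priority pools are never selected."""
    first: str
    last: str
    low_priority: bool = False

    def addresses(self):
        prefix, start = self.first.rsplit(".", 1)
        stop = int(self.last.rsplit(".", 1)[1])
        return [f"{prefix}.{h}" for h in range(int(start), stop + 1)]

class NatGateway:
    """Toy NAT gateway: VPN-aware session table plus priority-aware pool selection."""
    def __init__(self, pools):
        self.pools = pools
        self.sessions = {}  # (rd, private_ip, port, proto) -> (public_ip, public_port)
        self.reverse = {}   # (public_ip, public_port, proto) -> (rd, private_ip, port, proto)
        self._ports = count(1024)

    def usable_addresses(self):
        return [a for p in self.pools if not p.low_priority for a in p.addresses()]

    def translate(self, rd, private_ip, port, proto="tcp"):
        key = (rd, private_ip, port, proto)  # the RD keeps overlapping VPN spaces apart
        if key not in self.sessions:
            addrs = self.usable_addresses()
            public = (addrs[len(self.sessions) % len(addrs)], next(self._ports))
            self.sessions[key] = public
            self.reverse[(public[0], public[1], proto)] = key
        return self.sessions[key]

    def untranslate(self, public_ip, public_port, proto="tcp"):
        return self.reverse.get((public_ip, public_port, proto))

def vpn_overlap_demo():
    """Two VPNs with the same private host and port get distinct public mappings and replies return to the right RD."""
    gw = NatGateway([AddressPool("202.110.10.20", "202.110.10.21")])
    a = gw.translate("65000:1", "10.110.1.1", 5000)
    b = gw.translate("65000:2", "10.110.1.1", 5000)
    return a, b, gw.untranslate(*a)[0], gw.untranslate(*b)[0]

def failover_demo(use_low_priority=True):
    """Reverse session keys two failover peers derive for the same flow, with or without low-priority pools."""
    pools = lambda low_a, low_b: [AddressPool("100.0.0.1", "100.0.0.5", low_a),
                                  AddressPool("100.0.0.6", "100.0.0.10", low_b)]
    dev1 = NatGateway(pools(use_low_priority, False))   # A is low priority on device 1
    dev2 = NatGateway(pools(False, use_low_priority))   # B is low priority on device 2
    k1 = dev1.translate("65000:1", "10.110.1.1", 5000) + ("tcp",)
    k2 = dev2.translate("65000:1", "10.110.1.1", 5000) + ("tcp",)
    return k1, k2
```

Calling failover_demo(False) reproduces the collision the text warns about: both peers derive the identical reverse session key, so the session could not be backed up.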

NOTE:

For more information about stateful failover, see High Availability Configuration Guide.
