Easy ip, Internal server, Dns mapping – H3C Technologies H3C SecBlade FW Cards User Manual
When response packets arrive, the NAT gateway can forward them to corresponding hosts based on the destination addresses and port numbers.

Easy IP

Easy IP uses the public IP address of an interface on the firewall as the translated source address and uses ACLs to permit only certain internal IP addresses to be NATed.

Internal server

NAT hides the internal network structure as well as the identities of internal hosts. However, internal hosts such as a Web server or an FTP server may need to be accessed by external hosts in practice. NAT satisfies this requirement by supporting internal servers.

With NAT, you can deploy an internal server easily and flexibly. For instance, you can use 20.1.1.10 as the Web server's external address and 20.1.1.11 as the FTP server's external address. You can even use an address like 20.1.1.12:8080 as the Web server's external address.

With an internal server configured, the NAT device, when receiving a packet to the server, translates the destination address of the packet to the internal IP address of the internal server. When a response packet from the internal server arrives, the NAT device translates the private source address of the packet into the public IP address.

DNS mapping

As introduced above, you can specify a public IP address and port number for an internal server on the public network interface of a NAT gateway, so that external users can access the internal server using its domain name or public IP address.

Figure 3 Diagram for NAT DNS mapping operation

In Figure 3, an internal host wants to access an internal server on the same private network by using its domain name, while the DNS server is located on the public network. Typically, the DNS server replies with the public address of the internal server to the host. However, without relevant processing of the NAT device, the host cannot access the internal server using its domain name. In this case, the DNS mapping feature can solve the problem.
A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled device matches the domain name in the message against the DNS mapping entries. If a match is found, the private address of the internal server is found and NAT replaces the public IP address in the reply with the private IP address. Then, the host can use the private address to access the internal server.
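The following is an added example, not part of the H3C manual, that simulates the two lookups described above: the internal server table (public address, port and protocol to private address and port) and the DNS mapping table (domain name to the server's public address, port and protocol). The public addresses 20.1.1.10, 20.1.1.11 and 20.1.1.12:8080 follow the manual's example; the private addresses, domain names and the tables themselves are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InternalServer:
    """Internal server entry: public (ip, port, proto) -> private (ip, port)."""
    public_ip: str
    public_port: int
    protocol: str  # "tcp" or "udp"
    private_ip: str
    private_port: int

@dataclass(frozen=True)
class DnsMapping:
    """DNS mapping entry: domain name -> the server's public ip/port/proto."""
    domain: str
    public_ip: str
    public_port: int
    protocol: str

# Constructed sample tables; public addresses follow the manual's example,
# private addresses and domain names are invented for the demonstration.
INTERNAL_SERVERS = [
    InternalServer("20.1.1.10", 80, "tcp", "192.168.1.10", 80),
    InternalServer("20.1.1.11", 21, "tcp", "192.168.1.11", 21),
    InternalServer("20.1.1.12", 8080, "tcp", "192.168.1.10", 80),
]
DNS_MAPPINGS = [
    DnsMapping("www.example.com", "20.1.1.10", 80, "tcp"),
    DnsMapping("ftp.example.com", "20.1.1.11", 21, "tcp"),
]

def translate_inbound(dst_ip, dst_port, protocol):
    """Destination translation for an internal server; None if no entry matches."""
    for s in INTERNAL_SERVERS:
        if (s.public_ip, s.public_port, s.protocol) == (dst_ip, dst_port, protocol):
            return s.private_ip, s.private_port
    return None

def private_address_for(domain):
    """Match a domain against the DNS mappings, then resolve its private address."""
    for m in DNS_MAPPINGS:
        if m.domain.lower() == domain.lower().rstrip("."):
            hit = translate_inbound(m.public_ip, m.public_port, m.protocol)
            return (m.public_ip, hit[0]) if hit else None
    return None

def rewrite_dns_reply(domain, answers):
    """Replace the mapped public IP in a DNS reply with the private IP; other replies stay unchanged."""
    match = private_address_for(domain)
    if match is None:
        return list(answers)
    public_ip, private_ip = match
    return [private_ip if ip == public_ip else ip for ip in answers]
```

Note that only an answer carrying the mapped public address is rewritten; a reply for an unmapped domain, or one that resolves to some other address, passes through untouched.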