Internal server, Dns mapping – H3C Technologies H3C SecPath F1000-E User Manual
Internal server
NAT hides the internal network structure, including the identities of internal hosts. However, some internal
hosts such as an internal Web server or FTP server may need to be accessed by external hosts. NAT
satisfies this need by supporting internal servers.
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the private IP address and port number of the internal server. For instance, you can configure an
address like 20.1.1.12:8080 as an internal Web server's external address and port number.
As the figure below shows, when the NAT device receives a packet destined for the public IP address of
an internal server, it looks in the NAT entries and translates the destination address and port number in
the packet to the private IP address and port number of the internal server. When the NAT device receives
a response packet from the internal server, it translates the source private IP address and port number of
the packet into the public IP address and port number of the internal server.
Figure 3 Internal server operation
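The two translations described above can be modeled as lookups in a static mapping table. The following Python sketch is an added example, not H3C code or configuration: the class and method names are hypothetical, the addresses come from the figure labels on this page, and the client port 40000 and the role of 1.1.1.2 as the external host are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class InternalServerNat:
    """Simplified model: static table lookups only, no session tracking."""

    def __init__(self):
        self._by_public = {}   # (proto, public_ip, public_port) -> (private_ip, private_port)
        self._by_private = {}  # (proto, private_ip, private_port) -> (public_ip, public_port)

    def add_server(self, proto, public, private):
        pub_key, priv_key = (proto, *public), (proto, *private)
        if pub_key in self._by_public or priv_key in self._by_private:
            raise ValueError("mapping conflicts with an existing internal-server entry")
        self._by_public[pub_key] = private
        self._by_private[priv_key] = public

    def inbound(self, pkt):
        """Request from outside: rewrite destination public -> private."""
        private = self._by_public.get((pkt.proto, *pkt.dst))
        if private is None:
            return None  # no entry: nothing is translated toward the intranet
        return Packet(pkt.proto, pkt.src, private)

    def outbound_reply(self, pkt):
        """Response from the server: rewrite source private -> public."""
        public = self._by_private.get((pkt.proto, *pkt.src))
        if public is None:
            return None
        return Packet(pkt.proto, public, pkt.dst)

    def exposed(self):
        """Audit view: every private service reachable through a public address."""
        return [f"{p} {ip}:{port} -> {priv[0]}:{priv[1]}"
                for (p, ip, port), priv in sorted(self._by_public.items())]

if __name__ == "__main__":
    nat = InternalServerNat()
    nat.add_server("tcp", ("20.1.1.1", 8080), ("192.168.1.3", 8080))  # addresses from the figure labels
    request = Packet("tcp", ("1.1.1.2", 40000), ("20.1.1.1", 8080))   # client port 40000 is constructed
    print(nat.inbound(request))
    print(nat.outbound_reply(Packet("tcp", ("192.168.1.3", 8080), ("1.1.1.2", 40000))))
    print(nat.inbound(Packet("tcp", ("1.1.1.2", 40000), ("20.1.1.1", 22))))  # unmapped port -> None
    print(nat.exposed())
```

The `exposed()` listing is the part worth reviewing on a real device: each internal server entry is a deliberate opening through the address hiding that NAT otherwise provides.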
DNS mapping
Generally, the DNS server and users that need to access internal servers reside on the public network.
You can specify an external IP address and port number for an internal server on the public network
interface of a NAT device, so that external users can access the internal server using its domain name or
public IP address. In the figure below, an internal host wants to access an internal Web server by using
its domain name, while the DNS server is located on the public network. Typically, the DNS server replies
with the public address of the internal server to the host, and thus the host cannot access the internal
server. The DNS mapping feature can solve this problem.
Figure 4 Operation of NAT DNS mapping
[Figure labels recovered from the page: Host, Server, NAT, Intranet, Internet; addresses 192.168.1.3, 192.168.1.1, 20.1.1.1, 1.1.1.2. Packet labels: Dst 20.1.1.1:8080, Dst 192.168.1.3:8080, Src 192.168.1.3:8080, Src 20.1.1.1:8080. NAT entry: Direction Inbound, Before NAT 20.1.1.1:8080, After NAT 192.168.1.3:8080.]