3Com Router User Manual
CHAPTER 21: CONFIGURING IP APPLICATION

Configure DHCP Relay

II. Networking Diagram

Figure 128 Networking diagram of a DHCP relay configuration example (diagram not reproduced: DHCP client host 202.38.160.1 and DHCP server 202.38.160.2 are connected through an intermediate network to the DHCP relay router at 10.110.1.1)

III. Configuration Procedure

1. Configure the DHCP relay router:

    [Router-Ethernet0] ip address 10.110.1.1 255.255.0.0
    [Router-Ethernet0] ip relay-address 202.38.160.2

Configuring the helper address 202.38.160.2 on interface Ethernet 0 tells the router the address of the DHCP server. When it requests configuration information, the DHCP client host sends out a DHCP broadcast message. After receiving the broadcast, the Ethernet interface of the DHCP relay router processes it and sends it to the helper address of the interface, i.e. the DHCP server. The DHCP server returns the generated reply message to the DHCP relay router, and the router passes the reply on to the DHCP client host.

Configuration example of transparent transmission forwarding protocol

I. Configuration Requirements

The host and the TFTP server are not in the same network segment. As the host does not know the IP address of the TFTP server, it sends a request message with the broadcast address as the destination address, so that router A transmits it transparently to the TFTP server.

II. Networking Diagram

Figure 129 Configuration example of transparent transmission forwarding protocol (diagram not reproduced: host 10.110.1.1, router A 202.38.160.1, TFTP server 202.38.160.2, intermediate network)

III. Configuration Procedure

1. Configure Router A:

    [Router] ip relay protocol udp 69
    [Router] interface ethernet 0
    [Router-Ethernet0] ip address 10.110.1.1 255.255.0.0
    [Router-Ethernet0] ip relay-address 202.38.160.2

Troubleshooting DHCP

When DHCP relay or transparent transmission is abnormal, locate the fault with the display commands or with debugging information. Here are some common faults as examples to illustrate the troubleshooting procedure.

Fault 1: The DHCP client host fails to obtain configuration information.

Troubleshooting: perform as follows.
■ Check whether the DHCP server is configured with an address pool for the network segment where the DHCP client host is located.
■ Check whether the DHCP relay router and the DHCP server have routes reachable to each other.
■ Check whether the DHCP relay router is configured with the correct helper address on the client host interface, and whether multiple helper addresses have caused a collision.

Fault 2: The transparent transmission protocol is not forwarded.

Troubleshooting: perform as follows.
■ Display the current forwarding protocol.
■ Display the helper addresses configured for the interface.
■ Check whether there is a reachable route between the source and target equipment of the transparent transmission.
■ Check whether the transparent transmission router itself is configured with services of the protocol being transmitted transparently.

Configure Network Address Translation (NAT)

Network Address Translation (NAT), also known as address proxy, lets hosts on a private network access an external network.

Private Network Address and Public Network Address

A private address is the address of an internal network or host computer. A public address is a globally unique IP address on the Internet. The Internet address allocation organization prescribes that the following IP addresses are reserved as private addresses:
■ 10.0.0.0 --- 10.255.255.255
■ 172.16.0.0 --- 172.31.255.255
■ 192.168.0.0 --- 192.168.255.255

That is to say, addresses within these three ranges are never allocated on the Internet. They can be used internally in a unit or a company. Enterprises can select appropriate internal network addresses according to their forecast of the number of internal host computers and networks in the future. The internal network addresses of different enterprises can be the same. Problems are likely to occur if a company selects network segments outside the three ranges above as its internal network address.

Under which condition should the address be translated

Figure 130 Schematic diagram of Network Address Translation (NAT) (diagram not reproduced: WWW clients 10.1.1.48 and 10.1.1.10 on the internal network, the NAT proxy with external address 203.196.3.23, the Internet, and the WWW server 202.18.245.251)

As shown in the diagram above, the address needs to be translated when a host computer of the internal network visits the Internet or communicates with host computers of external networks. The internal network is the 10.0.0.0 segment, while the official external IP address is 203.196.3.23. The internal host computer 10.1.1.48 visits the server 202.18.245.251 outside the network by means of WWW. The host computer 10.1.1.48 sends a data message with source port 6048 and destination port 80. After it passes through the proxy server, the source address and port of the data message will be changed to, for example, 203.196.3.23:32814. The destination address and port remain unchanged. The proxy server maintains a table of corresponding addresses and ports. After the WWW server of the external network returns a result, the proxy server translates the destination IP address and port of the result data message back to 10.1.1.48:6084. In this way, the internal computer 10.1.1.48 is able to visit the external server.

The role Network Address Translation (NAT) plays

During the development of the Internet, Network Address Translation first emerged as a solution to the shortage of Internet addresses. As shown in the diagram below, after address translation PC1 and PC2 have access to resources on the Internet through a modem.

Figure 131 Access the Internet through address translation (diagram not reproduced: PC 1 and PC 2 are connected to a router, which reaches the Internet through a modem)

Mechanism of Network Address Translation (NAT)

Address translation translates the IP address and port number of a host computer in the internal network to an external network address and port number, that is, from <internal address, port> to <external address, port>.

Characteristics of Network Address Translation (NAT)
■ Transparent address allocation to the user (allocation of the external addresses)
■ Achievement of a "transparent routing" effect. Routing here refers to the ability to forward IP messages, not a technique for exchanging routing information.

Advantages and Disadvantages of Network Address Translation (NAT)

Advantages:
■ It enables host computers to visit the resources of the external network through this function.
■ It provides privacy protection for the internal host computers.

Disadvantages:
■ The part of the data message header that carries the IP address cannot be encrypted, as the IP address in the data message needs to be translated. At the application protocol level, FTP link encryption cannot be used; otherwise the FTP port command cannot be translated correctly.
■ Debugging the network becomes more difficult. For instance, when a host machine of the internal network attempts to attack other networks, it is very difficult to pinpoint which computer is the attacking computer, since the IP address of the host machine is shielded.

Performance of Network Address Translation (NAT)

When the bandwidth of the link is below 1 Mbps, address translation has little impact on the performance of the network; in this case the bottleneck of network transmission is the transmission line. When the speed is above 1 Mbps, address translation will have some impact on the performance of the router.

Configure NAT

NAT configuration includes:
■ Configure the address pool
■ Configure the correlation between the access control list and address pool
■ Configure the correlation between the access control list and the interface (EASY IP)
■ Configure the internal server
■ Configure the valid time (timeout) of address translation

1. Configure the address pool

The address pool is a pool of consecutive IP addresses. When an internal data packet goes out to the external network through address translation, one address from the address pool is selected as the translated source address. Please perform the following configuration in the system view.

Table 383 Configure address pool

Operation                  Command
Define one address pool    nat address-group start-addr end-addr pool-name
Delete one address pool    undo nat address-group pool-name

All the addresses in the address pool should be consecutive. At most 64 addresses can be defined in each address pool. An address pool cannot be deleted if it is correlated to an access control list and address translation has started.

2. Configure the correlation between the access control list and address pool

Many-to-many address translation can be implemented after the access control list and the address pool are correlated. The access control list is generated by the rule command. It defines rules, based on the header of the IP data packet and the header of the protocol packet it carries, that permit or deny data packets with certain features. A data packet matched by a NAT configuration goes through address translation before it is forwarded. A data packet not matched by any NAT configuration goes through the normal forwarding process. The addresses are translated according to this correlation.

When data packets of the internal network are to be transmitted to the external network, it is first determined whether the data packets are permitted by the access control list; then the corresponding address pool is located according to the correlation. The source address is translated into one address in the address pool, and the address translation process is completed.

In the translation correlation table, the information needed for the translation, including the access list, the address pool and the index of the HASH table corresponding to the address pool, is recorded. The HASH table is correlated to the address pool; that is to say, every "data packet that implements address translation using addresses in the address pool" has a record in the HASH table. During translation, the address pool that corresponds to the data packet is found according to the translation relationship; according to the address pool, the HASH table is found and the translation record is written to it. In the restoration process, the address pool is located according to the destination address, and according to the address pool the relevant HASH table is located to carry out the restoration. Please perform the following configuration in the interface view.

Table 384 Configure the correlation between the access control list and address pool

Operation                                                                Command
Add the correlation between the access control list and address pool     nat outbound acl-number address-group pool-name
Delete the correlation between the access control list and address pool  undo nat outbound acl-number address-group pool-name

By default, the access control list is not correlated to any address pool.

3. Configure the correlation between the access control list and the interface (EASY IP feature)

Configuring the correlation between the access control list and the interface is also known as the EASY IP feature. It means taking the IP address of the interface directly as the translated source address during address translation, which applies to two cases: in dial-up access, the user wants to take the interface IP address obtained through negotiation as the translated source address; or the user wants to take the IP address of the interface itself as the translated source address. Please perform the following configuration in the interface view.

Table 385 Configure the correlation between the access control list and the interface

Operation                                                              Command
Add the correlation between the access control list and interface      nat outbound acl-number interface
Delete the correlation between the access control list and interface   undo nat outbound acl-number interface

By default, the access control list is not correlated to any interface.

4. Configure the Internal Server

The user can map an external address, external port number etc. to an internal server, so that the external network can visit the internal server. The mapping table between the internal server and the external network address and port number is configured with the nat server command. During address restoration, the destination address of an external data packet is looked up according to the user's configuration; if it visits the internal server, it is translated to the destination address and port number of the corresponding internal server. During address translation, the source address of the message is looked up to determine whether the message is sent from the internal server. If yes, the source address is translated to the corresponding public network address. The information the user needs to configure includes: external address, external port, internal server address, internal server port, and protocol type. Please perform the following configuration in the interface view.

Table 386 Configure the Internal Server

Operation                   Command
Add one internal server     nat server global global-addr { global-port | any | domain | ftp | pop2 | pop3 | smtp | telnet | www } inside inside-addr { inside-port | any | domain | ftp | pop2 | pop3 | smtp | telnet | www } { protocol-number | ip | icmp | tcp | udp }
Delete one internal server  undo nat server { global | inside } address { port | any | domain | ftp | pop2 | pop3 | smtp | telnet | www } { protocol-number | ip | icmp | tcp | udp }

inside-port is mandatory, ranging from 1 to 65535. If global-port is not defined, its value equals that of inside-port. When deleting an internal server, if the global keyword is used, the external address, port and protocol information must also be provided; if the inside keyword is used, only the internal address and port number need to be provided. The protocol can be TCP, UDP, IP or ICMP.

5. Configure the Timeout of address translation

As the HASH table used in address translation cannot be kept permanently, the user can set up the timeout of address translation for the TCP, UDP and ICMP protocols. If an entry is not used for translation within the configured time, the system deletes the link. Please perform the following configuration in the system view.

Table 387 Configure the Timeout of address translation

Operation                                                         Command
Configure the timeouts of NAT                                     nat aging-time { tcp | udp | icmp } seconds
Restore the default value of the timeout of address translation   nat aging-time default

By default, the timeout for TCP address translation is 240 seconds and 40 seconds for UDP address translation. The timeout for ICMP address translation is 20 seconds.
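The following Python model is an added illustration of steps 1 to 5 above, not code from the manual or from 3Com: an ACL permit rule with a wildcard mask, a pool of at most 64 consecutive addresses, a dynamic translation table keyed by translated address, port and protocol, static nat server mappings that are consulted first in both directions, and the default aging times of 240, 40 and 20 seconds. The round-robin choice of pool address, the starting translated port 32768, and the single-rule ACL are assumptions made for the model.

```python
import ipaddress
# Constructed model of the NAT table described above; not 3Com's implementation.
# Default aging times from Table 387: TCP 240 s, UDP 40 s, ICMP 20 s.
AGING_TIME = {"tcp": 240, "udp": 40, "icmp": 20}

def acl_permit(src, network, wildcard):
    """'rule permit source network wildcard': a 1 bit in the wildcard is don't-care."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return s & care == n & care

class NatTable:
    def __init__(self, pool_start, pool_end):
        first, last = (int(ipaddress.IPv4Address(a)) for a in (pool_start, pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        if not 1 <= len(self.pool) <= 64:  # consecutive addresses, at most 64 per pool
            raise ValueError("address pool must hold 1 to 64 consecutive addresses")
        self.acl = []       # (network, wildcard) permit rules bound with 'nat outbound'
        self.servers = {}   # (global_addr, global_port, proto) -> (inside_addr, inside_port)
        self.dynamic = {}   # (global_addr, global_port, proto) -> [inside_addr, inside_port, last_used]
        self.next_port = 32768  # assumed first translated source port
        self.counter = 0        # round-robin choice of pool address (an assumption)

    def add_server(self, global_addr, global_port, inside_addr, inside_port, proto):
        self.servers[(global_addr, global_port, proto)] = (inside_addr, inside_port)  # 'nat server global ... inside ...'

    def age(self, now):
        """Delete dynamic entries idle for longer than their protocol's aging time."""
        for key in [k for k, v in self.dynamic.items() if now - v[2] > AGING_TIME[k[2]]]:
            del self.dynamic[key]

    def outbound(self, src, sport, proto, now):
        """Translate the source of an inside->outside packet; None = forward untranslated."""
        self.age(now)
        for key, inside in self.servers.items():   # reply sent by an internal server
            if key[2] == proto and inside == (src, sport):
                return key[:2]
        if not any(acl_permit(src, n, w) for n, w in self.acl):
            return None
        for key, entry in self.dynamic.items():    # existing entry: reuse and refresh it
            if key[2] == proto and entry[:2] == [src, sport]:
                entry[2] = now
                return key[:2]
        global_addr = self.pool[self.counter % len(self.pool)]
        self.counter += 1
        key = (global_addr, self.next_port, proto)
        self.next_port = self.next_port + 1 if self.next_port < 65535 else 32768
        self.dynamic[key] = [src, sport, now]
        return key[:2]

    def inbound(self, dst, dport, proto, now):
        """Restore the destination of an outside->inside packet; None = no mapping, drop."""
        self.age(now)
        key = (dst, dport, proto)
        if key in self.servers:
            return self.servers[key]
        if key in self.dynamic:
            self.dynamic[key][2] = now
            return tuple(self.dynamic[key][:2])
        return None
```

A packet from a segment the ACL does not permit is returned as None and would be forwarded without translation, while an inbound packet with no matching entry has nowhere to go and is dropped; an entry that has been idle past its aging time is removed before either lookup.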
Display and Debug NAT

Table 388 Display and debug NAT

Operation                                              Command
Browse the condition of NAT                            display nat [ translations [ global ip-address | inside ip-address ] ]
Clear up the mapping table of NAT                      nat reset
Enable the information debugging of NAT events         debugging nat event
Enable the information debugging of NAT data packets   debugging nat packet

Typical NAT Configuration Example

An enterprise is connected to the WAN by the address translation function, including an internal server.

I. Networking Requirement

An enterprise is connected to the WAN by the address translation function of the 3Com Router series. It is required that the enterprise can access the Internet via serial port 0 of the 3Com Router series, and provide WWW, FTP and SNMP services to the outside, including two WWW servers. The internal network address of the enterprise is 10.110.0.0/16. The enterprise has three legal public network IP addresses, 202.38.160.101 to 202.38.160.103. The internal FTP server address is 10.110.10.1, using the public network address 202.38.160.101. The internal WWW server 1 address is 10.110.10.2. The internal WWW server 2 address is 10.110.10.3, using port 8080 for external communications; the two WWW servers both use the public network address 202.38.160.102. The internal SNMP server address is 10.110.10.4. It is expected to present a uniform server IP address to the outside, using the public network address 202.38.160.103. The internal network segment 10.110.10.0/24 may access the Internet, but PCs on other segments cannot access the Internet. External PCs may access the internal servers.

II. Networking Diagram

Figure 132 NAT configuration case networking diagram 1 (diagram not reproduced: the internal Ethernet of the enterprise with the FTP server, SMTP server, WWW server 1 and WWW server 2 at 10.110.10.1 to 10.110.10.4, internal PCs 10.110.10.100 and 10.110.12.100, the Quidway router, DDN, and an external PC)

III. Configuration Procedure

a. Configure the address pool and access list

    [Router] nat address-group 202.38.160.101 202.38.160.105 pool 1
    [Router] acl 1
    [Router-acl-1] rule permit source 10.110.10.0 0.0.0.255

b. Allow address translation of the segment 10.110.10.0/24

    [Router-Serial0] nat outbound 1 address-group pool

c. Set the internal FTP server

    [Router-Serial0] nat server global 202.38.160.101 inside 10.110.10.1 ftp tcp

d. Set internal WWW server 1

    [Router-Serial0] nat server global 202.38.160.102 inside 10.110.10.2 www tcp

e. Set internal WWW server 2

    [Router-Serial0] nat server global 202.38.160.102 8080 inside 10.110.10.3 www tcp

f. Set the internal SNMP server

    [Router-Serial0] nat server global 202.38.160.103 inside 10.110.10.4 snmp udp
The internal LAN of an enterprise dials up to access the Internet through address translation.

I. Networking Requirement

The internal LAN of an enterprise dials up to access the Internet through serial port S0 by the address translation function of the 3Com Router series.

II. Networking Diagram

Figure 133 NAT configuration case networking diagram 2 (diagram not reproduced: PC A and PC B on the LAN behind the router, which reaches the Internet through a modem)

III. Configuration Procedure

1. Configure the access control list and dialer list

    [Router] acl 1
    [Router-acl-1] rule permit source 10.110.10.0 0.0.0.255
    [Router] dialer listen-rule 1 ip 10.110.10.0 255.255.255.0

2. Configure the dial-up properties of the interface

    [Router-Serial0] physical-mode async
    [Router-Serial0] link-protocol ppp
    [Router-Serial0] ip address ppp-negotiate
    [Router-Serial0] ppp pap local-user 169 password simple 169
    [Router-Serial0] modem
    [Router-Serial0] dialer enable-legacy
    [Router-Serial0] dialer-group 1
    [Router-Serial0] dialer number 169

3. Correlate the address translation list and the interface

    [Router-Serial0] nat outbound 1 interface

4. Configure a default route to serial 0

    [Router] ip route-static 0.0.0.0 0.0.0.0 serial 0

Troubleshooting NAT Configuration

Fault 1: Address translation abnormal

Troubleshooting: Turn on the debug switch for NAT (refer to debugging nat among the debugging commands for the specific operation). According to the debug information displayed on the router, initially locate the failure, and then use other commands to check further. Observe the source address after translation carefully and make sure that it is the expected address; otherwise the configuration of the address pool may be wrong. Meanwhile, make sure that the network being accessed has a route back to the address pool segment. Take into consideration the influence of the firewall and of the access list of the address translation itself on address translation, as well as the route configuration.