If you need to access a File Storage NAS (NAS) file system from a data center and you do not require high data security, you can connect the on-premises network to the NAS file system by using the NAT Gateway service. This topic describes how to access a NAS file system from a data center by using a NAT gateway.
Create a file system and a mount target
Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.
Create a mount target in a virtual private cloud (VPC). For more information, see Create a mount target.
(Optional) Configure a whitelist
In NAS, each permission group represents a whitelist. To ensure data access security in different scenarios, you can create a custom permission group and add rules to grant different access permissions to specific IP addresses or CIDR blocks.
Log on to the NAS console.
Create a permission group.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Permission Group page, click the General-purpose NAS or Extreme NAS tab. Then, click Create Permission Group.
In the Create Permission Group dialog box, configure the required parameters.
For more information about the parameters, see Required parameters.

Add rules to the permission group.
Find the permission group that you created and click Manage Rules in the Actions column. On the page that appears, click Create Rule. In the Create Rule dialog box, configure the parameters described in the following table.
For more information about the parameters for management rules, see Parameter description.

Click OK.
Apply the permission group to the file system.
Open the File System List page, find the file system and click Manage in the Actions column.
On the Mount Targets page, find the mount target and click Edit Permission Group in the Actions column. Then select the created permission group.

Click OK.
Configure a NAT gateway
You can perform the following steps to mount a NAS file system on a Windows or Linux host that is connected to the Internet. After the file system is mounted, you can upload files to or download files from the file system on the host.
Log on to the VPC console.
Create a NAT gateway. For more information, see Create and manage an Internet NAT gateway.
Note: The VPC in which the NAT gateway resides must be the same as the VPC in which the NAS file system resides.
Bind an EIP to the NAT gateway. For more information, see Apply for EIPs.
Create a DNAT entry. For more information, see Create and manage DNAT entries.
You must configure the parameters that are described in the following table.
Parameter
Description
Select EIP
The public IP address that is generated when you create an EIP.
Select Private IP Address
Select Manual Input and enter the IP address of the mount target for the file system.
To obtain the IP address, you can ping the mount target from the ECS instance on which the file system is mounted. Sample code:
ping 0dc404****-****.cn-hangzhou.nas.aliyuncs.com
For more information about mount targets, see Manage mount targets.
Port Settings
Custom Port: This option is recommended.
NFS file system:
Public Port: ports 111 and 2049.
Private Port: ports 111 and 2049.
Protocol: Select TCP.
SMB file system:
Public Port: port 4456.
Private Port: port 445.
Protocol: Select TCP.
Any Port: This option is not recommended.
All requests to access the EIP are forwarded to the destination NAS file system. We recommend that you specify the ports.
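The following added example (not part of the original topic) audits a list of DNAT entries against the port settings recommended in the table above and reports Any Port entries, non-TCP entries, unexpected port pairs, and missing entries. The record layout (public_port, private_ip, private_port, protocol), the function names, and the sample values are assumptions made for illustration, not a VPC API schema.

```python
# Added example. The record layout below is hypothetical, not a VPC API schema.
# (public_port, private_port) pairs from the Port Settings table.
RECOMMENDED = {
    "nfs": {(111, 111), (2049, 2049)},
    "smb": {(4456, 445)},
}

def is_any(value):
    return str(value).strip().lower() == "any"

def audit_dnat(entries, fs_type, mount_target_ip):
    """Return findings for DNAT entries that forward to the mount target.
    An empty list means the entries match the table for fs_type."""
    expected = RECOMMENDED[fs_type]
    findings, seen = [], set()
    for e in entries:
        if e["private_ip"] != mount_target_ip:
            continue  # entry belongs to another backend, out of scope here
        if is_any(e["public_port"]) or is_any(e["private_port"]):
            findings.append("Any Port: every request to the EIP reaches the file system")
            continue
        pair = (int(e["public_port"]), int(e["private_port"]))
        if e["protocol"].lower() != "tcp":
            findings.append(f"{pair[0]}->{pair[1]}: protocol is {e['protocol']}, expected TCP")
        elif pair not in expected:
            findings.append(f"{pair[0]}->{pair[1]}: not a recommended {fs_type.upper()} port pair")
        else:
            seen.add(pair)
    for pub, priv in sorted(expected - seen):
        findings.append(f"missing: public {pub} -> private {priv} over TCP")
    return findings

# Constructed sample entries; 10.0.0.10 stands in for the mount target IP.
SAMPLE = [
    {"public_port": 2049, "private_ip": "10.0.0.10", "private_port": 2049, "protocol": "TCP"},
    {"public_port": 111, "private_ip": "10.0.0.10", "private_port": 111, "protocol": "UDP"},
    {"public_port": "Any", "private_ip": "10.0.0.10", "private_port": "Any", "protocol": "Any"},
]

if __name__ == "__main__":
    for finding in audit_dnat(SAMPLE, "nfs", "10.0.0.10"):
        print(finding)
```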
Mount the file system
NFS file system
Install an NFS client. For more information, see Step 1: Install an NFS client.
If an NFS client is already installed, skip this step and mount the NFS file system.
Mount the NFS file system. For more information about the mount command parameters, see Parameters.
mount -t nfs4 100.10.xx.xx:/ /mnt
100.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP address with the actual value.
/mnt is the directory on which you want to mount the file system. Replace the directory with the actual value.
SMB file system
Start the Workstation and TCP/IP NetBIOS Helper services. For more information, see Mount an SMB file system on a Windows ECS instance.
Check whether port 445 is in use.
Run the following command:
netstat -ano | findstr ":445"
If the output is similar to the following information, port 445 is in use:
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
4 is the PID of the program that is using port 445.
If port 445 is in use, run the following command in Command Prompt, or press Win+R and type services.msc to open the Services console. Then, check the status of the Server service.
sc query LanmanServer
If the Server service is in the RUNNING state, run the following command in Command Prompt, or press Win+R and type services.msc to open the Services console. Then, stop and disable the Server service. Restart the server and verify that port 445 is no longer in use.
net stop LanmanServer && sc config LanmanServer start= disabled
If the Server service is in the STOPPED state, or port 445 is still in use after the server is restarted, you can run the following command to check the program that is using port 445. After you confirm that the program can be stopped, stop the program and then restart the server.
tasklist /FI "PID eq 4"
4 is the PID in the returned information of the netstat -ano | findstr ":445" command. Replace "4" with the actual value.
Configure local port forwarding.
The default port 445 of the SMB protocol is a high-risk port. By default, the port is blocked by your Internet service provider (ISP). If you want to access NAS from a data center by using a NAT gateway over the Internet, you must configure port forwarding in the data center.
Run the netsh tool on a local Windows client to forward network traffic from port 445 to port 4456.
netsh interface portproxy add v4tov4 listenaddress=192.168.xx.xx listenport=445 connectaddress=100.10.xx.xx connectport=4456
192.168.xx.xx is the IP address of the on-premises server, and 100.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP addresses with the actual values. You can also use 127.0.0.1 as the IP address of the on-premises server.
Note: If the public port of the DNAT entry is port 445 or if the port is set to any port, you do not need to configure local port forwarding. You can directly use the EIP to mount the file system.
Mount the SMB file system. For more information, see Mount an SMB file system on a Windows ECS instance.
net use D: \\192.168.xx.xx\myshare
D is the letter of the destination drive on which you want to mount a file system. Replace the drive letter based on your business requirements.
192.168.xx.xx is the IP address of the on-premises server. You can also use 127.0.0.1. Replace the IP address with the actual value.
myshare is the name of the shared SMB directory. You cannot change the name.
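The following added example (not part of the original topic) automates the port 445 check from the steps above: it parses netstat -ano output and returns the PIDs whose IPv4 listener would collide with a portproxy rule on the chosen listen address. The function name and the sample output are constructed for illustration, and the example assumes that IPv6 listeners do not affect a v4tov4 rule.

```python
import re

# One LISTENING row of `netstat -ano`: proto, local address, foreign address, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def port445_conflicts(netstat_text, listen_address):
    """Return sorted PIDs whose IPv4 listener on port 445 would collide with
    a portproxy rule that listens on listen_address:445."""
    pids = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(2) != "445":
            continue
        local, pid = m.group(1), int(m.group(3))
        if local.startswith("["):
            continue  # IPv6 listener; assumed not to affect the v4tov4 rule
        # A wildcard listener occupies port 445 on every IPv4 address.
        if local in ("0.0.0.0", listen_address):
            pids.add(pid)
    return sorted(pids)

# Constructed sample, modeled on the output shown in the steps above.
SAMPLE = """\
  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    912
  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING    4
  TCP    [::]:445         [::]:0       LISTENING    4
  TCP    0.0.0.0:4450     0.0.0.0:0    LISTENING    2200
"""

if __name__ == "__main__":
    for pid in port445_conflicts(SAMPLE, "127.0.0.1"):
        print(f"port 445 is held by PID {pid}; check it with tasklist before adding the rule")
```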
Verify the mount result
NFS file system
If a result similar to the following information appears after you run the mount command, the mount is successful. You can read data from and write data to the files of the NFS file system.

SMB file system
If you can access the SMB file system from your local File Explorer, the mount is successful. You can read data from and write data to the files of the SMB file system.
If no drive letter is found, you can enter \\192.168.xx.xx\myshare in the File Explorer to access the drive. 192.168.xx.xx is the IP address of the on-premises server. Replace it with the actual value.
