05-Layer 3 - IP Services Command Reference

05-NAT Commands

NOTE:

Only the cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, SPE-1020-E-II, IM-NAT, and IM-NAT-II support NAT service interface configuration.

 

connection-limit apply policy

Syntax

connection-limit apply policy policy-number

undo connection-limit apply policy policy-number

View

NAT service interface view

Default level

2: System level

Parameters

policy-number: Connection limit policy number, in the range of 0 to 255.

Description

Use the connection-limit apply policy command to apply a connection limit policy to the NAT service interface.

Use the undo connection-limit apply policy command to remove the application.

Note the following:

·           A NAT interface can be associated with only one policy.

·           To modify a policy that is already applied to the interface, first use the undo connection-limit apply policy command to remove the application.

·           The connection limit policy to be bound must have been configured.

·           If no connection limit policy is matched, the default connection limit policy is used.

Examples

# Bind connection limit policy 0 to NAT service interface 3/0/1.

<Sysname> system-view

[Sysname] interface nat 3/0/1

[Sysname-NAT3/0/1] connection-limit apply policy 0

connection-limit log enable

Syntax

connection-limit log enable

undo connection-limit log enable

View

NAT service interface view

Default level

2: System level

Parameters

None

Description

Use the connection-limit log enable command to enable the connection limit logging function.

Use the undo connection-limit log enable command to disable the function.

By default, the connection limit logging function is disabled.

Only the cards IM-NAT and IM-NAT-II support this function.

Examples

# Enable the connection limit logging function.

<Sysname> system-view

[Sysname] interface nat 3/0/1

[Sysname-NAT3/0/1] connection-limit log enable

connection-limit policy

Syntax

connection-limit policy policy-number

undo connection-limit policy { policy-number | all }

View

System view

Default level

2: System level

Parameters

policy-number: Connection limit policy number, in the range of 0 to 255.

all: Specifies all connection limit policies.

Description

Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view.

Use the undo connection-limit policy command to delete a specified or all connection limit policies.

Note that:

·           A connection limit policy contains a set of rules that limit the specified connections. By default, the connection limit mode and the maximum connection rate follow the default configuration.

·           When you create a connection limit policy, you assign it a number that uniquely identifies the policy.

·           You can modify an existing rule in a policy only before the policy is bound to a NAT module. Whether or not the policy is bound, you can add rules to or delete rules from it.

·           If a connection limit policy contains multiple rules, the rule whose source IP address has the longest mask is matched first.

Examples

# Create a connection limit policy numbered 1 and enter its view.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1]

display connection-limit policy

Syntax

display connection-limit policy { policy-number | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

policy-number: Number of a connection limit policy.

all: Displays all connection limit policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display connection-limit policy command to display a specific or all connection-limit policies.

Related commands: limit source.

Examples

# Display all connection limit policies configured.

<Sysname> display connection-limit policy all

There are 2 policies:

Connection-limit policy 0, refcount 0, 3 limits

limit 0 source 11.0.0.0 32 vpn-instance 1 amount other 10000

limit 8000 source 12.0.0.0 31 vpn-instance 1 bandwidth 123 shared

limit 12000 source 13.0.0.0 31 vpn-instance 1 rate 1

 

Connection-limit policy 1, refcount 0, 1 limit

limit 9999 source any rate 200 shared

Table 1 Output description

Field                     Description
Connection-limit policy   Number of the connection limit policy.
refcount 0, 3 limits      Number of times the policy is referenced, and number of rules in the policy.
limit                     Number of rules in the policy. For more information, see the limit command in connection limit policy view.

 

display connection-limit statistics

Syntax

display connection-limit statistics [ ip user-ip ] [ vpn-instance vpn-instance-name ] interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

ip user-ip: Specifies the IP address of a user.

vpn-instance vpn-instance-name: Specifies the MPLS VPN instance that connections belong to. A VPN instance name is a case-sensitive string of 1 to 31 characters. Without this option, this command displays the connection statistics of users belonging to a public network rather than an MPLS VPN instance.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display connection-limit statistics command to display connection limit statistics.

Note the following:

·           This command takes effect only on the IM-NAT and IM-NAT-II cards.

·           With the ip user-ip option, the command displays only the connection limit statistics of the specified user.

·           In shared segment mode, use the display connection-limit statistics interface command to display connection limit statistics of all users.

·           In non-shared segment mode, use the display connection-limit statistics total interface command to display connection limit statistics of all users.

·           If you specify the IP address of a user without specifying a VPN instance, this command displays connection limit statistics for the user on the public network, not for a user in any MPLS VPN instance.

·           If no IP address or VPN instance is specified, this command displays connection limit statistics for all VPN domains and non-VPN domains.

Examples

# Display connection limit statistics for IP address 2.2.2.2 in VPN instance vpn1 on interface NAT 3/0/1.

<Sysname> display connection-limit statistics ip 2.2.2.2 vpn-instance vpn1 interface nat 3/0/1

  IP-address   VPN-instance      Amount    Bytes

  2.2.2.2       vpn1              100       ---

Table 2 Output description

Field          Description
IP-address     Source IP address.
VPN-instance   Name of the MPLS VPN instance that the IP address belongs to. Public specifies the public network address.
Amount         Number of connections allowed.
Bytes          Number of bytes (in kbps). This field is not supported on the router.

 

display connection-limit statistics total

Syntax

display connection-limit statistics total interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display connection-limit statistics total command to display total connection limit statistics, including the total number of users and number of connections established at present.

This command takes effect only on the IM-NAT and IM-NAT-II cards.

Examples

# Display total limit statistics on interface NAT 3/0/1.

<Sysname> display connection-limit statistics total interface nat 3/0/1

Total connection-limit statistics information:

Users: 200

Connections: ---

 

 

NOTE:

The router does not support displaying the total number of established connections.

 

display interface

Syntax

display interface nat-interface [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

nat-interface: Number of the NAT service interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display interface nat-interface command to display address translation statistics on the NAT service interface.

Examples

# Display address translation statistics on the NAT service interface on an SPE-1010-II, SPE-1010-E-II, SPE-1020-II, or SPE-1020-E-II card.

<Sysname> display interface NAT 4/0/1

NAT5/0/1 current state: UP

Line protocol current state: DOWN

Description: NAT5/0/1 Interface

Internet protocol processing : disabled

NAT input packet of each VCPU:

  0       0       0       0

  159882  159882  161434  161434

  161434  161434  159882  159882

  144359  144358  144358  144359

NAT Output packet of each VCPU:

  0       0       0       0

  159882  159882  161434  161434

  161434  161434  159882  159882

  144359  144358  144358  144359

NAT input  packet count: total 1862698  error 0

NAT Output packet count: total 1862698  error 0

# Display address translation statistics on the NAT service interface on an IM-NAT or IM-NAT-II card.

<Sysname> display interface NAT 4/0/1

NAT4/0/1 current state: UP

Line protocol current state: DOWN

Description: NAT4/0/1 Interface

Internet protocol processing : disabled

Session log : disable

BlackList   : enable, log disable

Session Entry : 0

 ------ Packets Received     : 50454521

 ------ TCP Packets Sent     : 0

 ------ UDP Packets Sent     : 2823732

 ------ ICMP Packets Sent    : 0

 ------ Fragments Sent       : 0

 ------ Unknown Packets Sent : 0

Table 3 Output description

Field                                            Description
NAT4/0/1 current state: UP                       The NAT service interface is up.
Line protocol current state                      Link layer protocol state.
Description                                      Interface name.
Internet protocol processing                     Whether the network layer protocol is enabled.
NAT input packet of each VCPU                    Total number of NAT packets received by each VCPU.
NAT Output packet of each VCPU                   Total number of NAT packets sent by each VCPU.
NAT input packet count                           Total number of received NAT packets.
NAT Output packet count                          Total number of sent NAT packets.
Session log : enable                             The logging function is enabled.
BlackList   : enable, mode PerUsr, log disable   The blacklist function is enabled. The blacklist logging function is not enabled.
Session Entry                                    Number of session entries. Use the display session statistics command in Session Management in the Security Command Reference to display the statistics of the session entries.
Packets Received                                 Total number of packets received by the NAT service card.
TCP Packets Sent                                 Total number of TCP packets sent by the NAT service card.
UDP Packets Sent                                 Total number of UDP packets sent by the NAT service card.
ICMP Packets Sent                                Total number of ICMP packets sent by the NAT service card.
Fragments Sent                                   Total number of fragments sent by the NAT service card.
Unknown Packets Sent                             Total number of unknown packets sent by the NAT service card.

 

display nat address-group

Syntax

display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

group-number: NAT address group number, in the range of 0 to 511. If this argument is not provided, information of all NAT address pools is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat address-group command to display the NAT address pool information.

Related commands: nat address-group.

Examples

# Display the NAT address pool information.

<Sysname> display nat address-group

NAT address-group information:

  There are currently 3 nat address-group(s)

  1     : from 1.0.0.1           to 1.0.0.64

  2     : from 1.0.1.1           to 1.0.1.64

  3     : from 1.0.2.2           to 1.0.2.2

# Display the information of NAT address group 1.

<Sysname> display nat address-group 1

NAT address-group information:

  1     : from 202.110.10.10     to 202.110.10.15

Table 4 Output description

Field                                        Description
NAT address-group information                NAT address pool information.
There are currently 3 nat address-group(s)   There are currently three NAT address groups.
1 : from 202.110.10.10 to 202.110.10.15      The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15.

 

display nat all

Syntax

display nat all [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat all command to display all NAT configuration information.

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address-group information:

  There are currently 3 nat address-group(s)

  1     : from 66.1.1.1     to 66.1.1.10

  2     : from 99.1.1.1     to 99.1.1.64

  3     : from 88.1.1.1     to 88.1.1.10

 

NAT bound information:

  There are currently 1 nat bound rule(s)

  Interface: GigabitEthernet3/1/2

    Direction: outbound  ACL: 3009  Address-group: 2---  NO-PAT: N

    VPN-instance: ---

    Out-interface: ---

    Next-hop: ---

    Status: Active

 

NAT server in private network information:

  There are currently 1 internal server(s)

  Interface: GigabitEthernet13/1/2, Protocol: 17(udp)

    Global:        59.1.1.59 : 0(any)

    Local :       59.1.1.100 : 0(any)

    Status: Active

 

NAT static information:

  There are currently 2 NAT static configuration(s)

  net-to-net:

    Local-IP        : 59.0.0.0

    Global-IP       : 44.0.0.0

    Netmask         : 255.0.0.0

    Unidirectional  : N

    Local-VPN       : ---

    Global-VPN      : ---

    Destination     : ---

    Destination Mask: ---

    Out-interface   : ---

    Next-hop        : ---

    Status          : Active

 

    Local-IP        : 77.0.0.0

    Global-IP       : 69.0.0.0

    Netmask         : 255.0.0.0

    Unidirectional  : N

    Local-VPN       : ---

    Global-VPN      : ---

    Destination     : ---

    Destination Mask: ---

    Out-interface   : ---

    Next-hop        : ---

    Status          : Active    

Table 5 Output description

Field                                        Description
NAT address-group information                NAT address pool information.
There are currently 3 nat address-group(s)   For descriptions of the specific fields, see the display nat address-group command.
NAT bound information                        Configuration information about internal-to-external address translation. For descriptions of the specific fields, see the display nat bound command.
NAT server in private network information    Internal server information. For descriptions of the specific fields, see the display nat server command.
NAT static information                       Information about static NAT. For descriptions of the specific fields, see the display nat static command.

 

display nat bound

Syntax

display nat bound [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat bound command to display the NAT configuration information.

Related commands: nat inbound and nat outbound.

Examples

# Display the NAT configuration information.

<Sysname> display nat bound

NAT bound information:

  There are currently 3 nat bound rule(s)

  Interface:Vlan-interface10

    Direction: outbound  ACL: 2000  Address-group: 319  NO-PAT: Y

    VPN-instance: vpn1

    Out-interface: ---

    Next-hop: 100.100.100.1

    Status: Inactive

 

  Interface:Vlan-interface10

    Direction: inbound   ACL: 3000  Address-group: 300  NO-PAT: N

    VPN-instance: vpn2

    Out-interface: Vlan-interface200

    Next-hop: 100.100.110.1

    Status: Inactive

 

  Interface:Vlan-interface20

    Direction: outbound  ACL: 2001  Address-group: ---  NO-PAT: N

    VPN-instance: ---

    Out-interface: ---

    Next-hop: ---

Table 6 Output description

Field                   Description
NAT bound information   Configured NAT address translation information.
Interface               The interface associated with a NAT address pool.
Direction               Address translation direction: inbound or outbound.
ACL                     ACL number.
Address-group           Address group number. The field is displayed as null in Easy IP mode.
VPN-instance            VPN instance name of the private network to which the NAT address pool belongs. Displayed as "---" if not configured.
Output-interface        The specified outbound interface. Displayed as "---" if not configured.
Next-hop                The specified next hop address. Displayed as "---" if not configured.
Status                  Current status of the configuration: active or inactive.
NO-PAT                  Whether NO-PAT mode is supported.

 

display nat dns-map

Syntax

display nat dns-map [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat dns-map command to display NAT DNS mapping configuration information.

Related commands: nat dns-map.

Examples

# Display NAT DNS mapping configuration information.

<Sysname> display nat dns-map

NAT DNS mapping information:

  There are currently 2 NAT DNS mapping(s)

  Domain-name: www.server.com

  Global-IP  : 202.113.16.117

  Global-port: 80(www)

  Protocol   : 6(tcp)

 

  Domain-name: ftp.server.com

  Global-IP  : 202.113.16.100

  Global-port: 21(ftp)

  Protocol   : 6(tcp)

Table 7 Output description

Field                                  Description
NAT DNS mapping information            NAT DNS mapping information.
There are currently 2 DNS mapping(s)   There are two DNS mapping entries.
Domain-name                            Domain name of the internal server.
Global-IP                              Public IP address of the internal server.
Global-port                            Public port number of the internal server.
Protocol                               Protocol type of the internal server.

 

display nat server

Syntax

display nat server [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat server command to display information about internal servers.

Related commands: nat server.

Examples

# Display information about internal servers.

<Sysname> display nat server

NAT server in private network information:

  There are currently 2 internal server(s)

  Interface: Vlan-interface10, Protocol: 6(tcp)

    Global: 100.100.120.120 : 21(ftp)

    Local : 192.168.100.100 : 21(ftp)

    Status: Inactive

 

  Interface: Vlan-interface11, Protocol: 6(tcp)

    Global: 100.100.100.121 : 80(www)

    Local : 192.168.100.101 : 80(www)           

    Status: Inactive

Table 8 Output description

Field                                   Description
Server in private network information   Information about internal servers.
Interface                               Internal server interface.
Protocol                                Protocol type.
Global                                  Public IP address and port number of the server, and the VPN instance name that the public address belongs to.
Local                                   Private IP address and port number of the server, and the VPN instance name that the private address belongs to.
Status                                  Current status of the configuration: active or inactive.

 

display nat server-group

Syntax

display nat server-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

group-number: Internal server group number, in the range of 0 to 1023. If this argument is not specified, information of all internal server groups is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat server-group command to display configuration information about internal server groups.

Related commands: nat server-group.

Examples

# Display configuration information about all internal server groups.

<Sysname> display nat server-group

NAT server-group information:

  There are currently 2 NAT server-group(s)

  Server-group   Inside-IP   Port

      1          1.1.1.1     15

      1          1.1.1.2     15

      1          1.1.1.3     15

      2          1.1.2.1     16

Table 9 Output description

Field          Description
Server-group   Internal server group number.
Inside-IP      IP address of an internal server.
Port           Port number of the internal server.

 

display nat static

Syntax

display nat static [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat static command to display static NAT entries and interface(s) with static NAT enabled.

Related commands: nat outbound static and nat static.

Examples

# Display static NAT entries and interface(s) with static NAT enabled.

<Sysname> display nat static

NAT static information:

  There are currently 2 NAT static configuration(s)

  net-to-net:

    Local-IP        : 59.0.0.0

    Global-IP       : 44.0.0.0

    Netmask         : 255.0.0.0

    Unidirectional  : N

    Local-VPN       : ---

    Global-VPN      : ---

    Destination     : ---

    Destination Mask: ---

    Out-interface   : ---

    Next-hop        : ---

    Status          : Active

 

    Local-IP        : 77.0.0.0

    Global-IP       : 69.0.0.0

    Netmask         : 255.0.0.0

    Unidirectional  : N

    Local-VPN       : ---

    Global-VPN      : ---

    Destination     : ---

    Destination Mask: ---

    Out-interface   : ---

    Next-hop        : ---

    Status          : Active

 

NAT static enabled information:

Interface                         Direction

Vlan-interface11                  out-static

Table 10 Output description

Field                            Description
NAT static information           Configuration information of static NAT.
net-to-net                       Net-to-net static NAT.
Local-IP                         Private IP address.
Global-IP                        Public IP address.
Netmask                          Network mask.
Unidirectional                   Whether only unidirectional address translation is supported.
Local-VPN                        VPN instance that the private IP address belongs to.
Global-VPN                       VPN instance that the public IP address belongs to.
Destination                      Destination network address.
Destination Mask                 Destination network mask.
Output-interface                 Outbound interface.
Next-hop                         Next hop IP address.
Status                           Current status of the configuration: active or inactive.
NAT static enabled information   Information about static NAT enabled on the interface(s).

 

inside ip

Syntax

inside ip inside-ip port port-number

undo inside ip inside-ip

View

Internal server group view

Default level

2: System level

Parameters

inside-ip: IP address of an internal server.

port port-number: Port number of the internal server, in the range of 1 to 65535.

Description

Use the inside ip command to add a member into an internal server group.

Use the undo inside ip command to remove a member from the internal server group.

Note that:

·           Only the IM-NAT and IM-NAT-II cards support this function.

·           Each member in the internal server group should have a different IP address.

·           You can configure up to eight internal servers in a group.

Examples

# Add a member with IP address 10.110.10.20 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.110.10.20 port 30

limit source

Syntax

limit limit-id source { user-ip mask-length | any } [ vpn-instance vpn-instance-name ] { amount { dns max-amount | http max-amount | other max-amount | tcp max-amount } * | { bandwidth max-bandwidth | rate max-rate } } * [ shared ]

undo limit limit-id [ source { user-ip mask-length | any } [ vpn-instance vpn-instance-name ] { amount { dns max-amount | http max-amount | other max-amount | tcp max-amount } * | { bandwidth max-bandwidth | rate max-rate } } * [ shared ] ]

View

Connection limit policy view

Default level

2: System level

Parameters

limit-id: Number of a rule in the connection limit policy. The value range is as follows:

·           Host limit mode: 0 to 7999.

·           Non-shared segment limit mode: 12000 to 12999.

·           Shared segment limit mode: 8000 to 11999.

source: Limits connections by source address.

user-ip mask-length: Limits user connections by source IP address. user-ip indicates the source IP address, and mask-length indicates the length of the mask. The value range of mask-length can be:

·           32 bits when the IP address of a user is specified (Host limit mode).

·           1 to 31 bits when the IP address of a network segment is specified (Shared and Non-shared segment limit modes).

any: Limits connections sourced from the public network or VPN instance. This keyword is not available when a source IP address is specified (Host limit mode).

vpn-instance vpn-instance-name: Specifies the name of the VPN instance to which the source IP address belongs, a case-sensitive string of 1 to 31 characters. Absence of this argument indicates that the source IP address belongs to a public network rather than an MPLS VPN instance.

amount: Specifies connection limits.

dns max-amount: Specifies the upper limit of DNS connections, in the range of 1 to 1000000.

http max-amount: Specifies the upper limit of HTTP connections, in the range of 1 to 1000000.

other max-amount: Specifies the upper limit for connections of other protocols, in the range of 1 to 1000000.

tcp max-amount: Specifies the upper limit of TCP connections, in the range of 1 to 1000000.

bandwidth max-bandwidth: Specifies the bandwidth limit of the connection limit policy, in Mbps, in the range of 1 to 2097151.

rate max-rate: Specifies the rate limit of the connection limit policy, in connections per second, in the range of 1 to 262143.

shared: Limits connections from the specified network segment on which all the users share the specified resources. This keyword is supported only in shared segment limit mode.

Description

 

 

NOTE:

·       The amount keyword is available only on the SPE-1010-II, SPE-1010-E-II, SPE-1020-II, SPE-1020-E-II, IM-NAT, and IM-NAT-II cards.

·       The bandwidth and rate keywords are available only on the IM-NAT and IM-NAT-II cards.

 

Use the limit source command to configure a source-IP-address-based connection limit rule, which limits the connection count, connection rate, or bandwidth of matching user connections.

Use the undo limit command to remove a connection limit rule.

Note that:

·           You can specify various limit rules for a connection limit policy.

·           Either a connection rate limit or a bandwidth limit must be configured.

·           You can specify the dns, http, tcp, or other keyword in one limit rule, where other represents other protocols. If you specify the dns, tcp, and http keywords together with the other keyword in one limit rule, other indicates all protocols except DNS, TCP, and HTTP; if you specify none of the dns, tcp, and http keywords, other indicates all protocol types.

·           If the keyword any is specified, the set limits apply to all users; if the MPLS VPN is also specified, the set limits apply to all users of the VPN instance.

Related commands: display connection-limit policy and connection-limit policy.

Examples

# Configure a rule for connection limit policy 1 to limit TCP connections sourced from 1.1.1.1 to 200.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] limit 1 source 1.1.1.1 32 amount tcp 200
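The following Python model is an added illustration of how a policy built from limit source rules admits or rejects new connections; it is not H3C code and the card's real algorithm is not described by the reference. It models the three points above: a 32-bit source is host mode, a shorter prefix is segment mode (per-host counters unless shared is given), any counts all users together, and other catches every class the rule does not name explicitly. The classification of DNS as any protocol to port 53 and HTTP as TCP to port 80, and first-matching-rule-wins ordering, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative model (not H3C code) of a connection limit policy built from
# `limit ... source ... amount` rules. Assumptions: DNS = any protocol to
# port 53, HTTP = TCP to port 80, first matching rule decides.


def candidate_classes(proto: str, dst_port: int) -> List[str]:
    """Classes a connection may be counted under, most specific first.

    `other` is always last: it covers every class the rule did not name,
    and all protocols when the rule names none of dns/http/tcp.
    """
    classes = []
    if dst_port == 53:
        classes.append("dns")
    if proto == "tcp":
        if dst_port == 80:
            classes.append("http")
        classes.append("tcp")
    classes.append("other")
    return classes


@dataclass
class LimitRule:
    # None models the `any` keyword; a /32 is host limit mode; a shorter
    # prefix is segment limit mode (shared or non-shared).
    source: Optional[ipaddress.IPv4Network]
    amounts: Dict[str, int]            # {"tcp": 200} models `amount tcp 200`
    shared: bool = False               # `shared` keyword: one counter for the segment
    counts: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        return self.source is None or src in self.source

    def bucket(self, src: ipaddress.IPv4Address) -> str:
        # `any` and shared segment rules count all users together; non-shared
        # segment rules (and host rules) keep a counter per source address.
        if self.source is None or self.shared:
            return "shared"
        return str(src)

    def admit(self, src: ipaddress.IPv4Address, proto: str, dst_port: int) -> bool:
        for cls in candidate_classes(proto, dst_port):
            if cls not in self.amounts:
                continue
            key = (self.bucket(src), cls)
            used = self.counts.get(key, 0)
            if used >= self.amounts[cls]:
                return False           # limit reached: new connection rejected
            self.counts[key] = used + 1
            return True
        return True                    # rule sets no limit for this class


class ConnectionLimitPolicy:
    """A `connection-limit policy N` holding several `limit` rules."""

    def __init__(self, rules: List[LimitRule]):
        self.rules = rules

    def admit(self, src_ip: str, proto: str, dst_port: int) -> bool:
        src = ipaddress.IPv4Address(src_ip)
        for r in self.rules:
            if r.matches(src):
                return r.admit(src, proto, dst_port)
        return True                    # no rule matched: this policy does not limit it


def rule(source: Optional[str], shared: bool = False, **amounts: int) -> LimitRule:
    """Build a rule from CLI-like arguments, e.g. rule("1.1.1.1/32", tcp=200)."""
    net = ipaddress.ip_network(source) if source is not None else None
    return LimitRule(net, amounts, shared)
```

With the rule from the example above (tcp 200 for host 1.1.1.1), the 201st TCP connection from that host is refused, an HTTP connection is counted under the tcp limit because the rule names no http amount, and UDP traffic from the host is not limited at all.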

nat address-group

Syntax

nat address-group group-number start-address end-address

undo nat address-group group-number

View

System view

Default level

2: System level

Parameters

group-number: Index of the address pool, in the range of 0 to 511.

start-address: Start IP address of the address pool.

end-address: End IP address of the address pool. The end-address cannot be smaller than the start-address.

You can add up to 255 IP addresses to an address pool.

Description

Use the nat address-group command to configure an address pool for NAT.

Use the undo nat address-group command to remove an address pool.

An address pool consists of a set of consecutive IP addresses. When an internal packet is to be forwarded to the external network, an address is selected from the pool to replace the original source address. If the start-address and end-address parameters have the same value, there is only one IP address in the address pool.

Note that:

·           You cannot remove an address pool that has been associated with an ACL.

·           An address pool is not needed in the case of Easy IP where the interface’s public IP address is used as the translated IP address.

Related commands: display nat address-group.

Examples

# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.

<Sysname> system-view

[Sysname] nat address-group 1 202.110.10.10 202.110.10.15

nat binding

Syntax

nat binding interface interface-type interface-number

undo nat binding interface interface-type interface-number

View

NAT service interface view

Default level

2: System level

Parameters

interface interface-type interface-number: Specifies an interface to be bound to the NAT service interface.

Description

Use the nat binding command to bind a NAT-capable interface with the current NAT service interface.

Use the undo nat binding command to remove a binding.

NOTE:

·       A NAT service interface can be bound with multiple NAT-capable interfaces. A NAT-capable interface can be bound with only one NAT service interface.

·       An interface bound with a NAT service interface cannot serve as the outbound interface for QoS redirection. This is because all outbound packets of the interface will be processed by the NAT service card, making QoS redirection ineffective.

Examples

# Configure ACL 2000, permitting packets from 10.110.10.0/24.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2000] rule deny

[Sysname-acl-basic-2000] quit

# Configure an address pool.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# Enable NAT to use addresses from address pool 1 and the port information.

[Sysname] interface vlan-interface 1000

[Sysname-Vlan-interface1000] nat outbound 2000 address-group 1

[Sysname-Vlan-interface1000] quit

# Configure a service interface binding.

[Sysname] interface nat 6/0/1

[Sysname-NAT6/0/1] nat binding interface vlan-interface 1000

nat dns-map

Syntax

nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

undo nat dns-map domain domain-name

View

System view

Default level

2: System level

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a string of no more than 255 case-insensitive characters, consisting of several labels separated by dots (.). Each label contains no more than 63 characters, must begin and end with a letter or digit, and may also contain hyphens (-).

protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.

ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.

port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.

Description

Use the nat dns-map command to map the domain name to the public network information of an internal server.

Use the undo nat dns-map command to remove a DNS mapping.

The router supports up to 16 DNS mappings.

Related commands: display nat dns-map.

Examples

# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the web server using its domain name.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port www

nat inbound

Syntax

nat inbound acl-number address-group group-number [ vpn-instance vpn-instance-name ] [ interface interface-type interface-number [ next-hop ip-address ] ] [ no-pat ]

undo nat inbound acl-number [ address-group group-number [ vpn-instance vpn-instance-name ] [ interface interface-type interface-number [ next-hop ip-address ] ] [ no-pat ] ]

View

Interface view

Default level

2: System level

Parameters

acl-number: ACL number, in the range of 2000 to 3999.

address-group group-number: Specifies an existing address pool. The group-number argument is in the range of 0 to 511.

vpn-instance vpn-instance-name: Specifies the name of the MPLS VPN instance to which the public network address belongs, a case-sensitive string of 1 to 31 characters. Absence of this parameter indicates that the public network address belongs to a common network and does not belong to any MPLS VPN instance.

interface interface-type interface-number: Specifies an outbound interface by its type and number.

next-hop ip-address: Specifies a next hop.

no-pat: Translates IP addresses only, without dealing with the port information.

Description

Use the nat inbound command to associate an ACL with an address pool on the inbound interface. If a packet received from the inbound interface matches the ACL, it is delivered to the NAT service card. Then, the source IP address of the packet will be translated into an address in the address pool group-number.

Use the undo nat inbound command to remove the association.

Note that:

·           Only the IM-NAT and IM-NAT-II cards support this function.

·           You can bind an ACL to only one address pool on an interface; an address pool can be bound to multiple ACLs.

·           In practice, you need to configure a QoS policy on the inbound interface to redirect packets to the NAT service card. QoS policy configuration does not support ACLs with VPN parameters. For how to configure a QoS policy, see ACL and QoS Command Reference.

·           The address pool associated on an inbound interface does not support Easy IP.

Related commands: display nat bound and nat address-group.

Examples

# Enable NAT for hosts in the 10.110.10.0/24 subnet, using addresses 202.110.10.10 to 202.110.10.12 as the external IP addresses. Assume that interface GigabitEthernet 3/1/4 is connected to the internal network.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit vpn-instance vrf11 source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2001] rule deny

[Sysname-acl-basic-2001] quit

[Sysname] acl number 2002

[Sysname-acl-basic-2002] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2002] rule deny

[Sysname-acl-basic-2002] quit

[Sysname] ip vpn-instance vrf10

[Sysname-vpn-instance-vrf10] route-distinguisher 100:001

[Sysname-vpn-instance-vrf10] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance-vrf10] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance-vrf10] quit

# Configure an address pool.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# Configure a QoS policy to redirect packets to NAT 4/0/1.

[Sysname] traffic classifier 1

[Sysname-classifier-1] if-match acl 2002

[Sysname-classifier-1] quit

[Sysname] traffic behavior 1

[Sysname-behavior-1] redirect interface nat 4/0/1

[Sysname-behavior-1] quit

[Sysname] qos policy 1

[Sysname-qospolicy-1] classifier 1 behavior 1

[Sysname-qospolicy-1] quit

[Sysname] interface GigabitEthernet 3/1/4

[Sysname-GigabitEthernet3/1/4] qos apply policy 1 inbound

[Sysname-GigabitEthernet3/1/4] quit

# Associate the inbound interface GigabitEthernet 3/1/4 with NAT 4/0/1.

[Sysname] interface nat 4/0/1

[Sysname-NAT4/0/1] nat binding interface GigabitEthernet 3/1/4

[Sysname-NAT4/0/1] quit

# Associate ACL 2001 and address pool 1 to the inbound interface to perform NAT, with TCP and UDP port numbers translated.

[Sysname] interface GigabitEthernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat inbound 2001 address-group 1 vpn-instance vrf10

# Perform the following configurations if TCP/UDP port numbers are not to be translated.

[Sysname-GigabitEthernet3/1/4] nat inbound 2001 address-group 1 vpn-instance vrf10 no-pat

# Perform the following configurations if a next hop and an outbound interface need to be specified.

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat inbound 2001 address-group 1 vpn-instance vrf10 interface GigabitEthernet 3/1/5 next-hop 3.3.3.3 no-pat

nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ vpn-instance vpn-instance-name ] [ next-hop ip-address ] [ no-pat ] ]

nat outbound acl-number [ next-hop ip-address ]

undo nat outbound acl-number [ address-group group-number [ vpn-instance vpn-instance-name ] [ next-hop ip-address] [ no-pat ] ]

undo nat outbound acl-number [ next-hop ip-address ]

View

Interface view

Default level

2: System level

Parameters

acl-number: ACL number, in the range of 2000 to 3999.

address-group group-number: Specifies an existing address pool for NAT by its index. The group-number argument is in the range of 0 to 511. If no address pool is specified, the IP address of the interface will be used, enabling Easy IP.

vpn-instance vpn-instance-name: Specifies the name of the VPN instance to which the address pool belongs, which indicates inter-VPN access through NAT is supported. A VPN instance name is a case-sensitive string of 1 to 31 characters. Only the IM-NAT and IM-NAT-II cards support this parameter.

next-hop ip-address: Specifies a next hop for packets that need address translation, which can only belong to Class A, B, or C. Only the IM-NAT and IM-NAT-II cards support this parameter.

no-pat: NAT is implemented without using the TCP/UDP port information.

Description

Use the nat outbound command to associate an ACL with an address pool, so that the source IP address of the packet matching the ACL can be translated into an IP address in the address pool specified with the group-number argument.

Use the undo nat outbound command to remove an association.

Note the following:

·           If the group-number argument is not specified, the IP address of the interface will be used as the NATed address of the packet matching the specified ACL.

·           You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to external networks.

·           In the case of Easy IP, if you modify the interface address, you must clear the existing NAT address mapping entry by using the reset session command. Once the new NAT address mapping entry is installed in the NAT address mapping table, the old NAT address mapping cannot be automatically deleted or deleted with the reset session command.

·           When the undo nat outbound command is executed to remove an association, the NAT address mapping entries depending on the association are not deleted; they will be aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access external networks whereas all the other users are not affected. You can also use the reset session command to clear all the NAT address mapping entries, but NAT service will be terminated and all users will have to reinitiate connections.

·           When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.

·           If a packet matches the specified next hop, the packet will be translated using an IP address in the address pool; if not, the packet will not be translated.

·           You can bind an ACL to only one address pool on an interface; an address pool can be bound to multiple ACLs.

NOTE:

For some routers, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address and VPN instance information in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in any two ACL rules are the same, a conflict occurs.

Examples

# Enable NAT for hosts in the 10.110.10.0/24 segment, using addresses 202.110.10.10 to 202.110.10.12 as the external IP addresses. Assume that interface GigabitEthernet 3/1/4 is connected to the external network.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2001] rule deny

[Sysname-acl-basic-2001] quit

# Configure a NAT address pool.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# To use TCP/UDP port information in translation, do the following:

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat outbound 2001 address-group 1

# To ignore the TCP/UDP port information in translation, do the following:

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat outbound 2001 address-group 1 no-pat

# To use the IP address of the GigabitEthernet 3/1/4 interface, do the following:

<Sysname> system-view

[Sysname] interface gigabitethernet3/1/4

[Sysname-GigabitEthernet3/1/4] nat outbound 2001
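The Python model below is an added example, not H3C code, covering two commands from this reference: it applies the constraints documented for nat address-group (end-address not smaller than start-address, at most 255 consecutive addresses, a single address when both are equal) and then shows the practical difference between the nat outbound forms with and without no-pat. The allocation strategy (ascending ports per public address for PAT, one public address pinned per private host for no-pat) and the port range starting at 1024 are assumptions of the model; the card's real allocator is not described by the page.

```python
import ipaddress
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Binding = Tuple[IPv4, int]            # (address, port)

MAX_POOL_ADDRESSES = 255              # reference: up to 255 addresses per address pool


class AddressPool:
    """Model of `nat address-group group-number start-address end-address`."""

    def __init__(self, group_number: int, start: str, end: str):
        if not 0 <= group_number <= 511:
            raise ValueError("group-number must be in the range 0 to 511")
        first, last = IPv4(start), IPv4(end)
        if last < first:
            raise ValueError("end-address cannot be smaller than start-address")
        if int(last) - int(first) + 1 > MAX_POOL_ADDRESSES:
            raise ValueError("an address pool holds at most 255 addresses")
        self.group_number = group_number
        # consecutive addresses; start == end gives a pool of exactly one address
        self.addresses = [IPv4(a) for a in range(int(first), int(last) + 1)]


class OutboundNat:
    """Toy source NAT for `nat outbound acl-number address-group N [ no-pat ]`.

    Illustrative model, not the card's algorithm (assumption): PAT hands out
    ascending ports per public address; no-pat pins each private host to one
    public address and leaves the port untouched.
    """

    def __init__(self, pool: AddressPool, no_pat: bool = False, first_port: int = 1024):
        self.pool = pool
        self.no_pat = no_pat
        self.sessions: Dict[Binding, Binding] = {}   # (src ip, src port) -> (global ip, global port)
        self.host_map: Dict[IPv4, IPv4] = {}         # no-pat: private host -> public address
        self.next_port: Dict[IPv4, int] = {a: first_port for a in pool.addresses}

    def translate(self, src_ip: str, src_port: int) -> Optional[Binding]:
        """Translated (address, port) for a session, or None if the pool is exhausted."""
        key = (IPv4(src_ip), src_port)
        if key in self.sessions:
            return self.sessions[key]                # an existing mapping is reused
        result = self._no_pat(key) if self.no_pat else self._pat()
        if result is not None:
            self.sessions[key] = result
        return result

    def _no_pat(self, key: Binding) -> Optional[Binding]:
        host, port = key
        public = self.host_map.get(host)
        if public is None:
            in_use = set(self.host_map.values())
            free = [a for a in self.pool.addresses if a not in in_use]
            if not free:
                return None                          # every pool address belongs to another host
            public = free[0]
            self.host_map[host] = public
        return (public, port)                        # address translated, port unchanged

    def _pat(self) -> Optional[Binding]:
        for address in self.pool.addresses:
            port = self.next_port[address]
            if port <= 65535:
                self.next_port[address] = port + 1
                return (address, port)               # many hosts share one address, told apart by port
        return None
```

With the three-address pool from the examples (202.110.10.10 to 202.110.10.12), the no-pat form serves at most three private hosts at a time, while the PAT form lets two hosts share 202.110.10.10 on different ports. That capacity difference is the operational reason to prefer PAT unless an application requires unchanged ports.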

nat outbound static

Syntax

nat outbound static

undo nat outbound static

View

Interface view

Default level

2: System level

Parameters

None

Description

Use the nat outbound static command to enable static NAT on an interface, making the configured static NAT mappings take effect.

Use the undo nat outbound static command to disable static NAT on the interface.

Related commands: display nat static.

Examples

# Configure a one-to-one NAT mapping and enable static NAT on interface GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface nat 2/0/1

[Sysname-NAT2/0/1] nat static 192.168.1.1 2.2.2.2

[Sysname-NAT2/0/1] nat binding interface GigabitEthernet 3/1/1

[Sysname-NAT2/0/1] quit

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound static

nat server (for extended nat server)

Syntax

nat server protocol pro-type global global-address global-port [ vpn-instance global-name ] inside server-group group-number [ vpn-instance local-name ]

undo nat server protocol pro-type global global-address global-port [ vpn-instance global-name ] inside server-group group-number [ vpn-instance local-name ]

View

Interface view

Default level

2: System level

Parameters

protocol pro-type: Specifies a protocol type, TCP, UDP or ICMP.

global-address: Public IP address for the internal server.

global-port: Public port number for the internal server, in the range of 0 to 65535.

·           You can use service names to represent well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.

·           You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.

vpn-instance global-name: MPLS VPN instance to which the advertised public IP address belongs, where global-name specifies the VPN instance name, a case-sensitive string of 1 to 31 characters. Absence of this parameter indicates that the advertised public network address is a common public network address that does not belong to any MPLS VPN instance.

inside server-group group-number: Internal server group to which the internal server belongs. group-number specifies the internal server group number, in the range of 0 to 1023.

vpn-instance local-name: MPLS VPN instance to which the internal server belongs. local-name specifies the VPN instance name, a case-sensitive string of 1 to 31 characters. Absence of this parameter indicates that the internal server is a common internal server that does not belong to any MPLS VPN instance.

Description

Use the nat server command to configure a load sharing internal server.

Use the undo nat server command to remove the configuration.

Note that:

·           Only the IM-NAT and IM-NAT-II cards support this function.

·           Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users.

·           An internal server can reside in a private network or an MPLS VPN instance. This command supports inter-VPN access through NAT.

·           This command is usually configured on the interface that connects to the ISP and serves as the outgoing interface of the internal network.

Related commands: display nat server and nat server-group.

Examples

# Allow external users to access the internal web server 10.110.10.10 on the LAN through http://202.110.10.10:8080. Assume that interface GigabitEthernet 3/1/4 is connected to external networks.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.110.10.10 port 30

[Sysname-nat-server-group-1] quit

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat server protocol tcp global 202.110.10.10 8080 vpn vrf10 inside server-group 1

nat server (for normal nat server)

Syntax

nat server protocol pro-type global global-address global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ]

nat server protocol pro-type global global-address [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ]

undo nat server protocol pro-type global global-address global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ]

undo nat server protocol pro-type global global-address [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ]

View

Interface view

Default level

2: System level

Parameters

protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.

global-address: Public IP address for the internal server.

global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. Note that global-port2 must be greater than global-port1.

local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. Note that local-address2 must be greater than local-address1 and that the number of addresses must match that of the specified ports.

local-port: Port number provided by the internal server, in the range of 0 to 65535 (except FTP port number 20).

·           You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.

·           You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.

global-port: Global port number for the internal server, in the range of 0 to 65535.

local-address: Internal IP address of the internal server.

vpn-instance global-name: MPLS VPN instance to which the advertised public network address belongs. global-name specifies the VPN instance name, a case-sensitive string of 1 to 31 characters. Absence of this parameter indicates that the advertised public network address is a common public network address that does not belong to any MPLS VPN instance. Only the IM-NAT and IM-NAT-II cards support this parameter.

vpn-instance local-name: MPLS VPN instance to which the internal server belongs. local-name specifies the VPN instance name, a case-sensitive string of 1 to 31 characters.

Description

Use the nat server command to define an internal server.

Using the address and port defined by the global-address and global-port parameters, external users can access the internal server with an IP address of local-address and a port of local-port.

Use the undo nat server command to remove the configuration.

Note that:

·           If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined.

·           Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in a private network or an MPLS VPN instance.

·           Up to 1024 internal server configuration commands can be configured on an interface. The number of internal servers that each command can define equals the difference between global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands.

·           In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external networks.

·           Currently, the router supports Easy IP, which uses an interface address as the public IP address of an internal server.

·           Only the IM-NAT and IM-NAT-II cards support this command.

·           If an internal server using Easy IP is configured on the current interface, it is strongly recommended that the IP address of this interface not be configured as the public address of another internal server, and vice versa. This is because the interface address referenced by the internal server using Easy IP already serves as that server's public address.

Related commands: display nat server.

CAUTION:

When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure only one-to-one NAT between an internal IP address and an external IP address.

Examples

# Allow external users to access the internal web server 10.110.10.10 on the LAN through http://202.110.10.10:8080, and the internal FTP server 10.110.10.11 in MPLS VPN vrf10 through ftp://202.110.10.10/. Assume that the interface GigabitEthernet 3/1/4 is connected to external networks.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

[Sysname-GigabitEthernet3/1/4] quit

[Sysname] ip vpn-instance vrf10

[Sysname-vpn-instance-vrf10] route-distinguisher 100:001

[Sysname-vpn-instance-vrf10] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance-vrf10] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance-vrf10] quit

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

# Allow external hosts to ping the host with an IP address of 10.110.10.12 in VPN vrf10 by using the command ping 202.110.10.11.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 in MPLS VPN vrf10 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can telnet to 202.110.10.10:1001 to access 10.110.10.1, telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Remove the web server.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Remove the FTP server from VPN vrf10.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/4

[Sysname-GigabitEthernet3/1/4] undo nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

nat server-group

Syntax

nat server-group group-number

undo nat server-group group-number

View

System view

Default level

2: System level

Parameters

group-number: Internal server group number, in the range of 0 to 1023.

Description

Use the nat server-group command to configure an internal server group.

Use the undo nat server-group command to remove the specified internal server group.

Note that:

·           Only the IM-NAT and IM-NAT-II cards support this function.

·           An internal server group referenced by the nat server command on an interface cannot be removed.

Related commands: nat server.

Examples

# Configure internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

nat static

Syntax

nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ] [ destination ip-address { mask-length | mask } ] [ interface interface-type interface-number [ next-hop ip-address ] ] [ unidirectional ]

undo nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ] [ destination ip-address { mask-length | mask } ] [ interface interface-type interface-number [ next-hop ip-address ] ] [ unidirectional ]

View

NAT service interface view

Default level

2: System level

Parameters

local-ip: Internal IP address.

vpn-instance local-name: Name of the VPN to which the internal IP address belongs. local-name specifies the VPN name, a case-sensitive character string of 1 to 31 characters.

global-ip: External IP address.

vpn-instance global-name: Name of the VPN to which the external IP address belongs. global-name specifies the VPN name, a case-sensitive character string of 1 to 31 characters. Only the IM-NAT and IM-NAT-II cards support this parameter.

destination ip-address: Specifies a destination address.

mask-length: Mask length of the destination address.

mask: Mask of the destination address.

interface interface-type interface-number: Specifies an outbound interface by its type and number.

next-hop ip-address: Specifies a next hop.

unidirectional: Specifies unidirectional address translation, which means only the packets sourced from the internal network can be serviced by NAT.

Description

Use the nat static command to configure a one-to-one static NAT mapping.

Use the undo nat static command to remove a one-to-one static NAT mapping.

Note that:

·           If vpn-instance local-name is not specified, the internal IP address is a common private network address.

·           If vpn-instance global-name is not specified, the external IP address is a common public network address.

·           If unidirectional is not specified, bidirectional address translation is supported. Different from traditional address translation which only allows the internal hosts to access the external network, bidirectional address translation allows the internal network and external network to access each other. In this case, packets sourced from the internal network will be translated if their source IP addresses match the local IP address; the packets sourced from the external network will be translated if their destination IP addresses match the global IP address.

·           When a destination address is specified in the static mapping, if the destination IP address of a packet from the private network matches the specified destination address, the source IP address of the packet is translated according to the static mapping. If the source IP address of a packet from the public network matches the specified destination address, the destination IP address of the packet is translated according to the static mapping. Other packets cannot be translated through the static mapping.

·           If a packet matches the specified outbound interface, it will be translated according to the configured static mapping; if not, the packet will not be translated.

·           If a packet matches the specified next hop, it will be translated according to the configured static mapping; if not, the packet will not be translated.

Related commands: display nat static.

Examples

# In NAT service interface view, configure a unidirectional one-to-one static NAT mapping: the internal IP address is 192.168.1.1, which belongs to VPN vpn10, and the external IP address is 10.0.0.1, which belongs to VPN vpn20.

<Sysname> system-view

[Sysname] interface nat 3/0/1

[Sysname-NAT3/0/1] nat static 192.168.1.1 vpn-instance vpn10 10.0.0.1 vpn-instance vpn20 unidirectional

nat static net-to-net

Syntax

nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { mask-length | mask } [ destination ip-address { mask-length | mask } ] [ interface interface-type interface-number [ next-hop ip-address ] ] [ unidirectional ]

undo nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { mask-length | mask } [ destination ip-address { mask-length | mask } ] [ interface interface-type interface-number [ next-hop ip-address ] ] [ unidirectional ]

View

NAT service interface view

Default level

2: System level

Parameters

local-network: Private network address.

vpn-instance local-name: MPLS VPN instance to which the internal network belongs. local-name specifies the VPN instance name, a case-sensitive character string of 1 to 31 characters.

global-network: Public network address.

vpn-instance global-name: MPLS VPN instance to which the external network belongs. global-name specifies the VPN instance name, a case-sensitive character string of 1 to 31 characters. Only the IM-NAT and IM-NAT-II cards support this parameter.

mask-length: Length of the network mask.

mask: Network mask.

destination ip-address: Specifies a destination address.

interface interface-type interface-number: Specifies an outbound interface by its type and number.

next-hop ip-address: Specifies a next hop.

unidirectional: Specifies unidirectional address translation, which means only the packets sourced from the private network to the public network can be translated if their source IP addresses match this entry.

Description

Use the nat static net-to-net command to configure a net-to-net static NAT mapping.

Use the undo nat static net-to-net command to remove a net-to-net static NAT mapping.

Note that:

·           If vpn-instance local-name is not specified, the internal network address is a common private network address.

·           If vpn-instance global-name is not specified, the public network address is a common public network address.

·           If unidirectional is not specified, bidirectional address translation is supported. That is, packets sourced from the private network will be translated if their source IP addresses match this entry; packets sourced from the public network will be translated if their destination IP addresses match this entry.

·           When a destination address is specified in the static mapping, if the destination IP address of a packet from the private network matches the specified destination address, the source IP address of the packet is translated according to the static mapping. If the source IP address of a packet from the public network matches the specified destination address, the destination IP address of the packet is translated according to the static mapping. Other packets cannot be translated through the static mapping.

·           If a packet matches the specified next hop, it is translated according to the configured static mapping; if not, the packet will not be translated.

·           The single mask or mask length applies to both the private and the public network. Net-to-net translation rewrites only the network part of an address and keeps the host part, so the private addresses must fall within one network segment of that mask length, and the public segment must be the same size.
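The matching rules above (source matching on the private side, destination matching on the public side, the optional destination filter, and the unidirectional restriction) can be exercised offline in a small model. The code below is an added example written for this page, not H3C software or device output; the NetToNetStatic class, its translate method, the "outbound"/"inbound" direction labels and all sample addresses are assumptions made for illustration, and the interface, next-hop and VPN-instance selectors of the real command are not modelled.

```python
"""Model of the matching rules behind `nat static net-to-net` (added example,
not device code). Host bits are preserved and only the network bits are
rewritten, which is why one mask governs both the private and the public net."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Mask = Union[int, str]  # mask length (24) or dotted mask ("255.255.255.0")


def _net(addr: str, mask: Mask) -> ipaddress.IPv4Network:
    # strict=False lets a non-zero host address carry any mask, as the CLI does
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class NetToNetStatic:
    """One `nat static net-to-net` entry (hypothetical model, not device code)."""
    local_network: str
    global_network: str
    mask: Mask                                       # applies to both networks
    destination: Optional[Tuple[str, Mask]] = None   # destination ip-address { mask-length | mask }
    unidirectional: bool = False

    def _remap(self, addr: str, src_net: ipaddress.IPv4Network,
               dst_net: ipaddress.IPv4Network) -> str:
        # Keep the host bits of addr, replace the network bits with dst_net's.
        host_bits = int(ipaddress.ip_address(addr)) & int(src_net.hostmask)
        return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))

    def _peer_ok(self, peer: str) -> bool:
        # With `destination` configured, the far end of the flow must fall
        # inside it (dst for outbound packets, src for inbound packets).
        if self.destination is None:
            return True
        ip, mask = self.destination
        return ipaddress.ip_address(peer) in _net(ip, mask)

    def translate(self, src: str, dst: str, direction: str) -> Optional[Tuple[str, str]]:
        """Return (new_src, new_dst), or None when this entry does not apply.

        direction: "outbound" = private -> public, "inbound" = public -> private.
        """
        local = _net(self.local_network, self.mask)
        glob = _net(self.global_network, self.mask)
        if direction == "outbound":
            # Source must match local-network; the destination filter is
            # checked against the packet's destination.
            if ipaddress.ip_address(src) in local and self._peer_ok(dst):
                return self._remap(src, local, glob), dst
            return None
        if direction == "inbound":
            # A unidirectional entry never translates public-sourced packets,
            # so outside hosts cannot reach the private segment through it.
            if self.unidirectional:
                return None
            # Destination must match global-network; the destination filter
            # is checked against the packet's source.
            if ipaddress.ip_address(dst) in glob and self._peer_ok(src):
                return src, self._remap(dst, glob, local)
            return None
        raise ValueError("direction must be 'outbound' or 'inbound'")


if __name__ == "__main__":
    # Constructed sample entries mirroring the page's 192.168.1.0/24 <-> 10.1.1.0/24 example.
    one_way = NetToNetStatic("192.168.1.0", "10.1.1.0", 24, unidirectional=True)
    two_way = NetToNetStatic("192.168.1.0", "10.1.1.0", "255.255.255.0")
    print(one_way.translate("192.168.1.7", "203.0.113.5", "outbound"))  # host bits kept
    print(one_way.translate("203.0.113.5", "10.1.1.7", "inbound"))      # None: unidirectional
    print(two_way.translate("203.0.113.5", "10.1.1.7", "inbound"))      # inside host reachable
```

The practical check this model makes visible: a bidirectional net-to-net entry lets any public host initiate traffic to every address in the mapped private segment, so an entry that exists only to let inside hosts reach the outside should carry `unidirectional`, and one that serves a single peer should also carry `destination`.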

Related commands: display nat static.

Examples

# Configure a unidirectional net-to-net static NAT mapping: the internal network address is 192.168.1.0/24 in VPN instance vpn10, and the public network address is 10.1.1.0/24 in VPN instance vpn20. The mask length 24 applies to both networks.

<Sysname> system-view

[Sysname] interface nat 3/0/1

[Sysname-NAT3/0/1] nat static net-to-net 192.168.1.0 vpn-instance vpn10 10.1.1.0 24 vpn-instance vpn20 unidirectional
