- Table of Contents
-
- 06-Layer 3 - IP Services Command Reference
- 00-Preface
- 01-ARP commands
- 02-IP addressing commands
- 03-DHCP commands
- 04-DNS commands
- 05-NAT commands
- 06-IP forwarding basics commands
- 07-Fast forwarding commands
- 08-Flow classification commands
- 09-Adjacency table commands
- 10-IRDP commands
- 11-IP performance optimization commands
- 12-UDP Helper commands
- 13-IPv6 basics commands
- 14-DHCPv6 commands
- 15-IPv6 fast forwarding commands
- 16-Tunneling commands
- 17-GRE commands
- 18-ADVPN commands
- 19-AFT commands
- 20-WAAS commands
- Related Documents
-
Title | Size | Download |
---|---|---|
05-NAT commands | 303.17 KB |
Contents
display nat outbound port-block-group
nat log port-block usage threshold
nat port-block global-share enable
nat static inbound object-group
nat static-load-balance enable
nat static outbound net-to-net
nat static outbound object-group
NAT commands
address
Use address to add an address range to a NAT address group.
Use undo address to remove an address range from a NAT address group.
Syntax
address start-address end-address
undo address start-address end-address
Default
No address ranges exist.
Views
NAT address group view
Predefined user roles
network-admin
mdc-admin
Parameters
start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address.
Usage guidelines
A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.
Each address range can contain a maximum of 65535 addresses.
Make sure the address ranges do not overlap.
Examples
# Add two address ranges to an address group.
<Sysname> system-view
[Sysname] nat address-group 2
[Sysname-address-group-2] address 10.1.1.1 10.1.1.15
[Sysname-address-group-2] address 10.1.1.20 10.1.1.30
Related commands
nat address-group
block-size
Use block-size to set the port block size.
Use undo block-size to restore the default.
Syntax
block-size block-size
undo block-size
Default
The port block size is 256.
Views
NAT port block group view
Predefined user roles
network-admin
mdc-admin
Parameters
block-size: Specifies the number of ports for a port block. The value range for this argument is 1 to 65535.
Usage guidelines
Set an appropriate port block size based on the number of private IP addresses, the number of public IP addresses, and the port range in the port block group.
The port block size cannot be larger than the number of ports in the port range.
Examples
# Set the port block size to 1024 for port block group 1.
<Sysname> system-view
[Sysname] nat port-block-group 1
[Sysname-port-block-group-1] block-size 1024
Related commands
nat port-block-group
display nat alg
Use display nat alg to display the NAT with ALG status for all supported protocols.
Syntax
display nat alg
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the NAT with ALG status for all supported protocols.
<Sysname> display nat alg
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Enabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Related commands
display nat all
display nat all
Use display nat all to display all NAT configuration information.
Syntax
display nat all
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display all NAT configuration information.
<Sysname> display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group ID 1:
Port range: 1-65535
Address information:
Start address End address
1.1.1.1 1.1.1.5
NAT inbound information:
Totally 1 NAT inbound rules.
Interface: Route-Aggregation1
ACL: 2000
Address group ID: 1
Add route: N NO-PAT: N Reversible: N
Config status: Inactive
Reasons for inactive status:
The following items don't exist or aren't effective: ACL.
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
NAT hairpinning:
Totally 1 interfaces enabled with NAT hairpinning.
Interface: Route-Aggregation1
Config status: Active
NAT mapping behavior:
Mapping mode : Address and Port-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Enabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Static NAT load balancing: Disabled
The output shows all NAT configuration information. Table 1 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.
Field |
Description |
NAT address group information |
Information about the NAT address group. See Table 2 for output description. |
NAT server group information |
Information about the internal server group. See Table 14 for output description. |
NAT inbound information: |
Inbound dynamic NAT configuration. See Table 5 for output description. |
NAT outbound information |
Outbound dynamic NAT configuration. See Table 8 for output description. |
NAT internal server information |
NAT Server configuration. See Table 13 for output description. |
Static NAT mappings |
Static NAT mappings. See Table 16 for output description. |
NAT DNS mappings |
NAT with DNS mappings. See Table 3 for output description. |
NAT logging |
NAT logging configuration. See Table 6 for output description. |
NAT hairpinning |
NAT hairpin configuration. |
Totally n interfaces enabled NAT hairpinning |
Number of interfaces with NAT hairpin enabled. |
Interface |
NAT hairpin-enabled interface. |
Config status |
Status of the NAT hairpin configuration: Active or Inactive. |
NAT mapping behavior |
Mapping behavior mode of PAT: Endpoint-Independent or Address and Port-Dependent. |
ACL |
ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---). |
Config status |
Status of the NAT mapping behavior configuration: Active or Inactive. |
Reasons for inactive status |
Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status is Inactive. |
NAT ALG |
NAT with ALG configuration for different protocols. |
NAT port block group information |
Configuration information about NAT port block groups. See Table 11 for output description. |
NAT outbound port block group information |
Configuration information about static NAT444. See Table 9 for output description. |
display nat address-group
Use display nat address-group to display NAT address group information.
Syntax
display nat address-group [ group-id ]
Views
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify the group-id argument, this command displays information about all NAT address groups.
Examples
# Display information about all NAT address groups.
<Sysname> display nat address-group
NAT address group information:
Totally 5 NAT address groups.
Address group ID: 1 Address group name: a
Port range: 1-65535
Address information:
Start address End address
202.110.10.10 202.110.10.15
...
Field |
Description |
Address group ID |
ID of the NAT address group. |
Address group name |
Name of the NAT address group. If no address group name is configured, this field is not displayed. |
Port range |
Port range for public IP addresses. |
Block size |
Number of ports in a port block. This field is not displayed if the port block size is not set. |
Extended block number |
Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set. |
Address information |
Information about the IP addresses in the address group. |
Start address |
Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---). |
End address |
End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---). |
Related commands
nat address-group
display nat dns-map
Use display nat dns-map to display NAT with DNS mapping configuration.
Syntax
display nat dns-map
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display NAT with DNS mapping configuration.
<Sysname> display nat dns-map
NAT DNS mapping information:
Totally 2 NAT DNS mappings.
Domain name : www.server.com
Global IP : 6.6.6.6
Global port : 23
Protocol : TCP(6)
Config status: Active
Domain name : www.service.com
Global IP : ---
Global port : 12
Protocol : TCP(6)
Config status: Inactive
Reasons for inactive status:
The following items don't exist or aren't effective: interface IP address.
Description |
|
NAT DNS mapping information |
Information about NAT with DNS mappings. |
Domain name |
Domain name of the internal server. |
Global IP |
Public IP address of the internal server. · If Easy IP is configured, this field displays the IP address of the specified interface. · If you do not specify a public IP address, this field displays hyphens (---). |
Global port |
Public port number of the internal server. |
Protocol |
Protocol name and number of the internal server. |
Config status |
Status of the DNS mapping configuration: Active or Inactive. |
Reasons for inactive status |
Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status is Inactive. |
Related commands
nat dns-map
display nat eim
Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.
Syntax
In standalone mode:
display nat eim [ slot slot-number ]
In IRF mode:
display nat eim [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays EIM entry information for all member devices. (In IRF mode.)
Usage guidelines
EIM entries are created when PAT operates in EIM mode. An EIM entry records the mapping between a private address/port and a public address/port.
The EIM entry provides the following functions:
· The same EIM entry applies to subsequent connections initiated from the same source IP and port.
· The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.
Examples
# (In standalone mode.) Display information about EIM entries for slot 1.
<Sysname> display nat eim slot 1
Slot 1:
Local IP/port: 192.168.100.100/1024
Global IP/port: 200.100.1.100/2048
Local VPN: vpn1
Global VPN: vpn2
Protocol: TCP(6)
Local IP/port: 192.168.100.200/2048
Global IP/port: 200.100.1.200/4096
Protocol: UDP(17)
Total entries found: 2
# (In IRF mode.) Display information about NAT EIM entries for slot 1 on IRF member device 1.
<Sysname> display nat eim chassis 1 slot 1
Slot 1 in chassis 1:
Local IP/port: 192.168.100.100/1024
Global IP/port: 200.100.1.100/2048
Local VPN: vpn1
Global VPN: vpn2
Protocol: TCP(6)
Local IP/port: 192.168.100.200/2048
Global IP/port: 200.100.1.200/4096
Protocol: UDP(17)
Total entries found: 2
Table 4 Command output
Field |
Description |
Local IP/port |
Private IP address and port number. |
Global IP/port |
Public IP address and port number. |
Local VPN |
MPLS L3VPN instance to which the private IP address belongs. If no VPN is specified, this field is not displayed. |
Global VPN |
MPLS L3VPN instance to which the public IP address belongs. If no VPN is specified, this field is not displayed. |
Protocol |
Protocol name and number. |
Total entries found |
Total number of EIM entries. |
Related commands
nat mapping-behavior
nat outbound
display nat inbound
Use display nat inbound to display information about inbound dynamic NAT.
Syntax
display nat inbound
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display information about inbound dynamic NAT.
<Sysname> display nat inbound
NAT inbound information:
Interface: Route-Aggregation1
ACL: 2000
Address group ID: 1
Add route: N NO-PAT: N Reversible: N
Config status: Inactive
Reasons for inactive status:
The following items don't exist or aren't effective: ACL
Field |
Description |
NAT inbound information |
Information about inbound dynamic NAT. |
Interface |
Interface where the inbound dynamic NAT rule is configured. |
ACL |
ACL number or name. |
Address group ID |
ID of the NAT address group used by the inbound dynamic NAT rule. |
Address group name |
Name of the address group used by the inbound dynamic NAT rule. The command does not display this field if the address group name is not configured. |
Add route |
Whether to add a route when a packet matches the inbound dynamic NAT rule. |
NO-PAT |
Whether NO-PAT or PAT is used: · Y—NO-PAT is used. · N—PAT is used. |
Reversible |
Whether reverse address translation is allowed. |
VPN instance |
MPLS L3VPN instance to which the NAT address group belongs. If the group does not belong to any VPN, the field is not displayed. |
Config status |
Status of the inbound dynamic NAT configuration: Active or Inactive. |
Reasons for inactive status |
Reasons why the inbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive. |
nat inbound
display nat log
Use display nat log to display NAT logging configuration.
Syntax
display nat log
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display NAT logging configuration.
<Sysname> display nat log
NAT logging:
Log enable : Enabled(ACL 2000)
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Enabled(10 minutes)
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
Field |
Description |
NAT logging |
NAT logging configuration. |
Log enable |
Whether NAT logging is enabled. If an ACL is specified for NAT logging, this field also displays the ACL number or name. |
Flow-begin |
Whether logging is enabled for NAT session establishment events. |
Flow-end |
Whether logging is enabled for NAT session removal events. |
Flow-active |
Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated. |
Port-block-assign |
Whether logging is enabled for NAT444 port block assignment. |
Port-block-withdraw |
Whether logging is enabled for NAT444 port block withdrawal. |
Alarm |
Whether logging is enabled for NAT444 alarms. |
nat log enable
nat log flow-active
nat log flow-begin
display nat no-pat
Use display nat no-pat command to display information about NAT NO-PAT entries.
Syntax
In standalone mode:
display nat no-pat [ slot slot-number ]
display nat no-pat [ chassis chassis-number slot slot-number ]
Views
Any view
Default user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays NO-PAT entry information for all member devices. (In IRF mode.)
Usage guidelines
A NO-PAT entry records the mapping between a private address and a public address.
The NO-PAT entry provides the following functions:
· The same entry applies to subsequent connections initiated from the same source IP address.
· The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.
Outbound and inbound NO-PAT address translations create their own NO-PAT tables. These two types of tables are displayed separately.
Examples
# (In standalone mode.) Display information about NO-PAT entries for slot 1.
<Sysname> display nat no-pat slot 1
Slot 1:
Global IP: 200.100.1.100
Local IP: 192.168.100.100
Global VPN: vpn2
Local VPN: vpn1
Reversible: N
Type : Inbound
Local IP: 192.168.100.200
Global IP: 200.100.1.200
Reversible: Y
Type : Outbound
Total entries found: 2
# (In IRF mode.) Display information about NO-PAT entries for slot 1 on IRF member device 1.
<Sysname> display nat no-pat chassis 1 slot 1
Slot 1 in chassis 1:
Global IP: 200.100.1.100
Local IP: 192.168.100.100
Global VPN: vpn2
Local VPN: vpn1
Reversible: N
Type : Inbound
Local IP: 192.168.100.200
Global IP: 200.100.1.200
Reversible: Y
Type : Outbound
Total entries found: 2
Table 7 Command output
Field |
Description |
Local IP |
Private IP address. |
Global IP |
Public IP address. |
Local VPN |
MPLS L3VPN instance to which the private IP address belongs. If the IP address does not belong to any VPN, this field is not displayed. |
Global VPN |
MPLS L3VPN instance to which the public IP address belongs. If the IP address does not belong to any VPN instance, this field is not displayed. |
Reversible |
Whether reverse address translation is allowed. |
Type |
Type of the NO-PAT entry: · Inbound—A NO-PAT entry created during inbound dynamic NAT. · Outbound—A NO-PAT entry created during outbound dynamic NAT. |
Total entries found |
Total number of NO-PAT entries. |
Related commands
nat inbound
nat outbound
display nat outbound
Use display nat outbound to display information about outbound dynamic NAT.
Syntax
display nat outbound
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display information about outbound dynamic NAT.
<Sysname> display nat outbound
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Route-Aggregation2
ACL: 2000
Address group ID: ---
Port-preserved: N NO-PAT: N Reversible: N
VPN instance: a
Config status: Inactive
Reasons for inactive status:
The following items don't exist or aren't effective: global VPN, interface
IP address, and ACL.
Field |
Description |
NAT outbound information |
Information about outbound dynamic NAT. |
Interface |
Interface where the outbound dynamic NAT rule is configured. |
ACL |
IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---). |
DS-Lite B4 ACL |
Number or name of the IPv6 ACL used by DS-Lite NAT444. |
Address group ID |
ID of the address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---). |
Address group name |
Name of the address group used by the outbound dynamic NAT rule. The command does not display this field if the address group name is not configured. |
Port-preserved |
Whether to try to preserve the port numbers for PAT. |
NO-PAT |
Whether NO-PAT is used: · Y—NO-PAT is used. · N—PAT is used. |
Reversible |
Whether reverse address translation is allowed. |
VPN instance |
MPLS L3VPN instance to which the NAT address group belongs. If the group does not belong to any VPN instance, the field is not displayed. |
Config status |
Status of the outbound dynamic NAT configuration: Active or Inactive. |
Reasons for inactive status |
Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive. |
Related commands
nat outbound
display nat outbound port-block-group
Use display nat outbound port-block-group to display information about port block group application for NAT444.
Syntax
display nat outbound port-block-group
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display information about port block group application for NAT444.
<Sysname> display nat outbound port-block-group
NAT outbound port block group information:
Totally 1 outbound port block group items.
Interface: Route-Aggregation5
port-block-group: 1
Config status : Inactive
Reasons for inactive status:
The following items don't exist or aren't effective: port block group.
Field |
Description |
Interface |
Interface to which a port block group is applied. |
Port block group |
ID of the port block group. |
Config status |
Status of the port block group application: Active or Inactive. |
Reasons for inactive status |
Reasons why the port block group application fails. This field is available when the Config status is Inactive. |
Related commands
nat outbound port-block-group
display nat port-block
Use display nat port-block to display NAT444 mappings.
Syntax
display nat port-block { dynamic [ ds-lite-b4 ] | static } [ slot slot-number ]
display nat port-block { dynamic [ ds-lite-b4 ] | static } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dynamic: Displays dynamic NAT444 mappings.
ds-lite-b4: Displays DS-Lite NAT444 mappings.
static: Displays static NAT444 mappings.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays NAT444 mappings for all member devices. (In IRF mode.)
Examples
# Display static NAT444 mappings.
<Sysname> display nat port-block static
Slot 0:
Local VPN Local IP Global IP Port block Connections
--- 100.100.100.111 202.202.100.101 10001-10256 0
--- 100.100.100.112 202.202.100.101 10257-10512 0
--- 100.100.100.113 202.202.100.101 10513-10768 0
vpn012345678 100.100.100.113 202.202.100.101 10769-11024 0
901234567890
1234567
Total entries found: 4
# Display dynamic NAT444 mappings.
<Sysname> display nat port-block dynamic
Slot 0:
Local VPN Local IP Global IP Port block Connections
--- 101.1.1.12 192.168.135.201 10001-11024 1
Total entries found: 1
# Display DS-Lite NAT444 mappings.
<Sysname> display nat port-block dynamic ds-lite-b4
Slot 0:
Local VPN DS-Lite B4 addr Global IP Port block Connections
--- 2000::2 192.168.135.201 10001-11024 1
Total entries found: 1
Table 10 Command output
Field |
Description |
Local VPN |
VPN to which the private IP address belongs. If the private IP address does not belong to any VPN, this field displays hyphens (---). |
Local IP |
Private IP address. |
DS-Lite B4 addr |
IPv6 address of the DS-Lite B4 element. |
Global IP |
Public IP address. |
Port block |
Port block defined by a start port and an end port. |
Connections |
Number of connections established by using the ports in the port block. |
display nat port-block-group
Use display nat port-block-group to display information about NAT port block groups.
Syntax
display nat port-block-group [ group-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-id: Specifies the ID of a NAT port block group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays information about all NAT port block groups.
Examples
# Display information about all NAT port block groups.
<Sysname> display nat port-block-group
NAT port block group information:
Totally 3 NAT port block groups.
Port block group 1:
Port range: 1-65535
Block size: 256
Local IP address information:
Start address End address VPN instance
172.16.1.1 172.16.1.254 ---
192.168.1.1 192.168.1.254 vpna
192.168.3.1 192.168.3.254 vpna
Global IP pool information:
Start address End address
201.1.1.1 201.1.1.10
201.1.1.21 201.1.1.25
Port block group 2:
Port range: 10001-30000
Block size: 500
Local IP address information:
Start address End address VPN instance
10.1.1.1 10.1.10.255 vpnb
Global IP pool information:
Start address End address
202.10.10.101 202.10.10.120
Port block group 3:
Port range: 1-65535
Block size: 256
Local IP address information:
Start address End address VPN instance
--- --- ---
Global IP pool information:
Start address End address
--- ---
# Display information about NAT port block group 1.
<Sysname> display nat port-block-group 1
Port block group 1:
Port range: 1-65535
Block size: 256
Local IP address information:
Start address End address VPN instance
172.16.1.1 172.16.1.254 ---
192.168.1.1 192.168.1.254 vpna
192.168.3.1 192.168.3.254 vpna
Global IP pool information:
Start address End address
201.1.1.1 201.1.1.10
201.1.1.21 201.1.1.25
Field |
Description |
Port block group |
ID of the NAT port block group. |
Port range |
Port range for the public IP addresses. |
Block size |
Number of ports in a port block. |
Local IP address information |
Information about private IP addresses. |
Global IP pool information |
Information about public IP addresses. |
Start address |
Start IP address of a private or public IP address range. If no start IP address is specified for the address range, this field displays hyphens (---). |
End address |
End IP address of a private or public IP address range. If no end IP address is specified for the address range, this field displays hyphens (---). |
VPN instance |
VPN to which the private IP address range belongs. If no VPN instance is specified for the address range, this field displays hyphens (---). |
Related commands
nat port-block-group
display nat port-block-usage
Use display nat port-block-usage to display the port block usage for dynamic NAT444 address groups.
Syntax
In standalone mode:
display nat port-block-usage [ address-group group-id ] [ slot slot-number ]
In IRF mode:
display nat port-block-usage [ address-group group-id ] [ chassis chassis-number slot slot-number ]
Views
System view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
address-group group-id: Specifies the ID of an address group. The value range for this argument is 0 to 65535. If you do not specify an address group, this command displays the port block usage for all address groups.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays the port block usage for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display the port block usage for dynamic NAT444 address groups in slot 1.
<Sysname> display nat port-block-usage slot 1
Slot 1:
Address group 0 on channel 0:
Total port block entries :1071
Active port block entries:100
Current port block usage :9%
Total NAT address groups found: 1
Table 12 Command output
Description |
|
Address group |
|
Total port block entries |
Number of port blocks in the address group. |
Active port block entries |
Number of assigned port blocks in the address group. |
Current port block usage |
Port block usage in the address group. |
Total NAT address groups found |
Number of address groups. |
display nat server
Use display nat server to display NAT Server configuration.
Syntax
display nat server
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display NAT Server configuration.
<Sysname> display nat server
NAT internal server information:
Totally 1 internal servers.
Interface: Route-Aggregation3
Protocol: 6(TCP)
Global IP/port: 10.1.2.1-10.1.2.9/2001
Local IP/port : 192.168.1.1-192.168.1.9/2001
Local VPN : a
Config status : Inactive
Reasons for inactive status:
The following items don't exist or aren't effective: local VPN.
Field |
Description |
|
NAT internal server information |
Information about NAT Server configuration. |
|
Interface |
Interface where NAT Server is configured. |
|
Protocol |
Protocol number and name of the internal server. |
|
Global IP/port |
Public IP address and port number of the internal server. · Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---). · port—A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---). |
|
Local IP/port |
For common NAT Server, this field displays the private IP address and port number of the server. · Local IP—A single IP address or an IP address range. · port—A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---). For load sharing NAT Server, this field displays the internal server group ID, IP address, port number, and number of connections of each member. |
|
Global VPN |
MPLS L3VPN instance to which the public IP addresses belong. If you do not specify a VPN instance, this field is not displayed. |
|
Local VPN |
MPLS L3VPN instance to which the private IP addresses belong. If you do not specify a VPN instance, this field is not displayed. |
|
ACL |
ACL number or name. If no ACL is specified, this field is not displayed. |
|
Config status |
Status of the NAT Server configuration: Active or Inactive. |
|
Reasons for inactive status |
Reasons why the NAT Server configuration does not take effect. This field is available when the Config status is Inactive. |
|
nat server
display nat server-group
Use display nat server-group to display internal server group configuration.
Syntax
display nat server-group [ group-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-id: Specifies the ID of the internal server group. The value range is 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.
Examples
# Display configuration about all internal server groups.
<Sysname> display nat server-group
NAT server group information:
Totally 3 NAT server groups.
Group Number Inside IP Port Weight
1 192.168.0.26 23 100
192.168.0.27 23 500
2 --- --- ---
3 192.168.0.26 69 100
# Display configuration about internal server group 1.
<Sysname> display nat server-group 1
Group Number Inside IP Port Weight
1 192.168.0.26 23 100
192.168.0.27 23 500
Field |
Description |
Group Number |
ID of the internal server group. |
Inside IP |
Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---). |
Port |
Private port number of a member in the internal server group. If no member is specified, this field displays hyphens (---). |
Weight |
Weight of a member in the internal server group. If no member is specified, this field displays hyphens (---). |
Related commands
inside ip
nat server-group
display nat session
Use display nat session to display NAT session entries.
Syntax
In standalone mode:
display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ verbose ]
In IRF mode:
display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
Responder: Displays NAT session entries by responder. If you do not specify this keyword, this command displays NAT session entries by indicator.
source-ip source-ip: Displays NAT session entries for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.
destination-ip destination-ip: Displays NAT session entries for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.
vpn-instance vpn-instance-name: Displays NAT session entries for the destination VPN specified by the vpn-instance-name argument. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. To display NAT session entries for the public network, do not specify this option.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays NAT session entries for all member devices. (In IRF mode.)
verbose: Display detailed information about NAT session entries. If you do not specify this keyword, this command displays brief information about NAT session entries.
Usage guidelines
If you do not specify any parameters, this command displays all NAT session entries.
Examples
# (In standalone mode.) Display detailed information about NAT session entries for slot 1.
<Sysname> display nat session slot 1 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/1/1
Source security zone: SrcZone
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.10/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/1/2
Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
# (In IRF mode.) Display detailed information about NAT session entries for slot 1 on IRF member device 1.
<Sysname> display nat session chassis 1 slot 1 verbose
Slot 1 in chassis 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/1/1
Source security zone: SrcZone
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.10/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/1/2
Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Table 15 Command output
Field |
Description |
Initiator |
Session information about the initiator. |
Responder |
Session information about the responder. |
Source IP/port |
Source IP address and port number. |
Destination IP/port |
Destination IP address and port number. |
DS-Lite tunnel peer |
Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID |
MPLS L3VPN instance to which the session belongs. VLAN ID to which the session belongs for Layer 2 forwarding. Inline to which the session belongs for Layer 2 forwarding. If a setting is not specified, this field displays a hyphen (-). |
Protocol |
Transport layer protocol type, DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |
Inbound interface |
Input interface. |
Source security zone |
Security zone to which the input interface belongs. If the input interface does not belong to any security zone, this field displays a hyphen (-).
|
State |
NAT session status. |
Application |
Application layer protocol type, such as FTP and DNS. This field displays OTHER for the protocol types identified by non-well-known ports. |
Start time |
Time when the session starts. |
TTL |
Remaining NAT session lifetime in seconds. |
Initiator->Responder |
Number of packets and packet bytes from the initiator to the responder. |
Responder->Initiator |
Number of packets and packet bytes from the responder to the initiator. |
Total sessions found |
Total number of session tables. |
reset nat session
display nat static
Use display nat static to display static NAT mappings.
Syntax
display nat static
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display static NAT mappings.
<Sysname> display nat static
Static NAT mappings:
Totally 1 outbound static NAT mappings.
IP-to-IP:
Local IP : 192.168.1.1
Global IP : 2.2.2.2
Config status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: Route-Aggregation4
Config status: Active
Field |
Description |
Net-to-net |
Net-to-net static NAT mapping. |
IP-to-IP |
One-to-one static NAT mapping. |
Local IP |
Private IP address or address range. |
Global IP |
Public IP address or address range. |
Netmask |
Network mask. |
Local VPN |
MPLS L3VPN instance to which the private IP addresses belong. If no VPN instance is specified, this field is not displayed. |
Global VPN |
MPLS L3VPN instance to which the public IP addresses belong. If no VPN instance is specified, this field is not displayed. |
ACL |
ACL number or name. If no ACL is specified, this field is not displayed. |
Reversible |
Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed. |
Config status |
Status of the static NAT mapping configuration: Active or Inactive. |
Reasons for inactive status |
Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status is Inactive. |
Related commands
nat static
nat static net-to-net
nat static enable
display nat statistics
Use display nat statistics to display NAT statistics.
Syntax
In standalone mode:
display nat statistics [ summary ] [ slot slot-number ]
In IRF mode:
display nat statistics [ summary ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays NAT statistics for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display detailed information about all NAT statistics.
<Sysname> display nat statistics
Slot 1:
Total session entries: 100
Total EIM entries: 1
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 10
Total dynamic port block entries: 15
Active static port block entries: 0
Active dynamic port block entries: 0
# (In IRF mode.) Display detailed information about all NAT statistics.
<Sysname> display nat statistics
Slot 1 in chassis 1:
Total session entries: 100
Total EIM entries: 1
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 10
Total dynamic port block entries: 15
Active static port block entries: 0
Active dynamic port block entries: 0
Table 17 Command output
Field |
Description |
Total session entries |
Number of NAT session entries. |
Total EIM entries |
Number of EIM entries. |
Total inbound NO-PAT entries |
Number of inbound NO-PAT entries. |
Total outbound NO-PAT entries |
Number of outbound NO-PAT entries. |
Total static port block entries |
Number of static NAT444 mappings. |
Total dynamic port block entries |
Number of dynamic NAT444 mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. |
Active static port block entries |
Number of static NAT444 mappings that are in use. |
Active dynamic port block entries |
Number of dynamic NAT444 mappings that have been created. It equals the number of dynamically assigned port blocks. |
# (In standalone mode.) Display summary information about all NAT statistics.
<Sysname> display nat statistics summary
EIM: Total EIM entries.
SPB: Total static port block entries.
DPB: Total dynamic port block entries.
ASPB: Active static port block entries.
ADPB: Active dynamic port block entries.
Slot Sessions EIM SPB DPB ASPB ADPB
2 0 0 0 1572720 0 0
# (In IRF mode.) Display summary information about all NAT statistics.
<Sysname> display nat statistics summary
EIM: Total EIM entries.
SPB: Total static port block entries.
DPB: Total dynamic port block entries.
ASPB: Active static port block entries.
ADPB: Active dynamic port block entries.
Chassis Slot Sessions EIM SPB DPB ASPB ADPB
1 2 0 0 0 1572720 0 0
Table 18 Command output
Field |
Description |
Chassis |
Member ID of the IRF member device (in IRF mode). |
Slot |
Number of the slot (in standalone mode). |
Sessions |
Number of NAT session entries. |
EIM |
Number of EIM entries. |
SPB |
Number of static NAT444 mappings. |
DPB |
Number of dynamic NAT444 mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. |
ASPB |
Number of static NAT444 mappings in use. |
ADPB |
Number of dynamic NAT444 mappings that have been created. It equals the number of dynamically assigned port blocks. |
global-ip-pool
Use global-ip-pool to add a public IP address range to a NAT port block group.
Use undo global-ip-pool to remove a public IP address range from a NAT port block group.
Syntax
global-ip-pool start-address end-address
undo global-ip-pool start-address
Default
No public IP address ranges exist.
Views
NAT port block group view
Predefined user roles
network-admin
mdc-admin
Parameters
start-address end-address: Specifies the start IP address and end IP address of a public IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one public IP address is specified.
Usage guidelines
Static NAT444 maps a public IP address to multiple private IP addresses and assigns a unique port block to each private IP address. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.
You can add multiple public IP address ranges to a port block group, but they cannot overlap.
Public IP address ranges in different port block groups can overlap. The port ranges for overlapped public IP address ranges cannot overlap.
Examples
# Add a public IP address range to the port block group 1. The public IP address range consists of IP addresses from 202.10.1.1 to 202.10.1.10.
<Sysname> system-view
[Sysname] nat port-block-group 1
[Sysname-port-block-group-1] global-ip-pool 202.10.1.1 202.10.1.10
Related commands
nat port-block-group
inside ip
Use inside ip to add a member to an internal server group.
Use undo inside ip to remove a member from an internal server group.
Syntax
inside ip inside-ip port port-number [ weight weight-value ]
undo inside ip inside-ip port port-number
Default
No members exist in an internal server group.
Views
Internal server group view
Predefined user roles
network-admin
mdc-admin
Parameters
inside-ip: Specifies the IP address of an internal server.
port port-number: Specifies the port number of an internal server, in the range of 1 to 65535, excluding FTP port 20.
weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.
Examples
# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.
<Sysname> system-view
[Sysname] nat server-group 1
[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30
nat server-group
local-ip-address
Use local-ip-address to add a private IP address range to a NAT port block group.
Use undo local-ip-address to remove a private IP address range from a NAT port block group.
Syntax
local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]
undo local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]
Default
No private IP address ranges exist in a NAT port block group.
Views
NAT port block group view
Predefined user roles
network-admin
mdc-admin
Parameters
start-address end-address: Specifies the start IP address and end IP address of a private IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one private IP address is specified.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the private IP address range belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this parameter if the private IP address range does not belong to any VPN.
Usage guidelines
Static NAT444 maps one public IP address to multiple private IP addresses and assigns a unique port block to each private IP address.
You can add multiple private IP address ranges to a port block group, but they cannot overlap.
Private IP address ranges in different port block groups can overlap.
In a NAT port block group, the number of private IP addresses cannot be larger than the number of assignable port blocks. Otherwise, some private IP addresses cannot obtain port blocks. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.
Examples
# Add a private IP address range to port block group 1. The private IP address range consists of IP addresses from 172.16.1.1 to 172.16.1.255 in VPN instance vpn1.
<Sysname> system-view
[Sysname] nat port-block-group 1
[Sysname-port-block-group-1] local-ip-address 172.16.1.1 172.16.1.255 vpn-instance vpn1
Related commands
nat port-block-group
nat address-group
Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.
Use undo nat address-group to delete a NAT address group.
Syntax
nat address-group group-id [ name group-name ]
undo nat address-group group-id
Default
No NAT address groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.
name group-name: Assigns a name to the NAT address group. The group-name argument is a case-sensitive string of 1 to 63 characters.
Usage guidelines
A NAT address group consists of multiple address ranges. Use the address command to add an address range to a NAT address group.
Examples
# Create a NAT address group numbered 1 and named abc.
<Sysname> system-view
[Sysname] nat address-group 1 name abc
address
display nat address-group
display nat all
nat inbound
nat outbound
nat alg
Use nat alg to enable NAT with ALG for the specified or all supported protocols.
Use undo nat alg to disable NAT with ALG for the specified or all supported protocols.
Syntax
nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }
undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet |tftp | xdmcp }
Default
NAT with ALG is enabled for DNS, FTP, ICMP error messages, RTSP, and PPTP, and is disabled for the other supported protocols.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
all: Enables NAT with ALG for all supported protocols.
dns: Enables NAT with ALG for DNS.
ftp: Enables NAT with ALG for FTP.
H323: Enables NAT with ALG for H.323.
icmp-error: Enables NAT with ALG for ICMP error messages.
ils: Enables NAT with ALG for ILS.
mgcp: Enables NAT with ALG for MGCP.
nbt: Enables NAT with ALG for NBT.
pptp: Enables NAT with ALG for PPTP.
rsh: Enables NAT with ALG for RSH.
rtsp: Enables NAT with ALG for RTSP.
sccp: Enables NAT with ALG for SCCP.
sip: Enables NAT with ALG for SIP.
sqlnet: Enables NAT with ALG for SQLNET.
tftp: Enables NAT with ALG for TFTP.
xdmcp: Enables NAT with ALG for XDMCP.
Usage guidelines
NAT with ALG translates address or port information in the application layer payload to ensure connection establishment.
For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT with ALG to translate the address and port information to establish the data connection.
Examples
# Enable NAT with ALG for FTP.
<Sysname> system-view
[Sysname] nat alg ftp
Related commands
display nat all
nat dns-map
Use nat dns-map to configure a DNS mapping for NAT.
Use undo nat dns-map to remove a DNS mapping for NAT.
Syntax
nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port
undo nat dns-map domain domain-name
Default
No DNS mappings for NAT exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.
protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.
interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.
ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.
port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:
· A number in the range of 1 to 65535.
· A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.
Usage guidelines
NAT with DNS mapping must cooperate with the NAT Server feature. NAT with DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.
You can configure multiple NAT with DNS mappings.
Examples
# Configure a NAT with DNS mapping to map the domain name www.server.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.
<Sysname> system-view
[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345
Related commands
display nat all
display nat dns-map
nat server
nat hairpin enable
Use nat hairpin enable to enable NAT hairpin.
Use undo nat hairpin enable to disable NAT hairpin.
Syntax
nat hairpin enable
undo nat hairpin enable
Default
NAT hairpin is disabled.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.
Examples
# Enable NAT hairpin on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat hairpin enable
Related commands
display nat all
nat icmp-error reply
Use nat icmp-error reply to enable sending ICMP error messages for NAT failures.
Use undo nat icmp-error reply to restore the default.
Syntax
nat icmp-error reply
undo nat icmp-error reply
Default
No ICMP error messages are sent for NAT failures.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Disabling sending ICMP error messages for NAT failures reduces useless packets, saves bandwidth, and avoids exposing the IP address of the NAT device to the public network.
This command is required for traceroute.
Examples
# Enable sending ICMP error messages for NAT failures.
<Sysname> system-view
[Sysname] nat icmp-error reply
nat inbound
Use nat inbound to configure an inbound dynamic NAT rule.
Use undo nat inbound to delete an inbound dynamic NAT rule.
Syntax
nat inbound { ipv4-acl-number | name ipv4-acl-name } address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] [ no-pat [ reversible ] [ add-route ] ] [ disable ] [ description text ]
undo nat inbound { ipv4-acl-number | name ipv4-acl-name }
Default
No inbound dynamic NAT rules exist.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
address-group: Specifies an address group for address translation.
group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.
name group-name: Specifies the address group name, a case-sensitive string of 1 to 63 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group belong to the public network, do not use this option.
no-pat: Uses NO-PAT for inbound NAT. If you do not specify this keyword, PAT is used. PAT supports only TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to external hosts. It uses existing NO-PAT entries to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.
add-route: Automatically adds a route to the source address after translation. The output interface is the NAT interface and the next-hop is the source address before translation. If you do not specify this keyword, you must manually add the route. As a best practice, add routes manually because automatic route adding is slow. Do not specify this keyword if the subnets where the internal and external networks reside overlap.
disable: Disables the inbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.
description text: Specifies a description for the inbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
Inbound dynamic NAT translates the source IP addresses of incoming packets permitted by the ACL into IP addresses in the address group.
Inbound dynamic NAT supports the PAT and NO-PAT modes.
· PAT—Performs both IP address translation and port translation.
· NO-PAT—Performs only IP address translation.
The NO-PAT mode supports reverse address translation. Reverse address translation uses ACL reverse matching to identify packets to be translated. ACL reverse matching works as follows:
· Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
· Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Inbound dynamic NAT typically cooperates with one of the following to implement bidirectional NAT:
· Outbound dynamic NAT (the nat outbound command).
· NAT Server (the nat server command).
· Outbound static NAT (the nat static command).
An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat inbound command in both PAT and NO-PAT modes.
An ACL can be used by only one inbound dynamic NAT rule on an interface.
You can configure multiple inbound dynamic NAT rules on an interface.
The vpn-instance parameter is required if you deploy inbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 in VPN vpn10 to pass through.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit vpn-instance vpn10 source 10.110.10.0 0.0.0.255
[Sysname-acl-ipv4-basic-2001] rule deny
[Sysname-acl-ipv4-basic-2001] quit
# Configure the MPLS L3VPN instance named vpn10.
[Sysname] ip vpn-instance vpn10
[Sysname-vpn-instance-vpn10] route-distinguisher 100:001
[Sysname-vpn-instance-vpn10] vpn-target 100:1 export-extcommunity
[Sysname-vpn-instance-vpn10] vpn-target 100:1 import-extcommunity
[Sysname-vpn-instance-vpn10] quit
# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-address-group-1] quit
# Configure an inbound NO-PAT rule on interface GigabitEthernet 1/1/1. NAT translates the source addresses of incoming packets into the addresses in address group 1, and automatically adds routes for translated packets.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat inbound 2001 address-group 1 vpn-instance vpn10 no-pat add-route
display nat all
display nat inbound
display nat no-pat
nat log alarm
Use nat log alarm to enable NAT alarm logging.
Use undo nat log alarm to disable NAT alarm logging.
Syntax
nat log alarm
undo nat log alarm
Default
NAT alarm logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Before configuring NAT alarm logging for NAT444, you must configure the custom NAT444 log generation and outputting features. For more information about information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable NAT alarm logging.
<Sysname> system-view
[Sysname] nat log alarm
Related commands
display nat all
display nat log
nat log enable
nat log enable
Use nat log enable to enable NAT logging.
Use undo nat log enable to disable NAT logging.
Syntax
nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat log enable
Default
NAT logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
acl: Specifies an ACL.
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
Usage guidelines
You must enable NAT logging before you enable NAT session logging, NAT444 user logging, or NAT alarm logging. NAT444 user logging records log information about NAT444 port block assignment and withdrawal.
The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.
Examples
# Enable NAT logging.
<Sysname> system-view
[Sysname] nat log enable
Related commands
display nat all
display nat log
nat log alarm
nat log flow-active
nat log flow-begin
nat log flow-end
nat log port-block-assign
nat log port-block-withdraw
nat log flow-active
Use nat log flow-active to enable logging for active NAT flows and set the logging interval.
Use undo nat log flow-active to disable logging for active NAT flows.
Syntax
nat log flow-active time-value
undo nat log flow-active
Default
Logging for active NAT flows is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.
Usage guidelines
Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.
Logging for active NAT flows takes effect only after you enable NAT logging.
Examples
# Enable logging for active NAT flows and set the logging interval to 10 minutes.
<Sysname> system-view
[Sysname] nat log flow-active 10
Related commands
display nat all
display nat log
nat log enable
nat log flow-begin
Use nat log flow-begin to enable logging for NAT session establishment events.
Use undo nat log flow-begin to disable logging for NAT session establishment events.
Syntax
nat log flow-begin
undo nat log flow-begin
Default
Logging for NAT session establishment events is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Logging for NAT session establishment events takes effect only after you enable NAT logging.
Examples
# Enable logging for NAT session establishment events.
<Sysname> system-view
[Sysname] nat log flow-begin
Related commands
display nat all
display nat log
nat log enable
nat log flow-end
Use nat log flow-end to enable logging for NAT session removal events.
Use undo nat log flow-end to disable logging for NAT session removal events.
Syntax
nat log flow-end
undo nat log flow-end
Default
Logging for NAT session removal events is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Logging for NAT session removal events takes effect only after you enable NAT logging.
Examples
# Enable logging for NAT session removal events.
<Sysname> system-view
[Sysname] nat log flow-end
Related commands
display nat all
display nat log
nat log enable
nat log port-block-assign
Use nat log port-block-assign to enable NAT444 user logging for port block assignment.
Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.
Syntax
nat log port-block-assign
undo nat log port-block-assign
Default
NAT444 user logging is disabled for port block assignment.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
For static NAT444, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.
For dynamic NAT444, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.
Enable NAT logging before you enable NAT444 user logging for port block assignment.
Examples
# Enable NAT444 user logging for port block assignment.
<Sysname> system-view
[Sysname] nat log port-block-assign
Related commands
display nat all
display nat log
nat log enable
nat log port-block-withdraw
Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.
Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.
Syntax
nat log port-block-withdraw
undo nat log port-block-withdraw
Default
NAT444 user logging is disabled for port block withdrawal.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
For static NAT444, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.
For dynamic NAT444, the NAT444 gateway generates a user log when all the following conditions are met:
· All connections from a private IP address are disconnected.
· The port blocks (including the extended ones) assigned to the private IP address are withdrawn.
· The corresponding mapping entry is deleted.
Enable NAT logging before you enable NAT444 user logging for port block withdrawal.
Examples
# Enable NAT444 user logging for port block withdrawal.
<Sysname> system-view
[Sysname] nat log port-block-withdraw
Related commands
display nat all
display nat log
nat log enable
nat mapping-behavior
Use nat mapping-behavior to configure the mapping behavior mode for PAT.
Use undo nat mapping-behavior to restore the default.
Syntax
nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat mapping-behavior endpoint-independent
Default
Address and Port-Dependent Mapping applies.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
acl: Specifies an ACL. Endpoint-Independent Mapping applies to packets that are permitted by the ACL. If you do not specify an ACL, Endpoint-Independent Mapping applies to all packets.
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
Usage guidelines
PAT supports the following types of NAT mappings:
· Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.
· Address and Port-Dependent Mapping—Uses different IP and port mappings for packets with the same source IP and port to different destination IP addresses and ports. APDM allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.
This command takes effect only on outbound PAT. Address and Port-Dependent Mapping always applies to inbound PAT.
Examples
# Apply the Endpoint-Independent Mapping mode to all packets for address translation.
<Sysname> system-view
[Sysname] nat mapping-behavior endpoint-independent
# Apply the Endpoint-Independent Mapping to FTP and HTTP packets, and the Address and Port-Dependent Mapping to other packets for address translation.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80
[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 21
[Sysname-acl-ipv4-adv-3000] quit
[Sysname] nat mapping-behavior endpoint-independent acl 3000
Related commands
nat outbound
display nat eim
nat outbound
Use nat outbound to configure an outbound dynamic NAT rule.
Use undo nat outbound to delete an outbound dynamic NAT rule.
Syntax
NO-PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ disable ] [ description text ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group { group-id | name group-name } ] [ vpn-instance vpn-instance-name ] [ port-preserved ] [ disable ] [ description text ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
Default
No outbound dynamic NAT rules exist.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
address-group group-id: Specifies an address group for NAT. If you do not specify an address group, the IP address of the interface is used as the NAT address. Easy IP is used.
group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.
name group-name: Specifies the address group name, a case-sensitive string of 1 to 63 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group belong to the public network, do not use this option.
no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.
reversible: Allows reverse address translation. Reverse address translation uses existing NO-PAT entries to translate destination addresses for packets of connections actively initiated by external hosts to internal hosts.
port-preserved: Tries to preserve port number for PAT. This keyword does not take effect on dynamic NAT444.
disable: Disables the outbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.
description text: Specifies a description for the outbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.
Outbound dynamic NAT supports the following modes:
· PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.
· NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Dynamic NAT444 does not support the NO-PAT mode.
When you specify a NAT address group, follow these restrictions and guidelines:
· An address group cannot be used by both the nat inbound and nat outbound commands.
· An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.
· When a port range and port block parameters are specified in the NAT address group, this command configures a dynamic NAT444 rule. Packets matching the ACL permit rule are processed by dynamic NAT444.
When you specify an ACL, follow these restrictions and guidelines:
· An ACL can be used by only one outbound dynamic NAT rule on an interface.
· If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.
· If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.
· Outbound dynamic NAT rules with ACLs configured on an interface takes precedence over those without ACLs. The priority for the ACL-based dynamic NAT rules depends on ACL number. A higher ACL number represents a higher priority.
The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-ipv4-basic-2001] rule deny
[Sysname-acl-ipv4-basic-2001] quit
# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-address-group-1] quit
# Configure an outbound dynamic PAT rule on interface GigabitEthernet 1/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat outbound 2001 address-group 1
[Sysname-GigabitEthernet1/1/1] quit
Or
# Configure an outbound NO-PAT rule on interface GigabitEthernet 1/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat outbound 2001 address-group 1 no-pat
[Sysname-GigabitEthernet1/1/1] quit
Or
# Enable Easy IP to use the IP address of GigabitEthernet 1/1/1 as the translated address.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet 1/1/1] nat outbound 2001
[Sysname-GigabitEthernet 1/1/1] quit
Or
# Configure an outbound NO-PAT rule on GigabitEthernet 1/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat outbound 2001 address-group 1 no-pat reversible
Related commands
display nat eim
display nat outbound
nat mapping-behavior
nat outbound ds-lite-b4
Use nat outbound ds-lite-b4 to configure DS-Lite NAT444.
Use undo nat outbound ds-lite-b4 to remove the DS-Lite NAT444 configuration.
Syntax
nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group { group-id | name group-name } [ disable ]
undo nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name }
Default
No DS-Lite NAT444 configuration exists.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-acl-number: Specifies the number of an IPv6 ACL to match the IPv6 addresses of B4 elements. The value range for the argument is 2000 to 2999.
name ipv6-acl-name: Specifies the name of an IPv6 ACL to match the IPv6 addresses of B4 elements. The ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
address-group group-id: Specifies an address group by its ID. The value range for the group-id argument is 0 to 65535. Port block parameters are required in the address group for DS-Lite NAT444.
name group-name: Specifies the address group name, a case-sensitive string of 1 to 63 characters.
disable: Disables the inbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.
Usage guidelines
DS-Lite NAT444 applies to the scenario where a DS-Lite tunnel connects an IPv6 network to an IPv4 network. DS-Lite NAT444 is configured on the AFTR's interface connected to the external IPv4 network and performs dynamic NAT444 based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host.
DS-Lite NAT444 dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.
Examples
# Configure IPv6 ACL 2100 to identify packets from subnet 2000::/64.
<Sysname> system-view
[Sysname] acl ipv6 basic 2100
[Sysname-acl-ipv6-basic-2100] rule permit source 2000::/64
[Sysname-acl-ipv6-basic-2100] quit
# Create address group 1 and add public addresses 202.110.10.10 through 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-nat-address-group-1] address 202.110.10.10 202.110.10.12
# Set the port block size to 256.
[Sysname-nat-address-group-1] port-block block-size 256
[Sysname-nat-address-group-1] quit
# Configure DS-Lite NAT444 on GigabitEthernet 1/1/1 to use address group 1 to translate packets permitted by ACL 2100.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat outbound ds-lite-b4 2100 address-group 1
Related commands
display nat outbound
nat outbound port-block-group
Use nat outbound port-block-group to apply a NAT port block group to the outbound direction of an interface.
Use undo nat outbound port-block-group to remove a NAT port block group application.
Syntax
nat outbound port-block-group group-id
undo nat outbound port-block-group group-id
Default
No NAT port block group is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
group-id: Specifies a NAT port block group by its ID. The value range for this argument is 0 to 65535.
Usage guidelines
After you apply a NAT port block group to an interface, the system automatically computes the NAT444 mappings and creates entries for them. When a private IP address accesses the public network, the private IP address is translated to the mapped public IP address, and the ports are translated to ports in the selected port block.
You can apply multiple NAT port block groups to an interface.
In an IRF fabric, you must execute the ip fast-forwarding load-sharing command. Otherwise, the port assignment conflict will occur.
Examples
# Apply NAT port block group 1 to the outbound direction of GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat outbound port-block-group 1
Related commands
display nat all
display nat outbound port-block-group
display nat port-block
nat port-block-group
nat log port-block usage threshold
Use nat log port-block usage threshold to set the port block usage threshold for dynamic NAT444.
Use undo nat log port-block usage threshold to restore the default.
Syntax
nat log port-block usage threshold threshold-value
undo nat log port-block usage threshold
Default
The port block usage threshold for dynamic NAT444 is 90%.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the port block usage threshold in percentage, in the range of 40 to 100.
Usage guidelines
The system generates alarm logs if the port block usage exceeds the threshold.
Examples
# Set the port block usage threshold for dynamic NAT444 to 60%.
<Sysname> system-view
[Sysname] nat log port-block usage threshold 60
nat port-block global-share enable
Use nat port-block global-share enable to enable global mapping sharing for dynamic NAT444.
Use undo nat port-block global-share enable to disable global mapping sharing for dynamic NAT444.
Syntax
nat port-block global-share enable
undo nat port-block global-share enable
Default
Global mapping sharing is disabled for Dynamic NAT444.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
When multiple interfaces have dynamic NAT444 configured, the interfaces might create different NAT444 mappings for packets from the same IP address. You can use this command to configure the interfaces to share the same NAT444 mapping for translating packets from the same IP address.
Examples
# Enable global mapping sharing for dynamic NAT444.
<Sysname> system-view
[Sysname] nat port-block global-share enable
Related commands
port-block
nat port-block-group
Use nat port-block-group to create a NAT port block group and enter its view, or enter the view of an existing NAT port block group.
Use undo nat port-block-group to delete a NAT port block group.
Syntax
nat port-block-group group-id
undo nat port-block-group group-id
Default
No NAT port block groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-id: Assigns an ID to the NAT port block group. The value range for this argument is 0 to 65535.
Usage guidelines
A NAT port block group is configured to implement static NAT444.
You must configure the following items for a NAT port block group:
· A minimum of one private IP address range (see the local-ip-address command).
· A minimum of one public IP address range (see the global-ip-address command).
· A port range (see the port-range command).
· A port block size (see the block-size command).
The system computes static NAT444 mappings according to the port block group configuration, and creates entries for the mappings.
Examples
# Create NAT port block group 1.
<Sysname>system-view
[Sysname]nat port-block-group 1
[Sysname-port-block-group-1]
Related commands
block-size
display nat all
display nat port-block-group
global-ip-pool
local-ip-address
nat outbound port-block-group
port-range
nat server
Use nat server to create a mapping from the private IP address and port of an internal server to a public address and port for an internal server.
Use undo nat server to delete a mapping.
Syntax
Common NAT Server:
· A single public address with no or a single public port:
nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ disable ] [ description text ]
undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]
· A single public address with consecutive public ports:
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]
undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]
· Consecutive public addresses with no or a single public port:
nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]
undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]
· Consecutive public addresses with a single public port:
nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside local-address local-port1 local-port2 [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]
undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]
Load sharing NAT Server:
nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-number [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ disable ] [ description text ]
undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]
ACL-based NAT Server:
nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ disable ] [ description text ]
undo nat server global { ipv4-acl-number | name ipv4-acl-name }
Default
No NAT Server mappings exist.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:
· A number in the range of 1 to 255.
· A protocol name of icmp, tcp, or udp.
global-address: Specifies the public address of an internal server.
global-address1 global address2: Specifies a public IP address range, which can include a maximum of 10000 addresses. The global-address1 argument specifies the start address, and the global address2 argument specifies the end address that must be greater than the start address.
global: Specifies an ACL. The destination IP addresses of packets permitted by the ACL can be translated.
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.
interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.
global-port1 global-port2: Specifies a public port number range, which can include a maximum of 10000 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:
· A number in the range of 1 to 65535. Both the start port and the end port support this format.
· A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.
local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.
local-port: Specifies the private port number. The private port number format can be one of the following:
· A number in the range of 1 to 65535, excluding FTP port 20.
· A protocol name, a string of 1 to 15 characters. For example, http and telnet.
global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.
local-address: Specifies the private IP address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the advertised public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the public IP addresses do not belong to any VPN instance.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the internal server does not belong to any VPN instance.
server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for this argument is 0 to 65535.
acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping.
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.
disable: Disables the NAT Server mapping. If you do not specify this keyword, the mapping is enabled.
description text: Specifies a description for the NAT Server mapping. The text argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure the NAT Server feature to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.
NAT Server is usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. The following table describes the address-port mappings between an external network and an internal network for NAT Server.
Table 19 Address-port mappings for NAT Server
External network |
Internal network |
One public address |
One private address |
One public address and one public port number |
One private address and one private port number |
One public address and N consecutive public port numbers |
One private address and one private port number |
N consecutive private addresses and one private port number |
|
One private address and N consecutive private port numbers |
|
N consecutive public addresses |
One private address |
N consecutive private addresses |
|
N consecutive public addresses and one public port number |
One private address and one private port number |
N consecutive private addresses and one private port number |
|
One private address and N consecutive private port numbers |
|
One public address and one public port number |
One private server group |
One public address and N consecutive public port numbers |
|
N consecutive public addresses and one public port number |
|
Public addresses matching an ACL |
One private address |
One private address and one private port |
The number of the nat server commands that can be configured on an interface varies by device model. The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.
As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.
If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicted address is modified to an unconflicted address or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.
The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:
· One public address and N consecutive public port numbers are mapped to one internal server group.
· N consecutive public addresses and one public port number are mapped to one internal server group.
Examples
# Allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http
[Sysname-GigabitEthernet1/1/1] quit
# Allow external users to access the internal FTP server at 10.110.10.11 in the MPLS VPN vrf10 through ftp://202.110.10.10.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10
[Sysname-GigabitEthernet1/1/1] quit
# Allow external hosts to ping the host at 10.110.10.12 in the VPN vrf10 by using the ping 202.110.10.11 command.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10
[Sysname-GigabitEthernet1/1/1] quit
# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the MPLS VPN vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10
# Configure ACL-based NAT Server to allow users to use IP addresses in subnet 192.168.0.0/24 to access the internal server at 10.0.0.172.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255
[Sysname-acl-ipv4-adv-3000] quit
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat server global 3000 inside 10.0.0.172
Related commands
display nat all
display nat server
nat server-group
nat server-group
Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.
Use undo nat server-group to delete an internal server group.
Syntax
nat server-group group-id
undo nat server-group group-id
Default
No internal server groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-id: Assigns an ID to the internal server group. The value range is 0 to 65535.
Usage guidelines
An internal server group can contain multiple members configured by the inside ip command.
Examples
# Create internal server group 1.
<Sysname> system-view
[Sysname] nat server-group 1
Related commands
display nat all
display nat server-group
inside ip
nat server
nat static enable
Use nat static enable to enable static NAT on an interface.
Use undo nat static enable to disable static NAT on an interface.
Syntax
nat static enable
undo nat static enable
Default
Static NAT is disabled.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.
Examples
# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] nat static outbound 192.168.1.1 2.2.2.2
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] nat static enable
display nat all
display nat static
nat static
nat static net-to-net
nat static inbound
Use nat static inbound to configure a one-to-one mapping for inbound static NAT.
Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.
Syntax
nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
undo nat static inbound global-ip [ vpn-instance global-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
global-ip: Specifies a public IP address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.
local-ip: Specifies a private IP address.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to identify the internal hosts that can access the external network.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external host. It uses the mapping to translate the destination address for packets of these connections if the packets are permitted by ACL reverse matching.
disable: Disables the one-to-one inbound static mapping. If you do not specify this keyword, the mapping is enabled.
Usage guidelines
When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip. When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address of packets is not translated for connections actively initiated by internal hosts to the external host.
· If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated by internal hosts to the external host are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP address/port in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.
The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.
<Sysname> system-view
[Sysname] nat static inbound 2.2.2.2 192.168.1.1
Related commands
display nat all
display nat static
nat static enable
nat static inbound net-to-net
Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.
Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.
Syntax
nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
undo nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
global-start-address global-end-address: Specifies a public address range which can contain a maximum of 255 addresses. The global-end-address must not be lower than global-start-address. If they are the same, only one public address is specified.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.
local-network: Specifies a private network address.
mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.
mask: Specifies the mask of the private network address.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private network address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private network address does not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to identify the internal hosts that can access the external network.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.
disable: Disables the net-to-net inbound static mapping. If you do not specify this keyword, the mapping is enabled.
Usage guidelines
Specify a public network through a start address and an end address, and a private network through a private address and a mask.
When the source address of a packet from the public network matches the public address range, the source address is translated into a private address in the private address range. When the destination address of a packet from the private network matches the private address range, the destination address is translated into a public address in the public address range.
The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source addresses of all incoming packets and the destination addresses of all outgoing packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by internal hosts to the external hosts.
· If you specify both an ACL and the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. If packets of connections actively initiated by internal hosts to the external hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.
The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure an inbound static NAT mapping between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.
<Sysname> system-view
[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24
Related commands
display nat all
display nat static
nat static enable
nat static inbound object-group
Use nat static inbound object-group to configure an object group-based inbound static NAT mapping.
Use undo nat static inbound object-group to remove an object group-based inbound static NAT mapping.
Syntax
nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
undo nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
object-group global-object-group-name: Specifies an object group of public IPv4 addresses. The global-object-group-name argument is a case-insensitive string of 1 to 31 characters.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.
object-group local-object-group-name: Specifies an object group of private IPv4 addresses. The local-object-group-name argument is a case-insensitive string of 1 to 31 characters.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to identify the internal hosts that can access the external network.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.
disable: Disables the object group based inbound static mapping. If you do not specify this keyword, the mapping is enabled.
Usage guidelines
This command specifies public and private IP addresses through IPv4 address object groups.
When the source address of a packet from the public network matches the public address object group, the source address is translated into a private address in the private address object group. When the destination address of a packet from the private network matches the private address object group, the destination address is translated into a public address in the public address object group.
When you specify object groups, follow these restrictions and guidelines:
· The public or private IPv4 address object group can contain only one IPv4 address object.
· The quantity of IPv4 addresses in the private IPv4 address object group cannot be smaller than that in the public IPv4 address object group.
· The object in the private IPv4 address object group cannot be an address range.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source addresses of all incoming packets and the destination addresses of all outgoing packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by internal hosts to the external hosts.
· If you specify both an ACL and the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. If packets of connections actively initiated by internal hosts to the external hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple inbound static NAT mappings by using the nat static inbound , nat static inbound net-to-net , and nat static inbound object-group commands.
The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
An IPv4 address object group used by an object group-based inbound static mapping can only contain a host object or a subnet object. Otherwise, the configuration does not take effect.
Examples
# Configure an object group-based inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.
<Sysname> system-view
[Sysname] object-group ip address global
[Sysname-obj-grp-ip-global] network host address 2.2.2.2
[Sysname-obj-grp-ip-global] quit
[Sysname] object-group ip address local
[Sysname-obj-grp-ip-local] network host address 192.168.1.1
[Sysname-obj-grp-ip-local] quit
[Sysname] nat static inbound object-group global object-group local
Related commands
display nat all
display nat static
nat static enable
nat static-load-balance enable
Use nat static-load-balance enable to enable static NAT load sharing.
Use undo nat static-load-balance enable to disable static NAT load sharing.
Syntax
nat static-load-balance enable
undo nat static-load-balance enable
Default
Static NAT load sharing is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
If the main security engine is overwhelmed by the static NAT load, enable this feature to distribute the static NAT load to different security engines.
After you enable or disable this feature, execute the reset nat session and reset session table commands to clear session entries. Otherwise, static NAT cannot function correctly. Use this feature with caution because deleting session entries can result in service interruption.
The term "static NAT" in this command refers to static NAT, NAT Server, and static NAT444.
Examples
# Enable static NAT load sharing.
<Sysname> system-view
[Sysname] nat static-load-balance enable
nat static outbound
Use nat static outbound to configure a one-to-one mapping for outbound static NAT.
Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.
Syntax
nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
local-ip: Specifies a private IP address.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.
global-ip: Specifies a public IP address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal host. It uses the mapping to translate the destination address for packets of these connections if the packets are permitted by ACL reverse matching.
disable: Disables the one-to-one outbound static mapping. If you do not specify this keyword, the mapping is enabled.
Usage guidelines
When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address of packets is not translated for connections actively initiated by external hosts to the internal host.
· If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated by external hosts to the internal host are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP address/port in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.
The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.
<Sysname> system-view
[Sysname] nat static outbound 192.168.1.1 2.2.2.2
# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001
Related commands
display nat all
display nat static
nat static enable
nat static outbound net-to-net
Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.
Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.
Syntax
nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
local-start-address local-end-address: Specifies a private address range which can contain a maximum of 255 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.
global-network: Specifies a public network address.
mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.
mask: Specifies the mask of the public network address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.
ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.
disable: Disables the net-to-net outbound static mapping. If you do not specify this keyword, the mapping is enabled.
Usage guidelines
Specify a private network through a start address and an end address, and a public network through a public address and a mask.
When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range. When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.
The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source addresses of all outgoing packets and the destination addresses of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by external hosts to the internal hosts.
· If you specify both an ACL and the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. If packets of connections actively initiated by external hosts to the internal hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.
The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.
<Sysname> system-view
[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24
# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001
Related commands
display nat all
display nat static
nat static enable
nat static outbound object-group
Use nat static outbound object-group to configure an object group-based outbound static NAT mapping.
Use undo nat static outbound object-group to remove an object group-based outbound static NAT mapping.
Syntax
nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ]
undo nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
object-group local-object-group-name: Specifies an object group of private IPv4 addresses. The local-object-group-name argument is a case-insensitive string of 1 to 31 characters.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.
object-group global-object-group-name: Specifies an object group of public IPv4 addresses. The global-object-group-name argument is a case-insensitive string of 1 to 31 characters.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.
ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.
disable: Disables the object group based outbound static mapping. If you do not specify this keyword, the mapping is enabled.
Usage guidelines
This command specifies public and private IP addresses through IPv4 address object groups.
When the source address of a packet from the private network matches the private address object group, the source address is translated into a public address in the public address object group. When the destination address of a packet from the public network matches the public address object group, the destination address is translated into a private address in the private address object group.
When you specify object groups, follow these restrictions and guidelines:
· The public or private IPv4 address object group can contain only one IPv4 address object.
· The quantity of IPv4 addresses in the private IPv4 address object group cannot be larger than that in the public IPv4 address object group.
· The object in the public IPv4 address object group cannot be an address range.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source addresses of all outgoing packets and the destination addresses of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by external hosts to the internal hosts.
· If you specify both an ACL and the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. If packets of connections actively initiated by external hosts to the internal hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound, nat static outbound net-to-net, and nat static outbound object-group commands.
The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
An IPv4 address object group used by an object group-based outbound static mapping can only contain a host object or a subnet object. Otherwise, the configuration does not take effect.
Examples
# Configure an object group-based outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2.
<Sysname> system-view
[Sysname] object-group ip address global
[Sysname-obj-grp-ip-global] network host address 2.2.2.2
[Sysname-obj-grp-ip-global] quit
[Sysname] object-group ip address local
[Sysname-obj-grp-ip-local] network host address 192.168.1.1
[Sysname-obj-grp-ip-local] quit
[Sysname] nat static outbound object-group local object-group global
Related commands
display nat all
display nat static
nat timestamp delete
Use nat timestamp delete to enable the deletion of timestamps in TCP SYN and SYN ACK packets.
Use undo nat timestamp delete to restore the default.
Syntax
nat timestamp delete [ vpn-instance vpn-instance-name ]
undo nat timestamp delete [ vpn-instance vpn-instance-name ]
Default
The TCP SYN and SYN ACK packets carry the timestamp.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the TCP SYN and SYN ACK packets belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify this option, this command applies to TCP SYN and SYN ACK packets on the public network.
Usage guidelines
With this feature configured, the system deletes the timestamps from the TCP SYN and SYN ACK packets after dynamic address translation.
If PAT mode is configured on an interface by using nat inbound or nat outbound, and the tcp_timestams and tcp_tw_recycle function is configured on the TCP server, TCP connections might not be established. To solve the problem, you can shut down the tcp_tw_recycle function or configure the nat timestamp delete command.
You can enable this feature for multiple VPN instances by repeating the command with different VPN parameters.
Examples
# Enable the deletion of the timestamp for TCP SYN and SYN ACK packets on the public network.
<Sysname> system-view
[Sysname] nat timestamp delete
# Enable the deletion of the timestamp for TCP SYN and SYN ACK packets on the VPN instance aa.
<Sysname> system-view
[Sysname] nat timestamp delete vpn-instance aa
Related commands
nat outbound
nat inbound
nat redirect reply-route
Use nat redirect reply-route enable to enable NAT reply redirection.
Use undo nat redirect reply-route enable to disable NAT reply redirection.
Syntax
nat redirect reply-route enable
undo nat redirect reply-route enable
Default
NAT reply redirection is disabled.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
NAT reply redirection allows an interface to use the NAT session entry information to translate the destination IP addresses for NAT reply packets and find the output interfaces for the NATed reply packets.
Examples
# Enable NAT reply redirection on GigabitEthernet 1/1/2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/2
[Sysname-GigabitEthernet1/1/2] nat redirect reply-route enable
port-block
Use port block to configure port block parameters for a NAT address group.
Use undo port block to restore the default.
Syntax
port block block-size block-size [ extended-block-number extended-block-number ]
undo port block
Default
Port block parameters are not configured for a NAT address group.
Views
NAT address group view
Predefined user roles
network-admin
mdc-admin
Parameters
block-size block-size: Specifies the port block size. The value range for this argument is 1 to 65535. In a NAT address group, the port block size cannot be larger than the number of ports in the port range.
extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When a private IP address accesses the public network, but the ports in the selected port block are all occupied, the NAT444 gateway extends port blocks one by one for the private IP address.
Usage guidelines
To configure dynamic NAT444, port block parameters are required in the NAT address group. When a private IP address initiates a connection to the public network, the NAT444 gateway assigns it a public IP address and a port block, and creates an entry for the mapping. For subsequent connections from the private IP address, the NAT444 gateway translates the private IP address to the mapped public IP address and the ports to ports in the selected port block.
Examples
# Set the port block size to 256 and the number of extended port blocks to 1 in NAT address group 2.
<Sysname> system-view
[Sysname] nat address-group 2
[Sysname-address-group-2] port-block block-size 256 extended-block-number 1
Related commands
nat address-group
port-range
Use port-range to specify a port range for public IP addresses.
Use undo port-range to restore the default.
Syntax
port-range start-port-number end-port-number
undo port-range
Default
The port range for public IP addresses is 1 to 65535.
Views
NAT address group view
NAT port block group view
Predefined user roles
network-admin
mdc-admin
Parameters
start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number.
Usage guidelines
The port range must include all ports that public IP addresses use for address translation.
The number of ports in a port range cannot be smaller than the port block size.
Examples
# Specify the port range as 1024 to 65535 for NAT address group 1.
<Sysname> system-view
[Sysname] nat address-group 1
[Sysname-address-group-1] port-range 1024 65535
# Specify the port range as 30001 to 65535 for NAT port block group 1.
<Sysname> system-view
[Sysname] nat port-block-group 1
[Sysname-port-block-group-1] port-range 30001 65535
Related commands
nat address-group
nat port-block-group
reset nat session
Use reset nat session to clear NAT session entries.
Syntax
In standalone mode:
reset nat session [ slot slot-number ]
In IRF mode:
reset nat session [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command clears NAT session entries for all member devices. (In IRF mode.)
Usage guidelines
After you clear the NAT session entries, the corresponding NAT EIM table and NO-PAT table are cleared at the same time.
Examples
# (In IRF mode.) Clear NAT session entries on chassis 1.
<Sysname> reset nat session chassis 1 slot 0
Related commands
display nat session