Currently, the LS81VSNP boards installed in S7500 series switches support the NAT feature. In this manual, the LS81VSNP board is called LPU (line processing unit).
Syntax
display nat address-group
View
Any view
Parameter
None
Description
Use the display nat address-group
command to display NAT address pool configuration.
Example
# Display NAT address pool configuration.
<H3C> display nat address-group
 NAT address-group information:
     0 : from  1.1.1.1  to  1.1.1.2
     1 : from  2.2.2.2  to  2.2.2.3  slot 3
Syntax
display nat aging-time
View
Any view
Parameter
None
Description
Use the display nat aging-time command
to display the settings for NAT entry aging time.
Example
# Display the settings for NAT table entry
aging time.
<H3C> display nat aging-time
NAT aging-time value information:
    alg ---- aging-time value is   120 (seconds)
    ftp ---- aging-time value is  7200 (seconds)
The slot 3 NP-timer configuration:
   Selection of NP-timer is : Fast-Timer
   Fast-Timer : 300 seconds
   Slow-Timer : 3600 seconds
Table 1-1 Description on the fields of the display nat aging-time command
| Field | Description |
| NAT aging-time value information | NAT aging time information follows. |
| alg ---- aging-time value is 120 (seconds) | The aging time for ALG NAT entries is 120 seconds. |
| ftp ---- aging-time value is 7200 (seconds) | The aging time for FTP connections is 7200 seconds. |
| The slot 3 NP-timer configuration | The NP-timer settings on the board in slot 3 follow. |
| Selection of NP-timer is : Fast-Timer | The fast NP timer is selected. |
| Fast-Timer : 300 seconds | The fast timer is 300 seconds. |
| Slow-Timer : 3600 seconds | The slow timer is 3600 seconds. |
Syntax
display nat all
View
Any view
Parameter
None
Description
Use the display nat all command to display all information about the current NAT configuration, including the NAT address pools, NAT ACLs (ACLs referenced by the nat outbound command), internal servers, and aging time settings.
Example
# Display all information of the current
NAT configurations.
<H3C> display nat all
NAT address-group information:
 1 : from        3.3.3.6  to        3.3.3.8 slot: 5
NAT outbound information:
 Vlan-interface3: acl(2000) --- NAT address-group(1) slot: 5
Server in private network information:
 Interface   GlobalAddr   GlobalPort  InsideAddr    InsidePort  Pro     Slot
 Vlanif3     3.3.3.10     21(ftp)     192.168.1.10  21(ftp)     6(tcp)  5
NAT aging-time value information:
 alg ---- aging-time value is   120 (seconds)
 ftp ---- aging-time value is  7200 (seconds)
The slot 5 NP-timer configuration:
 Selection of NP-timer is : Fast-Timer
 Fast-Timer : 300 seconds
 Slow-Timer : 3600 seconds
1.1.4 display nat blacklist
Syntax
display nat blacklist { all | ip [ ip-address ] slot slot-number }
View
Any view
Parameter
all: Displays all blacklist configurations and status.
ip: Displays IP address-specific blacklist configurations and status.
ip-address: IP address whose blacklist configuration you want to query.
slot-number: Slot number of an LPU.
Description
Use the display nat blacklist command to display the configuration and status of the NAT blacklist feature.
- The display nat blacklist all command displays all blacklist configurations.
- The display nat blacklist ip [ ip-address ] slot slot-number command displays IP address-specific blacklist configurations and status.
Example
# Display all blacklist configurations.
<H3C> display nat blacklist all
Blacklist function global configuration:
 Blacklist function of the NO. 7 L3plus board is started.
 Connection amount control is enabled.
 Connection set-up rate control is enabled.
 Amount control limit: 500 sessions.
 Rate control limit: 250 session/s.
 Special rate control limit: 250 session/s.
 Global Committed Burst Size is 375
 Special IP Committed Burst Size is 375
 Global Extended Burst Size is 0
 Special IP Extended Burst Size is 0
Altogether 1 IP addresses have special configuration:
Control limit configuration of IP 1.1.1.1:
 Amount control limit: 100 sessions.
 Rate control limit uses global configuration.
# Display blacklist status on the LPU in slot 6.
<H3C> display nat blacklist ip slot 6
This query may last a long time, please wait for a moment...
 There are 6 ip address in blacklist.
    192.168.1.4     192.168.1.1     192.168.1.5     192.168.1.2
    192.168.1.6     192.168.1.3
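The two outputs above are what an operator would poll to watch the blacklist feature: the active limits from display nat blacklist all and the addresses currently blacklisted from display nat blacklist ip slot. The following parser is an added example, not H3C code; the two sample texts reproduce the page's example output verbatim, and the function names are hypothetical. It also checks the listed addresses against the count the switch reports, so a truncated capture is detected rather than silently under-counted.

```python
"""Parse display nat blacklist output so the active limits and the blacklisted
addresses can be exported to monitoring. Added illustration, not H3C code; the
sample texts are the page's example output, and the function names are hypothetical."""
import re
from typing import Dict, List, Optional

# Sample output of "display nat blacklist all" (copied from the page's example).
SAMPLE_ALL = """\
Blacklist function global configuration:
 Blacklist function of the NO. 7 L3plus board is started.
 Connection amount control is enabled.
 Connection set-up rate control is enabled.
 Amount control limit: 500 sessions.
 Rate control limit: 250 session/s.
 Special rate control limit: 250 session/s.
 Global Committed Burst Size is 375
 Special IP Committed Burst Size is 375
 Global Extended Burst Size is 0
 Special IP Extended Burst Size is 0
Altogether 1 IP addresses have special configuration:
Control limit configuration of IP 1.1.1.1:
 Amount control limit: 100 sessions.
 Rate control limit uses global configuration.
"""

# Sample output of "display nat blacklist ip slot 6" (copied from the page's example).
SAMPLE_IP = """\
This query may last a long time, please wait for a moment...
 There are 6 ip address in blacklist.
    192.168.1.4     192.168.1.1     192.168.1.5     192.168.1.2
    192.168.1.6     192.168.1.3
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_blacklist_all(text: str) -> Dict[str, dict]:
    """Return {'global': {...}, 'per_ip': {ip: {...}}} from the 'all' output."""
    cfg: Dict[str, dict] = {"global": {}, "per_ip": {}}
    current = cfg["global"]  # the section whose lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Control limit configuration of IP (\S+):", line)
        if m:  # switch to the per-address override section for this IP
            current = cfg["per_ip"].setdefault(m.group(1), {})
            continue
        m = re.match(r"Blacklist function of the NO\. (\d+) .* is started", line)
        if m:
            current["slot"] = int(m.group(1))
            continue
        m = re.match(r"Connection (amount|set-up rate) control is (enabled|disabled)", line)
        if m:
            key = "amount_control" if m.group(1) == "amount" else "rate_control"
            current[key] = m.group(2) == "enabled"
            continue
        m = re.match(r"Amount control limit: (\d+) sessions", line)
        if m:
            current["amount_limit"] = int(m.group(1))
            continue
        m = re.match(r"(Special )?[Rr]ate control limit: (\d+) session/s", line)
        if m:
            current["special_rate_limit" if m.group(1) else "rate_limit"] = int(m.group(2))
            continue
        if line == "Rate control limit uses global configuration.":
            current["rate_limit"] = cfg["global"].get("rate_limit")
            continue
        m = re.match(r"(Global|Special IP) (Committed|Extended) Burst Size is (\d+)", line)
        if m:
            scope = "global" if m.group(1) == "Global" else "special"
            kind = "cbs" if m.group(2) == "Committed" else "ebs"
            current[f"{scope}_{kind}"] = int(m.group(3))
    return cfg


def parse_blacklist_ips(text: str) -> List[str]:
    """Return the blacklisted addresses from the 'ip ... slot' output, sorted
    numerically, after checking them against the count the switch reports."""
    declared: Optional[int] = None
    ips: List[str] = []
    for line in text.splitlines():
        m = re.search(r"There are (\d+) ip address", line)
        if m:
            declared = int(m.group(1))
            continue
        ips.extend(IPV4.findall(line))
    if declared is not None and declared != len(ips):
        raise ValueError(f"switch reports {declared} addresses but {len(ips)} were listed")
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    print(parse_blacklist_all(SAMPLE_ALL))
    print(parse_blacklist_ips(SAMPLE_IP))
```

A per-address section inherits nothing implicitly; the parser records the global rate limit for an address only because the switch prints "uses global configuration" for it, which keeps the exported record faithful to what the device actually reports.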
1.1.5 display nat outbound
Syntax
display nat outbound
View
Any view
Parameter
None
Description
Use the display nat outbound command
to display all ACL-NAT address pool associations.
Example
# Display all ACL-NAT
address pool associations.
<H3C> display nat outbound
NAT outbound information:
 Vlan-interface2: acl(2001) --- NAT address-group(1) [no-pat] slot:3
 Vlan-interface2: acl(2002) --- NAT address-group(0) slot:3
 Vlan-interface3: acl(2001) --- NAT address-group(2) [no-pat] slot:3
 Vlan-interface3: acl(2002) --- interface slot:3
Syntax
display nat server
View
Any view
Parameter
None
Description
Use the display nat server command to display information about all internal servers.
Example
# Display information about all internal
servers.
<H3C> display nat server
Server in private network information:
 Interface   GlobalAddr   GlobalPort   InsideAddr   InsidePort  Pro      Slot
 Vlanif2     1.1.1.1      80(www)      4.4.4.4      80(www)     6(tcp)   3
 Vlanif2     2.2.2.2      53(dns)      3.3.3.3      53(dns)     17(udp)  3
 Vlanif3     2.2.2.3      69(tftp)     4.4.4.5      69(tftp)    17(udp)  3
Syntax
display nat statistics slot slot-number
View
Any view
Parameter
slot-number:
Slot number of an LPU.
Description
Use the display nat statistics
command to display the current NAT statistics.
Example
# Display the
current NAT statistics.
<H3C> display nat statistics slot 3
Current statistics information in slot 3:
 active PAT session table count in CPU: 0
 active PAT session table count in NP: 1
 active NO-PAT session table count: 0
 active SERVER session table count: 0
 the number of good packet in NP: 0
 the number of bad packet in NP: 0
Syntax
nat address-group group-number start-addr end-addr
undo nat address-group group-number
View
System view
Parameter
group-number:
Address pool index, a number ranging from 0 to 319.
start-addr:
Start IP address of the address pool.
end-addr:
End IP address of the address pool.
Description
Use the nat address-group command to
configure a NAT address pool.
Use the undo nat address-group command
to delete a NAT address pool.
A NAT address pool is a set of consecutive public IP addresses. If start-addr and end-addr are the same, the pool contains only one address.
Caution:
- A NAT address pool can contain at most 256 IP addresses.
- You cannot delete an address pool that is associated with an ACL.
- An address pool can be used for NAPT (network address port translation) only when it contains no more than three addresses.
Example
# Configure address pool 1 with addresses
from 202.110.10.10 to 202.110.10.15.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat address-group 1 202.110.10.10 202.110.10.15
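The constraints in the description above (consecutive addresses, a single address when start-addr equals end-addr, at most 256 addresses, NAPT only for pools of three addresses or fewer, group-number 0 to 319) are easy to violate when pools are generated from a spreadsheet. The checker below is an added example, not H3C code; pool_size and check_address_group are hypothetical helper names, and the pool values come from the manual's own examples.

```python
"""Validate a NAT address pool against the limits documented for nat address-group.
Added illustration, not H3C code; pool_size and check_address_group are hypothetical helpers."""
import ipaddress

MAX_POOL_SIZE = 256       # "A NAT address pool can contain at most 256 IP addresses."
MAX_NAPT_POOL_SIZE = 3    # NAPT is possible only with no more than three addresses
MAX_GROUP_NUMBER = 319    # group-number ranges from 0 to 319


def pool_size(start_addr: str, end_addr: str) -> int:
    """Number of addresses from start_addr to end_addr inclusive.
    start == end yields 1, as the manual states."""
    start = ipaddress.IPv4Address(start_addr)
    end = ipaddress.IPv4Address(end_addr)
    if end < start:
        raise ValueError(f"end-addr {end} precedes start-addr {start}")
    return int(end) - int(start) + 1


def check_address_group(group_number: int, start_addr: str, end_addr: str) -> dict:
    """Return a summary of the pool, or raise ValueError for values the command would reject."""
    if not 0 <= group_number <= MAX_GROUP_NUMBER:
        raise ValueError(f"group-number {group_number} outside 0..{MAX_GROUP_NUMBER}")
    size = pool_size(start_addr, end_addr)
    if size > MAX_POOL_SIZE:
        raise ValueError(f"pool holds {size} addresses, limit is {MAX_POOL_SIZE}")
    return {
        "group": group_number,
        "size": size,
        # whether this pool may be referenced by a NAPT (port-translating) nat outbound rule
        "napt_allowed": size <= MAX_NAPT_POOL_SIZE,
        "command": f"nat address-group {group_number} {start_addr} {end_addr}",
    }


if __name__ == "__main__":
    # The manual's own example: pool 1, 202.110.10.10 to 202.110.10.15 (six addresses)
    print(check_address_group(1, "202.110.10.10", "202.110.10.15"))
```

The six-address pool from this example is valid but too large for NAPT, while the three-address pool 202.110.10.10 to 202.110.10.12 used in the nat outbound example is usable for both NAPT and one-to-one translation.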
1.1.9 nat aging-time
Syntax
nat aging-time { alg time-value | np slow } slot slot-number
undo nat aging-time [ alg | np ] slot slot-number
View
System view
Parameter
alg: Sets the NAT connection aging time for CPU-processed ALG (application layer gateway) NAT mapping entries.
time-value: Aging time in seconds, ranging from 10 to 86,400. By default, it is 120.
np slow: Sets the NP (network processor) to use the slow aging timer (the aging time is 3,600 seconds). By default, the NP uses the fast aging timer (the aging time is 300 seconds).
slot-number: Slot number of an LPU.
Description
Use the nat aging-time command to
set the NAT connection aging time for CPU processed ALG NAT mapping entries or
the NAT connection aging time for NP processed NAT mapping entries. A NAT
connection is terminated when its aging time expires.
Use the undo nat aging-time command
to restore the default settings for NAT connection aging time. Executing this
command will set the aging time for ALG entries to 120 seconds and enable the
NP to use the fast aging timer.
Example
# Set the NAT connection aging time for ALG
entries to 245 seconds for the LPU in slot 6.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat aging-time alg 245 slot 6
Syntax
nat blacklist start slot slot-number
undo nat blacklist start slot slot-number
View
System view
Parameter
slot slot-number: Specifies the slot number of an LPU.
Description
Use the nat blacklist start command
to enable NAT blacklist for an LPU.
Use the undo nat blacklist start command
to disable NAT blacklist for an LPU.
By default, the feature is disabled.
Example
# Enable NAT blacklist for the LPU in slot
3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist start slot 3
Syntax
nat blacklist mode { all | amount | rate }
undo nat blacklist mode { all | amount | rate }
View
System view
Parameter
all: Controls both the number of NAT connections and the connection setup rate.
amount: Controls the number of NAT connections.
rate: Controls the connection setup rate.
A connection here refers to an address mapping established during NAT, and the connection setup rate refers to the rate at which NAT connections are established.
Description
Use the nat blacklist mode command to set the control mode of the NAT blacklist feature, that is, whether the feature controls the number of NAT connections, the connection setup rate, or both.
Use the undo nat blacklist mode command to cancel the setting of the NAT blacklist control mode.
Caution:
- Any command that modifies blacklist-related configuration and is not source IP address-specific must be used together with the reset nat session command.
- Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Configure the NAT blacklist feature to
control the number of NAT connections.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist mode amount
Syntax
nat blacklist limit amount [ source user-ip ] amount-value
undo nat blacklist limit amount [ source user-ip ]
View
System view
Parameter
amount: Limits the number of NAT connections.
user-ip: IP address of a user.
amount-value: Control threshold for the number of NAT connections per user. This argument ranges from 20 to 20,000.
Description
Use the nat blacklist limit amount command to set the global or a specific control threshold for the number of NAT connections, so as to limit the number of NAT connections that can be established for each global user or for a specific user.
Use the undo nat blacklist limit amount command to restore the default control threshold for the number of NAT connections.
The default control threshold for the number of NAT connections is 500.
- If you do not use the source keyword, the command applies to global users.
- If you use the source keyword, the command applies to the user with the specified IP address.
Caution:
- With the nat blacklist limit amount source user-ip command, you can set a different threshold for the number of NAT connections of each specified user. With the nat blacklist limit rate source ip command, however, the thresholds you set for connection setup rate apply to all specific users (users specified by the nat blacklist limit rate source user-ip command); you cannot set different rate thresholds for different specific users.
- Any command that modifies blacklist-related configuration and is not source IP address-specific must be used together with the reset nat session command.
- Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Set the global threshold to control the
number of NAT connections per user.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit amount 600
# Set a specific threshold to control the
number of NAT connections of the user with IP address 1.1.1.2.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit amount source 1.1.1.2 800
Syntax
nat blacklist limit rate [ source ip ] cir cir-value [ cbs cbs-value ebs ebs-value ]
undo nat blacklist limit rate [ source ip ]
View
System view
Parameter
source ip: Specifies that the control thresholds for connection setup rate are set for specific source IP addresses (IP addresses specified by the nat blacklist limit rate source user-ip command).
cir-value: CIR control threshold for connection setup rate, the long-term average rate on the port, in sessions per second. This argument ranges from 20 to 262,144. The default value is 250. (CIR: committed information rate.)
cbs-value: CBS control threshold for connection setup rate, in sessions per second. This argument ranges from cir-value to 90 x cir-value and must be less than 4,294,960. The default value is 375. (CBS: committed burst size.)
ebs-value: EBS control threshold for connection setup rate, in sessions per second. This argument ranges from 0 to 90 x cir-value and must be less than or equal to cbs-value. The default value is 0. (EBS: extended burst size.)
Description
Use the nat blacklist limit rate command to set the global or specific control thresholds for connection setup rate (the number of connections established per second).
Use the undo nat blacklist limit rate command to restore the default control thresholds for connection setup rate.
Note that:
- If you do not use the source ip keyword, the command applies to all global users.
- If you use the source ip keyword, the command applies only to specific users (users specified by the nat blacklist limit rate source user-ip command with source IP addresses).
- If you do not use the nat blacklist limit rate command, the system adopts the default values for cir-value, cbs-value, and ebs-value, which are 250, 375, and 0 respectively.
- If you configure only cir-value with the nat blacklist limit rate command, cbs-value is set to cir-value x 1.5 and ebs-value to 0.
Caution:
- With the nat blacklist limit amount source user-ip command, you can set a different threshold for the number of NAT connections of each specified user. With the nat blacklist limit rate source ip command, however, the thresholds you set for connection setup rate apply to all specific users (users specified by the nat blacklist limit rate source user-ip command); you cannot set different rate thresholds for different specific users.
- Any command that modifies blacklist-related configuration and is not source IP address-specific must be used together with the reset nat session command.
- Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Set the specific CIR, CBS and EBS control
thresholds to 100, 500 and 40 respectively.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit rate source ip cir 100 cbs 500 ebs 40
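The nat blacklist limit amount and nat blacklist limit rate sections above spell out value ranges, defaults and interdependencies (cbs between cir and 90 x cir and below 4,294,960; ebs between 0 and 90 x cir and not above cbs; cbs = cir x 1.5 when only cir is given) that the CLI enforces one line at a time. The following helper applies those same rules offline so that a batch of blacklist thresholds can be checked before it is pushed. It is an added example, not H3C code; the function names are hypothetical, and truncating cir x 1.5 to an integer for odd cir values is an assumption the manual does not state.

```python
"""Derive and validate the NAT blacklist thresholds described for
nat blacklist limit amount and nat blacklist limit rate.
Added illustration, not H3C code; functions are hypothetical helpers."""
from dataclasses import dataclass
from typing import Optional

AMOUNT_RANGE = (20, 20_000)        # amount-value range
AMOUNT_DEFAULT = 500               # default connection-count threshold
CIR_RANGE = (20, 262_144)          # cir-value range, sessions per second
CIR_DEFAULT, CBS_DEFAULT, EBS_DEFAULT = 250, 375, 0
CBS_HARD_LIMIT = 4_294_960         # cbs-value must be less than this
BURST_FACTOR = 90                  # cbs and ebs may not exceed 90 x cir


@dataclass(frozen=True)
class RateLimit:
    cir: int
    cbs: int
    ebs: int


def check_amount(amount_value: int = AMOUNT_DEFAULT) -> int:
    """Validate an amount-value for nat blacklist limit amount."""
    lo, hi = AMOUNT_RANGE
    if not lo <= amount_value <= hi:
        raise ValueError(f"amount-value {amount_value} outside {lo}..{hi}")
    return amount_value


def rate_limit(cir: Optional[int] = None, cbs: Optional[int] = None,
               ebs: Optional[int] = None) -> RateLimit:
    """Resolve the effective cir/cbs/ebs for nat blacklist limit rate.

    - no arguments: the documented defaults 250 / 375 / 0
    - cir only: cbs = cir x 1.5, ebs = 0
    - cir, cbs and ebs: checked against the documented constraints
    """
    if cir is None:
        if cbs is not None or ebs is not None:
            raise ValueError("cbs-value and ebs-value require cir-value")
        return RateLimit(CIR_DEFAULT, CBS_DEFAULT, EBS_DEFAULT)
    if not CIR_RANGE[0] <= cir <= CIR_RANGE[1]:
        raise ValueError(f"cir-value {cir} outside {CIR_RANGE[0]}..{CIR_RANGE[1]}")
    # The syntax is [ cbs cbs-value ebs ebs-value ]: both or neither.
    if (cbs is None) != (ebs is None):
        raise ValueError("cbs-value and ebs-value must be given together")
    if cbs is None:
        cbs, ebs = cir * 3 // 2, 0   # cir x 1.5 (integer truncation assumed), ebs 0
    assert ebs is not None
    if not cir <= cbs <= BURST_FACTOR * cir or cbs >= CBS_HARD_LIMIT:
        raise ValueError(
            f"cbs-value {cbs} must be in {cir}..{BURST_FACTOR * cir} and below {CBS_HARD_LIMIT}")
    if not 0 <= ebs <= BURST_FACTOR * cir or ebs > cbs:
        raise ValueError(
            f"ebs-value {ebs} must be in 0..{BURST_FACTOR * cir} and not exceed cbs-value {cbs}")
    return RateLimit(cir, cbs, ebs)


def limit_rate_command(source_ip: bool = False, **kwargs) -> str:
    """Render the CLI line that sets the resolved thresholds explicitly."""
    r = rate_limit(**kwargs)
    scope = " source ip" if source_ip else ""
    return f"nat blacklist limit rate{scope} cir {r.cir} cbs {r.cbs} ebs {r.ebs}"


if __name__ == "__main__":
    print(rate_limit())                         # documented defaults
    print(rate_limit(100))                      # cir only: cbs derived as 150
    print(limit_rate_command(source_ip=True, cir=100, cbs=500, ebs=40))  # the page's example
```

Rendering the resolved values back into an explicit command line is deliberate: a line that spells out cir, cbs and ebs is what the running configuration should be compared against, which the cir-only shorthand makes harder to audit.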
Syntax
nat blacklist limit rate source user-ip
undo nat blacklist limit rate source user-ip
View
System view
Parameter
user-ip: IP
address of a user.
Description
Use the nat blacklist limit rate source command to specify the IP address of a user, so that the specific connection setup rate control thresholds apply to that user.
Use the undo nat blacklist limit rate source command to remove the configuration.
Caution:
- With the nat blacklist limit amount source user-ip command, you can set a different threshold for the number of NAT connections of each specified user. With the nat blacklist limit rate source ip command, however, the thresholds you set for connection setup rate apply to all specific users (users specified by the nat blacklist limit rate source user-ip command); you cannot set different rate thresholds for different specific users.
- Any command that modifies blacklist-related configuration and is not source IP address-specific must be used together with the reset nat session command.
- Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Specify to control user 2.2.2.2 with
specific connection setup rate thresholds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit rate source 2.2.2.2
1.1.15 nat outbound
Syntax
nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number
undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number
View
VLAN interface view
Parameter
address-group: Specifies an address pool to be used for NAT. If you do not specify an address pool in the command, the IP address of the current interface is used as the translated source IP address, that is, the Easy IP feature is enabled.
no-pat: Specifies one-to-one NAT, so that only the source IP addresses in packets are translated while the port numbers are not.
acl-number: Index of an ACL, in the range from 2000 to 3999.
group-number: Index of a NAT address pool, in the range from 0 to 319.
slot-number: Slot number of the LPU to which the address pool will be bound. All NAT operations using this NAT rule are carried out on this LPU.
Description
Use the nat outbound command to associate an ACL with a NAT address pool and bind the address pool to an LPU, so that the addresses matching the ACL are translated to addresses in the pool on that LPU.
Use the undo nat outbound command to remove the configuration.
If you use the nat outbound command to associate an ACL with an address pool, the NAT process uses the IP addresses in the pool to translate the source addresses of the packets that match the ACL. You can configure multiple NAT associations on a VLAN interface, which is normally connected to an ISP network and serves as the egress of the internal network.
If you execute the nat outbound command without the address-group keyword, the Easy IP feature is implemented, and the IP address of the interface is used to translate the source addresses that match the specified ACL.
When you execute the nat outbound command on a VLAN interface with an address pool specified, the address pool should be on the same network segment as the IP address of the VLAN interface. Otherwise, NAT may not operate normally. In this case, you can use one of the following two ways to solve the problem.
1) Configuring a static route: Configure a static route to the VLAN interface on an upstream router (a router on the upstream network of the NAT-enabled switch).
2) Using a routing protocol to advertise the routes of the IP addresses in the address pool. To do this, configure static routes for the IP addresses in the address pool on the NAT-enabled switch, with the outbound interface being NULL. Note that the configured static route segments should cover the combined segments of the IP addresses in the address pool.
- For the NAT function, basic ACLs (2000 to 2999) support only the source IP address as the filtering item, and advanced ACLs (3000 to 3999) support both the source IP address and the destination IP address as filtering items. Other ACL filtering items are not supported currently.
- After you configure the nat outbound command with an ACL, any modifications to the ACL (adding or deleting rules) have no effect on the NAT configuration.
Example
Perform the following procedure to allow
hosts on segment 10.110.10.0/24 to be translated into addresses from
202.110.10.10 to 202.110.10.12. Suppose VLAN interface 2 is connected to an ISP
network.
# Configure an ACL.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule permit source 10.110.10.0 0.0.0.255
[H3C-acl-basic-2000] rule deny
[H3C-acl-basic-2000] quit
# Configure a NAT address pool.
[H3C] nat address-group 1 202.110.10.10 202.110.10.12
# Configure NAPT on the LPU in slot 3 with address pool 1.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat outbound 2000 address-group 1 slot 3
# Remove the NAPT configuration.
[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 slot 3
# Configure one-to-one NAT on the LPU in slot 3 with address pool 1.
[H3C-Vlan-interface2] nat outbound 2000 address-group 1 no-pat slot 3
# Remove the one-to-one NAT configuration.
[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 no-pat slot 3
# Configure the Easy IP feature, to directly use the IP address of VLAN interface 2 for address translation.
[H3C-Vlan-interface2] nat outbound 2000 slot 3
# Remove the Easy IP configuration.
[H3C-Vlan-interface2] undo nat outbound 2000 slot 3
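Two things in the nat outbound description above are worth checking before a rule goes live: which sources the ACL actually selects for translation (the page's ACL 2000 permits 10.110.10.0 with wildcard 0.0.0.255 and then denies everything else), and whether the pool lies on the VLAN interface's own segment, since the description says NAT may otherwise not operate normally. The script below performs both checks as an added example, not H3C code. The ACL rules mirror the page's example; the interface address 202.110.10.1/24 is constructed; evaluating rules in configured order with first match winning, and treating a source that matches no rule as not translated, are assumptions.

```python
"""Review a nat outbound rule offline: ACL wildcard matching of sample sources,
the translation mode the rule selects, and the pool-on-interface-segment check.
Added illustration, not H3C code; interface address and helper names are constructed."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# (action, source, wildcard); source None means "any" (the page's bare "rule deny")
Rule = Tuple[str, Optional[str], Optional[str]]

ACL_2000: List[Rule] = [
    ("permit", "10.110.10.0", "0.0.0.255"),   # rule permit source 10.110.10.0 0.0.0.255
    ("deny", None, None),                      # rule deny
]


def rule_matches(rule: Rule, src_ip: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    _, source, wildcard = rule
    if source is None:
        return True
    src = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    return (src & care) == (base & care)


def acl_permits(rules: Sequence[Rule], src_ip: str) -> bool:
    """First matching rule decides (assumed); no match means not translated (assumed)."""
    for rule in rules:
        if rule_matches(rule, src_ip):
            return rule[0] == "permit"
    return False


def translation_mode(address_group: Optional[int], no_pat: bool) -> str:
    """Which of the three behaviours described above a nat outbound line selects."""
    if address_group is None:
        return "easy-ip"        # no address-group: the interface address is used
    return "no-pat" if no_pat else "napt"


def pool_on_interface_segment(interface_cidr: str, start_addr: str, end_addr: str) -> bool:
    """True when both ends of the pool fall inside the interface's network."""
    net = ipaddress.IPv4Interface(interface_cidr).network
    return (ipaddress.IPv4Address(start_addr) in net
            and ipaddress.IPv4Address(end_addr) in net)


def review_outbound(interface_cidr: str, rules: Sequence[Rule],
                    pool: Optional[Tuple[str, str]], address_group: Optional[int],
                    no_pat: bool, sample_sources: Sequence[str]) -> Dict[str, object]:
    """Summarise the effect of one nat outbound line on the given sample sources."""
    mode = translation_mode(address_group, no_pat)
    findings: List[str] = []
    if mode != "easy-ip" and pool is not None \
            and not pool_on_interface_segment(interface_cidr, *pool):
        findings.append("pool is not on the interface segment: add a static route "
                        "upstream or advertise the pool, as the manual describes")
    translated = [ip for ip in sample_sources if acl_permits(rules, ip)]
    return {"mode": mode, "translated": translated, "findings": findings}


if __name__ == "__main__":
    # nat outbound 2000 address-group 1 slot 3, pool 202.110.10.10-12, interface 202.110.10.1/24 (constructed)
    print(review_outbound("202.110.10.1/24", ACL_2000, ("202.110.10.10", "202.110.10.12"),
                          1, False, ["10.110.10.5", "10.110.11.5", "192.168.1.1"]))
```

The review is intentionally independent of the device: the same ACL and pool definitions can be taken from a change ticket and evaluated before anyone types them into system view.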
Syntax
1) Configure an internal server
- Use the following command when TCP/UDP is used.
nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number
- Use the following command when protocols other than TCP/UDP are used.
nat server protocol pro-type global global-addr inside host-addr slot slot-number
2) Delete an internal server
- Use the following command when TCP/UDP is used.
undo nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number
- Use the following command when protocols other than TCP/UDP are used.
undo nat server protocol pro-type global global-addr inside host-addr slot slot-number
3) Configure a group of consecutive internal servers
nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number
4) Delete a group of consecutive internal servers
undo nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number
View
VLAN interface view
Parameter
pro-type: Protocol carried by IP, specified by a keyword such as tcp, udp, or icmp.
global-addr: Public IP address provided for access from external networks.
global-port: Public port number provided for access from external networks.
host-addr: Private IP address of an internal server.
host-port: Private port number provided by the server, in the range from 0 to 65535. In place of this argument you can also use a keyword for a well-known port, for example www for WWW service port 80 or ftp for FTP service port 21. The keyword any has the same meaning as port number 0 and indicates that the internal server can provide any available service on the internal network; this is not supported currently.
Caution:
The global-port and host-port arguments are not needed if a protocol other than TCP and UDP is used, since such protocols do not use port numbers.
global-port1, global-port2: Specify a range of consecutive port numbers that correspond one-to-one to the private addresses in the specified internal host address range. global-port2 must be larger than global-port1.
host-addr1, host-addr2: Specify a range of consecutive addresses that correspond one-to-one to the port numbers in the above port range. host-addr2 must be larger than host-addr1.
slot-number: Slot number of an LPU.
Description
Use the nat server command to define mapping table entries for internal servers. An entry maps the public address and port number given by the global-addr and global-port arguments to the private address and port number given by the host-addr and host-port arguments, so that external users who reach the public address and port are served by the internal server.
Use the undo nat server command to delete an internal server mapping entry.
You can use the nat server command to allow some internal servers to be accessed by external users, for example WWW, FTP, Telnet, POP3, and DNS servers.
Caution:
- Up to 128 internal servers can be configured in one nat server command.
- Up to 768 nat server commands can be configured for one VLAN interface.
- Up to 4,096 internal servers can be configured for one VLAN interface.
- Up to 1,024 nat server commands and 4,096 internal servers can be configured in a system.
- The interface configured with this command is an egress of the internal network and should be directly connected to an ISP network.
- Currently, secondary address translation on a NAT connection is not supported.
- To use the NetMeeting software or enable an internal FTP server, you need to configure both the nat server and nat outbound commands. For details, refer to 1.1.15 “nat outbound”.
Example
# Specify the IP address of the internal
WWW server to be 10.110.10.10, the IP address of the internal FTP server to be 10.110.10.11,
and allow external hosts to access the WWW server and FTP server by
http://202.110.10.10:8080 and ftp://202.110.10.10 respectively. Suppose that
VLAN interface 2 is connected to an ISP network.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3
# Specify an internal host 10.110.10.12 which can be successfully pinged by external hosts using the ping 202.110.10.11 command.
[H3C-Vlan-interface2] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 slot 2
# Delete the WWW server.
[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3
# Delete the FTP server.
[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3
# Specify an external address 202.110.10.10, map ports from 1001 to 1100 to the Telnet service of internal hosts from 10.110.10.1 to 10.110.10.100, thus allowing external access to 10.110.10.1 through 202.110.10.10:1001, access to 10.110.10.2 through 202.110.10.10:1002, and so on.
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet slot 5
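The consecutive-server form of nat server used in the last example creates one mapping per port, so the exposure it opens (here 100 Telnet services) is easy to underestimate from a single command line. The helper below expands such a command into the individual entries it creates, enforces the per-command limit of 128 servers and the ordering rules from the parameter descriptions, and answers which internal host a given public address:port reaches. It is an added example, not H3C code; the function names are hypothetical, the requirement that the two ranges be the same size follows from the one-to-one correspondence the parameter descriptions state, and the numeric values behind the www, ftp and telnet keywords are the standard well-known ports.

```python
"""Expand the consecutive-server form of nat server into individual entries
and resolve public address:port to the internal host it reaches.
Added illustration, not H3C code; helper names are hypothetical."""
import ipaddress
from typing import List, Optional, Tuple, Union

MAX_SERVERS_PER_COMMAND = 128   # "Up to 128 internal servers can be configured in one nat server command."
# Port keywords the page uses; the numbers are the standard well-known ports.
WELL_KNOWN = {"www": 80, "ftp": 21, "telnet": 23}

Entry = Tuple[str, int, str, int]   # (global_addr, global_port, host_addr, host_port)


def port_number(port: Union[str, int]) -> int:
    """Accept either a numeric port or one of the keywords the command allows."""
    return WELL_KNOWN[port] if isinstance(port, str) else int(port)


def expand_server_group(global_addr: str, global_port1: int, global_port2: int,
                        host_addr1: str, host_addr2: str,
                        host_port: Union[str, int]) -> List[Entry]:
    """Entries created by: nat server protocol tcp global global_addr
    global_port1 global_port2 inside host_addr1 host_addr2 host_port slot N."""
    if global_port2 <= global_port1:
        raise ValueError("global-port2 must be larger than global-port1")
    h1, h2 = ipaddress.IPv4Address(host_addr1), ipaddress.IPv4Address(host_addr2)
    if h2 <= h1:
        raise ValueError("host-addr2 must be larger than host-addr1")
    n_ports = global_port2 - global_port1 + 1
    n_hosts = int(h2) - int(h1) + 1
    if n_ports != n_hosts:   # one-to-one correspondence needs equal-size ranges (assumption)
        raise ValueError(f"{n_ports} ports cannot map one-to-one onto {n_hosts} hosts")
    if n_ports > MAX_SERVERS_PER_COMMAND:
        raise ValueError(f"{n_ports} servers exceed the per-command limit of {MAX_SERVERS_PER_COMMAND}")
    hp = port_number(host_port)
    return [(global_addr, global_port1 + i, str(h1 + i), hp) for i in range(n_ports)]


def inside_for(entries: List[Entry], global_addr: str, global_port: int) -> Optional[Tuple[str, int]]:
    """Which private address:port an external connection to global_addr:global_port reaches."""
    for g_addr, g_port, h_addr, h_port in entries:
        if g_addr == global_addr and g_port == global_port:
            return (h_addr, h_port)
    return None


if __name__ == "__main__":
    # The page's example: ports 1001-1100 on 202.110.10.10 onto Telnet of 10.110.10.1-100
    entries = expand_server_group("202.110.10.10", 1001, 1100,
                                  "10.110.10.1", "10.110.10.100", "telnet")
    print(len(entries), "entries; 202.110.10.10:1002 ->", inside_for(entries, "202.110.10.10", 1002))
```

Expanding a group into its entries is also the natural way to reconcile the intended configuration with display nat server output, which lists each server individually.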
Syntax
reset nat session slot slot-number
View
User view
Parameter
slot-number:
Slot number of an LPU.
Description
Use the reset nat session command to clear the NAT mapping table from memory and from the NP (network processor).
Example
# Clear the NAT mapping table established
by the LPU in slot 3.
<H3C> reset nat session slot 3
Syntax
nat ftp server global global-addr global-port inside host-addr host-port slot slot-number
undo nat ftp server global global-addr global-port inside host-addr host-port slot slot-number
View
VLAN interface view
Parameter
global-addr: Public IP address of an internal FTP server.
global-port: Public port number of the internal FTP server. This argument ranges from 0 to 12287. For port 21, you can use the keyword ftp in place of this argument.
host-addr: Private IP address of the internal FTP server.
host-port: Private port number of the internal FTP server. This argument ranges from 0 to 65535. For port 21, you can use the keyword ftp in place of this argument.
Caution:
Among ports 0 through 65535, well-known ports other than port 21 cannot be used as the private port of a non-standard internal FTP server. The CLI prompts you if you specify one of them in the commands listed below; you can list the well-known ports with the CLI command help.
slot-number: Slot number of an LPU.
Description
Use the nat ftp server command to configure a non-standard internal FTP server.
Use the undo nat ftp server command to remove a non-standard internal FTP server configuration.
These two commands can be used together with other internal server-related commands, such as the nat server and undo nat server commands. In this case, bear in mind that:
- The nat server command can only be used to configure internal FTP servers that use private port 21.
- The undo nat server command can be used to remove internal FTP servers configured by the nat ftp server command.
- The undo nat ftp server command can be used to remove internal FTP servers configured by the nat server command.
Related command: nat server.
Example
# Configure a non-standard internal FTP server that uses 202.10.10.1 and 11225 as the public IP address and port number, and 1.1.1.3 and 1698 as the private IP address and port number.
<H3C> system-view
[H3C] interface vlan-interface 3
[H3C-Vlan-interface3] nat ftp server global 202.10.10.1 11225 inside 1.1.1.3 1698 slot 3
Syntax
display ip userlog export slot slot-number
View
Any view
Parameter
slot-number:
Slot number of an LPU.
Description
Use the display ip userlog export command
to display the configuration and statistics of NAT logging.
Example
# Display the configuration of NAT logging.
<H3C> display ip userlog export slot 6
NAT:
 IP userlog export is not enabled
 Version 1 export is enabled
 Export logs to 0.0.0.0 (Port: 0)
 (DEFAULT)Export logs to 0.0.0.0 (Port: 0)
 Export using source address 0.0.0.0
 IP userlog flowbegin mode is not enabled
 IP userlog active time: 0 minutes
 0 logs exported in 0 udp datagrams
 0 logs in 0 udp datagrams failed to output
 0 entries buffered currently
Syntax
ip userlog nat slot slot-number acl acl-number
undo ip userlog nat slot slot-number
View
System view
Parameter
slot-number:
Slot number of an LPU.
acl-number:
Index of an ACL, in the range from 2000 to 3999.
Description
Use the ip userlog nat slot slot-number acl command to enable NAT logging and configure the NAT logging ACL, which defines the packets whose information is logged.
Use the undo ip userlog nat slot command to disable NAT logging.
By default, NAT logging is disabled for every LPU.
Example
# Enable NAT logging on the LPU in slot 3,
and use ACL 2000 as the logging ACL.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat slot 3 acl 2000
Syntax
ip userlog nat active-time minutes
undo ip userlog nat active-time
View
System view
Parameter
minutes: Wait interval for logging active NAT connections, in minutes. Once a connection has been active for this interval, the NAT process logs it periodically at this interval. This argument ranges from 10 to 120. The default value is 0, meaning that logging of active connections is disabled.
Description
Use the ip userlog nat active-time command to set the wait interval for logging active NAT connections.
Use the undo ip userlog nat active-time command to disable the logging of active connections.
The NAT process normally logs a NAT connection only when the connection is deleted. Connections that stay active for a long time may need to be logged regularly at a specific interval; this command achieves that by setting the corresponding timer on the SRPU.
Example
# Set the wait interval to log active NAT
connections to 30 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat active-time 30
Syntax
ip userlog nat export [ slot slot-number ] host ip-address udp-port
undo ip userlog nat export [ slot slot-number ] host
View
System view
Parameter
ip-address:
IP address of a log server, that is, the destination IP address for log
packets. By default, it is 0.0.0.0, indicating NAT logging is disabled.
udp-port:
UDP port number of a log server, that is, the destination port number for log
packets. It ranges from 0 to 65535 and is 0 by default.
slot-number:
Slot number of an LPU. If you specify the slot-number argument, the
configuration is only effective for the specified LPU; otherwise, the
configuration is effective for all LPUs. The configuration with the slot-number
argument specified takes precedence over the global configuration.
Description
Use the ip userlog nat export host command
to set the address and port number of the global destination server for log
packets.
Use the undo ip userlog nat export host command
to restore the default settings for global destination server.
Use the ip userlog nat export slot slot-number
host command to set the address and port number of a specific destination
server for log packets on a specified LPU.
Use the undo ip userlog nat export slot slot-number
host command to restore the settings of global destination server for log
packets on a specified LPU.
Example
# Set the destination IP address and UDP
port number of log packets on the LPU in slot 3 to 169.254.1.1 and 200 respectively.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat export slot 3 host 169.254.1.1 200
Syntax
ip userlog nat export source-ip src-address
undo ip userlog nat export source-ip
View
System view
Parameter
src-address:
Source IP address for log packets. The default source IP address is 0.0.0.0,
indicating that the VLAN interface IP address is used as the source IP address.
Description
Use the ip userlog nat export source-ip command
to set the source IP address of log packets.
Use the undo ip userlog nat export
source-ip command to restore the default source IP address setting.
By default, a log packet uses its VLAN
interface IP address as its source IP address.
Example
# Set the source IP address of log packets
to 169.254.3.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat export source-ip 169.254.3.1
Syntax
ip userlog nat export version version-number
undo ip userlog nat export version
View
System view
Parameter
version-number: Version of log packets. It defaults to 1 and can currently only be 1; the field is reserved so that network management software can identify extended log packets in the future.
Description
Use the ip userlog nat export version command
to set the version of log packets.
Use the undo ip userlog nat export
version command to restore the default version of log packets.
Example
# Set the version of log packets to 1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat export version 1
Syntax
ip userlog nat mode flow-begin
undo ip userlog nat mode flow-begin
View
System view
Parameter
None
Description
Use the ip userlog nat mode flow-begin command to have NAT logging performed whenever a NAT connection is established.
Use the undo ip userlog nat mode flow-begin command to restore the default logging mode.
NAT logging has the following two modes; you choose one with the commands here.
- Perform logging only when a NAT connection is deleted.
- Perform logging whenever a NAT connection is established or deleted.
By default, NAT logging is performed only when a NAT connection is deleted.
Example
# Configure to have NAT logging performed
whenever a connection is established.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat mode flow-begin