H3C S9500 Command Manual-Release2132[V2.03]-07 Security Volume

04-L3+NAT Commands

Chapter 1  NAT Configuration Commands

1.1  NAT Configuration Commands

1.1.1  connection-limit default action

Syntax

connection-limit default action [ permit | deny ]

undo connection-limit default action

View

System view

Default Level

2: System level

Parameters

deny: Disables the connection-limit function globally.

permit: Enables the connection-limit function globally.

Description

Use the connection-limit default action command to specify the default connection-limit action globally, either permit or deny. The effect of this command applies to all user connections not defined in the connection-limit policy.

Use the undo connection-limit default action command to restore the default.

By default, connection-limit is not enabled.

Examples

# Configure the default connection-limit action as permit.

<Sysname> system-view

[Sysname] connection-limit default action permit

1.1.2  connection-limit default amount

Syntax

connection-limit default amount upper-limit max-amount

undo connection-limit default amount

View

System view

Default Level

2: System level

Parameters

upper-limit max-amount: Specifies the upper limit of connections. The value range is 1 to 65536.

Description

Use the connection-limit default amount command to set the upper limit of user connections globally.

Use the undo connection-limit default amount command to restore the default.

By default, the upper limit is 200.

Examples

# Configure the upper limit as 100.

<Sysname> system-view

[Sysname] connection-limit default amount upper-limit 100

1.1.3  connection-limit default rate

Syntax

connection-limit default rate max-rate max-rate

undo connection-limit default rate

View

System view

Default Level

2: System level

Parameters

max-rate max-rate: Specifies the maximum connection rate, that is, the maximum number of connections allowed per second. The value ranges from 1 to 200.

Description

Use the connection-limit default rate command to specify a global maximum connection rate.

Use the undo connection-limit default rate command to restore the default.

By default, the maximum connection rate is 100.

Examples

# Configure the global maximum connection rate.

<Sysname> system-view

[Sysname] connection-limit default rate max-rate 50

1.1.4  connection-limit enable

Syntax

connection-limit enable

undo connection-limit enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the connection-limit enable command to enable the connection-limit function.

Use the undo connection-limit enable command to disable this function.

By default, the connection-limit function is disabled.

Once this function is enabled, both the connection number and the connection rate are limited.

Examples

# Enable the connection-limit function.

<Sysname> system-view

[Sysname] connection-limit enable

# Disable the connection-limit function.

[Sysname] undo connection-limit enable

1.1.5  connection-limit policy

Syntax

connection-limit policy policy-number

undo connection-limit policy { policy-number | all }

View

System view

Default Level

2: System level

Parameters

policy-number: Connection-limit policy number.

all: Deletes all connection-limit policies.

Description

Use the connection-limit policy command to create or edit a connection-limit policy and enter connection-limit policy view.

Use the undo connection-limit policy command to delete a specified or all connection-limit policies.

Note that:

- A connection-limit policy contains a set of rules that define the connection-limit mode, the maximum connection rate and the connection number. By default, the connection-limit mode and the maximum connection rate follow the global configuration.

- When creating a connection-limit policy, you need to assign it a number that uniquely identifies the policy. Policies are matched by number in descending order.

- You can modify the rules in a policy only before binding the policy to a NAT module. Whether or not a connection-limit policy is bound to a NAT module, you can modify its connection-limit mode and maximum connection rate, and you can add rules to or delete rules from the policy. A modified connection-limit policy takes effect after the flow table ages out.

Examples

# Create a connection-limit policy numbered 1.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1]

# Delete the connection-limit policy numbered 2.

<Sysname> system-view

[Sysname] undo connection-limit policy 2

# Delete all the existing connection-limit policies.

<Sysname> system-view

[Sysname] undo connection-limit policy all

1.1.6  debugging nat

Syntax

debugging nat { alg | event | packet } [ interface interface-type interface-number ]

undo debugging nat { alg | event | packet } [ interface interface-type interface-number ]

View

User view

Default Level

1: Monitor level

Parameters

alg: Enables/disables debugging for the ALG (application level gateway).

event: Enables/disables event debugging.

packet: Enables/disables packet debugging.

interface interface-type interface-number: Enables debugging for NAT data packets on the specified interface, identified by its interface type and interface number.

Description

Use the debugging nat command to enable specific NAT debugging.

Use the undo debugging nat command to disable specific NAT debugging.

By default, NAT debugging is disabled.

Examples

# Enable NAT ALG debugging on a NAT-capable device.

<Sysname> debugging nat alg

# Enable NAT event debugging on a NAT-capable device.

<Sysname> debugging nat event

# Enable NAT packet debugging on a NAT-capable device.

<Sysname> debugging nat packet

1.1.7  debugging connection-limit

Syntax

debugging connection-limit

undo debugging connection-limit

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the debugging connection-limit command to enable connection limit debugging.

Use the undo debugging connection-limit command to disable connection limit debugging.

By default, connection limit debugging is disabled.

Examples

# Enable connection limit debugging on a NAT-capable device.

<Sysname> debugging connection-limit

1.1.8  display connection-limit policy

Syntax

display connection-limit policy { policy-number | all }

View

Any view

Default Level

1: Monitor level

Parameters

policy-number: Number of a connection-limit policy.

all: Displays all connection-limit policies.

Description

Use the display connection-limit policy command to display a specific or all connection-limit policies.

Related commands: limit

Examples

# Display all connection-limit policies configured.

<Sysname> display connection-limit policy all

There is 1 policy:

Connection-limit policy 1, refcount 0 , 1 limit

 limit mode amount

 limit rate 11

 limit 1 source 192.168.0.12 amount 200

Table 1-1 Description on the fields of the display connection-limit policy all command

Connection-limit policy
    Number of the connection-limit policy
refcount
    Number of times that the policy is referenced
limit
    Number of rules in the policy. For details about the rules, refer to the limit command in connection-limit policy view
limit mode
    Connection-limit mode (all, amount, rate):
    - all: limits both connection number and connection rate.
    - amount: limits connection number only.
    - rate: limits connection rate only.
limit rate
    Connection rate limit
source
    Source address
amount
    Upper limit of user connections

 

1.1.9  display nat address-group

Syntax

display nat address-group

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display nat address-group command to display the NAT address pool information.

Examples

# Display the NAT address pool information.

<Sysname> display nat address-group

NAT address-group information:

  There are currently 1 nat address-group(s) and 1 virtual address-group(s)

      1 : from      92.1.1.200   to      92.1.1.202

    320 : from        92.1.1.1   to        92.1.1.1

Table 1-2 Description on the fields of the display nat address-group command

NAT address-group information
    NAT address pool information
There are currently 1 nat address-group(s) and 1 virtual address-group(s)
    There is one NAT address group and one virtual address pool configured with Easy IP
1 : from 92.1.1.200 to 92.1.1.202
    The range of IP addresses in address pool 1 is from 92.1.1.200 to 92.1.1.202.
320 : from 92.1.1.1 to 92.1.1.1
    Easy IP is configured and the corresponding IP address is 92.1.1.1.

 

1.1.10  display nat all

Syntax

display nat all

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display nat all command to display the configurations of all NAT parameters.

Examples

# Display the configurations of all NAT parameters.

<Sysname> display nat all

NAT address-group information:

There are currently 2 nat address-group(s)

      1 : from         1.1.1.4   to         1.1.1.6

      2 : from       100.0.0.4   to       100.0.0.4

NAT outbound information:

There are currently 2 nat outbound rule(s)

                Vlan-interface1001: acl(2001) --- NAT address-group(1)

                Vlan-interface1000: acl(2000) --- NAT address-group(2)

NAT server in private network information:

  There are currently 1 internal server(s)

  Interface:Vlan-interface1000, Protocol:6(tcp),

     [global]        100.0.0.8:   21(ftp)   [local]    192.168.0.128:   21(ftp)

NAT log information:

  log enable  :  enable acl 2000

  flow-begin  :  enable

  flow-active :  10(minutes)

Table 1-3 Description on the fields of the display nat all command

NAT address-group information
    NAT address pool information
There are currently 2 nat address-group(s)
    There are currently two NAT address pools.
1 : from 1.1.1.4 to 1.1.1.6
    The IP address range of address pool 1 is from 1.1.1.4 to 1.1.1.6.
2 : from 100.0.0.4 to 100.0.0.4
    The IP address range of address pool 2 is from 100.0.0.4 to 100.0.0.4.
NAT outbound information:
    Configuration information about internal address-to-external address translation
There are currently 2 nat outbound rule(s)
    There are currently two NAT outbound rules.
Vlan-interface1001: acl(2001) --- NAT address-group(1)
    Address translation information configured on VLAN-interface 1001
Vlan-interface1000: acl(2000) --- NAT address-group(2)
    Address translation information configured on VLAN-interface 1000
NAT server in private network information:
    Information about internal servers
There are currently 1 internal server(s)
    There is currently one internal server.
Interface:Vlan-interface1000, Protocol:6(tcp),
[global] 100.0.0.8: 21(ftp) [local] 192.168.0.128: 21(ftp)
    Internal server configured on VLAN-interface 1000: the protocol is TCP, the public network address is 100.0.0.8 with port number 21, and the internal IP address is 192.168.0.128 with port number 21.
NAT log information:
    Address translation log information
log enable: enable acl 2000
    Logging data flows matching ACL 2000
flow-begin: enable
    Logging newly established sessions
flow-active: 10(minutes)
    Interval for logging active flows (10 minutes)

 

1.1.11  display nat connection-limit

Syntax

display nat connection-limit { all | ip user-ip [ vpn-instance vpn-instance-name ] }

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays the connection-limit statistics of all users.

ip user-ip: Displays the connection-limit statistics of the user defined by the specified IP address.

vpn-instance vpn-instance-name: Specifies the MPLS VPN instance that a connection belongs to. The vpn-instance-name argument is a string of 1 to 31 characters. If this keyword and argument are absent, the user whose connection statistics are displayed belongs to a normal private network rather than an MPLS VPN instance.

Description

Use the display nat connection-limit command to display NAT connection-limit statistics.

Examples

# Display NAT connection-limit statistics.

<Sysname> display nat connection-limit all

 There are 2 users' connection-limit information:

  IP-address         Vpn-instance                       Amount    Rate

  10.110.10.0        vpn1                                0         0

  10.110.12.0        ---                                 0         0

Table 1-4 Description on the fields of the display nat connection-limit command

Vpn-instance
    MPLS VPN instance that a connection belongs to. "---" indicates that the connection does not belong to any MPLS VPN instance.
Amount
    Number of active connections
Rate
    Connection rate

 

1.1.12  display nat limit

Syntax

display nat limit { all | public | vpn-instance vpn-instance-name }

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays resource distribution and utilization information about both ordinary (non-VPN) and VPN users.

public: Displays resource distribution and utilization information about the ordinary users.

vpn-instance: Displays resource distribution and utilization information for the specified VPN user.

vpn-instance-name: Name of VPN instance.

Description

Use the display nat limit command to display the current resource allocation and utilization information.

Note that if you have manually configured the resource limits for ordinary users, this command displays the detailed values allocated to them. Otherwise, it does not display the detailed values but assumes that all the resources belong to the ordinary users.

Examples

# Display the current resource allocation and utilization information (with resources manually allocated for ordinary users).

<Sysname> display nat limit all

The max configurable user amount of system is:                          8192

The available configurable user amount of system is:                   5192

The max configurable connection amount of system is:                1257291

The available configurable connection amount of system is:          1227291

 

Global Configuration

TYPE               Max-User Amount                  Max- Connection Amount

Public                  1000                              10000

VPN1                    1000                              10000

VPN2                    1000                              10000

 

Slot 5             User Amount                  Connection Amount

TYPE         Max       Cur       Avail        Max       Cur       Avail

Public      1000       100        900        10000      200        9800

VPN1        1000         0       1000        10000       0        10000

VPN2        1000         0       1000        10000       0        10000

 

Slot 6             User Amount                  Connection Amount

TYPE         Max       Cur       Avail        Max       Cur       Avail

Public      1000        0        1000        10000       0        10000

VPN1        1000        0        1000        10000       0        10000

VPN2        1000       500        500        10000      500        9500

# Display the current resource allocation and utilization information (without manually allocating resources for ordinary users).

<Sysname> display nat limit all

The max configurable user amount of system is:                          8192

The available configurable user amount of system is:                   5192

The max configurable connection amount of system is:                 1257291

The available configurable connection amount of system is:           1237291

 

Global Configuration

TYPE               Max-User Amount                  Max- Connection Amount

Public            ------------                         ------------

VPN1                 1000                                  10000

VPN2                2000                                  10000

 

Slot 5             User Amount                  Connection Amount

 

TYPE         Max       Cur       Avail        Max       Cur       Avail

Public     ------       0       ------      -------      0      -------

VPN1        1000        0        1000        10000       0        10000

VPN2        2000        0        2000        10000       0        10000

 

Slot 6             User Amount                  Connection Amount

TYPE         Max       Cur       Avail        Max       Cur       Avail

Public     ------       0       ------      -------      0      -------

VPN1        1000        0        1000        10000       0        10000

VPN2        2000      500        1500        10000      500        9500

Table 1-5 Description on the fields of the display nat limit command

The max configurable user amount of system is:
    Maximum number of users supported on L3+NAT boards
The available configurable user amount of system is:
    Remaining number of users allowed
The max configurable connection amount of system is:
    Maximum number of user connections supported on L3+NAT boards
The available configurable connection amount of system is:
    Remaining number of user connections that can be created
Global Configuration
    Global resource distribution information
Slot
    Slot number of an L3+NAT board
User Amount
    Information about the user number
Connection Amount
    Information about the user connection number
Max-User Amount
    Maximum user number
Max- Connection Amount
    Maximum number of user connections
TYPE
    User type, either public (non-VPN) or VPN user
Max
    Maximum number of users or connections
Cur
    Number of current users or connections
Avail
    Number of users or connections available
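As an added example that is not part of the manual, the following Python script parses the per-slot tables of the display nat limit all output documented above and reports which user type on which board is close to its configured cap, which is the check an operator wants before a NAT resource runs out. The sample output is constructed to match the format shown, including the dashes printed when no limit has been allocated for the ordinary users.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the per-slot format of display nat limit all.
# Dashes mean no per-type limit was allocated; the text above says all
# remaining resources are then assumed to belong to the ordinary users.
SAMPLE_OUTPUT = """\
Slot 5             User Amount                  Connection Amount
TYPE         Max       Cur       Avail        Max       Cur       Avail
Public      1000       100        900        10000      200        9800
VPN1        1000         0       1000        10000       0        10000

Slot 6             User Amount                  Connection Amount
TYPE         Max       Cur       Avail        Max       Cur       Avail
Public     ------       0       ------      -------      0      -------
VPN2        2000       500       1500        10000      500        9500
"""

SLOT_RE = re.compile(r"^\s*Slot\s+(\d+)\b")
# TYPE, then Max/Cur/Avail for users and Max/Cur/Avail for connections.
# Max and Avail may be a run of dashes, Cur is always a number.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

Counters = Tuple[Optional[int], int, Optional[int]]   # (Max, Cur, Avail)


def _num(tok: str) -> Optional[int]:
    """A run of dashes means 'not configured'; everything else is an integer."""
    return None if set(tok) == {"-"} else int(tok)


def parse_nat_limit(text: str) -> Dict[int, Dict[str, Dict[str, Counters]]]:
    """Return {slot: {TYPE: {"user": (max, cur, avail), "conn": (max, cur, avail)}}}."""
    slots: Dict[int, Dict[str, Dict[str, Counters]]] = {}
    slot = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            slots[slot] = {}
            continue
        if slot is None or line.strip().startswith("TYPE"):
            continue            # skip anything before the first slot and the column headers
        m = ROW_RE.match(line)
        if m:
            g = m.groups()
            slots[slot][g[0]] = {
                "user": (_num(g[1]), int(g[2]), _num(g[3])),
                "conn": (_num(g[4]), int(g[5]), _num(g[6])),
            }
    return slots


def high_utilization(slots, threshold: float = 0.8) -> List[Tuple[int, str, str, int, int]]:
    """List (slot, TYPE, resource, cur, max) entries whose usage is at or above the threshold."""
    alerts = []
    for slot in sorted(slots):
        for typ, res in slots[slot].items():
            for kind, (mx, cur, _avail) in res.items():
                if not mx:
                    continue    # dashes: no configured cap to measure against
                if cur / mx >= threshold:
                    alerts.append((slot, typ, kind, cur, mx))
    return alerts


if __name__ == "__main__":
    # A low threshold is used here only so the constructed sample produces a hit.
    for slot, typ, kind, cur, mx in high_utilization(parse_nat_limit(SAMPLE_OUTPUT), 0.2):
        print(f"slot {slot} {typ} {kind}: {cur}/{mx} in use")
```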

 

1.1.13  display nat log

Syntax

display nat log

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display nat log command to view the NAT log configuration.

Related commands: nat log enable, nat log flow-active, nat log flow-begin

Examples

# View the NAT log configuration.

<Sysname> display nat log

NAT log information:

  log enable  :  enable acl 2000

  flow-begin  :  enable

  flow-active :  10(minutes)

Table 1-6 Description on the fields of the display nat log command

NAT log information:
    NAT log configuration
log enable : enable acl 2000
    Logging data flows matching ACL 2000
flow-begin : enable
    Logging newly established sessions
flow-active : 10(minutes)
    Interval for logging active flows (10 minutes)

 

1.1.14  display nat outbound

Syntax

display nat outbound

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display nat outbound command to display the address translation information.

Examples

# Display the NAT address translation information.

<Sysname> display nat outbound

NAT outbound information:

  There are currently 1 nat outbound rule(s)

                  Vlan-interface10: acl(2001) --- NAT address-group(2)

 

Table 1-7 Description on the fields of the display nat outbound command

NAT outbound information:
    Configured NAT address translation information
There are currently 1 nat outbound rule(s)
    There is currently one NAT outbound rule.
Vlan-interface10: acl(2001) --- NAT address-group(2)
    ACL 2001 is associated with address pool 2 on VLAN-interface 10 to provide many-to-many NAT.

 

1.1.15  display nat server

Syntax

display nat server

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display nat server command to display information about internal servers.

Related commands: nat server

Examples

# Display information about internal servers.

<Sysname> display nat server

NAT server in private network information:

  There are currently 1 internal server(s)

  Interface: Vlan-interface10, Protocol:6(tcp),

     [global]    202.110.10.10:      8080   [local]     10.110.10.10:   80(www)

Table 1-8 Description on the fields of the display nat server command

NAT server in private network information
    Information about internal servers
There are currently 1 internal server(s)
    There is currently one internal server.
Interface: Vlan-interface10, Protocol:6(tcp),
[global] 202.110.10.10: 8080 [local] 10.110.10.10: 80(www)
    On VLAN-interface 10, a WWW server is configured. Its internal address and port number are 10.110.10.10 and 80; its external address and port number are 202.110.10.10 and 8080. The protocol type is TCP.
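Every line in this output is a service published from the private network, so the list is worth reconciling against what is meant to be exposed. As an added example that is not part of the manual, the following Python script parses the display nat server output format shown above (the same mapping line appears in display nat all) into structured records and reports any mapping absent from an approved list. The sample output and the approved list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the format documented for display nat server.
SAMPLE_OUTPUT = """\
NAT server in private network information:
  There are currently 2 internal server(s)
  Interface: Vlan-interface10, Protocol:6(tcp),
     [global]    202.110.10.10:      8080   [local]     10.110.10.10:   80(www)
  Interface: Vlan-interface1000, Protocol:6(tcp),
     [global]        100.0.0.8:   21(ftp)   [local]    192.168.0.128:   21(ftp)
"""

# "Interface: Vlan-interface10, Protocol:6(tcp),"; display nat all prints
# "Interface:Vlan-interface1000" without the space, so the space is optional.
IFACE_RE = re.compile(r"Interface:\s*(?P<iface>\S+?),\s*Protocol:(?P<proto>\d+)\(")
# "[global] 202.110.10.10: 8080 [local] 10.110.10.10: 80(www)"; the service name
# in parentheses is optional and a trailing comma on the line is tolerated.
MAP_RE = re.compile(
    r"\[global\]\s+(?P<gip>\d+\.\d+\.\d+\.\d+):\s*(?P<gport>\d+)(?:\(\w+\))?"
    r"\s+\[local\]\s+(?P<lip>\d+\.\d+\.\d+\.\d+):\s*(?P<lport>\d+)(?:\(\w+\))?"
)


@dataclass(frozen=True)
class NatServer:
    interface: str
    protocol: int      # IP protocol number as printed: 6 is TCP, 17 is UDP
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


def parse_nat_server(text: str) -> List[NatServer]:
    """Parse display nat server output into one NatServer per mapping line."""
    servers: List[NatServer] = []
    iface, proto = None, None
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            # The interface/protocol line precedes the mapping line(s) it applies to.
            iface, proto = m.group("iface"), int(m.group("proto"))
            continue
        m = MAP_RE.search(line)
        if m and iface is not None:
            servers.append(NatServer(iface, proto,
                                     m.group("gip"), int(m.group("gport")),
                                     m.group("lip"), int(m.group("lport"))))
    return servers


Exposure = Tuple[int, str, int]   # (protocol number, public address, public port)


def unapproved_mappings(servers: List[NatServer], approved: Set[Exposure]) -> List[NatServer]:
    """Return every published service whose public side is not on the approved list."""
    return [s for s in servers if (s.protocol, s.global_ip, s.global_port) not in approved]


if __name__ == "__main__":
    # Constructed approved list: only the web server on 8080 is expected to be published.
    approved = {(6, "202.110.10.10", 8080)}
    for s in unapproved_mappings(parse_nat_server(SAMPLE_OUTPUT), approved):
        print(f"unapproved: {s.interface} proto {s.protocol} "
              f"{s.global_ip}:{s.global_port} -> {s.local_ip}:{s.local_port}")
```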

 

1.1.16  display nat session

Syntax

display nat session slot slot-number protocol { tcp | udp } [ vpn-instance vpn-instance-name ] source { global global-address global-port | inside inside-address inside-port } destination dst-address destination-port

View

Any view

Default Level

1: Monitor level

Parameters

protocol { tcp | udp }: Specifies the protocol of the NAT sessions to display.

vpn-instance vpn-instance-name: Displays NAT translation table entries in the specified MPLS VPN instance.

slot slot-number: Displays the NAT sessions for a card on the specified slot.

source global global-address: Displays NAT translation table entries for the specified external source IP address.

source inside inside-address: Displays NAT translation table entries for the specified internal source IP address.

destination dst-address: Displays NAT translation table entries for the specified destination IP address.

global-port, inside-port: Source port number.

destination-port: Destination port number.

Description

Use the display nat session command to display the active NAT sessions.

Examples

# Display the active NAT sessions.

<Sysname> display nat session slot 10 protocol tcp vpn-instance vpn1 source inside 200.1.4.1 1024 destination 5.45.0.2 1025

SlotNumber   10

Protocol      GlobalAddr  Port   VPN      InsideAddr  Port        DestAddr  Port

       6      5.45.0.212 16384     1       200.1.4.1  1024        5.45.0.2  1025

                     status: 0,        TTL: 01:00:00,       Left: 00:00:00

Table 1-9 Description on the fields of the display nat session command

Protocol
    Protocol number. A value of 6 represents TCP.
GlobalAddr  Port
    Address and port number after translation
InsideAddr  Port
    Private IP address and port number
DestAddr  Port
    Destination IP address and port number
VPN
    Index of the MPLS VPN instance to which translation table entries belong. Its value varies from system to system. For systems that support 1,024 VPN instances, this parameter ranges from 0 to 1,023. A value of 0 indicates that translation table entries do not belong to any MPLS VPN instance.
status
    Status of translation table entries
TTL
    Lifetime of translation table entries, in the format hh:mm:ss
Left
    Remaining lifetime of translation table entries, in the format hh:mm:ss

 

1.1.17  display nat statistics

Syntax

display nat statistics slot slot-number

View

Any view

Default Level

1: Monitor level

Parameters

slot slot-number: Displays NAT statistics for a card in the specified slot.

Description

Use the display nat statistics command to display NAT statistics.

Examples

# Display NAT statistics.

<Sysname> display nat statistics slot 6

 Slot number : 6

  total PAT session table count: 0

  total NO-PAT session table count: 0

  total SERVER session table count: 5

  total STATIC session table count: 0

  total FRAGMENT session table count: 0

  total session table count HASH by Internet side IP: 0

  active PAT session table count: 0

  active NO-PAT session table count: 0

  active FRAGMENT session table count: 0

  active session table count HASH by Internet side IP: 0

Table 1-10 Description on the fields of the display nat statistics command

total PAT session table count
    Number of PAT session entries
total NO-PAT session table count
    Number of No-PAT session entries
total SERVER session table count
    Number of SERVER session entries
total STATIC session table count
    Number of STATIC session entries
total FRAGMENT session table count
    Number of FRAGMENT session entries
total session table count HASH by Internet side IP
    Number of HASH entries calculated based upon the external IP address
active PAT session table count
    Number of active PAT session entries
active NO-PAT session table count
    Number of active No-PAT session entries
active FRAGMENT session table count
    Number of active FRAGMENT session entries
active session table count HASH by Internet side IP
    Number of active HASH entries calculated based upon the external IP address

 

1.1.18  display userlog export

Syntax

display userlog export slot slot-number

View

Any view

Default Level

1: Monitor level

Parameters

slot slot-number: Displays the NAT log information for the card in the specified slot.

Description

Use the display userlog export command to view the configuration and statistics of logs output to the log server.

Note that this command can display all types of logs output to the log server, but only NAT logs are described in this document.

Related commands: userlog nat export

Examples

# Display the configuration and statistics of the NAT logs for the card in Slot 2 of the switch.

<Sysname> display userlog export slot 2

NAT:

   Version 1 export is enabled

   Export logs to 1.2.3.6 (port: 7013)

   Source address of UDP packet of userlog is 1.2.3.7

   137 logs exported in 85 UDP packets

   0 logs in 0 UDP packets failed to be outputted

   0 entries buffered

   vpn-instance is vpn3

Table 1-11 Description on the fields of the display userlog export command

NAT
    NAT log information to be displayed. FLOW represents flow logs.
Version 1 export is enabled
    UDP packet export is enabled, in the version 1 format
Export logs to (port:)
    IP address and port number of the NAT log server
Source address of UDP packet of userlog is
    Source IP address of NAT logs
137 logs exported in 85 UDP packets
    Number of logs exported and number of UDP packets used to carry them
0 logs in 0 UDP packets failed to be outputted
    Number of logs, and of UDP packets, that failed to be exported
0 entries buffered
    Number of entries in the buffer
No userlog export is enabled
    This message appears in one of the following cases:
    - The NAT log function is not enabled.
    - The NAT log function is enabled but the logs are not configured to be exported to the information center.
    - The NAT log function is enabled and logs are exported to the information center, but the IP address and UDP port number of the corresponding log server are not configured.
VPN-Instance is
    VPN instance to which the log server belongs

 

1.1.19  limit mode

Syntax

limit mode { all | amount | rate }

undo limit mode

View

Connection-limit policy view

Default Level

2: System level

Parameters

all: Limits both the connection number and the connection rate.

amount: Limits the number of connections only.

rate: Limits the connection rate only.

Description

Use the limit mode command to specify a connection-limit mode.

Use the undo limit mode command to remove the configuration and restore the connection limit mode configured globally.

By default, both the connection number and connection rate are limited.

 

Note:

The support for this command varies by device model.

 

Examples

# Specify a connection-limit mode for connection-limit policy 1.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] limit mode amount

1.1.20  limit rate

Syntax

limit rate max-rate

undo limit rate

View

Connection-limit policy view

Default Level

2: System level

Parameters

max-rate: Specifies the maximum connection rate (number of connections that can be established in a second) for the current connection-limit policy. The value ranges from 1 to 200. By default, the global maximum connection rate is used.

Description

Use the limit rate command to configure the maximum connection rate for a connection-limit policy.

Use the undo limit rate command to remove the configuration and use the global setting.

Examples

# Configure the maximum connection rate for connection-limit policy 1 as 80.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] limit rate 80

1.1.21  limit source

Syntax

limit limit-id source user-ip [ vpn-instance vpn-instance-name ] { amount max-amount | rate } *

undo limit limit-id

View

Connection-limit policy view

Default Level

2: System level

Parameters

limit-id: ID of a rule in a connection-limit policy. The value is in the range of 0 to 1023.

source: Limits connections based on the source IP address.

user-ip: Source IP address of a user.

vpn-instance-name: Name of a VPN instance to which an internal server belongs. Absence of this argument indicates that the internal server belongs to a normal private network instead of an MPLS VPN instance.

amount: Specifies an upper limit on the number of connections.

max-amount: Value of the upper limit, in the range of 1 to 65535.

rate: Applies the rate limit configured in connection-limit policy view. Without this keyword, the globally configured rate limit is used.

Description

Use the limit source command to configure a connection-limit rule.

Use the undo limit command to remove the configuration.

Examples

# Configure connection-limit rule 1, which counts the connections of users with source IP address 1.1.1.1 and sets the upper limit on their connection number to 200.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] limit 1 source 1.1.1.1 amount 200

1.1.22  nat address-group

Syntax

nat address-group group-number start-address end-address

undo nat address-group group-number

View

System view

Default Level

2: System level

Parameters

group-number: Index of an address pool, in the range of 0 to 319.

start-address: The beginning IP address in an address pool.

end-address: The ending IP address in an address pool. The end-address must not be smaller than the start-address.

Description

Use the nat address-group command to specify an address pool for NAT.

Use the undo nat address-group command to remove the configuration.

An address pool is a set of contiguous IP addresses. When an internal packet is forwarded to the external network, the system selects an address from the pool to serve as the source address after translation. An equal start-address and end-address means that the address pool contains only one IP address.

An address pool is not needed in the case of Easy IP, where the interface's public IP address is used as the translated IP address.

 

Caution:

- The volume of an address pool, namely the number of addresses it contains, cannot exceed 255.

- You cannot delete an address pool that has been associated with an ACL.

- For Ethernet switches, when NAPT translation is used, the number of addresses in an address pool cannot exceed 32, and the addresses must be contiguous and in the same network segment.

- The addresses in common address pools cannot overlap. A common address pool cannot contain any IP address of a virtual address pool, nor any public network IP address of an internal server.

 

Examples

# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.

<Sysname> system-view

[Sysname] nat address-group 1 202.110.10.10 202.110.10.15

1.1.23  nat alg

Syntax

nat alg { all | dns | ftp | ils | nbt }

undo nat alg { all | dns | ftp | ils | nbt }

View

System view

Default Level

2: System level

Parameters

all: Supports all special protocols.

dns: Supports DNS.

ftp: Supports FTP.

ils: Supports ILS.

nbt: Supports NBT.

Description

Use the nat alg command to enable NAT application layer gateway for the specified protocol.

Use the undo nat alg command to disable NAT application layer gateway.

By default, NAT application layer gateway is enabled.

Examples

# Enable NAT application layer gateway for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

1.1.24  nat binding

Syntax

nat binding interface interface-type interface-number

undo nat binding interface interface-type interface-number

View

NAT service interface view

Default Level

2: System level

Parameters

interface interface-type interface-number: Specifies an interface to be bound to the NAT service interface.

Description

Use the nat binding command to bind a NAT-enabled VLAN interface to the current NAT service interface.

Use the undo nat binding command to remove the binding.

Caution:

• A NAT service interface can be bound to multiple NAT-enabled interfaces, but a NAT-enabled interface can be bound to only one service interface.

• Once a VLAN interface is bound to a NAT service virtual interface, it can no longer serve as the outbound interface for QoS redirection, because packets leaving this VLAN interface are redirected to the L3+NAT board, which renders QoS redirection ineffective.

• After removing a NAT-enabled VLAN virtual interface or the binding between a NAT-enabled VLAN interface and a NAT service interface, execute the reset nat session command to purge all NAT entries if you want the NATed public network address to be reassigned.


Examples

# Configure ACL 2000, enabling NAT for the packets from 10.110.10.0/24.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2000] quit

# Configure the address pool.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# Perform NAT with the addresses from address pool 1, using port information.

[Sysname] interface Vlan-interface 1000

[Sysname-Vlan-interface1000] nat outbound 2000 address-group 1

[Sysname-Vlan-interface1000] quit

# Configure the binding relationship.

[Sysname] interface nat 6/0/1

[Sysname-NAT6/0/1] nat binding interface vlan-interface 1000

1.1.25  nat connection-limit-policy

Syntax

nat connection-limit-policy policy-number

undo nat connection-limit-policy policy-number

View

System view

Default Level

2: System level

Parameters

policy-number: Number of the connection-limit policy to be bound with the NAT module, in the range of 0 to 255.

Description

Use the nat connection-limit-policy command to bind a connection-limit policy with the NAT module.

Use the undo nat connection-limit-policy command to remove the configuration.

Note that:

• A NAT module can be bound with only one policy.

• The globally configured connection limits do not take effect unless a connection-limit policy is bound to the NAT module.

• If there are multiple NAT boards, the configuration applies to all of them.

Caution:

A bound connection-limit policy does not take effect for NO-PAT translation.


Examples

# Bind connection-limit policy 1 with the NAT module.

<Sysname> system-view

[Sysname] nat connection-limit-policy 1

# Remove the binding between connection-limit policy 1 and the NAT module.

<Sysname> system-view

[Sysname] undo nat connection-limit-policy 1

1.1.26  nat limit

Syntax

nat limit { public | vpn-instance vpn-instance-name } user-amount user-limit connection-amount connection-limit

undo nat limit { public | vpn-instance vpn-instance-name }

View

System view

Default Level

2: System level

Parameters

public: Allocates resources for ordinary users (non-VPN users).

vpn-instance: Allocates resources for VPN users.

vpn-instance-name: Name of VPN instance.

user-amount user-limit: Maximum number of users that NAT can handle. The value ranges from 0 to 8192 for ordinary users (0 means ordinary users are not supported) and from 1 to 8192 for VPN users.

connection-amount connection-limit: Maximum number of unidirectional connections allowed for NAT. The value ranges from 0 to 1257291 for ordinary users (0 means ordinary user connections are not supported) and from 1 to 1257291 for VPN users.

Description

Use the nat limit command to allocate resources for ordinary or VPN users, including maximum user number and maximum connection number.

Use the undo nat limit command to release the resources.

By default, all the system resources belong to the ordinary users.

Note that:

• If you do not allocate resources for VPN users, VPN users cannot create connections.

• It is recommended that you allocate resources for VPN users before configuring their connection number limits, because VPN users are not supported when the system initializes and therefore cannot create any connections.

Examples

# Configure the maximum number of VPN users as 5000, and maximum connections they can create as 5500.

<Sysname> system-view

[Sysname] nat limit vpn-instance vpn1 user-amount 5000 connection-amount 5500

1.1.27  nat log enable

Syntax

nat log enable [ acl acl-number ]

undo nat log enable

View

System view

Default Level

2: System level

Parameters

acl acl-number: Enables the NAT log function for the data flows that match the specified ACL. The acl-number argument ranges from 2,000 to 3,999. If this parameter is absent, the NAT log function applies to all non-VPN data flows.

Description

Use the nat log enable command to enable the NAT log function.

Use the undo nat log enable command to disable the NAT log function.

By default, the NAT log function is disabled.

Examples

# Enable the NAT log function for the data flows that match ACL 2001.

<Sysname> system-view

[Sysname] nat log enable acl 2001

1.1.28  nat log flow-active

Syntax

nat log flow-active minutes

undo nat log flow-active

View

System view

Default Level

2: System level

Parameters

minutes: Interval at which active NAT sessions are logged, in the range of 10 to 120 minutes.

Description

Use the nat log flow-active command to enable logging for active NAT sessions and specify the interval at which the logs are generated and sent.

Use the undo nat log flow-active command to disable this function.

By default, this function is disabled.

This command allows you to log active flows at regular intervals. It solves the problem of logging long-lasting sessions, since logs are otherwise generated only when a session is established or deleted.

Examples

# Configure the interval between sending NAT active-flow logs as 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

1.1.29  nat log flow-begin

Syntax

nat log flow-begin

undo nat log flow-begin

View

System view

Default Level

2: System level

Parameters

None

Description

Use the nat log flow-begin command to generate a NAT log when a NAT session is established.

Use the undo nat log flow-begin command to restore the default.

By default, no log is generated when establishing a session.

Examples

# Generate a NAT log when a session is established.

<Sysname> system-view

[Sysname] nat log flow-begin

1.1.30  nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ vpn-instance vrf-name ] [ no-pat ] ]

undo nat outbound acl-number [ address-group group-number [ vpn-instance vrf-name ] [ no-pat ] ]

View

VLAN Interface view

Default Level

2: System level

Parameters

acl-number: Number of a basic or advanced ACL, in the range 2,000 to 3,999.

address-group: Specifies an address pool for NAT. If no address pool is specified, the interface IP address will be used, that is, the Easy IP feature.

group-number: Number of a predefined address pool, in the range of 0 to 319.

vpn-instance: Specifies a VPN that the address pool belongs to. The VPN is used for injecting NAT routes. You can configure VPN attributes to advertise NAT routes to other accessible VPNs, thus implementing interworking between VPNs in a NAT-enabled VPN networking application.

vrf-name: Name of an existing VPN instance, which is a string of 1 to 31 characters.

no-pat: Translates IP addresses only, without translating port information.

Description

Use the nat outbound command to enable NAT and associate an ACL with an address pool (or an interface address). Packets that match the ACL rules will have their internal IP address replaced by an address from the address pool or the specified interface address.

Use the undo nat outbound command to remove the association.

Related commands: nat address-group.

Note:

• For the ACL referenced by NAT, only the source IP address, destination IP address, and VPN instance take effect.

• For NO-PAT translation, if multiple NAT rules are configured with the nat outbound command on a VLAN interface, the device prioritizes them by the numbers of the bound ACLs: the rule bound to the ACL with the greater number takes precedence. Within an ACL, rules are prioritized by rule number: the smaller the rule number, the higher the priority.

• In PAT translation, ACLs are matched in "depth-first" order.

• When configuring the nat outbound acl-number command on an interface bound with a VPN, the VPN specified in the referenced ACL rule cannot be the same as the bound VPN. For example, if VLAN-interface 10 is bound with VPN 1 and ACL 2001 has a rule that specifies VPN 1 (rule permit vpn-instance vpn1), you cannot configure the nat outbound 2001 command on VLAN-interface 10.


Note that:

• Source IP addresses of packets that match the ACL are translated by configuring the association between the ACL and the address pool. The system selects an address from the address pool, or directly uses the IP address of the interface.

• You can configure different associations on one interface, and remove an association with the undo form of the command. Normally, the associations are configured on the egress interface that connects the internal network to the external network(s).

• If the interface address is used directly as the public network address, modifying the interface address after NAT mapping entries between the private and public networks have been established prevents users from accessing the external network through the interface, because the original entries are not deleted automatically. Therefore, before modifying the interface address, use the reset nat session command to clear the original entries so that users can access the external network normally with the new interface address as the public network address. Executing this command interrupts all NAT services, and all users must reinitiate their connections. Be cautious about this operation.

• After the undo nat outbound command is executed, if the association translated addresses only (NO-PAT, without port translation), the NAT address mapping entries generated for it are deleted automatically. Otherwise, these entries age out in five to ten minutes; during this period, users that depend on these entries cannot access external networks, while other users are not affected. You can also use the reset nat session command to clear all NAT address translation entries, but doing so terminates address translation for everyone and all users must reestablish their connections. Choose as required.

• After removing a NAT-enabled VLAN virtual interface or using the undo nat outbound command to remove the association between an ACL and an address pool, execute the reset nat session command to purge all NAT entries if you want the NATed public network address to be reassigned.

• If a VLAN interface is bound with a VPN, the NAT routes are added to that VPN automatically, and the hosts of the VPN connected to the VLAN interface can be accessed through NAT. If a VLAN interface is not bound with any VPN, the NAT routes are added to the public network, and the hosts in the public network or in remote VPNs can be accessed through NAT.

• If an address pool is configured with the VPN attribute, the NAT routes are added to the VPN specified by the vrf-name argument. Generally, this VPN has no hosts and is used only for injecting NAT routes. You can configure VPN attributes to advertise NAT routes to other accessible VPNs, thus implementing interworking between VPNs in a NAT-enabled VPN networking application.

• Because Easy IP does not involve the address pool parameter, you cannot configure VPN attributes for Easy IP directly. If necessary, configure an address pool containing the interface IP address, and then configure the NAT association and the VPN attribute for that address pool.

Examples

# Enable NAT for hosts in the 10.110.10.0/24 segment, using addresses 202.110.10.10 to 202.110.10.12 as the external IP addresses. Assume that VLAN-interface 1000 is connected to the private network.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2001] quit

# Configure VLAN-interface 1000.

[Sysname] vlan 1000

[Sysname-vlan1000] port GigabitEthernet 4/2/1

[Sysname-vlan1000] quit

[Sysname] interface Vlan-interface 1000

[Sysname-Vlan-interface1000] ip address 202.110.10.1 24

[Sysname-Vlan-interface1000] quit

# Configure the address pool.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# Enable NAT. Use the IP addresses from the address pool address-group 1. Use TCP/UDP port information.

[Sysname] interface Vlan-interface 1000

[Sysname-Vlan-interface1000] nat outbound 2001 address-group 1

# Remove the associated configuration.

[Sysname-Vlan-interface1000] undo nat outbound 2001 address-group 1

# If you do not use the TCP/UDP port information, do the following:

[Sysname-Vlan-interface1000] nat outbound 2001 address-group 1 no-pat

# Remove the associated configuration:

[Sysname-Vlan-interface1000] undo nat outbound 2001 address-group 1 no-pat

# To use the IP address of VLAN-interface 1000, do the following:

[Sysname-Vlan-interface1000] nat outbound 2001

# Remove the associated configuration.

[Sysname-Vlan-interface1000] undo nat outbound 2001
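As an added illustration (not H3C code) of the NO-PAT rule priority described in the note for this command, the following Python model resolves which nat outbound rule a packet's source address falls under when several rules are configured on one VLAN interface. The ACLs, rules and bindings are constructed; the reading that ACLs are tried from the highest number downward and that a deny or no match in one ACL moves on to the next is an assumption, not stated by the manual.

```python
"""Model NO-PAT rule selection for several 'nat outbound ... no-pat' rules on
one VLAN interface: the ACL with the greater number takes precedence, and
inside an ACL the smaller rule number is matched first. Added example, not
H3C code; the ACL evaluation order across ACLs is an assumption."""
import ipaddress

# Constructed basic ACLs: acl number -> [(rule number, action, source network)]
ACLS = {
    2000: [(0, "permit", "10.110.10.0/24")],
    2001: [(0, "deny", "10.110.10.128/25"), (5, "permit", "10.110.0.0/16")],
}
# Constructed bindings from 'nat outbound <acl> address-group <group> no-pat'
NAT_OUTBOUND = {2000: 1, 2001: 2}


def acl_verdict(rules, src):
    """Evaluate one ACL: smaller rule numbers first, first hit decides.
    Returns 'permit', 'deny', or None when no rule matches."""
    for _num, action, net in sorted(rules):
        if src in ipaddress.IPv4Network(net):
            return action
    return None


def select_no_pat_rule(src_ip, acls=ACLS, bindings=NAT_OUTBOUND):
    """Return (acl number, address-group) chosen for a source address, or
    None when no bound ACL permits it. Assumption: ACLs are tried from the
    greatest number downward; a deny or no match falls through to the next."""
    src = ipaddress.IPv4Address(src_ip)
    for acl_num in sorted(bindings, reverse=True):
        if acl_verdict(acls[acl_num], src) == "permit":
            return acl_num, bindings[acl_num]
    return None


if __name__ == "__main__":
    for ip in ("10.110.10.5", "10.110.10.200", "192.168.1.1"):
        print(ip, "->", select_no_pat_rule(ip))
```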

1.1.31  nat server

Syntax

nat server protocol pro-type global global-addr global-port1 global-port2 [ vpn-instance global-vrf-name ] inside host-addr1 host-addr2 host-port [ vpn-instance local-vrf-name ]

nat server protocol pro-type global global-addr [ global-port ] [ vpn-instance global-vrf-name ] inside host-addr [ host-port ] [ vpn-instance local-vrf-name ]

undo nat server protocol pro-type global global-addr global-port1 global-port2  [ vpn-instance global-vrf-name ] inside host-addr1 host-addr2 host-port [ vpn-instance local-vrf-name ]

undo nat server protocol pro-type global global-addr [ global-port ] [ vpn-instance global-vrf-name ] inside host-addr [ host-port ] [ vpn-instance local-vrf-name ]

View

VLAN interface view

Default Level

2: System level

Parameters

pro-type: Protocol type over IP, specified as a keyword: icmp, tcp, or udp.

global-addr: A valid IP address designated for external access.

global-port1, global-port2: Jointly specify a port range that corresponds to the IP address range of the internal hosts. Note that global-port2 must be greater than global-port1, and the difference between them must be less than or equal to 127.

host-addr1, host-addr2: Jointly define a range of addresses that corresponds to the port range. Note that host-addr2 must be greater than host-addr1, and the number of addresses must match the number of ports.

host-port: Service port number provided by the internal NAT server, in the range of 0 to 12287. You can use keywords to represent well-known port numbers, for example, www for port 80 (WWW service) and ftp for port 21 (FTP service).

global-port: Port number designated for external access, in the range of 0 to 12287. You can use keywords to represent well-known port numbers, for example, www for port 80 (WWW service) and ftp for port 21 (FTP service). This argument must be provided if the protocol type is UDP or TCP. If it is not provided, its value is the same as that of host-port.

host-addr: IP address of the server in the internal LAN.

global-vrf-name: Name of the VPN that the server's public IP address belongs to, a string of 1 to 31 characters. If this argument is not specified, the public IP address does not belong to any VPN.

local-vrf-name: Name of the VPN that the internal server belongs to, a string of 1 to 31 characters. If this argument is not specified, the internal server belongs to an ordinary private network rather than a VPN.

Description

Use the nat server command to define a translation table for an internal server.

External users can then access the internal server at host-addr and host-port through the address and port combination defined by global-addr and global-port.

Use the undo nat server command to remove the configuration.

Note that:

• Using this command, you can configure internal servers (such as WWW, FTP, Telnet, POP3, or DNS servers) that provide services to external users. An internal server can reside in a private network or in an MPLS VPN instance.

• An interface can be configured with at most 256 internal server configuration commands. Each command can create a number of internal servers equal to the difference between global-port2 and global-port1. An interface can be configured with at most 4096 internal servers, and a system allows at most 1024 internal server configuration commands.

• If a VLAN interface is bound with a VPN, the NAT routes will be added to the VPN automatically, allowing hosts in the VPN to access the servers specified by the nat server command. If a VLAN interface is not bound with any VPN, the NAT routes will be added to the public network, and the hosts in the public network or remote VPNs will be able to access the servers specified by the nat server command.

• If the global address pool is configured with the VPN attribute, the NAT routes will be added to the VPN specified by the global-vrf-name argument. This VPN has no hosts and is generally used only for injecting NAT routes. You can configure the VPN attributes to advertise the NAT routes to other accessible VPNs, thus allowing hosts in those VPNs to access the servers specified by the nat server command.

• In general, this command is configured on the interface that serves as the egress of an internal network and connects to an ISP on the external networks.

Related commands: display nat server

Caution:

When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can use only the (undo) nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-address inside host-address form of the command, that is, one-to-one NAT between an internal IP address and an external IP address.


Examples

# Specify the IP address of the WWW server in a LAN as 10.110.10.10 and the IP address of the FTP server in MPLS VPN vrf10 as 10.110.10.11. External users are to access the WWW server through http://202.110.10.10:8080 and the FTP server through ftp://202.110.10.10:8070. Assume that VLAN-interface 1000 is connected to the external networks.

<Sysname> system-view

[Sysname] vlan 1000

[Sysname-vlan1000] port GigabitEthernet 4/2/1

[Sysname-vlan1000] quit

[Sysname] interface Vlan-interface 1000

[Sysname-Vlan-interface1000] ip address 10.110.10.1 24

[Sysname-Vlan-interface1000] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

[Sysname-Vlan-interface1000] quit

[Sysname] ip vpn-instance vrf10

[Sysname-vpn-instance-vrf10] route-distinguisher 100:001

[Sysname-vpn-instance-vrf10] vpn-target 100:001

[Sysname-vpn-instance-vrf10] quit

[Sysname] interface Vlan-interface 1000

[Sysname-Vlan-interface1000] nat server vpn-instance vrf10 protocol tcp global 202.110.10.10 8070 inside 10.110.10.11 ftp vpn-instance vrf10

# Specify a host with an IP address of 10.110.10.12 in VPN vrf10. An external host pings 202.110.10.11 to examine the connectivity to the host.

[Sysname-Vlan-interface1000] nat server vpn-instance vrf10 protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

# Specify the external IP address as 202.110.10.10 and allow Telnet access to the hosts with IP addresses 10.110.10.1 to 10.110.10.100 in MPLS VPN vrf10 through ports 1001 to 1100; for example, 10.110.10.1 is reached by telnet to 202.110.10.10:1001, 10.110.10.2 by telnet to 202.110.10.10:1002, and so on.

[Sysname-Vlan-interface1000] nat server vpn-instance vrf10 protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet
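As an added example (not H3C code), the following Python expands a nat server command such as the last one above into its individual global-to-inside mappings and checks the constraints given under Parameters: global-port2 greater than global-port1 by at most 127, host-addr2 greater than host-addr1, equal numbers of ports and addresses, ports within 0 to 12287, and port ranges only for tcp/udp. The telnet keyword (port 23) is inferred from the manual's own example; all other sample lines are constructed.

```python
"""Expand an H3C-style 'nat server' command into its individual
global -> inside mappings and check the constraints the manual states for
the range form. Added example, not H3C code; sample lines are constructed."""
import ipaddress

# Keyword aliases for well-known ports. www and ftp are named by the manual;
# telnet (23) is inferred from the manual's own nat server example.
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23}
MAX_PORT = 12287      # host-port and global-port range 0 to 12287
MAX_PORT_SPAN = 127   # global-port2 - global-port1 must be <= 127


def parse_port(token):
    """A port operand is either a number or one of the keyword aliases."""
    if token in PORT_KEYWORDS:
        return PORT_KEYWORDS[token]
    return int(token)


def split_command(line):
    """Strip 'vpn-instance NAME' pairs (they may appear in several positions)
    and return (protocol, global operands, inside operands, vrf names)."""
    toks = line.split()
    if toks[:2] != ["nat", "server"]:
        raise ValueError("not a nat server command")
    vrfs, rest, i = [], [], 2
    while i < len(toks):
        if toks[i] == "vpn-instance":
            vrfs.append(toks[i + 1])
            i += 2
        else:
            rest.append(toks[i])
            i += 1
    proto = rest[rest.index("protocol") + 1]
    gi, ii = rest.index("global"), rest.index("inside")
    return proto, rest[gi + 1:ii], rest[ii + 1:], vrfs


def expand(line):
    """Return (mappings, errors). A mapping is
    (proto, global_addr, global_port, host_addr, host_port); errors lists
    constraint violations and is empty for a well-formed command."""
    proto, g, h, _vrfs = split_command(line)
    mappings, errors = [], []
    if len(g) == 3 and len(h) == 3:                 # range form
        gaddr = ipaddress.IPv4Address(g[0])
        p1, p2 = int(g[1]), int(g[2])
        h1, h2 = ipaddress.IPv4Address(h[0]), ipaddress.IPv4Address(h[1])
        hport = parse_port(h[2])
        if proto not in ("tcp", "udp"):
            errors.append("port ranges are only valid for tcp/udp")
        if p2 <= p1:
            errors.append("global-port2 must be greater than global-port1")
        elif p2 - p1 > MAX_PORT_SPAN:
            errors.append(f"port span {p2 - p1} exceeds {MAX_PORT_SPAN}")
        if h2 <= h1:
            errors.append("host-addr2 must be greater than host-addr1")
        n_ports, n_hosts = p2 - p1 + 1, int(h2) - int(h1) + 1
        if n_ports != n_hosts:
            errors.append(f"{n_ports} ports but {n_hosts} addresses")
        for p in (p1, p2, hport):
            if not 0 <= p <= MAX_PORT:
                errors.append(f"port {p} outside 0-{MAX_PORT}")
        if not errors:   # one mapping per (global port, inside address) pair
            for k in range(n_ports):
                mappings.append((proto, str(gaddr), p1 + k, str(h1 + k), hport))
    elif 1 <= len(g) <= 2 and 1 <= len(h) <= 2:     # single-server form
        gaddr = str(ipaddress.IPv4Address(g[0]))
        haddr = str(ipaddress.IPv4Address(h[0]))
        hport = parse_port(h[1]) if len(h) == 2 else None
        gport = parse_port(g[1]) if len(g) == 2 else hport   # defaults to host-port
        if proto in ("tcp", "udp") and gport is None:
            errors.append("global-port is required for tcp/udp")
        if proto not in ("tcp", "udp") and (gport is not None or hport is not None):
            errors.append("only one-to-one address mapping for non-tcp/udp")
        if not errors:
            mappings.append((proto, gaddr, gport, haddr, hport))
    else:
        errors.append("unrecognised operand layout")
    return mappings, errors


if __name__ == "__main__":
    m, e = expand("nat server vpn-instance vrf10 protocol tcp global 202.110.10.10 "
                  "1001 1100 inside 10.110.10.1 10.110.10.100 telnet")
    print(len(m), "mappings; first", m[0], "last", m[-1], "errors", e)
```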

1.1.32  reset nat session

Syntax

reset nat session slot slot-number

View

User view

Default Level

2: System level

Parameters

slot slot-number: Clears the address translation table for the card on the specified slot.

Description

Use the reset nat session command to clear the address translation table and release the memory dynamically assigned for storing the table.

Examples

# Clear the address translation table.

<Sysname> reset nat session slot 1

  Clearing NAT session table, please wait...Done!

1.1.33  reset userlog export

Syntax

reset userlog export slot slot-number

View

User view

Default Level

2: System level

Parameters

slot-number: Clears NAT log statistics for the card on the specified slot.

Description

Use the reset userlog export command to clear all log statistics.

Once the NAT log function is enabled, the system collects NAT log statistics periodically.

Related commands: display userlog export

Examples

# Clear the NAT log information of slot 2.

<Sysname> reset userlog export slot 2

1.1.34  reset userlog nat logbuffer

Syntax

reset userlog nat logbuffer slot slot-number

View

User view

Default Level

2: System level

Parameters

slot-number: Clears the NAT log buffer for the card on the specified slot.

Description

Use the reset userlog nat logbuffer command to clear the NAT log buffer.

Caution:

Clearing the NAT log buffer causes NAT log loss. Using this command in normal situations is not recommended.


Examples

# Clear the NAT log buffer for the card in slot 2.

<Sysname> reset userlog nat logbuffer slot 2

1.1.35  userlog nat export host

Syntax

userlog nat export [ slot slot-number ] host ip-address udp-port

undo userlog nat export [ slot slot-number ] host

View

System view

Default Level

2: System level

Parameters

slot slot-number: Specifies a slot.

ip-address: IP address of the NAT log server. The address must be a valid unicast IP address, not a loopback address.

udp-port: UDP port number of the NAT log server, ranging from 0 to 65535.

Description

Use the userlog nat export host command to configure the IP address and UDP port number of the NAT log server that receives NAT logs.

Use the undo userlog nat export host command to restore the default setting.

By default, no IP address or UDP port number of the NAT log server is configured.

Note that:

• You must configure the NAT log server for NAT logs to be exported successfully in UDP packets.

• It is recommended that you use a UDP port number greater than 1024 to avoid conflicts with common UDP port numbers.

• On the S9500 series, each interface board can be configured with a separate NAT log server to share the overall server load. The packets exported from these interface boards are numbered independently (sequence numbers in the packet headers). If you do not specify the slot number, this command applies to all interface boards for which no NAT log server IP address or UDP port number is configured.

Related commands: userlog nat export source-ip

Examples

# Export the NAT logs of interface board 2 to the NAT log server whose IP address is 169.254.1.1:2000.

<Sysname> system-view

[Sysname] userlog nat export slot 2 host 169.254.1.1 2000

1.1.36  userlog nat export source-ip

Syntax

userlog nat export source-ip ip-address

undo userlog nat export source-ip

View

System view

Default Level

2: System level

Parameters

ip-address: Source IP address of the exported UDP packets.

Description

Use the userlog nat export source-ip command to set the source IP address of the UDP packets that carry NAT logs.

Use the undo userlog nat export source-ip command to restore the default.

By default, the source IP address of the UDP packets that carry NAT logs is the IP address of the interface that sends the UDP packets.

Related commands: userlog nat export host.

Examples

# Set 169.254.1.2 as the source IP address of the UDP packets that carry NAT logs.

<Sysname> system-view

[Sysname] userlog nat export source-ip 169.254.1.2

1.1.37  userlog nat export version

Syntax

userlog nat export version version-number

undo userlog nat export version

View

System view

Default Level

2: System level

Parameters

version-number: Version number of NAT logs. Currently, the system supports version 1 only.

Description

Use the userlog nat export version command to set the version number of NAT logs.

Use the undo userlog nat export version command to restore the default.

By default, the version number of NAT logs is 1.

Examples

# Set the version number of NAT logs to 1.

<Sysname> system-view

[Sysname] userlog nat export version 1

1.1.38  userlog nat syslog

Syntax

userlog nat syslog

undo userlog nat syslog

View

System view

Default Level

2: System level

Parameters

None

Description

Use the userlog nat syslog command to export NAT logs to the information center.

Use the undo userlog nat syslog command to restore the default.

By default, NAT logs are exported to the NAT log server.

Note that because NAT logs can occupy a large amount of memory, it is not advisable to export a large volume of NAT logs to the information center.

Examples

# Export NAT logs to the information center.

<Sysname> system-view

[Sysname] userlog nat syslog
