04-Layer 3 Command Reference
13-NAT Commands
display nat address-group
Use display nat address-group to display the NAT address pool information.
Syntax
display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group-number: NAT address group number. The value range is 0 to 31. If this argument is not provided, information of all NAT address pools is displayed.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the NAT address pool information.
<Sysname> display nat address-group
NAT address-group information:
There are currently 2 nat address-group(s)
1 : from 202.110.10.10 to 202.110.10.15
2 : from 202.110.10.20 to 202.110.10.25
# Display the information of NAT address group 1.
<Sysname> display nat address-group 1
NAT address-group information:
1 : from 202.110.10.10 to 202.110.10.15
Table 1 Command output
Field | Description |
---|---|
NAT address-group information | NAT address pool information. |
There are currently 2 nat address-group(s) | There are two NAT address groups. |
1 : from 202.110.10.10 to 202.110.10.15 | The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15. |
Related commands
nat address-group
display nat aging-time
Use display nat aging-time to display the NAT aging time settings for various protocols.
Syntax
display nat aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the NAT aging time settings for various protocols.
<Sysname> display nat aging-time
NAT aging-time value information:
tcp ---- aging-time value is 300 (seconds)
udp ---- aging-time value is 240 (seconds)
icmp ---- aging-time value is 10 (seconds)
pptp ---- aging-time value is 300 (seconds)
dns ---- aging-time value is 10 (seconds)
tcp-fin ---- aging-time value is 10 (seconds)
tcp-syn ---- aging-time value is 10 (seconds)
ftp-ctrl ---- aging-time value is 300 (seconds)
ftp-data ---- aging-time value is 300 (seconds)
no-pat ---- aging-time value is 240 (seconds)
Table 2 Command output
Field | Description |
---|---|
NAT aging-time value information | NAT aging time settings for various protocols. |
tcp | NAT aging time for TCP. |
udp | NAT aging time for UDP. |
icmp | NAT aging time for ICMP. |
pptp | NAT aging time for PPTP. |
dns | NAT aging time for DNS. |
tcp-fin | NAT aging time for TCP FIN and RST connections. |
tcp-syn | NAT aging time for TCP SYN connections. |
ftp-ctrl | NAT aging time for the FTP control link. |
ftp-data | NAT aging time for the FTP data link. |
no-pat | NAT aging time in NO-PAT mode. |
Related commands
nat aging-time
display nat all
Use display nat all to display all NAT configuration information.
Syntax
display nat all [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display all NAT configuration information.
<Sysname> display nat all
NAT address-group information:
There are currently 2 nat address-group(s)
1 : from 202.110.10.10 to 202.110.10.15
10 : from 222.110.10.10 to 222.110.10.12
NAT bound information:
There are currently 4 nat bound rule(s)
Interface: Vlan-interface1000
Direction: outbound ACL: 2010 Address-group: 10 NO-PAT: N
Interface: Vlan-interface1000
Direction: outbound ACL: 2002 Address-group: --- NO-PAT: N
Interface: Vlan-interface1000
Direction: outbound ACL: 2001 Address-group: 1 NO-PAT: N
Interface: Vlan-interface1000
Direction: outbound ACL: 2000 Address-group: 1 NO-PAT: N
NAT server-group information:
There are currently 2 NAT server-group(s)
Server-group Inside-IP Port Weight Connections
1 10.1.1.1 21 101 0
1 10.110.10.20 30 100 0
2 --- --- --- ---
NAT server in private network information:
There are currently 3 internal server(s)
Interface: Vlan-interface1000, Protocol: 2
Global: 0.0.0.0 : ---
Local : 1.1.1.1 : ---
Interface: Vlan-interface1000, Protocol: 1(icmp)
Global: 2.2.2.2 : ---
Local : 2.2.2.1 : ---
Interface: Vlan-interface1000, Protocol: 2
Global: 0.0.0.0 : ---
Local : 2.2.2.2 : ---
NAT static information:
There are currently 1 NAT static configuration(s)
single static:
Local-IP : 192.167.1.2
Global-IP : 2.2.2.2
Local-VPN : ---
NAT static enabled information:
Interface Direction
Vlan-interface1000 out-static
NAT aging-time value information:
tcp ---- aging-time value is 300 (seconds)
udp ---- aging-time value is 100 (seconds)
icmp ---- aging-time value is 10 (seconds)
pptp ---- aging-time value is 300 (seconds)
dns ---- aging-time value is 10 (seconds)
tcp-fin ---- aging-time value is 10 (seconds)
tcp-syn ---- aging-time value is 10 (seconds)
ftp-ctrl ---- aging-time value is 300 (seconds)
ftp-data ---- aging-time value is 300 (seconds)
no-pat ---- aging-time value is 240 (seconds)
NAT log information:
flow-begin : enable
Table 3 Command output
Field | Description |
---|---|
NAT address-group information | NAT address pool information. |
There are currently 2 nat address-group(s) | See the display nat address-group command for descriptions of the specific fields. |
NAT bound information | Configuration information about internal-to-external address translation. See the display nat bound command for descriptions of the specific fields. |
NAT server-group information | Internal server group information. See the display nat server-group command for descriptions of the specific fields. |
NAT server in private network information | Internal server information. See the display nat server command for descriptions of the specific fields. |
NAT static information | Information about static NAT. See the display nat static command for descriptions of the specific fields. |
NAT static enabled information | Information about static NAT entries and interfaces with static NAT enabled. See the display nat static command for descriptions of the specific fields. |
NAT aging-time value information | NAT aging time information. See the display nat aging-time command for descriptions of the specific fields. |
NAT log information | NAT logging configuration information. See the display nat log command for descriptions of the specific fields. |
display nat bound
Use display nat bound to display the NAT configuration information.
Syntax
display nat bound [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the NAT configuration information.
<Sysname> display nat bound
NAT bound information:
There are currently 2 nat bound rule(s)
Interface:Vlan-interface10
Direction: outbound ACL: 2000 Address-group: 319 NO-PAT: Y
Interface:Vlan-interface10
Direction:outbound ACL: 3000 Address-group: 300 NO-PAT: N
Table 4 Command output
Field | Description |
---|---|
NAT bound information | Configured NAT address translation information. |
Interface | Interface associated with a NAT address pool. |
Direction | Address translation direction: inbound or outbound. |
ACL | ACL number. |
Address-group | Address group number. The field is displayed as null in Easy IP mode. |
NO-PAT | Identifies whether NO-PAT mode is supported. |
Related commands
nat outbound
display nat log
Use display nat log to view the NAT logging configuration information.
Syntax
display nat log [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# View the NAT logging configuration information.
<Sysname> display nat log
NAT log information:
log enable : enable acl 2000
flow-begin : enable
flow-active : 10(minutes)
Table 5 Command output
Field | Description |
---|---|
NAT log information | NAT logging configuration information. |
log enable : enable acl 2000 | Logging of data flows matching ACL 2000 is enabled. |
flow-begin : enable | Logging of newly established sessions is enabled. |
flow-active : 10(minutes) | Interval for logging active flows (10 minutes). |
Related commands
· nat log enable
· nat log flow-active
· nat log flow-begin
display nat server
Use display nat server to display information about internal servers.
Syntax
display nat server [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about internal servers.
<Sysname> display nat server
NAT server in private network information:
There are currently 2 internal server(s)
Interface: Vlan-interface10, Protocol: 6(tcp)
Global: 100.100.120.120 : 21(ftp)
Local : 192.168.100.100 : 21(ftp)
Status: Inactive
Interface: Vlan-interface11, Protocol: 6(tcp)
Global: 100.100.100.121 : 80(www)
Local : 192.168.100.101 : 80(www) vpn2
Status: Active
Table 6 Command output
Field | Description |
---|---|
NAT server in private network information | Information about internal servers. |
Interface | Internal server interface. |
Protocol | Protocol type. |
Global | External IP address and port number of the server, and the VPN that the external address belongs to. |
Local | Internal IP address and port number of the server. |
Status | Current status of the configuration: active or inactive. |
Related commands
nat server
display nat server-group
Use display nat server-group to display configuration information about internal server groups.
Syntax
display nat server-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group-number: Internal server group number. The value range is 0 to 19. If this argument is not specified, information of all internal server groups is displayed.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display configuration information about all internal server groups.
<Sysname> display nat server-group
NAT server-group information:
There are currently 1 NAT server-group(s)
Server-group Inside-IP Port Weight Connections
1 2.2.2.2 21 245 3
1 2.2.2.5 21 100 1
Table 7 Command output
Field | Description |
---|---|
Server-group | Internal server group number. |
Inside-IP | IP address of an internal server. |
Port | Port number of an internal server. |
Weight | Weight of an internal server. |
Connections | Number of current connections of an internal server. If an internal server group has multiple members, this field displays the total number of member connections. |
Related commands
nat server-group
display nat session
Use display nat session to display dynamic NAT entries.
Syntax
display nat session [ source { global global-address | inside inside-address } ] [ destination dst-address ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
source global global-address: Displays NAT entries for the specified external source IP address.
source inside inside-address: Displays NAT entries for the specified internal source IP address.
destination dst-address: Displays NAT entries for the specified destination IP address.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display dynamic NAT entries.
<Sysname> display nat session
There are currently 1 NAT session:
Pro GlobalAddr:Port LocalAddr:Port DestAddr:Port
status:11 TTL:00:00:10 Left:00:00:02
Table 8 Command output
Field | Description |
---|---|
Pro | Protocol type. |
GlobalAddr:Port | External IP address and port number after translation. |
InsideAddr:Port | Internal IP address and port number before translation. |
DestAddr:Port | Destination IP address and port number. |
status | NAT session status. |
TTL | NAT session lifetime, in the format hh:mm:ss. |
Left | NAT session remaining lifetime, in the format hh:mm:ss. |
display nat static
Use display nat static to display static NAT entries and interfaces with static NAT enabled.
Syntax
display nat static [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display static NAT entries and interfaces with static NAT enabled.
<Sysname> display nat static
NAT static information:
There are currently 1 NAT static configuration(s)
single static:
Local-IP : 4.4.4.4
Global-IP : 5.5.5.5
Local-VPN : ---
NAT static enabled information:
Interface Direction
Vlan-interface11 out-static
Table 9 Command output
Field | Description |
---|---|
NAT static information | Configuration information of static NAT. |
single static | One-to-one static NAT. |
Local-IP | Internal IP address. |
Global-IP | External IP address. |
Local-VPN | MPLS L3VPN to which the internal IP address belongs. |
NAT static enabled information | Information about static NAT enabled on interfaces. |
Interface | Interface on which static NAT is configured. |
Direction | Direction of packets to be translated. |
Related commands
· nat static
· nat outbound static
display nat statistics
Use display nat statistics to display NAT statistics.
Syntax
display nat statistics [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display NAT statistics.
<Sysname> display nat statistics
total PAT session table count: 1
total NO-PAT session table count: 0
total SERVER session table count: 0
total STATIC session table count: 0
total FRAGMENT session table count: 0
total FULL-CONE session table count: 0
active PAT session table count: 1
active NO-PAT session table count: 0
active FRAGMENT session table count: 0
Table 10 Command output
Field | Description |
---|---|
total PAT session table count | Number of PAT session entries. |
total NO-PAT session table count | Number of NO-PAT session entries. |
total SERVER session table count | Number of SERVER session entries. |
total STATIC session table count | Number of STATIC session entries. |
total FRAGMENT session table count | Number of FRAGMENT session entries. |
total FULL-CONE session table count | Number of FULL-CONE session entries, which are keyed by the triplet of IP address, port number, and protocol type. |
active PAT session table count | Number of active PAT session entries. |
active NO-PAT session table count | Number of active NO-PAT session entries. |
active FRAGMENT session table count | Number of active FRAGMENT session entries. |
display userlog export
Use display userlog export to view the configuration and statistics of logs output to the log server.
Syntax
display userlog export [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command displays all types of logs output to the log server, including NAT logs.
Examples
# View the configuration and statistics of NAT logs.
<Sysname> display userlog export
nat:
No userlog export is enabled
Table 11 Command output
Field | Description |
---|---|
nat | NAT log information to be displayed. |
No userlog export is enabled | NAT logs cannot be exported. Possible reasons: the NAT log function is not enabled; the NAT log function is enabled but NAT logs are configured to be exported to the information center; or the NAT log function is enabled but the IP address and UDP port number of the log server are not configured. |
Related commands
reset userlog nat export
nat address-group
Use nat address-group to configure a NAT address pool. Specifying the start and end IP addresses defines the range of addresses in the pool.
Use undo nat address-group to remove an address pool.
Syntax
nat address-group group-number [ start-address end-address ]
undo nat address-group group-number [ start-address end-address ]
Views
System view
Default command level
2: System level
Parameters
group-number: Index of the address pool. The value range is 0 to 31.
start-address: Start IP address of the address pool.
end-address: End IP address of the address pool. The end-address cannot be lower than the start-address. If they are the same, the address pool has only one IP address.
Usage guidelines
An address pool consists of a set of consecutive IP addresses.
· You cannot remove an address pool that has been associated with an ACL.
· Different address pools must not overlap.
· The number of addresses in all address pools cannot exceed a specific value.
· An address pool is not needed in the case of Easy IP where the interface's public IP address is used as the translated IP address.
Examples
# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.
<Sysname> system-view
[Sysname] nat address-group 1 202.110.10.10 202.110.10.15
Related commands
display nat address-group
nat aging-time
Use nat aging-time to set NAT aging time.
Use undo nat aging-time to restore the default.
Syntax
nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } seconds
undo nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } [ seconds ]
Default
The default NAT aging times of various protocols are as follows:
· 10 seconds for DNS.
· 300 seconds for FTP control link.
· 300 seconds for FTP data link.
· 10 seconds for ICMP.
· 240 seconds in NO-PAT mode.
· 300 seconds for PPTP.
· 300 seconds for TCP.
· 10 seconds for TCP FIN and RST connections.
· 10 seconds for TCP SYN connections.
· 240 seconds for UDP.
Views
System view
Default command level
2: System level
Parameters
dns: Specifies the NAT aging time for DNS.
ftp-ctrl: Specifies the NAT aging time for FTP control link.
ftp-data: Specifies the NAT aging time for FTP data link.
icmp: Specifies the NAT aging time for ICMP.
no-pat: Specifies the NAT aging time in No-PAT mode.
pptp: Specifies the NAT aging time for PPTP.
tcp: Specifies the NAT aging time for TCP.
tcp-fin: Specifies the NAT aging time for TCP FIN or RST connection.
tcp-syn: Specifies the NAT aging time for TCP SYN connection.
udp: Specifies the NAT aging time for UDP.
seconds: NAT aging time, in the range of 10 to 86400 seconds.
Usage guidelines
A NAT entry is not permanent. You can use this command to configure the NAT aging time for TCP, UDP, ICMP, and other protocols. If a NAT entry is not used within the configured time, it is aged out. For example, when a user with IP address 10.110.10.10 and port number 2000 establishes an outbound TCP connection, NAT assigns an external IP address and port number to the user. If the TCP connection is not used within the configured aging time, the system removes the entry.
In NO-PAT mode, if the private network is large and users frequently go online and offline, you can set a smaller aging time to speed up the release of addresses back to the pool.
Examples
# Set the NAT aging time for TCP to 240 seconds.
<Sysname> system-view
[Sysname] nat aging-time tcp 240
Related commands
display nat aging-time
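To make the aging behavior concrete, here is an added Python model (not code from this reference or from the device software) of a dynamic NAT entry table that ages entries per protocol using the default times listed above, and reports TTL and Left the way display nat session formats them. The class names, the sample addresses and the timeline are constructed for this example; the scenario replays the usage-guideline case of host 10.110.10.10, port 2000, opening an outbound TCP connection.

```python
from dataclasses import dataclass

# Default NAT aging times in seconds, as listed under nat aging-time.
DEFAULT_AGING = {
    "dns": 10, "ftp-ctrl": 300, "ftp-data": 300, "icmp": 10, "no-pat": 240,
    "pptp": 300, "tcp": 300, "tcp-fin": 10, "tcp-syn": 10, "udp": 240,
}


@dataclass
class NatEntry:
    proto: str        # aging class, e.g. "tcp", "udp", "icmp"
    inside: str       # internal address:port before translation
    global_: str      # external address:port after translation
    last_used: int    # time (seconds) of the last packet that matched the entry


class NatSessionTable:
    """Toy dynamic NAT table whose entries age out per protocol as the reference describes."""

    def __init__(self, overrides=None):
        # nat aging-time <proto> <seconds> changes one class; everything else keeps its default.
        self.aging = {**DEFAULT_AGING, **(overrides or {})}
        self.entries = {}   # (proto, inside) -> NatEntry

    def translate(self, proto, inside, global_, now):
        """Reuse the entry for this inside address:port or create one; any use restarts the timer."""
        key = (proto, inside)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = NatEntry(proto, inside, global_, now)
        else:
            entry.last_used = now
        return entry

    def ttl(self, entry):
        """Session lifetime (the TTL column of display nat session) for the entry's protocol."""
        return self.aging[entry.proto]

    def left(self, entry, now):
        """Remaining lifetime (the Left column) at time now."""
        return max(0, self.ttl(entry) - (now - entry.last_used))

    def age_out(self, now):
        """Remove every entry unused for at least its aging time and return the removed entries."""
        expired = [e for e in self.entries.values() if now - e.last_used >= self.ttl(e)]
        for e in expired:
            del self.entries[(e.proto, e.inside)]
        return expired


def hhmmss(seconds):
    """Format seconds the way display nat session prints TTL and Left (hh:mm:ss)."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def demo(tcp_aging=None):
    """Replay the usage-guideline scenario; pass tcp_aging=240 to mimic 'nat aging-time tcp 240'."""
    table = NatSessionTable({"tcp": tcp_aging} if tcp_aging else None)
    tcp = table.translate("tcp", "10.110.10.10:2000", "202.110.10.10:1024", now=0)
    table.translate("udp", "10.110.10.11:5000", "202.110.10.10:1025", now=0)
    table.translate("icmp", "10.110.10.12:1", "202.110.10.10:1", now=0)
    # More traffic on the same TCP flow at t=5 restarts its aging timer.
    table.translate("tcp", "10.110.10.10:2000", "202.110.10.10:1024", now=5)
    ttl, left = hhmmss(table.ttl(tcp)), hhmmss(table.left(tcp, now=7))
    # Which protocols' entries are removed at each sweep of the table.
    timeline = {now: sorted(e.proto for e in table.age_out(now)) for now in (10, 245, 305)}
    return timeline, ttl, left


if __name__ == "__main__":
    print(demo())
    print(demo(tcp_aging=240))
```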
nat alg
Use nat alg to enable NAT application layer gateway for one or more protocols.
Use undo nat alg to disable NAT application layer gateway.
Syntax
nat alg { all | dns | ftp | ils | nbt | pptp }
undo nat alg { all | dns | ftp | ils | nbt | pptp }
Default
NAT application layer gateway is enabled.
Views
System view
Default command level
2: System level
Parameters
all: Supports all special protocols.
dns: Supports DNS.
ftp: Supports FTP.
ils: Supports ILS.
nbt: Supports NBT.
pptp: Supports PPTP.
Examples
# Enable NAT application layer gateway for FTP.
<Sysname> system-view
[Sysname] nat alg ftp
nat link-down reset-session enable
Use nat link-down reset-session enable to enable aging out NAT entries upon master link failure.
Use undo nat link-down reset-session enable to restore the default.
Syntax
nat link-down reset-session enable
undo nat link-down reset-session enable
Default
This feature is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable aging out NAT entries upon master link failure.
<Sysname> system-view
[Sysname] nat link-down reset-session enable
nat log enable
Use nat log enable to enable the NAT logging function for all data flows outbound from the internal network or outbound data flows matching a specific ACL.
Use undo nat log enable to disable NAT logging.
Syntax
nat log enable [ acl acl-number ]
undo nat log enable [ acl acl-number ]
Default
The NAT logging function is disabled.
Views
System view
Default command level
2: System level
Parameters
acl acl-number: Specifies an ACL by its number, in the range of 2000 to 3999.
Examples
# Enable NAT logging.
<Sysname> system-view
[Sysname] nat log enable acl 2001
nat log flow-active
Use nat log flow-active to enable logging for active NAT sessions and set the logging interval.
Use undo nat log flow-active to disable this function.
Syntax
nat log flow-active minutes
undo nat log flow-active [ minutes ]
Default
This function is disabled.
Views
System view
Default command level
2: System level
Parameters
minutes: Interval for logging active NAT sessions, in the range of 10 to 120 minutes.
Usage guidelines
This function helps in tracking active flows by logging them regularly. Without this function, logs are generated only when a session is established or deleted and no logs are available for tracking a session that lasts for a long period.
Examples
# Enable logging for active NAT sessions and set the logging interval to 10 minutes.
<Sysname> system-view
[Sysname] nat log flow-active 10
nat log flow-begin
Use nat log flow-begin to enable logging of NAT session establishment events.
Use undo nat log flow-begin to restore the default.
Syntax
nat log flow-begin
undo nat log flow-begin
Default
No log is generated when a session is established.
Views
System view
Default command level
2: System level
Examples
# Enable logging of NAT session establishment events.
<Sysname> system-view
[Sysname] nat log flow-begin
nat outbound
Use nat outbound to enable outbound NAT on an interface.
Use undo nat outbound to disable outbound NAT.
Syntax
nat outbound acl-number address-group group-number [ no-pat ]
undo nat outbound acl-number [ address-group group-number [ no-pat ] ]
Views
Interface view
Default command level
2: System level
Parameters
acl-number: ACL number in the range of 2000 to 3999. A packet matching a permit rule in the ACL is translated by NAT. If no ACL is specified, a packet that is not sourced from the outbound interface is translated by NAT.
address-group group-number: Specifies an address pool for NAT. The value range for the group-number argument is 0 to 31. If no address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is enabled.
no-pat: Specifies many-to-many NAT that does not use TCP/UDP port numbers. If this keyword is not specified, TCP/UDP port numbers are used for many-to-one NAT.
Usage guidelines
You can configure multiple associations or use the undo command to remove an association from an interface that serves as the egress of an internal network to the external network.
In the case of Easy IP, if you modify the interface address, you must clear the existing NAT entries by using the reset nat session command. Otherwise, once new NAT entries are installed in the address translation table, the old NAT address mappings can no longer be deleted, either automatically or with the reset nat session command.
When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted. They are aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network, whereas all other users are not affected. You can also use the reset nat session command to clear all NAT entries, but NAT service is then interrupted and all users have to reinitiate their connections. Choose the approach that suits your situation.
When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.
If a packet matches the specified next hop, the packet is translated using an IP address in the address pool. If not, the packet is not translated.
You can bind an ACL to only one address pool on an interface. An address pool can be bound to multiple ACLs.
NAPT cannot translate connections from external hosts to internal hosts.
The ACL rules referenced by the same interface cannot conflict. That is, the source IP address and destination IP address in two ACL rules cannot both be the same. For basic ACLs (numbered from 2000 to 2999), a conflict occurs if the source IP addresses in two ACL rules are the same.
Examples
# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses 202.110.10.10 through 202.110.10.12. Assume that VLAN-interface 1000 is connected to the Internet.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
# Configure address pool 1.
[Sysname] nat address-group 1 202.110.10.10 202.110.10.12
# Use addresses in address pool 1 as translated addresses and TCP/UDP port information.
[Sysname] interface vlan-interface 1000
[Sysname-Vlan-interface1000] nat outbound 2001 address-group 1
# Use addresses in address pool 1 as translated addresses without using TCP/UDP port information.
<Sysname> system-view
[Sysname] interface vlan-interface 1000
[Sysname-Vlan-interface1000] nat outbound 2001 address-group 1 no-pat
# Use the IP address of interface VLAN-interface 1000 as translated address.
<Sysname> system-view
[Sysname] interface vlan-interface 1000
[Sysname-Vlan-interface1000] nat outbound 2001
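As an added illustration (not part of this command reference or the device software), the following Python script audits an exported configuration against the constraints stated for nat address-group and nat outbound above: group numbers 0 to 31, an end-address not lower than the start-address, non-overlapping pools, ACL numbers 2000 to 3999, a referenced pool that actually exists, and at most one address pool per ACL on an interface. The configuration excerpt, the regular expressions and the function names are all constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed Comware-style configuration excerpt for the audit (not taken from a real device).
SAMPLE_CONFIG = """\
nat address-group 1 202.110.10.10 202.110.10.15
nat address-group 2 202.110.10.14 202.110.10.20
nat address-group 40 202.110.11.1 202.110.11.1
nat address-group 3 202.110.12.9 202.110.12.5
interface vlan-interface 1000
 nat outbound 2001 address-group 1
 nat outbound 2001 address-group 2 no-pat
 nat outbound 2002
 nat outbound 2003 address-group 9
 nat outbound 4000 address-group 1
"""

ADDR_GROUP_RE = re.compile(r"^nat address-group (\d+)(?: (\S+) (\S+))?$")
INTERFACE_RE = re.compile(r"^interface (\S+(?: \S+)?)$")
OUTBOUND_RE = re.compile(r"^nat outbound (\d+)(?: address-group (\d+))?( no-pat)?$")


@dataclass
class Pool:
    number: int
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address


def parse_nat_config(text):
    """Return (pools, bindings). A binding is (interface, acl, group_or_None, no_pat)."""
    pools, bindings, interface = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ADDR_GROUP_RE.match(line)
        if m and m.group(2):
            num = int(m.group(1))
            pools[num] = Pool(num, ipaddress.IPv4Address(m.group(2)),
                              ipaddress.IPv4Address(m.group(3)))
            continue
        m = INTERFACE_RE.match(line)
        if m:
            interface = m.group(1)   # following nat outbound lines belong to this interface
            continue
        m = OUTBOUND_RE.match(line)
        if m:
            group = int(m.group(2)) if m.group(2) else None   # None means Easy IP
            bindings.append((interface, int(m.group(1)), group, bool(m.group(3))))
    return pools, bindings


def audit_nat_config(text):
    """Check address pools and nat outbound bindings against the constraints in the reference."""
    pools, bindings = parse_nat_config(text)
    findings = []
    # nat address-group: group number 0-31, end-address not lower than start-address.
    for p in pools.values():
        if not 0 <= p.number <= 31:
            findings.append(f"pool {p.number}: group number outside 0-31")
        if p.end < p.start:
            findings.append(f"pool {p.number}: end-address {p.end} is lower than start-address {p.start}")
    # Different address pools must not overlap (only well-formed pools are compared).
    valid = sorted((p for p in pools.values() if p.end >= p.start), key=lambda p: p.start)
    for i, a in enumerate(valid):
        for b in valid[i + 1:]:
            if b.start <= a.end:   # b starts no earlier than a, so this is the overlap test
                findings.append(f"pools {a.number} and {b.number} overlap "
                                f"({b.start}-{min(a.end, b.end)})")
    # nat outbound: ACL 2000-3999, referenced pool must exist, one ACL -> one pool per interface.
    acl_pools = {}
    for interface, acl, group, _no_pat in bindings:
        if not 2000 <= acl <= 3999:
            findings.append(f"{interface}: ACL {acl} outside 2000-3999")
        if group is not None:
            if group not in pools:
                findings.append(f"{interface}: ACL {acl} references undefined address-group {group}")
            acl_pools.setdefault((interface, acl), []).append(group)
    for (interface, acl), groups in acl_pools.items():
        if len(set(groups)) > 1:
            findings.append(f"{interface}: ACL {acl} is bound to more than one address pool "
                            f"({', '.join(str(g) for g in groups)})")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_config(SAMPLE_CONFIG):
        print(finding)
```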
nat outbound static
Use nat outbound static to enable static NAT on an interface, making the configured static NAT mappings take effect.
Use undo nat outbound static to disable static NAT on the interface.
Syntax
nat outbound static
undo nat outbound static
Views
Interface view
Default command level
2: System level
Examples
# Configure a one-to-one NAT mapping and enable static NAT on interface VLAN-interface 100.
<Sysname> system-view
[Sysname] nat static 192.168.1.1 2.2.2.2
[Sysname] interface vlan-interface100
[Sysname-Vlan-interface100] nat outbound static
Related commands
display nat static
nat server (for normal NAT server)
Use nat server to configure a load sharing internal server.
Use undo nat server to remove the configuration.
Syntax
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port
undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ]
undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ]
Views
Interface view
Default command level
2: System level
Parameters
protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.
global-address: Public IP address for the internal server.
current-interface: Uses the current interface address as the external IP address for the internal server.
interface: Uses a specific interface address as the external IP address for the internal server, enabling Easy IP.
interface-type interface-number: Specifies the interface type and interface number. Only a loopback interface is supported, and it must already be configured. Otherwise, the configuration is considered illegal.
global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. The global-port2 argument must be greater than global-port1.
local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. The local-address2 argument must be greater than local-address1, and the number of addresses must match the number of specified ports.
local-port: Port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20.
· You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.
· You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.
Usage guidelines
Using the address and port defined by the global-address and global-port parameters, external users can access the internal server with an IP address of local-address and a port of local-port.
If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined.
Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users.
The number of internal servers that each command can define equals the difference between global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands.
In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external network.
The device supports using an interface address as the external IP address of an internal server. This feature is called Easy IP. If you specify the current-interface keyword, the internal server uses the current primary IP address of the current interface. If you use interface { interface-type interface-number } to specify an interface, the interface must be an existing loopback interface, and the current primary IP address of that loopback interface is used.
H3C recommends that if an internal server using Easy IP is configured on the current interface, the IP address of this interface should not be configured as the external address of another internal server, and vice versa. This is because the interface address referenced by the internal server using Easy IP already serves as the external address of that internal server.
When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.
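The constraints spread across the parameter descriptions and usage guidelines above (global-port2 greater than global-port1, the address range matching the port range one-to-one, no ports for ICMP, local-port never 20, and the rule that if one of global-port and local-port is any the other must be any or undefined) are easy to get wrong when typing a long nat server line. The following Python checker, added here and not part of the H3C documentation, expands a load-sharing nat server command into the individual mappings it defines and rejects arguments that violate those rules; it also validates the single-server form. It treats port and address ranges as inclusive and resolves only the service names the page mentions (www, ftp, any); both are assumptions made for illustration.

```python
import ipaddress

# Service names the page says may stand in for port numbers; "any" is port 0.
# Only the names the page itself lists are resolved here (assumption).
SERVICE_NAMES = {"www": 80, "ftp": 21, "any": 0}


def parse_port(value):
    """Accept an int, a numeric string, or one of the service names above."""
    if isinstance(value, int):
        port = value
    elif value in SERVICE_NAMES:
        port = SERVICE_NAMES[value]
    else:
        port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0-65535")
    return port


def nat_server_mappings(proto, global_addr, global_port1, global_port2,
                        local_addr1, local_addr2, local_port):
    """Expand 'nat server protocol <proto> global <addr> <gp1> <gp2> inside
    <la1> <la2> <lp>' into (proto, global_ip, global_port, local_ip, local_port)
    tuples, enforcing the constraints the page states for this form."""
    proto = proto.lower()
    if proto == "icmp":
        raise ValueError("ICMP internal servers cannot specify port numbers")
    gp1, gp2, lp = parse_port(global_port1), parse_port(global_port2), parse_port(local_port)
    if gp2 <= gp1:
        raise ValueError("global-port2 must be greater than global-port1")
    if lp == 20:
        raise ValueError("local-port cannot be FTP data port 20")
    if lp == 0:
        raise ValueError("local-port any is not valid with a global port range")
    a1, a2 = ipaddress.ip_address(local_addr1), ipaddress.ip_address(local_addr2)
    if a2 <= a1:
        raise ValueError("local-address2 must be greater than local-address1")
    ports = range(gp1, gp2 + 1)  # inclusive range (assumption)
    if int(a2) - int(a1) + 1 != len(ports):
        raise ValueError("number of local addresses must equal number of global ports")
    return [(proto, global_addr, p, str(a1 + i), lp) for i, p in enumerate(ports)]


def nat_server_single(proto, global_addr, local_addr, global_port=None, local_port=None):
    """Validate the single-server form and return one mapping tuple."""
    proto = proto.lower()
    if proto == "icmp":
        if global_port is not None or local_port is not None:
            raise ValueError("ICMP internal servers cannot specify port numbers")
        return (proto, global_addr, None, local_addr, None)
    gp = None if global_port is None else parse_port(global_port)
    lp = None if local_port is None else parse_port(local_port)
    if lp == 20:
        raise ValueError("local-port cannot be FTP data port 20")
    # If one of the two ports is any (0), the other must be any or undefined.
    if (gp == 0 or lp == 0) and not all(p in (0, None) for p in (gp, lp)):
        raise ValueError("if one port is any, the other must be any or undefined")
    return (proto, global_addr, gp, local_addr, lp)


def rejected(fn, *args, **kwargs):
    """Return the validation error message, or None if the arguments were accepted."""
    try:
        fn(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: three public ports on 202.110.10.11 fanned out to
    # three inside web servers, plus the page's ICMP example.
    for m in nat_server_mappings("tcp", "202.110.10.11", 1001, 1003,
                                 "10.110.10.1", "10.110.10.3", "www"):
        print(m)
    print(nat_server_single("icmp", "202.110.10.11", "10.110.10.12"))
```

Expanding the command before committing it also gives the reviewer a list of exactly which inside hosts become reachable from outside, which is the point worth checking on a NAT egress interface.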
Examples
# Allow external hosts to ping the host with an IP address of 10.110.10.12.
<Sysname> system-view
[Sysname] interface vlan-interface1000
[Sysname-Vlan-interface1000] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12
Related commands
display nat server
nat server-group
Use nat server-group to configure an internal server group.
Use undo nat server-group to remove the specified internal server group.
Syntax
nat server-group group-number
undo nat server-group group-number
Views
System view
Default command level
2: System level
Parameters
group-number: Internal server group number. The value range is 0 to 19.
Usage guidelines
An internal server group referenced by the nat server command on an interface cannot be removed.
Examples
# Configure internal server group 1.
<Sysname> system-view
[Sysname] nat server-group 1
Related commands
nat server
nat static
Use nat static to configure a one-to-one static NAT mapping.
Use undo nat static to remove a one-to-one static NAT mapping.
Syntax
nat static [ acl-number ] local-ip global-ip
undo nat static [ acl-number ] local-ip global-ip
Views
System view
Default command level
2: System level
Parameters
acl-number: Number of an ACL, in the range of 2000 to 3999. You can use an ACL to specify the destination addresses that internal hosts can access.
local-ip: Internal IP address.
global-ip: External IP address.
Examples
# In system view, configure static NAT mapping between internal IP address 192.168.1.1 and external IP address 2.2.2.2.
<Sysname> system-view
[Sysname] nat static 192.168.1.1 2.2.2.2
# Configure static NAT to allow the internal host 192.168.1.1 to access only the external network 3.3.3.0/24 by using the external IP address 2.2.2.2.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] nat static 3001 192.168.1.1 2.2.2.2
Related commands
display nat static
reset nat session
Use reset nat session to clear the address translation table and release the memory dynamically assigned for storing the table.
Syntax
reset nat session
Views
User view
Default command level
2: System level
Examples
# Clear the address translation table.
<Sysname> reset nat session
reset userlog nat export
Use reset userlog nat export to clear NAT log statistics.
Syntax
reset userlog nat export
Views
User view
Default command level
2: System level
Usage guidelines
Once the NAT log function is enabled, the system takes statistics for NAT logs periodically.
Examples
# Clear the NAT log information.
<Sysname> reset userlog nat export
Related commands
display userlog export
reset userlog nat logbuffer
Use reset userlog nat logbuffer to clear the NAT log buffer.
Syntax
reset userlog nat logbuffer
Views
User view
Default command level
2: System level
Usage guidelines
Clearing the NAT log buffer causes NAT log loss. H3C recommends that you do not use this command in normal situations.
Examples
# Clear the NAT log buffer.
<Sysname> reset userlog nat logbuffer
userlog nat export host
Use userlog nat export host to specify the IP address and UDP port number of the NAT log server that receives NAT logs.
Use undo userlog nat export host to restore the default.
Syntax
userlog nat export host { ipv4-address | ipv6 ipv6-address } udp-port
undo userlog nat export host { ipv4-address | ipv6 ipv6-address }
Default
No NAT log server IP address or UDP port number is configured.
Views
System view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address of the NAT log server. It must be a valid unicast IPv4 address and cannot be a loopback address.
ipv6 ipv6-address: IPv6 address of the NAT log server. It must be a valid unicast IPv6 address.
udp-port: UDP port number of the NAT log server, ranging from 0 to 65535.
Usage guidelines
Specify the NAT log server to successfully export NAT logs in UDP packets.
Use a UDP port number greater than 1024 to avoid conflicting with common UDP port numbers.
Examples
# Export NAT logs to NAT log server with IP address 169.254.1.1 and port number 2000.
<Sysname> system-view
[Sysname] userlog nat export host 169.254.1.1 2000
Related commands
userlog nat export source-ip
userlog nat export source-ip
Use userlog nat export source-ip to configure the source IP address for the UDP packets that carry NAT logs.
Use undo userlog nat export source-ip to restore the default.
Syntax
userlog nat export source-ip ip-address
undo userlog nat export source-ip
Default
The source IP address of the UDP packets that carry NAT logs is the IP address of the interface that sends the UDP packets.
Views
System view
Default command level
2: System level
Parameters
ip-address: Source IP address for the UDP packets.
Examples
# Use 169.254.1.2 as the source IP address of the UDP packets that carry NAT logs.
<Sysname> system-view
[Sysname] userlog nat export source-ip 169.254.1.2
Related commands
userlog nat export host
userlog nat export version
Use userlog nat export version to set the version number of the NAT log packets.
Use undo userlog nat export version to restore the default.
Syntax
userlog nat export version version-number
undo userlog nat export version
Default
The version number of NAT log packets is 1.
Views
System view
Default command level
2: System level
Parameters
version-number: Version number for the NAT log packets. The system supports only version 1.
Examples
# Set the version number of NAT log packets to 1.
<Sysname> system-view
[Sysname] userlog nat export version 1
userlog nat syslog
Use userlog nat syslog to configure the device to export NAT logs to the information center.
Use undo userlog nat syslog to restore the default.
Syntax
userlog nat syslog
undo userlog nat syslog
Default
NAT logs are exported to the NAT log server.
Views
System view
Default command level
2: System level
Usage guidelines
As NAT logs may consume a large volume of memory, H3C recommends that you not export large amounts of NAT logs to the information center.
Examples
# Export NAT logs to the information center.
<Sysname> system-view
[Sysname] userlog nat syslog