04-Layer 3 Command Reference

05-NAT Commands

display nat address-group

Syntax

display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

group-number: NAT address group number. The value range depends on the device model. If this argument is not provided, information about all NAT address pools is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat address-group to display the NAT address pool information.

Related commands: nat address-group.

Examples

# Display the NAT address pool information.
<Sysname> display nat address-group
NAT address-group information:
  There are currently 2 nat address-group(s)
  1     : from         202.110.10.10     to 202.110.10.15
  2     : from         202.110.10.20     to 202.110.10.25

# Display information about NAT address group 1.
<Sysname> display nat address-group 1
NAT address-group information:
  1     : from 202.110.10.10     to 202.110.10.15

Table 1 Command output

Field                                         Description
NAT address-group information                 NAT address pool information.
There are currently 2 nat address-group(s)    There are two NAT address groups.
1 : from 202.110.10.10 to 202.110.10.15       The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15.

 

display nat all

Syntax

display nat all [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat all to display all NAT configuration information.

Examples

# Display all NAT configuration information.
<Sysname> display nat all
NAT address-group information:
  There are currently 1 nat address-group(s)
  1     : from 202.110.10.10     to 202.110.10.15

NAT bound information:
  There are currently 1 nat bound rule(s)
  Interface: Vlan-interface1
    Direction: outbound  ACL: 2009  Address-group: 1    NO-PAT: N

NAT server in private network information:
  There are currently 1 internal server(s)
  Interface: Vlan-interface2, Protocol: 6(tcp)
    Global:         5.5.5.5 : 80(www)
    Local :       192.1.1.1 : 80(www)

NAT static information:
  There are currently 1 NAT static configuration(s)
  single static:
    Local-IP        : 1.1.1.1
    Global-IP       : 2.2.2.2
    Local-VPN       : ---

NAT static enabled information:
  Interface                                      Direction
  Vlan-interface3                                out-static

Table 2 Command output

Field                                               Description
NAT address-group information                       NAT address pool information.
There are currently 1 nat address-group(s)          See the display nat address-group command for descriptions of the specific fields.
NAT bound information                               Configuration information about internal-to-external address translation. See the display nat bound command for descriptions of the specific fields.
There are currently 1 nat bound rule(s)             There is one NAT bound rule.
NAT server in private network information           Internal server information. See the display nat server command for descriptions of the specific fields.
There are currently 1 internal server(s)            There is one internal server.
NAT static information                              Information about static NAT. See the display nat static command for descriptions of the specific fields.
There are currently 1 NAT static configuration(s)   There is one static NAT entry.
NAT static enabled information                      Information about static NAT entries and interfaces with static NAT enabled. See the display nat static command for descriptions of the specific fields.
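Reading this output by hand does not scale across many controllers, so here is an added example (not H3C code) that parses saved display nat all text, using the output above as a constructed sample, and lists what the NAT configuration publishes to the outside: every internal server and every static one-to-one mapping. The regular expressions and the exposed_services helper are this example's own assumptions about the line shapes shown on this page.

```python
import re

# Constructed sample: the 'display nat all' output shown in this section.
SAMPLE = """\
NAT address-group information:
  There are currently 1 nat address-group(s)
  1     : from 202.110.10.10     to 202.110.10.15

NAT bound information:
  There are currently 1 nat bound rule(s)
  Interface: Vlan-interface1
    Direction: outbound  ACL: 2009  Address-group: 1    NO-PAT: N

NAT server in private network information:
  There are currently 1 internal server(s)
  Interface: Vlan-interface2, Protocol: 6(tcp)
    Global:         5.5.5.5 : 80(www)
    Local :       192.1.1.1 : 80(www)

NAT static information:
  There are currently 1 NAT static configuration(s)
  single static:
    Local-IP        : 1.1.1.1
    Global-IP       : 2.2.2.2
    Local-VPN       : ---

NAT static enabled information:
  Interface                                      Direction
  Vlan-interface3                                out-static
"""
# One pattern per line shape; the output pads with variable whitespace, so
# nothing here depends on column positions.
POOL_RE = re.compile(r"^\s*(\d+)\s*:\s*from\s+(\S+)\s+to\s+(\S+)")
IFACE_RE = re.compile(r"^\s*Interface:\s*(\S+?),?(?:\s+Protocol:\s*\d+\((\w+)\))?\s*$")
BOUND_RE = re.compile(r"Direction:\s*(\w+)\s+ACL:\s*(\S+)\s+Address-group:\s*(\S+)\s+NO-PAT:\s*(\w)")
ENDPOINT_RE = re.compile(r"^\s*(Global|Local)\s*:\s*(\S+)\s*:\s*(\d+)")
STATIC_RE = re.compile(r"^\s*(Local-IP|Global-IP|Local-VPN)\s*:\s*(\S+)")
# Section headers, tested in this order so "NAT static enabled" wins over "NAT static".
SECTIONS = [("NAT address-group", "address_groups"), ("NAT bound", "bound"),
            ("NAT server", "servers"), ("NAT static enabled", "static_enabled"),
            ("NAT static", "static")]


def parse_nat_all(text):
    """Turn 'display nat all' text into a dict of record lists, one per section.
    Members of a load-sharing server group (see display nat server) are not parsed."""
    result = {name: [] for _, name in SECTIONS}
    section, iface, current = None, None, None
    for line in text.splitlines():
        if not line.strip() or "There are currently" in line:
            continue
        header = next((name for prefix, name in SECTIONS if line.startswith(prefix)), None)
        if header:
            section = header
        elif section == "address_groups" and (m := POOL_RE.match(line)):
            result[section].append({"group": int(m[1]), "start": m[2], "end": m[3]})
        elif section == "bound":
            if m := IFACE_RE.match(line):
                iface = m[1]                      # applies to the Direction line that follows
            elif m := BOUND_RE.search(line):
                result[section].append({"interface": iface, "direction": m[1], "acl": m[2],
                                        "address_group": m[3], "no_pat": m[4] == "Y"})
        elif section == "servers":
            if m := IFACE_RE.match(line):
                current = {"interface": m[1], "protocol": m[2]}
                result[section].append(current)
            elif (m := ENDPOINT_RE.match(line)) and current is not None:
                current[m[1].lower()] = (m[2], int(m[3]))   # "global"/"local" -> (ip, port)
        elif section == "static" and (m := STATIC_RE.match(line)):
            if m[1] == "Local-IP":                # first line of each static entry
                current = {}
                result[section].append(current)
            current[m[1].lower().replace("-", "_")] = m[2]
        elif section == "static_enabled":
            parts = line.split()
            if len(parts) == 2 and parts[0] != "Interface":   # skip the column header
                result[section].append({"interface": parts[0], "direction": parts[1]})
    return result


def exposed_services(parsed):
    """(global_ip, port, protocol, local_ip) for everything reachable from outside:
    each internal server, plus each static mapping, which exposes every port."""
    out = [(s["global"][0], s["global"][1], s["protocol"], s["local"][0])
           for s in parsed["servers"] if "global" in s and "local" in s]
    out += [(e["global_ip"], "any", "any", e["local_ip"]) for e in parsed["static"]]
    return out
```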

 

display nat bound

Syntax

display nat bound [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat bound to display the NAT address translation configuration on interfaces (the nat inbound and nat outbound associations).

Related commands: nat inbound and nat outbound.

Examples

# Display the NAT configuration information.
<Sysname> display nat bound
NAT bound information:
  There are currently 3 nat bound rule(s)
  Interface:Vlan-interface10
    Direction: outbound  ACL: 2000  Address-group: 319  NO-PAT: Y

  Interface:Vlan-interface10
    Direction: inbound   ACL: 3000  Address-group: 300  NO-PAT: N

  Interface:Vlan-interface20
    Direction: outbound  ACL: 2001  Address-group: ---  NO-PAT: N

Table 3 Command output

Field                                     Description
NAT bound information                     Configured NAT address translation information.
There are currently 3 nat bound rule(s)   There are three NAT bound rules.
Interface                                 Interface associated with a NAT address pool.
Direction                                 Address translation direction (inbound or outbound).
ACL                                       ACL number.
Address-group                             Address group number. The field is displayed as --- (null) in Easy IP mode, where the interface address is used instead of an address group.
NO-PAT                                    Whether NO-PAT mode is enabled (Y or N).

 

display nat dns-map

Syntax

display nat dns-map [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat dns-map to display NAT DNS mapping configuration information.

Related commands: nat dns-map.

Examples

# Display NAT DNS mapping configuration information.
<Sysname> display nat dns-map
NAT DNS mapping information:
  There are currently 2 NAT DNS mapping(s)
  Domain-name: www.server.com
  Global-IP  : 202.113.16.117
  Global-port: 80(www)
  Protocol   : 6(tcp)

  Domain-name: ftp.server.com
  Global-IP  : 202.113.16.100
  Global-port: 21(ftp)
  Protocol   : 6(tcp)

Table 4 Command output

Field                                      Description
NAT DNS mapping information                NAT DNS mapping information.
There are currently 2 NAT DNS mapping(s)   There are two DNS mapping entries.
Domain-name                                Domain name of the internal server.
Global-IP                                  External IP address of the internal server.
Global-port                                Public port number of the internal server.
Protocol                                   Protocol type of the internal server.

 

display nat server

Syntax

display nat server [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat server to display information about internal servers.

Related commands: nat server.

Examples

# Display information about internal servers.
<Sysname> display nat server
NAT server in private network information:
  There are currently 2 internal server(s)
  Interface: Vlan-interface10, Protocol: 6(tcp)
    Global: 100.100.120.120 : 21(ftp)
    Local : 192.168.100.100 : 21(ftp)

  Interface: Vlan-interface11, Protocol: 6(tcp)
    Global: 100.100.100.121 : 80(www)
    Local : 192.168.100.101 : 80(www)            vpn2

# Display information about internal servers, including a load-sharing server group.
<Sysname> display nat server
NAT server in private network information:
  There are currently 2 internal server(s)
  Interface: Vlan-interface1, Protocol: 6(tcp)
    Global:        10.1.1.3 : 80(www)
    Local :         9.9.9.9 : 80(www)

  Interface: Vlan-interface1 Protocol: 6(tcp)
    Global:        10.1.1.1 : 21(ftp)
    Local : (server-group 1)                     vpn2
                    2.2.2.2 : 21(ftp) (Connections: 0)
                    2.2.2.5 : 21(ftp) (Connections: 1)
                    2.2.2.6 : 21(ftp) (Connections: 0)

Table 5 Command output

Field                                       Description
NAT server in private network information   Information about internal servers.
Interface                                   Internal server interface.
Protocol                                    Protocol type.
Global                                      External IP address and port number of a server.
Local                                       Internal IP address and port number of a server.

 

display nat static

Syntax

display nat static [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat static to display static NAT entries and interfaces with static NAT enabled.

Related commands: nat static and nat outbound static.

Examples

# Display static NAT entries and interfaces with static NAT enabled.
<Sysname> display nat static
NAT static information:
  There are currently 1 NAT static configuration(s)
  single static:
    Local-IP        : 4.4.4.4
    Global-IP       : 5.5.5.5
    Local-VPN       : ---

NAT static enabled information:
Interface                         Direction
Vlan-interface11                  out-static

Table 6 Command output

Field                            Description
NAT static information           Configuration information of static NAT.
single static                    One-to-one static NAT.
Local-IP                         Internal IP address.
Global-IP                        External IP address.
Local-VPN                        MPLS L3VPN to which the internal IP address belongs.
NAT static enabled information   Information about static NAT enabled on the interfaces.
Interface                        Interface on which static NAT is configured.
Direction                        Direction of packets to be translated.

 

display nat statistics

Syntax

display nat statistics [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display nat statistics to display NAT statistics.

Examples

# Display NAT statistics.
<Sysname> display nat statistics
  total PAT session table count: 1
  total NO-PAT session table count: 0
  total SERVER session table count: 0
  total STATIC session table count: 0

Table 7 Command output

Field                              Description
total PAT session table count      Number of PAT session entries.
total NO-PAT session table count   Number of NO-PAT session entries.
total SERVER session table count   Number of SERVER session entries.
total STATIC session table count   Number of STATIC session entries.

 

nat address-group

Syntax

nat address-group group-number [ start-address end-address [ level level ]]

undo nat address-group group-number [ start-address end-address [ level level ]]

Views

System view

Default level

2: System level

Parameters

group-number: Index of the address pool. The value ranges from 0 to 255.

start-address: Start IP address of the address pool.

end-address: End IP address of the address pool. The end-address cannot be lower than the start-address. If they are the same, the address pool has only one IP address. The maximum number of IP addresses is 255.

level level: Specifies the level of port numbers assigned in NAPT translation for this address pool. The value is 0 or 1. 0 represents a lower level, and the assignable port numbers range from 35000 to 65535. 1 represents a higher level, and the assignable port numbers range from 1024 to 34999 for devices in stateful failover state, and from 1024 to 65535 for devices not in stateful failover state. The default value is 1. In the asymmetric stateful failover network scenario, configure different port assignment levels for the address pools on the two stateful failover devices.

Description

Use nat address-group to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool. Without the start and end IP addresses specified, the command places you into the address group view.

Use undo nat address-group to remove an address pool or address group.

An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command. The address pools of group members may not be consecutive.

·     You cannot remove an address pool or address group that has been associated with an ACL.

·     Different address pools must not overlap.

·     The address pools of group members must not overlap with each other or with other address pools.

·     The number of addresses in all address pools and address groups cannot exceed 255.

·     An address pool or address group is not needed in the case of Easy IP where the interface's public IP address is used as the translated IP address.

Related commands: display nat address-group.

Examples

# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.
<Sysname> system-view
[Sysname] nat address-group 1 202.110.10.10 202.110.10.15
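Before issuing nat address-group commands on a device, the rules listed above (group number 0 to 255, at most 255 addresses per pool and in total, no overlapping pools, end-address not lower than start-address) can be checked offline. This is an added example, not H3C code; the pool list is constructed from the two pools shown under display nat address-group, and validate_pools and to_commands are this example's own helpers.

```python
import ipaddress

# Limits stated for nat address-group on this page: group-number 0 to 255, at most
# 255 addresses in one pool, and at most 255 addresses across all pools and groups.
MAX_GROUP_NUMBER = 255
MAX_POOL_ADDRESSES = 255
MAX_TOTAL_ADDRESSES = 255

# Constructed sample: the two pools shown in the display nat address-group output.
PLANNED = [(1, "202.110.10.10", "202.110.10.15"), (2, "202.110.10.20", "202.110.10.25")]


def validate_pools(pools):
    """pools: list of (group_number, start_address, end_address), the arguments you
    would give nat address-group. Returns a list of violations; empty means the set
    satisfies the rules in the description above."""
    problems = []
    accepted = {}       # group_number -> (first, last) as integers, for overlap checks
    total = 0
    for group, start, end in pools:
        if not 0 <= group <= MAX_GROUP_NUMBER:
            problems.append(f"group {group}: number is outside 0 to {MAX_GROUP_NUMBER}")
        if group in accepted:
            problems.append(f"group {group}: defined more than once")
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if hi < lo:
            problems.append(f"group {group}: end-address {end} is lower than start-address {start}")
            continue        # a reversed range has no meaningful size
        size = hi - lo + 1  # equal start and end is a one-address pool
        if size > MAX_POOL_ADDRESSES:
            problems.append(f"group {group}: {size} addresses exceeds {MAX_POOL_ADDRESSES}")
        # Two ranges overlap when each starts no later than the other ends.
        for other, (olo, ohi) in accepted.items():
            if other != group and lo <= ohi and olo <= hi:
                problems.append(f"group {group} overlaps group {other}")
        accepted[group] = (lo, hi)
        total += size
    if total > MAX_TOTAL_ADDRESSES:
        problems.append(f"{total} addresses in all pools exceeds {MAX_TOTAL_ADDRESSES}")
    return problems


def to_commands(pools):
    """Render a validated pool set as the system-view commands that create it."""
    return [f"nat address-group {group} {start} {end}" for group, start, end in pools]
```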

nat dns-map

Syntax

nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

undo nat dns-map domain domain-name

Views

System view

Default level

2: System level

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a string containing no more than 255 case-insensitive characters. It consists of several labels separated by dots (.). Each label has no more than 63 characters that must begin and end with letters or digits. Dashes (-) can also be included.

protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.

ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.

port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.

Description

Use nat dns-map to map the domain name to the public network information of an internal server.

Use undo nat dns-map to remove a DNS mapping.

The maximum number of DNS mappings is 16.

Related commands: display nat dns-map.

Examples

# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.
<Sysname> system-view
[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port www

nat outbound

Syntax

nat outbound [ acl-number ] [ address-group group-number [ no-pat ] ] [ track vrrp virtual-router-id ]

undo nat outbound [ acl-number ] [ address-group group-number [ no-pat ] ] [ track vrrp virtual-router-id ]

Views

Interface view

Default level

2: System level

Parameters

acl-number: ACL number in the range of 2000 to 3999.

address-group group-number: Specifies an address pool for NAT. The value of the group-number argument ranges from 0 to 255. If no address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is enabled.

no-pat: Implements many-to-many NAT without using TCP/UDP port information (NO-PAT). If this keyword is not configured, many-to-one NAT (NAPT) is implemented using the TCP/UDP port information.

track vrrp virtual-router-id: Associates address translation on a specific outbound interface with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group in the range of 1 to 255. Without this argument specified, no VRRP group is associated.

Description

Use nat outbound to associate an ACL with the IP address of an outbound interface.

Use undo nat outbound to remove an association.

If an ACL is specified, a packet matching the associated ACL is translated by NAT. If an ACL is not specified, a packet whose source IP address is not the IP address of the outbound interface is translated by NAT.

If no address pool is specified, the IP address of the interface is used directly as the translated address. That is, Easy IP is enabled.

You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to the external network.

When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted. They are aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network whereas all the other users are not affected.

When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.

You can bind an ACL to only one address pool on an interface. An address pool can be bound to multiple ACLs.

In stateful failover networking, make sure you associate each address pool configured on an interface with one VRRP group only. Otherwise, the system associates the address pool with the VRRP group having the highest group ID.

For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address and VPN instance information in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in any two ACL rules are the same, a conflict occurs.

Examples

# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses 202.110.10.10 through 202.110.10.12. Assume that interface VLAN-interface 1 is connected to the Internet.

<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
# Configure address pool 1.
[Sysname] nat address-group 1 202.110.10.10 202.110.10.12
# Use addresses in address pool 1 as translated addresses and TCP/UDP port information.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] nat outbound 2001 address-group 1

# Use addresses in address pool 1 as translated addresses without using TCP/UDP port information.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] nat outbound 2001 address-group 1 no-pat

# Use the IP address of interface VLAN-interface 1 as the translated address.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] nat outbound 2001

nat outbound static

Syntax

nat outbound static [ track vrrp virtual-router-id ]

undo nat outbound static [ track vrrp virtual-router-id ]

Views

Interface view

Default level

2: System level

Parameters

track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. If this option is not specified, no VRRP group is associated.

Description

Use nat outbound static to enable static NAT on an interface, making the configured static NAT mappings take effect.

Use undo nat outbound static to disable static NAT on the interface.

Related commands: display nat static.

Examples

# Configure a one-to-one NAT mapping and enable static NAT on interface VLAN-interface 1.
<Sysname> system-view
[Sysname] nat static 192.168.1.1 2.2.2.2
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] nat outbound static

nat server (for normal NAT server)

Syntax

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port [ track vrrp virtual-router-id ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port [ track vrrp virtual-router-id ]

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] [ track vrrp virtual-router-id ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] [ track vrrp virtual-router-id ]

Views

Interface view

Default level

2: System level

Parameters

protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.

global-address: Public IP address for the internal server.

current-interface: Uses the current interface address as the external IP address for the internal server.

interface: Uses a specific interface address as the external IP address for the internal server, enabling Easy IP.

interface-type interface-number: Specifies the interface type and interface number. Only a loopback interface is supported, and it must already be configured; otherwise, the configuration is considered invalid.

global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. The global-port2 argument must be greater than global-port1.

local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. The local-address2 argument must be greater than local-address1, and the number of addresses must match the number of specified ports.

local-port: Port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20.

·     You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.

·     You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.

global-port: Global port number for the internal server, in the range of 0 to 65535.

local-address: Internal IP address of the internal server.

track vrrp virtual-router-id: Associates the internal server with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group to be associated, in the range of 1 to 255. Without this option specified, no VRRP group is associated.

Description

Use nat server to configure a load-sharing internal server.

Use undo nat server to remove the configuration.

If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined.

Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in an internal network.

The maximum number of internal server configuration commands that can be configured on an interface depends on the device model. The number of internal servers that each command can define equals the difference between global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands.

In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external network.

The device supports using an interface address as the external IP address of an internal server, which is Easy IP. If you specify the current-interface keyword, the internal server uses the current primary IP address of the current interface. If you use interface { interface-type interface-number } to specify an interface, the interface must be an existing loopback interface and the current primary IP address of the loopback interface is used.

H3C recommends that if an internal server using Easy IP is configured on the current interface, the IP address of this interface should not be configured as the external address of another internal server, and vice versa. This is because the interface address referenced by the internal server using Easy IP already serves as the external address of that internal server.

In stateful failover networking, make sure you associate the public address of an internal server on an interface with one VRRP group only. Otherwise, the system associates the public address with the VRRP group having the highest group ID.

When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.

Related commands: display nat server.

Examples

# Allow external hosts to ping the host with an IP address of 10.110.10.12 by using the ping 202.110.10.11 command.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet

# Remove the Web server.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Remove the FTP server.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] undo nat server protocol tcp global 202.110.10.11 21 inside 10.110.10.11 ftp

nat static

Syntax

nat static local-ip global-ip

undo nat static local-ip global-ip

Views

System view

Default level

2: System level

Parameters

local-ip: Internal IP address.

global-ip: External IP address.

Description

Use nat static to configure a one-to-one static NAT mapping.

Use undo nat static to remove a one-to-one static NAT mapping.

Related commands: display nat static.

Examples

# In system view, configure static NAT mapping between internal IP address 192.168.1.1 and external IP address 2.2.2.2.
<Sysname> system-view
[Sysname] nat static 192.168.1.1 2.2.2.2

 
