20-NAT Command Reference


Contents

NAT commands
address
block-size
display nat address-group
display nat address-pool
display nat address-pool-alloc statistics
display nat all
display nat dns-map
display nat eim
display nat eim statistics
display nat instance
display nat log
display nat no-pat
display nat outbound
display nat outbound port-block-group
display nat port-block
display nat port-block-group
display nat server
display nat server-group
display nat session
display nat static
display nat statistics
display nat user-information
failover-group
global-ip-pool
inside ip
local-ip-address
nat address-group
nat alg
nat centralized-backup auto switchback disable
nat centralized-backup enable
nat centralized-backup manual switch
nat dns-map
nat extended-port-block report-radius enable
nat hairpin enable
nat instance
nat log enable
nat log flow-active
nat log flow-begin
nat log flow-end
nat log port-alloc-fail
nat log port-block port-usage threshold
nat log port-block usage threshold
nat log port-block-alloc-fail
nat log port-block-assign
nat log port-block-withdraw
nat mapping-behavior endpoint-independent
nat outbound
nat outbound ds-lite-b4
nat outbound easy-ip failover-group
nat outbound port-block-group
nat port-block flow-trigger enable
nat port-block-group
nat server (interface-based NAT)
nat server (global NAT)
nat server-group
nat service
nat static enable
nat static outbound
nat static outbound net-to-net
port-block
port-limit
port-range
reset nat eim
reset nat session
service-instance-group


NAT commands

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. Each address range can contain a maximum of 256 addresses.

Usage guidelines

A NAT address group or address pool is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

Make sure the address ranges do not overlap.

If a public address range overlaps with the address range in static port block mappings, make sure the port ranges in static port block mappings do not overlap with those in dynamic port block mappings. Otherwise, the device might assign the same IP address and port block to two different users, in which case NAT sessions might not be established for one of them.

When an address group is used by a NAT rule, you cannot use the undo address command to delete an address from the address group.
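The three constraints above (end address not lower than start, at most 256 addresses per range, no overlap between ranges) are easy to get wrong when address groups are generated from a spreadsheet or an IPAM export. The following Python script is an added example, not part of the H3C reference, that checks a planned set of ranges against those constraints before the configuration is pushed; the function names and the sample ranges are my own.

```python
import ipaddress
from typing import List, Tuple

# Limit stated by the address command: each range holds at most 256 addresses.
MAX_RANGE_SIZE = 256


def range_size(start: str, end: str) -> int:
    """Number of addresses in start..end (inclusive); end must not be lower than start."""
    s = int(ipaddress.IPv4Address(start))
    e = int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError(f"end address {end} is lower than start address {start}")
    return e - s + 1


def validate_address_ranges(ranges: List[Tuple[str, str]]) -> List[str]:
    """Check the ranges planned for one address group.

    Returns a list of problems; an empty list means the ranges satisfy the
    ordering, size and non-overlap rules of the address command.
    """
    problems: List[str] = []
    parsed = []
    for start, end in ranges:
        try:
            size = range_size(start, end)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if size > MAX_RANGE_SIZE:
            problems.append(f"range {start}-{end} has {size} addresses, limit is {MAX_RANGE_SIZE}")
        parsed.append((int(ipaddress.IPv4Address(start)),
                       int(ipaddress.IPv4Address(end)), f"{start}-{end}"))

    # Sort by start address and remember the highest end seen so far, so a
    # range that sits inside an earlier, larger range is still reported.
    parsed.sort()
    highest_end = None
    highest_name = None
    for start_int, end_int, name in parsed:
        if highest_end is not None and start_int <= highest_end:
            problems.append(f"range {name} overlaps range {highest_name}")
        if highest_end is None or end_int > highest_end:
            highest_end, highest_name = end_int, name
    return problems


def render_address_group(group_id: int, ranges: List[Tuple[str, str]]) -> List[str]:
    """Produce the configuration lines for a validated address group."""
    problems = validate_address_ranges(ranges)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"nat address-group {group_id}"]
    lines.extend(f" address {start} {end}" for start, end in ranges)
    return lines


if __name__ == "__main__":
    # Constructed sample matching the two ranges in the page's example.
    planned = [("10.1.1.1", "10.1.1.15"), ("10.1.1.20", "10.1.1.30")]
    print("\n".join(render_address_group(2, planned)))
    # A second, deliberately overlapping plan is rejected.
    print(validate_address_ranges([("10.1.1.1", "10.1.1.15"), ("10.1.1.10", "10.1.1.30")]))
```

The overlap check keeps the highest end address seen rather than only comparing neighbours, which matters when one large range encloses several smaller ones; the rendered lines are exactly the view and command lines shown in the Examples section.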

Examples

# Add two address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

nat address-group

block-size

Use block-size to set the port block size.

Use undo block-size to restore the default.

Syntax

block-size block-size

undo block-size

Default

The port block size is 256.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

block-size: Specifies the number of ports for a port block. The value range for this argument is 1 to 65535.

Usage guidelines

Set an appropriate port block size based on the number of private IP addresses, the number of public IP addresses, and the port range in the port block group.

The port block size cannot be larger than the number of ports in the port range.
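Sizing a port block means trading sessions per user against the number of users the public pool can serve. The following Python helper is an added example, not from the H3C reference, that turns the guideline above into numbers: how many whole blocks a port range yields per public address, and the largest block size that still gives every private host a block. The function names are my own; the sample values reuse the port range 10001-65535, block size 500 and the six-address range 202.110.10.60-65 that appear in this reference's display output.

```python
import math
from typing import Dict, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive start and end, e.g. (10001, 65535)


def ports_in_range(port_range: PortRange) -> int:
    start, end = port_range
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range {start}-{end}")
    return end - start + 1


def port_block_capacity(public_addresses: int, port_range: PortRange,
                        block_size: int) -> Dict[str, int]:
    """How many port blocks a group can hand out for a given block size.

    Applies the rule from the block-size command: the block size may not
    exceed the number of ports in the port range. Only whole blocks count;
    leftover ports at the top of the range are not usable as a partial block.
    """
    total_ports = ports_in_range(port_range)
    if not 1 <= block_size <= 65535:
        raise ValueError("block size must be between 1 and 65535")
    if block_size > total_ports:
        raise ValueError(
            f"block size {block_size} exceeds the {total_ports} ports in the port range")
    blocks_per_address = total_ports // block_size
    return {
        "ports_per_address": total_ports,
        "blocks_per_address": blocks_per_address,
        "total_blocks": blocks_per_address * public_addresses,
        "unused_ports_per_address": total_ports - blocks_per_address * block_size,
    }


def largest_block_size(private_hosts: int, public_addresses: int,
                       port_range: PortRange) -> Optional[int]:
    """Largest block size that still gives every private host one block.

    Returns None when the pool cannot serve that many hosts even with
    one-port blocks.
    """
    total_ports = ports_in_range(port_range)
    blocks_needed_per_address = math.ceil(private_hosts / public_addresses)
    if blocks_needed_per_address > total_ports:
        return None
    return total_ports // blocks_needed_per_address


if __name__ == "__main__":
    # Constructed planning input: 6 public addresses, 1000 private hosts.
    print(port_block_capacity(6, (10001, 65535), 500))
    print(largest_block_size(1000, 6, (10001, 65535)))
```

With the page's values, six public addresses and 500-port blocks in 10001-65535 give 111 blocks per address (35 ports left over) and 666 blocks in total; if 1000 private hosts must each get a block, the block size has to drop to 332.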

Examples

# Set the port block size to 1024 for port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] block-size 1024

Related commands

nat port-block-group

display nat address-group

Use display nat address-group to display NAT address group information.

Syntax

display nat address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group, in the range of 0 to 65535. If you do not specify the group-id argument, this command displays information about all NAT address groups.

Examples

# Display information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Failover group name: nat

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Failover group name: trans

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Failover group name: nat

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Failover group name: nat

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 5:

    Port range: 10001-65535

    Port block size: 6400

    Extended block number: 1

    Extended block size: 64

    Address information:

      Start address         End address

      202.110.10.70         202.110.10.75

 

  Address group 6:

    Port range: 1-65535

    Failover group name: nat

    Address information:

      Start address         End address

      ---                   ---

# Display information about NAT address group 1.

<Sysname> display nat address-group 1

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

Table 1 Command output

Address group: ID of the NAT address group.

Port range: Port range for public IP addresses.

Block size: Number of ports in a port block. This field is not displayed if the port block size is not set.

Failover group name: Name of the failover group that is bound to the NAT address group. This field is not displayed if no failover group is specified.

Extended block number: Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.

Extended block size: Number of ports in each extended port block. This field is not displayed if the extended port block size is not set.

Address information: Information about the IP addresses in the address group.

Start address: Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---).

End address: End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---).

 

Related commands

nat address-group
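Auditing a CGN device usually means collecting display output over SSH and checking it mechanically rather than reading it by eye. The following Python parser is an added example, not part of the H3C reference, that turns the display nat address-group output format shown above into structured records, counts the public addresses in each group, and flags groups that have no address range (the "---" rows). The sample text is constructed from three of the groups in the example output; the function names are my own.

```python
import re
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Constructed sample: three of the groups from the display output above.
SAMPLE_OUTPUT = """\
NAT address group information:
  Totally 3 NAT address groups.
  Address group 1:
    Port range: 1-65535
    Failover group name: nat
    Address information:
      Start address         End address
      202.110.10.10         202.110.10.15

  Address group 4:
    Port range: 10001-65535
    Port block size: 500
    Failover group name: nat
    Extended block number: 1
    Address information:
      Start address         End address
      202.110.10.60         202.110.10.65

  Address group 6:
    Port range: 1-65535
    Failover group name: nat
    Address information:
      Start address         End address
      ---                   ---
"""

GROUP_RE = re.compile(r"^\s*Address group (\d+):\s*$")
# "Key: value" settings lines; "Address information:" has no value and is skipped.
SETTING_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^\s*({IPV4}|---)\s+({IPV4}|---)\s*$")


def parse_address_groups(text: str) -> List[Dict]:
    """Parse display nat address-group output into one dict per group."""
    groups: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "settings": {}, "ranges": []}
            groups.append(current)
            continue
        if current is None:
            continue  # banner and "Totally n" lines precede the first group
        m = RANGE_RE.match(line)
        if m:
            if m.group(1) != "---":  # "---" means no range is configured
                current["ranges"].append((m.group(1), m.group(2)))
            continue
        m = SETTING_RE.match(line)
        if m:
            current["settings"][m.group(1)] = m.group(2)
    return groups


def public_address_count(group: Dict) -> int:
    """Total public addresses across the group's ranges."""
    return sum(int(IPv4Address(end)) - int(IPv4Address(start)) + 1
               for start, end in group["ranges"])


def port_range(group: Dict) -> Tuple[int, int]:
    low, high = group["settings"]["Port range"].split("-")
    return int(low), int(high)


def audit_address_groups(groups: List[Dict]) -> List[str]:
    """Flag groups that cannot translate anything because no range is configured."""
    return [f"address group {g['id']}: no address range configured"
            for g in groups if not g["ranges"]]


if __name__ == "__main__":
    parsed = parse_address_groups(SAMPLE_OUTPUT)
    for g in parsed:
        print(g["id"], public_address_count(g), port_range(g), g["settings"])
    print(audit_address_groups(parsed))
```

The settings regex is deliberately permissive so that optional fields such as Port block size or Extended block number are captured whenever they appear, without the parser having to know the full field list in advance.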

display nat address-pool

Use display nat address-pool to display NAT address pool configuration.

Syntax

display nat address-pool [ pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Specifies a NAT address pool by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this argument, this command displays information about all NAT address pools.

Usage guidelines

This command is supported only on CP devices.

Examples

# Display configuration about all NAT address pools.

<Sysname> display nat address-pool

NAT address pool information:

  Totally 1 NAT address pools.

  Address pool vbras:

    IP block size: 10

    Port range: 10001-65535

    Port block size: 500

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

Table 2 Command output

Totally n NAT address pools: Total number of NAT address pools.

Address pool name: Name of the NAT address pool.

IP block size: Maximum number of IP addresses that can be allocated to one address group.

Port range: Port range for public IP addresses.

Port block size: Number of ports in a port block.

Address information: Information about the IP addresses in the address pool.

Start address: Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---).

End address: End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---).

 

Related commands

nat address-pool

display nat address-pool-alloc statistics

Use display nat address-pool-alloc statistics to display allocation statistics for NAT address pools.

Syntax

display nat address-pool-alloc [ pool-name ] statistics [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Specifies a NAT address pool by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this argument, this command displays allocation statistics for all NAT address pools.

verbose: Displays detailed information about NAT address pool allocation. If you do not specify this keyword, this command displays brief information about NAT address pool allocation.

Usage guidelines

You can only execute this command on CP devices.

Examples

# Display brief information about NAT address pool allocation statistics.

<Sysname> display nat address-pool-alloc statistics

NAT address pool allocation statistics:

  Totally 1 NAT address pools.

  Address pool vbras:

    Total ip block entries: 10

    Active ip port block entries: 0

# Display detailed information about NAT address pool allocation statistics.

<Sysname> display nat address-pool-alloc statistics verbose

NAT address pool allocation statistics:

  Totally 1 NAT address pools.

  Address pool vbras:

VXLAN ID          DP_ADDR          Start address         End address

100               1.1.1.1          200.110.10.60         200.110.10.65

200               2.2.2.2          210.110.10.60         210.110.10.65

Table 3 Command output

Totally n NAT address pools: Total number of NAT address pools.

Address pool name: Name of the NAT address pool.

Total ip block entries: Total number of IP blocks that can be allocated to address groups.

Active ip block entries: Number of IP blocks that have been allocated to address groups.

VXLAN ID: VXLAN ID.

DP_ADDR: IP address of the DP at one end of the VXLAN tunnel.

Start address: Start IP address of the IP address range.

End address: End IP address of the IP address range.

 

Related commands

nat address-pool

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (In standalone mode.) Display all NAT configuration information. (Interface-based NAT.)

<Sysname> display nat all

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Failover group name: nat

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Failover group name: group1

    Failover group name: trans

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Failover group name: abc

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Failover group name: trans

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 5:

    Port range: 10001-65535

    Port block size: 6400

    Extended block number: 1

    Extended block size: 64

    Address information:

      Start address         End address

      202.110.10.70         202.110.10.75

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet3/1/2

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: address group, and ACL.

 

  Interface: GigabitEthernet3/1/2

    ACL: 2037         Address group: 1      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Config status: Active

 

NAT internal server information:

  Totally 4 internal servers.

  Interface: GigabitEthernet3/1/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Service card  : Slot 3

    Config status : Active

 

  Interface: GigabitEthernet3/1/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Service card  : Slot 3

    Config status : Active

 

  Interface: GigabitEthernet3/1/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Service card  : Slot 3

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

 

  Interface: GigabitEthernet3/1/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    192.168.0.26/23       (Connections: 10)

                    192.168.0.27/23       (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Service card  : Slot 3

    Config status : Active

 

Static NAT mappings:

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Failover group name: abc

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL:         : 2001

    Reversible   : Y

    Failover group name: group1

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet3/1/4

    Service card : Slot 3

    Config status: Active

  Interface: GigabitEthernet3/1/6

    Service card : ---

    Config status: Active

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

NAT logging:

  Log enable               : Enabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Enabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(40%)

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet3/1/4

    Service card : Slot 3

    Config status: Active

 

  Interface: GigabitEthernet3/1/6

    Service card : Slot 3

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Connection-dependent

 

NAT ALG:

  DNS        : Disabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Disabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Failover group name: group1

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          vpnb

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet3/1/2

    Port-block-group: 2

    Config status   : Active

 

  Interface: GigabitEthernet3/1/2

    Port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

The output shows all NAT configuration information. Table 4 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 4 Command output

NAT address group information: Information about the NAT address group. See Table 1 for output description.

NAT Instance information: Information about NAT instances. See Table 8 for output description.

NAT server group information: Information about the internal server group. See Table 17 for output description.

NAT outbound information: Outbound dynamic NAT configuration. See Table 11 for output description.

NAT internal server information: NAT Server configuration. See Table 16 for output description.

Static NAT mappings: Static NAT mappings. See Table 19 for output description.

NAT DNS mappings: NAT DNS mappings. See Table 5 for output description.

NAT logging: NAT logging configuration. See Table 9 for output description.

NAT hairpinning: NAT hairpin configuration.

Totally n interfaces enabled with NAT hairpinning: Number of interfaces with NAT hairpin enabled. If NAT hairpin is not configured, this field is not displayed.

Interface: NAT hairpin-enabled interface.

Service card: Service card that processes NAT traffic. If no service card is specified on the interface, this field displays hyphens (---).

Config status: Status of the NAT hairpin configuration: Active or Inactive.

NAT Mapping mode: Mapping mode of PAT: Endpoint-Independent or Connection-dependent.

NAT ALG: NAT ALG configuration for different protocols.

NAT port block group information: Configuration information about NAT port block groups. See Table 15 for output description.

NAT outbound port block group information: Configuration information about static port block mapping. See Table 12 for output description.
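Every section of the display nat all output carries a Config status line, and an Inactive status is followed by a "Reasons for inactive status" line naming the missing ACL, address group, VPN instance or interface address. An operator health check wants those pulled out of the full dump automatically. The Python script below is an added example, not from the H3C reference, that walks the output section by section, remembers the current item (Interface, Domain name, Net-to-net or IP-to-IP), and collects every Inactive item with its parsed reasons. The sample text is constructed from two sections of the output above; the function and regex names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: two sections excerpted from the display nat all output above.
SAMPLE_OUTPUT = """\
NAT outbound information:
  Totally 2 NAT outbound rules.
  Interface: GigabitEthernet3/1/2
    ACL: 2036         Address group: 1      Port-preserved: Y
    NO-PAT: N         Reversible: N
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: address group, and ACL.

  Interface: GigabitEthernet3/1/2
    ACL: 2037         Address group: 1      Port-preserved: N
    NO-PAT: Y         Reversible: Y
    VPN instance: vpn_nat
    Config status: Active

NAT DNS mappings:
  Totally 2 NAT DNS mappings.
  Domain name  : www.server.com
  Global IP    : 6.6.6.6
  Global port  : 23
  Protocol     : TCP(6)
  Config status: Active

  Domain name  : www.service.com
  Global IP    : ---
  Global port  : 12
  Protocol     : TCP(6)
  Config status: Inactive
  Reasons for inactive status:
    The following items don't exist or aren't effective: interface IP address.
"""

SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")  # unindented headings such as "NAT logging:"
ITEM_RE = re.compile(r"^\s+(Interface|Domain name|Net-to-net|IP-to-IP)\s*:?\s*(.*?)\s*$")
STATUS_RE = re.compile(r"^\s+Config status\s*:\s*(Active|Inactive)\s*$")
REASON_RE = re.compile(r"^\s+The following items don't exist or aren't effective:\s*(.*?)\.?\s*$")


def find_inactive(text: str) -> List[Dict]:
    """Return every item whose Config status is Inactive, with section and reasons."""
    section: Optional[str] = None
    item: Optional[str] = None
    pending: Optional[Dict] = None
    results: List[Dict] = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, item, pending = m.group(1), None, None
            continue
        m = ITEM_RE.match(line)
        if m:
            item = f"{m.group(1)} {m.group(2)}".strip()
            pending = None
            continue
        m = STATUS_RE.match(line)
        if m:
            if m.group(1) == "Inactive":
                pending = {"section": section, "item": item, "reasons": []}
                results.append(pending)
            continue
        m = REASON_RE.match(line)
        if m and pending is not None:
            # "address group, and ACL" -> ["address group", "ACL"]
            pending["reasons"] = [r for r in re.split(r",\s*(?:and\s+)?", m.group(1)) if r]
            pending = None
    return results


def report_lines(results: List[Dict]) -> List[str]:
    return [f"[{r['section']}] {r['item']}: inactive ({', '.join(r['reasons']) or 'no reason given'})"
            for r in results]


if __name__ == "__main__":
    print("\n".join(report_lines(find_inactive(SAMPLE_OUTPUT))))
```

Because the section heading is the only unindented line ending in a colon, the same loop works across all the sections shown in the output above; an inactive outbound rule and an inactive DNS mapping both end up in one list that can be fed to a monitoring check.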

 

display nat dns-map

Use display nat dns-map to display NAT DNS mapping configuration.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT DNS mapping configuration.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

Table 5 Command output

NAT DNS mapping information: Information about NAT DNS mappings.

Domain name: Domain name of the internal server.

Global IP: Public IP address of the internal server.

· If Easy IP is configured, this field displays the IP address of the specified interface.

· If you do not specify a public IP address, this field displays hyphens (---).

Global port: Public port number of the internal server.

Protocol: Protocol name and number of the internal server.

Config status: Status of the DNS mapping configuration: Active or Inactive.

Reasons for inactive status: Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat dns-map

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

In standalone mode:

display nat eim [ slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ]

In IRF mode:

display nat eim [ chassis chassis-number slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays EIM entries for all cards. (In IRF mode.)

protocol: Specifies a protocol by its type.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip local-ip: Displays EIM entry information for a private IP address. The local-ip argument specifies a private IP address.

local-ip b4 ipv6-address: Displays EIM entry information for a B4 device IP address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-port local-port: Displays EIM entry information for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Displays EIM entry information for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Displays EIM entry information for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

Usage guidelines

EIM entries are created when PAT operates in EIM mode. An EIM entry is a 3-tuple entry that records the mapping between a private address/port and a public address/port.

The EIM entry provides the following functions:

· The same EIM entry applies to subsequent connections initiated from the same source IP and port.

· The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.
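The two properties above are what distinguish endpoint-independent mapping from the connection-dependent mode: the mapping key contains only the protocol and the private address/port, so the external destination never influences which public port is used, and any external host that learns the public address/port can have its packets reverse-translated. The Python class below is an added example, not from the H3C reference, that models such a table for a single public address so the behaviour can be observed directly; the class and method names, the port allocation starting at 2048, and the sample endpoints are my own, chosen to resemble the entries in the display output below.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip address, port)
MappingKey = Tuple[str, str, int]   # (protocol, private ip, private port)


class EimTable:
    """Toy endpoint-independent mapping table for one public address.

    The key is only the protocol and the private address/port; the external
    destination plays no part, which is what makes the mapping endpoint-independent.
    """

    def __init__(self, public_ip: str, first_port: int = 2048) -> None:
        self.public_ip = public_ip
        self._next_port = first_port          # simplistic sequential allocator
        self._forward: Dict[MappingKey, Endpoint] = {}
        self._reverse: Dict[Tuple[str, Endpoint], MappingKey] = {}

    def translate_outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Return the public address/port for a packet from an internal host.

        dst is accepted only to show that it is ignored: a later connection from
        the same src to any other destination reuses the same entry.
        """
        key = (proto, src[0], src[1])
        if key not in self._forward:
            public = (self.public_ip, self._next_port)
            self._next_port += 1
            self._forward[key] = public
            self._reverse[(proto, public)] = key
        return self._forward[key]

    def translate_inbound(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        """Reverse-translate a packet from any external host to a mapped public port.

        Returns None (drop) when no EIM entry exists for that public address/port.
        """
        key = self._reverse.get((proto, dst))
        if key is None:
            return None
        return (key[1], key[2])

    def entry_count(self) -> int:
        return len(self._forward)


if __name__ == "__main__":
    table = EimTable("200.100.1.100")
    inside = ("192.168.100.100", 1024)
    print(table.translate_outbound("tcp", inside, ("203.0.113.10", 443)))   # new entry
    print(table.translate_outbound("tcp", inside, ("198.51.100.7", 80)))    # same entry reused
    print(table.translate_inbound("tcp", ("200.100.1.100", 2048)))          # reverse translation
    print(table.translate_inbound("tcp", ("200.100.1.100", 9999)))          # no entry: None
```

Note that translate_inbound does not look at the external source at all: that is the reverse-translation property the second bullet describes, and it is why an EIM-mode CGN is normally paired with an ACL or session-based filtering on the public side when unsolicited inbound traffic is not wanted.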

Examples

# Display information about EIM entries for the specified slot.

<Sysname> display nat eim slot 3

Slot 3:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: group1

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

DS-Lite tunnel peer: -

Protocol: UDP(17)

Failover group name: group1

 

Total entries found: 2

# Display information about NAT EIM entries for TCP on the specified slot.

<Sysname> display nat eim slot 3 protocol tcp

Slot 3:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: group1

 

Total entries found: 1

Table 6 Command output

DS-Lite tunnel peer: DS-Lite tunnel B4 address. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

Local VPN: MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN: MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Protocol: Protocol name and number.

Failover group name: Failover group name. If no failover group is specified, this field displays a hyphen (-).

Total entries found: Total number of EIM entries.

 

Related commands

nat mapping-behavior

nat outbound

display nat eim statistics

Use display nat eim statistics to display NAT EIM entry statistics.

Syntax

In standalone mode:

display nat eim statistics [ slot slot-number ]

In IRF mode:

display nat eim statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays EIM entry statistics for all cards. (In IRF mode.)

Usage guidelines

NAT EIM entry statistics include the following information:

· The number of EIM entries.

· The creation rate of EIM entries for TCP.

· The creation rate of EIM entries for UDP.

Examples

# Display EIM entry statistics for the specified slot.

<Sysname> display nat eim statistics slot 3

EIM: Total EIM entries.

TCP: Total EIM entries for TCP.

UDP: Total EIM entries for UDP.

Rate: Creating rate of EIM entries.

TCP rate: Creating rate of EIM entries for TCP.

UDP rate: Creating rate of EIM entries for UDP.

Slot EIM       TCP       UDP       Rate          TCP rate      UDP rate

                                  (entries/s)   (entries/s)   (entries/s)

2    0         0         0         0             0             0

Table 7 Command output

Total EIM entries: Total number of EIM entries.

Total EIM entries for TCP: Total number of EIM entries for TCP.

Total EIM entries for UDP: Total number of EIM entries for UDP.

Creating rate of EIM entries: Creation rate of EIM entries.

Creating rate of EIM entries for TCP: Creation rate of EIM entries for TCP.

Creating rate of EIM entries for UDP: Creation rate of EIM entries for UDP.

 

Related commands

nat mapping-behavior

display nat instance

Use display nat instance to display NAT instance configuration information.

Syntax

display nat instance [ instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this argument, the command displays configuration information about all NAT instances.

Examples

# Display configuration information about all NAT instances.

<Sysname> display nat instance

NAT Instance information:

  Totally 2 NAT instance.

  Instance instance1:

    Instance ID: 10

    service-instance-group sgrp

    flow trigger alloc port block

    nat outbound 3000 address-group 1

    nat outbound port-block-group 1

    nat centralized-backup enable

    nat centralized-backup manual switch

    nat centralized-backup auto switchback disable

 

  Instance instance2:

    Instance ID: 11

    service-instance-group group1

# Display configuration information about the specified NAT instance.

<Sysname> display nat instance instance1

  Instance instance1:

    Instance ID: 10

    nat outbound acl 3000 address-group 1

    nat outbound port-block-group 1

    service-instance-group group1

    nat port-block flow-trigger enable

    nat centralized-backup enable

    nat centralized-backup manual switch

    nat centralized-backup auto switchback disable

Table 8 Command output

Totally n NAT instances: Total number of NAT instances.

Instance xxx: Name of the NAT instance.

Instance ID: NAT instance ID.

nat outbound acl 3000 address-group 1: Outbound dynamic NAT rule.

nat outbound port-block-group 1: Outbound static NAT port block mapping.

service-instance-group group1: Service instance group associated with the NAT instance.

flow trigger alloc port block: Whether flow-triggered port block assignment is enabled. This field is not displayed if flow-triggered port block assignment is disabled.

nat centralized-backup enable: Centralized backup is enabled for distributed CGN.

nat centralized-backup manual switch: Traffic on the distributed CGN device is manually switched to the centralized CGN device.

nat centralized-backup auto switchback disable: Traffic auto switchback from the centralized CGN device to the distributed CGN device is disabled.

 

Related commands

nat instance

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration.

<Sysname> display nat log

NAT logging:

  Log enable               : Enabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Enabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(40%)

Table 9 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Whether NAT logging is enabled.

·         Enabled—NAT logging is enabled. If an ACL is specified for NAT logging, this field also displays the ACL number or name.

·         Disabled—NAT logging is disabled.

Flow-begin

Whether logging is enabled for NAT session establishment events.

Flow-end

Whether logging is enabled for NAT session removal events.

Flow-active

Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated.

Port-block-assign

Whether logging is enabled for NAT444 port block assignment.

Port-block-withdraw

Whether logging is enabled for NAT444 port block withdrawal.

Port-alloc-fail

Whether logging is enabled for NAT port allocation failures.

Port-block-alloc-fail

Whether logging is enabled for NAT port block assignment failures.

Port-usage

Whether logging is enabled for port usage in port blocks. If logging for port usage in port blocks is enabled, this field also displays the usage threshold in percentage.

Port-block-usage

Whether logging is enabled for port block usage. If logging for port block usage is enabled, this field also displays the port block usage threshold in percentage. The default threshold is 90%.
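The fields in Table 9 decide whether a public IP/port seen later in an abuse report can be traced back to the subscriber that held it. The following added example (not part of the H3C command reference) parses a constructed `display nat log` output in the format shown above and lists the logging gaps that would break that trace; the parsed sample and the check thresholds are the example's own assumptions.

```python
"""Parse the output of `display nat log` and audit it for logging gaps.

Added example, not part of the H3C command reference. The sample output
is constructed in the format shown in this section (Table 9 fields).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, in the format shown for `display nat log`.
SAMPLE_OUTPUT = """\
NAT logging:
  Log enable               : Enabled
  Flow-begin               : Disabled
  Flow-end                 : Disabled
  Flow-active              : Disabled
  Port-block-assign        : Disabled
  Port-block-withdraw      : Disabled
  Port-alloc-fail          : Enabled
  Port-block-alloc-fail    : Disabled
  Port-usage               : Disabled
  Port-block-usage         : Enabled(40%)
"""

# "<Name>   : Enabled" or "Disabled", with an optional parenthesised detail
# (ACL for Log enable, interval for Flow-active, threshold for the usage fields).
LINE_RE = re.compile(
    r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(Enabled|Disabled)(?:\((.*?)\))?\s*$"
)

Field = Tuple[bool, Optional[str]]   # (enabled, detail)


def parse_nat_log(text: str) -> Dict[str, Field]:
    """Return {field name: (enabled, detail)}; lines without a state are ignored."""
    fields: Dict[str, Field] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, state, detail = m.groups()
            fields[name] = (state == "Enabled", detail)
    return fields


def audit_nat_log(fields: Dict[str, Field]) -> List[str]:
    """List the gaps that would prevent tracing a public IP/port back to a subscriber.

    With CGN, many private hosts share one public address; only the session
    logs (Flow-begin/Flow-end) or the port block logs (assign/withdraw) tie a
    public port to the private host that held it at a given time.
    """
    def enabled(name: str) -> bool:
        return fields.get(name, (False, None))[0]

    findings: List[str] = []
    if not enabled("Log enable"):
        findings.append("Log enable is Disabled: no NAT events are recorded at all")
        return findings
    if not (enabled("Flow-begin") and enabled("Flow-end")):
        findings.append("Flow-begin/Flow-end not both Enabled: per-session start and end times are incomplete")
    if not (enabled("Port-block-assign") and enabled("Port-block-withdraw")):
        findings.append("Port-block-assign/Port-block-withdraw not both Enabled: port block ownership history is incomplete")
    if not (enabled("Port-alloc-fail") and enabled("Port-block-alloc-fail")):
        findings.append("Port-alloc-fail/Port-block-alloc-fail not both Enabled: public resource exhaustion goes unlogged")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_log(parse_nat_log(SAMPLE_OUTPUT)):
        print("-", finding)
```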

 

Related commands

nat log enable

nat log flow-active

nat log flow-begin

display nat no-pat

Use display nat no-pat to display information about NAT NO-PAT entries.

Syntax

In standalone mode:

display nat no-pat [ slot slot-number ]

In IRF mode:

display nat no-pat [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NO-PAT entries for all cards. (In IRF mode.)

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

The NO-PAT entry provides the following functions:

·          The same entry applies to subsequent connections initiated from the same source IP address.

·          The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Examples

# Display information about NO-PAT entries for the specified slot.

<Sysname> display nat no-pat slot 3

Slot 3:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Outbound

 

Total entries found: 1

Table 10 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Reversible

Whether reverse address translation is allowed:

·         Y—Reverse address translation is allowed.

·         N—Reverse address translation is not allowed.

Type

Type of the NO-PAT entry:

Outbound—A NO-PAT entry created during outbound dynamic NAT.

Total entries found

Total number of NO-PAT entries.

 

Related commands

nat outbound

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet3/1/1

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Service card: Slot 3

    Config status: Active

 

  Interface: GigabitEthernet3/1/2

    ACL: 2037         Address group: 2      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Service card: Slot 3

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: global VPN, and ACL.

 

  Interface: GigabitEthernet3/1/1

    DS-Lite B4 ACL: 2100         Address group: 0      Port-preserved: N

    NO-PAT: N         Reversible: N

    Service card: Slot 3

    Config status: Active

Table 11 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT.

Interface

Interface where the outbound dynamic NAT rule is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).

DS-Lite B4 ACL

Number or name of the IPv6 ACL used by DS-Lite port block mapping.

Address group

Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---).

Port-preserved

Whether to try to preserve the port numbers for PAT.

NO-PAT

Whether NO-PAT is used:

·         Y—NO-PAT is used.

·         N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·         Y—Reverse address translation is allowed.

·         N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field displays hyphens (---).

Config status

Status of the outbound dynamic NAT configuration: Active or Inactive.

Reasons for inactive status

Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive. The following are possible reasons that the system will display:

·         The following items don't exist or aren't effective: global VPN, interface IP address, address group, and ACL.

·         NAT address conflicts.
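The usage guidelines for display nat no-pat above state that NO-PAT entries allow reverse translation for connections initiated from external hosts, and the Reversible and Config status fields in Table 11 show which outbound rules carry that behaviour. The following added example (not part of the H3C command reference) parses a constructed `display nat outbound` output in the format shown above and flags inactive rules together with rules that allow reverse translation; the sample rules are the example's own assumptions.

```python
"""Parse the output of `display nat outbound` and flag rules that need attention.

Added example, not part of the H3C command reference. The sample output is
constructed in the format shown in this section (Table 11 fields).
"""
import re
from typing import Dict, List

# Constructed sample in the format shown for `display nat outbound`.
SAMPLE_OUTPUT = """\
NAT outbound information:
  Totally 3 NAT outbound rules.
  Interface: GigabitEthernet3/1/1
    ACL: 2036         Address group: 1      Port-preserved: Y
    NO-PAT: N         Reversible: N
    Service card: Slot 3
    Config status: Active

  Interface: GigabitEthernet3/1/2
    ACL: 2037         Address group: 2      Port-preserved: N
    NO-PAT: Y         Reversible: Y
    VPN instance: vpn_nat
    Service card: Slot 3
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: global VPN, and ACL.

  Interface: GigabitEthernet3/1/1
    DS-Lite B4 ACL: 2100         Address group: 0      Port-preserved: N
    NO-PAT: N         Reversible: N
    Service card: Slot 3
    Config status: Active
"""

# One "Key: value" pair; a line may carry several, separated by two or more spaces.
KV_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /-]*?):\s*(.*?)(?=\s{2,}|$)")


def parse_nat_outbound(text: str) -> List[Dict[str, object]]:
    """Return one dict per rule; free-text reasons are collected under 'reasons'."""
    rules: List[Dict[str, object]] = []
    rule = None
    in_reasons = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            rule = {"Interface": line.split(":", 1)[1].strip(), "reasons": []}
            rules.append(rule)
            in_reasons = False
        elif rule is None:
            continue  # header lines before the first rule
        elif line.startswith("Reasons for inactive status"):
            in_reasons = True
        elif in_reasons:
            rule["reasons"].append(line)
        else:
            for key, value in KV_RE.findall(line):
                rule[key] = value
    return rules


def audit_nat_outbound(rules) -> List[str]:
    """Flag inactive rules and rules that permit externally initiated connections."""
    findings: List[str] = []
    for r in rules:
        tag = f"{r['Interface']} (ACL {r.get('ACL') or r.get('DS-Lite B4 ACL') or '---'})"
        if r.get("Config status") != "Active":
            why = " ".join(r["reasons"]) or "no reason given"
            findings.append(f"{tag}: rule is not active: {why}")
        if r.get("Reversible") == "Y":
            # NO-PAT entries with reverse translation let external hosts
            # initiate connections to the internal hosts they map.
            findings.append(f"{tag}: reverse translation allowed; external hosts can initiate connections to the mapped internal hosts")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_outbound(parse_nat_outbound(SAMPLE_OUTPUT)):
        print("-", finding)
```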

 

Related commands

nat outbound

display nat outbound port-block-group

Use display nat outbound port-block-group to display information about NAT port block group application.

Syntax

display nat outbound port-block-group

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about NAT port block group application.

<Sysname> display nat outbound port-block-group

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet3/1/2

    Port-block-group: 2

    Config status   : Active

 

  Interface: GigabitEthernet3/1/2

    Port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

Table 12 Command output

Field

Description

Interface

Interface to which a port block group is applied.

Port-block-group

ID of the port block group.

Config status

Status of the port block group application: Active or Inactive.

Reasons for inactive status

Reasons why the port block group application fails. This field is available when the Config status is Inactive.

 

Related commands

nat outbound port-block-group

display nat port-block

Use display nat port-block to display NAT port block mappings.

Syntax

In standalone mode:

display nat port-block { dynamic [ ds-lite-b4 ] | static } [ ip ipv4-source-address ] [ slot slot-number ] [ verbose ]

display nat port-block dynamic ds-lite-b4 [ ipv6 ipv6-source-address ] [ slot slot-number ] [ verbose ]

In IRF mode:

display nat port-block { dynamic [ ds-lite-b4 ] | static } [ ip ipv4-source-address ] [ chassis chassis-number slot slot-number ] [ verbose ]

display nat port-block { dynamic [ ds-lite-b4 ] | static } [ ipv6 ipv6-source-address ] [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays dynamic port block mappings.

ds-lite-b4: Displays port block mappings for DS-Lite.

static: Displays static port block mappings.

ip ipv4-source-address: Specifies a source IPv4 address. The IPv4 address must be the private source IPv4 address in a port block mapping.

ipv6 ipv6-source-address: Specifies a source IPv6 address. The IPv6 address must be the private source IPv6 address in a port block mapping.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays port block mappings for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays port block mappings for all cards. (In IRF mode.)

verbose: Displays detailed information about NAT port block mappings. If you do not specify this keyword, this command displays brief information about NAT port block mappings.

Examples

# (In standalone mode.) Display static port block mappings for the specified slot.

<Sysname> display nat port-block static slot 3

Slot 3:

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           100.100.100.111  202.202.100.101  10001-10256  0            ---

---           100.100.100.112  202.202.100.101  10257-10512  0            ---

---           100.100.100.113  202.202.100.101  10513-10768  0            ---

vpn01         100.100.100.113  202.202.100.101  10769-11024  0            ---

---           100.100.100.114  0.0.0.0          ---          0            ---

Total mappings found: 5

# (In standalone mode.) Display detailed information about static port block mappings.

<Sysname> display nat port-block static slot 3 verbose

Slot 3:

    Static port block entry

Local IP         : 200.1.24.219

Local vpn        : ---(0)

Global IP        : 202.2.1.8

Global vpn       : ---(0)

Port block       : 24774-26023

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

    Static port block entry

Local IP         : 200.1.40.231

Local vpn        : ---(0)

Global IP        : 0.0.0.0

Global vpn       : ---(0)

Port block       : ---

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

Total mappings found: 2

# Display dynamic port block mappings for the specified slot.

<Sysname> display nat port-block dynamic slot 3

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           101.1.1.12       192.168.135.201  10001-11024  1            ---

Total mappings found: 1

# Display DS-Lite port block mappings for the specified slot.

<Sysname> display nat port-block dynamic ds-lite-b4 slot 3

Slot 3:

Local VPN    DS-Lite B4 addr      Global IP       Port block  Connections Extend

---          2000::2              192.168.135.201 10001-11024 1           ---

Total mappings found: 1

# Display detailed information about dynamic port block mappings for the specified slot.

<Sysname> display nat port-block dynamic slot 3 verbose

Slot 3:

Dynamic port block entry

Local IP         : 200.1.24.219

Local vpn        : ---(0)

Global IP        : 202.2.1.8

Global vpn       : ---(0)

Port block       : 24774-26023

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

 

Dynamic port block entry

Local IP         : 200.1.40.231

Local vpn        : ---(0)

Global IP        : 202.2.1.10

Global vpn       : ---(0)

Port block       : 32274-33523

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

 

Total mappings found: 2

# Display detailed information about static port block mappings for the specified slot.

<Sysname> display nat port-block static slot 3 verbose

Slot 3:

    Static port block entry

Local IP         : 200.1.24.219

Local vpn        : ---(0)

Global IP        : 202.2.1.8

Global vpn       : ---(0)

Port block       : 24774-26023

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

 

    Static port block entry

Local IP         : 200.1.40.231

Local vpn        : ---(0)

Global IP        : 0.0.0.0

Global vpn       : ---(0)

Port block       : ---

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

 

Total mappings found: 2

Table 13 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field displays hyphens (---).

Local IP

Private IP address.

DS-Lite B4 addr

IPv6 address of the DS-Lite B4 element.

Global IP

Public IP address. If no public address is allocated due to insufficient public network resources, this field displays 0.0.0.0.

Port block

Port block defined by a start port and an end port. If public network resources are insufficient, this field displays hyphens (---).

Connections

Number of connections established by using the ports in the port block.

Extend

Ext indicates an extended port block. If the port block is not an extended port block, this field displays hyphens (---).

Total mappings found

Total number of port block mappings.

 

Table 14 Command output

Field

Description

Local IP

Private IP address.

Local vpn

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field displays ---(0).

Global IP

Global IP address. If no public address is allocated due to insufficient public network resources, this field displays 0.0.0.0.

Global vpn

MPLS L3VPN instance to which the global IP address belongs. If the global IP address does not belong to any VPN instance, this field displays ---(0).

Port block

Port block defined by a start port number and an end port number. If public network resources are insufficient, this field displays hyphens (---).

Connections

Number of connections established by using the ports in the port block.

FailgroupID

ID of the failover group to which port block mappings belong.

PortLimit TCP

Maximum number of ports that can be assigned to TCP.

PortLimit UDP

Maximum number of ports that can be assigned to UDP.

PortLimit ICMP

Maximum number of ports that can be assigned to ICMP.

PortLimit total

Maximum number of ports that are available for assignment.

PortUsed  TCP

Number of ports assigned to TCP packets.

PortUsed  UDP

Number of ports assigned to UDP packets.

PortUsed  ICMP

Number of ports assigned to ICMP packets.

PortUsed  total

Total number of ports in use.

Extend port block

Whether the port block is an extended port block:

·         Y—The port block is an extended port block.

·         N—The port block is not an extended port block.

Total mappings found

Total number of port block mappings.
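A port block mapping (Table 13) is what lets a defender answer an abuse report that names a public IP and port: the block that covers the port identifies the private host. The following added example (not part of the H3C command reference) parses a constructed brief IPv4 `display nat port-block` table in the format shown above, looks up a public IP/port, and lists hosts whose allocation failed (Global IP 0.0.0.0, Port block ---); the sample rows are the example's own assumptions, and the DS-Lite B4 variant with an IPv6 column is not handled.

```python
"""Parse the brief table of `display nat port-block` and map a public
IP/port back to the private host that holds it.

Added example, not part of the H3C command reference. The sample table
below is constructed in the brief IPv4 format of this section
(Table 13 fields).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the brief IPv4 table format of this section.
SAMPLE_OUTPUT = """\
Slot 3:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           100.100.100.111  202.202.100.101  10001-10256  0            ---
---           100.100.100.112  202.202.100.101  10257-10512  3            ---
vpn01         100.100.100.113  202.202.100.101  10513-10768  0            Ext
---           100.100.100.114  0.0.0.0          ---          0            ---
Total mappings found: 4
"""


@dataclass(frozen=True)
class PortBlockMapping:
    local_vpn: Optional[str]       # None when the device printed ---
    local_ip: str
    global_ip: Optional[str]       # None when the device printed 0.0.0.0
    port_start: Optional[int]      # None when the device printed ---
    port_end: Optional[int]
    connections: int
    extended: bool                 # True when the Extend column shows Ext

    @property
    def allocated(self) -> bool:
        """False for a host that asked for a block but got none (public resources exhausted)."""
        return self.global_ip is not None and self.port_start is not None


def parse_port_block_table(text: str) -> List[PortBlockMapping]:
    """Parse the six-column data rows; header, slot and total lines are skipped."""
    mappings: List[PortBlockMapping] = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly six columns and a dotted-quad private address in column 2.
        if len(parts) != 6 or parts[1].count(".") != 3:
            continue
        vpn, local_ip, global_ip, block, conns, extend = parts
        if global_ip == "0.0.0.0" or block == "---":
            start = end = None
            global_ip = None
        else:
            start, end = (int(p) for p in block.split("-", 1))
        mappings.append(PortBlockMapping(
            local_vpn=None if vpn == "---" else vpn,
            local_ip=local_ip,
            global_ip=global_ip,
            port_start=start,
            port_end=end,
            connections=int(conns),
            extended=(extend == "Ext"),
        ))
    return mappings


def find_private_host(mappings, global_ip: str, port: int) -> Optional[PortBlockMapping]:
    """Return the mapping whose block covers (global_ip, port), or None.

    This answers against the current snapshot only; for a past timestamp
    the port block assignment/withdrawal logs are the record to consult.
    """
    for m in mappings:
        if m.allocated and m.global_ip == global_ip and m.port_start <= port <= m.port_end:
            return m
    return None


def unallocated_hosts(mappings) -> List[str]:
    """Private hosts with no public address or port block (allocation failed)."""
    return [m.local_ip for m in mappings if not m.allocated]


if __name__ == "__main__":
    table = parse_port_block_table(SAMPLE_OUTPUT)
    hit = find_private_host(table, "202.202.100.101", 10300)
    print("202.202.100.101:10300 ->", hit.local_ip if hit else "no mapping")
    print("hosts without a block:", unallocated_hosts(table))
```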

 

display nat port-block-group

Use display nat port-block-group to display information about NAT port block groups.

Syntax

display nat port-block-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT port block group, in the range of 0 to 65535. If you do not specify this argument, the command displays information about all NAT port block groups.

Examples

# Display information about all NAT port block groups.

<Sysname> display nat port-block-group

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Failover group name: trans

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          vpnb

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

# Display information about NAT port block group 1.

<Sysname> display nat port-block-group 1

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

Table 15 Command output

Field

Description

Port block group

ID of the NAT port block group.

Port range

Port range for the public IP addresses.

Block size

Number of ports in a port block.

Failover group name

Name of the failover group specified for the NAT port block group. This field is not displayed if no failover group is specified.

Local IP address information

Information about private IP addresses.

Global IP pool information

Information about public IP addresses.

Start address

Start IP address of a private or public IP address range. If no start IP address is specified for the address range, this field displays hyphens (---).

End address

End IP address of a private or public IP address range. If no end IP address is specified for the address range, this field displays hyphens (---).

VPN instance

MPLS L3VPN instance to which the private IP address range belongs. If no VPN instance is specified for the private address range, this field displays hyphens (---).

 

Related commands

nat port-block-group

display nat server

Use display nat server to display NAT Server configuration.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT Server configuration.

<Sysname> display nat server

NAT internal server information:

  Totally 4 internal servers.

  Interface: GigabitEthernet3/1/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Config status : Active

 

  Interface: GigabitEthernet3/1/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN.

 

  Interface: GigabitEthernet3/1/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Service card  : Slot 3

    Config status : Active

 

  Interface: GigabitEthernet3/1/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn10

    Service card  : Slot 3

    Config status : Active

Table 16 Command output

Field

Description

NAT internal server information

Information about NAT Server configuration.

Interface

Interface where NAT Server is configured.

Protocol

Protocol number and name of the internal server.

Global IP/port

Public IP address and port number of the internal server.

·         Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---).

·         port—A single port number or a port number range. If the specified protocol does not use port numbers, the port field displays hyphens (---).

Local IP/port

For common NAT Server, this field displays the private IP address and port number of the server.

·         Local IP—A single IP address or an IP address range.

·         port—A single port number or a port number range. If the specified protocol does not use port numbers, the port field displays hyphens (---).

For load sharing NAT Server, this field displays the internal server group ID, IP address, port number, and number of connections of each member.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field displays hyphens (---).

Config status

Status of the NAT Server configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT Server configuration does not take effect. This field is available when the Config status is Inactive. The following are possible reasons that the system will display:

·         The following items don't exist or aren't effective: global VPN, interface IP address, server group, and ACL.

·         Server configuration conflicts.

·         NAT address conflicts.

 

Related commands

nat server

display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of the internal server group, in the range of 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.

Examples

# Display configuration about all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

# Display configuration about internal server group 1.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

Table 17 Command output

Field

Description

Group Number

ID of the internal server group.

Inside IP

Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---).

Port

Private port number of a member in the internal server group. If no port number is specified, this field displays hyphens (---).

Weight

Weight of a member in the internal server group. If no weight value is specified, this field displays hyphens (---).

 

Related commands

nat server-group

display nat session

Use display nat session to display sessions that have been NATed.

Syntax

In standalone mode:

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ brief | verbose ]

In IRF mode:

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT sessions for all cards. (In IRF mode.)

brief: Displays brief information about NAT sessions.

verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all NAT sessions.

Examples

# Display detailed information about NAT sessions for the specified slot.

<Sysname> display nat session slot 3 verbose

Slot 3:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet3/1/1

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet3/1/2

State: TCP_SYN_SENT

Application: SSH

Role: Standby

Failover group ID: 1

Start time: 2017-10-18 11:22:45

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# Display brief information about NAT sessions for the specified slot.

<Sysname> display nat session slot 3 brief

Slot 3:

Protocol   Source IP/port      Destination IP/port    Global IP/port

TCP        10.2.1.58/2477      20.1.1.2/1025          30.2.4.9/226

Total sessions found: 1

Table 18 Command output

Field

Description

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/VLL ID

MPLS L3VPN instance to which the session belongs.

VLAN ID to which the session belongs for Layer 2 forwarding.

VLL ID (INLINE) to which the session belongs for Layer 2 forwarding.

If a setting is not specified, this field displays a hyphen (-).

Protocol

Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

State

NAT session status.

Application

Application layer protocol type, such as FTP and DNS.

This field displays OTHER for the protocol types identified by non-well-known ports.

Role

Role in the failover group:

·         Master—Primary node.

·         Standby—Secondary node.

Failover group ID

ID of the failover group. When the primary node is processing services and sessions are established on the secondary node, this field displays a hyphen (-).

Start time

Time when the session starts.

Initiator->Responder

Number of packets and packet bytes from the initiator to the responder.

Responder->Initiator

Number of packets and packet bytes from the responder to the initiator.

Total sessions found

Total number of sessions.

Source IP/port

Source IP address and port number of the initiator.

Destination IP/port

Destination IP address and port number of the initiator.

Global IP/port

Public IP address and port number.

 

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn4

    Global VPN   : vpn3

    ACL          : 2000

    Reversible   : Y

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and global VPN.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet3/1/2

    Service card : Slot 3

    Config status: Active

 

  Interface: GigabitEthernet3/1/3

    Config status: Active

Table 19 Command output

Field

Description

Net-to-net

Net-to-net static NAT mapping.

IP-to-IP

One-to-one static NAT mapping.

Local IP

Private IP address or address range.

Global IP

Public IP address or address range.

Netmask

Network mask.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Reversible

Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field is not displayed.

Config status

Status of the static NAT mapping configuration: Active or Inactive.

Reasons for inactive status

Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status is Inactive. The following are possible reasons that the system will display:

·         The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

·         NAT address conflicts.


Related commands

nat static

nat static net-to-net

nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

In standalone mode:

display nat statistics [ summary ] [ slot slot-number ]

In IRF mode:

display nat statistics [ summary ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays a summary of NAT statistics. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT statistics for all cards. (In IRF mode.)

Examples

# Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 3:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

Table 20 Command output

Field

Description

Total session entries

Number of NAT session entries.

Total EIM entries

Number of EIM entries.

Total inbound NO-PAT entries

Number of inbound NO-PAT entries.

Total outbound NO-PAT entries

Number of outbound NO-PAT entries.

Total static port block entries

Number of static port block mappings.

Total dynamic port block entries

Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

If the user-defined extended port block size is different from the pre-allocated port block size, the device calculates the number of dynamic port block mappings that can be created based on the port block size of 64.

Active static port block entries

Number of static port block mappings that are in use.

Active dynamic port block entries

Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.


# Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

2    0         0         0         1572720   0         0

Table 21 Command output

Field

Description

Sessions

Number of NAT session entries.

EIM

Number of EIM entries.

SPB

Number of static port block mappings.

DPB

Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

ASPB

Number of static port block mappings in use.

ADPB

Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.

If the user-defined extended port block size is different from the pre-allocated port block size, the device calculates the number of dynamic port block mappings that can be created based on the port block size of 64.


display nat user-information

Use display nat user-information to display online user information.

Syntax

In standalone mode:

display nat user-information [ local { ipv4 ipv4-address | ipv6 ipv6-address } | user-id user-id | user-name user-name | nat-instance instance-name ] [ slot slot-number ] [ verbose ]

In IRF mode:

display nat user-information [ local { ipv4 ipv4-address | ipv6 ipv6-address } | user-id user-id | user-name user-name | nat-instance instance-name ] [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

local ipv4 ipv4-address: Specifies the private IPv4 address of a user.

local ipv6 ipv6-address: Specifies the private IPv6 address of a user.

user-id user-id: Specifies the user ID of a user, in the range of 1 to FFFFFFFF.

user-name user-name: Specifies the username of a user, a string of 1 to 253 characters.

nat-instance instance-name: Specifies a NAT instance by its name, a string of 1 to 31 characters.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online user information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays online user information for all member devices. (In IRF mode.)

verbose: Displays detailed online user information. If you do not specify this keyword, this command displays brief online user information.

Usage guidelines

This command is applicable to the NAT and BRAS unification scenario.

To view information about an online PPPoE or IPoE user by user ID or username:

1. Execute the display ppp access-user command to obtain the user ID and the username of the user.

2. Specify the user ID or username in the display nat user-information command.

Examples

# Display brief online user information on the specified slot.

<Sysname> display nat user-information slot 1

Slot 1:

User ID                                            : 0x382005a0

Local IP                                           : 1.1.8.192

VPN instance                                       : ---(0)

Address group                                      : 9

NAT instance                                       : 1

Global IP                                          : 6.1.1.123

Start port                                         : 13003

Block size                                         : 1001

Port total                                         : 1001

Extend port alloc times                            : 0

Extend port alloc number                           : 0

First/Second/Third/Fourth/Fifth extend port start  : 0/0/0/0/0

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 0/0/0/0

Total/TCP/UDP/ICMP sessions                        : 0/0/0/0

 

User ID                                            : 0x38200443

Local IP                                           : 1.1.5.90

VPN instance                                       : ---(0)

Address group                                      : 9

NAT instance                                       : 1

Global IP                                          : 6.1.1.237

Start port                                         : 13003

Block size                                         : 1001

Port total                                         : 1001

Extend port alloc times                            : 0

Extend port alloc number                           : 0

First/Second/Third/Fourth/Fifth extend port start  : 0/0/0/0/0

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 0/0/0/0

Total/TCP/UDP/ICMP sessions                        : 0/0/0/0

 

Total Users found: 2

# Display detailed online user information on the specified slot.

<Sysname> display nat user-information slot 3 verbose

Slot: 3

User type                                          : NAT444

User ID                                            : 0x382016e8

Local IP                                           : 1.1.1.11

VPN instance                                       : ---(0)

Address group                                      : 9

NAT instance                                       : 9

Global IP                                          : 6.1.1.130

Start port                                         : 35025

Block size                                         : 1001

Port total                                         : 1001

Extend port alloc times                            : 0

Extend port alloc number                           : 0

First/Second/Third/Fourth/Fifth extend port start  : 0/0/0/0/0

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 2/0/2/0

Port limit discard count                           : 0

Total/TCP/UDP/ICMP sessions                        : 2/0/2/0

Total/TCP/UDP/ICMP reverse sessions                : 0/0/0/0

 

User type                                          : NAT444

User ID                                            : 0x382016e7

Local IP                                           : 1.1.1.10

VPN instance                                       : ---(0)

Address group                                      : 9

NAT instance                                       : 9

Global IP                                          : 6.1.1.239

Start port                                         : 29019

Block size                                         : 1001

Port total                                         : 1001

Extend port alloc times                            : 0

Extend port alloc number                           : 0

First/Second/Third/Fourth/Fifth extend port start  : 0/0/0/0/0

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 2/0/2/0

Port limit discard count                           : 0

Total/TCP/UDP/ICMP sessions                        : 2/0/2/0

Total/TCP/UDP/ICMP reverse sessions                : 0/0/0/0

 

Total Users found: 2

Table 22 Command output

Field

Description

User type

User type:

·         NAT444.

·         DS-Lite.

User ID

User ID. This field displays the user ID in a NAT and BRAS unification scenario. In scenarios without NAT and BRAS unification, this field displays hyphens (---).

Local IP

Private IP address of the user.

VPN instance

Name of the VPN instance to which the user belongs. If the user does not belong to any VPN instance, this field displays ---(0).

Address group

ID of the NAT address group used by the user.

Port block group

ID of the static NAT port block group used by the user.

NAT instance

NAT instance used by the user.

If the user comes online through interface-based NAT configuration, no field value is displayed.

Global IP

Public IP address of the user.

Start port

Start port number pre-allocated to the user.

Block size

Port block size pre-allocated to the user.

Port total

Total number of ports pre-allocated to the user.

Extend port alloc times

Number of times an extended port block is allocated.

Extend port alloc number

Number of extended port blocks that have been allocated.

First/Second/Third/Fourth/Fifth extend port start

Start port number in the first, second, third, fourth, and fifth allocation of extended port blocks.

Total/TCP/UDP/ICMP port limit

Maximum number of ports to be assigned to all protocols and maximum number of ports to be assigned to each protocol. They can be set by using the port-limit command.

TCP/UDP/ICMP port current

Number of ports used by TCP, UDP, and ICMP. The same port number can be assigned to different protocols in EIM mode.

Port limit discard count

Number of port block allocation failures after the NAT port usage exceeds the upper limit. If the upper limit is not exceeded, this field displays 0.

Total/TCP/UDP/ICMP sessions

Total number of newly created forward sessions, and the numbers of new forward sessions created by TCP, UDP, and ICMP.

Total/TCP/UDP/ICMP reverse sessions

Total number of newly created reverse sessions, and the numbers of new reverse sessions created by TCP, UDP, and ICMP.

Total Users found

Total number of online users.
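The user-tracing question behind this command is "which private address was using public IP X and port Y?". The following added example (not H3C code) parses the Field : Value blocks of the display nat user-information output shown above into records and answers that question from the Start port, Block size and extend port start fields. The sample output is constructed (the second user's values were changed so both users share one public IP), and the extended port blocks are assumed to have the same size as the pre-allocated block.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of "display nat user-information slot 1";
# the second user was altered so that both users share public IP 6.1.1.123.
SAMPLE_OUTPUT = """\
Slot 1:
User ID                                            : 0x382005a0
Local IP                                           : 1.1.8.192
VPN instance                                       : ---(0)
Address group                                      : 9
NAT instance                                       : 1
Global IP                                          : 6.1.1.123
Start port                                         : 13003
Block size                                         : 1001
Port total                                         : 1001
Extend port alloc times                            : 0
Extend port alloc number                           : 0
First/Second/Third/Fourth/Fifth extend port start  : 0/0/0/0/0
Total/TCP/UDP/ICMP port limit                      : ---/---/---/---
TCP/UDP/ICMP port current                          : 0/0/0/0
Total/TCP/UDP/ICMP sessions                        : 0/0/0/0

User ID                                            : 0x38200443
Local IP                                           : 1.1.5.90
VPN instance                                       : ---(0)
Address group                                      : 9
NAT instance                                       : 1
Global IP                                          : 6.1.1.123
Start port                                         : 14004
Block size                                         : 1001
Port total                                         : 1001
Extend port alloc times                            : 1
Extend port alloc number                           : 1
First/Second/Third/Fourth/Fifth extend port start  : 20000/0/0/0/0
Total/TCP/UDP/ICMP port limit                      : ---/---/---/---
TCP/UDP/ICMP port current                          : 0/0/0/0
Total/TCP/UDP/ICMP sessions                        : 0/0/0/0

Total Users found: 2
"""

# "Field   : value" -- the key is everything before the first colon.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_user_information(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per user; blank lines, the Slot header
    and the 'Total Users found' trailer end a record."""
    users: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Slot") or line.startswith("Total Users found"):
            if current:
                users.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        users.append(current)
    return users


def port_blocks(user: Dict[str, str], extended_size: Optional[int] = None) -> List[range]:
    """Port ranges owned by a user: the pre-allocated block plus any extended
    blocks. A start port of 0 means that extension was never allocated.
    Assumption: an extended block is as large as the pre-allocated block
    unless extended_size is given."""
    size = int(user["Block size"])
    ext_size = extended_size or size
    start = int(user["Start port"])
    blocks = [range(start, start + size)]
    starts = user.get("First/Second/Third/Fourth/Fifth extend port start", "")
    for s in starts.split("/"):
        if s.isdigit() and int(s) > 0:
            blocks.append(range(int(s), int(s) + ext_size))
    return blocks


def find_user(users: List[Dict[str, str]], global_ip: str, port: int) -> Optional[Dict[str, str]]:
    """Return the record whose public IP and port blocks cover (global_ip, port)."""
    for u in users:
        if u.get("Global IP") == global_ip and any(port in b for b in port_blocks(u)):
            return u
    return None


if __name__ == "__main__":
    records = parse_user_information(SAMPLE_OUTPUT)
    hit = find_user(records, "6.1.1.123", 20500)
    print(hit["Local IP"] if hit else "no user owns that port")
```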


failover-group

Use failover-group to specify a failover group for a NAT address group or a NAT port block group.

Use undo failover-group to restore the default.

Syntax

failover-group group-name [ user-group user-group-name ]

undo failover-group

Default

No failover group is specified for a NAT address group or NAT port block group.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. You can specify a nonexistent failover group for this command. The configuration takes effect only after you use the failover group command to create the failover group.

user-group user-group-name: Specifies the name of a user group. The user group name is a case-insensitive string of 1 to 32 characters.

Usage guidelines

If you use a failover group for dynamic NAT or port block-based address translation, make sure the failover group has the CGN cards as the nodes.

After you specify a failover group for a NAT address group or a NAT port block group, do not configure the nat service command to specify a traffic processing slot.

The failover group command and the nat instance command are mutually exclusive.

Examples

# Specify failover group nat-failover for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-nat-address-group-1] failover-group nat-failover

# Specify failover group nat-failover for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] failover-group nat-failover

Related commands

failover group (High Availability Command Reference)

nat instance

nat service

user-group (BRAS Services Command Reference)

global-ip-pool

Use global-ip-pool to add a public IP address range to a NAT port block group.

Use undo global-ip-pool to remove a public IP address range from a NAT port block group.

Syntax

global-ip-pool start-address end-address

undo global-ip-pool start-address

Default

No public IP address ranges exist.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a public IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one public IP address is specified.

Usage guidelines

Static port block maps a public IP address to multiple private IP addresses and assigns a unique port block to each private IP address. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.

Each execution of this command adds one address range, which can contain a maximum of 255 public IP addresses. Public IP address ranges in the same port block group cannot overlap.

When you use interface-based NAT for address translation, follow these restrictions and guidelines:

·          Public IP address ranges in different port block groups can overlap. The port ranges for overlapped public IP address ranges cannot overlap.

·          If a public address range overlaps with the address range in static port block mappings, make sure the port ranges in static port block mappings do not overlap with those in dynamic port block mappings. Otherwise, the device might assign the same IP address and port block to two different users, in which case NAT sessions might not be established for one of the users.

When you use global NAT for address translation, public IP address ranges in different port block groups cannot overlap.

Examples

# Add a public IP address range to port block group 1. The public IP address range consists of IP addresses from 202.10.1.1 to 202.10.1.10.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] global-ip-pool 202.10.1.1 202.10.1.10

Related commands

nat instance

nat port-block-group

inside ip

Use inside ip to add a member to an internal server group.

Use undo inside ip to remove a member from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

No members exist in an internal server group.

Views

Internal server group view

Predefined user roles

network-admin

Parameters

inside-ip: Specifies the IP address of an internal server.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535, excluding FTP port 20.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

local-ip-address

Use local-ip-address to add a private IP address range to a NAT port block group.

Use undo local-ip-address to remove a private IP address range from a NAT port block group.

Syntax

local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

undo local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

Default

No private IP address ranges exist in a NAT port block group.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a private IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one private IP address is specified.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address range belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address range does not belong to any VPN instance, do not specify this option.

Usage guidelines

Static port block maps one public IP address to multiple private IP addresses and assigns a unique port block to each private IP address.

You can add multiple private IP address ranges to the same port block group.

·          The private IP address ranges in the same VPN instance cannot overlap.

·          The private IP address ranges that do not belong to any VPN instances cannot overlap.

When you add private IP address ranges to different port block groups with the same VPN instance, make sure the IP address ranges do not overlap.

In a NAT port block group, the number of private IP addresses cannot be larger than the number of assignable port blocks. Otherwise, some private IP addresses cannot obtain port blocks. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.
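The capacity and overlap rules stated for global-ip-pool and local-ip-address are easy to get wrong by hand, so the following added example (not H3C code) models them as a configuration checker: at most 255 addresses per public range, no overlapping ranges inside one group, private ranges in the same VPN instance (or in no VPN instance) not overlapping, cross-group overlap rules for global and interface-based NAT, and the capacity rule that private addresses must not exceed public addresses multiplied by (ports in port range // block size). The port range and block size values are constructed defaults, assumed to come from the group's own port range and block size settings.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPRange = Tuple[int, int]  # inclusive (start, end) as integers


def to_range(start: str, end: str) -> IPRange:
    """Convert a start/end pair to an inclusive integer range; end may not precede start."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError(f"end address {end} is lower than start address {start}")
    return s, e


def overlaps(a: IPRange, b: IPRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


@dataclass
class PortBlockGroup:
    group_id: int
    # Port range and block size are assumed to come from the group's own
    # port range and block size settings; the defaults here are constructed.
    port_start: int = 1024
    port_end: int = 65535
    block_size: int = 64
    global_pools: List[IPRange] = field(default_factory=list)
    # Private ranges are stored with their VPN instance name (None = no VPN instance).
    local_ranges: List[Tuple[IPRange, Optional[str]]] = field(default_factory=list)

    def global_ip_pool(self, start: str, end: str) -> None:
        """Model of global-ip-pool: at most 255 addresses, no overlap inside the group."""
        rng = to_range(start, end)
        if rng[1] - rng[0] + 1 > 255:
            raise ValueError("a global-ip-pool range may contain at most 255 addresses")
        if any(overlaps(rng, other) for other in self.global_pools):
            raise ValueError("public IP address ranges in one port block group cannot overlap")
        self.global_pools.append(rng)

    def local_ip_address(self, start: str, end: str, vpn: Optional[str] = None) -> None:
        """Model of local-ip-address: ranges in the same VPN instance (or in none) cannot overlap."""
        rng = to_range(start, end)
        for other, other_vpn in self.local_ranges:
            if other_vpn == vpn and overlaps(rng, other):
                raise ValueError("private IP address ranges in the same VPN instance cannot overlap")
        self.local_ranges.append((rng, vpn))

    def blocks_per_public_ip(self) -> int:
        """Number of ports in the port range divided by the port block size."""
        return (self.port_end - self.port_start + 1) // self.block_size

    def assignable_blocks(self) -> int:
        public_count = sum(e - s + 1 for s, e in self.global_pools)
        return public_count * self.blocks_per_public_ip()

    def private_address_count(self) -> int:
        return sum(e - s + 1 for (s, e), _ in self.local_ranges)

    def capacity_ok(self) -> bool:
        """True when every private address in the group can obtain a port block."""
        return self.private_address_count() <= self.assignable_blocks()


def check_groups(groups: List[PortBlockGroup], global_nat: bool) -> List[str]:
    """Cross-group rules: private ranges in the same VPN instance must not overlap
    across groups; public ranges may overlap across groups only for interface-based
    NAT, and only when the two groups' port ranges do not overlap."""
    problems: List[str] = []
    for i, g1 in enumerate(groups):
        for g2 in groups[i + 1:]:
            for r1, v1 in g1.local_ranges:
                for r2, v2 in g2.local_ranges:
                    if v1 == v2 and overlaps(r1, r2):
                        problems.append(f"private ranges overlap between groups {g1.group_id} and {g2.group_id}")
            ports_overlap = g1.port_start <= g2.port_end and g2.port_start <= g1.port_end
            for r1 in g1.global_pools:
                for r2 in g2.global_pools:
                    if overlaps(r1, r2) and (global_nat or ports_overlap):
                        problems.append(f"public ranges overlap between groups {g1.group_id} and {g2.group_id}")
    return problems


if __name__ == "__main__":
    # The two ranges from the examples on this page: 10 public addresses serve 255 private ones.
    g = PortBlockGroup(1)
    g.global_ip_pool("202.10.1.1", "202.10.1.10")
    g.local_ip_address("172.16.1.1", "172.16.1.255", vpn="vpn1")
    print(g.assignable_blocks(), g.private_address_count(), g.capacity_ok())
```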

Examples

# Add a private IP address range to port block group 1. The private IP address range consists of IP addresses from 172.16.1.1 to 172.16.1.255 in VPN instance vpn1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] local-ip-address 172.16.1.1 172.16.1.255 vpn-instance vpn1

Related commands

nat port-block-group

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.

Usage guidelines

A NAT address group consists of multiple address ranges. Use the address command to add an address range to a NAT address group. Dynamic NAT translates the source IP address of a packet into an IP address in the address group.

You cannot use the undo nat address-group command to delete a NAT address group in use.

Examples

# Create a NAT address group numbered 1.

<Sysname> system-view

[Sysname] nat address-group 1

Related commands

address

display nat address-group

display nat all

nat outbound

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

NAT ALG is disabled for all supported protocols except FTP, ICMP error packets, and RTSP.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

h323: Enables NAT ALG for H323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.

The nat alg h323 command fails if you have executed the nat mapping-behavior endpoint-independent tcp or nat mapping-behavior endpoint-independent udp command.

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat mapping-behavior endpoint-independent

nat centralized-backup auto switchback disable

Use nat centralized-backup auto switchback disable to disable traffic auto switchback for centralized backup of distributed CGN.

Use undo nat centralized-backup auto switchback disable to restore the default.

Syntax

nat centralized-backup auto switchback disable

undo nat centralized-backup auto switchback disable

Default

Auto switchback is enabled for centralized backup of distributed CGN.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

In centralized backup for distributed CGN, the following methods are available to switch over the traffic to the centralized CGN device:

·          Automatic switchover—When a distributed CGN card fails, traffic is automatically switched to the centralized CGN device. To enable auto switchover, execute the nat centralized-backup enable command.

·          Manual switchover—Traffic is manually switched to the centralized CGN device after you execute the nat centralized-backup manual switch command.

Execute this command on a distributed CGN device if you want the centralized CGN device to perform address translation for the distributed CGN device all the time. In other cases, do not execute this command.

This command is available only after you enable centralized backup for distributed CGN.

Examples

# In NAT instance cgn1, disable traffic auto switchback for centralized backup of distributed CGN.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat centralized-backup enable

[Sysname-nat-instance-cgn1] nat centralized-backup auto switchback disable

Related commands

nat centralized-backup enable

nat centralized-backup manual switch

nat centralized-backup enable

Use nat centralized-backup enable to enable centralized backup for distributed CGN.

Use undo nat centralized-backup enable to disable centralized backup for distributed CGN.

Syntax

nat centralized-backup enable

undo nat centralized-backup enable

Default

Centralized backup for distributed CGN is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With this feature enabled on a distributed CGN device, when the CGN card on the device fails, the QoS policy or policy-based routing for redirecting traffic to the centralized CGN device takes effect. When the faulty CGN card recovers, the QoS policy or PBR no longer takes effect and the traffic is again redirected to the distributed CGN device. Online users are not affected during the traffic switchover and switchback.

The undo nat centralized-backup enable command is not available when one of the following commands is used:

·          nat centralized-backup manual switch.

·          nat centralized-backup auto switchback disable.

Creating a NAT instance and enabling this feature in system view are mutually exclusive.

Examples

# Enable centralized backup for distributed CGN.

<Sysname> system-view

[Sysname] nat centralized-backup enable

# Enable centralized backup for distributed CGN in NAT instance cgn with ID 1.

<Sysname> system-view

[Sysname] nat instance cgn id 1

[Sysname-nat-instance-cgn] nat centralized-backup enable

Related commands

nat centralized-backup manual switch

nat centralized-backup auto switchback disable

nat instance

nat centralized-backup manual switch

Use nat centralized-backup manual switch to manually switch traffic from the distributed CGN device to the centralized CGN device.

Use undo nat centralized-backup manual switch to cancel manual traffic switchover and allow auto switchback.

Syntax

nat centralized-backup manual switch

undo nat centralized-backup manual switch

Default

Traffic is switched to the centralized CGN device only when the CGN card on the distributed CGN device fails.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

In centralized backup for distributed CGN, a distributed CGN device might not be available while its software or hardware is being upgraded. To ensure non-stop processing of NAT services, execute this command on the distributed CGN device before the upgrade. Traffic is then redirected to the centralized CGN device. When the distributed CGN device becomes available again, traffic is not switched back automatically. As a best practice, execute the undo nat centralized-backup manual switch command to allow traffic auto switchback. Online users are not affected during the traffic switchover and switchback.

This command is available only after you enable centralized backup for distributed CGN.

This feature takes effect only on the traffic of the NAT instance for which the feature is enabled.

Examples

# Manually switch the traffic of NAT instance cgn1 from the distributed CGN device to the centralized CGN device.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat centralized-backup enable

[Sysname-nat-instance-cgn1] nat centralized-backup manual switch

nat dns-map

Use nat dns-map to configure a NAT DNS mapping.

Use undo nat dns-map to remove a NAT DNS mapping.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No NAT DNS mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·          A number in the range of 1 to 65535.

·          A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

NAT DNS mapping must cooperate with the NAT Server feature. NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network.

The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.

You can configure multiple NAT DNS mappings.
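The lookup that the usage guidelines describe, as an added example that is not H3C code: NAT Server entries keyed by (protocol, public IP, public port), and a resolver that first consults the NAT DNS mappings for the domain name and falls back to the public IP alone only when that identifies exactly one internal server. The record types, function names and the small table of protocol-name ports are assumptions; the sample entries are constructed around the 202.112.0.1 / 12345 / www.server.com values from the example above.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Assumed table for the "protocol name" form of the port argument (e.g. ftp, telnet).
PORT_NAMES = {"ftp": 21, "telnet": 23, "http": 80, "dns": 53}


def port_number(port: Union[int, str]) -> int:
    """Accept either a numeric port or one of the protocol names above."""
    if isinstance(port, int):
        return port
    return PORT_NAMES[port.lower()]


@dataclass(frozen=True)
class NatServer:
    """One NAT Server entry: public (protocol, IP, port) -> private (IP, port)."""
    protocol: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class DnsMap:
    """One nat dns-map entry: domain -> (protocol, public IP, public port)."""
    domain: str
    protocol: str
    global_ip: str
    global_port: Union[int, str]


def servers_for_public_ip(servers: List[NatServer], global_ip: str) -> List[NatServer]:
    """All that a DNS reply alone reveals: every internal server behind the public IP."""
    return [s for s in servers if s.global_ip == global_ip]


def resolve_internal_server(servers: List[NatServer], dns_maps: List[DnsMap],
                            domain: str, answered_ip: str) -> Optional[NatServer]:
    """Pick the internal server for a DNS answer (domain, public IP).
    With a DNS mapping the lookup key is (protocol, public IP, public port);
    without one, only an unambiguous public IP can be resolved."""
    for m in dns_maps:  # domain names are case-insensitive
        if m.domain.lower() == domain.lower() and m.global_ip == answered_ip:
            key = (m.protocol.lower(), m.global_ip, port_number(m.global_port))
            for s in servers:
                if (s.protocol.lower(), s.global_ip, s.global_port) == key:
                    return s
            return None  # mapping points at a public port with no NAT Server entry
    candidates = servers_for_public_ip(servers, answered_ip)
    return candidates[0] if len(candidates) == 1 else None


# Constructed sample: two internal servers share public IP 202.112.0.1.
SERVERS = [
    NatServer("tcp", "202.112.0.1", 12345, "192.168.1.10", 80),
    NatServer("tcp", "202.112.0.1", 21, "192.168.1.20", 21),
]
DNS_MAPS = [
    DnsMap("www.server.com", "tcp", "202.112.0.1", 12345),
    DnsMap("ftp.server.com", "tcp", "202.112.0.1", "ftp"),
]

if __name__ == "__main__":
    print(resolve_internal_server(SERVERS, [], "www.server.com", "202.112.0.1"))       # None: ambiguous
    print(resolve_internal_server(SERVERS, DNS_MAPS, "www.server.com", "202.112.0.1"))  # 192.168.1.10
```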

Examples

# Configure a NAT DNS mapping to map the domain name www.server.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345

Related commands

display nat all

display nat dns-map

nat server

nat extended-port-block report-radius enable

Use nat extended-port-block report-radius enable to enable reporting mappings between user private IP addresses and extended port blocks to the RADIUS server.

Use undo nat extended-port-block report-radius enable to restore the default.

Syntax

nat extended-port-block report-radius enable

undo nat extended-port-block report-radius enable

Default

The device does not report mappings between user private IP addresses and extended port blocks to the RADIUS server.

Views

System view

NAT instance view

Predefined user roles

network-admin

Usage guidelines

This feature can be used for user tracing in scenarios with NAT and BRAS unification. After a RADIUS authenticated user obtains a private address, the device pre-allocates a public IP address and port block to the user, and reports the mapping to the RADIUS server. The RADIUS server stores the mapping as online user information for user tracing. If an extended port block is assigned to the user for accessing the external network, the device does not update the mapping to the RADIUS server.

You can use this feature to report the mapping between the user private IP address and the extended port block to the RADIUS server. This feature provides user tracing for connections using extended port blocks.

For global NAT, enable this feature in NAT instance view. For interface-based NAT, enable this feature in system view.

You cannot enable or disable this feature when a PPPoE or IPoE user is online.

Examples

# Enable reporting mappings between user private IP addresses and extended port blocks to the RADIUS server. (Global NAT.)

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat outbound 2001 address-group 2

[Sysname-nat-instance-cgn1] nat extended-port-block report-radius enable

# Enable reporting mappings between user private IP addresses and extended port blocks to the RADIUS server. (Interface-based NAT.)

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] port-block block-size 256 extended-block-number 1

[Sysname-address-group-2] quit

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound 2001 address-group 2

[Sysname-GigabitEthernet3/1/1] quit

[Sysname] nat extended-port-block report-radius enable

Related commands

port-block block-size

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

The nat hairpin enable command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Enable NAT hairpin on interface GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat hairpin enable

Related commands

display nat all

nat instance

nat instance

Use nat instance to create a NAT instance and enter its view, or enter the view of an existing NAT instance.

Use undo nat instance to delete the specified NAT instance.

Syntax

nat instance instance-name [ id id ]

undo nat instance instance-name

Default

No NAT instances exist.

Views

System view

Predefined user roles

network-admin

Parameters

instance-name: Specifies a NAT instance name, a case-sensitive string of 1 to 31 characters. If the instance name contains spaces, use quotation marks to enclose the instance name (for example, "xxx xxx").

id id: Specifies a NAT instance ID in the range of 1 to 127. This option is a must for creating a NAT instance, and it is optional for entering the view of an existing NAT instance.

Usage guidelines

According to the application scope of NAT rules, NAT supports the following application types:

·          Interface-based NAT—Uses NAT rules (such as static NAT rules and dynamic NAT rules) configured on a per-interface basis to translate packets. It is applicable to a network with a fixed output interface.

·          Global NAT—Uses NAT rules configured on a per-NAT-instance basis to translate packets. The packets are redirected to the NAT instance by using a QoS policy. The service card in the service instance group associated with the NAT instance performs address translation. Global NAT is applicable to a network with unfixed output interfaces. You do not need to change the NAT configuration if the packet output interface changes.

A NAT instance takes effect when the following requirements are met:

·          The NAT instance is associated with a service instance group.

·          The service instance group is associated with a failover group and the primary node in the failover group can normally process services.

The NAT instance name and ID must be unique. Different NAT instances cannot use the same NAT instance ID.

A maximum of 16 NAT instances can be created.

You cannot delete a NAT instance if the NAT instance contains an online user.

The nat instance command in system view cannot coexist with the following commands in interface view:

·          nat hairpin enable.

·          nat inbound.

·          nat outbound.

·          nat outbound ds-lite-b4.

·          nat outbound easy-ip failover-group.

·          nat outbound port-block-group.

·          nat server (interface-based NAT).

·          nat service.

·          nat static enable.

Examples

# Create a NAT instance named cgn1 with instance ID 1, and enter its view.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1]

Related commands

display nat instance

nat hairpin enable

nat outbound

nat outbound ds-lite-b4

nat outbound easy-ip failover-group

nat outbound port-block-group

nat server

nat service

nat static enable

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

Usage guidelines

You must enable NAT logging before you enable NAT session logging, NAT444 user logging, or NAT444 alarm logging.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat log flow-active

nat log flow-begin

nat log flow-end

nat log port-alloc-fail

nat log port-block-alloc-fail

nat log port-block-assign

nat log port-block-withdraw

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT session establishment events.

Use undo nat log flow-begin to disable logging for NAT session establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT session establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT session removal events.

Use undo nat log flow-end to disable logging for NAT session removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT session removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT session removal events.

<Sysname> system-view

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat log port-alloc-fail

Use nat log port-alloc-fail to enable logging for NAT port allocation failures.

Use undo nat log port-alloc-fail to disable logging for NAT port allocation failures.

Syntax

nat log port-alloc-fail

undo nat log port-alloc-fail

Default

Logging for NAT port allocation failures is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to generate logs when port allocation fails in dynamic NAT. Typically, the failure is caused by the fact that all ports are occupied in a port block.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT port allocation failures.

<Sysname> system-view

[Sysname] nat log port-alloc-fail

Related commands

display nat all

display nat log

nat log enable

nat log port-block port-usage threshold

Use nat log port-block port-usage threshold to enable logging for port usage in port blocks and set the usage threshold.

Use undo nat log port-block port-usage threshold to disable logging for port usage in port blocks.

Syntax

nat log port-block port-usage threshold value

undo nat log port-block port-usage threshold

Default

Logging for port usage in port blocks is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies a threshold in the range of 40 to 100 in percentage.

Usage guidelines

This feature enables the device to generate a log when the port usage in a port block exceeds the threshold.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for port usage in port blocks and set the threshold to 90%.

<Sysname> system-view

[Sysname] nat log port-block port-usage threshold 90

Related commands

display nat all

display nat log

nat log enable

nat log port-block usage threshold

Use nat log port-block usage threshold to set the port block usage threshold.

Use undo nat log port-block usage threshold to restore the default.

Syntax

nat log port-block usage threshold value

undo nat log port-block usage threshold

Default

The port block usage threshold is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies a threshold in the range of 40 to 100 in percentage.

Usage guidelines

A log is generated when the port block usage exceeds the threshold.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Set the port block usage threshold to 80%.

<Sysname> system-view

[Sysname] nat log port-block usage threshold 80

Related commands

display nat all

display nat log

nat log enable

nat log port-block-alloc-fail

Use nat log port-block-alloc-fail to enable logging for NAT port block assignment failures.

Use undo nat log port-block-alloc-fail to disable logging for NAT port block assignment failures.

Syntax

nat log port-block-alloc-fail

undo nat log port-block-alloc-fail

Default

Logging for NAT port block assignment failures is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to generate logs when the system fails to assign port blocks in dynamic NAT.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT port block assignment failures.

<Sysname> system-view

[Sysname] nat log port-block-alloc-fail

Related commands

display nat all

display nat log

nat log enable

nat log port-block-assign

Use nat log port-block-assign to enable NAT444 user logging for port block assignment.

Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.

Syntax

nat log port-block-assign

undo nat log port-block-assign

Default

NAT444 user logging is disabled for port block assignment.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For static port block mapping, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

For dynamic port block mapping, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block assignment.

<Sysname> system-view

[Sysname] nat log port-block-assign

Related commands

display nat all

display nat log

nat log enable

nat log port-block-withdraw

Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.

Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.

Syntax

nat log port-block-withdraw

undo nat log port-block-withdraw

Default

NAT444 user logging is disabled for port block withdrawal.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For static port block mapping, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

For dynamic port block mapping, the NAT444 gateway generates a user log when all the following conditions are met:

·          The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

·          The corresponding mapping entry is deleted.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block withdrawal.

<Sysname> system-view

[Sysname] nat log port-block-withdraw

Related commands

display nat all

display nat log

nat log enable

nat mapping-behavior endpoint-independent

Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping mode for PAT.

Use undo nat mapping-behavior endpoint-independent to restore the default.

Syntax

nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *

undo nat mapping-behavior endpoint-independent

Default

Connection-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

tcp: Creates EIM entries for TCP connections.

udp: Creates EIM entries for UDP connections.

tcp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for TCP connections. If you do not specify this keyword, only EIM entries are created.

udp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for UDP connections. If you do not specify this keyword, only EIM entries are created.

Usage guidelines

PAT supports the following types of NAT mappings:

·          Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·          Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.

The nat mapping-behavior endpoint-independent tcp or nat mapping-behavior endpoint-independent udp command cannot be configured if one or more of the following commands have been configured on the device:

·          nat server.

·          nat static outbound.

·          nat static outbound net-to-net.

·          nat alg h323.

This command always creates EIM entries and five-tuple session entries for ICMP packets.

The existing and newly configured dynamic NO-PAT rules do not take effect if you specify the Endpoint-Independent Mapping mode for outbound dynamic PAT rules.
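The two mapping behaviours above, as an added Python example that is not H3C code: a toy PAT table that allocates one public port per (source IP, port) under Endpoint-Independent Mapping and one per connection under Connection-Dependent Mapping, then checks what an external host that was never contacted can reach. The sequential port allocator and the table layout are assumptions for illustration only.

```python
# Added example (not H3C code): a toy PAT table contrasting Endpoint-Independent
# Mapping (EIM) with Connection-Dependent Mapping (CDM). The port allocator and
# table layout are assumptions for illustration, not the device's algorithm.
from itertools import count


class PatTable:
    def __init__(self, public_ip, eim=False, five_tuple=False):
        self.public_ip = public_ip
        self.eim = eim                  # nat mapping-behavior endpoint-independent
        self.five_tuple = five_tuple    # the tcp-5-tuple / udp-5-tuple keyword
        self._ports = count(1024)       # constructed sequential allocator
        self.eim_entries = {}           # (proto, src_ip, src_port) -> public_port
        self.sessions = {}              # (proto, pub_port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; return (public_ip, public_port)."""
        key = (proto, src_ip, src_port)
        if self.eim:
            # EIM: the same mapping serves every destination of this source
            pub_port = self.eim_entries.get(key)
            if pub_port is None:
                pub_port = self.eim_entries[key] = next(self._ports)
            keep_session = self.five_tuple   # only EIM entries unless *-5-tuple
        else:
            pub_port = next(self._ports)     # CDM: a new mapping per connection
            keep_session = True
        if keep_session:
            self.sessions[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, pub_port

    def inbound(self, proto, ext_ip, ext_port, pub_port):
        """Return the internal (ip, port) an inbound packet is delivered to, or None."""
        hit = self.sessions.get((proto, pub_port, ext_ip, ext_port))
        if hit is not None:
            return hit   # reverse path of a connection the internal host opened
        if self.eim:
            for (p, sip, sport), pp in self.eim_entries.items():
                if p == proto and pp == pub_port:
                    return (sip, sport)   # EIM: any external host may use the mapped port
        return None   # CDM: unsolicited traffic has no matching connection


def demo():
    """Run the same traffic through both modes.
    Returns {mode: (port for dest 1, port for dest 2, what an unsolicited host reaches)}."""
    results = {}
    for name, eim in (("eim", True), ("cdm", False)):
        t = PatTable("202.110.10.10", eim=eim)
        m1 = t.outbound("udp", "10.110.10.5", 4000, "198.51.100.1", 3478)
        m2 = t.outbound("udp", "10.110.10.5", 4000, "198.51.100.2", 3478)
        # 203.0.113.9 never received a packet from the internal host
        unsolicited = t.inbound("udp", "203.0.113.9", 5000, m1[1])
        results[name] = (m1[1], m2[1], unsolicited)
    return results


if __name__ == "__main__":
    for mode, (p1, p2, reach) in demo().items():
        print(f"{mode}: ports {p1},{p2}; unsolicited external host reaches {reach}")
```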

Examples

# Apply the Endpoint-Independent Mapping mode and create EIM entries for TCP packet address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent tcp

Related commands

display nat eim

display nat eim statistics

nat outbound

nat server

nat static outbound

nat static outbound net-to-net

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

address-group group-id: Specifies an address group for NAT, in the range of 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address. Easy IP is used.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.

port-preserved: Tries to preserve port number for PAT. This keyword does not take effect on dynamic port block mappings.

Usage guidelines

Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.

Outbound dynamic NAT supports the following modes:

·          PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·          NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

◦          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

◦          Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

The dynamic port block mapping does not support the NO-PAT mode.
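The two-step ACL reverse matching above, as an added Python example that is not H3C code. The ACL rules and NO-PAT entries are constructed; a basic ACL (source-only, like ACL 2001 in the examples below) is modelled with destination 0.0.0.0/0.

```python
# Added example (not H3C code): ACL reverse matching for an outbound NO-PAT rule
# configured with the reversible keyword. ACL rules and NO-PAT entries are
# constructed; a basic ACL is modelled with destination 0.0.0.0/0.
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, source, destination)


def make_rule(action: str, source: str, destination: str = "0.0.0.0/0") -> Rule:
    return (action, ipaddress.ip_network(source), ipaddress.ip_network(destination))


def acl_permits(acl: List[Rule], src: str, dst: str) -> bool:
    """Forward ACL evaluation: the first matching rule decides; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def reverse_translate(acl: List[Rule], nopat_entries: Dict[str, str],
                      ext_src_ip: str, pkt_dst_ip: str) -> Optional[str]:
    """Inbound packet from the external network addressed to a NO-PAT public IP.
    Returns the private destination IP if reverse translation applies, else None.
    nopat_entries: existing NO-PAT entries, private IP -> public IP."""
    # Step 1: the packet's source is compared with the ACL's *destination* field.
    ext = ipaddress.ip_address(ext_src_ip)
    if not any(a == "permit" and ext in dst_net for a, _, dst_net in acl):
        return None
    # Step 2: translate the destination using the matching NO-PAT entry ...
    private = next((priv for priv, pub in nopat_entries.items() if pub == pkt_dst_ip), None)
    if private is None:
        return None   # no existing NO-PAT entry: reverse translation cannot apply
    # ... then compare the translated destination with the ACL's *source* field.
    # Forward evaluation with the roles swapped is exactly the reverse match.
    return private if acl_permits(acl, private, ext_src_ip) else None


# Constructed data. BASIC_ACL mirrors the ACL 2001 example: permit 10.110.10.0/24, deny the rest.
BASIC_ACL = [make_rule("permit", "10.110.10.0/24"), make_rule("deny", "0.0.0.0/0")]
ADVANCED_ACL = [make_rule("permit", "10.110.10.0/24", "198.51.100.0/24")]
NOPAT_ENTRIES = {"10.110.10.5": "202.110.10.10", "10.120.0.7": "202.110.10.11"}

if __name__ == "__main__":
    print(reverse_translate(BASIC_ACL, NOPAT_ENTRIES, "203.0.113.9", "202.110.10.10"))     # 10.110.10.5
    print(reverse_translate(ADVANCED_ACL, NOPAT_ENTRIES, "203.0.113.9", "202.110.10.10"))  # None
```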

When you specify a NAT address group, follow these restrictions and guidelines:

·          An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

·          When a port range and port block parameters are specified in the NAT address group, this command configures a dynamic port block mapping rule. Packets matching the ACL permit rule are processed by dynamic port block mapping.

If the Endpoint-Independent Mapping mode is used for outbound dynamic PAT rules, NO-PAT configurations do not take effect.

When you specify an ACL, follow these restrictions and guidelines:

·          An ACL can be used by only one outbound dynamic NAT rule on an interface.

·          If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.

·          If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·          Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.

·          For dynamic port block mappings, make sure the ACL rules in a newly added NAT rule do not overlap with ACL rules in existing NAT rules that already have matching traffic.

A user is not allowed to access a service on an internal server through different external addresses or external port numbers. When configuring load sharing NAT Server, the number of members cannot be less than the value N in one of the following situations:

·          A public address, N consecutive public port numbers, and one internal server group.

·          N consecutive public addresses, a public port number, and one internal server group.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

When you use this command for a NAT instance, you must specify the address-group keyword. Outbound dynamic rules in different NAT instances cannot use the same NAT address group.

The nat outbound command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface GigabitEthernet 3/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound 2001 address-group 1

[Sysname-GigabitEthernet3/1/1] quit

Or

# Configure an outbound NO-PAT rule on interface GigabitEthernet 3/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound 2001 address-group 1 no-pat

[Sysname-GigabitEthernet3/1/1] quit

Or

# Enable Easy IP to use the IP address of GigabitEthernet 3/1/1 as the translated address.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound 2001

[Sysname-GigabitEthernet3/1/1] quit

Or

# Configure an outbound NO-PAT rule on GigabitEthernet 3/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound 2001 address-group 1 no-pat reversible

Related commands

display nat eim

display nat outbound

nat instance

nat mapping-behavior

nat outbound ds-lite-b4

Use nat outbound ds-lite-b4 to configure DS-Lite B4 address translation.

Use undo nat outbound ds-lite-b4 to remove the DS-Lite B4 address translation configuration.

Syntax

nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group group-id

undo nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name }

Default

No DS-Lite B4 address translation configuration exists.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Parameters

ipv6-acl-number: Specifies the number of an IPv6 ACL to match the IPv6 addresses of B4 elements. The value range for the argument is 2000 to 3999.

name ipv6-acl-name: Specifies the name of an IPv6 ACL to match the IPv6 addresses of B4 elements. The ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

address-group group-id: Specifies an address group by its ID, in the range of 0 to 65535.

Usage guidelines

DS-Lite B4 address translation applies to the scenario where a DS-Lite tunnel connects an IPv6 network to an IPv4 network. DS-Lite port block mapping is configured on the AFTR's interface connected to the external IPv4 network and performs dynamic port block mapping based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host.

DS-Lite B4 address translation dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

The nat outbound ds-lite-b4 command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Configure IPv6 ACL 2100 to identify packets from subnet 2000::/64.

<Sysname> system-view

[Sysname] acl ipv6 basic 2100

[Sysname-acl-ipv6-basic-2100] rule permit source 2000::/64

[Sysname-acl-ipv6-basic-2100] quit

# Create address group 1 and add public addresses 202.110.10.10 through 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

# Set the port block size to 256.

[Sysname-address-group-1] port-block block-size 256

[Sysname-address-group-1] quit

# Configure DS-Lite port block mapping on GigabitEthernet 3/1/1 to use address group 1 to translate packets permitted by ACL 2100.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound ds-lite-b4 2100 address-group 1

Related commands

display nat outbound

nat instance

nat outbound easy-ip failover-group

Use nat outbound easy-ip failover-group to specify a failover group for Easy IP.

Use undo nat outbound easy-ip failover-group to restore the default.

Syntax

nat outbound easy-ip failover-group group-name

undo nat outbound easy-ip failover-group

Default

No failover group is specified for Easy IP.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

This command allows the device to direct flows that need Easy IP address translation to the specified failover group.

If a manual failover group exists on the device, you can specify only the manual failover group in this command.

This command is mutually exclusive with the nat service command.

The nat outbound easy-ip failover-group command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Specify failover group nat-failover for Easy IP on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound easy-ip failover-group nat-failover

Related commands

display nat outbound

nat instance

nat service

nat outbound port-block-group

Use nat outbound port-block-group to apply a NAT port block group to the outbound direction of an interface.

Use undo nat outbound port-block-group to remove a NAT port block group application.

Syntax

nat outbound port-block-group group-id

undo nat outbound port-block-group group-id

Default

No NAT port block group is applied to an interface.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Parameters

group-id: Specifies a NAT port block group by its ID, in the range of 0 to 65535.

Usage guidelines

After you apply a NAT port block group to an interface, the system automatically computes the NAT444 mappings and creates entries for them. When a private IP address accesses the public network, the private IP address is translated to the mapped public IP address, and the ports are translated to ports in the selected port block.

You can apply multiple NAT port block groups to an interface.

Different NAT instances cannot use the same port block group.

The nat outbound port-block-group command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Apply NAT port block group 1 to the outbound direction of GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat outbound port-block-group 1

Related commands

display nat all

display nat outbound port-block-group

display nat port-block

nat instance

nat port-block-group

nat port-block flow-trigger enable

Use nat port-block flow-trigger enable to enable flow-triggered port block assignment.

Use undo nat port-block flow-trigger enable to disable flow-triggered port block assignment.

Syntax

nat port-block flow-trigger enable

undo nat port-block flow-trigger enable

Default

Flow-triggered port block assignment is disabled.

Views

System view

NAT instance view

Predefined user roles

network-admin

Usage guidelines

This command applies to the centralized backup for distributed CGN deployment. You must enable this command on the device that performs centralized backup. This ensures that the device can assign addresses and port blocks when errors occur on the CGN card of a BRAS device.

You cannot modify the enabling status of flow-triggered port block assignment if a user is online or global NAT entries exist.

The nat port-block flow-trigger enable command and the nat instance command are mutually exclusive.

Examples

# Enable flow-triggered port block assignment.

<Sysname> system-view

[Sysname] nat port-block flow-trigger enable

Related commands

nat instance

nat port-block-group

Use nat port-block-group to create a NAT port block group and enter its view, or enter the view of an existing NAT port block group.

Use undo nat port-block-group to delete a NAT port block group.

Syntax

nat port-block-group group-id

undo nat port-block-group group-id

Default

No NAT port block groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT port block group. The value range for this argument is 0 to 65535.

Usage guidelines

A NAT port block group is configured to implement static port block mapping.

You must configure the following items for a NAT port block group:

·          A minimum of one private IP address range (see the local-ip-address command).

·          A minimum of one public IP address range (see the global-ip-pool command).

·          A port range (see the port-range command).

·          A port block size (see the block-size command).

The system computes static port block mappings according to the port block group configuration, and creates entries for the mappings.
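The static port block computation above, together with the port usage threshold from the nat log port-block port-usage threshold command, as an added Python example that is not H3C code. Sequential first-fit assignment of private IPs to (public IP, port block) pairs is an assumption for illustration; the device's own allocation order may differ.

```python
# Added example (not H3C code): computing static port block mappings from a
# port block group's private range, public range, port range and block size,
# plus the port usage threshold check. Sequential first-fit assignment is an
# assumption for illustration; the device's own allocation order may differ.
import ipaddress
from typing import Dict, List, Tuple

Block = Tuple[str, int, int]   # (public IP, first port, last port)


def expand_ranges(ranges: List[Tuple[str, str]]) -> List[str]:
    """Expand inclusive (start, end) IPv4 ranges into an ordered address list."""
    out: List[str] = []
    for start, end in ranges:
        a = int(ipaddress.IPv4Address(start))
        b = int(ipaddress.IPv4Address(end))
        if b < a:
            raise ValueError(f"range end {end} precedes start {start}")
        out.extend(str(ipaddress.IPv4Address(i)) for i in range(a, b + 1))
    return out


def compute_static_port_block_mappings(local_ranges: List[Tuple[str, str]],
                                       global_ranges: List[Tuple[str, str]],
                                       port_range: Tuple[int, int],
                                       block_size: int) -> Dict[str, Block]:
    """Map each private IP to exactly one (public IP, port block)."""
    first_port, last_port = port_range
    if block_size <= 0 or last_port < first_port:
        raise ValueError("invalid port range or block size")
    blocks_per_ip = (last_port - first_port + 1) // block_size
    blocks: List[Block] = []
    for pub in expand_ranges(global_ranges):          # public IPs in order ...
        for k in range(blocks_per_ip):                # ... each cut into blocks
            lo = first_port + k * block_size
            blocks.append((pub, lo, lo + block_size - 1))
    privates = expand_ranges(local_ranges)
    if len(privates) > len(blocks):
        # Capacity check a planner wants before applying the group
        raise ValueError(f"{len(privates)} private IPs but only {len(blocks)} port blocks")
    return dict(zip(privates, blocks))


def public_endpoint(mappings: Dict[str, Block], private_ip: str, port_index: int) -> Tuple[str, int]:
    """Translate the port_index-th port used by a private host into (public IP, port)."""
    pub, lo, hi = mappings[private_ip]
    if not 0 <= port_index <= hi - lo:
        raise ValueError("port block exhausted")   # the port-alloc-fail condition
    return pub, lo + port_index


def port_usage_log_needed(used_ports: int, block_size: int, threshold_pct: int) -> bool:
    """True when port usage in a block exceeds the configured threshold percentage."""
    return used_ports * 100 > threshold_pct * block_size


if __name__ == "__main__":
    # Constructed group: 4 private IPs, 1 public IP, ports 1024-2047, block size 256
    m = compute_static_port_block_mappings([("10.1.1.1", "10.1.1.4")],
                                           [("202.110.10.10", "202.110.10.10")],
                                           (1024, 2047), 256)
    for priv, blk in m.items():
        print(priv, "->", blk)
    print(port_usage_log_needed(231, 256, 90))   # True: 231/256 is above 90%
```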

Examples

# Create NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1]

Related commands

block-size

display nat all

display nat port-block-group

global-ip-pool

local-ip-address

nat outbound port-block-group

port-range

nat server (interface-based NAT)

Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

Common NAT server mapping:

·          A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

·          A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]

·          Consecutive public addresses with no or a single public port:

nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]

·          Consecutive public addresses with a single public port:

nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside local-address local-port1 local-port2 [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]

Load sharing NAT server mapping:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-number [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]

ACL-based NAT server mapping:

nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ]

undo nat server global { ipv4-acl-number | name ipv4-acl-name }

Default

No NAT server mappings exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·          A number in the range of 1 to 255.

·          A protocol name of icmp, tcp, or udp.

global: Specifies the external network information that the server uses to provide services to the external network.

global-address: Specifies the public address of an internal server.

global-address1 global-address2: Specifies a public IP address range, which can include a maximum of 256 addresses. The global-address1 argument specifies the start address, and the global-address2 argument specifies the end address, which must be greater than the start address.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 256 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·          A number in the range of 1 to 65535. Both the start port and the end port support this format.

·          A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

inside: Specifies the internal information of the server.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·          A number in the range of 1 to 65535, excluding FTP port 20.

·          A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.

local-address: Specifies the private IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the advertised public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

server-group group-number: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-number argument specifies the internal server group ID, in the range of 0 to 65535.

acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

Usage guidelines

You can configure the NAT Server feature to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

NAT server mappings are usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. To avoid incorrect operation of NAT and packet loss, do not specify the same IP address for the global-address argument and the local-address argument.

The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 23 Address-port mappings for NAT Server

External network                                          | Internal network
----------------------------------------------------------|-------------------------------------------------------------
One public address                                        | One private address
One public address and one public port number             | One private address and one private port number
One public address and N consecutive public port numbers  | One private address and one private port number
                                                          | N consecutive private addresses and one private port number
                                                          | One private address and N consecutive private port numbers
N consecutive public addresses                            | One private address
                                                          | N consecutive private addresses
N consecutive public addresses and one public port number | One private address and one private port number
                                                          | N consecutive private addresses and one private port number
                                                          | One private address and N consecutive private port numbers
One public address and one public port number             | One internal server group
One public address and N consecutive public port numbers  |
N consecutive public addresses and one public port number |
Public addresses matching an ACL                          | One private address
                                                          | One private address and one private port

The number of nat server commands that can be configured on an interface varies by device model. The combination of protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.

As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicted address is modified to an unconflicted address or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.

When you configure load-shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure the value N in the following mappings is equal to or less than the number of servers in the internal server group:

·          One public address and N consecutive public port numbers are mapped to one internal server group.

·          N consecutive public addresses and one public port number are mapped to one internal server group.

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
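The following Python script is an added example, not H3C code, that expands one nat server command into the per-server entries implied by Table 23 and enforces the restrictions stated in the usage guidelines: at most 256 consecutive addresses or ports, end values greater than start values, port information only for TCP or UDP, one-to-one address mappings for other protocols, a private address count equal to the public port count, distinct global and local addresses, and a unique (protocol, public address, public port) tuple per interface. SERVICE_PORTS is a placeholder for the service names the device resolves itself. The one-to-one forms also cover the global NAT variant of nat server in the next section, which uses the same rules within a NAT instance.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

# Constructed model of the nat server mapping forms in Table 23 (added
# example, not H3C code). SERVICE_PORTS stands in for the service names the
# device resolves itself; MAX_RANGE is the documented 256-entry limit.
SERVICE_PORTS: Dict[str, int] = {"http": 80, "telnet": 23, "ftp": 21, "pop3": 110, "dns": 53}
MAX_RANGE = 256
PortSpec = Union[int, str]


@dataclass(frozen=True)
class Entry:
    """One internal server: protocol + public address/port -> private address/port."""
    protocol: Optional[str]
    global_addr: str
    global_port: Optional[int]      # None when no port is configured
    local_addr: str
    local_port: Optional[int]


def _port(value: PortSpec) -> int:
    number = SERVICE_PORTS.get(value.lower()) if isinstance(value, str) else value
    if number is None:
        raise ValueError(f"unknown service name {value!r}")
    if not 1 <= number <= 65535:
        raise ValueError(f"port {number} outside 1..65535")
    return number


def _addrs(spec: Sequence[str]) -> List[ipaddress.IPv4Address]:
    """(start,) or (start, end); end must exceed start, at most 256 addresses."""
    lo = ipaddress.IPv4Address(spec[0])
    hi = ipaddress.IPv4Address(spec[1]) if len(spec) > 1 else lo
    if len(spec) > 1 and hi <= lo:
        raise ValueError("end address must be greater than start address")
    if int(hi) - int(lo) + 1 > MAX_RANGE:
        raise ValueError(f"address range exceeds {MAX_RANGE} addresses")
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]


def _ports(spec: Optional[Sequence[PortSpec]]) -> List[Optional[int]]:
    """None -> [None]; (start,) or (start, end) -> list of ports, at most 256."""
    if not spec:
        return [None]
    lo = _port(spec[0])
    hi = _port(spec[1]) if len(spec) > 1 else lo
    if len(spec) > 1 and hi <= lo:
        raise ValueError("end port must be greater than start port")
    if hi - lo + 1 > MAX_RANGE:
        raise ValueError(f"port range exceeds {MAX_RANGE} ports")
    return list(range(lo, hi + 1))


def expand_nat_server(protocol: Optional[str], global_addrs: Sequence[str],
                      global_ports: Optional[Sequence[PortSpec]],
                      local_addrs: Sequence[str],
                      local_ports: Optional[Sequence[PortSpec]]) -> List[Entry]:
    """Expand one nat server command into per-server entries."""
    g_addrs, g_ports = _addrs(global_addrs), _ports(global_ports)
    l_addrs, l_ports = _addrs(local_addrs), _ports(local_ports)
    if protocol not in ("tcp", "udp"):
        if g_ports != [None] or l_ports != [None]:
            raise ValueError("ports can only be configured for TCP or UDP")
        if len(g_addrs) > 1 or len(l_addrs) > 1:
            raise ValueError("only one-to-one address mappings for protocols other than TCP/UDP")
    if len(g_addrs) > 1 and len(g_ports) > 1:
        raise ValueError("public side may vary either the address or the port, not both")
    if len(l_addrs) > 1 and len(l_ports) > 1:
        raise ValueError("private side may vary either the address or the port, not both")
    if set(g_addrs) & set(l_addrs):
        raise ValueError("global-address and local-address must differ")
    # The varying side defines N; the other side is held constant.
    external = ([(a, g_ports[0]) for a in g_addrs] if len(g_addrs) > 1
                else [(g_addrs[0], p) for p in g_ports])
    internal = ([(a, l_ports[0]) for a in l_addrs] if len(l_addrs) > 1
                else [(l_addrs[0], p) for p in l_ports])
    if len(internal) == 1:
        internal = internal * len(external)     # N public entries -> one server
    elif len(internal) != len(external):
        raise ValueError(f"{len(internal)} internal servers for {len(external)} public entries")
    return [Entry(protocol, str(g), gp, str(l), lp)
            for (g, gp), (l, lp) in zip(external, internal)]


def register(interface_table: Dict[Tuple[Optional[str], str, Optional[int]], Entry],
             entries: List[Entry]) -> None:
    """Add entries to one interface's table, rejecting a reused
    (protocol, public address, public port) tuple."""
    for e in entries:
        key = (e.protocol, e.global_addr, e.global_port)
        if key in interface_table:
            raise ValueError(f"duplicate mapping for {key}")
        interface_table[key] = e


if __name__ == "__main__":
    # Telnet example from this section: 202.110.10.10:1001-1100 -> 10.110.10.1-100
    telnet = expand_nat_server("tcp", ("202.110.10.10",), (1001, 1100),
                               ("10.110.10.1", "10.110.10.100"), ("telnet",))
    print(len(telnet), "entries; first:", telnet[0])
```

The expanded list is what a reviewer should compare against the intended exposure: every Entry is a public address and port reachable from outside, so an accidental 256-port range or a fan-in of N ports onto one server shows up as entries rather than as a single innocuous-looking command.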

Examples

# Allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http

[Sysname-GigabitEthernet3/1/1] quit

# Allow external users to access the internal FTP server at 10.110.10.11 in the VPN instance vrf10 through ftp://202.110.10.10.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

[Sysname-GigabitEthernet3/1/1] quit

# Allow external hosts to ping the host at 10.110.10.12 in the VPN instance vrf10 by using the ping 202.110.10.11 command.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

[Sysname-GigabitEthernet3/1/1] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the VPN instance vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Configure ACL-based NAT Server to allow users to use IP addresses in subnet 192.168.0.0/24 to access the internal server at 10.0.0.172.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat server global 3000 inside 10.0.0.172

Related commands

display nat all

display nat server

nat server-group

nat server (global NAT)

Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

A single public address with no public port:

nat server global global-address [ vpn-instance global-vpn-instance-name ] inside local-address [ vpn-instance local-vpn-instance-name ] [ reversible ]

undo nat server global global-address [ vpn-instance global-vpn-instance-name ]

A single public address with a single public port:

nat server protocol pro-type global { global-address | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ reversible ]

undo nat server protocol pro-type global { global-address | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

NAT interface address as the public address with a single public port:

nat server protocol pro-type global interface interface-type interface-number global-port [ vpn-instance global-vpn-instance-name ] inside local-address local-port [ vpn-instance local-vpn-instance-name ] [ reversible ]

undo nat server protocol pro-type global interface interface-type interface-number global-port [ vpn-instance global-vpn-instance-name ]

Default

No NAT server mappings exist.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. The protocol type format can be one of the following:

·          A number in the range of 1 to 255.

·          A protocol name of icmp, tcp, or udp.

global: Specifies the external network information that the server uses to provide services to the external network.

global-address: Specifies the public address of the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

inside: Specifies the internal information of the server.

local-port: Specifies the private port number. The private port number format can be one of the following:

·          A number in the range of 1 to 65535, excluding FTP port 20.

·          A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The format requirement is the same as the requirement for the local-port argument.

local-address: Specifies the private IP address of an internal server.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address of the internal server belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option. Support for this option depends on the device model.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

Usage guidelines

You can configure the NAT server mappings to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 24 Address-port mappings for NAT Server

External network                               | Internal network
-----------------------------------------------|------------------------------------------------
One public address                             | One private address
One public address and one public port number  | One private address and one private port number

The mapping of the protocol type, public address, and public port number must be unique for an internal server in a NAT instance. This restriction also applies when Easy IP is used.

As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicted address is modified to an unconflicted address or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The public address of the internal server and the output interface must belong to the same VPN instance, and the internal server and the input interface must belong to the same VPN instance.

The nat server command might not take effect in global NAT if hardware resources are insufficient.

Examples

# Configure a NAT server mapping in NAT instance inst to allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.

<Sysname> system-view

[Sysname] nat instance inst id 1

[Sysname-nat-instance-inst] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http

Related commands

display nat all

display nat server

nat server-group

nat server-group

Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.

Use undo nat server-group to delete an internal server group.

Syntax

nat server-group group-id

undo nat server-group group-id

Default

No internal server groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the internal server group. The value range is 0 to 65535.

Usage guidelines

An internal server group can contain multiple members configured by the inside ip command.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

display nat all

display nat server-group

inside ip

nat server

nat service

Use nat service to specify a traffic processing slot for a NAT interface.

Use undo nat service to restore the default.

Syntax

In standalone mode:

nat service slot slot-number

undo nat service slot

In IRF mode:

nat service chassis chassis-number slot slot-number

undo nat service chassis

Default

No traffic processing slot is specified for a NAT interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

You must specify a traffic processing slot for a NAT interface. Otherwise, the NAT configuration on the interface does not take effect.

The NAT traffic on a NAT interface must all be processed on the same slot. The traffic processing slot can be any of the NAT-capable slots on the device. If the slot where the NAT interface resides is NAT-capable, specify this slot as the traffic processing slot as a best practice.

If multiple NAT interfaces use the same NAT address group or public IP address, you must specify the same traffic processing slot for the interfaces. If you specify different traffic processing slots for the interfaces, the NAT configuration might not take effect and the configuration might be removed during configuration restoration. Configuration restoration can be caused by device reboot or software update.

To change the traffic processing slot for a NAT interface, execute the undo nat service command to remove the existing setting, and then execute the nat service command.

If you configure this command on an interface that performs outbound dynamic NAT, Easy IP, or port block-based NAT, do not specify a failover group for a NAT address group or NAT port block group in the NAT configuration.

The nat service command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Specify slot 5 to process NAT traffic.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat service slot 5

Related commands

failover-group

nat instance

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.

The nat static enable command in interface view and the nat instance command in system view are mutually exclusive.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on interface GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] nat static enable

Related commands

display nat all

display nat static

nat instance

nat static outbound

nat static outbound net-to-net

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ failover-group group-name ]

undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For more information about failover groups, see High Availability Configuration Guide.

Usage guidelines

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

When you specify an ACL, follow these restrictions and guidelines:

·          If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·          If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.

·          If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

    -  Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

    -  Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

If you use a failover group in an outbound static NAT mapping, make sure the failover group has the CGN cards as the nodes.

The nat static outbound command and the nat instance command are mutually exclusive.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001
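As an added example, not H3C's implementation, the following Python model shows how the ACL and the reversible keyword decide which packets a one-to-one outbound static mapping translates, using the 192.168.1.1 to 2.2.2.2 mapping and ACL 3001 from the examples above. The ACL semantics are simplified to source/destination address matching with an implicit deny, and ACL reverse matching is implemented as the usage guidelines describe it: the packet source is checked against the ACL destination field and the translated destination against the ACL source field. Ports are left out because the documented rules are stated for addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example modelling one-to-one outbound static NAT with an ACL and the
# reversible keyword; not H3C's implementation. Addresses and the ACL mirror
# the command reference's example (192.168.1.1 <-> 2.2.2.2, acl 3001 permitting
# destination 3.3.3.0/24).


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclRule:
    action: str                          # "permit" or "deny"
    source: Optional[str] = None         # CIDR; None matches any source
    destination: Optional[str] = None    # CIDR; None matches any destination


class Acl:
    """First matching rule decides; no match means the packet is not permitted."""

    def __init__(self, rules: List[AclRule]) -> None:
        self.rules = list(rules)

    @staticmethod
    def _match(addr: str, net: Optional[str]) -> bool:
        return net is None or ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net)

    def permits(self, src: str, dst: str) -> bool:
        for rule in self.rules:
            if self._match(src, rule.source) and self._match(dst, rule.destination):
                return rule.action == "permit"
        return False


@dataclass
class StaticOutboundMapping:
    local_ip: str
    global_ip: str
    acl: Optional[Acl] = None
    reversible: bool = False

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the internal network: translate the source if it is
        local_ip and, when an ACL is configured, the ACL permits the flow."""
        if pkt.src != self.local_ip:
            return pkt
        if self.acl is not None and not self.acl.permits(pkt.src, pkt.dst):
            return pkt
        return Packet(self.global_ip, pkt.dst)

    def translate_inbound(self, pkt: Packet) -> Packet:
        """Packet of a connection initiated from outside to global_ip."""
        if pkt.dst != self.global_ip:
            return pkt
        if self.acl is None:
            return Packet(pkt.src, self.local_ip)    # no ACL: always translated
        if not self.reversible:
            return pkt                               # ACL without reversible: never translated
        translated = Packet(pkt.src, self.local_ip)
        # ACL reverse matching: the packet's source is compared with the ACL's
        # destination field and the translated destination with the ACL's
        # source field, i.e. the ACL is evaluated for the reply direction.
        if self.acl.permits(src=translated.dst, dst=pkt.src):
            return translated
        return pkt


if __name__ == "__main__":
    acl3001 = Acl([AclRule("permit", destination="3.3.3.0/24")])
    mapping = StaticOutboundMapping("192.168.1.1", "2.2.2.2", acl=acl3001, reversible=True)
    print(mapping.translate_outbound(Packet("192.168.1.1", "3.3.3.5")))
    print(mapping.translate_inbound(Packet("3.3.3.5", "2.2.2.2")))
    print(mapping.translate_inbound(Packet("4.4.4.4", "2.2.2.2")))
```

The security-relevant consequence is visible in the inbound path: with an ACL and no reversible keyword, 2.2.2.2 is never reachable from outside through this mapping, and with reversible only hosts in 3.3.3.0/24 reach 192.168.1.1, whereas a mapping without an ACL exposes the private host to every external source.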

Related commands

display nat all

nat instance

display nat static

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ failover-group group-name ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range, which can contain a maximum of 255 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For more information about failover groups, see High Availability Configuration Guide.

Usage guidelines

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When you specify an ACL, follow these restrictions and guidelines:

·          If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·          If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.

·          If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

    -  Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

    -  Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

If you use a failover group in net-to-net outbound static NAT mapping, make sure the failover group has the CGN cards as the nodes.

The nat static outbound net-to-net command and the nat instance command are mutually exclusive.
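The address-range rules above, as an added model that is not part of this command reference: it checks the private end-address constraint and translates in both directions. It assumes that net-to-net mapping keeps the host bits of the address and replaces only the network bits, which is consistent with the subnet constraint described above; names such as net_to_net_error are hypothetical.

```python
import ipaddress

def _masks(mask_length):
    net_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{mask_length}").netmask)
    return net_mask, 0xFFFFFFFF ^ net_mask

def net_to_net_error(local_start, local_end, global_ip, mask_length):
    """Return why a net-to-net mapping is rejected, or None if it is accepted."""
    if not 8 <= mask_length <= 31:
        return "mask length must be in the range of 8 to 31"
    ls, le = ipaddress.IPv4Address(local_start), ipaddress.IPv4Address(local_end)
    net_mask, host_mask = _masks(mask_length)
    if le < ls:
        return "private end address is below the private start address"
    # Greatest address of the subnet formed by the private start address and
    # the public mask, e.g. 1.1.1.255 for start 1.1.1.100 with a /24 mask.
    subnet_max = (int(ls) & net_mask) | host_mask
    if int(le) > subnet_max:
        return f"private end address exceeds {ipaddress.IPv4Address(subnet_max)}"
    return None

def make_net_to_net(local_start, local_end, global_ip, mask_length):
    """Return (outbound, inbound) translators for an accepted mapping (assumed host-bit substitution)."""
    err = net_to_net_error(local_start, local_end, global_ip, mask_length)
    if err:
        raise ValueError(err)
    ls, le = ipaddress.IPv4Address(local_start), ipaddress.IPv4Address(local_end)
    net_mask, host_mask = _masks(mask_length)
    local_net = int(ls) & net_mask
    global_net = int(ipaddress.IPv4Address(global_ip)) & net_mask

    def outbound(src):
        s = ipaddress.IPv4Address(src)
        if not ls <= s <= le:
            return None  # source outside the private range: this rule does not apply
        return str(ipaddress.IPv4Address(global_net | (int(s) & host_mask)))

    def inbound(dst):
        d = int(ipaddress.IPv4Address(dst))
        if d & net_mask != global_net:
            return None  # destination outside the public range
        private = ipaddress.IPv4Address(local_net | (d & host_mask))
        return str(private) if ls <= private <= le else None  # e.g. host .0 has no mapping

    return outbound, inbound
```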

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001

Related commands

display nat all

display nat static

nat instance

nat static enable

port-block

Use port-block to configure port block parameters for a NAT address group.

Use undo port-block to restore the default.

Syntax

port-block block-size block-size [ extended-block-number extended-block-number [ extended-block-size extended-block-size ] ]

undo port-block

Default

Port block parameters are not configured for a NAT address group or NAT address pool.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

block-size block-size: Specifies the port block size. The value range for the block-size argument is 1 to 65535. If the extended port block size is set, the value of the block-size argument must be an integral multiple of 64. In a NAT address group, the port block size cannot be larger than the number of ports in the port range.

extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When a private IP address accesses the public network, but the ports in the selected port block are all occupied, the NAT444 gateway extends port blocks one by one for the private IP address.

extended-block-size extended-block-size: Specifies the number of ports in an extended port block. The value of the extended-block-size argument must be an integral multiple of 64 in the range of 64 to 8192. If you do not specify this option, the extended port block size is the same as the block-size argument. In a NAT address group, the extended port block size cannot be larger than the number of ports in the port range. Support for this option depends on the device model.

Usage guidelines

The device pre-allocates a port block to an internal user when dynamic port block assignment is triggered in the following conditions:

·          In a NAT and BRAS unification scenario, the user passes authentication and comes online.

·          In a scenario without NAT and BRAS unification, the device translates the source IP address of the packet from the user when the user initiates the first connection to the external network.

When the pre-allocated port block of a user is used up, the system allocates an extended port block to the user if the extended port blocks are configured. The system withdraws the extended port block when the user releases all ports in the extended port block.

For dynamic port block mappings, port block parameters are required in the NAT address group if the address group is used for outbound address translation.

Examples

# Set the port block size to 256 and the number of extended port blocks to 1 in NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] port-block block-size 256 extended-block-number 1

Related commands

nat address-group

port-limit

Use port-limit to set the maximum number of ports that can be assigned to a protocol.

Use undo port-limit to delete the configuration.

Syntax

port-limit { icmp | tcp | total | udp } number

undo port-limit { icmp | tcp | total | udp }

Default

No upper limit is set for a protocol.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

total: Sets the total number of ports that can be assigned for all protocols.

udp: Specifies the UDP protocol.

number: Specifies the maximum number of ports, in the range of 0 to 65535.

Examples

# Allow NAT address group 1 to assign a maximum of 10 ports for TCP.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-limit tcp 10

# Allow NAT port block group 1 to assign a maximum of 10 ports for TCP.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-limit tcp 10

Related commands

nat address-group

nat port-block-group

port-range

Use port-range to specify a port range for public IP addresses.

Use undo port-range to restore the default.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

The port range for public IP addresses is 1 to 65535.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number. As a best practice, set the start port number to be equal to or larger than 1024 to avoid an application protocol identification error.

Usage guidelines

The port range must include all ports that public IP addresses use for address translation.

The number of ports in a port range cannot be smaller than the port block size.
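The port-block, port-range, and extended-block behaviour described under port-block and port-range above, as an added model that is not part of this command reference: it rejects the parameter combinations the text forbids, pre-allocates one block per user, extends one block at a time up to extended-block-number, and withdraws an extended block once all of its ports are released. The class and its method names are hypothetical, and the user keys used in the comments are constructed.

```python
class PortBlockPool:
    def __init__(self, start_port, end_port, block_size,
                 extended_block_number=0, extended_block_size=None):
        ext = extended_block_size
        if ext is not None and (ext % 64 or not 64 <= ext <= 8192 or block_size % 64):
            raise ValueError("block sizes must be multiples of 64 (extended: 64..8192)")
        self.ext_size = ext or block_size  # default: same as block-size
        if end_port < start_port or max(block_size, self.ext_size) > end_port - start_port + 1:
            raise ValueError("port range is smaller than the port block size")
        self.block_size, self.ext_number = block_size, extended_block_number
        self.cursor, self.end, self.spare = start_port, end_port, {}
        self.users = {}  # user (e.g. private IP "10.0.0.1") -> [[first, size, used set], ...]

    def _take_block(self, size):
        if self.spare.get(size):
            return self.spare[size].pop()  # reuse a withdrawn block
        if self.cursor + size - 1 > self.end:
            return None  # port range exhausted
        first, self.cursor = self.cursor, self.cursor + size
        return first

    def user_online(self, user):
        # Pre-allocation: on authentication, or on the user's first outbound flow
        first = self._take_block(self.block_size)
        if first is not None:
            self.users[user] = [[first, self.block_size, set()]]
        return first

    def allocate_port(self, user):
        blocks = self.users[user]
        for first, size, used in blocks:
            free = next((p for p in range(first, first + size) if p not in used), None)
            if free is not None:
                used.add(free)
                return free
        if len(blocks) - 1 >= self.ext_number:
            return None  # base block and all extended blocks are full
        first = self._take_block(self.ext_size)  # extend one block at a time
        if first is None:
            return None
        blocks.append([first, self.ext_size, {first}])
        return first

    def release_port(self, user, port):
        for i, (first, size, used) in enumerate(self.users[user]):
            if first <= port < first + size:
                used.discard(port)
                if i and not used:  # extended block fully released: withdraw it
                    self.users[user].pop(i)
                    self.spare.setdefault(size, []).append(first)
                return
```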

Examples

# Specify the port range as 1024 to 65535 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-range 1024 65535

# Specify the port range as 30001 to 65535 for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-range 30001 65535

Related commands

nat address-group

nat port-block-group

reset nat eim

Use reset nat eim to delete NAT EIM entries.

Syntax

In standalone mode:

reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ slot slot-number ]

In IRF mode:

reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command deletes NAT EIM entries of all protocol types.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip b4 ipv6-address: Deletes the EIM entry for a B4 device IPv6 address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-ip local-ip: Deletes the EIM entry for a private IP address. The local-ip argument specifies a private IP address.

local-port local-port: Deletes the EIM entry for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Deletes the EIM entry for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Deletes the EIM entry for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes NAT EIM entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes NAT EIM entries for all cards. (In IRF mode.)

Examples

# Delete NAT EIM entries for the specified slot.

<Sysname> reset nat eim slot 3

Related commands

display nat session

display nat eim statistics

nat mapping-behavior

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

In standalone mode:

reset nat session [ protocol { tcp | udp } ] [ slot slot-number ]

In IRF mode:

reset nat session [ protocol { tcp | udp } ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command clears NAT sessions of all protocol types.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears NAT sessions for all cards. (In IRF mode.)

Usage guidelines

After you clear the NAT sessions, the corresponding NAT EIM table and NO-PAT table are cleared at the same time.

Examples

# Clear NAT sessions for the specified slot.

<Sysname> reset nat session slot 1

Related commands

display nat session

service-instance-group

Use service-instance-group to associate a service instance group with a NAT instance.

Use undo service-instance-group to disassociate a service instance group from a NAT instance.

Syntax

service-instance-group service-instance-group-name

undo service-instance-group service-instance-group-name

Default

A NAT instance does not have any associated service instance groups.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

service-instance-group-name: Specifies a service instance group name, a case-sensitive string of 1 to 31 characters. If the service instance group name contains spaces, use quotation marks to enclose the group name (for example, "xxx xxx"). You can specify a nonexistent service instance group, but the association takes effect only after you create the service instance group by using the service-instance-group command. For more information about the service instance group, see service instance group configuration in High Availability Configuration Guide.

Usage guidelines

The service card in the associated service instance group performs address translation for traffic that matches NAT rules in the NAT instance.

A NAT instance can be associated with only one service instance group. Different NAT instances cannot be associated with the same service instance group.

In the NAT and BRAS unification scenario, you can cancel the association between the NAT instance and the service instance group only after all users go offline. The association cannot be canceled if a user is online.

In other scenarios, you can cancel the association between the NAT instance and the service instance group even when address translation entries of the NAT instance exist. Use caution when canceling the association, because the system will delete all NAT entries of the NAT instance.

Examples

# Associate NAT instance cgn1 with service instance group group1.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] service-instance-group group1

Related commands

nat instance

service-instance-group (High Availability Command Reference)
