05-NAT Command Reference

01-NAT commands

Contents

NAT commands
action
action dnat (NAT64-type rule view)
action dnat (NAT66-type rule view)
action dnat (NAT-type rule view)
action snat (NAT64-type rule view)
action snat (NAT66-type rule view)
action snat (NAT-type rule view)
address
address interface
blade-load-sharing-group
block-size
counting enable
description
destination-ip
destination-zone
disable
display nat address-group
display nat alg
display nat all
display nat dns-map
display nat easy-ip failover-group port-range
display nat eim
display nat global-policy
display nat inbound
display nat log
display nat no-pat
display nat no-pat ip-usage
display nat outbound
display nat outbound port-block-group
display nat periodic-statistics
display nat policy
display nat port-block
display nat port-block-group
display nat port-block-usage
display nat probe address-group
display nat server
display nat server-group
display nat session
display nat static
display nat statistics
exclude-ip
failover-group
global-ip-pool
inside ip
local-ip-address
nat address-group
nat alg
nat dns-map
nat global-policy
nat hairpin enable
nat icmp-error reply
nat inbound
nat inbound rule move
nat link-switch recreate-session
nat log alarm
nat log enable
nat log flow-active
nat log flow-begin
nat log flow-end
nat log no-pat ip-usage
nat log port-block usage threshold
nat log port-block-assign
nat log port-block-withdraw
nat mapping-behavior endpoint-independent
nat outbound
nat outbound ds-lite-b4
nat outbound easy-ip failover-group
nat outbound easy-ip port-range
nat outbound port-block-group
nat outbound rule move
nat periodic-statistics enable
nat periodic-statistics interval
nat policy
nat port-block global-share enable
nat port-block synchronization enable
nat port-block-group
nat redirect reply-route
nat remote-backup port-alloc
nat server
nat server rule
nat server rule move
nat server-group
nat session create-rate enable
nat static blade-load-sharing-group
nat static enable
nat static inbound
nat static inbound net-to-net
nat static inbound net-to-net rule move
nat static inbound object-group
nat static inbound rule move
nat static outbound
nat static outbound net-to-net
nat static outbound net-to-net rule move
nat static outbound object-group
nat static outbound rule move
nat static-load-balance enable
nat timestamp delete
outbound-interface
port-block
port-range
probe
reset nat count statistics
reset nat dynamic-load-balance
reset nat periodic-statistics
reset nat session
reset nat static-load-balance
rule move (interface-based NAT policy view)
rule move (global NAT policy view)
rule name
service
source-ip
source-zone
vrf
vrrp vrid (interface-based NAT)


NAT commands

Non-default vSystems do not support some of the NAT commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.

action

Use action to specify an address translation method for a NAT rule.

Use undo action to delete the address translation method configuration for a NAT rule.

Syntax

Easy IP method:

action easy-ip

NO-NAT method:

action no-nat

NO-PAT method:

action address-group { group-id | name group-name } no-pat [ reversible ]

PAT method:

action address-group { group-id | name group-name } [ port-preserved ]

Default

No address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

address-group: Uses the NAT address group for address translation.

group-id: Specifies the ID of the address group. The value range for this argument is 0 to 65535.

name group-name: Specifies the name of the address group. The name is a case-sensitive string of 1 to 63 characters.

easy-ip: Uses the Easy IP method on the interface where the NAT rule is configured. The IP address of the interface is used as the NAT IP address.

no-nat: Prevents the rule and its subsequent rules from translating matching packets.

no-pat: Uses the NO-PAT mode in which port numbers are not translated.

reversible: Allows reverse address translation. Reverse address translation uses existing NO-PAT entries to translate destination addresses for packets of connections actively initiated by external hosts to internal hosts.

port-preserved: Tries to preserve the original source port number when PAT is performed.

Usage guidelines

Non-default vSystems do not support this command.

PAT supports TCP, UDP, and UDP-Lite packets, and ICMP request packets.

A NAT address group cannot be used by both the PAT and NO-PAT methods.

If excessive NAT rules exist and you want to disable address translation for specific traffic temporarily, locate the NAT rule matching the traffic and specify the no-nat keyword in the rule.

Examples

# Configure NAT rule aaa to use the PAT mode and NAT address group 0 for address translation.

<Sysname> system-view

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] action address-group 0

# Configure NAT rule aaa to use the NO-PAT mode and address group 0 for address translation.

<Sysname> system-view

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] action address-group 0 no-pat

# Configure NAT rule aaa to use Easy IP for address translation.

<Sysname> system-view

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] action easy-ip

# Disable NAT rule aaa and its subsequent rules from translating matching packets.

<Sysname> system-view

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] action no-nat

Related commands

display nat all

display nat policy

nat address-group

action dnat (NAT64-type rule view)

Use action dnat to specify a destination address translation method for a NAT rule.

Use undo action dnat to delete the destination address translation method configuration for a NAT rule.

Syntax

Static NAT method:

action dnat static ip-address { local-ipv4-address | local-ipv6-address } [ vrf vrf-name ]

undo action dnat

Server mapping method:

action dnat server ip-address { local-ipv4-address | local-ipv6-address } [ local-port local-port ] [ vrf vrf-name ]

undo action dnat

Prefix method:

action dnat prefix { general { v4tov6 prefix-general general-prefix-length | v6tov4 } | ivi v4tov6 prefix-ivi | nat64 v6tov4 } [ vrf vrf-name ]

undo action dnat

Default

No destination address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

static: Uses the static NAT method. Mappings between IPv6 and IPv4 addresses are manually configured.

server: Uses the internal server method for address translation.

ip-address: Specifies the IP address after translation.

local-ipv4-address: Specifies the internal destination IPv4 address after translation.

local-ipv6-address: Specifies the internal destination IPv6 address after translation.

local-port local-port: Specifies the internal destination port number after translation, in the range of 1 to 65535. If you do not specify this option, the destination port number is not translated. Port translation is supported only for TCP, UDP, and ICMP query packets. Because ICMP and ICMPv6 packets carry no port numbers, their ICMP IDs are used as the destination port numbers.

prefix: Uses the prefix method for address translation.

general: Uses the general prefix method for destination address translation.

v4tov6: Translates IPv4 addresses to IPv6 addresses.

v6tov4: Translates IPv6 addresses to IPv4 addresses.

ivi: Uses the IVI prefix method for IPv6-to-IPv4 destination address translation.

prefix-ivi: Specifies an IVI prefix. The IVI prefix length is fixed at 32.

nat64: Uses the NAT64 prefix method for IPv6-to-IPv4 destination address translation.

prefix-general: Specifies a general prefix.

general-prefix-length: Specifies the general prefix length. Available values include 32, 40, 48, 56, 64, and 96.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the IPv4 or IPv6 addresses after destination address translation are on the public network.

Usage guidelines

When an IPv6 user accesses an IPv4 network, the following methods are available:

·     Static method—In this method, you must manually configure the one-to-one IPv4-to-IPv6 address mappings. An IPv6 user uses the IPv6 address in the matching address mapping as the destination address, and the NAT64 device translates the destination IPv6 address to an IPv4 address according to the address mapping.

·     Internal server method—In this method, an IPv4 server address and its port number are mapped to the IPv6 network. An IPv6 user can access the server in the IPv4 network by accessing the translated IPv6 address and port number.

·     Prefix method—In this method, a NAT64 prefix or general prefix is used to translate a destination IPv6 address to an IPv4 address.

When an IPv4 user accesses an IPv6 network, the address translation procedure is similar to that when an IPv6 user accesses an IPv4 network.

When you use this command together with packet match criteria, note the following restriction: if you execute the destination-ip command and then the action dnat static ip-address command, you can no longer execute the destination-ip command again to modify the packet match criteria.

When you use the NAT64 prefix method for IPv6-to-IPv4 destination address translation with an IPv6 prefix length of 96, make sure bits 64 through 71 of the NAT64 prefix are 0.

To perform source and destination address translations simultaneously in a VPN environment, make sure the translated addresses belong to the same VPN instance. To translate a source address and a destination address, execute the action snat and action dnat commands, respectively.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure NAT rule rule1 to use the server mapping method to translate the destination IP address to 1.1.1.5.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name rule1 type nat64

[Sysname-nat-global-policy-rule-nat64-rule1] action dnat server ip-address 1.1.1.5

Related commands

action snat

destination-ip

action dnat (NAT66-type rule view)

Use action dnat to specify a destination address translation method for a NAT rule.

Use undo action dnat to delete the destination address translation method configuration for a NAT rule.

Syntax

Server mapping method:

action dnat ip-address local-ipv6-address [ local-port local-port ] [ vrf vrf-name ]

undo action dnat

NPTv6 method:

action dnat nptv6 translated-ipv6-prefix prefix-length [ vrf vrf-name ]

undo action dnat

NO-NAT method:

action dnat no-nat

undo action dnat

Default

No destination address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

static: Uses the static method for address translation. The mappings between destination IPv6 addresses before and after translation are manually configured.

ip-address local-ipv6-address: Specifies the internal destination IPv6 address after translation.

local-port local-port: Specifies the internal destination port number after translation, in the range of 1 to 65535. If you do not specify this keyword, the destination port number is not translated. This feature is supported only for TCP, UDP, and ICMPv6 query packets. Because ICMPv6 packets do not have port numbers, the ICMP IDs in these packets are used as their destination port numbers.

nptv6: Uses the NPTv6 method for IPv6 address prefix translation.

translated-ipv6-prefix prefix-length: Specifies the IPv6 address prefix after translation. The translated-ipv6-prefix argument indicates the address prefix. The prefix-length argument specifies the IPv6 address prefix length in the range of 1 to 112.

no-nat: Disables the rule and its subsequent rules from translating the destination IP address of the matching packets.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the IPv6 addresses after destination address translation are on the public network.

Usage guidelines

This command applies to scenarios where a server on an internal network provides services (for example, Web or FTP) to external networks. By configuring mappings between internal servers and external addresses in a NAT66-type rule, you allow users on external networks to reach the internal servers through the specified external address.

If excessive NAT rules exist and you want to disable address translation for specific traffic temporarily, locate the NAT rule that matches the traffic and specify the no-nat keyword in the rule.

When you use this command together with packet match criteria, follow these restrictions and guidelines:

·     When you use the action dnat nptv6 command together with the destination-ip command, executing the destination-ip command first and then the action dnat nptv6 command prevents you from executing the destination-ip command again to modify the packet match criteria.

·     You cannot use this command together with the security zone match criteria. To use destination security zones as the packet match criteria for a NAT rule, first execute the undo action dnat command and then the destination-zone command.

To perform source and destination address translations simultaneously in a VPN environment, make sure the translated addresses belong to the same VPN instance. To translate a source address and a destination address, execute the action snat and action dnat commands, respectively.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure NAT rule rule1 to use the server mapping method to translate the destination IPv6 address to 3001::5.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name rule1 type nat66

[Sysname-nat-global-policy-rule-nat66-rule1] action dnat ip-address 3001::5

Related commands

action snat

destination-ip

destination-zone

action dnat (NAT-type rule view)

Use action dnat to specify a destination address translation method for a NAT rule.

Use undo action dnat to delete the configuration of a destination address translation method for a NAT rule.

Syntax

Server mapping method:

action dnat { ip-address local-address | object-group ipv4-object-group-name } [ local-port local-port ] [ vrrp virtual-router-id ] [ vrf vrf-name ]

undo action dnat

NO-NAT method:

action dnat no-nat

undo action dnat

Default

No destination address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

ip-address local-address: Specifies a private destination IP address after translation.

object-group ipv4-object-group-name: Specifies an IPv4 address object group by its name. The name is a case-insensitive string of 1 to 63 characters and cannot be any. If the name contains spaces, enclose it in quotation marks ("), for example, "XXX XXX".

local-port local-port: Specifies a private destination port number after translation, in the range of 1 to 65535. If you do not specify this option, the device does not translate destination ports of the packets. Only TCP, UDP, and ICMP query packets are supported. For an ICMP packet, the ICMP ID is used as its destination port number.

no-nat: Disables the rule and its subsequent rules from translating the destination IP address of the matching packets.

vrrp virtual-router-id: Binds the destination translation method to a VRRP group. The virtual-router-id argument specifies the virtual router ID, in the range of 1 to 255.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the destination addresses after translation are on the public network.

Usage guidelines

Non-default vSystems do not support this command.

When external users access an internal server, the NAT device translates the destination IP addresses and ports of the matching packets to the IP address and port of the internal server.

If excessive NAT rules exist and you want to disable address translation for specific traffic temporarily, locate the NAT rule that matches the traffic and specify the no-nat keyword in the rule.

For active/standby HA, bind the destination translation method to a VRRP group on the primary device in the HA group.

For dual-active HA, select one of the following VRRP group binding methods according to the NAT resource allocation between the two devices in the HA group:

·     If the two devices share the same NAT addresses, configure VRRP group binding on the primary device. To prevent different master devices from using the same IP-port mapping for different hosts, specify the PAT translation mode and execute the nat remote-backup port-alloc command on the primary device.

·     If the two devices use different NAT addresses, user traffic with different source IP addresses is identified by source IP address match criteria in NAT rules. To enable different master devices to translate the forward user traffic, specify different gateway addresses for different internal users. To direct the reverse traffic to different master devices, configure VRRP group binding on the primary device for load sharing.

A NAT rule that uses a destination address translation method does not support using a destination security zone as a packet match criterion. To use a destination security zone as a match criterion for the rule, execute the undo action dnat command first and then execute the destination-zone command.

To perform source and destination address translations simultaneously in a VPN environment, make sure the translated addresses belong to the same VPN instance. To translate a source address and a destination address, execute the action snat and action dnat commands, respectively.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# For NAT rule rule1, specify the server mapping method and specify 1.1.1.5 as the destination address after translation.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name rule1

[Sysname-nat-global-policy-rule-rule1] action dnat ip-address 1.1.1.5

Related commands

action snat

destination-zone

nat remote-backup port-alloc

action snat (NAT64-type rule view)

Use action snat to specify a source address translation method for a NAT rule.

Use undo action snat to delete the source address translation method configuration for a NAT rule.

Syntax

NO-PAT method:

action snat object-group { ipv4-object-group-name | ipv6-object-group-name } no-pat [ vrf vrf-name ]

undo action snat

PAT method:

action snat object-group { ipv4-object-group-name | ipv6-object-group-name } [ vrf vrf-name ]

undo action snat

Prefix translation method:

action snat prefix { general {  v4tov6 prefix-general general-prefix-length | v6tov4 } | ivi v6tov4 | nat64 v4tov6 prefix-nat64 nat64-prefix-length } [ vrf vrf-name ]

undo action snat

Static NAT method:

action snat static ip-address { global-ipv4-address | global-ipv6-address } [ vrf vrf-name ]

undo action snat

Default

No source address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group: Specifies the address object group used for address translation.

ipv4-object-group-name: Specifies an IPv4 address object group by its name. The name is a case-insensitive string of 1 to 63 characters and cannot be any. If the name contains spaces, enclose it in quotation marks ("), for example, "XXX XXX".

ipv6-object-group-name: Specifies an IPv6 address object group by its name. The name is a case-insensitive string of 1 to 63 characters and cannot be any. If the name contains spaces, enclose it in quotation marks ("), for example, "XXX XXX".

prefix: Uses the prefix method for source address translation.

general: Uses the general prefix method for source address translation.

ivi: Uses the IVI prefix method for source address translation.

nat64: Uses the NAT64 prefix method for source address translation.

v4tov6: Translates IPv4 addresses to IPv6 addresses.

v6tov4: Translates IPv6 addresses to IPv4 addresses.

prefix-general: Specifies a general prefix.

general-prefix-length: Specifies the general prefix length. Available values include 32, 40, 48, 56, 64, and 96.

prefix-nat64: Specifies a NAT64 prefix.

nat64-prefix-length: Specifies the NAT64 prefix length. Available values include 32, 40, 48, 56, 64, and 96. When 96 is specified as the NAT64 prefix length, make sure the 64th bit through the 71st bit of the NAT64 prefix are 0.

static: Uses the static method for source address translation.

ip-address: Specifies the IP address after translation.

global-ipv4-address: Specifies the source IPv4 address after translation.

global-ipv6-address: Specifies source IPv6 address after translation.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the IPv4 or IPv6 addresses after source address translation are on the public network.

Usage guidelines

You can use different source IP address match criteria together with different source address translation methods to perform address translation. For example, when the source-ip host { ipv4-address | ipv6-address } command is used to configure packet match criteria for a NAT rule, the command can be used together with the action snat static ip-address { global-ipv4-address | global-ipv6-address } command to implement one-to-one static address translation.

When you use this command together with packet match criteria, follow these restrictions and guidelines:

·     When you use the action snat static ip-address command together with the source-ip command, if you first execute the source-ip command and then the action snat static ip-address command, you cannot repeatedly execute the source-ip command to modify packet match criteria.

·     When you use the static method for address translation, make sure the number of IP addresses in the packet match criteria for matching the source addresses of packets is the same as that in the static address translation method.

When a source address translation method references an address object group, follow these restrictions and guidelines:

·     For an address object group to be successfully referenced by the source address translation method, make sure the objects in the referenced address object group are created with the following commands:

    - [ object-id ] network host address ip-address

    - [ object-id ] network subnet ip-address { mask-length | mask }

    - [ object-id ] network range ip-address1 ip-address2

For more information about these commands, see object group commands in Security Command Reference.

·     The number of IP addresses in the address object groups referenced by the source address translation method cannot exceed 65535.

·     The address object group referenced by the static address translation method cannot contain excluded addresses.

To perform source and destination address translations simultaneously in a VPN environment, make sure the translated addresses belong to the same VPN instance. To translate a source address and a destination address, execute the action snat and action dnat commands, respectively.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure NAT rule aaa to use the PAT method and reference source IPv4 address object group srcIP1.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa type nat64

[Sysname-nat-global-policy-rule-nat64-aaa] action snat object-group srcIP1

Related commands

action dnat

display nat all

display nat global-policy

network (Security Command Reference)

action snat (NAT66-type rule view)

Use action snat to specify a source address translation method for a NAT rule.

Use undo action snat to delete the configuration of a source address translation method for a NAT rule.

Syntax

NO-PAT method:

action snat object-group ipv6-object-group-name no-pat [ vrf vrf-name ]

undo action snat

PAT method:

action snat object-group ipv6-object-group-name [ vrf vrf-name ]

undo action snat

Static NAT method:

action snat static ip-address global-ipv6-address [ vrf vrf-name ]

undo action snat

NPTv6 method:

action snat nptv6 translated-ipv6-prefix prefix-length [ vrf vrf-name ]

undo action snat

NO-NAT method:

action snat no-nat

undo action snat

Default

No source address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group ipv6-object-group-name: Specifies an IPv6 address object group by its name for address translation. The name is a case-insensitive string of 1 to 63 characters and cannot be any. If the name contains spaces, enclose it in quotation marks ("), for example, "XXX XXX".

no-pat: Uses the NO-PAT mode in which port numbers are not translated.

static: Uses the static method for address translation. The mappings between source IPv6 addresses before and after translation are manually configured.

ip-address global-ipv6-address: Specifies the source IPv6 address after translation.

nptv6: Uses the NPTv6 method for IPv6 address prefix translation.

translated-ipv6-prefix prefix-length: Specifies the IPv6 address prefix after translation. The translated-ipv6-prefix argument is the address prefix. The prefix-length argument is the prefix length, in the range of 1 to 112.

no-nat: Disables the rule and its subsequent rules from translating the source IP address of the matching packets.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the IPv6 addresses after source address translation are on the public network.

Usage guidelines

You can use different source IP address match criteria together with different source address translation methods to perform address translation. For example, when the source-ip host { ipv4-address | ipv6-address } command is used to configure packet match criteria for a NAT rule, the command can be used together with the action snat static ip-address { global-ipv4-address | global-ipv6-address } command to implement one-to-one static address translation.

If you have configured a large number of NAT rules and want to exclude packets with source addresses in a small range from source address translation, use the NO-NAT method in the rule that matches those packets.

When you use this command together with packet match criteria, follow these restrictions and guidelines:

·     When you use the action snat static ip-address command together with the source-ip command, if you first execute the source-ip command and then the action snat static ip-address command, you cannot repeatedly execute the source-ip command to modify packet match criteria.

·     The action snat nptv6 command can be used together only with the source-ip subnet command. If you execute the source-ip subnet command first and then the action snat nptv6 command, you cannot execute the source-ip command again to modify the packet match criteria.

·     When you use the static method for address translation, make sure the number of IP addresses in the packet match criteria for matching the source addresses of packets is the same as that in the static address translation method.

When a source address translation method references an address object group, follow these restrictions and guidelines:

·     For an address object group to be successfully referenced by the source address translation method, make sure the objects in the referenced address object group are created with the following commands:

    - [ object-id ] network host address ip-address

    - [ object-id ] network subnet ip-address { mask-length | mask }

    - [ object-id ] network range ip-address1 ip-address2

For more information about these commands, see object group commands in Security Command Reference.

·     The number of IP addresses in the address object group referenced by the source address translation method cannot exceed 65535.

·     An address object group referenced by the static address translation method cannot contain excluded addresses.
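
The object-group rules above (and the identical ones in the action snat (NAT64-type rule view) section) can be checked mechanically before a rule is committed. The following Python is an added example, not the device's code: it counts the addresses each of the three allowed network object forms covers, enforces the 65535 limit, and checks that a static method maps equal-sized sets. It assumes that both the source-ip match criteria and the translation pool are expressed as object-group network lines; the object lines in it are constructed samples.

```python
"""Size checks for address object groups referenced by action snat with the
static method: the three allowed network object forms, the 65535 limit, and
the requirement that the match set and the translation set are the same size.
Added example, not the device's own code."""
import ipaddress

MAX_OBJECT_GROUP_ADDRESSES = 65535  # limit stated in the usage guidelines


def count_network_object(line: str) -> int:
    """Number of addresses one object-group 'network' line covers.

    Accepts only the three forms the guidelines allow (with an optional
    leading object-id). Anything else, including objects that exclude
    addresses, is rejected because a static method cannot reference it.
    """
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    if len(tokens) == 4 and tokens[:3] == ["network", "host", "address"]:
        ipaddress.ip_address(tokens[3])  # validates the literal
        return 1
    if len(tokens) == 4 and tokens[:2] == ["network", "subnet"]:
        # tokens[3] may be a mask length or a dotted mask; ip_network takes both
        return ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False).num_addresses
    if len(tokens) == 4 and tokens[:2] == ["network", "range"]:
        low, high = ipaddress.ip_address(tokens[2]), ipaddress.ip_address(tokens[3])
        if low.version != high.version or high < low:
            raise ValueError(f"bad range: {line!r}")
        return int(high) - int(low) + 1
    raise ValueError(f"object not usable by a static translation method: {line!r}")


def check_static_snat(match_objects: list[str], translated_objects: list[str]) -> tuple[bool, str]:
    """Apply the static-method guidelines to a source-ip match group and the
    group named in action snat static object-group. Returns (ok, reason)."""
    try:
        matched = sum(count_network_object(obj) for obj in match_objects)
        translated = sum(count_network_object(obj) for obj in translated_objects)
    except ValueError as err:
        return False, str(err)
    if translated > MAX_OBJECT_GROUP_ADDRESSES:
        return False, f"{translated} translated addresses exceed {MAX_OBJECT_GROUP_ADDRESSES}"
    if matched != translated:
        return False, f"static method needs equal sizes, got {matched} matched vs {translated} translated"
    return True, f"one-to-one mapping of {matched} addresses"


if __name__ == "__main__":
    # Constructed sample groups: a /24 of private hosts mapped onto a /24 of public addresses.
    print(check_static_snat(["0 network subnet 10.1.1.0 24"],
                            ["0 network subnet 203.0.113.0 255.255.255.0"]))
    # Mismatched sizes are rejected, as the guideline requires.
    print(check_static_snat(["network subnet 10.1.0.0 16"],
                            ["network range 203.0.113.1 203.0.113.100"]))
```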

To perform source and destination address translations simultaneously in a VPN environment, make sure the translated addresses belong to the same VPN instance. To translate a source address and a destination address, execute the action snat and action dnat commands, respectively.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure NAT rule aaa to use the NPTv6 method to translate the source IPv6 address prefix to 2101::/64 for packets whose source IP addresses match subnet fd9C:58ed:7d73:2::/64.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa type nat66

[Sysname-nat-global-policy-rule-nat66-aaa] source-ip subnet fd9C:58ed:7d73:2:: 64

[Sysname-nat-global-policy-rule-nat66-aaa] action snat nptv6 2101:: 64
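
The translation this example configures can be worked through in software. The following Python is an added example that models the RFC 6296 NPTv6 algorithm, not the device's implementation (the page does not say whether the device applies the RFC's checksum-neutral adjustment, so treat that as an assumption): it translates a host address from fd9C:58ed:7d73:2::/64 to 2101::/64, translates it back, and shows that the one's complement sum a transport checksum covers is unchanged. It covers prefix lengths 1 to 64, where the RFC fixes the placement of the adjustment; the longer lengths the command accepts are outside it.

```python
"""NPTv6 prefix translation (RFC 6296) worked on the example above:
fd9C:58ed:7d73:2::/64 translated to 2101::/64 and back.
Added example; models the RFC algorithm, not the device's own code."""
import ipaddress


def _words(value: int) -> list[int]:
    """Eight 16-bit words of a 128-bit address, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _unwords(words: list[int]) -> int:
    value = 0
    for word in words:
        value = (value << 16) | word
    return value


def _fold(total: int) -> int:
    """One's complement addition: fold carries back into the low 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_sum(addr: str) -> int:
    """One's complement sum of the address words, as a TCP/UDP checksum sees
    it. 0xFFFF and 0x0000 are the same one's complement value, so 0xFFFF is
    reported as 0 to make comparisons unambiguous."""
    total = _fold(sum(_words(int(ipaddress.IPv6Address(addr)))))
    return 0 if total == 0xFFFF else total


def nptv6_translate(addr: str, from_prefix: str, to_prefix: str, length: int) -> str:
    """Rewrite from_prefix to to_prefix and restore the address sum.

    RFC 6296 places the adjustment in the subnet word (bits 48-63) for /48
    or shorter prefixes, otherwise in the first IID word that is not 0xFFFF.
    The same function serves both directions, so inbound traffic is handled
    by swapping the prefixes.
    """
    if not 1 <= length <= 64:
        raise ValueError("this example covers prefix lengths 1 to 64 only")
    src = ipaddress.IPv6Address(addr)
    inside = ipaddress.IPv6Network(f"{from_prefix}/{length}", strict=True)
    outside = ipaddress.IPv6Network(f"{to_prefix}/{length}", strict=True)
    if src not in inside:
        raise ValueError(f"{addr} is not covered by {inside}")
    old = _words(int(src))
    mask = ((1 << length) - 1) << (128 - length)
    new = _words((int(src) & ~mask) | (int(outside.network_address) & mask))
    # adjustment = sum(old) - sum(new), computed in one's complement arithmetic
    adjust = _fold(_fold(sum(old)) + (~_fold(sum(new)) & 0xFFFF))
    if length <= 48:
        target = 3
    else:
        candidates = [i for i in range(4, 8) if new[i] != 0xFFFF]
        if not candidates:
            raise ValueError("no IID word free to carry the adjustment")
        target = candidates[0]
    adjusted = _fold(new[target] + adjust)
    new[target] = 0 if adjusted == 0xFFFF else adjusted  # both encode zero
    return str(ipaddress.IPv6Address(_unwords(new)))


if __name__ == "__main__":
    # Constructed sample host inside the subnet from the CLI example above.
    outbound = nptv6_translate("fd9C:58ed:7d73:2::1", "fd9C:58ed:7d73:2::", "2101::", 64)
    inbound = nptv6_translate(outbound, "2101::", "fd9C:58ed:7d73:2::", 64)
    print(outbound, inbound, address_sum("fd9C:58ed:7d73:2::1") == address_sum(outbound))
```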

Related commands

action dnat

display nat all

display nat global-policy

source-ip

action snat (NAT-type rule view)

Use action snat to specify a source address translation method for a NAT rule.

Use undo action snat to delete the configuration of a source address translation method for a NAT rule.

Syntax

NO-PAT method:

action snat { address-group { group-id | name group-name } | object-group ipv4-object-group-name } no-pat [ reversible ] [ vrrp virtual-router-id ] [ vrf vrf-name ]

undo action snat

PAT method:

action snat { address-group { group-id | name group-name } | object-group ipv4-object-group-name } [ port-preserved ] [ vrrp virtual-router-id ] [ vrf vrf-name ]

undo action snat

Easy IP:

action snat easy-ip [ port-preserved ] [ vrf vrf-name ]

undo action snat

Static NAT method:

action snat static { ip-address global-address | object-group object-group-name | subnet subnet-ip-address mask-length } [ vrrp virtual-router-id ] [ vrf vrf-name ]

undo action snat

NO-NAT method:

action snat no-nat

undo action snat

Default

No source address translation method is specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

address-group: Uses the NAT address group for address translation.

group-id: Specifies the ID of the NAT address group. The value range is 0 to 65535.

name group-name: Specifies the name of an address group, a case-sensitive string of 1 to 63 characters.

easy-ip: Uses the Easy IP method. The IP address of the packet output interface is used as the NAT IP address.

ip-address global-address: Specifies a public IP address as the NAT IP address for source address translation.

no-nat: Disables the rule and its subsequent rules from translating the source IP address of the matching packets.

no-pat: Uses the NO-PAT mode in which port numbers are not translated.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the internal network to the external network.

port-preserved: Tries to preserve port number for PAT.

static: Uses the static NAT method. Mappings between private and public addresses are manually configured.

object-group object-group-name: Specifies the name of an address object group. The name is a case-insensitive string of 1 to 63 characters, and it cannot be any. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX".

subnet subnet-ip-address mask-length: Specifies a subnet as NAT IP address resources for address translation. The subnet-ip-address argument specifies the subnet address. The mask-length argument specifies the mask length, which can be 8, 16, or an integer in the range of 24 to 31.

vrrp virtual-router-id: Binds the source translation method to a VRRP group. The virtual-router-id parameter represents the virtual router ID in the range of 1 to 255.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the IPv4 addresses after source address translation are on the public network.

Usage guidelines

Non-default vSystems do not support this command.

A NAT address group cannot be used by both the PAT and NO-PAT methods.

You can combine source IP address match criteria with source IP address translation methods. In each static combination, the number of IP addresses in the match criteria must equal the number of NAT IP addresses in the translation method. For example, the action snat static ip-address global-address command and the source-ip host ip-address command together define a one-to-one static source address translation.
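The one-to-one requirement above, and the mask-length restriction from the Parameters section (8, 16, or 24 to 31), can be checked before a rule is committed. The following Python is an added example, not H3C code; it takes the source-ip criterion and the action snat static target in CLI form and reports whether the combination is one-to-one.

```python
import ipaddress

# Mask lengths this page allows for "subnet" match criteria and for
# "action snat static subnet" targets: 8, 16, or 24 to 31.
ALLOWED_MASK_LENGTHS = frozenset({8, 16} | set(range(24, 32)))


def address_count(spec: str) -> int:
    """Number of IPv4 addresses covered by a CLI-style specification.

    Accepted forms follow the syntax on this page:
      "host 1.1.1.1"            source-ip host criterion        -> 1
      "ip-address 100.10.0.1"   action snat static ip-address   -> 1
      "subnet 10.1.0.0 16"      source-ip / action snat static  -> 2**16
    """
    tokens = spec.split()
    if len(tokens) == 2 and tokens[0] in ("host", "ip-address"):
        ipaddress.IPv4Address(tokens[1])  # raises ValueError if malformed
        return 1
    if len(tokens) == 3 and tokens[0] == "subnet":
        mask_length = int(tokens[2])
        if mask_length not in ALLOWED_MASK_LENGTHS:
            raise ValueError(
                f"mask length {mask_length} not allowed; use 8, 16 or 24-31")
        network = ipaddress.IPv4Network((tokens[1], mask_length), strict=False)
        return network.num_addresses
    raise ValueError(f"unrecognised specification: {spec!r}")


def check_static_combination(source_ip: str, snat_static: str) -> tuple:
    """Check a source-ip criterion against an action snat static target.

    Returns (ok, reason). The combination is valid only when both sides
    cover the same number of addresses, which is what makes the static
    mapping one-to-one.
    """
    match_count = address_count(source_ip)
    nat_count = address_count(snat_static)
    if match_count != nat_count:
        return (False,
                f"match criterion covers {match_count} address(es) but the "
                f"static target covers {nat_count}")
    return (True, f"one-to-one static mapping of {match_count} address(es)")


if __name__ == "__main__":
    # Mirrors the page's example: source-ip host 1.1.1.1 -> static 100.10.0.1
    print(check_static_combination("host 1.1.1.1", "ip-address 100.10.0.1"))
    # A /16 match criterion against a /24 target is not one-to-one
    print(check_static_combination("subnet 10.1.0.0 16", "subnet 100.10.0.0 24"))
```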

If a large number of NAT rules exist and you want to temporarily disable address translation for specific traffic, locate the NAT rule that matches the traffic and specify the no-nat keyword in the rule.

When the source address translation method references an address object group, follow these restrictions and guidelines:

·     For an address object group to be successfully referenced by the source address translation method, make sure the objects in the referenced address object group are created through the following methods:

¡     [ object-id ] network host address ip-address

¡     [ object-id ] network subnet ip-address { mask-length | mask }

¡     [ object-id ] network range ip-address1 ip-address2

For more information about these commands, see object group commands in Security Command Reference.

·     The number of IP addresses in the address object groups referenced by the source address translation method cannot exceed 65535.

·     An address object group referenced by the static address translation method cannot contain excluded addresses.

For active/standby HA, bind the source translation method to a VRRP group on the primary device in the HA group.

For dual-active HA, select one of the following VRRP group binding methods according to the NAT resource allocation between the two devices in the HA group:

·     If the two devices share the same NAT addresses, configure VRRP group binding on the primary device. To prevent different master devices from using the same IP-port mapping for different hosts, specify the PAT translation mode and execute the nat remote-backup port-alloc command on the primary device.

·     If the two devices use different NAT addresses, user traffic with different source IP addresses is identified by source IP address match criteria in NAT rules. To enable different master devices to translate the forward user traffic, specify different gateway addresses for different internal users. To direct the reverse traffic to different master devices, configure VRRP group binding on the primary device for load sharing.

To perform source and destination address translations simultaneously in a VPN environment, make sure the translated addresses belong to the same VPN instance. To translate a source address and a destination address, execute the action snat and action dnat commands, respectively.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure NAT rule aaa to use the PAT mode and NAT address group 0 for address translation.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] action snat address-group 0

# Configure NAT rule aaa to use the NO-PAT mode and address group 0 for address translation.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] action snat address-group 0 no-pat

# Configure NAT rule aaa to use the static NAT method to translate source IP address 1.1.1.1 to 100.10.0.1.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] source-ip host 1.1.1.1

[Sysname-nat-global-policy-rule-aaa] action snat static ip-address 100.10.0.1

# Disable address translation for NAT rule aaa.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] action snat no-nat

Related commands

display nat all

display nat policy

nat address-group

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address.

Usage guidelines

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

You can specify a maximum of 65535 addresses in one command execution. Make sure the address ranges do not overlap.

The address command and the address interface command are mutually exclusive for one NAT address group.

The number of IP addresses in all NAT address groups cannot be smaller than the number of security engines or security cards.

Examples

# Add address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

address interface

nat address-group

address interface

Use address interface to add the IP address of an interface to a NAT address group.

Use undo address interface to restore the default.

Syntax

address interface interface-type interface-number

undo address interface

Default

No interface address exists in a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

Non-default vSystems do not support this command.

This command applies to Easy IP scenarios in which the NAT interface obtains its IP address dynamically through DHCP. After you configure this command, the primary IPv4 address of the specified interface is added to the NAT address group.

You can specify only one interface for a NAT address group.

The address command and the address interface command are mutually exclusive for one NAT address group.

The IP address of an interface cannot be added to different NAT address groups.

Make sure addresses in different NAT address groups do not overlap.

Examples

# Add the IP address of GigabitEthernet 1/0/2 to NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address interface gigabitethernet 1/0/2

Related commands

address

nat address-group

blade-load-sharing-group

Use blade-load-sharing-group to specify a load sharing group for a NAT address group.

Use undo blade-load-sharing-group to restore the default.

Syntax

blade-load-sharing-group group-name

undo blade-load-sharing-group

Default

No load sharing group is specified for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

Parameters

group-name: Specifies a load sharing group by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

After you specify a load sharing group, traffic to be translated by dynamic NAT or dynamic NAT444 will be directed to the load sharing group.

Make sure the specified load sharing group already exists.

Examples

# Specify the load sharing group Blade4fw1 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-nat-address-group-1] blade-load-sharing-group Blade4fw1

block-size

Use block-size to set the port block size.

Use undo block-size to restore the default.

Syntax

block-size block-size

undo block-size

Default

The port block size is 256.

Views

NAT port block group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

block-size: Specifies the number of ports for a port block. The value range for this argument is 1 to 65535.

Usage guidelines

Set an appropriate port block size based on the number of private IP addresses, the number of public IP addresses, and the port range in the port block group.

The port block size cannot be larger than the number of ports in the port range.

Examples

# Set the port block size to 1024 for port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] block-size 1024

Related commands

nat port-block-group

counting enable

Use counting enable to enable hit counting for a NAT rule.

Use undo counting enable to disable hit counting for a NAT rule.

Syntax

counting enable

undo counting enable

Default

NAT rule hit counting is disabled.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command enables the device to count the number of times the rule is matched (hit). To view hit statistics for the rule, execute the display nat policy or display nat global-policy command.

Examples

# Enable hit counting for NAT rule aaa in the interface-based NAT policy.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] counting enable

# Enable hit counting for NAT rule aaa in the global NAT policy.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] counting enable

Related commands

display nat all

display nat global-policy

display nat policy

description

Use description to configure a description for the NAT rule.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A NAT rule does not have any description.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

text: Specifies the description, a case-sensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Configure a description for NAT rule aaa in the interface-based NAT policy.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] description This is a nat rule of abc policy

# Configure a description for NAT rule aaa in the global NAT policy.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] description This is a nat rule of abc policy

destination-ip

Use destination-ip to specify a destination IP address match criterion in a NAT rule.

Use undo destination-ip to delete a destination IP address match criterion from a NAT rule.

Syntax

NAT-type rule view in the interface-based NAT policy or the global NAT policy:

destination-ip ipv4-object-group-name

undo destination-ip [ ipv4-object-group-name ]

NAT-type rule view in the global NAT policy:

destination-ip { host ip-address | subnet subnet-ip-address mask-length }

undo destination-ip { host [ ip-address ] | subnet [ subnet-ip-address mask-length ] }

NAT64-type rule view in the global NAT policy:

destination-ip { ipv4-object-group-name | ipv6-object-group-name }

undo destination-ip [ ipv4-object-group-name | ipv6-object-group-name ]

destination-ip { host { ipv4-address | ipv6-address } | subnet { subnet-ipv4-address mask-length | ipv6-prefix prefix-length } }

undo destination-ip { host [ ipv4-address | ipv6-address ] | subnet [ subnet-ipv4-address mask-length | ipv6-prefix prefix-length ] }

NAT66-type rule view in the global NAT policy:

destination-ip ipv6-object-group-name

undo destination-ip [ ipv6-object-group-name ]

destination-ip { host ipv6-address | subnet ipv6-prefix prefix-length }

undo destination-ip { host [ ipv6-address ] | subnet [ ipv6-prefix prefix-length ] }

Default

A NAT rule does not have any destination IP address match criteria.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

ipv4-object-group-name: Specifies the name of an IPv4 address object group. The name is a case-insensitive string of 1 to 63 characters, and it cannot be any. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX".

ipv6-object-group-name: Specifies the name of an IPv6 address object group. The name is a case-insensitive string of 1 to 63 characters, and it cannot be any. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX".

host ipv4-address: Specifies an IPv4 address to match destination IP address. The IPv4 address cannot be an all-zero address, all-one address, Class D address, Class E address, or loopback address.

host ipv6-address: Specifies an IPv6 address to match destination IP address.

subnet subnet-ipv4-address mask-length: Specifies a subnet to match destination IPv4 addresses. The subnet-ipv4-address argument specifies the subnet address. The mask-length argument specifies the mask length, which can be 8, 16, or an integer in the range of 24 to 31.

subnet ipv6-prefix prefix-length: Specifies an IPv6 prefix for a NAT rule. The ipv6-prefix argument indicates an IPv6 prefix. The prefix-length argument indicates the prefix length in the range of 1 to 128.

Usage guidelines

Non-default vSystems do not support this command.

The NAT device uses the destination IP addresses specified in this command to identify matching packets. Only packets with the matching destination IP addresses are translated.

To translate destination IP addresses of packets from the internal network to the external network, use this command with the action dnat command.

When referencing an address object group, follow these restrictions and guidelines:

·     The address object group must already exist.

·     For an address object group to be successfully referenced by the destination address translation method, make sure the objects in the referenced address object group are created through the following methods:

¡     [ object-id ] network host address ip-address

¡     [ object-id ] network subnet ip-address { mask-length | mask }

¡     [ object-id ] network range ip-address1 ip-address2

For more information about these commands, see object group commands in Security Command Reference.

If you do not specify any parameters in the undo destination-ip command, the command deletes all destination address match criteria in the NAT rule.

When you configure match criteria for a NAT rule, follow these restrictions and guidelines:

·     A NAT rule can have a maximum of 256 destination address object groups.

·     A NAT rule can have a maximum of 256 destination IP addresses or a maximum of 256 subnets.

·     If you configure multiple packet match criteria in a NAT64-type rule, the type of IP addresses in the later configured packet match criteria must be the same as that in the earlier configured packet match criteria. For example, if you first execute the destination-ip host 192.168.1.1 command, the destination-ip host 100::1 command executed later does not take effect. Select an IP type as needed.

·     If you execute the following commands in the same NAT rule, the most recent configuration takes effect:

¡     destination-ip subnet

¡     destination-ip

¡     destination-ip host

Examples

# In the interface-based NAT policy, configure NAT rule aaa to use destination address object groups desIP1, desIP2, and desIP3 as the packet match criteria.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] destination-ip desIP1

[Sysname-nat-policy-rule-aaa] destination-ip desIP2

[Sysname-nat-policy-rule-aaa] destination-ip desIP3

# In the global NAT policy, configure NAT rule aaa to use destination address object groups desIP1, desIP2, and desIP3 as the packet match criteria.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] destination-ip desIP1

[Sysname-nat-global-policy-rule-aaa] destination-ip desIP2

[Sysname-nat-global-policy-rule-aaa] destination-ip desIP3

Related commands

display nat all

display nat global-policy

display nat policy

object-group (Security Command Reference)

destination-zone

Use destination-zone to specify a destination security zone in a NAT rule.

Use undo destination-zone to delete a destination security zone from a NAT rule.

Syntax

destination-zone destination-zone-name

undo destination-zone [ destination-zone-name ]

Default

No destination security zones are specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

destination-zone-name: Specifies the name of a destination security zone. The name is a case-insensitive string of 1 to 31 characters, and it cannot be any. You can specify a nonexistent security zone. This command takes effect after you use the security-zone name command to create the security zone. For more information about security zones, see Security Configuration Guide.

Usage guidelines

Non-default vSystems do not support this command.

The NAT device uses the destination security zones specified in this command to identify matching packets. Only packets with the matching destination security zones are translated.

To translate source IP addresses of outgoing packets, use this command with the action snat command. This command cannot be used with the action dnat command.

This command does not support modifying destination security zones. To modify the destination security zone for a NAT rule, first execute the undo destination-zone command to delete the zone, and then execute the destination-zone command to specify a new one.

If you do not specify a destination security zone in the undo destination-zone command, the command deletes all destination security zones in the rule.

This command is available only in NAT-type rule view and NAT66-type rule view of the global NAT policy.

A NAT rule can have a maximum of 16 destination security zones.

Examples

# Specify destination security zone trust for NAT rule rule1.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name rule1

[Sysname-nat-global-policy-rule-rule1] destination-zone trust

Related commands

rule name

security-zone name (Security Command Reference)

disable

Use disable to disable a NAT rule.

Use undo disable to enable a NAT rule.

Syntax

disable

undo disable

Default

A NAT rule is enabled.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command does not delete a NAT rule, but makes the rule ineffective. You can use the display nat policy command or the display nat global-policy command to view the status of the NAT rules. If you want to delete a NAT rule, use the undo rule name command.

Examples

# Disable the NAT rule aaa in the interface-based NAT policy.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] disable

# Disable the NAT rule aaa in the global NAT policy.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] disable

Related commands

display nat all

display nat global-policy

display nat policy

display nat address-group

Use display nat address-group to display NAT address group information.

Syntax

display nat address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify the group-id argument, this command displays information about all NAT address groups.

Examples

# Display information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 5 NAT address groups.

  Address group ID: 1    Address group name: a

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group ID: 2

    Port range: 1-65535

    VRID      : 1

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group ID: 3

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group ID: 4

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group ID: 5

    Port range: 1-1024

    Port block size: 500

    Address information:

      20.1.1.1 (GigabitEthernet1/0/1)

 

  Address group ID: 6

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

# Display information about NAT address group 1.

<Sysname> display nat address-group 1

  Address group ID: 1    Address group name: a

    VRID      : 1

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

Table 1 Command output

Field

Description

NAT address group information

Information about the NAT address group

Address group ID

ID of the NAT address group.

Totally n NAT address groups

Total number of NAT address groups.

Address group name

Name of the NAT address group. If no address group name is configured, this field is not displayed.

VRID

Virtual router ID (VRRP group number). If no VRRP group is specified, this field is not displayed.

Port range

Port range for public IP addresses.

Port block size

Number of ports in a port block. This field is not displayed if the port block size is not set.

Extended block number

Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.

Address information

Information about the IP addresses in the address group.

·     For addresses added by using the address command:

¡     Start address—Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---).

¡     End address—End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---).

·     For addresses added by using the address interface command:

¡     20.1.1.1 (GigabitEthernet1/0/1)—IP address 20.1.1.1 of GigabitEthernet 1/0/1 has been added to the NAT address group.

¡     --- (GigabitEthernet1/0/2)—Failed to add the IP address of GigabitEthernet 1/0/2 to the NAT address group because this interface does not have an IP address.
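The output format described in Table 1 lends itself to automated auditing. The following Python is an added example, not H3C code: it parses display nat address-group output and checks two constraints stated elsewhere on this page, namely that address ranges in different NAT address groups (and within one group) must not overlap, and that a port block size cannot exceed the number of ports in the port range. The sample output is constructed for the example and deliberately contains one violation of each kind.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modelled on display nat address-group output.
# Group 2 overlaps group 1 (202.110.10.12-15), and group 3 has a
# port block size (2000) larger than its port range (1-1024).
SAMPLE_OUTPUT = """\
NAT address group information:
  Totally 3 NAT address groups.
  Address group ID: 1    Address group name: a
    Port range: 1-65535
    Address information:
      Start address         End address
      202.110.10.10         202.110.10.15

  Address group ID: 2
    Port range: 10001-65535
    Port block size: 500
    Address information:
      Start address         End address
      202.110.10.12         202.110.10.20

  Address group ID: 3
    Port range: 1-1024
    Port block size: 2000
    Address information:
      20.1.1.1 (GigabitEthernet1/0/1)
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


@dataclass
class AddressGroup:
    group_id: int
    name: str | None = None
    port_range: tuple[int, int] | None = None
    block_size: int | None = None
    # Address ranges as (start, end) integers, inclusive; a single
    # interface address becomes a one-address range.
    ranges: list[tuple[int, int]] = field(default_factory=list)


def parse_address_groups(text: str) -> list[AddressGroup]:
    """Parse display nat address-group output into AddressGroup records."""
    groups: list[AddressGroup] = []
    current: AddressGroup | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Address group ID: (\d+)(?:\s+Address group name: (\S+))?$", line)
        if m:
            current = AddressGroup(int(m.group(1)), m.group(2))
            groups.append(current)
            continue
        if current is None:
            continue  # header lines before the first group
        if m := re.match(r"Port range: (\d+)-(\d+)$", line):
            current.port_range = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"Port block size: (\d+)$", line):
            current.block_size = int(m.group(1))
        elif m := re.match(IPV4 + r"\s+" + IPV4 + r"$", line):
            current.ranges.append((int(ipaddress.IPv4Address(m.group(1))),
                                   int(ipaddress.IPv4Address(m.group(2)))))
        elif m := re.match(IPV4 + r" \(\S+\)$", line):
            addr = int(ipaddress.IPv4Address(m.group(1)))
            current.ranges.append((addr, addr))
        # "---" placeholders and column headers match nothing and are skipped
    return groups


def find_overlaps(groups: list[AddressGroup]) -> list[tuple[int, int]]:
    """Pairs of group IDs whose ranges overlap; (n, n) means overlap within group n."""
    spans = [(g.group_id, s, e) for g in groups for (s, e) in g.ranges]
    overlaps: list[tuple[int, int]] = []
    for i, (gi, si, ei) in enumerate(spans):
        for gj, sj, ej in spans[i + 1:]:
            if si <= ej and sj <= ei:
                pair = (min(gi, gj), max(gi, gj))
                if pair not in overlaps:
                    overlaps.append(pair)
    return overlaps


def find_bad_block_sizes(groups: list[AddressGroup]) -> list[int]:
    """Group IDs whose port block size exceeds the number of ports in the range."""
    bad = []
    for g in groups:
        if g.block_size is not None and g.port_range is not None:
            ports = g.port_range[1] - g.port_range[0] + 1
            if g.block_size > ports:
                bad.append(g.group_id)
    return bad


if __name__ == "__main__":
    parsed = parse_address_groups(SAMPLE_OUTPUT)
    print("overlapping groups:", find_overlaps(parsed))
    print("block size too large:", find_bad_block_sizes(parsed))
```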

Related commands

nat address-group

display nat alg

Use display nat alg to display the NAT ALG status for all supported protocols.

Syntax

display nat alg

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# Display the NAT ALG status for all supported protocols.

<Sysname> display nat alg

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SCTP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

Related commands

display nat all

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# (In standalone mode.) Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

    Exclude address information:

      Start address         End address

      ---                   ---

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

    Exclude address information:

      Start address         End address

      ---                   ---

 

  Address group 3:

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

    Exclude address information:

      Start address         End address

      ---                   ---

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

    Exclude address information:

      Start address         End address

      ---                   ---

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

    Exclude address information:

      Start address         End address

      ---                   ---

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT global-policy information:

  Totally 1 NAT global-policy rules.

  Rule name: rule1

    Description            : global nat rule

    SrcIP object group     : srcObj1

    SrcIP object group     : srcObj2

    SrcIP object group     : srcObj3

    DestIP object group    : desObj1

    DestIP object group    : desObj2

    DestIP object group    : desObj3

    Service object group   : serviceObj1

    Service object group   : serviceObj2

    Service object group   : serviceObj3

    Source zone name       : Trust

    Destination zone name  : Local

    SNAT action:

      Address group ID: 2    Address group name: a

      NO-PAT: Y

      Reversible: N

      Port-preserved: N

    DNAT action:

      IP address: 1.1.2.1

      Port: 80

    NAT counting : 0

    Config status: Active

 

NAT policy information:

  Totally 1 NAT policy rules.

  Rule name: rule1

    Description            : first rule

    Routing-interface      : GigabitEthernet1/0/2

    SrcIP object group     : srcObj1

    SrcIP object group     : srcObj2

    SrcIP object group     : srcObj3

    DestIP object group    : desObj1

    DestIP object group    : desObj2

    DestIP object group    : desObj3

    Service object group   : serviceObj1

    Service object group   : serviceObj2

    Service object group   : serviceObj3

    Action

      Address group ID: 2    Address group name: a

      NO-PAT: Y

      Reversible: N

      Port-preserved: N

    Config status: Active

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet1/0/1

    ACL: 2038

    Address group ID: 2

    Add route: Y        NO-PAT: Y  Reversible: N

    VPN instance: vpn_nat

    Rule name: abcdefg

    Priority: 1000

    Description: NatInbound1

    Config status: Active

    Global flow-table status: Active

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet1/0/2

    ACL: 2036

    Address group ID: 1

    Port-preserved: Y        NO-PAT: N  Reversible: N

    Configuration mode  : NETCONF (action)

    Rule name: cdefg

    Priority: 1001

    Description: NatOutbound1

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: address group, and ACL.

    Global flow-table status: Active

 

  Interface: GigabitEthernet1/0/2

    ACL: 2037

    Address group ID: 1

    Port-preserved: N        NO-PAT: Y  Reversible: Y

    VPN instance: vpn_nat

    Rule name: blue

    Priority: 1002

    Config status: Active.

    Global flow-table status: Active

 

NAT internal server information (object-group):

  Totally 1 object-group-based NAT server rules.

  Rule name: aaa

    Interface: GigabitEthernet1/0/1

    Local IP/Port: 1.1.1.1/80

    DestIP Object group: abc

    NAT counting  : 0

    Config status : Active

 

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet1/0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Configuration mode  : NETCONF (action)

    NAT counting  : 0

    Description   : NatServerDescription1

    Config status : Active

 

  Interface: GigabitEthernet1/0/2

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Rule name     : green

    NAT counting  : 0

    Config status : Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : blue

    NAT counting  : 0

    Config status : Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Rule name     : white

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    192.168.0.26/23       (Connections: 10)

                    192.168.0.27/23       (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : black

    NAT counting  : 0

    Config status : Active

    Global flow-table status: Active

    Local flow-table status: Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 - 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name     : pink

    Priority      : 1000

    Config status: Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    ACL          : 2001

    Reversible   : Y

    Rule name    : yellow

    Priority     : 1000

    Description  : NatStaticDescription1

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Global flow-table status: Active

    Local flow-table status: Active

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 2000

    Reversible   : Y

    Rule name    : grey

    Priority     : 1000

    Config status: Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    ACL          : 2001

    Reversible   : Y

    Rule name    : orange

    Priority     : 10000

    Description  : NatStaticDescription2

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Global flow-table status: Active

    Local flow-table status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/0/4

    Config status: Active

 

  Interface: GigabitEthernet1/0/6

    Config status: Active

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

  NO-PAT IP usage     : Disabled

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet1/0/4

    Config status: Active

 

  Interface: GigabitEthernet1/0/5

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent

  ACL          : 2050

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Enabled

  ICMP-ERROR : Enabled

  ILS        : Enabled

  MGCP       : Enabled

  NBT        : Enabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Enabled

  SCCP       : Enabled

  SIP        : Enabled

  SQLNET     : Enabled

  TFTP       : Enabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet1/0/2

    port-block-group: 2

    Rule name: stone

    Config status   : Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/2

    port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

    Global flow-table status: Active

    Local flow-table status: Active

 

Static NAT load balancing:     Disabled

 

NAT link-switch recreate-session: Disabled

The output shows all NAT configuration information. Table 2 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 2 Command output

Field

Description

NAT address group information

Information about the NAT address group. See Table 1 for output description.

NAT server group information

Information about the internal server group. See Table 20 for output description.

NAT inbound information:

Inbound dynamic NAT configuration. See Table 7 for output description.

NAT outbound information

Outbound dynamic NAT configuration. See Table 11 for output description.

NAT internal server information

NAT server mapping configuration. See Table 19 for output description.

NAT global-policy information

Configuration of the global NAT policy. See Table 6 for output description.

NAT policy information

Configuration of the NAT policy. See Table 14 for output description.

Static NAT mappings

Static NAT mappings. See Table 22 for output description.

NAT DNS mappings

NAT DNS mappings. See Table 3 for output description.

NAT logging

NAT logging configuration. See Table 8 for output description.

NAT hairpinning

NAT hairpin configuration.

Totally n interfaces enabled with NAT hairpinning

Number of interfaces with NAT hairpin enabled.

Interface

NAT hairpin-enabled interface.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Config status

Status of the NAT hairpin configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT hairpin configuration does not take effect. This field is available when the Config status is Inactive.

NAT mapping behavior

Mapping behavior mode of PAT: Endpoint-Independent or Address and Port-Dependent.

ACL

ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---).

Config status

Status of the NAT mapping behavior configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status is Inactive.

Global flow-table status

Status of the flow entries deployed for the public IP addresses: Active or Inactive.

Local flow-table status

Status of the flow entries deployed for the private IP addresses: Active or Inactive.

Reasons for flow-table inactive status

Reasons why the flow entries do not take effect. This field is available when the global or local flow table status is Inactive.

NAT ALG

NAT ALG configuration for different protocols.

NAT port block group information

Configuration information about NAT port block groups. See Table 16 for output description.

NAT outbound port block group information

Configuration information about static outbound port block mapping rules. See Table 12 for output description.

Static NAT load balancing

Whether load balancing is enabled for static NAT on service engines:

·     Enabled.

·     Disabled.

NAT link-switch recreate-session

Whether NAT session recreation after link switchover is enabled:

·     Enabled.

·     Disabled.
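The port block group section of the output above is where NAT444 capacity problems hide: a group whose global pool yields fewer port blocks than it has eligible private hosts will silently leave the surplus hosts without a translation. The following Python script is an added example, not H3C code, that computes that check from the values the command displays. It assumes, because the page does not state it, that blocks are carved from the port range without overlap, that a leftover partial block is not assigned, and that each private host holds exactly one block. GROUPS is transcribed from the example output above; group 3 is omitted because it has no addresses configured.

```python
"""Capacity check for the NAT port block groups listed by `display nat all`.

Added example, not H3C code. Assumptions not stated on the reference page:
blocks are carved from the port range without overlap, a trailing partial
block is not assigned, and each private host holds exactly one block.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PortBlockGroup:
    group_id: int
    port_range: Tuple[int, int]            # "Port range: lo-hi"
    block_size: int                         # "Block size"
    local_ranges: List[Tuple[str, str]]     # Local IP address information
    global_ranges: List[Tuple[str, str]]    # Global IP pool information


def range_size(start: str, end: str) -> int:
    """Number of addresses in an inclusive IPv4 range."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def blocks_per_ip(group: PortBlockGroup) -> int:
    lo, hi = group.port_range
    return (hi - lo + 1) // group.block_size   # trailing partial block is unusable


def capacity(group: PortBlockGroup) -> Dict[str, int]:
    public_ips = sum(range_size(s, e) for s, e in group.global_ranges)
    private_hosts = sum(range_size(s, e) for s, e in group.local_ranges)
    blocks = public_ips * blocks_per_ip(group)
    return {
        "public_ips": public_ips,
        "blocks_per_ip": blocks_per_ip(group),
        "blocks": blocks,
        "private_hosts": private_hosts,
        "shortfall": max(0, private_hosts - blocks),  # hosts that can never get a block
    }


# Transcribed from the example output on the reference page (group 3 omitted).
GROUPS = [
    PortBlockGroup(1, (1, 65535), 256,
                   [("172.16.1.1", "172.16.1.254"),
                    ("192.168.1.1", "192.168.1.254"),
                    ("192.168.3.1", "192.168.3.254")],
                   [("201.1.1.1", "201.1.1.10"), ("201.1.1.21", "201.1.1.25")]),
    PortBlockGroup(2, (10001, 30000), 500,
                   [("10.1.1.1", "10.1.10.255")],
                   [("202.10.10.101", "202.10.10.120")]),
]


def report(groups: List[PortBlockGroup] = GROUPS) -> List[str]:
    """One verdict line per group, flagging undersized pools."""
    lines = []
    for g in groups:
        c = capacity(g)
        verdict = "OK" if c["shortfall"] == 0 else f"SHORT by {c['shortfall']} hosts"
        lines.append(f"group {g.group_id}: {c['public_ips']} public IPs x {c['blocks_per_ip']} "
                     f"blocks = {c['blocks']} blocks for {c['private_hosts']} hosts: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Group 1 comes out comfortably sized (15 public addresses, 255 blocks each, 762 eligible hosts), while group 2 can hand out only 800 blocks to 2559 eligible hosts, so a third of that address space would never be translated; this is the kind of mismatch worth catching before the `display nat port-block-usage` counters make it visible in production.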

display nat dns-map

Use display nat dns-map to display NAT DNS mappings.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Display NAT DNS mappings.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

Table 3 Command output

Field

Description

NAT DNS mapping information

Information about NAT DNS mappings.

Totally n NAT DNS mappings

Total number of NAT DNS mappings.

Domain name

Domain name of the internal server.

Global IP

Public IP address of the internal server.

·     If Easy IP is configured, this field displays the IP address of the specified interface.

·     If you do not specify a public IP address, this field displays hyphens (---).

Global port

Public port number of the internal server.

Protocol

Protocol name and number of the internal server.

Config status

Status of the DNS mapping: Active or Inactive.

Reasons for inactive status

Reasons why the DNS mapping does not take effect. This field is available when the Config status is Inactive.

Related commands

nat dns-map

display nat easy-ip failover-group port-range

Use display nat easy-ip failover-group port-range to display port ranges used by failover groups to implement Easy IP.

Syntax

display nat easy-ip failover-group port-range

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Display port ranges used by failover groups to implement Easy IP.

<Sysname> display nat easy-ip failover-group port-range

Failover group       Port range      Channel ID

AutoBackupf0000821   1025  to 22528  0

AutoBackupf0000019   22529 to 44031  0

AutoBackupf0000017   44032 to 65535  0

Table 4 Command output

Field

Description

Failover group

Failover group name. AutoBackup in the failover group name indicates that the failover group is an automatic backup group.

Port range

Port range specified for the failover group.

Channel ID

ID of the channel in the failover group.

Related commands

nat outbound easy-ip port-range

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

In standalone mode:

display nat eim [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat eim [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays EIM entry information for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Non-default vSystems do not support this command.

EIM entries are created when PAT operates in EIM mode. An EIM entry is keyed by a 3-tuple (private IP address, private port, and protocol), and it records the mapping from that private address/port to a public address/port. The mapping does not depend on the destination of the packet that created it.

The EIM entry provides the following functions:

·     The same EIM entry applies to subsequent connections initiated from the same source IP and port.

·     The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.

Examples

# (In standalone mode.) Display information about EIM entries for the specified slot.

<Sysname> display nat eim slot 1

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

Table 5 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Protocol

Protocol name and number.

Total entries found

Total number of EIM entries.

Related commands

nat mapping-behavior

nat outbound

display nat global-policy

Use display nat global-policy to display configuration of the global NAT policy.

Syntax

display nat global-policy [ rule-type { nat | nat64 | nat66 } ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

rule-type: Specifies a NAT rule type. If you do not specify this keyword, this command displays information about all types of NAT rules.

nat: Specifies NAT-type rules.

nat64: Specifies NAT64-type rules.

nat66: Specifies NAT66-type rules.

Usage guidelines

Non-default vSystems do not support this command.

The global NAT policy contains several NAT rules. Each NAT rule contains the following elements:

·     Packet match criteria, which are used to match packets for address translation.

·     Action, which can be source address translation or destination address translation. The action is taken on matching packets.

Examples

# Display configuration of all types of NAT rules in the global NAT policy.

<Sysname> display nat global-policy

NAT global-policy information:

  Totally 5 NAT global-policy rules.

  Rule name: rule1

    Type                  : nat

    Description           : first rule

    SrcIP object group    : srcObj1

    SrcIP object group    : srcObj2

    SrcIP object group    : srcObj3

    DestIP object group   : desObj1

    DestIP object group   : desObj2

    DestIP object group   : desObj3

    Service object group  : serviceObj1

    Service object group  : serviceObj2

    Service object group  : serviceObj3

    Source-zone name      : Trust

    Destination-zone name : Local

    SNAT action:

      Address group ID: 2      Address group name: a

      NO-PAT: Y

      Reversible: N

      Port-preserved: N

    NAT counting : 0

    Config status: Active

 

  Rule name: rule2

    Type                  : nat

    Description           : second rule

    SrcIP address         : 10.0.0.1

    SrcIP address         : 10.0.0.2

    DestIP address        : 100.0.0.11

    DestIP address        : 100.0.0.12

    Service object group  : serviceObj1

    Source-zone name      : Trust

    Destination-zone name : local

    SNAT action:

      Easy-IP

      NO-PAT: N

      Reversible: N

      Port-preserved: N

    NAT counting : 0

    Config status: Active

 

  Rule name: rule3

    Type                  : nat

    Description           : third rule

    SrcIP object group    : srcObj1

    DestIP object group   : desObj1

    Service object group  : serviceObj1

    Service object group  : serviceObj2

    Service object group  : serviceObj3

    Source-zone name      : trust

    Vrf                   : vpn1

    SNAT action:

      IPv4 address: 20.0.0.1

      Vrf: vpn2

    DNAT action:

      IPv4 address: 1.1.2.1

      Port: 80

      Vrf: vpn2

    NAT counting : 0

    Config status: Active

 

  Rule name: rule4

    Type                  : nat

    Description           : third rule

    SrcIP subnet          : 10.1.1.0 24

    DestIP subnet         : 100.1.3.0 24

    SNAT action:

      Subnet: 20.0.0.0 24

    DNAT action:

      IPv4 address: 1.1.2.1

      Port: 80

    NAT counting : 0

    Config status: Active

 

  Rule name: rule5

    Type                  : nat

    Description           : fifth rule

    SrcIP subnet          : 10.1.1.0 24

    DestIP subnet         : 100.1.3.0 24

    Source-zone name      : Trust

    VRID: 1

    SNAT action:

      Object group: obj1

    DNAT action:

      IPv4 address: 1.1.2.1

    NAT counting : 0

    Config status: Active

Table 6 Command output

Field

Description

NAT global-policy information

Configuration of the global NAT policy.

Totally n NAT global-policy rules

Total number of NAT rules in the policy.

Rule name

Name of the NAT rule.

Type

NAT rule type:

·     nat—NAT rule, which is used for translation between IPv4 addresses.

·     nat64—NAT64-type rule, which is used for translation between IPv4 addresses and IPv6 addresses.

·     nat66—NAT66-type rule, which is used for translation between IPv6 addresses.

Description

Description of the NAT rule.

SrcIP object group

Source IP address object group in the NAT rule.

SrcIP address

IP address that the NAT rule uses to match packet source IP addresses.

SrcIP subnet

Subnet address that the NAT rule uses to match packet source IP addresses.

DestIP object group

Destination IP address object group in the NAT rule.

DestIP address

IP address that the NAT rule uses to match packet destination IP addresses.

DestIP subnet

Subnet address that the NAT rule uses to match packet destination IP addresses.

Service object group

Service object group in the NAT rule.

Source-zone name

Source security zone in the NAT rule.

Destination-zone name

Destination security zone in the NAT rule.

Vrf

Name of the VPN instance in the NAT rule.

VRID

Virtual router ID (VRRP group number) bound to the NAT rule.

SNAT action

Source address translation method in the NAT rule.

NO-NAT

No address translation.

Address group ID

ID of the NAT address group used in the NAT rule. If no NAT address group is specified, this field is not displayed.

Address group name

Name of the NAT address group used in the NAT rule. If no NAT address group is specified, this field is not displayed.

Easy-IP

Easy IP method used in the NAT rule. This field is not displayed if the Easy IP method is not specified.

IPv4 address

NAT IP address for source address translation. This field is not displayed if no translated source IP address is configured.

IPv6 address

NAT IPv6 address for source address translation. This field is not displayed if no translated source IPv6 address is configured.

Subnet

A range of NAT IP addresses for source address translation. This field is not displayed if no translated source subnet is configured.

NO-PAT

Whether NO-PAT or PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

Prefix

Prefix translation method used for source address translation in a NAT64-type rule:

·     nat64 v4tov6—Uses the NAT64 prefix to translate source IPv4 addresses to IPv6 addresses.

·     General v4tov6—Uses the general prefix to translate source IPv4 addresses to IPv6 addresses.

·     General v6tov4—Uses the general prefix to translate source IPv6 addresses to IPv4 addresses.

This field is not displayed if the prefix method is not configured for source address translation.

Port-preserved

Whether to try to preserve the port numbers for PAT.

·     Y—Tries to preserve the port numbers.

·     N—Allows translating port numbers.

NPTv6

IPv6 address prefix used for source IPv6 address translation in NPTv6 method. The format is translated-ipv6-prefix nptv6-prefix-length, where the translated-ipv6-prefix argument indicates the address prefix and the nptv6-prefix-length argument specifies the IPv6 address prefix length.

Vrf

Name of the VPN instance to which the translated source address belongs.

DNAT action

Destination IP address translation method of the NAT rule.

IPv4 address

NAT IPv4 address for destination IP address translation.

IPv6 address

NAT IPv6 address for destination IP address translation.

Port

Translated port number for destination IP address translation.

Prefix

Prefix translation method used for destination address translation in a NAT64-type rule:

·     nat64 v6tov4—Uses the NAT64 prefix to translate destination IPv6 addresses to IPv4 addresses.

·     General v4tov6—Uses the general prefix to translate destination IPv4 addresses to IPv6 addresses.

·     General v6tov4—Uses the general prefix to translate destination IPv6 addresses to IPv4 addresses.

·     IVI v4tov6—Uses the IVI prefix to translate IPv4 addresses to IPv6 addresses.

This field is not displayed if the prefix method is not configured for destination address translation.

NPTv6

IPv6 address prefix used for destination IPv6 address translation in NPTv6 method. The format is translated-ipv6-prefix nptv6-prefix-length, where the translated-ipv6-prefix argument indicates the address prefix and the nptv6-prefix-length argument specifies the IPv6 address prefix length.

Vrf

Name of the VPN instance to which the translated destination address belongs.

NAT counting

Number of times the NAT rule is matched.

Config status

Status of the global NAT policy: Active or Inactive.

Reasons for inactive status

Reasons why the NAT rule does not take effect.

This field is available when the Config status is Inactive.

display nat inbound

Use display nat inbound to display inbound dynamic NAT configuration.

Syntax

display nat inbound

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# (In standalone mode.) Display inbound dynamic NAT configuration.

<Sysname> display nat inbound

NAT inbound information:

  Totally 2 NAT inbound rules.

  Interface: GigabitEthernet1/0/2

    ACL: 2038

    Address group ID: 2

    Add route: Y            NO-PAT: Y  Reversible: N

    VPN instance: vpn1

    Rule name: abcd

    Priority: 1000

    Description: NatInbound1

    NAT counting: 0

    Config status: Active

    Global flow-table status: Active

 

  Interface: GigabitEthernet1/0/3

    Address group ID: 1

    Add route: Y             NO-PAT: Y  Reversible: N

    Rule name: eif

    Priority: 1001

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Global flow-table status: Active

Table 7 Command output

Field

Description

NAT inbound information

Information about inbound dynamic NAT configuration.

Totally n NAT inbound rules

Total number of inbound dynamic NAT rules.

Interface

Interface where the inbound dynamic NAT rule is configured.

ACL

ACL number or name.

Address group ID

ID of the NAT address group used by the inbound dynamic NAT rule.

Address group name

Name of the NAT address group. If no address group name is configured, this field is not displayed.

Add route

Whether to add a route when a packet matches the inbound dynamic NAT rule:

·     Y—Adds a route.

·     N—Does not add a route.

NO-PAT

Whether NO-PAT or PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Description

Description of the NAT rule. This field is not displayed if no description is configured for the rule.

NAT counting

Number of times the NAT rule is matched.

Config status

Status of the inbound dynamic NAT rule: Active or Inactive.

Reasons for inactive status

Reasons why the inbound dynamic NAT rule does not take effect.

This field is available when the Config status is Inactive.

Global flow-table status

Status of the flow entries deployed for the public IP addresses: Active or Inactive.

Reasons for flow-table inactive status

Reasons why the flow entries do not take effect. This field is available when the global flow table status is Inactive.

Related commands

nat inbound
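Two things in this output deserve a routine check: rules whose Config status is Inactive (the device names the missing item, here an ACL, so the rule is not translating anything), and NO-PAT rules with Reversible: Y, which allow external hosts to initiate connections to the mapped internal hosts. The following Python script is an added example, not H3C code, that parses rule blocks in the layout shown above and reports both conditions. The sample text is constructed from the example output on this page, with Reversible flipped to Y on the second rule so that the check has something to find; the `parse_rules` and `audit` names are the example's own.

```python
"""Audit helper for `display nat inbound` / `display nat outbound` rule blocks.

Added example, not H3C code. Parses the "  Interface: ..." blocks as the
device prints them and flags inactive rules and reversible NO-PAT rules.
"""
import re
from typing import Dict, List

# Constructed sample, based on the example output on the reference page;
# Reversible on the second rule is changed to Y to exercise the check.
SAMPLE = """\
NAT inbound information:
  Totally 2 NAT inbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2038
    Address group ID: 2
    Add route: Y            NO-PAT: Y  Reversible: N
    VPN instance: vpn1
    Rule name: abcd
    Priority: 1000
    Description: NatInbound1
    NAT counting: 0
    Config status: Active
    Global flow-table status: Active

  Interface: GigabitEthernet1/0/3
    Address group ID: 1
    Add route: Y             NO-PAT: Y  Reversible: Y
    Rule name: eif
    Priority: 1001
    NAT counting: 0
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: ACL.
    Global flow-table status: Active
"""

INTERFACE_RE = re.compile(r"^\s*Interface:\s*(\S+)")
# The one line that packs several Y/N flags: "Add route: Y   NO-PAT: Y  Reversible: N"
FLAG_RE = re.compile(r"(Add route|Port-preserved|NO-PAT|Reversible):\s*([YN])")
# Ordinary "    Key: value" lines (four-space indent)
KV_RE = re.compile(r"^\s{4}([A-Za-z -]+?)\s*:\s*(.*)$")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Return one dict per rule block, keyed by the field names the device prints."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = {"Interface": m.group(1)}
            rules.append(current)
            continue
        if not current:
            continue  # header lines before the first rule
        flags = FLAG_RE.findall(line)
        if flags:
            current.update(flags)
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif "don't exist or aren't effective" in line:
            current["Reason"] = line.strip()
    return rules


def audit(rules: List[Dict[str, str]]) -> List[str]:
    """Findings a reviewer would act on: inactive rules and reversible NO-PAT rules."""
    findings = []
    for r in rules:
        name = r.get("Rule name", "?")
        where = f"{name} on {r['Interface']}"
        if r.get("Config status", "").startswith("Inactive"):
            findings.append(f"{where}: INACTIVE ({r.get('Reason', 'no reason given')})")
        if r.get("NO-PAT") == "Y" and r.get("Reversible") == "Y":
            findings.append(f"{where}: NO-PAT with Reversible: Y lets external hosts "
                            f"initiate connections to the mapped internal hosts")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE)):
        print(finding)
```

The same parser works on the `display nat outbound` blocks, whose flag line carries Port-preserved instead of Add route; feed it the output of `display nat all` and it will pick up every `Interface:` block it finds, so restrict the input to the section you mean to audit.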

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# Display NAT logging configuration.

<Sysname> display nat log

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

  NO-PAT IP usage     : Disabled

Table 8 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Enabling status of NAT logging.

If an ACL is specified for NAT logging, this field also displays the ACL number or name.

Flow-begin

Enabling status of logging for NAT session establishment events.

Flow-end

Enabling status of logging for NAT session removal events.

Flow-active

Enabling status of logging for active NAT flows. If it is enabled, this field also displays the interval in minutes at which active flow logs are generated.

Port-block-assign

Enabling status of NAT444 user logging for port block assignment.

Port-block-withdraw

Enabling status of NAT444 user logging for port block withdrawal.

Alarm

Enabling status of logging for NAT444 alarms.

NO-PAT IP usage

Enabling status of logging for IP usage of NAT address groups when NO-PAT mode is used. If it is enabled, this field also displays IP usage for each configured NAT address group, in percentage.

Related commands

nat log enable

nat log flow-active

nat log flow-begin

nat log no-pat ip-usage

display nat no-pat

Use display nat no-pat to display information about NAT NO-PAT entries.

Syntax

In standalone mode:

display nat no-pat { ipv4 | ipv6 } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat no-pat { ipv4 | ipv6 } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

ipv4: Displays NO-PAT entry information for IPv4 NAT sessions.

ipv6: Displays NO-PAT entry information for IPv6 NAT sessions.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entry information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NO-PAT entry information for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

The NO-PAT entry provides the following functions:

·     The same entry applies to subsequent connections initiated from the same source IP address.

·     The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Outbound and inbound NO-PAT address translations create their own NO-PAT tables. These two types of tables are displayed separately.
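The NO-PAT guidelines above and the EIM guidelines under `display nat eim` describe the same two properties for two kinds of entry: the entry is reused for later connections from the same source, and it can be used in reverse for connections from outside. The security-relevant difference is in what "from outside" means: a NO-PAT entry is only usable in reverse when the rule is Reversible, an EIM entry is usable by any external host because the destination is not part of its key, and an address-and-port-dependent PAT mapping is usable only by the destination the internal host actually contacted. The following Python model is an added example, not H3C code, that makes those three behaviours concrete; its single-address pool, sequential port allocation and lack of entry ageing are simplifications, and the `NatTable` names are the example's own.

```python
"""Model of the NAT mapping entries this reference displays.

Added example, not H3C code. It models a NO-PAT entry, an EIM entry and an
address-and-port-dependent PAT mapping for traffic in both directions.
Port allocation, entry ageing and VPN instances are simplified assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class NatTable:
    mode: str                   # "no-pat", "eim" or "apdm"
    public_ip: str              # single-address pool (assumption)
    reversible: bool = False    # the Reversible flag of a NO-PAT rule
    next_port: int = 1024
    # no-pat: private ip -> public ip (one address per host, port untouched)
    nopat: Dict[str, str] = field(default_factory=dict)
    # eim: (private ip, private port, proto) -> public port
    eim: Dict[Tuple[str, int, str], int] = field(default_factory=dict)
    # apdm: (private ip, private port, proto, dst ip, dst port) -> public port
    apdm: Dict[Tuple[str, int, str, str, int], int] = field(default_factory=dict)

    def _alloc_port(self) -> int:
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src: Endpoint, dst: Endpoint, proto: str = "tcp") -> Endpoint:
        """Translate an internal-to-external packet; returns its public source endpoint."""
        ip, port = src
        if self.mode == "no-pat":
            if ip not in self.nopat:
                if self.nopat:  # the only public address is already taken
                    raise RuntimeError("NO-PAT address pool exhausted")
                self.nopat[ip] = self.public_ip
            return (self.public_ip, port)
        if self.mode == "eim":
            key = (ip, port, proto)            # destination is not part of the key
            if key not in self.eim:
                self.eim[key] = self._alloc_port()
            return (self.public_ip, self.eim[key])
        key5 = (ip, port, proto, dst[0], dst[1])  # destination is part of the key
        if key5 not in self.apdm:
            self.apdm[key5] = self._alloc_port()
        return (self.public_ip, self.apdm[key5])

    def inbound(self, ext: Endpoint, pub: Endpoint, proto: str = "tcp") -> Optional[Endpoint]:
        """External host `ext` sends to public endpoint `pub`.
        Returns the private endpoint the packet reaches, or None if no entry applies."""
        if self.mode == "no-pat":
            if not self.reversible:
                return None  # entry exists, but reverse translation is not allowed
            for priv_ip, pub_ip in self.nopat.items():
                if pub_ip == pub[0]:
                    return (priv_ip, pub[1])
            return None
        if self.mode == "eim":
            # Any external endpoint may use the mapping: endpoint-independent.
            for (priv_ip, priv_port, p), pub_port in self.eim.items():
                if p == proto and pub_port == pub[1]:
                    return (priv_ip, priv_port)
            return None
        # apdm: only the destination the internal host actually contacted
        for (priv_ip, priv_port, p, d_ip, d_port), pub_port in self.apdm.items():
            if p == proto and pub_port == pub[1] and (d_ip, d_port) == ext:
                return (priv_ip, priv_port)
        return None


def demo() -> Dict[str, Optional[Endpoint]]:
    """Same outbound DNS query under each mode, then an external host that was
    never contacted tries the public endpoint it learned."""
    results: Dict[str, Optional[Endpoint]] = {}
    for mode, rev in (("no-pat", False), ("no-pat", True), ("eim", False), ("apdm", False)):
        table = NatTable(mode=mode, public_ip="200.100.1.100", reversible=rev)
        pub = table.outbound(("192.168.100.100", 1024), ("8.8.8.8", 53), "udp")
        results[mode + ("-reversible" if rev else "")] = table.inbound(("203.0.113.9", 4444), pub, "udp")
    return results


if __name__ == "__main__":
    for label, reached in demo().items():
        print(f"{label:18s} unsolicited inbound reaches: {reached}")
```

Running `demo()` shows the unsolicited host reaching the internal host under `no-pat-reversible` and `eim`, and being dropped under `no-pat` and `apdm`. On the device, EIM is what `nat mapping-behavior endpoint-independent` selects, and the ACL it accepts is the place to limit which internal hosts get that exposure; likewise, a NO-PAT rule needs `reversible` only where inbound initiation is actually wanted.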

Examples

# (In standalone mode.) Display information about NO-PAT entries for IPv4 NAT sessions on the specified slot.

<Sysname> display nat no-pat ipv4 slot 1

Slot 1:

Global  IPv4: 200.100.1.100

Local   IPv4: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IPv4: 192.168.100.200

Global  IPv4: 200.100.1.200

Reversible: Y

Type      : Outbound

Total Ipv4 entries found: 2

# (In standalone mode.) Display information about NO-PAT entries for IPv6 NAT sessions on the specified slot.

<Sysname> display nat no-pat ipv6 slot 1

Slot 1:

Global  IPv6: FD01:203:405::1

Local   IPv6: 2001:DB8:1::100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Total Ipv6 entries found: 1

Table 9 Command output

Field

Description

Global IPv4

Public IPv4 address.

Local IPv4

Private IPv4 address.

Global IPv6

Public IPv6 address.

Local IPv6

Private IPv6 address.

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

Type

Type of the NO-PAT entry:

·     Inbound—A NO-PAT entry created during inbound dynamic NAT.

·     Outbound—A NO-PAT entry created during outbound dynamic NAT.

Total Ipv4 entries found

Total number of IPv4 NO-PAT entries.

Total Ipv6 entries found

Total number of IPv6 NO-PAT entries.

Related commands

nat inbound

nat outbound

display nat no-pat ip-usage

Use display nat no-pat ip-usage to display IP usage of NAT address groups in NO-PAT mode.

Syntax

In standalone mode:

display nat no-pat ip-usage [ address-group { group-id | name group-name } | object-group object-group-name ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat no-pat ip-usage [ address-group { group-id | name group-name } | object-group object-group-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

address-group: Displays the IP usage of the specified NAT address group.

group-id: Specifies the ID of a NAT address group. The value range is 0 to 65535.

name group-name: Specifies the name of a NAT address group, a case-insensitive string of 1 to 63 characters.

object-group: Displays the IP usage of the specified object group.

object-group-name: Specifies the name of an object group. The name is a case-insensitive string of 1 to 63 characters.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the IP usage of address groups in NO-PAT mode for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the IP usage of address groups in NO-PAT mode for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Non-default vSystems do not support this command.

NAT address groups or object groups in NO-PAT mode are translated address resources. If you do not specify a parameter, this command displays the IP usage of address resources for all types in NO-PAT mode.

Examples

# (In standalone mode.) Display IP usage of address resources for all types in NO-PAT mode for the specified slot.

<Sysname> display nat no-pat ip-usage slot 1

CPU 0 on slot 1:

Totally 2 pieces of information about address usage.

  Address group ID: 1

    Total IP addresses    :10

    Used IP addresses     :0

    Unused IP addresses   :10

    NO-PAT IP usage       :0%

  Object group name: obj1

    Total IP addresses    :10

    Used IP addresses     :0

    Unused IP addresses   :10

    NO-PAT IP usage       :0%

Table 10 Command output

Field

Description

Address group

NAT address group ID.

NO-PAT IP usage

IP usage of the NAT address group in NO-PAT mode.

channel

Field-programmable gate array (FPGA) ID.


Related commands

nat log no-pat ip-usage threshold

display nat outbound

Use display nat outbound to display outbound dynamic NAT configuration.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# (In standalone mode.) Display outbound dynamic NAT configuration.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet1/0/1

    ACL: 2036

    Address group ID: 1

    Port-preserved: Y           NO-PAT: N  Reversible: N

    Configuration mode : NETCONF (action)

    Rule name: abefg

    Priority: 1000

    NAT counting: 0

    Config status: Active

    Global flow-table status: Active

 

  Interface: GigabitEthernet1/0/2

    ACL: 2037

    Address group ID: 2

    Port-preserved: N            NO-PAT: Y  Reversible: Y

    VPN instance: vpn_nat

    Rule name: cdefg

    Priority: 1001

    Description: NatOutbound1

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Global flow-table status: Active

 

  Interface: GigabitEthernet1/0/1

    DS-Lite B4 ACL: 2100

    Address group ID: 2

    Port-preserved: N             NO-PAT: N  Reversible: N

    Priority: 0

    NAT counting: 0

    Config status: Active

Table 11 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT configuration.

Totally n NAT outbound rules

Total number of outbound dynamic NAT rules.

Interface

Interface where the outbound dynamic NAT rule is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for the outbound dynamic NAT rule, this field displays hyphens (---).

DS-Lite B4 ACL

Number or name of the IPv6 ACL used by DS-Lite B4 address translation.

Address group ID

ID of the address group used by the outbound dynamic NAT rule. If no address group is specified, the field displays hyphens (---).

Address group name

Name of the NAT address group. If no address group name is configured, this field is not displayed.

Port-preserved

Whether to try to preserve the port numbers for PAT:

·     Y—Tries to preserve the port numbers.

·     N—Allows translating port numbers.

NO-PAT

Whether NO-PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Description

Description of the NAT rule. This field is not displayed if no description is configured for the rule.

Configuration mode

Configuration method of the device.

·     This field displays NETCONF (action) if the device is configured by using a NETCONF action operation.

·     This field is not displayed if the device is configured by using other methods.

NAT counting

Number of times the NAT rule is matched.

Config status

Status of the outbound dynamic NAT rule: Active or Inactive.

Reasons for inactive status

Reasons why the outbound dynamic NAT rule does not take effect.

This field is available when the Config status is Inactive.

Global flow-table status

Status of the flow entries deployed for the public IP addresses: Active or Inactive.

Reasons for flow-table inactive status

Reasons why the flow entries do not take effect. This field is available when the global flow table status is Inactive.

Related commands

nat outbound
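The output above is what an operator audits to catch outbound rules that have silently stopped translating. The following Python is an added example, not H3C code: it parses the display nat outbound text into one record per rule, reports rules that are Inactive together with the reasons the device gives, and lists NO-PAT rules that allow reverse translation for review. The sample text is constructed in the format documented above.

```python
"""Parse 'display nat outbound' output and report rules that are not in effect.
Added example (not H3C code). SAMPLE_OUTPUT is constructed in the documented
format; feed the text captured from the device instead."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
NAT outbound information:
  Totally 3 NAT outbound rules.
  Interface: GigabitEthernet1/0/1
    ACL: 2036
    Address group ID: 1
    Port-preserved: Y           NO-PAT: N  Reversible: N
    Configuration mode : NETCONF (action)
    Rule name: abefg
    Priority: 1000
    NAT counting: 0
    Config status: Active
    Global flow-table status: Active

  Interface: GigabitEthernet1/0/2
    ACL: 2037
    Address group ID: 2
    Port-preserved: N            NO-PAT: Y  Reversible: Y
    VPN instance: vpn_nat
    Rule name: cdefg
    Priority: 1001
    Description: NatOutbound1
    NAT counting: 0
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: ACL.
    Global flow-table status: Active

  Interface: GigabitEthernet1/0/1
    DS-Lite B4 ACL: 2100
    Address group ID: 2
    Port-preserved: N             NO-PAT: N  Reversible: N
    Priority: 0
    NAT counting: 0
    Config status: Active
"""

Rule = Dict[str, object]


def _pairs(line: str):
    """Yield (key, value) pairs from one line. The Port-preserved line carries
    three pairs separated by runs of two or more spaces."""
    for piece in re.split(r"\s{2,}", line.strip()):
        if ":" in piece:
            key, value = piece.split(":", 1)
            yield key.strip(), value.strip()


def parse_nat_outbound(text: str) -> List[Rule]:
    """Return one dict per 'Interface:' block, keyed by the field names above."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    in_reasons = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("NAT outbound information", "Totally")):
            continue
        if line.startswith("Interface:"):
            current = {}
            rules.append(current)
            in_reasons = False
        if current is None:
            continue
        if line.startswith("Reasons for inactive status"):
            in_reasons = True
            current["Reasons"] = []
            continue
        if in_reasons and raw.startswith("      "):  # reason lines sit deeper
            current["Reasons"].append(line)
            continue
        in_reasons = False
        for key, value in _pairs(line):
            current[key] = value
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Findings as (rule name, message); rules without a name are shown as '-'."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        name = str(r.get("Rule name", "-"))
        if r.get("Config status") != "Active":
            findings.append((name, "Inactive: " + " ".join(r.get("Reasons", []))))
        if r.get("Global flow-table status", "Active") != "Active":
            findings.append((name, "Global flow-table status " + str(r["Global flow-table status"])))
        if r.get("NO-PAT") == "Y" and r.get("Reversible") == "Y":
            findings.append((name, "NO-PAT with reverse translation allowed; confirm intended"))
    return findings


if __name__ == "__main__":
    for rule_name, message in audit(parse_nat_outbound(SAMPLE_OUTPUT)):
        print(f"{rule_name}: {message}")
```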

display nat outbound port-block-group

Use display nat outbound port-block-group to display static outbound port block mapping rules for NAT444.

Syntax

display nat outbound port-block-group

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# Display static outbound port block mapping rules for NAT444.

<Sysname> display nat outbound port-block-group

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet1/0/2

    port-block-group: 2

    VPN instance: vpna

    Rule name: abcdefg

    NAT counting: 0

    Config status   : Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/2

    port-block-group: 10

    VPN instance: vpna

    Rule name: abcfg

    NAT counting: 0

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

    Global flow-table status: Active

    Local flow-table status: Active

Table 12 Command output

Field

Description

NAT outbound port block group information

Information about static outbound port block mapping rules.

Totally n outbound port block group items

Total number of static outbound port block mapping rules.

Interface

Interface where the static outbound port block mapping rule is configured.

port-block-group

ID of the port block group.

VPN instance

Name of the MPLS L3VPN instance to which the port block group belongs. If the interface does not belong to any MPLS L3VPN instance, this field is not displayed.

Rule name

Name of the static outbound port block mapping rule.

NAT counting

Number of times the mapping rule is matched.

Config status

Status of the port block mapping rule: Active or Inactive.

Reasons for inactive status

Reasons why the port block mapping rule does not take effect. This field is available when the Config status is Inactive.

Global flow-table status

Status of the flow entries deployed for the public IP addresses: Active or Inactive.

Local flow-table status

Status of the flow entries deployed for the private IP addresses: Active or Inactive.

Reasons for flow-table inactive status

Reasons why the flow entries do not take effect. This field is available when the global or local flow table status is Inactive.

Related commands

nat outbound port-block-group

display nat periodic-statistics

Use display nat periodic-statistics to display periodic NAT statistics.

Syntax

In standalone mode:

display nat periodic-statistics { address-group [ group-id | name group-name ] | ip global-ip } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat periodic-statistics { address-group [ group-id | name group-name ] | ip global-ip } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

address-group: Displays periodic NAT statistics for the specified NAT address group.

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535.

name group-name: Specifies the name of a NAT address group. The name is a case-insensitive string of 1 to 63 characters.

ip global-ip: Displays periodic NAT statistics for the specified IP address. The global-ip argument specifies an IP address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays periodic NAT statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays periodic NAT statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Non-default vSystems do not support this command.

If you do not specify the group-id argument or the name keyword, this command displays periodic NAT statistics for all NAT address groups.

Examples

# (In standalone mode.) Display periodic NAT statistics for address groups for slot 1.

<Sysname> display nat periodic-statistics address-group slot 1

Slot 1:

Totally 1 NAT address groups.

  Address group ID: 1     Address group name: abc

    NAT sessions                     : 10

    NAT port-block assign failures   : 0

# (In standalone mode.) Display periodic NAT statistics for IP address 202.38.6.12 for slot 1.

<Sysname> display nat periodic-statistics ip 202.38.6.12 slot 1

Slot 1:

  Global IP: 202.38.6.12

    NAT sessions                     : 10

    NAT port-block assign failures   : 0

Table 13 Command output

Field

Description

Address group ID

ID of the NAT address group. If no address group is specified, this field displays hyphens (---).

Totally n NAT address groups

Total number of NAT address groups.

Address group name

Name of the NAT address group. If no address group name is configured, this field is not displayed.

Global IP

IP address used for address translation. If the address is not in the specified address group, this field displays hyphens (---).

NAT sessions

Number of NAT sessions.

NAT port-block assign failures

Number of port block assignment failures.

Related commands

nat periodic-statistics enable

nat periodic-statistics interval

reset nat periodic-statistics

display nat policy

Use display nat policy to display the NAT policy configuration.

Syntax

display nat policy

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Display the NAT policy configuration.

<Sysname> display nat policy

NAT policy information:

  Totally 1 NAT policy rules.

  Rule name: rule1

    Description            : first rule

    Outbound-interface     : GigabitEthernet1/0/2

    SrcIP object group     : srcObj1

    SrcIP object group     : srcObj2

    SrcIP object group     : srcObj3

    DestIP object group    : desObj1

    DestIP object group    : desObj2

    DestIP object group    : desObj3

    Service object group   : serviceObj1

    Service object group   : serviceObj2

    Service object group   : serviceObj3

    Action:

      Address group ID: 2      Address group name: a

      NO-PAT: Y

      Reversible: N

      Port-preserved: N

    NAT counting : 0

    Config status: Active

Table 14 Command output

Field

Description

NAT policy information

Information about the NAT policy configuration.

Totally n NAT policy rules

Total number of NAT rules in the NAT policy.

Rule name

NAT rule name.

Description

Description of the NAT rule.

Outbound-interface

Direction of the traffic to which the NAT rule applies.

SrcIP object group

Source IP address object group in the NAT rule.

DestIP object group

Destination IP address object group in the NAT rule.

Service object group

Service object group in the NAT rule.

Action

Address translation method in the NAT rule.

Easy-IP

Easy IP method.

NO-NAT

Address translation is disabled.

Address group ID

ID of the NAT address group in the NAT rule. If no NAT address group ID is configured, this field is not displayed.

Address group name

Name of the NAT address group. If no address group name is configured, this field is not displayed.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

Port-preserved

Whether to try to preserve the port numbers for PAT:

·     Y—Tries to preserve the port numbers.

·     N—Allows translating port numbers.

NAT counting

Number of times the rule is matched.

Config status

Status of the NAT policy configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT policy does not take effect. This field is available when the Config status is Inactive.

display nat port-block

Use display nat port-block to display NAT port block mappings.

Syntax

In standalone mode:

display nat port-block { dynamic [ address-group { group-id | name group-name } ] [ ds-lite-b4 ] | static [ port-block-group group-id ] } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat port-block { dynamic [ address-group { group-id | name group-name } ] [ ds-lite-b4 ] | static [ port-block-group group-id ] } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

dynamic: Displays dynamic port block mappings.

address-group: Displays port block mappings for the specified address group. If you do not specify a NAT address group, this command displays port block mappings for all address groups.

group-id: Specifies the ID of the address group. The value range for this argument is 0 to 65535.

name group-name: Specifies the name of the address group. The name is a case-insensitive string of 1 to 63 characters.

ds-lite-b4: Displays port block mappings for DS-Lite B4 address translation.

static: Displays static port block mappings.

port-block-group group-id: Displays port block mappings for the specified port block group. The group-id argument specifies the ID of the port block group. The value range for the group-id argument is 0 to 65535. If you do not specify a port block group, this command displays port block mappings for all port block groups.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays port block mappings for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays port block mappings for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display static port block mappings for the specified slot.

<Sysname> display nat port-block static slot 1

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections

---           100.100.100.111  202.202.100.101  10001-10256  0

---           100.100.100.112  202.202.100.101  10257-10512  0

---           100.100.100.113  202.202.100.101  10513-10768  0

---           100.100.100.113  202.202.100.101  10769-11024  0

Total entries found: 4

# (In standalone mode.) Display dynamic port block mappings.

<Sysname> display nat port-block dynamic slot 1

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections

---           101.1.1.12       192.168.135.201  10001-11024  1

Total entries found: 1

# (In standalone mode.) Display port block mappings for DS-Lite B4 address translation.

<Sysname> display nat port-block dynamic ds-lite-b4 slot 1

Slot 1:

Local VPN     DS-Lite B4 addr  Global IP        Port block   Connections

---           2000::2          192.168.135.201  10001-11024  1

Total entries found: 1

Table 15 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field displays hyphens (---).

Local IP

Private IP address.

DS-Lite B4 addr

IPv6 address of the DS-Lite B4 element.

Global IP

Public IP address.

Port block

Port block defined by a start port number and an end port number.

Connections

Number of connections established by using the ports in the port block.

display nat port-block-group

Use display nat port-block-group to display NAT port block group configuration.

Syntax

display nat port-block-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

group-id: Specifies the ID of a NAT port block group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays configuration of all NAT port block groups.

Examples

# Display configuration of all NAT port block groups.

<Sysname> display nat port-block-group

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    VRID      : 2

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

# Display information about NAT port block group 1.

<Sysname> display nat port-block-group 1

  Port block group 1:

    VRID      : 2

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

Table 16 Command output

Field

Description

NAT port block group information

Information about the port block group configuration.

Totally n NAT port block groups

Total number of port block groups.

Port block group

ID of the port block group.

VRID

Virtual router ID (VRRP group number). If no VRRP group is specified, this field is not displayed.

Port range

Port range for the public IP addresses.

Block size

Number of ports in a port block.

Local IP address information

Information about the private IP addresses.

Global IP pool information

Information about the public IP addresses.

Start address

Start IP address of a private or public IP address range. If no start IP address is specified for the address range, this field displays hyphens (---).

End address

End IP address of a private or public IP address range. If no end IP address is specified for the address range, this field displays hyphens (---).

VPN instance

MPLS L3VPN instance to which the private IP address range belongs. If no VPN instance is specified for the private address range, this field displays hyphens (---).

Related commands

nat port-block-group
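A port block group only works if its public pool holds enough port blocks for the private addresses it serves. The following Python is an added example, not H3C code: it parses display nat port-block-group output into group objects and computes, per group, how many private hosts exist, how many port blocks the public pool yields, and how many hosts would be left without a block. It assumes each public IP yields floor(ports in range / block size) blocks and that each private address needs one block; the sample text is constructed in the format shown above.

```python
"""Parse 'display nat port-block-group' output and check that each group's
public pool can give every private address one port block.
Added example (not H3C code). Assumes a public IP yields floor(ports / block
size) blocks and each private address needs one block; SAMPLE_OUTPUT is
constructed in the format documented above."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Tuple

SAMPLE_OUTPUT = """\
NAT port block group information:
  Totally 3 NAT port block groups.
  Port block group 1:
    VRID      : 2
    Port range: 1-65535
    Block size: 256
    Local IP address information:
      Start address        End address          VPN instance
      172.16.1.1           172.16.1.254         ---
      192.168.1.1          192.168.1.254        ---
    Global IP pool information:
      Start address        End address
      201.1.1.1            201.1.1.10
      201.1.1.21           201.1.1.25

  Port block group 2:
    Port range: 10001-30000
    Block size: 500
    Local IP address information:
      Start address        End address          VPN instance
      10.1.1.1             10.1.10.255          ---
    Global IP pool information:
      Start address        End address
      202.10.10.101        202.10.10.120

  Port block group 3:
    Port range: 1-65535
    Block size: 256
    Local IP address information:
      Start address        End address          VPN instance
      ---                  ---                  ---
    Global IP pool information:
      Start address        End address
      ---                  ---
"""


@dataclass
class PortBlockGroup:
    group_id: int
    port_range: Tuple[int, int] = (0, 0)
    block_size: int = 0
    local_ranges: List[Tuple[str, str]] = field(default_factory=list)   # inclusive
    global_ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive


_GROUP = re.compile(r"^\s*Port block group (\d+):")


def parse_port_block_groups(text: str) -> List[PortBlockGroup]:
    groups: List[PortBlockGroup] = []
    group = None
    target = None  # address list (local or global) the current rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = _GROUP.match(raw)
        if m:
            group = PortBlockGroup(int(m.group(1)))
            groups.append(group)
            target = None
            continue
        if group is None or not line:
            continue
        if line.startswith("Port range:"):
            lo, hi = line.split(":", 1)[1].split("-")
            group.port_range = (int(lo), int(hi))
        elif line.startswith("Block size:"):
            group.block_size = int(line.split(":", 1)[1])
        elif line.startswith("Local IP address information"):
            target = group.local_ranges
        elif line.startswith("Global IP pool information"):
            target = group.global_ranges
        elif target is not None and not line.startswith("Start address"):
            cols = line.split()
            if cols[0] != "---":  # '---' rows mean no range is configured
                target.append((cols[0], cols[1]))
    return groups


def address_count(ranges: List[Tuple[str, str]]) -> int:
    return sum(int(IPv4Address(e)) - int(IPv4Address(s)) + 1 for s, e in ranges)


def blocks_per_public_ip(g: PortBlockGroup) -> int:
    lo, hi = g.port_range
    return (hi - lo + 1) // g.block_size if g.block_size else 0


def capacity(g: PortBlockGroup) -> Tuple[int, int, int]:
    """Return (private hosts, port blocks available, hosts left without a block)."""
    hosts = address_count(g.local_ranges)
    blocks = address_count(g.global_ranges) * blocks_per_public_ip(g)
    return hosts, blocks, max(0, hosts - blocks)
```

For the constructed sample, group 2 serves 2559 private addresses with only 800 blocks (20 public IPs times 40 blocks each), so 1759 hosts could never be assigned a block.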

display nat port-block-usage

Use display nat port-block-usage to display the port block usage for address groups.

Syntax

In standalone mode:

display nat port-block-usage [ address-group group-id ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat port-block-usage [ address-group group-id ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

System view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

address-group group-id: Specifies the ID of an address group. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, this command displays the port block usage for all address groups.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the port block usage for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the port block usage for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# (In standalone mode.) Display the port block usage for address groups for slot 1.

<Sysname> display nat port-block-usage slot 1

Slot 1:

Address group 0 on channel 0:

  Total port block entries :10

  Active port block entries:9

  Current port block usage :90%

Total NAT address groups found: 1

Table 17 Command output

Field

Description

CPU

Number of the CPU.

Address group

ID of the address group.

channel

Field-programmable gate array (FPGA) ID.

Total port block entries

Total number of port blocks in the address group.

Active port block entries

Total number of assigned port blocks in the address group.

Current port block usage

Port block usage in the address group.

Total NAT address groups found

Total number of address groups.

display nat probe address-group

Use display nat probe address-group to display NAT address group probe information.

Syntax

display nat probe address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

group-id: Specifies the address group ID. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays probe information for all address groups.

Usage guidelines

Non-default vSystems do not support this command.

The excluded IP addresses displayed by this command are only those detected by the address group probe. IP addresses excluded by the exclude-ip command are not included.

Examples

# Display NAT address group probe information.

<Sysname> display nat probe address-group

Address group ID: 1

Address-group name: dududu1

Address-group probe status: Partial available

Detected IP count: 5

Excluded IP count: 4

  IP address      Excluded  Excluded time

  1.1.1.1         YES       2017/12/26 09:30:39

  1.1.1.2         YES       2017/12/26 09:30:39

  1.1.1.3         YES       2017/12/26 09:30:39

  1.1.1.4         YES       2017/12/26 09:30:39

  1.1.1.5         NO        ----

 

Address group ID: 2

Address-group name: dududu2

Address-group probe status: Partial available

Detected IP count: 5

Excluded IP count: 4

  IP address      Excluded  Excluded time

  2.1.1.1         YES       2017/12/26 09:31:39

  2.1.1.2         YES       2017/12/26 09:31:39

  2.1.1.3         YES       2017/12/26 09:31:39

  2.1.1.4         YES       2017/12/26 09:31:39

  2.1.1.5         NO        ----

# Display NAT address group probe information for address group 1.

<Sysname> display nat probe address-group 1

Address group ID: 1

Address-group name: dududu

Address-group probe status: Partial available

Detected IP count: 5

Excluded IP count: 4

  IP address      Excluded  Excluded time

  1.1.1.1         YES       2017/12/26 09:30:39

  1.1.1.2         YES       2017/12/26 09:30:39

  1.1.1.3         YES       2017/12/26 09:30:39

  1.1.1.4         YES       2017/12/26 09:30:39

  1.1.1.5         NO        ----

Table 18 Command output

Field

Description

Address group ID

ID of the NAT address group.

Address group name

Name of the address group. If the address group does not have a name, this field is not displayed.

Address-group probe status

Probe status of the address group:

·     Inactive—The probe is not enabled.

·     In progress—The probe is in progress.

·     All available—All IP addresses in the group are available.

·     Partial available—Some of the IP addresses are available.

·     None available—None of the IP addresses are available.

Detected IP count

Number of IP addresses that have been detected.

Excluded IP count

Number of IP addresses that are excluded from address translation.

IP address

IP addresses in the NAT address group.

Excluded

Whether the IP address is excluded from address translation:

·     YES—The IP address is excluded from address translation.

·     NO—The IP address is not excluded and can be used for address translation.

Excluded time

Time when the IP address is excluded from address translation.

Related commands

exclude-ip

probe

display nat server

Use display nat server to display NAT server mappings.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# (In standalone mode.) Display NAT server mappings.

<Sysname> display nat server

NAT internal server information (object-group):

  Totally 1 object-group-based NAT server rules.

  Rule name: aaa

    Interface: Vlan-interface1

    Local IP/Port: 1.1.1.1/80

    DestIP Object group: a1

    NAT counting  : 0

    Description   : NatServerDescription1

    Config status : Active

 

 

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet1/0/1

    VRID          : 1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Configuration mode  : NETCONF (action)

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet1/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Rule name     : ace

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : abcdef

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Rule name     : cdefg

    NAT counting  : 0

    Config status : Active

    Global flow-table status: Active

    Local flow-table status: Active

 

  Interface: GigabitEthernet1/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Rule name     : white

    NAT counting  : 0

    Config status : Active

    Global flow-table status: Active

    Local flow-table status: Active

Table 19 Command output

Field

Description

NAT internal server information (object-group)

Information about the object group-based NAT server mappings.

Totally n object-group-based NAT server rules

Total number of object group-based NAT server mappings.

Rule name

Name of the NAT server mapping.

Priority

Priority of the NAT server mapping.

Configuration mode

Configuration method of the device.

·     This field displays NETCONF (action) if the device is configured by using a NETCONF action operation.

·     This field is not displayed if the device is configured by using other methods.

NAT internal server information

Information about NAT server mapping.

Interface

Interface where the NAT server mapping is configured.

Protocol

Protocol number and name of the internal server.

VRID

Virtual router ID (VRRP group number). If no VRRP group is specified, this field is not displayed.

Global IP/port

Public IP address and port number of the internal server.

·     Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---).

·     port—A single port number or a port number range. If the specified protocol has no port number, the port field displays hyphens (---).

Local IP/port

For common NAT server mappings and object group-based NAT server mappings, this field displays the private IP address and port number of the internal server.

·     Local IP—A single IP address or an IP address range.

·     port—A single port number or a port number range. If the specified protocol has no port number, the port field displays hyphens (---).

For a load sharing NAT server mapping, this field displays the internal server group ID, IP address, port number, and number of connections of each member.

DestIP Object group

Destination IP object group used by the NAT server mapping.

Service Object group

Service object group used by the NAT server mapping.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Rule name

Name of the NAT server mapping.

NAT counting

Number of times the NAT server mapping is matched.

Description

Description of the NAT server mapping. This field is not displayed if no description is configured for the mapping.

Config status

Status of the NAT server mapping: Active or Inactive.

Reasons for inactive status

Reasons why the NAT server mapping does not take effect. This field is available when the Config status is Inactive.

Global flow-table status

Status of the flow entries deployed for the public IP addresses: Active or Inactive.

Local flow-table status

Status of the flow entries deployed for the private IP addresses: Active or Inactive.

Reasons for flow-table inactive status

Reasons why the flow entries do not take effect. This field is available when the global or local flow table status is Inactive.

Related commands

nat server

display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

group-id: Specifies the ID of the internal server group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays the configuration of all internal server groups.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Display the configuration of all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

# Display the configuration of internal server group 1.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

 

Table 20 Command output

Field

Description

NAT server group information

Information about the NAT server group configuration.

Totally n NAT server groups

Total number of NAT server groups.

Group Number

ID of the internal server group.

Inside IP

Private IP address of a server in the internal server group. If no address is specified, this field displays hyphens (---).

Port

Private port number of a server in the internal server group. If no port number is specified, this field displays hyphens (---).

Weight

Weight of a server in the internal server group. If no weight value is specified, this field displays hyphens (---).

Related commands

nat server-group

display nat session

Use display nat session to display NAT sessions.

Syntax

In standalone mode:

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ brief | verbose ]

In IRF mode:

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

responder: Displays NAT sessions by responder. If you do not specify this keyword, this command displays NAT sessions by initiator.

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT sessions for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

brief: Displays brief information about NAT sessions.

verbose: Displays detailed information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about session initiators of all NAT sessions.

Examples

# (In standalone mode.) Display detailed information about NAT sessions for the specified slot.

<Sysname> display nat session slot 1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Rule ID: -/-/-

Rule name:

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (In standalone mode.) Display brief information about NAT sessions for the specified slot.

<Sysname> display nat session brief

Slot 1:

Protocol   Source IP/port         Destination IP/port    Global IP/port

TCP        2.1.1.20/1351          10.1.1.110/21          2.1.1.50/1025

 

Total sessions found: 1

Table 21 Command output

Field

Description

Initiator

Session information about the initiator.

Responder

Session information about the responder.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

Global IP/port

Public IP address and port number.

DS-Lite tunnel peer

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/Inline ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN ID to which the session belongs for Layer 2 forwarding.

·     Inline ID—INLINE to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or inline ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

Source security zone

Security zone to which the input interface belongs. If the input interface does not belong to any security zone, this field displays a hyphen (-).

State

NAT session status.

Application

Application layer protocol type, such as FTP and DNS.

This field displays OTHER for the protocol types identified by non-well-known ports.

Rule ID

ID of the security policy rule.

Rule name

Name of the security policy rule.

Start time

Time when the session starts.

TTL

Remaining NAT session lifetime in seconds.

Initiator->Responder

Number of packets and packet bytes from the initiator to the responder.

Responder->Initiator

Number of packets and packet bytes from the responder to the initiator.

Total sessions found

Total number of sessions.

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# (In standalone mode.) Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    VRID         : 1

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : adefg

    Priority     : 1000

    NAT counting : 0

    Description  : NatStaticDescription1

    Config status: Active

    Local flow-table status: Active

    Global flow-table status:

      Interface GigabitEthernet1/0/2 : Active

      Interface GigabitEthernet1/0/3 : Active

 

  IP-to-IP:

    VRID         : 1

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    ACL          : 2001

    Reversible   : Y

    Rule name    : abefg

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Local flow-table status: Active

    Global flow-table status:

      Interface GigabitEthernet1/0/2 : Inactive

      Reasons for flow-table inactive status:

        The item is not ready to perform the operation.

      Interface GigabitEthernet1/0/3 : Inactive

      Reasons for flow-table inactive status:

        The item is not ready to perform the operation.

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 2000

    Reversible   : Y

    Rule name    : abcd

    Priority     : 1000

    NAT counting : 0

    Config status: Active

    Local flow-table status: Active

    Global flow-table status:

      Interface GigabitEthernet1/0/2 : Active

      Interface GigabitEthernet1/0/3 : Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    ACL          : 2000

    Rule name    : defg

    Priority     : 1000

    NAT counting : 0

    Reversible   : Y

    Description  : NatStaticDescription2

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Local flow-table status: Active

    Global flow-table status:

      Interface GigabitEthernet1/0/2 : Inactive

      Reasons for flow-table inactive status:

        The item is not ready to perform the operation.

      Interface GigabitEthernet1/0/3 : Inactive

      Reasons for flow-table inactive status:

        The item is not ready to perform the operation.

 

Interfaces enabled with static NAT:

  Totally 1 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/0/2

    Config status: Active

Table 22 Command output

Field

Description

Static NAT mappings

Information about static NAT mapping configuration.

Totally n inbound static NAT mappings

Total number of inbound static NAT mappings.

Totally n outbound static NAT mappings

Total number of outbound static NAT mappings.

Net-to-net

Net-to-net static NAT mapping.

IP-to-IP

One-to-one static NAT mapping.

Local IP

Private IP address or address range.

Global IP

Public IP address or address range.

Netmask

Network mask.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Reversible

Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed.

Interfaces enabled with static NAT

Interfaces on which static NAT is enabled.

Totally n interfaces enabled with static NAT

Total number of interfaces where static NAT is enabled.

Interface

Interface on which static NAT is enabled.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

VRID

Virtual router ID (VRRP group number). If no VRRP group is specified, this field is not displayed.

NAT counting

Number of times the NAT rule is matched.

Description

Description of the NAT rule. This field is not displayed if no description is configured for the rule.

Config status

Status of the static NAT mapping: Active or Inactive.

Reasons for inactive status

Reasons why the static NAT mapping does not take effect. This field is available when the Config status is Inactive.

Local flow-table status

Status of the flow entries deployed for the private IP addresses: Active or Inactive.

Global flow-table status

Status of the flow entries deployed for the public IP addresses: Active or Inactive.

Reasons for flow-table inactive status

Reasons why the flow entries do not take effect. This field is available when the global or local flow table status is Inactive.
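The Config status, flow-table status and reason fields above are what an operator checks when a static mapping silently stops translating. The following parser is an added example (not H3C code) that reads display nat static output, groups the fields per mapping, and reports every mapping whose configuration or flow entries are not Active together with the reasons the device printed. The sample output is a constructed abbreviation of the example on this page.

```python
"""Find static NAT mappings that are not fully active in display nat static output.

Constructed example, not H3C code. Field names follow the command output
documented above; the sample text is a shortened copy of the page's example.
"""
import re

# Constructed sample: one active Net-to-net mapping and one inactive IP-to-IP mapping.
SAMPLE = """\
Static NAT mappings:
  Totally 2 inbound static NAT mappings.
  Net-to-net:
    VRID         : 1
    Global IP    : 1.1.1.1 - 1.1.1.255
    Local IP     : 2.2.2.0
    Netmask      : 255.255.255.0
    ACL          : 2000
    Rule name    : adefg
    Config status: Active
    Local flow-table status: Active
    Global flow-table status:
      Interface GigabitEthernet1/0/2 : Active
      Interface GigabitEthernet1/0/3 : Active

  IP-to-IP:
    VRID         : 1
    Global IP    : 5.5.5.5
    Local IP     : 4.4.4.4
    ACL          : 2001
    Rule name    : abefg
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: ACL.
    Local flow-table status: Active
    Global flow-table status:
      Interface GigabitEthernet1/0/2 : Inactive
      Reasons for flow-table inactive status:
        The item is not ready to perform the operation.
      Interface GigabitEthernet1/0/3 : Inactive
      Reasons for flow-table inactive status:
        The item is not ready to perform the operation.

Interfaces enabled with static NAT:
  Totally 1 interfaces enabled with static NAT.
  Interface: GigabitEthernet1/0/2
    Config status: Active
"""

KV_RE = re.compile(r"^\s{4}(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>.*)$")
IFACE_RE = re.compile(r"^\s{6}Interface (?P<name>\S+)\s*:\s*(?P<status>\S+)$")
TOTAL_RE = re.compile(r"Totally \d+ (inbound|outbound) static NAT mappings")


def parse_static_mappings(text):
    """Return one dict per mapping: direction, type, fields, per-interface status, reasons."""
    records, rec, direction, pending, last_iface = [], None, None, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        m = TOTAL_RE.match(stripped)
        if m:
            direction = m.group(1)
            continue
        if stripped in ("Net-to-net:", "IP-to-IP:"):
            rec = {"direction": direction, "type": stripped[:-1], "fields": {},
                   "interfaces": {}, "reasons": []}
            records.append(rec)
            continue
        if rec is None:
            continue
        if stripped.startswith("Interfaces enabled with static NAT"):
            rec = None                      # the interface section has no more mappings
            continue
        if stripped.startswith("Reasons for"):
            pending = "config" if "flow-table" not in stripped else f"interface {last_iface}"
            continue
        if pending:                         # the line after a "Reasons for" header is the reason
            rec["reasons"].append((pending, stripped))
            pending = None
            continue
        m = IFACE_RE.match(raw)
        if m:
            last_iface = m.group("name")
            rec["interfaces"][last_iface] = m.group("status")
            continue
        m = KV_RE.match(raw)
        if m:
            rec["fields"][m.group("key").strip()] = m.group("val").strip()
    return records


def inactive_mappings(text):
    """Report mappings whose config or flow entries are not Active, with the device's reasons."""
    report = []
    for r in parse_static_mappings(text):
        f = r["fields"]
        bad_ifaces = sorted(i for i, s in r["interfaces"].items() if s != "Active")
        if (f.get("Config status") == "Active" and f.get("Local flow-table status") == "Active"
                and not bad_ifaces):
            continue
        report.append({"direction": r["direction"], "type": r["type"], "rule": f.get("Rule name"),
                       "config_status": f.get("Config status"),
                       "inactive_interfaces": bad_ifaces, "reasons": r["reasons"]})
    return report


if __name__ == "__main__":
    for entry in inactive_mappings(SAMPLE):
        print(entry)
```

Feeding the live output of the command into inactive_mappings() from a scheduled job gives an alert the moment an ACL referenced by a mapping is deleted, which is exactly the failure the sample output shows.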

Related commands

nat static enable

nat static inbound

nat static inbound net-to-net

nat static inbound object-group

nat static outbound

nat static outbound net-to-net

nat static outbound object-group

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

In standalone mode:

display nat statistics [ summary ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat statistics [ summary ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display detailed information about NAT statistics.

<Sysname> display nat statistics

Slot 1:

  Total session entries: 100

  Session creation rate: 0

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

Table 23 Command output

Field

Description

Total session entries

Number of NAT session entries.

Session creation rate

Number of NAT sessions created per second.

Total EIM entries

Total number of EIM entries.

Total inbound NO-PAT entries

Total number of inbound NO-PAT entries.

Total outbound NO-PAT entries

Total number of outbound NO-PAT entries.

Total static port block entries

Total number of static NAT444 mappings.

Total dynamic port block entries

Total number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

Active static port block entries

Number of static port block mappings that are in use.

Active dynamic port block entries

Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.

# (In standalone mode.) Display NAT statistics summary.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

2    0         0         0         1572720   0         0

Table 24 Command output

Field

Description

Sessions

Number of NAT session entries.

EIM

Number of EIM entries.

SPB

Number of static NAT444 mappings.

DPB

Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

ASPB

Number of static port block mappings in use.

ADPB

Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.

exclude-ip

Use exclude-ip to exclude IP addresses from being used in address translation.

Use undo exclude-ip to allow the IP addresses to be used in address translation.

Syntax

exclude-ip start-address end-address

undo exclude-ip start-address end-address

Default

All IP addresses in the NAT address group can be used as the NAT addresses.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If the start and end addresses are the same, only one IP address is specified.

Usage guidelines

Non-default vSystems do not support this command.

If some IP addresses in a NAT address group cannot be used for address translation, you can use this command to exclude them.

You can configure this command multiple times to specify a maximum of 100 IP address ranges excluded from address translation. No address ranges can overlap. The start IP address and the end IP address in an excluded range must be in the range configured in the address start-address end-address command. Each excluded IP address range can contain a maximum of 4096 IP addresses.
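The limits in the guidelines above are easy to violate when address groups are generated from templates. The following checker is an added example (not H3C code) that applies them before the configuration is pushed: every excluded range must lie inside the range given by the address command, ranges must not overlap, a range holds at most 4096 addresses, and at most 100 ranges are allowed. It also reports how many addresses remain usable for translation.

```python
"""Checker for the exclude-ip constraints of a NAT address group.

Constructed example, not H3C code: it applies the limits stated in the
exclude-ip usage guidelines and reports the number of addresses left for
translation after the exclusions.
"""
from ipaddress import IPv4Address

MAX_EXCLUDE_RANGES = 100        # limit from the usage guidelines
MAX_ADDRS_PER_RANGE = 4096      # limit from the usage guidelines


def _parse_range(start, end):
    """Return a range as integers, rejecting an end address below the start."""
    s, e = int(IPv4Address(start)), int(IPv4Address(end))
    if e < s:
        raise ValueError(f"end address {end} is lower than start address {start}")
    return s, e


def validate_exclude_ips(addr_start, addr_end, excludes):
    """Validate exclude-ip ranges against the group's address range.

    addr_start/addr_end: the range given by the address command.
    excludes: list of (start, end) pairs as typed after exclude-ip.
    Returns (problems, usable_count); usable_count is None when problems exist.
    """
    problems = []
    gs, ge = _parse_range(addr_start, addr_end)
    if len(excludes) > MAX_EXCLUDE_RANGES:
        problems.append(f"{len(excludes)} excluded ranges exceed the limit of {MAX_EXCLUDE_RANGES}")
    parsed = []
    for start, end in excludes:
        try:
            s, e = _parse_range(start, end)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if s < gs or e > ge:
            problems.append(f"{start}-{end} lies outside the address range {addr_start}-{addr_end}")
        if e - s + 1 > MAX_ADDRS_PER_RANGE:
            problems.append(f"{start}-{end} contains more than {MAX_ADDRS_PER_RANGE} addresses")
        parsed.append((s, e, start, end))
    parsed.sort()
    # After sorting, only neighbouring ranges can overlap.
    for (s1, e1, a1, b1), (s2, e2, a2, b2) in zip(parsed, parsed[1:]):
        if s2 <= e1:
            problems.append(f"{a1}-{b1} overlaps {a2}-{b2}")
    if problems:
        return problems, None
    excluded = sum(e - s + 1 for s, e, _, _ in parsed)
    return problems, (ge - gs + 1) - excluded


if __name__ == "__main__":
    # Mirrors the command example on this page: address 10.1.1.1 10.1.1.15 with two excluded ranges.
    print(validate_exclude_ips("10.1.1.1", "10.1.1.15",
                               [("10.1.1.2", "10.1.1.2"), ("10.1.1.3", "10.1.1.5")]))
```

For the example configuration below, the checker reports no problems and 11 usable addresses.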

Examples

# Exclude IP addresses 10.1.1.2 and 10.1.1.3 to 10.1.1.5 in NAT address group 2 from being used in address translation.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] exclude-ip 10.1.1.2 10.1.1.2

[Sysname-address-group-2] exclude-ip 10.1.1.3 10.1.1.5

Related commands

address

failover-group

Use failover-group to specify a failover group for a NAT address group.

Use undo failover-group to restore the default.

Syntax

failover-group group-name [ channel channel-id ]

undo failover-group

Default

No failover group is specified for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. The specified failover group must exist.

channel channel-id: Specifies a channel in the failover group. The channel-id argument represents the ID of the channel. The value range for the channel-id argument is 0 to 1. The default is 0.

Usage guidelines

After you configure this command, traffic to be translated by dynamic NAT or dynamic NAT444 will be directed to the specified channel in the specified failover group.

You can specify both a load sharing group and a failover group for a NAT address group. The security engines in the failover group must also be in the load sharing group. To specify a load sharing group for a NAT address group, use the blade-load-sharing-group command.

If manual failover groups exist, you must specify a manual failover group rather than an automatic failover group for a NAT address group.

Examples

# Specify the failover group nat-failover and channel 0 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-nat-address-group-1] failover-group nat-failover channel 0

Related commands

blade-load-sharing-group

global-ip-pool

Use global-ip-pool to add a public IP address range to a NAT port block group.

Use undo global-ip-pool to remove a public IP address range from a NAT port block group.

Syntax

global-ip-pool start-address end-address

undo global-ip-pool start-address

Default

No public IP address ranges exist.

Views

NAT port block group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a public IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one public IP address is specified.

Usage guidelines

A static port block mapping maps a public IP address to multiple private IP addresses and assigns a unique port block to each private IP address. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.

Each execution of this command adds one address range, which can contain a maximum of 256 public IP addresses. The public IP address ranges in one port block group cannot overlap.

Public IP address ranges in different port block groups can overlap. The port ranges for overlapped public IP address ranges cannot overlap.

Examples

# Add a public IP address range to the port block group 1. The public IP address range consists of IP addresses from 202.10.1.1 to 202.10.1.10.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] global-ip-pool 202.10.1.1 202.10.1.10

Related commands

nat port-block-group

inside ip

Use inside ip to add a server to an internal server group.

Use undo inside ip to remove a server from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

An internal server group has no server members.

Views

Internal server group view

Predefined user roles

network-admin

context-admin

Parameters

inside-ip: Specifies the IP address of an internal server.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535, excluding FTP port 20.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100.

Usage guidelines

Non-default vSystems do not support this command.

An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a server with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

local-ip-address

Use local-ip-address to add a private IP address range to a NAT port block group.

Use undo local-ip-address to remove a private IP address range from a NAT port block group.

Syntax

local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

undo local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

Default

No private IP address ranges exist in a NAT port block group.

Views

NAT port block group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a private IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one private IP address is specified.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address range belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address range does not belong to any VPN instance, do not specify this option.

Usage guidelines

A static port block mapping maps one public IP address to multiple private IP addresses and assigns a unique port block to each private IP address.

When you add multiple private IP address ranges to the same port block group, follow these restrictions:

·     The private IP address ranges in the same VPN instance cannot overlap.

·     The private IP address ranges that do not belong to any VPN instances cannot overlap.

In a NAT port block group, the number of private IP addresses cannot be larger than the number of assignable port blocks. Otherwise, some private IP addresses cannot obtain port blocks. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.
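The capacity rule stated here and in the global-ip-pool guidelines (blocks per public IP = ports in the port range divided by the block size) decides whether every private host will actually get a port block. The following checker is an added example (not H3C code) that computes the assignable block count for a port block group and applies the range limits from both commands: at most 256 addresses per global-ip-pool range, no overlapping public ranges in one group, and no overlapping private ranges within the same VPN instance. The port range and block size are taken as parameters; the values used in the demo (1024 to 65535, block size 256) are assumptions, not values from this page.

```python
"""Capacity check for a static NAT444 port block group.

Constructed example, not H3C code. It applies the rules from the
global-ip-pool and local-ip-address usage guidelines and reports whether the
number of private addresses exceeds the number of assignable port blocks.
"""
from ipaddress import IPv4Address

MAX_PUBLIC_ADDRS_PER_RANGE = 256   # global-ip-pool limit from the usage guidelines


def _span(start, end):
    """Return (start, end) as integers, rejecting an end address below the start."""
    s, e = int(IPv4Address(start)), int(IPv4Address(end))
    if e < s:
        raise ValueError(f"end {end} is lower than start {start}")
    return s, e


def blocks_per_public_ip(port_start, port_end, block_size):
    """Port blocks one public IP can assign: ports in the range divided by the block size."""
    return (port_end - port_start + 1) // block_size


def _overlaps(ranges):
    """Yield label pairs of overlapping (start, end, label) ranges."""
    ordered = sorted(ranges)
    for r1, r2 in zip(ordered, ordered[1:]):
        if r2[0] <= r1[1]:
            yield r1[2], r2[2]


def check_port_block_group(global_pools, local_ranges, port_start, port_end, block_size):
    """global_pools: [(start, end)]; local_ranges: [(start, end, vpn_instance_or_None)].

    Returns the computed capacity and a list of problems (empty when the group is consistent).
    """
    problems, pub = [], []
    for start, end in global_pools:
        s, e = _span(start, end)
        if e - s + 1 > MAX_PUBLIC_ADDRS_PER_RANGE:
            problems.append(f"global-ip-pool {start}-{end} exceeds {MAX_PUBLIC_ADDRS_PER_RANGE} addresses")
        pub.append((s, e, f"{start}-{end}"))
    for a, b in _overlaps(pub):
        problems.append(f"global-ip-pool ranges {a} and {b} overlap")

    priv_by_vpn = {}                       # private ranges may only overlap across VPN instances
    for start, end, vpn in local_ranges:
        s, e = _span(start, end)
        priv_by_vpn.setdefault(vpn, []).append((s, e, f"{start}-{end}"))
    for vpn, ranges in priv_by_vpn.items():
        for a, b in _overlaps(ranges):
            problems.append(f"local-ip-address ranges {a} and {b} overlap in VPN {vpn or '(none)'}")

    public_count = sum(e - s + 1 for s, e, _ in pub)
    private_count = sum(e - s + 1 for r in priv_by_vpn.values() for s, e, _ in r)
    per_ip = blocks_per_public_ip(port_start, port_end, block_size)
    assignable = public_count * per_ip
    if private_count > assignable:
        problems.append(f"{private_count} private addresses but only {assignable} assignable port "
                        f"blocks; {private_count - assignable} hosts would get no port block")
    return {"public_addresses": public_count, "private_addresses": private_count,
            "blocks_per_public_ip": per_ip, "assignable_blocks": assignable, "problems": problems}


if __name__ == "__main__":
    # Ranges mirror the page's examples; the port range and block size are assumed values.
    print(check_port_block_group([("202.10.1.1", "202.10.1.10")],
                                 [("172.16.1.1", "172.16.1.255", None)], 1024, 65535, 256))
```

With the assumed port range and block size, the ten public addresses from the global-ip-pool example yield 252 blocks each, 2520 in total, which covers the 255 private addresses from the example below; raising the block size to 4096 drops the total to 150 and the checker flags the shortfall.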

Examples

# Add a private IP address range to port block group 1. The private IP address range consists of IP addresses from 172.16.1.1 to 172.16.1.255.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] local-ip-address 172.16.1.1 172.16.1.255

Related commands

nat port-block-group

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id [ name group-name ]

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535.

name group-name: Assigns a name to the NAT address group. The group-name argument is a case-sensitive string of 1 to 63 characters.

Usage guidelines

A NAT address group is a set of address ranges. Use the address command to add an address range to a NAT address group. Dynamic NAT translates the source IP address of a packet into an IP address in the address group.

Examples

# Create a NAT address group numbered 1 and named abc.

<Sysname> system-view

[Sysname] nat address-group 1 name abc

Related commands

address

display nat address-group

display nat all

nat inbound

nat outbound

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sctp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

NAT ALG is enabled for DNS, FTP, ICMP error messages, PPTP, and RTSP, and is disabled for the other supported protocols.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

h323: Enables NAT ALG for H.323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sctp: Enables NAT ALG for SCTP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.
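The FTP case above is the classic reason an ALG exists: the PORT command and the 227 passive-mode reply carry an IP address and port inside the payload as six decimal fields (h1,h2,h3,h4,p1,p2, port = p1 * 256 + p2), so a NAT that rewrites only IP and TCP headers leaves the peer trying to reach a private address. The following code is an added example (not H3C code) of the payload rewrite an FTP ALG performs; the address mapping it uses is a constructed sample loosely modelled on the display nat session brief output earlier on this page.

```python
"""FTP payload rewriting of the kind a NAT ALG performs.

Constructed example, not H3C code. Both the active-mode PORT command and the
passive-mode 227 reply embed an endpoint as h1,h2,h3,h4,p1,p2; the ALG
replaces it with the translated address and port so the data connection can
be established through the NAT device.
"""
import re

ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(fields):
    """Turn the six comma-separated numbers into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_host_port(ip, port):
    """Inverse of decode_host_port."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def extract_endpoint(line):
    """Return the (ip, port) embedded in a PORT command or 227 reply, else None."""
    if not (line.startswith("PORT ") or line.startswith("227 ")):
        return None
    m = ADDR_RE.search(line)
    return None if m is None else decode_host_port(m.groups())


def alg_rewrite(line, mapping):
    """Rewrite the embedded endpoint using mapping {(ip, port): (new_ip, new_port)}.

    Lines without an endpoint, or whose endpoint the NAT device has no mapping
    for, pass through unchanged.
    """
    endpoint = extract_endpoint(line)
    if endpoint is None or endpoint not in mapping:
        return line
    new_ip, new_port = mapping[endpoint]
    return ADDR_RE.sub(encode_host_port(new_ip, new_port), line, count=1)


if __name__ == "__main__":
    # Constructed mapping: private 2.1.1.20:1351 is translated to public 2.1.1.50:1025.
    sample_mapping = {("2.1.1.20", 1351): ("2.1.1.50", 1025)}
    print(alg_rewrite("PORT 2,1,1,20,5,71", sample_mapping))
```

Because the rewritten field can differ in length from the original, a real ALG must also adjust TCP sequence and acknowledgement numbers on the control connection; this example shows only the payload transformation.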

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat dns-map

Use nat dns-map to configure a NAT DNS mapping.

Use undo nat dns-map to remove a NAT DNS mapping.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No NAT DNS mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

Non-default vSystems do not support this command.

NAT DNS mapping must cooperate with the NAT Server feature.

·     A NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server.

·     A NAT server mapping maps the public IP and port to the private IP and port of the internal server.

The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.

You can configure multiple NAT DNS mappings.

Examples

# Configure a NAT DNS mapping to map the domain name www.server.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345

Related commands

display nat all

display nat dns-map

nat server

nat global-policy

Use nat global-policy to create the global NAT policy and enter its view, or enter the view of the existing global NAT policy.

Use undo nat global-policy to delete the global NAT policy and all the configuration in the global NAT policy.

Syntax

nat global-policy

undo nat global-policy

Default

No global NAT policy exists.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

The global NAT policy contains a set of NAT rules to identify and translate matching packets. The packet match criteria include source IP address, destination IP address, service type, source security zone, and destination security zone. The global NAT policy supports translating the source IP address and destination IP address of the matching packets.

You do not need to apply the global NAT policy to any interface.

The global NAT policy has priority over interface-based NAT. If both are configured, the matching packets are translated as follows:

·     If the global NAT policy contains only source address translation rules, the source address translation follows the NAT policy, and the destination address translation follows the interface-based rules.

·     If the global NAT policy contains only destination address translation rules, the destination address translation follows the NAT policy, and the source address translation follows the interface-based rules.

·     If the global NAT policy contains both source and destination address translation rules, both the source and destination address translations follow the NAT policy. The interface-based source and destination address translation rules do not take effect.

Examples

# Create the global NAT policy and enter its view.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy]

Related commands

display nat all

display nat global-policy

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is disabled.

Views

Interface view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

When NAT hairpin works in conjunction with NAT Server, you must configure NAT server mappings by using one of the following methods, with a protocol type specified:

·     Configuring common NAT server mappings

·     Configuring load sharing NAT server mappings

Examples

# Enable NAT hairpin on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat hairpin enable

Related commands

display nat all

nat outbound

nat server

nat static outbound

nat icmp-error reply

Use nat icmp-error reply to enable sending ICMP error messages upon NAT failures.

Use undo nat icmp-error reply to restore the default.

Syntax

nat icmp-error reply

undo nat icmp-error reply

Default

No ICMP error messages are sent upon NAT failures.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

By default, sending ICMP error messages upon NAT failures is disabled on the NAT device, so applications that use ICMP are not notified when a translation fails. With this feature enabled, the NAT device sends ICMP error messages upon NAT failures so that the applications can locate and troubleshoot the failures.

Examples

# Enable sending ICMP error messages upon NAT failures.

<Sysname> system-view

[Sysname] nat icmp-error reply

nat inbound

Use nat inbound to configure an inbound dynamic NAT rule.

Use undo nat inbound to delete an inbound dynamic NAT rule.

Syntax

nat inbound { ipv4-acl-number | name ipv4-acl-name } address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] [ no-pat [ reversible ] [ add-route ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ] [ description text ]

undo nat inbound { ipv4-acl-number | name ipv4-acl-name }

Default

No inbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

address-group group-id: Specifies an address group for address translation.

group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.

name group-name: Specifies the address group name, a case-insensitive string of 1 to 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses the NO-PAT mode. If you do not specify this keyword, PAT is used. PAT supports only TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the internal network to the external network.

add-route: Automatically adds a route to the source address after translation. The output interface is the NAT interface and the next hop is the source address before translation.

rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.

priority priority: Specifies a priority for the rule, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the rule has the lowest priority among the same type of NAT rules.

disable: Disables the inbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

description text: Specifies a description for the inbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Inbound dynamic NAT translates the source IP addresses of incoming packets permitted by the ACL into IP addresses in the address group.

Inbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation.

·     NO-PAT—Performs only IP address translation.

The NO-PAT mode supports reverse address translation. Reverse address translation uses ACL reverse matching to identify packets to be translated. ACL reverse matching works as follows:

·     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Inbound dynamic NAT typically cooperates with one of the following to implement bidirectional NAT:

·     Outbound dynamic NAT (the nat outbound command).

·     NAT Server (the nat server command).

·     Outbound static NAT (the nat static command).

An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat inbound command in both PAT and NO-PAT modes.

Do not specify the add-route keyword if the subnets where the internal and external networks reside overlap. For other network scenarios:

·     If you specify the add-route keyword, the device automatically adds a route to the source address after translation for a packet. The destination address is the NAT address in the NAT address group, the output interface is the interface where the command is executed, and the next hop is the source address before translation.

·     If you do not specify the add-route keyword, you must manually add the route. As a best practice, add routes manually because automatic route adding is slow.

An ACL can be used by only one inbound dynamic NAT rule on an interface.

You can configure multiple inbound dynamic NAT rules on an interface.

The vpn-instance parameter is required if you deploy inbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Inbound dynamic NAT rules configured with the same priority value are matched by using their ACLs.

·     NAT rules with named ACLs have higher priorities than NAT rules with unnamed ACLs.

·     NAT rules with named ACLs are matched in alphabetical order of their ACL names.

·     NAT rules with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 in VPN vpn10 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit vpn-instance vpn10 source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Configure the MPLS L3VPN instance named vpn10.

[Sysname] ip vpn-instance vpn10

[Sysname-vpn-instance-vpn10] route-distinguisher 100:001

[Sysname-vpn-instance-vpn10] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance-vpn10] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance-vpn10] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an inbound NO-PAT rule on interface GigabitEthernet 1/0/1. NAT translates the source addresses of incoming packets into the addresses in address group 1, and automatically adds routes for translated packets. Set the rule name to abc, and the priority to 0.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat inbound 2001 address-group 1 vpn-instance vpn10 no-pat add-route rule abc priority 0

Related commands

display nat all

display nat inbound

display nat no-pat

nat inbound rule move

Use nat inbound rule move to change the priority of an inbound dynamic NAT rule.

Syntax

nat inbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Usage guidelines

Non-default vSystems do not support this command.

This command is applicable only to named inbound dynamic NAT rules.

A NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Examples

# Move the inbound dynamic NAT rule abc to the line before the rule def.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat inbound rule move abc before def

Related commands

nat inbound

nat link-switch recreate-session

Use nat link-switch recreate-session to enable NAT session recreation after link switchover.

Use undo nat link-switch recreate-session to disable NAT session recreation after link switchover.

Syntax

nat link-switch recreate-session

undo nat link-switch recreate-session

Default

NAT session recreation is disabled after link switchover.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command is applicable to a WAN network where two interfaces of the NAT device are configured with outbound dynamic NAT rules using different address groups. When the link of one interface fails, traffic on this link is switched to the link of the other interface, and the NAT device operates as follows:

·     If the two interfaces are in different security zones, the NAT device deletes old session entries after link switchover. When user traffic later arrives, it triggers the NAT session recreation. This mechanism ensures that internal users can access the external network.

·     If the two interfaces are in the same security zone, the NAT device retains old session entries after link switchover. Internal users cannot access the external network because the device uses old session entries to match the user traffic. To avoid this issue, enable this feature to ensure availability of NAT services.

Examples

# Enable NAT session recreation after link switchover.

<Sysname> system-view

[Sysname] nat link-switch recreate-session

Related commands

display nat all

nat log alarm

Use nat log alarm to enable NAT alarm logging.

Use undo nat log alarm to disable NAT alarm logging.

Syntax

nat log alarm

undo nat log alarm

Default

NAT alarm logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

Packets that need to be translated are dropped if the NAT resources are not enough. In NO-PAT, the NAT resources refer to the public IP addresses. In EIM PAT, the NAT resources refer to public IP addresses and ports. In NAT444, the NAT resources refer to public IP addresses, port blocks, or ports in port blocks. NAT alarm logging monitors the usage of NAT resources and outputs logs if the NAT resources are not enough.

For NAT444 dynamic port block mappings, an alarm log is generated when a port block assignment fails or when the available port resources cannot meet the address translation requirements of a user.

Before configuring alarm logging for NAT, you must configure the custom NAT log generation and output features. For more information about the information center, see Network Management and Monitoring Configuration Guide.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT alarm logging.

<Sysname> system-view

[Sysname] nat log alarm

Related commands

display nat all

display nat log

nat log enable

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

Usage guidelines

You must enable NAT logging before you enable NAT session logging, NAT444 user logging (including port block assignment and withdrawal logging), NAT alarm logging, or NAT NO-PAT logging.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat log alarm

nat log flow-active

nat log flow-begin

nat log flow-end

nat log no-pat ip-usage

nat log port-block-assign

nat log port-block-withdraw

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 1 to 6000 minutes.

Usage guidelines

Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.

Logging for active NAT flows takes effect only after you enable NAT logging.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT session establishment events.

Use undo nat log flow-begin to disable logging for NAT session establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT session establishment events is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

Logging for NAT session establishment events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT session removal events.

Use undo nat log flow-end to disable logging for NAT session removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT session removal events is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

Logging for NAT session removal events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session removal events.

<Sysname> system-view

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat log no-pat ip-usage

Use nat log no-pat ip-usage to enable logging for the IP usage of a NAT address group in NO-PAT mode and set a usage threshold.

Use undo nat log no-pat ip-usage to disable logging for the IP usage of a NAT address group in NO-PAT mode.

Syntax

nat log no-pat ip-usage [ threshold value ]

undo nat log no-pat ip-usage

Default

Logging for the IP usage of a NAT address group is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

threshold value: Specifies the IP usage threshold of a NAT address group as a percentage. The value range is 40 to 100, and the default is 90%.

Usage guidelines

Non-default vSystems do not support this command.

The system generates a log if the IP usage of a NAT address group exceeds the threshold.

This command takes effect only after you enable the NAT logging by using the nat log enable command.

Examples

# Enable logging for the IP usage of a NAT address group in NO-PAT mode and set the threshold to 60%.

<Sysname> system-view

[Sysname] nat log no-pat ip-usage threshold 60

Related commands

display nat log

display nat no-pat ip-usage

nat log enable

nat log port-block usage threshold

Use nat log port-block usage threshold to set the port block usage threshold.

Use undo nat log port-block usage threshold to restore the default.

Syntax

nat log port-block usage threshold threshold-value

undo nat log port-block usage threshold

Default

The port block usage threshold is 90%.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

threshold-value: Specifies a threshold as a percentage, in the range of 40 to 100.

Usage guidelines

Non-default vSystems do not support this command.

A log is generated when the port block usage exceeds the threshold.

Examples

# Set the port block usage threshold to 60%.

<Sysname> system-view

[Sysname] nat log port-block usage threshold 60

Related commands

display nat all

display nat log

nat log enable

nat log port-block-assign

Use nat log port-block-assign to enable NAT444 user logging for port block assignment.

Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.

Syntax

nat log port-block-assign

undo nat log port-block-assign

Default

NAT444 user logging is disabled for port block assignment.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

For static port block mappings, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

For dynamic port block mappings, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block assignment.

<Sysname> system-view

[Sysname] nat log port-block-assign

Related commands

display nat all

display nat log

nat log enable

nat log port-block-withdraw

Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.

Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.

Syntax

nat log port-block-withdraw

undo nat log port-block-withdraw

Default

NAT444 user logging is disabled for port block withdrawal.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

For static port block mappings, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

For dynamic port block mappings, the NAT444 gateway generates a user log when all the following conditions are met:

·     The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

·     The corresponding mapping entry is deleted.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block withdrawal.

<Sysname> system-view

[Sysname] nat log port-block-withdraw

Related commands

display nat all

display nat log

nat log enable

nat mapping-behavior endpoint-independent

Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping (EIM) mode for PAT.

Use undo nat mapping-behavior to restore the default.

Syntax

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat mapping-behavior endpoint-independent

Default

Address and Port-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

acl: Specifies an ACL to define the applicable scope of Endpoint-Independent Mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

Usage guidelines

Non-default vSystems do not support this command.

PAT supports the following NAT mapping modes:

·     Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the NAT IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·     Address and Port-Dependent Mapping—Uses different IP and port mappings for packets with the same source IP and port to different destination IP addresses and ports. APDM allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.

This command takes effect only on outbound PAT. Address and Port-Dependent Mapping always applies to inbound PAT.

If you specify an ACL, Endpoint-Independent Mapping applies to packets that are permitted by the ACL. If you do not specify an ACL, Endpoint-Independent Mapping applies to all packets.
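The security difference between the two mapping modes is easiest to see with a small model of the outbound PAT table. The following is an added example, not H3C code: the class names, the constructed addresses and the port allocation scheme are assumptions made for illustration. Under EIM one entry serves all destinations, so any external host that learns the NAT address and port can reach the internal host; under APDM only a peer the internal host has already contacted is translated back.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

EIM = "endpoint-independent"          # nat mapping-behavior endpoint-independent
APDM = "address-and-port-dependent"   # the default behaviour described on this page


@dataclass
class OutboundPat:
    """Toy model of an outbound PAT table on one NAT interface (constructed, not device code)."""
    public_ip: str
    behavior: str = APDM
    next_port: int = 1024
    # forward table: mapping key -> public endpoint
    forward: Dict[Tuple, Endpoint] = field(default_factory=dict)
    # reverse table: public endpoint -> (internal endpoint, external peers seen so far)
    reverse: Dict[Endpoint, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def outbound(self, internal: Endpoint, external: Endpoint) -> Endpoint:
        """Translate an outbound flow and return the public endpoint it is mapped to."""
        # EIM: one entry per internal source, whatever the destination.
        # APDM: one entry per (source, destination) pair.
        key = internal if self.behavior == EIM else (internal, external)
        if key not in self.forward:
            public = (self.public_ip, self.next_port)   # sequential ports: model assumption
            self.next_port += 1
            self.forward[key] = public
            self.reverse[public] = (internal, set())
        public = self.forward[key]
        self.reverse[public][1].add(external)
        return public

    def inbound(self, external: Endpoint, public: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint an inbound packet is translated to, or None if it is not."""
        entry = self.reverse.get(public)
        if entry is None:
            return None                 # no mapping for this NAT address/port: nothing to translate
        internal, peers = entry
        if self.behavior == EIM:
            return internal             # any external host may use the NAT address and port
        return internal if external in peers else None   # APDM: only previously contacted peers


def compare_behaviors() -> Dict[str, Dict[str, object]]:
    """Run the same constructed traffic through an EIM table and an APDM table."""
    host = ("10.110.10.5", 40000)       # internal host behind the NAT interface
    web = ("203.0.113.10", 80)          # external server the host contacts first
    other = ("203.0.113.20", 443)       # a second external server
    stranger = ("192.0.2.99", 5555)     # external host the internal host never contacted
    results: Dict[str, Dict[str, object]] = {}
    for behavior in (EIM, APDM):
        table = OutboundPat(public_ip="202.110.10.10", behavior=behavior)
        first = table.outbound(host, web)
        second = table.outbound(host, other)
        results[behavior] = {
            "same_mapping_for_both_destinations": first == second,
            "reply_from_web": table.inbound(web, first),
            "unsolicited_from_stranger": table.inbound(stranger, first),
        }
    return results
```

The `unsolicited_from_stranger` entry is the whole point of the trade-off the guidelines describe: it is translated under EIM and dropped under APDM.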

Examples

# Apply the Endpoint-Independent Mapping mode to all packets for address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent

# Apply the Endpoint-Independent Mapping mode to FTP and HTTP packets, and the Address and Port-Dependent Mapping mode to other packets for address translation.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 21

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] nat mapping-behavior endpoint-independent acl 3000

Related commands

nat outbound

display nat eim

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ] [ description text ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group { group-id | name group-name } ] [ vpn-instance vpn-instance-name ] [ port-preserved ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ] [ description text ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

address-group: Specifies an address group for NAT. If you do not specify an address group, the IP address of the interface is used as the NAT address (Easy IP).

group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.

name group-name: Specifies the address group name, a case-insensitive string of 1 to 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses the NO-PAT mode. If you do not specify this keyword, PAT is used. PAT supports only TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.

port-preserved: Tries to preserve the port number for PAT. This keyword does not take effect on dynamic NAT port block mapping.

rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.

priority priority: Specifies a priority for the rule, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the rule has the lowest priority among the same type of NAT rules.

disable: Disables the outbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

description text: Specifies a description for the outbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.

Outbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·     NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
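ACL reverse matching, as described here for nat outbound and above for nat inbound, swaps the roles of the ACL's source and destination criteria around a NO-PAT entry. The following is an added example, not H3C code: the rule and packet classes, the address book of NO-PAT entries and the sample addresses are constructed for illustration, and first-match evaluation with "no match means no translation" is a modelling assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    """One IPv4 ACL rule. Criteria left at their defaults match anything (model assumption)."""
    permit: bool
    source: str = "0.0.0.0/0"          # forward-direction source network
    src_port: Optional[int] = None
    destination: str = "0.0.0.0/0"     # forward-direction destination network
    dst_port: Optional[int] = None


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _port_ok(port: int, wanted: Optional[int]) -> bool:
    return wanted is None or port == wanted


def forward_match(rule: AclRule, pkt: Packet) -> bool:
    """Ordinary matching, as used for outbound packets that create NO-PAT entries."""
    return (_in_net(pkt.src_ip, rule.source) and _port_ok(pkt.src_port, rule.src_port)
            and _in_net(pkt.dst_ip, rule.destination) and _port_ok(pkt.dst_port, rule.dst_port))


def reverse_match(rule: AclRule, pkt: Packet, nopat: Dict[str, str]) -> bool:
    """ACL reverse matching for an inbound packet, following the two documented steps.

    nopat maps a public (translated) address to the private address of an existing NO-PAT entry.
    """
    # Step 1: compare the packet's source IP/port with the ACL's destination criteria.
    if not (_in_net(pkt.src_ip, rule.destination) and _port_ok(pkt.src_port, rule.dst_port)):
        return False
    # Step 2a: translate the destination IP with the matching NO-PAT entry ...
    private_ip = nopat.get(pkt.dst_ip)
    if private_ip is None:
        return False                    # no NO-PAT entry for this public address
    # Step 2b: ... and compare the translated destination IP/port with the ACL's source criteria.
    return _in_net(private_ip, rule.source) and _port_ok(pkt.dst_port, rule.src_port)


def reverse_translate(acl: List[AclRule], pkt: Packet, nopat: Dict[str, str]) -> Optional[Packet]:
    """Apply reverse address translation to an inbound packet; the first matching rule decides."""
    for rule in acl:
        if reverse_match(rule, pkt, nopat):
            if not rule.permit:
                return None             # matched a deny rule: not translated
            return Packet(pkt.src_ip, pkt.src_port, nopat[pkt.dst_ip], pkt.dst_port)
    return None                         # no rule matched: this model leaves the packet untranslated


# Constructed sample: ACL 2001 as configured in this page's example, plus the NO-PAT entries
# that outbound traffic from two internal hosts would have created in address group 1.
ACL_2001 = [AclRule(permit=True, source="10.110.10.0/24"), AclRule(permit=False)]
NOPAT_ENTRIES = {"202.110.10.10": "10.110.10.5", "202.110.10.11": "10.110.10.6"}
```

With a basic ACL the first step always matches, so reverse translation is gated only by whether the private address behind the NO-PAT entry falls in the permitted source subnet; an advanced ACL with destination criteria additionally restricts which external peers may initiate.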

Dynamic NAT444 does not support the NO-PAT mode.

When you specify a NAT address group, follow these restrictions and guidelines:

·     An address group cannot be used by both the nat inbound and nat outbound commands.

·     An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

·     When port block parameters are specified in the NAT address group, this command configures a dynamic NAT port block mapping. Packets matching the ACL permit rule are processed by dynamic NAT444.

When you specify an ACL, follow these restrictions and guidelines:

·     An ACL can be used by only one outbound dynamic NAT rule on an interface.

·     If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.

·     If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·     Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Outbound dynamic NAT rules configured with the same priority value and an ACL are matched by using the ACLs in the rule.

·     NAT rules with named ACLs have higher priorities than NAT rules with unnamed ACLs.

·     NAT rules with named ACLs are matched in alphabetical order of their ACL names.

·     NAT rules with unnamed ACLs are matched in descending order of their ACL numbers.
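The match order described here for nat outbound, the identical rule for nat inbound, and the priority arithmetic of nat inbound rule move can be captured in one sort key. The following is an added example, not H3C code: the rule names, ACL identifiers and priorities are constructed, case-insensitive comparison of ACL names is inferred from the names being case-insensitive, and placing ACL-less outbound rules after all ACL-based rules follows the precedence statement above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

DEFAULT_PRIORITY = 4294967295     # value the reference gives for rules configured without priority


@dataclass
class NatRule:
    name: Optional[str]               # rule name; None for a rule configured without "rule"
    acl: Union[str, int, None]        # ACL name, ACL number, or None (outbound rule without an ACL)
    priority: int = DEFAULT_PRIORITY


def match_key(rule: NatRule) -> Tuple:
    """Sort key reproducing the documented match order.

    1. smaller priority value first;
    2. among equal priorities, rules with named ACLs before rules with numbered ACLs,
       and both before rules without an ACL (outbound Easy IP case);
    3. named ACLs in alphabetical order (case-insensitive: ACL names are case-insensitive);
    4. numbered ACLs in descending order of ACL number.
    """
    if isinstance(rule.acl, str):
        return (rule.priority, 0, rule.acl.lower(), 0)
    if isinstance(rule.acl, int):
        return (rule.priority, 1, "", -rule.acl)
    return (rule.priority, 2, "", 0)


def match_order(rules: List[NatRule]) -> List[str]:
    """Return rule names ("unnamed" for a rule without a name) in the order they are matched."""
    return [r.name or "unnamed" for r in sorted(rules, key=match_key)]


def rule_move(rules: List[NatRule], moved: str, position: str, reference: str) -> int:
    """Model of 'nat inbound rule move <moved> { after | before } <reference>'.

    Only named rules can be moved or serve as the reference. The reference rule keeps its
    priority; the moved rule gets reference + 1 (after) or reference - 1 (before). Returns
    the new priority. The reference does not say what the device does when the result leaves
    the 0..2147483647 range, so this model does not clamp it.
    """
    by_name = {r.name: r for r in rules if r.name is not None}
    if moved not in by_name or reference not in by_name or moved == reference:
        raise ValueError("rule move needs two distinct named rules")
    ref_priority = by_name[reference].priority
    if position == "after":
        new_priority = ref_priority + 1
    elif position == "before":
        new_priority = ref_priority - 1
    else:
        raise ValueError("position must be 'after' or 'before'")
    by_name[moved].priority = new_priority
    return new_priority


def sample_rules() -> List[NatRule]:
    """Constructed rule set on one interface; names and ACL identifiers are illustrative."""
    return [
        NatRule("web", "web-servers", 10),
        NatRule("basic", 2001, 10),
        NatRule("adv", 3000, 10),
        NatRule("admin", "Admin-hosts", 10),
        NatRule(None, None, 10),          # outbound Easy IP rule: no ACL, no name
        NatRule("vip", 2500, 5),
        NatRule("catchall", 2999),        # no priority given: DEFAULT_PRIORITY, matched last
    ]
```

Note that a rule configured without priority sits behind every explicitly prioritised rule even when its ACL number is higher, which is why the ACL-number tiebreak only matters between rules that share a priority value.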

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface GigabitEthernet 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound 2001 address-group 1

[Sysname-GigabitEthernet1/0/1] quit

Or

# Configure an outbound NO-PAT rule on interface GigabitEthernet 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound 2001 address-group 1 no-pat

[Sysname-GigabitEthernet1/0/1] quit

Or

# Enable Easy IP to use the IP address of GigabitEthernet 1/0/1 as the NAT address.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound 2001

[Sysname-GigabitEthernet1/0/1] quit

Or

# Configure an outbound NO-PAT rule on GigabitEthernet 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound 2001 address-group 1 no-pat reversible

Related commands

display nat eim

display nat outbound

nat mapping-behavior

nat outbound ds-lite-b4

Use nat outbound ds-lite-b4 to configure DS-Lite B4 address translation.

Use undo nat outbound ds-lite-b4 to remove the DS-Lite B4 address translation configuration.

Syntax

nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group group-id

undo nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name }

Default

No DS-Lite B4 address translation configuration exists.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-acl-number: Specifies the number of an IPv6 ACL to match the IPv6 addresses of B4 elements. The value range for the argument is 2000 to 2999.

name ipv6-acl-name: Specifies the name of an IPv6 ACL to match the IPv6 addresses of B4 elements. The ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all.

address-group group-id: Specifies an address group by its ID. The value range for the group-id argument is 0 to 65535. Port block parameters are required in the address group for DS-Lite B4 address translation.

Usage guidelines

Non-default vSystems do not support this command.

DS-Lite B4 address translation applies to the scenario where a DS-Lite tunnel connects an IPv6 network to an IPv4 network. DS-Lite port block mapping is configured on the AFTR's interface connected to the external IPv4 network and performs dynamic port block mapping based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host.

DS-Lite B4 address translation dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

Examples

# Configure IPv6 ACL 2100 to identify packets from subnet 2000::/64.

<Sysname> system-view

[Sysname] acl ipv6 basic 2100

[Sysname-acl-ipv6-basic-2100] rule permit source 2000::/64

[Sysname-acl-ipv6-basic-2100] quit

# Create address group 1 and add public addresses 202.110.10.10 through 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-nat-address-group-1] address 202.110.10.10 202.110.10.12

# Set the port block size to 256.

[Sysname-nat-address-group-1] port-block block-size 256

[Sysname-nat-address-group-1] quit

# Configure DS-Lite port block mapping on GigabitEthernet 1/0/1 to use address group 1 to translate packets permitted by ACL 2100.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound ds-lite-b4 2100 address-group 1

Related commands

display nat outbound

nat outbound easy-ip failover-group

Use nat outbound easy-ip failover-group to specify a failover group for Easy IP.

Use undo nat outbound easy-ip failover-group to restore the default.

Syntax

nat outbound easy-ip failover-group group-name [ channel channel-id ]

undo nat outbound easy-ip failover-group

Default

No failover group is specified for Easy IP.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. The specified failover group must already exist.

channel channel-id: Specifies a failover group channel by its ID. The value range for the channel-id argument is 0 to 1. The default value is 0.

Usage guidelines

Non-default vSystems do not support this command.

After you configure this command, traffic to be translated by Easy IP will be directed to the specified channel in the specified failover group.

If a manual failover group exists on the device, you can specify only the manual failover group in this command.

If you configure nat outbound easy-ip failover-group in interface view and configure nat outbound easy-ip port-range in system view, the latter command does not take effect.

Examples

# Specify failover group nat-failover for Easy IP on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound easy-ip failover-group nat-failover

Related commands

blade-load-sharing-group

display nat outbound

nat outbound easy-ip port-range

nat outbound easy-ip port-range

Use nat outbound easy-ip port-range to specify a port range for a failover group to implement Easy IP.

Use undo nat outbound easy-ip port-range to delete the port range specified for the failover group for Easy IP.

Syntax

nat outbound easy-ip port-range mask-value mask-length failover-group group-name [ channel channel-id ]

undo nat outbound easy-ip port-range mask-value mask-length failover-group group-name [ channel channel-id ]

Default

No port range is specified for the failover group to implement Easy IP.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

mask-value: Specifies the mask value of the leftmost bits. The mask value is in the range of 0 to 31. One mask value can be assigned to only one failover group.

mask-length: Specifies the length of the leftmost bits, in the range of 1 to 5.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. If manual failover groups exist, you must specify a manual failover group rather than an automatic failover group for Easy IP.

channel channel-id: Specifies a channel in the failover group. The channel-id argument represents the ID of the channel. The value for the channel-id argument is 0 or 1. The default is 0.

Usage guidelines

Non-default vSystems do not support this command.

This command allows multiple failover groups to use the IP address of the same interface as the NAT IP address without port conflict.

The mask value and length of the leftmost bits define the port range as follows:

1.     The mask value and length of the leftmost bits are converted to a binary string. For example, if the mask value is 2 and the length of the leftmost bits is 5, the binary string is 00010.

2.     The remaining rightmost binary bits are filled to get the highest and lowest values.

a.     All remaining rightmost binary bits are set to 0 to get the lowest value.

b.     All remaining rightmost binary bits are set to 1 to get the highest value.

3.     The binary highest and lowest values are converted to decimal values to define a port range.

For example, if the mask value is 2 and the length of the leftmost bits is 5, the binary string is 00010. The lowest and highest binary strings are then 0001000000000000 and 0001011111111111. The decimal value range is 4096 to 6142 for these two binary strings.

To ensure that each failover group has a unique port range, one mask value can be assigned to only one failover group, and the leftmost bit length must be the same for all mask values. As a result, a maximum of 32 port ranges can be defined.

One failover group can have a maximum of two mask values.

If you configure nat outbound easy-ip failover-group in interface view and configure nat outbound easy-ip port-range in system view, the latter command does not take effect.

Before you execute this command, configure a QoS policy to redirect the traffic on an interface to different failover groups. For information about traffic redirecting, see ACL and QoS Configuration Guide.
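The port-range derivation and the constraints above (one mask value per failover group, the same leftmost bit length for every mask value, at most two mask values per group) can be checked before the commands are typed. The following Python code is an added illustration, not part of the H3C documentation or software: easy_ip_port_range performs the three steps of the derivation on a 16-bit port number, and plan_port_ranges validates a set of intended nat outbound easy-ip port-range assignments. Note that converting the page's own highest binary string 0001011111111111 gives 6143, which is what the function returns for mask value 2 and length 5; for mask value 1 and length 3 it returns 8192 to 16383, matching the example below. The rejection of a mask value that does not fit in the given number of bits is an assumption of this code, not something the page states.

```python
from typing import Dict, List, Tuple

PORT_BITS = 16  # a TCP/UDP port number is 16 bits wide


def easy_ip_port_range(mask_value: int, mask_length: int) -> Tuple[int, int]:
    """Return (lowest, highest) port of the range selected by the leftmost bits.

    Step 1: mask_value is written as a mask_length-bit binary string.
    Step 2: the remaining rightmost bits are all 0 (lowest) or all 1 (highest).
    Step 3: both strings are read back as decimal port numbers.
    """
    if not 1 <= mask_length <= 5:
        raise ValueError("mask-length must be in the range 1 to 5")
    if not 0 <= mask_value <= 31:
        raise ValueError("mask-value must be in the range 0 to 31")
    if mask_value >= (1 << mask_length):
        # Assumption: a mask value that needs more bits than mask-length is rejected.
        raise ValueError("mask-value does not fit in mask-length bits")
    shift = PORT_BITS - mask_length
    lowest = mask_value << shift               # leftmost bits, rest 0
    highest = lowest | ((1 << shift) - 1)      # leftmost bits, rest 1
    return lowest, highest


def plan_port_ranges(assignments: List[Tuple[str, int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Validate (failover_group, mask_value, mask_length) triples and map each group
    to its port ranges, applying the usage-guideline constraints."""
    lengths = {ml for _, _, ml in assignments}
    if len(lengths) > 1:
        raise ValueError("every mask value must use the same leftmost bit length")
    owner: Dict[int, str] = {}
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for group, mv, ml in assignments:
        if mv in owner:
            raise ValueError(f"mask-value {mv} is already assigned to failover group {owner[mv]}")
        owner[mv] = group
        ranges.setdefault(group, []).append(easy_ip_port_range(mv, ml))
        if len(ranges[group]) > 2:
            raise ValueError(f"failover group {group} may have a maximum of two mask values")
    return ranges


if __name__ == "__main__":
    # Constructed sample: three assignments with leftmost bit length 3.
    print(plan_port_ranges([("nat-failover", 1, 3), ("fg-b", 2, 3), ("nat-failover", 3, 3)]))
```

Because every mask value uses the same bit length and is assigned once, the ranges returned for different groups never overlap, which is the property the command relies on to let several failover groups share one interface address.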

Examples

# Set the mask value of the leftmost bits to 1 and the leftmost bit length to 3 to define a port range 8192 to 16383 for failover group nat-failover to implement Easy IP.

<Sysname> system-view

[Sysname] nat outbound easy-ip port-range 1 3 failover-group nat-failover

Related commands

display nat easy-ip failover-group port-range

failover group (High Availability Command Reference)

nat outbound easy-ip failover-group

nat outbound port-block-group

Use nat outbound port-block-group to configure a static outbound port block mapping rule on an interface.

Use undo nat outbound port-block-group to delete a static port block mapping rule on an interface.

Syntax

nat outbound port-block-group group-id [ rule rule-name ] [ counting ]

undo nat outbound port-block-group group-id

Default

No static outbound port block mapping rule is configured on an interface.

Views

Interface view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

group-id: Specifies a NAT port block group by its ID. The value range for this argument is 0 to 65535.

rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

After you configure this command on an interface, the system automatically computes the mappings and creates entries for them. When a private IP address accesses the public network, the private IP address is translated to the mapped public IP address, and the ports are translated to ports in the selected port block.

You can configure multiple port block mapping rules on an interface.

In an IRF fabric, you must execute the ip fast-forwarding load-sharing command. Otherwise, port assignment conflicts will occur.

Examples

# Configure a static outbound port block mapping rule on GigabitEthernet 1/0/1, and specify the rule name as abc.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound port-block-group 1 rule abc

Related commands

display nat all

display nat outbound port-block-group

display nat port-block

nat port-block-group

nat outbound rule move

Use nat outbound rule move to change the priority of an outbound dynamic NAT rule.

Syntax

nat outbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the NAT rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Usage guidelines

Non-default vSystems do not support this command.

This command is applicable only to named outbound dynamic NAT rules.

A NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Examples

# Move the outbound dynamic NAT rule abc to the line before the rule def.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound rule move abc before def

Related commands

nat outbound

nat periodic-statistics enable

Use nat periodic-statistics enable to enable periodic NAT statistics collection.

Use undo nat periodic-statistics enable to disable periodic NAT statistics collection.

Syntax

nat periodic-statistics enable

undo nat periodic-statistics enable

Default

Periodic NAT statistics collection is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This feature periodically counts sessions and port block assignment failures for address groups.

This feature might cause intensive CPU usage. You can disable this feature when CPU resources are insufficient.

Examples

# Enable periodic NAT statistics collection.

<Sysname> system-view

[Sysname] nat periodic-statistics enable

Related commands

nat periodic-statistics interval

nat periodic-statistics interval

Use nat periodic-statistics interval to set the interval for periodic NAT statistics collection.

Use undo nat periodic-statistics interval to restore the default.

Syntax

nat periodic-statistics interval interval

undo nat periodic-statistics interval

Default

The interval for periodic NAT statistics collection is 300 seconds.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

interval: Specifies the interval for collecting periodic NAT statistics. The value range is 180 to 604800 seconds.

Usage guidelines

Non-default vSystems do not support this command.

A shorter interval causes higher CPU usage. As a best practice, use the default interval value.

Examples

# Set the interval for periodic NAT statistics collection to 500 seconds.

<Sysname> system-view

[Sysname] nat periodic-statistics interval 500

Related commands

nat periodic-statistics enable

nat policy

Use nat policy to create a NAT policy and enter its view, or enter the view of an existing NAT policy.

Use undo nat policy to delete the NAT policy and all the configuration in the NAT policy.

Syntax

nat policy

undo nat policy

Default

No NAT policy exists.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

The NAT policy performs address translation for outgoing packets on the interfaces to which its rules are applied. The NAT policy contains a set of NAT rules. The device identifies packets based on the object groups in the NAT rules, and translates addresses according to the method in the matching rule.

The NAT policy supports only dynamic address translation, and the NAT policy has a higher priority than the dynamic address translation configuration on the interface.

Examples

# Create a NAT policy and enter its view.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy]

Related commands

display nat all

display nat policy

rule name

nat port-block global-share enable

Use nat port-block global-share enable to enable port block global sharing.

Use undo nat port-block global-share enable to disable port block global sharing.

Syntax

nat port-block global-share enable

undo nat port-block global-share enable

Default

Port block global sharing is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

When multiple interfaces have dynamic NAT port block mapping configured, the interfaces might create different port block mappings for packets from the same IP address. You can use this command to configure the interfaces to use the same port block mapping for translating packets from the same IP address.

Examples

# Enable port block global sharing.

<Sysname> system-view

[Sysname] nat port-block global-share enable

Related commands

port-block

nat port-block synchronization enable

Use nat port-block synchronization enable to enable dynamic NAT port block mapping synchronization.

Use undo nat port-block synchronization enable to disable dynamic NAT port block mapping synchronization.

Syntax

nat port-block synchronization enable

undo nat port-block synchronization enable

Default

Dynamic NAT port block mapping synchronization is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

Dynamic NAT port block mapping synchronization enables the master and the backup to synchronize dynamic port block mappings, which ensures smooth switchover without service interruption.

On an RBM network, this command takes effect only when you enable the service entry hot backup feature by using the hot-backup enable command. On an IRF fabric, this command takes effect only when you enable the session synchronization feature by using the session synchronization enable command.

Examples

# Enable dynamic NAT port block mapping synchronization.

<Sysname> system-view

[Sysname] nat port-block synchronization enable

nat port-block-group

Use nat port-block-group to create a NAT port block group and enter its view, or enter the view of an existing NAT port block group.

Use undo nat port-block-group to delete a NAT port block group.

Syntax

nat port-block-group group-id

undo nat port-block-group group-id

Default

No NAT port block groups exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

group-id: Assigns an ID to the NAT port block group. The value range for this argument is 0 to 65535.

Usage guidelines

A NAT port block group is configured to implement static port block mapping for NAT444.

You must configure the following items for a NAT port block group:

·     A minimum of one private IP address range (see the local-ip-address command).

·     A minimum of one public IP address range (see the global-ip-address command).

·     A port range (see the port-range command).

·     A port block size (see the block-size command).

The system computes static port block mappings according to the port block group configuration, and creates entries for the mappings.

Examples

# Create NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1]

Related commands

block-size

display nat all

display nat port-block-group

global-ip-pool

local-ip-address

nat outbound port-block-group

port-range

nat redirect reply-route

Use nat redirect reply-route enable to enable NAT reply redirection.

Use undo nat redirect reply-route enable to disable NAT reply redirection.

Syntax

nat redirect reply-route enable

undo nat redirect reply-route enable

Default

NAT reply redirection is disabled.

Views

Interface view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

NAT reply redirection allows an interface to use the NAT session entry information to translate the destination IP addresses for NAT reply packets and find the output interfaces for the NATed reply packets.

Examples

# Enable NAT reply redirection on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat redirect reply-route enable

nat remote-backup port-alloc

Use nat remote-backup port-alloc to specify NAT port ranges for the two devices in the HA group.

Use undo nat remote-backup port-alloc to restore the default.

Syntax

nat remote-backup port-alloc { primary | secondary }

undo nat remote-backup port-alloc

Default

The two devices in the HA group share NAT port resources.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

primary: Specifies the first half of the port range.

secondary: Specifies the second half of the port range.

Usage guidelines

Non-default vSystems do not support this command.

In the HA group in dual-active mode, different IP+port combinations on the two devices might be translated to the same NAT IP+port resources due to the following reasons:

·     The two devices in the HA group share NAT addresses.

·     The same NAT port range is assigned to each device.

To avoid this situation, execute this command on the primary device to divide the port resources equally between the two devices. Executing the command on the primary device also causes the remaining half of the port range to be automatically assigned to the secondary device. For example, if you execute the nat remote-backup port-alloc secondary command on the primary device, the nat remote-backup port-alloc primary command is automatically executed on the secondary device. For more information about configuring the HA group, see High Availability Configuration Guide. You do not need to execute this command for active/standby HA. No port conflict exists in this mode because only one device processes NAT services.

Examples

# Specify the primary device in the HA group to use the first half of the port range.

<Sysname> system-view

[Sysname] nat remote-backup port-alloc primary

nat server

Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a NAT server mapping.

Syntax

Common NAT server mapping:

·     A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ vrrp virtual-router-id ] [ rule rule-name ] [ disable ] [ counting ] [ description text ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ vrrp virtual-router-id ] [ rule rule-name ] [ disable ] [ counting ] [ description text ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with no public port:

nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ vrrp virtual-router-id ] [ rule rule-name ] [ disable ] [ counting ] [ description text ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with one single public port:

nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ vrrp virtual-router-id ] [ rule rule-name ] [ disable ] [ counting ] [ description text ]

undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]

Load sharing NAT server mapping:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ vrrp virtual-router-id ] [ rule rule-name ] [ disable ] [ counting ] [ description text ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]

ACL-based NAT server mapping:

nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ vrrp virtual-router-id ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ] [ description text ]

undo nat server global { ipv4-acl-number | name ipv4-acl-name }

Default

No NAT server mappings exist.

Views

Interface view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·     A number in the range of 1 to 255.

·     A protocol name of icmp, tcp, or udp.

global: Specifies the public network information about the internal server.

global-address: Specifies the public address of an internal server.

global-address1 global-address2: Specifies a public IP address range, which can include a maximum of 10000 addresses. The global-address1 argument specifies the start address, and the global-address2 argument specifies the end address, which must be greater than the start address.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be the word all.

current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 10000 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

inside: Specifies the private network information about the internal server.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.

local-address: Specifies the private IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the advertised public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for the group-id argument is 0 to 65535.

acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be the word all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

vrrp virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the NAT server mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

description text: Specifies a description for the NAT server mapping. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can configure the NAT server mapping to allow servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

NAT server mappings are usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 25 Address-port mappings for NAT Server

External network | Internal network

One public address | One private address

One public address and one public port number | One private address and one private port number

One public address and N consecutive public port numbers | One private address and one private port number; or N consecutive private addresses and one private port number; or one private address and N consecutive private port numbers

N consecutive public addresses | One private address; or N consecutive private addresses

N consecutive public addresses and one public port number | One private address and one private port number; or N consecutive private addresses and one private port number; or one private address and N consecutive private port numbers

One public address and one public port number | One internal server group

One public address and N consecutive public port numbers | One internal server group

N consecutive public addresses and one public port number | One internal server group

Public addresses matching an ACL | One private address; or one private address and one private port

The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The maximum number of NAT server mappings equals the number of public ports in the specified public port range.
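The rows of Table 25 all follow one rule: the i-th public address (or public port) of an "N consecutive" mapping selects the i-th private address (or private port). The following Python model is an added illustration, not H3C code; it resolves protocol names with an assumed table (http, telnet, ftp, dns, pop3) and checks the two restrictions stated above (non-TCP/UDP mappings are address-only, and N must agree on both sides). The make_mapping, ServerMapping, validate and translate names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Hypothetical model of the NAT Server address-port mappings in Table 25
# (illustration only, not H3C code). Port names are resolved with an assumed
# table; the device accepts more names than are listed here.
PORT_NAMES = {"http": 80, "telnet": 23, "ftp": 21, "dns": 53, "pop3": 110}


def port_number(port) -> Optional[int]:
    """Accept a port number, a protocol name such as http or telnet, or None."""
    if port is None or isinstance(port, int):
        return port
    return PORT_NAMES[port.lower()]


@dataclass(frozen=True)
class ServerMapping:
    protocol: str
    global_start: IPv4Address
    global_end: IPv4Address
    local_start: IPv4Address
    local_end: IPv4Address
    global_port_start: Optional[int] = None
    global_port_end: Optional[int] = None
    local_port_start: Optional[int] = None
    local_port_end: Optional[int] = None

    def n(self) -> int:
        """N: how many consecutive public addresses or public ports the mapping covers."""
        addrs = int(self.global_end) - int(self.global_start) + 1
        ports = 1
        if self.global_port_start is not None:
            ports = self.global_port_end - self.global_port_start + 1
        return max(addrs, ports)

    def validate(self) -> List[str]:
        """Check the restrictions the command reference states for a mapping."""
        problems = []
        if self.protocol not in ("tcp", "udp") and (
            self.global_port_start is not None or self.local_port_start is not None
        ):
            problems.append("only one-to-one address mappings are allowed unless the protocol is tcp or udp")
        local_addrs = int(self.local_end) - int(self.local_start) + 1
        local_ports = 1
        if self.local_port_start is not None:
            local_ports = self.local_port_end - self.local_port_start + 1
        if local_addrs > 1 and local_addrs != self.n():
            problems.append(f"{local_addrs} private addresses cannot be paired with N={self.n()}")
        if local_ports > 1 and local_ports != self.n():
            problems.append(f"{local_ports} private ports cannot be paired with N={self.n()}")
        return problems

    def translate(self, protocol: str, dst_ip: str, dst_port: Optional[int]
                  ) -> Optional[Tuple[str, Optional[int]]]:
        """Return (private address, private port) for an external destination, or None if unmatched."""
        dst = IPv4Address(dst_ip)
        if protocol != self.protocol or not self.global_start <= dst <= self.global_end:
            return None
        if self.global_port_start is not None and (
            dst_port is None or not self.global_port_start <= dst_port <= self.global_port_end
        ):
            return None
        # The i-th public address (or port) selects the i-th private address (or port).
        if self.global_end != self.global_start:
            index = int(dst) - int(self.global_start)
        elif self.global_port_start is not None:
            index = dst_port - self.global_port_start
        else:
            index = 0
        local_ip = self.local_start + (index if self.local_end != self.local_start else 0)
        if self.local_port_start is None:
            local_port = dst_port            # address-only mapping: the port is left unchanged
        elif self.local_port_end != self.local_port_start:
            local_port = self.local_port_start + index
        else:
            local_port = self.local_port_start
        return str(local_ip), local_port


def make_mapping(protocol: str, global_ip, inside_ip, global_port=None, local_port=None) -> ServerMapping:
    """Build a mapping from CLI-style arguments: a single address/port or a (start, end) tuple."""
    def ip_range(value):
        start, end = (value, value) if isinstance(value, str) else value
        return IPv4Address(start), IPv4Address(end)

    def port_range(value):
        start, end = value if isinstance(value, tuple) else (value, value)
        return port_number(start), port_number(end)

    gs, ge = ip_range(global_ip)
    ls, le = ip_range(inside_ip)
    gps, gpe = port_range(global_port)
    lps, lpe = port_range(local_port)
    return ServerMapping(protocol, gs, ge, ls, le, gps, gpe, lps, lpe)


if __name__ == "__main__":
    # nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet
    m = make_mapping("tcp", "202.110.10.10", ("10.110.10.1", "10.110.10.100"), (1001, 1100), "telnet")
    print(m.validate(), m.translate("tcp", "202.110.10.10", 1002))
```

The model only answers "which private endpoint does this public endpoint reach"; it does not model the internal server group rows of the table, where the device chooses a member at translation time.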

The vpn-instance parameter is required if you configure NAT server mappings in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

As a best practice, do not configure Easy IP for multiple NAT server mappings by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of a NAT server mapping not using Easy IP, the Easy IP configuration becomes invalid. If the conflicting IP address is modified to another IP address or the NAT server mapping without Easy IP is removed, the Easy IP configuration takes effect.

When you configure a load sharing NAT server mapping, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:

·     One public address and N consecutive public port numbers are mapped to one internal server group.

·     N consecutive public addresses and a public port number are mapped to one internal server group.

To configure ACL-based NAT server mappings, the ACL rules cannot use object groups as match criteria.

ACL-based NAT server mappings that are configured with the same priority value are matched by using the ACLs in their rules:

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

When you configure a NAT server mapping on the primary device in the HA group for high availability, specify a VRRP group facing the external network. This operation ensures that both forward and reverse user traffic is translated on the same master device.

An error message about a rollback failure is displayed when you perform a configuration rollback for an internal server in the following situation:

·     In the running configuration, the name of a NAT server mapping is assigned automatically by the system.

·     In the replacement configuration file, the name does not exist.

The system will compare the running configuration file and the replacement file, and display an error message about the mismatch. You can ignore the error message because the NAT server mapping configuration in the configuration file is installed successfully. For example, the NAT server mapping configuration is nat server global 112.1.1.1 inside 192.168.20.1 in the running configuration, and the configuration is nat server global 112.1.1.1 inside 192.168.20.1 rule ServerRule_num in the replacement configuration file. After the rollback operation, the new NAT server configuration is successfully installed.

Examples

# Allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http

[Sysname-GigabitEthernet1/0/1] quit

# Allow external users to access the internal FTP server at 10.110.10.11 in the VPN instance vrf10 through ftp://202.110.10.10.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

[Sysname-GigabitEthernet1/0/1] quit

# Allow external hosts to ping the host at 10.110.10.12 in the VPN instance vrf10 by using the ping 202.110.10.11 command.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

[Sysname-GigabitEthernet1/0/1] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the VPN instance vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Configure an ACL-based NAT server mapping to allow users to use IP addresses in subnet 192.168.0.0/24 to access the internal server at 10.0.0.172.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server global 3000 inside 10.0.0.172

Related commands

display nat all

display nat server

nat server-group

nat server rule

Use nat server rule global destination-ip inside to create an object group-based NAT server rule.

Use undo nat server rule to delete an object group-based NAT server mapping.

Syntax

nat server rule rule-name global destination-ip object-group-name&<1-5> [ service object-group-name ] inside local-address [ local-port ] [ vrrp virtual-router-id ] [ disable ] [ counting ] [ description text ]

undo nat server rule rule-name

nat server rule rule-name global { destination-ip object-group-name&<1-5> | service object-group-name }

undo nat server rule rule-name global { destination-ip object-group-name&<1-5> | service object-group-name }

Default

No object group-based NAT server mapping exists.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

rule-name: Specifies a rule name. The name is a case-insensitive string of 1 to 63 characters, excluding hyphens (-) and percent signs (%). You must use the escape character (\) if you use a backslash (\) or quotation marks (") in the name.

global: Specifies the external network information that the internal server uses to provide services to the external network.

destination-ip object-group-name&<1-5>: Specifies a space-separated list of up to five address object group items. The object-group-name argument specifies the name of an address object group, a case-insensitive string of 1 to 5 characters. If spaces are included in the object group name, enclose the name in quotation marks, for example, "a 1".

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 63 characters.

inside: Specifies the internal information of the server.

local-address: Specifies the private IP address of the internal server.

local-port: Specifies the private port number of the server. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

vrrp virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255. For active/standby HA, specify this keyword on the primary device in the HA group. For dual-active HA, specify different VRRP groups for object group-based NAT server mappings with different public IP addresses on the primary device. The different bindings ensure that the translation of reverse user traffic is load shared by different master devices in VRRP groups.

disable: Disables the object group-based NAT Server rule.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

description text: Specifies a description for the object group-based NAT Server rule. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

When multiple object group-based NAT server rules are configured, the rule configured earlier has a higher priority. The match process of a packet stops when the packet matches a rule. Different object group-based NAT server rules can use the same address object group or service object group.

Before you use the nat server rule rule-name global destination-ip object-group-name or nat server rule rule-name global service object-group-name command, follow these restrictions and guidelines:

·     Make sure the rule has been created.

·     You cannot add duplicate address object groups to the same rule by using the nat server rule rule-name global destination-ip object-group-name command. If only one address object group is used by the rule, you cannot use the undo nat server rule rule-name global destination-ip object-group-name command to delete this address object group.

·     Only one service object group can be used by one rule. If no service object group is specified when you create a rule, you can use the nat server rule rule-name global service object-group-name command to specify it. If a service object group has been specified when you create the rule, you cannot use this command to modify the service object group.

Before you configure an object group-based NAT server rule, make sure the object groups to be used by the NAT server rule have been created.

Only IPv4 address object groups are supported, and the IPv4 address object groups cannot have excluded IPv4 addresses.

The private port number in the NAT server rule takes effect only when the protocol type is TCP or UDP for the service object group.

You can create a maximum of 4096 object group-based NAT server rules.

Examples

# Configure the NAT Server on GigabitEthernet 1/0/1 and use address object groups a1, a2, and a3 to match public IP addresses and use service object group b1 to match public ports.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server rule aaa global destination-ip a1 a2 a3 service b1 inside 1.1.1.1 80

# Configure the NAT Server on GigabitEthernet 1/0/1 and use address object group a1 to match public IP addresses, and then add address object groups a2 and a3 and service object group b1 to the rule.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server rule aaa global destination-ip a1 inside 1.1.1.1 80

[Sysname-GigabitEthernet1/0/1] nat server rule aaa global destination-ip a1 a2 service b1

Related commands

display nat all

display nat server

nat server rule move

Use nat server rule move to change the priority of an ACL-based NAT server rule.

Syntax

nat server rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the NAT rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Usage guidelines

Non-default vSystems do not support this command.

This command is applicable only to named ACL-based NAT server rules.

A NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Examples

# Move the ACL-based NAT server rule abc to the line before the ACL-based NAT server rule def.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server rule move abc before def

Related commands

nat server

nat server-group

Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.

Use undo nat server-group to delete an internal server group.

Syntax

nat server-group group-id

undo nat server-group group-id

Default

No internal server groups exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

group-id: Assigns an ID to the internal server group. The value range for this argument is 0 to 65535.

Usage guidelines

Non-default vSystems do not support this command.

An internal server group can contain multiple members configured by the inside ip command.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

display nat all

display nat server-group

inside ip

nat server

nat session create-rate enable

Use nat session create-rate enable to enable statistics collection for NAT session creation rate.

Use undo nat session create-rate enable to disable statistics collection for NAT session creation rate.

Syntax

nat session create-rate enable

undo nat session create-rate enable

Default

Statistics collection for NAT session creation rate is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This feature collects information about NAT session creation rates. To view the statistics, use the display nat statistics command.

Examples

# Enable statistics collection for NAT session creation rate.

<Sysname> system-view

[Sysname] nat session create-rate enable

Related commands

display nat statistics

nat static blade-load-sharing-group

Use nat static blade-load-sharing-group to specify a load sharing group for static NAT.

Use undo nat static blade-load-sharing-group to restore the default.

Syntax

nat static blade-load-sharing-group group-name

undo nat static blade-load-sharing-group

Default

No load sharing group is specified for static NAT.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

group-name: Specifies a load sharing group by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

The term "static NAT" in this command refers to static NAT, NAT Server, and static NAT444.

If the main service engine is overwhelmed by processing static NAT, specify a load sharing group to distribute the static NAT load to different service engines.

Make sure the specified load sharing group already exists.

Examples

# Specify the load sharing group Blade4fw-m90001 for static NAT.

<Sysname> system-view

[Sysname] nat static blade-load-sharing-group Blade4fw-m90001

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat static enable

Related commands

display nat all

display nat static

nat static

nat static net-to-net

nat static inbound

Use nat static inbound to configure a one-to-one mapping for inbound static NAT.

Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ] [ description text ]

undo nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the internal hosts that can access the external network.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP address.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the one-to-one inbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

description text: Specifies a description for the one-to-one inbound static mapping. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

When the source IP address of a packet from the external network to the internal network matches the global-ip, the source IP address is translated into the local-ip. When the destination IP address of a packet from the internal network to the external network matches the local-ip, the destination IP address is translated into the global-ip.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP address.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

One-to-one mappings for inbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings:

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.
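The three ACL cases above (no ACL, ACL without reversible, ACL with reversible) and the two-step ACL reverse matching are easy to get wrong when reading a configuration. The following Python model is an added illustration, not H3C code: it keeps an ACL as an ordered list of permit/deny rules with source and destination prefixes and optional ports, and assumes that a packet matching no rule is not permitted. The scenario it builds is constructed (nat static inbound 2.2.2.2 192.168.1.1 with an ACL that permits 2.2.2.2 to reach 192.168.1.0/24); the Packet, AclRule, InboundStaticMapping, translate_incoming, translate_outgoing and scenario names are hypothetical.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Hypothetical model of inbound static NAT with an ACL and the reversible keyword
# (illustration only, not H3C code). Rules are checked in order; a packet that
# matches no rule is treated as not permitted (assumption of this model).


@dataclass(frozen=True)
class AclRule:
    action: str                     # "permit" or "deny"
    source: IPv4Network
    destination: IPv4Network
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src_ip: IPv4Address
    src_port: int
    dst_ip: IPv4Address
    dst_port: int


@dataclass(frozen=True)
class InboundStaticMapping:
    global_ip: IPv4Address
    local_ip: IPv4Address
    acl: Optional[List[AclRule]] = None
    reversible: bool = False


def _port_ok(rule_port: Optional[int], port: int) -> bool:
    return rule_port is None or rule_port == port


def acl_permits(acl: List[AclRule], pkt: Packet) -> bool:
    """Normal matching: packet source against rule source, destination against rule destination."""
    for rule in acl:
        if (pkt.src_ip in rule.source and _port_ok(rule.src_port, pkt.src_port)
                and pkt.dst_ip in rule.destination and _port_ok(rule.dst_port, pkt.dst_port)):
            return rule.action == "permit"
    return False


def acl_reverse_permits(acl: List[AclRule], pkt: Packet, translated: Packet) -> bool:
    """ACL reverse matching: (1) packet source IP/port against the ACL destination IP/port,
    (2) translated destination IP/port against the ACL source IP/port."""
    for rule in acl:
        if (pkt.src_ip in rule.destination and _port_ok(rule.dst_port, pkt.src_port)
                and translated.dst_ip in rule.source and _port_ok(rule.src_port, translated.dst_port)):
            return rule.action == "permit"
    return False


def translate_incoming(m: InboundStaticMapping, pkt: Packet) -> Packet:
    """External -> internal: a source address equal to global-ip becomes local-ip."""
    if pkt.src_ip != m.global_ip:
        return pkt
    if m.acl is not None and not acl_permits(m.acl, pkt):
        return pkt                                # ACL does not permit: no translation
    return replace(pkt, src_ip=m.local_ip)


def translate_outgoing(m: InboundStaticMapping, pkt: Packet) -> Packet:
    """Internal -> external, connection actively initiated from inside to local-ip:
    the destination becomes global-ip only in the cases the reference lists."""
    if pkt.dst_ip != m.local_ip:
        return pkt
    if m.acl is None:
        return replace(pkt, dst_ip=m.global_ip)    # no ACL: every such packet is translated
    if not m.reversible:
        return pkt                                 # ACL without reversible: never translated
    translated = replace(pkt, dst_ip=m.global_ip)
    return translated if acl_reverse_permits(m.acl, pkt, translated) else pkt


def scenario(with_acl: bool = True, reversible: bool = False,
             acl_dst_port: Optional[int] = None) -> InboundStaticMapping:
    """Constructed example: nat static inbound 2.2.2.2 192.168.1.1 [acl ... [reversible]],
    where the ACL permits 2.2.2.2 to reach 192.168.1.0/24 (optionally only on one port)."""
    acl = [AclRule("permit", IPv4Network("2.2.2.2/32"), IPv4Network("192.168.1.0/24"),
                   dst_port=acl_dst_port)]
    return InboundStaticMapping(IPv4Address("2.2.2.2"), IPv4Address("192.168.1.1"),
                                acl if with_acl else None, reversible)


def incoming_source_after_nat(m: InboundStaticMapping, dst_ip: str) -> str:
    """Source address seen inside for a packet from 2.2.2.2 to dst_ip port 80."""
    pkt = Packet(IPv4Address("2.2.2.2"), 40000, IPv4Address(dst_ip), 80)
    return str(translate_incoming(m, pkt).src_ip)


def outgoing_destination_after_nat(m: InboundStaticMapping) -> str:
    """Destination seen outside for 192.168.1.50:40000 -> 192.168.1.1:22 (inside-initiated)."""
    pkt = Packet(IPv4Address("192.168.1.50"), 40000, IPv4Address("192.168.1.1"), 22)
    return str(translate_outgoing(m, pkt).dst_ip)
```

Note the port case: an ACL rule that restricts the destination port (for example to 80) is compared, during reverse matching, against the source port of the inside-initiated connection, which is normally ephemeral, so such a rule rarely permits reverse translation even with reversible set.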

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

Related commands

display nat all

display nat static

nat static enable

nat static inbound net-to-net

Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.

Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.

Syntax

nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ]

undo nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

global-start-address global-end-address: Specifies a public address range, which can contain a maximum of 256 addresses. The global-end-address must not be lower than the global-start-address. If they are the same, only one public address is specified.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

local-network: Specifies a private network address.

mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.

mask: Specifies the mask of the private network address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private network address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the internal hosts that can access the external network.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP addresses.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the net-to-net inbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Specify a public network through a start address and an end address, and a private network through a private address and a mask.

When the source address of a packet from the external network matches the public address range, the source address is translated into a private address in the private address range. When the destination address of a packet from the internal network matches the private address range, the destination address is translated into a public address in the public address range.

The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
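The end-address restriction is easier to apply with a small pre-check than by hand. The following Python helper is an added illustration, not H3C code: it verifies the three limits stated for this command (at most 256 public addresses, mask length 8 to 31, and the end address not beyond the subnet formed by the public start address and the private mask), and additionally assumes that local-network is given as a network address. The check_net_to_net and max_global_end names are hypothetical.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List

# Illustration only (not H3C code): pre-checks for the arguments of a
# nat static inbound net-to-net mapping, using the limits the reference states.
MAX_PUBLIC_ADDRESSES = 256


def max_global_end(global_start: str, mask_length: int) -> str:
    """Greatest end address allowed: the last address of the subnet formed by the
    public start address and the private network mask (e.g. 1.1.1.100/24 -> 1.1.1.255)."""
    subnet = IPv4Network((global_start, mask_length), strict=False)
    return str(subnet.broadcast_address)


def check_net_to_net(global_start: str, global_end: str,
                     local_network: str, mask_length: int) -> List[str]:
    """Return the violated restrictions; an empty list means the arguments are acceptable."""
    if not 8 <= mask_length <= 31:
        return [f"mask length {mask_length} is outside the range 8 to 31"]
    start, end = IPv4Address(global_start), IPv4Address(global_end)
    if end < start:
        return ["global-end-address is lower than global-start-address"]
    problems: List[str] = []
    count = int(end) - int(start) + 1
    if count > MAX_PUBLIC_ADDRESSES:
        problems.append(f"public range holds {count} addresses, more than {MAX_PUBLIC_ADDRESSES}")
    ceiling = IPv4Address(max_global_end(global_start, mask_length))
    if end > ceiling:
        problems.append(f"global-end-address {end} is greater than {ceiling}, "
                        f"the greatest address in the subnet of {start} under mask /{mask_length}")
    # Assumption of this helper: the private side is given as a network address.
    private = IPv4Network((local_network, mask_length), strict=False)
    if IPv4Address(local_network) != private.network_address:
        problems.append(f"{local_network} is not the network address of {private}")
    return problems


if __name__ == "__main__":
    print(check_net_to_net("1.1.1.100", "1.1.2.10", "2.2.2.0", 24))
```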

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Net-to-net mappings for inbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings:

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure an inbound static NAT between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.

<Sysname> system-view

[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24

Related commands

display nat all

display nat static

nat static enable

nat static inbound net-to-net rule move

Use nat static inbound net-to-net rule move to change the priority of an inbound net-to-net static NAT rule.

Syntax

nat static inbound net-to-net rule move nat-rule-name1 { after | before } nat-rule-name2

Default

An inbound net-to-net static NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the NAT rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Examples

# Move the inbound net-to-net static NAT rule abc to the line before the inbound net-to-net static NAT rule def.

<Sysname> system-view

[Sysname] nat static inbound net-to-net rule move abc before def

Related commands

nat static inbound net-to-net

nat static inbound object-group

Use nat static inbound object-group to configure an object group-based inbound static NAT mapping.

Use undo nat static inbound object-group to remove an object group-based inbound static NAT mapping.

Syntax

nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ] [ counting ]

undo nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

object-group global-object-group-name: Specifies an object group of public IPv4 addresses. The global-object-group-name argument is a case-insensitive string of 1 to 63 characters.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

object-group local-object-group-name: Specifies an object group of private IPv4 addresses. The local-object-group-name argument is a case-insensitive string of 1 to 63 characters.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

disable: Disables the object group based inbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

This command specifies public and private IP addresses through IPv4 address object groups.

When the source address of an incoming packet matches the public address object group, the source address is translated into a private address in the private address object group. When the destination address of an outgoing packet matches the private address object group, the destination address is translated into a public address in the public address object group.

When you specify object groups for an inbound static mapping, follow these restrictions and guidelines:

·     The public or private IPv4 address object group can contain only one IPv4 address object.

·     The quantity of IPv4 addresses in the private IPv4 address object group cannot be smaller than that in the public IPv4 address object group.

·     The object in the private IPv4 address object group cannot be an address range.

·     If the private IPv4 object group contains a host address, the host address cannot be on the same subnet as the interface configured with this mapping.

·     One IPv4 address object group can only contain one host object or subnet object. Otherwise, the mapping does not take effect.

·     A subnet object cannot have excluded addresses. Otherwise, the mapping does not take effect.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source addresses of all incoming packets and the destination addresses of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by internal hosts to the external hosts.

·     If you specify both an ACL and the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. If packets of connections actively initiated by internal hosts to the external hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound, nat static inbound net-to-net, and nat static inbound object-group commands.

The vpn-instance parameter is required if you deploy inbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an object group-based inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] object-group ip address global

[Sysname-obj-grp-ip-global] network host address 2.2.2.2

[Sysname-obj-grp-ip-global] quit

[Sysname] object-group ip address local

[Sysname-obj-grp-ip-local] network host address 192.168.1.1

[Sysname-obj-grp-ip-local] quit

[Sysname] nat static inbound object-group global object-group local

Related commands

display nat all

display nat static

nat static enable

nat static inbound rule move

Use nat static inbound rule move to change the priority of an inbound one-to-one static NAT rule.

Syntax

nat static inbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the NAT rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Usage guidelines

Non-default vSystems do not support this command.

This command is applicable only to named inbound one-to-one static NAT rules.

A NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Examples

# Move the inbound one-to-one static NAT rule abc to the line before the inbound one-to-one static NAT rule def.

<Sysname> system-view

[Sysname] nat static inbound rule move abc before def

Related commands

nat static inbound

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ vrrp virtual-router-id ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ] [ description text ]

undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address.

vrrp virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255. For active/standby HA, specify this keyword on the primary device in the HA group. For dual-active HA, specify different VRRP groups for one-to-one outbound static NAT mappings with different public IP addresses on the primary device. This operation ensures that the master devices load share the translation of reverse user traffic.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the one-to-one outbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

description text: Specifies a description for the one-to-one outbound static mapping. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

One-to-one mappings for outbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings.

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001

Related commands

display nat all

display nat static

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ vrrp virtual-router-id ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

local-start-address local-end-address: Specifies a private address range, which can contain a maximum of 256 addresses. The local-end-address must not be lower than the local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses.

vrrp virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255. For active/standby HA, specify this keyword on the primary device in the HA group. For dual-active HA, specify different VRRP groups for net-to-net outbound static NAT mappings with different public IP ranges on the primary device. This operation ensures that the master devices load share the translation of reverse user traffic.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. The default value is 4294967295. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the net-to-net outbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Non-default vSystems do not support this command.

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
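The range restriction above, and the forward and reverse translations of the two preceding paragraphs, as an added Python model (not H3C code). It assumes that the translation keeps the host bits of the address under the public mask and swaps in the public network prefix, which is what the "greatest IP address in the subnet determined by the private start address and the public network mask" restriction implies; the class and function names are constructs for this illustration.

```python
import ipaddress

# Added example (not H3C code): models a net-to-net outbound static NAT mapping
# with the range checks from the usage guidelines. Assumption: host bits under
# the public mask are preserved and the public prefix is substituted.

MAX_RANGE_SIZE = 256  # maximum number of addresses in the private range


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _to_str(n):
    return str(ipaddress.IPv4Address(n))


class NetToNetStaticNat:
    def __init__(self, local_start, local_end, global_network, mask_length):
        if not 8 <= mask_length <= 31:
            raise ValueError("mask length must be in the range 8 to 31")
        self.mask = (0xFFFFFFFF << (32 - mask_length)) & 0xFFFFFFFF
        self.host_mask = ~self.mask & 0xFFFFFFFF
        self.local_start = _to_int(local_start)
        self.local_end = _to_int(local_end)
        self.global_prefix = _to_int(global_network) & self.mask

        if self.local_end < self.local_start:
            raise ValueError("local-end-address must not be lower than local-start-address")
        if self.local_end - self.local_start + 1 > MAX_RANGE_SIZE:
            raise ValueError("the private range may contain at most 256 addresses")
        # Greatest address in the subnet formed by the private start address and
        # the public mask, e.g. 1.1.1.255 for start 1.1.1.100 and mask /24.
        subnet_max = (self.local_start & self.mask) | self.host_mask
        if self.local_end > subnet_max:
            raise ValueError(
                f"private end address exceeds {_to_str(subnet_max)}, the greatest "
                "address in the subnet determined by the start address and the mask")

    def translate_source(self, local_ip):
        """Outgoing packet: private source address -> public address, or None."""
        n = _to_int(local_ip)
        if not self.local_start <= n <= self.local_end:
            return None
        return _to_str(self.global_prefix | (n & self.host_mask))

    def translate_destination(self, global_ip):
        """Incoming packet: public destination address -> private address, or None."""
        n = _to_int(global_ip)
        if (n & self.mask) != self.global_prefix:
            return None
        local = (self.local_start & self.mask) | (n & self.host_mask)
        if not self.local_start <= local <= self.local_end:
            return None  # this public address has no private peer in the range
        return _to_str(local)


def check_mapping(local_start, local_end, global_network, mask_length):
    """Return the rejection reason for an invalid mapping, or None if it is accepted."""
    try:
        NetToNetStaticNat(local_start, local_end, global_network, mask_length)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample mirroring the page's example values.
    nat = NetToNetStaticNat("192.168.1.1", "192.168.1.255", "2.2.2.0", 24)
    print(nat.translate_source("192.168.1.10"))
    print(nat.translate_destination("2.2.2.10"))
    print(check_mapping("1.1.1.100", "1.1.2.5", "2.2.2.0", 24))
```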

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Net-to-net mappings for outbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings.

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001

Related commands

display nat all

display nat static

nat static enable

nat static outbound net-to-net rule move

Use nat static outbound net-to-net rule move to change the priority of an outbound net-to-net static NAT rule.

Syntax

nat static outbound net-to-net rule move nat-rule-name1 { after | before } nat-rule-name2

Default

An outbound net-to-net static NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the NAT rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Examples

# Move the outbound net-to-net static NAT rule abc to the line before the outbound net-to-net static NAT rule def.

<Sysname> system-view

[Sysname] nat static outbound net-to-net rule move abc before def

Related commands

nat static outbound net-to-net

nat static outbound object-group

Use nat static outbound object-group to configure an object group-based outbound static NAT mapping.

Use undo nat static outbound object-group to remove an object group-based outbound static NAT mapping.

Syntax

nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ vrrp virtual-router-id ] [ disable ] [ counting ]

undo nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

object-group local-object-group-name: Specifies an object group of private IPv4 addresses. The local-object-group-name argument is a case-insensitive string of 1 to 63 characters.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

object-group global-object-group-name: Specifies an object group of public IPv4 addresses. The global-object-group-name argument is a case-insensitive string of 1 to 63 characters.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

vrrp virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255. For active/standby HA, specify this keyword on the primary device in the HA group. For dual-active HA, specify different VRRP groups for object group-based NAT server mappings with different public IP addresses on the primary device. This operation ensures that the master devices load share the translation of reverse user traffic.

disable: Disables the object group based outbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Non-default vSystems do not support this command.

This command specifies public and private IP addresses through IPv4 address object groups.

When the source address of a packet from the private network matches the private address object group, the source address is translated into a public address in the public address object group. When the destination address of a packet from the public network matches the public address object group, the destination address is translated into a private address in the private address object group.

When you specify object groups for an outbound static mapping, follow these restrictions and guidelines:

·     The public or private IPv4 address object group can contain only one IPv4 address object.

·     The quantity of IPv4 addresses in the private IPv4 address object group cannot be larger than that in the public IPv4 address object group.

·     The object in the public IPv4 address object group cannot be an address range.

·     An IPv4 address object group can only contain a host object or a subnet object. Otherwise, the mapping does not take effect.

·     A subnet object cannot have excluded IPv4 addresses. Otherwise, the mapping does not take effect.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source addresses of all outgoing packets and the destination addresses of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by external hosts to the internal hosts.

·     If you specify both an ACL and the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. If packets of connections actively initiated by external hosts to the internal hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
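The ACL checks described above, and in the same terms under nat static inbound object-group, nat static outbound, and nat static outbound net-to-net, as an added Python model (not H3C code): forward matching for traffic that uses the mapping, and ACL reverse matching for connections initiated from the other side when the reversible keyword is specified. AclRule, Acl and StaticNatMapping are simplified constructs for this illustration, and the sample ACL and addresses mirror the page's nat static outbound example.

```python
import ipaddress

# Added example (not H3C code): forward ACL matching on a one-to-one static
# mapping and ACL reverse matching when `reversible` is set.


class AclRule:
    """One advanced ACL rule: permit/deny by source/destination prefix and an
    optional port (None means any port)."""

    def __init__(self, action, source="0.0.0.0/0", source_port=None,
                 destination="0.0.0.0/0", destination_port=None):
        self.action = action
        self.source = ipaddress.ip_network(source)
        self.source_port = source_port
        self.destination = ipaddress.ip_network(destination)
        self.destination_port = destination_port

    def matches(self, src_ip, src_port, dst_ip, dst_port):
        return (ipaddress.ip_address(src_ip) in self.source
                and self.source_port in (None, src_port)
                and ipaddress.ip_address(dst_ip) in self.destination
                and self.destination_port in (None, dst_port))


class Acl:
    def __init__(self, rules):
        self.rules = rules

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """Normal matching: the first matching rule decides; no match means not permitted."""
        for rule in self.rules:
            if rule.matches(src_ip, src_port, dst_ip, dst_port):
                return rule.action == "permit"
        return False

    def permits_reverse(self, src_ip, src_port, translated_dst_ip, dst_port):
        """ACL reverse matching: the packet's source IP/port is compared with the
        rule's destination fields, and the destination IP after translation by the
        mapping is compared with the rule's source fields."""
        for rule in self.rules:
            if rule.matches(translated_dst_ip, dst_port, src_ip, src_port):
                return rule.action == "permit"
        return False


class StaticNatMapping:
    """One-to-one outbound static mapping local_ip <-> global_ip with an optional
    ACL and the reversible keyword."""

    def __init__(self, local_ip, global_ip, acl=None, reversible=False):
        self.local_ip, self.global_ip = local_ip, global_ip
        self.acl, self.reversible = acl, reversible

    def translate_outgoing(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the internal host: translated source address, or None if
        the mapping does not apply."""
        if src_ip != self.local_ip:
            return None
        if self.acl is not None and not self.acl.permits(src_ip, src_port, dst_ip, dst_port):
            return None
        return self.global_ip

    def translate_incoming(self, src_ip, src_port, dst_ip, dst_port):
        """First packet of a connection initiated from the external network to the
        public address: translated destination address, or None. Reply packets of
        sessions created by outgoing traffic follow the session table and are not
        modelled here."""
        if dst_ip != self.global_ip:
            return None
        if self.acl is None:
            return self.local_ip   # no ACL: every external initiator reaches the host
        if not self.reversible:
            return None            # ACL without reversible: never translated
        if self.acl.permits_reverse(src_ip, src_port, self.local_ip, dst_port):
            return self.local_ip
        return None


# Constructed sample mirroring the page's example: ACL 3001 permits traffic to
# 3.3.3.0/24, and 192.168.1.1 is mapped to 2.2.2.2.
ACL_3001 = Acl([AclRule("permit", destination="3.3.3.0/24")])
MAPPING_ACL_ONLY = StaticNatMapping("192.168.1.1", "2.2.2.2", acl=ACL_3001)
MAPPING_REVERSIBLE = StaticNatMapping("192.168.1.1", "2.2.2.2", acl=ACL_3001, reversible=True)
MAPPING_NO_ACL = StaticNatMapping("192.168.1.1", "2.2.2.2")
```

The exposure difference is the point: with no ACL, any external host can initiate to 2.2.2.2 and be translated to 192.168.1.1; with the ACL and reversible, only initiators inside the ACL's destination set (3.3.3.0/24 here) are.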

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound, nat static outbound net-to-net, and nat static outbound object-group commands.

The vpn-instance parameter is required if you deploy outbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an object group-based outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] object-group ip address global

[Sysname-obj-grp-ip-global] network host address 2.2.2.2

[Sysname-obj-grp-ip-global] quit

[Sysname] object-group ip address local

[Sysname-obj-grp-ip-local] network host address 192.168.1.1

[Sysname-obj-grp-ip-local] quit

[Sysname] nat static outbound object-group local object-group global

Related commands

display nat all

display nat static

nat static outbound rule move

Use nat static outbound rule move to change the priority of an outbound one-to-one static NAT rule.

Syntax

nat static outbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

nat-rule-name1: Specifies the name of the NAT rule to be moved.

after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.

before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.

nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.

Usage guidelines

Non-default vSystems do not support this command.

This command is applicable only to named outbound one-to-one static NAT rules.

A NAT rule appearing earlier on the rule list has a higher priority for packet matching.

Examples

# Move the outbound one-to-one static NAT rule abc to the line before the outbound one-to-one static NAT rule def.

<Sysname> system-view

[Sysname] nat static outbound rule move abc before def

Related commands

nat static outbound

nat static-load-balance enable

Use nat static-load-balance enable to enable static NAT load sharing.

Use undo nat static-load-balance enable to disable static NAT load sharing.

Syntax

nat static-load-balance enable

undo nat static-load-balance enable

Default

Static NAT load sharing is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

The term "static NAT" in this command refers to static NAT, NAT Server, and static NAT444.

If the main service engine is overwhelmed by processing static NAT, enable this feature to distribute the static NAT load to different service engines.

After you enable or disable this feature, execute the reset nat session and reset session table commands to clear session entries. Otherwise, static NAT cannot function correctly. Use this feature with caution because deleting session entries can result in service interruption.

Examples

# Enable static NAT load sharing.

<Sysname> system-view

[Sysname] nat static-load-balance enable

nat timestamp delete

Use nat timestamp delete to enable the deletion of timestamps in TCP SYN and SYN ACK packets.

Use undo nat timestamp delete to restore the default.

Syntax

nat timestamp delete [ vpn-instance vpn-instance-name ]

undo nat timestamp delete [ vpn-instance vpn-instance-name ]

Default

The TCP SYN and SYN ACK packets carry the timestamp.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the TCP SYN and SYN ACK packets belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify this option, this command applies to TCP SYN and SYN ACK packets on the public network.

Usage guidelines

Non-default vSystems do not support this command.

With this feature configured, the system deletes the timestamps from the TCP SYN and SYN ACK packets after dynamic address translation.

If PAT mode is configured on an interface by using nat inbound or nat outbound, and the tcp_timestamp and tcp_tw_recycle functions are enabled on the TCP server, TCP connections might fail to be established. To solve the problem, disable the tcp_tw_recycle function on the server or configure the nat timestamp delete command.

You can enable this feature for multiple VPN instances by repeating the command with different VPN parameters.

Examples

# Enable the deletion of the timestamp for TCP SYN and SYN ACK packets on the public network.

<Sysname> system-view

[Sysname] nat timestamp delete

# Enable the deletion of the timestamp for TCP SYN and SYN ACK packets on the VPN instance aa.

<Sysname> system-view

[Sysname] nat timestamp delete vpn-instance aa

Related commands

nat outbound

nat inbound

outbound-interface

Use outbound-interface to apply the NAT rule to the outgoing traffic on an interface.

Use undo outbound-interface to restore the default.

Syntax

outbound-interface interface-type interface-number

undo outbound-interface

Default

A NAT rule is not applied to the outgoing traffic on an interface.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

Non-default vSystems do not support this command.

After you execute the command, the NAT rule applies to the outgoing traffic passing through the specified interface.

Examples

# Apply the NAT rule aaa to the outgoing traffic on GigabitEthernet 1/0/2.

<Sysname> system-view

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] outbound-interface gigabitethernet 1/0/2

Related commands

display nat all

display nat policy

port-block

Use port-block to configure port block parameters for a NAT address group.

Use undo port-block to restore the default.

Syntax

port-block block-size block-size [ extended-block-number extended-block-number ]

undo port-block

Default

No port block parameters are configured for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

block-size block-size: Specifies the port block size. The value range for the block-size argument is 1 to 65535. In a NAT address group, the port block size cannot be larger than the number of ports in the port range.

extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When a private IP address accesses the public network, but the ports in the selected port block are all occupied, the NAT444 gateway extends port blocks one by one for the private IP address.

Usage guidelines

To configure dynamic port block mappings, port block parameters are required in the NAT address group. When a private IP address initiates a connection to the public network, the NAT444 gateway assigns it a public IP address and a port block, and creates an entry for the mapping. For subsequent connections from the private IP address, the NAT444 gateway translates the private IP address to the mapped public IP address and the ports to ports in the selected port block.

Examples

# Set the port block size to 256 and the number of extended port blocks to 1 in NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] port-block block-size 256 extended-block-number 1

Related commands

nat address-group

port-range

Use port-range to specify a port range for public IP addresses.

Use undo port-range to restore the default.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

The port range for public IP addresses is 1 to 65535.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number. As a best practice, set the start port number to be equal to or larger than 1024 to avoid an application protocol identification error.

Usage guidelines

The port range must include all ports that public IP addresses use for address translation.

The number of ports in a port range cannot be smaller than the port block size.
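The port-block and port-range descriptions above define how a NAT444 gateway hands out public ports: a private IP address receives one public IP address and one port block, and when every port in its blocks is occupied the gateway extends it by one block at a time, up to the configured number of extended blocks. The following Python model is an added example, not H3C code; the class and function names, the log line format, and the sample addresses are constructed for illustration. It enforces the documented constraints (block size within 1 to 65535 and not larger than the port range, 1 to 5 extended blocks) and shows why port-block assignment records are what let an operator attribute a public IP and port seen in an external log back to one private host.

```python
"""Toy model of NAT444 dynamic port-block allocation (added example, not
H3C code). Mirrors the documented constraints for port-block and
port-range: the block size cannot exceed the number of ports in the range,
a private host gets one public IP plus one block, and when all its ports
are in use the gateway extends it one block at a time, up to
extended-block-number (1 to 5) extra blocks on the same public IP."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def port_range_error(start: int, end: int, block_size: int,
                     extended: int) -> Optional[str]:
    """Return a message for the first invalid parameter, or None if all are valid.
    extended == 0 means extended-block-number was not specified."""
    if not 1 <= start <= end <= 65535:
        return "end port cannot be smaller than start port"
    if not 1 <= block_size <= 65535:
        return "block-size must be 1 to 65535"
    if block_size > end - start + 1:
        return "port block size cannot be larger than the port range"
    if not 0 <= extended <= 5:
        return "extended-block-number must be 1 to 5"
    return None


@dataclass
class AddressGroup:
    public_ips: List[str]
    start_port: int = 1
    end_port: int = 65535
    block_size: int = 256
    extended_blocks: int = 0

    def __post_init__(self) -> None:
        err = port_range_error(self.start_port, self.end_port,
                               self.block_size, self.extended_blocks)
        if err:
            raise ValueError(err)

    def blocks_per_ip(self) -> int:
        # Only whole blocks are handed out; a partial tail block is ignored.
        return (self.end_port - self.start_port + 1) // self.block_size

    def block_ports(self, idx: int) -> Tuple[int, int]:
        lo = self.start_port + idx * self.block_size
        return lo, lo + self.block_size - 1


class Nat444Gateway:
    def __init__(self, group: AddressGroup) -> None:
        self.group = group
        # Free (public IP, block index) pairs, handed out in order.
        self.free: List[Tuple[str, int]] = [(ip, b) for ip in group.public_ips
                                            for b in range(group.blocks_per_ip())]
        self.mapping: Dict[str, Tuple[str, List[int]]] = {}  # private IP -> (public IP, blocks)
        self.used: Dict[str, Set[int]] = {}                   # private IP -> public ports in use
        self.log: List[str] = []  # constructed stand-in for port-block assignment logs

    def _take_block(self, private_ip: str,
                    public_ip: Optional[str] = None) -> Optional[Tuple[str, int]]:
        for i, (ip, b) in enumerate(self.free):
            if public_ip is None or ip == public_ip:
                self.free.pop(i)
                lo, hi = self.group.block_ports(b)
                self.log.append(f"assign {private_ip} -> {ip}:{lo}-{hi}")
                return ip, b
        return None

    def new_session(self, private_ip: str) -> Optional[Tuple[str, int]]:
        """Allocate a public (IP, port) for a new connection, or None if exhausted."""
        if private_ip not in self.mapping:
            taken = self._take_block(private_ip)
            if taken is None:
                return None
            self.mapping[private_ip] = (taken[0], [taken[1]])
            self.used[private_ip] = set()
        pub_ip, blocks = self.mapping[private_ip]
        used = self.used[private_ip]
        for b in blocks:
            lo, hi = self.group.block_ports(b)
            for port in range(lo, hi + 1):
                if port not in used:
                    used.add(port)
                    return pub_ip, port
        # Every port in the assigned blocks is occupied: extend by one block
        # on the same public IP if the extension budget allows.
        if len(blocks) - 1 < self.group.extended_blocks:
            taken = self._take_block(private_ip, pub_ip)
            if taken is not None:
                blocks.append(taken[1])
                return self.new_session(private_ip)
        return None


if __name__ == "__main__":
    # Constructed sample: one public IP, 512 ports, blocks of 256, one extension.
    gw = Nat444Gateway(AddressGroup(["203.0.113.10"], 10000, 10511, 256, 1))
    for _ in range(257):
        last = gw.new_session("10.0.0.1")
    print(last, gw.new_session("10.0.0.2"), gw.log)
```

With one public address and a 512-port range the second host is refused outright once the first host has consumed both blocks, which is the capacity trade-off behind choosing block-size and extended-block-number: a larger block or more extensions lets a busy host open more connections, but fewer hosts can share each public IP address.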

Examples

# Specify the port range as 1024 to 65535 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-range 1024 65535

# Specify the port range as 30001 to 65535 for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-range 30001 65535

Related commands

nat address-group

nat port-block-group

probe

Use probe to specify a probe method for a NAT address group.

Use undo probe to cancel the probe method for a NAT address group.

Syntax

probe template-name

undo probe template-name

Default

No probe method is specified for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

context-admin

Parameters

template-name: Specifies the name of an NQA template used for address probe. The name is a case-insensitive string of 1 to 32 characters.

Usage guidelines

Non-default vSystems do not support this command.

The NAT address group probing uses an NQA template to detect the reachability of the addresses in the group.

The device periodically sends probe packets to the specified destination address in the NQA template. The source IP addresses in the probe packets are the IP addresses in the NAT address group.

·     If the device receives a response packet for a probe, the probed source IP address can be used for address translation.

·     If the device does not receive a response packet for a probe, the probed source IP address will be excluded from address translation temporarily. However, in the next NQA operation period, this excluded IP address is also probed. If a response is received in this round, the IP address can be used for address translation.

You can specify multiple NQA templates for one NAT address group. An IP address in the address group is identified as reachable as long as one probe for this IP address succeeds.

This command is applicable to NAT address groups used for outbound address translation. The manually configured excluded IP addresses are not probed.

When you configure an NQA template for probing IP addresses in a NAT address group, do not configure a source IP address in the template.
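The probe behaviour described above (every non-excluded address in the group is used as a probe source, an address is reachable if any one template's probe succeeds, and an unreachable address is set aside only until the next NQA period) is modelled below. This is an added example, not H3C code; the class name, the probe callback shape, and the 203.0.113.0/24 sample addresses are constructed for illustration.

```python
"""Model of NAT address-group probing with NQA templates (added example, not
H3C code). Each operation period, every address in the group that is not a
manually excluded address is used as the source of one probe per bound
template; an address counts as reachable if any one probe gets a response,
and an unreachable address is excluded only until the next period."""
from typing import Callable, Dict, Iterable, List, Set

ProbeFn = Callable[[str], bool]  # source IP -> True if a response was received


class ProbedAddressGroup:
    def __init__(self, addresses: Iterable[str], exclude_ip: Iterable[str] = ()) -> None:
        self.addresses: List[str] = list(addresses)
        self.excluded: Set[str] = set(exclude_ip)   # exclude-ip: never probed, never used
        self.templates: Dict[str, ProbeFn] = {}     # probe template-name bindings
        self.unreachable: Set[str] = set()          # temporary exclusions from the last period

    def probe(self, template_name: str, fn: ProbeFn) -> None:
        """Bind an NQA template; several templates may be bound to one group."""
        self.templates[template_name] = fn

    def run_period(self) -> Set[str]:
        """Run one NQA operation period and return the addresses found unreachable."""
        down: Set[str] = set()
        for ip in self.addresses:
            if ip in self.excluded or not self.templates:
                continue
            if not any(fn(ip) for fn in self.templates.values()):
                down.add(ip)
        # Last period's exclusions are re-evaluated, not carried over.
        self.unreachable = down
        return down

    def usable(self) -> List[str]:
        """Addresses currently eligible for outbound address translation."""
        return [ip for ip in self.addresses
                if ip not in self.excluded and ip not in self.unreachable]


if __name__ == "__main__":
    # Constructed responders standing in for ICMP and TCP NQA templates.
    icmp_up = {"203.0.113.1"}
    tcp_up = {"203.0.113.1", "203.0.113.2"}
    group = ProbedAddressGroup(["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"],
                               exclude_ip=["203.0.113.4"])
    group.probe("t4", lambda ip: ip in icmp_up)
    group.probe("t5", lambda ip: ip in tcp_up)
    print(group.run_period(), group.usable())
    icmp_up.add("203.0.113.3")      # the path recovers before the next period
    print(group.run_period(), group.usable())
```

The point for operations is the asymmetry: a single failed probe round silently shrinks the usable pool, so a period with many addresses reported unreachable deserves the same attention as an address-pool exhaustion alarm.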

Examples

# Create NQA ICMP template t4, and specify it as the probe method for NAT address group 1.

<Sysname> system-view

[Sysname] nqa template icmp t4

[Sysname-nqatplt-icmp-t4] quit

[Sysname] nat address-group 1

[Sysname-address-group-1] probe t4

Related commands

display nat probe address-group

exclude-ip

nqa template (Network Management and Monitoring Command Reference)

reset nat count statistics

Use reset nat count statistics to clear NAT counting statistics.

Syntax

reset nat count statistics { all | dynamic | global-policy | server | static | static-port-block }

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

all: Clears all counting statistics for NAT mappings.

dynamic: Clears counting statistics for dynamic NAT mappings.

global-policy: Clears counting statistics for the global NAT policy.

server: Clears counting statistics for NAT server mappings.

static: Clears counting statistics for static NAT mappings.

static-port-block: Clears counting statistics for NAT444 mappings.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Clear all counting statistics for NAT mappings.

<Sysname> reset nat count statistics all

Related commands

display nat inbound

display nat outbound

display nat outbound port-block-group

display nat port-block

display nat static

display nat server

reset nat dynamic-load-balance

Use reset nat dynamic-load-balance to redistribute the dynamic NAT load on NAT service engines.

Syntax

reset nat dynamic-load-balance [ address-group group-id ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

address-group group-id: Specifies a NAT address group by its ID. The value range for the group-id argument is 0 to 65535. The device redistributes the dynamic NAT load that uses the specified NAT address group. If you do not specify this option, the device redistributes all dynamic NAT load.

Usage guidelines

CAUTION:

Use this command with caution because the command execution will cause a temporary traffic interruption.

Non-default vSystems do not support this command.

The term "dynamic NAT" in this command refers to dynamic NAT and dynamic NAT444.

This command enables the device to redistribute the dynamic NAT load to different NAT service engines.

Examples

# Redistribute the dynamic NAT load to different NAT service engines.

<Sysname> reset nat dynamic-load-balance

reset nat periodic-statistics

Use reset nat periodic-statistics to clear periodic NAT statistics.

Syntax

In standalone mode:

reset nat periodic-statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset nat periodic-statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears periodic NAT statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears periodic NAT statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# (In standalone mode.) Clear periodic NAT statistics of slot 1.

<Sysname> reset nat periodic-statistics slot 1

Related commands

display nat periodic-statistics

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

In standalone mode:

reset nat session [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset nat session [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears NAT sessions for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Clear NAT sessions for the specified slot.

<Sysname> reset nat session slot 1

Related commands

display nat session

reset nat static-load-balance

Use reset nat static-load-balance to redistribute the static NAT load on NAT service engines.

Syntax

reset nat static-load-balance

Views

User view

Predefined user roles

network-admin

context-admin

Usage guidelines

CAUTION:

Use this command with caution because the command execution will cause a temporary traffic interruption.

Non-default vSystems do not support this command.

The term "static NAT" in this command refers to static NAT, NAT Server, and static NAT444.

This command enables the device to redistribute the static NAT load to different NAT service engines.

Examples

# Redistribute the static NAT load on different NAT service engines.

<Sysname> reset nat static-load-balance

rule move (interface-based NAT policy view)

Use rule move to rearrange NAT rules to change their priority.

Syntax

rule move rule-name1 { after | before } [ rule-name2 ]

Views

Interface-based NAT policy view

Global NAT policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-name1: Specifies the name of the NAT rule to be moved. The rule name is a case-insensitive string of 1 to 63 characters.

after: Places the rule rule-name1 after the rule rule-name2 (called the reference rule).

before: Places the rule rule-name1 before the reference rule.

rule-name2: Specifies the NAT rule as a reference rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify this argument, the priority of rule-name1 changes as follows:

·     If after is specified, the rule rule-name1 will have the lowest priority.

·     If before is specified, rule-name1 will have the highest priority.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Place the NAT rule aaa before the NAT rule bbb in the interface-based NAT policy.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule move aaa before bbb

Related commands

display nat all

display nat global-policy

display nat policy

rule move (global NAT policy view)

Use rule move to rearrange NAT rules to change their priority.

Syntax

rule move rule-name1 [ type { nat | nat64 | nat66 } ] { after | before } rule-name2 [ type { nat | nat64 | nat66 } ]

Views

Global NAT policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-name1: Specifies the name of the NAT rule to be moved. The rule name is a case-insensitive string of 1 to 63 characters.

type: Specifies the type of the NAT rule to be moved.

nat: Specifies the NAT-type.

nat64: Specifies the NAT64-type.

nat66: Specifies the NAT66-type.

after: Places the rule rule-name1 after the rule rule-name2 (called the reference rule).

before: Places the rule rule-name1 before the reference rule.

rule-name2: Specifies the NAT rule as a reference rule. The rule name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

You can rearrange only existing NAT rules to change their priority.

To rearrange global NAT rules to change their priority successfully, make sure all NAT rules containing destination address translation methods are before the NAT rules containing only source address translation methods.

·     Do not place a NAT rule containing a destination address translation method after a NAT rule containing only a source address translation method.

·     Do not place a NAT rule containing only a source address translation method before a NAT rule containing a destination address translation method.

On an HA network in active/standby mode, the device issues the rule move command with the type keyword specified automatically to back up global NAT actions in bulk. You do not need to specify the type keyword when rearranging NAT rules to change their priority.

Examples

# Place the NAT rule aaa after the NAT rule bbb in the global NAT policy.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule move aaa after bbb

Related commands

display nat all

display nat global-policy

rule name

Use rule name to create a NAT rule and enter NAT rule view, or enter the view of an existing NAT rule.

Use undo rule name to delete the specified NAT rule.

Syntax

Interface-based NAT policy view:

rule name rule-name

undo rule name rule-name

Global NAT policy view:

rule name rule-name [ type { nat | nat64 | nat66 } ]

undo rule name rule-name

Default

No NAT rule exists.

Views

Interface-based NAT policy view

Global NAT policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-name: Specifies the name of the NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. Valid characters cannot include hyphens (-) and percent signs (%). If you want to use a backslash (\) or a quotation mark ("), you must enter the escape character (\) before the backslash or the quotation mark. If you want to include spaces in the string, you must enclose the name string in quotation marks ("), for example, "XXX XXX".

type: Specifies the type of NAT rules in the global NAT policy. If you do not specify this keyword, the NAT rule type is NAT.

nat: Specifies the NAT-type rules in the global NAT policy, which are used for translation between IPv4 addresses.

nat64: Specifies the NAT64-type rules in the global NAT policy, which are used for translation between IPv4 addresses and IPv6 addresses.

nat66: Specifies the NAT66-type rules in the global NAT policy, which are used for translation between IPv6 addresses or translation between IPv6 prefixes.

Usage guidelines

Non-default vSystems do not support this command.

When you create, move, or modify the type of a NAT rule, follow these restrictions and guidelines:

·     In a NAT policy, the priority of NAT rules is determined by the configuration order. A rule configured earlier has a higher priority. You can use the rule move command to rearrange the NAT rules. To view the priority order of the NAT rules in a policy, use the display nat policy command or the display nat global-policy command.

·     You cannot repeatedly execute the rule name rule-name type command to modify the type of a NAT rule. To modify the type of a NAT rule, first use the undo rule name command to delete the NAT rule, and then execute the rule name rule-name type command to create a NAT rule.

·     The interface-based NAT policy supports a maximum of 4096 NAT rules. The global NAT policy supports a maximum of 10000 NAT rules.

Examples

# In the interface-based NAT policy, create a NAT rule named aaa and enter its view.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa]

# In the global NAT policy, create a NAT rule named aaa and enter its view.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa]

Related commands

display nat all

display nat global-policy

display nat policy

rule move

service

Use service to specify a service object group for the NAT rule.

Use undo service to delete a service object group from a NAT rule.

Syntax

service object-group-name

undo service [ object-group-name ]

Default

No service object group is specified for a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies the name of a service object group. The name is a case-insensitive string of 1 to 63 characters, and it cannot be any. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX".

Usage guidelines

Non-default vSystems do not support this command.

The NAT device uses the services specified in this command to identify matching packets. Only packets with the matching services are translated.

To translate source IP addresses of outgoing packets, use this command with the action snat command. To translate both the source IP address and destination IP address of incoming packets, use this command together with the action snat and action dnat commands.

The service object group must already exist.

If you do not specify a service object group in the undo service command, the command deletes all service object groups in the NAT rule.

A NAT rule can have a maximum of 256 service object groups.

Examples

# In the interface-based policy, specify NAT rule aaa to use service1, service2, and service3 as the service object groups.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] service service1

[Sysname-nat-policy-rule-aaa] service service2

[Sysname-nat-policy-rule-aaa] service service3

# In the global NAT policy, specify NAT rule aaa to use service1, service2, and service3 as the service object groups.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] service service1

[Sysname-nat-global-policy-rule-aaa] service service2

[Sysname-nat-global-policy-rule-aaa] service service3

Related commands

display nat all

display nat global-policy

display nat policy

object-group (Security Command Reference)

source-ip

Use source-ip to specify a source IP address match criterion for a NAT rule.

Use undo source-ip to delete a source IP address match criterion from a NAT rule.

Syntax

NAT-type rule view in the interface-based NAT policy or the global NAT policy:

source-ip ipv4-object-group-name

undo source-ip [ ipv4-object-group-name ]

NAT-type rule view in the global NAT policy:

source-ip { host ip-address | subnet subnet-ip-address mask-length }

undo source-ip { host [ ip-address ] | subnet [ subnet-ip-address mask-length ] }

NAT64-type rule view in the global NAT policy:

source-ip { ipv4-object-group-name | ipv6-object-group-name }

undo source-ip [ ipv4-object-group-name | ipv6-object-group-name ]

source-ip { host { ipv4-address | ipv6-address } | subnet { subnet-ipv4-address mask-length | ipv6-prefix prefix-length } }

undo source-ip { host [ ipv4-address | ipv6-address ] | subnet [ ipv4-address mask-length | ipv6-prefix prefix-length ] }

NAT66-type rule view in the global NAT policy:

source-ip ipv6-object-group-name

undo source-ip [ ipv6-object-group-name ]

source-ip { host ipv6-address | subnet ipv6-prefix prefix-length }

undo source-ip { host ipv6-address | subnet ipv6-prefix prefix-length }

Default

A NAT rule does not have any source IP address match criteria.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

ipv4-object-group-name: Specifies the name of a source IPv4 address object group. The name is a case-insensitive string of 1 to 63 characters, and it cannot be any. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX".

ipv6-object-group-name: Specifies the name of a source IPv6 address object group. The name is a case-insensitive string of 1 to 63 characters, and it cannot be any. If spaces are included in the name, enclose the name in quotation marks ("), for example, "XXX XXX".

host ipv4-address: Specifies an IPv4 address to match the source IPv4 address. The IPv4 address cannot be an all-zero address, all-one address, Class D address, Class E address, or loopback address.

host ipv6-address: Specifies an IPv6 address to match the source IPv6 address.

subnet subnet-ipv4-address mask-length: Specifies a subnet to match source IPv4 addresses. The subnet-ipv4-address argument specifies the subnet address. The mask-length argument specifies the mask length, which can be 8, 16, or an integer in the range of 24 to 31.

subnet ipv6-prefix prefix-length: Specifies an IPv6 prefix for a NAT rule. The ipv6-prefix argument indicates an IPv6 prefix. The prefix-length argument indicates the prefix length in the range of 1 to 128.

Usage guidelines

Non-default vSystems do not support this command.

The NAT device uses the source IP addresses specified in this command to identify matching packets. Only packets with the matching source IP addresses are translated.

To translate source IP addresses of packets from the internal network to the external network, use this command with the action snat command.

When you reference an address object group, follow these restrictions and guidelines:

·     The address object group must already exist.

·     For an address object group to be successfully referenced by the source address translation method, make sure the objects in the referenced address object group are created through the following methods:

¡     [ object-id ] network host address ip-address

¡     [ object-id ] network subnet ip-address { mask-length | mask }

¡     [ object-id ] network range ip-address1 ip-address2

For more information about these commands, see object group commands in Security Command Reference.

If you do not specify any parameters in the undo source-ip command, the command deletes all source address match criteria in the NAT rule.

When you configure match criteria for a NAT rule, follow these restrictions and guidelines:

·     A NAT rule can have a maximum of 256 source address object groups.

·     A NAT rule can have a maximum of 256 source IP addresses or a maximum of 256 subnets.

·     If you configure multiple packet match criteria in a NAT64-type rule, the type of IP addresses in the later configured packet match criteria must be the same as that in the earlier configured packet match criteria. For example, if you first execute the source-ip host 192.168.1.1 command, the source-ip host 100::1 command executed later does not take effect. Select an IP type as needed.

·     If you execute the following commands in the same NAT rule, the most recent configuration takes effect:

¡     source-ip

¡     source-ip host

¡     source-ip subnet

Examples

# In the interface-based NAT policy, configure NAT rule aaa to use source address object groups srcip1, srcip2, and srcip3 as the packet match criteria.

<Sysname> system

[Sysname] nat policy

[Sysname-nat-policy] rule name aaa

[Sysname-nat-policy-rule-aaa] source-ip srcip1

[Sysname-nat-policy-rule-aaa] source-ip srcip2

[Sysname-nat-policy-rule-aaa] source-ip srcip3

# In the global NAT policy, configure NAT rule aaa to use source address object groups srcip1, srcip2, and srcip3 as the packet match criteria.

<Sysname> system

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name aaa

[Sysname-nat-global-policy-rule-aaa] source-ip srcip1

[Sysname-nat-global-policy-rule-aaa] source-ip srcip2

[Sysname-nat-global-policy-rule-aaa] source-ip srcip3

Related commands

display nat all

display nat global-policy

display nat policy

object-group (Security Command Reference)

source-zone

Use source-zone to specify a source security zone in a NAT rule.

Use undo source-zone to delete a source security zone from a NAT rule.

Syntax

source-zone source-zone-name

undo source-zone [ source-zone-name ]

Default

No source security zones are specified in a NAT rule.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

source-zone-name: Specifies the name of a source security zone. The name is a case-insensitive string of 1 to 31 characters, and it cannot be any. You can specify a nonexistent security zone. This command takes effect after you use the security-zone name command to create the security zone. For more information about security zones, see Security Configuration Guide.

Usage guidelines

Non-default vSystems do not support this command.

The NAT device uses the source security zones specified in this command to identify matching packets. Only packets with the matching source security zones are translated.

To translate source IP addresses of outgoing packets, use this command with the action snat command. To translate both the source IP address and destination IP address of incoming packets, use this command together with the action snat and action dnat commands.

This command does not support modifying source security zones. To modify the source security zone for a NAT rule, first execute the undo source-zone command to delete the zone, and then execute the source-zone command to specify a new one.

If you do not specify a source security zone in the undo source-zone command, the command deletes all source security zones in the NAT rule.

This command is available only in NAT rule view of the global NAT policy.

A NAT rule can have a maximum of 16 source security zones.

Examples

# Specify source security zone trust for NAT rule rule1.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name rule1

[Sysname-nat-global-policy-rule-rule1] source-zone trust

Related commands

security-zone name (Security Command Reference)

vrf

Use vrf to specify a VPN instance match criterion for a NAT rule.

Use undo vrf to delete a VPN instance match criterion from a NAT rule.

Syntax

vrf vrf-name

undo vrf vrf-name

Default

A NAT rule does not have any VPN instance match criteria.

Views

NAT rule view

Predefined user roles

network-admin

context-admin

Parameters

vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Non-default vSystems do not support this command.

When you use this command together with the action snat command, it works as follows:

1.     The NAT device uses the VPN instances specified in the vrf command to identify matching packets. If the VPN instance to which a packet belongs matches a specified VPN instance, the NAT device translates the address in the packet and records the VPN instance information in the NAT mapping entry.

2.     When the server in the external network replies to the internal host, the NAT device translates the address according to the NAT mapping entry and forwards the translated packet to the internal host.

When you use this command together with the action dnat command, it works as follows:

1.     The NAT device uses the VPN instances specified in the vrf command to identify matching packets. If the VPN instance to which a packet belongs matches a specified VPN instance, the NAT device translates the address in the packet and records the VPN instance information in the NAT mapping entry.

2.     When the internal server replies to the host in the external network, the NAT device translates the address according to the mapping entry and forwards the translated packet to the host.

This command is available only in NAT rule view of the global NAT policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify VPN instance vpn1 for NAT rule rule1.

<Sysname> system-view

[Sysname] nat global-policy

[Sysname-nat-global-policy] rule name rule1

[Sysname-nat-global-policy-rule-rule1] vrf vpn1

Related commands

action dnat

action snat

vrrp vrid (interface-based NAT)

Use vrrp vrid to bind a VRRP group to a NAT address group or a NAT port block group.

Use undo vrrp vrid to restore the default.

Syntax

vrrp vrid virtual-router-id

undo vrrp vrid

Default

A NAT address group or a NAT port block group is not bound to any VRRP group.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255.

Usage guidelines

On an HA network, the virtual IP address of the VRRP group might be on the same subnet as the public IP addresses in the NAT address group or port block group. In this case, both HA group members might reply to ARP requests for the MAC addresses corresponding to these public IP addresses. As a result, the MAC addresses in ARP replies and the ARP entries on the Layer 3 devices connected to the HA group might be incorrect. To avoid this situation, execute this command to force the master device to use the virtual MAC address of the VRRP group in ARP replies. For more information about configuring the HA group, see High Availability Configuration Guide. For active/standby HA, execute this command on the primary device in the HA group.

For dual-active HA, select one of the following methods for VRRP group binding according to the NAT resource allocation between the two devices in the HA group:

·     If the two devices share the same NAT address group or port block group, execute the vrrp vrid command on the primary device. To prevent different master devices from using the same IP-port mapping for different hosts, specify the PAT translation mode and execute the nat remote-backup port-alloc command on the primary device.

·     If the two devices use different NAT address groups or port block groups, user traffic with different source IP addresses is identified by ACLs in NAT rules. To enable different master devices to translate the forward user traffic, specify different gateway addresses for different internal users. To direct the reverse traffic to different master devices, bind NAT address groups or port block groups to different VRRP groups on the primary device.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Bind VRRP group 1 to NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] vrrp vrid 1

Related commands

display nat address-group

display nat port-block-group

nat address-group

nat port-block-group

vrrp vrid (High Availability Command Reference)