Contents

NAT commands· 1

address· 1

display nat address-group· 1

display nat all 5

display nat dns-map· 9

display nat eim·· 10

display nat eim statistics· 13

display nat log· 14

display nat no-pat 15

display nat outbound· 16

display nat server 17

display nat server-group· 19

display nat session· 20

display nat static· 23

display nat statistics· 25

inside ip· 26

nat address-group· 27

nat alg· 28

nat dns-map· 29

nat hairpin enable· 30

nat log enable· 31

nat log flow-active· 32

nat log flow-begin· 32

nat log flow-end· 33

nat mapping-behavior endpoint-independent { tcp | udp } * 34

nat outbound· 35

nat per-global-ip user-limit 37

nat server 38

nat server-group· 43

nat static enable· 43

nat static outbound· 44

nat static outbound net-to-net 46

port-single-alloc enable· 48

reset nat eim·· 48

reset nat session· 49

 

NAT commands

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. Each address range can contain a maximum of 65536 addresses.

Usage guidelines

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

When you execute this command in a NAT address group, follow these restrictions and guidelines:

·     You can add multiple address ranges to a NAT address group. Make sure the address ranges do not overlap in the NAT address group.

·     All NAT address groups can contain a maximum of 65536 address ranges.

·     If the NAT address group has been used by a NAT rule, you cannot use the undo address command to delete addresses from the group.

Examples

# Add two address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

nat address-group

display nat address-group

Use display nat address-group to display NAT address group information.

Syntax

display nat address-group [ group-id ] [ resource-usage [ verbose ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays information about all NAT address groups.

resource-usage: Displays the resource usage of a NAT address group. If you do not specify this keyword, the command displays only configuration information about the NAT address group.

verbose: Displays the overall resource usage of a NAT address group and the resource usage of each group member. If you do not specify this keyword, the command displays only the overall resource usage of the NAT address group.

Usage guidelines

The resource usage of a NAT address group includes the following information:

·     Address usage—Ratio of the number of used IP addresses to the total number of IP addresses. The used IP addresses are public IP addresses that have been assigned to users for address translation.

·     Port usage—Ratio of the number of assigned ports to the total number of ports. If you set the maximum number of VPN users sharing one single public address in PAT mode by using the nat per-global-ip user-limit command, the port usage might be different. This is normal and needs no actions.

Examples

# Display configuration information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 8 NAT address groups.

  Address group name/ID: group1/1

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group name/ID: group2/2

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group name/ID: group3/3

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

Table 1 Command output

Field	Description
Totally n NAT address groups	Total number of parent NAT address groups.
Address group name/ID	Name and ID of the NAT address group.
Port range	Port range for public IP addresses.
Port block size	Number of ports in a port block. This field is not displayed if the port block size is not set.
Extended block number	Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.
Extended block size	Number of ports in each extended port block. This field is not displayed if the extended port block size is not set.
Port-single-alloc	Port-by-port allocation method. This field is not displayed if this method is not set.
TCP port limit	Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.
UDP port limit	Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.
ICMP port limit	Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.
Port limit in total	Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.
Instance name/ID	Name and ID of the NAT instance bound to the NAT address group.
Totally n sub NAT address groups	Number of child address groups generated by the parent NAT address group.
Address group name/ID	Name and ID of the NAT address group.
Address information	Information about the address ranges in the address group.
Start address	Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).
End address	End IP address of an address range. If you do not specify an end address for the range, this field displays three hyphens (---).

 

# Display configuration information about NAT address group 1.

<Sysname> display nat address-group 1

  Address group name/ID: group1/1

    Port range: 1024-65535

    Instance name/ID: nat1/1

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

Table 2 Command output

Field	Description
Address group name/ID	Name and ID of the NAT address group.
Instance name/ID	Name and ID of the NAT instance.
Address information	Information about the address ranges in the address group.
Start address	Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).
End address	End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---).

 

# Display the total resource usage of all NAT address groups and resource usage of each group member.

<Sysname> display nat address-group resource-usage verbose

NAT address group information:

  Totally 2 NAT address groups.

  Address group name/ID: group2/2

    Port range: 1024-1000

    IP usage: 100%

    Port usage: 50%

    Port usage of group members:

      Start address         End address         Port usage

      202.110.10.10         202.110.10.15       50%

      202.110.10.20         202.110.10.25       50%

 

  Address group name/ID: group3/3

    Port range: 1024-65535

    IP usage: 0%

    Port usage: 50%

    Port usage of group members:

      Start address         End address         Port usage

      10.1.1.1              10.1.1.10           0%

Table 3 Command output

Field	Description
Totally n NAT address groups	Total number of NAT address groups.
Address group name/ID	Name and ID of the NAT address group.
Port range	Port range for public IP addresses.
Port block size	Number of ports in a port block. This field is not displayed if the port block size is not set.
Extended block number	Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.
Extended block size	Number of ports in each extended port block. This field is not displayed if the extended port block size is not set.
TCP port limit	Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.
UDP port limit	Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.
ICMP port limit	Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.
Port limit in total	Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.
Instance name/ID	Name and ID of the NAT instance.
IP usage	Address usage of the NAT address group.
Port usage	Port usage of the NAT address group.
Port usage of group members	Port usage of the address ranges in the address group.
Start address	Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).
End address	End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---).

 

Related commands

nat address-group

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 5 NAT address groups.

  Address group name/ID: 1/1

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group name/ID: 2/2

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group name/ID: 3/3

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Ten-GigabitEthernet3/0/2

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/2

    ACL: 2037         Address group: 1      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Config status: Active

 

NAT internal server information:

  Totally 4 internal servers.

  Interface: Ten-GigabitEthernet3/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 – 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL:         : 2001

    Reversible   : Y

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Ten-GigabitEthernet3/0/4

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/6

    Config status: Active

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : 10.1.1.1

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Active

 

NAT logging:

  Log enable               : Enabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Enabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(40%)

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: Ten-GigabitEthernet3/0/4

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/6

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Connection-dependent

The output shows all NAT configuration information. Table 4 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 4 Command output

Field	Description
NAT address group information	Information about the NAT address group. See Table 3 for output description.
NAT server group information	Information about the internal server group. See Table 12 for output description.
NAT outbound information	Outbound dynamic NAT configuration. See Table 10 for output description.
NAT internal server information	NAT Server configuration. See Table 11 for output description.
Static NAT mappings	Static NAT mappings. See Table 14 for output description.
NAT DNS mappings	NAT DNS mappings. See Table 5 for output description.
NAT logging	NAT logging configuration. See Table 8 for output description.
NAT hairpinning	NAT hairpin configuration. If NAT hairpin is not configured, this field is not displayed.
Totally n interfaces enabled NAT hairpinning	Number of interfaces with NAT hairpin enabled.
Interface	NAT hairpin-enabled interface.
Config status	Status of the NAT hairpin configuration: Active.
NAT mapping behavior	Mapping behavior mode of PAT: ·     Endpoint-Independent. ·     Address and Port-Dependent Mapping. ·     Connection-dependent. ·     Endpoint-Independent (TCP)—The mapping mode is endpoint-independent and only EIM entries for TCP connections are created. ·     Endpoint-Independent (TCP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for TCP connections are created. ·     Endpoint-Independent (UDP)—The mapping mode is endpoint-independent and only EIM entries for UDP connections are created. ·     Endpoint-Independent (UDP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for UDP connections are created.
ACL	ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---).
Config status	Status of the NAT mapping behavior configuration: ·     Active—The configuration is taking effective. ·     Inactive—The configuration is not taking effective.
Reasons for inactive status	Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status field displays Inactive.

 

display nat dns-map

Use display nat dns-map to display NAT DNS mapping configuration.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT DNS mapping configuration.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : 10.1.1.1

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Active

Table 5 Command output

Field	Description
NAT DNS mapping information	Information about the NAT DNS mappings.
Totally n NAT DNS mappings	Total number of NAT DNS mappings.
NAT DNS mapping information	Information about NAT DNS mappings.
Domain name	Domain name of the internal server.
Global IP	Public IP address of the internal server. ·     If Easy IP is configured, this field displays the IP address of the specified interface. ·     If you do not specify a public IP address, this field displays hyphens (---).
Global port	Public port number of the internal server.
Protocol	Protocol name and number of the internal server.
Config status	Status of the DNS mapping configuration: ·     Active—The configuration is taking effective. ·     Inactive—The configuration is not taking effective.
Reasons for inactive status	Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status field displays Inactive.

 

Related commands

nat dns-map

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

display nat eim [ slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entries on all cards.

protocol: Specifies a protocol by its type.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip local-ip: Displays EIM entry information for a private IP address. The local-ip argument specifies a private IP address.

local-ip b4 ipv6-address: Displays EIM entry information for a B4 device IP address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-port local-port: Displays EIM entry information for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Displays EIM entry information for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Displays EIM entry information for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

Usage guidelines

EIM entries are created when PAT operates in EIM mode. An EIM entry is a three-tuple entry, and it records the mapping between a private address/port and a public address/port.

The EIM entry provides the following functions:

·     The same EIM entry applies to subsequent connections initiated from the same source IP and port.

·     The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.

If you do not specify the local-ip, local-port, global-ip, or global-port keyword, this command displays information about all EIM entries for ICMP, TCP, and UDP protocols.

Examples

# Display information about NAT EIM entries on the specified slot.

<Sysname> display nat eim slot 1

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

DS-Lite tunnel peer: -

Protocol: UDP(17)

Failover group name: -

 

Total entries found: 2

# Display information about NAT EIM entries for TCP on the specified slot.

<Sysname> display nat eim slot 1 cpu 0 protocol tcp

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Total entries found: 1

Table 6 Command output

Field	Description
CPU	Number of the CPU.
DS-Lite tunnel peer	DS-Lite tunnel B4 address. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).
Local VPN	MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.
Global VPN	MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.
Protocol	Protocol name and number.
Failover group name	This field is not supported in the current software version. Failover group name. If no failover group is specified, this field displays a hyphen (-).
Total entries found	Total number of EIM entries.

 

Related commands

nat outbound

display nat eim statistics

Use display nat eim statistics to display NAT EIM entry statistics.

Syntax

display nat eim statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry statistics on all cards.

Usage guidelines

The NAT EIM entry statistics includes the following information:

·     The number of EIM entries.

·     The creation rate of EIM entries for TCP.

·     The creation rate of EIM entries for UDP.

Examples

# Display EIM entry statistics for the specified slot.

<Sysname> display nat eim statistics slot 2

EIM: Total EIM entries.

TCP: Total EIM entries for TCP.

UDP: Total EIM entries for UDP.

Rate: Creating rate of EIM entries.

TCP rate: Creating rate of EIM entries for TCP.

UDP rate: Creating rate of EIM entries for UDP.

Slot EIM       TCP       UDP       Rate          TCP rate      UDP rate

                                  (entries/s)   (entries/s)   (entries/s)

2    0         0         0         0             0             0

Table 7 Command output

Field	Description
Total EIM entries	Total number of EIM entries.
Total EIM entries for TCP	Total number of EIM entries for TCP.
Total EIM entries for UDP	Total number of EIM entries for UDP.
Creating rate of EIM entries	Creation rate of EIM entries.
Creating rate of EIM entries for TCP	Creation rate of EIM entries for TCP.
Creating rate of EIM entries for UDP	Creation rate of EIM entries for UDP.

 

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration.

<Sysname> display nat log

NAT logging:

  Log enable               : Enabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Bandwidth-usage          : Enabled(Threshold: 90%)

Table 8 Command output

Field	Description
NAT logging	NAT logging configuration.
Log enable	Whether NAT logging is enabled. ·     Enabled—NAT logging is enabled. If an ACL is specified for NAT logging, this field also displays the ACL number or name. ·     Disabled—NAT logging is disabled.
Flow-begin	Whether logging is enabled for NAT session establishment events.
Flow-end	Whether logging is enabled for NAT session removal events.
Flow-active	Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated.
Bandwidth-usage	This field is not supported in the current software version. Logging is enabled for the CGN card bandwidth usage. The Threshold field displays the threshold for the CGN card bandwidth usage, in percentage. The default threshold value is 90%.

 

Related commands

nat log enable

nat log flow-active

nat log flow-begin

display nat no-pat

Use display nat no-pat command to display information about NAT NO-PAT entries.

Syntax

display nat no-pat [ slot slot-number ]

Views

Any view

Default user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entries on all cards.

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

The NO-PAT entry provides the following functions:

·     The same entry applies to subsequent connections initiated from the same source IP address.

·     The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Outbound NO-PAT address translations create NO-PAT tables.

Examples

# Display information about NO-PAT entries for the specified slot.

<Sysname> display nat no-pat slot 1

Slot 1:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

Table 9 Command output

Field	Description
Global  IP	Public IP address.
Local   IP	Private IP address.
Local VPN	MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.
Global VPN	MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.
Reversible	Whether reverse address translation is allowed: ·     Y—Reverse address translation is allowed. ·     N—Reverse address translation is not allowed.
Type	Type of the NO-PAT entry: ·     Inbound—A NO-PAT entry created during inbound dynamic NAT. ·     Outbound—A NO-PAT entry created during outbound dynamic NAT.
Total entries found	Total number of NO-PAT entries.

 

Related commands

nat outbound

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Ten-GigabitEthernet3/0/1

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/2

    ACL: 2037         Address group: 2      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/1

    DS-Lite B4 ACL: 2100         Address group: 0      Port-preserved: N

    NO-PAT: N         Reversible: N

    Config status: Active

Table 10 Command output

Field	Description
NAT outbound information	Information about outbound dynamic NAT.
Totally n NAT outbound rules	Total number of outbound dynamic NAT rules.
Interface	Interface where the outbound dynamic NAT rule is configured.
ACL	IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).
DS-Lite B4 ACL	Number or name of the IPv6 ACL used by DS-Lite port block mapping.
Address group	Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---).
Port-preserved	Whether to try to preserve the port numbers for PAT.
NO-PAT	Whether NO-PAT is used: ·     Y—NO-PAT is used. ·     N—PAT is used.
Reversible	Whether reverse address translation is allowed: ·     Y—Reverse address translation is allowed. ·     N—Reverse address translation is not allowed.
VPN instance	MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.
Config status	Status of the outbound dynamic NAT configuration: ·     Active—The configuration is taking effective. ·     Inactive—The configuration is not taking effective.
Reasons for inactive status	Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: ·     The following items don't exist or aren't effective: global VPN, interface IP address, address group, and ACL. ·     NAT address conflicts.

 

Related commands

nat outbound

display nat server

Use display nat server to display NAT server mappings.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT server mappings.

<Sysname> display nat server

NAT internal server information:

  Totally 4 internal servers.

  Interface: Ten-GigabitEthernet3/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn10

    Config status : Active

Table 11 Command output

Field	Description
NAT internal server information	Information about NAT server mappings.
Totally n internal servers	Total number of NAT server mappings.
Interface	Interface where the NAT server mapping is configured.
Protocol	Protocol number and name of the internal server.
Global IP/port	Public IP address and port number of the internal server. ·     Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---). ·     port—A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---).
Local IP/port	For common NAT server mappings, this field displays the private IP address and port number of the server. ·     Local IP—A single IP address or an IP address range. ·     port—A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---). For load sharing NAT server mappings, this field displays the internal server group ID, IP address, port number, and number of connections of each member.
Global VPN	MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.
Local VPN	MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.
ACL	ACL number or name. If no ACL is specified, this field is not displayed.
Config status		Status of the NAT server mapping configuration: ·     Active—The configuration is taking effective. ·     Inactive—The configuration is not taking effective.
Reasons for inactive status		Reasons why the NAT server mapping does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: ·     The following items don't exist or aren't effective: global VPN, interface IP address, server group, and ACL. ·     Server configuration conflicts. ·     NAT address conflicts.

 

Related commands

nat server

display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of the internal server group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.

Examples

# Display configuration about all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

# Display configuration about internal server group 1.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

Table 12 Command output

Field	Description
NAT server group information	Information about NAT server groups.
Totally n NAT server groups	Total number of NAT server groups.
Group Number	ID of the internal server group.
Inside IP	Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---).
Port	Private port number of a member in the internal server group. If no port number is specified, this field displays hyphens (---).
Weight	Weight of a member in the internal server group. If no weight value is specified, this field displays hyphens (---).

 

Related commands

nat server-group

display nat session

Use display nat session to display sessions that have been NATed.

Syntax

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ slot slot-number ] [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Displays IPv4 unicast session entries for the specified protocol. If you do not specify a protocol, the command displays NAT session entries for all supported protocols. Supported IPv4 transport layer protocols include DCCP, ICMP, RawIP, SCTP, TCP, UDP, and UDP-Lite.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions on all cards.

brief: Display brief information about NAT sessions.

verbose: Display detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all NAT sessions.

Examples

# Display detailed information about NAT sessions for the specified slot.

<Sysname> display nat session slot 1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/0/1

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/0/2

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# Display brief information about NAT sessions for the specified slot.

<Sysname> display nat session slot 1 brief

Slot 1:

Protocol   Source IP/port      Destination IP/port    Global IP/port

TCP        10.2.1.58/2477      20.1.1.2/1025          30.2.4.9/226

Total sessions found: 1

Table 13 Command output

Field	Description
CPU	Number of the CPU.
Source IP/port	Source IP address and port number.
Destination IP/port	Destination IP address and port number.
DS-Lite tunnel peer	Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).
VPN instance/VLAN ID/VLL ID	The fields identify the following information: ·     VPN instance—MPLS L3VPN instance to which the session belongs. ‌ ·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. ·     VLL ID—INLINE to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or VLL ID is specified, a hyphen (-) is displayed for the related field.
Protocol	Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.
Inbound interface	Input interface.
State	NAT session status.
Application	Application layer protocol type, such as FTP and DNS. This field displays OTHER for the protocol types identified by non-well-known ports.
Start time	Time when the session starts.
TTL	Remaining NAT session lifetime in seconds.
Initiator->Responder	Number of packets and packet bytes from the initiator to the responder.
Responder->Initiator	Number of packets and packet bytes from the responder to the initiator.
Total sessions found	Total number of sessions.
Source IP/port	Source IP address and port number of the initiator.
Destination IP/port	Destination IP address and port number of the initiator.
Global IP/port	Public IP address and port number.

 

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP   : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn4

    Global VPN   : vpn3

    ACL:         : 2000

    Reversible   : Y

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Ten-GigabitEthernet3/0/2

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/3

    Config status: Active

Table 14 Command output

Field	Description
Static NAT mappings	Information about static NAT mappings.
Totally n inbound static NAT mappings	Total number of inbound static NAT mappings.
Totally n outbound static NAT mappings	Total number of outbound static NAT mappings.
Net-to-net	Net-to-net static NAT mapping.
IP-to-IP	One-to-one static NAT mapping.
Local IP	Private IP address or address range.
Global IP	Public IP address or address range.
Netmask	Network mask.
Local VPN	MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.
Global VPN	MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.
ACL	ACL number or name. If no ACL is specified, this field is not displayed.
Reversible	Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed.
Interfaces enabled with static NAT	Interfaces that are enabled with static NAT.
Totally n interfaces enabled with static NAT	Total number of interfaces enabled with static NAT.
Interface	Interface enabled with static NAT.
Config status	Status of the static NAT mapping configuration: ·     Active—The configuration is taking effective. ·     Inactive—The configuration is not taking effective.
Reasons for inactive status	Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: ·     The following items don't exist or aren't effective: local VPN, global VPN, and ACL. ·     NAT address conflicts.

 

Related commands

nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

display nat statistics [ summary ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics on all cards.

Examples

# Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 0:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Active static port block entries: 0

  Active dynamic port block entries: 0

  Total PAT entries: 0

Table 15 Command output

Field	Description
Total session entries	Number of NAT session entries.
Total EIM entries	Number of EIM entries.
Total inbound NO-PAT entries	Number of inbound NO-PAT entries.
Total outbound NO-PAT entries	Number of outbound NO-PAT entries.
Active static port block entries	Number of static port block mappings that are in use.
Active dynamic port block entries	Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.
Total PAT entries	Number of PAT entries.

 

# Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

0    100       1         10        15        0         0

Table 16 Command output

Field	Description
Sessions	Number of NAT session entries.
EIM	Number of EIM entries.
SPB	Number of static port block mappings.
DPB	Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. If the user-defined extended port block size is different from the pre-allocated port block size, the device calculates the number of dynamic port block mappings that can be created based on the port block size of 64.
ASPB	Number of static port block mappings in use.
ADPB	Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.

 

inside ip

Use inside ip to add a member to an internal server group.

Use undo inside ip to remove a member from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

No members exist in an internal server group.

Views

Internal server group view

Predefined user roles

network-admin

Parameters

inside-ip: Specifies the IP address of an internal server.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.

Usage guidelines

A NAT address group can contain multiple address ranges added by using the address command. Dynamic NAT translates the source IP address of a packet to an IP address in the address group.

You cannot use the undo nat address-group command to delete a NAT address group in use.

Examples

# Create a NAT address group numbered 1.

<Sysname> system-view

[Sysname] nat address-group 1

Related commands

address

display nat address-group

display nat all

nat outbound

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet |tftp | xdmcp }

Default

NAT ALG is disabled for all supported protocols except for FTP, ICMP error packets, and RTSP.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

H323: Enables NAT ALG for H323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.

The nat alg h323 command fails if you have executed the nat mapping-behavior endpoint-independent tcp or nat mapping-behavior endpoint-independent udp command.

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat mapping-behavior endpoint-independent

nat dns-map

Use nat dns-map to configure a NAT DNS mapping.

Use undo nat dns-map to remove a NAT DNS mapping.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No NAT DNS mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

NAT DNS mapping must cooperate with the NAT Server feature. NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.

You can configure multiple NAT DNS mappings.

Examples

# Configure a NAT DNS mapping to map the domain name www.server.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345

Related commands

display nat all

display nat dns-map

nat server

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

Examples

# Enable NAT hairpin on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat hairpin enable

Related commands

display nat all

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.

Usage guidelines

You must enable NAT logging before you enable NAT session logging.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat log flow-active

nat log flow-begin

nat log flow-end

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT session establishment events.

Use undo nat log flow-begin to disable logging for NAT session establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT session establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT session removal events.

Use undo nat log flow-end to disable logging for NAT session removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT session removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT session removal events.

<Sysname> system-view

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat mapping-behavior endpoint-independent { tcp | udp } *

Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping mode for PAT.

Use undo nat mapping-behavior endpoint-independent to restore the default.

Syntax

nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *

undo nat mapping-behavior endpoint-independent

Default

Connection-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

tcp: Creates EIM entries for TCP connections.

udp: Creates EIM entries for UDP connections.

tcp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for TCP connections. If you do not specify this keyword, only EIM entries are created.

udp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for UDP connections. If you do not specify this keyword, only EIM entries are created.

Usage guidelines

PAT supports the following types of NAT mappings:

·     Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·     Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.

The nat mapping-behavior endpoint-independent tcp or nat mapping-behavior endpoint-independent udp command cannot be configured in one of the following conditions:

For interface-based NAT, one or more of following commands have been configured on the device:

·     nat server.

·     nat static outbound.

·     nat static outbound net-to-net.

·     nat alg h323.

After you execute the nat mapping-behavior endpoint-independent command, EIM entries and five-tuple session entries are always created for ICMP connections.

The existing and newly configured dynamic NO-PAT rules do not take effect if you specify the Endpoint-Independent Mapping mode for outbound dynamic PAT rules.

Examples

# Apply the Endpoint-Independent Mapping mode and create EIM entries for TCP packet address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent tcp

Related commands

display nat eim

display nat eim statistics

nat outbound

nat server

nat static outbound

nat static outbound net-to-net

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.

address-group group-id: Specifies an address group for NAT. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address. Easy IP is used.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.

port-preserved: Tries to preserve port number for PAT.

Usage guidelines

Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.

Outbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·     NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

If the Endpoint-Independent Mapping mode is used for outbound dynamic PAT rules, NO-PAT configurations do not take effect.

When you specify an ACL, follow these restrictions and guidelines:

·     An ACL can be used by only one outbound dynamic NAT rule on an interface.

·     If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.

·     If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·     Outbound dynamic NAT rules with ACLs configured on an interface takes precedence over those without ACLs. If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.

A user is not allowed to access a service on an internal server through different external addresses or external port numbers. When configuring load sharing NAT Server, the number of members cannot be less than the value N in one of the following situations:

·     A public address, N consecutive public port numbers, and one internal server group.

·     N consecutive public addresses, a public port number, and one internal server group.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1

[Sysname-Ten-GigabitEthernet3/0/1] quit

Or

# Configure an outbound NO-PAT rule on interface Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1 no-pat

[Sysname-Ten-GigabitEthernet3/0/1] quit

Or

# Enable Easy IP to use the IP address of Ten-GigabitEthernet 3/0/1 as the translated address.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet 3/0/1] nat outbound 2001

[Sysname-Ten-GigabitEthernet 3/0/1] quit

Or

# Configure an outbound NO-PAT rule on Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1 no-pat reversible

Related commands

address

display nat eim

display nat outbound

nat per-global-ip user-limit

Use nat per-global-ip user-limit to set the maximum number of VPN users sharing one single public address in PAT mode.

Use undo nat per-global-ip user-limit to restore the default.

Syntax

nat per-global-ip user-limit max-number

undo nat per-global-ip user-limit

Default

By default, the number of VPN users that can share one single public IP address is not limited.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of VPN users, in the range of 1 to 4096.

Usage guidelines

In PAT mode, multiple VPN users can share one single public IP address. If the number of VPN users exceeds the upper limit, the device fails to assign ports to users. New users cannot access the external network, and existing online users cannot initiate new connections. To prevent too many VPN users from using one single public IP address, you can perform this task to evenly distribute users among public IP addresses.

Examples

# Set the maximum number to 500 for VPN users sharing one single public IP address in PAT mode.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] nat per-global-ip user-limit 500

nat server

Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

Common NAT server mapping:

·     A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with no single public port:

nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with a single public port:

nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]

Load sharing NAT server mapping:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]

Default

No NAT server mappings exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·     A number in the range of 1 to 255.

·     A protocol name of icmp, tcp, or udp.

global: Specifies the external network information that the server uses to provide services to the external network.

global-address: Specifies the public address of an internal server.

global-address1 global address2: Specifies a public IP address range, which can include a maximum of 256 addresses. The global-address1 argument specifies the start address, and the global address2 argument specifies the end address that must be greater than the start address.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.

current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 256 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

inside: Specifies the internal information of the server.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.

local-address: Specifies the private IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses of NAT server mappings belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for this argument is 0 to 65535.

acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

Usage guidelines

You can configure the NAT server mapping to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

NAT server mappings are usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. To avoid incorrect operation of NAT and packet loss, do not specify the same IP address for the global-address argument and the local-address argument.

The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 17 Address-port mappings for NAT Server

External network	Internal network
One public address	One private address
One public address and one public port number	One private address and one private port number
One public address and N consecutive public port numbers	One private address and one private port number
	N consecutive private addresses and one private port number
	One private address and N consecutive private port numbers
N consecutive public addresses	One private address
	N consecutive private addresses
N consecutive public addresses and one public port number	One private address and one private port number
	N consecutive private addresses and one private port number
	One private address and N consecutive private port numbers
One public address and one public port number	One internal server group
One public address and N consecutive public port numbers
N consecutive public addresses and one public port number
Public addresses matching an ACL	One private address
	One private address and one private port

 

The number of the nat server commands that can be configured on an interface varies by device model. The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.

As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicted address is modified to an unconflicting address or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.

When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:

·     One public address and N consecutive public port numbers are mapped to one internal server group.

·     N consecutive public addresses and one public port number are mapped to one internal server group.

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http

[Sysname-Ten-GigabitEthernet3/0/1] quit

# Allow external users to access the internal FTP server at 10.110.10.11 in the VPN instance vrf10 through ftp://202.110.10.10.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

[Sysname-Ten-GigabitEthernet3/0/1] quit

# Allow external hosts to ping the host at 10.110.10.12 in the VPN instance vrf10 by using the ping 202.110.10.11 command.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

[Sysname-Ten-GigabitEthernet3/0/1] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the VPN instance vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

Related commands

display nat all

display nat server

nat server-group

nat server-group

Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.

Use undo nat server-group to delete an internal server group.

Syntax

nat server-group group-id

undo nat server-group group-id

Default

No internal server groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the internal server group. The value range for this argument is 0 to 65535.

An internal server group can contain multiple members configured by the inside ip command.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

display nat all

display nat server-group

inside ip

nat server

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface only after you enable static NAT on the interface.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat static enable

Related commands

display nat all

display nat static

nat static

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address.

Usage guidelines

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001

Related commands

display nat all

display nat static

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range which can contain a maximum of 256 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses.

Usage guidelines

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001

Related commands

display nat all

display nat static

nat static enable

port-single-alloc enable

Use port-single-alloc enable to enable the port-by-port allocation method.

Use undo port-single-alloc enable to restore the default.

Syntax

port-single-alloc enable

undo port-single-alloc enable

Default

By default, the port reuse allocation method is enabled.

Views

NAT address group view

Predefined user roles

network-admin

Usage guidelines

A session can be identified by a three-tuple (source IP address, source port number, and protocol type) or a five-tuple (source IP address, source port number, protocol type, destination IP address, and destination port number). Based on the three-tuple or five-tuple session, a port allocation for dynamic PAT can be one of the following modes:

·     Port reuse—Different sessions can share the same port number after NAT.

·     Port by port—Different sessions must use different NATed port numbers. This allocation method is suitable for users with few NAT services and port numbers required.

When you configure a port allocation method for dynamic PAT, you cannot switch it in one minute.

The port-single-alloc enable command and the port-block command are mutually exclusive.

Examples

# Enable the port-by-port allocation method for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-single-alloc enable

reset nat eim

Use reset nat eim to delete NAT EIM entries.

Syntax

reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command deletes NAT EIM entries of all protocol types.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip b4 ipv6-address: Deletes the EIM entry for a B4 device IPv6 address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-ip local-ip: Deletes the EIM entry for a private IP address. The local-ip argument specifies a private IP address.

local-port local-port: Deletes the EIM entry for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Deletes the EIM entry for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Deletes the EIM entry for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes NAT EIM entries on all cards.

Usage guidelines

If you do not specify the local-ip, local-port, global-ip, or global-port keyword, this command deletes all EIM entries for ICMP, TCP, and UDP protocols.

Examples

# Delete NAT EIM entries for the specified slot.

<Sysname> reset nat eimslot 1

Related commands

display nat session

display nat eim statistics

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

reset nat session [ protocol { tcp | udp } ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command clears NAT sessions of all protocol types.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions on all cards.

Examples

# Clear NAT sessions for the specified slot.

<Sysname> reset nat session slot 1

Related commands

display nat session