NAT commands
address
Use address to add an address range to a NAT address group.
Use undo address to remove an address range from a NAT address group.
Syntax
address start-address end-address
undo address start-address end-address
Default
No address ranges exist.
Views
NAT address group view
Predefined user roles
network-admin
Parameters
start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. Each address range can contain a maximum of 65536 addresses.
Usage guidelines
A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.
When you execute this command in a NAT address group, follow these restrictions and guidelines:
· You can add multiple address ranges to a NAT address group. Make sure the address ranges do not overlap in the NAT address group.
· All NAT address groups can contain a maximum of 65536 address ranges.
· If the NAT address group has been used by a NAT rule, you cannot use the undo address command to delete addresses from the group.
Examples
# Add two address ranges to an address group.
<Sysname> system-view
[Sysname] nat address-group 2
[Sysname-address-group-2] address 10.1.1.1 10.1.1.15
[Sysname-address-group-2] address 10.1.1.20 10.1.1.30
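The restrictions in the usage guidelines (end address not lower than the start address, at most 65536 addresses per range, no overlapping ranges in a group, at most 65536 ranges across all groups) are easy to violate when address groups are generated from an inventory. The following added check is not part of this command reference or of the device software; it validates a planned set of ranges offline before they are configured. Group IDs and the sample ranges are constructed.

```python
import ipaddress

MAX_ADDRESSES_PER_RANGE = 65536   # per-range limit stated for the address command
MAX_RANGES_ALL_GROUPS = 65536     # limit on address ranges across all NAT address groups


def range_size(start, end):
    """Number of addresses in the inclusive range start..end, or 0 if end < start."""
    s = int(ipaddress.IPv4Address(start))
    e = int(ipaddress.IPv4Address(end))
    return e - s + 1 if e >= s else 0


def check_address_group(ranges):
    """Check the (start, end) ranges planned for one NAT address group.

    Returns a list of problem strings; an empty list means every range is
    well-formed, within the size limit, and no two ranges overlap.
    """
    problems, valid = [], []
    for start, end in ranges:
        size = range_size(start, end)
        if size == 0:
            problems.append(f"{start}-{end}: end address is lower than start address")
            continue
        if size > MAX_ADDRESSES_PER_RANGE:
            problems.append(f"{start}-{end}: {size} addresses exceeds the limit of "
                            f"{MAX_ADDRESSES_PER_RANGE}")
        valid.append((int(ipaddress.IPv4Address(start)),
                      int(ipaddress.IPv4Address(end)), f"{start}-{end}"))
    # Walk the ranges in start-address order, remembering the highest end seen
    # so far: a range that starts at or below it overlaps an earlier range.
    valid.sort()
    max_end, max_label = -1, None
    for start, end, label in valid:
        if start <= max_end:
            problems.append(f"{label} overlaps {max_label}")
        if end > max_end:
            max_end, max_label = end, label
    return problems


def check_all_groups(groups):
    """Check a {group_id: [(start, end), ...]} plan for the whole device."""
    problems = [f"group {gid}: {p}" for gid, ranges in groups.items()
                for p in check_address_group(ranges)]
    total = sum(len(r) for r in groups.values())
    if total > MAX_RANGES_ALL_GROUPS:
        problems.append(f"{total} address ranges planned, limit is {MAX_RANGES_ALL_GROUPS}")
    return problems


if __name__ == "__main__":
    # Constructed plan: group 2 mirrors the example above, group 3 has a nested overlap.
    plan = {2: [("10.1.1.1", "10.1.1.15"), ("10.1.1.20", "10.1.1.30")],
            3: [("10.1.2.1", "10.1.2.100"), ("10.1.2.50", "10.1.2.60")]}
    for problem in check_all_groups(plan):
        print(problem)
```

The overlap check keeps the highest end address seen so far rather than comparing only neighbouring ranges, so a small range nested inside a large one is caught even when a third range sorts between them.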
Related commands
nat address-group
display nat address-group
Use display nat address-group to display NAT address group information.
Syntax
display nat address-group [ group-id ] [ resource-usage [ verbose ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays information about all NAT address groups.
resource-usage: Displays the resource usage of a NAT address group. If you do not specify this keyword, the command displays only configuration information about the NAT address group.
verbose: Displays the overall resource usage of a NAT address group and the resource usage of each group member. If you do not specify this keyword, the command displays only the overall resource usage of the NAT address group.
Usage guidelines
The resource usage of a NAT address group includes the following information:
· Address usage—Ratio of the number of used IP addresses to the total number of IP addresses. The used IP addresses are public IP addresses that have been assigned to users for address translation.
· Port usage—Ratio of the number of assigned ports to the total number of ports. If you have used the nat per-global-ip user-limit command to limit the number of VPN users that can share one public address in PAT mode, the displayed port usage might differ from what you expect. This is normal and requires no action.
Examples
# Display configuration information about all NAT address groups.
<Sysname> display nat address-group
NAT address group information:
Totally 8 NAT address groups.
Address group name/ID: group1/1
Port range: 1024-65535
Address information:
Start address End address
202.110.10.10 202.110.10.15
Address group name/ID: group2/2
Port range: 1024-65535
Address information:
Start address End address
202.110.10.20 202.110.10.25
202.110.10.30 202.110.10.35
Address group name/ID: group3/3
Port range: 1024-65535
Address information:
Start address End address
202.110.10.40 202.110.10.50
Table 1 Command output
Field |
Description |
Totally n NAT address groups |
Total number of parent NAT address groups. |
Address group name/ID |
Name and ID of the NAT address group. |
Port range |
Port range for public IP addresses. |
Port block size |
Number of ports in a port block. This field is not displayed if the port block size is not set. |
Extended block number |
Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set. |
Extended block size |
Number of ports in each extended port block. This field is not displayed if the extended port block size is not set. |
Port-single-alloc |
Port-by-port allocation method. This field is not displayed if this method is not set. |
TCP port limit |
Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set. |
UDP port limit |
Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set. |
ICMP port limit |
Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set. |
Port limit in total |
Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set. |
Instance name/ID |
Name and ID of the NAT instance bound to the NAT address group. |
Totally n sub NAT address groups |
Number of child address groups generated by the parent NAT address group. |
Address group name/ID |
Name and ID of the NAT address group. |
Address information |
Information about the address ranges in the address group. |
Start address |
Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---). |
End address |
End IP address of an address range. If you do not specify an end address for the range, this field displays three hyphens (---). |
# Display configuration information about NAT address group 1.
<Sysname> display nat address-group 1
Address group name/ID: group1/1
Port range: 1024-65535
Instance name/ID: nat1/1
Address information:
Start address End address
202.110.10.10 202.110.10.15
Table 2 Command output
Field |
Description |
Address group name/ID |
Name and ID of the NAT address group. |
Instance name/ID |
Name and ID of the NAT instance. |
Address information |
Information about the address ranges in the address group. |
Start address |
Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---). |
End address |
End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---). |
# Display the total resource usage of all NAT address groups and resource usage of each group member.
<Sysname> display nat address-group resource-usage verbose
NAT address group information:
Totally 2 NAT address groups.
Address group name/ID: group2/2
Port range: 1024-1000
IP usage: 100%
Port usage: 50%
Port usage of group members:
Start address End address Port usage
202.110.10.10 202.110.10.15 50%
202.110.10.20 202.110.10.25 50%
Address group name/ID: group3/3
Port range: 1024-65535
IP usage: 0%
Port usage: 50%
Port usage of group members:
Start address End address Port usage
10.1.1.1 10.1.1.10 0%
Table 3 Command output
Field |
Description |
Totally n NAT address groups |
Total number of NAT address groups. |
Address group name/ID |
Name and ID of the NAT address group. |
Port range |
Port range for public IP addresses. |
Port block size |
Number of ports in a port block. This field is not displayed if the port block size is not set. |
Extended block number |
Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set. |
Extended block size |
Number of ports in each extended port block. This field is not displayed if the extended port block size is not set. |
TCP port limit |
Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set. |
UDP port limit |
Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set. |
ICMP port limit |
Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set. |
Port limit in total |
Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set. |
Instance name/ID |
Name and ID of the NAT instance. |
IP usage |
Address usage of the NAT address group. |
Port usage |
Port usage of the NAT address group. |
Port usage of group members |
Port usage of the address ranges in the address group. |
Start address |
Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---). |
End address |
End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---). |
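Address and port usage of an address group are the figures to watch for public-address or port exhaustion: once a group is exhausted, new outbound sessions fail, and a sudden jump is often the first sign of a scanning or malware-infected host inside. The following parser and threshold check are an added example, not part of this command reference or of the device software. The sample output is constructed to match the verbose resource-usage format shown above, and the column alignment and thresholds are assumptions.

```python
import re

# Constructed sample, modelled on the display nat address-group resource-usage verbose
# output above; column spacing is assumed.
SAMPLE_OUTPUT = """\
NAT address group information:
Totally 2 NAT address groups.
Address group name/ID: group2/2
  Port range: 1024-65535
  IP usage: 100%
  Port usage: 50%
  Port usage of group members:
    Start address       End address         Port usage
    202.110.10.10       202.110.10.15       50%
    202.110.10.20       202.110.10.25       50%
Address group name/ID: group3/3
  Port range: 1024-65535
  IP usage: 0%
  Port usage: 0%
  Port usage of group members:
    Start address       End address         Port usage
    10.1.1.1            10.1.1.10           0%
"""

GROUP_RE = re.compile(r"^Address group name/ID:\s*(\S+)/(\d+)$")
USAGE_RE = re.compile(r"^(IP usage|Port usage):\s*(\d+)%$")
MEMBER_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)%$")


def parse_resource_usage(text):
    """Parse the verbose resource-usage output into one dict per address group."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current = {"name": m.group(1), "id": int(m.group(2)),
                       "ip_usage": None, "port_usage": None, "members": []}
            groups.append(current)
            continue
        if current is None:
            continue                      # header lines before the first group
        m = USAGE_RE.match(line)
        if m:
            key = "ip_usage" if m.group(1) == "IP usage" else "port_usage"
            current[key] = int(m.group(2))
            continue
        m = MEMBER_RE.match(line)
        if m:                             # one address range of the group
            current["members"].append({"start": m.group(1), "end": m.group(2),
                                       "port_usage": int(m.group(3))})
    return groups


def exhaustion_alerts(groups, ip_threshold=90, port_threshold=80):
    """Return one alert string per group or address range at or above a threshold."""
    alerts = []
    for g in groups:
        label = f"address group {g['name']}/{g['id']}"
        if g["ip_usage"] is not None and g["ip_usage"] >= ip_threshold:
            alerts.append(f"{label}: IP usage {g['ip_usage']}% >= {ip_threshold}%")
        if g["port_usage"] is not None and g["port_usage"] >= port_threshold:
            alerts.append(f"{label}: port usage {g['port_usage']}% >= {port_threshold}%")
        for m in g["members"]:
            if m["port_usage"] >= port_threshold:
                alerts.append(f"{label}: range {m['start']}-{m['end']} port usage "
                              f"{m['port_usage']}% >= {port_threshold}%")
    return alerts


if __name__ == "__main__":
    for alert in exhaustion_alerts(parse_resource_usage(SAMPLE_OUTPUT)):
        print(alert)
```

Per-range thresholds matter as much as the group total: a group can report moderate overall port usage while one range in it is already saturated, which is exactly what the verbose keyword exists to show.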
Related commands
nat address-group
display nat all
Use display nat all to display all NAT configuration information.
Syntax
display nat all
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display all NAT configuration information.
<Sysname> display nat all
NAT address group information:
Totally 5 NAT address groups.
Address group name/ID: 1/1
Port range: 1024-65535
Address information:
Start address End address
202.110.10.10 202.110.10.15
Address group name/ID: 2/2
Port range: 1024-65535
Address information:
Start address End address
202.110.10.20 202.110.10.25
202.110.10.30 202.110.10.35
Address group name/ID: 3/3
Port range: 1024-65535
Address information:
Start address End address
202.110.10.40 202.110.10.50
NAT server group information:
Totally 3 NAT server groups.
Group Number Inside IP Port Weight
1 192.168.0.26 23 100
192.168.0.27 23 500
2 --- --- ---
3 192.168.0.26 69 100
NAT outbound information:
Totally 2 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/2
ACL: 2036 Address group: 1 Port-preserved: Y
NO-PAT: N Reversible: N
Config status: Active
Interface: Ten-GigabitEthernet3/0/2
ACL: 2037 Address group: 1 Port-preserved: N
NO-PAT: Y Reversible: Y
VPN instance: vpn_nat
Config status: Active
NAT internal server information:
Totally 4 internal servers.
Interface: Ten-GigabitEthernet3/0/3
Protocol: 6(TCP)
Global IP/port: 50.1.1.1/23
Local IP/port : 192.168.10.15/23
ACL : 2000
Config status : Active
Interface: Ten-GigabitEthernet3/0/4
Protocol: 6(TCP)
Global IP/port: 50.1.1.1/23-30
Local IP/port : 192.168.10.15-192.168.10.22/23
Global VPN : vpn1
Local VPN : vpn3
Config status : Active
Static NAT mappings:
Totally 2 inbound static NAT mappings.
Net-to-net:
Global IP : 2.2.2.1 – 2.2.2.255
Local IP : 1.1.1.0
Netmask : 255.255.255.0
Global VPN : vpn2
Local VPN : vpn1
ACL : 2000
Reversible : Y
Config status: Active
IP-to-IP:
Global IP : 5.5.5.5
Local IP : 4.4.4.4
Global VPN : vpn3
Local VPN : vpn4
ACL : 2001
Reversible : Y
Config status: Active
Totally 2 outbound static NAT mappings.
Net-to-net:
Local IP : 1.1.1.1 - 1.1.1.255
Global IP : 2.2.2.0
Netmask : 255.255.255.0
Local VPN : vpn1
Global VPN : vpn2
ACL : 2000
Reversible : Y
Config status: Active
IP-to-IP:
Local IP : 4.4.4.4
Global IP : 5.5.5.5
Local VPN : vpn1
Global VPN : vpn2
ACL: : 2001
Reversible : Y
Config status: Active
Interfaces enabled with static NAT:
Totally 2 interfaces enabled with static NAT.
Interface: Ten-GigabitEthernet3/0/4
Config status: Active
Interface: Ten-GigabitEthernet3/0/6
Config status: Active
NAT DNS mappings:
Totally 2 NAT DNS mappings.
Domain name : www.server.com
Global IP : 6.6.6.6
Global port : 23
Protocol : TCP(6)
Config status: Active
Domain name : www.service.com
Global IP : 10.1.1.1
Global port : 12
Protocol : TCP(6)
Config status: Active
NAT logging:
Log enable : Enabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(40%)
NAT hairpinning:
Totally 2 interfaces enabled with NAT hairpinning.
Interface: Ten-GigabitEthernet3/0/4
Config status: Active
Interface: Ten-GigabitEthernet3/0/6
Config status: Active
NAT mapping behavior:
Mapping mode : Connection-dependent
The output shows all NAT configuration information. Table 4 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.
Table 4 Command output
Field |
Description |
NAT address group information |
Information about the NAT address group. See Table 3 for output description. |
NAT server group information |
Information about the internal server group. See Table 12 for output description. |
NAT outbound information |
Outbound dynamic NAT configuration. See Table 10 for output description. |
NAT internal server information |
NAT Server configuration. See Table 11 for output description. |
Static NAT mappings |
Static NAT mappings. See Table 14 for output description. |
NAT DNS mappings |
NAT DNS mappings. See Table 5 for output description. |
NAT logging |
NAT logging configuration. See Table 8 for output description. |
NAT hairpinning |
NAT hairpin configuration. If NAT hairpin is not configured, this field is not displayed. |
Totally n interfaces enabled with NAT hairpinning |
Number of interfaces with NAT hairpin enabled. |
Interface |
NAT hairpin-enabled interface. |
Config status |
Status of the NAT hairpin configuration: Active. |
NAT mapping behavior |
Mapping behavior mode of PAT: · Endpoint-Independent. · Address and Port-Dependent Mapping. · Connection-dependent. · Endpoint-Independent (TCP)—The mapping mode is endpoint-independent and only EIM entries for TCP connections are created. · Endpoint-Independent (TCP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for TCP connections are created. · Endpoint-Independent (UDP)—The mapping mode is endpoint-independent and only EIM entries for UDP connections are created. · Endpoint-Independent (UDP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for UDP connections are created. |
ACL |
ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---). |
Config status |
Status of the NAT mapping behavior configuration: · Active—The configuration is in effect. · Inactive—The configuration is not in effect. |
Reasons for inactive status |
Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status field displays Inactive. |
display nat dns-map
Use display nat dns-map to display NAT DNS mapping configuration.
Syntax
display nat dns-map
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display NAT DNS mapping configuration.
<Sysname> display nat dns-map
NAT DNS mapping information:
Totally 2 NAT DNS mappings.
Domain name : www.server.com
Global IP : 6.6.6.6
Global port : 23
Protocol : TCP(6)
Config status: Active
Domain name : www.service.com
Global IP : 10.1.1.1
Global port : 12
Protocol : TCP(6)
Config status: Active
Table 5 Command output
Field |
Description |
NAT DNS mapping information |
Information about the NAT DNS mappings. |
Totally n NAT DNS mappings |
Total number of NAT DNS mappings. |
Domain name |
Domain name of the internal server. |
Global IP |
Public IP address of the internal server. · If Easy IP is configured, this field displays the IP address of the specified interface. · If you do not specify a public IP address, this field displays hyphens (---). |
Global port |
Public port number of the internal server. |
Protocol |
Protocol name and number of the internal server. |
Config status |
Status of the DNS mapping configuration: · Active—The configuration is in effect. · Inactive—The configuration is not in effect. |
Reasons for inactive status |
Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status field displays Inactive. |
Related commands
nat dns-map
display nat eim
Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.
Syntax
display nat eim [ slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entries on all cards.
protocol: Specifies a protocol by its type.
icmp: Specifies the ICMP protocol.
tcp: Specifies the TCP protocol.
udp: Specifies the UDP protocol.
local-ip local-ip: Displays EIM entry information for a private IP address. The local-ip argument specifies a private IP address.
local-ip b4 ipv6-address: Displays EIM entry information for a B4 device IP address. The ipv6-address argument specifies the IPv6 address of a B4 device.
local-port local-port: Displays EIM entry information for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.
global-ip global-ip: Displays EIM entry information for a public IP address. The global-ip argument specifies a public IP address.
global-port global-port: Displays EIM entry information for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.
Usage guidelines
EIM entries are created when PAT operates in EIM mode. An EIM entry is a three-tuple entry, and it records the mapping between a private address/port and a public address/port.
The EIM entry provides the following functions:
· The same EIM entry applies to subsequent connections initiated from the same source IP and port.
· The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.
If you do not specify the local-ip, local-port, global-ip, or global-port keyword, this command displays information about all EIM entries for ICMP, TCP, and UDP protocols.
Examples
# Display information about NAT EIM entries on the specified slot.
<Sysname> display nat eim slot 1
Slot 1:
Local IP/port: 192.168.100.100/1024
Global IP/port: 200.100.1.100/2048
DS-Lite tunnel peer: -
Local VPN: vpn1
Global VPN: vpn2
Protocol: TCP(6)
Failover group name: -
Local IP/port: 192.168.100.200/2048
Global IP/port: 200.100.1.200/4096
DS-Lite tunnel peer: -
Protocol: UDP(17)
Failover group name: -
Total entries found: 2
# Display information about NAT EIM entries for TCP on the specified slot.
<Sysname> display nat eim slot 1 cpu 0 protocol tcp
Slot 1:
Local IP/port: 192.168.100.100/1024
Global IP/port: 200.100.1.100/2048
DS-Lite tunnel peer: -
Local VPN: vpn1
Global VPN: vpn2
Protocol: TCP(6)
Failover group name: -
Total entries found: 1
Table 6 Command output
Field |
Description |
CPU |
Number of the CPU. |
DS-Lite tunnel peer |
DS-Lite tunnel B4 address. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
Local VPN |
MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed. |
Global VPN |
MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed. |
Protocol |
Protocol name and number. |
Failover group name |
This field is not supported in the current software version. Failover group name. If no failover group is specified, this field displays a hyphen (-). |
Total entries found |
Total number of EIM entries. |
Related commands
nat outbound
display nat eim statistics
Use display nat eim statistics to display NAT EIM entry statistics.
Syntax
display nat eim statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry statistics on all cards.
Usage guidelines
The NAT EIM entry statistics include the following information:
· The number of EIM entries.
· The creation rate of EIM entries for TCP.
· The creation rate of EIM entries for UDP.
Examples
# Display EIM entry statistics for the specified slot.
<Sysname> display nat eim statistics slot 2
EIM: Total EIM entries.
TCP: Total EIM entries for TCP.
UDP: Total EIM entries for UDP.
Rate: Creating rate of EIM entries.
TCP rate: Creating rate of EIM entries for TCP.
UDP rate: Creating rate of EIM entries for UDP.
Slot EIM TCP UDP Rate TCP rate UDP rate
(entries/s) (entries/s) (entries/s)
2 0 0 0 0 0 0
Table 7 Command output
Field |
Description |
Total EIM entries |
Total number of EIM entries. |
Total EIM entries for TCP |
Total number of EIM entries for TCP. |
Total EIM entries for UDP |
Total number of EIM entries for UDP. |
Creating rate of EIM entries |
Creation rate of EIM entries. |
Creating rate of EIM entries for TCP |
Creation rate of EIM entries for TCP. |
Creating rate of EIM entries for UDP |
Creation rate of EIM entries for UDP. |
display nat log
Use display nat log to display NAT logging configuration.
Syntax
display nat log
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display NAT logging configuration.
<Sysname> display nat log
NAT logging:
Log enable : Enabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Bandwidth-usage : Enabled(Threshold: 90%)
Table 8 Command output
Field |
Description |
NAT logging |
NAT logging configuration. |
Log enable |
Whether NAT logging is enabled. · Enabled—NAT logging is enabled. If an ACL is specified for NAT logging, this field also displays the ACL number or name. · Disabled—NAT logging is disabled. |
Flow-begin |
Whether logging is enabled for NAT session establishment events. |
Flow-end |
Whether logging is enabled for NAT session removal events. |
Flow-active |
Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated. |
Bandwidth-usage |
This field is not supported in the current software version. Logging is enabled for the CGN card bandwidth usage. The Threshold field displays the threshold for the CGN card bandwidth usage, in percentage. The default threshold value is 90%. |
Related commands
nat log enable
nat log flow-active
nat log flow-begin
display nat no-pat
Use display nat no-pat to display information about NAT NO-PAT entries.
Syntax
display nat no-pat [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entries on all cards.
Usage guidelines
A NO-PAT entry records the mapping between a private address and a public address.
The NO-PAT entry provides the following functions:
· The same entry applies to subsequent connections initiated from the same source IP address.
· The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.
Outbound NO-PAT address translation creates NO-PAT entries.
Examples
# Display information about NO-PAT entries for the specified slot.
<Sysname> display nat no-pat slot 1
Slot 1:
Global IP: 200.100.1.100
Local IP: 192.168.100.100
Global VPN: vpn2
Local VPN: vpn1
Reversible: N
Type : Inbound
Local IP: 192.168.100.200
Global IP: 200.100.1.200
Reversible: Y
Type : Outbound
Total entries found: 2
Table 9 Command output
Field |
Description |
Global IP |
Public IP address. |
Local IP |
Private IP address. |
Local VPN |
MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed. |
Global VPN |
MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed. |
Reversible |
Whether reverse address translation is allowed: · Y—Reverse address translation is allowed. · N—Reverse address translation is not allowed. |
Type |
Type of the NO-PAT entry: · Inbound—A NO-PAT entry created during inbound dynamic NAT. · Outbound—A NO-PAT entry created during outbound dynamic NAT. |
Total entries found |
Total number of NO-PAT entries. |
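The usage guidelines for display nat eim and display nat no-pat above both say that an entry is reused for later connections from the same source and allows reverse translation for connections initiated from outside; the NAT mapping behavior field in Table 4 lists the modes. What this means for exposure is easiest to see in a model. The following is an added example, not the device's implementation or any code from this reference: it simulates NO-PAT (address-only mapping, with and without Reversible), EIM (PAT keyed on protocol and private address/port only) and connection-dependent mapping (PAT keyed on the full 5-tuple), using the addresses from the sample outputs above. The class, its port allocation, and the packet sequence are assumptions made for illustration.

```python
class Nat:
    """Toy model of three mapping behaviours named in this reference: no-pat
    (address-only mapping), eim (PAT, endpoint-independent mapping) and
    connection-dependent (PAT, one mapping per 5-tuple). Not the device's code."""

    def __init__(self, mode, global_ip=None, pool=(), port_start=1024, reversible=False):
        assert mode in ("no-pat", "eim", "connection-dependent")
        self.mode = mode
        self.global_ip = global_ip        # public address used by the two PAT modes
        self.pool = list(pool)            # free public addresses for NO-PAT
        self.reversible = reversible      # NO-PAT only: the Reversible: Y flag
        self.next_port = port_start       # simplistic sequential port allocation
        self.no_pat = {}    # local ip -> global ip                 (display nat no-pat)
        self.eim = {}       # (proto, lip, lport) -> (gip, gport)   (display nat eim)
        self.sessions = {}  # (proto, lip, lport, dip, dport) -> (gip, gport)

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, proto, lip, lport, dip, dport):
        """Translate a packet from inside; returns the (global ip, global port)
        seen on the wire, or None when the NO-PAT pool is exhausted."""
        if self.mode == "no-pat":
            if lip not in self.no_pat:
                if not self.pool:
                    return None
                self.no_pat[lip] = self.pool.pop(0)
            gip, gport = self.no_pat[lip], lport          # port is preserved
        elif self.mode == "eim":
            key = (proto, lip, lport)                     # destination is ignored
            if key not in self.eim:
                self.eim[key] = (self.global_ip, self._alloc_port())
            gip, gport = self.eim[key]
        else:
            key = (proto, lip, lport, dip, dport)         # new destination, new mapping
            if key not in self.sessions:
                self.sessions[key] = (self.global_ip, self._alloc_port())
            gip, gport = self.sessions[key]
        self.sessions[(proto, lip, lport, dip, dport)] = (gip, gport)
        return gip, gport

    def inbound(self, proto, sip, sport, gip, gport):
        """Reverse-translate a packet from outside; returns the internal (ip, port)
        it is delivered to, or None if the NAT has no entry for it and drops it."""
        # A reply on an existing 5-tuple session is delivered in every mode.
        for (p, lip, lport, dip, dport), (g_ip, g_port) in self.sessions.items():
            if (p, dip, dport, g_ip, g_port) == (proto, sip, sport, gip, gport):
                return lip, lport
        # Anything else is outside-initiated; only an EIM entry or a reversible
        # NO-PAT entry lets it through.
        if self.mode == "eim":
            for (p, lip, lport), (g_ip, g_port) in self.eim.items():
                if (p, g_ip, g_port) == (proto, gip, gport):
                    return lip, lport      # any external host may reach the mapped port
        if self.mode == "no-pat" and self.reversible:
            for lip, g_ip in self.no_pat.items():
                if g_ip == gip:
                    return lip, gport      # every port of the internal host is reachable
        return None


def demo():
    """Same internal flow under EIM and connection-dependent mapping; returns, per
    mode, whether an unrelated external host (9.9.9.9) can reach the internal host."""
    results = {}
    for mode in ("eim", "connection-dependent"):
        nat = Nat(mode, global_ip="200.100.1.100", port_start=2048)
        nat.outbound("udp", "192.168.100.100", 1024, "8.8.8.8", 53)
        results[mode] = nat.inbound("udp", "9.9.9.9", 53, "200.100.1.100", 2048) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The model shows why the mapping mode is a security setting and not only a NAT-traversal convenience: with EIM, every external host can reach the internal port once the internal host has sent a single packet out, and a reversible NO-PAT entry exposes every port of the internal host, whereas connection-dependent mapping only delivers packets that match an existing session.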
Related commands
nat outbound
display nat outbound
Use display nat outbound to display information about outbound dynamic NAT.
Syntax
display nat outbound
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about outbound dynamic NAT.
<Sysname> display nat outbound
NAT outbound information:
Totally 2 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/1
ACL: 2036 Address group: 1 Port-preserved: Y
NO-PAT: N Reversible: N
Config status: Active
Interface: Ten-GigabitEthernet3/0/2
ACL: 2037 Address group: 2 Port-preserved: N
NO-PAT: Y Reversible: Y
VPN instance: vpn_nat
Config status: Active
Interface: Ten-GigabitEthernet3/0/1
DS-Lite B4 ACL: 2100 Address group: 0 Port-preserved: N
NO-PAT: N Reversible: N
Config status: Active
Table 10 Command output
Field |
Description |
NAT outbound information |
Information about outbound dynamic NAT. |
Totally n NAT outbound rules |
Total number of outbound dynamic NAT rules. |
Interface |
Interface where the outbound dynamic NAT rule is configured. |
ACL |
IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---). |
DS-Lite B4 ACL |
Number or name of the IPv6 ACL used by DS-Lite port block mapping. |
Address group |
Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---). |
Port-preserved |
Whether to try to preserve the port numbers for PAT. |
NO-PAT |
Whether NO-PAT is used: · Y—NO-PAT is used. · N—PAT is used. |
Reversible |
Whether reverse address translation is allowed: · Y—Reverse address translation is allowed. · N—Reverse address translation is not allowed. |
VPN instance |
MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed. |
Config status |
Status of the outbound dynamic NAT configuration: · Active—The configuration is in effect. · Inactive—The configuration is not in effect. |
Reasons for inactive status |
Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: · One or more of the following items do not exist or are not in effect: global VPN, interface IP address, address group, and ACL. · NAT address conflicts. |
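Two things in this output deserve a routine check: rules whose Config status is not Active (the translation the operator believes is in place is not being applied) and rules with NO-PAT: Y together with Reversible: Y, which per the Reversible field allow external hosts to initiate connections to the mapped internal hosts. The following audit is an added example, not part of this command reference or of the device software. The sample output is constructed to match the display nat outbound format above; the third rule, its address group number and the wording of its Reasons for inactive status line are invented, and the severities are assumptions.

```python
import re

# Constructed sample in the format of the display nat outbound output above. The third
# rule and its "Reasons for inactive status" line are invented to show an Inactive rule.
SAMPLE_OUTPUT = """\
NAT outbound information:
Totally 3 NAT outbound rules.
Interface: Ten-GigabitEthernet3/0/1
  ACL: 2036          Address group: 1      Port-preserved: Y
  NO-PAT: N          Reversible: N
  Config status: Active
Interface: Ten-GigabitEthernet3/0/2
  ACL: 2037          Address group: 2      Port-preserved: N
  NO-PAT: Y          Reversible: Y
  VPN instance: vpn_nat
  Config status: Active
Interface: Ten-GigabitEthernet3/0/5
  ACL: ---           Address group: 9      Port-preserved: N
  NO-PAT: Y          Reversible: N
  Config status: Inactive
  Reasons for inactive status: The following items don't exist or aren't effective: address group.
"""

# "DS-Lite B4 ACL" is listed before "ACL" so the longer field name wins.
FIELD_RE = re.compile(
    r"(DS-Lite B4 ACL|ACL|Address group|Port-preserved|NO-PAT|Reversible|"
    r"VPN instance|Config status):\s*(\S+)")


def parse_outbound(text):
    """Split the output into one dict of field -> value per 'Interface:' block."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            current = {"Interface": line.split(":", 1)[1].strip()}
            rules.append(current)
            continue
        if current is None:
            continue                      # header lines before the first rule
        if line.startswith("Reasons for inactive status:"):
            current["Reasons"] = line.split(":", 1)[1].strip()
            continue
        for key, value in FIELD_RE.findall(line):
            current[key] = value
    return rules


def audit_outbound(rules):
    """Return (interface, severity, message) findings for dead or exposing rules."""
    findings = []
    for r in rules:
        iface = r["Interface"]
        if r.get("Config status") != "Active":
            findings.append((iface, "high", "rule is not active: "
                             + r.get("Reasons", "no reason reported")))
        if r.get("NO-PAT") == "Y" and r.get("Reversible") == "Y":
            findings.append((iface, "high", "reversible NO-PAT: external hosts can "
                             "initiate connections to the mapped internal hosts"))
        if r.get("ACL", "---") == "---" and "DS-Lite B4 ACL" not in r:
            findings.append((iface, "medium", "no ACL: the rule is not restricted to "
                             "specific internal source addresses"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit_outbound(parse_outbound(SAMPLE_OUTPUT)):
        print(f"{severity:6} {iface}: {message}")
```

Running the same parser over display nat all output works unchanged for the NAT outbound section, since the rule blocks have the same layout there.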
Related commands
nat outbound
display nat server
Use display nat server to display NAT server mappings.
Syntax
display nat server
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display NAT server mappings.
<Sysname> display nat server
NAT internal server information:
Totally 4 internal servers.
Interface: Ten-GigabitEthernet3/0/3
Protocol: 6(TCP)
Global IP/port: 50.1.1.1/23
Local IP/port : 192.168.10.15/23
Config status : Active
Interface: Ten-GigabitEthernet3/0/4
Protocol: 6(TCP)
Global IP/port: 50.1.1.1/23-30
Local IP/port : 192.168.10.15-192.168.10.22/23
Global VPN : vpn1
Local VPN : vpn3
Config status : Active
Interface: Ten-GigabitEthernet3/0/4
Protocol: 255(Reserved)
Global IP/port: 50.1.1.100/---
Local IP/port : 192.168.10.150/---
Global VPN : vpn2
Local VPN : vpn4
Config status : Active
Interface: Ten-GigabitEthernet3/0/5
Protocol: 17(UDP)
Global IP/port: 50.1.1.2/23
Local IP/port : server group 1
1.1.1.1/21 (Connections: 10)
192.168.100.200/80 (Connections: 20)
Global VPN : vpn1
Local VPN : vpn10
Config status : Active
Table 11 Command output
Field |
Description |
NAT internal server information |
Information about NAT server mappings. |
Totally n internal servers |
Total number of NAT server mappings. |
Interface |
Interface where the NAT server mapping is configured. |
Protocol |
Protocol number and name of the internal server. |
Global IP/port |
Public IP address and port number of the internal server. · Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If the interface has no IP address, the Global IP field displays hyphens (---). · port—A single port number or a port number range. If the specified protocol does not use port numbers, the port field displays hyphens (---). |
Local IP/port |
For common NAT server mappings, this field displays the private IP address and port number of the server. · Local IP—A single IP address or an IP address range. · port—A single port number or a port number range. If the specified protocol does not use port numbers, the port field displays hyphens (---). For load sharing NAT server mappings, this field displays the internal server group ID and the IP address, port number, and number of connections of each member. |
Global VPN |
MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed. |
Local VPN |
MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed. |
ACL |
ACL number or name. If no ACL is specified, this field is not displayed. |
Config status |
Status of the NAT server mapping configuration: · Active—The configuration is in effect. · Inactive—The configuration is not in effect. |
Reasons for inactive status |
Reasons why the NAT server mapping does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: · One or more of the following items do not exist or are not in effect: global VPN, interface IP address, server group, and ACL. · Server configuration conflicts. · NAT address conflicts. |
Related commands
nat server
display nat server-group
Use display nat server-group to display internal server group configuration.
Syntax
display nat server-group [ group-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-id: Specifies the ID of the internal server group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.
Examples
# Display configuration about all internal server groups.
<Sysname> display nat server-group
NAT server group information:
Totally 3 NAT server groups.
Group Number Inside IP Port Weight
1 192.168.0.26 23 100
192.168.0.27 23 500
2 --- --- ---
3 192.168.0.26 69 100
# Display configuration about internal server group 1.
<Sysname> display nat server-group 1
Group Number Inside IP Port Weight
1 192.168.0.26 23 100
192.168.0.27 23 500
Table 12 Command output
Field |
Description |
NAT server group information |
Information about NAT server groups. |
Totally n NAT server groups |
Total number of NAT server groups. |
Group Number |
ID of the internal server group. |
Inside IP |
Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---). |
Port |
Private port number of a member in the internal server group. If no port number is specified, this field displays hyphens (---). |
Weight |
Weight of a member in the internal server group. If no weight value is specified, this field displays hyphens (---). |
Related commands
nat server-group
display nat session
Use display nat session to display sessions that have been NATed.
Syntax
display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ slot slot-number ] [ brief | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.
destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Displays IPv4 unicast session entries for the specified protocol. If you do not specify a protocol, the command displays NAT session entries for all supported protocols. Supported IPv4 transport layer protocols include DCCP, ICMP, RawIP, SCTP, TCP, UDP, and UDP-Lite.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions on all cards.
brief: Displays brief information about NAT sessions.
verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about all NAT sessions.
Examples
# Display detailed information about NAT sessions for the specified slot.
<Sysname> display nat session slot 1 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/1
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.10/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/0/2
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
# Display brief information about NAT sessions for the specified slot.
<Sysname> display nat session slot 1 brief
Slot 1:
Protocol  Source IP/port     Destination IP/port   Global IP/port
TCP       10.2.1.58/2477     20.1.1.2/1025         30.2.4.9/226
Total sessions found: 1
Table 13 Command output
Field | Description |
---|---|
CPU | Number of the CPU. |
Source IP/port | Source IP address and port number. |
Destination IP/port | Destination IP address and port number. |
DS-Lite tunnel peer | Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
VPN instance/VLAN ID/VLL ID | The fields identify the following information: · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. · VLL ID—INLINE to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or VLL ID is specified, a hyphen (-) is displayed for the related field. |
Protocol | Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |
Inbound interface | Input interface. |
State | NAT session status. |
Application | Application layer protocol type, such as FTP and DNS. This field displays OTHER for the protocol types identified by non-well-known ports. |
Start time | Time when the session starts. |
TTL | Remaining NAT session lifetime in seconds. |
Initiator->Responder | Number of packets and packet bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and packet bytes from the responder to the initiator. |
Total sessions found | Total number of sessions. |
Source IP/port | Source IP address and port number of the initiator. |
Destination IP/port | Destination IP address and port number of the initiator. |
Global IP/port | Public IP address and port number. |
Related commands
reset nat session
display nat static
Use display nat static to display static NAT mappings.
Syntax
display nat static
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display static NAT mappings.
<Sysname> display nat static
Static NAT mappings:
Totally 2 inbound static NAT mappings.
Net-to-net:
Global IP : 1.1.1.1 - 1.1.1.255
Local IP : 2.2.2.0
Netmask : 255.255.255.0
Global VPN : vpn2
Local VPN : vpn1
ACL : 2000
Reversible : Y
Config status: Active
IP-to-IP:
Global IP : 5.5.5.5
Local IP : 4.4.4.4
Global VPN : vpn3
Local VPN : vpn4
ACL : 2001
Reversible : Y
Config status: Active
Totally 2 outbound static NAT mappings.
Net-to-net:
Local IP : 1.1.1.1 - 1.1.1.255
Global IP : 2.2.2.0
Netmask : 255.255.255.0
Local VPN : vpn1
Global VPN : vpn2
ACL : 2000
Reversible : Y
Config status: Active
IP-to-IP:
Local IP : 4.4.4.4
Global IP : 5.5.5.5
Local VPN : vpn4
Global VPN : vpn3
ACL : 2000
Reversible : Y
Config status: Active
Interfaces enabled with static NAT:
Totally 2 interfaces enabled with static NAT.
Interface: Ten-GigabitEthernet3/0/2
Config status: Active
Interface: Ten-GigabitEthernet3/0/3
Config status: Active
Field | Description |
---|---|
Static NAT mappings | Information about static NAT mappings. |
Totally n inbound static NAT mappings | Total number of inbound static NAT mappings. |
Totally n outbound static NAT mappings | Total number of outbound static NAT mappings. |
Net-to-net | Net-to-net static NAT mapping. |
IP-to-IP | One-to-one static NAT mapping. |
Local IP | Private IP address or address range. |
Global IP | Public IP address or address range. |
Netmask | Network mask. |
Local VPN | MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed. |
Global VPN | MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed. |
ACL | ACL number or name. If no ACL is specified, this field is not displayed. |
Reversible | Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed. |
Interfaces enabled with static NAT | Interfaces that are enabled with static NAT. |
Totally n interfaces enabled with static NAT | Total number of interfaces enabled with static NAT. |
Interface | Interface enabled with static NAT. |
Config status | Status of the static NAT mapping configuration: · Active—The configuration is taking effect. · Inactive—The configuration is not taking effect. |
Reasons for inactive status | Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: · The following items don't exist or aren't effective: local VPN, global VPN, and ACL. · NAT address conflicts. |
Related commands
nat static enable
display nat statistics
Use display nat statistics to display NAT statistics.
Syntax
display nat statistics [ summary ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics on all cards.
Examples
# Display detailed information about all NAT statistics.
<Sysname> display nat statistics
Slot 0:
Total session entries: 100
Total EIM entries: 1
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Active static port block entries: 0
Active dynamic port block entries: 0
Total PAT entries: 0
Table 15 Command output
Field | Description |
---|---|
Total session entries | Number of NAT session entries. |
Total EIM entries | Number of EIM entries. |
Total inbound NO-PAT entries | Number of inbound NO-PAT entries. |
Total outbound NO-PAT entries | Number of outbound NO-PAT entries. |
Active static port block entries | Number of static port block mappings that are in use. |
Active dynamic port block entries | Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks. |
Total PAT entries | Number of PAT entries. |
# Display summary information about all NAT statistics.
<Sysname> display nat statistics summary
EIM: Total EIM entries.
SPB: Total static port block entries.
DPB: Total dynamic port block entries.
ASPB: Active static port block entries.
ADPB: Active dynamic port block entries.
Slot  Sessions  EIM  SPB  DPB  ASPB  ADPB
0     100       1    10   15   0     0
Table 16 Command output
Field | Description |
---|---|
Sessions | Number of NAT session entries. |
EIM | Number of EIM entries. |
SPB | Number of static port block mappings. |
DPB | Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. If the user-defined extended port block size is different from the pre-allocated port block size, the device calculates the number of dynamic port block mappings that can be created based on the port block size of 64. |
ASPB | Number of static port block mappings in use. |
ADPB | Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks. |
inside ip
Use inside ip to add a member to an internal server group.
Use undo inside ip to remove a member from an internal server group.
Syntax
inside ip inside-ip port port-number [ weight weight-value ]
undo inside ip inside-ip port port-number
Default
No members exist in an internal server group.
Views
Internal server group view
Predefined user roles
network-admin
Parameters
inside-ip: Specifies the IP address of an internal server.
port port-number: Specifies the port number of an internal server, in the range of 1 to 65535.
weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.
Examples
# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.
<Sysname> system-view
[Sysname] nat server-group 1
[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30
Related commands
nat server-group
nat address-group
Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.
Use undo nat address-group to delete a NAT address group.
Syntax
nat address-group group-id
undo nat address-group group-id
Default
No NAT address groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.
Usage guidelines
A NAT address group can contain multiple address ranges added by using the address command. Dynamic NAT translates the source IP address of a packet to an IP address in the address group.
You cannot use the undo nat address-group command to delete a NAT address group in use.
Examples
# Create a NAT address group numbered 1.
<Sysname> system-view
[Sysname] nat address-group 1
Related commands
address
display nat address-group
display nat all
nat outbound
nat alg
Use nat alg to enable NAT ALG for the specified or all supported protocols.
Use undo nat alg to disable NAT ALG for the specified or all supported protocols.
Syntax
nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }
undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }
Default
NAT ALG is disabled for all supported protocols except for FTP, ICMP error packets, and RTSP.
Views
System view
Predefined user roles
network-admin
Parameters
all: Enables NAT ALG for all supported protocols.
dns: Enables NAT ALG for DNS.
ftp: Enables NAT ALG for FTP.
h323: Enables NAT ALG for H.323.
icmp-error: Enables NAT ALG for ICMP error packets.
ils: Enables NAT ALG for ILS.
mgcp: Enables NAT ALG for MGCP.
nbt: Enables NAT ALG for NBT.
pptp: Enables NAT ALG for PPTP.
rsh: Enables NAT ALG for RSH.
rtsp: Enables NAT ALG for RTSP.
sccp: Enables NAT ALG for SCCP.
sip: Enables NAT ALG for SIP.
sqlnet: Enables NAT ALG for SQLNET.
tftp: Enables NAT ALG for TFTP.
xdmcp: Enables NAT ALG for XDMCP.
Usage guidelines
NAT ALG translates address or port information in the application layer payload to ensure connection establishment.
For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.
The nat alg h323 command fails if you have executed the nat mapping-behavior endpoint-independent tcp or nat mapping-behavior endpoint-independent udp command.
Examples
# Enable NAT ALG for FTP.
<Sysname> system-view
[Sysname] nat alg ftp
Related commands
display nat all
nat mapping-behavior endpoint-independent
nat dns-map
Use nat dns-map to configure a NAT DNS mapping.
Use undo nat dns-map to remove a NAT DNS mapping.
Syntax
nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port
undo nat dns-map domain domain-name
Default
No NAT DNS mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.
protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.
interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.
ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.
port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:
· A number in the range of 1 to 65535.
· A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.
Usage guidelines
NAT DNS mapping must cooperate with the NAT Server feature. NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.
You can configure multiple NAT DNS mappings.
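The lookup the usage guidelines describe, as an added illustration that is not part of the command reference: DNS ALG keying on the public IP alone cannot tell apart two internal servers that share that public IP, while a DNS mapping gives it the (protocol, public IP, public port) tuple that identifies exactly one NAT server mapping. The mapping tables, the private addresses and the decision to leave an ambiguous reply untranslated (rather than picking a possibly wrong server) are assumptions made for this example, not device behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed NAT server mappings, in the shape `nat server` creates them:
# (protocol, public IP, public port) -> (private IP, private port).
# The first two entries share public IP 202.112.0.1 and differ only in the
# public port, which is the ambiguity the usage guidelines describe.
@dataclass(frozen=True)
class ServerMapping:
    protocol: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


NAT_SERVER_RULES: List[ServerMapping] = [
    ServerMapping("tcp", "202.112.0.1", 80, "192.168.1.10", 8080),
    ServerMapping("tcp", "202.112.0.1", 12345, "192.168.1.20", 22),
    ServerMapping("tcp", "202.112.0.2", 25, "192.168.1.30", 25),
]

# Constructed DNS mapping table, as built by
# `nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345`:
# domain -> (protocol, public IP, public port).
DNS_MAP: Dict[str, Tuple[str, str, int]] = {
    "www.server.com": ("tcp", "202.112.0.1", 12345),
}


def servers_by_global_ip(global_ip: str) -> List[ServerMapping]:
    """All NAT server mappings that share a public IP. This is all DNS ALG can
    key on when no DNS mapping exists for the queried domain."""
    return [r for r in NAT_SERVER_RULES if r.global_ip == global_ip]


def server_by_tuple(protocol: str, global_ip: str,
                    global_port: int) -> Optional[ServerMapping]:
    """Exact match on (protocol, public IP, public port), which is unique."""
    for r in NAT_SERVER_RULES:
        if (r.protocol, r.global_ip, r.global_port) == (protocol, global_ip, global_port):
            return r
    return None


def dns_alg_rewrite(domain: str, answer_ip: str) -> Tuple[str, str]:
    """Decide which address the internal host receives for a DNS A record
    (domain -> answer_ip) that arrived from the external DNS server.

    Returns (address_to_deliver, reason), where reason is one of:
      "dns-map"    the server was identified through the DNS mapping
      "ip-only"    a single server owns the public IP, so IP alone suffices
      "ambiguous"  several servers share the public IP and no mapping exists;
                   the public IP is delivered untouched rather than guessing
      "unchanged"  answer_ip is not a NAT server public address at all
    """
    mapping = DNS_MAP.get(domain.lower().rstrip("."))
    if mapping is not None:
        protocol, global_ip, global_port = mapping
        # Only rewrite when the reply really carries the mapped public IP;
        # a reply for some other address is delivered unchanged.
        if global_ip == answer_ip:
            rule = server_by_tuple(protocol, global_ip, global_port)
            if rule is not None:
                return rule.local_ip, "dns-map"
    candidates = servers_by_global_ip(answer_ip)
    if len(candidates) == 1:
        return candidates[0].local_ip, "ip-only"
    if len(candidates) > 1:
        return answer_ip, "ambiguous"
    return answer_ip, "unchanged"


if __name__ == "__main__":
    for name, ip in [("www.server.com", "202.112.0.1"),
                     ("other.server.com", "202.112.0.1"),
                     ("mail.server.com", "202.112.0.2"),
                     ("www.server.com", "198.51.100.9")]:
        print(f"{name:18} {ip:14} -> {dns_alg_rewrite(name, ip)}")
```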
Examples
# Configure a NAT DNS mapping to map the domain name www.server.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.
<Sysname> system-view
[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345
Related commands
display nat all
display nat dns-map
nat server
nat hairpin enable
Use nat hairpin enable to enable NAT hairpin.
Use undo nat hairpin enable to disable NAT hairpin.
Syntax
nat hairpin enable
undo nat hairpin enable
Default
NAT hairpin is disabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.
Examples
# Enable NAT hairpin on Ten-GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat hairpin enable
Related commands
display nat all
nat log enable
Use nat log enable to enable NAT logging.
Use undo nat log enable to disable NAT logging.
Syntax
nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat log enable
Default
NAT logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
acl: Specifies an ACL.
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.
Usage guidelines
You must enable NAT logging before you enable NAT session logging.
The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.
Examples
# Enable NAT logging.
<Sysname> system-view
[Sysname] nat log enable
Related commands
display nat all
display nat log
nat log flow-active
nat log flow-begin
nat log flow-end
nat log flow-active
Use nat log flow-active to enable logging for active NAT flows and set the logging interval.
Use undo nat log flow-active to disable logging for active NAT flows.
Syntax
nat log flow-active time-value
undo nat log flow-active
Default
Logging for active NAT flows is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.
Usage guidelines
Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.
This command takes effect only after you use the nat log enable command to enable NAT logging.
Examples
# Enable logging for active NAT flows and set the logging interval to 10 minutes.
<Sysname> system-view
[Sysname] nat log flow-active 10
Related commands
display nat all
display nat log
nat log enable
nat log flow-begin
Use nat log flow-begin to enable logging for NAT session establishment events.
Use undo nat log flow-begin to disable logging for NAT session establishment events.
Syntax
nat log flow-begin
undo nat log flow-begin
Default
Logging for NAT session establishment events is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command takes effect only after you use the nat log enable command to enable NAT logging.
Examples
# Enable logging for NAT session establishment events.
<Sysname> system-view
[Sysname] nat log flow-begin
Related commands
display nat all
display nat log
nat log enable
nat log flow-end
Use nat log flow-end to enable logging for NAT session removal events.
Use undo nat log flow-end to disable logging for NAT session removal events.
Syntax
nat log flow-end
undo nat log flow-end
Default
Logging for NAT session removal events is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command takes effect only after you use the nat log enable command to enable NAT logging.
Examples
# Enable logging for NAT session removal events.
<Sysname> system-view
[Sysname] nat log flow-end
Related commands
display nat all
display nat log
nat log enable
nat mapping-behavior endpoint-independent
Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping mode for PAT.
Use undo nat mapping-behavior endpoint-independent to restore the default.
Syntax
nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *
undo nat mapping-behavior endpoint-independent
Default
Connection-Dependent Mapping applies.
Views
System view
Predefined user roles
network-admin
Parameters
tcp: Creates EIM entries for TCP connections.
udp: Creates EIM entries for UDP connections.
tcp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for TCP connections. If you do not specify this keyword, only EIM entries are created.
udp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for UDP connections. If you do not specify this keyword, only EIM entries are created.
Usage guidelines
PAT supports the following types of NAT mappings:
· Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.
· Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.
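The difference between the two mapping modes, as an added simulation that is not part of the command reference: one PAT table keyed the EIM way (per private IP and port, reused for every destination) beside one keyed per connection, with the same inbound packet from an unrelated external host offered to both. The table layout, the port allocator and the addresses are assumptions for this example; the device's real data structures are not described on the page.

```python
from itertools import count
from typing import Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
Endpoint = Tuple[str, int]


class PatTable:
    """Simplified PAT mapping table for one public address (constructed model).

    mode "eim": one EIM entry per (proto, private IP, private port), reused for
                every destination; an inbound packet from any external host that
                hits the mapped public port is forwarded.
    mode "cdm": a fresh public port per connection; an inbound packet is
                forwarded only to the connection that created the mapping.
    """

    def __init__(self, mode: str, global_ip: str, first_port: int = 1024) -> None:
        if mode not in ("eim", "cdm"):
            raise ValueError("mode must be 'eim' or 'cdm'")
        self.mode = mode
        self.global_ip = global_ip
        self._ports = count(first_port)            # constructed port allocator
        self.eim: Dict[Tuple[str, str, int], int] = {}
        self.sessions: Dict[FiveTuple, int] = {}

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Endpoint:
        """Translate an outgoing packet; returns the public (IP, port) used."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.global_ip, self.sessions[key]
        if self.mode == "eim":
            ekey = (proto, src_ip, src_port)
            if ekey not in self.eim:
                self.eim[ekey] = next(self._ports)
            gport = self.eim[ekey]
        else:
            gport = next(self._ports)
        self.sessions[key] = gport
        return self.global_ip, gport

    def inbound(self, proto: str, ext_ip: str, ext_port: int,
                global_port: int) -> Optional[Endpoint]:
        """Translate an incoming packet to (private IP, port), or None to drop it."""
        # A reply belonging to an existing connection is accepted in both modes.
        for (p, sip, sport, dip, dport), gp in self.sessions.items():
            if p == proto and gp == global_port and (dip, dport) == (ext_ip, ext_port):
                return sip, sport
        # Under EIM the mapping itself is reachable from any external endpoint.
        if self.mode == "eim":
            for (p, sip, sport), gp in self.eim.items():
                if p == proto and gp == global_port:
                    return sip, sport
        return None


def exposure_report(mode: str) -> Dict[str, bool]:
    """Run one scenario (constructed addresses) through a table in the given
    mode and summarise what an unsolicited external host can reach."""
    t = PatTable(mode, "203.0.113.1")
    a = t.outbound("udp", "10.0.0.5", 5000, "198.51.100.10", 53)
    b = t.outbound("udp", "10.0.0.5", 5000, "198.51.100.20", 53)
    stranger = t.inbound("udp", "192.0.2.99", 4444, a[1])
    return {"same_public_port": a == b, "stranger_forwarded": stranger is not None}


if __name__ == "__main__":
    for m in ("eim", "cdm"):
        print(m, exposure_report(m))
```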
The nat mapping-behavior endpoint-independent tcp or nat mapping-behavior endpoint-independent udp command cannot be configured in the following condition:
For interface-based NAT, one or more of the following commands have been configured on the device:
· nat server.
· nat static outbound.
· nat static outbound net-to-net.
· nat alg h323.
After you execute the nat mapping-behavior endpoint-independent command, EIM entries and five-tuple session entries are always created for ICMP connections.
The existing and newly configured dynamic NO-PAT rules do not take effect if you specify the Endpoint-Independent Mapping mode for outbound dynamic PAT rules.
Examples
# Apply the Endpoint-Independent Mapping mode and create EIM entries for TCP packet address translation.
<Sysname> system-view
[Sysname] nat mapping-behavior endpoint-independent tcp
Related commands
display nat eim
display nat eim statistics
nat outbound
nat server
nat static outbound
nat static outbound net-to-net
nat outbound
Use nat outbound to configure an outbound dynamic NAT rule.
Use undo nat outbound to delete an outbound dynamic NAT rule.
Syntax
NO-PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
Default
No outbound dynamic NAT rules exist.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.
address-group group-id: Specifies an address group for NAT. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address. Easy IP is used.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.
no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.
reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.
port-preserved: Tries to preserve port number for PAT.
Usage guidelines
Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.
Outbound dynamic NAT supports the following modes:
· PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.
· NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
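ACL reverse matching for a reversible NO-PAT rule, as an added model that is not part of the command reference: the inbound packet's source is checked against the ACL's destination field, then the destination is translated through the NO-PAT entry and the translated address is checked against the ACL's source field. The wildcard-mask matching follows the `rule permit source 10.110.10.0 0.0.0.255` syntax used in the examples; the ACL 3001 rules, the NO-PAT entries, the optional port fields and the implicit deny for unmatched traffic are assumptions for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

Addr = Optional[Tuple[str, str]]   # (ip, wildcard); None means any address


def _wildcard_match(rule_ip: str, wildcard: str, packet_ip: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored,
    bits cleared in the wildcard must be equal."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(rule_ip)) & care) == (int(ip_address(packet_ip)) & care)


@dataclass(frozen=True)
class AclRule:
    action: str                           # "permit" or "deny"
    source: Addr = None
    destination: Addr = None
    source_port: Optional[int] = None     # None means any port
    destination_port: Optional[int] = None


def _side_matches(addr: Addr, port: Optional[int], ip: str, pkt_port: int) -> bool:
    if addr is not None and not _wildcard_match(addr[0], addr[1], ip):
        return False
    return port is None or port == pkt_port


def acl_forward_match(rules: List[AclRule], src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> str:
    """Ordinary first-match evaluation of an outgoing packet. Traffic that
    matches no rule is treated as denied (assumption for this example)."""
    for r in rules:
        if (_side_matches(r.source, r.source_port, src_ip, src_port)
                and _side_matches(r.destination, r.destination_port, dst_ip, dst_port)):
            return r.action
    return "deny"


def acl_reverse_match(rules: List[AclRule], pkt_src_ip: str, pkt_src_port: int,
                      translated_dst_ip: str, translated_dst_port: int) -> str:
    """Reverse matching: the packet's source is compared with each rule's
    destination, and the translated destination with each rule's source."""
    for r in rules:
        if (_side_matches(r.destination, r.destination_port, pkt_src_ip, pkt_src_port)
                and _side_matches(r.source, r.source_port, translated_dst_ip, translated_dst_port)):
            return r.action
    return "deny"


def reverse_translate(rules: List[AclRule], no_pat: Dict[str, str], ext_src_ip: str,
                      ext_src_port: int, global_dst_ip: str, dst_port: int) -> Optional[str]:
    """Inbound handling for a NO-PAT rule configured with `reversible`: return the
    private destination address when an existing NO-PAT entry and ACL reverse
    matching both allow it, otherwise None (the packet is not translated)."""
    local_ip = no_pat.get(global_dst_ip)
    if local_ip is None:
        return None     # no NO-PAT entry yet: nothing to reverse-translate
    if acl_reverse_match(rules, ext_src_ip, ext_src_port, local_ip, dst_port) != "permit":
        return None
    return local_ip


# Constructed advanced ACL 3001: internal subnet 10.110.10.0/24 may reach
# 203.0.113.0/24 only; everything else is denied.
ACL_3001: List[AclRule] = [
    AclRule("permit", source=("10.110.10.0", "0.0.0.255"),
            destination=("203.0.113.0", "0.0.0.255")),
    AclRule("deny"),
]

# Constructed NO-PAT entries (public -> private). The second entry stands in for
# a host outside the permitted source range, to exercise the second step.
NO_PAT: Dict[str, str] = {
    "202.110.10.10": "10.110.10.7",
    "202.110.10.11": "10.110.20.3",
}


if __name__ == "__main__":
    print(acl_forward_match(ACL_3001, "10.110.10.7", 40000, "203.0.113.5", 80))
    print(reverse_translate(ACL_3001, NO_PAT, "203.0.113.5", 1234, "202.110.10.10", 80))
    print(reverse_translate(ACL_3001, NO_PAT, "198.51.100.7", 1234, "202.110.10.10", 80))
```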
An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.
If the Endpoint-Independent Mapping mode is used for outbound dynamic PAT rules, NO-PAT configurations do not take effect.
When you specify an ACL, follow these restrictions and guidelines:
· An ACL can be used by only one outbound dynamic NAT rule on an interface.
· If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.
· If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.
· Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.
A user is not allowed to access a service on an internal server through different external addresses or external port numbers. When configuring load sharing NAT Server, the number of members cannot be less than the value N in one of the following situations:
· A public address, N consecutive public port numbers, and one internal server group.
· N consecutive public addresses, a public port number, and one internal server group.
The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-ipv4-basic-2001] rule deny
[Sysname-acl-ipv4-basic-2001] quit
# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-address-group-1] quit
# Configure an outbound dynamic PAT rule on interface Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1
[Sysname-Ten-GigabitEthernet3/0/1] quit
Or
# Configure an outbound NO-PAT rule on interface Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1 no-pat
[Sysname-Ten-GigabitEthernet3/0/1] quit
Or
# Enable Easy IP to use the IP address of Ten-GigabitEthernet 3/0/1 as the translated address.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001
[Sysname-Ten-GigabitEthernet3/0/1] quit
Or
# Configure an outbound NO-PAT rule on Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1 no-pat reversible
Related commands
address
display nat eim
display nat outbound
nat per-global-ip user-limit
Use nat per-global-ip user-limit to set the maximum number of VPN users sharing one single public address in PAT mode.
Use undo nat per-global-ip user-limit to restore the default.
Syntax
nat per-global-ip user-limit max-number
undo nat per-global-ip user-limit
Default
The number of VPN users that can share one single public IP address is not limited.
Views
NAT address group view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of VPN users, in the range of 1 to 4096.
Usage guidelines
In PAT mode, multiple VPN users can share one single public IP address. If the number of VPN users exceeds the upper limit, the device fails to assign ports to users. New users cannot access the external network, and existing online users cannot initiate new connections. To prevent too many VPN users from using one single public IP address, you can perform this task to evenly distribute users among public IP addresses.
Examples
# Set the maximum number to 500 for VPN users sharing one single public IP address in PAT mode.
<Sysname> system-view
[Sysname] nat address-group 1
[Sysname-address-group-1] nat per-global-ip user-limit 500
nat server
Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.
Use undo nat server to delete a mapping.
Syntax
Common NAT server mapping:
· A single public address with no or a single public port:
nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ]
undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]
· A single public address with consecutive public ports:
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]
· Consecutive public addresses with no single public port:
nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]
· Consecutive public addresses with a single public port:
nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]
Load sharing NAT server mapping:
nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]
Default
No NAT server mappings exist.
Views
Interface view
Predefined user roles
network-admin
Parameters
protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:
· A number in the range of 1 to 255.
· A protocol name of icmp, tcp, or udp.
global: Specifies the external network information that the server uses to provide services to the external network.
global-address: Specifies the public address of an internal server.
global-address1 global-address2: Specifies a public IP address range, which can include a maximum of 256 addresses. The global-address1 argument specifies the start address, and the global-address2 argument specifies the end address, which must be greater than the start address.
current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.
interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.
global-port1 global-port2: Specifies a public port number range, which can include a maximum of 256 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:
· A number in the range of 1 to 65535. Both the start port and the end port support this format.
· A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.
inside: Specifies the internal information of the server.
local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.
local-port: Specifies the private port number. The private port number format can be one of the following:
· A number in the range of 1 to 65535, excluding FTP port 20.
· A protocol name, a string of 1 to 15 characters. For example, http and telnet.
global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.
local-address: Specifies the private IP address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses of NAT server mappings belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.
server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for this argument is 0 to 65535.
acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping.
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.
Usage guidelines
You can configure the NAT server mapping to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.
NAT server mappings are usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. To avoid incorrect operation of NAT and packet loss, do not specify the same IP address for the global-address argument and the local-address argument.
The following table describes the address-port mappings between an external network and an internal network for NAT Server.
Table 17 Address-port mappings for NAT Server
External network | Internal network |
---|---|
One public address | One private address |
One public address and one public port number | One private address and one private port number |
One public address and N consecutive public port numbers | One private address and one private port number |
One public address and N consecutive public port numbers | N consecutive private addresses and one private port number |
One public address and N consecutive public port numbers | One private address and N consecutive private port numbers |
N consecutive public addresses | One private address |
N consecutive public addresses | N consecutive private addresses |
N consecutive public addresses and one public port number | One private address and one private port number |
N consecutive public addresses and one public port number | N consecutive private addresses and one private port number |
N consecutive public addresses and one public port number | One private address and N consecutive private port numbers |
One public address and one public port number | One internal server group |
One public address and N consecutive public port numbers | One internal server group |
N consecutive public addresses and one public port number | One internal server group |
Public addresses matching an ACL | One private address |
Public addresses matching an ACL | One private address and one private port |
The number of the nat server commands that can be configured on an interface varies by device model. The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.
As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.
If the IP address of an interface used by Easy IP changes and conflicts with the public IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. The Easy IP configuration takes effect again once the conflicting address is changed to a non-conflicting address or the internal server configuration without Easy IP is removed.
When you configure load-shared internal servers, make sure a user always uses the same public address and public port to reach the same service on an internal server. For this purpose, make sure the value N in the following mappings is less than or equal to the number of servers in the internal server group:
· One public address and N consecutive public port numbers are mapped to one internal server group.
· N consecutive public addresses and one public port number are mapped to one internal server group.
The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http
[Sysname-Ten-GigabitEthernet3/0/1] quit
# Allow external users to access the internal FTP server at 10.110.10.11 in the VPN instance vrf10 through ftp://202.110.10.10.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10
[Sysname-Ten-GigabitEthernet3/0/1] quit
# Allow external hosts to ping the host at 10.110.10.12 in the VPN instance vrf10 by using the ping 202.110.10.11 command.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10
[Sysname-Ten-GigabitEthernet3/0/1] quit
# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the VPN instance vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10
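The following Python script is an added example; it is not part of this command reference and not the device's code. It expands a nat server mapping into one row per public endpoint according to the address-port mapping rules in Table 17, so that an auditor can list exactly which public address and port exposes which internal host and port, and it reports mappings whose (protocol, public address, public port) tuple repeats on an interface, which the usage guidelines forbid. The 256-entry range limit and the "number of addresses must equal number of ports" rule come from the parameter descriptions; the service-name table (http, telnet, ftp) is a constructed subset, and the Mapping class and the ip_range, port_range, expand and conflicts functions are names chosen for this example.

```python
"""Expand 'nat server' mappings into one row per public endpoint (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"http": 80, "telnet": 23, "ftp": 21}  # constructed subset of port keywords
RANGE_LIMIT = 256  # maximum size of a consecutive address or port range (parameter text)
NO_PORT = [None]   # placeholder for a mapping with no port information


@dataclass(frozen=True)
class Mapping:
    """One public endpoint -> one internal endpoint; a port of None means 'no port given'."""
    proto: str
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]


def port(p):
    """A port number, or a service keyword such as http or telnet."""
    return p if isinstance(p, int) else SERVICE_PORTS[p.lower()]


def ip_range(start, end=None):
    """Consecutive addresses start..end inclusive (end defaults to start)."""
    a = int(ipaddress.IPv4Address(start))
    b = int(ipaddress.IPv4Address(end if end is not None else start))
    if b < a or b - a + 1 > RANGE_LIMIT:
        raise ValueError(f"bad address range {start}-{end}")
    return [str(ipaddress.IPv4Address(x)) for x in range(a, b + 1)]


def port_range(p1, p2=None):
    """Consecutive ports p1..p2 inclusive (p2 defaults to p1)."""
    a = port(p1)
    b = port(p2) if p2 is not None else a
    if b < a or b - a + 1 > RANGE_LIMIT:
        raise ValueError(f"bad port range {p1}-{p2}")
    return list(range(a, b + 1))


def expand(proto, global_ips, global_ports, local_ips, local_ports):
    """One Mapping per public endpoint.

    Each side is a list that is either length 1 (fixed value) or length N
    (consecutive values). Every N-length list must have the same N; this is the
    page's rule that the private address count must equal the public port count.
    """
    lists = {"global_ips": global_ips, "global_ports": global_ports,
             "local_ips": local_ips, "local_ports": local_ports}
    n = max(len(v) for v in lists.values())
    bad = [k for k, v in lists.items() if len(v) not in (1, n)]
    if bad:
        raise ValueError(f"range sizes disagree (N={n}): {bad}")

    def pick(seq, i):
        return seq[i] if len(seq) == n else seq[0]

    return [Mapping(proto, pick(global_ips, i), pick(global_ports, i),
                    pick(local_ips, i), pick(local_ports, i)) for i in range(n)]


def conflicts(rows):
    """Return (proto, public IP, public port) keys that occur more than once."""
    seen, dups = set(), []
    for r in rows:
        key = (r.proto, r.global_ip, r.global_port)
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


# The page's examples, expressed through expand():
WEB_ROWS = expand("tcp", ip_range("202.110.10.10"), port_range(8080),
                  ip_range("10.110.10.10"), port_range("http"))
ICMP_ROWS = expand("icmp", ip_range("202.110.10.11"), NO_PORT,
                   ip_range("10.110.10.12"), NO_PORT)
TELNET_ROWS = expand("tcp", ip_range("202.110.10.10"), port_range(1001, 1100),
                     ip_range("10.110.10.1", "10.110.10.100"), port_range("telnet"))

if __name__ == "__main__":
    for r in TELNET_ROWS[:2] + TELNET_ROWS[-1:]:
        print(f"{r.proto} {r.global_ip}:{r.global_port} -> {r.local_ip}:{r.local_port}")
    print("duplicate public endpoints:", conflicts(WEB_ROWS + TELNET_ROWS))
```

Running the script lists 202.110.10.10:1001 -> 10.110.10.1:23 through 202.110.10.10:1100 -> 10.110.10.100:23, which is the exposure created by the last example above. Feeding expand() a 100-port public range with a 50-address private range raises a ValueError, matching the restriction on local-address1 local-address2.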
Related commands
display nat all
display nat server
nat server-group
nat server-group
Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.
Use undo nat server-group to delete an internal server group.
Syntax
nat server-group group-id
undo nat server-group group-id
Default
No internal server groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-id: Assigns an ID to the internal server group. The value range for this argument is 0 to 65535.
Usage guidelines
An internal server group can contain multiple members configured by the inside ip command.
Examples
# Create internal server group 1.
<Sysname> system-view
[Sysname] nat server-group 1
Related commands
display nat all
display nat server-group
inside ip
nat server
nat static enable
Use nat static enable to enable static NAT on an interface.
Use undo nat static enable to disable static NAT on an interface.
Syntax
nat static enable
undo nat static enable
Default
Static NAT is disabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
Static NAT mappings take effect on an interface only after you enable static NAT on the interface.
Examples
# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on Ten-GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] nat static outbound 192.168.1.1 2.2.2.2
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] nat static enable
Related commands
display nat all
display nat static
nat static
nat static outbound
Use nat static outbound to configure a one-to-one mapping for outbound static NAT.
Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.
Syntax
nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]
undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
local-ip: Specifies a private IP address.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.
global-ip: Specifies a public IP address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address.
Usage guidelines
When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.
· If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.
The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.
<Sysname> system-view
[Sysname] nat static outbound 192.168.1.1 2.2.2.2
# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001
Related commands
display nat all
display nat static
nat static enable
nat static outbound net-to-net
Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.
Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.
Syntax
nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]
undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
local-start-address local-end-address: Specifies a private address range which can contain a maximum of 256 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.
global-network: Specifies a public network address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.
mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.
mask: Specifies the mask of the public network address.
acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.
ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and to avoid confusion, it cannot be all.
reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses.
Usage guidelines
Specify a private network through a start address and an end address, and a public network through a public address and a mask.
When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.
The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.
· If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
¡ Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
¡ Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.
The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
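The following Python model is an added example; it is not part of this command reference and not the device's code. It covers the acl and reversible behaviour described in the usage guidelines of both nat static outbound and nat static outbound net-to-net, and the net-to-net range rule. It follows the two ACL reverse-matching steps given above literally, and it makes one assumption the page does not state: that net-to-net translation keeps the host bits of the private address under the public mask and replaces the network bits, which is what the rule about the private end address staying in the start address's subnet implies. The Rule and StaticNat classes, the acl_match function and the ACL_3001 and NAT fixtures (built from the page's own example addresses) are names chosen for this example.

```python
"""Outbound static NAT with acl / reversible, modelled from the usage guidelines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One advanced ACL rule; a port of None matches any port."""
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def acl_match(rules, src_ip, src_port, dst_ip, dst_port):
    """First matching rule decides; no match is a deny."""
    for r in rules:
        if (IPv4(src_ip) in r.src and IPv4(dst_ip) in r.dst
                and r.src_port in (None, src_port) and r.dst_port in (None, dst_port)):
            return r.permit
    return False


class StaticNat:
    """Outbound static NAT mappings (one-to-one and net-to-net) on one interface."""

    def __init__(self):
        self.l2g = {}  # private IP -> public IP
        self.g2l = {}  # public IP -> private IP

    def add_one_to_one(self, local_ip, global_ip):
        self.l2g[local_ip] = global_ip
        self.g2l[global_ip] = local_ip

    def add_net_to_net(self, local_start, local_end, global_network, mask_length):
        a, b = int(IPv4(local_start)), int(IPv4(local_end))
        if b < a or b - a + 1 > 256:
            raise ValueError("private range must hold 1 to 256 addresses")
        if not 8 <= mask_length <= 31:
            raise ValueError("mask length must be 8 to 31")
        host_bits = (1 << (32 - mask_length)) - 1
        if (a | host_bits) < b:  # page rule: end stays in the start address's subnet under the public mask
            raise ValueError("private end address leaves the subnet of the start address")
        base = int(ipaddress.IPv4Network(f"{global_network}/{mask_length}", strict=False).network_address)
        for x in range(a, b + 1):
            # Assumption: host bits are preserved, network bits come from the public network.
            self.add_one_to_one(str(IPv4(x)), str(IPv4(base | (x & host_bits))))

    def outbound(self, src_ip, src_port, dst_ip, dst_port, acl=None):
        """Packet from the internal side: translated source IP, or None if not translated."""
        g = self.l2g.get(src_ip)
        if g is None:
            return None
        if acl is not None and not acl_match(acl, src_ip, src_port, dst_ip, dst_port):
            return None
        return g

    def inbound(self, src_ip, src_port, dst_ip, dst_port, acl=None, reversible=False):
        """First packet of a connection initiated from the external side: translated
        destination IP, or None. Return traffic of established outbound sessions is not modelled."""
        local = self.g2l.get(dst_ip)
        if local is None:
            return None
        if acl is None:
            return local        # no ACL: destination address always translated
        if not reversible:
            return None         # ACL without reversible: externally initiated connections not translated
        # ACL reverse matching, as in the usage guidelines:
        #  1. the packet's source IP/port is compared with the rule's destination IP/port;
        #  2. the destination is translated by the mapping, then compared with the rule's source IP/port.
        return local if acl_match(acl, local, dst_port, src_ip, src_port) else None


# Fixtures built from the page's examples: 192.168.1.1 <-> 2.2.2.2, ACL 3001 permitting destination
# 3.3.3.0/24, plus a constructed net-to-net mapping 192.168.2.1-192.168.2.255 -> 2.2.3.0/24.
ACL_3001 = [Rule(True, ANY, ipaddress.IPv4Network("3.3.3.0/24"))]
NAT = StaticNat()
NAT.add_one_to_one("192.168.1.1", "2.2.2.2")
NAT.add_net_to_net("192.168.2.1", "192.168.2.255", "2.2.3.0", 24)

if __name__ == "__main__":
    print("out 192.168.1.1 -> 3.3.3.7:", NAT.outbound("192.168.1.1", 40000, "3.3.3.7", 443, ACL_3001))
    print("in  3.3.3.7 -> 2.2.2.2, acl only:", NAT.inbound("3.3.3.7", 5555, "2.2.2.2", 22, ACL_3001))
    print("in  3.3.3.7 -> 2.2.2.2, reversible:", NAT.inbound("3.3.3.7", 5555, "2.2.2.2", 22, ACL_3001, True))
    print("in  5.5.5.5 -> 2.2.2.2, reversible:", NAT.inbound("5.5.5.5", 5555, "2.2.2.2", 22, ACL_3001, True))
```

The practical point is the exposure difference between the three forms: with no ACL, any external host can open connections to 2.2.2.2 and reach 192.168.1.1; with acl 3001 alone, nothing initiated from outside is translated; with acl 3001 reversible, only hosts in 3.3.3.0/24 (the ACL's destination range read in reverse) can initiate connections to the public address.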
Examples
# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.
<Sysname> system-view
[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24
# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001
Related commands
display nat all
display nat static
nat static enable
port-single-alloc enable
Use port-single-alloc enable to enable the port-by-port allocation method.
Use undo port-single-alloc enable to restore the default.
Syntax
port-single-alloc enable
undo port-single-alloc enable
Default
By default, the port reuse allocation method is enabled.
Views
NAT address group view
Predefined user roles
network-admin
Usage guidelines
A session can be identified by a three-tuple (source IP address, source port number, and protocol type) or a five-tuple (source IP address, source port number, protocol type, destination IP address, and destination port number). Based on the three-tuple or five-tuple session, a port allocation for dynamic PAT can be one of the following modes:
· Port reuse—Different sessions can share the same port number after NAT.
· Port by port—Different sessions must use different NATed port numbers. This allocation method is suitable for deployments with few NAT services that require a small number of port numbers.
After you configure a port allocation method for dynamic PAT, you cannot change it again within one minute.
The port-single-alloc enable command and the port-block command are mutually exclusive.
Examples
# Enable the port-by-port allocation method for NAT address group 1.
<Sysname> system-view
[Sysname] nat address-group 1
[Sysname-address-group-1] port-single-alloc enable
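The following Python model is an added example; it is not part of this command reference and not the device's code. It contrasts the two port allocation methods named in the usage guidelines for a single public IP address. The exact reuse rule is an assumption made here (a NATed port may be reused while the translated five-tuple of protocol, public port, destination address and destination port stays unique); the PatPool and Session names, the three-port pool and the four sample sessions are constructed so that pool exhaustion is visible.

```python
"""Dynamic PAT port allocation: port reuse versus port-by-port (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Five-tuple of a flow before translation."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatPool:
    """Port allocator for one public IP address of a NAT address group."""

    def __init__(self, public_ip, ports, port_by_port):
        self.public_ip = public_ip
        self.ports = list(ports)
        self.port_by_port = port_by_port
        self.table = {}          # Session -> NATed port
        self.used_keys = set()   # (proto, NATed port, dst_ip, dst_port) in use
        self.used_ports = set()  # NATed ports in use

    def allocate(self, s: Session) -> Optional[int]:
        """Return the NATed port for s, or None when no port can be assigned."""
        if s in self.table:
            return self.table[s]
        for p in self.ports:
            key = (s.proto, p, s.dst_ip, s.dst_port)
            if self.port_by_port:
                taken = p in self.used_ports   # one session per NATed port
            else:
                taken = key in self.used_keys  # assumption: reuse allowed while the NATed 5-tuple is unique
            if not taken:
                self.used_keys.add(key)
                self.used_ports.add(p)
                self.table[s] = p
                return p
        return None  # pool exhausted: this session cannot be translated

    def internal_hosts_behind(self, public_port):
        """Internal source IPs currently translated to public_port."""
        return sorted({s.src_ip for s, p in self.table.items() if p == public_port})


SESSIONS = [  # constructed traffic: four internal hosts, three distinct destinations
    Session("tcp", "10.0.0.1", 40000, "198.51.100.10", 443),
    Session("tcp", "10.0.0.2", 40000, "198.51.100.20", 443),
    Session("tcp", "10.0.0.3", 40000, "198.51.100.10", 443),
    Session("tcp", "10.0.0.4", 40000, "198.51.100.30", 443),
]


def run(port_by_port):
    """Allocate NATed ports for SESSIONS from a constructed pool of three ports."""
    pool = PatPool("203.0.113.1", range(10001, 10004), port_by_port)
    return pool, [pool.allocate(s) for s in SESSIONS]


if __name__ == "__main__":
    for mode in (False, True):
        pool, ports = run(mode)
        print("port-by-port" if mode else "port reuse", ports,
              "behind 10001:", pool.internal_hosts_behind(10001))
```

Under port reuse, three of the four sessions are translated to 203.0.113.1:10001 and differ only in their destination, so a log line or abuse report that records just the public address and port does not identify the internal host; the destination address and port (and the session or EIM table at that time) are needed. Under port-by-port, the mapping from public port to internal host is unambiguous, but the same three-port pool is exhausted by the fourth session, which is the failure mode the per-global-ip user-limit guidelines describe.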
reset nat eim
Use reset nat eim to delete NAT EIM entries.
Syntax
reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol by its type. If you do not specify this keyword, the command deletes NAT EIM entries of all protocol types.
icmp: Specifies the ICMP protocol.
tcp: Specifies the TCP protocol.
udp: Specifies the UDP protocol.
local-ip b4 ipv6-address: Deletes the EIM entry for a B4 device IPv6 address. The ipv6-address argument specifies the IPv6 address of a B4 device.
local-ip local-ip: Deletes the EIM entry for a private IP address. The local-ip argument specifies a private IP address.
local-port local-port: Deletes the EIM entry for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.
global-ip global-ip: Deletes the EIM entry for a public IP address. The global-ip argument specifies a public IP address.
global-port global-port: Deletes the EIM entry for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes NAT EIM entries on all cards.
Usage guidelines
If you do not specify the local-ip, local-port, global-ip, or global-port keyword, this command deletes all EIM entries for ICMP, TCP, and UDP protocols.
Examples
# Delete NAT EIM entries for the specified slot.
<Sysname> reset nat eim slot 1
Related commands
display nat session
display nat eim statistics
reset nat session
Use reset nat session to clear NAT sessions.
Syntax
reset nat session [ protocol { tcp | udp } ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol by its type. If you do not specify this keyword, the command clears NAT sessions of all protocol types.
tcp: Specifies the TCP protocol.
udp: Specifies the UDP protocol.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions on all cards.
Examples
# Clear NAT sessions for the specified slot.
<Sysname> reset nat session slot 1
Related commands
display nat session