11-Network Management and Monitoring Command Reference

H3C S5136S-EI Switch Series Command References-6W100
03-NAT commands

NAT commands

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. An address range can contain a maximum of 256 addresses.

Usage guidelines

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

For a NAT address group, make sure the address ranges do not overlap.
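The three constraints above (the end address must not be lower than the start, a range holds at most 256 addresses, and ranges in one group must not overlap) are easy to violate when address groups are generated from an IPAM export rather than typed by hand. The following Python is an added example, not H3C code: it validates a list of ranges against those rules before rendering the equivalent nat address-group / address CLI lines. The CLI line format follows the command syntax on this page; the error messages and the group-id check are this example's own.

```python
import ipaddress

MAX_RANGE_SIZE = 256  # the address command allows at most 256 addresses per range


def parse_range(start, end):
    """Validate one 'address start end' pair; return (start, end) as integers."""
    s = int(ipaddress.IPv4Address(start))
    e = int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError(f"end address {end} is lower than start address {start}")
    size = e - s + 1
    if size > MAX_RANGE_SIZE:
        raise ValueError(f"range {start}-{end} has {size} addresses, maximum is {MAX_RANGE_SIZE}")
    return s, e


def check_range(start, end):
    """Return None if the range is valid, otherwise the validation error text."""
    try:
        parse_range(start, end)
    except ValueError as exc:
        return str(exc)
    return None


def find_overlaps(ranges):
    """Return pairs of (start, end) tuples that overlap within one address group.

    Ranges are sorted by start address and compared against the furthest end
    seen so far, so an overlap is caught even when it is not with the
    immediately preceding range.
    """
    parsed = sorted((parse_range(a, b), (a, b)) for a, b in ranges)
    overlaps = []
    cover_end, cover_src = -1, None
    for (s, e), src in parsed:
        if s <= cover_end:
            overlaps.append((cover_src, src))
        if e > cover_end:
            cover_end, cover_src = e, src
    return overlaps


def render_address_group(group_id, ranges):
    """Return the CLI lines for the group, or raise ValueError if any rule is broken."""
    if not 0 <= group_id <= 65535:
        raise ValueError("group-id must be in the range 0 to 65535")
    overlaps = find_overlaps(ranges)
    if overlaps:
        raise ValueError(f"address group {group_id} has overlapping ranges: {overlaps}")
    lines = [f"nat address-group {group_id}"]
    lines.extend(f" address {a} {b}" for a, b in ranges)
    return lines


if __name__ == "__main__":
    # Constructed input: the two ranges from the example on this page, then a bad range.
    print("\n".join(render_address_group(2, [("10.1.1.1", "10.1.1.15"),
                                            ("10.1.1.20", "10.1.1.30")])))
    print(check_range("10.1.1.0", "10.1.2.0"))
```

Run the validator over every generated group before pasting the lines into system view; a single overlapping or oversized range is rejected by the device, and a group that is silently missing that range translates fewer hosts than intended.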

Examples

# Add two address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

nat address-group

display nat address-group

Use display nat address-group to display NAT address group information.

Syntax

display nat address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify the group-id argument, this command displays information about all NAT address groups.

Examples

# Display information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

# Display information about NAT address group 1.

<Sysname> display nat address-group 1

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

Table 1 Command output

Field

Description

Address group

ID of the NAT address group.

Port range

Port range for public IP addresses.

Port block size

Number of ports in a port block. This field is not displayed if the port block size is not set.

Extended block number

Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.

Address information

Information about the IP addresses in the address group.

Start address

Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---).

End address

End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---).

 

Related commands

nat address-group

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 1 NAT address groups.

  Address group 0:

    Port range: 1024-65535

    Port block size: 300

    Extended block number: 1

    Address information:

      Start address         End address

      202.38.1.2            202.38.1.3

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Vlan-interface300

    ACL: 2000         Address group: 0      Port-preserved: N

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Vlan-interface301

    ACL: 3002         Address group: 0      Port-preserved: N

    NO-PAT: N         Reversible: N

    Config status: Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 202.100.1.1 - 202.100.1.255

    Local IP     : 192.168.1.0

    Netmask      : 255.255.255.0

    Config status: Active

    Local flow-table status: Inactive

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    ACL          : 3000

    Reversible   : Y

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

    Local flow-table status: Inactive

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 192.168.1.1 - 192.168.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 3002

    Config status: Active

    Local flow-table status: Inactive

 

  IP-to-IP:

    Local IP     : 10.110.10.8

    Global IP    : 202.38.1.100

    Config status: Active

    Local flow-table status: Inactive

 

Interfaces enabled with static NAT:

  Totally 1 interfaces enabled with static NAT.

  Interface: Vlan-interface200

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

Static NAT load balancing:     Disabled

The output shows all NAT configuration information. Table 2 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 2 Command output

Field

Description

NAT address group information

Information about the NAT address group. See Table 1 for output description.

NAT inbound information

Inbound dynamic NAT configuration. See Table 4 for output description.

NAT outbound information

Outbound dynamic NAT configuration. See Table 7 for output description.

Static NAT mappings

Static NAT mappings. See Table 10 for output description.

NAT logging

NAT logging configuration. See Table 5 for output description.

NAT hairpinning

NAT hairpin configuration.

Totally n interfaces enabled with NAT hairpinning

Number of interfaces with NAT hairpin enabled.

Interface

NAT hairpin-enabled interface.

Config status

Status of the NAT hairpin configuration:

·     Active—The configuration is in effect.

·     Inactive—The configuration is not in effect.

NAT mapping behavior

Mapping behavior mode of PAT: Endpoint-Independent or Address and Port-Dependent.

ACL

ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---).

Config status

Status of the NAT mapping behavior configuration:

·     Active—The configuration is in effect.

·     Inactive—The configuration is not in effect.

Reasons for inactive status

Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status field displays Inactive.

NAT ALG

NAT ALG configuration for different protocols.

Static NAT load balancing

This field is not supported in the current software version.

Enabling status of load sharing for static NAT on NAT service engines:

·     Enabled.

·     Disabled.

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

display nat eim [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays EIM entry information for all member devices.

Usage guidelines

EIM entries are created when PAT operates in EIM mode. An EIM entry is a 3-tuple entry, and it records the mapping between a private address/port and a public address/port.

The EIM entry provides the following functions:

·     The same EIM entry applies to subsequent connections initiated from the same source IP and port.

·     The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.
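The second bullet is the security-relevant one: while an EIM entry exists, the mapped public port is reachable from any external host, not only from the peer the internal host first contacted, so the output of display nat eim is effectively an inventory of internal endpoints that can be reached unsolicited. The Python below is an added model, not H3C code, that contrasts the Endpoint-Independent and Address and Port-Dependent mapping behaviours named on this page. It assumes one public address with a sequential port pool, and its rule that an Address and Port-Dependent mapping admits only the peer it was created for is the model's assumption, not a statement about the device's filtering.

```python
from itertools import count

EIM = "Endpoint-Independent"
APDM = "Address and Port-Dependent"


class PatTable:
    """Toy PAT mapping table with one public address and a sequential port pool.

    Keys follow the mapping behaviour: EIM keys on the private endpoint only,
    so every destination reuses one public port; APDM keys on the private and
    the remote endpoint, so each destination gets its own public port.
    """

    def __init__(self, mode, global_ip, first_port=2048):
        self.mode = mode
        self.global_ip = global_ip
        self.ports = count(first_port)
        self.mappings = {}     # mapping key -> (global ip, global port)
        self.reverse = {}      # (global ip, global port, proto) -> (local ip, local port)
        self.sessions = set()  # translated 5-tuples, used to admit replies in APDM mode

    def _key(self, lip, lport, proto, rip, rport):
        if self.mode == EIM:
            return (lip, lport, proto)
        return (lip, lport, proto, rip, rport)

    def outbound(self, lip, lport, proto, rip, rport):
        """Translate an internally initiated packet; returns the public (ip, port) used."""
        key = self._key(lip, lport, proto, rip, rport)
        if key not in self.mappings:
            gport = next(self.ports)
            self.mappings[key] = (self.global_ip, gport)
            self.reverse[(self.global_ip, gport, proto)] = (lip, lport)
        gip, gport = self.mappings[key]
        self.sessions.add((gip, gport, proto, rip, rport))
        return gip, gport

    def inbound(self, xip, xport, proto, gip, gport):
        """Translate an externally initiated packet; returns the private (ip, port) or None."""
        if self.mode == APDM and (gip, gport, proto, xip, xport) not in self.sessions:
            return None  # APDM: only the peer the mapping was created for gets through
        return self.reverse.get((gip, gport, proto))  # EIM: any external host is translated


def demo(mode):
    """One private endpoint talks to two resolvers; a third host then probes the mapped port."""
    nat = PatTable(mode, "200.100.1.100")
    first = nat.outbound("192.168.100.100", 1024, "UDP", "8.8.8.8", 53)
    second = nat.outbound("192.168.100.100", 1024, "UDP", "9.9.9.9", 53)
    probe = nat.inbound("203.0.113.7", 40000, "UDP", first[0], first[1])
    return first, second, probe


if __name__ == "__main__":
    for mode in (EIM, APDM):
        print(mode, demo(mode))
```

In EIM mode the probe from 203.0.113.7 is translated to the internal host even though that host never spoke to it; in Address and Port-Dependent mode the two destinations get separate public ports and the probe is dropped. EIM is what makes peer-to-peer and VoIP hole punching work, which is why the page lists nat mapping-behavior as a related command; enable it only on the ACL-scoped set of hosts that need it.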

Examples

# Display information about EIM entries for the specified slot.

<Sysname> display nat eim slot 1

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

Table 3 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Protocol

Protocol name and number.

Total entries found

Total number of EIM entries.

 

Related commands

nat mapping-behavior

nat outbound

display nat inbound

Use display nat inbound to display inbound dynamic NAT configuration.

Syntax

display nat inbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display inbound dynamic NAT configuration.

<Sysname> display nat inbound

NAT inbound information:

  Totally 2 NAT inbound rules.

  Interface: GigabitEthernet1/0/2

    ACL: 2038         Address group: 2      Add route: Y

    NO-PAT: Y         Reversible: N

    VPN instance: vpn1

    Service card: ---

    Config status: Active

 

Interface: GigabitEthernet1/0/3

    ACL: 2037         Address group: 1      Add route: Y

    NO-PAT: Y         Reversible: N

    VPN instance: vpn2

    Service card: ---

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

      Service card not specified.

Table 4 Command output

Field

Description

NAT inbound information

Information about inbound dynamic NAT configuration.

Interface

Interface where the inbound dynamic NAT rule is configured.

ACL

ACL number or name.

Address group

NAT address group used by the inbound dynamic NAT rule.

Add route

Whether to add a route when a packet matches the inbound dynamic NAT rule:

·     Y—Adds a route.

·     N—Does not add a route.

NO-PAT

Whether NO-PAT or PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Config status

Status of the inbound dynamic NAT configuration:

·     Active—The configuration is in effect.

·     Inactive—The configuration is not in effect.

Reasons for inactive status

Reasons why the inbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive.

 

Related commands

nat inbound

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration.

<Sysname> display nat log

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

Table 5 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Whether NAT logging is enabled.

If an ACL is specified for NAT logging, this field also displays the ACL number or name.

Flow-begin

Whether logging is enabled for NAT session establishment events.

Flow-end

Whether logging is enabled for NAT session removal events.

Flow-active

Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated.

Port-block-assign

Whether logging is enabled for NAT444 port block assignment.

Port-block-withdraw

Whether logging is enabled for NAT444 port block withdrawal.

Alarm

Whether logging is enabled for NAT444 alarms.

 

Related commands

nat log enable

nat log flow-active

nat log flow-begin

display nat no-pat

Use display nat no-pat to display information about NAT NO-PAT entries.

Syntax

display nat no-pat [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NO-PAT entry information for all member devices.

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

The NO-PAT entry provides the following functions:

·     The same entry applies to subsequent connections initiated from the same source IP address.

·     The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Outbound and inbound NO-PAT address translations create their own NO-PAT tables. These two types of tables are displayed separately.

Examples

# Display information about NO-PAT entries for the specified slot.

<Sysname> display nat no-pat slot 1

Slot 1:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

Table 6 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

Type

Type of the NO-PAT entry:

·     Inbound—A NO-PAT entry created during inbound dynamic NAT.

·     Outbound—A NO-PAT entry created during outbound dynamic NAT.

Total entries found

Total number of NO-PAT entries.

 

Related commands

nat inbound

nat outbound

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Vlan-interface200

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Vlan-interface201

    ACL: 2037         Address group: 2      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    Config status: Active

Table 7 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT.

Interface

Interface where the outbound dynamic NAT rule is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).

Address group

Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---).

Port-preserved

Whether to try to preserve the port numbers for PAT.

NO-PAT

Whether NO-PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Config status

Status of the outbound dynamic NAT configuration:

·     Active—The configuration is in effect.

·     Inactive—The configuration is not in effect.

Reasons for inactive status

Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive.

 

Related commands

nat outbound

display nat port-block

Use display nat port-block to display NAT port block mappings.

Syntax

display nat port-block dynamic [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays dynamic NAT port block mappings.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT port block mappings for all member devices.

Examples

# Display dynamic NAT port block mappings.

<Sysname> display nat port-block dynamic slot 1

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections

---           101.1.1.12       192.168.135.201  10001-11024  1

Total entries found: 1

Table 8 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field displays hyphens (---).

Local IP

Private IP address.

DS-Lite B4 addr

This field is not supported in the current software version.

IPv6 address of the DS-Lite B4 element.

Global IP

Public IP address.

Port block

Port block defined by a start port number and an end port number.

Connections

Number of connections established by using the ports in the port block.
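The port block table is what an incident responder needs when an abuse report names only a public IP and port: the block that covers the port identifies the internal host. The Python below is an added example, not H3C code; it parses the display nat port-block dynamic output format shown above (the sample is constructed in that format, its first row being the page's own example row, with a hypothetical second row and a VPN-bound third row added), cross-checks the parsed row count against the Total entries found line, and resolves a public endpoint to the local address. It shows current state only: because a withdrawn block is reused, historical attribution needs the port-block-assign and port-block-withdraw logs described under display nat log.

```python
import re
from collections import namedtuple

PortBlock = namedtuple("PortBlock", "slot local_vpn local_ip global_ip start end connections")

# One data row of 'display nat port-block dynamic'; '---' in the Local VPN column means no VPN.
ROW = re.compile(
    r"^(?P<vpn>\S+)\s+(?P<lip>\d+\.\d+\.\d+\.\d+)\s+(?P<gip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<start>\d+)-(?P<end>\d+)\s+(?P<conn>\d+)$"
)
SLOT = re.compile(r"^Slot (\d+):$")
TOTAL = re.compile(r"^Total entries found: (\d+)$")

# Constructed sample in the page's output format (rows two and three are hypothetical).
SAMPLE = """\
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections
---           101.1.1.12       192.168.135.201  10001-11024  1
---           101.1.1.13       192.168.135.201  11025-12048  3
vpn1          10.0.0.7         192.168.135.202  10001-11024  0
Total entries found: 3
"""


def parse_port_blocks(text):
    """Return the rows of the display output as PortBlock records."""
    entries, slot = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            vpn = None if m["vpn"] == "---" else m["vpn"]
            entries.append(PortBlock(slot, vpn, m["lip"], m["gip"],
                                     int(m["start"]), int(m["end"]), int(m["conn"])))
    return entries


def declared_total(text):
    """The 'Total entries found' count printed by the device, or None if absent."""
    for raw in text.splitlines():
        m = TOTAL.match(raw.strip())
        if m:
            return int(m.group(1))
    return None


def attribute(entries, global_ip, global_port):
    """All blocks that cover global_ip:global_port; more than one hit means ambiguity."""
    return [e for e in entries
            if e.global_ip == global_ip and e.start <= global_port <= e.end]


if __name__ == "__main__":
    blocks = parse_port_blocks(SAMPLE)
    assert len(blocks) == declared_total(SAMPLE), "parser missed a row"
    for hit in attribute(blocks, "192.168.135.201", 11030):
        print(f"{hit.global_ip}:11030 -> {hit.local_ip} (VPN {hit.local_vpn}, slot {hit.slot})")
```

attribute returns a list rather than a single record on purpose: the same public address and port range can legitimately appear once per slot or per VPN instance, and an attribution that silently picked the first match would be wrong evidence.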

display nat session

Use display nat session to display NAT sessions.

Syntax

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN instance must be the one to which the packet that triggers the session belongs. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT sessions for all member devices.

verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays all NAT sessions.

Examples

 

# Display detailed information about NAT sessions.

<Sysname> display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface100

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface200

State: TCP_SYN_SENT

Application: SSH

Start time: 2022-05-11 10:06:55  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

Table 9 Command output

Field

Description

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

This field is not supported in the current software version.

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/VLL ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     VLL ID—INLINE to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or VLL ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

Source security zone

Security zone to which the input interface belongs. If the input interface does not belong to any security zone, this field displays a hyphen (-).

State

NAT session status.

Application

Application layer protocol type, such as FTP and DNS.

This field displays OTHER when the application cannot be identified by a well-known port.

Start time

Time when the session starts.

TTL

Remaining NAT session lifetime in seconds.

Initiator->Responder

Number of packets and packet bytes from the initiator to the responder.

Responder->Initiator

Number of packets and packet bytes from the responder to the initiator.

Total sessions found

Total number of sessions.

 

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 202.100.1.1 - 202.100.1.255

    Local IP     : 192.168.1.0

    Netmask      : 255.255.255.0

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    ACL          : 3000

    Reversible   : Y

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 192.168.1.1 - 192.168.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 3002

    Config status: Active

 

  IP-to-IP:

    Local IP     : 10.110.10.8

    Global IP    : 202.38.1.100

    Config status: Active

    Local flow-table status: Inactive

 

Interfaces enabled with static NAT:

  Totally 1 interfaces enabled with static NAT.

  Interface: Vlan-interface200

    Config status: Active

Table 10 Command output

Field

Description

Static NAT mappings

Information about static NAT mapping configuration.

Totally n inbound static NAT mappings

Total number of inbound static NAT mappings.

Totally n outbound static NAT mappings

Total number of outbound static NAT mappings.

Net-to-net

Net-to-net static NAT mapping.

IP-to-IP

One-to-one static NAT mapping.

Local IP

Private IP address or address range.

Global IP

Public IP address or address range.

Netmask

Network mask.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Reversible

Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed.

Interfaces enabled with static NAT

Interfaces on which static NAT is enabled.

Totally n interfaces enabled with static NAT

Total number of interfaces where static NAT is enabled.

Interface

Interface on which static NAT is enabled.

Config status

Status of the static NAT mapping configuration:

·     Active—The configuration is in effect.

·     Inactive—The configuration is not in effect.

Reasons for inactive status

Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status field displays Inactive.

 

Related commands

nat static

nat static net-to-net

nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

display nat statistics [ summary ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT statistics for all member devices.

Examples

# Display detailed information about NAT statistics.

<Sysname> display nat statistics

Slot 1:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total dynamic port block entries: 15

  Active dynamic port block entries: 0

Table 11 Command output

Field

Description

Total session entries

Total number of NAT session entries.

Total EIM entries

Total number of EIM entries.

Total inbound NO-PAT entries

Total number of inbound NO-PAT entries.

Total outbound NO-PAT entries

Total number of outbound NO-PAT entries.

Total dynamic port block entries

Total number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

Active dynamic port block entries

Total number of dynamic NAT port block mappings that have been created. It equals the number of dynamically assigned port blocks.

 

# Display NAT statistics summary.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

2    0         0         0         1572720   0         0

Table 12 Command output

Field

Description

Sessions

Number of NAT session entries.

EIM

Number of EIM entries.

SPB

Number of static port block mappings.

DPB

Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

ASPB

Number of static port block mappings in use.

ADPB

Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks.

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies the ID of a NAT address group, in the range of 0 to 65535.

Usage guidelines

A NAT address group can contain multiple address ranges by using the address command. Dynamic NAT translates the source IP address of a packet into an IP address in the address group.

Examples

# Create a NAT address group numbered 1.

<Sysname> system-view

[Sysname] nat address-group 1

Related commands

address

display nat address-group

display nat all

nat inbound

nat outbound

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

NAT ALG for all supported protocols is enabled.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

h323: Enables NAT ALG for H.323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.
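The FTP case is concrete enough to show in code. In active mode the client sends PORT h1,h2,h3,h4,p1,p2 on the control connection, naming the private address and port on which it will accept the server's data connection; an ALG behind outbound PAT has to rewrite that payload to a public address and port and pre-create the mapping so the server's inbound connection is translated back. The Python below is an added toy model, not H3C's ALG: it uses the public address 202.38.1.100 from this page's examples, allocates data ports sequentially, and, as a hardening choice of this example rather than documented nat alg ftp behaviour, drops a PORT command whose embedded address differs from the client's own so that one host cannot have the ALG open a mapping toward another. A real ALG also adjusts TCP sequence and acknowledgement numbers when the rewritten payload changes length, which is omitted here.

```python
import re

PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def decode_port(payload):
    """Parse 'PORT h1,h2,h3,h4,p1,p2'; return (ip, port) or None if not a valid PORT command."""
    m = PORT_CMD.match(payload)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):
        return None
    return ".".join(map(str, octets[:4])), (octets[4] << 8) | octets[5]


def encode_port(ip, port):
    """Build the PORT command for ip:port in the h1,h2,h3,h4,p1,p2 form."""
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


class FtpAlg:
    """Toy FTP ALG for outbound PAT: rewrites PORT and pre-creates the data-connection mapping."""

    def __init__(self, global_ip, first_port=2048):
        self.global_ip = global_ip
        self.next_port = first_port
        self.data_mappings = {}  # (global ip, global port) -> (local ip, local port)

    def translate_control_payload(self, payload, client_ip):
        """Rewrite an outbound control-channel payload sent by client_ip.

        Returns the payload to forward, or None to drop it. Non-PORT payloads pass
        through untouched. A PORT command naming an address other than the client's
        own is dropped (this example's hardening choice).
        """
        parsed = decode_port(payload)
        if parsed is None:
            return payload
        lip, lport = parsed
        if lip != client_ip:
            return None
        gport = self.next_port
        self.next_port += 1
        self.data_mappings[(self.global_ip, gport)] = (lip, lport)
        return encode_port(self.global_ip, gport)

    def inbound_data_connection(self, dst_ip, dst_port):
        """Private endpoint for a server-initiated data connection, or None if none was announced."""
        return self.data_mappings.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("202.38.1.100")
    # Constructed control payload: an internal client announces 192.168.1.18:1025 (4*256+1).
    print(alg.translate_control_payload(b"PORT 192,168,1,18,4,1\r\n", "192.168.1.18"))
    print(alg.inbound_data_connection("202.38.1.100", 2048))
```

The model also shows why disabling an ALG is a security decision and not only a functional one: with nat alg ftp off, the server's data connection arrives at a public port for which no mapping exists and is dropped, whereas with it on, every PORT command a client sends creates an inbound opening that lasts as long as the mapping.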

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with outbound dynamic NAT or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

Examples

# Enable NAT hairpin on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat hairpin enable

Related commands

display nat all

nat inbound

Use nat inbound to configure an inbound dynamic NAT rule.

Use undo nat inbound to delete an inbound dynamic NAT rule.

Syntax

nat inbound { ipv4-acl-number | name ipv4-acl-name } address-group group-id [ vpn-instance vpn-instance-name ] [ no-pat [ reversible ] [ add-route ] ]

undo nat inbound { ipv4-acl-number | name ipv4-acl-name }

Default

No inbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

address-group group-id: Specifies an address group for address translation. The value range for the group-id argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses NO-PAT for inbound NAT. If you do not specify this keyword, PAT is used. PAT supports only TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the internal network to the external network.

add-route: Automatically adds a route to the source address after translation. The output interface is the NAT interface and the next hop is the source address before translation.

Usage guidelines

Inbound dynamic NAT translates the source IP addresses of incoming packets permitted by the ACL into IP addresses in the address group.

Inbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation.

·     NO-PAT—Performs only IP address translation.

The NO-PAT mode supports reverse address translation. Reverse address translation uses ACL reverse matching to identify packets to be translated. ACL reverse matching works as follows:

·     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Inbound dynamic NAT typically cooperates with one of the following to implement bidirectional NAT:

·     Outbound dynamic NAT (the nat outbound command).

·     NAT Server (the nat server command).

·     Outbound static NAT (the nat static command).

An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat inbound command in both PAT and NO-PAT modes.

Do not specify the add-route keyword if the subnets where the internal and external networks reside overlap. For other network scenarios:

·     If you specify the add-route keyword, the device automatically adds a route to the source address after translation for a packet. The destination address is the NATed address in the NAT address group, the output interface is the interface where the command is executed, and the next hop is the source address before translation.

·     If you do not specify the add-route keyword, you must manually add the route. As a best practice, add routes manually because automatic route adding is slow.

When you specify an ACL, follow these restrictions and guidelines:

·     An ACL can be used by only one inbound dynamic NAT rule on an interface.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

You can configure multiple inbound dynamic NAT rules on an interface.

The vpn-instance parameter is required if you deploy inbound dynamic NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 in VPN vpn10 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit vpn-instance vpn10 source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Configure the MPLS L3VPN instance named vpn10.

[Sysname] ip vpn-instance vpn10

[Sysname-vpn-instance-vpn10] route-distinguisher 100:001

[Sysname-vpn-instance-vpn10] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance-vpn10] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance-vpn10] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an inbound NO-PAT rule on interface GigabitEthernet 1/0/1. NAT translates the source addresses of incoming packets into the addresses in address group 1, and automatically adds routes for translated packets.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat inbound 2001 address-group 1 vpn-instance vpn10 no-pat add-route

Related commands

display nat all

display nat inbound

display nat no-pat

nat log alarm

Use nat log alarm to enable NAT444 alarm logging.

Use undo nat log alarm to disable NAT444 alarm logging.

Syntax

nat log alarm

undo nat log alarm

Default

NAT alarm logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

NAT444 alarm logging monitors the usage of NAT444 resources, including public IP addresses, port blocks, and ports in a port block. If NAT444 resources are exhausted, the NAT444 gateway cannot translate packets and drops them.

The NAT444 gateway generates alarm logs in the following situations:

·     The ports in the selected port block of a static NAT444 mapping are all occupied.

·     The ports in the selected port blocks (including extended ones) of a dynamic NAT444 mapping are all occupied.

·     The public IP addresses and port blocks for dynamic NAT444 are all assigned.

Enable NAT logging before you enable NAT444 alarm logging.

Examples

# Enable NAT444 alarm logging.

<Sysname> system-view

[Sysname] nat log alarm

Related commands

display nat all

display nat log

nat log enable

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

Usage guidelines

You must enable NAT logging before you enable NAT session logging, NAT444 user logging (including port block assignment and withdrawal logging), or NAT444 alarm logging.

When you specify an ACL, follow these restrictions and guidelines:

·     The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat log alarm

nat log flow-active

nat log flow-begin

nat log flow-end

nat log port-block-assign

nat log port-block-withdraw

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.

Logging for active NAT flows takes effect only after you enable NAT logging.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT session establishment events.

Use undo nat log flow-begin to disable logging for NAT session establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT session establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Logging for NAT session establishment events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT session removal events.

Use undo nat log flow-end to disable logging for NAT session removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT session removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Logging for NAT session removal events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session removal events.

<Sysname> system-view

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat log port-block-assign

Use nat log port-block-assign to enable NAT444 user logging for port block assignment.

Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.

Syntax

nat log port-block-assign

undo nat log port-block-assign

Default

NAT444 user logging is disabled for port block assignment.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For static port block mappings, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

For dynamic port block mappings, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block assignment.

<Sysname> system-view

[Sysname] nat log port-block-assign

Related commands

display nat all

display nat log

nat log enable

nat log port-block-withdraw

Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.

Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.

Syntax

nat log port-block-withdraw

undo nat log port-block-withdraw

Default

NAT444 user logging is disabled for port block withdrawal.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For static port block mappings, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

For dynamic port block mappings, the NAT444 gateway generates a user log when all the following conditions are met:

·     The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

·     The corresponding mapping entry is deleted.

Enable NAT logging before you enable NAT444 user logging for port block withdrawal.
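The added example below (not H3C code) models the dynamic NAT444 events described under nat log alarm, nat log port-block-assign and nat log port-block-withdraw: a user log when a port block is assigned or extended, an alarm when every port in the user's blocks (extended ones included) is occupied, an alarm when no public address or port block is left, and a withdraw log once the blocks are returned and the mapping deleted. The block size and the number of extended blocks per user are assumed parameters, not values from this page, and the toy never reuses a port inside a block.

```python
from collections import deque


class Nat444Pool:
    """Toy dynamic NAT444 port-block allocator (constructed example).

    Every event the gateway would log is appended to self.logs as a tuple
    whose first field is "user" (port block assign/extend/withdraw) or "alarm".
    block_size and extended_blocks are assumed parameters.
    """

    def __init__(self, public_ips, port_start, port_end, block_size, extended_blocks):
        self.block_size = block_size
        self.extended_blocks = extended_blocks
        # Free port blocks as (public ip, first port); carved from the assumed port range.
        self.free = deque((ip, p) for ip in public_ips
                          for p in range(port_start, port_end + 1, block_size))
        self.users = {}   # private ip -> {"blocks": [(public ip, first port)], "used": n}
        self.logs = []

    def _take_block(self, private_ip):
        if not self.free:
            # Alarm: public addresses and port blocks are all assigned.
            self.logs.append(("alarm", "public addresses and port blocks exhausted", private_ip))
            return False
        block = self.free.popleft()
        user = self.users.setdefault(private_ip, {"blocks": [], "used": 0})
        kind = "assign" if not user["blocks"] else "extend"
        user["blocks"].append(block)
        self.logs.append(("user", f"port block {kind}", private_ip, block))
        return True

    def new_session(self, private_ip):
        """Allocate a public (ip, port) for a new session, or None if the packet is dropped."""
        if private_ip not in self.users and not self._take_block(private_ip):
            return None
        user = self.users[private_ip]
        if user["used"] >= len(user["blocks"]) * self.block_size:
            if len(user["blocks"]) - 1 >= self.extended_blocks:
                # Alarm: the assigned blocks, extended ones included, are full.
                self.logs.append(("alarm", "all ports in assigned port blocks occupied", private_ip))
                return None
            if not self._take_block(private_ip):
                return None
        index = user["used"]
        user["used"] += 1
        public_ip, first_port = user["blocks"][index // self.block_size]
        return (public_ip, first_port + index % self.block_size)

    def release_user(self, private_ip):
        """All sessions of the user ended: withdraw its blocks and delete the mapping."""
        user = self.users.pop(private_ip, None)
        if user is None:
            return False
        self.free.extend(user["blocks"])
        self.logs.append(("user", "port block withdraw", private_ip))
        return True
```

With one public address, ports 1024 to 1031, blocks of 4 ports and one extended block per user, a single private host gets eight sessions, the ninth raises the "ports occupied" alarm, a second host immediately raises the "exhausted" alarm, and releasing the first host lets the second one obtain a block again. Those are exactly the conditions an operator should expect to see in the alarm log before NAT444 starts dropping traffic.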

Examples

# Enable NAT444 user logging for port block withdrawal.

<Sysname> system-view

[Sysname] nat log port-block-withdraw

Related commands

display nat all

display nat log

nat log enable

nat mapping-behavior

Use nat mapping-behavior to configure the mapping behavior mode for PAT.

Use undo nat mapping-behavior to restore the default.

Syntax

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat mapping-behavior endpoint-independent

Default

Address and Port-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL to define the applicable scope of Endpoint-Independent Mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

Usage guidelines

PAT supports the following NAT mapping modes:

·     Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·     Address and Port-Dependent Mapping—Uses different IP and port mappings for packets with the same source IP and port to different destination IP addresses and ports. APDM allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.

This command takes effect only on outbound PAT. Address and Port-Dependent Mapping always applies to inbound PAT.
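To make the difference between the two mapping modes concrete, here is an added example (not H3C code) of a toy outbound PAT table that can run in either mode. The same internal endpoint talks to two external servers; under Endpoint-Independent Mapping both flows share one public port and an unrelated external host can reach the internal host through it, while under Address and Port-Dependent Mapping each destination gets its own mapping and only the peer already contacted gets back in. Addresses, ports and the port allocator are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PatTable:
    """Toy outbound PAT table (constructed example).

    mode is "eim" (Endpoint-Independent Mapping) or "apdm"
    (Address and Port-Dependent Mapping). Endpoints are (ip, port) tuples.
    """
    mode: str
    public_ip: str
    next_port: int = 1024
    mappings: dict = field(default_factory=dict)   # mapping key -> public port
    entries: dict = field(default_factory=dict)    # public port -> {"internal", "peers"}

    def outbound(self, src, dst):
        """Translate an outbound flow; returns the public (ip, port) used."""
        # EIM keys the mapping on the internal endpoint alone; APDM also on the destination.
        key = src if self.mode == "eim" else (src, dst)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.entries[port] = {"internal": src, "peers": set()}
        port = self.mappings[key]
        self.entries[port]["peers"].add(dst)
        return (self.public_ip, port)

    def inbound(self, external_src, public_port):
        """Return the internal endpoint an inbound packet is delivered to, or None if dropped."""
        entry = self.entries.get(public_port)
        if entry is None:
            return None
        # APDM: only an external endpoint the internal host already talked to gets through.
        if self.mode == "apdm" and external_src not in entry["peers"]:
            return None
        return entry["internal"]


def compare_modes():
    """Run the same three-step scenario in both modes and report what each allows."""
    results = {}
    for mode in ("eim", "apdm"):
        table = PatTable(mode, "202.110.10.10")
        first = table.outbound(("10.1.1.5", 5000), ("198.51.100.1", 53))
        second = table.outbound(("10.1.1.5", 5000), ("198.51.100.2", 53))
        results[mode] = {
            "same_public_port": first == second,
            "unrelated_host_reaches_internal": table.inbound(("203.0.113.9", 3478), first[1]) is not None,
            "known_peer_reaches_internal": table.inbound(("198.51.100.1", 53), first[1]) is not None,
        }
    return results
```

`compare_modes()` returns all three flags true for EIM and only `known_peer_reaches_internal` true for APDM, which is the trade-off the guidelines describe: EIM enables hosts behind different NAT gateways to reach each other, APDM keeps unsolicited external traffic out.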

When you specify an ACL, follow these restrictions and guidelines:

·     If you specify an ACL, Endpoint-Independent Mapping applies to packets that are permitted by the ACL. If you do not specify an ACL, Endpoint-Independent Mapping applies to all packets.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

Examples

# Apply the Endpoint-Independent Mapping mode to all packets for address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent

# Apply the Endpoint-Independent Mapping mode to FTP and HTTP packets, and the Address and Port-Dependent Mapping mode to other packets for address translation.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 21

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] nat mapping-behavior endpoint-independent acl 3000

Related commands

nat outbound

display nat eim

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

address-group group-id: Specifies an address group for NAT. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address. Easy IP is used.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.

port-preserved: Tries to preserve the port number for PAT. This keyword does not take effect on dynamic NAT port block mapping.

Usage guidelines

Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.

Outbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·     NO-PAT—Performs only IP address translation. The dynamic NAT444 rule does not support this mode. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

◦     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

◦     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
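The two-step ACL reverse matching procedure, as described here for outbound NO-PAT and earlier under nat inbound, is shown in the following added example (not H3C code). An ACL is evaluated first-match; reverse matching checks the packet's source against the rules' destination side and the NO-PAT-translated destination against the rules' source side, which is the same as evaluating the ACL on the reversed flow after translation. The ACL rules, NO-PAT entries and packets are constructed; an empty ACL matches nothing, as the guidelines state.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    action: str                           # "permit" or "deny"
    source: Optional[IPv4Network] = None  # None matches any address
    dest: Optional[IPv4Network] = None
    dest_port: Optional[int] = None       # None matches any port


def rule(action, source=None, dest=None, dest_port=None):
    """Build an AclRule from dotted strings (a basic ACL rule has a source only)."""
    def to_net(s):
        return None if s is None else IPv4Network(s)
    return AclRule(action, to_net(source), to_net(dest), dest_port)


def acl_lookup(rules, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation. Returns the rule action, or None when no rule matches."""
    for r in rules:
        if (r.source is None or IPv4Address(src_ip) in r.source) and \
           (r.dest is None or IPv4Address(dst_ip) in r.dest) and \
           (r.dest_port is None or r.dest_port == dst_port):
            return r.action
    return None


def reverse_translate(rules, nopat_entries, src_ip, src_port, dst_ip, dst_port):
    """Reverse address translation for a connection initiated toward a NO-PAT address.

    nopat_entries maps the translated address of an existing NO-PAT entry to the
    original address. Returns the translated destination, or None if the packet
    is not translated. Step 1 of ACL reverse matching compares the packet source
    with the rules' destination side; step 2 translates the destination by the
    NO-PAT entry and compares it with the rules' source side. Both steps together
    are one ACL lookup on the reversed, translated flow.
    """
    original = nopat_entries.get(dst_ip)
    if original is None:
        return None                       # no NO-PAT entry, nothing to reverse
    action = acl_lookup(rules, original, dst_port, src_ip, src_port)
    return original if action == "permit" else None
```

With the basic ACL from this command's example (permit source 10.110.10.0/24, then deny) and a NO-PAT entry 10.110.10.5 ↔ 202.110.10.10, an external connection to 202.110.10.10 is translated to 10.110.10.5, while a connection to an address without an entry is not. With an advanced ACL that also names a destination network and port, only external peers matching that destination side get reverse translation, which is how the ACL limits who can initiate toward the NO-PAT addresses.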

When you specify a NAT address group, follow these restrictions and guidelines:

·     An address group cannot be used by both the nat inbound and nat outbound commands.

·     An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

·     When port block parameters are specified in the NAT address group, this command configures a dynamic NAT port block mapping. Packets matching the ACL permit rule are processed by dynamic NAT444.

When you specify an ACL, follow these restrictions and guidelines:

·     An ACL can be used by only one outbound dynamic NAT rule on an interface.

·     If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·     Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

The vpn-instance parameter is required if you deploy outbound dynamic NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

Or

# Configure an outbound dynamic PAT rule on VLAN-interface 100 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] nat outbound 2001 address-group 1

[Sysname-Vlan-interface100] quit

Or

# Configure an outbound NO-PAT rule on VLAN-interface 100 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] nat outbound 2001 address-group 1 no-pat

[Sysname-Vlan-interface100] quit

Or

# Enable Easy IP to use the IP address of VLAN-interface 100 as the translated address.

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] nat outbound 2001

[Sysname-Vlan-interface100] quit

Or

# Configure an outbound NO-PAT rule on VLAN-interface 100 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] nat outbound 2001 address-group 1 no-pat reversible

Related commands

display nat eim

display nat outbound

nat mapping-behavior

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on Vlan-interface 100.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] nat static enable

Related commands

display nat all

display nat static

nat static

nat static net-to-net

nat static inbound

Use nat static inbound to configure a one-to-one mapping for inbound static NAT.

Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static inbound global-ip [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the internal hosts that can access the external network.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP address.

Usage guidelines

When the source IP address of a packet from the external network to the internal network matches the global-ip, the source IP address is translated into the local-ip. When the destination IP address of a packet from the internal network to the external network matches the local-ip, the destination IP address is translated into the global-ip.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP address.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

◦     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

◦     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

Related commands

display nat all

display nat static

nat static enable

nat static inbound net-to-net

Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.

Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.

Syntax

nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-start-address global-end-address: Specifies a public address range which can contain a maximum of 256 addresses. The global-end-address must not be lower than global-start-address. If they are the same, only one public address is specified.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

local-network: Specifies a private network address.

mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.

mask: Specifies the mask of the private network address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private network address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the internal hosts that can access the external network.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP addresses.

Usage guidelines

Specify a public network through a start address and an end address, and a private network through a private address and a mask.

When the source address of a packet from the external network matches the public address range, the source address is translated into a private address in the private address range. When the destination address of a packet from the internal network matches the private address range, the destination address is translated into a public address in the public address range.

The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
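The range rules above (a public range of at most 256 addresses, end not lower than start, mask length 8 to 31, and the end address bounded by the subnet formed from the public start address and the private mask) are worked through in this added example (not H3C code). It assumes, consistently with that last rule, that a net-to-net mapping keeps the host bits of an address and swaps only the network part; the addresses used are the ones from this section and constructed variants of them.

```python
from ipaddress import IPv4Address, IPv4Network


def check_range(global_start, global_end, local_network, mask_length):
    """Return None if the net-to-net parameters are acceptable, otherwise the reason."""
    start, end = IPv4Address(global_start), IPv4Address(global_end)
    if not 8 <= mask_length <= 31:
        return "mask length must be 8 to 31"
    if end < start:
        return "end address lower than start address"
    if int(end) - int(start) + 1 > 256:
        return "public range exceeds 256 addresses"
    # The public start address and the private mask determine a subnet; the end
    # address may not go past that subnet's highest address.
    public_subnet = IPv4Network((start, mask_length), strict=False)
    if end > public_subnet.broadcast_address:
        return f"end address beyond {public_subnet.broadcast_address}"
    return None


class NetToNetMapping:
    """Inbound net-to-net static mapping (constructed model, host bits preserved)."""

    def __init__(self, global_start, global_end, local_network, mask_length):
        problem = check_range(global_start, global_end, local_network, mask_length)
        if problem:
            raise ValueError(problem)
        self.start = IPv4Address(global_start)
        self.end = IPv4Address(global_end)
        self.local = IPv4Network((local_network, mask_length))
        self.public_subnet = IPv4Network((self.start, mask_length), strict=False)

    def inbound_source(self, src):
        """Public source address -> private address, or None if outside the public range."""
        src = IPv4Address(src)
        if not self.start <= src <= self.end:
            return None
        offset = int(src) - int(self.public_subnet.network_address)
        return str(IPv4Address(int(self.local.network_address) + offset))

    def outbound_destination(self, dst):
        """Private destination address -> public address, or None if it has no public twin."""
        dst = IPv4Address(dst)
        if dst not in self.local:
            return None
        offset = int(dst) - int(self.local.network_address)
        public = IPv4Address(int(self.public_subnet.network_address) + offset)
        return str(public) if self.start <= public <= self.end else None
```

For the page's own figures, `check_range("1.1.1.100", "1.1.1.255", "2.2.2.0", 24)` is accepted and `check_range("1.1.1.100", "1.1.2.5", "2.2.2.0", 24)` is rejected because 1.1.2.5 lies beyond 1.1.1.255. A private address whose public twin falls below the configured start (here 2.2.2.50 with a range starting at 1.1.1.100) gets no translation, which is worth checking before relying on such a mapping for hosts at the low end of the private network.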

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

◦     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

◦     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.

<Sysname> system-view

[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24

Related commands

display nat all

display nat static

nat static enable

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip global-ip

undo nat static outbound local-ip

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

global-ip: Specifies a public IP address.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

Usage guidelines

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

Related commands

display nat all

display nat static

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range that can contain a maximum of 256 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access.

ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses.

Usage guidelines

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

·     If the ACL does not exist or does not contain a rule, the ACL cannot match any packet.

·     If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.

Static NAT takes precedence over dynamic NAT when they are both configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT in VPN networks. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001
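The translation rules and the ACL reverse matching described in the usage guidelines of this command and of nat static inbound net-to-net, modelled in Python as an added example; this is not H3C code. It assumes host bits are preserved across the mapping (192.168.1.10 maps to 2.2.2.10, consistent with the end-address rule above), ignores ports and VPN instances, and uses a constructed minimal ACL rule model; the sample values mirror the second example above, where ACL 3001 permits destination 3.3.3.0/24.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

@dataclass
class AclRule:
    """Constructed model of a 'rule permit ip' entry; ports are ignored, None means any."""
    src: Net | None = None
    dst: Net | None = None
    def permits(self, src: IP, dst: IP) -> bool:
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)

@dataclass
class NetToNetOutbound:
    """Model of 'nat static outbound net-to-net' (assumption: host bits are preserved)."""
    local_start: IP
    local_end: IP
    global_net: Net
    acl: list[AclRule] | None = None  # None: no ACL (translate all); []: ACL with no rules (matches nothing)
    reversible: bool = False

    def __post_init__(self) -> None:
        # Guideline: the private end address must not exceed the last address of the
        # subnet formed by the private start address and the public mask (e.g. 1.1.1.255).
        self.local_net = Net(f"{self.local_start}/{self.global_net.prefixlen}", strict=False)
        if not self.local_start <= self.local_end <= self.local_net.broadcast_address:
            raise ValueError("private end address exceeds the subnet allowed by the public mask")

    def outbound(self, src: IP, dst: IP) -> IP | None:
        """Source translation for an outgoing packet; None means not translated."""
        if not self.local_start <= src <= self.local_end:
            return None
        if self.acl is not None and not any(r.permits(src, dst) for r in self.acl):
            return None
        return self.global_net.network_address + (int(src) - int(self.local_net.network_address))

    def inbound(self, src: IP, dst: IP) -> IP | None:
        """Destination translation for a connection initiated from the external network."""
        if dst not in self.global_net:
            return None
        local = self.local_net.network_address + (int(dst) - int(self.global_net.network_address))
        if not self.local_start <= local <= self.local_end:
            return None
        if self.acl is None:
            return local
        # With an ACL, external-initiated connections are translated only when 'reversible' is set and ACL
        # reverse matching succeeds: packet source vs ACL destination, translated destination vs ACL source.
        hit = self.reversible and any((r.dst is None or src in r.dst) and (r.src is None or local in r.src) for r in self.acl)
        return local if hit else None
```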

Related commands

display nat all

display nat static

nat static enable

port-range

Use port-range to specify a port range for public IP addresses.

Use undo port-range to restore the default.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

The port range for public IP addresses is 1 to 65535.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number. As a best practice, set the start port number to be equal to or larger than 1024 to avoid an application protocol identification error.

Usage guidelines

The port range must include all ports that public IP addresses use for address translation.

Examples

# Specify the port range as 1024 to 65535 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-range 1024 65535

Related commands

nat address-group

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

reset nat session [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears NAT sessions for all member devices.

Examples

# Clear NAT sessions for the specified slot.

<Sysname> reset nat session slot 1

Related commands

display nat session

 
