NAT commands
The product does not support configuring NAT in IRF or M-LAG scenarios.
address
Use address to add an address range to a NAT address group.
Use undo address to remove an address range from a NAT address group.
Syntax
address start-address end-address
undo address start-address end-address
Default
No address ranges exist.
Views
NAT address group view
Predefined user roles
network-admin
Parameters
start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. Each address range can contain a maximum of 128 addresses.
Usage guidelines
A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.
You can repeat this command to add multiple address ranges to a NAT address group. Make sure the address ranges do not overlap in the NAT address group. The device supports a maximum of 128 address ranges in total for all NAT address groups.
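As an added example (not part of the command reference), the following Python script checks a constructed set of address groups against the limits stated above for the address command: end address not lower than start address, at most 128 addresses per range, no overlapping ranges within a group, and at most 128 ranges across all groups. Group IDs and addresses are made up for the example.

```python
# Added example (not from the command reference): a checker for the limits the
# address command imposes on NAT address groups, run over constructed groups.
import ipaddress

MAX_ADDRS_PER_RANGE = 128   # "Each address range can contain a maximum of 128 addresses"
MAX_RANGES_TOTAL = 128      # "a maximum of 128 address ranges in total for all NAT address groups"


def check_range(start, end):
    """Return a list of problems for one start/end range (empty if valid)."""
    problems = []
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        problems.append(f"{start}-{end}: end address is lower than start address")
        return problems
    size = int(e) - int(s) + 1          # same start and end -> one address
    if size > MAX_ADDRS_PER_RANGE:
        problems.append(f"{start}-{end}: {size} addresses exceeds {MAX_ADDRS_PER_RANGE}")
    return problems


def check_address_groups(groups):
    """groups maps group-id -> list of (start, end) tuples.

    Returns human-readable problems; an empty list means every constraint
    described for the address command is satisfied.
    """
    problems = []
    total_ranges = 0
    for gid, ranges in groups.items():
        total_ranges += len(ranges)
        parsed = []
        for start, end in ranges:
            range_problems = check_range(start, end)
            if range_problems:
                problems.extend(f"group {gid}: {p}" for p in range_problems)
                continue
            parsed.append((int(ipaddress.IPv4Address(start)),
                           int(ipaddress.IPv4Address(end)), f"{start}-{end}"))
        # Overlap check within one group: sort by start address and compare each
        # range with the largest end address seen so far.
        parsed.sort()
        max_end, max_name = None, None
        for s, e, name in parsed:
            if max_end is not None and s <= max_end:
                problems.append(f"group {gid}: ranges {max_name} and {name} overlap")
            if max_end is None or e > max_end:
                max_end, max_name = e, name
    if total_ranges > MAX_RANGES_TOTAL:
        problems.append(f"{total_ranges} address ranges configured; "
                        f"device supports at most {MAX_RANGES_TOTAL}")
    return problems


# Constructed sample: group 2 repeats the page's own example (valid); group 3
# contains an overlapping pair, an oversized range and a reversed range.
SAMPLE_GROUPS = {
    2: [("10.1.1.1", "10.1.1.15"), ("10.1.1.20", "10.1.1.30")],
    3: [("10.2.1.1", "10.2.1.100"), ("10.2.1.50", "10.2.1.60"),
        ("10.2.2.1", "10.2.2.200"), ("10.2.3.10", "10.2.3.5")],
}

if __name__ == "__main__":
    for problem in check_address_groups(SAMPLE_GROUPS):
        print(problem)
```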
Examples
# Add two address ranges to an address group.
<Sysname> system-view
[Sysname] nat address-group 2
[Sysname-address-group-2] address 10.1.1.1 10.1.1.15
[Sysname-address-group-2] address 10.1.1.20 10.1.1.30
Related commands
nat address-group
display nat address-group
Use display nat address-group to display NAT address group information.
Syntax
display nat address-group [ group-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify the group-id argument, this command displays information about all NAT address groups.
Examples
# Display information about all NAT address groups.
<Sysname> display nat address-group
NAT address group information:
Totally 5 NAT address groups.
Address group 1:
Port range: 1-65535
Address information:
Start address End address
202.110.10.10 202.110.10.15
Address group 2:
Port range: 1-65535
Address information:
Start address End address
202.110.10.20 202.110.10.25
202.110.10.30 202.110.10.35
Address group 3:
Port range: 1024-65535
Address information:
Start address End address
202.110.10.40 202.110.10.50
Address group 4:
Port range: 10001-65535
Port block size: 500
Extended block number: 1
Address information:
Start address End address
202.110.10.60 202.110.10.65
Address group 6:
Port range: 1-65535
Address information:
Start address End address
--- ---
# Display information about NAT address group 1.
<Sysname> display nat address-group 1
Address group 1:
Port range: 1-65535
Address information:
Start address End address
202.110.10.10 202.110.10.15
Table 1 Command output
Field | Description |
---|---|
NAT address group information | Information about the NAT address group. |
Totally n NAT address groups | Total number of NAT address groups. |
Address group | ID of the NAT address group. |
VRID | Virtual router ID (VRRP group number). If no VRRP group is specified, this field is not displayed. |
Port range | This field is not supported in the current software version. Port range for public IP addresses. |
Block size | This field is not supported in the current software version. Number of ports in a port block. This field is not displayed if the port block size is not set. |
Extended block number | This field is not supported in the current software version. Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set. |
Address information | Information about the IP addresses in the address group. |
Start address | Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---). |
End address | End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---). |
Related commands
nat address-group
display nat all
Use display nat all to display all NAT configuration information.
Syntax
display nat all
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display all NAT configuration information.
<Sysname> display nat all
NAT address group information:
Totally 3 NAT address groups.
Address group 10:
Port range: 1024-65535
Port block size: 200
Address information:
Start address End address
200.20.1.1 200.20.1.10
Address group 11:
Port range: 1-65535
Address information:
Start address End address
202.38.1.1 202.38.1.110
Address group 12:
Port range: 1-65535
Address information:
Start address End address
202.38.2.1 202.38.2.10
NAT inbound information:
Totally 1 NAT inbound rules.
Interface: Vlan-interface10
ACL: 2001 Address group: 12 Add route: N
NO-PAT: N Reversible: N
Config status: Active
NAT outbound information:
Totally 2 NAT outbound rules.
Interface: Vlan-interface10
ACL: 2000 Address group: 11 Port-preserved: N
NO-PAT: N Reversible: N
Config status: Active
Interface: Vlan-interface10
ACL: --- Address group: 10 Port-preserved: N
NO-PAT: Y Reversible: N
Config status: Active
Static NAT mappings:
Totally 2 inbound static NAT mappings.
Net-to-net:
Global IP : 200.11.1.1 - 200.11.1.10
Local IP : 3.1.1.0
Netmask : 255.255.255.240
Config status: Active
IP-to-IP:
Global IP : 200.10.1.1
Local IP : 2.1.1.1
Config status: Active
Totally 2 outbound static NAT mappings.
Net-to-net:
Local IP : 192.168.1.1 - 192.168.1.10
Global IP : 202.1.1.0
Netmask : 255.255.255.240
Config status: Active
IP-to-IP:
Local IP : 1.1.1.1
Global IP : 200.1.1.1
Config status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: Vlan-interface10
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Disabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(90%)
NAT mapping behavior:
Mapping mode : Address and Port-Dependent
ACL : ---
Config status: Active
The output shows all NAT configuration information. Table 2 describes only the fields for the output of the related commands.
Table 2 Command output
Field | Description |
---|---|
NAT address group information | Information about the NAT address group. See Table 1 for output description. |
NAT inbound information | Inbound dynamic NAT configuration. See Table 3 for output description. |
NAT outbound information | Outbound dynamic NAT configuration. See Table 5 for output description. |
Rule name | Name of the NAT rule. |
Priority | Priority of the NAT rule. |
NAT mapping behavior | This field is not supported in the current software version. Mapping behavior mode of PAT: · Endpoint-Independent. · Address and Port-Dependent Mapping. |
ACL | ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---). |
Config status | This field is not supported in the current software version. Status of the NAT mapping behavior configuration: · Active—The configuration is taking effect. · Inactive—The configuration is not taking effect. |
Reasons for inactive status | This field is not supported in the current software version. Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status field displays Inactive. |
display nat inbound
Use display nat inbound to display inbound dynamic NAT configuration.
Syntax
display nat inbound
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display inbound dynamic NAT configuration.
<Sysname> display nat inbound
NAT inbound information:
Totally 2 NAT inbound rules.
Interface: Twenty-FiveGigE1/0/2
ACL: 2038 Address group: 2 Add route: Y
NO-PAT: Y Reversible: N
Rule name: ruleinbound1
Priority: 1000
Config status: Active
Interface: Twenty-FiveGigE1/0/3
ACL: 2037 Address group: 1 Add route: Y
NO-PAT: Y Reversible: N
Rule name: ruleinbound2
Priority: 1000
Config status: Active
Table 3 Command output
Field | Description |
---|---|
NAT inbound information | Information about inbound dynamic NAT configuration. |
Totally n NAT inbound rules | Total number of inbound dynamic NAT rules. |
Interface | Interface where the inbound dynamic NAT rule is configured. |
ACL | ACL number or name. |
Address group | NAT address group used by the inbound dynamic NAT rule. |
Add route | Whether to add a route when a packet matches the inbound dynamic NAT rule: · Y—Adds a route. · N—Does not add a route. |
NO-PAT | Whether NO-PAT or PAT is used: · Y—NO-PAT is used. · N—PAT is used. |
Reversible | Whether reverse address translation is allowed: · Y—Reverse address translation is allowed. · N—Reverse address translation is not allowed. |
Rule name | Name of the NAT rule. |
Priority | Priority of the NAT rule. |
Config status | Status of the inbound dynamic NAT configuration: · Active—The configuration is taking effect. · Inactive—The configuration is not taking effect. |
Reasons for inactive status | Reasons why the inbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive. |
Related commands
nat inbound
display nat no-pat
Use display nat no-pat to display information about NAT NO-PAT entries.
Syntax
display nat no-pat [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NO-PAT entry information for all member devices.
Usage guidelines
A NO-PAT entry records the mapping between a private address and a public address.
The NO-PAT entry provides the following functions:
· The same entry applies to subsequent connections initiated from the same source IP address.
· The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.
Outbound and inbound NO-PAT address translations create their own NO-PAT tables. These two types of tables are displayed separately.
Examples
# Display information about NO-PAT entries.
<Sysname> display nat no-pat
Slot 1:
Global IP: 200.100.1.100
Local IP: 192.168.100.100
Reversible: N
Type : Inbound
Local IP: 192.168.100.200
Global IP: 200.100.1.200
Reversible: Y
Type : Outbound
Total entries found: 2
Table 4 Command output
Field | Description |
---|---|
Local VPN | MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed. |
Global VPN | MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed. |
Reversible | Whether reverse address translation is allowed: · Y—Reverse address translation is allowed. · N—Reverse address translation is not allowed. |
Type | Type of the NO-PAT entry: · Inbound—A NO-PAT entry created during inbound dynamic NAT. · Outbound—A NO-PAT entry created during outbound dynamic NAT. |
Total entries found | Total number of NO-PAT entries. |
Related commands
nat inbound
nat outbound
display nat outbound
Use display nat outbound to display outbound dynamic NAT configuration.
Syntax
display nat outbound
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display outbound dynamic NAT configuration.
<Sysname> display nat outbound
NAT outbound information:
Totally 2 NAT outbound rules.
Interface: Vlan-interface10
ACL: 2036 Address group: 1 Port-preserved: Y
NO-PAT: N Reversible: N
Rule name: ruleoutbound1
Priority: 1000
Config status: Active
Interface: Vlan-interface20
ACL: 2037 Address group: 10 Port-preserved: N
NO-PAT: Y Reversible: Y
Rule name: ruleoutbound2
Priority: 1000
Config status: Active
Table 5 Command output
Field | Description |
---|---|
NAT outbound information | Information about outbound dynamic NAT configuration. |
Totally n NAT outbound rules | Total number of outbound dynamic NAT rules. |
Interface | Interface where the outbound dynamic NAT rule is configured. |
ACL | IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT configuration, this field displays hyphens (---). |
Address group | Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---). |
Port-preserved | Whether to try to preserve the port numbers for PAT. |
NO-PAT | Whether NO-PAT is used: · Y—NO-PAT is used. · N—PAT is used. |
Reversible | Whether reverse address translation is allowed: · Y—Reverse address translation is allowed. · N—Reverse address translation is not allowed. |
Configuration mode | Configuration method of the device. · This field displays NETCONF (action) if the device is configured by using a NETCONF action operation. Only the SmartMC network supports this configuration method. · This field is not displayed if the device is configured by using other methods. |
Rule name | Name of the NAT rule. |
Priority | Priority of the NAT rule. |
Config status | Status of the outbound dynamic NAT configuration: · Active—The configuration is taking effect. · Inactive—The configuration is not taking effect. |
Reasons for inactive status | Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display: · The following items don't exist or aren't effective: interface IP address, address group, and ACL. · NAT address conflicts. |
Related commands
nat outbound
display nat session
Use display nat session to display NAT sessions.
Syntax
display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ brief | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.
destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT sessions for all member devices.
brief: Displays brief information about NAT sessions.
verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about all NAT sessions.
Examples
# Display detailed information about NAT sessions.
<Sysname> display nat session verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Vlan-interface10
Source security zone: SrcZone
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.10/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Vlan-interface20
Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2023-06-29 15:12:28
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
# Display brief information about NAT sessions.
<Sysname> display nat session brief
Slot 1:
Protocol Source IP/port Destination IP/port Global IP/port
TCP 10.2.1.58/2477 20.1.1.2/1025 30.2.4.9/226
Total sessions found: 1
Table 6 Command output
Field | Description |
---|---|
Source IP/port | Source IP address and port number. |
Destination IP/port | Destination IP address and port number. |
DS-Lite tunnel peer | This field is not supported in the current software version. Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
VPN instance/VLAN ID/VLL ID | The fields identify the following information: · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. · VLL ID—INLINE to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or VLL ID is specified, a hyphen (-) is displayed for the related field. |
Protocol | Transport layer protocol type: Raw IP, TCP, or UDP. |
Inbound interface | Input interface. |
Source security zone | Security zone to which the input interface belongs. If the input interface does not belong to any security zone, this field displays a hyphen (-). |
State | NAT session status. |
Application | Application layer protocol type, such as FTP and DNS. This field displays OTHER for the protocol types identified by non-well-known ports. |
Start time | Time when the session starts. |
TTL | Remaining NAT session lifetime in seconds. |
Initiator->Responder | Number of packets and packet bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and packet bytes from the responder to the initiator. |
Total sessions found | Total number of sessions. |
Source IP/port | Source IP address and port number of the initiator. |
Destination IP/port | Destination IP address and port number of the initiator. |
Global IP/port | Public IP address and port number. |
Related commands
reset nat session
display nat statistics
Use display nat statistics to display NAT statistics.
Syntax
display nat statistics [ summary ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT statistics for all member devices.
Examples
# Display detailed information about NAT statistics.
<Sysname> display nat statistics
Slot 1:
Total session entries: 100
Total EIM entries: 0
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 0
Total dynamic port block entries: 0
Active static port block entries: 0
Active dynamic port block entries: 0
Table 7 Command output
Field | Description |
---|---|
Total session entries | Number of NAT session entries. |
Total EIM entries | Number of EIM entries. |
Total inbound NO-PAT entries | Number of inbound NO-PAT entries. |
Total outbound NO-PAT entries | Number of outbound NO-PAT entries. |
Total static port block entries | This field is not supported in the current software version. Number of static port block mappings. |
Total dynamic port block entries | This field is not supported in the current software version. Number of dynamic port block mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. |
Active static port block entries | This field is not supported in the current software version. Number of static port block mappings that are in use. |
Active dynamic port block entries | This field is not supported in the current software version. Number of dynamic port block mappings that have been created. It equals the number of dynamically assigned port blocks. |
nat address-group
Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.
Use undo nat address-group to delete a NAT address group.
Syntax
nat address-group group-id
undo nat address-group group-id
Default
No NAT address groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.
Usage guidelines
A NAT address group can contain multiple address ranges added by using the address command.
Examples
# Create a NAT address group numbered 1.
<Sysname> system-view
[Sysname] nat address-group 1
Related commands
address
display nat address-group
display nat all
nat inbound
nat outbound
nat inbound
Use nat inbound to configure an inbound dynamic NAT rule.
Use undo nat inbound to delete an inbound dynamic NAT rule.
Syntax
nat inbound { ipv4-acl-number | name ipv4-acl-name } address-group group-id [ no-pat [ reversible ] [ add-route ] ] [ rule rule-name ] [ priority priority ]
undo nat inbound { ipv4-acl-number | name ipv4-acl-name }
Default
No inbound dynamic NAT rules exist.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be all.
address-group group-id: Specifies an address group for address translation. The value range for the group-id argument is 0 to 65535.
no-pat: Uses NO-PAT for inbound NAT. If you do not specify this keyword, PAT is used. PAT supports only TCP and UDP packets.
reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the internal network to the external network.
add-route: Automatically adds a route to the source address after translation. The output interface is the NAT interface and the next hop is the source address before translation.
rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.
priority priority: Specifies a priority for the rule, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the rule has the lowest priority among the same type of NAT rules.
Usage guidelines
Inbound dynamic NAT translates the source IP addresses of incoming packets permitted by the ACL into IP addresses in the address group.
Inbound dynamic NAT supports the PAT and NO-PAT modes.
· PAT—Performs both IP address translation and port translation.
· NO-PAT—Performs only IP address translation.
The NO-PAT mode supports reverse address translation. Reverse address translation uses ACL reverse matching to identify packets to be translated. ACL reverse matching works as follows:
· Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
· Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Inbound dynamic NAT typically cooperates with one of the following to implement bidirectional NAT:
· Outbound dynamic NAT (the nat outbound command).
· NAT Server (the nat server command).
· Outbound static NAT (the nat static command).
An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat inbound command in both PAT and NO-PAT modes.
Do not specify the add-route keyword if the subnets where the internal and external networks reside overlap. For other network scenarios:
· If you specify the add-route keyword, the device automatically adds a route to the translated source address of each matching packet. When a packet's source address and the address of its input interface belong to different network segments, the device normally performs ARP resolution on the source address to obtain its MAC address; if ARP resolution fails, packets sent back to that source cannot reach it and communication fails. To avoid this, configure a static route on the device whose destination is the packet's source address and whose next hop is the peer device in the target network. A 32-bit host route (mask 255.255.255.255) ensures that all packets sent to that source address are forwarded to the correct next hop without ARP resolution, which avoids ARP resolution failures between different network segments.
· If you do not specify the add-route keyword, you must add the route manually. As a best practice, add routes manually, because automatic route adding is slow.
An ACL can be used by only one inbound dynamic NAT rule on an interface.
You can configure multiple inbound dynamic NAT rules on an interface.
If the inbound dynamic NAT rules have the same priority value, the device uses the following rules to determine their match order:
· NAT rules with named ACLs have higher priorities than NAT rules with numbered ACLs.
· NAT rules with named ACLs are matched in alphanumeric order of their ACL names.
· NAT rules with numbered ACLs are matched in descending order of their ACL numbers.
Examples
# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-address-group-1] quit
# Configure an inbound NO-PAT rule on interface Twenty-FiveGigE 1/0/1. NAT translates the source addresses of incoming packets into the addresses in address group 1, and automatically adds routes for translated packets. Set the rule name to abc, and the priority to 0.
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat inbound 2001 address-group 1 no-pat add-route rule abc priority 0
Related commands
display nat all
display nat inbound
display nat no-pat
nat inbound rule move
Use nat inbound rule move to change the priority of an inbound dynamic NAT rule.
Syntax
nat inbound rule move nat-rule-name1 { after | before } nat-rule-name2
Default
The priority of a rule is determined by its location on the rule list. A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Views
Interface view
Predefined user roles
network-admin
Parameters
nat-rule-name1: Specifies the name of the rule to be moved.
after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule plus one.
before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule minus one.
nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.
Usage guidelines
This command is applicable only to named inbound dynamic NAT rules.
A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Examples
# Move the inbound dynamic NAT rule abc to the line before the rule def.
<Sysname> system-view
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat inbound rule move abc before def
Related commands
nat inbound
nat outbound
Use nat outbound to configure an outbound dynamic NAT rule.
Use undo nat outbound to delete an outbound dynamic NAT rule.
Syntax
NO-PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id no-pat [ reversible ] [ rule rule-name ] [ priority priority ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ port-preserved ] [ rule rule-name ] [ priority priority ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
Default
No outbound dynamic NAT rules exist.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be all.
address-group group-id: Specifies an address group for NAT. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address (Easy IP).
no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP and UDP packets.
reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.
port-preserved: Tries to preserve the port number for PAT.
rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.
priority priority: Specifies a priority for the rule, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the rule has the lowest priority among the same type of NAT rules.
Usage guidelines
Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.
Outbound dynamic NAT supports the following modes:
· PAT—Performs both IP address translation and port translation.
· NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:
    · Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
    · Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
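The two-step reverse-matching procedure above is the same one described for the reversible keyword of nat inbound. As an added example (not code from the command reference), this Python model applies it to a constructed forward-direction ACL and a constructed outbound NO-PAT table to decide whether a connection from an external host may be reverse-translated; it assumes ACL rules are evaluated in configured order and that a packet matching no rule is not permitted.

```python
# Added example (not from the command reference): ACL reverse matching for
# reversible NO-PAT. The ACL is written for the forward (internal -> external)
# direction; a reply/new connection from the external side is checked by
# (1) comparing its source with the ACL destination and (2) translating its
# destination through the NO-PAT entry and comparing the result with the ACL
# source. All addresses, ports and rules below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # source prefix matched by the rule
    dst: str = "0.0.0.0/0"            # destination prefix matched by the rule
    src_port: Optional[int] = None    # None = any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _hit(rule, src_ip, src_port, dst_ip, dst_port):
    """True if the (src, dst) tuple falls within the rule's match fields."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.src_port in (None, src_port)
            and rule.dst_port in (None, dst_port))


def acl_reverse_match(acl, no_pat, pkt):
    """Return the local IP the packet's destination is translated to, or None
    when reverse translation is not allowed for this packet.

    no_pat maps global IP -> local IP (outbound NO-PAT entries).
    """
    local_ip = no_pat.get(pkt.dst_ip)
    if local_ip is None:
        return None                      # no NO-PAT entry: nothing to reverse
    for rule in acl:                     # first matching rule decides (assumption)
        # Step 1: packet source vs ACL destination.
        # Step 2: translated destination vs ACL source.
        # Passing the swapped, translated tuple to _hit performs both checks.
        if _hit(rule, local_ip, pkt.dst_port, pkt.src_ip, pkt.src_port):
            return local_ip if rule.action == "permit" else None
    return None                          # no rule matched: not permitted


# Constructed forward-direction ACL: internal 10.110.10.0/24 may reach any
# destination except 203.0.113.0/24; everything else is denied.
SAMPLE_ACL = [
    AclRule("deny", src="10.110.10.0/24", dst="203.0.113.0/24"),
    AclRule("permit", src="10.110.10.0/24"),
    AclRule("deny"),
]
# Constructed outbound NO-PAT entries (global IP -> local IP).
SAMPLE_NO_PAT = {"202.110.10.10": "10.110.10.5", "202.110.10.11": "10.110.10.6"}

if __name__ == "__main__":
    pkt = Packet("198.51.100.7", 4000, "202.110.10.10", 80)
    print(acl_reverse_match(SAMPLE_ACL, SAMPLE_NO_PAT, pkt))   # 10.110.10.5
```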
When you specify a NAT address group, follow these restrictions and guidelines:
· An address group cannot be used by both the nat inbound and nat outbound commands.
· An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.
When you specify an ACL, follow these restrictions and guidelines:
· An ACL can be used by only one outbound dynamic NAT rule on an interface.
· If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.
· If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.
· Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.
If the ACL-based outbound dynamic NAT rules have the same priority value, the device uses the following rules to determine their match order:
· NAT rules with named ACLs have higher priorities than NAT rules with numbered ACLs.
· NAT rules with named ACLs are matched in alphanumeric order of their ACL names.
· NAT rules with numbered ACLs are matched in descending order of their ACL numbers.
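The precedence rules above decide which outbound dynamic NAT rule handles a packet, and a more specific ACL can be shadowed by a rule with a higher ACL number. The following Python model is an added example and is not part of the H3C documentation or the device software; the rule names, ACL contents and packet addresses are constructed (ACL 2001 mirrors the page's example). The same named-before-numbered, alphanumeric and descending-number tie-break also recurs in the static NAT sections of this page, so the sort key applies there as well.

```python
# Added example, not from the H3C documentation: a model of the match order the
# page describes for outbound dynamic NAT rules on one interface. Rule names,
# ACL contents and packet addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

def acl_permits(acl_rules, src):
    """First-match evaluation of a basic ACL given as (action, network-or-None)
    tuples, None meaning "any"; an unmatched packet hits the implicit deny."""
    src = ipaddress.ip_address(src)
    for action, net in acl_rules:
        if net is None or src in net:
            return action == "permit"
    return False

@dataclass
class OutboundRule:
    name: str
    acl: Optional[Union[int, str]] = None  # None: no ACL, translates everything
    priority: Optional[int] = None         # None: lowest priority of its type

def match_key(rule):
    """Sort key implementing the page's order:
    1. rules with an ACL before the (single) rule without one;
    2. smaller priority value first, unspecified priority last;
    3. on equal priority, named ACLs before numbered ACLs, named ACLs in
       alphanumeric order, numbered ACLs in descending order."""
    acl_first = 0 if rule.acl is not None else 1
    prio = (1, 0) if rule.priority is None else (0, rule.priority)
    if isinstance(rule.acl, str):
        tie = (0, rule.acl, 0)
    elif isinstance(rule.acl, int):
        tie = (1, "", -rule.acl)
    else:
        tie = (2, "", 0)
    return (acl_first, prio, tie)

def match_order(rules):
    return [r.name for r in sorted(rules, key=match_key)]

def select_rule(rules, acls, src):
    """Return the name of the first rule whose ACL permits the packet source."""
    for rule in sorted(rules, key=match_key):
        if rule.acl is None or acl_permits(acls[rule.acl], src):
            return rule.name
    return None

# Constructed ACLs; 2001 matches the page's example (permit 10.110.10.0/24, deny the rest).
ACLS = {
    2001: [("permit", ipaddress.ip_network("10.110.10.0/24")), ("deny", None)],
    2002: [("permit", ipaddress.ip_network("10.110.0.0/16"))],
    2003: [("permit", ipaddress.ip_network("10.110.30.0/24"))],
    "branch-guests": [("permit", ipaddress.ip_network("10.110.20.0/24"))],
}

RULES = [
    OutboundRule("r-2001", acl=2001),
    OutboundRule("r-easyip"),                         # no ACL: catches everything else
    OutboundRule("r-2002", acl=2002),
    OutboundRule("r-guests", acl="branch-guests"),
    OutboundRule("r-pinned", acl=2003, priority=10),  # explicit priority is matched first
]

if __name__ == "__main__":
    print(match_order(RULES))
    # 10.110.10.5 is permitted by ACL 2001, but ACL 2002 has the higher number and
    # is checked first, so r-2001 is shadowed by r-2002.
    print(select_rule(RULES, ACLS, "10.110.10.5"))
```

Running `select_rule` over the address ranges you expect each rule to serve is a quick way to find shadowed rules before they reach a production interface; the page's descending-number rule means the rule with the broadest ACL can win simply because its ACL number is higher.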
Examples
# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-ipv4-basic-2001] rule deny
[Sysname-acl-ipv4-basic-2001] quit
# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-address-group-1] quit
# Configure an outbound dynamic PAT rule on Twenty-FiveGigE 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat outbound 2001 address-group 1
[Sysname-Twenty-FiveGigE1/0/1] quit
Or
# Configure an outbound NO-PAT rule on Twenty-FiveGigE 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat outbound 2001 address-group 1 no-pat
[Sysname-Twenty-FiveGigE1/0/1] quit
Or
# Enable Easy IP to use the IP address of Twenty-FiveGigE 1/0/1 as the translated address.
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat outbound 2001
[Sysname-Twenty-FiveGigE1/0/1] quit
Or
# Configure an outbound NO-PAT rule on Twenty-FiveGigE 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat outbound 2001 address-group 1 no-pat reversible
Related commands
display nat outbound
nat outbound rule move
Use nat outbound rule move to change the priority of an outbound dynamic NAT rule.
Syntax
nat outbound rule move nat-rule-name1 { after | before } nat-rule-name2
Default
The priority of a rule is determined by its location on the rule list. A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Views
Interface view
Predefined user roles
network-admin
Parameters
nat-rule-name1: Specifies the name of the NAT rule to be moved.
after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule plus one.
before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule minus one.
nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.
Usage guidelines
This command is applicable only to named outbound dynamic NAT rules.
A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Examples
# Move the outbound dynamic NAT rule abc to the line before the rule def.
<Sysname> system-view
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat outbound rule move abc before def
Related commands
nat outbound
nat static enable
Use nat static enable to enable static NAT on an interface.
Use undo nat static enable to disable static NAT on an interface.
Syntax
nat static enable
undo nat static enable
Default
Static NAT is disabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.
Examples
# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on interface Twenty-FiveGigE 1/0/1.
<Sysname> system-view
[Sysname] nat static outbound 192.168.1.1 2.2.2.2
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] nat static enable
Related commands
display nat all
display nat static
nat static
nat static inbound
Use nat static inbound to configure a one-to-one mapping for inbound static NAT.
Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.
Syntax
nat static inbound global-ip local-ip [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ]
undo nat static inbound global-ip local-ip
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
global-ip: Specifies a public IP address.
local-ip: Specifies a private IP address.
acl: Specifies an ACL to identify packets for address translation.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.
reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP address.
rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.
priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.
Usage guidelines
When the source IP address of a packet from the external network to the internal network matches the global-ip, the source IP address is translated into the local-ip. When the destination IP address of a packet from the internal network to the external network matches the local-ip, the destination IP address is translated into the global-ip.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP address.
· If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
  - Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
  - Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.
If the ACL-based inbound one-to-one static mappings have the same priority value, the device uses the following rules to determine their match order:
· Mappings with named ACLs have higher priorities than mappings with numbered ACLs.
· Mappings with named ACLs are matched in alphanumeric order of their ACL names.
· Mappings with numbered ACLs are matched in descending order of their ACL numbers.
Examples
# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.
<Sysname> system-view
[Sysname] nat static inbound 2.2.2.2 192.168.1.1
Related commands
display nat all
display nat static
nat static enable
nat static inbound net-to-net
Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.
Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.
Syntax
nat static inbound net-to-net global-start-address global-end-address local local-network { mask-length | mask } [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ]
undo nat static inbound net-to-net global-start-address global-end-address local local-network { mask-length | mask }
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
global-start-address global-end-address: Specifies a public address range, which can contain a maximum of 256 addresses. The global-end-address must not be lower than the global-start-address. If they are the same, only one public address is specified.
local-network: Specifies a private network address.
mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.
mask: Specifies the mask of the private network address.
acl: Specifies an ACL to identify packets for address translation.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.
reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP addresses.
rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.
priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.
Usage guidelines
Specify a public network through a start address and an end address, and a private network through a private address and a mask.
When the source address of a packet from the external network matches the public address range, the source address is translated into a private address in the private address range. When the destination address of a packet from the internal network matches the private address range, the destination address is translated into a public address in the public address range.
The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP addresses.
· If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
  - Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
  - Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.
If the ACL-based inbound net-to-net static mappings have the same priority value, the device uses the following rules to determine their match order:
· Mappings with named ACLs have higher priorities than mappings with numbered ACLs.
· Mappings with named ACLs are matched in alphanumeric order of their ACL names.
· Mappings with numbered ACLs are matched in descending order of their ACL numbers.
Examples
# Configure an inbound static NAT mapping between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.
<Sysname> system-view
[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24
Related commands
display nat all
display nat static
nat static enable
nat static inbound net-to-net rule move
Use nat static inbound net-to-net rule move to change the priority of an inbound net-to-net static NAT rule.
Syntax
nat static inbound net-to-net rule move nat-rule-name1 { after | before } nat-rule-name2
Default
An inbound net-to-net static NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Views
System view
Predefined user roles
network-admin
Parameters
nat-rule-name1: Specifies the name of the NAT rule to be moved.
after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.
before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.
nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.
Examples
# Move the inbound net-to-net static NAT rule abc to the line before the inbound net-to-net static NAT rule def.
<Sysname> system-view
[Sysname] nat static inbound net-to-net rule move abc before def
Related commands
nat static inbound net-to-net
nat static inbound rule move
Use nat static inbound rule move to change the priority of an inbound one-to-one static NAT rule.
Syntax
nat static inbound rule move nat-rule-name1 { after | before } nat-rule-name2
Default
The priority of a rule is determined by its location on the rule list. A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Views
System view
Predefined user roles
network-admin
Parameters
nat-rule-name1: Specifies the name of the NAT rule to be moved.
after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule plus one.
before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule minus one.
nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.
Examples
# Move the inbound one-to-one static NAT rule abc to the line before the inbound one-to-one static NAT rule def.
<Sysname> system-view
[Sysname] nat static inbound rule move abc before def
Related commands
nat static inbound
nat static outbound
Use nat static outbound to configure a one-to-one mapping for outbound static NAT.
Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.
Syntax
nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ]
undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ]
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
local-ip: Specifies a private IP address.
vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.
global-ip: Specifies a public IP address.
vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.
acl: Specifies an ACL to identify packets for address translation.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.
reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address.
rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.
priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.
Usage guidelines
When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.
· If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
  - Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
  - Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.
The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
If the ACL-based outbound one-to-one static mappings have the same priority value, the device uses the following rules to determine their match order:
· Mappings with named ACLs have higher priorities than mappings with numbered ACLs.
· Mappings with named ACLs are matched in alphanumeric order of their ACL names.
· Mappings with numbered ACLs are matched in descending order of their ACL numbers.
Examples
# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.
<Sysname> system-view
[Sysname] nat static outbound 192.168.1.1 2.2.2.2
# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001
Related commands
display nat all
display nat static
nat static enable
nat static outbound net-to-net
Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.
Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.
Syntax
nat static outbound net-to-net local-start-address local-end-address global global-network { mask-length | mask } [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ]
undo nat static outbound net-to-net local-start-address local-end-address global global-network { mask-length | mask }
Default
No NAT mappings exist.
Views
System view
Predefined user roles
network-admin
Parameters
local-start-address local-end-address: Specifies a private address range, which can contain a maximum of 256 addresses. The local-end-address must not be lower than the local-start-address. If they are the same, only one private address is specified.
global-network: Specifies a public network address.
mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.
mask: Specifies the mask of the public network address.
acl: Specifies an ACL to identify packets for address translation.
ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.
reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses.
rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.
priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.
Usage guidelines
Specify a private network through a start address and an end address, and a public network through a public address and a mask.
When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.
The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, if the public address is 2.2.2.0 with mask 255.255.255.0 and the private start address is 1.1.1.100, the private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
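The range constraint stated here, and the mirror-image one for nat static inbound net-to-net, is easy to get wrong when the range does not start on a subnet boundary. The following Python checker is an added example, not part of the H3C documentation or the device software; it applies the three limits the page states (at most 256 addresses, mask length 8 to 31, end address not beyond the subnet that the start address falls in under the peer network's mask) and uses the page's own illustration addresses.

```python
# Added example, not from the H3C documentation: checks the range constraints the
# page states for net-to-net static NAT mappings (at most 256 addresses, mask length
# 8 to 31, end address not beyond the subnet that the start address falls in under
# the peer network's mask). The addresses used are the page's own illustration.
import ipaddress

MAX_RANGE = 256  # page: a net-to-net range can contain a maximum of 256 addresses

def subnet_of_start(start, mask_len):
    """Subnet that the range's start address falls in under the peer network's mask."""
    return ipaddress.ip_network("%s/%d" % (start, mask_len), strict=False)

def greatest_end_address(start, mask_len):
    """Highest end address the page allows for a range beginning at start."""
    return str(subnet_of_start(start, mask_len).broadcast_address)

def check_net_to_net(start, end, mask_len):
    """Return the list of violated constraints; an empty list means the
    start/end range is acceptable for a peer network with this mask length.
    For outbound mappings start/end is the private range and the mask belongs
    to the public network; for inbound mappings it is the other way round."""
    start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    problems = []
    if not 8 <= mask_len <= 31:
        return ["mask length must be in the range of 8 to 31"]
    if end < start:
        return ["end address is lower than start address"]
    if int(end) - int(start) + 1 > MAX_RANGE:
        problems.append("range contains more than %d addresses" % MAX_RANGE)
    limit = subnet_of_start(start, mask_len).broadcast_address
    if end > limit:
        problems.append("end address %s exceeds %s, the greatest address in %s"
                        % (end, limit, subnet_of_start(start, mask_len)))
    return problems

if __name__ == "__main__":
    # Page's illustration: peer network mask /24, start 1.1.1.100 -> end at most 1.1.1.255.
    print(greatest_end_address("1.1.1.100", 24))
    print(check_net_to_net("1.1.1.100", "1.1.2.1", 24))
    print(check_net_to_net("192.168.1.1", "192.168.1.255", 24))  # the page's example mapping
```

Running the checker over a planned mapping before typing the command avoids a rejected configuration, and the `greatest_end_address` helper gives the largest range a given start address and peer mask can carry.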
When you specify an ACL, follow these restrictions and guidelines:
· If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.
· If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.
· If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:
  - Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
  - Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Static NAT takes precedence over dynamic NAT when both are configured on an interface.
You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.
If the ACL-based outbound net-to-net static mappings have the same priority value, the device uses the following rules to determine their match order:
· Mappings with named ACLs have higher priorities than mappings with numbered ACLs.
· Mappings with named ACLs are matched in alphanumeric order of their ACL names.
· Mappings with numbered ACLs are matched in descending order of their ACL numbers.
Examples
# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.
<Sysname> system-view
[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24
# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001
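ACL reverse matching, described in the usage guidelines of this command and of the other static NAT commands above, determines which externally initiated connections reach a private host once the reversible keyword is set. The following Python model is an added example and is not part of the H3C documentation or the device software. It reuses ACL 3001 and the net-to-net mapping from the examples just above; the host-bit-preserving translation (192.168.1.10 to 2.2.2.10) is an assumption consistent with the page's range constraint, only IP addresses are compared (the page also compares ports), and the packet addresses are constructed.

```python
# Added example, not from the H3C documentation: a model of ACL reverse matching
# for a static NAT mapping configured with the reversible keyword. It reuses
# ACL 3001 and the outbound net-to-net mapping from the examples above; the
# host-bit-preserving translation (192.168.1.10 <-> 2.2.2.10) is an assumption
# consistent with the page's range constraint, and only IP addresses are
# compared (the page also compares ports). Packet addresses are constructed.
import ipaddress

ANY = None  # an ACL rule field with no restriction

def _matches(net, addr):
    return net is ANY or addr in net

def acl_action(acl, src, dst):
    """First-match evaluation of an advanced ACL given as
    (action, source network, destination network) tuples, with the implicit deny."""
    for action, src_net, dst_net in acl:
        if _matches(src_net, src) and _matches(dst_net, dst):
            return action
    return "deny"

class StaticOutboundNetToNet:
    def __init__(self, local_start, local_end, global_network, acl=None, reversible=False):
        self.local_start = ipaddress.IPv4Address(local_start)
        self.local_end = ipaddress.IPv4Address(local_end)
        self.global_net = ipaddress.ip_network(global_network)
        self.acl = acl
        self.reversible = reversible

    def _to_global(self, local):
        host = int(local) & int(self.global_net.hostmask)
        return ipaddress.IPv4Address(int(self.global_net.network_address) | host)

    def _to_local(self, glob):
        base = int(self.local_start) & int(self.global_net.netmask)
        return ipaddress.IPv4Address(base | (int(glob) & int(self.global_net.hostmask)))

    def outbound(self, src, dst):
        """Translated source of an outgoing packet, or None if the packet is left alone."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if not self.local_start <= src <= self.local_end:
            return None
        if self.acl is not None and acl_action(self.acl, src, dst) != "permit":
            return None
        return str(self._to_global(src))

    def inbound_new_connection(self, src, dst):
        """Translated destination of a packet that opens a connection from outside,
        or None if it is not translated.

        Without an ACL every inbound packet to the public range is translated. With an
        ACL but without reversible, externally initiated connections are never
        translated. With both, the page's reverse matching applies: the packet source
        is compared with the ACL destinations and the translated destination with the
        ACL sources, i.e. the ACL is evaluated on (translated dst, packet src)."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if dst not in self.global_net:
            return None
        local = self._to_local(dst)
        if not self.local_start <= local <= self.local_end:
            return None
        if self.acl is None:
            return str(local)
        if not self.reversible:
            return None
        if acl_action(self.acl, local, src) == "permit":
            return str(local)
        return None

# ACL 3001 from the page: rule permit ip destination 3.3.3.0 0.0.0.255 (source any).
ACL_3001 = [("permit", ANY, ipaddress.ip_network("3.3.3.0/24"))]

MAPPING = StaticOutboundNetToNet("192.168.1.1", "192.168.1.255", "2.2.2.0/24",
                                 acl=ACL_3001, reversible=True)
MAPPING_NO_REVERSIBLE = StaticOutboundNetToNet("192.168.1.1", "192.168.1.255", "2.2.2.0/24",
                                               acl=ACL_3001)

if __name__ == "__main__":
    print(MAPPING.outbound("192.168.1.10", "3.3.3.7"))                           # 2.2.2.10
    print(MAPPING.inbound_new_connection("3.3.3.7", "2.2.2.10"))                 # 192.168.1.10
    print(MAPPING.inbound_new_connection("9.9.9.9", "2.2.2.10"))                 # None
    print(MAPPING_NO_REVERSIBLE.inbound_new_connection("3.3.3.7", "2.2.2.10"))  # None
```

The model makes the effect of the keyword visible: with reversible, the destination side of ACL 3001 (3.3.3.0/24) becomes the set of external sources that may open connections to the whole translated private range, so an ACL written only with the outbound direction in mind should be re-read as an inbound filter before the keyword is added.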
Related commands
display nat all
display nat static
nat static enable
nat static outbound net-to-net rule move
Use nat static outbound net-to-net rule move to change the priority of an outbound net-to-net static NAT rule.
Syntax
nat static outbound net-to-net rule move nat-rule-name1 { after | before } nat-rule-name2
Default
An outbound net-to-net static NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Views
System view
Predefined user roles
network-admin
Parameters
nat-rule-name1: Specifies the name of the NAT rule to be moved.
after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule plus one.
before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule is not changed. The priority value of the moved rule equals the priority value of the reference rule minus one.
nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.
Examples
# Move the outbound net-to-net static NAT rule abc to the line before the outbound net-to-net static NAT rule def.
<Sysname> system-view
[Sysname] nat static outbound net-to-net rule move abc before def
Related commands
nat static outbound net-to-net
nat static outbound rule move
Use nat static outbound rule move to change the priority of an outbound one-to-one static NAT rule.
Syntax
nat static outbound rule move nat-rule-name1 { after | before } nat-rule-name2
Default
The priority of a rule is determined by its location on the rule list. A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Views
System view
Predefined user roles
network-admin
Parameters
nat-rule-name1: Specifies the name of the NAT rule to be moved.
after: Moves the rule nat-rule-name1 to the line after the rule nat-rule-name2 (called the reference rule). The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule plus one.
before: Moves the rule nat-rule-name1 to the line before the rule nat-rule-name2. The priority value of the reference rule does not change. The priority value of the moved rule equals the priority value of the reference rule minus one.
nat-rule-name2: Specifies the name of the NAT rule as a reference rule for the NAT rule to be moved.
Usage guidelines
This command is applicable only to named outbound one-to-one static NAT rules.
A NAT rule appearing earlier on the rule list has a higher priority for packet matching.
Examples
# Move the outbound one-to-one static NAT rule abc to the line before the outbound one-to-one static NAT rule def.
<Sysname> system-view
[Sysname] nat static outbound rule move abc before def
Related commands
nat static outbound
reset nat session
Use reset nat session to clear NAT sessions.
Syntax
reset nat session [ protocol { tcp | udp } ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
protocol: Specifies a protocol by its type. If you do not specify this keyword, the command clears NAT sessions of all protocol types.
tcp: Specifies the TCP protocol.
udp: Specifies the UDP protocol.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears NAT sessions for all member devices.
Examples
# Clear NAT sessions for the specified slot.
<Sysname> reset nat session slot 1
Related commands
display nat session