21-NAT Command Reference


NAT commands

Generic NAT commands

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. Each address range can contain a maximum of 65536 addresses.

Usage guidelines

Application scenarios

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

Restrictions and guidelines

When you execute this command in a NAT address group, follow these restrictions and guidelines:

·     You can add multiple address ranges to a NAT address group. Make sure the address ranges do not overlap in the NAT address group.

·     The device supports a maximum of 65536 address ranges in total for all NAT address groups.

·     If the NAT address group has been used by a NAT rule, you cannot use the undo address command to delete addresses from the group.

Examples

# Add two address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30
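As an added example, not part of this command reference, the following Python script parses address-group configuration lines in the form shown above and checks the restrictions documented for the address command: the end address must not be lower than the start address, a range holds at most 65536 addresses, ranges in one group must not overlap, and the device accepts at most 65536 ranges in total. The sample configuration and the violating groups in it are constructed.

```python
import ipaddress
import re

# Constructed sample configuration (not captured from a device). Groups 3, 4 and 5
# each violate one of the restrictions documented for the address command.
SAMPLE_CONFIG = """\
nat address-group 2
 address 10.1.1.1 10.1.1.15
 address 10.1.1.20 10.1.1.30
nat address-group 3
 address 10.1.2.0 10.1.2.255
 address 10.1.2.200 10.1.2.250
nat address-group 4
 address 10.1.3.10 10.1.3.5
nat address-group 5
 address 10.0.0.0 10.1.0.0
"""

MAX_ADDRESSES_PER_RANGE = 65536   # limit stated in the Parameters section
MAX_RANGES_ON_DEVICE = 65536      # limit stated under Restrictions and guidelines

GROUP_RE = re.compile(r"^\s*nat address-group\s+(\d+)\s*$")
ADDR_RE = re.compile(r"^\s*address\s+(\S+)\s+(\S+)\s*$")


def parse_address_groups(config_text):
    """Return {group_id: [(start, end), ...]} with addresses as integers."""
    groups = {}
    current = None
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = int(m.group(1))
            groups.setdefault(current, [])
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            start = int(ipaddress.IPv4Address(m.group(1)))
            end = int(ipaddress.IPv4Address(m.group(2)))
            groups[current].append((start, end))
    return groups


def _fmt(start, end):
    return f"{ipaddress.IPv4Address(start)}-{ipaddress.IPv4Address(end)}"


def check_address_groups(groups):
    """Return a list of (group_id, message); an empty list means no violations."""
    findings = []
    total_ranges = 0
    for gid, ranges in sorted(groups.items()):
        total_ranges += len(ranges)
        valid = []
        for start, end in ranges:
            if end < start:
                findings.append((gid, f"end address below start address: {_fmt(start, end)}"))
            elif end - start + 1 > MAX_ADDRESSES_PER_RANGE:
                findings.append((gid, f"range {_fmt(start, end)} exceeds "
                                      f"{MAX_ADDRESSES_PER_RANGE} addresses"))
            else:
                valid.append((start, end))
        # Overlap check: after sorting by start address, a range overlaps an earlier
        # one exactly when it starts at or before the largest end address seen so far.
        valid.sort()
        max_end = None
        for start, end in valid:
            if max_end is not None and start <= max_end:
                findings.append((gid, f"range {_fmt(start, end)} overlaps an earlier range"))
            max_end = end if max_end is None else max(max_end, end)
    if total_ranges > MAX_RANGES_ON_DEVICE:
        findings.append((None, f"{total_ranges} ranges configured, device limit is "
                               f"{MAX_RANGES_ON_DEVICE}"))
    return findings


def audit(config_text):
    """Parse a configuration snippet and return its restriction violations."""
    return check_address_groups(parse_address_groups(config_text))


if __name__ == "__main__":
    for gid, msg in audit(SAMPLE_CONFIG):
        print(f"address-group {gid}: {msg}")
```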

Related commands

global-ip-pool

nat address-group

display nat address-group

Use display nat address-group to display NAT address group configuration.

Syntax

display nat address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays the configuration for all NAT address groups.

Examples

# Display configuration information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 8 NAT address groups.

  Address group name/ID: group1/1

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group name/ID: group2/2

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group name/ID: group3/3

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

Table 1 Command output

Field

Description

Totally n NAT address groups

Total number of parent NAT address groups.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

TCP port limit

Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.

UDP port limit

Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.

ICMP port limit

Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.

Port limit in total

Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.

Address group name/ID

Name and ID of the NAT address group.

Address information

Information about the address ranges in the address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address for the range, this field displays three hyphens (---).

Config status

Status of the NAT address group configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive.

The following are possible reasons that the system might display:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance

 

# Display configuration for NAT address group 1.

<Sysname> display nat address-group 1

  Address group name/ID: group1/1

    VPN instance: vpn1

    Port range: 1024-65535

    Instance name/ID: -

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

    Config status: Active

Table 2 Command output

Field

Description

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

Address information

Information about the address ranges in the address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---).

Config status

Status of the NAT address group configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive. Possible reasons:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance

 
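As an added example, not taken from this command reference, the following Python parser reads output in the display nat address-group layout described in Table 2, extracts each group's VPN instance, port range and address ranges, and reports every group whose Config status is Inactive together with the reasons the device prints. The sample output is constructed to follow the documented layout, including a group with no addresses, which the device reports as inactive.

```python
import ipaddress
import re

# Constructed sample in the documented "display nat address-group" layout
# (not captured from a device). Group 6 has no address range and is Inactive.
SAMPLE_OUTPUT = """\
NAT address group information:
  Totally 3 NAT address groups.
  Address group name/ID: group1/1
    VPN instance: vpn1
    Port range: 1024-65535
    Address information:
      Start address         End address
      202.110.10.10         202.110.10.15
    Config status: Active

  Address group name/ID: group2/2
    Port range: 1024-65535
    Address information:
      Start address         End address
      202.110.10.20         202.110.10.25
      202.110.10.30         202.110.10.35
    Config status: Active

  Address group name/ID: group6/6
    Port range: 1024-65535
    Address information:
      Start address         End address
      ---                   ---
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist: address
"""

GROUP_RE = re.compile(r"^\s*Address group name/ID:\s*(\S+)/(\d+)")
KV_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")
RANGE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*$")   # two tokens: start and end address


def parse_address_groups(text):
    """Return one dict per address group found in the output."""
    groups = []
    cur = None
    section = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            cur = {"name": m.group(1), "id": int(m.group(2)), "vpn": None,
                   "port_range": None, "ranges": [], "status": None, "reasons": []}
            groups.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if section == "reasons":
            # Reason lines follow the header until a blank line or the next group.
            if line.strip():
                cur["reasons"].append(line.strip())
            else:
                section = None
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            section = None
            if key == "VPN instance":
                cur["vpn"] = val
            elif key == "Port range":
                cur["port_range"] = val
            elif key == "Address information":
                section = "addr"
            elif key == "Config status":
                cur["status"] = val
            elif key == "Reasons for inactive status":
                section = "reasons"
            continue
        if section == "addr":
            m = RANGE_RE.match(line)          # the header row has four tokens, so it is skipped
            if m and m.group(1) != "---":     # "---" means no address is configured
                cur["ranges"].append((m.group(1), m.group(2)))
    return groups


def inactive_groups(groups):
    """Return (id, name, reasons) for every group whose configuration is not taking effect."""
    return [(g["id"], g["name"], g["reasons"]) for g in groups if g["status"] != "Active"]


def address_count(group):
    """Number of public addresses a group can translate to."""
    return sum(int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
               for start, end in group["ranges"])


if __name__ == "__main__":
    parsed = parse_address_groups(SAMPLE_OUTPUT)
    for gid, name, reasons in inactive_groups(parsed):
        print(f"group {name}/{gid} inactive: {'; '.join(reasons)}")
```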

Related commands

nat address-group

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT hardware mode : Disabled

 

NAT address group information:

  Totally 6 NAT address groups.

  Address group name/ID: 1/1

    VPN instance: vpn1

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

    Config status: Active

 

  Address group name/ID: 2/2

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

    Config status: Active

 

  Address group name/ID: 3/3

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

    Config status: Active

 

  Address group name/ID: 4/4

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

    Config status: Active

 

  Address group name/ID: 5/5

    Port range: 10001-65535

    Port block size: 6400

    Extended block number: 1

    Extended block size: 64

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Address information:

      Start address         End address

      202.110.10.70         202.110.10.75

    Config status: Active

 

  Address group name/ID: 6/6

    Port range: 1024-65535

    Address information:

      Start address         End address

      ---                   ---

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist: address

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Ten-GigabitEthernet3/0/2

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/2

    ACL: 2037         Address group: 1      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Config status: Active

 

NAT internal server information:

  Totally 4 internal servers.

  Interface: Ten-GigabitEthernet3/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    192.168.0.26/23       (Connections: 10)

                    192.168.0.27/23       (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 - 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Ten-GigabitEthernet3/0/4

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/6

    Config status: Active

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.example.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : service.example.com

  Global IP    : 10.1.1.1

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Active

 

NAT logging:

  Log enable               : Disabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Enabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(90%)

  Address-group-usage      : Enabled(Threshold: 90%)

  Bandwidth-usage          : Enabled(Threshold: 90%)

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: Ten-GigabitEthernet3/0/4

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/6

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent (TCP-5-Tuple)

  ACL          : 2050

  Config status: Active

 

NAT ALG:

  DNS        : Disabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Disabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1024-65535

    Block size: 256

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1024-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: Ten-GigabitEthernet3/0/2

    Port-block-group: 2

    Config status   : Active

 

  Interface: Ten-GigabitEthernet3/0/2

    Port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

NAT Agency ALG:

  FTP        : Enabled

  ICMP-ERROR : Enabled

  SIP        : Disabled

 

The output shows all NAT configuration information. Table 3 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 3 Command output

Field

Description

NAT hardware mode

Enabling status of hardware NAT:

·     Enabled.

·     Disabled.

NAT address group information

Information about the NAT address group. For the output description, see the display nat address-group command.

NAT server group information

Information about the internal server group. For the output description, see the display nat server-group command.

NAT outbound information

Outbound dynamic NAT configuration. For the output description, see the display nat outbound command.

NAT internal server information

NAT Server configuration. For the output description, see the display nat server command.

Static NAT mappings

Static NAT mappings. For the output description, see the display nat static command.

NAT DNS mappings

NAT DNS mappings. For the output description, see the display nat dns-map command.

NAT logging

NAT logging configuration. For the output description, see the display nat log command.

NAT hairpinning

NAT hairpin configuration. If NAT hairpin is not configured, this field is not displayed.

Totally n interfaces enabled with NAT hairpinning

Number of interfaces with NAT hairpin enabled.

Interface

NAT hairpin-enabled interface.

Config status

Status of the NAT hairpin configuration: Active.

NAT mapping behavior

Mapping behavior mode of PAT:

·     Connection-dependent.

·     Endpoint-Independent (TCP)—The mapping mode is endpoint-independent and only EIM entries for TCP connections are created.

·     Endpoint-Independent (TCP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for TCP connections are created.

·     Endpoint-Independent (UDP)—The mapping mode is endpoint-independent and only EIM entries for UDP connections are created.

·     Endpoint-Independent (UDP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for UDP connections are created.

ACL

ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---).

Config status

Status of the NAT mapping behavior configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status field displays Inactive.

NAT ALG

NAT ALG configuration for different protocols.

 

display nat dns-map

Use display nat dns-map to display NAT DNS mapping configuration.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT DNS mapping configuration.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.example.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : service.example.com

  Global IP    : 10.1.1.1

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Active

Table 4 Command output

Field

Description

NAT DNS mapping information

Information about the NAT DNS mappings.

Totally n NAT DNS mappings

Total number of NAT DNS mappings.

Domain name

Domain name of the internal server.

Global IP

Public IP address of the internal server.

·     If Easy IP is configured, this field displays the IP address of the specified interface.

·     If you do not specify a public IP address, this field displays hyphens (---).

Global port

Public port number of the internal server.

Protocol

Protocol name and number of the internal server.

Config status

Status of the DNS mapping configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status field displays Inactive.

 

Related commands

nat dns-map

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

display nat eim [ slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ local-vpn local-vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entries on all cards.

protocol: Specifies a protocol by its type.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip local-ip: Displays EIM entry information for a private IP address. The local-ip argument specifies a private IP address.

local-ip b4 ipv6-address: Displays EIM entry information for a B4 device IP address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-port local-port: Displays EIM entry information for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Displays EIM entry information for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Displays EIM entry information for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

local-vpn local-vpn-instance-name: Displays information about EIM entries that contain the specified MPLS L3VPN instance to which the private users belong. The local-vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must be the one carried in the packets sent from the private users to the public network, which corresponds to the Local VPN used for address translation.

Usage guidelines

EIM entries are created when PAT operates in EIM mode. An EIM entry is a three-tuple (source IP address, source port number, and protocol type) entry, and it records the mapping between a private address/port and a public address/port.

The EIM entry provides the following functions:

·     The same EIM entry applies to subsequent connections initiated from the same source IP and port.

·     The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.

If you do not specify the local-ip, local-port, global-ip, global-port, or local-vpn keyword, this command displays information about all EIM entries for the ICMP, TCP, and UDP protocols.
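As an added example that is not part of this reference, the following Python model contrasts the two PAT mapping behaviors this reference names: an endpoint-independent mode that keeps EIM entries keyed on the three-tuple shown by display nat eim, beside a connection-dependent mode that keeps only 5-tuple session entries. The translator, the packets and the external host 203.0.113.9 are constructed (the private, public and destination addresses follow the display nat eim example); it shows why an EIM entry admits inbound connections from hosts the client never contacted, which is the exposure to weigh when choosing nat mapping-behavior.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "TCP", "UDP" or "ICMP"


class PatTranslator:
    """Toy PAT engine with the two mapping behaviors named in this reference.

    mode="eim": the first outbound connection from a private IP/port creates an
    EIM entry keyed on (local IP, local port, protocol). Later connections from
    the same source reuse the public IP/port, and any external host may reach
    the private endpoint through it (reverse translation).
    mode="connection-dependent": only 5-tuple session entries exist, so an
    inbound packet translates only if an earlier outbound packet created that
    session.
    """

    def __init__(self, mode, public_ip, first_port=2048):
        assert mode in ("eim", "connection-dependent")
        self.mode = mode
        self.public_ip = public_ip
        self.next_port = first_port
        self.eim = {}       # (local_ip, local_port, proto) -> (public_ip, public_port)
        self.sessions = {}  # (public_ip, public_port, peer_ip, peer_port, proto) -> (local_ip, local_port)

    def outbound(self, pkt):
        """Translate a private-to-public packet; return the public (ip, port) used."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if self.mode == "eim" and key in self.eim:
            public = self.eim[key]          # same EIM entry reused for a new destination
        else:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            if self.mode == "eim":
                self.eim[key] = public
        self.sessions[(public[0], public[1], pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
            pkt.src_ip, pkt.src_port)
        return public

    def inbound(self, pkt):
        """Return the private (ip, port) an inbound packet maps to, or None if dropped."""
        # A matching 5-tuple session (reply traffic) translates in both modes.
        session = self.sessions.get(
            (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if session is not None:
            return session
        if self.mode == "eim":
            # No session: fall back to the EIM entry, which does not look at the sender.
            for (local_ip, local_port, proto), public in self.eim.items():
                if public == (pkt.dst_ip, pkt.dst_port) and proto == pkt.proto:
                    return (local_ip, local_port)
        return None


def demo(mode):
    """Exercise one mode with the addresses from the display nat eim example."""
    nat = PatTranslator(mode, "200.100.1.100")
    client = ("192.168.100.100", 1024)
    first = nat.outbound(Packet(*client, "202.38.1.1", 21, "TCP"))
    second = nat.outbound(Packet(*client, "202.38.1.2", 21, "TCP"))
    # Reply from the peer the client actually contacted.
    reply = nat.inbound(Packet("202.38.1.1", 21, *first, "TCP"))
    # Constructed external host the client never contacted.
    unsolicited = nat.inbound(Packet("203.0.113.9", 40000, *first, "TCP"))
    return {"same_mapping": first == second, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for mode in ("eim", "connection-dependent"):
        print(mode, demo(mode))
```

In EIM mode the unsolicited packet is translated to the private host; in connection-dependent mode it is dropped, while reply traffic translates in both.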

Examples

# Display information about all NAT EIM entries on the specified slot.

<Sysname> display nat eim slot 0

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Protocol: UDP(17)

Failover group name: -

 

Total entries found: 2

# Display information about NAT EIM entries for TCP on the specified slot.

<Sysname> display nat eim slot 1 protocol tcp

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Total entries found: 1

# Display information about NAT EIM entries for private users that belong to VPN instance vpn1.

<Sysname> display nat eim local-vpn vpn1

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Total entries found: 1

Table 5 Command output

Field

Description

Local  IP/port

Private IP address and port number.

Global IP/port

Public IP address and port number after address translation of the private IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

This field is not supported in the current software version.

DS-Lite tunnel B4 address. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Protocol

Protocol name and number.

Failover group name

This field is not supported in the current software version.

Failover group name. If no failover group is specified, this field displays a hyphen (-).

Total entries found

Total number of EIM entries.

 

Related commands

nat mapping-behavior

nat outbound

display nat eim statistics

Use display nat eim statistics to display NAT EIM entry statistics.

Syntax

display nat eim statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry statistics on all cards.

Usage guidelines

The NAT EIM entry statistics include the following information:

·     The number of EIM entries.

·     The creation rate of EIM entries for TCP.

·     The creation rate of EIM entries for UDP.

Examples

# Display EIM entry statistics for the specified slot.

<Sysname> display nat eim statistics slot 0

EIM: Total EIM entries.

TCP: Total EIM entries for TCP.

UDP: Total EIM entries for UDP.

Rate: Creating rate of EIM entries.

TCP rate: Creating rate of EIM entries for TCP.

UDP rate: Creating rate of EIM entries for UDP.

Slot EIM       TCP       UDP       Rate          TCP rate      UDP rate

                                  (entries/s)   (entries/s)   (entries/s)

0    0         0         0         0             0             0

 

Table 6 Command output

Field

Description

Total EIM entries

Total number of EIM entries.

Total EIM entries for TCP

Total number of EIM entries for TCP.

Total EIM entries for UDP

Total number of EIM entries for UDP.

Creating rate of EIM entries

Creation rate of EIM entries.

Creating rate of EIM entries for TCP

Creation rate of EIM entries for TCP.

Creating rate of EIM entries for UDP

Creation rate of EIM entries for UDP.

 

Related commands

nat mapping-behavior

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration. (Interface-based NAT.)

<Sysname> display nat log

NAT logging:

  Log enable               : Disabled

  Log format user-mac      : Disabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Address-group-usage      : Enabled(Threshold: 90%)

Table 7 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Whether NAT logging is enabled.

·     Enabled—NAT logging is enabled. If an ACL is specified for NAT logging, this field also displays the ACL number or name.

·     Disabled—NAT logging is disabled.

Log format user-mac

Whether NAT logs carry the MAC addresses of online users in a NAT+BRAS scenario.

Flow-begin

Whether logging is enabled for NAT session establishment events.

Flow-end

Whether logging is enabled for NAT session removal events.

Flow-active

Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated.

Address-group-usage

Whether logging is enabled for resource usage in address groups. If logging for resource usage in address groups is enabled, this field also displays the usage threshold in percentage.

 

Related commands

nat log enable

nat log flow-active

nat log flow-begin

display nat no-pat

Use display nat no-pat to display information about NAT NO-PAT entries.

Syntax

display nat no-pat [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entries on all cards.

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

The NO-PAT entry provides the following functions:

·     The same entry applies to subsequent connections initiated from the same source IP address.

·     The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Inbound and outbound NO-PAT address translations create separate NO-PAT entries, and the two types of entries are displayed separately.

Examples

# Display information about NO-PAT entries for the specified slot.

<Sysname> display nat no-pat slot 0

Slot 0:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

Table 8 Command output

Field

Description

Global  IP

Public IP address.

Local   IP

Private IP address.

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

Type

Type of the NO-PAT entry:

·     Inbound—A NO-PAT entry created during inbound dynamic NAT.

·     Outbound—A NO-PAT entry created during outbound dynamic NAT.

Total entries found

Total number of NO-PAT entries.

 

Related commands

nat outbound

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Ten-GigabitEthernet3/0/1

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/2

    ACL: 2037         Address group: 2      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/1

    NO-PAT: N         Reversible: N

    Config status: Active

Table 9 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT.

Totally n NAT outbound rules

Total number of outbound dynamic NAT rules.

Interface

Interface where the outbound dynamic NAT rule is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).

Address group

Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---).

Port-preserved

Whether PAT tries to preserve the original port numbers during translation.

NO-PAT

Whether NO-PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Config status

Status of the outbound dynamic NAT configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive.

The following are possible reasons that the system might display:

·     The following items don't exist or aren't effective: global VPN, interface IP address, address group, and ACL.

·     NAT address conflicts.

 

Related commands

nat outbound

display nat server

Use display nat server to display NAT server mappings.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT server mappings.

<Sysname> display nat server

NAT internal server information:

  Totally 4 internal servers.

  Interface: Ten-GigabitEthernet3/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn10

    Config status : Active

Table 10 Command output

Field

Description

NAT internal server information

Information about NAT server mappings.

Totally n internal servers

Total number of NAT server mappings.

Interface

Interface where the NAT server mapping is configured.

Protocol

Protocol number and name of the internal server.

Global IP/port

Public IP address and port number of the internal server.

·     Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---).

·     port—A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---).

Local IP/port

For common NAT server mappings, this field displays the private IP address and port number of the server.

·     Local IP—A single IP address or an IP address range.

·     port—A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---).

For load sharing NAT server mappings, this field displays the internal server group ID, IP address, port number, and number of connections of each member.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Config status

Status of the NAT server mapping configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the NAT server mapping does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display:

·     The following items don't exist or aren't effective: local VPN, global VPN, interface IP address, server group, and ACL—The MPLS L3VPN instance to which the private IP addresses belong, MPLS L3VPN instance to which the public IP addresses belong, interface IP addresses, server group, or ACL does not exist or is not effective.

·     Server configuration conflicts—A NAT server configuration conflict has occurred.

·     NAT address conflicts—A NAT address conflict has occurred.

 

Related commands

nat server

display nat session

Use display nat session to display sessions that have been NATed.

Syntax

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ slot slot-number ] [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN instance must be the one that the packet belongs to. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Displays IPv4 unicast session entries for the specified protocol. If you do not specify a protocol, the command displays NAT session entries for all supported protocols. Supported IPv4 transport layer protocols include DCCP, ICMP, RawIP, SCTP, TCP, UDP, and UDP-Lite.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions on all cards.

brief: Displays brief information about NAT sessions.

verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all NAT sessions.

Examples

# Display detailed information about NAT sessions for the specified slot.

<Sysname> display nat session slot 0 verbose

Slot 0:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/0/1

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/0/2

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36

Role: Standby

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# Display brief information about NAT sessions for the specified slot.

<Sysname> display nat session slot 0 brief

Slot 0:

Protocol   Source IP/port      Destination IP/port    Global IP/port

TCP        10.2.1.58/2477      20.1.1.2/1025          30.2.4.9/226

Total sessions found: 1

Table 11 Command output

Field

Description

CPU

Number of the CPU.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

This field is not supported in the current software version.

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/VLL ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     VLL ID—INLINE to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or VLL ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

State

NAT session status.

Application

Application layer protocol type, such as FTP and DNS.

This field displays OTHER for the protocol types identified by non-well-known ports.

Start time

Time when the session starts.

TTL

Remaining NAT session lifetime in seconds.

Initiator->Responder

Number of packets and packet bytes from the initiator to the responder.

Responder->Initiator

Number of packets and packet bytes from the responder to the initiator.

Total sessions found

Total number of sessions.

Source IP/port

Source IP address and port number of the initiator.

Destination IP/port

Destination IP address and port number of the initiator.

Global IP/port

Public IP address and port number.

 

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn4

    Global VPN   : vpn3

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Ten-GigabitEthernet3/0/2

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/0/3

    Config status: Active

Table 12 Command output

Field

Description

Static NAT mappings

Information about static NAT mappings.

Totally n inbound static NAT mappings

Total number of inbound static NAT mappings.

Totally n outbound static NAT mappings

Total number of outbound static NAT mappings.

Net-to-net

Net-to-net static NAT mapping.

IP-to-IP

One-to-one static NAT mapping.

Local IP

Private IP address or address range.

Global IP

Public IP address or address range.

Netmask

Network mask.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Reversible

Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed.

Interfaces enabled with static NAT

Interfaces that are enabled with static NAT.

Totally n interfaces enabled with static NAT

Total number of interfaces enabled with static NAT.

Interface

Interface enabled with static NAT.

Packet type ignore

Whether the NAT device checks the protocol packet type when TCP, ICMP, or SCTP packet exchanges trigger the creation of session entries.

·     If this field displays Y, the NAT device does not check the protocol packet type.

·     If this field is not displayed, the NAT device checks the protocol packet type.

Config status

Status of the static NAT mapping configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display:

·     The following items don't exist or aren't effective: local VPN, global VPN, and ACL—The MPLS L3VPN instance to which the private IP addresses belong, MPLS L3VPN instance to which the public IP addresses belong, or ACL does not exist or is not effective.

·     NAT address conflicts—A NAT address conflict occurred.

 

Related commands

nat static

nat static net-to-net

nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

display nat statistics [ summary ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics on all cards.

Examples

# Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 0:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total PAT entries: 0

Table 13 Command output

Field

Description

Total session entries

Number of NAT session entries.

Total EIM entries

Number of EIM entries.

Total inbound NO-PAT entries

Number of inbound NO-PAT entries.

Total outbound NO-PAT entries

Number of outbound NO-PAT entries.

Total PAT entries

Number of PAT entries.

 

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id [ vpn-instance vpn-instance-name ]

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create an address group for the public network, do not specify this option.

Usage guidelines

Application scenarios

A NAT address group can contain multiple address ranges. Dynamic NAT translates the source IP address of a packet to an IP address in the address group.

For interface-based NAT, you can only use the address command to add address ranges to an address group.

Recommended configuration

In scenarios where public address resources are limited and users in different VPNs must be assigned with the same public addresses, you can bind different address groups that contain overlapping address ranges to different VPN instances.

Route advertisement

After you specify an address group for address translation, NAT advertises host routes for all addresses in the address group to the public network or VPN instance.

·     If the address group is not bound to a VPN instance, the advertised host routes belong to the public network.

·     If the address group is bound to a VPN instance, the advertised host routes belong to the VPN instance.

Restrictions and guidelines

You can configure multiple address groups for the public network or a VPN instance. However, you must make sure they do not contain overlapping address ranges.

When you delete or edit a NAT address group, follow these restrictions and guidelines:

·     You cannot use the undo nat address-group command to delete a NAT address group in use.

·     You cannot repeat the nat address-group command to change the VPN instance bound to a NAT address group. To change the VPN instance, first execute the undo nat address-group command to delete the NAT address group. Then, execute the nat address-group command to re-create the NAT address group and bind it to a new VPN instance.

·     You can bind a NAT address group to a VPN instance when you perform either of the following tasks, but not both:

¡     Execute the nat address-group command to create the address group.

¡     Execute the nat inbound or nat outbound command to specify the address group for inbound or outbound dynamic NAT, respectively.

If the NAT address group was bound to a VPN instance in one of these tasks, you cannot specify a VPN instance for it in the other.

Examples

# Create a NAT address group numbered 1.

<Sysname> system-view

[Sysname] nat address-group 1

Related commands

address

display nat address-group

display nat all

nat outbound

nat address-group-usage enable

Use nat address-group-usage enable to enable logging for resource usage in NAT address groups.

Use undo nat address-group-usage enable to disable logging for resource usage in NAT address groups.

Syntax

nat address-group-usage enable

undo nat address-group-usage enable

Default

Logging for resource usage in NAT address groups is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, logging for resource usage in NAT address groups is enabled. A log is generated when the resource usage in a NAT address group reaches or exceeds 90%. Disable this feature when the device outputs too many log messages or such logs are not of interest.

Examples

# Disable logging for resource usage in NAT address groups.

<Sysname> system-view

[Sysname] undo nat address-group-usage enable

Related commands

display nat all

display nat log

nat address-group-usage threshold

nat address-group-usage threshold

Use nat address-group-usage threshold to set the threshold for resource usage in NAT address groups.

Use undo nat address-group-usage threshold to restore the default.

Syntax

nat address-group-usage threshold threshold-value

undo nat address-group-usage threshold

Default

The threshold for resource usage in NAT address groups is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies a threshold in percentage. The value range is 40 to 100.

Usage guidelines

Operating mechanism

The device generates a log in the following scenarios:

·     The device reports a threshold violation event when the resource usage in a NAT address group reaches or exceeds the threshold.

·     The device reports a resource usage recovery event when the resource usage in a NAT address group drops below 87.5% of the threshold.
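As an added illustration (not H3C code), the following Python models the violation and recovery hysteresis just described: the alarm fires when usage reaches or exceeds the threshold and clears only once usage falls below 87.5% of it, and nothing is logged unless both nat log enable and nat address-group-usage enable are on. The usage samples and the group ID are constructed.

```python
# Added example (not H3C code): models the threshold-violation / recovery
# hysteresis of nat address-group-usage threshold. Usage samples are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

RECOVERY_FACTOR = 0.875  # recovery is reported below 87.5% of the threshold


@dataclass
class UsageMonitor:
    threshold: int                   # threshold-value, 40 to 100 (percent)
    log_enabled: bool = True         # nat log enable
    usage_log_enabled: bool = True   # nat address-group-usage enable
    in_violation: bool = False       # current alarm state of the address group
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 40 <= self.threshold <= 100:
            raise ValueError("threshold-value must be in the range 40 to 100")

    @property
    def recovery_level(self) -> float:
        return self.threshold * RECOVERY_FACTOR

    def observe(self, group_id: int, usage_pct: float) -> Optional[str]:
        """Feed one resource-usage sample (percent) for an address group.
        Returns the log message produced by this sample, or None."""
        # The threshold command only takes effect when both logging features are on.
        if not (self.log_enabled and self.usage_log_enabled):
            return None
        event = None
        if not self.in_violation and usage_pct >= self.threshold:
            self.in_violation = True
            event = (f"address-group {group_id}: usage {usage_pct:.1f}% reached "
                     f"threshold {self.threshold}% (threshold violation)")
        elif self.in_violation and usage_pct < self.recovery_level:
            self.in_violation = False
            event = (f"address-group {group_id}: usage {usage_pct:.1f}% dropped below "
                     f"{self.recovery_level:.1f}% (resource usage recovered)")
        if event is not None:
            self.events.append(event)
        return event


def run_samples(threshold: int, samples: List[float], logging_on: bool = True) -> List[bool]:
    """Return, per sample, whether that sample produced a log message."""
    monitor = UsageMonitor(threshold, log_enabled=logging_on)
    return [monitor.observe(1, pct) is not None for pct in samples]


if __name__ == "__main__":
    # With threshold 80 the recovery level is 70: samples at 75 and 72 are below the
    # threshold but not yet below 70, so no recovery is logged until usage hits 69.
    m = UsageMonitor(80)
    for pct in (50, 80, 75, 72, 69, 85):
        msg = m.observe(1, pct)
        print(f"{pct:>3}% -> {msg or 'no log'}")
```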

Restrictions and guidelines

This command takes effect only after you enable both NAT logging and logging for resource usage in NAT address groups.

Examples

# Set the threshold for resource usage in NAT address groups to 80%.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat address-group-usage enable

[Sysname] nat address-group-usage threshold 80

Related commands

nat log enable

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

NAT ALG is disabled for all supported protocols except for FTP, ICMP error packets, and RTSP.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

h323: Enables NAT ALG for H.323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

Operating mechanism

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.

Restrictions and guidelines

After you execute the nat alg h323 command, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view. After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view, you cannot execute the nat alg h323 command.

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat mapping-behavior endpoint-independent { tcp | udp } *

nat dns-map

Use nat dns-map to configure a NAT DNS mapping.

Use undo nat dns-map to remove a NAT DNS mapping.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No NAT DNS mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, example.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

Application scenarios

NAT DNS mapping must cooperate with the NAT Server feature.

Operating mechanism

NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.

You can configure multiple NAT DNS mappings.
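The lookup problem described above, as an added Python example that is not part of the H3C documentation: two constructed nat server mappings share the public address 202.112.0.1, so rewriting a DNS reply using the public IP alone is ambiguous, while nat dns-map entries let DNS ALG select the server by protocol, public IP and public port. Falling back to the IP-only lookup when no mapping matches the domain is an assumption of this model, not documented device behaviour.

```python
# Added example (not H3C code): why DNS ALG needs nat dns-map when several NAT
# server mappings share one public IP. Addresses, ports and names are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatServer:
    """One nat server mapping: public (global) IP/port -> private (local) IP/port."""
    protocol: str       # "tcp" or "udp"
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class DnsMap:
    """One nat dns-map entry: domain -> protocol, public IP and public port."""
    domain: str
    protocol: str
    global_ip: str
    global_port: int


# Constructed configuration: two internal servers published on the same public IP.
SERVERS = [
    NatServer("tcp", "202.112.0.1", 80,    "192.168.10.80", 80),
    NatServer("tcp", "202.112.0.1", 12345, "192.168.10.15", 22),
]
DNS_MAPS = [
    DnsMap("www.example.com", "tcp", "202.112.0.1", 80),
    DnsMap("ssh.example.com", "tcp", "202.112.0.1", 12345),
]


def local_ip_by_global_ip(public_ip: str, servers: List[NatServer]) -> Optional[str]:
    """What DNS ALG can do with the reply payload alone (domain + public IP):
    pick the server by public IP. Ambiguous (None) when several servers share it."""
    candidates = {s.local_ip for s in servers if s.global_ip == public_ip}
    return candidates.pop() if len(candidates) == 1 else None


def local_ip_by_dns_map(domain: str, public_ip: str, servers: List[NatServer],
                        dns_maps: List[DnsMap]) -> Optional[str]:
    """With a DNS mapping, the domain yields protocol + public IP + public port,
    which identifies exactly one nat server mapping. Domain match is case-insensitive."""
    mapping = next((m for m in dns_maps
                    if m.domain.lower() == domain.lower() and m.global_ip == public_ip), None)
    if mapping is None:
        # Assumption of this model: without a mapping, fall back to the IP-only lookup.
        return local_ip_by_global_ip(public_ip, servers)
    for s in servers:
        if (s.protocol, s.global_ip, s.global_port) == \
                (mapping.protocol, mapping.global_ip, mapping.global_port):
            return s.local_ip
    return None


def rewrite_dns_answer(domain: str, answer_ip: str, use_dns_map: bool) -> Optional[str]:
    """Address the internal host should receive in the rewritten DNS reply."""
    if use_dns_map:
        return local_ip_by_dns_map(domain, answer_ip, SERVERS, DNS_MAPS)
    return local_ip_by_global_ip(answer_ip, SERVERS)


if __name__ == "__main__":
    for dom in ("www.example.com", "SSH.example.com"):
        print(dom, "IP only ->", rewrite_dns_answer(dom, "202.112.0.1", False),
              "| with dns-map ->", rewrite_dns_answer(dom, "202.112.0.1", True))
```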

Examples

# Configure a NAT DNS mapping to map the domain name www.example.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.example.com protocol tcp ip 202.112.0.1 port 12345

Related commands

display nat all

display nat dns-map

nat server

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

Usage guidelines

You must enable NAT logging before you enable the following features: NAT session logging (logging for active NAT flows, NAT flow establishment events, and NAT flow removal events), NAT444 user logging, NAT444 alarm logging, and logging for resource usage in NAT address groups.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat address-group-usage threshold

nat log flow-active

nat log flow-begin

nat log flow-end

nat log format user-mac

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

Application scenarios

Active NAT flows are long-lived NAT sessions or EIM entries that have not been deleted. To periodically record the connection state of active NAT flows, enable this feature.

Operating mechanism

The logging feature helps track active NAT flows by periodically logging the active NAT flows.

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

If you specify an ACL when you execute the nat log enable command, only flows matching the permit rule might trigger active NAT flow logs. If you do not specify any ACL when you execute the nat log enable command, all flows processed by NAT might trigger active NAT flow logs.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT flow (NAT session or EIM entry) establishment events.

Use undo nat log flow-begin to disable logging for NAT flow establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT flow establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

If you specify an ACL when you execute the nat log enable command, only flows matching the permit rule might trigger NAT flow establishment logs. If you do not specify any ACL when you execute the nat log enable command, all flows processed by NAT might trigger NAT flow establishment logs.

Examples

# Enable logging for NAT flow establishment events.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT flow removal events.

Use undo nat log flow-end to disable logging for NAT flow removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT flow removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

If you specify an ACL when you execute the nat log enable command, only flows matching the permit rule might trigger NAT flow removal logs. If you do not specify any ACL when you execute the nat log enable command, all flows processed by NAT might trigger NAT flow removal logs.

Examples

# Enable logging for NAT flow removal events.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat log format user-mac

Use nat log format user-mac to configure the system logs to carry the MAC addresses of online users in a NAT+BRAS scenario.

Use undo nat log format user-mac to restore the default.

Syntax

nat log format user-mac

undo nat log format user-mac

Default

The system logs do not carry the MAC addresses of online users in a NAT+BRAS scenario.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you configure this command, the system logs controlled by the following commands will carry the MAC addresses of online users in a NAT+BRAS scenario:

·     nat log port-block port-usage threshold

·     nat log port-alloc-fail

Examples

# Configure the system logs to carry the MAC addresses of online users in a NAT+BRAS scenario.

<Sysname> system-view

[Sysname] nat log format user-mac

Related commands

display nat log

nat log enable

nat log port-block port-usage threshold

nat log port-alloc-fail

nat mapping-behavior endpoint-independent { tcp | udp } *

Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping mode for PAT.

Use undo nat mapping-behavior endpoint-independent to restore the default.

Syntax

nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *

undo nat mapping-behavior endpoint-independent

Default

Connection-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

tcp: Creates EIM entries for TCP connections.

udp: Creates EIM entries for UDP connections.

tcp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for TCP connections. If you do not specify this keyword, only EIM entries are created.

udp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for UDP connections. If you do not specify this keyword, only EIM entries are created.

Usage guidelines

PAT supports the following types of NAT mappings:

·     Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·     Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.
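To make the two mapping modes concrete, here is an added Python model (not H3C code) of a PAT table in EIM and Connection-Dependent modes; it shows that only EIM reuses one global endpoint for every destination and accepts inbound packets from hosts the internal endpoint never contacted. The public address 30.2.4.9, the sequential port allocation and the hosts are constructed, and real device allocation differs.

```python
# Added example (not H3C code): a toy PAT table contrasting Endpoint-Independent
# Mapping (EIM entries) with Connection-Dependent Mapping. The public address,
# port allocation and hosts are constructed; real device allocation differs.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)
PUBLIC_IP = "30.2.4.9"      # constructed NAT address


class PatTable:
    def __init__(self, mode: str) -> None:
        if mode not in ("eim", "cdm"):
            raise ValueError("mode must be 'eim' or 'cdm'")
        self.mode = mode
        self.next_port = 1024
        # EIM entry: (protocol, internal src) -> global endpoint, reused for any destination
        self.eim: Dict[Tuple[str, Endpoint], Endpoint] = {}
        # Session entry: (protocol, internal src, external dst) -> global endpoint
        self.sessions: Dict[Tuple[str, Endpoint, Endpoint], Endpoint] = {}

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal host src sends to external dst; return the translated endpoint."""
        key = (proto, src, dst)
        if key in self.sessions:
            return self.sessions[key]
        if self.mode == "eim" and (proto, src) in self.eim:
            glob = self.eim[(proto, src)]       # same mapping regardless of destination
        else:
            glob = (PUBLIC_IP, self.next_port)  # CDM: a fresh mapping per connection
            self.next_port += 1
            if self.mode == "eim":
                self.eim[(proto, src)] = glob
        self.sessions[key] = glob
        return glob

    def inbound(self, proto: str, ext_src: Endpoint, glob_dst: Endpoint) -> Optional[Endpoint]:
        """External host ext_src sends to a global endpoint; return the internal
        endpoint it is forwarded to, or None when the NAT has no mapping for it."""
        # An existing session (internal host already talked to ext_src) always matches.
        for (p, src, dst), glob in self.sessions.items():
            if p == proto and dst == ext_src and glob == glob_dst:
                return src
        # EIM only: any external endpoint may reach the internal host through the entry.
        if self.mode == "eim":
            for (p, src), glob in self.eim.items():
                if p == proto and glob == glob_dst:
                    return src
        return None


def demo(mode: str) -> Tuple[bool, Optional[Endpoint], Optional[Endpoint]]:
    """Returns (same mapping for two destinations?, reply from a contacted host,
    unsolicited packet from a never-contacted host)."""
    table = PatTable(mode)
    inside = ("10.2.1.58", 2477)
    g1 = table.outbound("udp", inside, ("20.1.1.2", 1025))
    g2 = table.outbound("udp", inside, ("20.1.1.3", 53))
    known = table.inbound("udp", ("20.1.1.2", 1025), g1)
    unsolicited = table.inbound("udp", ("198.51.100.7", 5000), g1)
    return g1 == g2, known, unsolicited


if __name__ == "__main__":
    for mode in ("eim", "cdm"):
        print(mode, demo(mode))
```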

When you specify the EIM mode for PAT, follow these restrictions and guidelines:

·     For interface-based NAT, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view if any one of the following commands has been executed on the device:

¡     nat static outbound.

¡     nat static outbound net-to-net.

¡     nat alg h323.

·     For interface-based NAT, you cannot execute the nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } * command in system view if load sharing NAT server mappings have been configured on the device.

After you execute the nat mapping-behavior endpoint-independent command, EIM entries and five-tuple session entries are always created for ICMP connections.

The existing and newly configured dynamic NO-PAT rules do not take effect if you specify the Endpoint-Independent Mapping mode for outbound dynamic PAT rules.
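The security difference between the two mapping modes is easiest to see in a small model. The following Python is an added illustration, not H3C code: it simulates one PAT gateway with a single public address and sequential port allocation (both simplifications assumed here), keeps EIM entries alongside five-tuple session entries as the tcp-5-tuple and udp-5-tuple keywords would, and shows that under EIM an unsolicited packet from a third host to the translated address and port is delivered to the inside, while under Connection-Dependent Mapping only reply traffic of a connection the inside opened gets through.

```python
"""EIM versus Connection-Dependent Mapping for PAT (added illustration, not H3C code).

Simplifications assumed: one public address, ports handed out sequentially,
no timeouts, and (as with tcp-5-tuple / udp-5-tuple) both EIM entries and
five-tuple session entries are kept when EIM is enabled.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatGateway:
    public_ip: str
    eim: bool                      # True: Endpoint-Independent, False: Connection-Dependent
    ports: Iterator[int] = field(default_factory=lambda: count(1024))
    # EIM entry: (proto, private ip, private port) -> public port, independent of destination
    eim_table: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # Five-tuple session entry: outbound Flow -> public port
    sessions: Dict[Flow, int] = field(default_factory=dict)

    def outbound(self, f: Flow) -> Tuple[str, int]:
        """Translate an outgoing packet and return the public (ip, port) it leaves with."""
        if f in self.sessions:
            return self.public_ip, self.sessions[f]
        key = (f.proto, f.src_ip, f.src_port)
        if self.eim and key in self.eim_table:
            port = self.eim_table[key]       # same mapping for every destination
        else:
            port = next(self.ports)          # fresh mapping for this connection
            if self.eim:
                self.eim_table[key] = port
        self.sessions[f] = port
        return self.public_ip, port

    def inbound(self, proto: str, ext_ip: str, ext_port: int, pub_port: int) -> Optional[Tuple[str, int]]:
        """Packet from ext_ip:ext_port to public_ip:pub_port; return private (ip, port) or None if dropped."""
        # Reply traffic of a connection the inside opened always matches a session entry.
        for f, p in self.sessions.items():
            if p == pub_port and f.proto == proto and f.dst_ip == ext_ip and f.dst_port == ext_port:
                return f.src_ip, f.src_port
        if not self.eim:
            return None                      # Connection-Dependent: unsolicited packet dropped
        # EIM: any external endpoint may use the mapping once it exists.
        for (pr, ip, port), p in self.eim_table.items():
            if pr == proto and p == pub_port:
                return ip, port
        return None


def demo(eim: bool) -> Dict[str, bool]:
    """One inside host talks to two outside hosts from the same source port, then a third host probes."""
    gw = PatGateway("202.110.10.10", eim=eim)
    to_a = Flow("udp", "10.110.10.5", 5000, "198.51.100.1", 53)   # constructed sample flows
    to_b = Flow("udp", "10.110.10.5", 5000, "198.51.100.2", 53)
    port_a = gw.outbound(to_a)[1]
    port_b = gw.outbound(to_b)[1]
    return {
        "same_public_port": port_a == port_b,
        "reply_accepted": gw.inbound("udp", "198.51.100.1", 53, port_a) == ("10.110.10.5", 5000),
        "unsolicited_accepted": gw.inbound("udp", "203.0.113.9", 9999, port_a) is not None,
    }


if __name__ == "__main__":
    print("EIM:", demo(True))
    print("Connection-Dependent:", demo(False))
```

The unsolicited_accepted result is the point to weigh before enabling EIM on an Internet-facing interface: it is what makes peer-to-peer traversal work, and it is also what lets any outside host reach an inside host through a mapping it did not create, for as long as that mapping exists.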

Examples

# Apply the Endpoint-Independent Mapping mode and create EIM entries for TCP packet address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent tcp

Related commands

display nat eim

display nat eim statistics

nat outbound

nat server (interface-based NAT)

nat static outbound

nat static outbound net-to-net

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

address-group group-id: Specifies an address group for NAT. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address (Easy IP).

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

port-preserved: Tries to preserve port number for PAT.

Usage guidelines

Application scenarios

For outbound dynamic NAT, address mappings between the private and public networks are dynamically generated during connection establishment. Use outbound dynamic NAT in scenarios where a large number of internal users need to access the external network.

Operating mechanism

Outbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·     NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Restrictions and guidelines

When you specify a NAT address group, follow these restrictions and guidelines:

·     An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

·     You can bind a NAT address group to a VPN instance when you execute the nat address-group or nat outbound command, but not both. If you have bound a NAT address group to a VPN instance by using one command, you cannot bind it to a VPN instance when you execute the other command.

If you specify the EIM mode for PAT by executing the nat mapping-behavior endpoint-independent command in system view, NO-PAT configurations do not take effect.

When you specify an ACL, follow these restrictions and guidelines:

·     An ACL can be used by only one outbound dynamic NAT rule on an interface or in a NAT instance.

·     If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.

·     If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·     Outbound dynamic NAT rules with ACLs configured on an interface or in a NAT instance take precedence over those without ACLs. The device matches packets against ACLs based on either the ACL names or ACL numbers. ACL names take precedence over ACL numbers.

¡     ACL names—The device matches packets based on the alphabetical order of the ACL names.

¡     ACL numbers—A higher ACL number indicates higher priority.

·     After you enable hardware NAT, an ACL rule can only match packets based on the IP address, port, protocol, and VPN instance.
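The precedence rules above decide which outbound rule a packet hits when several are configured on one interface, and getting the order wrong is how a packet meant for a restricted address group ends up translated by the catch-all rule. The following Python is an added example, not H3C code; it encodes only the ordering stated in this reference, and assumes (for the model) that a packet not permitted by a rule's ACL falls through to the next rule, that ACLs are basic ACLs matching on source prefix only, that the first matching ACL rule wins, and that an ACL ends with an implicit deny.

```python
"""Outbound dynamic NAT rule selection on one interface (added example, not H3C code).

Encodes only the precedence the reference states: rules with an ACL before the
rule without one, named ACLs before numbered ACLs, named ACLs in alphabetical
order, numbered ACLs with the higher number first. Assumed for the model: a
packet not permitted by a rule's ACL falls through to the next rule, ACLs are
basic (source prefix only), first matching ACL rule wins, implicit deny at the end.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

AclRef = Union[int, str, None]           # ACL number, ACL name, or no ACL
AclRule = Tuple[str, Optional[str]]       # ("permit" | "deny", source prefix or None for any)


def acl_sort_key(acl: AclRef) -> Tuple[int, int, str]:
    """Lower key = matched earlier. Names (alphabetical) < numbers (higher first) < no ACL."""
    if acl is None:
        return (2, 0, "")
    if isinstance(acl, str):
        return (0, 0, acl.lower())        # ACL names are case-insensitive on the device
    return (1, -acl, "")


def order_rules(rules: List[dict]) -> List[dict]:
    return sorted(rules, key=lambda r: acl_sort_key(r["acl"]))


def acl_permits(rules: List[AclRule], src_ip: str) -> bool:
    addr = ip_address(src_ip)
    for action, prefix in rules:
        if prefix is None or addr in ip_network(prefix):
            return action == "permit"
    return False                          # implicit deny


def select_rule(nat_rules: List[dict], acls: Dict[AclRef, List[AclRule]], src_ip: str) -> Optional[dict]:
    """Return the first outbound rule, in precedence order, that applies to a packet from src_ip."""
    for r in order_rules(nat_rules):
        if r["acl"] is None or acl_permits(acls[r["acl"]], src_ip):
            return r
    return None


# Constructed sample configuration, patterned on the examples in this reference.
ACLS: Dict[AclRef, List[AclRule]] = {
    2001: [("permit", "10.110.10.0/24"), ("deny", None)],
    3001: [("permit", "10.110.0.0/16")],
    "branch": [("permit", "10.110.10.0/24")],
}
RULES = [
    {"acl": None, "address_group": None},   # nat outbound                     (Easy IP, no ACL)
    {"acl": 2001, "address_group": 1},      # nat outbound 2001 address-group 1
    {"acl": 3001, "address_group": 2},      # nat outbound 3001 address-group 2
    {"acl": "branch", "address_group": 3},  # nat outbound name branch address-group 3
]

if __name__ == "__main__":
    for ip in ("10.110.10.7", "10.110.20.7", "192.168.1.1"):
        print(ip, "->", select_rule(RULES, ACLS, ip))
```

Note that a source outside every ACL still gets translated by the rule without an ACL, which is why that rule should only be present when translating all remaining traffic is the intent.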

When you add outbound dynamic NAT rules, follow these restrictions and guidelines:

·     An ACL uniquely identifies an outbound dynamic NAT rule. If an outbound dynamic NAT rule does not reference an ACL, it permits all packets to pass. You cannot edit an outbound dynamic NAT rule by repeating this command. For example, you cannot repeat this command to change the PAT mode to NO-PAT mode. To edit a rule, use the undo nat outbound command to delete the rule first, and then execute the nat outbound command.

·     You can repeat this command to configure multiple outbound dynamic NAT rules with different ACLs specified on an interface or in a NAT instance.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1

[Sysname-Ten-GigabitEthernet3/0/1] quit

Or

# Configure an outbound NO-PAT rule on interface Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1 no-pat

[Sysname-Ten-GigabitEthernet3/0/1] quit

Or

# Enable Easy IP to use the IP address of Ten-GigabitEthernet 3/0/1 as the translated address.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001

[Sysname-Ten-GigabitEthernet3/0/1] quit

Or

# Configure an outbound NO-PAT rule on Ten-GigabitEthernet 3/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat outbound 2001 address-group 1 no-pat reversible

Related commands

address

display nat eim

display nat outbound

nat mapping-behavior

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface only after you enable static NAT on the interface.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat static enable

Related commands

display nat all

display nat static

nat static

nat static net-to-net

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ failover-group group-name ] [ packet-type-ignore ]

undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For more information about failover groups, see High Availability Configuration Guide. For the configuration to be successfully deployed, do not specify this option after you enable hardware NAT.

packet-type-ignore: Ignores the protocol packet type when the device creates session entries for TCP, ICMP, or SCTP. If you do not specify this keyword, the NAT device checks the protocol packet type and creates session entries for only protocol packets that pass the check. For example, the NAT device creates session entries for TCP packets only when the packet type is SYN or ACK.

Usage guidelines

Operating mechanism

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

Recommended configuration

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

In an asymmetric routing scenario, if a session contains different types of protocol packets that are forwarded by different NAT devices, protocol packets of some types might be discarded. As a result, session status cannot be updated through protocol packet exchanges, causing abnormal service traffic forwarding. To avoid such an issue, specify the packet-type-ignore keyword when you use this command.

Restrictions and guidelines

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

After you execute the nat static outbound command, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view. After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view, you cannot execute the nat static outbound command.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001

Related commands

display nat all

display nat static

nat mapping-behavior endpoint-independent { tcp | udp } *

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ failover-group group-name ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range which can contain a maximum of 256 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses. For the configuration to take effect, specify a CGN-type failover group. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For the configuration to take effect, specify a failover group of the default type. To deploy configuration successfully, do not specify this option after you enable hardware NAT. For more information about failover groups, see High Availability Configuration Guide.

Usage guidelines

Operating mechanism

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

Recommended configuration

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Restrictions and guidelines

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
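The restriction above follows from how a net-to-net mapping pairs addresses. The following Python is an added example, not H3C code. It assumes that a private address maps to the public address carrying the same host bits under the public mask (which is what the end-address restriction implies), and it implements that restriction as a check, using the 2.2.2.0/24 and 1.1.1.100 case from this reference as one of its inputs.

```python
"""Net-to-net outbound static NAT arithmetic (added example, not H3C code).

Assumption: a private address is mapped to the public address with the same host
bits under the public mask (this is what the end-address restriction in the
reference implies). The validity check is the rule quoted there: the private end
address may not exceed the last address of the subnet formed by the private start
address and the public mask.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def validate_range(local_start: str, local_end: str, global_network: str, prefix_len: int) -> Optional[str]:
    """Return None if the mapping is valid, otherwise the reason it is rejected."""
    start, end = IPv4Address(local_start), IPv4Address(local_end)
    if not 8 <= prefix_len <= 31:
        return "mask length must be 8 to 31"
    if end < start:
        return "end address is lower than start address"
    if int(end) - int(start) + 1 > 256:
        return "private range exceeds 256 addresses"
    local_subnet = IPv4Network((int(start), prefix_len), strict=False)
    if end > local_subnet.broadcast_address:
        return f"end address exceeds {local_subnet.broadcast_address}, the last address of {local_subnet}"
    return None


class NetToNetMapping:
    def __init__(self, local_start: str, local_end: str, global_network: str, prefix_len: int):
        err = validate_range(local_start, local_end, global_network, prefix_len)
        if err:
            raise ValueError(err)
        self.local_start = IPv4Address(local_start)
        self.local_end = IPv4Address(local_end)
        self.global_net = IPv4Network((global_network, prefix_len), strict=False)
        self.host_mask = int(self.global_net.hostmask)
        self.local_base = int(self.local_start) & int(self.global_net.netmask)

    def outbound(self, src_ip: str) -> Optional[str]:
        """Translate a private source address, or None if it is outside the private range."""
        a = IPv4Address(src_ip)
        if not self.local_start <= a <= self.local_end:
            return None
        return str(IPv4Address(int(self.global_net.network_address) | (int(a) & self.host_mask)))

    def inbound(self, dst_ip: str) -> Optional[str]:
        """Translate a public destination address back, or None if no private address maps to it."""
        a = IPv4Address(dst_ip)
        if a not in self.global_net:
            return None
        local = IPv4Address(self.local_base | (int(a) & self.host_mask))
        if not self.local_start <= local <= self.local_end:
            return None                      # public address with no private counterpart
        return str(local)


if __name__ == "__main__":
    m = NetToNetMapping("192.168.1.1", "192.168.1.255", "2.2.2.0", 24)   # the reference's example
    print(m.outbound("192.168.1.10"), m.inbound("2.2.2.10"), m.inbound("2.2.2.0"))
    print(validate_range("1.1.1.100", "1.1.2.5", "2.2.2.0", 24))
```

The inbound check matters operationally: a public address in the block that has no private counterpart (2.2.2.0 in the example, since the private range starts at .1) should not be translated, so traffic to it is dropped rather than delivered to an unintended host.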

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
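ACL reverse matching is described identically for the reversible keyword of nat outbound no-pat, nat static outbound and nat static outbound net-to-net, so one model serves all three. The following Python is an added example, not H3C code. It assumes advanced ACL rules with optional protocol, source/destination prefixes and port ranges, first matching rule wins with an implicit deny, and a one-to-one mapping table keyed by public address; the constructed ACL and mapping are patterned on the static-outbound examples in this reference.

```python
"""ACL reverse matching for reverse address translation (added example, not H3C code).

Models the two checks the reference describes for the reversible keyword of
nat outbound no-pat, nat static outbound and nat static outbound net-to-net:
(1) the inbound packet's source address/port is compared with the ACL rule's
destination fields, (2) the destination is translated through the mapping and
the result is compared with the rule's source fields. Assumed here: advanced
ACL rules with optional protocol, source/destination prefixes and port ranges,
first matching rule wins, implicit deny, and one-to-one address mappings keyed
by the public address.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


def _ip_ok(prefix: Optional[str], ip: str) -> bool:
    return prefix is None or ip_address(ip) in ip_network(prefix)


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def reverse_match(acl: List[dict], mappings: Dict[str, str], pkt: dict) -> Optional[str]:
    """For a packet arriving from the outside, return the private address its destination
    is translated to, or None when reverse translation is not permitted."""
    local = mappings.get(pkt["dst_ip"])           # public -> private, from the NO-PAT/static entry
    if local is None:
        return None
    for rule in acl:
        if rule.get("proto") not in (None, pkt["proto"]):
            continue
        # Step 1: packet source against the rule's destination fields.
        if not (_ip_ok(rule.get("dst"), pkt["src_ip"]) and _port_ok(rule.get("dst_port"), pkt["src_port"])):
            continue
        # Step 2: translated destination against the rule's source fields.
        if not (_ip_ok(rule.get("src"), local) and _port_ok(rule.get("src_port"), pkt["dst_port"])):
            continue
        return local if rule["action"] == "permit" else None
    return None                                   # implicit deny


# Constructed sample ACL and mapping, patterned on the examples in this reference.
ACL_3001 = [
    # rule permit tcp source 192.168.1.0 0.0.0.255 destination 3.3.3.0 0.0.0.255 destination-port eq 443
    {"action": "permit", "proto": "tcp", "src": "192.168.1.0/24", "dst": "3.3.3.0/24", "dst_port": (443, 443)},
    # rule deny ip destination 3.3.3.0 0.0.0.255
    {"action": "deny", "dst": "3.3.3.0/24"},
    # rule permit ip destination 4.4.4.0 0.0.0.255
    {"action": "permit", "dst": "4.4.4.0/24"},
]
MAPPINGS = {"2.2.2.2": "192.168.1.1"}   # nat static outbound 192.168.1.1 2.2.2.2 acl 3001 reversible


def outside_to_inside(proto: str, src_ip: str, src_port: int, dst_port: int) -> Optional[str]:
    """Inbound packet to the public address 2.2.2.2; returns the private destination or None."""
    pkt = {"proto": proto, "src_ip": src_ip, "src_port": src_port, "dst_ip": "2.2.2.2", "dst_port": dst_port}
    return reverse_match(ACL_3001, MAPPINGS, pkt)


if __name__ == "__main__":
    print(outside_to_inside("tcp", "3.3.3.9", 443, 51000))      # HTTPS server in 3.3.3.0/24 replying: allowed
    print(outside_to_inside("tcp", "3.3.3.9", 80, 51000))       # other service from that subnet: denied
    print(outside_to_inside("tcp", "4.4.4.4", 80, 51000))       # anything from 4.4.4.0/24: allowed
    print(outside_to_inside("tcp", "198.51.100.7", 443, 51000)) # not covered by any rule: dropped
```

The practical consequence of the swapped comparison is that an ACL written to restrict which destinations an internal host may reach also defines, under reversible, which external sources may initiate connections to the public address; review the ACL from both directions before adding the keyword.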

After you execute the nat static outbound net-to-net command, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view. After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view, you cannot execute the nat static outbound net-to-net command.

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001

Related commands

display nat all

display nat static

nat mapping-behavior endpoint-independent { tcp | udp } *

nat static enable

reset nat eim

Use reset nat eim to delete NAT EIM entries.

Syntax

reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ local-vpn local-vpn-instance-name ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command deletes NAT EIM entries of all protocol types.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip b4 ipv6-address: Deletes the EIM entry for a B4 device IPv6 address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-ip local-ip: Deletes the EIM entry for a private IP address. The local-ip argument specifies a private IP address.

local-port local-port: Deletes the EIM entry for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Deletes the EIM entry for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Deletes the EIM entry for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

local-vpn local-vpn-instance-name: Deletes EIM entries that contain the specified MPLS L3VPN instance to which private users belong. The local-vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must be the VPN instance carried in the packets sent from the private users to the public network, which corresponds to Local VPN for address translation.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes NAT EIM entries on all cards.

Usage guidelines

If you do not specify any parameters, this command deletes all EIM entries for the ICMP, TCP, and UDP protocols on all cards.

Examples

# Delete all NAT EIM entries for the specified slot.

<Sysname> reset nat eim slot 0

Related commands

display nat session

display nat eim statistics

nat mapping-behavior

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

reset nat session [ protocol { tcp | udp } ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command clears NAT sessions of all protocol types.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions on all cards.

Examples

# Clear NAT sessions for the specified slot.

<Sysname> reset nat session slot 0

Related commands

display nat session

snmp-agent trap enable nat

Use snmp-agent trap enable nat to enable SNMP notifications for NAT.

Use undo snmp-agent trap enable nat to disable SNMP notifications for NAT.

Syntax

snmp-agent trap enable nat [ address-group-usage ]

undo snmp-agent trap enable nat [ address-group-alloc-fail | address-group-usage | port-alloc-fail | port-usage ]

Default

SNMP notifications are enabled for NAT.

Views

System view

Predefined user roles

network-admin

Parameters

address-group-usage: Enables SNMP notifications for the resource usage in a NAT address group.

Usage guidelines

The device generates an SNMP notification in the following scenarios:

If SNMP notifications are enabled for the address group resource usage:

·     The device reports a threshold violation event when the address group resource usage reaches or exceeds the threshold.

·     The device reports a threshold recovery event when the address group resource usage, after having reached or exceeded the threshold, drops below 87.5% of the threshold.

To set the threshold for address group resource usage, execute the nat address-group-usage threshold command.

For the notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

To enable or disable all SNMP notifications for NAT, do not specify any parameters.

Examples

# Enable all SNMP notifications for NAT.

<Sysname> system-view

[Sysname] snmp-agent trap enable nat

Related commands

nat address-group-usage threshold

nat log port-block port-usage threshold

Interface-based NAT commands

display nat address-group resource-usage

Use display nat address-group resource-usage to display the NAT address group resource usage.

Syntax

display nat address-group [ group-id ] resource-usage [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 4294967295. If you do not specify this argument, the command displays the address usage of all NAT address groups.

verbose: Displays the overall resource usage of a NAT address group and the resource usage of each group member. If you do not specify this keyword, the command displays only the overall resource usage of the NAT address group.

Usage guidelines

The resource usage of a NAT address group includes the following information:

·     Address usage—Ratio of the number of used IP addresses to the total number of IP addresses. The used IP addresses are public IP addresses that have been assigned to users for address translation.

·     Port usage—Ratio of the number of assigned ports to the total number of ports. If you have limited the number of VPN users that can share one public address in PAT mode by using the nat per-global-ip user-limit command, the displayed port usage might differ from the ratio you would otherwise expect. This is normal and requires no action.

Examples

# Display the address resource usage of NAT address group 1.

<Sysname> display nat address-group 1 resource-usage

  Address group name/ID: group1/1

    VPN instance: vpn1

    Port range: 1024-10000

    Nat per-global-ip user-limit:4096

    Port-single-alloc

    Total IP addresses: 12

    Used IP addresses: 12

    IP usage: 100%

    Port usage: 12%

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

      202.110.10.20         202.110.10.25

    Config status: Active

Table 14 Command output

Field

Description

Totally n NAT address groups

Total number of NAT address groups.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

Nat per-global-ip user-limit

Maximum number of VPN users sharing one single public address in PAT mode.

Port-single-alloc

Port-by-port allocation method. This field is not displayed if this method is not set.

Total IP addresses

Total number of IP addresses that the NAT address group contains. This field displays 0 if no failover group is bound to the NAT address group.

Used IP addresses

Total number of IP addresses that the NAT address group has used. This field displays 0 if no failover group is bound to the NAT address group.

IP usage

Address usage of the NAT address group. The value is displayed as follows:

·     If the address usage is greater than 0% but less than 1%, this field displays 1%.

·     If the address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

This field displays 0 if no failover group is bound to the NAT address group.

Port usage

Port usage of the NAT address group. The value is displayed as follows:

·     If the port usage is greater than 0% but less than 1%, this field displays 1%.

·     If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

This field displays 0 if no failover group is bound to the NAT address group.

Address information

Information about the address ranges in the address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address for the range, this field displays three hyphens (---).

Config status

Status of the NAT address group:

·     Active—The NAT address group is taking effect.

·     Inactive—The NAT address group is not taking effect.

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive.

The following are possible reasons that the system might display:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance

 

# Display the overall resource usage of all NAT address groups and the resource usage of each group member.

<Sysname> display nat address-group resource-usage verbose

NAT address group information:

  Totally 1 NAT address groups.

  Address group name/ID: 1/1

    Port range: 1000-1020

    Total IP addresses: 51

    Used IP addresses: 1

    IP usage: 1%

    Port usage: 1%

    Port usage of group members:

      Start address         End address         Port usage

      110.1.1.1             110.1.1.1           100%

      111.1.1.1             111.1.1.50          0%

    Config status: Active

Table 15 Command output

Field

Description

Totally n NAT address groups

Total number of NAT address groups.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

TCP port limit

Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.

UDP port limit

Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.

ICMP port limit

Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.

Port limit in total

Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.

IP usage

Address usage of the NAT address group. The value is displayed as follows:

·     If the address usage is greater than 0% but less than 1%, this field displays 1%.

·     If the address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

·     This field displays 0 if no failover group is bound to the NAT address group.

Port usage

Port usage of the NAT address group. The value is displayed as follows:

·     If the port usage is greater than 0% but less than 1%, this field displays 1%.

·     If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

·     This field displays 0 if no failover group is bound to the NAT address group.

Port usage of group members

Port usage of the address ranges in the address group. This field displays 0 if no failover group is bound to the NAT address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---).

Config status

Status of the NAT address group:

·     Active—The NAT address group is taking effect.

·     Inactive—The NAT address group is not taking effect.

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive. Possible reasons:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance
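The rounding rules and the per-member table described above are easy to misread once a group has many ranges, so the following Python script is added here as an example; it is not part of the H3C reference or of the device software. It reproduces the display rule for usage percentages and parses the verbose output shown above (reused here as constructed sample input) so that a monitoring job can flag address ranges whose port usage has reached a threshold before new translations start failing.

```python
import re

# Constructed sample: the verbose output from this section, used as test input.
SAMPLE_OUTPUT = """\
NAT address group information:
  Totally 1 NAT address groups.
  Address group name/ID: 1/1
    Port range: 1000-1020
    Total IP addresses: 51
    Used IP addresses: 1
    IP usage: 1%
    Port usage: 1%
    Port usage of group members:
      Start address         End address         Port usage
      110.1.1.1             110.1.1.1           100%
      111.1.1.1             111.1.1.50          0%
    Config status: Active
"""

NUMERIC_FIELDS = (("ip_usage", "IP usage"), ("port_usage", "Port usage"),
                  ("total_ips", "Total IP addresses"), ("used_ips", "Used IP addresses"))


def displayed_percent(used, total):
    """Reproduce the rule in Table 15: 0 when nothing is used (or bound), 1 for any
    usage above 0% but below 1%, otherwise the percentage rounded down."""
    if total <= 0 or used <= 0:
        return 0
    pct = used * 100 / total
    return 1 if pct < 1 else int(pct)


def parse_resource_usage(text):
    """Parse 'display nat address-group resource-usage verbose' output into dicts,
    one per address group, each with a 'members' list of address ranges."""
    groups, current, in_members = [], None, False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Address group name/ID:\s*(\S+)/(\d+)", s)
        if m:
            current = {"name": m.group(1), "id": int(m.group(2)), "members": []}
            groups.append(current)
            in_members = False
            continue
        if current is None or s.startswith("Start address"):
            continue  # preamble or the member table's column header
        if s.startswith("Port usage of group members:"):
            in_members = True
            continue
        if in_members:
            m = re.match(r"(\S+)\s+(\S+)\s+(\d+)%$", s)
            if m:
                current["members"].append(
                    {"start": m.group(1), "end": m.group(2), "port_usage": int(m.group(3))})
                continue
            in_members = False  # any other line ends the member table
        m = re.match(r"Port range:\s*(\d+)-(\d+)", s)
        if m:
            current["port_range"] = (int(m.group(1)), int(m.group(2)))
        for key, label in NUMERIC_FIELDS:
            m = re.match(re.escape(label) + r":\s*(\d+)%?$", s)
            if m:
                current[key] = int(m.group(1))
        m = re.match(r"Config status:\s*(\w+)", s)
        if m:
            current["status"] = m.group(1)
    return groups


def exhausted_members(groups, threshold=90):
    """Return (group name, start, end, usage) for every range at or above threshold."""
    return [(g["name"], mb["start"], mb["end"], mb["port_usage"])
            for g in groups for mb in g["members"] if mb["port_usage"] >= threshold]


if __name__ == "__main__":
    for hit in exhausted_members(parse_resource_usage(SAMPLE_OUTPUT)):
        print("group %s: range %s-%s at %d%% port usage" % hit)
```

The sample output is the case worth alerting on: the group-level figure reads 1%, but the single-address range 110.1.1.1 is at 100%, so the aggregate hides a fully consumed range.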

 

Related commands

nat address-group

display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of the internal server group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.

Examples

# Display configuration about all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

# Display configuration about internal server group 1.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

Table 16 Command output

Field

Description

NAT server group information

Information about NAT server groups.

Totally n NAT server groups

Total number of NAT server groups.

Group Number

ID of the internal server group.

Inside IP

Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---).

Port

Private port number of a member in the internal server group. If no port number is specified, this field displays hyphens (---).

Weight

Weight of a member in the internal server group. If no weight value is specified, this field displays hyphens (---).

 

Related commands

nat server-group

inside ip

Use inside ip to add a member to an internal server group.

Use undo inside ip to remove a member from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

No members exist in an internal server group.

Views

Internal server group view

Predefined user roles

network-admin

Parameters

inside-ip: Specifies the IP address of an internal server. You can add a maximum of 16 members to an internal server group.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is enabled, and cannot be disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

Restrictions and guidelines

After you enable hardware NAT by using the nat hardware-mode enable command, the device automatically enables NAT hairpin on all interfaces, and you can no longer enable or disable NAT hairpin on an interface by using the nat hairpin enable or undo nat hairpin enable command. If you enabled NAT hairpin on interfaces before enabling hardware NAT, the device automatically deletes the nat hairpin enable configuration once hardware NAT is enabled.

Examples

# Enable NAT hairpin on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat hairpin enable

Related commands

display nat all

nat hardware-mode enable

nat hardware-mode enable

Use nat hardware-mode enable to enable hardware NAT.

Use undo nat hardware-mode enable to disable hardware NAT.

Syntax

nat hardware-mode enable

undo nat hardware-mode enable

Default

Hardware NAT is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

For software NAT, the CPU processes NAT services, so software NAT places high demands on CPU performance.

For hardware NAT, the hardware chip processes NAT services. Hardware NAT offloads the CPU-intensive features to the hardware chip so that the CPU can process other important tasks in a timely manner, and hardware NAT performance is not limited by CPU performance.

Recommended configuration

Hardware NAT is provided by the hardware chip of an interface card and is applicable to scenarios with high requirements for NAT processing performance. In the current software version, hardware NAT supports only a limited set of commands, and only interface-based NAT supports hardware NAT.

Enable hardware NAT on the device in scenarios that meet the following conditions:

·     The device is installed with an interface card that supports hardware NAT.

·     The commands supported by hardware NAT can meet service requirements.

·     The scenarios have high requirements for NAT processing performance.

As a best practice, do not enable hardware NAT in other scenarios.

Prerequisites

When you use the hardware chip of an interface card for processing NAT services, redirect traffic to the interface card as follows:

·     To redirect traffic from the public network to the private network, use the nat service command and specify the interface card.

·     To redirect traffic from the private network to the public network, configure a QoS policy to redirect traffic to the interface card specified in the nat service command.

Restrictions and guidelines

Hardware NAT supports the following commands:

·     nat address-group

·     address

·     nat alg

·     nat hairpin enable

·     nat log enable

·     nat log flow-begin

·     nat log flow-end

·     nat outbound

·     nat server

·     nat service

·     nat static enable

·     nat static inbound

·     nat static inbound net-to-net

·     nat static outbound

·     nat static outbound net-to-net

For information about support for the parameters in a command, see the corresponding command in this document.

After you enable hardware NAT and complete NAT settings, you can use the following commands to display and verify the configuration. To clear NAT sessions, execute the reset command in user view.

·     display nat address-group

·     display nat all

·     display nat log

·     display nat outbound

·     display nat server

·     display nat session

·     display nat static

·     display nat statistics

·     reset nat session

When you enable or disable hardware NAT, follow these restrictions and guidelines:

·     After you execute the nat hardware-mode enable command, the device automatically deletes configuration not supported by hardware NAT.

·     If you execute the nat hardware-mode enable command and then execute the undo nat hardware-mode enable command, the device does not restore the deleted configuration.

·     When you enable or disable hardware NAT, the device automatically deletes all the existing session entries and relation entries.
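Because nat hardware-mode enable deletes configuration that hardware NAT does not support, and undo nat hardware-mode enable does not restore it, the following Python script is added here as a preflight check. It is an added example, not part of the H3C reference or of the device software. It matches the NAT lines of a running-configuration dump against the supported command list above and against the option-level restrictions this document states for nat server (server-group, acl, failover-group) and nat static inbound (acl). The sample configuration is constructed from commands shown in this document, and the exemption of nat hardware-mode lines from the check is an assumption.

```python
# Commands that this reference lists as supported by hardware NAT.
HW_NAT_SUPPORTED = (
    "nat address-group", "address", "nat alg", "nat hairpin enable",
    "nat log enable", "nat log flow-begin", "nat log flow-end", "nat outbound",
    "nat server", "nat service", "nat static enable",
    "nat static inbound", "nat static inbound net-to-net",
    "nat static outbound", "nat static outbound net-to-net",
)

# Options this reference marks as unsupported, or not deployable, under hardware
# NAT, keyed by the supported command they appear in.
HW_NAT_UNSUPPORTED_OPTIONS = {
    "nat server": ("inside server-group", "acl", "failover-group"),
    "nat static inbound": ("acl",),
}

# Assumption (not stated in the reference): the nat hardware-mode commands
# themselves are kept, since they are what configures hardware NAT.
EXEMPT_PREFIXES = ("nat hardware-mode",)

# Prefixes that identify NAT-related lines in a running configuration.
NAT_LINE_PREFIXES = ("nat ", "address ", "inside ip ")

# Constructed sample running configuration built from commands in this document.
SAMPLE_CONFIG = """\
#
nat address-group 2
 address 10.1.1.1 10.1.1.15
#
nat server-group 1
 inside ip 10.1.1.2 port 30
#
nat mapping-behavior endpoint-independent tcp
nat static inbound 202.110.10.10 10.110.10.10 acl 3000
#
interface Ten-GigabitEthernet3/0/1
 nat hairpin enable
 nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 https
 nat server protocol tcp global 202.110.10.10 23 inside server-group 1
#
"""


def _matches(line, prefix):
    """True when the line is exactly this command or this command plus arguments."""
    return line == prefix or line.startswith(prefix + " ")


def _has_option(line, opt):
    """Whole-word match of a (possibly multi-word) option inside the line."""
    words, opt_words = line.split(), opt.split()
    return any(words[i:i + len(opt_words)] == opt_words for i in range(len(words)))


def check_hw_nat_preflight(config_text):
    """Return (line, reason) for every NAT line that hardware NAT would drop or refuse.
    Input is a running-config dump; indentation and '#' separators are ignored."""
    findings = []
    by_length = sorted(HW_NAT_SUPPORTED, key=len, reverse=True)  # longest prefix first
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(NAT_LINE_PREFIXES):
            continue
        if any(_matches(line, p) for p in EXEMPT_PREFIXES):
            continue
        cmd = next((p for p in by_length if _matches(line, p)), None)
        if cmd is None:
            findings.append((line, "command is not in the hardware NAT supported list"))
            continue
        for opt in HW_NAT_UNSUPPORTED_OPTIONS.get(cmd, ()):
            if _has_option(line, opt):
                findings.append((line, f"'{opt}' is not supported by hardware NAT"))
    return findings


if __name__ == "__main__":
    for line, reason in check_hw_nat_preflight(SAMPLE_CONFIG):
        print(f"{reason}: {line}")
```

Run it against a saved copy of the running configuration before executing nat hardware-mode enable; anything it reports is configuration you will have to re-create by other means, because the device does not restore it after undo nat hardware-mode enable.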

Examples

# Enable hardware NAT.

<Sysname> system-view

[Sysname] nat hardware-mode enable

Related commands

address

display nat address-group

display nat all

display nat log

display nat outbound

display nat server

display nat session

display nat static

display nat statistics

nat address-group

nat alg

nat hairpin enable

nat log enable

nat log flow-begin

nat log flow-end

nat outbound

nat server

nat service

nat static enable

nat static inbound

nat static inbound net-to-net

nat static outbound

nat static outbound net-to-net

reset nat session

nat hardware-mode port-alloc

Use nat hardware-mode port-alloc to set the maximum number of attempts for hardware NAT to allocate ports in PAT mode.

Use undo nat hardware-mode port-alloc to restore the default.

Syntax

nat hardware-mode port-alloc number

undo nat hardware-mode port-alloc

Default

Hardware NAT attempts to allocate ports in PAT mode up to three times.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of attempts for hardware NAT to allocate ports. The value range is 3 to 255.

Usage guidelines

Application scenarios

When a device with hardware NAT enabled allocates ports, a five-tuple conflict after translation or a port collision causes the port allocation to fail. In this case, the NAT device automatically attempts to allocate another available port to the private user. Use this command to set the maximum number of such attempts for hardware NAT.

Recommended configuration

More port collisions indicate greater network delay and processing workload, affecting network performance. As a best practice, use the default setting. To change the maximum number of attempts for hardware NAT to allocate ports, contact H3C Support to make sure the specified maximum number can meet service expectations.

Restrictions and guidelines

This command takes effect only after you enable hardware NAT by using the nat hardware-mode enable command.

Examples

# Set the maximum number of attempts to 10 for hardware NAT to allocate ports in PAT mode.

<Sysname> system-view

[Sysname] nat hardware-mode enable

[Sysname] nat hardware-mode port-alloc 10

Related commands

nat hardware-mode enable

nat hardware-mode server-limit

Use nat hardware-mode server-limit to set the maximum number of sessions that all public users can establish to access internal servers for hardware NAT.

Use undo nat hardware-mode server-limit to restore the default.

Syntax

nat hardware-mode server-limit number

undo nat hardware-mode server-limit

Default

All public users can establish up to 262144 sessions to access internal servers for hardware NAT.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of sessions that all public users can establish to access internal servers for hardware NAT. The value range is 1 to 1048575.

Usage guidelines

Application scenarios

Too many sessions established by public users to access internal servers consume a large number of device session resources. As a result, other users cannot establish new sessions. Use this command to set the maximum number of sessions that all public users can establish to access internal servers.

Recommended configuration

As a best practice, use the default setting. To change the maximum number of sessions that all public users can establish to access internal servers for hardware NAT, contact H3C Support to make sure the specified maximum number can meet service expectations.

Restrictions and guidelines

This command takes effect only after you enable hardware NAT by using the nat hardware-mode enable command.

Examples

# Set the maximum number of sessions that all public users can establish to access internal servers for hardware NAT to 30000.

<Sysname> system-view

[Sysname] nat hardware-mode enable

[Sysname] nat hardware-mode server-limit 30000

Related commands

nat hardware-mode enable

nat hardware-mode user-limit

Use nat hardware-mode user-limit to set the maximum number of sessions that can be established per user for hardware NAT.

Use undo nat hardware-mode user-limit to restore the default.

Syntax

nat hardware-mode user-limit number

undo nat hardware-mode user-limit

Default

A user can establish up to 1024 sessions for hardware NAT.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of sessions that can be established per user for hardware NAT, in the range of 1 to 65535.

Usage guidelines

Application scenarios

Too many sessions established by a single user consume a large number of device port resources and session resources. As a result, other users cannot establish new connections to access the external network. Use this command to set the maximum number of sessions that can be established per user.

Recommended configuration

As a best practice, use the default setting. To change the maximum number of sessions that can be established per user for hardware NAT, contact H3C Support to make sure the specified maximum number can meet service expectations.

Restrictions and guidelines

This command takes effect only after you enable hardware NAT by using the nat hardware-mode enable command.

Examples

# Set the maximum number of sessions that can be established per user for hardware NAT to 5000.

<Sysname> system-view

[Sysname] nat hardware-mode enable

[Sysname] nat hardware-mode user-limit 5000

Related commands

nat hardware-mode enable

nat server

Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

Common NAT server mapping:

·     A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ failover-group group-name ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with no single public port:

nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with a single public port:

nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]

Load sharing NAT server mapping:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]

ACL-based NAT server mapping:

nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ failover-group group-name ]

undo nat server global { ipv4-acl-number | name ipv4-acl-name }

Default

No NAT server mappings exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·     A number in the range of 1 to 255.

·     A protocol name of icmp, tcp, or udp.

global: Specifies the external network information that the server uses to provide services to the external network.

global-address: Specifies the public address of an internal server.

global-address1 global-address2: Specifies a public IP address range, which can include a maximum of 10000 addresses. The global-address1 argument specifies the start address, and the global-address2 argument specifies the end address, which must be greater than the start address.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port: Specifies the public port number. The public port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 256 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

inside: Specifies the internal information of the server.

local-address: Specifies the private IP address of an internal server.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

local-port1 local-port2: Specifies a private port number range, which can include a maximum of 256 ports. The local-port1 argument specifies the start port, and the local-port2 argument specifies the end port that must be greater than the start port. The private port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses of NAT server mappings belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for this argument is 0 to 65535. This option is not supported by hardware NAT.

acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping. This keyword is not supported by hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For the configuration to take effect, specify a failover group of the default type. For more information about failover groups, see High Availability Configuration Guide. To deploy configuration successfully, do not specify this option after you enable hardware NAT.

Usage guidelines

Application scenarios

You can configure the NAT server mapping to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

Operating mechanism

NAT server mappings are usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port.

The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 17 Address-port mappings for NAT Server

External network: One public address

Internal network: One private address

External network: One public address and one public port number

Internal network: One private address and one private port number

External network: One public address and N consecutive public port numbers

Internal network (one of the following):

·     One private address and one private port number

·     N consecutive private addresses and one private port number

·     One private address and N consecutive private port numbers

External network: N consecutive public addresses

Internal network (one of the following):

·     One private address

·     N consecutive private addresses

External network: N consecutive public addresses and one public port number

Internal network (one of the following):

·     One private address and one private port number

·     N consecutive private addresses and one private port number

·     One private address and N consecutive private port numbers

External network (one of the following):

·     One public address and one public port number

·     One public address and N consecutive public port numbers

·     N consecutive public addresses and one public port number

Internal network: One internal server group

External network: Public addresses matching an ACL

Internal network (one of the following):

·     One private address

·     One private address and one private port

 

Recommended configuration (internal servers using Easy IP)

As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. It takes effect again once the conflicting address is changed to a non-conflicting one or the internal server configuration without Easy IP is removed.

Recommended configuration (load shared internal servers)

When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:

·     One public address and N consecutive public port numbers are mapped to one internal server group.

·     N consecutive public addresses and one public port number are mapped to one internal server group.

Recommended configuration (VPN networks)

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Restrictions and guidelines

The number of nat server commands that can be configured on an interface varies by device model. The combination of protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.

When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. To avoid incorrect operation of NAT and packet loss, do not specify the same IP address for the global-address argument and the local-address argument.

Load sharing NAT server mappings and the nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } * command in system view are mutually exclusive: after you configure load sharing NAT server mappings, you cannot execute the command, and after you execute the command, you cannot configure load sharing NAT server mappings.

For ACL-based NAT server mappings, the device matches packets against ACLs based on either the ACL names or ACL numbers. ACL names take precedence over ACL numbers.

·     ACL names—The device matches packets based on the alphabetical order of the ACL names.

·     ACL numbers—A higher ACL number indicates higher priority.

Examples

# Allow external users to access the internal Web server at 10.110.10.10 through https://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 https

[Sysname-Ten-GigabitEthernet3/0/1] quit

# Allow external users to access the internal FTP server at 10.110.10.11 in the VPN instance vrf10 through ftp://202.110.10.10.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

[Sysname-Ten-GigabitEthernet3/0/1] quit

# Allow external hosts to ping the host at 10.110.10.12 in the VPN instance vrf10 by using the ping 202.110.10.11 command.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

[Sysname-Ten-GigabitEthernet3/0/1] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the VPN instance vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Configure ACL-based NAT Server to allow users to use IP addresses in subnet 192.168.0.0/24 to access the internal server at 10.0.0.172.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] nat server global 3000 inside 10.0.0.172
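A single nat server command with ranges can expose many internal endpoints at once, so the following Python script is added here as an example; it is not part of the H3C reference or of the device software. It expands a nat server command of the forms shown above into the individual public-to-private endpoint pairs it creates (the mapping of 202.110.10.10:1001 to 10.110.10.1 and so on in the Telnet example), applying the limits this section states: end values greater than start values, at most 256 ports or 10000 addresses in a range, equal counts for a public port range and a private address range, no private port 20, one-to-one address mappings only for non-TCP/UDP protocols, different public and private addresses, and N no larger than the server group size for load sharing. The service-name table is an assumption (IANA well-known ports); Easy IP and ACL-based forms are recognised but not expanded.

```python
import ipaddress

# Assumed service-name table: the reference only says a port may be given as a
# name such as http or telnet, so these are IANA well-known values, not device data.
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "http": 80, "https": 443}
INSIDE_TERMINATORS = {"vpn-instance", "acl", "reversible", "failover-group"}


def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _port(tok):
    p = int(tok) if tok.isdigit() else SERVICE_PORTS.get(tok.lower())
    if p is None or not 1 <= p <= 65535:
        raise ValueError(f"bad port {tok!r}: must be 1-65535 or a known service name")
    return p


def _ip_range(start, end, limit, what):
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b <= a:
        raise ValueError(f"{what} end address must be greater than the start address")
    count = int(b) - int(a) + 1
    if count > limit:
        raise ValueError(f"{what} range has {count} addresses, limit is {limit}")
    return [str(ipaddress.IPv4Address(int(a) + i)) for i in range(count)]


def _port_range(start, end, what):
    p1, p2 = _port(start), _port(end)
    if p2 <= p1:
        raise ValueError(f"{what} end port must be greater than the start port")
    if p2 - p1 + 1 > 256:
        raise ValueError(f"{what} port range exceeds 256 ports")
    return list(range(p1, p2 + 1))


def _endpoints(tokens, what):
    """Turn one side's address/port tokens into a list of (ip, port-or-None)."""
    ips = [t for t in tokens if _is_ip(t)]
    ports = [t for t in tokens if not _is_ip(t)]
    if len(ips) == 2 and len(ports) <= 1:      # N consecutive addresses, optional port
        port = _port(ports[0]) if ports else None
        return [(ip, port) for ip in _ip_range(ips[0], ips[1], 10000, what)]
    if len(ips) == 1 and len(ports) <= 1:      # one address, optional port
        return [(ips[0], _port(ports[0]) if ports else None)]
    if len(ips) == 1 and len(ports) == 2:      # one address, N consecutive ports
        return [(ips[0], p) for p in _port_range(ports[0], ports[1], what)]
    raise ValueError(f"unsupported {what} address/port combination: {tokens}")


def expand_nat_server(command, group_sizes=None):
    """Expand a nat server command into (public_ip, public_port, private_ip, private_port)
    tuples. Ports are None for address-only mappings; a load sharing mapping names the
    server group as its private side. group_sizes (optional) maps group IDs to member
    counts so the N <= members rule for load sharing can be checked."""
    toks = command.split()
    if toks[:2] != ["nat", "server"]:
        raise ValueError("not a nat server command")
    proto, i = None, 2
    if toks[i] == "protocol":
        proto, i = toks[i + 1].lower(), i + 2
    if toks[i] != "global" or "inside" not in toks:
        raise ValueError("expected 'global ... inside ...'")
    gi = toks.index("inside")
    global_toks = toks[i + 1:gi]
    inside_toks = []
    for t in toks[gi + 1:]:
        if t in INSIDE_TERMINATORS:
            break
        inside_toks.append(t)
    if not any(_is_ip(t) for t in global_toks):
        raise ValueError("Easy IP and ACL-based forms are not expanded here")
    pub = _endpoints(global_toks, "public")
    if inside_toks[:1] == ["server-group"]:
        gid = inside_toks[1]
        size = (group_sizes or {}).get(gid)
        if size is not None and len(pub) > size:
            raise ValueError(f"{len(pub)} public endpoints exceed the {size} members of group {gid}")
        return [(ip, port, f"server-group {gid}", None) for ip, port in pub]
    priv = _endpoints(inside_toks, "private")
    if any(p == 20 for _, p in priv):
        raise ValueError("private port 20 (FTP data) is not allowed")
    if proto not in ("tcp", "udp", "6", "17") and (len(pub) != 1 or len(priv) != 1):
        raise ValueError("non-TCP/UDP protocols allow only one-to-one address mappings")
    if len(priv) == 1:
        pairs = [(gip, gport) + priv[0] for gip, gport in pub]
    elif len(priv) == len(pub):
        pairs = [(gip, gport, lip, lport) for (gip, gport), (lip, lport) in zip(pub, priv)]
    else:
        raise ValueError(f"{len(pub)} public endpoints cannot map onto {len(priv)} private endpoints")
    if any(gip == lip for gip, _, lip, _ in pairs):
        raise ValueError("global-address and local-address must differ")
    return pairs


def check_nat_server(command, group_sizes=None):
    """Return None when the command is valid, otherwise the reason it is rejected."""
    try:
        expand_nat_server(command, group_sizes)
        return None
    except ValueError as exc:
        return str(exc)
```

Feeding every nat server line of a configuration through expand_nat_server gives the full list of internal addresses and ports reachable from the outside, which is the inventory a reviewer wants when checking that only intended services are published.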

Related commands

display nat all

display nat server

nat mapping-behavior endpoint-independent { tcp | udp } *

nat server-group

nat server-group

Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.

Use undo nat server-group to delete an internal server group.

Syntax

nat server-group group-id

undo nat server-group group-id

Default

No internal server groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the internal server group. The value range for this argument is 0 to 65535.

Usage guidelines

An internal server group can contain multiple members, which you configure by using the inside ip command in the view of the group.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

display nat all

display nat server-group

inside ip

nat server

nat static inbound

Use nat static inbound to configure a one-to-one mapping for inbound static NAT.

Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ packet-type-ignore ]

undo nat static inbound global-ip [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets from the public network whose source address this mapping translates (see Restrictions and guidelines). To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP address. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

packet-type-ignore: Ignores the protocol packet type when the device creates session entries for TCP, ICMP, or SCTP. If you do not specify this keyword, the NAT device checks the protocol packet type and creates session entries for only protocol packets that pass the check. For example, the NAT device creates session entries for TCP packets only when the packet type is SYN or ACK.

Usage guidelines

Application scenarios

For address translation from a public IP address to a private IP address, configure inbound one-to-one static NAT.

·     When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.

·     When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip.

Recommended configuration

In an asymmetric routing scenario, if a session contains different types of protocol packets that are forwarded by different NAT devices, protocol packets of some types might be discarded. As a result, session status cannot be updated through protocol packet exchanges, causing abnormal service traffic forwarding. To avoid such an issue, specify the packet-type-ignore keyword when you use this command. Be aware that this keyword also removes the packet type check, so a session entry can then be created by any TCP packet rather than only by a SYN or ACK. Use it only where asymmetric routing actually exists.

Restrictions and guidelines

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP address.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
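The direction rules above are easy to misread, so the following is an added Python model of them (example code, not part of this command reference or of the device software). It uses the same mapping as the Examples section, public 2.2.2.2 to private 192.168.1.1, and a constructed ACL 3001 that permits traffic from source 2.2.2.2 to destination 10.0.0.0/24. Only addresses are matched, not ports, and the rules are plain permit rules, which is a simplification of the device's ACL engine.

```python
import ipaddress
from dataclasses import dataclass

# Mapping from "nat static inbound 2.2.2.2 192.168.1.1": the public host 2.2.2.2
# is seen from the private network as 192.168.1.1.
GLOBAL_IP = "2.2.2.2"
LOCAL_IP = "192.168.1.1"


@dataclass(frozen=True)
class Rule:
    """One 'permit ip source ... destination ...' rule; only addresses are modelled, not ports."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


# Constructed ACL 3001 (hypothetical): permit traffic from 2.2.2.2 to 10.0.0.0/24 only.
ACL_3001 = [
    Rule(ipaddress.ip_network("2.2.2.2/32"), ipaddress.ip_network("10.0.0.0/24")),
]


def _permits(acl, src, dst):
    """Forward ACL match: packet source against rule source, packet destination against rule destination."""
    return any(src in r.source and dst in r.destination for r in acl)


def translate_inbound(src, dst, acl=None):
    """Public-to-private packet. Returns (source, destination) after translation,
    or None when the mapping does not apply to this packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src != ipaddress.ip_address(GLOBAL_IP):
        return None                      # source does not match global-ip
    if acl is not None and not _permits(acl, src, dst):
        return None                      # ACL specified and the packet is not permitted
    return (LOCAL_IP, str(dst))


def translate_outbound(src, dst, acl=None, reversible=False):
    """Private-to-public packet of a connection initiated inside and destined for local-ip."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst != ipaddress.ip_address(LOCAL_IP):
        return None                      # destination does not match local-ip
    if acl is None:
        return (str(src), GLOBAL_IP)     # no ACL: outgoing destinations are always translated
    if not reversible:
        return None                      # ACL without reversible: inside-initiated traffic is left alone
    # Reverse matching: packet source against the rule DESTINATION, and the
    # translated destination (global-ip) against the rule SOURCE.
    translated_dst = ipaddress.ip_address(GLOBAL_IP)
    if any(src in r.destination and translated_dst in r.source for r in acl):
        return (str(src), GLOBAL_IP)
    return None
```

The two ACL branches show the practical consequence of the keyword: with an ACL but without reversible, a session can only be opened from the public side, and nothing an internal host sends to 192.168.1.1 is translated.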

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

Related commands

display nat all

display nat static

nat static enable

nat static inbound net-to-net

Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.

Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.

Syntax

nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-start-address global-end-address: Specifies a public address range which can contain a maximum of 256 addresses. The global-end-address must not be lower than global-start-address. If they are the same, only one public address is specified.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

local-network: Specifies a private network address.

mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.

mask: Specifies the mask of the private network address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private network address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets from the public network whose source address this mapping translates (see Restrictions and guidelines). To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP addresses. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

Usage guidelines

Application scenarios

For address translation from a public network to a private network, configure inbound net-to-net static NAT.

Operating mechanism

·     When the destination IP address of a packet from the private network matches the private address range, the destination IP address is translated into a public address in the public address range.

·     When the source IP address of a packet from the public network matches the public address range, the source IP address is translated into a private address in the private address range.

Restrictions and guidelines

Specify a public network through a start address and an end address, and a private network through a private address and a mask.

The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
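An added Python check (example code, not from this reference or the device software) that applies the rules of this section to a proposed mapping before it is typed in: the 256-address limit on the public range, the 8 to 31 mask length, and the bound derived from the public start address and the private mask. It accepts both mask forms the command takes. Which public address a given private address is translated into is not stated on this page, so the check does not try to compute the translation.

```python
import ipaddress

MAX_RANGE = 256             # page: a public address range holds at most 256 addresses
MIN_MASK, MAX_MASK = 8, 31  # page: mask-length is 8 to 31


def private_mask_length(mask):
    """Accept both forms the command takes: a mask length such as "24"
    or a dotted mask such as "255.255.255.0"."""
    text = str(mask)
    if "." in text:
        return ipaddress.ip_network(f"0.0.0.0/{text}").prefixlen
    return int(text)


def check_net_to_net(global_start, global_end, local_network, mask):
    """Validate a proposed 'nat static inbound net-to-net' mapping.

    Returns the greatest public end address the rules allow for this start
    address and private mask; raises ValueError for a mapping the rules reject.
    """
    start = ipaddress.ip_address(global_start)
    end = ipaddress.ip_address(global_end)
    length = private_mask_length(mask)
    if not MIN_MASK <= length <= MAX_MASK:
        raise ValueError(f"mask length {length} is outside {MIN_MASK}-{MAX_MASK}")
    # The private side must be a network address under that mask (2.2.2.0/24, not 2.2.2.5/24).
    ipaddress.ip_network(f"{local_network}/{length}")
    if end < start:
        raise ValueError("global-end-address is lower than global-start-address")
    if int(end) - int(start) + 1 > MAX_RANGE:
        raise ValueError(f"public range has more than {MAX_RANGE} addresses")
    # The bound: last address of the subnet formed by the PUBLIC start address and the PRIVATE mask.
    limit = ipaddress.ip_network(f"{start}/{length}", strict=False).broadcast_address
    if end > limit:
        raise ValueError(f"global-end-address {end} is beyond {limit}, the last address of {start}/{length}")
    return str(limit)


def is_valid_net_to_net(global_start, global_end, local_network, mask):
    """True when check_net_to_net accepts the mapping, False when it rejects it."""
    try:
        check_net_to_net(global_start, global_end, local_network, mask)
        return True
    except ValueError:
        return False
```

Run against the page's own case (private 2.2.2.0/24, public start 1.1.1.100), the check reports 1.1.1.255 as the highest acceptable end address and rejects 1.1.2.0.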

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.

<Sysname> system-view

[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24

Related commands

display nat all

display nat static

nat static enable
