NAT Configuration on the Firewall Configuration

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls NAT Command Reference

Part number: 5998-2659

Document version: 6PW100-20110909


Legal and notice information

© Copyright 2011 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.


Contents

NAT configuration commands ... 1
    address ... 1
    display nat address-group ... 1
    display nat all ... 2
    display nat bound ... 4
    display nat dns-map ... 5
    display nat server ... 6
    display nat static ... 7
    display nat statistics ... 9
    nat address-group ... 10
    nat dns-map ... 11
    nat outbound ... 11
    nat outbound static ... 14
    nat server ... 14
    nat static ... 17
    nat static net-to-net ... 18

NAT-PT configuration commands ... 19
    display natpt address-group ... 19
    display natpt address-mapping ... 19
    display natpt all ... 21
    display natpt statistics ... 22
    natpt address-group ... 23
    natpt enable ... 24
    natpt prefix ... 24
    natpt turn-off tos ... 25
    natpt turn-off traffic-class ... 26
    natpt v4bound dynamic ... 26
    natpt v4bound static ... 27
    natpt v4bound static v6server ... 28
    natpt v6bound dynamic ... 29
    natpt v6bound static ... 29
    reset natpt statistics ... 30

ALG configuration commands ... 31
    alg ... 31

Support and other resources ... 33
    Contacting HP ... 33
        Subscription service ... 33
    Related information ... 33
        Documents ... 33
        Websites ... 33
    Conventions ... 34

Index ... 35


NAT configuration commands

address

Syntax

address start-address end-address

undo address start-address end-address

View

Address group view

Default level

2: System level

Parameters

start-address: Start IP address of the address group member.

end-address: End IP address of the address group member. The end-address must not be lower than the start-address. If they are the same, the group member has only one IP address.

Description

Use the address command to add a member that specifies an address pool to the address group. The address pools of group members may not be consecutive.

Use the undo address command to remove a group member from the address group.

Note that:

• You cannot add/remove a group member to/from an address group when any IP address of the group member is being used or the address group is associated with an Access Control List (ACL).

• You can add up to 100 members to an address group.

• The address pools of group members must not overlap with each other or with other address pools.

Related commands: display nat address-group and nat address-group.

Examples

# Create address group 2 and add two group members to it. Specify addresses 10.1.1.1 through 10.1.1.15 for one member and addresses 10.1.1.20 through 10.1.1.30 for the other.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-nat-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-nat-address-group-2] address 10.1.1.20 10.1.1.30

display nat address-group

Syntax

display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]


View

Any view

Default level

1: Monitor level

Parameters

group-number: NAT address group number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat address-group command to display the NAT address pool information.

Related commands: nat address-group.

Examples

# Display the NAT address pool information.

<Sysname> display nat address-group

NAT address-group information:

There are currently 2 nat address-group(s)

1 : from 202.110.10.10 to 202.110.10.15

2 : from 202.110.10.20 to 202.110.10.25

# Display the information of NAT address group 1.

<Sysname> display nat address-group 1

NAT address-group information:

1 : from 202.110.10.10 to 202.110.10.15

Table 1 Output description

Field | Description
NAT address-group information | NAT address pool information
There are currently 2 nat address-group(s) | There are currently two NAT address groups.
1 : from 202.110.10.10 to 202.110.10.15 | The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15

display nat all

Syntax

display nat all [ | { begin | exclude | include } regular-expression ]

View

Any view


Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat all command to display all NAT configuration information.

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address-group information:

There are currently 1 nat address-group(s)

1 : from 202.110.10.10 to 202.110.10.15

NAT bound information:

There are currently 1 nat bound rule(s)

Interface: GigabitEthernet0/1

Direction: outbound ACL: 2009 Address-group: 1 NO-PAT: N

NAT server in private network information:

There are currently 1 internal server(s)

Interface: GigabitEthernet0/2, Protocol: 6(tcp)

Global: 5.5.5.5 : 80(www)

Local : 192.1.1.1 : 80(www)

NAT static information:

There are currently 1 NAT static configuration(s)

single static:

Local-IP : 1.1.1.1

Global-IP : 2.2.2.2

Local-VPN : ---

NAT static enabled information:

Interface Direction

GigabitEthernet0/4 out-static


Table 2 Output description

Field | Description
NAT address-group information, There are currently 1 nat address-group(s) | NAT address pool information. For a description of the specific fields, see the display nat address-group command.
NAT bound information | Configuration information about internal address-to-external address translation. For a description of the specific fields, see the display nat bound command.
NAT server in private network information | Internal server information. For a description of the specific fields, see the display nat server command.
NAT static information | Information about static NAT. For a description of the specific fields, see the display nat static command.
NAT static enabled information | Information about static NAT entries and interface(s) with static NAT enabled. For a description of the specific fields, see the display nat static command.

display nat bound

Syntax

display nat bound [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat bound command to display the NAT configuration information.

Related commands: nat outbound.

Examples

# Display the NAT configuration information.

<Sysname> display nat bound

NAT bound information:

There are currently 3 nat bound rule(s)

Interface:Vlan-interface10

Direction: outbound ACL: 2000 Address-group: 319 NO-PAT: Y


VPN-instance: vpn1

Out-interface: ---

Next-hop: 100.100.100.1

Status: Active

Interface:Vlan-interface10

Direction: outbound ACL: 3000 Address-group: 300 NO-PAT: N

VPN-instance: vpn2

Out-interface: Vlan-interface200

Next-hop: 100.100.110.1

Status: Inactive

Interface:Vlan-interface20

Direction: outbound ACL: 2001 Address-group: --- NO-PAT: N

VPN-instance: ---

Out-interface: ---

Next-hop: ---

Status: Inactive

Table 3 Output description

Field | Description
NAT bound information | Configured NAT address translation information
Interface | The interface associated with a NAT address pool.
Direction | Address translation direction: outbound
ACL | ACL number
Address-group | Address group number. The field is displayed as null in Easy IP mode.
NO-PAT | Support for NO-PAT mode or not
VPN-instance | VPN where the NAT address pool belongs. The field is displayed as "---" if it is not configured.
Output-interface | The specified outbound interface. The field is displayed as "---" if it is not configured.
Next-hop | The specified next hop address. The field is displayed as "---" if it is not configured.
Status | Current status of the configuration, which can be active or inactive.

display nat dns-map

Syntax

display nat dns-map [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level


Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat dns-map command to display NAT DNS mapping configuration information.

Related commands: nat dns-map.

Examples

# Display NAT DNS mapping configuration information.

<Sysname> display nat dns-map

NAT DNS mapping information:

There are currently 2 NAT DNS mapping(s)

Domain-name: www.server.com

Global-IP : 202.113.16.117

Global-port: 80(www)

Protocol : 6(tcp)

Domain-name: ftp.server.com

Global-IP : 202.113.16.100

Global-port: 21(ftp)

Protocol : 6(tcp)

Table 4 Output description

Field | Description
NAT DNS mapping information | NAT DNS mapping information
There are currently 2 DNS mapping(s) | There are two DNS mapping entries
Domain-name | Domain name of the internal server
Global-IP | External IP address of the internal server
Global-port | Public port number of the internal server
Protocol | Protocol type of the internal server

display nat server

Syntax

display nat server [ | { begin | exclude | include } regular-expression ]

View

Any view


Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat server command to display information about internal servers.

Related commands: nat server.

Examples

# Display information about internal servers.

<Sysname> display nat server

NAT server in private network information:

There are currently 2 internal server(s)

Interface: Vlan-interface10, Protocol: 6(tcp)

Global: 100.100.120.120 : 21(ftp)

Local : 192.168.100.100 : 21(ftp)

Status: Inactive

Interface: Vlan-interface11, Protocol: 6(tcp)

Global: 100.100.100.121 : 80(www)

Local : 192.168.100.101 : 80(www) vpn2

Status: Active

Table 5 Output description

Field | Description
Server in private network information | Information about internal servers
Interface | Internal server interface
Protocol | Protocol type
Global | External IP address and port number of a server, and the VPN that the external address belongs to.
Local | Internal network information of a server
Status | Current status of the configuration, which can be active or inactive.

display nat static

Syntax

display nat static [ | { begin | exclude | include } regular-expression ]


View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat static command to display static NAT entries and interface(s) with static NAT enabled.

Related commands: nat static and nat outbound static.

Examples

# Display static NAT entries and interface(s) with static NAT enabled.

<Sysname> display nat static

NAT static information:

There are currently 2 NAT static configuration(s)

net-to-net:

Local-IP : 1.1.1.0

Global-IP : 2.2.2.0

Netmask : 255.255.255.0

Local-VPN : vpn1

Global-VPN : vpn2

single static:

Local-IP : 4.4.4.4

Global-IP : 5.5.5.5

Local-VPN : ---

Global-VPN : ---

NAT static enabled information:

Interface Direction

Vlan-interface11 out-static

Table 6 Output description

Field | Description
NAT static information | Configuration information of static NAT
net-to-net | Net-to-net static NAT
single static | One-to-one static NAT
Local-IP | Internal IP address
Global-IP | External IP address
Netmask | Network mask
Local-VPN | L3VPN that the internal IP address belongs to
Global-VPN | L3VPN that the external IP address belongs to

display nat statistics

Syntax

display nat statistics [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat statistics command to display NAT statistics.

Examples

# Display NAT statistics.

<Sysname> display nat statistics

total PAT session table count: 1

total NO-PAT session table count: 0

total SERVER session table count: 0

total STATIC session table count: 0

active PAT session table count: 1

active NO-PAT session table count: 0

Table 7 Output description

Field | Description
total PAT session table count | Number of PAT session entries
total NO-PAT session table count | Number of NO-PAT session entries
total SERVER session table count | Number of SERVER session entries
total STATIC session table count | Number of STATIC session entries
active PAT session table count | Number of active PAT session entries
active NO-PAT session table count | Number of active NO-PAT session entries

nat address-group

Syntax

nat address-group group-number [ start-address end-address ] [ level level ]

undo nat address-group group-number [ start-address end-address ] [ level level ]

View

System view

Default level

2: System level

Parameters

group-number: Index of the address pool.

start-address: Start IP address of the address pool.

end-address: End IP address of the address pool. The end-address cannot be smaller than the start-address. If they are the same, the address pool has only one IP address.

level level: Address pool level. The value of level is in the range of 0 to 1, where 0 represents low priority.

Description

Use the nat address-group command to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool. Without the start and end IP addresses specified, the command places you into the address group view.

Use the undo nat address-group command to remove an address pool or address group.

An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command. The address pools of group members may not be consecutive.

Note that:

• You cannot remove an address pool or address group that has been associated with an ACL.

• Different address pools must not overlap.

• The address pools of group members must not overlap with each other or with other address pools.

• An address pool or address group is not needed in the case of Easy IP where the interface’s public IP address is used as the translated IP address.

Related commands: address and display nat address-group.

Examples

# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.

<Sysname> system-view

[Sysname] nat address-group 1 202.110.10.10 202.110.10.15

# Create address group 2 and add a group member that contains IP addresses 10.1.1.1 through 10.1.1.15 to it.

<Sysname> system-view


[Sysname] nat address-group 2

[Sysname-nat-address-group-2] address 10.1.1.1 10.1.1.15
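The rules for the address command and for nat address-group are the same: end-address must not be lower than start-address, pools and group members must not overlap anywhere, a group holds at most 100 members, and neither a member nor the group can be changed while an ACL is associated with it. The following Python model is added here to check a planned pool layout offline before it is typed into the firewall; it is not HP code and not the firewall's own implementation, the class and function names are assumptions, and the sample addresses are the ones from the examples above.

```python
from ipaddress import IPv4Address
from typing import Dict, Iterator, List, Optional, Set, Tuple

MAX_GROUP_MEMBERS = 100  # per-address-group member limit stated in the reference
Range = Tuple[int, int]  # inclusive (start, end) as integers


class NatAddressError(ValueError):
    """A pool or group member that would violate one of the documented rules."""


def parse_range(start: str, end: str) -> Range:
    """start-address/end-address check: end must not be lower than start."""
    s, e = int(IPv4Address(start)), int(IPv4Address(end))
    if e < s:
        raise NatAddressError(f"end-address {end} is lower than start-address {start}")
    return s, e


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


class NatAddressConfig:
    """Address pools (nat address-group N start end) and address groups
    (nat address-group N, then address members) with the reference's rules:
    no overlap anywhere, at most 100 members, no change while ACL-associated."""

    def __init__(self) -> None:
        self.pools: Dict[int, Range] = {}
        self.groups: Dict[int, List[Range]] = {}
        self.acl_bound: Set[int] = set()  # numbers referenced by a nat outbound binding

    def _ranges(self) -> Iterator[Tuple[int, Range]]:
        for number, r in self.pools.items():
            yield number, r
        for number, members in self.groups.items():
            for r in members:
                yield number, r

    def _reject_overlap(self, new: Range) -> None:
        for number, existing in self._ranges():
            if overlaps(existing, new):
                raise NatAddressError(
                    f"{IPv4Address(new[0])}-{IPv4Address(new[1])} overlaps address-group {number}")

    def add_pool(self, number: int, start: str, end: str) -> None:
        """nat address-group <number> <start> <end>: one consecutive pool."""
        if number in self.pools or number in self.groups:
            raise NatAddressError(f"address-group {number} already exists")
        r = parse_range(start, end)
        self._reject_overlap(r)
        self.pools[number] = r

    def add_member(self, number: int, start: str, end: str) -> None:
        """address <start> <end> in the address group view of group <number>."""
        if number in self.pools:
            raise NatAddressError(f"address-group {number} is a pool, not a group")
        if number in self.acl_bound:
            raise NatAddressError(f"address-group {number} is associated with an ACL")
        r = parse_range(start, end)
        self._reject_overlap(r)
        members = self.groups.setdefault(number, [])
        if len(members) >= MAX_GROUP_MEMBERS:
            raise NatAddressError(f"address-group {number} already has {MAX_GROUP_MEMBERS} members")
        members.append(r)

    def bind_acl(self, number: int) -> None:
        """Record a nat outbound ... address-group <number> association."""
        if number not in self.pools and number not in self.groups:
            raise NatAddressError(f"address-group {number} does not exist")
        self.acl_bound.add(number)

    def remove(self, number: int) -> None:
        """undo nat address-group <number>: refused while an ACL references it."""
        if number in self.acl_bound:
            raise NatAddressError(f"address-group {number} is associated with an ACL")
        self.pools.pop(number, None)
        self.groups.pop(number, None)

    def address_count(self, number: int) -> int:
        ranges = [self.pools[number]] if number in self.pools else self.groups.get(number, [])
        return sum(e - s + 1 for s, e in ranges)


def reference_example() -> NatAddressConfig:
    """Replays the reference's examples: pool 1 and the two-member group 2."""
    cfg = NatAddressConfig()
    cfg.add_pool(1, "202.110.10.10", "202.110.10.15")
    cfg.add_member(2, "10.1.1.1", "10.1.1.15")
    cfg.add_member(2, "10.1.1.20", "10.1.1.30")
    return cfg


def rejected(cfg: NatAddressConfig, number: int, start: str, end: str) -> Optional[str]:
    """The error text if adding the member is refused, else None."""
    try:
        cfg.add_member(number, start, end)
    except NatAddressError as exc:
        return str(exc)
    return None
```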

nat dns-map

Syntax

nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

undo nat dns-map domain domain-name

View

System view

Default level

2: System level

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a string containing no more than 255 case-insensitive characters. It consists of several labels separated by dots (.). Each label has no more than 63 characters that must begin and end with letters or digits; besides, dashes (-) can be included.

protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.

ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.

port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.

Description

Use the nat dns-map command to map the domain name to the public network information of an internal server.

Use the undo nat dns-map command to remove a DNS mapping.

Related commands: display nat dns-map.

Examples

# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port www

nat outbound

Syntax

nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]

undo nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]


View

Interface view

Default level

2: System level

Parameters

acl-number: ACL number, in the range of 2000 to 3999.

address-group group-number: Specifies an address pool for NAT. If no address pool is specified, the IP address of the interface will be used as the translated IP address, that is, Easy IP is enabled.

vpn-instance vpn-instance-name: Specifies the L3VPN to which the addresses of the address pool belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With this option, inter-VPN access through NAT is supported. Without this option, the addresses in the address pool do not belong to any VPN.

no-pat: Indicates that many-to-many NAT is implemented, translating only the IP address and not the port. If this keyword is not configured, many-to-one NAT is implemented using the TCP/UDP port information.

track vrrp virtual-router-id: Associates address translation on a specified outbound interface with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this argument specified, no VRRP group is associated.

Description

Use the nat outbound command or the nat outbound acl-number command to associate an ACL with the IP address of the interface and enable Easy IP.

Use the nat outbound acl-number address-group group-number no-pat command to associate an ACL with an IP address pool for translation of only the IP address and enable many-to-many NAT.

Use the nat outbound address-group group-number command or the nat outbound acl-number address-group group-number command to associate an ACL with an IP address pool for translation of both the IP address and port number and enable NAPT.

Use the undo nat outbound command to remove an association.

If the acl-number argument is specified, a packet matching the associated ACL will be serviced by NAT. If the acl-number argument is not specified, a packet whose source IP address is not the IP address of the outbound interface will be serviced by NAT.

Note the following:

• You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to the external network.

• When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted; they will be aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network whereas all the other users are not affected. You can also use the reset nat session command to clear all the NAT entries, but NAT service will be terminated and all users will have to reinitiate connections. You can make a proper choice as required.

• When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.

• If a packet matches the specified next hop, the packet will be translated using an IP address in the address pool; if not, the packet will not be translated.


• You can bind an ACL to only one address pool on an interface; an address pool can be bound to multiple ACLs.

• NAPT cannot translate connections from external hosts to internal hosts.

• With reverse address translation enabled, after NAT creates an entry for an internal host to access the Internet, NAT can use this entry to perform destination IP address translation for new connections from the Internet to the public IP address of the internal host. If an ACL is associated with the address pool where the public IP address of the internal host resides, the connections must match the ACL; otherwise, they cannot be translated.

• In stateful failover networking, make sure that you associate each address pool configured on an interface with one VRRP group only; otherwise, the system associates the address pool with the VRRP group having the highest group ID.

NOTE:

For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address and VPN instance information in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in any two ACL rules are the same, a conflict occurs.

Examples

# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses 202.110.10.10 through 202.110.10.12. Assume that interface GigabitEthernet 0/1 is connected to the Internet.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2001] rule deny

[Sysname-acl-basic-2001] quit

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# To also translate TCP/UDP port information, do the following:

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1

# To ignore the TCP/UDP port information in translation, do the following:

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1 no-pat

# To use the IP address of the GigabitEthernet 0/1 interface for translation, do the following:

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat outbound 2001

# To enable reverse address translation and use address pool 1, do the following:

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1 no-pat reversible
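The four command lines above select different translation behaviours that are hard to picture from the syntax alone. The following Python model is an added example written for this page; it is not HP code and does not claim to reproduce the firewall's internals. It assumes a simplified sequential port allocator, ignores the 5 to 10 minute entry aging, and models the ACL 2001 rule from the example as a single permitted subnet. It shows the ACL gate (including the note that an inoperative ACL blocks only new sessions), why a three-address pool with no-pat serves at most three concurrent internal hosts while PAT multiplexes ports on one public address, and that a new connection from the Internet to a pool address reaches an internal host only when reversible is set and an outbound entry already exists.

```python
import ipaddress


class NatOutbound:
    """Simplified model (constructed for this page, not device code) of one
    `nat outbound` binding: an ACL, an address pool (or the interface address
    for Easy IP) and the no-pat / reversible flags.  Entry aging is not modelled."""

    def __init__(self, acl_network, pool, no_pat=False, reversible=False, first_port=1024):
        self.acl = ipaddress.IPv4Network(acl_network)   # ACL 2001: rule permit source ...
        self.pool = list(pool)                          # address group, or [interface address]
        self.no_pat = no_pat
        self.reversible = reversible
        self.acl_active = True          # an inoperative ACL blocks NEW sessions only
        self.next_port = first_port     # PAT port allocator (simplified: sequential)
        self.sessions = {}              # (src, sport) -> (public ip, public port)
        self.host_map = {}              # src -> public ip, used in no-pat mode

    def translate(self, src, sport):
        """Outbound packet: return the translated (ip, port), or None if it is not translated."""
        key = (src, sport)
        if key in self.sessions:
            return self.sessions[key]          # existing session survives an inactive ACL
        if not self.acl_active or ipaddress.IPv4Address(src) not in self.acl:
            return None                        # not matched by the ACL: no new entry
        if self.no_pat:
            pub = self.host_map.get(src)
            if pub is None:
                in_use = set(self.host_map.values())
                free = [a for a in self.pool if a not in in_use]
                if not free:
                    return None                # pool exhausted: another host cannot go out
                pub = free[0]
                self.host_map[src] = pub
            entry = (pub, sport)               # no-pat leaves the source port unchanged
        else:
            entry = (self.pool[0], self.next_port)   # PAT: one public ip, many ports
            self.next_port += 1
        self.sessions[key] = entry
        return entry

    def inbound(self, dst):
        """New connection from the Internet to public ip `dst`: the internal host it reaches,
        only when reversible is set and an outbound entry already exists for that address."""
        if not self.reversible:
            return None
        for src, pub in self.host_map.items():
            if pub == dst:
                return src
        return None


if __name__ == "__main__":
    pool = ["202.110.10.10", "202.110.10.11", "202.110.10.12"]   # address-group 1
    nat = NatOutbound("10.110.10.0/24", pool, no_pat=True, reversible=True)
    for host in ("10.110.10.1", "10.110.10.2", "10.110.10.3", "10.110.10.4"):
        print(host, "->", nat.translate(host, 40000))   # the fourth host gets None
    print("inbound to 202.110.10.11 ->", nat.inbound("202.110.10.11"))
```

The no-pat exhaustion is the point to watch in a real deployment: with a three-address pool, a fourth internal host simply cannot reach the outside until an entry ages out, so size the pool for the peak number of concurrent hosts or use PAT.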

nat outbound static

Syntax

nat outbound static [ track vrrp virtual-router-id ]

undo nat outbound static [ track vrrp virtual-router-id ]

View

Interface view

Default level

2: System level

Parameters

track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this option specified, no VRRP group is associated.

Description

Use the nat outbound static command to enable static NAT on an interface, making the configured static NAT mappings take effect.

Use the undo nat outbound static command to disable static NAT on the interface.

Related commands: display nat static.

Examples

# Configure a one-to-one NAT mapping and enable static NAT on interface GigabitEthernet 0/1.

<Sysname> system-view

[Sysname] nat static 192.168.1.1 2.2.2.2

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat outbound static

nat server

Syntax

nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }

undo nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }

View

Interface view

Default level

2: System level

Parameters

index: Index of the internal server.

protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify port number for the internal server.

global-address: Public IP address for the internal server.

current-interface: Uses the current interface address as the external IP address for the internal server.

global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. Note that global-port2 must be greater than global-port1.

local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. Note that local-address2 must be greater than local-address1 and that the number of addresses must match that of the specified ports.

local-port: Port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20.

• You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.

• You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.

global-port: Global port number for the internal server, in the range of 0 to 65535.

local-address: Internal IP address of the internal server.

vpn-instance local-name: Specifies the L3VPN to which the internal server belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this parameter, the internal server does not belong to any VPN.

remote-host host-address: IP address of the remote host accessing the internal server.

lease-duration lease-time: Valid time of the service provided by the internal server. The lease-time argument indicates the valid time, in the range of 0 to 4294967295, in seconds. The value 0 indicates that the service never expires.

description string: Detailed information about the internal server. The string argument is a case-insensitive string of 1 to 256 characters.

track vrrp virtual-router-id: Associates the internal server with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group to be associated. Without this option specified, no VRRP group is associated.

Description

Use the nat server command to define an internal server.

Using the address and port defined by the global-address and global-port parameters, external users can access the internal server with an IP address of local-address and a port of local-port.

Use the undo nat server command to remove the configuration.

Note that:

• If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined.

• Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in an internal network or a VPN.

• The number of internal servers that each command can define equals the difference between global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands.

• In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external network.

• The firewall supports using an interface address as the external IP address of an internal server, which is Easy IP. If you specify the current-interface keyword, the internal server uses the current primary IP address of the current interface. If you use interface { interface-type interface-number } to specify an interface, the interface must be an existing loopback interface and the current primary IP address of the loopback interface is used.

• It is strongly recommended that if an internal server using Easy IP is configured on the current interface, the IP address of this interface should not be configured as the external address of another internal server, and vice versa. This is because the interface address referenced by the internal server using Easy IP already serves as the external address of that internal server.

• In stateful failover networking, make sure that you associate the public address of an internal server on an interface with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID.

Related commands: display nat server.

CAUTION:

When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.

Examples

# Allow external users to access the internal Web server 10.110.10.10 on the LAN through http://202.110.10.10:8080, and the internal FTP server 10.110.10.11 in VPN vrf10 through ftp://202.110.10.10/. Assume that the interface GigabitEthernet 0/1 is connected to the external network.

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

[Sysname-GigabitEthernet0/1] quit

[Sysname] ip vpn-instance vrf10

[Sysname-vpn-instance] route-distinguisher 100:001

[Sysname-vpn-instance] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance] quit

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

# Allow external hosts to ping the host with an IP address of 10.110.10.12 in VPN vrf10 by using the ping 202.110.10.11 command.

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 in VPN vrf10 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can telnet to 202.110.10.10:1001 to access 10.110.10.1, telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Remove the Web server.

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Remove the FTP server from VPN vrf10.

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] undo nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10
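The port-range form of nat server (global-port1 global-port2 inside local-address1 local-address2) expands into many one-to-one mappings, and the description lists several constraints on its arguments. The following Python is an added example written for this page, not HP code; it expands the Telnet example above into its individual mappings, enforces the documented constraints (global-port2 greater than global-port1, matching address and port counts, the 4096-per-interface limit, and the rule that any on one side requires any or nothing on the other), and answers the inbound question a firewall has to answer: which internal host, if any, does a connection to 202.110.10.10:1002 reach. The counts are treated as inclusive, as in the page's own example (ports 1001 to 1100 for hosts .1 to .100).

```python
import ipaddress

MAX_SERVERS_PER_INTERFACE = 4096    # limit stated in the nat server description


def nat_server_range(global_addr, gport1, gport2, local1, local2, local_port):
    """Expand one `nat server protocol tcp global A p1 p2 inside L1 L2 lport`
    command into its individual one-to-one mappings, applying the documented
    argument constraints.  Counts are inclusive, matching the page's example.
    Returns {(public_ip, public_port): (internal_ip, internal_port)}."""
    if gport2 <= gport1:
        raise ValueError("global-port2 must be greater than global-port1")
    l1, l2 = ipaddress.IPv4Address(local1), ipaddress.IPv4Address(local2)
    if l2 <= l1:
        raise ValueError("local-address2 must be greater than local-address1")
    n_ports = gport2 - gport1 + 1
    n_addrs = int(l2) - int(l1) + 1
    if n_ports != n_addrs:
        raise ValueError(f"{n_ports} global ports but {n_addrs} internal addresses")
    if n_ports > MAX_SERVERS_PER_INTERFACE:
        raise ValueError("more than 4096 internal servers on one interface")
    return {(global_addr, gport1 + i): (str(l1 + i), local_port) for i in range(n_ports)}


def any_ports_consistent(global_port, local_port):
    """`any` (port 0) on one side requires `any` or nothing (None) on the other side."""
    if global_port == "any" or local_port == "any":
        return {global_port, local_port} <= {"any", None}
    return True


def inbound_lookup(servers, dst_ip, dst_port):
    """Connection from the Internet to dst_ip:dst_port -> internal (ip, port), or None.
    A destination with no mapping is simply not forwarded inward."""
    return servers.get((dst_ip, dst_port))


if __name__ == "__main__":
    # The Telnet example from the page: 202.110.10.10:1001-1100 -> 10.110.10.1-100:23
    telnet = nat_server_range("202.110.10.10", 1001, 1100, "10.110.10.1", "10.110.10.100", 23)
    print(len(telnet), "mappings")
    print("202.110.10.10:1002 ->", inbound_lookup(telnet, "202.110.10.10", 1002))
    print("202.110.10.10:1101 ->", inbound_lookup(telnet, "202.110.10.10", 1101))
```

Expanding the command this way is also a useful review step before committing it: the expanded table is exactly the set of internal hosts and ports that become reachable from the outside, which is what an exposure review should be checking.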

nat static

Syntax

nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]

undo nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]

View

System view

Default level

2: System level

Parameters

local-ip: Internal IP address.

vpn-instance local-name: Specifies the VPN to which the internal IP address belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal IP address does not belong to any VPN.

global-ip: External IP address.

vpn-instance global-name: Specifies the VPN to which the external IP address belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external IP address does not belong to any VPN.

Description

Use the nat static command to configure a one-to-one static NAT mapping.

Use the undo nat static command to remove a one-to-one static NAT mapping.

Related commands: display nat static.

Examples

# In system view, configure static NAT mapping between internal IP address 192.168.1.1 and external IP address 2.2.2.2.

<Sysname> system-view

[Sysname] nat static 192.168.1.1 2.2.2.2

nat static net-to-net

Syntax

nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { netmask-length | netmask }

undo nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { netmask-length | netmask }

View

System view

Default level

2: System level

Parameters

local-start-address local-end-address: Internal network address range, which contains at most 255 IP addresses.

local-network: Internal network address.

vpn-instance local-name: Specifies the L3VPN to which the internal network belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal network does not belong to any VPN.

global-network: External network address.

vpn-instance global-name: Specifies the VPN to which the external network belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external network does not belong to any VPN.

netmask-length: Length of the network mask.

netmask: Network mask.

Description

Use the nat static net-to-net command to configure a net-to-net static NAT mapping.

Use the undo nat static net-to-net command to remove a net-to-net static NAT mapping.

The IP addresses of the internal network must be on the same network segment according to the mask length of the external network address.

Related commands: display nat static.

Examples

# Configure a bidirectional static NAT mapping between internal network address 192.168.1.0 and external network address 2.2.2.0.

<Sysname> system-view

[Sysname] nat static net-to-net 192.168.1.0 2.2.2.0 24
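A net-to-net mapping keeps the host part of each address and swaps the network part, in both directions, which is what "bidirectional" means above. The following Python is an added example written for this page, not HP code; the 24-bit mask and the host addresses are constructed sample values. It translates an internal address outward and a public address inward under the 192.168.1.0 to 2.2.2.0 mapping, and returns None for an address outside the mapped segment, illustrating the requirement that the internal addresses lie on the same segment as defined by the external network's mask length.

```python
import ipaddress


def net_to_net(local_network, global_network, mask_len):
    """Return the two networks of a `nat static net-to-net` mapping as IPv4Network objects.
    The same mask length applies to both sides, as in the command syntax."""
    lnet = ipaddress.IPv4Network(f"{local_network}/{mask_len}", strict=False)
    gnet = ipaddress.IPv4Network(f"{global_network}/{mask_len}", strict=False)
    return lnet, gnet


def translate(src_net, dst_net, ip):
    """Replace the network part of `ip` (a member of src_net) with that of dst_net,
    keeping the host bits.  Returns None when `ip` is outside src_net, i.e. the
    mapping does not apply and the packet is left untranslated."""
    addr = ipaddress.IPv4Address(ip)
    if addr not in src_net:
        return None
    host_bits = int(addr) & int(src_net.hostmask)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) | host_bits))


def outbound(local_network, global_network, mask_len, local_ip):
    """Internal host -> public address."""
    lnet, gnet = net_to_net(local_network, global_network, mask_len)
    return translate(lnet, gnet, local_ip)


def inbound(local_network, global_network, mask_len, global_ip):
    """Public address -> internal host (the reverse direction of the same mapping)."""
    lnet, gnet = net_to_net(local_network, global_network, mask_len)
    return translate(gnet, lnet, global_ip)


if __name__ == "__main__":
    # Constructed sample: the page's 192.168.1.0 <-> 2.2.2.0 mapping with a /24 mask
    print(outbound("192.168.1.0", "2.2.2.0", 24, "192.168.1.37"))   # 2.2.2.37
    print(inbound("192.168.1.0", "2.2.2.0", 24, "2.2.2.37"))        # 192.168.1.37
    print(outbound("192.168.1.0", "2.2.2.0", 24, "192.168.2.5"))    # None
```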

NAT-PT configuration commands

display natpt address-group

Syntax

display natpt address-group [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays the lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display natpt address-group command to display the NAT-PT address pool configuration information.

Examples

# Display the NAT-PT address pool configuration information.

<Sysname> display natpt address-group

NATPT IPv4 Address Pool Information:

1 : from 1.1.1.1 to 1.1.1.4

Table 8 Output description

Field Description

1 Address pool number

from 1.1.1.1 Start IP address in an address pool

to 1.1.1.4 End IP address in an address pool

display natpt address-mapping

Syntax

display natpt address-mapping [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays the lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display natpt address-mapping command to display the static and dynamic NAT-PT address mappings.

The displayed information does not include the information about port translation through the NAPT-PT mechanism.

Examples

# Display the static and dynamic NAT-PT address mappings.

<Sysname> display natpt address-mapping

NATPT address mapping(v6bound view):

IPv4 Address IPv6 Address Type

1.1.1.1 3001::0001 SOURCE

2.2.2.2 3001::0002 DESTINATION

NATPT V6Server static mapping:

IPv4Address IPv6 Address Pro

1.1.1.1^ 6 3001::0003^ 1270 TCP

Table 9 Output description

Field Description

NATPT address mapping (v6bound view) Static and dynamic IPv4/IPv6 address mapping on the IPv6 side.

IPv4 Address IPv4 address

IPv6 Address IPv6 address

Type Type of the mapping, which can be:

• SOURCE: Mapping created according to the configuration on the IPv6 side

• DESTINATION: Mapping created according to the configuration on the IPv4 side

NATPT V6Server static mapping Displays the NAT-PT mapping of an IPv6 server.

IPv4Address IPv4 address and port number

IPv6 Address Corresponding IPv6 address and port number

Pro Protocol type

display natpt all

Syntax

display natpt all [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays the lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display natpt all command to display all NAT-PT configuration information.

Examples

# Display all NAT-PT configuration information.

<Sysname> display natpt all

IPv4 Address Pool Information:

1 : from 1.1.1.1 to 1.1.1.4

Address Mappings (V6toV4):

IPv4 Address IPv6 Address Type

1.1.1.1 3001::0001 SOURCE

2.2.2.2 3001::0002 DESTINATION

V6Server static mapping:

IPv4Address IPv6 Address Pro

1.1.1.1^ 6 3001::0003^ 1270 TCP

V4toV6 Information:

No V4 Access Records Present

V6toV4 Information:

No V6 Access Records Present

Prefix Information:

Prefix Interface NextHop

0064:: /96

Statistics:

Total Sessions: 0

Expired Sessions: 0

Hits: 0

Misses: 0

Total Fragment Sessions: 0

Expired Fragment Sessions: 0

Fragment Hits: 0

Fragment Misses: 0

Total Address Mapping: 0 (static: 0 dynamic: 0 )

Total V6Server Mappings: 0

Enabled Interfaces:

GigabitEthernet0/1

For explanations of the fields displayed above, see the descriptions of the related commands.

display natpt statistics

Syntax

display natpt statistics [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays the lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display natpt statistics command to display NAT-PT statistics information.

The statistics information does not include information about port translation through the NAPT-PT mechanism.

Related commands: reset natpt statistics.

Examples

# Display NAT-PT statistics information.

<Sysname> display natpt statistics

NATPT Statistics:

Total Sessions: 0

Expired Sessions: 0

Hits: 0

Misses: 0

Total Fragment Sessions: 0

Expired Fragment Sessions: 0

Fragment Hits: 0

Fragment Misses: 0

Total Address Mapping: 0 (static: 0 dynamic: 0 )

Total V6Server Mappings: 0

NATPT Interfaces:

GigabitEthernet0/1

Table 10 Output description

Field Description

Total Sessions Total number of sessions

Expired Sessions Number of expired sessions

Hits Number of times that a packet matches a NAT-PT session

Misses Number of times that a packet matches no NAT-PT sessions

Total Fragment Sessions Total number of active fragment sessions

Expired Fragment Sessions Number of expired fragment sessions

Fragment Hits Number of times that a packet fragment matches a NAT-PT fragment session

Fragment Misses Number of times that a packet fragment matches no NAT-PT fragment sessions

Total Address Mapping Number of static and dynamic mappings

Total V6Server Mappings Number of V6Server mappings (address/port mappings)

NATPT Interfaces NAT-PT enabled interfaces

natpt address-group

Syntax

natpt address-group group-number start-ipv4-address end-ipv4-address

undo natpt address-group group-number

View

System view

Default Level

2: System level

Parameters

group-number: Number of an address pool, in the range of 1 to 32.

start-ipv4-address: Start IPv4 address in a pool.

end-ipv4-address: End IPv4 address in a pool.

Description

Use the natpt address-group command to configure a NAT-PT address pool.

Use the undo natpt address-group command to remove the specified NAT-PT address pool.

Note that:

• If start-ipv4-address equals end-ipv4-address, only one address is available in the address pool.

• The execution of the undo natpt address-group command may affect some dynamic NAT-PT mappings.

• Currently, a NAT-PT address pool and an IPv4 NAT address pool do not share any address.

• When there is only one address in the NAT-PT address pool, the address applies to only NAPT-PT. When there is more than one address in the NAT-PT address pool, the end ipv4 address is reserved for NAPT-PT. The number of addresses used for dynamic NAT-PT mapping is the number of configured addresses minus 1.

Related commands: display natpt address-group.

Examples

# Configure a NAT-PT address pool.

<Sysname> system-view

[Sysname] natpt address-group 3 2.3.4.5 2.3.4.10

natpt enable

Syntax

natpt enable

undo natpt enable

View

Interface view

Default Level

2: System level

Parameters

None

Description

Use the natpt enable command to enable the NAT-PT feature on an interface.

Use the undo natpt enable command to disable the NAT-PT feature on an interface.

By default, the NAT-PT feature is disabled on an interface. That is, no NAT-PT is implemented for packets received or sent on the interface.

Note that:

• This command enables both NAT-PT and Address Family Translation (AFT). For more information about AFT, see VPN Configuration Guide.

• Do not configure NAT-PT and AFT on the same device.

Examples

# Enable the NAT-PT feature on an interface.

<Sysname> system-view

[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] natpt enable

natpt prefix

Syntax

natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]

undo natpt prefix natpt-prefix

View

System view

Default Level

2: System level

Parameters

natpt-prefix: Prefix of an IPv6 address, 96 bits in length.

interface interface-type interface-number: Specifies the interface on which NAT-PT is enabled. If the interface is not specified or NAT-PT is not enabled, IPv6 packets are discarded. interface-type interface-number specifies the interface type and number.

nexthop ipv4-address: Specifies the IPv4 address of the next hop. This option does not work on the firewall.

Description

Use the natpt prefix command to configure a NAT-PT prefix.

Use the undo natpt prefix command to remove the configured NAT-PT prefix.

Note that:

• A NAT-PT prefix must be different from the IPv6 address prefix of the receiving interface on the NAT-PT device. Otherwise, NAT-PT translation for a received packet with the prefix will result in packet loss.

• The execution of the undo natpt prefix command may affect the translation of some mappings. Therefore, use this command with caution.

Examples

# Configure a NAT-PT prefix in system view.

<Sysname> system-view

[Sysname] natpt prefix 2001::

natpt turn-off tos

Syntax

natpt turn-off tos

undo natpt turn-off tos

View

System view

Default Level

2: System level

Parameters

None

Description

Use the natpt turn-off tos command to set the ToS field in an IPv4 packet translated from an IPv6 packet to 0.

Use the undo natpt turn-off tos command to restore the default.

By default, the value of the ToS field in an IPv4 packet translated from an IPv6 packet is the same as that of the Traffic Class field in the IPv6 packet.

Examples

# Set the ToS field in an IPv4 packet translated from an IPv6 packet to 0.

<Sysname> system-view

[Sysname] natpt turn-off tos

natpt turn-off traffic-class

Syntax

natpt turn-off traffic-class

undo natpt turn-off traffic-class

View

System view

Default Level

2: System level

Parameters

None

Description

Use the natpt turn-off traffic-class command to set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.

Use the undo natpt turn-off traffic-class command to restore the default.

By default, the value of the Traffic Class field in an IPv6 packet translated from an IPv4 packet is the same as that of the ToS field in the IPv4 packet.

Examples

# Set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.

<Sysname> system-view

[Sysname] natpt turn-off traffic-class

natpt v4bound dynamic

Syntax

natpt v4bound dynamic acl number acl-number prefix natpt-prefix

undo natpt v4bound dynamic acl number acl-number

View

System view

Default Level

2: System level

Parameters

acl number acl-number: Specifies the IPv4 access control list (ACL) number, in the range of 2000 to 2999.

prefix natpt-prefix: Specifies the NAT-PT prefix, which is 96 bits in length.

Description

Use the natpt v4bound dynamic command to configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts by associating an ACL with a NAT-PT prefix.

Use the undo natpt v4bound dynamic command to remove the association.

For a packet from an IPv4 host to an IPv6 host, if the source IPv4 address matches the specified ACL, the NAT-PT prefix will be added to translate the source IPv4 address into an IPv6 address.

CAUTION:

The natpt-prefix argument in the natpt v4bound dynamic command must be specified by the natpt prefix command in advance.

Related commands: display natpt address-mapping.

Examples

# Configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts in system view. Use ACL 2000 to match IPv4 packets and add the NAT-PT prefix 2001:: to translate the source IPv4 address into an IPv6 address.

<Sysname> system-view

[Sysname] natpt prefix 2001::

[Sysname] natpt v4bound dynamic acl number 2000 prefix 2001::

natpt v4bound static

Syntax

natpt v4bound static ipv4-address ipv6-address

undo natpt v4bound static ipv4-address ipv6-address

View

System view

Default Level

2: System level

Parameters

ipv4-address: IPv4 address to be mapped.

ipv6-address: IPv6 address to which an IPv4 address is mapped.

Description

Use the natpt v4bound static command to configure a static IPv4/IPv6 address mapping on the IPv4 side.

Use the undo natpt v4bound static command to remove a static IPv4/IPv6 address mapping on the IPv4 side.

The ipv6-address prefix should be contained in the configured NAT-PT prefix.

Related commands: display natpt address-mapping.

Examples

# Configure a static mapping between the IPv4 address 2.3.4.9 and the IPv6 address 2001::1 on the IPv4 side in system view.

<Sysname> system-view

[Sysname] natpt v4bound static 2.3.4.9 2001::1
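The natpt v4bound dynamic description says the 96-bit NAT-PT prefix is "added" to an IPv4 source address, the v4bound static description says the mapped IPv6 address should be contained in that prefix, and the natpt prefix note says the prefix must differ from the receiving interface's own IPv6 prefix. The following Python is an added example written for this page, not HP code, that makes those three rules concrete with the standard library's ipaddress module: it forms the prefixed IPv6 address for 2.3.4.9 under prefix 2001::, recovers the IPv4 address from a prefixed address in the reverse direction, checks a static mapping against the prefix, and flags a prefix that overlaps an interface prefix. The interface prefixes used are constructed sample values.

```python
import ipaddress


def natpt_prefix(prefix):
    """The NAT-PT prefix is fixed at 96 bits by the natpt prefix command."""
    return ipaddress.IPv6Network(f"{prefix}/96", strict=False)


def v4bound_dynamic(prefix, ipv4):
    """natpt v4bound dynamic: a matching IPv4 source address is translated by
    prepending the 96-bit prefix; the IPv4 address becomes the low 32 bits."""
    v6 = int(natpt_prefix(prefix).network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(v6))


def strip_prefix(prefix, ipv6):
    """Reverse direction: recover the IPv4 address embedded in a prefixed IPv6 address,
    or None if the address does not carry the NAT-PT prefix (so it is not translated)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in natpt_prefix(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def v4bound_static_ok(prefix, ipv6):
    """natpt v4bound static: the IPv6 side of the mapping should lie inside the prefix."""
    return ipaddress.IPv6Address(ipv6) in natpt_prefix(prefix)


def prefix_conflicts_with_interface(prefix, interface_prefix):
    """natpt prefix note: the NAT-PT prefix must differ from the receiving interface's
    own IPv6 prefix, otherwise translated packets with that prefix are lost."""
    return natpt_prefix(prefix).overlaps(ipaddress.IPv6Network(interface_prefix, strict=False))


if __name__ == "__main__":
    print(v4bound_dynamic("2001::", "2.3.4.9"))            # 2001::203:409
    print(strip_prefix("2001::", "2001::203:409"))          # 2.3.4.9
    print(strip_prefix("2001::", "3001::1"))                # None: no NAT-PT prefix
    print(v4bound_static_ok("2001::", "2001::1"))           # True
    print(prefix_conflicts_with_interface("2001::", "2001::/64"))        # True
    print(prefix_conflicts_with_interface("2001::", "2001:db8:1::/64"))  # False
```

The conflict check is worth running against every IPv6 interface on the NAT-PT device, not only the one named in natpt prefix, since the note concerns whichever interface receives the prefixed packets.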

natpt v4bound static v6server

Syntax

natpt v4bound static v6server protocol protocol-type ipv4-address-destination ipv4-port-number ipv6-address-destination ipv6-port-number

undo natpt v4bound static v6server protocol protocol-type ipv4-address-destination ipv4-port-number ipv6-address-destination ipv6-port-number

View

System view

Default Level

2: System level

Parameters

protocol protocol-type: Specifies the protocol type. The protocol-type argument can be:

• tcp: Specifies the TCP protocol.

• udp: Specifies the UDP protocol.

ipv4-address-destination: IPv4 address to which an IPv6 address is mapped.

ipv4-port-number: IPv4 port number, in the range of 1 to 12287.

ipv6-address-destination: Destination IPv6 address to be mapped.

ipv6-port-number: IPv6 port number, in the range of 1 to 12287.

Description

Use the natpt v4bound static v6server command to configure a static NAPT-PT mapping for an IPv6 server.

Use the undo natpt v4bound static v6server command to remove a static NAPT-PT mapping for an IPv6 server.

Related commands: display natpt address-mapping.

Examples

# In system view, configure a static NAPT-PT mapping for an IPv6 server, in which the protocol type is TCP, the IPv4 address and port number are 2.3.4.5 and 80 respectively, and the IPv6 address and port number are 2001::1 and 80 respectively.

<Sysname> system-view

[Sysname] natpt v4bound static v6server protocol tcp 2.3.4.5 80 2001::1 80

natpt v6bound dynamic

Syntax

natpt v6bound dynamic { acl6 number acl6-number | prefix natpt-prefix } { address-group address-group [ no-pat ] | interface interface-type interface-number }

undo natpt v6bound dynamic { acl6 number acl6-number | prefix natpt-prefix }

View

System view

Default Level

2: System level

Parameters

acl6 number acl6-number: Specifies the IPv6 ACL number. If the source IPv6 address of a packet sent from an IPv6 network to an IPv4 network matches this IPv6 ACL, the source IPv6 address is translated based on the command. The IPv6 ACL number ranges from 2000 to 2999.

prefix natpt-prefix: Specifies the NAT-PT prefix. If the destination IPv6 address of a packet sent from an IPv6 network to an IPv4 network is in this NAT-PT prefix, the source IPv6 address is translated based on the command. The NAT-PT prefix is 96 bits in length.

address-group address-group: Specifies the number of the IPv4 address pool for the translation of the source IPv6 address. The IPv4 address pool number is in the range of 1 to 32.

no-pat: Specifies no port address translation. If the no-pat keyword is not provided, port address translation will be performed.

interface interface-type interface-number: Specifies the interface whose IPv4 address is used as the translated source address. interface-type interface-number specifies the interface type and number.

Description

Use the natpt v6bound dynamic command to configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts.

Use the undo natpt v6bound dynamic command to remove the dynamic mapping.

Related commands: display natpt address-mapping.

Examples

# Configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts in system view. Translate the source address of an IPv6 packet that matches IPv6 ACL 2001 into an IPv4 address in address pool 1.

<Sysname> system-view

[Sysname] natpt address-group 1 2.3.4.5 2.3.4.10

[Sysname] natpt v6bound dynamic acl6 number 2001 address-group 1

natpt v6bound static

Syntax

natpt v6bound static ipv6-address ipv4-address

undo natpt v6bound static ipv6-address ipv4-address

View

System view

Default Level

2: System level

Parameters

ipv6-address: IPv6 address to be mapped.

ipv4-address: IPv4 address to which an IPv6 address is mapped.

Description

Use the natpt v6bound static command to configure a static IPv4/IPv6 address mapping on the IPv6 side.

Use the undo natpt v6bound static command to remove a static IPv4/IPv6 address mapping on the IPv6 side.

Related commands: display natpt address-mapping.

Examples

# Configure the static mapping between the IPv6 address 2001::1 and the IPv4 address 2.3.4.5 on the IPv6 side in system view.

<Sysname> system-view

[Sysname] natpt v6bound static 2001::1 2.3.4.5

reset natpt statistics

Syntax

reset natpt statistics

View

User view

Default Level

1: Monitor level

Parameters

None

Description

Use the reset natpt statistics command to clear all NAT-PT statistics information.

Related commands: display natpt statistics.

Examples

# Clear all NAT-PT statistics information.

<Sysname> reset natpt statistics

ALG configuration commands

alg

Syntax

alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }

undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }

View

System view

Default level

2: System level

Parameters

all: Enables ALG for all protocols.

dns: Enables ALG for DNS.

ftp: Enables ALG for FTP.

gtp: Enables ALG for GTP.

h323: Enables ALG for H.323.

ils: Enables ALG for ILS.

msn: Enables ALG for MSN.

nbt: Enables ALG for NBT.

pptp: Enables ALG for PPTP.

qq: Enables ALG for QQ.

rtsp: Enables ALG for RTSP.

sccp: Enables ALG for SCCP.

sip: Enables ALG for SIP.

sqlnet: Enables ALG for SQLNET.

tftp: Enables ALG for TFTP.

Description

Use the alg command to enable ALG for a specified protocol.

Use the undo alg command to disable ALG for a specified protocol.

By default, the ALG feature is enabled for all protocols.

Examples

# Enable ALG for FTP.

<Sysname> system-view

[Sysname] alg ftp


# Disable ALG for DNS.

<Sysname> system-view

[Sysname] undo alg dns
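The alg command above only switches the feature on or off per protocol; what an application level gateway actually does for a protocol such as FTP is inspect the control channel and rewrite the addresses and ports carried in the payload so that NAT does not break the data connection. The following Python is an added illustration of that behaviour and is not the firewall's code: the inside and outside addresses, the sample PORT line and the port range are constructed, and the rule that the embedded address must equal the control connection's source is a common ALG hardening choice assumed here rather than a documented device setting.

```python
"""Model of an FTP ALG rewriting an active-mode PORT command for NAT.

Added illustration, not the firewall's own code. An FTP client behind NAT
sends "PORT h1,h2,h3,h4,p1,p2" (RFC 959) carrying its private address; a
NAT ALG rewrites it to the translated address and port and records the
pinhole the server's data connection will need. The NAT mapping
192.168.1.10 -> 203.0.113.5, the port range starting at 40000 and the
sample command are constructed; refusing PORT lines whose address differs
from the control connection's source is an assumed hardening choice.
"""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command line, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each field is a single byte
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def format_port(ip: str, port: int) -> str:
    """Encode ip and port back into PORT command syntax."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n"


class FtpAlg:
    def __init__(self, inside_ip: str, outside_ip: str):
        self.inside_ip = inside_ip    # source of the FTP control connection
        self.outside_ip = outside_ip  # address NAT presents to the server
        self.next_port = 40000        # constructed start of the translated port range
        # (outside_ip, outside_port) -> (inside_ip, inside_port) data-channel pinholes
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def rewrite(self, line: str) -> Optional[str]:
        """Rewrite a client PORT line; None means drop it instead of forwarding."""
        parsed = parse_port(line)
        if parsed is None:
            return None
        ip, port = parsed
        if ip != self.inside_ip:
            return None  # never open a pinhole toward a host other than the client
        public_port = self.next_port
        self.next_port += 1
        self.pinholes[(self.outside_ip, public_port)] = (ip, port)
        return format_port(self.outside_ip, public_port)


if __name__ == "__main__":
    alg = FtpAlg("192.168.1.10", "203.0.113.5")
    print(repr(alg.rewrite("PORT 192,168,1,10,4,210\r\n")))  # client port 1234
    print(alg.pinholes)
    print(alg.rewrite("PORT 10,0,0,9,4,210\r\n"))  # address mismatch: dropped
```

With ALG disabled for FTP, the PORT line would pass through unchanged and the server's data connection to the private address would fail; with it enabled, the rewrite and the recorded pinhole are what make active-mode FTP work across the translation.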


Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website:

http://www.hp.com/support

Before contacting HP, collect the following information:

• Product model names and numbers

• Technical support registration number (if applicable)

• Product serial numbers

• Error messages

• Operating system type and revision level

• Detailed questions

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:

http://www.hp.com/go/wwalerts

After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.

Related information

Documents

To find related documents, browse to the Manuals page of the HP Business Support Center website:

http://www.hp.com/support/manuals

• For related documentation, navigate to the Networking section, and select a networking category.

• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.

Websites

• HP.com http://www.hp.com

• HP Networking http://www.hp.com/go/networking

• HP manuals http://www.hp.com/support/manuals

• HP download drivers and software http://www.hp.com/support/downloads

• HP software depot http://www.software.hp.com


Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention Description

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

{ x | y | ... } * Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

[ x | y | ... ] * Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.

# A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention Description

Boldface Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

WARNING An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT An alert that calls attention to essential information.

NOTE An alert that contains additional or supplementary information.

TIP An alert that provides helpful information.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.


Index

A

address, 1
alg, 31

D

display nat address-group, 1
display nat all, 2
display nat bound, 4
display nat dns-map, 5
display nat server, 6
display nat static, 7
display nat statistics, 9
display natpt address-group, 19
display natpt address-mapping, 19
display natpt all, 21
display natpt statistics, 22
Documents, 33

N

nat address-group, 10
nat dns-map, 11
nat outbound, 11
nat outbound static, 14
nat server, 14
nat static, 17
nat static net-to-net, 18
natpt address-group, 23
natpt enable, 24
natpt prefix, 24
natpt turn-off tos, 25
natpt turn-off traffic-class, 26
natpt v4bound dynamic, 26
natpt v4bound static, 27
natpt v4bound static v6server, 28
natpt v6bound dynamic, 29
natpt v6bound static, 29

R

reset natpt statistics, 30

S

Subscription service, 33

W

Websites, 33