Академический Документы
Профессиональный Документы
Культура Документы
Legal and notice information Copyright 201 Hewlett-Packard Development Company, L.P. 1 No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
NAT configuration commands 1
address 1 display nat address-group 1 display nat all 2 display nat bound 4 display nat dns-map 5 display nat server 6 display nat static7 display nat statistics 9 nat address-group 10 nat dns-map 11 nat outbound 11 nat outbound static 14 nat server 14 nat static 17 nat static net-to-net 18 display natpt address-group 19 display natpt address-mapping 19 display natpt all 21 display natpt statistics 22 natpt address-group 23 natpt enable 24 natpt prefix 24 natpt turn-off tos 25 natpt turn-off traffic-class 26 natpt v4bound dynamic 26 natpt v4bound static 27 natpt v4bound static v6server 28 natpt v6bound dynamic 29 natpt v6bound static 29 reset natpt statistics 30
alg 31
Index 35
View
Address group view
Default level
2: System level
Parameters
start-address: Start IP address of the address group member. end-address: End IP address of the address group member. The end-address must not be lower than the start-address. If they are the same, the group member has only one IP address.
Description
Use the address command to add a member that specifies an address pool to the address group. The address pools of group members may not be consecutive. Use the undo address command to remove a group member from the address group. Note that: You cannot add/remove a group member to/from an address group when any IP address of the group member is being used or the address group is associated with an Access Control List (ACL). You can add up to 100 members to an address group. The address pools of group members must not overlap with each other or with other address pools.
Examples
# Create address group 2 and add two group members to it. Specify addresses 10.1.1.1 through 10.1.1.15 for one member and addresses 10.1.1.20 through 10.1.1.30 for the other.
<Sysname> system-view [Sysname] nat address-group 2 [Sysname-nat-address-group-2] address 10.1.1.1 10.1.1.15 [Sysname-nat-address-group-2] address 10.1.1.20 10.1.1.30
View
Any view
Default level
1: Monitor level
Parameters
group-number: NAT address group number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat address-group command to display the NAT address pool information. Related commands: nat address-group.
Examples
# Display the NAT address pool information.
<Sysname> display nat address-group NAT address-group information: There are currently 2 nat address-group(s) 1 2 : from : from 202.110.10.10 202.110.10.20 to 202.110.10.15 to 202.110.10.25
Description
NAT address pool information There are currently two NAT address groups. The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15
View
Any view
2
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat all command to display all NAT configuration information.
Examples
# Display all NAT configuration information.
<Sysname> display nat all NAT address-group information: There are currently 1 nat address-group(s) 1 : from 202.110.10.10 to 202.110.10.15
NAT bound information: There are currently 1 nat bound rule(s) Interface: GigabitEthernet0/1 Direction: outbound ACL: 2009 Address-group: 1 NO-PAT: N
NAT server in private network information: There are currently 1 internal server(s) Interface: GigabitEthernet0/2, Protocol: 6(tcp) Global: Local : 5.5.5.5 : 80(www) 192.1.1.1 : 80(www)
NAT static information: There are currently 1 NAT static configuration(s) single static: Local-IP Global-IP Local-VPN : 1.1.1.1 : 2.2.2.2 : ---
Description
NAT address pool information For description on the specific fields, see the display nat address-group command. Configuration information about internal address-to-external address translation. For description on the specific fields, see the display nat bound commands. Internal server information. For description on the specific fields, see the display nat server command. Information about static NAT. For description on the specific fields, see the display nat static command. Information about static NAT entries and interface(s) with static NAT enabled. For description on the specific fields, see the display nat static command.
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat bound command to display the NAT configuration information. Related commands: nat outbound.
Examples
# Display the NAT configuration information.
<Sysname> display nat bound NAT bound information: There are currently 3 nat bound rule(s) Interface:Vlan-interface10 Direction: outbound ACL: 2000 Address-group: 319 NO-PAT: Y
Interface:Vlan-interface10 Direction: outbound VPN-instance: vpn2 Out-interface: Vlan-interface200 Next-hop: 100.100.110.1 Status: Inactive Interface:Vlan-interface20 Direction: outbound VPN-instance: --Out-interface: --Next-hop: --Status: Inactive ACL: 2001 Address-group: --NO-PAT: N ACL: 3000 Address-group: 300 NO-PAT: N
Description
Display configured NAT address translation information The interface associated with a NAT address pool. Address translation direction: outbound ACL number Address group number. The field is displayed as null in Easy IP mode. Support for NO-PAT mode or not VPN where the NAT address pool belongs. The field is displayed as --- if it is not configured. The specified outbound interface. The field is displayed as --- if it is not configured. The specified next hop address. The field is displayed as --- if it is not configured. Current status of the configuration, which can be active or inactive.
View
Any view
Default level
1: Monitor level
5
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat dns-map command to display NAT DNS mapping configuration information. Related commands: nat dns-map.
Examples
# Display NAT DNS mapping configuration information.
<Sysname> display nat dns-map NAT DNS mapping information: There are currently 2 NAT DNS mapping(s) Domain-name: www.server.com Global-IP : 202.113.16.117
Description
NAT DNS mapping information There are two DNS mapping entries Domain name of the internal server External IP address of the internal server Public port number of the internal server Protocol type of the internal server
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat server command to display information about internal servers. Related commands: nat server.
Examples
# Display information about internal servers.
<Sysname> display nat server NAT server in private network information: There are currently 2 internal server(s) Interface: Vlan-interface10, Protocol: 6(tcp) Global: 100.100.120.120 : 21(ftp) Local : 192.168.100.100 : 21(ftp) Status: Inactive
Interface: Vlan-interface11, Protocol: 6(tcp) Global: 100.100.100.121 : 80(www) Local : 192.168.100.101 : 80(www) Status: Active vpn2
Description
Information about internal servers Internal server interface Protocol type External IP address and port number of a server, and the VPN that the external address belongs to. Internal network information of a server Current status of the configuration, which can be active or inactive.
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat static command to display static NAT entries and interface(s) with static NAT enabled. Related commands: nat static and nat outbound static.
Examples
# Display static NAT entries and interface(s) with static NAT enabled.
<Sysname> display nat static NAT static information: There are currently 2 NAT static configuration(s) net-to-net: Local-IP Global-IP Netmask Local-VPN Global-VPN single static: Local-IP Global-IP Local-VPN Global-VPN Interface Vlan-interface11 : 4.4.4.4 : 5.5.5.5 : --: --Direction out-static : 1.1.1.0 : 2.2.2.0 : 255.255.255.0 : vpn1 : vpn2
Description
Configuration information of static NAT Net-to-net static NAT One-to-one static NAT Internal IP address External IP address 8
Field
Netmask Local-VPN Global-VPN
Description
Network mask L3VPN that the internal IP address belongs to L3VPN that the external IP address belongs to
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display nat statistics command to display NAT statistics.
Examples
# Display NAT statistics.
<Sysname> display nat statistics total PAT session table count: 1 total NO-PAT session table count: 0 total SERVER session table count: 0 total STATIC session table count: 0 active PAT session table count: 1 active NO-PAT session table count: 0
Description
Number of PAT session entries Number of NO-PAT session entries Number of SERVER session entries Number of STATIC session entries Number of active PAT session entries
Field
active NO-PAT session table count
Description
Number of active NO-PAT session entries
nat address-group
Syntax
nat address-group group-number [ start-address end-address ] [ level level ] undo nat address-group group-number [ start-address end-address ] [ level level ]
View
System view
Default level
2: System level
Parameters
group-number: Index of the address pool. start-address: Start IP address of the address pool. end-address: End IP address of the address pool. The end-address cannot be smaller than the start-address. If they are the same, the address pool has only one IP address. level leve: Address pool level. The value of level is in range of 0 to 1. 0 represents low priority.
Description
Use the nat address-group command to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool. Without the start and end IP addresses specified, the command places you into the address group view. Use the undo nat address-group command to remove an address pool or address group. An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command. The address pools of group members may not be consecutive. Note that: You cannot remove an address pool or address group that has been associated with an ACL. Different address pools must not overlap. The address pools of group members must not overlap with each other or with other address pools. An address pool or address group is not needed in the case of Easy IP where the interfaces public IP address is used as the translated IP address.
Examples
# Configure an address pool numbered 1 that contains addresses 202.1 10.10.10 to 202.1 10.10.15.
<Sysname> system-view [Sysname] nat address-group 1 202.110.10.10 202.110.10.15
# Create address group 2 and add a group member that contains IP addresses 10.1.1.1 through 10.1.1.15 to it.
<Sysname> system-view
10
nat dns-map
Syntax
nat dns-map domain domain-name protocol pro-type ip global-ip port global-port undo nat dns-map domain domain-name
View
System view
Default level
2: System level
Parameters
domain domain-name: Specifies the domain name of an internal server. A domain name is a string containing no more than 255 case-insensitive characters. It consists of several labels separated by dots (.). Each label has no more than 63 characters that must begin and end with letters or digits; besides, dashes (-) can be included. protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp. ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network. port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.
Description
Use the nat dns-map command to map the domain name to the public network information of an internal server. Use the undo nat dns-map command to remove a DNS mapping. Related commands: display nat dns-map.
Examples
# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.1 12.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.
<Sysname> system-view [Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port www
nat outbound
Syntax
nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ] undo nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]
11
View
Interface view
Default level
2: System level
Parameters
acl-number: ACL number, in the range of 2000 to 3999. address-group group-number: Specifies an address pool for NAT. If no address pool is specified, the IP address of the interface will be used as the translated IP address, that is, Easy IP is enabled. vpn-instance vpn-instance-name: Specifies the L3VPN to which the addresses of the address pool belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With this option, inter-VPN access through NAT is supported. Without this option, the addresses in the address pool do not belong to any VPN. no-pat: Indicates that no many-to-many NAT is implemented. If this keyword is not configured, many-to-one NAT is implemented using the TCP/UDP port information. track vrrp virtual-router-id: Associates address translation on a specified outbound interface with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this argument specified, no VRRP group is associated.
Description
Use the nat outbound command or the nat outbound acl-number command to associate an ACL with the IP address of the interface and enable Easy IP. Use the nat outbound acl-number address-group group-number no-pat command to associate an ACL with an IP address pool for translation of only the IP address and enable many-to-many NAT. Use the nat outbound address-group group-number command or the nat outbound acl-number address-group group-number command to associate an ACL with an IP address pool for translation of both the IP address and port number and enable NAPT. Use the undo nat outbound command to remove an association. If the acl-number argument is specified, a packet matching the associated ACL will be serviced by NAT. If the acl-number argument is not specified, a packet whose source IP address is not the IP address of the outbound interface will be serviced by NAT. Note the following: You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to the external network. When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted; they will be aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network whereas all the other users are not affected. You can also use the reset nat session command to clear all the NAT entries, but NAT service will be terminated and all users will have to reinitiate connections. You can make a proper choice as required. When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication. If a packet matches the specified next hop, the packet will be translated using an IP address in the address pool; if not, the packet will not be translated.
12
You can bind an ACL to only one address pool on an interface; an address pool can be bound to multiple ACLs. NAPT cannot translate connections from external hosts to internal hosts. With reverse address translation enabled, after NAT creates an entry for an internal host to access the Internet, NAT can use this entry to perform destination IP address translation for new connections from the Internet to the public IP address of the internal host. If an ACL is associated with the address pool where the public IP address of the internal host resides, the connections must match the ACL; otherwise, they cannot be translated. In stateful failover networking, make sure that you associate each address pool configured on an interface with one VRRP group only; otherwise, the system associates the address pool with the VRRP group having the highest group ID.
NOTE: For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address and VPN instance information in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in any two ACL rules are the same, a conflict occurs.
Examples
# Configure NAT for hosts on subnet 10.1 10.10.0/24. The NAT address pool contains addresses 202.1 10.10.10 through 202.1 10.10.12. Assume that interface GigabitEthernet 1/0 is connected to the Internet.
<Sysname> system-view [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255 [Sysname-acl-basic-2001] rule deny [Sysname-acl-basic-2001] quit [Sysname] nat address-group 1 202.110.10.10 202.110.10.12
# To use the IP address of the GigabitEthernet 0/1 interface for translation, do the following:
<Sysname> system-view [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat outbound 2001
# To enable reverse address translation and use address pool 1, do the following:
<Sysname> system-view [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1 no-pat reversible
13
View
Interface view
Default level
2: System level
Parameters
track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this option specified, no VRRP group is associated.
Description
Use the nat outbound static command to enable static NAT on an interface, making the configured static NAT mappings take effect. Use the undo nat outbound static command to disable static NAT on the interface. Related commands: display nat static.
Examples
# Configure a one-to-one NAT mapping and enable static NAT on interface GigabitEthernet 0/1.
<Sysname> system-view [Sysname] nat static 192.168.1.1 2.2.2.2 [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat outbound static
nat server
Syntax
nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] } undo nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }
View
Interface view
Default level
2: System level
Parameters
index: Index of the internal server.
14
protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify port number for the internal server. global-address: Public IP address for the internal server. current-interface: Uses the current interface address as the external IP address for the internal server. global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. Note that global-port2 must be greater than global-port1. local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. Note that local-address2 must be greater than local-address1 and that the number of addresses must match that of the specified ports. local-port: Port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20. You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on. You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.
global-port: Global port number for the internal server, in the range of 0 to 65535. local-address: Internal IP address of the internal server. vpn-instance local-name: Specifies the L3VPN to which the internal server belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this parameter, the internal server does no belong to any VPN. remote-host host-address: IP address of the remote host accessing the internal server. lease-duration lease-time: Valid time of the service provided by the internal server. The lease-time argument indicates the valid time, in the range of 0 to 4294967295, in seconds. The value 0 indicates that the service never expires. description string: Detailed information about the internal server. The string argument is a case-insensitive string of 1 to 256 characters. track vrrp virtual-router-id: Associates the internal server with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group to be associated. Without this option specified, no VRRP group is associated.
Description
Use the nat server command to define an internal server. Using the address and port defined by the global-address and global-port parameters, external users can access the internal server with an IP address of local-address and a port of local-port. Use the undo nat server command to remove the configuration. Note that: If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined. Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in an internal network or a VPN.
15
The number of internal servers that each command can define equals the difference between global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands. In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external network. The firewall supports using an interface address as the external IP address of an internal server, which is Easy IP. If you specify the current-interface keyword, the internal server uses the current primary IP address of the current interface. If you use interface { interface-type interface-number } to specify an interface, the interface must be an existing loopback interface and the current primary IP address of the loopback interface is used. It is strongly recommended that if an internal server using Easy IP is configured on the current interface, the IP address of this interface should not be configured as the external address of another internal server; vice versa. This is because that the interface address that is referenced by the internal server using Easy IP serves as the external address of the internal server. In stateful failover networking, make sure that you associate the public address of an internal server on an interface with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID.
Related commands: display nat server. CAUTION: When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.
Examples
# Allow external users to access the internal Web server 10.1 10.10.10 on the LAN through http://202.1 10.10.10:8080, and the internal FTP server 10.1 10.10.1 in VPN vrf10 through 1 ftp://202.1 10.10.10/. Assume that the interface GigabitEthernet 0/1 is connected to the external network.
<Sysname> system-view [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www [Sysname-GigabitEthernet0/1] quit [Sysname] ip vpn-instance vrf10 [Sysname-vpn-instance] route-distinguisher 100:001 [Sysname-vpn-instance] vpn-target 100:1 export-extcommunity [Sysname-vpn-instance] vpn-target 100:1 import-extcommunity [Sysname-vpn-instance] quit [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10
# Allow external hosts to ping the host with an IP address of 10.1 10.10.12 in VPN vrf10 by using the ping 202.1 10.10.1 command. 1
<Sysname> system-view [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat 10.110.10.12 vpn-instance vrf10 server protocol icmp global 202.110.10.11 inside
16
# Allow external hosts to access the Telnet services of internal servers 10.1 10.10.1 to 10.1 10.10.100 in VPN vrf10 through the public address of 202.1 10.10.10 and port numbers from 1001 to 1 100. As a result, a user can telnet to 202.1 10.10.10:1001 to access 10.1 10.10.1, telnet to 202.1 10.10.10:1002 to access 10.1 10.10.2, and so on.
<Sysname> system-view [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10
nat static
Syntax
nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ] undo nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
View
System view
Default level
2: System level
Parameters
local-ip: Internal IP address. vpn-instance local-name: Specifies the VPN to which the internal IP address belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal IP address does not belong to any VPN. global-ip: External IP address. vpn-instance global-name: Specifies the VPN to which the external IP address belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external IP address does not belong to any VPN.
Description
Use the nat static command to configure a one-to-one static NAT mapping. Use the undo nat static command to remove a one-to-one static NAT mapping. Related commands: display nat static.
17
Examples
# In system view, configure static NAT mapping between internal IP address 192.168.1.1 and external IP address 2.2.2.2.
<Sysname> system-view [Sysname] nat static 192.168.1.1 2.2.2.2
View
System view
Default level
2: System level
Parameters
local-start-address local-end-address: Internal network address range, which contains at most 255 IP addresses. local-network: Internal network address. vpn-instance local-name: Specifies the L3VPN to which the internal network belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal network does not belong to any VPN. global-network: External network address. vpn-instance global-name: Specifies the VPN to which the external network belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external network does not belong to any VPN. mask-length: Length of the network mask. mask: Network mask.
Description
Use the nat static net-to-net command to configure a net-to-net static NAT mapping. Use the undo nat static net-to-net command to remove a net-to-net static NAT mapping. The IP addresses of the internal network must be on the same network segment according to the mask length of the external network address. Related commands: display nat static.
Examples
# Configure a bidirectional static NAT mapping between internal network address 192.168.1.0 and external network address 2.2.2.0.
<Sysname> system-view [Sysname] nat static net-to-net 192.168.1.1 2.2.2.0
18
View
Any view
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display natpt address-group command to display the NAT-PT address pool configuration information.
Examples
# Display the NAT-PT address pool configuration information.
<Sysname> display natpt address-group NATPT IPv4 Address Pool Information: 1 : from 1.1.1.1 to 1.1.1.4
Description
Address pool number Start IP address in an address pool End IP address in an address pool
View
Any view
19
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display natpt address-mapping command to display the static and dynamic NAT-PT address mappings. The displayed information does not include the information about port translation through the NAPT-PT mechanism.
Examples
# Display the static and dynamic NAT-PT address mappings.
<Sysname> display natpt address-mapping NATPT address mapping(v6bound view): IPv4 Address 1.1.1.1 2.2.2.2 IPv6 Address 3001::0001 3001::0002 Type SOURCE DESTINATION
NATPT V6Server static mapping: IPv4Address 1.1.1.1^ 6 IPv6 Address 3001::0003^ 1270 Pro TCP
Description
Static and dynamic IPv4/IPv6 address mapping on the IPv6 side. IPv4 address IPv6 address Type of the mapping, which can be:
20
View
Any view
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display natpt all command to display all NAT-PT configuration information.
Examples
# Display all NAT-PT configuration information.
<Sysname> display natpt all IPv4 Address Pool Information: 1 : from 1.1.1.1 Address Mappings (V6toV4): IPv4 Address 1.1.1.1 2.2.2.2 IPv4Address 1.1.1.1^ 6 IPv6 Address 3001::0001 3001::0002 IPv6 Address 3001::0003^ 1270 Type SOURCE DESTINATION Pro TCP to 1.1.1.4
V4toV6 Information: No V4 Access Records Present V6toV4 Information: No V6 Access Records Present Prefix Information: Prefix 0064:: Statistics: Total Sessions: Hits: Misses: 0 0 0 0 /96 Interface NextHop
Expired Sessions: 0
21
Fragment Hits: Fragment Misses: Total Address Mapping: Total V6Server Mappings: 0 Enabled Interfaces: GigabitEthernet0/1
0 0 0 (static: 0 dynamic: 0 )
For the explanations to the information displayed above, see the descriptions of related commands.
View
Any view
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display natpt statistics command to display NAT-PT statistics information. The statistics information does not include information about port translation through the NAPT-PT mechanism. Related commands: reset natpt statistics.
Examples
# Display NAT-PT statistics information.
<Sysname> display natpt statistics NATPT Statistics: Total Sessions: Expired Sessions: Hits: Misses: 0 0 0 0 0 0 0 0 0 (static: 0 0 dynamic: 0 )
Total Fragment Sessions: Expired Fragment Sessions: Fragment Hits: Fragment Misses: Total Address Mapping: Total V6Server Mappings:
22
Description
Total number of sessions Number of expired sessions Number of times that a packet matches a NAT-PT session Number of times that a packet matches no NAT-PT sessions Total number of active fragment sessions Number of expired fragment sessions Number of times that a packet fragment matches a NAT-PT fragment session Number of times that a packet fragment matches no NAT-PT fragment sessions Number of static and dynamic mappings Number of V6Server mappings (address/port mappings) NAT-PT enabled interfaces
natpt address-group
Syntax
natpt address-group group-number start-ipv4-address end-ipv4-address undo natpt address-group group-number
View
System view
Default Level
2: System level
Parameters
group-number: Number of an address pool, in the range of 1 to 32. start-ipv4-address: Start IPv4 address in a pool. end-ipv4-address: End IPv4 address in a pool.
Description
Use the natpt address-group command to configure a NAT-PT address pool. Use the undo natpt address-group command to remove the specified NAT-PT address pool. Note that: If start-ipv4-address equals end-ipv4-address, only one address is available in the address pool. The execution of the undo natpt address-group command may affect some dynamic NAT-PT mappings. Currently, a NAT-PT address pool and an IPv4 NAT address pool do not share any address.
23
When there is only one address in the NAT-PT address pool, the address applies to only NAPT-PT. When there is more than one address in the NAT-PT address pool, the end ipv4 address is reserved for NAPT-PT. The number of addresses used for dynamic NAT-PT mapping is the number of configured addresses minus 1.
Examples
# Configure a NAT-PT address pool.
<Sysname> system-view [Sysname] natpt address-group 3 2.3.4.5 2.3.4.10
natpt enable
Syntax
natpt enable undo natpt enable
View
Interface view
Default Level
2: System level
Parameters
None
Description
Use the natpt enable command to enable the NAT-PT feature on an interface. Use the undo natpt enable command to disable the NAT-PT feature on an interface. By default, the NAT-PT feature is disabled on an interface. That is, no NAT-PT is implemented for packets received or sent on the interface. Note that: This command enables both NAT-PT and Address Family Translation (AFT). For more information about AFT, see VPN Configuration Guide. Do not configure NAT-PT and AFT on the same device.
Examples
# Enable the NAT-PT feature on an interface.
<Sysname> system-view [Sysname] interface GigabitEthernet 1/0 [Sysname-GigabitEthernet0/1] natpt enable
natpt prefix
Syntax
natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ] undo natpt prefix natpt-prefix
24
View
System view
Default Level
2: System level
Parameters
natpt-prefix: Prefix of an IPv6 address, 96 bits in length. interface interface-type interface-number: Specifies the interface on which NAT-PT is enabled. If the interface is not specified or NAT-PT is not enabled, IPv6 packets are discarded. interface-type interface-number specifies the interface type and number. nexthop ipv4-address: Specifies the IPv4 address of the next hop. This option does not work on the firewall.
Description
Use the natpt prefix command to configure a NAT-PT prefix. Use the undo natpt prefix command to remove the configured NAT-PT prefix. Note that: A NAT-PT prefix must be different from the IPv6 address prefix of the receiving interface on the NAT-PT device. Otherwise, NAT-PT translation for a received packet with the prefix will result in packet loss. The execution of the undo natpt prefix command may affect the translation of some mappings. Therefore, use this command with caution.
Examples
# Configure a NAT-PT prefix in system view.
<Sysname> system-view [Sysname] natpt prefix 2001::
View
System view
Default Level
2: System level
Parameters
None
Description
Use the natpt turn-off tos command to set the ToS field in an IPv4 packet translated from an IPv6 packet to 0. Use the undo natpt turn-off tos command to restore the default.
25
By default, the value of the ToS field in an IPv4 packet translated from an IPv6 packet is the same as that of the Traffic Class field in the IPv6 packet.
Examples
# Set the ToS field in an IPv4 packet translated from an IPv6 packet to 0.
<Sysname> system-view [Sysname] natpt turn-off tos
View
System view
Default Level
2: System level
Parameters
None
Description
Use the natpt turn-off traffic-class command to set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0. Use the undo natpt turn-off traffic-class command to restore the default. By default, the value of the Traffic Class field in an IPv6 packet translated from an IPv4 packet is the same as that of the ToS field in the IPv4 packet.
Examples
# Set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.
<Sysname> system-view [Sysname] natpt turn-off traffic-class
View
System view
Default Level
2: System level
Parameters
acl number acl-number: Specifies the IPv4 access control list (ACL) number, in the range of 2000 to 2999.
26
Description
Use the natpt v4bound dynamic command to configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts by associating an ACL with a NAT-PT prefix. Use the undo natpt v4bound dynamic command to remove the association. For a packet from an IPv4 host to an IPv6 host, if the source IPv4 address matches the specified ACL, the NAT-PT prefix will be added to translate the source IPv4 address into an IPv6 address. CAUTION: The natpt-prefix argument in the natpt v4bound dynamic command must be specified by the natpt prefix command in advance. Related commands: display natpt address-mapping.
Examples
# Configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts in system view. Use ACL 2000 to match IPv4 packets and add the NAT-PT prefix 2001:: to translate the source IPv4 address into an IPv6 address.
<Sysname> system-view [Sysname] natpt prefix 2001:: [Sysname] natpt v4bound dynamic acl number 2000 prefix 2001::
View
System view
Default Level
2: System level
Parameters
ipv4-address: IPv4 address to be mapped. ipv6-address: IPv6 address to which an IPv4 address is mapped.
Description
Use the natpt v4bound static command to configure a static IPv4/IPv6 address mapping on the IPv4 side. Use the undo natpt v4bound static command to remove a static IPv4/IPv6 address mapping on the IPv4 side. The ipv6-address prefix should be contained in the configured NAT-PT prefix. Related commands: display natpt address-mapping.
27
Examples
# Configure a static mapping between the IPv4 address 2.3.4.9 and the IPv6 address 2001::1 on the IPv4 side in system view.
<Sysname> system-view [Sysname] natpt v4bound static 2.3.4.9 2001::1
View
System view
Default Level
2: System level
Parameters
protocol protocol-type: Specifies the protocol type. The protocol-type argument can be: tcp: Specifies the TCP protocol. udp: Specifies the UDP protocol.
ipv4-address-destination: IPv4 address to which an IPv6 address is mapped. ipv4-port-number: IPv4 port number, in the range of 1 to 12287. ipv6-address-destination: Destination IPv6 address to be mapped. ipv6-port-number: IPv6 port number, in the range of 1 to 12287.
Description
Use the natpt v4bound static v6server command to configure a static NAPT-PT mapping for an IPv6 server. Use the undo natpt v4bound static v6server command to remove a static NAPT-PT mapping for an IPv6 server. Related commands: display natpt address-mapping.
Examples
# In system view, configure a static NAPT-PT mapping for an IPV6 server, in which the protocol type is TCP, the IPv4 address and port number are 2.3.4.5 and 80 respectively, and the IPv6 address and port number are 2001::1 and 80 respectively.
<Sysname> system-view [Sysname] natpt v4bound static v6server protocol tcp 2.3.4.5 80 2001::1 80
28
View
System view
Default Level
2: System level
Parameters
acl6 number acl6-number: Specifies the IPv6 ACL number. If the source IPv6 address of a packet sent from an IPv6 network to an IPv4 network matches this IPv6 ACL, the source IPv6 address is translated based on the command. The IPv6 ACL number ranges 2000 to 2999. prefix natpt-prefix: Specifies the NAT-PT prefix. If the destination IPv6 address of a packet sent from an IPv6 network to an IPv4 network is in this NAT-PT prefix, the source IPv6 address is translated based on the command. The NAT-PT prefix is 96 bits in length. address-group address-group: Specifies the number of the IPv4 address pool for the translation of the source IPv6 address. The IPv4 address pool number is in the range of 1 to 32. no-pat: Specifies no port address translation. If the no-pat keyword is not provided, port address translation will be performed. interface interface-type interface-number: Specifies the IPv4 address of the interface as the translated source IPv6 address. interface-type interface-number specifies the interface type and number.
Description
Use the natpt v6bound dynamic command to configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts. Use the undo natpt v6bound dynamic command to remove the dynamic mapping. Related commands: display natpt address-mapping.
Examples
# Configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts in system view. Translate the source address of an IPv6 packet that matches IPv6 ACL 2001 into an IPv4 address in address pool 1.
<Sysname> system-view [Sysname] natpt address-group 1 2.3.4.5 2.3.4.10 [Sysname] natpt v6bound dynamic acl6 number 2001 address-group 1
29
View
System view
Default Level
2: System level
Parameters
ipv6-address: IPv6 address to be mapped. ipv4-address: IPv4 address to which an IPv6 address is mapped.
Description
Use the natpt v6bound static command to configure a static IPv4/IPv6 address mapping on the IPv6 side. Use the undo natpt v6bound static command to remove a static IPv4/IPv6 address mapping on the IPv6 side. Related commands: display natpt address-mapping.
Examples
# Configure the static mapping between the IPv6 address 2001::1 and the IPv4 address 2.3.4.5 on the IPv6 side in system view.
<Sysname> system-view [Sysname] natpt v6bound static 2001::1 2.3.4.5
View
User view
Default Level
1: Monitor level
Parameters
None
Description
Use the reset natpt statistics command to clear all NAT-PT statistics information. Related commands: display natpt statistics.
Examples
# Clear all NAT-PT statistics information.
<Sysname> reset natpt statistics
30
View
System view
Default level
2: System level
Parameters
all: Enables ALG for all protocols. dns: Enables ALG for DNS. ftp: Enables ALG for FTP. gtp: Enables ALG for GTP. h323: Enables ALG for H.323. ils: Enables ALG for ILS. msn: Enables ALG for MSN. nbt: Enables ALG for NBT. pptp: Enables ALG for PPTP. qq: Enables ALG for QQ. rtsp: Enables ALG for RTSP. sccp: Enables ALG for SCCP. sip: Enables ALG for SIP. sqlnet: Enables ALG for SQLNET. tftp: Enables ALG for TFTP.
Description
Use the alg command to enable ALG for a specified protocol. Use the undo alg command to disable ALG for a specified protocol. By default, the ALG feature is enabled for all protocols.
Examples
# Enable ALG for FTP.
<Sysname> system-view [Sysname] alg ftp
31
32
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
HP.com http://www.hp.com HP Networking http://www.hp.com/go/networking HP manuals http://www.hp.com/support/manuals HP download drivers and software http://www.hp.com/support/downloads HP software depot http://www.software.hp.com
33
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention
Boldface Italic [] { x | y | ... } [ x | y | ... ] { x | y | ... } * [ x | y | ... ] * &<1-n> #
Description
Bold text represents commands and keywords that you enter literally as shown. Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none. The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. A line that starts with a pound (#) sign is comments.
GUI conventions
Convention
Boldface >
Description
Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK. Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention
WARNING CAUTION IMPORTANT NOTE TIP
Description
An alert that calls attention to important information that if not understood or followed can result in personal injury. An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software. An alert that calls attention to essential information. An alert that contains additional or supplementary information. An alert that provides helpful information.
Index
ADNRSW
A address,1 alg,31 D display nat address-group,1 display nat all,2 display nat bound,4 display nat dns-map,5 display nat server,6 display nat static,7 display nat statistics,9 display natpt address-group,19 display natpt address-mapping,19 display natpt all,21 display natpt statistics,22 Documents,33 N nat address-group,10 1 nat dns-map,1 1 nat outbound,1 nat outbound static,14 nat server,14 nat static,17 nat static net-to-net,18 natpt address-group,23 natpt enable,24 natpt prefix,24 natpt turn-off tos,25 natpt turn-off traffic-class,26 natpt v4bound dynamic,26 natpt v4bound static,27 natpt v4bound static v6server,28 natpt v6bound dynamic,29 natpt v6bound static,29 R reset natpt statistics,30 S Subscription service,33 W Websites,33
35