H3C S9500 Series Routing Switches
Command Manual – NAT

Table of Contents
Chapter 1 NAT Configuration Commands..................................................................................1-1
1.1 NAT Configuration Commands..........................................................................................1-1
1.1.1 display nat address-group.......................................................................................1-1
1.1.2 display nat aging-time.............................................................................................1-1
1.1.3 display nat all...........................................................................................................1-2
1.1.4 display nat auto-reset-session ................................................................................1-3
1.1.5 display nat blacklist .................................................................................................1-4
1.1.6 display nat outbound...............................................................................................1-5
1.1.7 display nat server....................................................................................................1-6
1.1.8 display nat static......................................................................................................1-7
1.1.9 display nat statistics ................................................................................................1-7
1.1.10 display nat vpn limit...............................................................................................1-8
1.1.11 nat address-group.................................................................................................1-9
1.1.12 nat aging-time......................................................................................................1-11
1.1.13 nat auto-reset-session.........................................................................................1-11
1.1.14 nat blacklist start .................................................................................................1-12
1.1.15 nat blacklist mode ...............................................................................................1-13
1.1.16 nat blacklist limit amount.....................................................................................1-14
1.1.17 nat blacklist limit rate...........................................................................................1-15
1.1.18 nat blacklist limit rate source...............................................................................1-16
1.1.19 nat outbound .......................................................................................................1-18
1.1.20 nat server ............................................................................................................1-21
1.1.21 nat static..............................................................................................................1-24
1.1.22 nat vpn limit.........................................................................................................1-27
1.1.23 reset nat session.................................................................................................1-28
1.2 NAT Security Logging Configuration Commands............................................................1-28
1.2.1 display ip userlog export .......................................................................................1-28
1.2.2 ip userlog nat.........................................................................................................1-29
1.2.3 ip userlog nat active-time......................................................................................1-30
1.2.4 ip userlog nat export host......................................................................................1-31
1.2.5 ip userlog nat export source-ip.............................................................................. 1-31
1.2.6 ip userlog nat export version.................................................................................1-32
1.2.7 ip userlog nat mode flow-begin.............................................................................1-32
Command Manual – NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands
1-1
Chapter 1 NAT Configuration Commands
Note:
The line processing units (LPU) mentioned in this chapter refer to LSB1NATB0.
1.1 NAT Configuration Commands
1.1.1 display nat address-group
Syntax
display nat address-group [ group-number ]
View
Any view
Parameters
group-number: Group number of an address pool, in the range 0 to 319.
Description
Use the display nat address-group command to display the configuration of the
address pool.
Examples
# Display the configuration of the address pool.
<H3C> display nat address-group
NAT address-group information:
0 : [address-group] 1.1.1.1 ---- 1.1.1.2
[description] teacher
[slot] 5
1 : [address-group] 2.2.2.2 ---- 2.2.2.3
--2 entries found--
1.1.2 display nat aging-time
Syntax
display nat aging-time
View
Any view
Parameters
None
Description
Use the display nat aging-time command to display the aging time of a NAT entry.
Examples
# View the aging times of the NAT entries of various protocols.
<H3C> display nat aging-time
NAT aging-time value information:
alg ---- aging-time value is 120 (seconds)
ftp ---- aging-time value is 7200 (seconds)
h.323 ---- aging-time value is 600 (seconds)
ils ---- aging-time value is 600 (seconds)
The slot 5 NP-Timer configuration:
Selection of NP-Timer is : Slow-Timer
Fast-Timer : 1 seconds
Slow-Timer: 300 seconds
1.1.3 display nat all
Syntax
display nat all
View
Any view
Parameters
None
Description
Use the display nat all command to display all the configurations about NAT.
Examples
# Display all the configurations about NAT.
<H3C> display nat all
NAT address-group information:
No address-groups have been configured
--0 entry found--
NAT outbound information:
No interfaces have been configured for NAT
--0 entry found--
Server in private network information:
No internal servers have been configured
--0 entry found--
Static NAT information:
No static NAT has been configured
--0 entry found--
NAT aging-time value information:
alg ---- aging-time value is 120 (seconds)
ftp ---- aging-time value is 7200 (seconds)
h.323 ---- aging-time value is 600 (seconds)
ils ---- aging-time value is 600 (seconds)
The slot 5 NP-Timer configuration:
Selection of NP-Timer is : Slow-Timer
Fast-Timer : 1 seconds
Slow-Timer: 300 seconds
There are no configuration of vpn limit
1.1.4 display nat auto-reset-session
Syntax
display nat auto-reset-session
View
Any view
Parameters
None
Description
Use the display nat auto-reset-session command to display the status of the NAT
session table auto-reset function.
Examples
# Display the status of the NAT session table auto-reset function.
<H3C> display nat auto-reset-session
Reset NAT session table automatically when interface becomes up or down.
1.1.5 display nat blacklist
Syntax
display nat blacklist { all | [ vpn-instance vpn-name ] ip [ ip-address ] slot slot-no }
View
Any view
Parameters
all: Displays all blacklist configurations.
vpn-instance vpn-name: Specifies the VPN that the user configured in the blacklist
belongs to.
ip ip-address: IP address configured in the blacklist.
slot slot-no: Specifies the slot where the NAT service board resides.
Description
Use the display nat blacklist command to display the blacklist configurations and
operation states.
Use the display nat blacklist all command to display all the configurations of the
blacklist.
Use the display nat blacklist vpn-instance vpn-name ip ip-address slot slot-no
command to display the blacklist configurations and operation states for an IP address
in a VPN.
Examples
# Display all the configurations of the blacklist.
<H3C> display nat blacklist all
Blacklist function global configuration:
Blacklist function is started.
Connection amount control is enabled.
Connection set-up rate control is enabled.
Amount control limit: 500 sessions.
Rate control limit: 250 session/s.
Special rate control limit: 250 session/s.
Global Committed Burst Size is 150
Special IP Committed Burst Size is 150
Altogether 1 IP addresses have special configuration:
Control limit configuration of VPN vpn1 IP 100.0.0.3:
Amount control limit: 500 sessions.
Rate control limit uses special configuration.
# Display the blacklist configurations and operation states for IP address 100.0.0.3 in
VPN1.
<H3C> display nat blacklist vpn-instance vpn1 ip 100.0.0.3 slot 4
Blacklist function global configuration:
Blacklist function is started.
Connection amount control is enabled.
Connection set-up rate control is enabled.
Amount control limit: 500 sessions.
Rate control limit: 250 session/s.
Special rate control limit: 250 session/s.
Global Committed Burst Size is 150
Special IP Committed Burst Size is 150
Control limit configuration of VPN vpn1 IP 100.0.0.3: Amount control limit:
500 sessions.
Rate control limit uses special configuration.
Blacklist running statistics of IP 100.0.0.3:
Amount of connection already set up: 0 sessions.
IP 100.0.0.3 is not in the blacklist!
1.1.6 display nat outbound
Syntax
display nat outbound
View
Any view
Parameters
None
Description
Use the display nat outbound command to display the information about all mapping
entries of NAT Outbound.
Examples
# Display the information about all mapping entries of NAT Outbound.
<H3C> display nat outbound
NAT outbound information:
Vlan-interface2 : [acl] 2000
[address-group] 1
[type] pat
[slot] 5
Vlan-interface3 : [acl] 2000
[address-group] 0 -- teacher
[type] no-pat
[slot] 5
Vlan-interface4 : [acl] 2001
[address-group] interface
[type] pat
[slot] 5
--3 entries found--
1.1.7 display nat server
Syntax
display nat server
View
Any view
Parameters
None
Description
Use the display nat server command to display information about all the internal
servers.
Examples
# Display information about all the internal servers.
<H3C> display nat server
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1,
[global] 23.23.23.23: 80(www) [local] 100.0.0.23: 80(www)
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1,
[global] 23.23.23.23: 8000 [local] 100.0.0.23: 21(ftp)
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1,
[global] 23.23.23.1: 8000 [local] 100.0.0.3: 21(ftp)
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1,
[global] 23.23.23.2: 0(any) [local] 100.0.0.4: 0(any)
--4 entries found--
1.1.8 display nat static
Syntax
display nat static
View
Any view
Parameters
None
Description
Use the display nat static command to display all static address translation entries.
Examples
# Display all static address translation entries.
<H3C> display nat static
Static NAT information:
Vlan-interface24 : [global-address] 24.2.1.1
[inside-address] 192.168.2.1
[slot] 5
Vlan-interface25 : [global-address] 25.2.1.1 ---- 25.2.1.10
[inside-address] 192.168.3.1 ---- 192.168.3.10
[slot] 5
--2 entry found--
1.1.9 display nat statistics
Syntax
display nat statistics slot slot-no
View
Any view
Parameters
slot-no: Number of the slot in which the currently functioning NAT service board
resides.
Description
Use the display nat statistics command to display the statistics of the current NAT
information.
Examples
# Display the statistics of the current NAT information.
<H3C> display nat statistics slot 3
Running information in slot 3:
active PAT session table count in CPU:0
active PAT session table count in NP:1
active NO-PAT session table count:0
active SERVER session table count:3
active STATIC NAT session table count: 11
Table 1-1 Description of the fields of the display nat statistics slot command
Field                                     Description
Running information in slot               Slot information
active PAT session table count in CPU     Number of NAPT entries in CPU
active PAT session table count in NP      Number of NAPT entries in NP
active NO-PAT session table count         Number of NAT entries in CPU
active SERVER session table count         Number of user-configured internal server entries
active STATIC NAT session table count     Number of static address translation entries
Note:
In PTA mode, hardware of S9500 series switches creates a positive stream and a
reversed stream (which is used for reversed PAT) when creating a stream. However,
the NAT log exports the positive stream only.
1.1.10 display nat vpn limit
Syntax
display nat vpn limit { all | public | vpn-instance vpn-name }
View
System view
Parameters
all: Queries the maximum number of users and connections of all the VPNs.
public: Queries the maximum number of users and connections of the public network.
vpn-instance: Queries the maximum number of users and connections of the specified
VPN.
vpn-name: Name of a VPN instance.
Description
Use the display nat vpn limit command to display the maximum number of users and
connections of all the VPNs or the specified VPN of NAT.
Examples
# Display the maximum number of users and connections of all the VPNs of NAT.
<H3C> display nat vpn limit all
The slot 4 nat state of public:
The max user count is 1000.
The current user count is 0.
The available user count is 1000.
The max connection count is 10000.
The current connection count is 0.
The available connection count is 10000.
The slot 4 nat state of vpn-instance vpn1:
The max user count is 1000.
The current user count is 0.
The available user count is 1000.
The max connection count is 10000.
The current connection count is 0.
The available connection count is 10000
1.1.11 nat address-group
Syntax
nat address-group group-number { { start-addr end-addr [ description text ] } |
description text }
undo nat address-group group-number
View
System view
Parameters
group-number: Group number of an address pool.
start-addr: Starting IP address of an address pool.
end-addr: Ending IP address of an address pool.
text: A description string of 1 to 31 characters.
Description
Use the nat address-group command to configure an address pool.
Use the undo nat address-group command to delete an address pool.
An address pool is a group of external IP addresses. If start-addr and end-addr are the
same, the pool contains only one address.
• To create an address pool, use the nat address-group group-number start-addr
end-addr [ description text ] command.
• To modify the description string of an address pool, use the nat address-group
group-number description text command.
Caution:
• The number of addresses included in an address pool (the number of public
addresses in the pool) must not exceed 256.
• You cannot configure network segment addresses or broadcast addresses as
addresses in an address pool.
• The IP addresses configured in the NAT address pool must not be the same as IP
addresses in the internal network.
• You cannot delete an address pool that is associated with an ACL.
• When NAPT is enabled, an address pool cannot contain more than 32 addresses.
Examples
# Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.
<H3C> system-view
[H3C] nat address-group 1 202.110.10.10 202.110.10.15
# Configure address pool 2 with addresses 203.110.10.10 to 203.110.10.110, and the
description character string is teacher.
<H3C> system-view
[H3C] nat address-group 2 203.110.10.10 203.110.10.110 description teacher
# Modify the description character string of address group 2 to teacher&student.
<H3C> system-view
[H3C] nat address-group 2 description teacher&student
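A check for the address pool rules in the Caution above, written as an added example (not H3C code): it validates a proposed nat address-group against the limits the manual states. The public /24 segment used to find network and broadcast addresses and the internal networks are constructed assumptions.

```python
import ipaddress

MAX_POOL = 256        # Caution: at most 256 addresses in a pool
MAX_POOL_NAPT = 32    # Caution: at most 32 addresses when NAPT is enabled
MAX_GROUP = 319       # group-number range is 0 to 319
MAX_DESC = 31         # description text is 1 to 31 characters


def pool_addresses(start, end):
    """Expand start-addr .. end-addr into a list of IPv4Address values."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end-addr precedes start-addr")
    return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]


def check_address_group(group, start, end, description=None, napt=False,
                        public_segment="202.110.10.0/24",
                        internal_networks=("192.168.0.0/16", "10.0.0.0/8")):
    """Return the list of rule violations; an empty list means the pool is acceptable.
    public_segment (assumed /24 the pool is carved from) supplies the network and
    broadcast addresses to reject; internal_networks are the assumed private ranges."""
    problems = []
    if not 0 <= group <= MAX_GROUP:
        problems.append(f"group-number {group} is outside 0 to {MAX_GROUP}")
    if description is not None and not 1 <= len(description) <= MAX_DESC:
        problems.append("description text must be 1 to 31 characters")
    addrs = pool_addresses(start, end)
    if len(addrs) > MAX_POOL:
        problems.append(f"pool holds {len(addrs)} addresses, limit is {MAX_POOL}")
    if napt and len(addrs) > MAX_POOL_NAPT:
        problems.append(f"NAPT pool holds {len(addrs)} addresses, limit is {MAX_POOL_NAPT}")
    segment = ipaddress.IPv4Network(public_segment)
    for ip in addrs:
        if ip in (segment.network_address, segment.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address of {segment}")
    internal = [ipaddress.IPv4Network(n) for n in internal_networks]
    clashing = [str(ip) for ip in addrs if any(ip in n for n in internal)]
    if clashing:
        problems.append("addresses overlap the internal network: " + ", ".join(clashing))
    return problems
```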
1.1.12 nat aging-time
Syntax
nat aging-time alg time-value
undo nat aging-time alg
View
System view
Parameters
alg time-value: Aging time, in seconds, of NAT entries that require application level
gateway (ALG) processing.
Note:
For the NO-PAT method, the aging time cannot be set; it uses the fast aging time.
Description
Use the nat aging-time command to set the aging time for NAT entries.
Use the undo nat aging-time command to restore the default aging time for NAT
entries.
By default, the aging time of NAT entries for application level gateway (ALG) is 120
seconds, and that for FTP is 7200 seconds.
Examples
# Set the aging time of NAT entries requiring ALG processing to 245 seconds.
<H3C> system-view
[H3C] nat aging-time alg 245
1.1.13 nat auto-reset-session
Syntax
nat auto-reset-session
undo nat auto-reset-session
View
System view
Parameters
None
Description
Use the nat auto-reset-session command to enable the NAT session table auto-reset
function when a NAT enabled VLAN interface goes up or down.
Use the undo nat auto-reset-session command to disable the function.
By default, the NAT session table auto-reset function is disabled.
After you execute this command, the NAT session table is reset only when a
NAT-enabled VLAN interface goes up or down.
This function is typically used in link backup networks. When the active link is down, the
corresponding NAT session table is cleared. Then, NAT configured on the backup link
performs address translation for packets.
Because all NAT session tables are cleared when a NAT-enabled VLAN interface goes
up or down, enabling this function in a common network is not recommended.
Examples
# Enable the NAT session table auto-reset function when the VLAN interface goes up
or down.
<H3C> system-view
[H3C] nat auto-reset-session
1.1.14 nat blacklist start
Syntax
nat blacklist start
undo nat blacklist start
View
System view
Parameters
start: Starts the blacklist function for the whole system.
Description
Use the nat blacklist command to set the properties relevant to the blacklist.
Use the undo nat blacklist command to disable a certain property or a certain
function.
The blacklist function is disabled by default.
Examples
# Enable the blacklist function for the whole system.
<H3C> system-view
[H3C] nat blacklist start
1.1.15 nat blacklist mode
Syntax
nat blacklist mode { amount | rate | all }
undo nat blacklist mode { amount | rate | all }
View
System view
Parameters
mode: Sets the control mode.
amount: Controls the amount of user connections only.
rate: Controls the rate of user link set-up only.
all: Controls both the amount of user connections and the rate of user link set-up.
Note:
The connection here refers to the address mapping relationship set up during NAT. The
rate of link set-up means the rate of setting up such connections, namely, the number of
connections set up per second.
Description
Use the nat blacklist mode command to set the control mode of the blacklist function.
You can select to control the number of user connections, the rate of link set-up or both.
Use the undo nat blacklist mode command to disable the configured control mode of
the blacklist function.
Examples
# Select to control the number of user connections.
<H3C> system-view
[H3C] nat blacklist mode amount
1.1.16 nat blacklist limit amount
Syntax
nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ] max-amount
undo nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ]
View
System view
Parameters
vpn-instance vpn-name: Name of a VPN instance. When this argument is specified,
the IP address configured in the blacklist is the IP address in VPN.
user-ip: IP address of the specified user.
max-amount: Upper threshold value for the total number of NAT connections that a
user can set up, in the range of 20 to 20,000. The max-amount argument is 500 by
default.
Description
Use the nat blacklist limit amount command to set the threshold value for the user
connections.
Use the undo nat blacklist limit amount command to restore the threshold value for
the user connections to the default value.
• If the source keyword is not specified, this configuration is effective for the global
users.
• If the source keyword is specified, this configuration is effective for the users of the
specified source IP address.
Caution:
While the system is running, if you do not execute the reset nat session command after
configuring the global user connection limit, connections that exceed the upper limit
cannot be deleted directly and remain until their streams age out.
Examples
# Set the threshold value for the number of global connections.
<H3C> system-view
[H3C] nat blacklist limit amount 2222
# Set the threshold value for the number of connections to the IP address 1.1.1.1.
<H3C> system-view
[H3C] nat blacklist limit amount source 1.1.1.1 2222
# Set the threshold value for the number of connections to the IP address 100.0.0.1 in
the private network VPN1.
<H3C> system-view
[H3C] nat blacklist limit amount vpn-instance vpn1 source 100.0.0.1 2222
1.1.17 nat blacklist limit rate
Syntax
nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs burst-size ]
undo nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs
burst-size ]
View
System view
Parameters
cir cir-value: Sets the threshold value, in sessions per second, for the committed
information rate (CIR), which is the average rate on a port over a long period. The value
ranges from 20 to 262,144, with a default value of 250.
cbs burst-size: Sets the threshold value for the Conformed Burst Size (CBS), which
determines the maximum burst size before part of the traffic exceeds the CIR, in the
range of [ cir-value, 90*cir-value ] in bits. Its default value is 375 bits.
ebs burst-size: Sets the threshold value for the Extended Burst Size (EBS), which
determines the maximum burst size before all the traffic exceeds the CIR, in the range of
[ 0, 90*cir-value ] in bits. It must be no bigger than the value specified by cbs burst-size.
Its default value is 0.
Description
Use the nat blacklist limit rate command to set the threshold value for the rate of link
set-up, namely, the number of connections set up per second. The user who exceeds
the threshold value will not be displayed in the blacklist.
Use the undo nat blacklist limit rate command to restore the threshold value for the
rate of link set-up to the default value.
In the commands above:
• If the source ip keyword is not specified, this configuration is effective for default
users.
• If the source ip keyword is specified, this configuration is effective for the users of
the specified source IP address only.
• If you do not use the nat blacklist limit rate command, the system adopts the default
values of cir-value, cbs burst-size, and ebs burst-size, that is, 250, 375, and 0
respectively.
• If you use the nat blacklist limit rate command to configure the cir-value argument
only, the value of cbs burst-size is cir-value*1.5, and the value of ebs burst-size is 0.
Caution:
• You can set the threshold value for the maximum number of connections of the
specified IP address to any value within the value range. However, the threshold
value for the maximum rate of link set-up of all the specified source IP addresses
must be the same.
• While the system is running, you must execute the reset nat session command
once after you modify the blacklist configuration (except the blacklist configuration
for the specified source IP address).
• When there are multiple LPUs in a device, each LPU maintains its own blacklist
information independently. However, the commands to configure the blacklist are
effective for all the blacklist-feature-enabled LPUs at the same time.
Examples
# Set the threshold value for the default rate of link set-up.
<H3C> system-view
[H3C] nat blacklist limit rate cir 20 cbs 1799 ebs 40
# Set the special threshold value for the rate of link set-up
<H3C> system-view
[H3C] nat blacklist limit rate source ip cir 20 cbs 1799 ebs 40
1.1.18 nat blacklist limit rate source
Syntax
nat blacklist limit rate [ vpn-instance vpn-name] source ip-address
undo nat blacklist limit rate [ vpn-instance vpn-name] source ip-address
View
System view
Parameters
vpn-instance vpn-name: Name of a VPN instance. When this argument is specified,
the IP address configured in the blacklist is the IP address in VPN.
source ip-address: IP address of the specified user.
Description
Use the nat blacklist limit rate source ip-address command to set the IP address of a
user who needs a special control mode for the rate of link set-up. For relevant
information, see the nat blacklist limit rate source ip command in "1.1.17 nat blacklist
limit rate".
Use the undo nat blacklist limit rate source ip-address command to disable the user
IP address setting.
Caution:
• You can set the threshold value for the maximum number of connections of the
specified IP address to any value within the value range. However, the threshold
value for the maximum rate of link set-up of all the specified source IP addresses
must be the same.
• While the system is running, you must execute the reset nat session command
once after you modify the blacklist configuration (except the blacklist configuration
for the specified source IP address).
• When there are multiple LPUs in a device, each LPU maintains its own blacklist
information independently. However, the commands to configure the blacklist are
effective for all the blacklist-feature-enabled LPUs at the same time.
Examples
# Use the special threshold value to control the rate of link set-up of the user 2.2.2.2.
<H3C> system-view
[H3C] nat blacklist limit rate source 2.2.2.2
# Use the special threshold value to control the rate of link set-up of the user 200.0.0.1
in the private network VPN1.
<H3C> system-view
[H3C] nat blacklist limit rate vpn-instance vpn1 source 200.0.0.1
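The amount and rate controls of 1.1.16, 1.1.17 and this section, simulated as an added example (not H3C code): per-user connection counting with a special per-IP limit, and a cir/cbs/ebs meter for the set-up rate. Filling the buckets srTCM-style (the committed bucket overflowing into the extended bucket) is an assumption about how the switch meters, as are the event traces; the defaults and the cbs = 1.5*cir rule come from the manual.

```python
from dataclasses import dataclass, field

DEFAULT_CIR, DEFAULT_CBS, DEFAULT_EBS = 250, 375, 0   # defaults stated in 1.1.17
DEFAULT_AMOUNT = 500                                   # default max-amount in 1.1.16


def rate_defaults(cir=None, cbs=None, ebs=None):
    """Resolve cir/cbs/ebs as the manual describes: nothing configured gives
    250/375/0; cir alone gives cbs = 1.5*cir and ebs = 0."""
    if cir is None:
        return DEFAULT_CIR, DEFAULT_CBS, DEFAULT_EBS
    if cbs is None:
        cbs = int(cir * 1.5)
    if ebs is None:
        ebs = 0
    if not (cir <= cbs <= 90 * cir and 0 <= ebs <= 90 * cir and ebs <= cbs):
        raise ValueError("cbs/ebs outside the ranges the manual allows")
    return cir, cbs, ebs


@dataclass
class SourceState:
    committed: float          # tokens left in the cbs bucket
    extended: float           # tokens left in the ebs bucket
    last: float               # time of the last refill
    sessions: int = 0         # connections currently set up by this user


@dataclass
class Blacklist:
    mode: str = "all"         # amount | rate | all, as in nat blacklist mode
    max_amount: int = DEFAULT_AMOUNT
    cir: int = DEFAULT_CIR
    cbs: int = DEFAULT_CBS
    ebs: int = DEFAULT_EBS
    special: dict = field(default_factory=dict)   # "vpn:ip" -> per-user max-amount
    states: dict = field(default_factory=dict)
    listed: set = field(default_factory=set)      # users placed on the blacklist

    @staticmethod
    def key(ip, vpn=None):
        return f"{vpn or 'public'}:{ip}"

    def _refill(self, st, t):
        # the committed bucket fills at cir tokens/s; overflow spills into the ebs bucket
        st.committed += (t - st.last) * self.cir
        if st.committed > self.cbs:
            st.extended = min(self.ebs, st.extended + st.committed - self.cbs)
            st.committed = self.cbs
        st.last = t

    def new_session(self, t, ip, vpn=None):
        """One NAT connection set-up at time t: True if allowed, False if the
        user is over a limit (and is therefore placed on the blacklist)."""
        k = self.key(ip, vpn)
        st = self.states.setdefault(
            k, SourceState(committed=self.cbs, extended=self.ebs, last=t))
        self._refill(st, t)
        if self.mode in ("amount", "all"):
            if st.sessions >= self.special.get(k, self.max_amount):
                self.listed.add(k)
                return False
        if self.mode in ("rate", "all"):
            if st.committed >= 1:
                st.committed -= 1
            elif st.extended >= 1:
                st.extended -= 1
            else:
                self.listed.add(k)
                return False
        st.sessions += 1
        return True

    def session_aged(self, ip, vpn=None):
        """A stream aged out or reset nat session ran: free one connection."""
        st = self.states.get(self.key(ip, vpn))
        if st and st.sessions > 0:
            st.sessions -= 1


def run_trace(bl, events):
    """Feed constructed (t, ip, vpn) set-up events through bl; return how many were allowed."""
    return sum(bl.new_session(t, ip, vpn) for t, ip, vpn in events)
```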
1.1.19 nat outbound
Syntax
nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-no
undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot
slot-no
View
VLAN interface view
Parameters
address-group: Configures NAT using the specified address pool. If you do not specify
an address pool, the IP address of the interface is used as the translated address, that
is, the Easy IP feature.
no-pat: Specifies that only the IP addresses in data packets are translated; the port
number information is left unused.
acl-number: ACL number, in the range 2,000 to 3,999.
group-number: Address pool number, in the range 0 to 319.
slot-no: Number of the slot where the NAT LPU resides.
Description
Use the nat outbound command to associate an ACL with an address pool.
Use the undo nat outbound command to delete the corresponding NAT rule.
After the association, the addresses meeting the criteria of acl-number can use address
pool group-number for NAT. The NAT LPU in which the address pool resides is
specified for NAT. All the address translations using this address pool are processed on
this NAT LPU.
After configuring the association between the ACL and the address pool, the eligible
source address of a data packet will be translated by either selecting an address from
the address pool or using the IP address of the interface directly. Multiple NAT
associations can be configured on a VLAN interface, which is normally connected to
the ISP and acts as the egress of the internal network. You may use the corresponding
undo command to delete a NAT association.
If you do not specify any value for the address-group keyword, the Easy IP feature is
implemented for NAT, and the IP address of the interface is used as the translated
address.
Note:
• As for the ACL associated with an address pool, only the source VPN, source IP
address, and destination IP address fields in it are used. They are also used to
tell whether or not two rules conflict.
• Do not execute the undo nat outbound command too often after the configuration
is stable.
Caution:
Address translation is performed on the NAT LPU. Because packets sent from a private
network are not delivered to the NAT LPU by default, you need to reference QACLs on
the receiving interface to redirect those packets to the NAT LPU. For details, refer to
the traffic-redirect command in QoS Commands of the QoS ACL Volume. You do not
need to configure redirection for response packets sent from the public network, because
their destination IP address (DIP) is an address from the address pool.
Examples
# Allow hosts on the network segment 192.168.1.0/24 in VPN1 and VPN2 and the
network segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to
202.110.10.12. Suppose VLAN interface 2 is connected to the ISP.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule permit ip source 10.110.10.0 0.0.0.255
[H3C-acl-adv-3000] rule permit ip vpn-instance VPN1 source 192.168.1.0
0.0.0.255
[H3C-acl-adv-3000] rule permit ip vpn-instance VPN2 source 192.168.1.0
0.0.0.255
[H3C-acl-adv-3000] quit
# Configure the address pool.
[H3C] nat address-group 1 202.110.10.10 202.110.10.12
# Configure NAT binding on NAT LPU 3, allowing packets that match ACL 3000 to be
processed by NAT. The address will be translated into one of address pool 1.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat outbound 3000 address-group 1 slot 3
# Configure one-to-one NAT (do not use TCP/UDP port information for NAT).
[H3C-Vlan-interface2] nat outbound 3000 address-group 1 no-pat slot 3
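A model of the nat outbound decision described in this section, as an added example (not H3C code): ACL rules match on source VPN, source IP and destination IP only (the fields the Note says are used), and a binding translates with PAT unless no-pat is given, or with Easy IP using the interface address when no pool is named. How the switch actually picks pool addresses and ports is not on the page; the sequential choices below, the interface address and the packets are constructed assumptions, while ACL 3000 and pool 1 reuse the example above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    source: str                     # source network, e.g. 10.110.10.0/24
    vpn: Optional[str] = None       # source VPN instance, None for the public network
    dest: str = "0.0.0.0/0"         # destination network

    def matches(self, vpn, src, dst):
        return (self.vpn == vpn
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dest))


@dataclass
class Outbound:
    acl: list                            # permit rules of the referenced ACL
    pool: Optional[list]                 # address-group members, None means Easy IP
    no_pat: bool = False
    interface_ip: str = "202.110.10.1"   # assumed address of VLAN interface 2
    next_port: int = 1024                # assumed start of the PAT port range
    bindings: dict = field(default_factory=dict)   # NO-PAT (vpn, src) -> global ip

    def translate(self, vpn, src, sport, dst):
        """Return (global_ip, global_port), or None if the packet does not match
        the ACL (it leaves untranslated) or the NO-PAT pool is exhausted."""
        if not any(r.matches(vpn, src, dst) for r in self.acl):
            return None
        if self.pool is None:                       # Easy IP: interface address + PAT
            return self._pat(self.interface_ip)
        if self.no_pat:                             # one-to-one, port left untouched
            key = (vpn, src)
            if key not in self.bindings:
                if len(self.bindings) >= len(self.pool):
                    return None                     # every pool address is taken
                self.bindings[key] = self.pool[len(self.bindings)]
            return self.bindings[key], sport
        return self._pat(self.pool[0])              # PAT: one address, many ports

    def _pat(self, ip):
        port, self.next_port = self.next_port, self.next_port + 1
        return ip, port


# ACL 3000 and address pool 1 from the examples above
ACL_3000 = [Rule("10.110.10.0/24"),
            Rule("192.168.1.0/24", vpn="VPN1"),
            Rule("192.168.1.0/24", vpn="VPN2")]
POOL_1 = ["202.110.10.10", "202.110.10.11", "202.110.10.12"]
```

The same private address in VPN1 and in the public network is handled differently because the VPN is part of the match, and the NO-PAT binding stops serving new hosts once all three pool addresses are bound.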