07 nat commands

Upload: tudocris

Post on 14-Jan-2016

DESCRIPTION

HP MSR - NAT commands

TRANSCRIPT

    Command Manual NAT H3C S9500 Series Routing Switches

    Table of Contents

    Chapter 1 NAT Configuration Commands  1-1
    1.1 NAT Configuration Commands  1-1
    1.1.1 display nat address-group  1-1
    1.1.2 display nat aging-time  1-1
    1.1.3 display nat all  1-2
    1.1.4 display nat auto-reset-session  1-3
    1.1.5 display nat blacklist  1-4
    1.1.6 display nat outbound  1-5
    1.1.7 display nat server  1-6
    1.1.8 display nat static  1-7
    1.1.9 display nat statistics  1-7
    1.1.10 display nat vpn limit  1-8
    1.1.11 nat address-group  1-9
    1.1.12 nat aging-time  1-11
    1.1.13 nat auto-reset-session  1-11
    1.1.14 nat blacklist start  1-12
    1.1.15 nat blacklist mode  1-13
    1.1.16 nat blacklist limit amount  1-14
    1.1.17 nat blacklist limit rate  1-15
    1.1.18 nat blacklist limit rate source  1-16
    1.1.19 nat outbound  1-18
    1.1.20 nat server  1-21
    1.1.21 nat static  1-24
    1.1.22 nat vpn limit  1-27
    1.1.23 reset nat session  1-28
    1.2 NAT Security Logging Configuration Commands  1-28
    1.2.1 display ip userlog export  1-28
    1.2.2 ip userlog nat  1-29
    1.2.3 ip userlog nat active-time  1-30
    1.2.4 ip userlog nat export host  1-31
    1.2.5 ip userlog nat export source-ip  1-31
    1.2.6 ip userlog nat export version  1-32
    1.2.7 ip userlog nat mode flow-begin  1-32


    Chapter 1 NAT Configuration Commands

    Note: The line processing units (LPU) mentioned in this chapter refer to LSB1NATB0.

    1.1 NAT Configuration Commands

    1.1.1 display nat address-group

    Syntax

    display nat address-group [ group-number ]

    View

    Any view

    Parameters

    group-number: Group number of an address pool, in the range 0 to 319.

    Description

    Use the display nat address-group command to display the configuration of the address pool.

    Examples

    # Display the configuration of the address pool.

    display nat address-group
    NAT address-group information:
    0 : [address-group] 1.1.1.1 ---- 1.1.1.2
        [description] teacher
        [slot] 5
    1 : [address-group] 2.2.2.2 ---- 2.2.2.3
    --2 entries found--

    1.1.2 display nat aging-time

    Syntax

    display nat aging-time


    View

    Any view

    Parameters

    None

    Description

    Use the display nat aging-time command to display the aging time of a NAT entry.

    Examples

    # View the aging times of the NAT entries of various protocols.

    display nat aging-time
    NAT aging-time value information:
    alg ---- aging-time value is 120 (seconds)
    ftp ---- aging-time value is 7200 (seconds)
    h.323 ---- aging-time value is 600 (seconds)
    ils ---- aging-time value is 600 (seconds)
    The slot 5 NP-Timer configuration:
    Selection of NP-Timer is : Slow-Timer
    Fast-Timer : 1 seconds
    Slow-Timer: 300 seconds

    1.1.3 display nat all

    Syntax

    display nat all

    View

    Any view

    Parameters

    None

    Description

    Use the display nat all command to display all the configurations about NAT.

    Examples

    # Display all the configurations about NAT.

    display nat all
    NAT address-group information:
    No address-groups have been configured
    --0 entry found--
    NAT outbound information:
    No interfaces have been configured for NAT
    --0 entry found--
    Server in private network information:
    No internal servers have been configured
    --0 entry found--
    Static NAT information:
    No static NAT has been configured
    --0 entry found--
    NAT aging-time value information:
    alg ---- aging-time value is 120 (seconds)
    ftp ---- aging-time value is 7200 (seconds)
    h.323 ---- aging-time value is 600 (seconds)
    ils ---- aging-time value is 600 (seconds)
    The slot 5 NP-Timer configuration:
    Selection of NP-Timer is : Slow-Timer
    Fast-Timer : 1 seconds
    Slow-Timer: 300 seconds
    There are no configuration of vpn limit

    1.1.4 display nat auto-reset-session

    Syntax

    display nat auto-reset-session

    View

    Any view

    Parameters

    None

    Description

    Use the display nat auto-reset-session command to display the status of the NAT session table auto-reset function.

    Examples

    # Display the status of the NAT session table auto-reset function.

    display nat auto-reset-session
    Reset NAT session table automatically when interface becomes up or down.


    1.1.5 display nat blacklist

    Syntax

    display nat blacklist { all | [ vpn-instance vpn-name ] ip [ ip-address ] slot slot-no }

    View

    Any view

    Parameters

    all: Displays all blacklist configurations.

    vpn-instance vpn-name: Specifies the VPN that the user configured in the blacklist belongs to.

    ip ip-address: IP address configured in the blacklist.

    slot slot-no: Specifies the slot where the NAT service board resides.

    Description

    Use the display nat blacklist command to display the blacklist configurations and operation states.

    Use the display nat blacklist all command to display all the configurations of the blacklist.

    Use the display nat blacklist vpn-instance vpn-name ip ip-address slot slot-no command to display the blacklist configurations and operation states for an IP address in a VPN.

    Examples

    # Display all the configurations of the blacklist.

    display nat blacklist all
    Blacklist function global configuration:
    Blacklist function is started.
    Connection amount control is enabled.
    Connection set-up rate control is enabled.
    Amount control limit: 500 sessions.
    Rate control limit: 250 session/s.
    Special rate control limit: 250 session/s.
    Global Committed Burst Size is 150
    Special IP Committed Burst Size is 150
    Altogether 1 IP addresses have special configuration:
    Control limit configuration of VPN vpn1 IP 100.0.0.3:
    Amount control limit: 500 sessions.
    Rate control limit uses special configuration.

    # Display the blacklist configurations and operation states for IP address 100.0.0.3 in VPN1.

    display nat blacklist vpn-instance vpn1 ip 100.0.0.3 slot 4
    Blacklist function global configuration:
    Blacklist function is started.
    Connection amount control is enabled.
    Connection set-up rate control is enabled.
    Amount control limit: 500 sessions.
    Rate control limit: 250 session/s.
    Special rate control limit: 250 session/s.
    Global Committed Burst Size is 150
    Special IP Committed Burst Size is 150
    Control limit configuration of VPN vpn1 IP 100.0.0.3:
    Amount control limit: 500 sessions.
    Rate control limit uses special configuration.
    Blacklist running statistics of IP 100.0.0.3:
    Amount of connection already set up: 0 sessions.
    IP 100.0.0.3 is not in the blacklist!
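    A monitoring script an operator might run over this output, added here as an example that is not part of the manual: it parses the per-IP display nat blacklist output shown above and flags a host that is already blacklisted or is close to its connection-amount limit. The one-field-per-line layout of the sample and the wording of the positive "is in the blacklist" line are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Output of "display nat blacklist vpn-instance vpn1 ip 100.0.0.3 slot 4" transcribed
# from the manual page above; one field per line is an assumed layout.
SAMPLE_OUTPUT = """\
Blacklist function global configuration:
Blacklist function is started.
Connection amount control is enabled.
Connection set-up rate control is enabled.
Amount control limit: 500 sessions.
Rate control limit: 250 session/s.
Special rate control limit: 250 session/s.
Global Committed Burst Size is 150
Special IP Committed Burst Size is 150
Control limit configuration of VPN vpn1 IP 100.0.0.3:
Amount control limit: 500 sessions.
Rate control limit uses special configuration.
Blacklist running statistics of IP 100.0.0.3:
Amount of connection already set up: 0 sessions.
IP 100.0.0.3 is not in the blacklist!
"""


@dataclass
class BlacklistStatus:
    ip: Optional[str] = None
    vpn: Optional[str] = None
    function_started: bool = False
    amount_control: bool = False
    rate_control: bool = False
    global_amount_limit: Optional[int] = None  # sessions
    global_rate_limit: Optional[int] = None    # sessions per second
    special_rate_limit: Optional[int] = None   # sessions per second
    ip_amount_limit: Optional[int] = None      # per-IP override, if configured
    ip_uses_special_rate: bool = False
    sessions_set_up: Optional[int] = None
    in_blacklist: bool = False


_RE_IP_CONFIG = re.compile(r"^Control limit configuration of (?:VPN (\S+) )?IP (\S+):")
_RE_IP_STATS = re.compile(r"^Blacklist running statistics of IP (\S+):")
_RE_AMOUNT = re.compile(r"^Amount control limit:\s*(\d+) sessions")
_RE_RATE = re.compile(r"^Rate control limit:\s*(\d+) session/s")
_RE_SPECIAL_RATE = re.compile(r"^Special rate control limit:\s*(\d+) session/s")
_RE_SET_UP = re.compile(r"^Amount of connection already set up:\s*(\d+) sessions")
# The manual only shows the negative form; the positive wording is an assumption.
_RE_VERDICT = re.compile(r"^IP (\S+) is (not )?in the blacklist")


def parse_blacklist_output(text: str) -> BlacklistStatus:
    """Walk the output section by section and fill a BlacklistStatus."""
    status = BlacklistStatus()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Blacklist function global configuration"):
            section = "global"
            continue
        if (m := _RE_IP_CONFIG.match(line)):
            status.vpn, status.ip = m.group(1), m.group(2)
            section = "ip"
            continue
        if (m := _RE_IP_STATS.match(line)):
            status.ip = status.ip or m.group(1)
            section = "stats"
            continue
        if (m := _RE_VERDICT.match(line)):
            status.ip = status.ip or m.group(1)
            status.in_blacklist = m.group(2) is None
            continue
        if section == "global":
            if line.startswith("Blacklist function is started"):
                status.function_started = True
            elif line.startswith("Connection amount control is enabled"):
                status.amount_control = True
            elif line.startswith("Connection set-up rate control is enabled"):
                status.rate_control = True
            elif (m := _RE_AMOUNT.match(line)):
                status.global_amount_limit = int(m.group(1))
            elif (m := _RE_SPECIAL_RATE.match(line)):
                status.special_rate_limit = int(m.group(1))
            elif (m := _RE_RATE.match(line)):
                status.global_rate_limit = int(m.group(1))
        elif section == "ip":
            if (m := _RE_AMOUNT.match(line)):
                status.ip_amount_limit = int(m.group(1))
            elif "uses special configuration" in line:
                status.ip_uses_special_rate = True
        elif section == "stats":
            if (m := _RE_SET_UP.match(line)):
                status.sessions_set_up = int(m.group(1))
    return status


def amount_utilization(status: BlacklistStatus) -> Optional[float]:
    """Fraction of the effective amount limit consumed; a per-IP limit overrides the global one."""
    limit = status.ip_amount_limit if status.ip_amount_limit is not None else status.global_amount_limit
    if not limit or status.sessions_set_up is None:
        return None
    return status.sessions_set_up / limit


def needs_attention(status: BlacklistStatus, warn_ratio: float = 0.8) -> bool:
    """True when the host is already blacklisted or has used warn_ratio of its amount limit."""
    if status.in_blacklist:
        return True
    util = amount_utilization(status)
    return util is not None and util >= warn_ratio
```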

    1.1.6 display nat outbound

    Syntax

    display nat outbound

    View

    Any view

    Parameters

    None

    Description

    Use the display nat outbound command to display the information about all mapping entries of NAT Outbound.

    Examples

    # Display the information about all mapping entries of NAT Outbound.

    display nat outbound
    NAT outbound information:
    Vlan-interface2 : [acl] 2000
        [address-group] 1
        [type] pat
        [slot] 5
    Vlan-interface3 : [acl] 2000
        [address-group] 0 -- teacher
        [type] no-pat
        [slot] 5
    Vlan-interface4 : [acl] 2001
        [address-group] interface
        [type] pat
        [slot] 5
    --3 entries found--

    1.1.7 display nat server

    Syntax

    display nat server

    View

    Any view

    Parameters

    None

    Description

    Use the display nat server command to display information about all the internal servers.

    Examples

    # Display information about all the internal servers.

    display nat server
    Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.23: 80(www) [local] 100.0.0.23: 80(www)
    Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.23: 8000 [local] 100.0.0.23: 21(ftp)
    Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.1: 8000 [local] 100.0.0.3: 21(ftp)
    Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.2: 0(any) [local] 100.0.0.4: 0(any)
    --4 entries found
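    An audit helper for this output, added here as an example that is not part of the manual: it parses display nat server entries and reports which internal hosts and ports are published, singling out the 0(any) mappings that expose every port of a host rather than one service. The one-entry-per-line layout of the sample is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Output of "display nat server" transcribed from the manual page above; one entry
# per line is an assumed layout (the page scrape flattened the original).
SAMPLE_OUTPUT = """\
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.23: 80(www) [local] 100.0.0.23: 80(www)
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.23: 8000 [local] 100.0.0.23: 21(ftp)
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.1: 8000 [local] 100.0.0.3: 21(ftp)
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1, [global] 23.23.23.2: 0(any) [local] 100.0.0.4: 0(any)
--4 entries found
"""

# Service names in parentheses (www, ftp, any) are optional: "8000" has none.
_ENTRY = re.compile(
    r"Slot:(?P<slot>\d+), Interface:(?P<iface>\S+), Protocol:(?P<proto>\d+)\((?P<proto_name>\w+)\),"
    r"(?: in VPN (?P<vpn>\S+),)?"
    r" \[global\] (?P<gaddr>\S+): (?P<gport>\d+)(?:\([\w.-]+\))?"
    r" \[local\] (?P<laddr>\S+): (?P<lport>\d+)(?:\([\w.-]+\))?"
)


@dataclass
class ServerMapping:
    slot: int
    interface: str
    proto_name: str
    vpn: str          # "" when the entry is in the public network
    global_addr: str
    global_port: int  # 0 means "any": every port of the host is published
    local_addr: str
    local_port: int


def parse_nat_servers(text: str) -> List[ServerMapping]:
    entries: List[ServerMapping] = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue  # command echo, footer ("--4 entries found") or blank line
        entries.append(ServerMapping(
            slot=int(m["slot"]), interface=m["iface"], proto_name=m["proto_name"],
            vpn=m["vpn"] or "", global_addr=m["gaddr"], global_port=int(m["gport"]),
            local_addr=m["laddr"], local_port=int(m["lport"]),
        ))
    return entries


def wide_open_mappings(entries: List[ServerMapping]) -> List[ServerMapping]:
    """Entries that publish a whole internal host (port 0 = any) rather than one service."""
    return [e for e in entries if e.global_port == 0]


def exposed_services(entries: List[ServerMapping]) -> Dict[str, List[Tuple[str, int]]]:
    """Internal host -> list of (protocol, local port) reachable from the public side."""
    table: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for e in entries:
        table[e.local_addr].append((e.proto_name, e.local_port))
    return dict(table)
```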


    1.1.8 display nat static

    Syntax

    display nat static

    View

    Any view

    Parameters

    None

    Description

    Use the display nat static command to display all static address translation entries.

    Examples

    # Display all static address translation entries.

    display nat static
    Static NAT information:
    Vlan-interface24 : [global-address] 24.2.1.1
        [inside-address] 192.168.2.1
        [slot] 5
    Vlan-interface25 : [global-address] 25.2.1.1 ---- 25.2.1.10
        [inside-address] 192.168.3.1 ---- 192.168.3.10
        [slot] 5
    --2 entry found--

    1.1.9 display nat statistics

    Syntax

    display nat statistics slot slot-no

    View

    Any view

    Parameters

    slot-no: Number of the slot in which the NAT service board currently functioning resides.

    Description

    Use the display nat statistics command to display the statistics of the current NAT information.


    Examples

    # Display the statistics of the current NAT information.

    display nat statistics slot 3
    Running information in slot 3:
    active PAT session table count in CPU:0
    active PAT session table count in NP:1
    active NO-PAT session table count:0
    active SERVER session table count:3
    active STATIC NAT session table count: 11

    Table 1-1 Description of the fields of the display nat statistics slot command

    Field                                    Description
    Running information in slot              Slot information
    active PAT session table count in CPU    Number of NAPT entries in CPU
    active PAT session table count in NP     Number of NAPT entries in NP
    active NO-PAT session table count        Number of NAT entries in CPU
    active SERVER session table count        Number of user-configured internal server entries
    active STATIC NAT session table count    Number of static address translation entries

    Note: In PAT mode, the hardware of S9500 series switches creates a positive stream and a reversed stream (used for reversed PAT) when it creates a stream. However, the NAT log exports the positive stream only.

    1.1.10 display nat vpn limit

    Syntax

    display nat vpn limit { all | public | vpn-instance vpn-name }

    View

    System view

    Parameters

    all: Queries the maximum number of users and connections of all the VPNs.

    public: Queries the maximum number of users and connections of the public network.


    vpn-instance: Queries the maximum number of users and connections of the specified VPN.

    vpn-name: Name of a VPN instance.

    Description

    Use the display nat vpn limit command to display the maximum number of users and connections of all the VPNs or the specified VPN of NAT.

    Examples

    # Display the maximum number of users and connections of all the VPNs of NAT.

    display nat vpn limit all
    The slot 4 nat state of public:
    The max user count is 1000.
    The current user count is 0.
    The available user count is 1000.
    The max connection count is 10000.
    The current connection count is 0.
    The available connection count is 10000.
    The slot 4 nat state of vpn-instance vpn1:
    The max user count is 1000.
    The current user count is 0.
    The available user count is 1000.
    The max connection count is 10000.
    The current connection count is 0.
    The available connection count is 10000

    1.1.11 nat address-group

    Syntax

    nat address-group group-number { { start-addr end-addr [ description text ] } | description text }

    undo nat address-group group-number

    View

    System view

    Parameters

    group-number: Group number of an address pool.


    start-addr: Starting IP address of an address pool.

    end-addr: Ending IP address of an address pool.

    text: A description string of 1 to 31 characters.

    Description

    Use the nat address-group command to configure an address pool.

    Use the undo nat address-group command to delete an address pool.

    An address pool is a group of external IP addresses. If start-addr and end-addr are the same, the pool contains only one address.

    • To create an address pool, use the nat address-group group-number start-addr end-addr [ description text ] command.

    • To modify the description string of an address pool, use the nat address-group group-number description text command.

    Caution:

    • The number of addresses in an address pool (the number of public addresses in the pool) must not exceed 256.

    • You cannot configure network segment addresses or broadcast addresses as addresses in an address pool.

    • The IP addresses configured in the NAT address pool must not be the same as IP addresses in the internal network.

    • You cannot delete an address pool that is associated with an ACL.

    • When NAPT is enabled, an address pool cannot contain more than 32 addresses.

    Examples

    # Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.

    system-view
    [H3C] nat address-group 1 202.110.10.10 202.110.10.15

    # Configure address pool 2 with addresses 203.110.10.10 to 203.110.10.110, and the description string teacher.

    system-view
    [H3C] nat address-group 2 203.110.10.10 203.110.10.110 description teacher

    # Modify the description string of address group 2 to teacher&student.

    system-view
    [H3C] nat address-group 2 description teacher&student
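    A pre-change check a practitioner could run before issuing nat address-group, added here as an example that is not part of the manual: it validates a proposed pool against the limits in the Caution above (256 addresses, 32 with NAPT, no network or broadcast addresses, no overlap with internal networks, group-number and description ranges). The prefix length used to recognise network and broadcast addresses is an assumption, since the command itself carries no mask.

```python
import ipaddress
from typing import Iterable, List, Optional

# Limits stated in the nat address-group description and Caution list above.
MAX_POOL_ADDRESSES = 256
MAX_POOL_ADDRESSES_NAPT = 32
MAX_GROUP_NUMBER = 319
MAX_DESCRIPTION_LEN = 31


def validate_address_pool(
    group_number: int,
    start_addr: str,
    end_addr: str,
    internal_networks: Iterable[str],
    napt: bool = True,
    description: Optional[str] = None,
    prefix_len: int = 24,
) -> List[str]:
    """Return the rule violations for a proposed 'nat address-group' (empty list = OK).

    prefix_len is an assumption: the manual forbids network and broadcast addresses
    but the command carries no mask, so the caller supplies the prefix length of the
    public subnet the pool is carved from.
    """
    problems: List[str] = []
    if not 0 <= group_number <= MAX_GROUP_NUMBER:
        problems.append(f"group-number {group_number} is outside the range 0 to {MAX_GROUP_NUMBER}")
    if description is not None and not 1 <= len(description) <= MAX_DESCRIPTION_LEN:
        problems.append(f"description must be 1 to {MAX_DESCRIPTION_LEN} characters")

    start = ipaddress.IPv4Address(start_addr)
    end = ipaddress.IPv4Address(end_addr)
    if start > end:
        problems.append(f"start address {start} is greater than end address {end}")
        return problems
    count = int(end) - int(start) + 1
    if count > MAX_POOL_ADDRESSES:
        problems.append(f"pool holds {count} addresses; the limit is {MAX_POOL_ADDRESSES}")
    if napt and count > MAX_POOL_ADDRESSES_NAPT:
        problems.append(f"pool holds {count} addresses; with NAPT enabled the limit is {MAX_POOL_ADDRESSES_NAPT}")

    # Network segment and broadcast addresses must not be pooled. The scan is bounded
    # because an over-size pool has already been reported above.
    for offset in range(min(count, MAX_POOL_ADDRESSES)):
        addr = start + offset
        subnet = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        if addr == subnet.network_address:
            problems.append(f"{addr} is the network address of {subnet}")
        elif addr == subnet.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {subnet}")

    # Pool addresses must not coincide with addresses of the internal network.
    pool_blocks = list(ipaddress.summarize_address_range(start, end))
    for net_str in internal_networks:
        net = ipaddress.ip_network(net_str)
        if any(block.overlaps(net) for block in pool_blocks):
            problems.append(f"pool overlaps the internal network {net}")
    return problems
```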


    1.1.12 nat aging-time

    Syntax

    nat aging-time alg time-value

    undo nat aging-time alg

    View

    System view

    Parameters

    alg time-value: Aging time of NAT entries requiring application level gateway (ALG) processing in seconds.

    Note: As for the NO-PAT method, the aging time cannot be set and it adopts fast aging time.

    Description

    Use the nat aging-time command to set the aging time for NAT entries.

    Use the undo nat aging-time command to restore the default value of the aging time for NAT.

    By default, the aging time of NAT entries requiring application level gateway (ALG) processing is 120 seconds, and that for FTP is 7200 seconds.

    Examples

    # Set the aging time of NAT entries requiring ALG processing to 245 seconds.

    system-view
    [H3C] nat aging-time alg 245

    1.1.13 nat auto-reset-session

    Syntax

    nat auto-reset-session

    undo nat auto-reset-session

    View

    System view


    Parameters

    None

    Description

    Use the nat auto-reset-session command to enable the NAT session table auto-reset function, which resets the NAT session table when a NAT-enabled VLAN interface goes up or down.

    Use the undo nat auto-reset-session command to disable the function.

    By default, the NAT session table auto-reset function is disabled.

    After you execute this command, the NAT session table is reset only when a NAT-enabled VLAN interface goes up or down.

    This function is typically used in link backup networks. When the active link goes down, the corresponding NAT session table is cleared, and NAT configured on the backup link then performs address translation for the packets.

    Because all NAT session tables are cleared whenever a NAT-enabled VLAN interface goes up or down, enabling this function in a common network is not recommended.

    Examples

    # Enable the NAT session table auto-reset function when the VLAN interface goes up or down.

    system-view
    [H3C] nat auto-reset-session

    1.1.14 nat blacklist start

    Syntax

    nat blacklist start

    undo nat blacklist start

    View

    System view

    Parameters

    start: Starts the blacklist function for the whole system.

    Description

    Use the nat blacklist command to set the properties of the blacklist function; nat blacklist start starts the blacklist function for the whole system.

    Use the undo nat blacklist command to disable a property or function of the blacklist; undo nat blacklist start stops the blacklist function.

    The blacklist function is disabled by default.


    Examples

    # Enable the blacklist function for the whole system.

    system-view
    [H3C] nat blacklist start

    1.1.15 nat blacklist mode

    Syntax

    nat blacklist mode { amount | rate | all }

    undo nat blacklist mode { amount | rate | all }

    View

    System view

    Parameters

    mode: Sets the control mode.

    amount: Controls the amount of user connections only.

    rate: Controls the rate of user link set-up only.

    all: Controls both the amount of user connections and the rate of user link set-up.

    Note: The connection here refers to the address mapping relationship set up during NAT. The rate of link set-up is the rate at which such connections are set up, namely, the number of connections set up per second.

    Description

    Use the nat blacklist mode command to set the control mode of the blacklist function. You can select to control the number of user connections, the rate of link set-up or both.

    Use the undo nat blacklist mode command to disable the configured control mode of the blacklist function.

    Examples

    # Control the number of user connections only.

    system-view
    [H3C] nat blacklist mode amount


    1.1.16 nat blacklist limit amount

    Syntax

    nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ] max-amount

    undo nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ]

    View

    System view

    Parameters

    vpn-instance vpn-name: Name of a VPN instance. When this argument is specified, the IP address configured in the blacklist is the IP address in VPN.

    user-ip: IP address of the specified user.

    max-amount: Upper threshold value for the total number of NAT connections that a user can set up, in the range of 20 to 20,000. The max-amount argument is 500 by default.

    Description

    Use the nat blacklist limit amount command to set the threshold value for the user connections.

    Use the undo nat blacklist limit amount command to restore the threshold value for the user connections to the default value.

    • If the source keyword is not specified, this configuration is effective for the global users.

    • If the source keyword is specified, this configuration is effective for the users of the specified source IP address.

    Caution:

    While the system is running, if you do not execute the reset nat session command after configuring the global user connection limit, existing connections that exceed the new upper limit are not removed until their streams age out.

    Examples

    # Set the threshold value for the number of global connections.

    system-view
    [H3C] nat blacklist limit amount 2222


    # Set the threshold value for the number of connections for source IP address 1.1.1.1.

    system-view
    [H3C] nat blacklist limit amount source 1.1.1.1 2222

    # Set the threshold value for the number of connections for IP address 100.0.0.1 in the private network VPN1.

    system-view
    [H3C] nat blacklist limit amount vpn-instance vpn1 source 100.0.0.1 2222

    1.1.17 nat blacklist limit rate

    Syntax

    nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs burst-size ]

    undo nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs burst-size ]

    View

    System view

    Parameters

    cir cir-value: Sets the threshold value, in sessions per second, for the committed information rate (CIR), which is the average rate on a port over a long period. The value ranges from 20 to 262,144; the default is 250.

    cbs burst-size: Sets the threshold value for the committed burst size (CBS), which is the maximum burst size before part of the traffic exceeds the CIR, in the range [ cir-value, 90*cir-value ] in bits. The default is 375 bits.

    ebs burst-size: Sets the threshold value for the extended burst size (EBS), which is the maximum burst size before all the traffic exceeds the CIR, in the range [ 0, 90*cir-value ] in bits. It must be no greater than the value specified by cbs burst-size. The default is 0.

    Description

    Use the nat blacklist limit rate command to set the threshold value for the rate of link set-up, namely, the number of connections set up per second. The user who exceeds the threshold value will not be displayed in the blacklist.

    Use the undo nat blacklist limit rate command to restore the threshold value for the rate of link set-up to the default value.

    In the commands above:

    • If the source ip keyword is not specified, this configuration is effective for default users.


    • If the source ip keyword is specified, this configuration is effective for the users of the specified source IP address only.

    • If you do not use the nat blacklist limit rate command, the system adopts the default values of cir-value, cbs burst-size, and ebs burst-size, that is, 250, 375, and 0 respectively.

    • If you use the nat blacklist limit rate command to configure the cir-value argument only, the value of cbs burst-size is cir-value*1.5, and the value of ebs burst-size is 0.

    Caution:

    • You can set the threshold value for the maximum number of connections of a specified IP address to any value within the value range. However, the threshold value for the maximum rate of link set-up must be the same for all the specified source IP addresses.

    • While the system is running, you must execute the reset nat session command once after you modify the blacklist configuration (except the blacklist configuration for a specified source IP address).

    • When there are multiple LPUs in a device, each LPU maintains its own blacklist information independently. However, the commands that configure the blacklist take effect on all the blacklist-enabled LPUs at the same time.

    Examples

    # Set the threshold value for the default rate of link set-up.

    system-view
    [H3C] nat blacklist limit rate cir 20 cbs 1799 ebs 40

    # Set the special threshold value for the rate of link set-up.

    system-view
    [H3C] nat blacklist limit rate source ip cir 20 cbs 1799 ebs 40

    1.1.18 nat blacklist limit rate source

    Syntax

    nat blacklist limit rate [ vpn-instance vpn-name] source ip-address

    undo nat blacklist limit rate [ vpn-instance vpn-name] source ip-address

    View

    System view


    Parameters

    vpn-instance vpn-name: Name of a VPN instance. When this argument is specified, the IP address configured in the blacklist is the IP address in VPN.

    source ip-address: IP address of the specified user.

    Description

    Use the nat blacklist limit rate source ip-address command to specify the IP address of a user to whom the special control mode for the rate of link set-up applies. For the special threshold itself, see the nat blacklist limit rate source ip command in 1.1.17 nat blacklist limit rate.

    Use the undo nat blacklist limit rate source ip-address command to disable the user IP address setting.

    Caution:

    • You can set the threshold value for the maximum number of connections of a specified IP address to any value within the value range. However, the threshold value for the maximum rate of link set-up must be the same for all the specified source IP addresses.

    • While the system is running, you must execute the reset nat session command once after you modify the blacklist configuration (except the blacklist configuration for a specified source IP address).

    • When there are multiple LPUs in a device, each LPU maintains its own blacklist information independently. However, the commands that configure the blacklist take effect on all the blacklist-enabled LPUs at the same time.

    Examples

    # Use the special threshold value to control the rate of link set-up of the user 2.2.2.2.

    system-view
    [H3C] nat blacklist limit rate source 2.2.2.2

    # Use the special threshold value to control the rate of link set-up of the user 200.0.0.1 in the private network VPN1.

    system-view
    [H3C] nat blacklist limit rate vpn-instance vpn1 source 200.0.0.1


    1.1.19 nat outbound

    Syntax

    nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-no

    undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-no

    View

    VLAN interface view

    Parameters

    address-group: Specifies that NAT uses the address pool. If you do not specify an address pool, the IP address of the interface is used as the translated address (the Easy IP feature).

    no-pat: Specifies that only IP addresses included in data packets are translated while the port number information is left unused.

    acl-number: ACL number, in the range 2,000 to 3,999.

    group-number: Address pool number, in the range 0 to 319.

    slot-no: Number of the slot where the NAT LPU resides.

    Description

    Use the nat outbound command to associate an ACL with an address pool.

    Use the undo nat outbound command to delete the corresponding NAT rule.

    After the association, packets whose source addresses match acl-number are translated using address pool group-number. The slot-no argument specifies the NAT LPU on which the address pool resides; all address translations using this address pool are processed on that NAT LPU.

    After the ACL and the address pool are associated, an eligible source address of a data packet is translated either to an address selected from the address pool or directly to the IP address of the interface. Multiple NAT associations can be configured on a VLAN interface, which is normally connected to the ISP and acts as the egress of the internal network. Use the corresponding undo command to delete a NAT association.

    If you do not specify any value for the address-group keyword, the Easy IP feature is implemented for NAT, and the IP address of the interface is used as the translated address.


    Note:

    • For the ACL associated with an address pool, only the source VPN, source IP address, and destination IP address fields in it are used. They are also used to tell whether two rules conflict.

    • Do not execute the undo nat outbound command too often after the configuration is stable.

    Caution:

    Address translation is performed on the NAT LPU. Because packets sent from a private network are not delivered to the NAT LPU by default, you need to reference QACLs on the receiving interface to redirect those packets to the NAT LPU. For details, refer to the traffic-redirect command in QoS Commands of the QoS ACL Volume. You do not need to configure redirection for the response packets sent from the public network, because their destination IP address (DIP) is an address from the address pool.

    Examples

    # Allow hosts on the network segment 192.168.1.0/24 in VPN1 and VPN2 and the network segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to 202.110.10.12. Suppose VLAN interface 2 is connected to the ISP.

    system-view
    [H3C] acl number 3000
    [H3C-acl-adv-3000] rule permit ip source 10.110.10.0 0.0.0.255
    [H3C-acl-adv-3000] rule permit ip vpn-instance VPN1 source 192.168.1.0 0.0.0.255
    [H3C-acl-adv-3000] rule permit ip vpn-instance VPN2 source 192.168.1.0 0.0.0.255
    [H3C-acl-adv-3000] quit

    # Configure the address pool.

    [H3C] nat address-group 1 202.110.10.10 202.110.10.12

    # Configure NAT binding on NAT LPU 3, allowing packets that match ACL 3000 to be processed by NAT. The address will be translated into one of address pool 1.

    [H3C] interface Vlan-interface 2
    [H3C-Vlan-interface2] nat outbound 3000 address-group 1 slot 3

    # Configure to use one-to-one NAT (do not use TCP/UDP port information for NAT).

    [H3C-Vlan-interface2] nat outbound 3000 address-group 1 no-pat slot 3


    # Perform the following configuration to use the IP address of VLAN-interface 2 directly.

    [H3C-Vlan-interface2] nat outbound 3000 slot 3

    # Configure ACLs for packet redirection. It is recommended to configure two ACLs, namely ACL 4000 and ACL 3001. ACL 4000 permits packets with VLAN ID 192 and a DMAC equal to the MAC address of VLAN-interface 192 (000f-e23f-3294); only Layer 3 packets need to be redirected to the NAT LPU for translation, while protocol and Layer 2 packets do not. ACL 3001 permits packets with a source IP address in 10.110.10.0/24. The ID of the VLAN on the private network side is 192.

    [H3C] acl number 4000
    [H3C-acl-link-4000] rule permit ingress 192 egress 000f-e23f-3294 0-0-0
    [H3C-acl-link-4000] quit
    [H3C] acl number 3001
    [H3C-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255
    [H3C-acl-adv-3001] quit

    # Customize a flow template, and then apply it to Ethernet 4/1/1. The interface card is located in slot 4. For details about flow template, refer to Defining and Applying Flow Template in ACL Configuration of the QoS ACL Volume.

    [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid
    [H3C] interface Ethernet4/1/1
    [H3C-Ethernet4/1/1] flow-template user-defined

    # Reference the ACLs to redirect the packets that need to be translated to the NAT LPU. Ethernet 4/1/1 is the inbound interface on the private network side and the VLAN ID is 192.

    [H3C] interface Ethernet4/1/1
    [H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 link-group 4000 rule 0 slot 3 designated-vlan 192

    Caution:

    You need to bind VPN 1 to VLAN 192 on the private network side before referencing the ACLs for packet redirection.

    # The configuration of VPN 2 is similar to that of VPN 1.


    1.1.20 nat server

    Syntax

    nat server protocol { tcp | udp } global global-addr global-port inside [ vpn-name ] host-addr host-port slot slot-no

    undo nat server protocol { tcp | udp } global global-addr global-port inside [ vpn-name ] host-addr host-port slot slot-no

    nat server protocol { tcp | udp } global global-addr global-port1 global-port2 inside [ vpn-name ] host-addr1 host-addr2 host-port slot slot-no

    undo nat server protocol { tcp | udp } global global-addr global-port1 global-port2 inside [ vpn-name ] host-addr1 host-addr2 host-port slot slot-no

    nat server protocol { icmp | tcp | udp } global global-addr inside [ vpn-name ] host-addr slot slot-no

    undo nat server protocol { icmp | tcp | udp } global global-addr inside [ vpn-name ] host-addr slot slot-no

    View

    VLAN interface view

    Parameters

    global-addr: Public IP address of the server, by which external devices access the server.

    global-port: External service port numbers of servers. When TCP or UDP is selected as the protocol type, the external devices can access the services provided by servers through the external service ports.

    host-addr: IP address of the server on the internal LAN.

    host-port: Service port number provided by the server, in the range from 0 to 12287. A value of 0 indicates that the server can provide any type of service. You can use a keyword to indicate a frequently used port number. For example, you can use www for the WWW service port number 80, ftp for the FTP service port number 21, and any for 0.

    Note that the global-port argument must be any when the host-port argument is any, indicating an AnyServer is configured. Otherwise, this configuration does not take effect.

    global-port1 global-port2: Specifies a range of external service port numbers that corresponds to the address range of internal hosts. global-port2 must be greater than global-port1, and the corresponding host-port cannot be 0.

    vpn-name: Name of the VPN of the internal server private network side. If this argument is not specified, the private network side does not belong to any VPN.

    Note that IP addresses cannot be used as vpn-name. If you use IP addresses as VPN names, the CLI treats them as IP addresses uniformly.


    host-addr1 host-addr2: Specifies an address range of internal hosts that corresponds to the range of external service port numbers. host-addr2 must be greater than host-addr1. The number of addresses in the range must equal the number of external service ports.

    slot-no: Specifies the number of the slot in which the NAT service board resides.

    Description

    Use the nat server command to define mapping relationships from public addresses and external service port numbers to internal addresses and internal service port numbers.

    After the configuration, by using the address and port number defined by the global-addr and the global-port parameters, you can access the internal server with the address and port number specified by the host-addr and host-port parameters.

    Use the undo nat server command to cancel the mapping table.

    The keywords icmp, tcp and udp are the protocol types carried by IP, which can be represented by 1, 6 and 17 respectively. You can select only one protocol type in a command. If no port is specified in the command, an AnyServer is configured.

    An AnyServer is used to define a mapping relationship between a public address and the internal address of a server for the specified protocol type. Through this mapping, hosts on the public network and on the private network can access each other.


    Caution:

    • Up to 256 internal server translation commands can be configured for a VLAN interface.

    • One command can be used to configure up to 128 internal servers.

    • Up to 4,096 internal TCP and UDP servers can be configured for a VLAN interface.

    • Only the same NAT LPU can be configured for a VLAN interface.

    • Up to 1,024 internal server translation commands are supported by the system.

    • Up to 512 AnyServers are supported by the system.

    • The public address of an AnyServer cannot conflict with any interface public IP addresses or other public addresses used by NAT; the private address of the AnyServer cannot conflict with those configured in the static address translation entries or those of the servers of the same protocol.

    • Do not execute the undo nat server command too often after the configuration is stable.

    • Address translation is performed on the NAT LPU. Because packets sent from the private network will not be delivered to the NAT LPU by default, you need to reference QACLs on the receiving interface to redirect those packets to the NAT LPU. You do not need to specify the DIP in the response packet sent from the public network because it is the public network address corresponding to the internal server.

    • IP addresses cannot be used as vpn-name. If you use IP addresses as VPN names, the CLI treats them as IP addresses uniformly.

    The interface configured with this command should be connected to the ISP and acts as the egress of the internal network.
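The following Python model is an added example, not code from the manual or from H3C: it expands the single and range forms of nat server into individual mappings, applies the constraints listed above (host-port any requires global-port any, global-port2 greater than global-port1, matching port and host counts, at most 128 servers per command), and shows where an inbound public-side packet is forwarded. The per-protocol conflict rule in add_entries is an assumption drawn from the manual's own example, which places a tcp and a udp AnyServer on the same public address.

```python
import ipaddress

# Port keywords accepted by the port arguments (from the manual: www=80, ftp=21, any=0).
PORT_KEYWORDS = {"www": 80, "ftp": 21, "any": 0}
MAX_SERVERS_PER_COMMAND = 128   # manual: one command configures up to 128 servers


def parse_port(value):
    """Accept a keyword (www, ftp, any) or a numeric port in the range 0..12287."""
    if isinstance(value, str) and value.lower() in PORT_KEYWORDS:
        return PORT_KEYWORDS[value.lower()]
    port = int(value)
    if not 0 <= port <= 12287:
        raise ValueError(f"port {port} outside 0..12287")
    return port


def nat_server(protocol, global_addr, global_port, inside, host_port, vpn=None,
               global_port2=None, host_addr2=None):
    """Expand one nat server command into (global -> inside) mapping entries.

    Single form: global G gp inside [vpn] H hp          -> one entry
    Range form:  global G gp1 gp2 inside [vpn] H1 H2 hp -> one entry per host
    Raises ValueError for combinations the manual says are invalid.
    """
    if protocol not in ("tcp", "udp", "icmp"):
        raise ValueError("protocol must be tcp, udp or icmp")
    gp1, hp = parse_port(global_port), parse_port(host_port)
    g, h1 = ipaddress.IPv4Address(global_addr), ipaddress.IPv4Address(inside)
    if global_port2 is None:
        # host-port any requires global-port any (an AnyServer); otherwise the
        # configuration does not take effect.
        if hp == 0 and gp1 != 0:
            raise ValueError("global-port must be any when host-port is any")
        return [{"proto": protocol, "vpn": vpn, "global": (str(g), gp1),
                 "inside": (str(h1), hp)}]
    gp2, h2 = parse_port(global_port2), ipaddress.IPv4Address(host_addr2)
    if gp2 <= gp1 or h2 <= h1:
        raise ValueError("global-port2 / host-addr2 must exceed global-port1 / host-addr1")
    if hp == 0:
        raise ValueError("host-port cannot be any in the range form")
    if gp2 - gp1 != int(h2) - int(h1):
        raise ValueError("number of external ports must equal number of hosts")
    count = gp2 - gp1 + 1
    if count > MAX_SERVERS_PER_COMMAND:
        raise ValueError(f"at most {MAX_SERVERS_PER_COMMAND} servers per command")
    # Public port gp1+i reaches internal host H1+i on host-port hp.
    return [{"proto": protocol, "vpn": vpn, "global": (str(g), gp1 + i),
             "inside": (str(h1 + i), hp)} for i in range(count)]


def add_entries(table, entries):
    """Append entries to a per-interface table, refusing AnyServer conflicts.

    Assumption (not stated this precisely by the manual): the conflict rule is
    applied per protocol, because the manual's example configures a tcp and a
    udp AnyServer on one public address.
    """
    for e in entries:
        for old in table:
            same = old["proto"] == e["proto"] and old["global"][0] == e["global"][0]
            if same and (old["global"][1] == 0 or e["global"][1] == 0
                         or old["global"][1] == e["global"][1]):
                raise ValueError(f"conflict with existing entry {old['global']}")
        table.append(e)
    return table


def inbound_lookup(table, protocol, dst_ip, dst_port):
    """Return (vpn, host, port) for a packet arriving from the public side."""
    for e in table:
        if e["proto"] == protocol and e["global"][0] == dst_ip:
            if e["global"][1] == dst_port:        # port-specific server
                return (e["vpn"],) + e["inside"]
            if e["global"][1] == 0:               # AnyServer: port is kept
                return (e["vpn"], e["inside"][0], dst_port)
    return None
```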

    Examples

    # Specify the IP address of the internal WWW server in the LAN VPN1 as 10.110.10.10, the IP address of the internal FTP server as 10.110.10.11, and allow external hosts to access the WWW server and FTP server by http://202.110.10.10:8080 and ftp://202.110.10.10 respectively. Specify the IP address of the internal server providing TCP and UDP services as 10.110.10.12 and the corresponding external address as 202.110.10.12. Suppose that VLAN-interface 2 is connected to the ISP.

    system-view
    [H3C] interface Vlan-interface 2
    [H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside VPN1 10.110.10.10 www slot 3
    [H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside VPN1 10.110.10.10 ftp slot 3


    [H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.12 any inside VPN1 10.110.10.12 any slot 3
    [H3C-Vlan-interface2] nat server protocol udp global 202.110.10.12 any inside VPN1 10.110.10.12 any slot 3

    # Configure ACLs for packet redirection. It is recommended to configure two ACLs: ACL 4000 and ACL 3001. ACL 4000 permits packets with VLAN ID 192 and a DMAC equal to the MAC address of VLAN-interface 192; only Layer 3 packets need to be redirected to the NAT LPU for translation, while protocol and Layer 2 packets do not. ACL 3001 is used to redirect packets that need to be translated to the NAT LPU. The ID of the VLAN on the private network side is 192.

    [H3C] acl number 4000
    [H3C-acl-link-4000] rule permit ingress 192 egress 000f-e23f-3294 0-0-0
    [H3C-acl-link-4000] quit
    [H3C] acl number 3001
    [H3C-acl-adv-3001] rule permit ip source 10.110.10.0 0.0.0.255
    [H3C-acl-adv-3001] quit

    # Customize a flow template, and then apply the flow template to Ethernet 4/1/1. The interface card is located in slot 4.

    [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid
    [H3C] interface Ethernet4/1/1
    [H3C-Ethernet4/1/1] flow-template user-defined

    # Reference the ACLs to redirect the packets that need to be translated to the NAT LPU. Ethernet 4/1/1 is the inbound interface on the private network side, and the VLAN ID is 192.

    [H3C] interface Ethernet4/1/1
    [H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 link-group 4000 rule 0 slot 3 designated-vlan 192

    Caution:

    You need to bind VPN 1 to VLAN 192 on the private network side before referencing the ACLs for packet redirection.

    1.1.21 nat static

    Syntax

    nat static global global-addr inside [ vpn-name ] host-addr slot slot-no


    undo nat static global global-addr inside [ vpn-name ] host-addr slot slot-no

    nat static global global-addr1 global-addr2 inside [ vpn-name ] host-addr1 host-addr2 slot slot-no

    undo nat static global global-addr1 global-addr2 inside [ vpn-name ] host-addr1 host-addr2 slot slot-no

    View

    VLAN interface view

    Parameters

    global-addr: Public network address.

    global-addr1 global-addr2: A group of public network addresses.

    host-addr: Private network address.

    host-addr1 host-addr2: A group of private network addresses.

    vpn-name: VPN name of the private network address. If this argument is not specified, the private network address does not belong to any VPN.

    slot-no: Number of the slot where the NAT service board is located.

    Description

    Use the nat static command to create static NAT mappings between public network addresses and private network addresses.

    After executing this command, the source IP address of a packet sent from an internal host will be translated into the public network address specified by the global-addr argument. External users can also access the TCP, UDP and ICMP services provided by the internal hosts through the specified public network address.

    Use the undo nat static command to remove the static NAT mappings.


    Caution:

    • Up to 1,024 static address translation commands are supported by the system.

    • Up to 4,096 static NAT mappings are supported by the system.

    • NAT configuration for a VLAN can only be made on the same NAT LPU.

    • Do not remove static NAT entries too often if they operate normally.

    • Address translation is performed on the NAT LPU. Because packets sent from the private network will not be delivered to the NAT LPU by default, you need to reference QACLs on the receiving interface to redirect those packets to the NAT LPU. You do not need to make specific NAT configuration for response packets from the public network because their destination public IP addresses are recorded in NAT entries.

    • The public network address in a static NAT entry should be globally unique.

    • IP addresses cannot be used as VPN names. If you use IP addresses as VPN names, the CLI treats them as IP addresses.

    Examples

    # Create a static mapping between the IP address 10.110.10.10 of a host in VPN 1 and public network address 202.110.10.10. Suppose that VLAN-interface 2 is connected to the ISP.

    system-view
    [H3C] interface Vlan-interface 2
    [H3C-Vlan-interface2] nat static global 202.110.10.10 inside VPN1 10.110.10.10 slot 3

    # Configure ACL 3001.

    [H3C] acl number 3001
    [H3C-acl-adv-3001] rule permit ip source 10.110.10.10 0.0.0.0
    [H3C-acl-adv-3001] quit

    # Reference ACL 3001 to redirect packets that are to be serviced by NAT to the NAT board. Ethernet 4/1/1 is connected to the private network, and 192 is the corresponding VLAN ID.

    [H3C] interface Ethernet4/1/1
    [H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 slot 3 designated-vlan 192


    Caution:

    You need to configure QACL redirection after binding VLAN 192 to the VPN.

    1.1.22 nat vpn limit

    Syntax

    nat vpn limit [ vpn-instance vpn-name ] user-limit flow-limit

    undo nat vpn limit [ vpn-instance vpn-name ]

    View

    System view

    Parameters

    vpn-instance vpn-name: Name of a VPN instance. If this argument is not specified, the command limits the number of users and connections on the non-VPN private network side.

    user-limit: Maximum number of users in a VPN translated by NAT. The sum of the maximum user numbers configured in VPNs cannot exceed 8,192.

    flow-limit: Maximum number of unidirectional connections in a VPN translated by NAT. The sum of the maximum connection numbers configured in VPNs cannot exceed 1,257,291.

    Description

    Use the nat vpn limit command to configure the maximum numbers of users and connections in the specified VPN. You must configure this command before configuring NAT bindings and blacklists. Because the NP need not set up streams for NAT translation in NO-PAT mode, this command is effective only for NAT translation in PAT mode.

    Use the undo nat vpn limit command to disable the configured maximum numbers of users and connections in the specified VPN.

    The maximum number of connections configured in the blacklist is limited by the maximum number of connections in the VPN. If the number of streams established in the VPN has reached the upper limit, you cannot create new connections any more.


    Note: The maximum numbers of users and connections in a VPN do not apply to NO-PAT mode.

    Examples

    # Configure the maximum numbers of users and connections in a VPN.

    system-view
    [H3C] nat vpn limit vpn-instance test 5000 5500

    1.1.23 reset nat session

    Syntax

    reset nat session slot slot-no

    View

    User view

    Parameters

    slot slot-no: Number of the slot where the NAT LPU resides.

    Description

    Use the reset nat session command to clear NAT mapping tables from the memory and NP.

    Examples

    # Clear the NAT mapping table established by the NAT LPU in slot 3.

    reset nat session slot 3

    1.2 NAT Security Logging Configuration Commands

    1.2.1 display ip userlog export

    Syntax

    display ip userlog export slot slot-no

    View

    Any view


    Parameters

    slot-no: Number of the slot where the LPU resides.

    Description

    Use the display ip userlog export command to display configurations and statistics of system logging.

    Examples

    # Display configurations of NAT logging.

    display ip userlog export slot 3
    NAT:
    IP userlog export is not enabled
    Version 1 export is enabled
    Export logs to 0.0.0.0 (Port: 0)
    Export using source address 0.0.0.0
    IP userlog flowbegin mode is not enabled
    IP userlog active time: 0 minutes
    0 logs exported in 0 udp datagrams
    0 logs in 0 udp datagrams failed to output
    0 entries buffered currently
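As an added example (not part of the manual), the script below parses the output of display ip userlog export and lists the gaps an operator reviewing NAT session logging would want to know about: export not enabled, no log server or source address set, an active-time of 0 (long-lived sessions are then logged only at teardown), and failed exports. The first sample is the output shown above; the second is a constructed sample of the same output after the ip userlog nat commands of this section have been configured, with invented counters.

```python
import re

# Output of 'display ip userlog export slot 3' as printed in the manual (logging off).
SAMPLE_DISABLED = """\
NAT:
IP userlog export is not enabled
Version 1 export is enabled
Export logs to 0.0.0.0 (Port: 0)
Export using source address 0.0.0.0
IP userlog flowbegin mode is not enabled
IP userlog active time: 0 minutes
0 logs exported in 0 udp datagrams
0 logs in 0 udp datagrams failed to output
0 entries buffered currently
"""

# Constructed sample (not from the manual) after export host, source-ip,
# active-time and flow-begin have been configured; counters are invented.
SAMPLE_ENABLED = """\
NAT:
IP userlog export is enabled
Version 1 export is enabled
Export logs to 169.254.1.1 (Port: 200)
Export using source address 169.254.1.1
IP userlog flowbegin mode is enabled
IP userlog active time: 30 minutes
1200 logs exported in 40 udp datagrams
15 logs in 1 udp datagrams failed to output
3 entries buffered currently
"""


def parse_userlog_export(text):
    """Turn the display output into a dict of settings and counters."""
    st = {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"IP userlog export is (not )?enabled", line):
            st["export_enabled"] = m.group(1) is None
        elif m := re.fullmatch(r"Version (\d+) export is enabled", line):
            st["version"] = int(m.group(1))
        elif m := re.fullmatch(r"Export logs to (\S+) \(Port: (\d+)\)", line):
            st["collector"] = (m.group(1), int(m.group(2)))
        elif m := re.fullmatch(r"Export using source address (\S+)", line):
            st["source"] = m.group(1)
        elif m := re.fullmatch(r"IP userlog flowbegin mode is (not )?enabled", line):
            st["flow_begin"] = m.group(1) is None
        elif m := re.fullmatch(r"IP userlog active time: (\d+) minutes", line):
            st["active_minutes"] = int(m.group(1))
        elif m := re.fullmatch(r"(\d+) logs exported in (\d+) udp datagrams", line):
            st["exported"] = int(m.group(1))
        elif m := re.fullmatch(r"(\d+) logs in (\d+) udp datagrams failed to output", line):
            st["failed"] = int(m.group(1))
        elif m := re.fullmatch(r"(\d+) entries buffered currently", line):
            st["buffered"] = int(m.group(1))
    return st


def audit_userlog_export(st):
    """Return the findings a review of NAT logging on this LPU would raise."""
    findings = []
    if not st.get("export_enabled"):
        findings.append("NAT logging is not enabled (ip userlog nat acl)")
    ip, port = st.get("collector", ("0.0.0.0", 0))
    if ip == "0.0.0.0" or port == 0:
        findings.append("no log server configured (ip userlog nat export host)")
    if st.get("source", "0.0.0.0") == "0.0.0.0":
        findings.append("source address left at 0.0.0.0 (ip userlog nat export source-ip)")
    if st.get("active_minutes", 0) == 0:
        findings.append("active-time is 0: long-lived sessions are logged only at teardown")
    if st.get("failed", 0) > 0:
        findings.append(f"{st['failed']} log records failed to export")
    return findings
```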

    1.2.2 ip userlog nat

    Syntax

    ip userlog nat acl acl-number

    undo ip userlog nat

    View

    System view

    Parameters

    acl-number: ACL number, in the range of 2000 to 3999.

    Description

    Use the ip userlog nat acl command to enable NAT logging and configure the NAT logging rules, which define the packets to be logged.

    Use the undo ip userlog nat command to disable the NAT logging function.

    By default, NAT logging is disabled for each NAT LPU.


    Caution:

    The ACL for NAT logging supports the SIP and DIP fields only.

    Examples

    # Employ ACL 2000 as the logging rule, and enable NAT logging.

    system-view
    [H3C] ip userlog nat slot 3 acl 2000

    1.2.3 ip userlog nat active-time

    Syntax

    ip userlog nat active-time minutes

    undo ip userlog nat active-time

    View

    System view

    Parameters

    minutes: Time duration of an active NAT connection before a log record is created for it, ranging from 10 to 120, in minutes. The default time duration is 0, which indicates that this function is disabled.

    Description

    Use the ip userlog nat active-time command to set the time duration of an active NAT connection before a log record is created for it.

    Use the undo ip userlog nat active-time command to cancel the threshold configured for logging.

    If the NAT process performs logging only when a NAT connection is deleted, some connections may be active for a long time without being logged. Devices can record this type of connection regularly after this command is configured.

    Examples

    # Set the active time of a connection after which a NAT log record is created to 30 minutes.

    system-view
    [H3C] ip userlog nat active-time 30


    1.2.4 ip userlog nat export host

    Syntax

    ip userlog nat export host ip-address udp-port

    undo ip userlog nat export host

    View

    System view

    Parameters

    ip-address: IP address of the log server, that is, the destination IP address for log packets.

    udp-port: UDP port number of the log server, that is, the destination port number for log packets. The valid range is from 0 to 65,535. By default, it is 0.

    Description

    Use the ip userlog nat export host command to set the address and port number of the destination server of log packets.

    Use the undo ip userlog nat export host command to remove the configuration.

    Examples

    # Set the destination address and UDP port number of log packets to 169.254.1.1 and 200 respectively.

    system-view
    [H3C] ip userlog nat export host 169.254.1.1 200

    1.2.5 ip userlog nat export source-ip

    Syntax

    ip userlog nat export source-ip src-address

    undo ip userlog nat export source-ip

    View

    System view

    Parameters

    src-address: Source IP address of the log packets, which is 0.0.0.0 by default.

    Description

    Use the ip userlog nat export source-ip command to set the source IP address of log packets.


    Use the undo ip userlog nat export source-ip command to restore the default source IP address of log packets.

    Examples

    # Set the source IP address of log packets to 169.254.1.1.

    system-view
    [H3C] ip userlog nat export source-ip 169.254.1.1

    1.2.6 ip userlog nat export version

    Syntax

    ip userlog nat export version version-number

    undo ip userlog nat export version

    View

    System view

    Parameters

    version-number: Version of the output log packets. It is 1 by default. It can only be 1 currently.

    Description

    Use the ip userlog nat export version command to set the version of log packets.

    Use the undo ip userlog nat export version command to restore the default version of log packets.

    Examples

    # Set the version of the log packets to 1.

    system-view
    [H3C] ip userlog nat export version 1

    1.2.7 ip userlog nat mode flow-begin

    Syntax

    ip userlog nat mode flow-begin

    undo ip userlog nat mode flow-begin

    View

    System view


    Parameters

    None

    Description

    Use the ip userlog nat mode flow-begin command to make the NAT server log both when a NAT connection is established and when it is deleted.

    Use the undo ip userlog nat mode flow-begin command to restore the default logging mode.

    Use the corresponding commands to select the logging mode. There are two options:

    • Perform logging only when a NAT connection is deleted.

    • Perform logging when a NAT connection is established or deleted.

    By default, the NAT server performs logging only when a NAT connection is deleted.

    Examples

    # Configure the NAT server to log when a connection is established and when it is deleted.

    system-view
    [H3C] ip userlog nat mode flow-begin
