HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls


HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls
NAT Command Reference
Part number:
Document version: 6PW

Legal and notice information

Copyright 2011 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

NAT configuration commands
  address
  display nat address-group
  display nat all
  display nat bound
  display nat dns-map
  display nat server
  display nat static
  display nat statistics
  nat address-group
  nat dns-map
  nat outbound
  nat outbound static
  nat server
  nat static
  nat static net-to-net
NAT-PT configuration commands
  display natpt address-group
  display natpt address-mapping
  display natpt all
  display natpt statistics
  natpt address-group
  natpt enable
  natpt prefix
  natpt turn-off tos
  natpt turn-off traffic-class
  natpt v4bound dynamic
  natpt v4bound static
  natpt v4bound static v6server
  natpt v6bound dynamic
  natpt v6bound static
  reset natpt statistics
ALG configuration commands
  alg
Support and other resources
  Contacting HP
  Subscription service
  Related information
    Documents
    Websites
  Conventions
Index

NAT configuration commands

address

address start-address end-address
undo address start-address end-address

Address group view

Default level
2: System level

start-address: Start IP address of the address group member.
end-address: End IP address of the address group member. The end-address must not be lower than the start-address. If they are the same, the group member has only one IP address.

Use the address command to add a member that specifies an address pool to the address group. The address pools of group members may not be consecutive.

Use the undo address command to remove a group member from the address group.

Note that:
You cannot add/remove a group member to/from an address group when any IP address of the group member is being used or the address group is associated with an Access Control List (ACL).
You can add up to 100 members to an address group.
The address pools of group members must not overlap with each other or with other address pools.

Related commands: display nat address-group and nat address-group.

# Create address group 2 and add two group members to it. Specify addresses through for one member and addresses through for the other.
[Sysname] nat address-group 2
[Sysname-nat-address-group-2] address
[Sysname-nat-address-group-2] address

display nat address-group

display nat address-group [ group-number ] [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

group-number: NAT address group number.
: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat address-group command to display the NAT address pool information.

Related commands: nat address-group.

# Display the NAT address pool information.
<Sysname> display nat address-group
NAT address-group information:
There are currently 2 nat address-group(s)
1 : from to
: from to

# Display the information of NAT address group 1.
<Sysname> display nat address-group 1
NAT address-group information:
1 : from to

Table 1 Output description
Field | Description
NAT address-group information | NAT address pool information
There are currently 2 nat address-group(s) | There are currently two NAT address groups.
1 : from to | The range of IP addresses in address pool 1 is from to

display nat all

display nat all [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat all command to display all NAT configuration information.

# Display all NAT configuration information.
<Sysname> display nat all
NAT address-group information:
There are currently 1 nat address-group(s)
1 : from to

NAT bound information:
There are currently 1 nat bound rule(s)
Interface: GigabitEthernet0/1
Direction: outbound ACL: 2009 Address-group: 1 NO-PAT: N

NAT server in private network information:
There are currently 1 internal server(s)
Interface: GigabitEthernet0/2, Protocol: 6(tcp)
Global: : 80(www)
Local : : 80(www)

NAT static information:
There are currently 1 NAT static configuration(s)
single static:
Local-IP :
Global-IP :
Local-VPN : ---

NAT static enabled information:
Interface Direction
GigabitEthernet0/4 out-static

Table 2 Output description
Field | Description
NAT address-group information | NAT address pool information
There are currently 1 nat address-group(s) | For description on the specific fields, see the display nat address-group command.
NAT bound information: | Configuration information about internal address-to-external address translation. For description on the specific fields, see the display nat bound commands.
NAT server in private network information | Internal server information. For description on the specific fields, see the display nat server command.
NAT static information | Information about static NAT. For description on the specific fields, see the display nat static command.
NAT static enabled information | Information about static NAT entries and interface(s) with static NAT enabled. For description on the specific fields, see the display nat static command.

display nat bound

display nat bound [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat bound command to display the NAT configuration information.

Related commands: nat outbound.

# Display the NAT configuration information.
<Sysname> display nat bound
NAT bound information:
There are currently 3 nat bound rule(s)
Interface:Vlan-interface10
Direction: outbound ACL: 2000 Address-group: 319 NO-PAT: Y

VPN-instance: vpn1
Out-interface: ---
Next-hop:
Status: Active

Interface:Vlan-interface10
Direction: outbound ACL: 3000 Address-group: 300 NO-PAT: N
VPN-instance: vpn2
Out-interface: Vlan-interface200
Next-hop:
Status: Inactive

Interface:Vlan-interface20
Direction: outbound ACL: 2001 Address-group: --- NO-PAT: N
VPN-instance: ---
Out-interface: ---
Next-hop: ---
Status: Inactive

Table 3 Output description
Field | Description
NAT bound information: | Display configured NAT address translation information
Interface | The interface associated with a NAT address pool.
Direction | Address translation direction: outbound
ACL | ACL number
Address-group | Address group number. The field is displayed as null in Easy IP mode.
NO-PAT | Support for NO-PAT mode or not
VPN-instance | VPN where the NAT address pool belongs. The field is displayed as --- if it is not configured.
Output-interface | The specified outbound interface. The field is displayed as --- if it is not configured.
Next-hop | The specified next hop address. The field is displayed as --- if it is not configured.
Status | Current status of the configuration, which can be active or inactive.

display nat dns-map

display nat dns-map [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat dns-map command to display NAT DNS mapping configuration information.

Related commands: nat dns-map.

# Display NAT DNS mapping configuration information.
<Sysname> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name:
Global-IP :
Global-port: 80(www)
Protocol : 6(tcp)

Domain-name: ftp.server.com
Global-IP :
Global-port: 21(ftp)
Protocol : 6(tcp)

Table 4 Output description
Field | Description
NAT DNS mapping information | NAT DNS mapping information
There are currently 2 DNS mapping(s) | There are two DNS mapping entries
Domain-name | Domain name of the internal server
Global-IP | External IP address of the internal server
Global-port | Public port number of the internal server
Protocol | Protocol type of the internal server

display nat server

display nat server [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat server command to display information about internal servers.

Related commands: nat server.

# Display information about internal servers.
<Sysname> display nat server
NAT server in private network information:
There are currently 2 internal server(s)
Interface: Vlan-interface10, Protocol: 6(tcp)
Global: : 21(ftp)
Local : : 21(ftp)
Status: Inactive

Interface: Vlan-interface11, Protocol: 6(tcp)
Global: : 80(www)
Local : : 80(www)
Status: Active
vpn2

Table 5 Output description
Field | Description
Server in private network information | Information about internal servers
Interface | Internal server interface
Protocol | Protocol type
Global | External IP address and port number of a server, and the VPN that the external address belongs to.
Local | Internal network information of a server
Status | Current status of the configuration, which can be active or inactive.

display nat static

display nat static [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat static command to display static NAT entries and interface(s) with static NAT enabled.

Related commands: nat static and nat outbound static.

# Display static NAT entries and interface(s) with static NAT enabled.
<Sysname> display nat static
NAT static information:
There are currently 2 NAT static configuration(s)
net-to-net:
Local-IP :
Global-IP :
Netmask :
Local-VPN : vpn1
Global-VPN : vpn2
single static:
Local-IP :
Global-IP :
Local-VPN : ---
Global-VPN : ---

NAT static enabled information:
Interface Direction
Vlan-interface11 out-static

Table 6 Output description
Field | Description
NAT static information | Configuration information of static NAT
net-to-net | Net-to-net static NAT
single static | One-to-one static NAT
Local-IP | Internal IP address
Global-IP | External IP address

Field | Description
Netmask | Network mask
Local-VPN | L3VPN that the internal IP address belongs to
Global-VPN | L3VPN that the external IP address belongs to

display nat statistics

display nat statistics [ { begin exclude include } regular-expression ]

Any view

Default level
1: Monitor level

: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display nat statistics command to display NAT statistics.

# Display NAT statistics.
<Sysname> display nat statistics
total PAT session table count: 1
total NO-PAT session table count: 0
total SERVER session table count: 0
total STATIC session table count: 0
active PAT session table count: 1
active NO-PAT session table count: 0

Table 7 Output description
Field | Description
total PAT session table count | Number of PAT session entries
total NO-PAT session table count | Number of NO-PAT session entries
total SERVER session table count | Number of SERVER session entries
total STATIC session table count | Number of STATIC session entries
active PAT session table count | Number of active PAT session entries

Field | Description
active NO-PAT session table count | Number of active NO-PAT session entries

nat address-group

nat address-group group-number [ start-address end-address ] [ level level ]
undo nat address-group group-number [ start-address end-address ] [ level level ]

System view

Default level
2: System level

group-number: Index of the address pool.
start-address: Start IP address of the address pool.
end-address: End IP address of the address pool. The end-address cannot be smaller than the start-address. If they are the same, the address pool has only one IP address.
level level: Address pool level. The value of level is in the range of 0 to 1. 0 represents low priority.

Use the nat address-group command to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool. Without the start and end IP addresses specified, the command places you into the address group view.

Use the undo nat address-group command to remove an address pool or address group.

An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command. The address pools of group members may not be consecutive.

Note that:
You cannot remove an address pool or address group that has been associated with an ACL.
Different address pools must not overlap.
The address pools of group members must not overlap with each other or with other address pools.
An address pool or address group is not needed in the case of Easy IP, where the interface's public IP address is used as the translated IP address.

Related commands: address and display nat address-group.

# Configure an address pool numbered 1 that contains addresses to
[Sysname] nat address-group

# Create address group 2 and add a group member that contains IP addresses through to it.

[Sysname] nat address-group 2
[Sysname-nat-address-group-2] address

nat dns-map

nat dns-map domain domain-name protocol pro-type ip global-ip port global-port
undo nat dns-map domain domain-name

System view

Default level
2: System level

domain domain-name: Specifies the domain name of an internal server. A domain name is a string containing no more than 255 case-insensitive characters. It consists of several labels separated by dots (.). Each label has no more than 63 characters that must begin and end with letters or digits; besides, dashes (-) can be included.
protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.
ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.
port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to

Use the nat dns-map command to map the domain name to the public network information of an internal server.

Use the undo nat dns-map command to remove a DNS mapping.

Related commands: display nat dns-map.

# A company provides Web service to external users. The domain name of the internal server is and the public IP address is Configure a DNS mapping, so that internal users can access the Web server using its domain name.
[Sysname] nat dns-map domain protocol tcp ip port www

nat outbound

nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]
undo nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]

Interface view

Default level
2: System level

acl-number: ACL number, in the range of 2000 to
address-group group-number: Specifies an address pool for NAT. If no address pool is specified, the IP address of the interface will be used as the translated IP address, that is, Easy IP is enabled.
vpn-instance vpn-instance-name: Specifies the L3VPN to which the addresses of the address pool belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With this option, inter-VPN access through NAT is supported. Without this option, the addresses in the address pool do not belong to any VPN.
no-pat: Indicates that many-to-many NAT is implemented without using the TCP/UDP port information. If this keyword is not configured, many-to-one NAT is implemented using the TCP/UDP port information.
track vrrp virtual-router-id: Associates address translation on a specified outbound interface with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this argument specified, no VRRP group is associated.

Use the nat outbound command or the nat outbound acl-number command to associate an ACL with the IP address of the interface and enable Easy IP.

Use the nat outbound acl-number address-group group-number no-pat command to associate an ACL with an IP address pool for translation of only the IP address and enable many-to-many NAT.

Use the nat outbound address-group group-number command or the nat outbound acl-number address-group group-number command to associate an ACL with an IP address pool for translation of both the IP address and port number and enable NAPT.

Use the undo nat outbound command to remove an association.

If the acl-number argument is specified, a packet matching the associated ACL will be serviced by NAT. If the acl-number argument is not specified, a packet whose source IP address is not the IP address of the outbound interface will be serviced by NAT.

Note the following:
You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to the external network.
When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted; they will be aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network whereas all the other users are not affected. You can also use the reset nat session command to clear all the NAT entries, but NAT service will be terminated and all users will have to reinitiate connections. You can make a proper choice as required.
When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.
If a packet matches the specified next hop, the packet will be translated using an IP address in the address pool; if not, the packet will not be translated.

You can bind an ACL to only one address pool on an interface; an address pool can be bound to multiple ACLs.
NAPT cannot translate connections from external hosts to internal hosts.
With reverse address translation enabled, after NAT creates an entry for an internal host to access the Internet, NAT can use this entry to perform destination IP address translation for new connections from the Internet to the public IP address of the internal host. If an ACL is associated with the address pool where the public IP address of the internal host resides, the connections must match the ACL; otherwise, they cannot be translated.
In stateful failover networking, make sure that you associate each address pool configured on an interface with one VRRP group only; otherwise, the system associates the address pool with the VRRP group having the highest group ID.

NOTE: For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address and VPN instance information in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in any two ACL rules are the same, a conflict occurs.

# Configure NAT for hosts on subnet /24. The NAT address pool contains addresses through Assume that interface GigabitEthernet 1/0 is connected to the Internet.
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
[Sysname] nat address-group

# To also translate TCP/UDP port information, do the following:
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1

# To ignore the TCP/UDP port information in translation, do the following:
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1 no-pat

# To use the IP address of the GigabitEthernet 0/1 interface for translation, do the following:
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat outbound 2001

# To enable reverse address translation and use address pool 1, do the following:
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1 no-pat reversible
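
The nat outbound description above ties the translation mode to the command form (Easy IP, NAPT or NO-PAT) and lists rules such as one address pool per ACL on an interface. The following Python sketch is an added example, not HP code: it classifies nat outbound lines and reports the conditions a reviewer would check. The sample stanzas, their layout, and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (not from the reference): interface stanzas as they
# might appear in a saved configuration. The stanza layout is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nat outbound 2001 address-group 1
 nat outbound 2002 address-group 2 no-pat
 nat outbound 2001 address-group 3
 nat outbound 3000 address-group 1 no-pat reversible
interface GigabitEthernet0/2
 nat outbound
 nat outbound static
"""


def parse_nat_outbound(line):
    """Parse one 'nat outbound ...' command; return None for any other line."""
    tok = line.split()
    if tok[:2] != ["nat", "outbound"] or tok[2:3] == ["static"]:
        return None
    rule = {"acl": None, "group": None, "vpn": None,
            "no_pat": False, "reversible": False, "vrrp": None}
    i = 2
    if i < len(tok) and tok[i].isdigit():        # optional acl-number
        rule["acl"] = int(tok[i])
        i += 1
    while i < len(tok):
        if tok[i] == "address-group" and i + 1 < len(tok):
            rule["group"] = int(tok[i + 1])
            i += 2
        elif tok[i] == "vpn-instance" and i + 1 < len(tok):
            rule["vpn"] = tok[i + 1]
            i += 2
        elif tok[i] == "track" and tok[i + 1:i + 2] == ["vrrp"] and i + 2 < len(tok):
            rule["vrrp"] = int(tok[i + 2])
            i += 3
        elif tok[i] in ("no-pat", "reversible"):
            rule[tok[i].replace("-", "_")] = True
            i += 1
        else:
            raise ValueError(f"unrecognized token {tok[i]!r} in {line!r}")
    return rule


def translation_mode(rule):
    """Map the command form to the mode named in the reference."""
    if rule["group"] is None:
        return "Easy IP"          # the interface address is the translated address
    return "NO-PAT" if rule["no_pat"] else "NAPT"


def audit(config_text):
    """Return (rules, findings) for all nat outbound lines in the text."""
    rules, findings = [], []
    pools = defaultdict(set)      # (interface, acl) -> address groups bound to it
    iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        rule = parse_nat_outbound(line)
        if rule is None:
            continue
        rule["interface"] = iface
        rule["mode"] = translation_mode(rule)
        rules.append(rule)
        if rule["acl"] is None:
            findings.append((iface, "no ACL: any packet whose source is not "
                                    "the interface address is translated"))
        elif rule["group"] is not None:
            pools[(iface, rule["acl"])].add(rule["group"])
        if rule["reversible"]:
            findings.append((iface, f"ACL {rule['acl']}: reverse translation "
                                    "admits new connections from the Internet"))
    for (ifc, acl), groups in sorted(pools.items()):
        if len(groups) > 1:
            findings.append((ifc, f"ACL {acl} bound to address groups "
                                  f"{sorted(groups)}; only one is allowed"))
    return rules, findings


if __name__ == "__main__":
    parsed, notes = audit(SAMPLE_CONFIG)
    for r in parsed:
        print(r["interface"], r["acl"], r["mode"])
    for where, note in notes:
        print("FINDING", where, note)
```
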

nat outbound static

nat outbound static [ track vrrp virtual-router-id ]
undo nat outbound static [ track vrrp virtual-router-id ]

Interface view

Default level
2: System level

track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this option specified, no VRRP group is associated.

Use the nat outbound static command to enable static NAT on an interface, making the configured static NAT mappings take effect.

Use the undo nat outbound static command to disable static NAT on the interface.

Related commands: display nat static.

# Configure a one-to-one NAT mapping and enable static NAT on interface GigabitEthernet 0/1.
[Sysname] nat static
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat outbound static

nat server

nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }
undo nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }

Interface view

Default level
2: System level

index: Index of the internal server.

protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.
global-address: Public IP address for the internal server.
current-interface: Uses the current interface address as the external IP address for the internal server.
global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. Note that global-port2 must be greater than global-port1.
local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. Note that local-address2 must be greater than local-address1 and that the number of addresses must match that of the specified ports.
local-port: Port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20. You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on. You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.
global-port: Global port number for the internal server, in the range of 0 to
local-address: Internal IP address of the internal server.
vpn-instance local-name: Specifies the L3VPN to which the internal server belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this parameter, the internal server does not belong to any VPN.
remote-host host-address: IP address of the remote host accessing the internal server.
lease-duration lease-time: Valid time of the service provided by the internal server. The lease-time argument indicates the valid time, in the range of 0 to , in seconds. The value 0 indicates that the service never expires.
description string: Detailed information about the internal server. The string argument is a case-insensitive string of 1 to 256 characters.
track vrrp virtual-router-id: Associates the internal server with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group to be associated. Without this option specified, no VRRP group is associated.

Use the nat server command to define an internal server. Using the address and port defined by the global-address and global-port parameters, external users can access the internal server with an IP address of local-address and a port of local-port.

Use the undo nat server command to remove the configuration.

Note that:
If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined.
Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in an internal network or a VPN.

The number of internal servers that each command can define equals the difference between global-port2 and global-port1.
Up to 4096 internal servers can be configured on an interface.
The system allows up to 1024 internal server configuration commands.
In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external network.
The firewall supports using an interface address as the external IP address of an internal server, which is Easy IP. If you specify the current-interface keyword, the internal server uses the current primary IP address of the current interface. If you use interface { interface-type interface-number } to specify an interface, the interface must be an existing loopback interface and the current primary IP address of the loopback interface is used.
It is strongly recommended that if an internal server using Easy IP is configured on the current interface, the IP address of this interface should not be configured as the external address of another internal server, and vice versa. This is because the interface address that is referenced by the internal server using Easy IP serves as the external address of the internal server.
In stateful failover networking, make sure that you associate the public address of an internal server on an interface with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID.

Related commands: display nat server.

CAUTION: When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.

# Allow external users to access the internal Web server on the LAN through and the internal FTP server in VPN vrf10 through ftp:// /. Assume that the interface GigabitEthernet 0/1 is connected to the external network.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global inside www
[Sysname-GigabitEthernet0/1] quit
[Sysname] ip vpn-instance vrf10
[Sysname-vpn-instance] route-distinguisher 100:001
[Sysname-vpn-instance] vpn-target 100:1 export-extcommunity
[Sysname-vpn-instance] vpn-target 100:1 import-extcommunity
[Sysname-vpn-instance] quit
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global inside vpn-instance vrf10

# Allow external hosts to ping the host with an IP address of in VPN vrf10 by using the ping command.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol icmp global inside vpn-instance vrf10

# Allow external hosts to access the Telnet services of internal servers to in VPN vrf10 through the public address of and port numbers from 1001 to As a result, a user can telnet to :1001 to access , telnet to :1002 to access , and so on.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global inside telnet vpn-instance vrf10

# Remove the Web server.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] undo nat server protocol tcp global inside www

# Remove the FTP server from VPN vrf10.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] undo nat server protocol tcp global inside ftp vpn-instance vrf10

nat static

nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
undo nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]

System view

Default level
2: System level

local-ip: Internal IP address.
vpn-instance local-name: Specifies the VPN to which the internal IP address belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal IP address does not belong to any VPN.
global-ip: External IP address.
vpn-instance global-name: Specifies the VPN to which the external IP address belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external IP address does not belong to any VPN.

Use the nat static command to configure a one-to-one static NAT mapping.

Use the undo nat static command to remove a one-to-one static NAT mapping.

Related commands: display nat static.

# In system view, configure static NAT mapping between internal IP address and external IP address
[Sysname] nat static

nat static net-to-net

nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { netmask-length | netmask }
undo nat static net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { netmask-length | netmask }

System view

Default level 2: System level

local-start-address local-end-address: Internal network address range, which contains at most 255 IP addresses.
local-network: Internal network address.
vpn-instance local-name: Specifies the L3VPN to which the internal network belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal network does not belong to any VPN.
global-network: External network address.
vpn-instance global-name: Specifies the VPN to which the external network belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external network does not belong to any VPN.
mask-length: Length of the network mask.
mask: Network mask.

Use the nat static net-to-net command to configure a net-to-net static NAT mapping.
Use the undo nat static net-to-net command to remove a net-to-net static NAT mapping.
The IP addresses of the internal network must be on the same network segment according to the mask length of the external network address.

Related commands: display nat static.

# Configure a bidirectional static NAT mapping between internal network address and external network address
[Sysname] nat static net-to-net

NAT-PT configuration commands

display natpt address-group

display natpt address-group [ | { begin | exclude | include } regular-expression ]

Any view

Default Level 1: Monitor level

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display natpt address-group command to display the NAT-PT address pool configuration information.

# Display the NAT-PT address pool configuration information.
<Sysname> display natpt address-group
NATPT IPv4 Address Pool Information:
1 : from to

Table 8 Output description
1: Address pool number
from: Start IP address in an address pool
to: End IP address in an address pool

display natpt address-mapping

display natpt address-mapping [ | { begin | exclude | include } regular-expression ]

Any view

Default Level 1: Monitor level

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display natpt address-mapping command to display the static and dynamic NAT-PT address mappings.
The displayed information does not include the information about port translation through the NAPT-PT mechanism.

# Display the static and dynamic NAT-PT address mappings.
<Sysname> display natpt address-mapping
NATPT address mapping(v6bound view):
IPv4 Address IPv6 Address Type
::0001 SOURCE
::0002 DESTINATION
NATPT V6Server static mapping:
IPv4Address IPv6 Address Pro
^ ::0003^ 1270 TCP

Table 9 Output description
NATPT address mapping (v6bound view): Static and dynamic IPv4/IPv6 address mapping on the IPv6 side.
IPv4 Address: IPv4 address
IPv6 Address: IPv6 address
Type: Type of the mapping, which can be:
  SOURCE: Mapping created according to the configuration on the IPv6 side
  DESTINATION: Mapping created according to the configuration on the IPv4 side
NATPT V6Server static mapping: Displays the NAT-PT mapping of an IPv6 server.
IPv4Address: IPv4 address and port number
IPv6 Address: Corresponding IPv6 address and port number
Pro: Protocol type

display natpt all

display natpt all [ | { begin | exclude | include } regular-expression ]

Any view

Default Level 1: Monitor level

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display natpt all command to display all NAT-PT configuration information.

# Display all NAT-PT configuration information.
<Sysname> display natpt all
IPv4 Address Pool Information:
1 : from to
Address Mappings (V6toV4):
IPv4 Address IPv6 Address Type
::0001 SOURCE
::0002 DESTINATION
V6Server static mapping:
IPv4Address IPv6 Address Pro
^ ::0003^ 1270 TCP
V4toV6 Information:
No V4 Access Records Present
V6toV4 Information:
No V6 Access Records Present
Prefix Information:
Prefix Interface NextHop
0064:: /96
Statistics:
Total Sessions: 0
Expired Sessions: 0
Hits: 0
Misses: 0
Total Fragment Sessions: 0
Expired Fragment Sessions: 0

Fragment Hits: 0
Fragment Misses: 0
Total Address Mapping: 0 (static: 0 dynamic: 0 )
Total V6Server Mappings: 0
Enabled Interfaces:
GigabitEthernet0/1

For the explanations to the information displayed above, see the descriptions of related commands.

display natpt statistics

display natpt statistics [ | { begin | exclude | include } regular-expression ]

Any view

Default Level 1: Monitor level

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Use the display natpt statistics command to display NAT-PT statistics information.
The statistics information does not include information about port translation through the NAPT-PT mechanism.

Related commands: reset natpt statistics.

# Display NAT-PT statistics information.
<Sysname> display natpt statistics
NATPT Statistics:
Total Sessions: 0
Expired Sessions: 0
Hits: 0
Misses: 0
Total Fragment Sessions: 0
Expired Fragment Sessions: 0
Fragment Hits: 0
Fragment Misses: 0
Total Address Mapping: 0 (static: 0 dynamic: 0 )
Total V6Server Mappings: 0

NATPT Interfaces:
GigabitEthernet0/1

Table 10 Output description
Total Sessions: Total number of sessions
Expired Sessions: Number of expired sessions
Hits: Number of times that a packet matches a NAT-PT session
Misses: Number of times that a packet matches no NAT-PT sessions
Total Fragment Sessions: Total number of active fragment sessions
Expired Fragment Sessions: Number of expired fragment sessions
Fragment Hits: Number of times that a packet fragment matches a NAT-PT fragment session
Fragment Misses: Number of times that a packet fragment matches no NAT-PT fragment sessions
Total Address Mapping: Number of static and dynamic mappings
Total V6Server Mappings: Number of V6Server mappings (address/port mappings)
NATPT Interfaces: NAT-PT enabled interfaces

natpt address-group

natpt address-group group-number start-ipv4-address end-ipv4-address
undo natpt address-group group-number

System view

Default Level 2: System level

group-number: Number of an address pool, in the range of 1 to 32.
start-ipv4-address: Start IPv4 address in a pool.
end-ipv4-address: End IPv4 address in a pool.

Use the natpt address-group command to configure a NAT-PT address pool.
Use the undo natpt address-group command to remove the specified NAT-PT address pool.

Note that:
If start-ipv4-address equals end-ipv4-address, only one address is available in the address pool.
The execution of the undo natpt address-group command may affect some dynamic NAT-PT mappings.
Currently, a NAT-PT address pool and an IPv4 NAT address pool do not share any address.

When there is only one address in the NAT-PT address pool, the address applies to only NAPT-PT.
When there is more than one address in the NAT-PT address pool, the end ipv4 address is reserved for NAPT-PT. The number of addresses used for dynamic NAT-PT mapping is the number of configured addresses minus 1.

Related commands: display natpt address-group.

# Configure a NAT-PT address pool.
[Sysname] natpt address-group

natpt enable

natpt enable
undo natpt enable

Interface view

Default Level 2: System level

None

Use the natpt enable command to enable the NAT-PT feature on an interface.
Use the undo natpt enable command to disable the NAT-PT feature on an interface.
By default, the NAT-PT feature is disabled on an interface. That is, no NAT-PT is implemented for packets received or sent on the interface.

Note that:
This command enables both NAT-PT and Address Family Translation (AFT). For more information about AFT, see VPN Configuration Guide.
Do not configure NAT-PT and AFT on the same device.

# Enable the NAT-PT feature on an interface.
[Sysname] interface GigabitEthernet 1/0
[Sysname-GigabitEthernet0/1] natpt enable

natpt prefix

natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]
undo natpt prefix natpt-prefix

System view

Default Level 2: System level

natpt-prefix: Prefix of an IPv6 address, 96 bits in length.
interface interface-type interface-number: Specifies the interface on which NAT-PT is enabled. If the interface is not specified or NAT-PT is not enabled, IPv6 packets are discarded. interface-type interface-number specifies the interface type and number.
nexthop ipv4-address: Specifies the IPv4 address of the next hop. This option does not work on the firewall.

Use the natpt prefix command to configure a NAT-PT prefix.
Use the undo natpt prefix command to remove the configured NAT-PT prefix.

Note that:
A NAT-PT prefix must be different from the IPv6 address prefix of the receiving interface on the NAT-PT device. Otherwise, NAT-PT translation for a received packet with the prefix will result in packet loss.
The execution of the undo natpt prefix command may affect the translation of some mappings. Therefore, use this command with caution.

# Configure a NAT-PT prefix in system view.
[Sysname] natpt prefix 2001::

natpt turn-off tos

natpt turn-off tos
undo natpt turn-off tos

System view

Default Level 2: System level

None

Use the natpt turn-off tos command to set the ToS field in an IPv4 packet translated from an IPv6 packet to 0.
Use the undo natpt turn-off tos command to restore the default.

By default, the value of the ToS field in an IPv4 packet translated from an IPv6 packet is the same as that of the Traffic Class field in the IPv6 packet.

# Set the ToS field in an IPv4 packet translated from an IPv6 packet to 0.
[Sysname] natpt turn-off tos

natpt turn-off traffic-class

natpt turn-off traffic-class
undo natpt turn-off traffic-class

System view

Default Level 2: System level

None

Use the natpt turn-off traffic-class command to set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.
Use the undo natpt turn-off traffic-class command to restore the default.
By default, the value of the Traffic Class field in an IPv6 packet translated from an IPv4 packet is the same as that of the ToS field in the IPv4 packet.

# Set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.
[Sysname] natpt turn-off traffic-class

natpt v4bound dynamic

natpt v4bound dynamic acl number acl-number prefix natpt-prefix
undo natpt v4bound dynamic acl number acl-number

System view

Default Level 2: System level

acl number acl-number: Specifies the IPv4 access control list (ACL) number, in the range of 2000 to

prefix natpt-prefix: Specifies the NAT-PT prefix, which is 96 bits in length.

Use the natpt v4bound dynamic command to configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts by associating an ACL with a NAT-PT prefix.
Use the undo natpt v4bound dynamic command to remove the association.
For a packet from an IPv4 host to an IPv6 host, if the source IPv4 address matches the specified ACL, the NAT-PT prefix will be added to translate the source IPv4 address into an IPv6 address.

CAUTION: The natpt-prefix argument in the natpt v4bound dynamic command must be specified by the natpt prefix command in advance.

Related commands: display natpt address-mapping.

# Configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts in system view. Use ACL 2000 to match IPv4 packets and add the NAT-PT prefix 2001:: to translate the source IPv4 address into an IPv6 address.
[Sysname] natpt prefix 2001::
[Sysname] natpt v4bound dynamic acl number 2000 prefix 2001::

natpt v4bound static

natpt v4bound static ipv4-address ipv6-address
undo natpt v4bound static ipv4-address ipv6-address

System view

Default Level 2: System level

ipv4-address: IPv4 address to be mapped.
ipv6-address: IPv6 address to which an IPv4 address is mapped.

Use the natpt v4bound static command to configure a static IPv4/IPv6 address mapping on the IPv4 side.
Use the undo natpt v4bound static command to remove a static IPv4/IPv6 address mapping on the IPv4 side.
The ipv6-address prefix should be contained in the configured NAT-PT prefix.

Related commands: display natpt address-mapping.

# Configure a static mapping between the IPv4 address and the IPv6 address 2001::1 on the IPv4 side in system view.
[Sysname] natpt v4bound static ::1

natpt v4bound static v6server

natpt v4bound static v6server protocol protocol-type ipv4-address-destination ipv4-port-number ipv6-address-destination ipv6-port-number
undo natpt v4bound static v6server protocol protocol-type ipv4-address-destination ipv4-port-number ipv6-address-destination ipv6-port-number

System view

Default Level 2: System level

protocol protocol-type: Specifies the protocol type. The protocol-type argument can be:
  tcp: Specifies the TCP protocol.
  udp: Specifies the UDP protocol.
ipv4-address-destination: IPv4 address to which an IPv6 address is mapped.
ipv4-port-number: IPv4 port number, in the range of 1 to
ipv6-address-destination: Destination IPv6 address to be mapped.
ipv6-port-number: IPv6 port number, in the range of 1 to

Use the natpt v4bound static v6server command to configure a static NAPT-PT mapping for an IPv6 server.
Use the undo natpt v4bound static v6server command to remove a static NAPT-PT mapping for an IPv6 server.

Related commands: display natpt address-mapping.

# In system view, configure a static NAPT-PT mapping for an IPV6 server, in which the protocol type is TCP, the IPv4 address and port number are and 80 respectively, and the IPv6 address and port number are 2001::1 and 80 respectively.
[Sysname] natpt v4bound static v6server protocol tcp ::
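The NAT-PT constraints stated for natpt address-group, natpt prefix, natpt v4bound dynamic and natpt v4bound static can be checked offline before a configuration is applied. The Python check below is an added example, not HP code; the sample configuration, the interface prefix, the rule codes and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample; every address is from a documentation range, not from the manual.
SAMPLE_CONFIG = """\
natpt prefix 2001:db8::
natpt prefix 2001:db8:0:1::
natpt address-group 1 192.0.2.10 192.0.2.13
natpt address-group 2 192.0.2.50 192.0.2.50
natpt address-group 40 192.0.2.60 192.0.2.61
natpt v4bound dynamic acl number 2000 prefix 2001:db8::
natpt v4bound dynamic acl number 2001 prefix 2001:db8:2::
natpt v4bound static 198.51.100.7 2001:db8::c633:6407
natpt v4bound static 198.51.100.8 2001:db8:ffff::8
"""
SAMPLE_INTERFACE_PREFIXES = ["2001:db8:0:1::/64"]  # assumed prefix of the receiving interface


def prefix_net(text):
    """Turn a NAT-PT prefix written without a length (e.g. '2001::') into a /96 network."""
    addr = ipaddress.IPv6Address(text)
    if int(addr) & 0xFFFFFFFF:
        raise ValueError(f"{text}: the low 32 bits of a 96-bit prefix must be zero")
    return ipaddress.IPv6Network(f"{addr}/96")


def embed_ipv4(prefix, ipv4):
    """IPv6 address produced when the NAT-PT prefix is added to an IPv4 address."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def pool_roles(start, end):
    """Split a NAT-PT pool into its NAPT-PT address and its dynamic NAT-PT capacity."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end address is lower than start address")
    size = int(last) - int(first) + 1
    # One address: NAPT-PT only. More: the end address is reserved for NAPT-PT.
    return {"size": size, "napt_pt": str(last), "dynamic": size - 1}


def check(words, prefixes, iface_nets):
    """Return rule codes violated by one 'natpt ...' command; records configured prefixes."""
    codes = []
    if words[1] == "prefix":
        net = prefix_net(words[2])
        # Conservative reading of "must be different": flag any overlap.
        if any(net.overlaps(i) for i in iface_nets):
            codes.append("prefix-overlaps-interface")
        prefixes.append(net)
    elif words[1] == "address-group":
        if not 1 <= int(words[2]) <= 32:
            codes.append("group-range")
        if pool_roles(words[3], words[4])["dynamic"] == 0:
            codes.append("napt-only")
    elif words[1:3] == ["v4bound", "dynamic"]:
        # The prefix must already have been configured with 'natpt prefix'.
        if prefix_net(words[words.index("prefix") + 1]) not in prefixes:
            codes.append("prefix-not-configured")
    elif words[1:3] == ["v4bound", "static"] and words[3] != "v6server":
        ipaddress.IPv4Address(words[3])  # validates the IPv4 side
        if not any(ipaddress.IPv6Address(words[4]) in p for p in prefixes):
            codes.append("static-outside-prefix")
    return codes


def lint(config, interface_prefixes=()):
    """Check natpt commands in order and return (rule code, command) findings."""
    iface_nets = [ipaddress.IPv6Network(p) for p in interface_prefixes]
    prefixes, findings = [], []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "natpt":
            continue
        try:
            codes = check(words, prefixes, iface_nets)
        except (ValueError, IndexError):
            codes = ["bad-value"]
        findings += [(code, " ".join(words)) for code in codes]
    return findings


if __name__ == "__main__":
    for code, command in lint(SAMPLE_CONFIG, SAMPLE_INTERFACE_PREFIXES):
        print(f"{code:28} {command}")
    print(embed_ipv4(prefix_net("2001:db8::"), "198.51.100.7"))
```

Commands are checked in file order, so a natpt v4bound dynamic line that appears before its natpt prefix line is reported even if the prefix is configured later.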

natpt v6bound dynamic

natpt v6bound dynamic { acl6 number acl6-number | prefix natpt-prefix } { address-group address-group [ no-pat ] | interface interface-type interface-number }
undo natpt v6bound dynamic { acl6 number acl6-number | prefix natpt-prefix }

System view

Default Level 2: System level

acl6 number acl6-number: Specifies the IPv6 ACL number. If the source IPv6 address of a packet sent from an IPv6 network to an IPv4 network matches this IPv6 ACL, the source IPv6 address is translated based on the command. The IPv6 ACL number ranges 2000 to
prefix natpt-prefix: Specifies the NAT-PT prefix. If the destination IPv6 address of a packet sent from an IPv6 network to an IPv4 network is in this NAT-PT prefix, the source IPv6 address is translated based on the command. The NAT-PT prefix is 96 bits in length.
address-group address-group: Specifies the number of the IPv4 address pool for the translation of the source IPv6 address. The IPv4 address pool number is in the range of 1 to 32.
no-pat: Specifies no port address translation. If the no-pat keyword is not provided, port address translation will be performed.
interface interface-type interface-number: Specifies the IPv4 address of the interface as the translated source IPv6 address. interface-type interface-number specifies the interface type and number.

Use the natpt v6bound dynamic command to configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts.
Use the undo natpt v6bound dynamic command to remove the dynamic mapping.

Related commands: display natpt address-mapping.

# Configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts in system view. Translate the source address of an IPv6 packet that matches IPv6 ACL 2001 into an IPv4 address in address pool 1.
[Sysname] natpt address-group
[Sysname] natpt v6bound dynamic acl6 number 2001 address-group 1

natpt v6bound static

natpt v6bound static ipv6-address ipv4-address
undo natpt v6bound static ipv6-address ipv4-address


More information

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC. VYATTA, INC. Vyatta System Firewall REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall Vyatta Suite 200 1301 Shoreway Road Belmont, CA 94002 vyatta.com 650 413 7200 1 888 VYATTA 1 (US and

More information
