Chapter 1 NAT Configuration Commands .................................................................................. 1-1

Command Manual NAT
H3C S9500 Series Routing Switches
Table of Contents
Table of Contents
Chapter 1 NAT Configuration Commands .................................................................................. 1-1
1.1 NAT Configuration Commands.......................................................................................... 1-1
1.1.1 display nat address-group....................................................................................... 1-1
1.1.2 display nat aging-time ............................................................................................. 1-1
1.1.3 display nat all........................................................................................................... 1-2
1.1.4 display nat auto-reset-session ................................................................................ 1-3
1.1.5 display nat blacklist ................................................................................................. 1-4
1.1.6 display nat outbound ............................................................................................... 1-5
1.1.7 display nat server .................................................................................................... 1-6
1.1.8 display nat static...................................................................................................... 1-7
1.1.9 display nat statistics ................................................................................................ 1-7
1.1.10 display nat vpn limit............................................................................................... 1-8
1.1.11 nat address-group ................................................................................................. 1-9
1.1.12 nat aging-time...................................................................................................... 1-11
1.1.13 nat auto-reset-session......................................................................................... 1-11
1.1.14 nat blacklist start ................................................................................................. 1-12
1.1.15 nat blacklist mode ............................................................................................... 1-13
1.1.16 nat blacklist limit amount ..................................................................................... 1-14
1.1.17 nat blacklist limit rate........................................................................................... 1-15
1.1.18 nat blacklist limit rate source ............................................................................... 1-16
1.1.19 nat outbound ....................................................................................................... 1-18
1.1.20 nat server ............................................................................................................ 1-21
1.1.21 nat static .............................................................................................................. 1-24
1.1.22 nat vpn limit ......................................................................................................... 1-27
1.1.23 reset nat session ................................................................................................. 1-28
1.2 NAT Security Logging Configuration Commands............................................................ 1-28
1.2.1 display ip userlog export ....................................................................................... 1-28
1.2.2 ip userlog nat......................................................................................................... 1-29
1.2.3 ip userlog nat active-time ...................................................................................... 1-30
1.2.4 ip userlog nat export host...................................................................................... 1-31
1.2.5 ip userlog nat export source-ip.............................................................................. 1-31
1.2.6 ip userlog nat export version ................................................................................. 1-32
1.2.7 ip userlog nat mode flow-begin ............................................................................. 1-32
Command Manual NAT

Chapter 1 NAT Configuration Commands
Note:
The line processing units (LPU) mentioned in this chapter refer to LSB1NATB0.
1.1 NAT Configuration Commands

1.1.1 display nat address-group
Syntax
display nat address-group [ group-number ]
View
Any view
Parameters
group-number: Group number of an address pool, in the range 0 to 319.
Description
Use the display nat address-group command to display the configuration of the
address pool.
Examples
# Display the configuration of the address pool.
<H3C> display nat address-group
NAT address-group information:
0
: [address-group]
1.1.1.1 ----
1.1.1.2
2.2.2.2 ----
2.2.2.3
[description] teacher
[slot] 5
1
: [address-group]
--2 entries found--
1.1.2 display nat aging-time

Syntax
display nat aging-time
1-1
Command Manual NAT

View
Any view
Parameters
None
Description
Use the display nat aging-time command to display the aging time of a NAT entry.
Examples
# View the aging times of the NAT entries of various protocols.
<H3C> display nat aging-time
NAT aging-time value information:
alg
---- aging-time value is
120 (seconds)
ftp
7200 (seconds)
h.323 ---- aging-time value is
600 (seconds)
ils
600 (seconds)
The slot 5 NP-Timer configuration:

Selection of NP-Timer is : Slow-Timer
Fast-Timer : 1 seconds
Slow-Timer: 300 seconds
1.1.3 display nat all

Syntax
display nat all
View
Any view
Parameters
None
Description
Use the display nat all command to display all the configurations about NAT.
Examples
# Display all the configurations about NAT.
<H3C> display nat all
NAT address-group information:
No address-groups have been configured
1-2
Command Manual NAT

--0 entry found-NAT outbound information:

No interfaces have been configured for NAT
--0 entry found-Server in private network information:
No internal servers have been configured
--0 entry found-Static NAT information:
No static NAT has been configured
--0 entry found-NAT aging-time value information:
alg
120 (seconds)
ftp
7200 (seconds)
h.323 ---- aging-time value is
600 (seconds)
ils
600 (seconds)
The slot 5 NP-Timer configuration:

Selection of NP-Timer is : Slow-Timer
Fast-Timer : 1 seconds
Slow-Timer: 300 seconds
There are no configuration of vpn limit
1.1.4 display nat auto-reset-session

Syntax
display nat auto-reset-session
View
Any view
Parameters
None
Description
Use the display nat auto-reset-session command to display the status of the NAT
session table auto-reset function.
Examples
# Display the status of the NAT session table auto-reset function.
<H3C> display nat auto-reset-session
Reset NAT session table automatically when interface becomes up or down.
1-3
Command Manual NAT

1.1.5 display nat blacklist

Syntax
display nat blacklist { all | [ vpn-instance vpn-name ] ip [ ip-address ] slot slot-no }
View
Any view
Parameters
all: Displays all blacklist configurations.
vpn-instance vpn-name: Specifies the VPN that the user configured in the blacklist
belongs to.
ip ip-address: IP address configured in the blacklist.
slot slot-no: Specifies the slot where the NAT service board resides.
Description
Use the display nat blacklist command to display the blacklist configurations and
operation states.
Use the display nat blacklist all command to display all the configurations of the
blacklist.
Use the display nat blacklist vpn-instance vpn-name ip ip-address slot slot-no
command to display the blacklist configurations and operation states for an IP address
in a VPN.
Examples
# Display all the configurations of the blacklist.
<H3C> display nat blacklist all
Blacklist function global configuration:
Blacklist function is started.
Connection amount control is enabled.
Connection set-up rate control is enabled.
Amount control limit: 500 sessions.
Rate control limit: 250 session/s.
Special rate control limit: 250 session/s.
Global Committed Burst Size is 150

Special IP Committed Burst Size is 150
Altogether 1 IP addresses have special configuration:
Control limit configuration of VPN vpn1 IP 100.0.0.3:

1-4
Command Manual NAT

Rate control limit uses special configuration.
# Display the blacklist configurations and operation states for IP address 100.0.0.3 in
VPN1.
<H3C> display nat blacklist vpn-instance vpn1 ip 100.0.0.3 slot 4
Blacklist function global configuration:
Blacklist function is started.
Connection amount control is enabled.
Connection set-up rate control is enabled.
Rate control limit: 250 session/s.
Special rate control limit: 250 session/s.
Global Committed Burst Size is 150

Special IP Committed Burst Size is 150
Control limit configuration of VPN vpn1 IP 100.0.0.3: Amount control limit:

500 sessions.
Rate control limit uses special configuration.
Blacklist running statistics of IP 100.0.0.3:
Amount of connection already set up: 0 sessions.
IP 100.0.0.3 is not in the blacklist!
1.1.6 display nat outbound

Syntax
display nat outbound
View
Any view
Parameters
None
Description
Use the display nat outbound command to display the information about all mapping
entries of NAT Outbound.
Examples
# Display the information about all mapping entries of NAT Outbound.
<H3C> display nat outbound
NAT outbound information:
Vlan-interface2
: [acl] 2000
1-5
Command Manual NAT


[address-group] 1
[type] pat
[slot] 5
Vlan-interface3
: [acl] 2000
[address-group] 0
-- teacher
[type] no-pat
[slot] 5
Vlan-interface4
: [acl] 2001
[address-group] interface
[type] pat
[slot] 5
--3 entries found--
1.1.7 display nat server

Syntax
display nat server
View
Any view
Parameters
None
Description
Use the display nat server command to display information about all the internal
servers.
Examples
# Display information about all the internal servers.
<H3C> display nat server
Slot:4, Interface:Vlan-interface2, Protocol:6(tcp), in VPN vpn1,
[global]
23.23.23.23:
80(www)
[local]
100.0.0.23:
80(www)

[global]
23.23.23.23:
8000
[local]
100.0.0.23:
21(ftp)

[global]
23.23.23.1:
8000
[local]
100.0.0.3:
21(ftp)

[global]
23.23.23.2:
0(any)
--4 entries found
1-6
[local]
100.0.0.4:
0(any)
Command Manual NAT

1.1.8 display nat static

Syntax
display nat static
View
Any view
Parameters
None
Description
Use the display nat static command to display all static address translation entries.
Examples
# Display all static address translation entries.
<H3C> display nat static
Static NAT information:
Vlan-interface24
: [global-address]
24.2.1.1
[inside-address]
192.168.2.1
[slot] 5
Vlan-interface25
: [global-address]
[inside-address]
25.2.1.1 ----
25.2.1.10
192.168.3.1 ----
192.168.3.10
[slot] 5
--2 entry found--
1.1.9 display nat statistics

Syntax
display nat statistics slot slot-no
View
Any view
Parameters
slot-no: Number of the slot in which the NAT service board currently functioning
resides.
Description
Use the display nat statistics command to display the statistics of the current NAT
information.
1-7
Command Manual NAT

Examples
# Display the statistics of the current NAT information.
<H3C> display nat statistics slot 3
Running information in slot 3:
active PAT session table count in CPU:0
active PAT session table count in NP:1
active NO-PAT session table count:0
active SERVER session table count:3
active STATIC NAT session table count: 11
Table 1-1 Description on the filed of the display nat statistics slot command
Field
Description
Running information in slot
Slot information
active PAT session table count in CPU
Number of NAPT entries in CPU
active PAT session table count in NP
Number of NAPT entries in NP
active NO-PAT session table count
Number of NAT entries in CPU
active SERVER session table count
Number of user-configured internal

server entries
active STATIC NAT session table count
Number of static address translation

entries
Note:
In PTA mode, hardware of S9500 series switches creates a positive stream and a
reversed stream (which is used for reversed PAT) when creating a stream. However,
the NAT log exports the positive stream only.
1.1.10 display nat vpn limit

Syntax
display nat vpn limit { all | public | vpn-instance vpn-name }
View
System view
Parameters
all: Queries the maximum number of users and connections of all the VPNs.
public: Queries the maximum number of users and connections of the public network.
1-8
Command Manual NAT

vpn-instance: Queries the maximum number of users and connections of the specified
VPN.
vpn-name: Name of a VPN instance.
Description
Use the display nat vpn limit command to display the maximum number of users and
connections of all the VPNs or the specified VPN of NAT.
Examples
# Display the maximum number of users and connections of all the VPNs of NAT.
<H3C> display nat vpn limit all
The slot 4 nat state of public:
The max user count is 1000.
The current user count is 0.
The available user count is 1000.
The max connection count is 10000.

The current connection count is 0.
The available connection count is 10000.
The slot 4 nat state of vpn-instance vpn1:

The max user count is 1000.
The current user count is 0.
The available user count is 1000.
The max connection count is 10000.

The current connection count is 0.
The available connection count is 10000
1.1.11 nat address-group

Syntax
nat address-group group-number { { start-addr end-addr [ description text ] } |
description text }
undo nat address-group group-number
View
System view
Parameters
group-number: Group number of an address pool.
1-9
Command Manual NAT

start-addr: Starting IP address of an address pool.

end-addr: Ending IP address of an address pool.
text: A description string of 1 to 31 characters.
Description
Use the nat address-group command to configure an address pool.
Use the undo nat address-group command to delete an address pool.
An address pool is a group of some external IP addresses. If start-addr and end-addr
are the same, there is only one address.
z
To created an address pool, use the nat address-group group-number start-addr

end-addr [ description text ] command.
To modify the description character string of an address pool, use the nat
address-group group-number description text command.
Caution:
z
The number of addresses included in an address pool (the number of the public
addresses in an address pool) must not exceed 256.
You cannot configure network segment addresses and broadcast addresses as

addresses in an address pool.
The IP addresses configured in the NAT address pool must not be the same with the
IP addresses in the internal network.
You cannot delete an address pool that is associated to an ACL.
When NAPT is enabled, there cannot be more than 32 addresses in an address

pool.
Examples
# Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.
<H3C> system-view
[H3C] nat address-group 1 202.110.10.10 202.110.10.15
# Configure address pool 2 with addresses 203.110.10.10 to 203.110.10.110, and the

description character string is teacher.
<H3C> system-view
[H3C] nat address-group 2 203.110.10.10 203.110.10.110 description teacher
# Modify the description character string of address group 2 to teacher&student.

<H3C> system-view
[H3C] nat address-group 2 description teacher&student
1-10
Command Manual NAT

1.1.12 nat aging-time

Syntax
nat aging-time alg time-value
undo nat aging-time alg
View
System view
Parameters
alg time-value: Aging time of NAT entries requiring application level gateway (ALG)
processing in seconds.
Note:
As for the NO-PAT method, the aging time cannot be set and it adopts fast aging time.
Description
Use the nat aging-time command to set the aging time for NAT entries.
Use the undo nat aging-time command to restore the default value of the aging time
for NAT.
By default, the aging time of NAT entries for application level gateway (ALG) is 120
seconds, that for FTP is 7200 seconds.
Examples
# Set the aging time of NAT entries requiring ALG processing to 245 seconds.
<H3C> system-view
[H3C] nat aging-time alg 245
1.1.13 nat auto-reset-session

Syntax
nat auto-reset-session
undo nat auto-reset-session
View
System view
1-11
Command Manual NAT

Parameters
None
Description
Use the nat auto-reset-session command to enable the NAT session table auto-reset
function when a NAT enabled VLAN interface goes up or down.
Use the undo nat auto-reset-session command to disable the function.
By default, the NAT session table auto-reset function is disabled.
After you execute this command, the NAT session table is reset only when a
NAT-enabled VLAN interface goes up or down.
This function is typically used in link backup networks. When the active link is down, the
corresponding NAT session table is cleared. Then, NAT configured on the backup link
performs address translation for packets.
Because all NAT session tables are cleared when a NAT enabled VLAN interface goes
up or down, you are not recommended to enable this function in a common network.
Examples
# Enable the NAT session table auto-reset function when the VLAN interface goes up
or down.
<H3C> system-view
[H3C] nat auto-reset-session
1.1.14 nat blacklist start

Syntax
nat blacklist start
undo nat blacklist start
View
System view
Parameters
start: Starts the blacklist function for the whole system.
Description
Use the nat blacklist command to set the properties relevant to the blacklist.
Use the undo nat blacklist command to disable a certain property or a certain
function.
The blacklist function is disabled by default.
1-12
Command Manual NAT

Examples
# Enable the blacklist function for the whole system.
<H3C> system-view
[H3C] nat blacklist start
1.1.15 nat blacklist mode

Syntax
nat blacklist mode { amount | rate | all }
undo nat blacklist mode { amount | rate | all }
View
System view
Parameters
mode: Sets the control mode.
amount: Controls the amount of user connections only.
rate: Controls the rate of user link set-up only.
all: Controls both the amount of user connections and the rate of user link set-up
Note that the connection here refers to the address mapping relationship set up during
NAT. The rate of link set-up means the rate of setting up such connections, namely, the
times of setting up connections per second.
Note:
The connection here refers to the address mapping relationship set up during NAT. The
rate of link set-up means the rate of setting up such connections
Description
Use the nat blacklist mode command to set the control mode of the blacklist function.
You can select to control the number of user connections, the rate of link set-up or both.
Use the undo nat blacklist mode command to disable the configured control mode of
the blacklist function.
Examples
# Select to control the number of user connections.
<H3C> system-view
[H3C] nat blacklist mode amount
1-13
Command Manual NAT

1.1.16 nat blacklist limit amount

Syntax
nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ] max-amount
undo nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ]
View
System view
Parameters
vpn-instance vpn-name: Name of a VPN instance. When this argument is specified,
the IP address configured in the blacklist is the IP address in VPN.
user-ip: IP address of the specified user.
max-amount: Upper threshold value for the total number of NAT connections that a
user can set up, in the range of 20 to 20,000. The max-amount argument is 500 by
default.
Description
Use the nat blacklist limit amount command to set the threshold value for the user
connections.
Use the undo nat blacklist limit amount command to restore the threshold value for
the user connections to the default value.
z
If the source keyword is not specified, this configuration is effective for the global
users.
If the source keyword is not specified, this configuration is effective for the users
of the specified source IP address.
Caution:
During the system running, if the reset nat session command is not executed after you
have configured the number of global user connections, the number of connections
exceeding the upper limit cannot be deleted directly until the stream is aged.
Examples
# Set the threshold value for the number of global connections.
<H3C> system-view
[H3C] nat blacklist limit amount 2222
1-14
Command Manual NAT

# Set the threshold value for the number of connections to the IP address 1.1.1.1.
<H3C> system-view
[H3C] nat blacklist limit amount source 1.1.1.1 2222
# Set the threshold value for the number of connections to the IP address 100.0.0.1 in
the private network VPN1.
<H3C> system-view
[H3C] nat blacklist limit amount vpn-instance vpn1 source 100.0.0.1 2222
1.1.17 nat blacklist limit rate

Syntax
nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs burst-size ]
undo nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs
burst-size ]
View
System view
Parameters
cir cir-value: Sets the threshold value in sessions per second for committed information
rate (CIR ) which refers to the average rate on a port for a long time. The value ranges
from 20 to 262,144, with a default value of 250.
cbs burst-size: Sets the threshold value for Conformed Burst Size (CBS ) which
determines the maximum burst size before part of the traffic exceeds CIR, in the range
of [ cir-value, 90*cir-value] in bits. Its default value is 375 bits.
ebs burst-size: Sets the threshold value for Extended Burst Size (EBS) which
determines the maximum burst size before all the traffic exceeds CIR, in the range of [ 0,
90*cir-value] in bits. It must be no bigger than the value specified by cbs burst-size. Its
default value is 0.
Description
Use the nat blacklist limit rate command to set the threshold value for the rate of link
set-up, namely, the times of setting up connections. The user who exceeds the
threshold value will not be displayed in the blacklist.
Use the undo blacklist limit rate command to restore the threshold value for the rate
of link set-up to the default value.
In the commands above:
z
If the source ip keyword is not specified, this configuration is effective for default
users.
1-15
Command Manual NAT

z
If the source ip keyword is not specified, this configuration is effective for the
users of the specified source IP address only.
If you do not use the nat blacklist limit rate command, the system will adopt the
default value of the cir-value, cbs burst-size, and ebs burst-size, that is, 250, 375,
and 0 respectively.
If you use the nat blacklist limit rate command to configure the cir-value
argument only, the value of the cbs burst-size is cir-value*1.5, and the value of the
ebs burst-size is 0.
Caution:
z
You can set the threshold value for the maximum number of connections of the
specified IP address to any value within the value range. However, the threshold
value for the maximum rate of link set-up of all the specified source IP addresses
must be the same.
During the system running, you must execute the reset nat session command
once after you modify the blacklist configuration (except the blacklist configuration
for the specified source IP address).
When there are multiple LPUs in a device, each LPU maintains its own blacklist
information independently. However, the commands to configure the blacklist are
effective for all the blacklist-feature-enabled LPUs at the same time.
Examples
# Set the threshold value for the default rate of link set-up.
<H3C> system-view
[H3C] nat blacklist limit rate cir 20 cbs 1799 ebs 40
# Set the special threshold value for the rate of link set-up
<H3C> system-view
[H3C] nat blacklist limit rate source ip cir 20 cbs 1799 ebs 40
1.1.18 nat blacklist limit rate source

Syntax
nat blacklist limit rate [ vpn-instance vpn-name] source ip-address
undo nat blacklist limit rate [ vpn-instance vpn-name] source ip-address
View
System view
1-16
Command Manual NAT

Parameters
vpn-instance vpn-name: Name of a VPN instance. When this argument is specified,
the IP address configured in the blacklist is the IP address in VPN.
source ip-address: IP address of the specified user.
Description
Use the nat blacklist limit rate source ip-address command to set the IP for the user
who needs a special control mode for the rate of link set-up. For relevant information,
see the nat blacklist limit rate source ip command in 1.1.17 nat blacklist limit rate.
Use the undo nat blacklist limit rate source ip-address command to disable the user
IP address setting.
Caution:
z
You can set the threshold value for the maximum number of connections of the
specified IP address to any value within the value range. However, the threshold
value for the maximum rate of link set-up of all the specified source IP addresses
must be the same.
During the system running, you must execute the reset nat session command
once after you modify the blacklist configuration (except the blacklist configuration
for the specified source IP address).
When there are multiple LPUs in a device, each LPU maintains its own blacklist
information independently. However, the commands to configure the blacklist are
effective for all the blacklist-feature-enabled LPUs at the same time.
Examples
# Use the special threshold value to control the rate of link set-up of the user 2.2.2.2.
<H3C> system-view
[H3C] nat blacklist limit rate source 2.2.2.2
# Use the special threshold value to control the rate of link set-up of the user 200.0.0.1
in the private network VPN1.
<H3C> system-view
[H3C] nat blacklist limit rate vpn-instance vpn1 source 200.0.0.1
1-17
Command Manual NAT

1.1.19 nat outbound

Syntax
nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-no
undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot
slot-no
View
VLAN interface view
Parameters
address-group: Configure the NAT by using the address pool. If you do not specify the
address pool, the IP address of the interface is used as the translated address, that is,
the Easy IP feature.
no-pat: Specifies that only IP addresses included in data packets are translated while
the port number information is left unused.
acl-number: ACL number, in the range 2,000 to 3,999.
group-number: Address pool number, in the range 0 to 319.
slot-no: Number of the slot where the NAT LPU resides.
Description
Use the nat outbound command to associate an ACL with an address pool.
Use the undo nat outbound command to delete the corresponding NAT rule.
After the association, the addresses meeting the criteria of acl-number can use address
pool group-number for NAT. The NAT LPU in which the address pool resides is
specified for NAT. All the address translations using this address pool are processed on
this NAT LPU.
After configuring the association between the ACL and the address pool, the eligible
source address of a data packet will be translated by either selecting an address from
the address pool or using the IP address of the interface directly. Multiple NAT
associations can be configured on a VLAN interface, which is normally connected to
the ISP and acts as the egress of the internal network. You may use the corresponding
undo command to delete a NAT association.
If you do not specify any value for the address-group keyword, the Easy IP feature is
implemented for NAT, and the IP address of the interface is used as the translated
address.
1-18
Command Manual NAT

Note:
z
As for the ACL associated with an address pool, only the source VPN, source IP
address, and the destination IP address fields in it are used. They are also used to
tell whether or not two rules conflict.
Do not execute the undo nat outbound command too often after the configuration
is stable.
Caution:
Address translation is performed on the NAT LPU. Because packets sent from a private
network will not be delivered to the NAT LPU by default, you need to reference QACLs
on the receiving interface to redirect those packets to the NAT LPU. For details, refer to
the traffic-redirect command in QoS Commands of the QoS ACL Volume. You do not
need to configure the DIP in the response packet sent from the public network because
it is an address from the address pool.
Examples
# Allow hosts on the network segment 192.168.1.0/24 in VPN1 and VPN2 and the
network segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to
202.110.10.12. Suppose VLAN interface 2 is connected to the ISP.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule permit ip source 10.110.10.0 0.0.0.255
[H3C-acl-adv-3000] rule permit ip vpn-instance VPN1 source 192.168.1.0
0.0.0.255
[H3C-acl-adv-3000] rule permit ip vpn-instance VPN2 source 192.168.1.0
0.0.0.255
[H3C-acl-adv-3000] quit
# Configure the address pool.

[H3C] nat address-group 1 202.110.10.10 202.110.10.12
# Configure NAT binding on NAT LPU 3, allowing packets that match ACL 3000 to be
processed by NAT. The address will be translated into one of address pool 1.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat outbound 3000 address-group 1 slot 3
# Configure to use one-to-one NAT (do not use TCP/UDP port information for NAT).
[H3C-Vlan-interface2] nat outbound 3000 address-group 1 no-pat slot 3
1-19
Command Manual NAT

# Perform the following configuration to use the IP address of VLAN-interface 2 directly.

[H3C-Vlan-interface2] nat outbound 3000 slot 3
# Configure ACLs for packet redirection. You are recommended to configure two ACLs,
namely, ACL 4000 and ACL 3001. ACL 4000 allows packets with VLAN ID 192 and
DMAC being the MAC address of VLAN-interface 192 (000f-e23f-3294) to pass (only
Layer 3 packets need to be redirected to the NAT LPU for translation, while protocol
and Layer 2 packets do not need to be redirected). ACL 3001 allows the packets with
source IP address 10.110.10.0/24 to pass. The ID of the VLAN on the private network
side is 192.
[H3C-acl-link-4000] rule permit ingress 192 egress 000f-e23f-3294 0-0-0
[H3C-acl-link-4000] quit
# Customize a flow template, and then apply it to Ethernet 4/1/1. The interface card is
located in slot 4. For details about flow template, refer to Defining and Applying Flow
Template in ACL Configuration of the QoS ACL Volume.
[H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0
vlanid
[H3C] interface Ethernet4/1/1
[H3C-Ethernet4/1/1] flow-template user-defined
# Reference the ACLs to redirect the packets that needs to be translated to the NAT
LPU. Ethernet 4/1/1 is the inbound interface on the private network side and the VLAN
ID is 192.
[H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 link-group 4000
rule 0 slot 3 designated-vlan 192
Caution:
You need to bind VPN 1 to VLAN 192 on the private network side before referencing
the ACLs for packet redirection.
# The configuration of VPN 2 is similar to that of VPN 1.
1-20
Command Manual NAT

1.1.20 nat server

Syntax
nat server protocol { tcp | udp } global global-addr global-port inside [ vpn-name ]
host-addr host-port slot slot-no
undo nat server protocol { tcp | udp } global global-addr global-port inside
[ vpn-name ] host-addr host-port slot slot-no
nat server protocol { tcp | udp } global global-addr global-port1 global-port2 inside
[ vpn-name ] host-addr1 host-addr2 host-port slot slot-no
undo nat server protocol { tcp | udp } global global-addr global-port1 global-port2
inside [ vpn-name ] host-addr1 host-addr2 host-port slot slot-no
nat server protocol { icmp | tcp | udp } global global-addr inside [ vpn-name ]
host-addr slot slot-no
undo nat server protocol { icmp | tcp | udp } global global-addr inside [ vpn-name ]
host-addr slot slot-no
View
VLAN interface view
Parameters
global-addr: Servers public IP address by which external devices can access servers.
global-port: External service port numbers of servers. When TCP or UDP is selected as
the protocol type, the external devices can access the services provided by servers
through the external service ports.
host-addr: IP address of the server on the internal LAN.
host-port: Service port number provided by the server, in the range from 0 to 12287. A
value of 0 indicates the server can provide any type of services. You can use a keyword
to indicate a frequently used port number. For example, you can use www for WWW
service port number 80, ftp for ftp service port number 21, and any for 0.
Note that the global-port argument must be any when the host-port argument is any,
indicating an AnyServer is configured. Otherwise, this configuration does not take
effect.
global-port1 global-port2: Specifies a scope of external service port numbers that
corresponds to the address range of internal hosts. global-port2 must be bigger than
global-port1, and the corresponding host-port cannot be 0.
vpn-name: Name of the VPN of the
internal server private network side. If this
argument is not specified, the private network side does not belong to any VPN.
Note that IP addresses cannot be used as vpn-name. If you use IP addresses as VPN
names, the CLI treats them as IP addresses uniformly.
1-21
Command Manual NAT

host-addr1 host-addr2: Specifies an address scope of internal hosts that corresponds

to the address range of external service port numbers. host-addr2 must be bigger than
host-addr1. The number of the address scope must be the same as the number of
external service ports.
slot-no: Specifies number of the slot in which the NAT service board resides.
Description
Use the nat server command to define mapping relationships from public addresses
and external service port numbers to internal addresses and internal service port
numbers.
After the configuration, by using the address and port number defined by the
global-addr and the global-port parameters, you can access the internal server with the
address and port number specified by the host-addr and host-port parameters.
Use the undo nat server command to cancel the mapping table.
The keywords icmp, tcp and udp are the protocol types carried by IP, which can be
represented by 1, 6 and 17 respectively. You can select only one protocol type in a
command. If no port is specified in the command, an AnyServer is configured.
An AnyServer is used to define mapping relationship between a public address and the
internal address of a server of the specified protocol type. Through this mapping, hosts
on the public network and private network can access each other.
1-22
Command Manual NAT

Caution:
z
Up to 256 internal server translation commands can be configured for a VLAN

interface.
One command can be used to configure up to 128 internal servers.
Up to 4,096 internal TCP and UDP servers can be configured for a VLAN interface.
Only the same NAT LPU can be configured for a VLAN interface.
Up to 1,024 internal server translation commands are supported by the system.
Up to 512 AnyServers are supported by the system.
The public address of an AnyServer cannot conflict with any interface public IP
addresses or other public addresses used by NAT; the private address of the
AnyServer cannot conflict with those configured in the static address translation
entries or those of the servers of the same protocol.
Do not execute the undo nat server command too often after the configuration is
stable.
Address translation is performed on the NAT LPU. Because packets sent from the
private network will not be delivered to the NAT LPU by default, you need to
reference QACLs on the receiving interface to redirect those packets to the NAT
LPU. You do not need to specify the DIP in the response packet sent from the public
network because it is the public network address corresponding to the internal
server.
IP addresses cannot be used as vpn-name. If you use IP addresses as VPN names,

the CLI treats them as IP addresses uniformly.
The interface configured with this command should be connected to the ISP and acts
as the egress of the internal network.
Examples
# Specify the IP address of the internal WWW server in the LAN VPN1 as 10.110.10.10,
the IP address of the internal FTP server as 10.110.10.11, and allow external hosts to
access the WWW server and FTP server by http://202.110.10.10:8080 and
ftp://202.110.10.10 respectively. Specify the IP address of the internal server providing
TCP and UDP services as 10.110.10.12 and the corresponding external address as
202.110.10.12. Suppose that VLAN-interface 2 is connected to the ISP.
<H3C> system-view
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside
VPN1 10.110.10.10 www slot 3
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside
VPN1 10.110.10.10 ftp slot 3
1-23
Command Manual NAT

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.12 any inside

VPN1 10.110.10.12 any slot 3
[H3C-Vlan-interface2] nat server protocol udp global 202.110.10.12 any inside
VPN1 10.110.10.12 any slot 3
# Configure ACLs for packet redirection. You are recommended to configure two ACLs:
ACL 4000 and ACL 3001. ACL 4000 allows packets with VLAN ID 192 and DMAC being
the MAC address of VLAN-interface 192 to pass (only Layer 3 packets need to be
redirected to the NAT LPU for translation, while protocol and Layer 2 packets do not
need to be redirected). ACL 3001 is used to redirect packets that need to be translated
to the NAT LPU. The ID of the VLAN on the private network side is 192.
[H3C-acl-link-4000] rule permit ingress 192 egress 000f-e23f-3294 0-0-0
[H3C-acl-link-4000] quit
# Customize a flow template, and then apply the flow template to Ethernet 4/1/1. The
interface card is located in slot 4.
[H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0
vlanid
[H3C-Ethernet4/1/1] flow-template user-defined
# Reference the ACLs to redirect the packets that needs to be translated to the NAT
LPU. Ethernet 4/1/1 is the inbound interface on the private network side, and the VLAN
ID is 192.
[H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 link-group 4000
rule 0 slot 3 designated-vlan 192
Caution:
You need to bind VPN 1 to VLAN 192 on the private network side before referencing
the ACLs for packet redirection.
1.1.21 nat static

Syntax
nat static global global-addr inside [ vpn-name ] host-addr slot slot-no
1-24
Command Manual NAT

undo nat static global global-addr inside [ vpn-name ] host-addr slot slot-no
nat static global global-addr1 global-addr2 inside [ vpn-name ] host-addr1
host-addr2 slot slot-no
undo nat static global global-addr1 global-addr2 inside [ vpn-name ] host-addr1
host-addr2 slot slot-no
View
VLAN interface view
Parameters
global-addr: Public network address.
global-addr1 global-addr2: A group of public network addresses.
host-addr: Private network address.
host-addr1 host-addr2: A group of private network addresses.
vpn-name: VPN name of the private network address. If this argument is not specified,
the private network address does not belong to any VPN.
slot-no: Number of the slot where the NAT service board is located.
Description
Use the nat static command to create static NAT mappings between public network
addresses and private network addresses.
After executing this command, the source IP address of a packet sent from an internal
host will be translated into the public network address specified by the global-addr
argument. External users can also access the TCP, UDP and ICMP services provided
by the internal hosts through the specified public network address.
Use the undo nat static command to remove the static NAT mappings.
1-25
Command Manual NAT

Caution:
z
Up to 1,024 static address translation commands are supported by the system.
Up to 4,096 static NAT mappings are supported by the system.
NAT configuration for a VLAN can only be made on the same NAT LPU.
Do not remove static NAT entries too often if they operate normally.
Address translation is performed on the NAT LPU. Because packets sent from the
private network will not be delivered to the NAT LPU by default, you need to
reference QACLs on the receiving interface to redirect those packets to the NAT
LPU. You do not need to make specific NAT configuration for response packets
from the public network because their destination public IP addresses are recorded
in NAT entries.
The public network address in a static NAT entry should globally unique.
IP addresses cannot be used as VPN names. If you use IP addresses as VPN

names, the CLI treats them as IP addresses.
Examples
# Create a static mapping between the IP address 10.110.10.10 of a host in VPN 1 and
public network address 202.110.10.10. Suppose that VLAN-interface 2 is connected to
the ISP.
<H3C> system-view
[H3C-Vlan-interface2]
nat
static
global
202.110.10.10
inside
VPN1
10.110.10.10 slot 3
# Configure ACL 3001.

# Reference ACL 3001 to redirect packets that are to be serviced by NAT to the NAT
board. Ethernet 4/1/1 is connected to the private network, and 192 is the corresponding
VLAN ID.
[H3C-Ethernet4/1/1]
traffic-redirect
designated-vlan 192
1-26
inbound
ip-group
3001
slot
Command Manual NAT

Caution:
You need to configure QACL redirection after binding VLAN 192 to the VPN.
1.1.22 nat vpn limit

Syntax
nat vpn limit [ vpn-instance vpn-name ] user-limit flow-limit
undo nat vpn limit [ vpn-instance vpn-name ]
View
System view
Parameters
vpn-instance vpn-name: Name of a VPN instance. If this argument is not specified, it
limits the number of users and connections in the non-VPN private network side.
user-limit: Maximum number of users in a VPN translated by NAT. The sum of the
maximum user numbers configured in VPNs cannot exceed 8,192.
flow-limit: Maximum number of unidirectional connections in a VPN translated by NAT.
The sum of the maximum connection numbers configured in VPNs cannot exceed
1,257,291.
Description
Use the nat vpn limit command to configure the maximum numbers of users and
connections in the specified VPN. You must configure this command before configuring
NAT bindings and blacklists. Because NP need not set up streams for NAT translation
in the NO-PAT mode, this command is effective only for NAT translation in the PAT
mode.
Use the undo nat vpn limit command to disable the configured maximum numbers of
users and connections in the specified VPN.
The maximum number of connections configured in the blacklist is limited by the
maximum number of connections in the VPN. If the number of streams established in
the VPN has reached the upper limit, you cannot create new connections any more.
1-27
Command Manual NAT

Note:
The maximum numbers of users and connections in a VPN does not apply to the
NO-PAT mode.
Examples
# Configure the maximum numbers of users and connections in a VPN. .
<H3C> system-view
[H3C] nat vpn limit vpn-instance test 5000 5500
1.1.23 reset nat session

Syntax
reset nat session slot slot-no
View
User view
Parameters
slot slot-no: Number of the slot where the NAT LPU resides.
Description
Use the reset nat session command to clear NAT mapping tables from the memory
and NP.
Examples
# Clear the NAT mapping table established by the NAT LPU in slot 3.
<H3C> reset nat session slot 3
1.2 NAT Security Logging Configuration Commands

1.2.1 display ip userlog export
Syntax
display ip userlog export slot slot-no
View
Any view
1-28
Command Manual NAT

Parameters
slot-no: Number of the slot where the LPU resides.
Description
Use the display ip userlog export command to display configurations and statistics of
system logging.
Examples
# Display configurations of NAT logging.
<H3C> display ip userlog export slot 3
NAT:
IP userlog export is not enabled
Version 1 export is enabled
Export logs to 0.0.0.0 (Port: 0)
Export using source address 0.0.0.0
IP userlog flowbegin mode is not enabled
IP userlog active time: 0 minutes
0 logs exported in 0 udp datagrams
0 logs in 0 udp datagrams failed to output
0 entries buffered currently
1.2.2 ip userlog nat

Syntax
ip userlog nat acl acl-number
undo ip userlog nat
View
System view
Parameters
acl-number: ACL number, in the range of 2000 to 3999.
Description
Use the ip userlog nat acl command to enable NAT logging and configure NAT
logging rules, which defines the packets to be logged.
Use the undo ip userlog nat command to disable the NAT logging function.
By default, NAT logging is disabled for each NAT LPU.
1-29
Command Manual NAT

Caution:
The ACL for NAT logging supports the SIP and DIP fields only.
Examples
# Employ ACL 2000 as the logging rule, and enable NAT logging.
<H3C> system-view
[H3C] ip userlog nat slot 3 acl 2000
1.2.3 ip userlog nat active-time

Syntax
ip userlog nat active-time minutes
undo ip userlog nat active-time
View
System view
Parameters
minutes: Time duration of an active NAT connection before a log record is created for it,
ranging from 10 to 120, in minutes. The default time duration is 0, which indicates that
this function is disabled.
Description
Use the ip userlog nat active-time command to set the time duration of an active NAT
connection before a log record is created for it.
Use the undo ip userlog nat active-time command to cancel the threshold configured
for logging.
If the NAT process performs logging only when a NAT connection is deleted, some
connections may be active for a long time without being logged. Devices can record this
type of connection regularly after this command is configured.
Examples
# Set the active time of a connection after which a NAT log record is created to 30
minutes.
<H3C> system-view
[H3C] ip userlog nat active-time 30
1-30
Command Manual NAT

1.2.4 ip userlog nat export host

Syntax
ip userlog nat export host ip-address udp-port
undo ip userlog nat export host
View
System view
Parameters
ip-address: IP address of the log server, that is, the destination IP address for log
packets.
udp-port: UDP port number of the log server, that is, the destination port number for log
packets. The valid range is from 0 to 65,535. By default, it is 0.
Description
Use the ip userlog nat export host command to set the address and port number of
the destination server of log packets.
Use the undo ip userlog nat export host command to remove the configuration.
Examples
# Set the destination address and UDP port number of log packets to 169.254.1.1 and
200 respectively.
<H3C> system-view
[H3C] ip userlog nat export host 169.254.1.1 200
1.2.5 ip userlog nat export source-ip

Syntax
ip userlog nat export source-ip src-address
undo ip userlog nat export source-ip
View
System view
Parameters
src-address: Source IP address of the log packets, which is 0.0.0.0 by default.
Description
Use the ip userlog nat export source-ip command to set the source IP address of log
packets.
1-31
Command Manual NAT

Use the undo ip userlog nat export source-ip command to restore the default source
IP address of log packets.
Examples
# Set the source IP address of log packets to 169.254.1.1.
<H3C> system-view
[H3C] ip userlog nat export source-ip 169.254.1.1
1.2.6 ip userlog nat export version

Syntax
ip userlog nat export version version-number
undo ip userlog nat export version
View
System view
Parameters
version-number: Version of the output log packets. It is 1 by default. It can only be 1
currently.
Description
Use the ip userlog nat export version command to set the version of log packets.
Use the undo ip userlog nat export version command to restore the default version
of log packets.
Examples
# Set the version of the log packets to 1.
<H3C> system-view
[H3C] ip userlog nat export version 1
1.2.7 ip userlog nat mode flow-begin

Syntax
ip userlog nat mode flow-begin
undo ip userlog nat mode flow-begin
View
System view
1-32
Command Manual NAT

Parameters
None
Description
Use the ip userlog nat mode flow-begin command to enable the NAT server logging
when an NAT connection is established and deleted.
Use the undo ip userlog nat mode flow-begin command to restore the default
logging mode.
Use the corresponding commands to select the logging mode. There are two options:
z
Perform logging only when a NAT connection is deleted.
Perform logging when a NAT connection is established or deleted.
By default, the NAT server performs logging only when a NAT connection is deleted.
Examples
# Configure to make the NAT server log when a connection is established and deleted.
<H3C> system-view
[H3C] ip userlog nat mode flow-begin
1-33

Chapter 1 NAT Configuration Commands .................................................................................. 1-1

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Chapter 1 NAT Configuration Commands .................................................................................. 1-1

Hochgeladen von

Copyright:

Verfügbare Formate

Command Manual NAT

H3C S9500 Series Routing Switches

Command Manual NAT