04-Layer 3 Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102, 04-Layer 3 Command Reference, 07-NAT Commands

NAT configuration commands

Support for NAT commands depends on the device model. For more information, see About the H3C Access Controllers Command References.

display nat address-group

Use display nat address-group to display NAT address pool information.

Syntax

display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

group-number: Specifies a NAT address pool by its number in the range of 0 to 7. The value range for this argument varies by device model. For more information, see About the H3C Access Controllers Command References. If you do not specify this argument, this command displays information about all NAT address pools.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display NAT address pool information.

<Sysname> display nat address-group

NAT address-group information:

  There are currently 2 nat address-group(s)

  1     : from         202.110.10.10     to 202.110.10.15

  2     : from         202.110.10.20     to 202.110.10.25

# Display information about NAT address group 1.

<Sysname> display nat address-group 1

NAT address-group information:

  1     : from 202.110.10.10     to 202.110.10.15

Table 1 Command output

| Field | Description |
| --- | --- |
| 1 : from 202.110.10.10 to 202.110.10.15 | The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15. |

Related commands

nat address-group

display nat aging-time

Use display nat aging-time to display the NAT aging time settings for various protocols.

Syntax

display nat aging-time [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the NAT aging time settings for various protocols.

<Sysname> display nat aging-time

 

NAT aging-time value information:

       tcp ---- aging-time value is    300 (seconds)

       udp ---- aging-time value is    240 (seconds)

      icmp ---- aging-time value is     10 (seconds)

      pptp ---- aging-time value is    300 (seconds)

       dns ---- aging-time value is     10 (seconds)

   tcp-fin ---- aging-time value is     10 (seconds)

   tcp-syn ---- aging-time value is     10 (seconds)

  ftp-ctrl ---- aging-time value is    300 (seconds)

  ftp-data ---- aging-time value is    300 (seconds)

    no-pat ---- aging-time value is    240 (seconds)

Table 2 Command output

| Field | Description |
| --- | --- |
| NAT aging-time value information | NAT aging time settings for various protocols. |
| tcp | NAT aging time for TCP. |
| udp | NAT aging time for UDP. |
| icmp | NAT aging time for ICMP. |
| pptp | NAT aging time for PPTP. |
| dns | NAT aging time for DNS. |
| tcp-fin | NAT aging time for TCP FIN and RST connections. |
| tcp-syn | NAT aging time for TCP SYN connections. |
| ftp-ctrl | NAT aging time for the FTP control link. |
| ftp-data | NAT aging time for the FTP data link. |
| no-pat | NAT aging time in NO-PAT mode. |

Related commands

nat aging-time

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address-group information:

  There are currently 1 nat address-group(s)

  1     : from 202.110.10.10     to 202.110.10.15

 

NAT bound information:

  There are currently 1 nat bound rule(s)

  Interface: Vlan-interface1

    Direction: outbound  ACL: 2009  Address-group: 1    NO-PAT: N

 

NAT server-group information:

  There are currently 2 NAT server-group(s)

  Server-group  Inside-IP        Port   Weight Connections

  1             10.1.1.1         21     101    0

  1             10.110.10.20     30     100    0

  2             ---              ---    ---    ---

 

NAT server in private network information:

  There are currently 1 internal server(s)

  Interface: Vlan-interface2, Protocol: 6(tcp)

    Global:         5.5.5.5 : 80(www)

    Local :       192.1.1.1 : 80(www)

 

NAT static information:

  There are currently 1 NAT static configuration(s)

  single static:

    Local-IP        : 1.1.1.1

    Global-IP       : 2.2.2.2

    Local-VPN       : ---

 

NAT static enabled information:

  Interface                                      Direction

  Vlan-interface3                                out-static

 

NAT aging-time value information:

       tcp ---- aging-time value is    300 (seconds)

       udp ---- aging-time value is    240 (seconds)

      icmp ---- aging-time value is     10 (seconds)

      pptp ---- aging-time value is    300 (seconds)

       dns ---- aging-time value is     10 (seconds)

   tcp-fin ---- aging-time value is     10 (seconds)

   tcp-syn ---- aging-time value is     10 (seconds)

  ftp-ctrl ---- aging-time value is    300 (seconds)

  ftp-data ---- aging-time value is    300 (seconds)

    no-pat ---- aging-time value is    240 (seconds)

NAT log information:

  log enable  :  enable

  flow-begin  :  enable

Table 3 Command output

| Field | Description |
| --- | --- |
| There are currently 1 nat address-group(s) | See the display nat address-group command for descriptions of the specific fields. |
| NAT bound information | Configuration information about internal-to-external address translation. See the display nat bound command for descriptions of the specific fields. |
| NAT server-group information | Internal server group information. See the display nat server-group command for descriptions of the specific fields. |
| NAT server in private network information | Internal server information. See the display nat server command for descriptions of the specific fields. |
| NAT static information | Information about static NAT. See the display nat static command for descriptions of the specific fields. |
| NAT static enabled information | Information about static NAT entries and interfaces with static NAT enabled. See the display nat static command for descriptions of the specific fields. |
| NAT aging-time value information | Information about NAT aging time. See the display nat aging-time command for descriptions of the specific fields. |
| NAT log information | Information about the NAT logging configuration. See the display nat log command for descriptions of the specific fields. |
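The sections of display nat all are what a defender reviews when checking that a NAT edge is inventoried and auditable: which interfaces translate, through which pools, which internal servers are reachable from outside, and whether NAT logging is on. The Python below is an added example, not H3C code and not part of this reference. It parses a constructed sample written in the output format shown above and returns review findings (logging or flow-begin logging off, Easy IP and NO-PAT rules, internal servers exposed through nat server). The sample text, the dictionary keys, and the "disable" wording of the flow-begin line are assumptions; the reference only shows the enabled form of the NAT log section.

```python
import re

# Constructed sample modelled on the display nat all output format in this
# reference. "flow-begin : disable" is an assumption: the reference only shows
# the enabled form of the NAT log section.
SAMPLE_DISPLAY_NAT_ALL = """\
NAT address-group information:
  There are currently 1 nat address-group(s)
  1     : from 202.110.10.10     to 202.110.10.15

NAT bound information:
  There are currently 2 nat bound rule(s)
  Interface: Vlan-interface1
    Direction: outbound  ACL: 2009  Address-group: 1    NO-PAT: N
  Interface: Vlan-interface20
    Direction: outbound  ACL: 2001  Address-group: ---  NO-PAT: Y

NAT server in private network information:
  There are currently 1 internal server(s)
  Interface: Vlan-interface2, Protocol: 6(tcp)
    Global:         5.5.5.5 : 80(www)
    Local :       192.1.1.1 : 80(www)

NAT aging-time value information:
       tcp ---- aging-time value is    300 (seconds)
       udp ---- aging-time value is    240 (seconds)
      icmp ---- aging-time value is     10 (seconds)

NAT log information:
  log enable  :  enable
  flow-begin  :  disable
"""

RE_POOL = re.compile(r"^\s*(\d+)\s*:\s*from\s+(\S+)\s+to\s+(\S+)")
RE_SERVER_IF = re.compile(r"^\s*Interface:\s*([^,\s]+),\s*Protocol:\s*(\S+)")
RE_BOUND_IF = re.compile(r"^\s*Interface:\s*(\S+)\s*$")
RE_BOUND_RULE = re.compile(
    r"Direction:\s*(\S+)\s+ACL:\s*(\S+)\s+Address-group:\s*(\S+)\s+NO-PAT:\s*(\S+)")
RE_MAPPING = re.compile(r"^\s*(Global|Local)\s*:\s*(\S+)\s*:\s*(\S+)")
RE_AGING = re.compile(r"^\s*(\S+)\s+----\s+aging-time value is\s+(\d+)")
RE_LOG = re.compile(r"^\s*(log enable|flow-begin|flow-active)\s*:\s*(.*?)\s*$")


def parse_nat_all(text):
    """Turn display nat all text into a dict of the sections this audit uses."""
    cfg = {"pools": {}, "bound": [], "servers": [], "aging": {}, "log": {}}
    current_if = None   # interface of the bound rule being read
    server = None       # internal server entry being read
    for line in text.splitlines():
        if m := RE_POOL.match(line):
            cfg["pools"][int(m.group(1))] = (m.group(2), m.group(3))
        elif m := RE_SERVER_IF.match(line):
            server = {"interface": m.group(1), "protocol": m.group(2)}
            cfg["servers"].append(server)
        elif m := RE_BOUND_IF.match(line):
            current_if = m.group(1)
        elif (m := RE_BOUND_RULE.search(line)) and current_if:
            cfg["bound"].append({"interface": current_if, "direction": m.group(1),
                                 "acl": m.group(2), "address_group": m.group(3),
                                 "no_pat": m.group(4) == "Y"})
        elif (m := RE_MAPPING.match(line)) and server is not None:
            server[m.group(1).lower()] = (m.group(2), m.group(3))
        elif m := RE_AGING.match(line):
            cfg["aging"][m.group(1)] = int(m.group(2))
        elif m := RE_LOG.match(line):
            cfg["log"][m.group(1)] = m.group(2)
    return cfg


def audit(cfg):
    """Defender-side review of the parsed configuration; each finding is a string."""
    findings = []
    # NAT logging is what later lets you attribute a public address:port to a host.
    # The value may carry an ACL suffix ("enable acl 2000"), so test the prefix.
    if not cfg["log"].get("log enable", "").startswith("enable"):
        findings.append("NAT logging is off (see nat log enable)")
    elif cfg["log"].get("flow-begin") != "enable":
        findings.append("session establishment events are not logged (see nat log flow-begin)")
    for rule in cfg["bound"]:
        if rule["address_group"] == "---":   # blank pool means Easy IP
            findings.append(f"{rule['interface']}: Easy IP, the interface address is the translated source")
        if rule["no_pat"]:
            findings.append(f"{rule['interface']}: NO-PAT rule, one public address per internal host")
    for srv in cfg["servers"]:
        if "global" in srv:
            ip, port = srv["global"]
            findings.append(f"{srv['interface']}: internal server exposed at {ip}:{port} ({srv['protocol']})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nat_all(SAMPLE_DISPLAY_NAT_ALL)):
        print(finding)
```

Feed it the captured text of display nat all from a device (for example over a scripted SSH session) instead of the sample; the regular expressions key on the labels shown in this reference, so sections that are absent simply leave the corresponding dict entries empty.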

 

display nat bound

Use display nat bound to display the outbound NAT rules bound to interfaces.

Syntax

display nat bound [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display NAT configuration information.

<Sysname> display nat bound

NAT bound information:

  There are currently 3 nat bound rule(s)

  Interface:Vlan-interface10

    Direction: outbound  ACL: 2000  Address-group: 319  NO-PAT: Y

 

  Interface:Vlan-interface10

    Direction: outbound  ACL: 3000  Address-group: 300  NO-PAT: N

 

  Interface:Vlan-interface20

    Direction: outbound  ACL: 2001  Address-group: ---  NO-PAT: N

Table 4 Command output

| Field | Description |
| --- | --- |
| NAT bound information | Configured NAT address translation information. |
| Interface | Interface associated with a NAT address pool. |
| Direction | Address translation direction. |
| ACL | ACL number. |
| Address-group | Address group number. The field is blank (---) in Easy IP mode. |
| NO-PAT | Whether the rule uses NO-PAT mode (Y or N). |

Related commands

nat outbound

display nat dns-map

Use display nat dns-map to display NAT DNS mapping configuration information.

Syntax

display nat dns-map [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display NAT DNS mapping configuration information.

<Sysname> display nat dns-map

NAT DNS mapping information:

  There are currently 2 NAT DNS mapping(s)

  Domain-name: www.server.com

  Global-IP  : 202.113.16.117

  Global-port: 80(www)

  Protocol   : 6(tcp)

 

  Domain-name: ftp.server.com

  Global-IP  : 202.113.16.100

  Global-port: 21(ftp)

  Protocol   : 6(tcp)

Table 5 Command output

| Field | Description |
| --- | --- |
| Domain-name | Domain name of the internal server. |
| Global-IP | External IP address of the internal server. |
| Global-port | Public port number of the internal server. |
| Protocol | Protocol type of the internal server. |

Related commands

nat dns-map

display nat log

Use display nat log to view the NAT logging configuration information.

Syntax

display nat log [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# View the NAT logging configuration information.

<Sysname> display nat log

NAT log information:

  log enable  :  enable acl 2000

  flow-begin  :  enable

  flow-active :  10(minutes)

Table 6 Command output

| Field | Description |
| --- | --- |
| NAT log information | NAT logging configuration information. |
| log enable : enable acl 2000 | Logging data flows matching ACL 2000. |
| flow-begin : enable | Logging newly established sessions. |
| flow-active : 10(minutes) | Interval for logging active flows (10 minutes). |

display nat server

Use display nat server to display information about internal servers.

Syntax

display nat server [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about internal servers.

<Sysname> display nat server

NAT server in private network information:

  There are currently 2 internal server(s)

  Interface: Vlan-interface10, Protocol: 6(tcp)

    Global: 100.100.120.120 : 21(ftp)

    Local : 192.168.100.100 : 21(ftp)

 

  Interface: Vlan-interface11, Protocol: 6(tcp)

    Global: 100.100.100.121 : 80(www)

    Local : 192.168.100.101 : 80(www)

Table 7 Command output

| Field | Description |
| --- | --- |
| Server in private network information | Information about internal servers. |
| Interface | Internal server interface. |
| Protocol | Protocol type. |
| Global | External IP address and port number of a server. |
| Local | Internal network information about a server. |

Related commands

nat server

display nat server-group

Use display nat server-group to display configuration information about internal server groups.

Syntax

display nat server-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

group-number: Specifies an internal server group by its number in the range of 0 to 19. If you do not specify this argument, this command displays information about all internal server groups.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display configuration information about all internal server groups.

<Sysname> display nat server-group

NAT server-group information:

  There are currently 1 NAT server-group(s)

  Server-group  Inside-IP        Port   Weight Connections

  1             2.2.2.2          21     245    3

  1             2.2.2.5          21     100    1

Table 8 Command output

| Field | Description |
| --- | --- |
| Server-group | Internal server group number. |
| Inside-IP | IP address of an internal server. |
| Port | Port number of an internal server. |
| Weight | Weight of an internal server. |
| Connections | Number of current connections of an internal server. If multiple members exist in an internal server group, this field displays the total number of member connections. |

Related commands

nat server-group

display nat session

Use display nat session to display dynamic NAT entries.

Syntax

Centralized devices:

display nat session [ source { global global-address | inside inside-address } ] [ destination dst-address ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

source global global-address: Displays NAT entries for the specified external source IP address.

source inside inside-address: Displays NAT entries for the specified internal source IP address.

destination dst-address: Displays NAT entries for the specified destination IP address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display dynamic NAT entries.

<Sysname> display nat session

There are currently 1 NAT session:

 

Pro    GlobalAddr:Port        LocalAddr:Port         DestAddr:Port

TCP    100.1.1.1:23           63.1.1.1:23            51.1.1.2:1781

       GlobalVPN: vpn3        LocalVPN: vpn1

       Status:11              TTL:00:00:10           Left:00:00:02

Table 9 Command output

| Field | Description |
| --- | --- |
| Pro | Protocol type. |
| GlobalAddr:Port | External IP address and port number after translation. |
| LocalAddr:Port | Internal IP address and port number before translation. |
| DestAddr:Port | Destination IP address and port number. |
| Status | NAT session status. |
| TTL | NAT session lifetime, in the format hh:mm:ss. |
| Left | NAT session remaining lifetime, in the format hh:mm:ss. |

 

display nat static

Use display nat static to display static NAT entries and interfaces with static NAT enabled.

Syntax

display nat static [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display static NAT entries and interfaces with static NAT enabled.

<Sysname> display nat static

NAT static information:

  There are currently 1 NAT static configuration(s)

  single static:

    Local-IP        : 4.4.4.4

    Global-IP       : 5.5.5.5

    Local-VPN       : ---

 

NAT static enabled information:

Interface                         Direction

Vlan-interface11                  out-static

Table 10 Command output

| Field | Description |
| --- | --- |
| NAT static information | Configuration information about static NAT. |
| single static | One-to-one static NAT. |
| Local-IP | Internal IP address. |
| Global-IP | External IP address. |
| Local-VPN | VPN to which the internal IP address belongs. |
| NAT static enabled information | Information about static NAT enabled on the interfaces. |
| Interface | Interface on which static NAT is configured. |
| Direction | Direction of packets to be translated. |

Related commands

·     nat static

·     nat outbound static

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

display nat statistics [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display NAT statistics.

<Sysname> display nat statistics

  total PAT session table count: 1

  total NO-PAT session table count: 0

  total SERVER session table count: 0

  total STATIC session table count: 0

Table 11 Command output

| Field | Description |
| --- | --- |
| total PAT session table count | Number of PAT session entries. |
| total NO-PAT session table count | Number of NO-PAT session entries. |
| total SERVER session table count | Number of SERVER session entries. |
| total STATIC session table count | Number of STATIC session entries. |

display userlog export

Use display userlog export to view the configuration and statistics of logs output to the log server.

Syntax

display userlog export [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command displays all types of logs output to the log server, but this document describes only its NAT log output.

Related commands

reset userlog nat export

Examples

# View the configuration and statistics of NAT logs.

<Sysname> display userlog export

nat:

   Export Version 1 logs to log server : enabled

   Address of log server             : 100.1.1.100 (port: 5000)

   Total Logs/UDP packets exported   : 0/0

   Logs in buffer                    : 0

 flow:

   No userlog export is enabled

Table 12 Command output

| Field | Description |
| --- | --- |
| nat | NAT log information to be displayed. |
| flow | Flow log information to be displayed. |
| No userlog export is enabled | NAT logs cannot be exported. Possible reasons: the NAT log function is not enabled; the NAT log function is enabled, but NAT logs are configured to be exported to the information center; the NAT log function is enabled, but the IP address and UDP port number of the log server are not configured. |
| Export Version 1 logs to log server | NAT logs of version 1 are exported to the log server. |
| Address of log server | Log server address, including the IP address and port number. |
| Total Logs/UDP packets exported | Total number of logs sent and of UDP packets carrying NAT logs. (The term "UDP packets" refers to the UDP packets carrying NAT logs. One UDP packet can carry multiple NAT log records.) |
| Logs in buffer | Total number of flow or NAT logs buffered. |

nat address-group

Use nat address-group to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool. Without the start and end IP addresses specified, the command places you into the address group view.

Use undo nat address-group to remove an address pool or address group.

Syntax

nat address-group group-number [ start-address end-address [ level level ] ]

undo nat address-group group-number [ start-address end-address [ level level ] ]

Views

System view

Default command level

2: System level

Parameters

group-number: Assigns an index to the address pool. The value range for this argument varies by device model. For more information, see About the H3C Access Controllers Command References.

start-address: Specifies the start IP address of the address pool.

end-address: Specifies the end IP address of the address pool. The end-address cannot be lower than the start-address. If they are the same, the address pool has only one IP address. The maximum number of IP addresses that an address pool can include varies by device model. For more information, see About the H3C Access Controllers Command References.

level level: Specifies the level of port numbers assigned in NAPT translation for this address pool. It is the value of either 1 or 0. 0 represents a lower level, and the value range for the assignable port numbers is 35000 to 65535. 1 represents a higher level, and the value range for the assignable port numbers is 1024 to 34999 for devices in stateful failover state, and 1024 to 65535 for devices not in stateful failover state. The default value is 1. In the asymmetric stateful failover network scenario, configure different port assignment levels for the address pools on the two stateful failover devices.

Usage guidelines

An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command. The address pools of different group members do not need to be consecutive.

·     You cannot remove an address pool or address group that has been associated with an ACL.

·     Different address pools must not overlap.

·     The address pools of group members must not overlap with each other or with other address pools.

·     An address pool or address group is not needed in the case of Easy IP where the interface's public IP address is used as the translated IP address.
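The constraints in the usage guidelines (end address not lower than start, no overlap between pools, a model-specific size limit) are cheap to check before configuration is pushed, and catching an overlap on paper is easier than untangling two pools that both claim the same public address. The Python below is an added example, not H3C code and not part of this reference. It validates a planned set of pools against those constraints and renders the nat address-group commands from the syntax above for a plan that passes. The planned pools are constructed; the maximum pool size is an assumption the caller supplies, since this reference defers that limit to the device documentation.

```python
import ipaddress


def validate_pools(pools, max_pool_size=None):
    """Check a planned set of NAT address pools against the nat address-group
    usage guidelines. pools maps group number -> (start, end) as strings.
    max_pool_size is the model-specific limit (assumption: supplied by the caller,
    since this reference leaves the value to the device documentation)."""
    problems = []
    accepted = []   # (number, start, end) of pools that passed the range checks
    for num, (start, end) in sorted(pools.items()):
        s = ipaddress.IPv4Address(start)
        e = ipaddress.IPv4Address(end)
        if e < s:
            problems.append(f"pool {num}: end address {end} is lower than start address {start}")
            continue
        size = int(e) - int(s) + 1          # start == end gives a one-address pool
        if max_pool_size is not None and size > max_pool_size:
            problems.append(f"pool {num}: {size} addresses exceed the limit of {max_pool_size}")
        for onum, os_, oe in accepted:
            if s <= oe and os_ <= e:        # closed-interval overlap test
                problems.append(f"pool {num} ({start}-{end}) overlaps pool {onum} ({os_}-{oe})")
        accepted.append((num, s, e))
    return problems


def render_commands(pools):
    """Emit the system-view commands from this reference for a validated plan."""
    return [f"nat address-group {num} {start} {end}"
            for num, (start, end) in sorted(pools.items())]


# Constructed example plan; pools 3 and 4 are deliberately wrong.
PLANNED_POOLS = {
    1: ("202.110.10.10", "202.110.10.15"),
    2: ("202.110.10.20", "202.110.10.25"),
    3: ("202.110.10.14", "202.110.10.21"),   # overlaps both pool 1 and pool 2
    4: ("202.110.10.40", "202.110.10.39"),   # end address lower than start
}


if __name__ == "__main__":
    errors = validate_pools(PLANNED_POOLS)
    if errors:
        print("\n".join(errors))
    else:
        print("\n".join(render_commands(PLANNED_POOLS)))
```

Pool numbers are processed in ascending order, so an overlap is always reported against the lower-numbered pool that was accepted first; pools that fail the start/end check are excluded from the overlap comparison so that one bad entry does not produce a cascade of messages.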

Examples

# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.

<Sysname> system-view

[Sysname] nat address-group 1 202.110.10.10 202.110.10.15

Related commands

display nat address-group

nat aging-time

Use nat aging-time to set NAT aging time.

Use undo nat aging-time to restore the default.

Syntax

nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } seconds

undo nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } [ seconds ]

Default

The default NAT aging times of various protocols are as follows:

·     10 seconds for DNS.

·     300 seconds for FTP control link.

·     300 seconds for FTP data link.

·     10 seconds for ICMP.

·     240 seconds in NO-PAT mode.

·     300 seconds for PPTP.

·     300 seconds for TCP.

·     10 seconds for TCP FIN and RST connections.

·     10 seconds for TCP SYN connections.

·     240 seconds for UDP.

Views

System view

Default command level

2: System level

Parameters

dns: Specifies the NAT aging time for DNS.

ftp-ctrl: Specifies the NAT aging time for FTP control link.

ftp-data: Specifies the NAT aging time for FTP data link.

icmp: Specifies the NAT aging time for ICMP.

no-pat: Specifies the NAT aging time in No-PAT mode.

pptp: Specifies the NAT aging time for PPTP.

tcp: Specifies the NAT aging time for TCP.

tcp-fin: Specifies the NAT aging time for TCP FIN and RST connections.

tcp-syn: Specifies the NAT aging time for TCP SYN connections.

udp: Specifies the NAT aging time for UDP.

seconds: NAT aging time, in the range of 10 to 86400 seconds.

Usage guidelines

A NAT entry is not permanent. You can use this command to configure NAT aging time for TCP, UDP, ICMP, and other protocols. If a NAT entry is not used within the configured time, it will be aged out. For example, when a user with IP address 10.110.10.10 and port number 2000 establishes an external TCP connection, NAT assigns an IP address and a port number for the user. If, within a preconfigured aging time, the TCP connection is not used, the system removes it.

In NO-PAT mode, if the private network is big and the users frequently go online and offline, you can set a smaller aging time to speed up the release of addresses.

Examples

# Set the NAT aging time for TCP to 240 seconds.

<Sysname> system-view

[Sysname] nat aging-time tcp 240

Related commands

display nat aging-time

nat alg

Use nat alg to enable NAT application layer gateway for one or more protocols.

Use undo nat alg to disable NAT application layer gateway.

Syntax

nat alg { all | dns | ftp | ils | nbt | pptp }

undo nat alg { all | dns | ftp | ils | nbt | pptp }

Default

NAT application layer gateway is enabled.

Views

System view

Default command level

2: System level

Parameters

all: Supports all special protocols.

dns: Supports DNS.

ftp: Supports FTP.

ils: Supports ILS.

nbt: Supports NBT.

pptp: Supports PPTP.

Examples

# Enable NAT application layer gateway for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

nat dns-map

Use nat dns-map to map the domain name to the public network information about an internal server.

Use undo nat dns-map to remove a DNS mapping.

Syntax

nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

undo nat dns-map domain domain-name

Views

System view

Default command level

2: System level

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a string containing no more than 255 case-insensitive characters. It consists of several labels separated by dots (.). Each label has no more than 63 characters that must begin and end with letters or digits. Dashes (-) can also be included.

protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.

ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.

port global-port: Specifies the port number used by the internal server to provide services to the external network. The value range for the global-port argument is 1 to 65535.

Usage guidelines

A device can support a maximum of 16 DNS mappings.

Examples

# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port www

Related commands

display nat dns-map

nat link-down reset-session enable

Use nat link-down reset-session enable to enable aging out NAT entries upon master link failure.

Use undo nat link-down reset-session enable to restore the default.

Syntax

nat link-down reset-session enable

undo nat link-down reset-session enable

Default

This feature is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable aging out NAT entries upon master link failure.

<Sysname> system-view

[Sysname] nat link-down reset-session enable

nat log enable

Use nat log enable to enable the NAT logging function for all data flows outbound from the internal network or outbound data flows matching a specific ACL.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl acl-number ]

undo nat log enable [ acl acl-number ]

Default

The NAT logging function is disabled.

Views

System view

Default command level

2: System level

Parameters

acl acl-number: Specifies an ACL by its number, in the range of 2000 to 3999.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable acl 2001

nat log flow-active

Use nat log flow-active to enable logging for active NAT sessions and set the logging interval.

Use undo nat log flow-active to disable this function.

Syntax

nat log flow-active minutes

undo nat log flow-active [ minutes ]

Default

This function is disabled.

Views

System view

Default command level

2: System level

Parameters

minutes: Interval for logging active NAT sessions, in the range of 10 to 120 minutes.

Usage guidelines

This function helps in tracking active flows by logging them regularly. Without this function, logs are generated only when a session is established or deleted and no logs are available for tracking a session that lasts for a long period.

 

Examples

# Enable logging for active NAT sessions and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

nat log flow-begin

Use nat log flow-begin to enable logging of NAT session establishment events.

Use undo nat log flow-begin to restore the default.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

No log is generated when a session is established.

Views

System view

Default command level

2: System level

Examples

# Enable logging of NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

nat outbound

Use nat outbound to enable outbound NAT on an interface.

Use undo nat outbound to disable outbound NAT.

Syntax

nat outbound [ acl-number ] [ address-group group-number [ no-pat ] ] [ track vrrp virtual-router-id ]

undo nat outbound [ acl-number ] [ address-group group-number [ no-pat ] ] [ track vrrp virtual-router-id ]

Views

Interface view

Default command level

2: System level

Parameters

acl-number: Specifies an ACL number in the range of 2000 to 3999. A packet matching a permit rule in the ACL is translated by NAT. If you do not specify any ACL, a packet that is not sourced from the outbound interface is translated by NAT.

address-group group-number: Specifies an address pool for NAT. The value range for the group-number argument varies by device model. For more information, see About the H3C Access Controllers Command References. If you do not specify any address pool, the IP address of the interface is used as the translated IP address. That is, Easy IP is enabled.

no-pat: Translates IP addresses only, without using TCP/UDP port numbers (many-to-many NAT). If this keyword is not specified, TCP/UDP port numbers are translated as well, so that many internal addresses can share one translated address (many-to-one NAT, also known as PAT).

track vrrp virtual-router-id: Associates address translation on a specific outbound interface with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this argument specified, no VRRP group is associated.

Usage guidelines

You can configure multiple associations or use the undo command to remove an association from an interface that serves as the egress of an internal network to the external network.

When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted. They are aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network whereas all the other users are not affected.

When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.

You can bind an ACL to only one address pool on an interface. An address pool can be bound to multiple ACLs.

In stateful failover networking, make sure you associate each address pool configured on an interface with one VRRP group only. Otherwise, the system associates the address pool with the VRRP group having the highest group ID.

For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address, and VPN instance information in two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in two ACL rules are the same, a conflict occurs.

Examples

# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses 202.110.10.10 through 202.110.10.12. Assume that interface VLAN-interface 1 is connected to the Internet.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2001] rule deny

[Sysname-acl-basic-2001] quit

# Configure address pool 1.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# Use addresses in address pool 1 as translated addresses, translating TCP/UDP port numbers as well (PAT).

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] nat outbound 2001 address-group 1

# Use addresses in address pool 1 as translated addresses without translating TCP/UDP port numbers (no-pat).

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] nat outbound 2001 address-group 1 no-pat

# Use the IP address of interface VLAN-interface 1 as translated address.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] nat outbound 2001
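The usage guidelines above state three constraints that are easy to violate when several nat outbound commands accumulate on one egress interface: no-pat is only meaningful with an address group, an ACL may be bound to only one address pool per interface, and rules of the ACLs referenced on one interface must not share source, destination (advanced ACLs) and VPN instance. The following Python script is an added illustration of those checks, not part of the H3C reference or device software. The Rule and OutboundBinding classes, the sample ACL contents, and the decision to compare basic-ACL rules on source and VPN instance only are assumptions made for the example; the device's own conflict detection is not described on the page beyond the sentences quoted above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One permit rule of an ACL, reduced to the fields that the reference
    says must not coincide between two rules referenced on one interface.
    Basic ACLs (2000-2999) match on source only, so destination is ignored."""
    source: str                          # "10.110.10.0/24", or "any"
    destination: str = "any"
    vpn_instance: Optional[str] = None


@dataclass(frozen=True)
class OutboundBinding:
    """One 'nat outbound [acl] [address-group n [no-pat]]' on an interface."""
    acl: Optional[int] = None            # None: translate everything not sourced from the interface
    address_group: Optional[int] = None  # None: Easy IP, the interface address is used
    no_pat: bool = False


def is_basic_acl(acl_number: int) -> bool:
    return 2000 <= acl_number <= 2999


def rule_key(acl_number: int, rule: Rule) -> Tuple:
    """Identity under which two rules count as conflicting (assumed model)."""
    if is_basic_acl(acl_number):
        return ("basic", rule.source, rule.vpn_instance)
    return ("advanced", rule.source, rule.destination, rule.vpn_instance)


def check_interface_bindings(bindings: List[OutboundBinding],
                             acls: Dict[int, List[Rule]]) -> List[str]:
    """Return the violations of the nat outbound constraints for one interface.
    An empty list means the bindings are consistent with the stated rules."""
    problems: List[str] = []
    pool_by_acl: Dict[int, Optional[int]] = {}   # first address group seen per ACL
    key_owner: Dict[Tuple, int] = {}             # rule identity -> ACL that introduced it

    for b in bindings:
        # In the syntax, no-pat appears only inside the address-group option.
        if b.no_pat and b.address_group is None:
            problems.append("no-pat is only valid together with address-group")
        if b.acl is None:
            continue
        if not 2000 <= b.acl <= 3999:
            problems.append(f"ACL {b.acl} is outside 2000-3999")
            continue
        if b.acl not in acls:
            problems.append(f"ACL {b.acl} is not defined")
            continue
        # An ACL can be bound to only one address pool on an interface
        # (an address pool, by contrast, may serve several ACLs).
        previous = pool_by_acl.setdefault(b.acl, b.address_group)
        if previous is not None and b.address_group is not None and previous != b.address_group:
            problems.append(f"ACL {b.acl} is bound to more than one address pool "
                            f"({previous} and {b.address_group})")
        # Rules referenced by the same interface must not conflict, i.e. share
        # source, destination (advanced ACLs only) and VPN instance.
        for rule in acls[b.acl]:
            key = rule_key(b.acl, rule)
            owner = key_owner.setdefault(key, b.acl)
            if owner != b.acl:
                problems.append(f"rule {key[1:]} in ACL {b.acl} conflicts "
                                f"with the same rule in ACL {owner}")
    return problems


if __name__ == "__main__":
    # Constructed data mirroring the page's example: ACL 2001 permits
    # 10.110.10.0/24 and is bound to address pool 1 on VLAN-interface 1.
    # ACL 2002 repeats the same source and is bound on the same interface.
    acls = {2001: [Rule("10.110.10.0/24")], 2002: [Rule("10.110.10.0/24")]}
    print(check_interface_bindings([OutboundBinding(2001, 1)], acls))
    print(check_interface_bindings([OutboundBinding(2001, 1),
                                    OutboundBinding(2002, 1)], acls))
```

Running the script against an exported configuration before committing a new nat outbound line catches the bound-to-two-pools and duplicate-rule cases that otherwise surface only as sessions silently failing to translate.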

nat outbound static

Use nat outbound static to enable static NAT on an interface, making the configured static NAT mappings take effect.

Use undo nat outbound static to disable static NAT on the interface.

Syntax

nat outbound static [ track vrrp virtual-router-id ]

undo nat outbound static [ track vrrp virtual-router-id ]

Views

Interface view

Default command level

2: System level

Parameters

track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. If you do not specify this option, no VRRP group is associated.

Examples

# Configure a one-to-one NAT mapping and enable static NAT on interface VLAN-interface 1.

<Sysname> system-view

[Sysname] nat static 192.168.1.1 2.2.2.2

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] nat outbound static

Related commands

display nat static

nat server (for normal NAT server)

Use nat server to configure a load sharing internal server.

Use undo nat server to remove the configuration.

Syntax

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port [ track vrrp virtual-router-id ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside local-address1 local-address2 local-port [ track vrrp virtual-router-id ]

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] [ track vrrp virtual-router-id ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] [ track vrrp virtual-router-id ]

Views

Interface view

Default command level

2: System level

Parameters

protocol pro-type: Specifies a protocol type. The pro-type argument supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.

global-address: Specifies the public IP address for the internal server.

current-interface: Uses the current interface address as the external IP address for the internal server.

interface: Uses the IP address of an interface as the external IP address for the internal server to enable Easy IP.

interface-type interface-number: Specifies the interface type and interface number. Only loopback interfaces are supported and must be configured. Otherwise, the configuration is considered illegal.

global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. The global-port2 argument must be greater than global-port1.

local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. The local-address2 argument must be greater than local-address1, and the number of addresses must equal the number of specified ports.

local-port: Specifies the port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20.

·     You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.

·     You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.

global-port: Specifies the global port number for the internal server, in the range of 0 to 65535.

local-address: Specifies the internal IP address of the internal server.

track vrrp virtual-router-id: Associates the internal server with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group to be associated, in the range of 1 to 255. Without this option specified, no VRRP group is associated.

Usage guidelines

External users reach the internal server at local-address and local-port by connecting to the public address and port defined by the global-address and global-port parameters.

If one of the two arguments global-port and local-port is set to any, the other must also be any or remain undefined.

Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in an internal network.

The maximum number of internal server configuration commands that can be configured on an interface depends on the device model. The number of internal servers that each range-form command defines equals the number of ports in the range global-port1 through global-port2 (in the Telnet example below, ports 1001 through 1100 define 100 internal servers). Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands.

In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external network.

The device supports using an interface address as the external IP address of an internal server, which is Easy IP. If you specify the current-interface keyword, the internal server uses the current primary IP address of the current interface. If you use interface { interface-type interface-number } to specify an interface, the interface must be an existing loopback interface, and the current primary IP address of the loopback interface is used.

H3C recommends that if an internal server using Easy IP is configured on the current interface, the IP address of this interface should not be configured as the external address of another internal server, and vice versa. This is because the interface address referenced by the internal server using Easy IP already serves as that server's external address.

In stateful failover networking, make sure you associate the public address of an internal server on an interface with one VRRP group only. Otherwise, the system associates the public address with the VRRP group having the highest group ID.

When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.

Examples

# Allow external hosts to ping the host with an IP address of 10.110.10.12 by using the ping 202.110.10.11 command.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet

# Remove the Web server.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Remove the FTP server.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] undo nat server protocol tcp global 202.110.10.11 21 inside 10.110.10.11 ftp
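The range form of nat server maps the i-th port of global-port1 through global-port2 to the i-th address of local-address1 through local-address2, which is why the Telnet example above exposes 100 servers from a single command. The following Python script is an added example, not part of the H3C reference, that enumerates that mapping and checks the constraints stated in the Parameters and Usage guidelines: global-port2 greater than global-port1, local-address2 greater than local-address1, equal counts of ports and addresses, no local-port 20, and at most 4096 internal servers on an interface. The SERVICE_PORTS table is an assumption: www and ftp are given on the page, the value 23 for the telnet token used in the page's example is assumed, and any stands for port 0 as the page describes.

```python
import ipaddress
from typing import Dict, List, Tuple

# Service names accepted in place of port numbers.  www and ftp are named on
# the page; telnet (23) is assumed for the token used in the page's example;
# "any" represents port 0.
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "any": 0}

MAX_SERVERS_PER_INTERFACE = 4096


def parse_port(token: str) -> int:
    """Convert a port token (decimal number or service name) to an integer."""
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    port = int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside 0-65535")
    return port


def validate_load_sharing_server(global_port1: str, global_port2: str,
                                 local_address1: str, local_address2: str,
                                 local_port: str) -> List[str]:
    """Return the constraint violations for the range form of nat server:

        nat server protocol tcp global G global-port1 global-port2
                   inside local-address1 local-address2 local-port

    An empty list means the command is acceptable under the stated rules."""
    problems: List[str] = []
    gp1, gp2, lp = parse_port(global_port1), parse_port(global_port2), parse_port(local_port)
    a1, a2 = ipaddress.IPv4Address(local_address1), ipaddress.IPv4Address(local_address2)
    if gp2 <= gp1:
        problems.append("global-port2 must be greater than global-port1")
    if a2 <= a1:
        problems.append("local-address2 must be greater than local-address1")
    if lp == 20:
        problems.append("local-port may not be FTP data port 20")
    n_ports = gp2 - gp1 + 1            # both ends of the range are included
    n_addrs = int(a2) - int(a1) + 1
    if n_ports != n_addrs:
        problems.append(f"{n_ports} global ports but {n_addrs} internal addresses")
    if n_ports > MAX_SERVERS_PER_INTERFACE:
        problems.append(f"one command already exceeds {MAX_SERVERS_PER_INTERFACE} "
                        "internal servers on the interface")
    return problems


def expand_load_sharing_server(global_address: str, global_port1: str, global_port2: str,
                               local_address1: str, local_address2: str,
                               local_port: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Enumerate the one-to-one (global address, global port) -> (internal
    address, local port) table the command creates: the i-th port in the
    range is served by the i-th address in the range."""
    problems = validate_load_sharing_server(global_port1, global_port2,
                                            local_address1, local_address2, local_port)
    if problems:
        raise ValueError("; ".join(problems))
    gp1 = parse_port(global_port1)
    a1 = ipaddress.IPv4Address(local_address1)
    lp = parse_port(local_port)
    n = parse_port(global_port2) - gp1 + 1
    return {(global_address, gp1 + i): (str(a1 + i), lp) for i in range(n)}


if __name__ == "__main__":
    # The page's own example: ports 1001-1100 on 202.110.10.10 front
    # Telnet on 10.110.10.1 through 10.110.10.100.
    table = expand_load_sharing_server("202.110.10.10", "1001", "1100",
                                       "10.110.10.1", "10.110.10.100", "telnet")
    for (gaddr, gport), (laddr, lport) in sorted(table.items())[:3]:
        print(f"{gaddr}:{gport} -> {laddr}:{lport}")
    print(f"... {len(table)} internal servers defined by one command")
```

Generating the table before configuring the command also gives the operator the exact list of public ports that will become reachable, which is the list a firewall rule or an external port scan should be checked against afterwards.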

Related commands

display nat server

nat server-group

Use nat server-group to configure an internal server group.

Use undo nat server-group to remove the specified internal server group.

Syntax

nat server-group group-number

undo nat server-group group-number

Views

System view

Default command level

2: System level

Parameters

group-number: Internal server group number. The value range is 0 to 19.

Usage guidelines

An internal server group referenced by the nat server command on an interface cannot be removed.

Examples

# Configure internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

nat server

nat static

Use nat static to configure a one-to-one static NAT mapping.

Use undo nat static to remove a one-to-one static NAT mapping.

Syntax

nat static [ acl-number ] local-ip global-ip

undo nat static [ acl-number ] local-ip global-ip

Views

System view

Default command level

2: System level

Parameters

acl-number: Specifies an ACL number in the range of 2000 to 3999. You can use an ACL to specify the destination addresses that internal hosts can access.

local-ip: Specifies the internal IP address.

global-ip: Specifies the external IP address.

Examples

# Configure static NAT mapping between internal IP address 192.168.1.1 and external IP address 2.2.2.2.

<Sysname> system-view

[Sysname] nat static 192.168.1.1 2.2.2.2

# Configure static NAT to allow the internal host 192.168.1.1 to access only the external network 3.3.3.0/24 by using the external IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-adv-3001] quit

[Sysname] nat static 3001 192.168.1.1 2.2.2.2

Related commands

display nat static

reset nat session

Use reset nat session to clear the address translation table and release the memory dynamically assigned for storing the table. Because the table holds the state of every active translated session, clearing it interrupts those sessions until they are re-established.

Syntax

reset nat session

Views

User view

Default command level

2: System level

Examples

# Clear the address translation table.

<Sysname> reset nat session

reset userlog nat export

Use reset userlog nat export to clear NAT log statistics.

Syntax

reset userlog nat export

Views

User view

Default command level

2: System level

Usage guidelines

Once the NAT log function is enabled, the system collects NAT log statistics periodically.

Examples

# Clear the NAT log information.

<Sysname> reset userlog nat export

Related commands

display userlog export

reset userlog nat logbuffer

Use reset userlog nat logbuffer to clear the NAT log buffer.

Syntax

reset userlog nat logbuffer

Views

User view

Default command level

2: System level

Usage guidelines

Clearing the NAT log buffer causes the loss of the NAT logs it holds. H3C recommends that you not use this command in normal situations.

Examples

# Clear the NAT log buffer.

<Sysname> reset userlog nat logbuffer

userlog nat export host

Use userlog nat export host to specify the IP address and UDP port number of the NAT log server that receives NAT logs.

Use undo userlog nat export host to restore the default.

Syntax

userlog nat export host { ipv4-address | ipv6 ipv6-address } udp-port

undo userlog nat export host { ipv4-address | ipv6 ipv6-address }

Default

No NAT log server IP address or UDP port number is configured.

Views

System view

Default command level

2: System level

Parameters

ipv4-address: IPv4 address of the NAT log server. It must be a valid unicast IPv4 address and cannot be a loopback address.

ipv6 ipv6-address: IPv6 address of the NAT log server. It must be a valid unicast IPv6 address.

udp-port: UDP port number of the NAT log server, ranging from 0 to 65535.

Usage guidelines

NAT logs can be exported in UDP packets only after a NAT log server has been specified with this command.

Use a UDP port number greater than 1024 to avoid conflicting with common UDP port numbers.

Examples

# Export NAT logs to NAT log server with IP address 169.254.1.1 and port number 2000.

<Sysname> system-view

[Sysname] userlog nat export host 169.254.1.1 2000

Related commands

userlog nat export source-ip

userlog nat export source-ip

Use userlog nat export source-ip to configure the source IP address for the UDP packets that carry NAT logs.

Use undo userlog nat export source-ip to restore the default.

Syntax

userlog nat export source-ip ip-address

undo userlog nat export source-ip

Default

The source IP address of the UDP packets that carry NAT logs is the IP address of the interface that sends the UDP packets.

Views

System view

Default command level

2: System level

Parameters

ip-address: Source IP address for the UDP packets.

Examples

# Use 169.254.1.2 as the source IP address of the UDP packets that carry NAT logs.

<Sysname> system-view

[Sysname] userlog nat export source-ip 169.254.1.2

Related commands

userlog nat export host

userlog nat export version

Use userlog nat export version to set the version number of the NAT log packets.

Use undo userlog nat export version to restore the default.

Syntax

userlog nat export version version-number

undo userlog nat export version

Default

The version number of NAT log packets is 1.

Views

System view

Default command level

2: System level

Parameters

version-number: Version number for the NAT log packets. The system supports only version 1.

Examples

# Set the version number of NAT log packets to 1.

<Sysname> system-view

[Sysname] userlog nat export version 1

userlog nat syslog

Use userlog nat syslog to configure the device to export NAT logs to the information center.

Use undo userlog nat syslog to restore the default.

Syntax

userlog nat syslog

undo userlog nat syslog

Default

NAT logs are exported to the NAT log server.

Views

System view

Default command level

2: System level

Usage guidelines

As NAT logs may consume a large volume of memory, H3C recommends that you not export large amounts of NAT logs to the information center.

Examples

# Export NAT logs to the information center.

<Sysname> system-view

[Sysname] userlog nat syslog
