HP Firewalls and UTM Devices
NAT and ALG Command Reference

Part number: 5998-4176
Software version:
  F1000-A-EI: Feature 3722
  F1000-S-EI: Feature 3722
  F5000: Feature 3211
  F1000-E: Feature 3174
  Firewall module: Feature 3174
  Enhanced firewall module: ESS 3807
  U200-A: ESS 5132
  U200-S: ESS 5132
Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
NAT configuration commands  1
  address  1
  display nat address-group  1
Subscription service  45
Related information  45
  Documents
NAT configuration commands

address
Use address to add a member that specifies an address pool to the address group. The address pools of group members may not be consecutive.
Use undo address to remove a group member from the address group.
Syntax
address start-address end-address
undo address start-address end-address
Views
Address group view
Default command level
2: System level
Parameters
start-address: Start IP address of the address group member.
Syntax
display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group-number: NAT address group number. If this argument is not provided, this command displays information about all NAT address pools.
Table 1 Command output
Field: Description
1 : from 202.110.10.10 to 202.110.10.15: The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15.
Related commands
nat address-group

display nat all
Use display nat all to display all NAT configuration information.
Syntax
display nat all [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
There are currently 1 NAT static configuration(s)
  single static:
    Local-IP  : 1.1.1.1
    Global-IP : 2.2.2.2
    Local-VPN : ---
NAT static enabled information:
  Interface            Direction
  GigabitEthernet0/4   out-static

# Display all NAT configuration information.
display nat all
NAT address-group information:
  There are currently 2 nat address-group(s)
  1 : from 202.110.10.10 to 202.110.10.15
  2 : from 202.110.10.20 to 202.110.10.
Table 2 Command output
Field: Description
There are currently 1 nat address-group(s): See the display nat address-group command for descriptions of the specific fields.
NAT bound information: Configuration information about internal address-to-external address translation. See the display nat bound command for descriptions of the specific fields.
NAT server in private network information: Internal server information. See the display nat server command for descriptions of the specific fields.
  Status: Active
  Interface: GigabitEthernet0/2
    Direction: outbound
    ACL: 3000   Address-group: 300   NO-PAT: N   VPN-instance: vpn2
    Out-interface: Vlan-interface200   Next-hop: 100.100.110.1
  Status: Inactive
  Interface: GigabitEthernet0/3
    Direction: outbound
    ACL: 2001   Address-group: ---   NO-PAT: N   VPN-instance: ---

Table 3 Command output
Field: Description
NAT bound information: Displays configured NAT address translation information.
Interface: Interface associated with a NAT address pool.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display NAT DNS mapping configuration information.
display nat dns-map
NAT DNS mapping information:
  There are currently 2 NAT DNS mapping(s)
  Domain-name: www.server.com
    Global-IP  : 202.113.16.117
    Global-port: 80(www)
    Protocol   : 6(tcp)
  Domain-name: ftp.server.com
    Global-IP  : 202.113.16.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about internal servers.
display nat server
NAT server in private network information:
  There are currently 2 internal server(s)
  Interface: GigabitEthernet0/1, Protocol: 6(tcp)
    Global: 100.100.120.120 : 21(ftp)
    Local : 192.168.100.
display nat static
Use display nat static to display static NAT entries and interfaces with static NAT enabled.
Syntax
display nat static [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Field: Description
net-to-net: Net-to-net static NAT. Support for this output information depends on the device model.
single static: One-to-one static NAT.
Local-IP: Internal IP address.
Global-IP: External IP address.
Netmask: Network mask.
Local-VPN: VPN to which the internal IP address belongs.
Global-VPN: VPN to which the external IP address belongs.
Related commands
• nat static
• nat outbound static

display nat statistics
Use display nat statistics to display NAT statistics.
Table 7 Command output
Field: Description
total PAT session table count: Number of PAT session entries.
total NO-PAT session table count: Number of NO-PAT session entries.
total SERVER session table count: Number of SERVER session entries.
total STATIC session table count: Number of STATIC session entries.

nat address-group
Use nat address-group to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool.
devices in stateful failover state, and from 1024 to 65535 for devices not in stateful failover state. The default value is 1. In the asymmetric stateful failover network scenario, configure different port assignment levels for the address pools on the two stateful failover devices.
Usage guidelines
An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command.
(.). Each label has no more than 63 characters, must begin and end with a letter or digit, and can also include dashes (-).
protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.
ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.
port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.
Hardware   Argument compatibility
U200-S     Optional.
address-group group-number: Specifies an address pool for NAT. If this option is not specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is enabled.
For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination IP address, and VPN instance information in two ACL rules cannot all be the same. For basic ACLs (numbered from 2000 to 2999), a conflict occurs if the source IP address and VPN instance information in two ACL rules are the same.
Examples
# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses 202.110.10.10 through 202.110.10.12.
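The conflict rule above can be checked offline before a configuration is pushed. The following is an added example and not HP code: it models the rules an interface's NAT policies reference and reports the pairs the reference calls conflicting. The AclRule class and the conservative handling of a basic-versus-advanced pair (compared on source and VPN only) are assumptions of this example.

```python
"""Added example (not from the HP manual): detect conflicting ACL rules
referenced by one interface. Basic ACLs (2000-2999) conflict when source
and VPN instance match; other ACLs (3000-3999) conflict only when source,
destination and VPN instance all match. The page does not say how a basic
rule is compared with an advanced one, so that pair is compared on source
and VPN only (conservative assumption)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    acl_number: int
    source: str                  # e.g. "10.110.10.0/24"
    destination: str = "any"     # basic ACLs carry no destination
    vpn_instance: Optional[str] = None

    @property
    def is_basic(self) -> bool:
        return 2000 <= self.acl_number <= 2999


def rules_conflict(a: AclRule, b: AclRule) -> bool:
    """True when the two rules would be rejected as conflicting."""
    if a.vpn_instance != b.vpn_instance or a.source != b.source:
        return False
    if a.is_basic or b.is_basic:
        return True               # basic rule: source + VPN decide
    return a.destination == b.destination


def find_acl_conflicts(interface_rules):
    """interface_rules: {interface_name: [AclRule, ...]}. Returns
    (interface, acl_a, acl_b) for every conflicting pair on one interface;
    rules on different interfaces never conflict with each other."""
    found = []
    for ifname, rules in interface_rules.items():
        for i, a in enumerate(rules):
            for b in rules[i + 1:]:
                if rules_conflict(a, b):
                    found.append((ifname, a.acl_number, b.acl_number))
    return found


# Constructed sample: NAT policies on two interfaces referencing ACLs that
# match the same internal subnet used in the manual's example.
SAMPLE = {
    "GigabitEthernet0/1": [
        AclRule(2001, "10.110.10.0/24"),
        AclRule(3000, "10.110.10.0/24", "202.110.10.0/24", "vpn2"),
        AclRule(3001, "10.110.10.0/24", "202.110.10.0/24", "vpn2"),
        AclRule(2002, "10.110.10.0/24"),
    ],
    "GigabitEthernet0/2": [AclRule(2001, "10.110.10.0/24")],
}

if __name__ == "__main__":
    for ifname, acl_a, acl_b in find_acl_conflicts(SAMPLE):
        print(f"{ifname}: ACL {acl_a} conflicts with ACL {acl_b}")
```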
Parameters
track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. If this option is not specified, no VRRP group is associated.
Examples
# Configure a one-to-one NAT mapping and enable static NAT on interface GigabitEthernet 0/1.
<Sysname> system-view
[Sysname] nat static 192.168.1.1 2.2.2.
Parameters
index: Index of the internal server. The following matrix shows the index argument and hardware compatibility, and the value range for the argument on different firewalls and UTM devices:
Hardware                 Argument compatibility   Value range
F1000-A-EI/F1000-S-EI    Yes                      0 to 1024
F1000-E                  No                       N/A
F5000                    No                       N/A
Firewall module          No                       N/A
U200-A                   Yes                      0 to 1024
U200-S                   Yes                      0 to 256
acl-number: Number of an ACL, in the range of 2000 to 3999.
protocol pro-type: Specifies a protocol type.
remote-host host-address: IP address of the remote host accessing the internal server.
lease-duration lease-time: Valid time of the service provided by the internal server. The lease-time argument indicates the valid time in seconds, in the range of 0 to 4294967295. The value 0 indicates that the service never expires.
description string: Detailed information about the internal server. The string argument is a case-insensitive string of 1 to 256 characters.
[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[Sysname-GigabitEthernet0/1] quit
[Sysname] ip vpn-instance vrf10
[Sysname-vpn-instance] route-distinguisher 100:001
[Sysname-vpn-instance] vpn-target 100:1 export-extcommunity
[Sysname-vpn-instance] vpn-target 100:1 import-extcommunity
[Sysname-vpn-instance] quit
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.
undo nat server protocol pro-type global acl-number inside local-address [ local-port ] [ vpn-instance local-name ]
Views
Interface view
Default command level
2: System level
Parameters
protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.
acl-number: Number of an ACL, in the range of 2000 to 3999.
local-address: Internal IP address of the internal server.
Views
System view
Default command level
2: System level
Parameters
acl-number: Number of an ACL, in the range of 2000 to 3999. You can use an ACL to control the access traffic between internal and external hosts. Static NAT is performed only for hosts permitted by the ACL.
local-ip: Internal IP address.
vpn-instance local-name: Specifies the VPN to which the internal IP address belongs. The local-name argument is a case-sensitive string of 1 to 31 characters.
Default command level
2: System level
Parameters
acl-number: Number of an ACL, in the range of 2000 to 3999. You can use an ACL to control the access traffic between internal and external hosts. Static NAT is performed only for hosts permitted by the ACL.
local-network: Internal network address.
vpn-instance local-name: Specifies the VPN to which the internal network belongs. The local-name argument is a case-sensitive string of 1 to 31 characters.
NAT-PT configuration commands

NOTE: NAT-PT is not supported on VLAN interfaces and does not support VPN instances, IPv4 fragments, or ICMPv6 fragments.

The following matrix shows the feature and hardware compatibility:
Hardware                 NAT-PT compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   Yes
U200-S                   No

display natpt address-group
Use display natpt address-group to display NAT-PT address pool configuration information.
Table 8 Command output
Field: Description
1: Address pool number.
from 1.1.1.1: Start IP address in an address pool.
to 1.1.1.4: End IP address in an address pool.

display natpt address-mapping
Use display natpt address-mapping to display static and dynamic NAT-PT address mappings.
Syntax
display natpt address-mapping [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
Field: Description
IPv4 Address: IPv4 address.
IPv6 Address: IPv6 address.
Type: Type of the mapping:
  • SOURCE: Mapping created according to the configuration on the IPv6 side.
  • DESTINATION: Mapping created according to the configuration on the IPv4 side.
NATPT V6Server static mapping: Displays the NAT-PT mapping of an IPv6 server.
IPv4Address: IPv4 address and port number.
IPv6 Address: Corresponding IPv6 address and port number.
Pro: Protocol type.
V6Server static mapping: IPv4Address 1.1.1.
Usage guidelines
The statistics do not include information about port translation through the NAPT-PT mechanism.
Examples
# Display NAT-PT statistics.
display natpt statistics
Statistics:
  Total Sessions: 0
  Expired Sessions: 0
  Hits: 0
  Misses: 0
  Total Address Mapping: 0 (static: 0 dynamic: 0 )
  Total V6Server Mappings: 0
  Enabled Interfaces: GigabitEthernet0/1

Table 10 Command output
Field: Description
Total Sessions: Total number of sessions.
Parameters
group-number: Number of an address pool, in the range of 1 to 32.
start-ipv4-address: Start IPv4 address in a pool.
end-ipv4-address: End IPv4 address in a pool.
Usage guidelines
If start-ipv4-address is the same as end-ipv4-address, only one address is available in the address pool.
The execution of the undo natpt address-group command may affect some dynamic NAT-PT mappings.
A NAT-PT address pool and an IPv4 NAT address pool do not share any address.
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] natpt enable

natpt prefix
Use natpt prefix to configure a NAT-PT prefix.
Use undo natpt prefix to remove the configured NAT-PT prefix.
Syntax
natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]
undo natpt prefix natpt-prefix
Views
System view
Default Level
2: System level
Parameters
natpt-prefix: Prefix of an IPv6 address, 96 bits in length.
Default
The value of the ToS field in an IPv4 packet translated from an IPv6 packet is the same as that of the Traffic Class field in the IPv6 packet.
Views
System view
Default Level
2: System level
Examples
# Set the ToS field in an IPv4 packet translated from an IPv6 packet to 0.
<Sysname> system-view
[Sysname] natpt turn-off tos

natpt turn-off traffic-class
Use natpt turn-off traffic-class to set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.
Views
System view
Default Level
2: System level
Parameters
acl number acl-number: Specifies the IPv4 access control list (ACL) number, in the range of 2000 to 2999.
prefix natpt-prefix: Specifies the NAT-PT prefix, which is 96 bits in length.
Usage guidelines
For a packet from an IPv4 host to an IPv6 host, if the source IPv4 address matches the specified ACL, the NAT-PT prefix is added to translate the source IPv4 address into an IPv6 address.
Examples
# Configure a static mapping between the IPv4 address 2.3.4.9 and the IPv6 address 2001::1 on the IPv4 side.
<Sysname> system-view
[Sysname] natpt v4bound static 2.3.4.9 2001::1
Related commands
display natpt address-mapping

natpt v4bound static v6server
Use natpt v4bound static v6server to configure a static NAPT-PT mapping for an IPv6 server.
Use undo natpt v4bound static v6server to remove a static NAPT-PT mapping for an IPv6 server.
natpt v6bound dynamic Use natpt v6bound dynamic to configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts. Use undo natpt v6bound dynamic to remove the dynamic mapping.
Syntax
natpt v6bound static ipv6-address ipv4-address
undo natpt v6bound static ipv6-address ipv4-address
Views
System view
Default Level
2: System level
Parameters
ipv6-address: IPv6 address to be mapped.
ipv4-address: IPv4 address to which the IPv6 address is mapped.
Examples
# Configure the static mapping between the IPv6 address 2001::1 and the IPv4 address 2.3.4.5 on the IPv6 side.
<Sysname> system-view
[Sysname] natpt v6bound static 2001::1 2.3.4.
NAT444 configuration commands

The following matrix shows the feature and hardware compatibility:
Hardware                 NAT444 compatible
F1000-A-EI/F1000-S-EI    No
F1000-E                  No
F5000                    No
Firewall module          Yes
U200-A                   No
U200-S                   No

display nat444 dynamic-ip-port-block
Use display nat444 dynamic-ip-port-block to display NAT444 dynamic IP-port block mappings.
Syntax
display nat444 dynamic-ip-port-block
Views
Any view
Parameter
None
Examples
# Display NAT444 dynamic IP-port block mappings.
Field: Description
Local-VPN: VPN to which the internal IP address belongs. Three hyphens (---) indicate that the address does not belong to any VPN.
Related commands
nat444 outbound

display nat444 static-ip-port-block
Use display nat444 static-ip-port-block to display NAT444 static IP-port block mappings.
Syntax
display nat444 static-ip-port-block
Views
Any view
Parameter
None
Examples
# Display NAT444 static IP-port block mappings.
Field: Description
Global-IP: External IP address for the internal user.
Port-block: Port block for the internal user, including the start port and the end port.
Connections: Connections established by using the specified port block.
Local-VPN: VPN to which the internal IP address belongs. Three hyphens (---) indicate that the address does not belong to any VPN.
Related commands
nat444 static local

nat444 static
Use nat444 static local to create a static IP-port block mapping.
Users, not conflict detection, are responsible for making sure that configurations in interface view do not conflict with configurations in system view, and that configurations in different interface views do not conflict with each other. Conflict detection is performed on the configurations for an interface by using the same algorithm as the one used for configurations in system view.
Examples
# Configure a static IP port block for users from 192.168.1.1 to 192.168.1.10.
<Sysname> system-view
[Sysname] nat444 static local 192.168.1.1 192.168.1.10 global 202.1.1.
Parameter
None
Examples
# Enable NAT session establishment logging.
<Sysname> system-view
[Sysname] nat444 log session-start

nat444 log user
Use nat444 log user to enable NAT444 user logging.
Use undo nat444 log user to disable NAT444 user logging.
Syntax
nat444 log user
undo nat444 log user
Default
NAT444 user logging is disabled.
Views
System view
Parameter
None
Examples
# Enable NAT444 user logging.
Parameter
endpoint-independent: Specifies the endpoint-independent mapping behavior mode. In this mode, the peer IP address and peer port are not considered in address translation.
acl acl-number: Specifies the ACL for matching a specific NAT mapping behavior mode. The acl-number argument represents the ACL number, in the range of 2000 to 3999.
Parameter
acl-number: ACL number, in the range of 2000 to 3999.
address-group group-number: Specifies an address pool for address translation. The group-number argument is in the range of 0 to 255.
port-range-start port-range-end: Port range for external addresses. The port-range-start argument specifies the start port, and the port-range-end argument specifies the end port, which must be no lower than the start port.
block-size: Port block size.
nat444 outbound static Use nat444 outbound static to enable static NAT444 on the outbound interface to make the IP-port mappings take effect. The interface serves as the egress of an internal network to the external network. Use undo nat444 outbound static to disable static NAT444 on the interface.
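The static IP-port block mapping (nat444 static local ... global ...) and the port-range and block-size arguments above determine how many internal users one external address can carry and where two mappings collide, which the reference says the user must check by hand. The following is an added example, not HP's implementation: the device's allocation order and conflict-detection algorithm are not documented on this page, so the consecutive block layout and the PortBlock class are assumptions of this example.

```python
"""Illustrative model of NAT444 static IP-port block assignment and
conflict checking. Added example, not HP code: the consecutive layout of
blocks from port-range-start is an assumed model of how a range of local
addresses maps onto one global address."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class PortBlock:
    global_ip: str
    start_port: int
    end_port: int

    def overlaps(self, other: "PortBlock") -> bool:
        """Two blocks collide only on the same global IP with shared ports."""
        return (self.global_ip == other.global_ip
                and self.start_port <= other.end_port
                and other.start_port <= self.end_port)


def static_port_blocks(local_start, local_end, global_ip,
                       port_range_start, port_range_end, block_size):
    """Map every internal address in [local_start, local_end] to a fixed
    block of block_size ports on global_ip, laid out consecutively from
    port_range_start (assumed layout). Mirrors the arguments of
    'nat444 static local ... global ...'. Raises ValueError when the
    arguments are invalid or the users do not fit in the port range."""
    if port_range_end < port_range_start:
        raise ValueError("end port must be no lower than start port")
    if block_size <= 0:
        raise ValueError("block size must be positive")
    first, last = IPv4Address(local_start), IPv4Address(local_end)
    users = int(last) - int(first) + 1
    ports_available = port_range_end - port_range_start + 1
    if users * block_size > ports_available:
        raise ValueError(f"{users} users x {block_size} ports exceed the "
                         f"{ports_available} ports available on {global_ip}")
    mapping = {}
    for i in range(users):
        start = port_range_start + i * block_size
        mapping[str(IPv4Address(int(first) + i))] = PortBlock(
            str(IPv4Address(global_ip)), start, start + block_size - 1)
    return mapping


def find_conflicts(*mappings):
    """Return (local_a, local_b) pairs whose blocks overlap on the same
    global IP across several mappings, e.g. one configured in system view
    and one in interface view."""
    entries = [(local, blk) for m in mappings for local, blk in m.items()]
    conflicts = []
    for i, (la, ba) in enumerate(entries):
        for lb, bb in entries[i + 1:]:
            if ba.overlaps(bb):
                conflicts.append((la, lb))
    return conflicts
```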
ALG configuration commands

alg
Use alg to enable ALG for a protocol.
Use undo alg to disable ALG for a protocol.
Syntax
alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
Default
The ALG feature is enabled only for FTP.
Views
System view
Default command level
2: System level
Parameters
all: Enables ALG for all protocols.
# Disable ALG for DNS.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
(Icon) Represents a generic network device, such as a router, switch, or firewall.
(Icon) Represents a routing-capable device, such as a router or Layer 3 switch.
(Icon) Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
(Icon) Represents a firewall product or a UTM device.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index
A
address, 1
alg, 43
D
display nat address-group, 1
display nat all, 3
display nat bound, 5
display nat dns-map, 6
display nat server, 7
display nat static, 9
display nat statistics, 10
display nat444 dynamic-ip-port-b
N
nat server (for normal NAT server), 16
nat static, 20
nat static net-to-net, 21
nat444 log session-end, 38
nat444 log session-start, 38
nat444 log user, 39
nat444 outbound, 40
nat444 outbound static, 42
nat444 static, 37
natpt address-group, 27
natpt enable, 28
natpt prefix, 29