F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Command Reference-6PW100

Hardware                  Argument compatibility
U200-S                    Optional.
address-group group-number: Specifies an address pool for NAT. Without this option, the IP address of the
interface is used as the translated IP address. That is, Easy IP is enabled.
The following matrix shows the value range for the group-number argument on different firewalls and
UTM devices:
Hardware                  Value range
F1000-A-EI/F1000-S-EI     0 to 255
F1000-E                   0 to 255
F5000                     0 to 255
Firewall module           0 to 255
U200-A                    0 to 255
U200-S                    0 to 31
vpn-instance vpn-instance-name: Specifies the VPN to which the addresses of the address pool belong.
The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With this option,
inter-VPN access through NAT is supported. Without this option, the addresses in the address pool do
not belong to any VPN.
no-pat: Specifies not to use the TCP/UDP port number for many-to-many NAT. If this keyword is not
specified, the TCP/UDP port number is used for many-to-one NAT.
track vrrp virtual-router-id: Associates address translation on a specific outbound interface with a VRRP
group. The virtual-router-id argument indicates the number of the VRRP group in the range of 1 to 255.
Without this argument specified, no VRRP group is associated.
Usage guidelines
You can configure multiple associations or use the undo command to remove an association from an
interface that serves as the egress of an internal network to the external network.
When the undo nat outbound command is executed to remove an association, the NAT entries
depending on the association are not deleted. They are aged out automatically after 5 to 10 minutes.
During this period, the involved users cannot access the external network whereas all the other users are
not affected.
When an ACL rule is not operative, no new NAT session entry depending on the rule can be created.
However, existing connections are still available for communication.
If a packet matches the specified next hop, the packet is translated using an IP address in the address
pool. If not, the packet is not translated.
You can bind an ACL to only one address pool on an interface. An address pool can be bound to
multiple ACLs.
NAPT cannot translate connections from external hosts to internal hosts.
In stateful failover networking, make sure you associate each address pool configured on an interface
with one VRRP group only. Otherwise, the system associates the address pool with the VRRP group
having the highest group ID.
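The following added example (not from the command reference or the vendor's code) models the translation behaviour described above for one nat outbound association: packets that match no ACL rule pass untranslated, omitting address-group means Easy IP (the interface address is used), no-pat gives one pool address per internal host with the source port kept, otherwise NAPT shares a pool address by port, and an external-initiated packet is only reversed through an existing entry. The class name, the ACL representation and the port allocation are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NatOutbound:
    """One 'nat outbound' association on an egress interface (constructed model, not vendor code)."""
    interface_ip: str
    acl_permit: list                                     # permitted internal sources, CIDR strings
    address_group: list = field(default_factory=list)    # empty = no address-group, i.e. Easy IP
    no_pat: bool = False                                 # True = many-to-many without port translation
    sessions: dict = field(default_factory=dict)         # (src_ip, src_port) -> (nat_ip, nat_port)
    next_port: int = 1024                                # next NAPT port to hand out (model only)

    def _pool(self):
        # Without address-group the interface address is the only translated address (Easy IP).
        return self.address_group or [self.interface_ip]

    def translate(self, src_ip, src_port):
        """Outbound packet: return (nat_ip, nat_port), or None when the packet is not translated."""
        if not any(ip_address(src_ip) in ip_network(n) for n in self.acl_permit):
            return None                                  # no matching ACL rule: leave untranslated
        key = (src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]                    # existing NAT entry is reused
        if self.no_pat:
            # no-pat: one pool address per internal host, source port preserved.
            host_to_nat = {s: t for (s, _), (t, _) in self.sessions.items()}
            nat_ip = host_to_nat.get(src_ip)
            if nat_ip is None:
                free = [ip for ip in self._pool() if ip not in host_to_nat.values()]
                if not free:
                    return None                          # pool exhausted: no new entry possible
                nat_ip = free[0]
            mapping = (nat_ip, src_port)
        else:
            # NAPT: many internal hosts share one pool address, distinguished by port.
            mapping = (self._pool()[0], self.next_port)
            self.next_port += 1
        self.sessions[key] = mapping
        return mapping

    def inbound(self, dst_ip, dst_port):
        """External-initiated packet: only an existing entry is reversed; NAPT creates none."""
        for (src_ip, src_port), mapping in self.sessions.items():
            if mapping == (dst_ip, dst_port):
                return (src_ip, src_port)
        return None
```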