F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Configuration Guide-6PW100

Configuration procedure

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure an outbound NAT444. | nat444 outbound acl-number address-group group-number port-range port-range-start port-range-end block-size block-size | The ACL can be modified and does not have to exist. The configuration does not take effect when the ACL does not exist. The address pool must already exist and cannot be modified once it is referenced. |

A NAT444 dynamic IP-port mapping is created when a user first accesses the Internet, and is removed
when the user's last connection is removed. You cannot remove the NAT444 dynamic IP-port mapping
manually.
When you remove the NAT444 dynamic associations of an interface, if no other NAT444 association
references the address pool, all NAT444 dynamic IP-port mappings of the address pool are removed.
Configuring Full cone NAT
Full cone NAT sets the mapping behavior mode for NAT444:
Endpoint-Independent Mapping—For packets with the same source address and port number, the
same NAT444 mapping applies so that the source IP address and port number are mapped to the
same external address and port number, regardless of the destination addresses of the packets. The
NAT444 gateway also allows external hosts to access the internal network by using the translated
external addresses and port numbers. This mode facilitates communication among hosts that
connect to different NAT444 gateways.
Address and Port-Dependent Mapping—For packets with the same source address and source port
number but different destination addresses and destination port numbers, different NAT444
mappings apply so that the source address and port number are mapped to the same external IP
address but different port numbers. The NAT444 gateway allows the hosts only on the
corresponding external networks where these destination addresses reside to access the internal
network. This mode is secure but inconvenient for communication among hosts that connect to
different NAT444 gateways.
If an ACL is configured, NAT444 mapping in endpoint-independent mapping behavior mode applies to
packets permitted by the ACL only. If no ACL is configured, NAT444 mapping in that mode applies to all
packets.
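The two mapping behavior modes and the ACL rule above can be compared with a small model. This is an added example, not code from the device or from this guide; the class name, the sample addresses, and the choice to admit only the exact destination endpoint in Address and Port-Dependent mode are assumptions made for illustration.

```python
import ipaddress

class Nat444Model:
    """Toy model of the two NAT444 mapping behavior modes (not device code)."""

    def __init__(self, external_ip, port_start, endpoint_independent=False, acl=None):
        self.external_ip = external_ip
        self.next_port = port_start          # port exhaustion is not modelled
        self.eim = endpoint_independent
        # acl: permitted source networks; None means no ACL is configured
        self.acl = None if acl is None else [ipaddress.ip_network(n) for n in acl]
        self.mappings = {}                   # mapping key -> external port
        self.reverse = {}                    # external port -> (internal, pinned remote)

    def _uses_eim(self, src_ip):
        # Endpoint-independent mapping applies to all packets when no ACL is
        # configured, otherwise only to packets the ACL permits.
        if not self.eim:
            return False
        if self.acl is None:
            return True
        return any(ipaddress.ip_address(src_ip) in net for net in self.acl)

    def outbound(self, src, dst):
        """Translate an outbound packet; src and dst are (ip, port) tuples."""
        eim = self._uses_eim(src[0])
        # EIM keys on the source only; APDM keys on source and destination.
        key = (src,) if eim else (src, dst)
        if key not in self.mappings:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[key] = port
            self.reverse[port] = (src, None if eim else dst)
        return (self.external_ip, self.mappings[key])

    def inbound(self, remote, ext_port):
        """Return the internal endpoint an inbound packet reaches, or None if dropped."""
        entry = self.reverse.get(ext_port)
        if entry is None:
            return None
        internal, pinned_remote = entry
        if pinned_remote is not None and pinned_remote != remote:
            return None                      # APDM: only the mapped destination may reply
        return internal

if __name__ == "__main__":
    host, a, b = ("10.0.0.5", 5000), ("198.51.100.1", 80), ("192.0.2.7", 443)
    for label, eim in (("endpoint-independent", True), ("address and port-dependent", False)):
        nat = Nat444Model("203.0.113.10", 1024, endpoint_independent=eim)
        print(label, nat.outbound(host, a), nat.outbound(host, b), nat.inbound(b, 1024))
```

In the endpoint-independent run the mapped port accepts traffic from any external host, which is the exposure to weigh when deciding whether to restrict the mode with an ACL.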
To configure Full cone NAT:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure Full cone NAT. | nat mapping-behavior endpoint-independent [ acl acl-num ] | NAT444 mapping behavior mode is Address and Port Dependent Mapping. |