HP High-End Firewalls
NAT and ALG Command Reference
Part number: 5998-2639
Software version: F1000-E/Firewall module: R3166; F5000-A5: R3206
Document version: 6PW101-20120706
Legal and notice information
© Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
NAT configuration commands ... 1
display nat address-group ... 1
display nat all ... 1
dis
NAT configuration commands

display nat address-group

Syntax
display nat address-group [ group-number ]
View
Any view
Default level
1: Monitor level
Parameters
group-number: NAT address group number, in the range from 0 to 255. If this argument is not provided, information about all NAT address pools is displayed.
Description
Use the display nat address-group command to display NAT address pool information.
Related commands: nat address-group.
Examples
# Display the NAT address pool information.
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display nat all command to display all NAT configuration information.
Examples
# Display all NAT configuration information.
display nat all
NAT address-group information:
There are currently 1 nat address-group(s)
1 : from 202.110.10.10 to 202.110.10.
Field: Description
NAT server in private network information: Internal server information. See the display nat server command for descriptions of the specific fields.
NAT static information: Information about static NAT. See the display nat static command for descriptions of the specific fields.
NAT static enabled information: Information about static NAT entries and the interface(s) with static NAT enabled. See the display nat static command for descriptions of the specific fields.
display nat dns-map

Syntax
display nat dns-map
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display nat dns-map command to display NAT DNS mapping configuration information.
Related commands: nat dns-map.
Examples
# Display NAT DNS mapping configuration information.
display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name: www.server.com
Global-IP : 202.113.16.
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display nat server command to display information about internal servers.
Related commands: nat server.
Examples
# Display information about internal servers.
display nat server
NAT server in private network information:
There are currently 2 internal server(s)
Interface: GigabitEthernet0/1, Protocol: 6(tcp)
Global: 100.100.120.120 : 21(ftp)
Local : 192.168.100.
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display nat static command to display static NAT entries and the interface(s) with static NAT enabled.
Related commands: nat static and nat outbound static.
Examples
# Display static NAT entries and the interface(s) with static NAT enabled.
display nat static
NAT static information:
There are currently 1 NAT static configuration(s)
single static:
Local-IP : 4.4.4.4
Global-IP : 5.5.5.
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display nat statistics command to display NAT statistics.
Examples
# Display NAT statistics.
range from 35000 to 65535; 1 represents a higher level, and the assignable port numbers range from 1024 to 34999 for devices in stateful failover state, and from 1024 to 65535 for devices not in stateful failover state. The default value for the level argument is 1. In the asymmetric stateful failover network scenario, configure different port assignment levels for the address pools on the two stateful failover devices.
Description
Use the nat address-group command to configure a NAT address pool.
Use the undo nat dns-map command to remove a DNS mapping.
The maximum number of DNS mappings is 16.
Related commands: display nat dns-map.
Examples
# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.
system-view
[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.
Note that:
• You can configure multiple associations, or use the undo command to remove an association, on an interface that serves as the egress of an internal network to the external network.
• When the undo nat outbound command is executed to remove an association, the NAT entries depending on the association are not deleted; they are aged out automatically after 5 to 10 minutes. During this period, the involved users cannot access the external network, whereas all the other users are not affected.
nat outbound static

Syntax
nat outbound static [ track vrrp virtual-router-id ]
undo nat outbound static [ track vrrp virtual-router-id ]
View
Interface view
Default level
2: System level
Parameters
track vrrp virtual-router-id: Associates static NAT with a VRRP group. The virtual-router-id argument indicates the number of the VRRP group, in the range of 1 to 255. Without this keyword and argument combination specified, no VRRP group is associated.
protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.
global-address: Public IP address for the internal server.
interface: Uses a specified interface address as the external IP address for the internal server, enabling Easy IP.
interface-type interface-number: Specifies the interface type and interface number.
• In stateful failover networking, make sure that you associate the public address of an internal server on an interface with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID.
Related commands: display nat server.
View
System view
Default level
2: System level
Parameters
acl-number: Number of an ACL, in the range of 2000 to 3999. You can use an ACL to specify the destination addresses that internal hosts can access.
local-ip: Internal IP address.
vpn-instance local-name: Specifies the VPN to which the internal IP address belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this keyword and argument combination, the internal IP address does not belong to any VPN.
ALG configuration commands

alg

Syntax
alg { all | dns | ftp | h323 | ils | msn | nbt | pptp | qq | rtsp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | h323 | ils | msn | nbt | pptp | qq | rtsp | sip | sqlnet | tftp }
View
System view
Default level
2: System level
Parameters
all: Enables ALG for all protocols.
dns: Enables ALG for DNS.
ftp: Enables ALG for FTP.
h323: Enables ALG for H.323.
ils: Enables ALG for ILS.
msn: Enables ALG for MSN.
nbt: Enables ALG for NBT.
pptp: Enables ALG for PPTP.
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
(Icon) Represents a generic network device, such as a router, switch, or firewall.
(Icon) Represents a routing-capable device, such as a router or Layer 3 switch.
(Icon) Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
(Icon) Represents a firewall chassis or a firewall module.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index

A
alg, 15

D
display nat address-group, 1
display nat all, 1
display nat bound, 3
display nat dns-map, 4
display nat server, 4
display nat static, 5
display nat statistics, 6
Documents, 16

N
nat address-group, 7
nat dns-map, 8
nat outbound, 9
nat outbound static, 11
nat server, 11
nat static, 13

S
Subscription service, 16

W
Websites, 16