Manualshelf

R3166-R3206-HP High-End Firewalls NAT and ALG Command Reference-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
11121314151617181920
10
Note that:
You can configure multiple associations or use the undo command to remove an association on an
interface that serves as the egress of an internal network to the external network.
When the undo nat outbound command is executed to remove an association, the NAT entries
depending on the association are not deleted; they will be aged out automatically after 5 to 10
minutes. During this period, the involved users cannot access the external network whereas all the
other users are not affected.
When an ACL rule is not operative, no new NAT session entry depending on the rule can be
created. However, existing connections are still available for communication.
If a packet matches the specified next hop, the packet will be translated using an IP address in the
address pool; if not, the packet will not be translated.
You can bind an ACL to only one address pool on an interface; an address pool can be bound to
multiple ACLs.
NAPT cannot translate connections from external hosts to internal hosts.
In stateful failover networking, make sure that you associate each address pool configured on an
interface with one VRRP group only; otherwise, the system associates the address pool with the
VRRP group having the highest group ID.
NOTE:
The ACL rules referenced by the same interface cannot conflict. That is, the source IP address, destination
IP address in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the
source IP address in any two ACL rules are the same, a conflict occurs.
Examples
# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses
202.110.10.10 through 202.110.10.12. Assume that interface GigabitEthernet0/1 is connected to the
Internet.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
[Sysname] nat address-group 1 202.110.10.10 202.110.10.12
# To also translate TCP/UDP port information, do the following:
[Sysname] interface GigabitEthernet0/1
[Sysname-GigabitEthernet0/1] nat outbound 2001 address-group 1
# To ignore the TCP/UDP port information in translation, do the following:
<Sysname> system-view
[Sysname] interface GigabitEthernet0/1
[Sysname- GigabitEthernet0/1] nat outbound 2001 address-group 1 no-pat
# To use the IP address of the GigabitEthernet0/1 interface for translation, do the following:
<Sysname> system-view
[Sysname] interface GigabitEthernet0/1
[Sysname- GigabitEthernet0/1] nat outbound 2001