R3166-R3206-HP High-End Firewalls NAT and ALG Configuration Guide-6PW101

translate TCP/UDP port numbers. NAPT allows for many-to-one address translation by also translating
TCP/UDP port numbers.
Typically, a NAT entry is configured on the outbound interface of the NAT device. If internal hosts need
to access external networks through multiple outbound interfaces on the NAT device, you must configure
NAT entries on each of the interfaces. To avoid this, the device supports configuring a NAT entry on the
inbound interface on the NAT device. When hosts in a VPN want to access other VPNs through multiple
outbound interfaces on a NAT device, you can configure a NAT entry on the inbound interface on the
NAT device, simplifying NAT configuration.
When a packet from an internal host to the external network arrives, NAT handles it as follows. If it is
the first packet and an address pool is associated with an outbound interface, NAT determines whether to
translate the packet based on the ACL. If the packet is to be translated, NAT chooses an address from the
associated address pool or gets the associated interface address, performs address translation, and then
saves the address mapping in the address translation table. All subsequent packets from the internal host
are serviced by NAT directly according to the mapping entry.
1. Configuration prerequisites
Configure an ACL to specify IP addresses permitted to be translated.
Decide whether to use an interface’s IP address as the translated source address.
Determine a public IP address pool for address translation.
Decide whether to translate port information.
NOTE:
For more information about ACL, see Access Control Configuration Guide.
2. Configuring NAT address pools
The NAT device selects an IP address from a specified NAT address pool as the source address of a
packet.
Follow these steps to configure an address pool:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure an address pool | nat address-group group-number start-address end-address [ level level ] | Required. Not necessary when the device provides only Easy IP, where an interface’s public IP address is used as the translated IP address. |
NOTE:
Address pools must not overlap.
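The non-overlap rule can be checked offline before a configuration is applied. The following is an added example, not part of the HP guide: it parses nat address-group lines in the syntax shown above and reports groups whose ranges share an address. The sample configuration is constructed, and comparing pools across all level values is an assumption, since the guide does not say whether level affects the rule.

```python
import ipaddress
import re

# Constructed sample configuration (documentation addresses, not from the guide).
# Groups 1 and 3 share 203.0.113.20.
SAMPLE_CONFIG = """\
system-view
nat address-group 1 203.0.113.10 203.0.113.20
nat address-group 2 203.0.113.30 203.0.113.40 level 1
nat address-group 3 203.0.113.20 203.0.113.25
"""

# Matches: nat address-group group-number start-address end-address [ level level ]
POOL_RE = re.compile(
    r"^\s*nat\s+address-group\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+level\s+(\d+))?\s*$"
)


def parse_pools(config_text):
    """Return a list of (group_number, start, end) from nat address-group lines."""
    pools = []
    for line in config_text.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue  # not an address-group command
        group = int(m.group(1))
        start = ipaddress.IPv4Address(m.group(2))  # raises ValueError if malformed
        end = ipaddress.IPv4Address(m.group(3))
        if end < start:
            raise ValueError(f"group {group}: end address {end} is below start {start}")
        pools.append((group, start, end))
    return pools


def find_overlaps(pools):
    """Return sorted pairs of group numbers whose inclusive ranges share an address."""
    overlaps = []
    ordered = sorted(pools, key=lambda p: p[1])
    for i, (g1, _s1, e1) in enumerate(ordered):
        for g2, s2, _e2 in ordered[i + 1:]:
            if s2 > e1:
                break  # sorted by start, so no later pool can overlap this one
            overlaps.append(tuple(sorted((g1, g2))))
    return sorted(overlaps)


if __name__ == "__main__":
    for a, b in find_overlaps(parse_pools(SAMPLE_CONFIG)):
        print(f"address groups {a} and {b} overlap")
```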
3. Configuring Easy IP
Easy IP allows the device to use the IP address of one of its interfaces as the source address of NATed
packets.
Follow these steps to configure Easy IP:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |