HP High-End Firewalls NAT and ALG Command Reference
Part number: 5998-2659
Software version: F1000-A-EI&F1000-S-EI: R3721; F5000: F3210; F1000-E: F3171; Firewall module: F3171
Document version: 6PW101-20120719
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
NAT configuration commands
  address
  display nat address-group
NAT configuration commands

address

Syntax
address start-address end-address
undo address start-address end-address

View
Address group view

Default level
2: System level

Parameters
start-address: Start IP address of the address group member.
end-address: End IP address of the address group member. The end-address must not be lower than the start-address. If they are the same, the group member has only one IP address.
Default level
1: Monitor level

Parameters
group-number: NAT address group number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field: Description
NAT bound information: Configuration information about internal address-to-external address translation. For a description of the specific fields, see the display nat bound command.
NAT server in private network information: Internal server information. For a description of the specific fields, see the display nat server command.
NAT static information: Information about static NAT. For a description of the specific fields, see the display nat static command.
Table 3 Command output
Field: Description
NAT bound information: Configured NAT address translation information
Interface: Interface associated with a NAT address pool
Direction: Address translation direction: outbound
ACL: ACL number
Address-group: Address group number. The field is displayed as null in Easy IP mode.
NO-PAT: Whether NO-PAT mode is supported
VPN-instance: VPN to which the NAT address pool belongs. The field displays three hyphens (---) if it is not configured.
Global-IP : 202.113.16.
Table 5 Command output
Field: Description
Server in private network information: Information about internal servers
Interface: Internal server interface
Protocol: Protocol type
Global: External IP address and port number of a server, and the VPN that the external address belongs to.
single static: Local-IP : 4.4.4.4 Global-IP : 5.5.5.
Description
Use display nat statistics to display NAT statistics.

Examples
# Display NAT statistics.
Use undo nat address-group to remove an address pool or address group.
An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command. The address pools of group members may not be consecutive.
You cannot remove an address pool or address group that has been associated with an ACL.
Different address pools must not overlap.
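The two constraints stated for address groups (a member's end-address must not be lower than its start-address, and different address pools must not overlap) are easy to get wrong once several groups exist, so an offline check of the configuration is worth having before it is applied. The following Python script is an added example, not part of this command reference or of HP's software: it parses text in the shape of the nat address-group / address commands described here, then reports range and overlap violations. The sample configuration and the helper names (parse_address_groups, validate_address_groups) are constructed for this illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample, in the shape of the CLI described in this reference:
# "nat address-group <n>" followed by "address <start> <end>" members.
# Group 2 has an end address lower than its start; group 3 overlaps group 1.
SAMPLE_CONFIG = """
nat address-group 1
 address 202.110.10.10 202.110.10.20
 address 202.110.10.30 202.110.10.40
nat address-group 2
 address 202.110.10.50 202.110.10.45
nat address-group 3
 address 202.110.10.15 202.110.10.35
"""

Pool = Tuple[int, int]  # (start, end) as integer IPv4 values


def fmt(value: int) -> str:
    """Render an integer IPv4 value back in dotted form for messages."""
    return str(ipaddress.IPv4Address(value))


def parse_address_groups(text: str) -> Dict[int, List[Pool]]:
    """Collect the address members of each 'nat address-group N' block."""
    groups: Dict[int, List[Pool]] = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] == ["nat", "address-group"] and len(parts) >= 3:
            current = int(parts[2])
            groups.setdefault(current, [])
        elif parts[:1] == ["address"] and len(parts) == 3 and current is not None:
            start = int(ipaddress.IPv4Address(parts[1]))
            end = int(ipaddress.IPv4Address(parts[2]))
            groups[current].append((start, end))
    return groups


def validate_address_groups(groups: Dict[int, List[Pool]]) -> List[str]:
    """Return human-readable violations; an empty list means the config is valid."""
    problems: List[str] = []
    labelled: List[Tuple[int, int, int]] = []  # (start, end, group id)
    for gid, pools in groups.items():
        for start, end in pools:
            # Rule 1: end-address must not be lower than start-address
            # (start == end is allowed and means a one-address member).
            if end < start:
                problems.append(
                    f"group {gid}: end {fmt(end)} is lower than start {fmt(start)}"
                )
            else:
                labelled.append((start, end, gid))

    # Rule 2: no two pools, in any group, may overlap. Sort by start address
    # and keep the pool reaching furthest so far; any later pool that starts
    # at or before that reach overlaps it.
    labelled.sort()
    furthest = None
    for start, end, gid in labelled:
        if furthest is not None and start <= furthest[1]:
            problems.append(
                f"group {furthest[2]} pool {fmt(furthest[0])}-{fmt(furthest[1])} "
                f"overlaps group {gid} pool {fmt(start)}-{fmt(end)}"
            )
        if furthest is None or end > furthest[1]:
            furthest = (start, end, gid)
    return problems


if __name__ == "__main__":
    for line in validate_address_groups(parse_address_groups(SAMPLE_CONFIG)):
        print(line)
```

Run against the constructed sample, the script reports the reversed range in group 2 and two overlaps between group 3's pool and each of group 1's pools; a configuration in which every member is ordered and the pools are disjoint produces no output.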
Use undo nat dns-map to remove a DNS mapping.
Related commands: display nat dns-map.

Examples
# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.
system-view
[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.
Use undo nat outbound to remove an association.
If the acl-number argument is specified, a packet matching the associated ACL will be serviced by NAT. If the acl-number argument is not specified, a packet whose source IP address is not the IP address of the outbound interface will be serviced by NAT.
• You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to the external network.
[Sysname-acl-basic-2001] quit
[Sysname] nat address-group 1 202.110.10.10 202.110.10.
nat server

Syntax
nat server [ acl-number ] [ index ] protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ]
undo nat server [ acl-number ] [ index ] protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 [ vpn-insta
vpn-instance global-name: Specifies the VPN to which the external address belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option specified, the external address does not belong to any VPN.
vpn-instance local-name: Specifies the L3VPN to which the internal server belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option specified, the internal server does not belong to any VPN.
CAUTION:
When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.

Examples
# Allow external users to access the internal Web server 10.110.10.10 on the LAN through http://202.110.10.10:8080, and the internal FTP server 10.110.10.11 in VPN vrf10 through ftp://202.110.10.10/.
nat static

Syntax
nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
undo nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]

View
System view

Default level
2: System level

Parameters
acl-number: Specifies an ACL by its number, in the range of 2000 to 3999. With this argument specified, the device can control the destination IP address that the internal hosts can visit.
local-ip: Internal IP address.
Parameters
acl-number: Specifies an ACL by its number, in the range of 2000 to 3999.
local-network: Internal network address.
vpn-instance local-name: Specifies the L3VPN to which the internal network belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal network does not belong to any VPN.
global-network: External network address.
vpn-instance global-name: Specifies the L3VPN to which the external network belongs.
NAT-PT configuration commands

display natpt address-group

Syntax
display natpt address-group [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Default level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
display natpt all

Syntax
display natpt all [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
Enabled Interfaces: GigabitEthernet0/1
For the explanations of the output, see the descriptions of the related commands.

display natpt statistics

Syntax
display natpt statistics [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field: Description
Hits: Number of times that a packet matches a NAT-PT session
Misses: Number of times that a packet matches no NAT-PT session
Total Address Mapping: Number of static and dynamic mappings
Total V6Server Mappings: Number of V6Server mappings (address/port mappings)
Enabled Interfaces: NAT-PT enabled interfaces

natpt address-group

Syntax
natpt address-group group-number start-ipv4-address end-ipv4-address
undo natpt address-group group-number

View
System view

Default level
2: System
natpt enable

Syntax
natpt enable
undo natpt enable

View
Interface view

Default level
2: System level

Parameters
None

Description
Use natpt enable to enable the NAT-PT feature on an interface.
Use undo natpt enable to disable the NAT-PT feature on an interface.
By default, the NAT-PT feature is disabled on an interface. That is, no NAT-PT is implemented for packets received or sent on the interface.
This command enables both NAT-PT and Address Family Translation (AFT).
nexthop ipv4-address: Specifies the IPv4 address of the next hop. This option does not work on the firewall.

Description
Use natpt prefix to configure a NAT-PT prefix.
Use undo natpt prefix to remove the configured NAT-PT prefix.
A NAT-PT prefix must be different from the IPv6 address prefix of the receiving interface on the NAT-PT device. Otherwise, NAT-PT translation for a received packet with the prefix will result in packet loss.
View
System view

Default level
2: System level

Parameters
None

Description
Use natpt turn-off traffic-class to set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.
Use undo natpt turn-off traffic-class to restore the default.
By default, the value of the Traffic Class field in an IPv6 packet translated from an IPv4 packet is the same as that of the ToS field in the IPv4 packet.

Examples
# Set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.
Related commands: display natpt address-mapping.

Examples
# Configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts in system view. Use ACL 2000 to match IPv4 packets and add the NAT-PT prefix 2001:: to translate the source IPv4 address into an IPv6 address.
Default level
2: System level

Parameters
protocol protocol-type: Specifies the protocol type. The protocol-type argument can be:
• tcp: Specifies the TCP protocol.
• udp: Specifies the UDP protocol.
ipv4-address-destination: IPv4 address to which an IPv6 address is mapped.
ipv4-port-number: IPv4 port number, in the range of 1 to 12287.
ipv6-address-destination: Destination IPv6 address to be mapped.
ipv6-port-number: IPv6 port number, in the range of 1 to 12287.
no-pat: Specifies no port address translation. If the no-pat keyword is not provided, port address translation will be performed.
interface interface-type interface-number: Specifies the IPv4 address of the interface as the translated source IPv6 address. interface-type interface-number specifies the interface type and number.

Description
Use natpt v6bound dynamic to configure a dynamic source address mapping policy for packets from IPv6 hosts to IPv4 hosts.
reset natpt statistics

Syntax
reset natpt statistics

View
User view

Default level
1: Monitor level

Parameters
None

Description
Use reset natpt statistics to clear all NAT-PT statistics information.
Related commands: display natpt statistics.

Examples
# Clear all NAT-PT statistics information.
ALG configuration commands

alg

Syntax
alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }

View
System view

Default level
2: System level

Parameters
all: Enables ALG for all protocols.
dns: Enables ALG for DNS.
ftp: Enables ALG for FTP.
gtp: Enables ALG for GTP.
h323: Enables ALG for H.323.
ils: Enables ALG for ILS.
msn: Enables ALG for MSN.
# Disable ALG for DNS.
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
[icon] Represents a generic network device, such as a router, switch, or firewall.
[icon] Represents a routing-capable device, such as a router or Layer 3 switch.
[icon] Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index
A: address; alg
D: display nat address-group; display nat all; display nat bound; display nat dns-map; display nat server; display nat static; display nat statistics; display natpt address-group
N: nat outbound static; nat server; nat static; nat static net-to-net; natpt address-group; natpt enable; natpt prefix; natpt turn-off tos; natpt turn-off traffic-class; natpt v4bound dynamic; natpt v4bound static; natpt v4bound static v6server