R3721-F3210-F3171-HP High-End Firewalls NAT and ALG Command Reference-6PW101
Use undo nat outbound to remove an association.
If the acl-number argument is specified, a packet matching the associated ACL will be serviced by NAT.
If the acl-number argument is not specified, a packet whose source IP address is not the IP address of the
outbound interface will be serviced by NAT.
• You can configure multiple associations or use the undo command to remove an association on an
interface that serves as the egress of an internal network to the external network.
• When the undo nat outbound command is executed to remove an association, the NAT entries
depending on the association are not deleted; they will be aged out automatically after 5 to 10
minutes. During this period, the involved users cannot access the external network whereas all the
other users are not affected.
• When an ACL rule is not operative, no new NAT session entry depending on the rule can be
created. However, existing connections are still available for communication.
• If a packet matches the specified next hop, the packet will be translated using an IP address in the
address pool; if not, the packet will not be translated.
• You can bind an ACL to only one address pool on an interface; an address pool can be bound to
multiple ACLs.
• NAPT cannot translate connections from external hosts to internal hosts.
• With reverse address translation enabled, after NAT creates an entry for an internal host to access
the Internet, NAT can use this entry to perform destination IP address translation for new
connections from the Internet to the public IP address of the internal host. If an ACL is associated
with the address pool where the public IP address of the internal host resides, the connections must
match the ACL; otherwise, they cannot be translated.
• In stateful failover networking, make sure that you associate each address pool configured on an
interface with one VRRP group only; otherwise, the system associates the address pool with the
VRRP group having the highest group ID.
• If Easy IP is configured on an interface or the public IP address is the same as the IP address of the
interface, address translation cannot be associated with any VRRP group.
The following matrix shows the argument and firewall compatibility:
Argument     F1000-A-EI/S-EI   F1000-E    F5000      Firewall module
acl-number   Optional          Required   Required   Required
NOTE:
For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP
address, destination IP address and VPN instance information in any two ACL rules cannot be the same.
For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in
any two ACL rules are the same, a conflict occurs.
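The selection logic above (ACL match when acl-number is given, "source is not the interface address" when it is not) and the basic-ACL conflict rule in the note can be checked offline before a configuration is pushed. The following Python script is an added illustration, not part of this command reference or of the firewall software; it parses rule lines in the syntax shown in the examples, assumes first-match evaluation with "no match means not translated", and accepts only contiguous wildcard masks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class BasicAclRule:
    """One rule of a basic ACL (2000-2999): action, source network (None = any) and VPN instance."""
    action: str
    source: Optional[ipaddress.IPv4Network]
    vpn_instance: Optional[str] = None

def parse_rule(line: str) -> BasicAclRule:
    """Parse e.g. 'rule permit source 10.110.10.0 0.0.0.255 vpn-instance vpn1' or 'rule deny'.
    The wildcard mask is handed to ipaddress as a hostmask, so only contiguous masks are accepted."""
    tok = line.split()
    if tok and tok[0] == "rule":
        tok = tok[1:]
    action, source, vpn = tok[0], None, None
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action: {action}")
    i = 1
    while i < len(tok):
        if tok[i] == "source":          # 'source <address> <wildcard>'
            source = ipaddress.IPv4Network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
            i += 3
        elif tok[i] == "vpn-instance":  # 'vpn-instance <name>'
            vpn = tok[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported keyword: {tok[i]}")
    return BasicAclRule(action, source, vpn)

def conflicting_pairs(rules: List[BasicAclRule]) -> List[Tuple[int, int]]:
    """Index pairs whose source and VPN instance are identical: the conflict described in the note."""
    return [(a, b) for a in range(len(rules)) for b in range(a + 1, len(rules))
            if rules[a].source == rules[b].source
            and rules[a].vpn_instance == rules[b].vpn_instance]

def nat_services(src_ip: str, rules: Optional[List[BasicAclRule]], interface_ip: str,
                 vpn: Optional[str] = None) -> bool:
    """Decide whether a packet is serviced by nat outbound.
    With an ACL: first matching rule decides, permit = translate (no match = not translated, an
    assumption of this example). Without an ACL: everything not sourced from the interface address."""
    ip = ipaddress.IPv4Address(src_ip)
    if rules is None:
        return ip != ipaddress.IPv4Address(interface_ip)
    for rule in rules:
        if (rule.source is None or ip in rule.source) and rule.vpn_instance == vpn:
            return rule.action == "permit"
    return False
```

Feed it the rule lines of a candidate ACL and the egress interface address; a non-empty result from conflicting_pairs flags a configuration that the note says some devices will not accept.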
Examples
# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses
202.110.10.10 through 202.110.10.12. Assume that interface GigabitEthernet 1/0 is connected to the
Internet.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny