R3721-F3210-F3171-HP High-End Firewalls NAT and ALG Command Reference-6PW101

vpn-instance global-name: Specifies the VPN to which the external address belongs. The global-name
argument is a case-sensitive string of 1 to 31 characters. Without this option specified, the external
address does not belong to any VPN.
vpn-instance local-name: Specifies the L3VPN to which the internal server belongs. The local-name
argument is a case-sensitive string of 1 to 31 characters. Without this option specified, the internal server
does not belong to any VPN.
track vrrp virtual-router-id: Associates the internal server with a VRRP group. The virtual-router-id
argument indicates the number of the VRRP group to be associated. Without this option specified, no
VRRP group is associated.
The following matrix shows the argument and firewall compatibility:
Argument    F1000-A-EI/S-EI                 F1000-E    F5000    Firewall module
index       Yes. Value range: 1 to 1024.    No         No       No
Description
Use nat server to define an internal server.
Using the address and port defined by the global-address and global-port parameters, external users
can access the internal server with an IP address of local-address and a port of local-port.
Use undo nat server to remove the configuration.
If the acl-number argument is specified, the device performs NAT for the packets matching a specific
ACL rule, and no longer matches the packets against the interzone policy.
If one of the two arguments global-port and local-port is set to any, the other must also be any or
remain undefined.
Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS
servers) to provide services for external users. An internal server can reside in an internal network
or a VPN.
The number of internal servers that each command can define equals the difference between
global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The
system allows up to 1024 internal server configuration commands.
In general, this command is configured on an interface that serves as the egress of an internal
network and connects to the external network.
The firewall supports using an interface address as the external IP address of an internal server,
a feature called Easy IP. If you specify the current-interface keyword, the internal server uses the current
primary IP address of the current interface. If you use interface { interface-type interface-number } to
specify an interface, the interface must be an existing loopback interface and the current primary
IP address of the loopback interface is used.
Do not configure the IP address of an interface as the external address of another internal server
after you configure an internal server using Easy IP on this interface, and vice versa. This is because
the interface address that is referenced by the internal server using Easy IP serves as the external
address of the internal server.
In stateful failover networking, make sure that you associate the public address of an internal server
on an interface with one VRRP group only; otherwise, the system associates the public address with
the VRRP group having the highest group ID.
Related commands: display nat server.
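
The usage rules above can be checked against a planned set of internal-server mappings before they are entered on the device. The following is an added example, not code from this reference or from the vendor. Assumptions: the dictionary format, the finding names, the interface names and the addresses are all hypothetical and constructed for illustration, and a command without a port range is counted as one internal server.

```python
from collections import defaultdict

MAX_SERVERS_PER_INTERFACE = 4096  # per-interface limit stated above

def resolve_global(m, if_ips):
    """Return (external IP, uses Easy IP) for one planned mapping."""
    g = m["global"]
    if g == "current-interface":
        return if_ips[m["interface"]], True
    if g.startswith("interface:"):  # loopback referenced by name
        return if_ips[g.split(":", 1)[1]], True
    return g, False

def audit(mappings, if_ips):
    """Return sorted (command number, finding); 0 means the whole plan."""
    findings = set()
    servers = defaultdict(int)  # interface -> internal servers defined
    vrrp = defaultdict(set)     # (interface, external IP) -> VRRP group IDs
    easy, literal = {}, {}      # external IP -> first command using it
    for n, m in enumerate(mappings, 1):
        ip, is_easy = resolve_global(m, if_ips)
        (easy if is_easy else literal).setdefault(ip, n)
        gp, lp = m.get("global_port"), m.get("local_port")
        if "any" in (gp, lp) and not {gp, lp} <= {"any", None}:
            findings.add((n, "port-any-mismatch"))
        if m.get("acl") is not None:  # ACL match replaces the interzone policy check
            findings.add((n, "interzone-policy-not-applied"))
        # Page: servers per command = global-port2 - global-port1 (1 assumed without a range)
        servers[m["interface"]] += gp[1] - gp[0] if isinstance(gp, tuple) else 1
        if m.get("vrrp") is not None:
            vrrp[(m["interface"], ip)].add(m["vrrp"])
    for ip in easy.keys() & literal.keys():  # Easy IP address also used literally
        findings.add((literal[ip], "easy-ip-address-reused"))
    for iface, count in servers.items():
        if count > MAX_SERVERS_PER_INTERFACE:
            findings.add((0, f"too-many-servers:{iface}"))
    for (iface, ip), groups in vrrp.items():
        if len(groups) > 1:
            findings.add((0, f"multiple-vrrp-groups:{iface}:{ip}"))
    return sorted(findings)

# Constructed sample plan (documentation addresses), not taken from a device.
IF_IPS = {"GE0/1": "203.0.113.1", "LoopBack0": "203.0.113.9"}
PLAN = [
    {"interface": "GE0/1", "global": "current-interface", "global_port": 80, "local_port": 8080, "vrrp": 1},
    {"interface": "GE0/1", "global": "203.0.113.1", "global_port": "any", "local_port": 22},
    {"interface": "GE0/1", "global": "203.0.113.5", "global_port": (8000, 8010), "local_port": 80, "vrrp": 1, "acl": 3000},
    {"interface": "GE0/1", "global": "203.0.113.5", "global_port": 443, "local_port": 443, "vrrp": 2},
]
print(audit(PLAN, IF_IPS))
```

The interzone-policy-not-applied finding is a review prompt rather than an error: for that mapping the ACL is the only filter on inbound traffic, so its rules deserve the same scrutiny as the interzone policy they replace.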