R3721-F3210-F3171-HP High-End Firewalls NAT and ALG Command Reference-6PW101

CAUTION:
When the protocol type is not udp (with a protocol number of 17) or tcp (with a protocol number of 6), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.
Examples
# Allow external users to access the internal Web server 10.110.10.10 on the LAN through
http://202.110.10.10:8080, and the internal FTP server 10.110.10.11 in VPN vrf10
through ftp://202.110.10.10/. Assume that the interface GigabitEthernet 0/1 is connected to the
external network.
<Sysname> system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[Sysname-GigabitEthernet0/1] quit
[Sysname] ip vpn-instance vrf10
[Sysname-vpn-instance] route-distinguisher 100:001
[Sysname-vpn-instance] vpn-target 100:1 export-extcommunity
[Sysname-vpn-instance] vpn-target 100:1 import-extcommunity
[Sysname-vpn-instance] quit
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10
# Allow external hosts to ping the host with an IP address of 10.110.10.12 in VPN vrf10 by using the ping
202.110.10.11 command.
<Sysname> system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10
# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 in VPN
vrf10 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a
user can telnet to 202.110.10.10:1001 to access 10.110.10.1, telnet to 202.110.10.10:1002 to access
10.110.10.2, and so on.
<Sysname> system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10
# Remove the Web server.
<Sysname> system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
# Remove the FTP server from VPN vrf10.
<Sysname> system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] undo nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 ftp vpn-instance vrf10
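
The following Python sketch is an added example, not part of the HP reference: it expands the nat server lines from the examples above into the individual global-to-inside mappings they publish, which is useful when auditing what an interface exposes, and it enforces the CAUTION rule on port numbers. The function name, the equal-size check on ranges and the "same as global port" default for an omitted inside port are assumptions.

```python
import ipaddress

# Port keywords that appear in the commands on this page.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}

# The four "nat server" lines from the examples on this page (prompts stripped).
PAGE_COMMANDS = [
    "nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www",
    "nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10",
    "nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10",
    "nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 "
    "10.110.10.100 telnet vpn-instance vrf10",
]

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def expand_nat_server(cmd):
    """Expand one 'nat server' line into (proto, global, gport, inside, iport, vpn) rows."""
    t = cmd.split()
    if t[:3] != ["nat", "server", "protocol"]:
        raise ValueError("not a nat server command")
    proto, g, i = t[3], t.index("global"), t.index("inside")
    end = t.index("vpn-instance") if "vpn-instance" in t else len(t)
    vpn = t[end + 1] if end < len(t) else None
    gip, gports = t[g + 1], [_port(p) for p in t[g + 2:i]]
    # After "inside": dotted tokens are addresses, everything else is a port.
    ips = [ipaddress.IPv4Address(x) for x in t[i + 1:end] if "." in x]
    iports = [_port(x) for x in t[i + 1:end] if "." not in x]
    if proto not in ("tcp", "udp", "6", "17"):
        # CAUTION rule: other protocols get one-to-one address NAT only.
        if gports or iports:
            raise ValueError(f"port numbers not allowed for protocol {proto}")
        return [(proto, gip, None, str(ips[0]), None, vpn)]
    if not gports:
        raise ValueError("this sketch expects a global port for tcp/udp")
    lo, hi, first, last = gports[0], gports[-1], ips[0], ips[-1]
    # Assumption: a port range must cover exactly as many ports as inside hosts.
    if hi - lo != int(last) - int(first):
        raise ValueError("global port range and inside address range differ in size")
    # Assumption: an omitted inside port means "same as the global port".
    return [(proto, gip, lo + k, str(first + k), iports[0] if iports else lo + k, vpn)
            for k in range(hi - lo + 1)]
```

Run over PAGE_COMMANDS, the range line yields 100 rows, one reachable Telnet service per global port from 1001 to 1100.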