R3721-F3210-F3171-HP High-End Firewalls NAT and ALG Configuration Guide-6PW101
40
Task Command
Remarks
Display NAT-PT statistics information.
display natpt statistics [ | { begin |
exclude | include }
regular-expression ]
Available in any view
Clear all NAT-PT statistics information. reset natpt statistics Available in user view
NAT-PT configuration examples
Configuring dynamic mapping on the IPv6 side
Network requirements
As shown in Figure 30, Firewall C with IPv6 address 2001::2/64 on an IPv6 network wants to access
Firewall A with IPv4 address 8.0.0.2/24 on an IPv4 network, whereas Firewall A cannot actively access
Firewall C.
To meet the preceding requirements, you need to configure Firewall B that is deployed between the IPv4
network and IPv6 network as a NAT-PT device, and configure dynamic mapping policies on the IPv6 side
on Firewall B so that IPv6 hosts can access IPv4 hosts but IPv4 hosts cannot access IPv6 hosts.
Figure 30 Network diagram
Configuring Firewall B (NAT-PT device)
# Configure interface addresses and enable NAT-PT on the interfaces.
<FirewallB> system-view
[FirewallB] ipv6
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ip address 8.0.0.1 255.255.255.0
[FirewallB-GigabitEthernet0/1] natpt enable
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet0/2] ipv6 address 2001::1/64
[FirewallB-GigabitEthernet0/2] natpt enable
[FirewallB-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[FirewallB] natpt prefix 3001::
# Configure a NAT-PT address pool.
[FirewallB] natpt address-group 1 9.0.0.10 9.0.0.19
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[FirewallB] natpt v6bound dynamic prefix 3001:: address-group 1