R2511-HP MSR Router Series Layer 3 - IP Services Command Reference(V5)
167
port-range port-range-start port-range-end: Specifies a port range for the NAT addresses. The
port-range-start argument specifies the start port in the range of 1 to 65535. The port-range-end
argument specifies the end port in the range of 1 to 65535. The end port number cannot be smaller than
the start port number.
track vrrp virtual-router-id: Associates address translation on a specific outbound interface with a VRRP
group. The virtual-router-id argument indicates the number of the VRRP group in the range of 1 to 255.
Without this argument specified, no VRRP group is associated.
Usage guidelines
The nat outbound acl-number address-group group-number no-pat command enables many-to-many
NAT by associating an ACL with an IP address pool to translate only the IP address.
The nat outbound address-group group-number command or the nat outbound acl-number
address-group group-number command enables NAPT by associating an ACL with an IP address pool
to translate both the IP address and port number. If the acl-number argument is specified, a packet
matching the associated ACL is translated by NAT. If the acl-number argument is not specified, a packet
whose source IP address is not the IP address of the outbound interface is translated by NAT.
You can configure multiple associations or use the undo command to remove an association on an
interface that serves as the egress of an internal network to the external network.
When an ACL rule is not in effect, no new NAT session entry that depends on that rule can be created.
Existing connections, however, continue to communicate until they time out or are torn down.
If a packet matches the specified next hop, the packet is translated using an IP address in the address
pool. If not, the packet is not translated.
You can bind an ACL to only one address pool on an interface. An address pool can be bound to
multiple ACLs.
NAPT cannot translate connections from external hosts to internal hosts.
With reverse address translation enabled, after NAT creates an entry for an internal host to access the
Internet, NAT can use this entry to perform destination IP address translation for new connections from the
Internet to the public IP address of the internal host. If an ACL is associated with the address pool where
the public IP address of the internal host resides, the connections must match the ACL. Otherwise, they
cannot be translated.
For some devices, the ACL rules referenced by the same interface cannot conflict. That is, the source IP
address, destination IP address and VPN instance information in any two ACL rules cannot be the same.
For basic ACLs (in the range of 2000 to 2999), if the source IP address and VPN instance information
in any two ACL rules are the same, a conflict occurs.
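The two rules a practitioner most often has to reason about here are the translation decision (ACL present or absent, no-pat or NAPT) and the ACL-conflict condition for rules referenced by one interface. The following is an added Python model of those rules, not HP code and not a description of Comware behaviour beyond what this page states: the names WildcardRule, parse_rule, acl_matches, nat_decision and find_conflicts are this example's own, first-match evaluation in configured order is an assumption, and the outbound interface address 202.110.10.1 is a constructed sample value.

```python
"""Model of the nat outbound translation decision and the basic-ACL
conflict rule from the usage guidelines.

Added illustration, not HP/Comware code. Names are this example's own;
first-match evaluation in configured order is assumed."""

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class WildcardRule:
    action: str                  # "permit" or "deny"
    source: int                  # network as an int, don't-care bits zeroed
    wildcard: int                # Comware wildcard mask: 1 bits are "don't care"
    vpn_instance: Optional[str]  # None = public network


def parse_rule(text: str) -> WildcardRule:
    """Parse 'rule permit source 10.110.10.0 0.0.0.255 [vpn-instance NAME]'.
    'rule deny' with no source matches any source (wildcard all ones)."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != "rule" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a basic ACL rule: {text!r}")
    source, wildcard, vpn = 0, ALL_ONES, None
    i = 2
    while i < len(tokens):
        if tokens[i] == "source":
            wildcard = int(IPv4Address(tokens[i + 2]))
            # Zero the don't-care bits so logically equal rules compare equal.
            source = int(IPv4Address(tokens[i + 1])) & (~wildcard & ALL_ONES)
            i += 3
        elif tokens[i] == "vpn-instance":
            vpn = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported keyword in rule: {tokens[i]!r}")
    return WildcardRule(tokens[1], source, wildcard, vpn)


def acl_matches(rules: List[WildcardRule], src: str, vpn: Optional[str] = None) -> bool:
    """First matching rule decides. True = eligible for translation;
    False = denied by the ACL or matched by no rule."""
    addr = int(IPv4Address(src))
    for rule in rules:
        if rule.vpn_instance != vpn:  # assumption: VPN tag must match exactly
            continue
        if (addr & (~rule.wildcard & ALL_ONES)) == rule.source:
            return rule.action == "permit"
    return False


def nat_decision(src: str, interface_ip: str, rules: Optional[List[WildcardRule]] = None,
                 no_pat: bool = False, vpn: Optional[str] = None) -> str:
    """'nat' = address-only (acl ... no-pat form), 'napt' = address and port,
    'none' = left untranslated. With an ACL only permitted packets are
    translated; without one, every packet whose source is not the outbound
    interface address is translated, as the usage guidelines state."""
    if no_pat and rules is None:
        raise ValueError("the no-pat form described here takes an ACL number")
    eligible = src != interface_ip if rules is None else acl_matches(rules, src, vpn)
    if not eligible:
        return "none"
    return "nat" if no_pat else "napt"


def find_conflicts(acls: Dict[int, List[WildcardRule]]) -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Pairs of (acl_number, rule_index) whose source and VPN-instance
    information are identical across the ACLs bound to one interface;
    the page says such rules conflict on some devices, so run this before
    binding a second ACL to the egress interface."""
    seen: Dict[Tuple[int, int, Optional[str]], Tuple[int, int]] = {}
    conflicts = []
    for acl_no, rules in acls.items():
        for idx, rule in enumerate(rules):
            key = (rule.source, rule.wildcard, rule.vpn_instance)
            if key in seen:
                conflicts.append((seen[key], (acl_no, idx)))
            else:
                seen[key] = (acl_no, idx)
    return conflicts


if __name__ == "__main__":
    # Constructed sample: the page's ACL 2001 plus a second ACL repeating its source.
    acl_2001 = [parse_rule("rule permit source 10.110.10.0 0.0.0.255"), parse_rule("rule deny")]
    acl_2003 = [parse_rule("rule permit source 10.110.10.5 0.0.0.255")]
    print(nat_decision("10.110.10.7", "202.110.10.1", acl_2001))               # napt
    print(nat_decision("10.110.10.7", "202.110.10.1", acl_2001, no_pat=True))  # nat
    print(nat_decision("10.110.20.7", "202.110.10.1", acl_2001))               # none
    print(find_conflicts({2001: acl_2001, 2003: acl_2003}))                    # [((2001, 0), (2003, 0))]
```

The conflict check normalises each rule's source by zeroing the wildcard bits, so `source 10.110.10.5 0.0.0.255` and `source 10.110.10.0 0.0.0.255` are reported as the same source, while the same network under a different vpn-instance is not.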
Examples
# Configure NAT for hosts on subnet 10.110.10.0/24. The NAT address pool contains addresses
202.110.10.10 through 202.110.10.12. Assume that interface Serial 1/0 is connected to the Internet.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
# Configure address pool 1.
[Sysname] nat address-group 1 202.110.10.10 202.110.10.12