HP MSR2000/3000/4000 Router Series Layer 3 - IP Services Command Reference
address-group group-number: Specifies an address group for address translation. The value range for
the group-number argument is 0 to 65535.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the
address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
To specify addresses in the public network, do not use this option.
no-pat: Uses NO-PAT for inbound NAT. If you do not specify this keyword, PAT is used. PAT supports only
TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.
reversible: Allows reverse address translation. NAT translates the destination IP address of the packets of
a connection originating from an internal host to the NAT address based on the existing NO-PAT entry.
add-route: Adds a route to the NAT address when address translation is performed for a packet. The
output interface is the NAT interface and the next-hop is the source address before translation. If you do
not specify this keyword, you must manually add the route. HP recommends that you specify this
keyword.
Usage guidelines
If an incoming packet matches a permit rule of the specified ACL on the interface with inbound dynamic
NAT configured, the source IP address of the packet is translated into an address in the address group
specified by the group-number argument.
Inbound dynamic NAT supports the PAT and NO-PAT modes.
• PAT—Performs port translation in addition to IP address translation.
• NO-PAT—Performs only IP address translation.
Inbound dynamic NAT typically operates with outbound dynamic NAT (the nat outbound command), the
NAT Server feature (the nat server command), or outbound static NAT (the nat static command) to
implement bidirectional NAT.
An address group can be used by only one inbound or outbound NAT rule.
An ACL can be used by only one inbound dynamic NAT rule on an interface.
You can configure multiple inbound dynamic NAT rules on an interface.
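The following Python check is an added example, not part of the HP manual: it audits a saved configuration against the usage guidelines above (address group range, one rule per address group, one inbound rule per ACL on an interface, and inbound rules that lack add-route and therefore need a manual route). The rule line layout, the interface names, and the finding codes are assumptions made for the example; the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Constructed sample configuration, not taken from the manual. The rule syntax
# "nat inbound|outbound <acl> address-group <n> [keywords]" is an assumption.
SAMPLE = """\
interface GigabitEthernet1/0/1
 nat inbound 2001 address-group 1 vpn-instance vpn10 no-pat reversible add-route
 nat inbound 2001 address-group 2
 nat inbound 2002 address-group 3 no-pat add-route
interface GigabitEthernet1/0/2
 nat outbound 2003 address-group 1
 nat inbound 2001 address-group 70000 no-pat add-route
"""

RULE = re.compile(r"^\s*nat (inbound|outbound) (\d+) address-group (\d+)(.*)$")

def lint_nat(config):
    """Return sorted (code, detail) findings for the usage guidelines above."""
    findings = []
    group_rules = defaultdict(list)  # address group -> rules that reference it
    acl_rules = defaultdict(list)    # (interface, ACL) -> groups of inbound rules
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = RULE.match(line)
        if not m or iface is None:
            continue
        direction, acl, group = m.group(1), int(m.group(2)), int(m.group(3))
        keywords = m.group(4).split()
        label = f"{iface} {direction} acl {acl}"
        if not 0 <= group <= 65535:  # documented range for group-number
            findings.append(("GROUP_RANGE", f"{label}: group {group}"))
        group_rules[group].append(label)
        if direction == "inbound":
            acl_rules[(iface, acl)].append(group)
            if "add-route" not in keywords:  # route must be added manually
                findings.append(("MANUAL_ROUTE", f"{label}: group {group}"))
    for group, rules in group_rules.items():
        if len(rules) > 1:  # one address group, one inbound or outbound rule
            findings.append(("GROUP_REUSED", f"group {group}: {'; '.join(rules)}"))
    for (name, acl), groups in acl_rules.items():
        if len(groups) > 1:  # one ACL, one inbound rule per interface
            findings.append(("ACL_REUSED", f"{name} acl {acl}: groups {groups}"))
    return sorted(findings)
```

Calling lint_nat(SAMPLE) returns one finding of each kind; ACL 2001 on GigabitEthernet1/0/2 is not flagged as reused because the ACL restriction is per interface.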
Examples
# Configure ACL 2001, and create a rule to permit packets only from segment 10.110.10.0/24 in VPN
vpn10 to pass through.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit vpn-instance vpn10 source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
# Configure the VPN instance named vpn10.
[Sysname] ip vpn-instance vpn10
[Sysname-vpn-instance-vpn10] route-distinguisher 100:001
[Sysname-vpn-instance-vpn10] vpn-target 100:1 export-extcommunity
[Sysname-vpn-instance-vpn10] vpn-target 100:1 import-extcommunity
[Sysname-vpn-instance-vpn10] quit
# Create address group 1 and add members to the group.
[Sysname] nat address-group 1
[Sysname-nat-address-group-1] address 202.110.10.10 202.110.10.12