3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

NAT Configuration Commands
pro-type: The protocol type carried by IP, given either as a protocol ID or as a
keyword that stands for it. For example: icmp (its protocol ID is 1), tcp (its
protocol ID is 6), udp (its protocol ID is 7).
Description
Use the nat server command to define the mapping table of an internal server.
Users can access the internal server, whose address and port are host-addr and
host-port respectively, through the address and port defined by global-addr and
global-port.
Use the undo nat server command to remove the mapping table.
Through this command, you can make some internal network servers available for
outside use, for example www, ftp, telnet, pop3, dns and so on. The internal
server can be located in the ordinary private network.
Up to 256 internal server conversion commands can be configured on one
interface and at most 4096 internal servers can be configured on one interface.
Up to 1024 internal server conversion commands can be configured in one
system. If the nat servers are configured in the form of a port range (i.e., a
port range is specified through global-port1 and global-port2 and corresponds
to the address range of the internal hosts), then the number of internal servers
is the same as the number of ports configured, and their maximum number is
also 4096.
TFTP is a special protocol; therefore, make sure you configure the corresponding
nat outbound command on the internal TFTP server when you configure NAT
Server for the TFTP server.
The interface on which this command is configured is connected to the ISP and
serves as the gateway of the internal network.
Example
# Specify the IP address of the interior www server of the LAN as 10.110.10.10,
and the IP address of the interior ftp server as 10.110.10.11. It is expected that
the outside can access the web server through http://202.110.10.10:8080 and
connect to the FTP site through ftp://202.110.10.10. Suppose that
GigabitEthernet0/0.1 is connected to the ISP.
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp
# Specify one interior host 10.110.10.12, expecting that hosts on the exterior
network can ping it with the ping 202.110.10.11 command.
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12
# Delete the www server.
[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
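
The following Python script is an added example, not part of the 3Com guide: it replays nat server and undo nat server lines in the prompt format of the Example above and reports which internal services remain published, including an undo whose parameters match no configured mapping. The keyword-to-port table, the rule that an omitted global port equals the inside port, and the cleartext-service policy are assumptions.

```python
import re

# Assumptions (not from the guide): keywords map to the IANA well-known ports,
# and an omitted global port defaults to the inside port.
KEYWORD_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "pop3": 110, "dns": 53}
CLEARTEXT_PORTS = {21, 23, 110}  # audit policy chosen for this example
CMD = re.compile(
    r"^\[[^\]-]+-(?P<ifname>[^\]]+)\]\s+(?P<undo>undo\s+)?nat server protocol\s+"
    r"(?P<proto>\S+)\s+global\s+(?P<gaddr>\S+)(?:\s+(?P<gport>\S+))?\s+"
    r"inside\s+(?P<haddr>\S+)(?:\s+(?P<hport>\S+))?$")

def to_port(token):
    """Resolve a port keyword or number; None when no port was given."""
    return None if token is None else KEYWORD_PORTS.get(token) or int(token)

def replay(lines):
    """Apply the lines in order; return (mappings, undo lines that matched nothing)."""
    mappings, unmatched = {}, []
    for line in lines:
        m = CMD.match(line.strip())
        if not m:
            continue
        hport = to_port(m["hport"])
        gport = to_port(m["gport"]) if m["gport"] else hport
        key = (m["ifname"], m["proto"], m["gaddr"], gport)
        if not m["undo"]:
            mappings[key] = (m["haddr"], hport)
        elif mappings.get(key) == (m["haddr"], hport):
            del mappings[key]
        else:
            unmatched.append(line.strip())  # the service stays published
    return mappings, unmatched

def audit(lines):
    """Return review findings about what is still published to the outside."""
    mappings, unmatched = replay(lines)
    findings = [f"undo matched no mapping: {u}" for u in unmatched]
    for (ifname, proto, gaddr, gport), (haddr, hport) in mappings.items():
        if proto == "tcp" and hport in CLEARTEXT_PORTS:
            findings.append(f"{ifname}: cleartext {haddr}:{hport} published at {gaddr}:{gport}")
    return findings

# Constructed sample: the page's three mappings, then a non-matching undo (8081).
P = "[SecBlade_FW-GigabitEthernet0/0.1] "
SAMPLE = [P + "nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www",
          P + "nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp",
          P + "nat server protocol icmp global 202.110.10.11 inside 10.110.10.12",
          P + "undo nat server protocol tcp global 202.110.10.10 8081 inside 10.110.10.10 www"]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```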