3Com Switch 8800 Advanced Software V5 Configuration Guide
packets that pass through the VLAN interface have been redirected to the L3+NAT
module, making the QoS redirection function ineffective.
Configuring NAT Log
Introduction to NAT Log
NAT log is a type of system information generated by the NAT gateway during
IP address translation. A NAT log contains such information as the packet's source IP
address, source port, destination IP address, destination port,
translated source IP address, translated source port and other user
operations. The log only traces operations of private network users accessing an
external network, not those in the opposite direction.
As multiple private users share one public IP address when accessing an external
network through a NAT gateway, it is hard to identify each of the users. The log
function, however, can enhance network security (for supervision purposes) by
keeping records of the private network users that access the external network.
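The attribution this paragraph describes, as an added Python example that is not part of the 3Com guide: given NAT log records, it finds which private host held a translated address and port at a given time. The record type, its proto/start/end fields, the function names and the sample addresses are assumptions constructed for illustration; the switch's actual export format is not described here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class NatLogRecord:
    # Address and port fields are those the guide lists for a NAT log.
    # proto, start and end are assumed fields of this constructed record type.
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_ip: str
    nat_port: int
    start: datetime
    end: Optional[datetime]  # None: flow was still active when last logged

def attribute(records, proto, nat_ip, nat_port, seen_at, skew=timedelta(seconds=2)):
    """Return the flows that held nat_ip:nat_port at time seen_at.
    The public IP alone is shared by every private user, and a translated
    port is reused over time, so both the port and the time window must match.
    skew absorbs clock drift between the gateway and the reporting system.
    """
    hits = []
    for r in records:
        if (r.proto, r.nat_ip, r.nat_port) != (proto, nat_ip, nat_port):
            continue
        if seen_at < r.start - skew:
            continue
        if r.end is not None and seen_at > r.end + skew:
            continue
        hits.append(r)
    return hits

def ts(hms):
    return datetime.strptime("2024-01-15 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sample records: two private hosts behind one public address,
# with translated port 40001 reused after the first flow ended.
SAMPLE = [
    NatLogRecord("tcp", "10.0.0.5", 51500, "198.51.100.7", 443, "203.0.113.10", 40001, ts("09:00:00"), ts("09:05:00")),
    NatLogRecord("tcp", "10.0.0.9", 49822, "198.51.100.7", 443, "203.0.113.10", 40001, ts("09:20:00"), None),
    NatLogRecord("tcp", "10.0.0.9", 49823, "192.0.2.80", 80, "203.0.113.10", 40002, ts("09:01:00"), ts("09:02:00")),
]

if __name__ == "__main__":
    for when in ("09:03:00", "09:10:00", "09:25:00"):
        print(when, [r.src_ip for r in attribute(SAMPLE, "tcp", "203.0.113.10", 40001, ts(when))])
```

The same translated port maps to different private hosts at 09:03 and 09:25, and to none at 09:10, which is why an external report needs the port and a timestamp, not only the public IP address.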
Enabling NAT Log Function
Follow these steps to enable the NAT log function:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable log function | nat log enable [ acl acl-number ] | Required. Disabled by default |
| Generate NAT log when establishing a NAT session | nat log flow-begin | Required. By default, no log is generated when establishing a NAT session. |
| Enable and set the interval for logging active flows | nat log flow-active minutes | Required. Disabled by default |

Exporting NAT Logs
NAT logs can be exported in two directions, either to the information center or to
the NAT log server.
In the former case, NAT logs are first converted into system logs and exported to
the local device's information center. Depending on the configuration of the
information system, NAT logs are again exported to their final destination. At most
10 NAT logs can be exported to the information center at one time.
In the latter case, NAT logs are encapsulated into UDP packets and sent to the log
server, as shown in Figure 298. The UDP packets may come in several versions,
each with different packet formats. Only version 1 is used presently. A UDP packet
is composed of a header and several NAT logs.