HP VPN Firewall Appliances
NAT and ALG Command Reference

Part number: 5998-4176
Software version:
  F1000-A-EI/F1000-S-EI (Feature 3726)
  F1000-E (Release 3177)
  F5000 (Feature 3211)
  F5000-S/F5000-C (Release 3808)
  VPN firewall modules (Release 3177)
  20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
NAT commands

address

Use address to add a member that specifies an address pool to the address group. The address pools of group members might not be consecutive.

Use undo address to remove a group member from the address group.

Syntax
address start-address end-address
undo address start-address end-address

Views
Address group view

Default command level
2: System level

Parameters
start-address: Specifies the start IP address of the address group member.
Syntax
display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
group-number: Specifies the NAT address group number. If this argument is not provided, this command displays information about all NAT address pools.
Table 1 Command output

Field                                     Description
1 : from 202.110.10.10 to 202.110.10.15   The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15.

Related commands
nat address-group

display nat all

Use display nat all to display all NAT configuration information.

Syntax
display nat all [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression.
NAT static information:
  There are currently 1 NAT static configuration(s)
  single static:
    Local-IP  : 1.1.1.1
    Global-IP : 2.2.2.2
    Local-VPN : ---
NAT static enabled information:
  Interface             Direction
  GigabitEthernet0/4    out-static

# Display all NAT configuration information.
display nat all
NAT address-group information:
  There are currently 2 nat address-group(s)
    1 : from 202.110.10.10 to 202.110.10.15
    2 : from 202.110.10.20 to 202.110.10.
  GigabitEthernet0/2    out-static

Table 2 Command output

Field                                        Description
There are currently 1 nat address-group(s)   See the display nat address-group command for descriptions on the specified fields.
NAT bound information:                       Configuration information for internal address-to-external address translation. See the display nat bound command for descriptions on the specified fields.
NAT server in private network information    Internal server information.
    Next-hop: 100.100.100.1
    Status: Active
  Interface:GigabitEthernet0/2
    Direction: outbound
    ACL: 3000
    Address-group: 300
    NO-PAT: N
    VPN-instance: vpn2
    Out-interface: Vlan-interface200
    Next-hop: 100.100.110.1
    Status: Inactive
  Interface:GigabitEthernet0/3
    Direction: outbound
    ACL: 2001
    Address-group: ---
    NO-PAT: N
    VPN-instance: ---

Table 3 Command output

Field                    Description
NAT bound information:   Display configured NAT address translation information.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples
# Display NAT DNS mapping configuration information.
display nat dns-map
NAT DNS mapping information:
  There are currently 2 NAT DNS mapping(s)
  Domain-name: www.server.com
  Global-IP  : 202.113.16.117
  Global-port: 80(www)
  Protocol   : 6(tcp)
  Domain-name: ftp.server.com
  Global-IP  : 202.113.16.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples
# Display information about internal servers.
display nat server
NAT server in private network information:
  There are currently 2 internal server(s)
  Interface:GigabitEthernet0/1, Protocol: 6(tcp)
    Global: 100.100.120.
display nat static

Use display nat static to display static NAT entries and interfaces with static NAT enabled.

Syntax
display nat static [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Field           Description
net-to-net      Net-to-net static NAT. Support for this output information depends on the device model.
single static   One-to-one static NAT.
Local-IP        Internal IP address.
Global-IP       External IP address.
Netmask         Network mask.
Local-VPN       VPN to which the internal IP address belongs.
Global-VPN      VPN to which the external IP address belongs.

Related commands
• nat static
• nat outbound static

display nat statistics

Use display nat statistics to display NAT statistics.
Table 7 Command output

Field                              Description
total PAT session table count      Number of PAT session entries.
total NO-PAT session table count   Number of NO-PAT session entries.
total SERVER session table count   Number of SERVER session entries.
total STATIC session table count   Number of STATIC session entries.

nat address-group

Use nat address-group to configure a NAT address pool. When the start and end IP addresses are specified, this command specifies an address pool.
1024 to 34999 for devices in stateful failover state, and 1024 to 65535 for devices not in stateful failover state. The default value is 1. In the asymmetric stateful failover network scenario, configure different port assignment levels for the address pools on the two stateful failover devices.

Usage guidelines
An address pool consists of a set of consecutive IP addresses. An address group consists of multiple group members, each of which specifies an address pool with the address command.
(.). Each label has no more than 63 characters that must begin and end with letters or digits. Dashes (-) can also be included.
protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.
ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.
port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.
Hardware                        Value range
F5000                           0 to 255
F5000-S/F5000-C                 0 to 255
VPN firewall modules            0 to 2047
20-Gbps VPN firewall modules    0 to 2047

vpn-instance vpn-instance-name: Specifies the VPN to which the addresses of the address pool belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With this option, inter-VPN access through NAT is supported. Without this option, the addresses in the address pool do not belong to any VPN.
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
# Configure address pool 1.
[Sysname] nat address-group 1 202.110.10.10 202.110.10.12
# Use addresses in address pool 1 as translated addresses and TCP/UDP port information.
nat server (for normal NAT server)

Use nat server to configure a load sharing internal server.

Use undo nat server to remove the configuration.
protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify a port number for the internal server.
global-address: Specifies the public IP address for the internal server.
current-interface: Uses the current interface address as the external IP address for the internal server.
interface: Uses a specific interface address as the external IP address for the internal server, enabling Easy IP.
Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside in an internal network or a VPN. The maximum number of internal server configuration commands that can be configured on an interface depends on the device model. The number of internal servers that each command can define equals the difference between global-port2 and global-port1.
[Sysname-GigabitEthernet0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10
# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 in VPN vrf10 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.
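The port-range form of nat server described in the Telnet example above maps each global port to one internal server in address order. The following Python model is an added example and is not code from the HP manual or the firewall software; the class and function names (NatServerRange, to_inside, to_global) are this example's own. It takes the inclusive counting shown in the manual's example (1001 maps to .1, 1100 maps to .100) and adds a consistency check that rejects a port range whose size does not match the inside address range.

```python
# Added example, not from the HP manual: models the port-range form of
# "nat server ... global <ip> <port1> <port2> inside <ip1> <ip2>" where one
# public address and a run of global ports front a run of internal servers.
# The order (first global port -> first internal address) follows the
# manual's Telnet example; the names here are this example's own.
from ipaddress import IPv4Address
from typing import Optional, Tuple


class NatServerRange:
    """One nat server entry that spreads a global port range over inside hosts."""

    def __init__(self, global_ip: str, global_port1: int, global_port2: int,
                 inside_start: str, inside_end: str) -> None:
        if not (1 <= global_port1 <= global_port2 <= 65535):
            raise ValueError("global port range must be ordered and within 1..65535")
        self.global_ip = IPv4Address(global_ip)
        self.global_port1 = global_port1
        self.global_port2 = global_port2
        self.inside_start = IPv4Address(inside_start)
        self.inside_end = IPv4Address(inside_end)
        n_ports = global_port2 - global_port1 + 1
        n_hosts = int(self.inside_end) - int(self.inside_start) + 1
        # A port range that does not line up with the inside range would leave
        # some ports or hosts unmapped; this example rejects it explicitly.
        if n_ports != n_hosts:
            raise ValueError(f"{n_ports} global ports but {n_hosts} inside hosts")

    def to_inside(self, global_ip: str, global_port: int) -> Optional[str]:
        """Map the public (ip, port) an external client uses to the internal server."""
        if IPv4Address(global_ip) != self.global_ip:
            return None
        if not self.global_port1 <= global_port <= self.global_port2:
            return None
        offset = global_port - self.global_port1
        return str(self.inside_start + offset)

    def to_global(self, inside_ip: str) -> Optional[Tuple[str, int]]:
        """Reverse lookup: which public (ip, port) exposes a given internal server."""
        addr = IPv4Address(inside_ip)
        if not self.inside_start <= addr <= self.inside_end:
            return None
        offset = int(addr) - int(self.inside_start)
        return str(self.global_ip), self.global_port1 + offset


# The manual's Telnet example: 202.110.10.10 ports 1001-1100 front
# internal servers 10.110.10.1-10.110.10.100.
TELNET_RANGE = NatServerRange("202.110.10.10", 1001, 1100,
                              "10.110.10.1", "10.110.10.100")

if __name__ == "__main__":
    for port in (1001, 1002, 1100, 1101):
        print(f"202.110.10.10:{port} -> {TELNET_RANGE.to_inside('202.110.10.10', port)}")
```

The to_global direction is the one an operator uses when auditing exposure: given an internal host, it answers which public address and port reach it.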
local-port: Specifies the port number provided by the internal server, in the range of 0 to 65535, excluding FTP port number 20.
• You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, ftp to represent port number 21, and so on.
• You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.
vpn-instance local-name: Specifies the VPN to which the internal IP address belongs. The local-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the internal IP address does not belong to any VPN.
global-ip: Specifies the external IP address.
vpn-instance global-name: Specifies the VPN to which the external IP address belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external IP address does not belong to any VPN.
global-network: Specifies the external network address.
vpn-instance global-name: Specifies the VPN to which the external network belongs. The global-name argument is a case-sensitive string of 1 to 31 characters. Without this option, the external network does not belong to any VPN.
mask-length: Specifies the length of the network mask.
mask: Specifies the network mask.

Examples
# Configure a net-to-net static NAT mapping: Internal network address is 192.168.1.
NAT-PT commands

NAT-PT is not supported on VLAN interfaces and does not support VPN instances, IPv4 fragments, or ICMPv6 fragments.

display natpt address-group

Use display natpt address-group to display NAT-PT address pool configuration information.

Syntax
display natpt address-group [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression.
Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
display natpt all

Use display natpt all to display all NAT-PT configuration information.

Syntax
display natpt all [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
  Total Sessions: 0
  Expired Sessions: 0
  Hits: 0
  Misses: 0
  Total Address Mappings: 1 (static: 1 dynamic: 0 )
  Total V6Server Mappings: 2
  Enabled Interfaces: NONE

For the explanations to the information displayed above, see the descriptions of related commands.

display natpt statistics

Use display natpt statistics to display NAT-PT statistics.
  GigabitEthernet0/1

Table 10 Command output

Field                      Description
Total Sessions             Total number of sessions.
Expired Sessions           Number of expired sessions.
Hits                       Number of times that a packet matches a NAT-PT session.
Misses                     Number of times that a packet matches no NAT-PT sessions.
Total Address Mapping      Number of static and dynamic mappings.
Total V6Server Mappings    Number of V6Server mappings (address/port mappings).
Enabled Interfaces         NAT-PT enabled interfaces.
Related commands
display natpt address-group

Examples
# Configure a NAT-PT address pool.
system-view
[Sysname] natpt address-group 3 2.3.4.5 2.3.4.10

natpt enable

Use natpt enable to enable the NAT-PT feature on an interface.

Use undo natpt enable to disable the NAT-PT feature on an interface.

Syntax
natpt enable
undo natpt enable

Default
The NAT-PT feature is disabled on an interface. No NAT-PT is implemented for packets received or sent on the interface.
Default command level
2: System level

Parameters
natpt-prefix: Specifies the prefix of an IPv6 address, 96 bits in length.
interface interface-type interface-number: Specifies an interface by its type and number. If the specified interface exists and is enabled with NAT-PT, the matching packets are translated. If the specified interface does not exist or is not enabled with NAT-PT, the matching packets are discarded.
nexthop ipv4-address: This option does not take effect.
natpt turn-off traffic-class

Use natpt turn-off traffic-class to set the Traffic Class field in an IPv6 packet translated from an IPv4 packet to 0.

Use undo natpt turn-off traffic-class to restore the default.

Syntax
natpt turn-off traffic-class
undo natpt turn-off traffic-class

Default
The value of the Traffic Class field in an IPv6 packet translated from an IPv4 packet is the same as that of the ToS field in the IPv4 packet.
The natpt-prefix argument in the natpt v4bound dynamic command must be specified by the natpt prefix command in advance.

Examples
# Configure a dynamic source address mapping policy for packets from IPv4 hosts to IPv6 hosts. Use ACL 2000 to match IPv4 packets and add the NAT-PT prefix 2001:: to translate the source IPv4 address into an IPv6 address.
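The natpt prefix command above defines a 96-bit prefix, and the v4bound dynamic example "adds" that prefix to an IPv4 source address to form the IPv6 address. The following Python functions, an added example rather than code from the HP manual or the firewall, show exactly what that operation is: the IPv4 address occupies the low 32 bits under the prefix, and the prefix must be a clean /96 (no bits set below the prefix length) for the embedding to be reversible. The function names (natpt_prefix, v4_to_v6, v6_to_v4) are this example's own.

```python
# Added example, not from the HP manual: shows what the 96-bit NAT-PT prefix
# from "natpt prefix" does to an address when a v4bound policy translates an
# IPv4 source into IPv6, and how the IPv4 address is recovered from a
# prefixed IPv6 address. Function names are this example's own.
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

PREFIX_BITS = 96  # the manual states the NAT-PT prefix is 96 bits long


def natpt_prefix(prefix: str) -> IPv6Network:
    """Validate a NAT-PT prefix: a /96 whose low 32 bits are all zero.

    strict=True makes IPv6Network raise ValueError if any host bit is set,
    which would otherwise corrupt the embedded IPv4 address.
    """
    return IPv6Network(f"{prefix}/{PREFIX_BITS}", strict=True)


def v4_to_v6(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of the NAT-PT prefix."""
    net = natpt_prefix(prefix)
    return str(IPv6Address(int(net.network_address) | int(IPv4Address(ipv4))))


def v6_to_v4(prefix: str, ipv6: str) -> Optional[str]:
    """Extract the IPv4 address if ipv6 lies inside the prefix, else None."""
    net = natpt_prefix(prefix)
    addr = IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(IPv4Address(int(addr) & 0xFFFF_FFFF))


if __name__ == "__main__":
    # Prefix 2001:: from the manual's example; 2.3.4.5 is a constructed host.
    v6 = v4_to_v6("2001::", "2.3.4.5")
    print(v6, "->", v6_to_v4("2001::", v6))
```

The round trip is what a responder needs when an IPv6-side log shows a prefixed address: the last two groups are the original IPv4 address in hexadecimal.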
Syntax
natpt v4bound static v6server protocol protocol-type ipv4-address-destination ipv4-port-number ipv6-address-destination ipv6-port-number
undo natpt v4bound static v6server protocol protocol-type ipv4-address-destination ipv4-port-number ipv6-address-destination ipv6-port-number

Views
System view

Default command level
2: System level

Parameters
protocol protocol-type: Specifies the protocol type. The protocol-type argument can be:
• tcp: Specifies the TCP protocol.
Parameters
acl6 number acl6-number: Specifies the IPv6 ACL number. If the source IPv6 address of a packet sent from an IPv6 network to an IPv4 network matches this IPv6 ACL, the source IPv6 address is translated based on the command. The IPv6 ACL number ranges from 2000 to 2999.
prefix natpt-prefix: Specifies the NAT-PT prefix. If the destination IPv6 address of a packet sent from an IPv6 network to an IPv4 network is in this NAT-PT prefix, the source IPv6 address is translated based on the command.
system-view
[Sysname] natpt v6bound static 2001::1 2.3.4.5

Related commands
display natpt address-mapping

reset natpt statistics

Use reset natpt statistics to clear NAT-PT statistics.

Syntax
reset natpt statistics

Views
User view

Default command level
1: Monitor level

Parameters
None

Usage guidelines
This command cannot clear the statistics of total sessions and total address mappings.

Examples
# Clear NAT-PT statistics.
NAT444 commands

The following matrix shows the feature and hardware compatibility:

Hardware                        Compatibility
F1000-A-EI/F1000-S-EI           No
F1000-E                         No
F5000                           No
F5000-S/F5000-C                 No
VPN firewall modules            Yes
20-Gbps VPN firewall modules    Yes

display nat444 dynamic-ip-port-block

Use display nat444 dynamic-ip-port-block to display NAT444 dynamic IP-port block mappings.

Syntax
display nat444 dynamic-ip-port-block

Views
Any view

Examples
# Display NAT444 dynamic IP-port block mappings.
Related commands
nat444 outbound

display nat444 static-ip-port-block

Use display nat444 static-ip-port-block to display NAT444 static IP-port block mappings.

Syntax
display nat444 static-ip-port-block

Views
Any view

Examples
# Display NAT444 static IP-port block mappings.
display nat444 static-ip-port-block
Static NAT444 IP-port-block tables: (Used: 3, Unused:11)
Local-IP <-> Global-IP Port-block : Connections, Local-VPN
192.168.101.110 <-> 222.222.211.200 (10001 - 35000): 0, ---
192.
Related commands
nat444 static local

nat444 static

Use nat444 static local to create a static IP-port block mapping.

Use undo nat444 static local to remove the static IP-port block mapping.
Examples
# Configure a static IP port block for users from 192.168.1.1 to 192.168.1.10.
system-view
[Sysname] nat444 static local 192.168.1.1 192.168.1.10 global 202.1.1.1 202.1.1.2 port-range 10001 20000 block-size 2000

Related commands
nat444 outbound static

nat444 log session-end

Use nat444 log session-end to enable NAT444 session removal logging.

Use undo nat444 log session-end to restore the default.
nat444 log user

Use nat444 log user to enable NAT444 user logging.

Use undo nat444 log user to disable NAT444 user logging.

Syntax
nat444 log user
undo nat444 log user

Default
NAT444 user logging is disabled.

Views
System view

Examples
# Enable NAT444 user logging.
system-view
[Sysname] nat444 log user

nat mapping-behavior

Use nat mapping-behavior to configure the mapping behavior mode for NAT444.

Use undo nat mapping-behavior to restore the default.
to access the internal network by using the translated external addresses and port numbers. This mode facilitates communication among hosts that connect to different NAT444 gateways. For packets with the same source address and source port number but different destination addresses and destination port numbers, different NAT444 mappings apply so that the source address and port number are mapped to the same external IP address but different port numbers.
block-size: Specifies the port block size. If the port block size exceeds the size of the port range (port-range-end - port-range-start + 1), the system sets the port block size to the size of the port range.
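The nat444 static local example (users 192.168.1.1 to 192.168.1.10, global 202.1.1.1 to 202.1.1.2, port-range 10001 to 20000, block-size 2000) and the block-size clamp above together determine how many users a static IP-port block configuration can carry and which public address and port block each user receives. The Python model below is an added example and is not code from the HP manual or the firewall software. It assumes, as this example's own convention rather than a documented behaviour, that users are assigned blocks in address order and that one global IP is filled before the next is used; the function names (effective_block_size, build_static_blocks, find_local, parse_display_row) are also this example's own. It also parses the row format shown in the display nat444 static-ip-port-block output so that a (global IP, port) from an external abuse report can be attributed to the internal user from either source.

```python
# Added example, not from the HP manual: models the static IP-port block
# mapping that "nat444 static local ... global ... port-range ... block-size"
# sets up, including the rule that a block-size larger than the port range
# is clamped to the range. Users are assigned blocks in address order and one
# global IP is filled before the next one is used; that order is this
# example's assumption, not something the manual states. Names are this
# example's own.
import re
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

Block = Tuple[str, int, int]  # (global IP, first port, last port)


def effective_block_size(port_start: int, port_end: int, block_size: int) -> int:
    """Apply the clamp: block-size cannot exceed port-range-end - port-range-start + 1."""
    range_size = port_end - port_start + 1
    return min(block_size, range_size)


def build_static_blocks(local_start: str, local_end: str,
                        global_start: str, global_end: str,
                        port_start: int, port_end: int,
                        block_size: int) -> Dict[str, Block]:
    """Return {local IP: (global IP, first port, last port)} for every user that fits.

    Users beyond the capacity (global IPs x blocks per IP) get no entry, which
    is the condition an operator should check before relying on the mapping.
    """
    size = effective_block_size(port_start, port_end, block_size)
    blocks_per_ip = (port_end - port_start + 1) // size
    mapping: Dict[str, Block] = {}
    local, last_local = IPv4Address(local_start), IPv4Address(local_end)
    gip, last_gip = IPv4Address(global_start), IPv4Address(global_end)
    while local <= last_local and gip <= last_gip:
        for i in range(blocks_per_ip):
            if local > last_local:
                break
            first = port_start + i * size
            mapping[str(local)] = (str(gip), first, first + size - 1)
            local += 1
        gip += 1
    return mapping


def find_local(mapping: Dict[str, Block], global_ip: str, port: int) -> Optional[str]:
    """Attribute a (global IP, port) seen in an external log to the internal user."""
    for local_ip, (gip, first, last) in mapping.items():
        if gip == global_ip and first <= port <= last:
            return local_ip
    return None


# One row of "display nat444 static-ip-port-block" output, in the shape shown
# in the manual: "192.168.101.110 <-> 222.222.211.200 (10001 - 35000): 0, ---"
DISPLAY_ROW = re.compile(
    r"^(?P<local>\d+(?:\.\d+){3})\s+<->\s+(?P<glob>\d+(?:\.\d+){3})\s+"
    r"\((?P<first>\d+)\s*-\s*(?P<last>\d+)\):\s*(?P<conns>\d+),\s*(?P<vpn>\S+)$")


def parse_display_row(row: str) -> Optional[Tuple[str, Block]]:
    """Turn a display row into (local IP, Block) so find_local can run on device output."""
    m = DISPLAY_ROW.match(row.strip())
    if not m:
        return None
    return m["local"], (m["glob"], int(m["first"]), int(m["last"]))


# The manual's example: users 192.168.1.1-10, public 202.1.1.1-2,
# ports 10001-20000, block-size 2000.
EXAMPLE = build_static_blocks("192.168.1.1", "192.168.1.10", "202.1.1.1", "202.1.1.2",
                              10001, 20000, 2000)

if __name__ == "__main__":
    for user, (gip, first, last) in EXAMPLE.items():
        print(f"{user} <-> {gip} ({first} - {last})")
    print("202.1.1.2:14500 belongs to", find_local(EXAMPLE, "202.1.1.2", 14500))
```

With the manual's numbers the range holds 10000 ports, so each global IP carries five blocks of 2000 and two global IPs carry exactly the ten users; widening the user range to 192.168.1.100 without adding global addresses leaves 90 users with no block, which build_static_blocks makes visible by omitting them.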
undo nat444 outbound static

Views
Interface view

Usage guidelines
Packets sent from an interface to an external network can match the static IP-port block mappings configured globally with the nat444 static local command only after you execute the nat444 outbound static command on that interface.

Examples
# Configure a NAT444 static IP port block for users from 192.168.1.1 to 192.168.1.100, and enable static NAT444 on GigabitEthernet 0/1.
ALG commands

alg

Use alg to enable ALG for a protocol.

Use undo alg to disable ALG for a protocol.

Syntax
alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }

Default
The ALG feature is enabled only for FTP.

Views
System view

Default command level
2: System level

Parameters
all: Enables ALG for all protocols.
dns: Enables ALG for DNS.
# Disable ALG for DNS.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[]                Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.