HP VPN Firewall Appliances NAT and ALG Command Reference
block-size: Port block size. If the port block size exceeds the size of the port range (port-range-end – port-range-start + 1), the system sets the port block size to the size of the port range.
Usage guidelines
After the first packet of the first connection from an internal user to Internet matches the ACL specified by
the nat444 outbound acl-number command, NAT444 obtains a public address with spare port blocks
from the address pool referenced by the command, and then assigns one port block to the internal user.
For all connections from the internal user to Internet, IP-port blocks dynamically assigned by NAT444 are
used for NAT.
An address pool referenced by a dynamic NAT444 association cannot be referenced by other dynamic
NAT444 associations, and vice versa.
You cannot apply the same ACL to both dynamic NAT444 and dynamic NAT on an interface.
You can apply an ACL to only one NAT444 association on an interface. When several ACL-based configurations apply, the ACL number decides their priority: the higher the ACL number, the higher the priority.
When a NAT address pool is referenced by different dynamic NAT444 associations, the port range must be consistent with the port block configurations. If it is not, the system automatically adjusts it for consistency.
The IP-port block mapping tables created by dynamic NAT444 on an interface take effect only on that interface.
Examples
# Create an ACL rule to permit hosts in the network segment 10.110.10.0/24 to be translated.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit
# Create address group 1, add a group member that contains IP addresses 202.110.10.10 through 202.110.10.12 to it, configure the port block range as 1 to 65535, and set the block size for each internal address to 1024. Assume that GigabitEthernet 0/1 connects to the external network.
[Sysname] nat address-group 1
[Sysname-nat-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-nat-address-group-1] quit
[Sysname] interface gigabitethernet0/1
[Sysname-GigabitEthernet0/1] nat444 outbound 2001 address-group 1 port-range 1 65535 block-size 1024
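The following model of the dynamic port-block assignment described in the usage guidelines is added here as an illustration and is not HP code. It applies the block-size clamping rule, carves port blocks out of the example address group (202.110.10.10 through 202.110.10.12, ports 1 to 65535, block size 1024), hands one block to each internal user on its first connection, and traces a logged public IP and port back to the internal user; the in-order block allocation and the one-block-per-user limit are assumptions, since the page does not state how a block is chosen.

```python
# Model of NAT444 port-block assignment (added illustration, not HP code).
# Assumes blocks are carved from the port range in order, one block per user.
import ipaddress
from dataclasses import dataclass, field

def ip_range(first, last):
    """Expand an address-group member (first..last IPv4) into a list."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]

@dataclass
class Nat444Pool:
    first_ip: str
    last_ip: str
    port_start: int
    port_end: int
    block_size: int
    assignments: dict = field(default_factory=dict)  # internal IP -> block
    free: list = field(default_factory=list)         # spare (ip, lo, hi) blocks

    def __post_init__(self):
        range_len = self.port_end - self.port_start + 1
        # Documented rule: a block size larger than the port range is clamped
        # to port-range-end - port-range-start + 1.
        if self.block_size > range_len:
            self.block_size = range_len
        for ip in ip_range(self.first_ip, self.last_ip):
            for i in range(range_len // self.block_size):  # whole blocks only
                lo = self.port_start + i * self.block_size
                self.free.append((ip, lo, lo + self.block_size - 1))

    def capacity(self):
        """Number of internal users the pool can serve at the same time."""
        return len(self.free) + len(self.assignments)

    def assign(self, internal_ip):
        """First connection of a user takes a spare block; later ones reuse it."""
        if internal_ip in self.assignments:
            return self.assignments[internal_ip]
        if not self.free:
            return None  # no public address with spare port blocks
        block = self.free.pop(0)
        self.assignments[internal_ip] = block
        return block

    def internal_for(self, public_ip, port):
        """Trace a logged public IP:port back to the internal user."""
        for internal, (ip, lo, hi) in self.assignments.items():
            if ip == public_ip and lo <= port <= hi:
                return internal
        return None
```

With the page's example values the pool yields 63 whole blocks per public address, so it can serve 189 internal users before the 190th is refused.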
Related commands
nat address-group
nat444 outbound static
Use nat444 outbound static to enable static NAT444 on the outbound interface to make the IP-port
mappings take effect. The interface serves as the egress of an internal network to the external network.
Use undo nat444 outbound static to disable static NAT444 on the interface.
Syntax
nat444 outbound static