HP VPN Firewall Appliances NAT and ALG Configuration Guide

When static NAT444, dynamic NAT444, static NAT, and dynamic NAT all exist and are used for
matching the same flows, the matching sequence is as follows:
1. Static NAT.
2. Static NAT444.
3. For dynamic NAT444 and dynamic NAT, ACLs are matched in descending order.
Configuring NAT444 static IP-port mappings
When you manually configure an internal-to-external IP-port mapping, NAT444 assigns a public address and
a port block to each user of the private address pool. When an internal user accesses an external network,
CGN uses the specified public address and port block to translate the private source IP address and port.
To configure a NAT444 static IP-port mapping in system view:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure a NAT444 static IP-port mapping. | nat444 static local local-start-address local-end-address [ vpn-instance local-name ] global global-start-address global-end-address port-range port-range-start port-range-end block-size block-size | The command takes effect globally. |
| 3. Enter interface view. | interface interface-type interface-number | N/A |
| 4. Enable static NAT444 on the interface to make the static IP-port mapping take effect. | nat444 outbound static | The command applies to the interface. |
To configure a NAT444 static IP-port mapping in interface view:
| Step | Command |
|---|---|
| 1. Enter system view. | system-view |
| 2. Enter interface view. | interface interface-type interface-number |
| 3. Configure a NAT444 static IP-port mapping. | nat444 static local local-start-address local-end-address [ vpn-instance local-name ] global global-start-address global-end-address port-range port-range-start port-range-end block-size block-size |
| 4. Enable static NAT444 on the interface to make the static IP-port mapping take effect. | nat444 outbound static |
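
The following sketch is an added example, not code from HP or from the original guide. It models how the parameters of nat444 static (local range, global range, port-range, block-size) yield one port block per private address, checks that the global pool holds enough blocks for every user, and resolves a public address and port back to the private user, as needed when attributing an external log entry. The sequential allocation order, the function names, and all addresses are assumptions for illustration.

```python
import ipaddress

def ip_range(start, end):
    """Inclusive list of IPv4 addresses from start to end."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError("end address is below start address")
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

def build_static_map(local_start, local_end, global_start, global_end,
                     port_start, port_end, block_size):
    """Return {private_ip: (public_ip, first_port, last_port)}.

    ASSUMPTION (not stated on the page): blocks are handed out sequentially,
    lowest private address first, filling each public address before the next.
    """
    if not (0 < port_start <= port_end <= 65535) or block_size < 1:
        raise ValueError("invalid port range or block size")
    local_ips = ip_range(local_start, local_end)
    global_ips = ip_range(global_start, global_end)
    blocks_per_ip = (port_end - port_start + 1) // block_size
    capacity = blocks_per_ip * len(global_ips)
    if len(local_ips) > capacity:
        # In this model some users would be left without a port block.
        raise ValueError(f"{len(local_ips)} users but only {capacity} port blocks")
    mapping = {}
    for index, private_ip in enumerate(local_ips):
        ip_index, block_index = divmod(index, blocks_per_ip)
        first = port_start + block_index * block_size
        mapping[private_ip] = (global_ips[ip_index], first, first + block_size - 1)
    return mapping

def attribute(mapping, public_ip, public_port):
    """Map a public address and source port seen in an external log to a user."""
    for private_ip, (pub, first, last) in mapping.items():
        if pub == public_ip and first <= public_port <= last:
            return private_ip
    return None  # port lies outside every configured block

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    m = build_static_map("10.0.0.1", "10.0.0.6", "203.0.113.1", "203.0.113.2",
                         1024, 4023, 1000)
    for private_ip, block in m.items():
        print(private_ip, "->", block)
    print(attribute(m, "203.0.113.2", 2500))
```

Because a static mapping is fixed by configuration, a table like this can be rebuilt from the saved configuration alone; confirm the actual allocation order on the device before relying on it for attribution.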
Configuring NAT444 dynamic IP-port mappings
NAT444 dynamic IP-port mappings combine traditional dynamic NAT associations (configured with nat
outbound acl) and NAT444 static IP-port mappings. When an internal user accesses the Internet,
NAT444 translates the source addresses of the outbound packets permitted by the associated ACL.
NAT444 assigns a dynamic IP port block from the associated public address pool to the user for the first