AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
NAT Configuration Commands

NOTE:

By default, the route forwarding function is enabled on high-end LAN cards (8FE1GE, 24GE, and 24ES2GP). When IP packets are forwarded on such a card, the card does not send the received packets to the CPU. As a result, NAT services configured on VLANIF interfaces do not take effect.

display firewall-nat session aging-time

Function

The display firewall-nat session aging-time command displays the timeout interval of entries in the firewall session table or NAT session table.

Format

display firewall-nat session aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the timeout interval of sessions on the firewall session table or NAT session table.

Example

# Display the timeout interval of all entries in the session table.

<Huawei> display firewall-nat session aging-time
---------------------------------------------                                   
  tcp protocol timeout         : 600   (s)                                      
  tcp-proxy timeout            : 10    (s)                                      
  udp protocol timeout         : 120   (s)                                      
  icmp protocol timeout        : 20    (s)                                      
  dns protocol timeout         : 120   (s)                                      
  http protocol timeout        : 120   (s)                                      
  ftp protocol timeout         : 120   (s)                                      
  ftp-data protocol timeout    : 120   (s)                                      
  rtsp protocol timeout        : 60    (s)                                      
  rtsp-media protocol timeout  : 120   (s)                                      
  sip protocol timeout         : 1800  (s)                                      
  sip-media protocol timeout   : 120   (s)                                      
  pptp protocol timeout        : 600   (s)                 
  pptp-data protocol timeout   : 600   (s) 
---------------------------------------------  
Table 7-43  Description of the display firewall-nat session aging-time command output

| Item | Description |
| --- | --- |
| tcp protocol timeout | Timeout interval of TCP connections. The default value is 600, in seconds. |
| tcp-proxy timeout | Timeout interval of the TCP proxy. The default value is 10, in seconds. |
| udp protocol timeout | Timeout interval of UDP connections. The default value is 120, in seconds. |
| icmp protocol timeout | Timeout interval of ICMP connections. The default value is 20, in seconds. |
| dns protocol timeout | Timeout interval of the DNS protocol. The default value is 120, in seconds. |
| http protocol timeout | Timeout interval of HTTP connections. The default value is 120, in seconds. |
| ftp protocol timeout | Timeout interval of the FTP control connection. The default value is 120, in seconds. |
| ftp-data protocol timeout | Timeout interval of the FTP data connection. The default value is 120, in seconds. |
| sip protocol timeout | Timeout interval of the SIP protocol. The default value is 1800, in seconds. |
| sip-media protocol timeout | Timeout interval of the SIP media protocol. The default value is 120, in seconds. |
| rtsp protocol timeout | Timeout interval of the RTSP protocol. The default value is 60, in seconds. |
| rtsp-media protocol timeout | Timeout interval of the RTSP media protocol. The default value is 120, in seconds. |
| pptp protocol timeout | Timeout interval of the PPTP control connection. The default value is 600, in seconds. |
| pptp-data protocol timeout | Timeout interval of the PPTP data connection. The default value is 600, in seconds. |

display nat address-group

Function

The display nat address-group command displays the configuration of a NAT address pool.

Format

display nat address-group [ group-index ] [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| group-index | Indicates the index of a NAT address pool. | The value must be an existing NAT address pool index. |
| verbose | Displays details about the NAT address pool. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can check the configuration and application of the NAT address pool.

Example

# Display all the NAT address pools.

<Huawei> display nat address-group
NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1            10.1.1.1        10.1.1.10
 2         10.10.10.10      10.10.10.15
 --------------------------------------
  Total : 2   

# Display the NAT address pool according to the index of the NAT address pool.

<Huawei> display nat address-group 1 
 NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1            10.1.1.1        10.1.1.10
 --------------------------------------
  Total : 1 

# Display details about the NAT address pool.

<Huawei> display nat address-group 1 verbose
NAT Address-Group Information:
 -----------------------------------------------------------
 Index   Start-address      End-address  Ref-times  Ref-type
 -----------------------------------------------------------
 1            10.1.1.1        10.1.1.10          0      ----
 -----------------------------------------------------------
  Total : 1  
Table 7-44  Description of the display nat address-group command output

| Item | Description |
| --- | --- |
| NAT Address-Group Information | Information about the NAT address pool. |
| Index | Index of the NAT address pool. |
| Start-address | Start IP address of the NAT address pool. |
| End-address | End IP address of the NAT address pool. |
| Ref-times | Number of times that the NAT address pool is referenced. |
| Ref-type | Mode in which the NAT address pool is referenced: pat translates both the IP address and port information of data packets; no-pat translates only the IP addresses of data packets, not the port information; ---- indicates that the NAT address pool is not referenced. |
| Total | Number of NAT address pools. |

display nat alg

Function

The display nat alg command displays whether NAT application level gateway (ALG) is enabled for an application layer protocol.

Format

display nat alg

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the status of NAT ALG.

<Huawei> display nat alg
NAT Application Level Gateway Information:                                      
----------------------------------                                              
  Application            Status                                                 
----------------------------------                                              
  dns                    Disabled                                               
  ftp                    Disabled                                               
  rtsp                   Enabled                                                
  sip                    Disabled                                               
  pptp                   Disabled                                               
----------------------------------     
Table 7-45  Description of the display nat alg command output

| Item | Description |
| --- | --- |
| NAT Application Level Gateway Information | Information about the NAT ALG. |
| Application | Application protocol type. NOTE: The AR510 series do not support sip. |
| Status | Whether the NAT ALG function is enabled. |

display nat sip cac bandwidth information

Function

The display nat sip cac bandwidth information command displays the current total bandwidth and occupied bandwidth on the device.

NOTE:

The AR510 series do not support this command.

Format

display nat sip cac bandwidth information [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| verbose | Displays details about the current total bandwidth and occupied bandwidth. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display details about the current total bandwidth and occupied bandwidth on the device.

<Huawei> display nat sip cac bandwidth information verbose
------------------------------------------------------------------------------- 
Total Bandwidth(Kbps)       Used Bandwidth(Kbps)                                
  3000                        1900                                                 
------------------------------------------------------------------------------- 
Src-IP          Src-Port Dest-IP         Dest-Port Protocol Used Bandwidth(Kbps)
192.168.0.4     50       202.10.34.8     5060      udp        1900
-------------------------------------------------------------------------------
Table 7-46  Description of the display nat sip cac bandwidth information verbose command output

| Item | Description |
| --- | --- |
| Total Bandwidth | Total bandwidth on the device, in Kbps. To configure the total bandwidth, run the nat sip cac enable command. |
| Used Bandwidth | Occupied bandwidth on the device, in Kbps. |
| Src-IP | Source IP address, that is, the calling-party IP address. |
| Src-Port | Source port number, that is, the calling-party port number. |
| Dest-IP | Destination IP address, that is, the called-party IP address. |
| Dest-Port | Destination port number, that is, the called-party port number. |
| Protocol | Transport protocol of the SIP call; the value can only be UDP. |

display nat dns-map

Function

The display nat dns-map command displays the configuration of DNS mapping.

Format

display nat dns-map [ domain-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| domain-name | Specifies a valid domain name that can be resolved by the DNS server. | The value is a string of 1 to 255 case-insensitive characters without spaces. The string cannot contain the following characters: / : < > @ \ \| % ' " |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the configuration of NAT DNS mapping.

 <Huawei> display nat dns-map
  NAT DNS mapping information:
  Domain-name : www.huawei.com                                                  
  Global IP   : gigabitethernet0/0/1 (Real IP : 192.168.4.2)                    
  Global port : 2                                                               
  Protocol    : tcp

  Total : 1  
Table 7-47  Description of the display nat dns-map command output

| Item | Description |
| --- | --- |
| NAT DNS mapping information | Information about NAT DNS mapping. |
| Domain-name | Domain name. |
| Global IP | IP address provided for external access. |
| Global port | Port number provided for external access. |
| Protocol | Type of the protocol carried over IP. |
| Total | Number of NAT DNS mapping entries. |

display nat filter-mode

Function

The display nat filter-mode command displays the current NAT filtering mode.

Format

display nat filter-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the current NAT filtering mode. The modes include:
  • endpoint-independent: independent of the external address and port.
  • endpoint-dependent: dependent on the external address and independent of the port.
  • endpoint-and-port-dependent: dependent on the external address and port.
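The three filtering modes above decide which external sources may send traffic inward through an existing mapping, which is why endpoint-independent filtering exposes the inside host most widely. The following Python, added here as an illustration and not part of Huawei's documentation, models that decision for one mapping and counts how many probe sources each mode admits; the mapping is taken from this page's display nat mapping table output and the peer and probe addresses are constructed for the example.

```python
from dataclasses import dataclass

# Filter modes as listed by display nat filter-mode.
FILTER_MODES = (
    "endpoint-independent",
    "endpoint-dependent",
    "endpoint-and-port-dependent",
)


@dataclass(frozen=True)
class Mapping:
    """One dynamic mapping: the inside host, the translated (global)
    address/port, and the external peer the inside host contacted."""
    inside_addr: str
    inside_port: int
    global_addr: str
    global_port: int
    peer_addr: str
    peer_port: int


def inbound_allowed(mode, mapping, src_addr, src_port, dst_addr, dst_port):
    """Decide whether an inbound packet from src_addr:src_port to
    dst_addr:dst_port is passed through the given mapping.

    endpoint-independent: any external source may use the mapping.
    endpoint-dependent: only the external address the inside host contacted.
    endpoint-and-port-dependent: only that address AND that port.
    """
    if mode not in FILTER_MODES:
        raise ValueError(f"unknown NAT filter mode: {mode}")
    # Whatever the mode, the packet must target the mapped global address/port.
    if (dst_addr, dst_port) != (mapping.global_addr, mapping.global_port):
        return False
    if mode == "endpoint-independent":
        return True
    if mode == "endpoint-dependent":
        return src_addr == mapping.peer_addr
    return (src_addr, src_port) == (mapping.peer_addr, mapping.peer_port)


def exposure_by_mode(mapping, probes):
    """Count, per filter mode, how many probe sources (addr, port) would
    reach the inside host through the mapping. A larger count means a
    wider inbound exposure for the same translation."""
    return {
        mode: sum(
            inbound_allowed(mode, mapping, addr, port,
                            mapping.global_addr, mapping.global_port)
            for addr, port in probes
        )
        for mode in FILTER_MODES
    }


# Inside/global values from the page's display nat mapping table output
# (192.168.14.121:555 -> 192.168.3.10:10491); the peer is constructed.
SAMPLE_MAPPING = Mapping("192.168.14.121", 555, "192.168.3.10", 10491,
                         "198.51.100.20", 53)

# Constructed probes: the original peer, the same peer from another port,
# and an unrelated host (203.0.113.9 is a documentation address).
SAMPLE_PROBES = [
    ("198.51.100.20", 53),
    ("198.51.100.20", 5353),
    ("203.0.113.9", 53),
]

if __name__ == "__main__":
    for mode, count in exposure_by_mode(SAMPLE_MAPPING, SAMPLE_PROBES).items():
        print(f"{mode:28s} admits {count} of {len(SAMPLE_PROBES)} probes")
```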

Example

# Display the current NAT filtering mode.

<Huawei> display nat filter-mode
Nat filter mode is : endpoint-independent     
Table 7-48  Description of the display nat filter-mode command output

| Item | Description |
| --- | --- |
| Nat filter mode is | The current NAT filtering mode. |

display nat outbound

Function

The display nat outbound command displays information about outbound NAT.

Format

display nat outbound [ acl acl-number | address-group group-index | interface interface-type interface-number [ .subnumber ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| acl acl-number | Specifies the number of a basic ACL or an advanced ACL. | The value must be an existing ACL number. |
| address-group group-index | Specifies the index of a NAT address pool. | The value must be an existing address pool index. |
| interface interface-type interface-number [ .subnumber ] | Specifies the type and number of an interface or a sub-interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all information about outbound NAT.

<Huawei> display nat outbound
 NAT Outbound Information:                                                      
 --------------------------------------------------------------------------     
 Interface                     Acl     Address-group/IP/Interface      Type     
 --------------------------------------------------------------------------     
 GigabitEthernet0/0/2         2000                              1    no-pat     
 --------------------------------------------------------------------------     
  Total : 1 
Table 7-49  Description of the display nat outbound command output

| Item | Description |
| --- | --- |
| Interface | Name of the interface. |
| Acl | Basic or advanced ACL that is in use. |
| Address-group/IP/Interface | Index of the NAT address pool, the IP address, or the loopback interface used for translation. |
| Type | Type of NAT. If no NAT address pool is specified, the IP address of the interface is used as the translated IP address, that is, Easy IP is used. |
| Total | Number of outbound NAT entries. |

display nat overlap-address

Function

The display nat overlap-address command displays information about the mapping between the overlapped address pool and the temporary address pool.

Format

display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| map-index | Specifies the index of the mapping between the overlapped address pool and the temporary address pool. | The value must be an existing mapping index. |
| all | Displays the configuration of all the overlapped address pools. | - |
| inside-vpn-instance inside-vpn-instance-name | Specifies the VPN instance of the private network. | The value is a string of 1 to 31 characters. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the configuration of all the overlapped address pools.

<Huawei> display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
 Id  Overlap-Address  Temp-Address    Pool-Length         Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
 1   10.2.2.2         10.3.10.10        255                            cmml                
 -------------------------------------------------------------------------------
  Total : 1    
Table 7-50  Description of the display nat overlap-address command output

| Item | Description |
| --- | --- |
| Id | Index of the mapping between the overlapped address pool and the temporary address pool. |
| Overlap-Address | Start IP address of the overlapped address pool. |
| Temp-Address | Start IP address of the temporary address pool. |
| Pool-Length | Length of the address pool. |
| Inside-VPN-Instance-Name | Name of the VPN instance of the private network. |

display nat server

Function

The display nat server command displays the configuration of the NAT server.

Format

display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| global global-address | Indicates the public address of the NAT server. | The value is in dotted decimal notation. |
| inside host-address | Indicates the private address of the NAT server. | The value is in dotted decimal notation. |
| vpn-instance vpn-instance-name | Indicates the VPN instance name. | The value is a string of 1 to 31 characters. |
| interface interface-type interface-number [ .subnumber ] | Indicates the type and number of an interface or a sub-interface. | - |
| acl acl-number | Indicates the number of an ACL. | The value is an integer that ranges from 2000 to 3999. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use this command to check whether the NAT server is configured correctly.

Example

# Display the configuration of all NAT servers.

<Huawei> display nat server
    Nat Server Information:                                                       
    Interface  : GigabitEthernet1/0/0                                       
    Global IP/Port     : 1.1.1.1/1~2                                            
    Inside IP/Port     : 2.2.2.2~2.2.2.3/1                                      
    Protocol : 6(tcp)                                                           
    VPN instance-name  : ----                                                   
    Acl number         : ----                                                   
    Vrrp id            : ----                                                   
    Description : ---- 
                                                                                    
  Total :    1
Table 7-51  Description of the display nat server command output

| Item | Description |
| --- | --- |
| Nat Server Information | Information about the NAT server. |
| Interface | Name of the interface. |
| Global IP/Port | Public IP address and port number. |
| Inside IP/Port | Private IP address and port number. |
| Protocol | Protocol number and protocol type. |
| VPN instance-name | Name of the VPN instance. |
| Acl number | Number of the ACL used by the NAT server. |
| Vrrp id | VRRP ID. |
| Description | NAT description. |
| Total | Number of NAT servers. |

display nat session

Function

The display nat session command displays the NAT mapping table.

Format

display nat session { all [ verbose ] | number }

display nat session protocol { protocol-name | protocol-number } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

display nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display nat session destination destination-address [ destination-port ] [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all | Displays all entries in the NAT mapping table. | - |
| verbose | Displays detailed information about the NAT mapping table. | - |
| number | Displays the number of entries in the NAT mapping table. | - |
| protocol { protocol-name \| protocol-number } | Displays the NAT mapping table entries of a specified protocol type or protocol number. | protocol-name can be icmp, tcp, or udp. protocol-number is an integer that ranges from 1 to 255. |
| source source-address [ source-port ] | Specifies the source IP address and port number before NAT translation. | source-address is in dotted decimal notation. source-port is an integer that ranges from 1 to 65535. |
| destination destination-address [ destination-port ] | Specifies the destination IP address and port number before NAT translation. | destination-address is in dotted decimal notation. destination-port is an integer that ranges from 1 to 65535. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays information about the NAT mapping table. You can view information about all entries or display information by specifying keywords. The entries in a NAT mapping table are triggered by service packets. If the device does not receive any service packet, no entry is generated.

Example

# Display details about all entries in the NAT mapping table.

<Huawei> display nat session all verbose
  NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21

     Protocol          : UDP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.3
       New DestPort    : 21

  Total : 2
Table 7-52  Description of the display nat session all verbose command output

| Item | Description |
| --- | --- |
| NAT Session Table Information | Information about NAT mapping entries. |
| Protocol | Protocol type. |
| SrcAddr Port Vpn | Source address, service port number, and VPN instance name before translation. |
| DestAddr Port Vpn | Destination address, service port number, and VPN instance name before translation. |
| Time To Live | Time to live (TTL) of the mapping table entry. |
| NAT-Info | NAT information. |
| New SrcAddr | Source address after translation. |
| New SrcPort | Source port number after translation. |
| New DestAddr | Destination address after translation. |
| New DestPort | Destination port number after translation. |
| Total | Number of NAT mapping entries. |
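The session table above is what an operator reads when auditing which translations are live and on which side the device rewrote the packet. The following Python parser, added here as an example rather than anything from the Huawei documentation, turns that layout into records, checks the parsed count against the printed Total, and classifies each entry by which side was rewritten; the sample output it embeds is constructed in the same format (the second entry's addresses, ports and the vpn1 instance name are made up).

```python
import re

# Constructed sample in the layout of display nat session all verbose.
# The first entry copies the page's output; the second is made up and
# shows a VPN instance name in the "SrcAddr Port Vpn" field.
SAMPLE_OUTPUT = """\
  NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.200.200.201 5000 vpn1
     DestAddr Port Vpn : 192.0.2.10 53
     Time To Live      : 120 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10241
       New DestAddr    : 192.0.2.10
       New DestPort    : 53

  Total : 2
"""

# "key : value" lines; the key may contain spaces (e.g. "Time To Live").
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)\s*:\s*(?P<value>.*?)\s*$")
PROTO_RE = re.compile(r"^([A-Za-z]+)\((\d+)\)$")


def _addr_port_vpn(value):
    """Split 'addr port [vpn]' into its parts; vpn is None when absent."""
    parts = value.split()
    return parts[0], int(parts[1]), (parts[2] if len(parts) > 2 else None)


def parse_sessions(text):
    """Parse the session entries into a list of dicts, one per entry.
    A new entry starts at each 'Protocol' line."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and "NAT-Info" carry no field
        key, value = m.group("key"), m.group("value")
        if key == "Protocol":
            cur = {}
            sessions.append(cur)
            name, number = PROTO_RE.match(value).groups()
            cur["protocol"], cur["protocol_number"] = name, int(number)
        elif cur is None:
            continue  # banner line before the first entry
        elif key.startswith("SrcAddr"):
            cur["src_addr"], cur["src_port"], cur["src_vpn"] = _addr_port_vpn(value)
        elif key.startswith("DestAddr"):
            cur["dst_addr"], cur["dst_port"], cur["dst_vpn"] = _addr_port_vpn(value)
        elif key == "Time To Live":
            cur["ttl_s"] = int(value.split()[0])
        elif key == "New SrcAddr":
            cur["new_src_addr"] = value
        elif key == "New SrcPort":
            cur["new_src_port"] = int(value)
        elif key == "New DestAddr":
            cur["new_dst_addr"] = value
        elif key == "New DestPort":
            cur["new_dst_port"] = int(value)
    return sessions


def reported_total(text):
    """The Total count the device printed, or None if the line is missing."""
    m = re.search(r"^\s*Total\s*:\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def translation_kind(session):
    """Classify an entry by which side the device rewrote: 'source'
    (outbound NAT only), 'destination' (server mapping only), 'both' or 'none'."""
    src_changed = (session["src_addr"], session["src_port"]) != (
        session["new_src_addr"], session["new_src_port"])
    dst_changed = (session["dst_addr"], session["dst_port"]) != (
        session["new_dst_addr"], session["new_dst_port"])
    return {(True, True): "both", (True, False): "source",
            (False, True): "destination", (False, False): "none"}[(src_changed, dst_changed)]


if __name__ == "__main__":
    entries = parse_sessions(SAMPLE_OUTPUT)
    # A mismatch here means the capture was truncated or the format changed.
    assert reported_total(SAMPLE_OUTPUT) == len(entries)
    for e in entries:
        print(e["protocol"], e["src_addr"], e["src_port"], "->",
              e["new_src_addr"], e["new_src_port"], translation_kind(e))
```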

display nat static

Function

The display nat static command displays the configuration of static NAT.

Format

display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| global global-address | Indicates the public address for static NAT. | The value is in dotted decimal notation. |
| inside host-address | Indicates the private address for static NAT. | The value is in dotted decimal notation. |
| vpn-instance vpn-instance-name | Indicates the name of the VPN instance. | The value is a string of 1 to 31 characters. |
| interface interface-type interface-number [ .subnumber ] | Indicates the type and number of an interface or a sub-interface. | - |
| acl acl-number | Indicates the number of an ACL. | The value is an integer that ranges from 2000 to 3999. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After static NAT is configured, you can use the display nat static command to view the configuration of static NAT.

Example

# Display the global configuration of static NAT.

<Huawei> display nat static
  Static Nat Information:                                                       
  Interface  : GigabitEthernet1/0/0                                         
    Global IP/Port     : 1.1.1.1/1~2                                           
    Inside IP/Port     : 10.2.2.2~10.2.2.3/2                                    
    Protocol : 6(tcp)                                                           
    VPN instance-name  : ----                                                   
    Acl number         : ----                                                   
    Vrrp id            : ----                                                   
    Netmask  : 255.255.255.255                                                  
    Description : ----                                                   
                                                                                
  Total :    1      
Table 7-53  Description of the display nat static command output

| Item | Description |
| --- | --- |
| Static Nat Information | Information about static NAT. |
| Interface | Name of the interface. |
| Global IP/Port | Public IP address and port number. |
| Inside IP/Port | Private IP address and port number. |
| Protocol | Protocol number and protocol type. |
| VPN instance-name | Name of the VPN instance. |
| Acl number | Number of the ACL used by the static NAT. |
| Vrrp id | VRRP ID. |
| Netmask | Network mask. |
| Description | NAT description. |
| Total | Number of static NAT entries. |

display nat static interface enable

Function

The display nat static interface enable command displays the interface enabled with the static NAT function.

Format

display nat static interface enable

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the interface enabled with the static NAT function.

<Huawei> display nat static interface enable
 Static Nat  enable  Information :                                             
------------------------------------------------                                
 interface Vlanif300                                              
------------------------------------------------                                
  Total : 1  
Table 7-54  Description of the display nat static interface enable command output

| Item | Description |
| --- | --- |
| Static Nat enable Information | Interface enabled with the static NAT function. |
| Total | Number of interfaces enabled with the static NAT function. |

display nat mapping-mode

Function

The display nat mapping-mode command displays the NAT mapping mode.

Format

display nat mapping-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After NAT mapping is configured, you can view the NAT mapping information. For example, you can view:

  • Endpoint-independent mapping information about TCP packets.
  • Endpoint-independent mapping information about UDP packets.
  • Endpoint-independent mapping information about both TCP and UDP packets.

Example

# Display NAT mapping information.

<Huawei> display nat mapping-mode
  NAT Mapping Mode Information: 
-----------------------------------------------------------
nat mapping-mode endpoint-independent tcp
-----------------------------------------------------------
  Total : 1
Table 7-55  Description of the display nat mapping-mode command output

| Item | Description |
| --- | --- |
| NAT Mapping Mode Information | Information about the NAT mapping mode. |
| Total | Number of NAT mapping modes. |

display nat mapping table

Function

The display nat mapping table command displays NAT mapping table information or the number of entries in the NAT table.

Format

display nat mapping table { all | number }

display nat mapping table inside-address ip-address protocol protocol-name port port-number [ vpn-instance vpn-instance-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all | Displays information about all entries in the NAT mapping table. | - |
| number | Displays the number of entries in the NAT mapping table. | - |
| inside-address ip-address | Indicates the internal IP address of the server. | The value is in dotted decimal notation. |
| protocol protocol-name | Indicates the protocol type. | The value can be tcp or udp. |
| port port-number | Indicates the protocol port number. | The value is an integer that ranges from 1 to 65535. |
| vpn-instance vpn-instance-name | Indicates the VPN instance name. | The value is a string of 1 to 31 characters. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display nat mapping table command displays information about all entries in a NAT table or the number of entries in the NAT table. You can also enter keywords to view a specified entry.

Example

# Display the number of entries in the NAT table.

<Huawei> display nat mapping table number
 The total number of NAT dynamic mapping tables is: 1

# Display information about all entries in the NAT table.

<Huawei> display nat mapping table all
 NAT Dynamic Mapping Table Information:

   Protocol             : UDP(17)
   InsideAddr  Port Vpn : 192.168.14.121    555   
   GlobalAddr  Port     : 192.168.3.10    10491

   Protocol             : UDP(17)
   InsideAddr  Port Vpn : 192.168.66.119   555   
   GlobalAddr  Port     : 192.168.3.10    23099

  Total : 2
Table 7-56  Description of the display nat mapping table command output

| Item | Description |
| --- | --- |
| The total number of NAT dynamic mapping tables is | Number of NAT mapping table entries. |
| NAT Dynamic Mapping Table Information | Information about NAT mapping table entries. |
| Protocol | Application protocol type. |
| InsideAddr Port Vpn | Private IP address, port number, and VPN instance name. NOTE: If no VPN is configured, the VPN instance name is not displayed. |
| GlobalAddr Port | Public IP address and port number. |
| Total | Number of NAT mapping table entries. |

firewall-nat session aging-time

Function

The firewall-nat session aging-time command sets the timeout interval of each entry in the session table.

The undo firewall-nat session aging-time command restores the default timeout interval of each entry in the session table.

Format

firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value

undo firewall-nat session { all | dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time

NOTE:

AR510 series do not support the sip and sip-media keywords.

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| dns | Sets the timeout interval of the DNS protocol. | - |
| ftp | Sets the timeout interval of the FTP control connection. | - |
| ftp-data | Sets the timeout interval of the FTP data connection. | - |
| http | Sets the timeout interval of the HTTP connection. | - |
| icmp | Sets the timeout interval of the ICMP connection. | - |
| tcp | Sets the timeout interval of the TCP connection. | - |
| tcp-proxy | Sets the timeout interval of the TCP proxy. | - |
| udp | Sets the timeout interval of the UDP connection. | - |
| sip | Sets the timeout interval of the SIP connection. | - |
| sip-media | Sets the timeout interval of the SIP media protocol. | - |
| rtsp | Sets the timeout interval of the RTSP protocol. | - |
| rtsp-media | Sets the timeout interval of the RTSP media protocol. | - |
| pptp | Sets the timeout interval of the PPTP control connection. | - |
| pptp-data | Sets the timeout interval of the PPTP data connection. | - |
| all | Restores the default timeout interval of all the preceding connections. | - |
| aging-time time-value | Specifies the timeout interval. | The value of time-value is an integer that ranges from 1 to 65535, in seconds. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The firewall-nat session aging-time command sets the timeout interval for sessions of each protocol. If an entry in a session table is not used within the specified period, the entry expires. For example, the user with IP address 10.110.10.10 initiates a TCP connection through port 2000. If the TCP connection is not used within the timeout interval, the system deletes the TCP connection.

The following table lists the default session timeout interval of each protocol.

| Protocol | Default Session Timeout Interval |
| --- | --- |
| tcp | 600 seconds |
| tcp-proxy | 10 seconds |
| udp | 120 seconds |
| icmp | 20 seconds |
| dns | 120 seconds |
| http | 120 seconds |
| ftp | 120 seconds |
| ftp-data | 120 seconds |
| sip | 1800 seconds |
| sip-media | 120 seconds |
| rtsp | 60 seconds |
| rtsp-media | 120 seconds |
| pptp | 600 seconds |
| pptp-data | 600 seconds |

Precautions

For some services such as voice service, increase the TCP/UDP timeout interval to prevent service interruption.

Example

# Set the timeout interval of the DNS connection to 60 seconds.

<Huawei> system-view
[Huawei] firewall-nat session dns aging-time 60

nat address-group

Function

The nat address-group command configures a NAT address pool.

The undo nat address-group command deletes a NAT address pool.

By default, no NAT address pool is configured.

Format

nat address-group group-index start-address end-address

undo nat address-group group-index

Parameters

Parameter

Description

Value

group-index

Specifies the index of a NAT address pool.

  • AR510: the value is an integer that ranges from 0 to 3.
  • The other devices: the value is an integer that ranges from 0 to 7.

start-address

Specifies the start address of the address pool.

The value is in dotted decimal notation.

end-address

Specifies the end address of the address pool.

The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An address pool is a set of consecutive public IP addresses. When a packet from the private network is sent to the public network through address translation, its source address is translated to an address taken from the pool.

Precautions

The start IP address of the address pool must be smaller than or equal to the end IP address. For the AR510, the number of addresses between the start address and end address cannot exceed 16; for other models, the number cannot exceed 255.

Example

# Configure an address pool ranging from 10.110.10.10 to 10.110.10.15, with the address pool index being 1.

<Huawei> system-view
[Huawei] nat address-group 1 10.110.10.10 10.110.10.15  

nat alg

Function

The nat alg command enables the NAT ALG function for application protocols.

The undo nat alg command disables the NAT ALG function for application protocols.

By default, NAT ALG is disabled.

Format

nat alg { all | protocol-name } enable

undo nat alg { all | protocol-name } enable

Parameters

Parameter

Description

Value

all

Enables the NAT ALG function for DNS, FTP, SIP, PPTP and RTSP.

-

protocol-name

Enables the NAT ALG function for the specified protocol type.

The value can be , sip, pptp and rtsp.

NOTE:

The AR510 series do not support sip.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the NAT ALG function is enabled for an application protocol, packets of that protocol can traverse the NAT device correctly. Without ALG, the application protocol cannot work normally across NAT.

Example

# Enable the NAT ALG function for FTP.

<Huawei> system-view
[Huawei] nat alg ftp enable

# Disable the NAT ALG function for FTP.

<Huawei> system-view
[Huawei] undo nat alg ftp enable

nat sip cac enable

Function

The nat sip cac enable command enables the function of call admission control and configures the total bandwidth of the device to limit the SIP call bandwidth.

The undo nat sip cac enable command disables the function of call admission control and cancels the configuration of total bandwidth. The SIP call bandwidth is not limited.

The default bandwidth of a device is 0, and the call bandwidth is not limited.

NOTE:

The AR510 series do not support this command.

Format

nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number [ .subnumber ] }

undo nat sip cac enable

Parameters

Parameter

Description

Value

bandwidth bandwidth-value

Specifies the total bandwidth of the device.

The value is an integer that ranges from 1 to 4294967295, in Kbps.

percent value

Specifies the total bandwidth on the device, which is a percentage of the bandwidth on SIP outgoing interface.

The value is an integer that ranges from 1 to 100.

interface interface-type interface-number [ .subnumber ]

Specifies the SIP outgoing interface type and number.

  • interface-type specifies the interface type.
  • interface-number [ .subnumber ] specifies the interface number.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a SIP server is deployed on the public network and SIP phones on the public and private networks are interconnected, call quality suffers if the bandwidth on the NAT device is insufficient. You can enable call admission control (CAC) and set the total bandwidth on the NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call would exceed the specified value, the call is rejected.

Example

# Set the total bandwidth of the device to 2000 Kbps to limit the call bandwidth.

<Huawei> system-view
[Huawei] nat sip cac enable bandwidth 2000

# Set the total bandwidth on the device to 10% of the bandwidth on GE1/0/0 to limit the call bandwidth.

<Huawei> system-view
[Huawei] nat sip cac enable bandwidth percent 10 interface gigabitethernet 1/0/0

nat dns-map

Function

The nat dns-map command configures a mapping entry from the domain name to the public IP address, port number, and protocol type.

The undo nat dns-map command deletes a mapping entry from the domain name to the public IP address, port number, and protocol type.

By default, no mapping entry is configured.

Format

nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

undo nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

Parameters

Parameter

Description

Value

domain-name

Specifies a valid domain name that can be resolved by the DNS server.

The value is a string of 1 to 255 case-insensitive characters without spaces. The string cannot contain the following characters: / : < > @ \ | % ' ".

global-address

Specifies a valid IP address provided for external access.

The value is in dotted decimal notation.

interface interface-type interface-number [ .subnumber ]

Specifies the type and number of an interface or a sub-interface.

-

interface interface-type interface-number

Specifies the type and number of an interface.

-

global-port

Specifies the port number of the service provided for external access.

The value is an integer that ranges from 1 to 65535.

protocol-name

Specifies the protocol carried over IP.

The value can be tcp and udp.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use this command to configure the mapping from the domain name to the public IP address, port number, and protocol type for internal hosts. In this manner, internal hosts can differentiate and access corresponding internal servers according to domain names when no DNS server is deployed on the private network.

By default, no DNS mapping is configured. In that case, after the external DNS server resolves the domain names requested by internal hosts to public IP addresses, a public IP address can be mapped to only one internal server, so internal hosts cannot differentiate and access the corresponding internal servers by domain name.

Follow-up Procedure

Run the nat alg dns enable command to enable the DNS NAT ALG function. The NAT ALG function allows hosts on a private network to access servers on the private network through the external DNS server.

Example

# Configure a mapping entry from a domain name to public IP address, port number, and protocol type.

<Huawei> system-view
[Huawei] nat dns-map www.test.com 10.1.1.1 2012 tcp

nat filter-mode

Function

The nat filter-mode command sets the NAT filtering mode.

The default NAT filtering mode is endpoint-and-port-dependent.

Format

nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

Parameters

Parameter

Description

Value

endpoint-dependent

Indicates the NAT filtering mode dependent on the external address and independent of the port.

-

endpoint-independent

Indicates the NAT filtering mode independent of the external address and port.

-

endpoint-and-port-dependent

Indicates the NAT filtering mode dependent on the external address and port.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The NAT filtering mode determines how applications that use STUN and TURN traverse the NAT device.

NAT is performed on the traffic from the external network to the internal network:

  • If the NAT filtering mode is set to endpoint-independent, the system uses "destination IP address+destination port number+protocol number" as the key to search the mapping table. If a corresponding entry is found, the system generates a reverse mapping entry. The destination address and port in the entry are the IP address and port number on the internal network.
  • If the NAT filtering mode is set to endpoint-dependent, the system uses "source IP address+destination IP address+destination port number+protocol number" as the key to search the mapping table. If a corresponding entry is found, the system generates a reverse mapping entry. The behavior in the reverse mapping entry is the same as the behavior in the mapping table entry.
  • If the NAT filtering mode is set to endpoint-and-port-dependent, the system uses "source IP address+source port number+destination IP address+destination port number+protocol number" as the key to search the mapping table. If a corresponding entry is found, the system generates a reverse mapping entry. The behavior in the reverse mapping entry is the same as the behavior in the mapping table entry.

You can change the NAT filtering mode only when no traffic is transmitted between the external network and internal network.
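The following is an added example, not Huawei code, that models the three filtering modes described above. It builds the lookup key for an inbound packet exactly as the bullets state, matches it against a mapping table created by an earlier outbound flow, and shows which external packets reach the inside host under each mode. The mapping entry, addresses and ports are constructed.

```python
# Added example (not Huawei code): the three NAT filtering modes as lookup keys.
# Mapping entry, addresses and ports are constructed sample data.
from collections import namedtuple

# A mapping entry created by an outbound flow: inside host -> public address/port,
# remembered together with the external peer it was talking to.
Mapping = namedtuple("Mapping", "proto inside_ip inside_port public_ip public_port remote_ip remote_port")
# An inbound packet arriving from the external network.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

MODES = ("endpoint-independent", "endpoint-dependent", "endpoint-and-port-dependent")


def packet_key(mode, pkt):
    """Search key per mode: destination is our public address/port, source is the external peer."""
    if mode == "endpoint-independent":
        return (pkt.dst_ip, pkt.dst_port, pkt.proto)
    if mode == "endpoint-dependent":
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto)
    if mode == "endpoint-and-port-dependent":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    raise ValueError(f"unknown filter mode: {mode}")


def mapping_key(mode, m):
    """The same key shape, taken from the mapping entry."""
    if mode == "endpoint-independent":
        return (m.public_ip, m.public_port, m.proto)
    if mode == "endpoint-dependent":
        return (m.remote_ip, m.public_ip, m.public_port, m.proto)
    if mode == "endpoint-and-port-dependent":
        return (m.remote_ip, m.remote_port, m.public_ip, m.public_port, m.proto)
    raise ValueError(f"unknown filter mode: {mode}")


def inbound_translate(mode, table, pkt):
    """Return the (inside_ip, inside_port) the packet is forwarded to, or None if filtered."""
    wanted = packet_key(mode, pkt)
    for m in table:
        if mapping_key(mode, m) == wanted:
            return (m.inside_ip, m.inside_port)
    return None


# Constructed mapping: 10.110.10.10:2000 went out as 1.1.1.1:40000 to 203.0.113.5:80 over TCP.
TABLE = [Mapping("tcp", "10.110.10.10", 2000, "1.1.1.1", 40000, "203.0.113.5", 80)]

# Three constructed inbound packets aimed at that public binding.
PACKETS = {
    "same peer, same port": Packet("tcp", "203.0.113.5", 80, "1.1.1.1", 40000),
    "same peer, other port": Packet("tcp", "203.0.113.5", 8080, "1.1.1.1", 40000),
    "other host": Packet("tcp", "198.51.100.9", 80, "1.1.1.1", 40000),
}


def classify(table=TABLE, packets=PACKETS):
    """For each mode, the names of the packets that reach the inside host."""
    return {mode: [name for name, p in packets.items() if inbound_translate(mode, table, p)]
            for mode in MODES}


if __name__ == "__main__":
    for mode, admitted in classify().items():
        print(f"{mode:30s} admits: {admitted}")
```

The output shows why the default matters: endpoint-independent admits any external host that learns the public binding, endpoint-dependent admits only the original peer from any port, and endpoint-and-port-dependent (the default) admits only the exact peer the inside host contacted. Relax the mode only for applications that need it.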

Example

# Set the NAT filtering mode independent of the external address and port.

<Huawei> system-view
[Huawei] nat filter-mode endpoint-independent

nat log-format elog

Function

The nat log-format elog command sets the NAT log format to eLog. The logs are generated in the format specified by the eLog server.

The undo nat log-format elog command changes the current NAT log format from eLog to a common format.

By default, a common format is used as the NAT log format.

Format

nat log-format elog

undo nat log-format elog

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

In the scenario where connection between the device and eLog server is required, the device must send log packets in the specified format to the eLog server to establish the connection. You can run the nat log-format elog or undo nat log-format elog command to set the log format to eLog or a common format.

Example

# Set the NAT session log format to eLog.

<Huawei> system-view
[Huawei] nat log-format elog

# Set the NAT session log format to a common format.

<Huawei> system-view
[Huawei] undo nat log-format elog

nat miss forward deny

Function

The nat miss forward deny command enables the device to directly discard packets that cannot be processed using NAT.

The undo nat miss forward deny command disables the device from directly discarding packets that cannot be processed using NAT.

By default, the device leaves packets that cannot be processed using NAT untranslated instead of discarding them.

Format

nat miss forward deny

undo nat miss forward deny

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Some packets cannot be processed using NAT because of configuration problems or because a specification limit (the maximum number of NAT sessions) has been reached. By default, the device leaves these packets untranslated. After the nat miss forward deny command is run, the device discards them instead.

Example

# Enable the device to directly discard packets that cannot be processed using NAT.

<Huawei> system-view
[Huawei] nat miss forward deny

nat outbound

Function

The nat outbound command associates an ACL with a NAT address pool. In this manner, the addresses specified in the ACL can be translated using the NAT address pool.

The undo nat outbound command disables outbound NAT.

By default, outbound NAT is disabled.

Format

nat outbound acl-number address-group group-index [ no-pat ][ vrrp vrrpid ]

undo nat outbound acl-number address-group group-index [ no-pat ][ vrrp vrrpid ]

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

address-group group-index

Indicates that the NAT address pool is used for address translation. If no NAT address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is used.

  • AR510: the value is an integer that ranges from 0 to 3.
  • The other devices: the value is an integer that ranges from 0 to 7.

no-pat

Indicates one-to-one NAT, that is, only the IP address in a datagram is translated and the port number is not translated.

-

vrrp vrrpid

Specifies the VRRP ID.

After NAT address pools are configured on devices in a VRRP group, both devices may perform NAT for packets, resulting in conflicts. You can specify vrrp vrrpid to configure the master device to perform NAT, preventing conflicts.

The value is an integer that ranges from 1 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

After an ACL is associated with a NAT address pool, NAT translates the source IP address of a data packet matching the ACL to an IP address in the NAT address pool.

Multiple nat outbound associations (different ACLs mapped to different address pools) can be configured on the same interface. This interface usually connects to an ISP network and is the egress of the internal network.

NOTE:

This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.
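The following is an added example, not Huawei code, that models nat address-group together with nat outbound: it validates a pool against the limits stated in the address-group Precautions (index 0 to 7 and at most 255 addresses, 0 to 3 and 16 on the AR510), matches the packet source against a basic ACL wildcard rule, and then allocates a translated address either with PAT (address plus new port) or one-to-one with no-pat, where the pool can run out. The ACL, pool and host addresses follow the command example; the sequential port allocation is a constructed policy, since the device's real allocation order is not documented here.

```python
# Added example (not Huawei code): nat address-group validation plus nat outbound
# translation with and without no-pat. Port allocation policy is constructed.
import ipaddress


class AddressGroup:
    """nat address-group group-index start-address end-address, with the limits from
    the Precautions: index 0-7 and up to 255 addresses (0-3 and 16 on the AR510)."""

    def __init__(self, index, start, end, model="AR530"):
        max_index, max_size = (3, 16) if model == "AR510" else (7, 255)
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if not 0 <= index <= max_index:
            raise ValueError(f"group-index must be 0..{max_index} on {model}")
        if lo > hi:
            raise ValueError("start-address must be <= end-address")
        if int(hi) - int(lo) + 1 > max_size:
            raise ValueError(f"at most {max_size} addresses per pool on {model}")
        self.index = index
        self.addresses = [str(ipaddress.IPv4Address(a)) for a in range(int(lo), int(hi) + 1)]


def acl_permits(rules, ip):
    """Basic ACL: rules are (source, wildcard) pairs, e.g. ('10.110.10.0', '0.0.0.255')."""
    ip_int = int(ipaddress.IPv4Address(ip))
    for source, wildcard in rules:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # 1 bits are compared
        if ip_int & care == int(ipaddress.IPv4Address(source)) & care:
            return True
    return False


class OutboundNat:
    """nat outbound acl-number address-group group-index [ no-pat ] on one interface."""

    def __init__(self, acl_rules, group, no_pat=False):
        self.acl_rules = acl_rules
        self.group = group
        self.no_pat = no_pat
        self.bindings = {}      # PAT: (inside_ip, inside_port) -> (public_ip, public_port)
        self.one_to_one = {}    # no-pat: inside_ip -> public_ip
        self.next_port = 1024   # constructed: public ports handed out sequentially

    def translate(self, src_ip, src_port):
        """Translated (ip, port) for an outbound packet; None if the ACL does not match
        (packet is forwarded untranslated) or a no-pat pool has no free address left."""
        if not acl_permits(self.acl_rules, src_ip):
            return None
        if self.no_pat:
            if src_ip not in self.one_to_one:
                used = set(self.one_to_one.values())
                free = [a for a in self.group.addresses if a not in used]
                if not free:
                    return None               # pool exhausted: one-to-one pools are finite
                self.one_to_one[src_ip] = free[0]
            return (self.one_to_one[src_ip], src_port)   # port is not translated
        key = (src_ip, src_port)
        if key not in self.bindings:
            n = len(self.bindings)
            public_ip = self.group.addresses[n % len(self.group.addresses)]
            self.bindings[key] = (public_ip, self.next_port + n)
        return self.bindings[key]


# Constructed scenario from the command example: ACL 2001 permits 10.110.10.0/24,
# address pool 1 is 1.1.1.1 to 1.1.1.3.
ACL_2001 = [("10.110.10.0", "0.0.0.255")]
POOL_1 = AddressGroup(1, "1.1.1.1", "1.1.1.3")


def demo_pat():
    nat = OutboundNat(ACL_2001, POOL_1)
    return [nat.translate("10.110.10.10", 2000),
            nat.translate("10.110.10.11", 2000),
            nat.translate("192.168.1.1", 2000)]   # outside the ACL: untranslated


def demo_no_pat():
    nat = OutboundNat(ACL_2001, POOL_1, no_pat=True)
    return [nat.translate(f"10.110.10.{i}", 5000) for i in range(10, 14)]  # 4 hosts, 3 addresses


if __name__ == "__main__":
    print("pat   :", demo_pat())
    print("no-pat:", demo_no_pat())
```

The no-pat run shows the operational consequence of one-to-one translation: with three pool addresses the fourth host gets no binding, which is the case that nat miss forward deny turns from silent forwarding into a drop.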

Example

# Select the addresses from 1.1.1.1 to 1.1.1.3 to form NAT address pool 1, and configure the hosts in the network segment 10.110.10.0/24 to use the addresses in address pool 1 for many-to-one address translation (using TCP/UDP port information).

<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] nat address-group 1 1.1.1.1 1.1.1.3
[Huawei] interface gigabitethernet 1/0/0 
[Huawei-GigabitEthernet1/0/0] nat outbound 2001 address-group 1

nat outbound (Easy-IP)

Function

The nat outbound command configures Easy IP.

The undo nat outbound command disables outbound NAT.

By default, Easy IP is disabled.

Format

nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ] [ vrrp vrrpid ]

undo nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ][ vrrp vrrpid ]

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

interface interface-type interface-number [ .subnumber ]

Specifies the interface or sub-interface whose IP address is used as the translated address.

-

vrrp vrrpid

Specifies the VRRP ID.

After NAT address pools are configured on devices in a VRRP group, both devices may perform NAT for packets, resulting in conflicts. You can specify vrrp vrrpid to configure the master device to perform NAT, preventing conflicts.

The value is an integer that ranges from 1 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Easy IP indicates that the IP address of the interface is used as the translated IP address.

NOTE:

This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.

Example

# Use the IP address of the interface as the translated IP address.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0 
[Huawei-GigabitEthernet1/0/0] nat outbound 2001

nat overlap-address

Function

The nat overlap-address command configures the mapping between an overlapped address pool and a temporary address pool.

The undo nat overlap-address command deletes the mapping between an overlapped address pool and a temporary address pool.

By default, the mapping between an overlapped address pool and a temporary address pool is not configured.

Format

nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

undo nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name }

Parameters

Parameter

Description

Value

map-index

Specifies the index of the mapping between the overlapped address pool and the temporary address pool.

  • AR510: the value is an integer that ranges from 0 to 3.
  • The other devices: the value is an integer that ranges from 0 to 7.

overlappool-startaddress

Specifies the start address of the overlapped address pool. IP addresses of overlapped address pools must be different.

The value is in dotted decimal notation.

temppool-startaddress

Specifies the start address of the temporary address pool. IP addresses of temporary address pools must be different.

The value is in dotted decimal notation.

pool-length length

Specifies the length of the address pools. The overlapped address pool and the temporary address pool have the same length, and each address in the overlapped address pool maps to one address in the temporary address pool.

The value is an integer that ranges from 1 to 255.

all

Deletes the mappings of all overlapped address pools.

-

inside-vpn-instance inside-vpn-instance-name

Indicates the VPN instance of the private network.

The value is a string of 1 to 31 characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the IP addresses of internal hosts overlap with those of external hosts, you need to configure the mapping between the overlapped address pool and the temporary address pool. After the mapping is configured, each overlapped address is translated into a unique temporary address so that packets can be forwarded correctly. In addition, you need to configure outbound NAT to implement twice NAT.

Example

# Configure the mapping between an overlapped address pool and a temporary address pool with the index being 1. The length of the overlapped address pool is 255, the overlapped address pool belongs to the VPN huawei, and the start address of the overlapped address pool is 10.10.10.1. The start address of the temporary address pool is 10.100.100.1.

<Huawei> system-view
[Huawei] ip vpn-instance huawei  
[Huawei-vpn-instance-huawei] route-distinguisher 200:1
[Huawei-vpn-instance-huawei-af-ipv4]  quit
[Huawei-vpn-instance-huawei] quit
[Huawei] nat overlap-address 1 10.10.10.1 10.100.100.1 pool-length 255 inside-vpn-instance huawei

nat server

Function

The nat server command defines a mapping table of internal servers so that external users can access internal servers through address and port translation.

The undo nat server command cancels the mapping table.

By default, no mapping table is configured.

Format

nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

undo nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ]

undo nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ]

Parameters

Parameter

Description

Value

protocol

Indicates the protocol type.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures external information about the NAT server.

-

icmp

Indicates that servers communicate with each other using ICMP.

-

tcp

Indicates that servers communicate with each other using TCP.

-

udp

Indicates that servers communicate with each other using UDP.

-

global-address

Specifies a valid IP address provided for external access.

The value is in dotted decimal notation.

inside

Configures internal information about the NAT server.

-

host-address

Specifies an IP address of the NAT server.

The value is in dotted decimal notation.

host-address2

Specifies the ending IP address of the private network.

The value is in dotted decimal notation.

global-port

Specifies the external service port number. You can use keywords to replace common port numbers. For example, the FTP port number is 21, so you can use the keyword ftp. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number. You can use keywords to replace common port numbers. For example, the FTP port number is 21, so you can use the keyword ftp. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the NAT server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535.

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

vrrp vrrpid

Specifies the VRRP ID.

After NAT address pools are configured on devices in a VRRP group, both devices may perform NAT for packets, resulting in conflicts. You can specify vrrp vrrpid to configure the master device to perform NAT, preventing conflicts.

The value is an integer that ranges from 1 to 255.

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

description description

Indicates the NAT description.

The value is a string of 1 to 255 characters. The character string is case sensitive. It can contain spaces but cannot contain the question mark (?).

current-interface

Uses the IP address of the current interface (the interface in whose view the command is run) as the public address.

-

interface interface-type interface-number [ .subnumber ]

Uses the IP address of the specified interface or sub-interface as the public address.

-

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure an internal server so that the external network can actively access it. When a host on the public network sends a connection request to the public address (global-address) of the internal server, the NAT device translates the destination address of the request into the private address (host-address) and forwards the request to the server on the private network.

NOTE:
  • This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.
  • If you run the undo nat server command, static mapping entries are not immediately deleted. To clear static mapping entries, run the reset nat session command.

Precautions

The specified global-port or host-port cannot be used by other applications. Otherwise, the configuration does not take effect.

When specifying global-port2 to configure multiple public ports, you must also specify host-address2 to configure multiple private addresses and ensure that the number of ports is the same as that of private addresses.

Example

# Add a NAT server and translate public address 1.1.1.1 of the TCP service to private address 192.168.0.1.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1

nat static (interface view)

Function

The nat static command configures one-to-one NAT between private addresses and public addresses.

The undo nat static command deletes one-to-one NAT between private addresses and public addresses.

By default, no one-to-one NAT is configured.

Format

nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

undo nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ]

undo nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ]

Parameters

Parameter

Description

Value

protocol

Indicates a protocol.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures external address and port number.

-

global-address

Specifies the public IP address for NAT.

The value is in dotted decimal notation.

inside

Configures internal address and port number.

-

host-address

Specifies the private IP address for NAT.

The value is in dotted decimal notation.

host-address2

Specifies the ending IP address of the private network.

The value is in dotted decimal notation.

global-port

Specifies the external service port number. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535.

icmp

Indicates that servers communicate with each other using ICMP.

-

tcp

Indicates that servers communicate with each other using TCP.

-

udp

Indicates that servers communicate with each other using UDP.

-

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

vrrp vrrpid

Specifies the VRRP ID.

After NAT address pools are configured on devices in a VRRP group, both devices may perform NAT for packets, resulting in conflicts. You can specify vrrp vrrpid to configure the master device to perform NAT, preventing conflicts.

The value is an integer that ranges from 1 to 255.

netmask mask

Indicates the network mask for static NAT.

The value ranges from 255.255.255.0 to 255.255.255.255.

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

description description

Indicates the NAT description.

The value is a string of 1 to 255 characters. The character string is case sensitive. It can contain spaces but cannot contain the question mark (?).

current-interface

Uses the IP address of the current interface (the interface in whose view the command is run) as the public address.

-

interface interface-type interface-number [ .subnumber ]

Uses the IP address of the specified interface or sub-interface as the public address.

-

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Static NAT indicates that a private address is statically bound to a public address when NAT is performed. The public IP address in static NAT is only used for translation of the unique and fixed private IP address of a host.

Static PAT indicates that a combination of the private address of a host, TCP/UDP protocol number, and internal port number is statically bound to a combination of the public address, TCP/UDP protocol number, and external port number. The public IP address in static PAT can be used for translation of multiple private addresses.

Using static NAT or PAT, hosts on the private network and hosts on the public network can access each other.

NOTE:
  • This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.
  • If you run the undo nat static command, static mapping entries are not immediately deleted. To clear static mapping entries, run the reset nat session command.
  • When host-address2 is specified, global-port2 and host-port must also be specified. The number of private addresses must be the same as the number of public port numbers. That is, the same public address maps different private addresses, and different public port numbers map the same private port number. For example, when nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30 is configured, 1.1.1.1 and public port 11 map 10.10.10.1 and private port 30, and 1.1.1.1 and public port 12 map 10.10.10.2 and private port 30.
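The following is an added example, not Huawei code, that works through the address arithmetic of this command and of nat overlap-address (described earlier): it expands the range form of nat static into one entry per public port and enforces the rule that the number of public ports must equal the number of private addresses, applies the netmask form to translate a whole subnet in either direction, and maps an overlapped address to its temporary address by position in the pool. The addresses are the page's own examples; the helper names are ours.

```python
# Added example (not Huawei code): range expansion for nat static, the netmask form,
# and the nat overlap-address pool mapping. Helper names are ours; addresses are
# taken from the command examples on this page.
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _str(i):
    return str(ipaddress.IPv4Address(i))


def expand_static_pat(global_ip, global_port, global_port2, host_start, host_end, host_port):
    """nat static protocol tcp global G p1 p2 inside H1 H2 hp -> one entry per public port.
    Enforces that the number of public ports equals the number of private addresses."""
    ports = list(range(global_port, global_port2 + 1))
    hosts = [_str(a) for a in range(_ip(host_start), _ip(host_end) + 1)]
    if len(ports) != len(hosts):
        raise ValueError(f"{len(ports)} public ports but {len(hosts)} private addresses")
    return {(global_ip, p): (h, host_port) for p, h in zip(ports, hosts)}


def static_netmask_translate(global_addr, inside_addr, mask, ip, inbound=True):
    """nat static global G inside I netmask M: each host in G's subnet maps to the host
    with the same host bits in I's subnet. inbound=True translates a public destination
    to its private address; inbound=False translates a private source to its public one.
    Returns None when ip is outside the mapped subnet."""
    m = _ip(mask)
    if inbound:
        src_net, dst_net = _ip(global_addr), _ip(inside_addr)
    else:
        src_net, dst_net = _ip(inside_addr), _ip(global_addr)
    a = _ip(ip)
    if a & m != src_net & m:
        return None
    return _str((dst_net & m) | (a & ~m & 0xFFFFFFFF))


def overlap_translate(overlap_start, temp_start, length, ip, to_temp=True):
    """nat overlap-address: the i-th overlapped address maps to the i-th temporary address.
    to_temp=True maps overlapped -> temporary; to_temp=False maps back. None if out of range."""
    if to_temp:
        src, dst = _ip(overlap_start), _ip(temp_start)
    else:
        src, dst = _ip(temp_start), _ip(overlap_start)
    offset = _ip(ip) - src
    if not 0 <= offset < length:
        return None
    return _str(dst + offset)


if __name__ == "__main__":
    # The example from the NOTE: ports 11-12 on 1.1.1.1 -> 10.10.10.1-2, private port 30.
    print(expand_static_pat("1.1.1.1", 11, 12, "10.10.10.1", "10.10.10.2", 30))
    # The netmask example: 10.3.3.x (public) <-> 10.2.2.x (private), 24-bit mask.
    print(static_netmask_translate("10.3.3.3", "10.2.2.2", "255.255.255.0", "10.3.3.77"))
    # The overlap-address example: pool of 255 starting at 10.10.10.1 -> 10.100.100.1.
    print(overlap_translate("10.10.10.1", "10.100.100.1", 255, "10.10.10.200"))
```

Both the netmask and overlap forms are fixed offset mappings, so a mistake in the start address or pool length silently shifts every host to the wrong peer; checking a few boundary addresses as the functions do is a cheap way to confirm a configuration before traffic depends on it.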

Example

# Translate the combination of the public address 1.1.1.1 and port 200 in TCP packets to the combination of the private address 10.10.10.1 and port 300.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static protocol tcp global 1.1.1.1 200 inside 10.10.10.1 300

# Translate the IP addresses of packets from the VPN instance huawei on the network segment of 10.2.2.2 (24-bit mask) to the corresponding IP addresses on the network segment of 10.3.3.3 (24-bit mask).

<Huawei> system-view
[Huawei] ip vpn-instance huawei                                    
[Huawei-vpn-instance-huawei]  quit    
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static global 10.3.3.3 inside 10.2.2.2 vpn-instance huawei netmask 255.255.255.0

nat static (system view)

Function

The nat static command configures one-to-one NAT between private addresses and public addresses in the system view.

The undo nat static command deletes one-to-one NAT configured between private addresses and public addresses in the system view.

By default, no one-to-one NAT is configured.

Format

nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

Parameters

Parameter

Description

Value

protocol

Indicates a protocol.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures external address and port number.

-

global-address

Specifies the public IP address for NAT.

The value is in dotted decimal notation.

inside

Configures internal address and port number.

-

host-address

Specifies the private IP address for NAT.

The value is in dotted decimal notation.

host-address2

Specifies the private ending IP address for NAT.

-

global-port

Specifies the external service port number. In the address-only form of the command no port is given and the port is 0, meaning that every port of the public address is mapped to the private host.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535.

icmp

Applies the mapping to ICMP packets only.

-

tcp

Applies the mapping to TCP packets only.

-

udp

Applies the mapping to UDP packets only.

-

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

netmask mask

Indicates the network mask for static NAT.

The value ranges from 255.255.255.0 to 255.255.255.255.

description description

Indicates the NAT description.

The value is a string of 1 to 255 characters. The character string is case sensitive. It can contain spaces but cannot contain the question mark (?).

interface loopback interface-number

Uses the IP address of the specified loopback interface as the public address.

The value is an integer that ranges from 0 to 1023.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Static NAT indicates that a private address is statically bound to a public address when NAT is performed. The public IP address in static NAT is only used for translation of the unique and fixed private IP address of a host.

Static PAT indicates that a combination of the private address of a host, TCP/UDP protocol number, and internal port number is statically bound to a combination of the public address, TCP/UDP protocol number, and external port number. The public IP address in static PAT can be used for translation of multiple private addresses.

A static NAT or PAT mapping works in both directions: private hosts reach the public network through it, and public hosts can open connections to the mapped private address (every port of the host for static NAT, only the mapped port for static PAT). Map only the ports a server must expose, and apply a packet filter on the public interface to limit who can reach them; the translation itself is not access control.

NOTE:
  • The undo nat static command removes the configuration, but sessions already in the NAT session table keep using the old mapping until they age out. To drop them immediately, run the reset nat session command.

  • When host-address2 is specified, global-port2 and host-port must also be specified. The number of private addresses must be the same as the number of public port numbers. That is, the same public address maps different private addresses, and different public port numbers map the same private port number. For example, when nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30 is configured, 1.1.1.1 and public port 11 map 10.10.10.1 and private port 30, and 1.1.1.1 and public port 12 map 10.10.10.2 and private port 30.
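The two mapping rules above (pairwise expansion of a ranged static PAT entry, and block translation of an address-only entry under a netmask) can be checked offline before the entry is committed. The following Python model is an added example, not Huawei code; the function names are illustrative, and the entries it expands are the ones quoted on this page.

```python
"""Model of the mapping entries the nat static command creates (added example,
not device code). It reproduces two rules from the page: a ranged static PAT
entry pairs public ports with private addresses one-to-one, and an address-only
entry with netmask maps whole blocks while preserving the host bits."""
from ipaddress import IPv4Address, IPv4Network


def range_is_consistent(global_port, global_port2, inside_addr, inside_addr2):
    """Rule from the NOTE: one public port per private address, ranges ascending."""
    ports = global_port2 - global_port
    hosts = int(IPv4Address(inside_addr2)) - int(IPv4Address(inside_addr))
    return ports >= 0 and hosts >= 0 and ports == hosts


def expand_static_pat(global_addr, global_port, inside_addr, host_port=None,
                      global_port2=None, inside_addr2=None):
    """Return the (public ip, public port, private ip, private port) tuples one
    'nat static protocol {tcp|udp}' entry produces. host_port defaults to
    global_port, as the page states; the two ranges expand pairwise."""
    global_port2 = global_port if global_port2 is None else global_port2
    inside_addr2 = inside_addr if inside_addr2 is None else inside_addr2
    if not range_is_consistent(global_port, global_port2, inside_addr, inside_addr2):
        raise ValueError("number of private addresses must equal number of public ports")
    host_port = global_port if host_port is None else host_port
    base = int(IPv4Address(inside_addr))
    return [(global_addr, global_port + i, str(IPv4Address(base + i)), host_port)
            for i in range(global_port2 - global_port + 1)]


def translate_static(global_addr, inside_addr, netmask, address, direction):
    """Apply an address-only static entry to one address. The netmask keeps the
    host bits, so 'global 10.3.3.3 inside 10.2.2.2 netmask 255.255.255.0' maps
    10.2.2.x <-> 10.3.3.x. direction is 'outbound' (private source -> public)
    or 'inbound' (public destination -> private). Returns None on no match."""
    inside_net = IPv4Network(f"{inside_addr}/{netmask}", strict=False)
    global_net = IPv4Network(f"{global_addr}/{netmask}", strict=False)
    src_net, dst_net = ((inside_net, global_net) if direction == "outbound"
                        else (global_net, inside_net))
    addr = IPv4Address(address)
    if addr not in src_net:
        return None
    host_bits = int(addr) & int(src_net.hostmask)
    return str(IPv4Address(int(dst_net.network_address) | host_bits))


def exposed_private_addresses(inside_addr, netmask):
    """Number of private addresses an address-only entry makes reachable from the
    public side. Without a protocol/port restriction every port of each of them
    is reachable, so prefer static PAT for a server that needs one service."""
    return IPv4Network(f"{inside_addr}/{netmask}", strict=False).num_addresses


if __name__ == "__main__":
    # nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30
    for entry in expand_static_pat("1.1.1.1", 11, "10.10.10.1", 30, 12, "10.10.10.2"):
        print("%s:%d -> %s:%d" % entry)
    # nat static global 10.3.3.3 inside 10.2.2.2 netmask 255.255.255.0
    print(translate_static("10.3.3.3", "10.2.2.2", "255.255.255.0", "10.2.2.7", "outbound"))
    print(exposed_private_addresses("10.2.2.2", "255.255.255.0"), "private addresses exposed")
```

Run it against a planned entry before typing the command: a ValueError from range_is_consistent means the device would reject (or silently mis-pair) the ranges, and exposed_private_addresses shows how much of the private segment an address-only entry with netmask 255.255.255.0 opens to unsolicited inbound traffic.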

Example

# Map TCP port 43 of the LoopBack 4 interface address (192.168.8.8) to private host 192.168.2.55. No host port is given, so it defaults to 43.

<Huawei> system-view
[Huawei] interface loopback 4
[Huawei-LoopBack4] ip address 192.168.8.8 24
[Huawei-LoopBack4] quit 
[Huawei] nat static protocol tcp global interface loopback 4 43 inside 192.168.2.55 netmask 255.255.255.255

nat static enable

Function

The nat static enable command enables static NAT on an interface.

The undo nat static enable command disables static NAT on an interface.

By default, static NAT on an interface is disabled.

Format

nat static enable

undo nat static enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Using the nat static enable command, you can enable static NAT on an interface.

NOTE:
This command can be used only on Layer 3 interfaces other than loopback and NULL interfaces.

Example

# Enable static NAT on an interface.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static enable

nat mapping-mode

Function

The nat mapping-mode command sets the NAT mapping mode.

The undo nat mapping-mode command restores the NAT mapping mode.

By default, the NAT mapping mode is address and port-dependent.

Format

nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

undo nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

Parameters

Parameter

Description

Value

endpoint-independent

Indicates the endpoint-independent mode.

-

protocol-name

Indicates the protocol type.

The value is tcp or udp.

dest-port port-number

Restricts endpoint-independent mapping to packets whose destination port is the specified port; other packets keep the default mapping mode.

The value is an integer that ranges from 1 to 65535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

NAT conserves IPv4 addresses and hides the internal addressing plan, but it also breaks applications that carry endpoint addresses in their payload. Because vendors implement NAT mapping differently, applications that rely on STUN, TURN, or ICE (chiefly SIP proxies and clients) may fail to traverse some NAT devices. Setting the NAT mapping mode lets these applications traverse the device.

NAT mapping has the following modes:

  • Endpoint-independent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Address and port-dependent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.
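The practical difference between the two modes is whether the public port a STUN server reports is the port a later peer will see. The simulation below is an added example, not device code: it models only how a public port is chosen and reused (sequential allocation from 1024 behind an assumed public address 203.0.113.1), not filtering or aging, and the eim_dest_port argument mirrors the dest-port option of the command.

```python
"""Simulation of the two NAT mapping behaviours named above (added example).
Models only how a public port is chosen and reused, not filtering or aging."""
from itertools import count


class NatMapper:
    """mode is 'endpoint-independent' or 'address-and-port-dependent' (the default).
    eim_dest_port mirrors the dest-port option: endpoint-independent mapping
    then applies only to packets sent to that destination port."""

    def __init__(self, mode, eim_dest_port=None, public_ip="203.0.113.1", first_port=1024):
        if mode not in ("endpoint-independent", "address-and-port-dependent"):
            raise ValueError(mode)
        self.mode = mode
        self.eim_dest_port = eim_dest_port
        self.public_ip = public_ip
        self._next_port = count(first_port)   # assumed sequential allocation
        self.table = {}                         # mapping key -> (public ip, public port)

    def _key(self, src, dst):
        eim = self.mode == "endpoint-independent" and (
            self.eim_dest_port is None or dst[1] == self.eim_dest_port)
        # EIM: the mapping depends on the internal source only, so every external
        # endpoint sees (and can reach) the same public port.
        # APDM: the mapping also depends on the external address and port, so
        # each destination gets its own public port (a "symmetric" NAT).
        return src if eim else (src, dst)

    def map_outbound(self, src, dst):
        """Return the (public ip, public port) used for a packet src -> dst,
        creating a new mapping on first use."""
        key = self._key(src, dst)
        if key not in self.table:
            self.table[key] = (self.public_ip, next(self._next_port))
        return self.table[key]


def stun_probe(mode, eim_dest_port=None):
    """One internal socket first asks a STUN server (port 3478) for its public
    port, then sends to a SIP peer (port 5060). STUN/ICE-style traversal only
    works if the peer sees the same public port the STUN server reported."""
    nat = NatMapper(mode, eim_dest_port)
    client = ("10.1.1.5", 40000)
    via_stun = nat.map_outbound(client, ("198.51.100.10", 3478))[1]
    via_peer = nat.map_outbound(client, ("192.0.2.77", 5060))[1]
    return via_stun, via_peer


if __name__ == "__main__":
    for mode in ("address-and-port-dependent", "endpoint-independent"):
        stun, peer = stun_probe(mode)
        print(f"{mode:28s} STUN saw {stun}, peer saw {peer}: "
              f"{'traversal works' if stun == peer else 'STUN result is useless'}")
```

The flip side of the endpoint-independent mode is that the public port becomes stable and therefore predictable for any external host; enabling it only for the protocol and destination port the SIP application needs keeps the rest of the mapping table in the default mode.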

Example

# Enable the endpoint-independent mapping mode for TCP packets.

<Huawei> system-view
[Huawei] nat mapping-mode endpoint-independent tcp

# Enable the endpoint-independent mapping mode for TCP and UDP packets.

<Huawei> system-view
[Huawei] nat mapping-mode endpoint-independent 

port-mapping

Function

The port-mapping command configures the mappings between ports and application-layer protocols.

The undo port-mapping command deletes the mappings between ports and application-layer protocols.

Format

port-mapping { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number

undo port-mapping { all | { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number }

Parameters

Parameter

Description

Value

all

Deletes the mappings from all ports.

-

dns

Specifies the mapping between the DNS protocol and a port.

-

ftp

Specifies the mapping between the FTP protocol and a port.

-

sip

Specifies the mapping between the SIP protocol and a port.

-

rtsp

Specifies the mapping between the RTSP protocol and a port.

-

pptp

Specifies the mapping between the PPTP protocol and a port.

-

http

Specifies the mapping between the HTTP protocol and a port.

-

port port-number

Specifies the port mapping to a protocol.

The value of port-number is an integer that ranges from 1 to 65535.

acl acl-number

Specifies the ACL that controls the packets to which port mapping is applied.

The value of acl-number is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Port mapping tells the device which application-layer protocol runs on a non-well-known port, so that a server can offer the service on that port and the device still recognizes and processes the protocol. For example, the well-known port of the HTTP service is port 80; after port-mapping http port 10 is configured, traffic to port 10 is handled as HTTP.

Moving a service off its well-known port only reduces exposure to opportunistic scans of that port; it is not access control. Use the acl parameter to limit the packets to which the mapping applies.

Example

# Map the HTTP service to port 10 and apply ACL 2000 to select the packets the mapping applies to. The rule permit statement in this example matches all packets; narrow it in production.

<Huawei> system-view
[Huawei] acl 2000 
[Huawei-acl-basic-2000] rule  permit 
[Huawei-acl-basic-2000] quit  
[Huawei] port-mapping http port 10 acl 2000

reset nat session

Function

The reset nat session command deletes entries from the NAT mapping table.

Format

reset nat session { all | transit interface interface-type interface-number [ .subnumber ] }

Parameters

Parameter

Description

Value

all

Deletes all entries from the NAT mapping table.

-

transit

Deletes the entries of traffic passing a specified interface.

-

interface interface-type interface-number [ .subnumber ]

Indicates the type and number of an interface or a sub-interface.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the nat alg, nat server, nat static, or nat outbound configuration is changed, sessions that already have entries in the NAT mapping table continue to be forwarded according to the old configuration. Run the reset nat session command to clear those entries so that the new configuration applies to all traffic. The command deletes either all entries or only the entries of traffic passing through a specified interface.

Precautions

  • After this command is run, the entries are deleted from the NAT mapping table and the new NAT configuration takes effect immediately.
  • After running this command, wait at least 10 seconds before running it again; otherwise, an error message is displayed.
  • Deleting entries interrupts the sessions they belong to; those sessions must be re-established, so expect a short service disruption, especially with the all keyword.

Example

# Delete all entries from the NAT mapping table.

<Huawei> system-view
[Huawei] reset nat session all
Warning:The current all NAT sessions will be deleted. 
Are you sure to continue?[Y/N] y

# Delete entries from the NAT mapping table for traffic passing through GigabitEthernet0/0/1.
<Huawei> system-view
[Huawei] reset nat session transit interface gigabitethernet 0/0/1
Warning:The current all NAT sessions transiting GigabitEthernet0/0/1 will be deleted. 
Are you sure to continue?[Y/N] y

tcp proxy

Function

The tcp proxy command enables the TCP proxy function.

The undo tcp proxy command disables the TCP proxy function.

By default, the TCP proxy function is disabled on the device.
NOTE:

Only V200R007C01 supports this command.

Format

tcp proxy ip-address port-number [ acl acl-number ]

undo tcp proxy

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address bound to the TCP proxy.

The value is in dotted decimal notation. The IP address can only be a unicast IP address on the local device.

port-number

Specifies the listening port of the TCP proxy.

The value is an integer that ranges from 1024 to 65000.

This port number cannot be occupied by other modules.

acl acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 3000 to 3999.

Use the ACL to restrict the source addresses allowed to connect to the proxy listener; without it, the listener accepts TCP connections from any host that can reach ip-address.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

In the SIP ALG scenario, a SIP message that is larger than one TCP segment is split by the SIP client across several segments. The SIP ALG rewrites addresses inside the message, so it must see the whole message. Enable the TCP proxy function so that the device reassembles the segments into the original SIP message, performs NAT on it, and then forwards it to the SIP server.

With the TCP proxy enabled, the device listens on the specified IP address and port and completes the TCP handshake with host A, the host that initiates the connection. It then opens a separate TCP connection to host B, the destination that host A wanted to reach, and relays between the two so that hosts A and B communicate normally. The proxy therefore terminates TCP on the device itself; the listening port and the acl parameter define what the device accepts.
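To see why per-segment rewriting is not enough, the following Python model is an added example, not Huawei code. The SIP INVITE, its SDP body, the private and public addresses (10.1.1.5 and 203.0.113.10) and the segment boundary are all constructed for the demo; the proxy class models only the reassembly-then-rewrite step, not the two TCP connections the real tcp proxy maintains.

```python
"""Why the SIP ALG needs the TCP proxy (added example, not Huawei code): a SIP
message that spans several TCP segments cannot be rewritten segment by segment.
The SIP INVITE below and the segment boundary are constructed for the demo."""
import re

PRIVATE, PUBLIC = "10.1.1.5", "203.0.113.10"      # assumed private and public addresses
CL_RE = re.compile(rb"(?mi)^Content-Length:\s*(\d+)")


def build_sip(headers, body):
    """Assemble a SIP message; Content-Length is computed, never hand-written."""
    head = b"\r\n".join(headers + [b"Content-Length: %d" % len(body)])
    return head + b"\r\n\r\n" + body


SDP = (b"v=0\r\n"
       b"o=alice 2890844526 2890844526 IN IP4 10.1.1.5\r\n"
       b"c=IN IP4 10.1.1.5\r\n"
       b"m=audio 49170 RTP/AVP 0\r\n")
INVITE = build_sip([b"INVITE sip:bob@example.net SIP/2.0",
                    b"Via: SIP/2.0/TCP 10.1.1.5:5060;branch=z9hG4bK776",
                    b"Contact: <sip:alice@10.1.1.5:5060;transport=tcp>",
                    b"Content-Type: application/sdp"], SDP)


def split_at(message, offsets):
    """Cut a byte string into 'TCP segments' at the given offsets."""
    cuts = [0] + sorted(offsets) + [len(message)]
    return [message[a:b] for a, b in zip(cuts, cuts[1:])]


def rewrite_sip(message, private, public):
    """NAT a complete SIP message: replace the private address in headers and
    SDP body, then fix Content-Length, which changes with the address length."""
    head, sep, body = message.partition(b"\r\n\r\n")
    head = head.replace(private.encode(), public.encode())
    body = body.replace(private.encode(), public.encode())
    head = CL_RE.sub(b"Content-Length: %d" % len(body), head)
    return head + sep + body


def per_segment_rewrite(segments, private, public):
    """What an ALG without reassembly can do: rewrite each segment on its own.
    An address split across two segments is missed and Content-Length is not
    updated, so the server receives a corrupt message with a leaked address."""
    return b"".join(s.replace(private.encode(), public.encode()) for s in segments)


class ReassemblingProxy:
    """Minimal model of the tcp proxy's reassembly step: buffer segments until
    the header block and Content-Length bytes of body are present, then rewrite
    the whole message. (The real proxy also terminates both TCP connections.)"""

    def __init__(self, private, public):
        self.buf, self.private, self.public = b"", private, public

    def feed(self, segment):
        """Return the rewritten message once it is complete, else None."""
        self.buf += segment
        head, sep, rest = self.buf.partition(b"\r\n\r\n")
        if not sep:
            return None
        m = CL_RE.search(head)
        need = int(m.group(1)) if m else 0
        if len(rest) < need:
            return None
        end = len(head) + len(sep) + need
        message, self.buf = self.buf[:end], self.buf[end:]
        return rewrite_sip(message, self.private, self.public)


def leaked_private_addresses(data, private):
    return data.count(private.encode())


def content_length_consistent(message):
    head, sep, body = message.partition(b"\r\n\r\n")
    m = CL_RE.search(head)
    return bool(sep) and m is not None and int(m.group(1)) == len(body)


if __name__ == "__main__":
    # Constructed boundary: the segment cut lands inside the c= address.
    segments = split_at(INVITE, [INVITE.rindex(PRIVATE.encode()) + 4])
    naive = per_segment_rewrite(segments, PRIVATE, PUBLIC)
    print("per-segment: leaked", leaked_private_addresses(naive, PRIVATE),
          "Content-Length ok:", content_length_consistent(naive))
    proxy = ReassemblingProxy(PRIVATE, PUBLIC)
    out = next(r for r in map(proxy.feed, segments) if r is not None)
    print("reassembled: leaked", leaked_private_addresses(out, PRIVATE),
          "Content-Length ok:", content_length_consistent(out))
```

The per-segment path both leaks the private address to the SIP server and leaves Content-Length wrong, which is exactly the failure the TCP proxy exists to prevent; the reassembling path produces a consistent, fully translated message.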

Precautions

After the TCP proxy function is disabled, the device tears down the TCP connections it set up with all hosts and deletes its session table. Run the reset nat session all command to also delete all flow table information.

Example

# Enable the TCP proxy function.

<Huawei> system-view
[Huawei] tcp proxy 10.1.1.1 3333

tcp proxy aging-time

Function

The tcp proxy aging-time command sets the aging time of a TCP connection set up by the TCP proxy.

The undo tcp proxy aging-time command restores the default aging time of a TCP connection set up by the TCP proxy.

By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.
NOTE:

Only V200R007C01 supports this command.

Format

tcp proxy aging-time aging-time

undo tcp proxy aging-time

Parameters

Parameter

Description

Value

aging-time

Specifies the aging time of a TCP connection set up by the TCP proxy.

The value is an integer that ranges from 10 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

As described for the tcp proxy command, a SIP message larger than one TCP segment arrives in several segments; the TCP proxy reassembles them into the original SIP message so that the device can perform NAT on it before forwarding it to the SIP server.

When the TCP proxy function is enabled, the device exchanges TCP keepalive packets with a host after setting up a TCP connection with it. If no keepalive packet arrives from the host within three times the aging time (360 seconds with the default of 120 seconds), the device deletes the TCP connection and the corresponding session entry.

Example

# Set the aging time of a TCP connection set up by the TCP proxy to 240 seconds.

<Huawei> system-view
[Huawei] tcp proxy aging-time 240
Updated: 2019-05-29

Document ID: EDOC1000097293