AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 Command Reference

NAT Configuration Commands

display firewall-nat session aging-time

Function

The display firewall-nat session aging-time command displays the timeout interval of entries in the firewall session table or NAT session table.

Format

display firewall-nat session aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the timeout interval of sessions in the firewall session table or NAT session table.

Example

# Display the timeout interval of all entries in the session table.

<Huawei> display firewall-nat session aging-time
---------------------------------------------                                   
Protocol timeout:
  tcp protocol timeout         : 600   (s)                                      
  tcp-proxy timeout            : 10    (s)                                      
  http protocol timeout        : 120   (s)                                      
  udp protocol timeout         : 120   (s) 
  icmp protocol timeout        : 20    (s)                                      
  dns protocol timeout         : 120   (s)                                      
  ftp protocol timeout         : 120   (s)                                      
  ftp-data protocol timeout    : 120   (s)                                      
  rtsp protocol timeout        : 60    (s)                                      
  rtsp-media protocol timeout  : 120   (s)                                      
  sip protocol timeout         : 1800  (s)                                      
  sip-media protocol timeout   : 120   (s)                                      
User-define port timeout:
  tcp protocol port 10001     : 65535 (s)                                       
  tcp protocol port 1         : 111   (s)                                       
  tcp protocol port 4443      : 65535 (s)                                       
  tcp protocol port 181       : 180   (s)                                       
  udp protocol port 180       : 180   (s)                                       
  udp protocol port 182       : 208   (s)           
---------------------------------------------  
Table 8-47  Description of the display firewall-nat session aging-time command output

Item

Description

Protocol timeout

Session timeout interval of each protocol.

tcp protocol timeout

Timeout interval of TCP connections. The default value is 600, in seconds.

tcp-proxy timeout

Timeout interval of the TCP proxy. The default value is 10, in seconds.

udp protocol timeout

Timeout interval of UDP connections. The default value is 120, in seconds.

icmp protocol timeout

Timeout interval of ICMP connections. The default value is 20, in seconds.

dns protocol timeout

Timeout interval of the DNS protocol. The default value is 120, in seconds.

http protocol timeout

Timeout interval of HTTP connections. The default value is 120, in seconds.

ftp protocol timeout

Timeout interval of the FTP control connection. The default value is 120, in seconds.

ftp-data protocol timeout

Timeout interval of the FTP data connection. The default value is 120, in seconds.

sip protocol timeout

Timeout interval of the SIP protocol. The default value is 1800, in seconds.

sip-media protocol timeout

Timeout interval of the SIP media protocol. The default value is 120, in seconds.

rtsp protocol timeout

Timeout interval of the RTSP protocol. The default value is 60, in seconds.

rtsp-media protocol timeout

Timeout interval of the RTSP media protocol. The default value is 120, in seconds.

User-define port timeout

Timeout interval of a connection with a user-defined port as the destination port.

tcp protocol port port-number

Timeout interval of a data connection with a user-defined TCP port as the destination port. The default value is the default data connection timeout interval of the corresponding protocol, in seconds.

udp protocol port port-number

Timeout interval of a data connection with a user-defined UDP port as the destination port. The default value is the default data connection timeout interval of the corresponding protocol, in seconds.
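The output above is fixed-width text, which makes it easy to audit automatically. The following Python is an added example, not part of the Huawei reference: it parses a constructed copy of this output, reports protocol timers that differ from the documented defaults, and flags user-defined port timers above a threshold (the 65535-second entries above keep idle NAT state for more than 18 hours, which a configuration review should catch). The default table is taken from this page; the threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed copy of the output shown above (trailing whitespace trimmed).
SAMPLE_OUTPUT = """\
<Huawei> display firewall-nat session aging-time
---------------------------------------------
Protocol timeout:
  tcp protocol timeout         : 600   (s)
  tcp-proxy timeout            : 10    (s)
  http protocol timeout        : 120   (s)
  udp protocol timeout         : 120   (s)
  icmp protocol timeout        : 20    (s)
  dns protocol timeout         : 120   (s)
  ftp protocol timeout         : 120   (s)
  ftp-data protocol timeout    : 120   (s)
  rtsp protocol timeout        : 60    (s)
  rtsp-media protocol timeout  : 120   (s)
  sip protocol timeout         : 1800  (s)
  sip-media protocol timeout   : 120   (s)
User-define port timeout:
  tcp protocol port 10001     : 65535 (s)
  tcp protocol port 1         : 111   (s)
  tcp protocol port 4443      : 65535 (s)
  tcp protocol port 181       : 180   (s)
  udp protocol port 180       : 180   (s)
  udp protocol port 182       : 208   (s)
---------------------------------------------
"""

# Defaults as listed in this command's description table and in the
# firewall-nat session aging-time usage guidelines on this page.
DEFAULT_TIMEOUTS = {
    "tcp": 600, "tcp-proxy": 10, "udp": 120, "icmp": 20, "dns": 120,
    "http": 120, "ftp": 120, "ftp-data": 120, "sip": 1800,
    "sip-media": 120, "rtsp": 60, "rtsp-media": 120,
}

PROTO_LINE = re.compile(r"^\s*(\S+)(?: protocol)? timeout\s*:\s*(\d+)\s*\(s\)")
PORT_LINE = re.compile(r"^\s*(tcp|udp) protocol port (\d+)\s*:\s*(\d+)\s*\(s\)")


@dataclass(frozen=True)
class Timeout:
    kind: str      # "protocol" or "port"
    name: str      # e.g. "tcp", "tcp-proxy" or "tcp/10001"
    seconds: int


def parse_aging_time(text):
    """Parse both sections of the command output into Timeout records."""
    entries, section = [], None
    for line in text.splitlines():
        if line.startswith("Protocol timeout:"):
            section = "protocol"
        elif line.startswith("User-define port timeout:"):
            section = "port"
        elif section == "protocol" and (m := PROTO_LINE.match(line)):
            entries.append(Timeout("protocol", m.group(1), int(m.group(2))))
        elif section == "port" and (m := PORT_LINE.match(line)):
            entries.append(Timeout("port", f"{m.group(1)}/{m.group(2)}", int(m.group(3))))
    return entries


def audit(entries, max_port_timeout=3600):
    """Flag protocol timers changed from their defaults and user-defined port
    timers above max_port_timeout: the longer a timer, the longer an idle or
    abandoned flow keeps its slot in the session table."""
    findings = []
    for e in entries:
        if e.kind == "protocol":
            default = DEFAULT_TIMEOUTS.get(e.name)
            if default is not None and e.seconds != default:
                findings.append(f"{e.name}: {e.seconds}s differs from default {default}s")
        elif e.seconds > max_port_timeout:
            findings.append(f"{e.name}: {e.seconds}s exceeds {max_port_timeout}s")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_aging_time(SAMPLE_OUTPUT)):
        print(finding)
```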

display nat address-group

Function

The display nat address-group command displays the configuration of a NAT address pool.

Format

display nat address-group [ group-index ] [ verbose ]

Parameters

Parameter

Description

Value

group-index

Indicates the index of a NAT address pool.

The value must be an existing NAT address pool index.

verbose

Displays details about the NAT address pool.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Use this command to check the configuration of a NAT address pool and where it is referenced.

Example

# Display all the NAT address pools.

<Huawei> display nat address-group
NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1            10.1.1.1        10.1.1.10
 2         10.10.10.10      10.10.10.15
 --------------------------------------
  Total : 2   

# Display the NAT address pool according to the index of the NAT address pool.

<Huawei> display nat address-group 1 
 NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1            10.1.1.1        10.1.1.10
 --------------------------------------
  Total : 1 

# Display details about the NAT address pool.

<Huawei> display nat address-group 1 verbose
NAT Address-Group Information:
 -----------------------------------------------------------
 Index   Start-address      End-address  Ref-times  Ref-type
 -----------------------------------------------------------
 1            10.1.1.1        10.1.1.10          0      ----
 -----------------------------------------------------------
  Total : 1  
Table 8-48  Description of the display nat address-group command output

Item

Description

NAT Address-Group Information

Information about the NAT address pool.

Index

Index of the NAT address pool.

Start-address

Start IP address of the NAT address pool.

End-address

End IP address of the NAT address pool.

Ref-times

Number of times that a NAT address pool is referenced.

Ref-type

Mode in which the NAT address pool is referenced.

  • pat: translates the IP address and port information of data packets.
  • no-pat: only translates the IP addresses of data packets, not port information.
  • ----: indicates that the NAT address pool is not referenced.

Total

Number of NAT address pools.

display nat alg

Function

The display nat alg command displays whether NAT application level gateway (ALG) is enabled for an application layer protocol.

Format

display nat alg

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the status of NAT ALG.

<Huawei> display nat alg
NAT Application Level Gateway Information:                                      
----------------------------------                                              
  Application            Status                                                 
----------------------------------                                              
  dns                    Disabled                                               
  ftp                    Disabled                                               
  rtsp                   Enabled                                                
  sip                    Disabled                                               
  pptp                   Disabled                                               
----------------------------------     
Table 8-49  Description of the display nat alg command output

Item

Description

NAT Application Level Gateway Information

Information about the NAT ALG.

Application

Application protocol type.

Status

Whether the NAT ALG function is enabled.

display nat sip cac bandwidth information

Function

The display nat sip cac bandwidth information command displays the current total bandwidth and occupied bandwidth on the device.

Format

display nat sip cac bandwidth information [ verbose ]

Parameters

Parameter

Description

Value

verbose

Displays details about the current total bandwidth and occupied bandwidth.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display details about the current total bandwidth and occupied bandwidth on the device.

<Huawei> display nat sip cac bandwidth information verbose
------------------------------------------------------------------------------- 
Total Bandwidth(Kbps)       Used Bandwidth(Kbps)                                
  3000                        1900                                                 
------------------------------------------------------------------------------- 
Src-IP          Src-Port Dest-IP         Dest-Port Protocol Used Bandwidth(Kbps)
192.168.0.4     50       1.1.1.1         5060      udp        1900
-------------------------------------------------------------------------------
Table 8-50  Description of the display nat sip cac bandwidth information verbose command output

Item

Description

Total Bandwidth

Total bandwidth on the device, in Kbps.

To configure the total bandwidth, run the nat sip cac enable command.

Used Bandwidth

Occupied bandwidth on the device, in Kbps.

Src-IP

Source IP address, that is, calling-party IP address.

Src-Port

Source port number, that is, calling-party port number.

Dest-IP

Destination IP address, that is, called-party IP address.

Dest-Port

Destination port number, that is, called-party port number.

Protocol

Protocol of the SIP call; only UDP is supported.

display nat dns-map

Function

The display nat dns-map command displays the configuration of DNS mapping.

Format

display nat dns-map [ domain-name ]

Parameters

Parameter

Description

Value

domain-name

Specifies the valid domain name that can be resolved by the DNS server.

The value is a string of 1 to 255 case-insensitive characters without spaces. The string cannot contain the following characters: / : < > @ \ | % ' ".

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the configuration of NAT DNS mapping.

 <Huawei> display nat dns-map
  NAT DNS mapping information:
  Domain-name : www.huawei.com                                                  
  Global IP   : gigabitethernet0/0/1 (Real IP : 192.168.4.2)                    
  Global port : 2                                                               
  Protocol    : tcp

  Total : 1  
Table 8-51  Description of the display nat dns-map command output

Item

Description

NAT DNS mapping information

Information about NAT DNS mapping.

Domain-name

Domain name.

Global IP

IP address provided for external access.

Global port

Port number provided for external access.

Protocol

Type of the protocol carried over IP.

Total

Number of NAT DNS mapping information items.

display nat filter-mode

Function

The display nat filter-mode command displays the current NAT filtering mode.

Format

display nat filter-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the current NAT filtering mode. The modes include:
  • endpoint-independent: independent of the external address and port.
  • endpoint-dependent: dependent on the external address and independent of the port.
  • endpoint-and-port-dependent: dependent on the external address and port.
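To make the three modes concrete, the following Python is an added example, not from the Huawei reference, that models how each filtering mode treats inbound packets arriving at an existing mapping. The addresses are constructed from RFC 5737 documentation ranges, and the mapping side is assumed to be endpoint-independent, as in the display nat mapping-mode output later on this page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

FILTER_MODES = ("endpoint-independent", "endpoint-dependent", "endpoint-and-port-dependent")


@dataclass
class Mapping:
    """One NAT mapping and the external endpoints the inside host has sent to through it."""
    inside: tuple[str, int]
    external: tuple[str, int]
    contacted: set[tuple[str, int]] = field(default_factory=set)


def inbound_allowed(mapping: Mapping, src: tuple[str, int], mode: str) -> bool:
    """Apply the filtering rule of the given mode to a packet from src that
    arrives at mapping.external."""
    if mode == "endpoint-independent":
        return True                                  # any external host may use the mapping
    if mode == "endpoint-dependent":
        return any(ip == src[0] for ip, _ in mapping.contacted)  # address must match, port is free
    if mode == "endpoint-and-port-dependent":
        return src in mapping.contacted              # address and port must both match
    raise ValueError(f"unknown NAT filter mode: {mode}")


class NatTable:
    """Minimal model: endpoint-independent mapping (one global port per inside
    endpoint, as 'display nat mapping-mode' shows later on this page) plus a
    selectable filtering mode for inbound packets."""

    def __init__(self, global_ip: str, first_port: int = 40000):
        self.global_ip, self.next_port = global_ip, first_port
        self.mappings: dict[tuple[str, int], Mapping] = {}

    def outbound(self, inside, dst):
        """Inside host sends to dst: reuse its mapping or allocate a new global port."""
        for m in self.mappings.values():
            if m.inside == inside:
                m.contacted.add(dst)
                return m.external
        ext = (self.global_ip, self.next_port)
        self.next_port += 1
        self.mappings[ext] = Mapping(inside, ext, {dst})
        return ext

    def inbound(self, dst, src, mode):
        """Return the inside endpoint an inbound packet is forwarded to, or None if dropped."""
        m = self.mappings.get(dst)
        if m is None or not inbound_allowed(m, src, mode):
            return None
        return m.inside


def compare_modes():
    """Constructed scenario (RFC 5737 documentation addresses): the inside host
    talks to 198.51.100.20:443, then three different sources probe the mapping."""
    probes = {
        "same host, same port": ("198.51.100.20", 443),
        "same host, other port": ("198.51.100.20", 8443),
        "unrelated host": ("198.51.100.77", 443),
    }
    results = {}
    for mode in FILTER_MODES:
        nat = NatTable("203.0.113.5")
        ext = nat.outbound(("192.168.1.10", 5000), ("198.51.100.20", 443))
        results[mode] = {name: nat.inbound(ext, src, mode) is not None
                         for name, src in probes.items()}
    return results


if __name__ == "__main__":
    for mode, verdicts in compare_modes().items():
        print(mode, verdicts)
```

Only endpoint-and-port-dependent filtering limits inbound traffic to the peer the inside host actually spoke to; endpoint-independent filtering lets any external host reach the mapped port for as long as the mapping lives.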

Example

# Display the current NAT filtering mode.

<Huawei> display nat filter-mode
Nat filter mode is : endpoint-independent     
Table 8-52  Description of the display nat filter-mode command output

Item

Description

Nat filter mode is

The current NAT filtering mode.

display nat outbound

Function

The display nat outbound command displays information about outbound NAT.

Format

display nat outbound [ acl acl-number | address-group group-index | interface interface-type interface-number [ .subnumber ] ]

Parameters

Parameter

Description

Value

acl acl-number

Specifies the number of a basic ACL or an advanced ACL.

The value must be an existing ACL number.

address-group group-index

Specifies the index of a NAT address pool.

The value must be an existing address pool index.

interface interface-type interface-number [ .subnumber ]

Specifies the type and number of an interface or a sub-interface.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all information about outbound NAT.

<Huawei> display nat outbound
 NAT Outbound Information:                                                      
 --------------------------------------------------------------------------     
 Interface                     Acl     Address-group/IP/Interface      Type     
 --------------------------------------------------------------------------     
 GigabitEthernet0/0/2         2000                              1    no-pat     
 --------------------------------------------------------------------------     
  Total : 1 
Table 8-53  Description of the display nat outbound command output

Item

Description

Interface

Name of an interface.

Acl

Basic or advanced ACL that is in use.

Address-group/IP/Interface

Index of the NAT address pool, IP address, or loopback interface used for the translation.

Type

Type of NAT. (If no NAT address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is used.)

Total

Number of outbound NAT information items.

display nat overlap-address

Function

The display nat overlap-address command displays information about the mapping between the overlapped address pool and the temporary address pool.

Format

display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name }

Parameters

Parameter

Description

Value

map-index

Specifies the index of the mapping between the overlapped address pool and the temporary address pool.

The value must be an existing mapping index.

all

Displays the configuration of all the overlapped address pools.

-

inside-vpn-instance inside-vpn-instance-name

Specifies the VPN instance of the private network.

The value is a string of 1 to 31 characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the configuration of all the overlapped address pools.

<Huawei> display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
 Id  Overlap-Address  Temp-Address    Pool-Length         Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
 1   10.2.2.2         10.3.10.10        255                            cmml                
 -------------------------------------------------------------------------------
  Total : 1    
Table 8-54  Description of the display nat overlap-address command output

Item

Description

Id

Index of the mapping between the overlapped address pool and the temporary address pool.

Overlap-Address

Start IP address of the overlapped address pool.

Temp-Address

Start IP address of the temporary address pool.

Pool-Length

Length of the address pool.

Inside-VPN-Instance-Name

Name of the VPN instance of the private network.

display nat server

Function

The display nat server command displays the configuration of the NAT server.

Format

display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ]

Parameters

Parameter

Description

Value

global global-address

Indicates the public address of the NAT server.

The value is in dotted decimal notation.

inside host-address

Indicates the private address of the NAT server.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

interface interface-type interface-number [ .subnumber ]

Indicates the type and number of an interface or a sub-interface.

-

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use this command to check whether the NAT server is configured correctly.

Example

# Display the configuration of all NAT servers.

<Huawei> display nat server
    Nat Server Information:                                                       
    Interface  : GigabitEthernet1/0/0                                       
    Global IP/Port     : 1.1.1.1/1~2                                            
    Inside IP/Port     : 10.10.10.2~10.10.10.3/1                                      
    Protocol : 6(tcp)                                                           
    VPN instance-name  : ----                                                   
    Acl number         : ----                                                   
    Vrrp id            : ----                                                   
    Description : ---- 
                                                                                    
  Total :    1
Table 8-55  Description of the display nat server command output

Item

Description

Nat Server Information

Information about the NAT server.

Interface

Name of an interface.

Global IP/Port

Public IP address and port number.

Inside IP/Port

Private IP address and port number.

Protocol

Protocol number and protocol type.

VPN instance-name

Name of the VPN instance.

Acl number

Number of the ACL in the NAT server.

Vrrp id

VRRP ID.

Description

NAT description.

Total

Number of NAT servers.

display nat session

Function

The display nat session command displays the NAT mapping table.

Format

display nat session { all [ verbose ] | number }

display nat session protocol { protocol-name | protocol-number } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

display nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display nat session destination destination-address [ destination-port ] [ verbose ]

Parameters

Parameter

Description

Value

all

Displays all entries in the NAT mapping table.

-

verbose

Displays detailed information about the NAT mapping table.

-

number

Displays the number of entries in the NAT mapping table.

-

protocol { protocol-name | protocol-number }

Displays the NAT mapping table with a specified protocol type or port number.

  • The value of protocol-name can be icmp, tcp, or udp.
  • The value of protocol-number is an integer that ranges from 1 to 255.

source source-address [ source-port ]

Specifies the source IP address and port number before the NAT translation.

  • source-address: The value is in dotted decimal notation.
  • source-port: The value is an integer that ranges from 1 to 65535.

destination destination-address [ destination-port ]

Specifies the destination IP address and port number before the NAT translation.

  • destination-address: The value is in dotted decimal notation.
  • destination-port: The value is an integer that ranges from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays information about the NAT mapping table. You can view information about all entries or display information by specifying keywords. The entries in a NAT mapping table are triggered by service packets. If the device does not receive any service packet, no entry is generated.

Example

# Display details about all entries in the NAT mapping table.

<Huawei> display nat session all verbose
  NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21

     Protocol          : UDP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.3
       New DestPort    : 21

  Total : 2
Table 8-56  Description of the display nat session all verbose command output

Item

Description

NAT Session Table Information

Information about NAT mapping entries.

Protocol

Protocol type.

SrcAddr Port Vpn

Source address, service port number, and VPN instance name before the translation.

DestAddr Port Vpn

Destination address, service port number, and VPN instance name before the translation.

Time To Live

Time to live (TTL) of the mapping table entries.

NAT-Info

NAT information.

New SrcAddr

Source address after the translation.

New SrcPort

Source port number after the translation.

New DestAddr

Destination address after the translation.

New DestPort

Destination port number after the translation.

Total

Number of NAT mapping entries.
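During an investigation the usual question is which inside host was behind a translated address and port that an external party reported. The following Python is an added example, not part of the Huawei reference: it parses a constructed sample in the format of the output above and answers that question. The sample's addresses and the vpn1 instance name are made up.

```python
import re

# Constructed sample in the format of the output above; addresses and the
# "vpn1" instance name are made up for this example.
SAMPLE_SESSIONS = """\
  NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.200.200.201 5060 vpn1
     DestAddr Port Vpn : 10.100.100.100 5060
     Time To Live      : 120 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10241
       New DestAddr    : 10.30.30.30
       New DestPort    : 5060

  Total : 2
"""

WANTED = {"Protocol", "SrcAddr Port Vpn", "DestAddr Port Vpn", "Time To Live",
          "New SrcAddr", "New SrcPort", "New DestAddr", "New DestPort"}
KV = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def endpoint(value):
    """'address port [vpn]' -> (address, port, vpn-instance or None)."""
    parts = value.split()
    return parts[0], int(parts[1]), (parts[2] if len(parts) > 2 else None)


def _typed(raw):
    """Convert one record's raw strings into typed fields."""
    name, number = re.match(r"(\w+)\((\d+)\)", raw["Protocol"]).groups()
    return {
        "protocol": name,
        "protocol_number": int(number),
        "src": endpoint(raw["SrcAddr Port Vpn"]),
        "dst": endpoint(raw["DestAddr Port Vpn"]),
        "ttl": int(raw["Time To Live"].split()[0]),
        "new_src": (raw["New SrcAddr"], int(raw["New SrcPort"])),
        "new_dst": (raw["New DestAddr"], int(raw["New DestPort"])),
    }


def parse_sessions(text):
    """Records are separated by blank lines; the header and Total lines carry
    no wanted keys and are skipped."""
    sessions, raw = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if "Protocol" in raw:
                sessions.append(_typed(raw))
            raw = {}
            continue
        m = KV.match(line)
        if m:
            key = " ".join(m.group(1).split())   # collapse the padded column spacing
            if key in WANTED:
                raw[key] = m.group(2)
    return sessions


def find_inside_host(sessions, translated_ip, translated_port):
    """Given the post-NAT source an external party reported, return the sessions
    that used it, so the inside host can be identified."""
    return [s for s in sessions if s["new_src"] == (translated_ip, translated_port)]


def describe(s):
    """One-line summary of a session: pre-NAT tuple, post-NAT tuple, TTL."""
    vpn = f" [{s['src'][2]}]" if s["src"][2] else ""
    return (f"{s['protocol']} {s['src'][0]}:{s['src'][1]}{vpn} -> {s['dst'][0]}:{s['dst'][1]}"
            f" translated to {s['new_src'][0]}:{s['new_src'][1]} -> {s['new_dst'][0]}:{s['new_dst'][1]}"
            f" (ttl {s['ttl']} s)")


if __name__ == "__main__":
    for s in find_inside_host(parse_sessions(SAMPLE_SESSIONS), "10.10.10.10", 10240):
        print(describe(s))
```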

display nat static

Function

The display nat static command displays the configuration of static NAT.

Format

display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ]

Parameters

Parameter

Description

Value

global global-address

Indicates the public address for static NAT.

The value is in dotted decimal notation.

inside host-address

Indicates the private address for static NAT.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance.

The value is a string of 1 to 31 characters.

interface interface-type interface-number [ .subnumber ]

Indicates the type and number of an interface or a sub-interface.

-

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After static NAT is configured, you can use the display nat static command to view the configuration of static NAT.

Example

# Display the global configuration of static NAT.

<Huawei> display nat static
  Static Nat Information:                                                       
  Interface  : GigabitEthernet1/0/0                                         
    Global IP/Port     : 1.1.1.1/1~2                                           
    Inside IP/Port     : 10.2.2.2~10.2.2.3/2                                    
    Protocol : 6(tcp)                                                           
    VPN instance-name  : ----                                                   
    Acl number         : ----                                                   
    Vrrp id            : ----                                                   
    Netmask  : 255.255.255.255                                                  
    Description : ----                                                   
                                                                                
  Total :    1      
Table 8-57  Description of the display nat static command output

Item

Description

Static Nat Information

Information about static NAT.

Interface

Name of an interface.

Global IP/Port

Public IP address and port number.

Inside IP/Port

Private IP address and port number.

Protocol

Protocol number and protocol type.

VPN instance-name

Name of the VPN instance.

Acl number

Number of the ACL in the static NAT.

Vrrp id

VRRP ID.

Netmask

Network mask.

Description

NAT description.

Total

Number of static NATs.

display nat static interface enable

Function

The display nat static interface enable command displays the interface enabled with the static NAT function.

Format

display nat static interface enable

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the interface enabled with the static NAT function.

<Huawei> display nat static interface enable
 Static Nat  enable  Information :                                             
------------------------------------------------                                
 interface Vlanif300                                              
------------------------------------------------                                
  Total : 1  
Table 8-58  Description of the display nat static interface enable command output

Item

Description

Static Nat enable Information

Interface enabled with the static NAT function.

Total

Number of interfaces enabled with the static NAT function.

display nat mapping-mode

Function

The display nat mapping-mode command displays the NAT mapping mode.

Format

display nat mapping-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After NAT mapping is configured, you can run this command to view the NAT mapping mode, for example:

  • Endpoint-independent mapping for TCP packets.
  • Endpoint-independent mapping for UDP packets.
  • Endpoint-independent mapping for both TCP and UDP packets.

Example

# Display NAT mapping information.

<Huawei> display nat mapping-mode
  NAT Mapping Mode Information: 
-----------------------------------------------------------
nat mapping-mode endpoint-independent tcp
-----------------------------------------------------------
  Total : 1
Table 8-59  Description of the display nat mapping-mode command output

Item

Description

NAT Mapping Mode Information

Information about the NAT mapping mode.

Total

Number of NAT mapping mode entries.

display nat mapping table

Function

The display nat mapping table command displays NAT mapping table information or the number of entries in the NAT table.

Format

display nat mapping table { all | number }

display nat mapping table inside-address ip-address protocol protocol-name port port-number [ vpn-instance vpn-instance-name ]

Parameters

Parameter

Description

Value

all

Displays information about all entries in the NAT mapping table.

-

number

Displays the number of entries in the NAT mapping table.

-

inside-address ip-address

Indicates the internal IP address of the server.

The value is in dotted decimal notation.

protocol protocol-name

Indicates the protocol type.

The value can be tcp or udp.

port port-number

Indicates the protocol port number.

The value is an integer that ranges from 1 to 65535.

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display nat mapping table command displays information about all entries in a NAT table or the number of entries in the NAT table. You can also enter keywords to view a specified entry.

Example

# Display the number of entries in the NAT table.

<Huawei> display nat mapping table number
 The total number of NAT dynamic mapping tables is: 1

# Display information about all entries in the NAT table.

<Huawei> display nat mapping table all
 NAT Dynamic Mapping Table Information:

   Protocol             : UDP(17)
   InsideAddr  Port Vpn : 192.168.1.121   555   
   GlobalAddr  Port     : 1.1.1.1         10491

   Protocol             : UDP(17)
   InsideAddr  Port Vpn : 192.168.1.119   555   
   GlobalAddr  Port     : 2.2.2.2         23099

  Total : 2
Table 8-60  Description of the display nat mapping table command output

Item

Description

The total number of NAT dynamic mapping tables is

Number of NAT mapping tables.

NAT Dynamic Mapping Table Information

Information about NAT mapping tables.

Protocol

Application protocol type.

InsideAddr Port Vpn

Private IP address, port number, and VPN instance name.
NOTE:

If no VPN is configured, the VPN instance name is not displayed.

GlobalAddr Port

Public IP address and port number.

Total

Number of NAT mapping tables.

firewall-nat session aging-time

Function

The firewall-nat session aging-time command sets the timeout interval of each entry in the session table.

The undo firewall-nat session aging-time command restores the default timeout interval of each entry in the session table.

Format

firewall-nat session { { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time time-value

undo firewall-nat session { { all | dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time

Parameters

Parameter

Description

Value

dns

Sets the timeout interval of the DNS protocol.

-

ftp

Sets the timeout interval of the FTP control connection.

-

ftp-data

Sets the timeout interval of the FTP data connection.

-

http

Sets the timeout interval of the HTTP connection.

-

icmp

Sets the timeout interval of the ICMP connection.

-

tcp

Sets the timeout interval of the TCP connection.

-

tcp-proxy

Sets the timeout interval of the TCP proxy.

-

udp

Sets the timeout interval of the UDP connection.

-

sip

Sets the timeout interval of the SIP connection.

-

sip-media

Sets the timeout interval of the SIP media protocol.

-

rtsp

Sets the timeout interval of the RTSP protocol.

-

rtsp-media

Sets the timeout interval of the RTSP media protocol.

-

pptp

Sets the timeout interval of the PPTP control connection.

-

pptp-data

Sets the timeout interval of the PPTP data connection.

-

all

Restores the default timeout interval of all the preceding connections.

-

user-define port-number

Specifies the user-defined TCP or UDP port number and configures the timeout interval for all data connections with this port as the destination port.

NOTE:

This parameter applies only to NAT sessions, not to firewall sessions.

The value is an integer that ranges from 1 to 65535.

aging-time time-value

Specifies the timeout interval value.

The value is an integer that ranges from 1 to 65535, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The firewall-nat session aging-time command sets the timeout interval for sessions of each protocol or port. If an entry in a session table is not used within the specified period, the entry expires. For example, the user with IP address 10.110.10.10 initiates a TCP connection through port 2000. If the TCP connection is not used within the timeout interval, the system deletes the TCP connection.

The default session timeout interval of a port is the same as that of the corresponding protocol. The following table lists the default session timeout interval of each protocol.

Protocol        Default Session Timeout Interval
tcp             600 seconds
tcp-proxy       10 seconds
udp             120 seconds
icmp            20 seconds
dns             120 seconds
http            120 seconds
ftp             120 seconds
ftp-data        120 seconds
sip             1800 seconds
sip-media       120 seconds
rtsp            60 seconds
rtsp-media      120 seconds
pptp            600 seconds
pptp-data       600 seconds

When configuring the timeout interval for all sessions with a user-defined port as the destination port, you cannot set the port number to a default port number of the preceding protocols.

Precautions

For some services such as voice service, increase the TCP/UDP timeout interval to prevent service interruption.

You can set the session timeout interval for a maximum of 24 ports on the device.

Example

# Set the timeout interval of the DNS connection to 60 seconds.

<Huawei> system-view
[Huawei] firewall-nat session dns aging-time 60

nat address-group

Function

The nat address-group command configures a NAT address pool.

The undo nat address-group command deletes a NAT address pool.

By default, no NAT address pool is configured.

Format

nat address-group group-index start-address end-address

undo nat address-group group-index

Parameters

Parameter

Description

Value

group-index

Specifies the index of a NAT address pool.

  • The value on AR100, AR120, AR150, AR160, AR200 and AR1200 series is an integer that ranges from 0 to 7.
  • The value on AR2201-48FE, AR2202-48FE, AR2204E, AR2204-27GE, AR2204-27GE-P, AR2204E-D-27GE, and AR2204-51GE-P is an integer that ranges from 0 to 7.
  • The value on AR2204, AR2220E, AR2220, AR2240, and AR2240C is an integer that ranges from 0 to 255.
  • The value on AR3200 and AR3600 series is an integer that ranges from 0 to 255.

start-address

Specifies the start address of the address pool.

The value is in dotted decimal notation.

end-address

Specifies the end address of the address pool.

The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An address pool is a set of consecutive IP addresses. When a packet from the private network is sent to the public network through address translation, its source address is translated into an address taken from the address pool.

Precautions

The start IP address of the address pool must be smaller than or equal to its end IP address, and an address pool can contain up to 255 IP addresses.

Example

# Configure an address pool ranging from 10.110.10.10 to 10.110.10.15, with the address pool index being 1.

<Huawei> system-view
[Huawei] nat address-group 1 10.110.10.10 10.110.10.15  

nat alg

Function

The nat alg command enables the NAT ALG function for application protocols.

The undo nat alg command disables the NAT ALG function for application protocols.

By default, NAT ALG is disabled.

Format

nat alg { all | protocol-name } enable

undo nat alg { all | protocol-name } enable

Parameters

Parameter

Description

Value

all

Enables the NAT ALG function for DNS, FTP, SIP, PPTP and RTSP.

-

protocol-name

Enables the NAT ALG function for the specified protocol type.

The value can be dns, ftp, sip, pptp, or rtsp.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the NAT ALG function is enabled for an application protocol, packets of that protocol can traverse the NAT device to the public network. Without it, the application protocol cannot work normally across NAT.

Example

# Enable the NAT ALG function for FTP.

<Huawei> system-view
[Huawei] nat alg ftp enable

# Disable the NAT ALG function for FTP.

<Huawei> system-view
[Huawei] undo nat alg ftp enable

nat sip cac enable

Function

The nat sip cac enable command enables the function of call admission control and configures the total bandwidth of the device to limit the SIP call bandwidth.

The undo nat sip cac enable command disables the function of call admission control and cancels the configuration of total bandwidth. The SIP call bandwidth is not limited.

By default, the total bandwidth of the device is 0, which means the SIP call bandwidth is not limited.

Format

nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number [ .subnumber ] }

undo nat sip cac enable

Parameters

Parameter

Description

Value

bandwidth bandwidth-value

Specifies the total bandwidth of the device.

The value is an integer that ranges from 1 to 4294967295, in kbit/s.

percent value

Specifies the total bandwidth on the device, which is a percentage of the bandwidth on SIP outgoing interface.

The value is an integer that ranges from 1 to 100.

interface interface-type interface-number [ .subnumber ]

Specifies the SIP outgoing interface type and number.

  • interface-type specifies the interface type.
  • interface-number [ .subnumber ] specifies the interface number.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a SIP server is deployed on the public network and SIP phones on the public and private networks are interconnected, call quality suffers if the bandwidth on the NAT device is insufficient. You can enable call admission control (CAC) and set the total bandwidth on the NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call would exceed the specified value, the call is rejected.

Example

# Set the total bandwidth of the device to 2000 kbit/s to limit the call bandwidth.

<Huawei> system-view
[Huawei] nat sip cac enable bandwidth 2000

# Set the total bandwidth on the device to 10% of the bandwidth on GE1/0/0 to limit the call bandwidth.

<Huawei> system-view
[Huawei] nat sip cac enable bandwidth percent 10 interface gigabitethernet 1/0/0

nat dns-map

Function

The nat dns-map command configures a mapping entry from the domain name to the public IP address, port number, and protocol type.

The undo nat dns-map command deletes a mapping entry from the domain name to the public IP address, port number, and protocol type.

By default, no mapping entry is configured.

Format

nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

undo nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

Parameters

Parameter

Description

Value

domain-name

Specifies a valid domain name that can be resolved by the DNS server.

The value is a string of 1 to 255 case-insensitive characters without spaces. The domain name of each level contains a maximum of 63 characters. Domain names of different levels are separated by periods (.) and contain a maximum of 255 characters. The string cannot contain the following characters: / : < > @ \ | % ' ".

global-address

Specifies a valid IP address provided for external access.

The value is in dotted decimal notation.

interface interface-type interface-number [ .subnumber ]

Specifies the type and number of an interface or a sub-interface.

-

global-port

Specifies the port number of the service provided for external access.

The value is an integer that ranges from 1 to 65535.

protocol-name

Specifies the protocol carried over IP.

The value can be tcp or udp.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use this command to configure the mapping from the domain name to the public IP address, port number, and protocol type for internal hosts. In this manner, internal hosts can differentiate and access corresponding internal servers according to domain names when no DNS server is deployed on the private network.

By default, DNS mapping is not configured. In this case, after the external DNS server resolves the domain names requested by internal hosts to public IP addresses, those requests can be mapped to only one internal server, so internal hosts cannot differentiate between and access the corresponding internal servers by domain name.

Follow-up Procedure

Run the nat alg dns enable command to enable the DNS NAT ALG function. The NAT ALG function allows hosts on a private network to access servers on the private network through the external DNS server.

Example

# Configure a mapping entry from a domain name to public IP address, port number, and protocol type.

<Huawei> system-view
[Huawei] nat dns-map www.test.com 10.1.1.1 2012 tcp

nat filter-mode

Function

The nat filter-mode command sets the NAT filtering mode.

The default NAT filtering mode is endpoint-and-port-dependent.

Format

nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

Parameters

Parameter

Description

Value

endpoint-dependent

Indicates the NAT filtering mode dependent on the external address and independent of the port.

-

endpoint-independent

Indicates the NAT filtering mode independent of the external address and port.

-

endpoint-and-port-dependent

Indicates the NAT filtering mode dependent on the external address and port.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

NAT filtering allows applications using the STUN and TURN technologies to traverse the NAT device.

For traffic from the external network to the internal network, NAT is performed as follows:

  • If the NAT filtering mode is set to endpoint-independent, the system uses "destination IP address+destination port number+protocol number" as the key to search the mapping table. If a corresponding entry is found, the system generates a reverse mapping entry. The destination address and port in the entry are the IP address and port number on the internal network.
  • If the NAT filtering mode is set to endpoint-dependent, the system uses "source IP address+destination IP address+destination port number+protocol number" as the key to search the mapping table. If a corresponding entry is found, the system generates a reverse mapping entry. The behavior in the reverse mapping entry is the same as the behavior in the mapping table entry.
  • If the NAT filtering mode is set to endpoint-and-port-dependent, the system uses "source IP address+source port number+destination IP address+destination port number+protocol number" as the key to search the mapping table. If a corresponding entry is found, the system generates a reverse mapping entry. The behavior in the reverse mapping entry is the same as the behavior in the mapping table entry.

You can change the NAT filtering mode only when no traffic is transmitted between the external network and internal network.
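
The three lookup keys above decide which external hosts may send traffic back through a mapping once an inside host has opened it. As an added example that is not part of the Huawei reference, the Python below builds the key for each mode exactly as the bullets describe and runs three constructed inbound packets against one stored mapping: the original peer, the same peer from another port, and a different host. The data classes, function names and the 203.0.113.x / 198.51.100.x sample addresses are mine.

```python
# Added example (not from the Huawei reference): a model of the three NAT
# filtering modes of nat filter-mode. Lookup keys follow the page's bullets;
# table layout, names and sample addresses are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    """One outbound session: inside host -> external endpoint via a public address."""
    proto: str
    inside_ip: str
    inside_port: int
    public_ip: str      # translated address/port on the NAT device
    public_port: int
    external_ip: str    # peer the inside host talked to
    external_port: int


@dataclass(frozen=True)
class InboundPacket:
    proto: str
    src_ip: str    # external host sending the packet
    src_port: int
    dst_ip: str    # public (translated) address on the NAT device
    dst_port: int


MODES = ("endpoint-independent", "endpoint-dependent", "endpoint-and-port-dependent")


def lookup_key(mode: str, pkt: InboundPacket) -> tuple:
    """Key used to search the mapping table for an inbound packet, per mode."""
    if mode == "endpoint-independent":
        # destination IP + destination port + protocol
        return (pkt.dst_ip, pkt.dst_port, pkt.proto)
    if mode == "endpoint-dependent":
        # source IP + destination IP + destination port + protocol
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto)
    if mode == "endpoint-and-port-dependent":
        # source IP + source port + destination IP + destination port + protocol
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    raise ValueError(f"unknown filter mode {mode!r}")


def mapping_key(mode: str, m: Mapping) -> tuple:
    """The same key computed from a stored mapping (external side = packet source)."""
    if mode == "endpoint-independent":
        return (m.public_ip, m.public_port, m.proto)
    if mode == "endpoint-dependent":
        return (m.external_ip, m.public_ip, m.public_port, m.proto)
    if mode == "endpoint-and-port-dependent":
        return (m.external_ip, m.external_port, m.public_ip, m.public_port, m.proto)
    raise ValueError(f"unknown filter mode {mode!r}")


def inbound_translate(mode: str, table: list, pkt: InboundPacket):
    """Return (inside_ip, inside_port) the packet is forwarded to (the reverse
    mapping entry), or None when no entry matches and the packet is dropped."""
    key = lookup_key(mode, pkt)
    for m in table:
        if mapping_key(mode, m) == key:
            return (m.inside_ip, m.inside_port)
    return None


# Constructed sample data: an inside STUN client reached a server once.
TABLE = [Mapping("udp", "10.1.1.2", 5000, "1.1.1.1", 20000, "203.0.113.10", 3478)]
SAME_PEER = InboundPacket("udp", "203.0.113.10", 3478, "1.1.1.1", 20000)
SAME_HOST_OTHER_PORT = InboundPacket("udp", "203.0.113.10", 9999, "1.1.1.1", 20000)
OTHER_HOST = InboundPacket("udp", "198.51.100.7", 3478, "1.1.1.1", 20000)
```

Running the constants through `inbound_translate` shows why `endpoint-and-port-dependent` is the default: only the original peer gets back in. `endpoint-dependent` additionally admits the same host from any port, and `endpoint-independent` admits any host that learns the public address and port, which is the behaviour STUN/TURN applications rely on and the reason switching modes should be a deliberate decision.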

Example

# Set the NAT filtering mode independent of the external address and port.

<Huawei> system-view
[Huawei] nat filter-mode endpoint-independent

nat inside priority enable

Function

The nat inside priority enable command enables the NAT service to have a higher priority than routing service.

The undo nat inside priority enable command disables the NAT service priority function and restores the priority of routing service.

By default, the routing service has a higher priority.

Format

nat inside priority enable

undo nat inside priority enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

You can run this command to specify whether the NAT service or the routing service has a higher priority. If the NAT service has a higher priority, NAT is performed on traffic entering the device before routing. If the routing service has a higher priority, traffic is routed before NAT. This function applies to multi-uplink scenarios.

For example, in a dual-uplink scenario, when you run the nat static command in the interface view or the nat static command in the system view on the master device to configure a static mapping between a public IP address and a private IP address, a user network route (UNR) is generated. When you run the ip route-static command in the system view, a static route from the public IP address to the private IP address is configured. By running both commands, you expect NAT to be performed on traffic entering the device and a backup route to be available. However, a static route has a higher priority than a UNR, so the static route configured later overwrites the UNR, and NAT and route backup cannot be implemented on the device at the same time.

To resolve this problem, run the nat inside priority enable command so that the NAT service takes precedence over the routing service and the device performs NAT on traffic before routing it.

Prerequisites

The static mapping from the private IP address to the public IP address has been configured. Two NAT methods are available to configure the static mapping from a private IP address to a public IP address:
  • Run the nat static (interface view) command in the interface view to configure the static mapping between a private IP address and a public IP address.
  • Run the nat static (system view) command in the system view to configure one-to-one NAT between private addresses and public addresses. Then run the nat static enable command in the interface view to enable the static NAT function.

Example

# Enable the NAT service to have a higher priority than the routing service.

<Huawei> system-view
[Huawei] nat inside priority enable

nat log-format elog

Function

The nat log-format elog command sets the NAT log format to eLog. The logs are generated in the format specified by the eLog server.

The undo nat log-format elog command changes the current NAT log format from eLog to a common format.

By default, a common format is used as the NAT log format.

Format

nat log-format elog

undo nat log-format elog

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the device must connect to an eLog server, it has to send log packets to the eLog server in the format that server specifies. Run the nat log-format elog or undo nat log-format elog command to set the log format to eLog or to the common format.

Example

# Set the NAT session log format to eLog.

<Huawei> system-view
[Huawei] nat log-format elog

# Set the NAT session log format to a common format.

<Huawei> system-view
[Huawei] undo nat log-format elog

nat miss forward deny

Function

The nat miss forward deny command enables a device to discard the packets that do not match the ACL rules bound to NAT.

The undo nat miss forward deny command disables a device from discarding the packets that do not match the ACL rules bound to NAT.

By default, the function of discarding the packets that do not match the ACL rules bound to NAT is disabled on a device.

Format

nat miss forward deny

undo nat miss forward deny

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After an ACL is associated with a NAT address pool, the device translates the source address of a data packet matching the ACL into an IP address in the NAT address pool. You can run the nat miss forward deny command to discard the packets that do not match the ACL rules bound to NAT.

After this command is run, packets are discarded if the number of session entries exceeds the upper limit.

Example

# Enable the device to discard the packets that do not match the ACL rules bound to NAT.

<Huawei> system-view
[Huawei] nat miss forward deny

nat outbound

Function

The nat outbound command associates an ACL with a NAT address pool. In this manner, the addresses specified in the ACL can be translated using the NAT address pool.

The undo nat outbound command disables outbound NAT.

By default, outbound NAT is disabled.

Format

nat outbound acl-number address-group group-index [ no-pat ][ vrrp vrrpid ]

undo nat outbound acl-number address-group group-index [ no-pat ][ vrrp vrrpid ]

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

address-group group-index

Indicates that the NAT address pool is used for address translation. If no NAT address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is used.

  • The value on AR100, AR120, AR150, AR160, AR200 and AR1200 series is an integer that ranges from 0 to 7.
  • The value on AR2201-48FE, AR2202-48FE, AR2204E, AR2204-27GE, AR2204-27GE-P, AR2204E-D-27GE, and AR2204-51GE-P is an integer that ranges from 0 to 7.
  • The value on AR2204, AR2220E, AR2220, AR2240, and AR2240C is an integer that ranges from 0 to 255.
  • The value on AR3200 and AR3600 series is an integer that ranges from 0 to 255.

no-pat

Indicates one-to-one NAT, that is, only the IP address in a datagram is translated and the port number is not translated.

-

vrrp vrrpid

Specifies the VRRP ID.

The value is an integer that ranges from 1 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an ACL is associated with a NAT address pool, NAT translates the source IP address of a data packet matching the ACL to an IP address in the NAT address pool.

Multiple ACL-to-address-pool associations can be configured on the same interface. This interface usually connects to an ISP network and is the egress of the internal network.

This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.

Precautions

On the Layer 2 interface cards of the AR2220, AR2240, AR2240C, and the AR3200 and AR3600 series, NAT must be configured on the VLANIF interface. In this case, run the set workmode lan-card l3centralize command in the system view to enable centralized forwarding.
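
As an added example that is not part of the Huawei reference, the Python below models the behaviour of nat address-group and nat outbound together: validation of an address pool (start not above end, at most 255 addresses), an ACL match deciding which sources are translated, and the two translation modes, many-to-one with port translation (PAT, the default) and no-pat one-to-one. The class and function names, the port range PAT allocates from, and the round-robin choice of pool address are my assumptions, not the device's documented algorithm.

```python
# Added example (not from the Huawei reference): outbound NAT with an address
# pool in PAT and no-pat modes. Pool limits follow the page; names, the PAT
# port range and the address-selection strategy are assumptions.
import ipaddress
from dataclasses import dataclass, field

MAX_POOL_SIZE = 255  # "up to 255 IP addresses can be configured in the address pool"


def address_pool(start: str, end: str) -> list:
    """Validate and expand a nat address-group range into its addresses."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("start address must be <= end address")
    size = int(hi) - int(lo) + 1
    if size > MAX_POOL_SIZE:
        raise ValueError(f"pool has {size} addresses, maximum is {MAX_POOL_SIZE}")
    return [str(lo + i) for i in range(size)]


def acl_matches(acl_network: str, src_ip: str) -> bool:
    """Basic ACL 'rule permit source <net> <wildcard>' modelled as one network."""
    return ipaddress.IPv4Address(src_ip) in ipaddress.IPv4Network(acl_network)


@dataclass
class OutboundNat:
    acl_network: str           # the ACL bound by nat outbound
    pool: list                 # addresses from address_pool()
    no_pat: bool = False       # the no-pat keyword: one-to-one, ports untouched
    next_port: int = 1024      # assumption: PAT allocates public ports upward from here
    pat_map: dict = field(default_factory=dict)    # (src_ip, src_port) -> (pub_ip, pub_port)
    nopat_map: dict = field(default_factory=dict)  # src_ip -> pub_ip

    def translate(self, src_ip: str, src_port: int):
        """Return the translated (public_ip, public_port), or None when the
        packet is not translated (ACL miss) or the pool is exhausted."""
        if not acl_matches(self.acl_network, src_ip):
            return None
        if self.no_pat:
            if src_ip not in self.nopat_map:
                used = set(self.nopat_map.values())
                free = [a for a in self.pool if a not in used]
                if not free:
                    return None   # one public address per inside host: pool exhausted
                self.nopat_map[src_ip] = free[0]
            return (self.nopat_map[src_ip], src_port)   # port is not translated
        key = (src_ip, src_port)
        if key not in self.pat_map:
            # Assumption: spread sessions over the pool round-robin.
            pub_ip = self.pool[len(self.pat_map) % len(self.pool)]
            self.pat_map[key] = (pub_ip, self.next_port)
            self.next_port += 1
        return self.pat_map[key]


def rejects(fn, *args) -> bool:
    """Helper: True if fn(*args) raises ValueError (shows the validation rules)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

With the page's example pool 1.1.1.1 to 1.1.1.3 and ACL 10.110.10.0/24, PAT keeps accepting new sessions from any number of inside hosts, while no-pat serves exactly three hosts and returns None for the fourth; sizing a no-pat pool therefore means sizing for concurrent hosts, not sessions.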

Example

# Select the addresses from 1.1.1.1 to 1.1.1.3 to form NAT address pool 1, and configure the hosts in the network segment 10.110.10.0/24 to use the addresses in address pool 1 for many-to-one address translation (using TCP/UDP port information).

<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] nat address-group 1 1.1.1.1 1.1.1.3
[Huawei] interface gigabitethernet 1/0/0 
[Huawei-GigabitEthernet1/0/0] nat outbound 2001 address-group 1

nat outbound (Easy-IP)

Function

The nat outbound command configures Easy IP.

The undo nat outbound command disables outbound NAT.

By default, Easy IP is disabled.

Format

nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ] [ vrrp vrrpid ]

undo nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ][ vrrp vrrpid ]

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

interface interface-type interface-number [ .subnumber ]

Specifies the interface or sub-interface whose IP address is used as the translated address.

-

vrrp vrrpid

Specifies the VRRP ID.

The value is an integer that ranges from 1 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Easy IP indicates that the IP address of the interface is used as the translated IP address.

This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.

Only one such command can be configured on an interface.

Example

# Set the IP address of the interface to the translated IP address.

<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] interface gigabitethernet 1/0/0 
[Huawei-GigabitEthernet1/0/0] nat outbound 2001

nat overlap-address

Function

The nat overlap-address command configures the mapping between an overlapped address pool and a temporary address pool.

The undo nat overlap-address command deletes the mapping between an overlapped address pool and a temporary address pool.

By default, the mapping between an overlapped address pool and a temporary address pool is not configured.

Format

nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

undo nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name }

Parameters

Parameter

Description

Value

map-index

Specifies the index of the mapping between the overlapped address pool and the temporary address pool.

  • The value on AR100, AR120, AR150, AR160, AR200 and AR1200 series is an integer that ranges from 0 to 7.
  • The value on AR2201-48FE, AR2202-48FE and AR2204 is an integer that ranges from 0 to 7.
  • The value on AR2220E and AR2220 is an integer that ranges from 0 to 15.
  • The value on AR2204XE and AR2204XE-DC is an integer that ranges from 0 to 31.
  • The value on the AR2240 and AR3200 varies according to the SRU model:
    • SRU40 and SRU60: 0-15.
    • SRU80, SRU100, SRU100E, SRU200, SRU200E and SRU400: 0-31.
  • The value on AR3600 is an integer that ranges from 0 to 31.

overlappool-startaddress

Specifies the start address of the overlapped address pool. IP addresses of overlapped address pools must be different.

The value is in dotted decimal notation.

temppool-startaddress

Specifies the start address of the temporary address pool. IP addresses of temporary address pools must be different.

The value is in dotted decimal notation.

pool-length length

Indicates the length of the address pool. The overlapped address pool and the temporary address pool have the same length, and each address in the overlapped address pool maps to one address in the temporary address pool.

The value is an integer that ranges from 1 to 255.

all

Deletes the configuration of all overlapped address pools.

-

inside-vpn-instance inside-vpn-instance-name

Indicates the VPN instance of the private network.

The value is a string of 1 to 31 characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the IP addresses of internal hosts overlap with those of external hosts, you need to configure the mapping between the overlapped address pool and a temporary address pool. After the mapping is configured, an overlapped address is translated into a unique temporary address so that packets can be forwarded correctly. In addition, you need to configure outbound NAT to implement twice NAT.

Example

# Configure the mapping between an overlapped address pool and a temporary address pool with the index being 1. The length of the overlapped address pool is 255, the overlapped address pool belongs to the VPN huawei, and the start address of the overlapped address pool is 10.10.10.1. The start address of the temporary address pool is 10.100.100.1.

<Huawei> system-view
[Huawei] ip vpn-instance huawei  
[Huawei-vpn-instance-huawei] route-distinguisher 200:1
[Huawei-vpn-instance-huawei-af-ipv4]  quit
[Huawei-vpn-instance-huawei] quit
[Huawei] nat overlap-address 1 10.10.10.1 10.100.100.1 pool-length 255 inside-vpn-instance huawei

nat server

Function

The nat server command defines a mapping table of internal servers so that external users can access internal servers through address and port translation.

The undo nat server command cancels the mapping table.

By default, no mapping table is configured.

Format

nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

undo nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ]

undo nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ]

Parameters

Parameter

Description

Value

protocol

Indicates the protocol type.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures external information about the NAT server.

-

icmp

Indicates that servers communicate with each other using ICMP.

-

tcp

Indicates that servers communicate with each other using TCP.

-

udp

Indicates that servers communicate with each other using UDP.

-

global-address

Specifies a valid IP address provided for external access.

The value is in dotted decimal notation.

inside

Configures internal information about the NAT server.

-

host-address

Specifies an IP address of the NAT server.

The value is in dotted decimal notation.

host-address2

Specifies the ending IP address of the private network.

The value is in dotted decimal notation.

global-port

Specifies the external service port number. You can use keywords to replace common port numbers. For example, the FTP port number is 21, so you can use the keyword ftp. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number. You can use keywords to replace common port numbers. For example, the FTP port number is 21, so you can use the keyword ftp. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the NAT server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535.

vpn-instance vpn-instance-name

Specifies the name of a private network-side VPN instance.

The value is a string of 1 to 31 characters.

vrrp vrrpid

Specifies the VRRP ID.

After NAT address pools are configured on devices in a VRRP group, both devices may perform NAT for packets, resulting in conflicts. You can specify vrrp vrrpid to configure the master device to perform NAT, preventing conflicts.

The value is an integer that ranges from 1 to 255.

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

description description

Indicates the NAT description.

The value is a string of 1 to 255 case-sensitive characters. It can contain spaces.

current-interface

Uses the IP address of the current interface as the public address.

-

interface interface-type interface-number [ .subnumber ]

Uses the IP address of the specified interface as the public address.

-

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure an internal server so that the external network can access the server in an active manner. When a host on the public network sends a connection request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request into a private address (inside-address). The request is then forwarded to the server on the private network.

  • This command can only be used on Layer 3 interfaces, except the Loopback, Tunnel-Template, and NULL interfaces.
  • When configuring an internal NAT server, ensure that global-address and host-address are different from IP addresses of ports and IP addresses in the user address pool.
  • You can use the IP address of current-interface or loopback as the internal server's IP address.
  • The undo nat server command does not delete mapping entries immediately. You can run the reset nat session command to delete mapping entries.
  • Compared with static NAT, NAT Server translates only the IP address, not the port number, when the private network actively accesses the public network.
  • When you configure a one-to-one NAT Server that borrows an interface IP address (no port number is specified, so the whole interface address is mapped to a private network address), other services enabled on the interface may become unavailable. Confirm your action before performing the configuration. If other applications must remain reachable on the interface, add an ACL rule after the configuration to exclude the port numbers those applications use.

Precautions

The specified global-port or host-port cannot be used by other applications. Otherwise, the configuration does not take effect.

When specifying global-port2 to configure multiple public ports, you must also specify host-address2 to configure multiple private addresses and ensure that the number of ports is the same as that of private addresses.

If you need to map the private address of an internal server into the IP address of the public network interface when configuring this command on the public network interface, you must set the current-interface parameter to specify a global address as the current interface address.

If you specify vrrp vrrpid when configuring the nat server command on an interface, the interface must support the VRRP function.

The vpn-instance-name parameter in the command specifies a private network-side VPN instance and does not take effect on the global-address parameter. The ip binding vpn-instance vpn-instance-name command can be run in the interface view to bind a public network-side VPN instance to the interface.
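
As an added example that is not part of the Huawei reference, the Python below models the inbound side of a nat server entry as the Usage Scenario and Precautions describe it: a global-port of 0 meaning any service, a global-port..global-port2 range mapped onto a host-address..host-address2 range with the page's requirement that both counts be equal, host-port defaulting to the public port, and an optional ACL that restricts which public sources may use the mapping (as in the third example below, where only 2.2.2.2 may reach 1.1.1.1). The class and function names, the ACL representation, and the way a port range is spread over the host range are my assumptions.

```python
# Added example (not from the Huawei reference): a model of a nat server
# mapping and the inbound destination translation it produces. Rules follow
# the page's parameter descriptions and precautions; names are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatServer:
    proto: str                                # tcp or udp
    global_address: str                       # public address offered externally
    host_address: str                         # internal server address
    global_port: int = 0                      # 0 = any service (page default)
    global_port2: Optional[int] = None        # end of a public port range
    host_address2: Optional[str] = None       # end of a private address range
    host_port: Optional[int] = None           # defaults to the public port
    acl_permit: list = field(default_factory=list)  # permitted source networks; empty = no ACL

    def __post_init__(self):
        for p in (self.global_port, self.global_port2, self.host_port):
            if p is not None and not 0 <= p <= 65535:
                raise ValueError("port numbers must be 0..65535")
        if self.global_port2 is not None:
            # Precaution: global-port2 requires host-address2, and the number
            # of public ports must equal the number of private addresses.
            if self.host_address2 is None:
                raise ValueError("global-port2 requires host-address2")
            ports = self.global_port2 - self.global_port + 1
            hosts = (int(ipaddress.IPv4Address(self.host_address2))
                     - int(ipaddress.IPv4Address(self.host_address)) + 1)
            if ports != hosts:
                raise ValueError(f"{ports} public ports but {hosts} private addresses")

    def source_allowed(self, src_ip: str) -> bool:
        """acl acl-number: only sources permitted by the ACL may use the entry."""
        if not self.acl_permit:
            return True
        ip = ipaddress.IPv4Address(src_ip)
        return any(ip in ipaddress.IPv4Network(net) for net in self.acl_permit)

    def translate(self, proto: str, src_ip: str, dst_ip: str, dst_port: int):
        """Return (private_ip, private_port) for an inbound packet, or None
        when the packet does not match this entry and is not translated."""
        if proto != self.proto or dst_ip != self.global_address:
            return None
        if not self.source_allowed(src_ip):
            return None
        if self.global_port == 0:
            return (self.host_address, dst_port)        # any port, address-only mapping
        last = self.global_port2 if self.global_port2 is not None else self.global_port
        if not self.global_port <= dst_port <= last:
            return None
        # Assumption: the n-th public port maps to the n-th private address.
        offset = dst_port - self.global_port
        host = str(ipaddress.IPv4Address(self.host_address) + offset)
        port = self.host_port if self.host_port is not None else dst_port
        return (host, port)


def rejects(fn, *args, **kwargs) -> bool:
    """Helper: True if fn(*args) raises ValueError (shows the validation rules)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

The ACL check runs before any port logic, so an entry such as the page's `nat server protocol tcp global 1.1.1.1 inside 192.168.0.1 acl 2001` exposes the whole server address yet answers only the permitted source; for internet-facing services the single-port form with host-port is the smaller attack surface.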

Example

# Add a NAT server and translate public address 1.1.1.1 of the TCP service to private address 192.168.0.1.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1

# Configure NAT server on the public network interface Gigabitethernet 0/0/1 to map TCP port 8080 in the private IP address 192.168.20.2 of an internal server into port 8080 in the IP address of Gigabitethernet 0/0/1.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 8080 inside 192.168.20.2 8080 

# Add a NAT server, translate public address 1.1.1.1 of the TCP protocol to private address 192.168.0.1, and only allow users with public address 2.2.2.2 to access the intranet server using IP address 1.1.1.1.

<Huawei> system-view
[Huawei] acl 2001
[Huawei-acl-basic-2001] rule 5 permit source 2.2.2.2 0
[Huawei-acl-basic-2001] quit
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1 acl 2001

nat session limit

Function

The nat session limit command configures the maximum number of NAT mapping entries that can be used by a user.

The undo nat session limit command deletes the setting of the maximum number of NAT mapping entries that can be used by a user.

By default, the maximum number of NAT mapping entries that can be used by a user is not configured.

Only V200R010C10 and later versions support this function.

Format

nat session limit limit-number per-ip [ acl acl-number ]

undo nat session limit

Parameters

Parameter

Description

Value

limit-number

Specifies the maximum number of NAT mapping entries that can be used by a user.

The value is an integer ranging from 1 to 65535.

per-ip

Specifies the maximum number of NAT mapping entries that can be used by a user based on the user's source IP address.

-

acl acl-number

Specifies the number of an ACL.

The value is an integer ranging from 2000 to 3999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Application Usage Scenario

On a complex network, terminals are vulnerable to network attacks, and a terminal under attack can occupy a large number of NAT mapping entries on the device it is connected to. Once the NAT mapping entries on the device are exhausted, other terminals cannot access the Internet because no entry can be allocated to them. In this case, run the nat session limit command to set the maximum number of NAT mapping entries that a user can occupy. When the number of entries created for a user exceeds the configured limit, the device stops generating new entries for that user, so that user's Internet access is restricted.

Precautions

  • This command cannot be used together with other functions for creating flow tables, such as the firewall, IPS, and SAC. Otherwise, this command may not take effect.
  • If an ACL is configured, ACL rule updates do not affect the maximum number of NAT mapping entries that can be used by a user.
  • If an ACL is configured and the ACL rule defines deny, the number of NAT mapping entries that can be used by a user is not limited.
  • The NAT session table created on the device before this command is run is not included in the statistics of NAT mapping entries.
  • After an active/standby device switchover is performed, the device clears the statistics of NAT mapping entries collected before the switchover and re-collects the statistics.
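
The following Python model is added here as an illustration of the per-IP limiting behaviour the usage guidelines describe; it is not Huawei code and the class, method names and ACL representation are invented for the example. It keeps a counter of mapping entries per source IP, refuses a new entry once limit-number is reached, leaves a source unlimited when an ACL deny rule matches it, and resets its statistics the way the switchover precaution describes.

```python
"""Per-source-IP NAT session limiting, modelled on the behaviour described for
the nat session limit command.  Added illustration in Python, not Huawei code;
the class, method names and the ACL representation are invented for it."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class PerIpSessionLimiter:
    """Counts the NAT mapping entries each source IP holds and refuses a new
    entry once that source has reached limit-number.  acl_rules is a constructed
    stand-in for a basic ACL: an ordered list of (action, network) pairs where
    the first matching rule wins."""

    def __init__(self, limit_number, acl_rules=None):
        if not 1 <= limit_number <= 65535:          # range the command accepts
            raise ValueError("limit-number must be in 1..65535")
        self.limit = limit_number
        self.acl_rules = ([(action, ip_network(net)) for action, net in acl_rules]
                          if acl_rules else None)
        self.counts = defaultdict(int)    # entries currently held per source IP
        self.refused = defaultdict(int)   # requests refused per source IP

    def is_limited(self, src_ip):
        """Limited when no ACL is configured or a permit rule matches the source.
        A deny match leaves the source unlimited (page precaution); a source that
        matches no rule is treated as unlimited (assumption of this model)."""
        if self.acl_rules is None:
            return True
        src = ip_address(src_ip)
        for action, net in self.acl_rules:
            if src in net:
                return action == "permit"
        return False

    def request_entry(self, src_ip):
        """A new flow from src_ip needs a mapping entry.  Returns True if it is
        created, False if the per-ip limit refuses it."""
        if self.is_limited(src_ip) and self.counts[src_ip] >= self.limit:
            self.refused[src_ip] += 1
            return False
        self.counts[src_ip] += 1
        return True

    def release_entry(self, src_ip):
        """An entry for src_ip aged out or was reset: free one slot."""
        if self.counts[src_ip] > 0:
            self.counts[src_ip] -= 1

    def clear_statistics(self):
        """Models the active/standby switchover precaution: statistics restart
        from zero and are rebuilt only from entries created afterwards."""
        self.counts.clear()
        self.refused.clear()


def simulate_exhaustion(limit=2000, attacked_flows=5000, normal_flows=20):
    """Constructed scenario: a terminal under attack tries to open far more
    flows than the limit while a healthy terminal opens a few.  Returns the
    entries granted per source and the refusals recorded."""
    limiter = PerIpSessionLimiter(limit, acl_rules=[("permit", "192.168.0.0/24")])
    attacked, healthy = "192.168.0.10", "192.168.0.20"
    granted = {attacked: 0, healthy: 0}
    for _ in range(attacked_flows):
        if limiter.request_entry(attacked):
            granted[attacked] += 1
    for _ in range(normal_flows):
        if limiter.request_entry(healthy):
            granted[healthy] += 1
    return granted, dict(limiter.refused)
```

In the constructed scenario the attacked terminal is capped at 2000 entries and the healthy terminal still gets all of its 20, which is the outcome the usage scenario aims for. The refused counter is the monitoring hook: a source that keeps hitting the limit is the one to investigate.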

Example

# Set the maximum number of NAT mapping entries that can be created for a user's source IP address to 2000.

<Huawei> system-view
[Huawei] nat session limit 2000 per-ip

nat static (interface view)

Function

The nat static command configures the static mapping between a private IP address and a public IP address.

The undo nat static command deletes the static mapping between a private IP address and a public IP address.

By default, the static mapping between a private IP address and a public IP address is not configured.

Format

nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]

nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]

nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port global-port2 [ vrrp vrrpid ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

undo nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ global-to-inside | inside-to-global ]

undo nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ global-to-inside | inside-to-global ]

undo nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port global-port2 [ vrrp vrrpid ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ]

Parameters

Parameter

Description

Value

protocol

Indicates the protocol.

-

protocol-number

Specifies a protocol number.

The value is an integer that ranges from 1 to 255.

icmp

Indicates address translation for ICMP packets.

-

tcp

Indicates address translation for TCP packets.

-

udp

Indicates address translation for UDP packets.

-

global

Configures public network information.

-

global-address

Specifies a public IP address.

The value is in dotted decimal notation.

global-port

Specifies the external service port number.

If this parameter is not specified, the value of global-port is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies a public end port number.

If this parameter is specified, a range of consecutive port numbers is translated. If this parameter is not specified, only the port number global-port is translated.

The value is an integer that ranges from 0 to 65535.

inside

Configures private network information.

-

host-address

Specifies a private IP address.

The value is in dotted decimal notation.

host-address2

Specifies a private end IP address.

If this parameter is specified, a range of consecutive IP addresses is translated. If this parameter is not specified, only the private IP address host-address is translated.

The value is in dotted decimal notation.

host-port

Specifies a service port number provided by private network devices.

If this parameter is not specified, the value of host-port is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535.

host-port2

Specifies a private end port number.

The value is an integer that ranges from 0 to 65535.

vpn-instance vpn-instance-name

Specifies the name of a private network-side VPN instance.

The value must be the name of an existing VPN instance.

vrrp vrrpid

Specifies a VRRP ID.

The value is an integer that ranges from 1 to 255.

netmask mask

Specifies the network mask for static NAT.

The value ranges from 255.255.255.0 to 255.255.255.255.

acl acl-number

Specifies the number of an ACL.

You can use an ACL to control NAT implementation, ensuring that NAT is performed only for data packets that meet rules in the ACL.

The value is an integer that ranges from 2000 to 3999.

global-to-inside

Indicates static NAT in the direction from the public network to the private network.

If unidirectional static NAT is not configured, IP addresses are translated in both directions.

-

inside-to-global

Indicates static NAT in the direction from the private network to the public network.

If unidirectional static NAT is not configured, IP addresses are translated in both directions.

-

description description

Specifies the NAT description.

The value is a string of 1 to 255 case-sensitive characters without question marks (?). It can contain spaces.

current-interface

Specifies a public IP address as the IP address of the current interface.

-

interface interface-type interface-number [ .subnumber ]

Specifies a public IP address as the IP address of an interface or sub-interface.
  • interface-type specifies the interface type.
  • interface-number [ .subnumber ] specifies the number of the interface or sub-interface.

-

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device on a private network must be reachable from the public network at a fixed IP address, for example a private server that provides services to public network devices, you can configure static NAT to translate the private IP address of the server into the specified public IP address. Public network devices then access the server through that fixed public IP address.

If a private server provides services to multiple public network segments, the private IP address of the server needs to be translated into multiple public IP addresses to ensure security. Generally, bidirectional translation between private and public IP addresses is implemented in static NAT. When a private server accesses a public network, the private IP address of the server cannot be translated into multiple public IP addresses. You can configure unidirectional static NAT to solve this problem. When a public network device accesses the private server, multiple public IP addresses are translated into the private IP address of the server using static NAT. When the private server accesses the public network, IP addresses are translated using outbound NAT.

Static NAT also supports IP address translation between network segments, that is, private IP addresses within a specified range and public IP addresses within a specified range can be translated into each other.

Precautions

After the undo nat static command is run on the device, static mapping entries on the device will not be cleared immediately. To clear static mapping entries immediately, run the reset nat session command.

When the global-port, global-port2, host-port, and host-port2 parameters are specified to configure mappings between public and private port numbers, the number of public port numbers must be the same as the number of private port numbers and the port numbers must be mapped in sequence. For example, when nat static protocol tcp global 1.1.1.1 11 20 inside 10.10.10.1 21 30 is configured, the public IP address 1.1.1.1 maps the private IP address 10.10.10.1, and public port numbers 11 to 20 map private port numbers 21 to 30 in sequence.

When host-address2 is specified, global-port2 and host-port must also be specified. The number of private addresses must be the same as the number of public port numbers. That is, the same public address maps different private addresses, and different public port numbers map the same private port number. For example, when nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30 is configured, 1.1.1.1 and public port 11 map 10.10.10.1 and private port 30, and 1.1.1.1 and public port 12 map 10.10.10.2 and private port 30.

If you specify vrrp vrrpid when configuring the nat static command on an interface, the interface must support the VRRP function.

The vpn-instance-name parameter in the command specifies a private network-side VPN instance and does not take effect on the global-address parameter. The ip binding vpn-instance vpn-instance-name command can be run in the interface view to bind a public network-side VPN instance to the interface.

If you specify acl-number when configuring multiple nat static commands on an interface, the ACL number specified in the commands must be the same. Otherwise, the configuration fails.

Example

# Translate the combination of the public IP address 1.1.1.1 and port 200 in TCP packets to the combination of the private IP address 10.10.10.1 and port 300.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static protocol tcp global 1.1.1.1 200 inside 10.10.10.1 300

# Replace the IP address of packets from the VPN huawei and on the network segment 10.2.2.2 (24-bit mask) with the IP address on the network segment 10.3.3.3 (24-bit mask).

<Huawei> system-view
[Huawei] ip vpn-instance huawei
[Huawei-vpn-instance-huawei] quit
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static global 10.3.3.3 inside 10.2.2.2 vpn-instance huawei netmask 255.255.255.0

nat static (system view)

Function

The nat static command configures one-to-one NAT between private addresses and public addresses in the system view.

The undo nat static command deletes one-to-one NAT configured between private addresses and public addresses in the system view.

By default, no one-to-one NAT is configured.

Format

nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global global-address global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global interface loopback interface-number global-port global-port2 [ vpn-instance vpn-instance-name ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global global-address global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global interface loopback interface-number global-port global-port2 [ vpn-instance vpn-instance-name ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

Parameters

Parameter

Description

Value

protocol

Indicates a protocol.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures the external address and port number.

-

global-address

Specifies the public IP address for NAT.

The value is in dotted decimal notation.

inside

Configures the internal address and port number.

-

host-address

Specifies the private IP address for NAT.

The value is in dotted decimal notation.

host-address2

Specifies the ending IP address of the private network.

-

global-port

Specifies the external service port number. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535.

host-port2

Specifies a private end port number.

The value is an integer that ranges from 0 to 65535.

icmp

Indicates that servers communicate with each other using ICMP.

-

tcp

Indicates that servers communicate with each other using TCP.

-

udp

Indicates that servers communicate with each other using UDP.

-

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

netmask mask

Indicates the network mask for static NAT.

The value ranges from 255.255.255.0 to 255.255.255.255.

description description

Indicates the NAT description.

The value is a string of 1 to 255 characters. The character string is case sensitive. It can contain spaces but cannot contain the question mark (?).

interface loopback interface-number

Uses the IP address of the specified loopback interface as the public address.

The value is an integer that ranges from 0 to 1023.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Static NAT indicates that a private address is statically bound to a public address when NAT is performed. The public IP address in static NAT is only used for translation of the unique and fixed private IP address of a host.

Static PAT indicates that a combination of the private address of a host, TCP/UDP protocol number, and internal port number is statically bound to a combination of the public address, TCP/UDP protocol number, and external port number. The public IP address in static PAT can be used for translation of multiple private addresses.

Using static NAT or PAT, hosts on the private network and hosts on the public network can access each other.

  • If you run the undo nat static command, static mapping entries are not immediately deleted. To clear static mapping entries, run the reset nat session command.

  • When the global-port, global-port2, host-port, and host-port2 parameters are specified to configure mappings between public and private port numbers, the number of public port numbers must be the same as the number of private port numbers and the port numbers must be mapped in sequence. For example, when nat static protocol tcp global 1.1.1.1 11 20 inside 10.10.10.1 21 30 is configured, the public IP address 1.1.1.1 maps the private IP address 10.10.10.1, and public port numbers 11 to 20 map private port numbers 21 to 30 in sequence.

    When host-address2 is specified, global-port2 and host-port must also be specified. The number of private addresses must be the same as the number of public port numbers. That is, the same public address maps different private addresses, and different public port numbers map the same private port number. For example, when nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30 is configured, 1.1.1.1 and public port 11 map 10.10.10.1 and private port 30, and 1.1.1.1 and public port 12 map 10.10.10.2 and private port 30.

  • nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

    In the command, the first vpn-instance-name parameter specifies the VPN instance bound to the loopback interface, and the second vpn-instance-name parameter specifies a private network-side VPN instance.
  • If the ip binding vpn-instance vpn-instance-name command is run in the interface view to bind a public network-side VPN instance to the interface, the nat static command in the system view does not take effect. In this case, you need to run the nat static or nat server command in the interface view.
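
The port-range rules above, stated in the precautions of nat static (interface view) and repeated here for the system view, are mechanical enough to check by machine. The following Python function is an added illustration, not Huawei code; expand_static_mapping and lookup_inbound are invented names. It expands a port-range or address-range mapping into the individual socket pairs the command creates, rejects any combination in which the public and private ranges are not the same size, and shows how an inbound packet is matched against the resulting entries, including the global-port 0 "any service" case from the parameter table.

```python
"""Expand a nat static port-range mapping into the individual socket pairs it
creates and check the pairing rules stated in the precautions.  Added Python
illustration, not Huawei code; expand_static_mapping and lookup_inbound are
invented names for this example."""
from ipaddress import IPv4Address


def _check_port(name, value):
    if not 0 <= value <= 65535:                  # range given in the parameter table
        raise ValueError(f"{name} must be in 0..65535, got {value}")


def expand_static_mapping(global_address, global_port, global_port2=None,
                          host_address=None, host_address2=None,
                          host_port=None, host_port2=None):
    """Return [((public_ip, public_port), (private_ip, private_port)), ...] for
    the three shapes the reference documents:
      1. single port:   global-port -> host-port (host-port defaults to global-port)
      2. port range:    global-port..global-port2 -> host-port..host-port2, in sequence
      3. address range: global-port..global-port2 -> host-address..host-address2,
                        every private address on the same host-port
    Combinations the reference does not describe are rejected, not guessed."""
    g_ip, h_ip = str(IPv4Address(global_address)), IPv4Address(host_address)
    for name, value in (("global-port", global_port), ("global-port2", global_port2),
                        ("host-port", host_port), ("host-port2", host_port2)):
        if value is not None:
            _check_port(name, value)
    if global_port2 is not None and global_port2 < global_port:
        raise ValueError("global-port2 must not be lower than global-port")

    if host_address2 is not None:                                  # shape 3
        if global_port2 is None or host_port is None:
            raise ValueError("host-address2 requires global-port2 and host-port")
        if host_port2 is not None:
            raise ValueError("host-port2 cannot be combined with host-address2")
        public_ports = range(global_port, global_port2 + 1)
        n_private = int(IPv4Address(host_address2)) - int(h_ip) + 1
        if n_private != len(public_ports):
            raise ValueError(f"{len(public_ports)} public ports but "
                             f"{n_private} private addresses")
        return [((g_ip, port), (str(h_ip + i), host_port))
                for i, port in enumerate(public_ports)]

    if global_port2 is not None:                                   # shape 2
        if host_port is None or host_port2 is None or host_port2 < host_port:
            raise ValueError("a public port range needs host-port..host-port2")
        public_ports = range(global_port, global_port2 + 1)
        private_ports = range(host_port, host_port2 + 1)
        if len(public_ports) != len(private_ports):
            raise ValueError(f"{len(public_ports)} public ports but "
                             f"{len(private_ports)} private ports")
        return [((g_ip, p), (str(h_ip), q))
                for p, q in zip(public_ports, private_ports)]

    if host_port2 is not None:        # shape 1: host-port2 only exists with a public range
        raise ValueError("host-port2 requires global-port2")
    private_port = global_port if host_port is None else host_port
    return [((g_ip, global_port), (str(h_ip), private_port))]


def lookup_inbound(table, public_ip, public_port):
    """Private socket an inbound packet to (public_ip, public_port) is translated
    to, or None if no entry matches.  An entry with public port 0 is the
    'any type of service' wildcard the parameter table describes."""
    for (g_ip, g_port), private in table:
        if g_ip == public_ip and g_port in (0, public_port):
            return private
    return None
```

Feeding the two examples from the precautions through the function reproduces the stated pairings (public port 11 to private port 21 and so on for the first; public ports 11 and 12 to 10.10.10.1 and 10.10.10.2 on private port 30 for the second). The wildcard case is worth keeping in mind when reviewing a configuration: an entry with global-port 0 exposes every port of the private host, so it should be deliberate.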

Example

# Translate the combination of Loopback 4 interface address and port 43 in TCP packets to private address 192.168.2.55.

<Huawei> system-view
[Huawei] interface loopback 4
[Huawei-LoopBack4] ip address 192.168.8.8 24
[Huawei-LoopBack4] quit 
[Huawei] nat static protocol tcp global interface loopback 4 43 inside 192.168.2.55 netmask 255.255.255.255

nat static enable

Function

The nat static enable command enables static NAT on an interface.

The undo nat static enable command disables static NAT on an interface.

By default, static NAT on an interface is disabled.

Format

nat static enable

undo nat static enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Using the nat static enable command, you can enable static NAT on an interface.

This command can only be used on Layer 3 interfaces, except loopback and NULL interfaces.

When enabling static NAT on a sub-interface, you must also enable the function on the main interface. Otherwise, the function does not take effect on the sub-interface.

Example

# Enable static NAT on an interface.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static enable

nat mapping-mode

Function

The nat mapping-mode command sets the NAT mapping mode.

The undo nat mapping-mode command restores the NAT mapping mode.

The default NAT mapping mode is endpoint-and-port-dependent.

Format

nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

undo nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

Parameters

Parameter

Description

Value

endpoint-independent

Indicates the endpoint-independent mode.

-

protocol-name

Indicates the protocol type.

The value can be tcp or udp.

dest-port port-number

Indicates the destination port. Endpoint-independent mapping is applied only to packets whose destination port is the specified port.

The value is an integer that ranges from 1 to 65535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

NAT resolves the shortage of IPv4 addresses and improves network security. Because NAT implementations differ between vendors, applications that use STUN, TURN, or ICE may fail to traverse the NAT devices of some vendors. These technologies are mainly used on SIP proxies. Configuring the NAT mapping mode enables these applications to traverse the NAT device.

NAT mapping has the following modes:

  • Endpoint-independent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Address and port-dependent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.
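
The two behaviours differ only in what the mapping table is keyed on, which the following Python model makes concrete. It is an added illustration, not Huawei code; the terms are those of RFC 4787, NatMapper and demo are invented names, the public address is a documentation-range placeholder and the flows are constructed. The model also mirrors the optional protocol-name and dest-port scoping of the command, so endpoint-independent mapping can be enabled for one protocol and destination port while everything else keeps the default address-and-port-dependent behaviour.

```python
"""Model of the two NAT mapping behaviours the nat mapping-mode command selects
between; the terms are those of RFC 4787.  Added Python illustration, not
Huawei code: NatMapper and demo are invented names, the public address is a
documentation-range placeholder and the flows are constructed."""
import itertools


class NatMapper:
    """Allocates external (ip, port) mappings for internal sockets.

    eim_rules holds (protocol, dest_port) pairs for which endpoint-independent
    mapping is enabled, mirroring nat mapping-mode endpoint-independent
    [ protocol-name [ dest-port port-number ] ]; dest_port None means every
    destination port of that protocol.  Everything else stays in the default
    address-and-port-dependent mode."""

    def __init__(self, eim_rules=(), public_ip="203.0.113.1", first_port=20000):
        self.eim_rules = set(eim_rules)
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free external port
        self.table = {}                             # mapping key -> (ip, port)

    def mode_for(self, proto, dest_port):
        if (proto, None) in self.eim_rules or (proto, dest_port) in self.eim_rules:
            return "endpoint-independent"
        return "address-and-port-dependent"

    def translate(self, proto, internal, external):
        """External (ip, port) used for a packet from the internal socket to the
        external socket, creating a mapping on first use.

        Endpoint-independent: the key is the internal socket alone, so the same
        external port is reused towards every destination (what STUN relies on).
        Address-and-port-dependent: the destination is part of the key, so a
        new destination gets a new external port."""
        if self.mode_for(proto, external[1]) == "endpoint-independent":
            key = (proto, internal)
        else:
            key = (proto, internal, external)
        if key not in self.table:
            self.table[key] = (self.public_ip, next(self._ports))
        return self.table[key]


def demo():
    """One internal SIP socket talks to two peers on port 5060 and one on 5061,
    over UDP and TCP, with the default behaviour and with endpoint-independent
    mapping enabled only for UDP destination port 5060.  Returns the external
    ports allocated in each case."""
    internal = ("10.0.0.5", 5060)
    udp_peers = [("198.51.100.7", 5060), ("192.0.2.9", 5060), ("192.0.2.9", 5061)]
    tcp_peers = udp_peers[:2]
    out = {}
    for label, rules in (("default", ()), ("eim udp 5060", {("udp", 5060)})):
        nat = NatMapper(rules)
        out[label] = {
            "udp": [nat.translate("udp", internal, p)[1] for p in udp_peers],
            "tcp": [nat.translate("tcp", internal, p)[1] for p in tcp_peers],
            "entries": len(nat.table),
        }
    return out
```

With the default behaviour every destination gets its own entry and external port; with endpoint-independent mapping scoped to UDP 5060 the two SIP peers share one external port while the flow to port 5061 and the TCP flows still get separate entries. Scoping the mode to the protocol and port the SIP proxy actually needs, as the dest-port option allows, keeps the reusable mapping limited to that traffic.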

Example

# Enable the endpoint-and-port-independent mapping mode for TCP packets.

<Huawei> system-view
[Huawei] nat mapping-mode endpoint-independent tcp

# Enable the endpoint-and-port-independent mapping mode for TCP and UDP packets.

<Huawei> system-view
[Huawei] nat mapping-mode endpoint-independent 

port-mapping

Function

The port-mapping command configures the mappings between ports and application-layer protocols.

The undo port-mapping command deletes the mappings between ports and application-layer protocols.

Format

port-mapping { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number

undo port-mapping { all | { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number }

Parameters

Parameter

Description

Value

all

Deletes the mappings from all ports.

-

dns

Specifies the mapping between the DNS protocol and a port.

-

ftp

Specifies the mapping between the FTP protocol and a port.

-

http

Specifies the mapping between the HTTP protocol and a port.

-

sip

Specifies the mapping between the SIP protocol and a port.

-

rtsp

Specifies the mapping between the RTSP protocol and a port.

-

pptp

Specifies the mapping between the PPTP protocol and a port.

-

port port-number

Specifies the port mapping to a protocol.

The value of port-number is an integer that ranges from 1 to 65535.

acl acl-number

Specifies the ACL that controls the packets to which port mapping is applied.

The value of acl-number is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Port mapping enables a server to provide various application-layer services for external systems through non-well-known ports. For example, the well-known port of the HTTP service is port 80. After port mapping is configured on the firewall, the firewall can use a non-well-known port to provide the HTTP service.

Port mapping reduces attacks against a specific service on the server.

Example

# Map the HTTP service to port 10 and apply ACL 2000 to control the packets to which the mapping takes effect.

<Huawei> system-view
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule permit
[Huawei-acl-basic-2000] quit
[Huawei] port-mapping http port 10 acl 2000

reset nat session

Function

The reset nat session command deletes entries from the NAT mapping table.

Format

reset nat session { all | transit interface interface-type interface-number [ .subnumber ] }

reset nat session protocol { protocol-name | protocol-number } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ]

reset nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ]

reset nat session destination destination-address [ destination-port ]

V200R010C10 and later versions support the protocol, source, and destination parameters.

Parameters

Parameter

Description

Value

all

Deletes all entries from the NAT mapping table.

-

transit

Deletes the entries of traffic passing a specified interface.

-

interface interface-type interface-number [ .subnumber ]

Indicates the type and number of an interface or a sub-interface.

-

protocol { protocol-name | protocol-number }

Deletes the NAT mapping entries of the specified protocol name or protocol number.

  • The value of protocol-name can be icmp, tcp, or udp.
  • The value of protocol-number is an integer that ranges from 1 to 255.

source source-address [ source-port ]

Specifies the source IP address and port number before the NAT translation.

  • source-address: The value is in dotted decimal notation.
  • source-port: The value is an integer that ranges from 1 to 65535.

destination destination-address [ destination-port ]

Specifies the destination IP address and port number before the NAT translation.

  • destination-address: The value is in dotted decimal notation.
  • destination-port: The value is an integer that ranges from 1 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the configurations of nat alg, nat server, nat static, or nat outbound are changed, packets that match existing entries in the NAT mapping table are not forwarded based on the new configurations. You can run the reset nat session command to make the new configurations take effect. This command can be used to delete all entries, the entries for a specified protocol type, or the entries of traffic passing a specified interface from the NAT mapping table.

Precautions

  • After this command is used, entries are deleted from the NAT mapping table and the modified NAT configurations take effect immediately.
  • After this command is executed, you must wait at least 10 seconds if you need to run the command again; otherwise, an error message is displayed.
  • If all entries are deleted, communication among certain sessions may be affected for a short period.

Example

# Delete all entries from the NAT mapping table.

<Huawei> system-view
[Huawei] reset nat session all
Warning:The current all NAT sessions will be deleted.
Are you sure to continue?[Y/N] y

# Delete entries from the NAT mapping table on interface GigabitEthernet0/0/1.

<Huawei> system-view
[Huawei] reset nat session transit interface gigabitethernet 0/0/1
Warning:The current all NAT sessions transiting GigabitEthernet0/0/1 will be deleted.
Are you sure to continue?[Y/N] y

# Delete the NAT mapping entries of TCP.

<Huawei> system-view
[Huawei] reset nat session protocol tcp
Warning:The current NAT sessions (protocol: tcp) will be deleted.
Are you sure to continue?[Y/N] y

set nat-session self-healing enable

Function

The set nat-session self-healing enable command enables the self-healing function on the timer of a NAT module.

The set nat-session self-healing disable command disables the self-healing function on the timer of a NAT module.

By default, the self-healing function on the timer of a NAT module is disabled.

Format

set nat-session self-healing enable

set nat-session self-healing disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the running timer of a NAT module is faulty, the NAT service fails and the device cannot work properly. In this case, run the set nat-session self-healing enable command. After the self-healing function is enabled on the timer of a NAT module, the usage of the timer can be automatically detected. If the timer is faulty, you can reset the device to rectify the fault and ensure the proper running of the device.

Example

# Enable the self-healing function on the timer of a NAT module.

<Huawei> system-view
[Huawei] set nat-session self-healing enable

tcp proxy

Function

The tcp proxy command enables the TCP proxy function.

The undo tcp proxy command disables the TCP proxy function.

By default, the TCP proxy function is disabled on the device.

Format

tcp proxy ip-address port-number [ acl acl-number ]

undo tcp proxy

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address bound to the TCP proxy.

The value is in dotted decimal notation. The IP address can only be a unicast IP address on the local device.

port-number

Specifies the listening port of the TCP proxy.

The value is an integer that ranges from 1024 to 65000.

This port number cannot be occupied by other modules.

acl acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 3000 to 3999.

It is recommended that ACL filtering be performed for the IP address of the TCP connection initiator.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the SIP ALG scenario, if a SIP data packet sent by the SIP client is too large to be sent to the SIP server in one packet, the client divides the oversized SIP data packet into multiple smaller packets and sends them to the SIP server. In this case, enable the TCP proxy function on the device so that the device reassembles the received packets into the original SIP packet, performs NAT, and then forwards the packet to the SIP server.

The device listens to packets based on the specified IP address and port number after the TCP proxy function is enabled, and then sets up a TCP connection with host A that initiates a TCP connection. After successfully setting up the TCP connection, the device proactively sets up a TCP connection with host B which is the destination device of host A, ensuring that hosts A and B can communicate properly.

Precautions

After the TCP proxy function is disabled, the device deletes TCP connections set up with all hosts and the session table saved on the device. Run the reset nat session all command to delete all flow table information.

Example

# Enable the TCP proxy function.

<Huawei> system-view
[Huawei] tcp proxy 10.1.1.1 3333

tcp proxy aging-time

Function

The tcp proxy aging-time command sets the aging time of a TCP connection set up by the TCP proxy.

The undo tcp proxy aging-time command restores the default aging time of a TCP connection set up by the TCP proxy.

By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.

Format

tcp proxy aging-time aging-time

undo tcp proxy aging-time

Parameters

Parameter

Description

Value

aging-time

Specifies the aging time of a TCP connection set up by the TCP proxy.

The value is an integer that ranges from 10 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

In the SIP ALG scenario, if a SIP data packet sent by the SIP client is too large to be sent to the SIP server in one packet, the client divides the oversized SIP data packet into multiple smaller packets and sends them to the SIP server. In this case, enable the TCP proxy function on the device so that the device reassembles the received packets into the original SIP packet, performs NAT, and then forwards the packet to the SIP server.

If the TCP proxy function is enabled, the device exchanges TCP keepalive packets with a host after it sets up a TCP connection with the host. If the device does not receive a TCP keepalive packet from the host within three times the aging time, it automatically deletes the TCP connection and the corresponding session entry.

Example

# Set the aging time of a TCP connection set up by the TCP proxy to 240 seconds.

<Huawei> system-view
[Huawei] tcp proxy aging-time 240