NetEngine AR600, AR6100, AR6200, and AR6300 V300R022 Command Reference

NAT Configuration Commands

NAT Configuration Commands

Support for NAT Configuration

Hardware Requirements

Table 9-40 NAT hardware requirements

Series

Feature Support

AR600&AR6100&AR6200&AR6300 Series

Supported

Only the AR631I-LTE4CN and AR631I-LTE4EA do not support NAT STUN.

RU-5G

The RU-5G-101 does not support NAT STUN.

display nat address-group

Function

The display nat address-group command displays the configuration of a NAT address pool.

Format

display nat address-group [ group-index ] [ verbose ]

Parameters

Parameter

Description

Value

group-index

Indicates the index of a NAT address pool.

The value must be an existing NAT address pool index.

verbose

Displays details about the NAT address pool.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can check the configuration and application of the NAT address pool.

Example

# Display all the NAT address pools.

<Huawei> display nat address-group
NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1            10.1.1.1        10.1.1.10
 2         10.10.10.10      10.10.10.15
 --------------------------------------
  Total : 2   

# Display the NAT address pool according to the index of the NAT address pool.

<Huawei> display nat address-group 1 
 NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1            10.1.1.1        10.1.1.10
 --------------------------------------
  Total : 1 

# Display details about the NAT address pool.

<Huawei> display nat address-group 1 verbose
NAT Address-Group Information:
 -----------------------------------------------------------
 Index   Start-address      End-address  Ref-times  Ref-type
 -----------------------------------------------------------
 1            10.1.1.1        10.1.1.10          0      ----
 -----------------------------------------------------------
  Total : 1  
Table 9-41 Description of the display nat address-group command output

Item

Description

NAT Address-Group Information

Information of the NAT address pool.

Index

Index of the NAT address pool.

Start-address

Start IP address of the NAT address pool.

End-address

End IP address of the NAT address pool

Ref-times

Number of times that a NAT address pool is referenced.

Ref-type

Mode in which the NAT address pool is referenced.

  • pat: translates the IP address and port information of data packets.
  • no-pat: only translates the IP addresses of data packets, not port information.
  • ----: indicates that the NAT address pool is not referenced.

Total

Number of NAT address pools.

display nat alg

Function

The display nat alg command displays whether NAT application level gateway (ALG) is enabled for an application layer protocol.

Format

display nat alg

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the status of NAT ALG.

<Huawei> display nat alg
NAT Application Level Gateway Information:                                      
----------------------------------                                              
  Application            Status                                                 
----------------------------------                                              
  dns                    Disabled                                               
  ftp                    Disabled                                               
  rtsp                   Enabled                                                
  sip                    Disabled                                               
  pptp                   Disabled                                               
----------------------------------     
Table 9-42 Description of the display nat alg command output

Item

Description

NAT Application Level Gateway Information

Information of the NAT ALG.

Application

Application protocol type.

Status

Whether the NAT ALG function is enabled.

display nat sip cac bandwidth information

Function

The display nat sip cac bandwidth information command displays the current total bandwidth and occupied bandwidth on the device.

Format

display nat sip cac bandwidth information [ verbose ]

Parameters

Parameter

Description

Value

verbose

Displays details about the current total bandwidth and occupied bandwidth.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display details about the current total bandwidth and occupied bandwidth on the device.

<Huawei> display nat sip cac bandwidth information verbose
------------------------------------------------------------------------------- 
Total Bandwidth(Kbps)       Used Bandwidth(Kbps)                                
  3000                        1900                                                 
------------------------------------------------------------------------------- 
Src-IP          Src-Port Dest-IP         Dest-Port Protocol Used Bandwidth(Kbps)
192.168.0.4     50       1.1.1.1         5060      udp        1900
-------------------------------------------------------------------------------
Table 9-43 Description of the display nat sip cac bandwidth information verbose command output

Item

Description

Total Bandwidth

Total bandwidth on the device, in Kbps.

To configure the total bandwidth, run the nat sip cac enable command.

Used Bandwidth

Occupied bandwidth on the device, in Kbps.

Src-IP

Source IP address, that is, calling-party IP address.

Src-Port

Source port number, that is, calling-party port number.

Dest-IP

Destination IP address, that is, called-party IP address.

Dest-Port

Destination port number, that is, called-party port number.

Protocol

Protocol used by the SIP call; only UDP is supported.

display nat dns-map

Function

The display nat dns-map command displays the configuration of DNS mapping.

Format

display nat dns-map [ domain-name ]

Parameters

Parameter

Description

Value

domain-name

Specifies the valid domain name that can be resolved by the DNS server.

The value is a string of 1 to 255 case-insensitive characters without spaces. The string cannot contain the following characters: / : < > @ \ | % ' ".

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the configuration of NAT DNS mapping.

 <Huawei> display nat dns-map
  NAT DNS mapping information:
  Domain-name : www.example.com                                                  
  Global IP   : gigabitethernet0/0/1 (Real IP : 192.168.4.2)                    
  Global port : 2                                                               
  Protocol    : tcp

  Total : 1  
Table 9-44 Description of the display nat dns-map command output

Item

Description

NAT DNS mapping information

Information of NAT DNS Mapping.

Domain-name

Domain name.

Global IP

IP address provided for external access.

Global port

Port number provided for external access.

Protocol

Type of the protocol carried over IP.

Total

Number of NAT DNS mapping information items.

display nat filter-mode

Function

The display nat filter-mode command displays the current NAT filtering mode.

Format

display nat filter-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the current NAT filtering mode. The modes include:
  • endpoint-independent: independent of the external address and port.
  • endpoint-dependent: dependent on the external address and independent of the port.
  • endpoint-and-port-dependent: dependent on the external address and port.

Example

# Display the current NAT filtering mode.

<Huawei> display nat filter-mode
Nat filter mode is : endpoint-independent     
Table 9-45 Description of the display nat filter-mode command output

Item

Description

Nat filter mode is

The current NAT filtering mode.

display nat outbound

Function

The display nat outbound command displays information about outbound NAT.

Format

display nat outbound [ acl acl-number | address-group group-index | interface interface-type interface-number [ .subnumber ] ]

Parameters

Parameter

Description

Value

acl acl-number

Displays the number of a basic ACL or an advanced ACL.

The value must be an existing ACL number.

address-group group-index

Displays the index of a NAT address pool.

The value must be an existing address pool index.

interface interface-type interface-number [ .subnumber ]

Displays the type and number of an interface or a sub-interface.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all information about outbound NAT.

<Huawei> display nat outbound
 NAT Outbound Information:                                                      
 --------------------------------------------------------------------------     
 Interface                     Acl     Address-group/IP/Interface      Type     
 --------------------------------------------------------------------------     
 GigabitEthernet0/0/2         2000                              1    no-pat     
 --------------------------------------------------------------------------     
  Total : 1 
Table 9-46 Description of the display nat outbound command output

Item

Description

Interface

Name of an interface.

Acl

Basic or advanced ACL that is in use.

Address-group/IP/Interface

The index of a NAT address pool or IP address or loopback interface.

Type

Type of NAT. (If no NAT address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is used.)

Total

Number of outbound NAT information items.

display nat overlap-address

Function

The display nat overlap-address command displays information about the mapping between the overlapped address pool and the temporary address pool.

Format

display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name }

Parameters

Parameter

Description

Value

map-index

Specifies the index of the mapping between the overlapped address pool and the temporary address pool.

The value must be an existing mapping index.

all

Displays the configuration of all the overlapped address pools.

-

inside-vpn-instance inside-vpn-instance-name

Displays the VPN instance of the private network.

The value is a string of 1 to 31 characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the configuration of all the overlapped address pools.

<Huawei> display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
 Id  Overlap-Address  Temp-Address    Pool-Length         Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
 1   10.2.2.2         10.3.10.10        255                            cmml                
 -------------------------------------------------------------------------------
  Total : 1    
Table 9-47 Description of the display nat overlap-address command output

Item

Description

Id

Index of the mapping between the overlapped address pool and the temporary address pool.

Overlap-Address

Start IP address of the overlapped address pool.

Temp-Address

Start IP address of the temporary address pool.

Pool-Length

Length of the address pool.

Inside-VPN-Instance-Name

Name of the VPN instance of the private network.

display nat server

Function

The display nat server command displays the configuration of the NAT server.

Format

display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ]

Parameters

Parameter

Description

Value

global global-address

Indicates the public address of the NAT server.

The value is in dotted decimal notation.

inside host-address

Indicates the private address of the NAT server.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

interface interface-type interface-number [ .subnumber ]

Indicates the type and number of an interface or a sub-interface.

-

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use this command to check whether the NAT server is configured correctly.

Example

# Display the configuration of all NAT servers.

<Huawei> display nat server
    Nat Server Information:                                                       
    Interface  : GigabitEthernet1/0/0              
    Global IP/Port     : 1.1.1.1/1~2                                            
    Inside IP/Port     : 10.10.1.2~10.10.1.3/1                                      
    Protocol : 6(tcp)                                                           
    VPN instance-name  : ----                                                   
    Acl number         : ----                                                   
    Vrrp id            : ----                                                   
    Description : ---- 
                                                                                    
  Total :    1
Table 9-48 Description of the display nat server command output

Item

Description

Nat Server Information

Information of Nat Server.

Interface

Name of an interface.

Global IP/Port

Public IP address and port number.

Inside IP/Port

Private IP address and port number.

Protocol

Protocol number and protocol type.

VPN instance-name

Name of the VPN instance.

Acl number

Number of the ACL in the NAT server.

Vrrp id

VRRP ID.

Description

NAT description.

Total

Number of NAT servers.

display nat session

Function

The display nat session command displays the NAT mapping table.

Format

display nat session { all [ verbose ] | number }

display nat session protocol { protocol-name | protocol-number } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

display nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display nat session destination destination-address [ destination-port ] [ verbose ]

Parameters

Parameter

Description

Value

all

Displays all entries in the NAT mapping table.

-

verbose

Displays detailed information about the NAT mapping table.

-

number

Displays the number of entries in the NAT mapping table.

-

protocol { protocol-name | protocol-number }

Displays the NAT mapping table with a specified protocol type or port number.

  • The value of protocol-name can be icmp, tcp, or udp.
  • The value of protocol-number is an integer that ranges from 1 to 255.

source source-address [ source-port ]

Specifies the source IP address and port number before the NAT translation.

  • source-address: The value is in dotted decimal notation.
  • source-port: The value is an integer that ranges from 1 to 65535.

destination destination-address [ destination-port ]

Specifies the destination IP address and port number before the NAT translation.

  • destination-address: The value is in dotted decimal notation.
  • destination-port: The value is an integer that ranges from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays information about the NAT mapping table. You can view information about all entries or display information by specifying keywords. The entries in a NAT mapping table are triggered by service packets. If the device does not receive any service packet, no entry is generated.

Example

# Display details about all entries in the NAT mapping table.

<Huawei> display nat session all verbose
  NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.3
       New DestPort    : 21

  Total : 2
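
The session output above is a set of "Key : Value" blocks separated by blank lines, which is easy to turn into structured records for auditing or for feeding a SIEM. The parser below is an added example written for this page, not Huawei code; SAMPLE is the output shown in the example above, and the field names it produces, the "twice_nat" label for sessions in which both the source and the destination were rewritten, and the Total cross-check are choices made here.

```python
"""Parser for 'display nat session all verbose' output (added example).

Added here as a worked example, not Huawei code. SAMPLE is the output
shown in the command reference; the field names produced and the
checks applied are choices made for this example.
"""
import re
from collections import Counter

SAMPLE = """\
  NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.200.200.200 65532
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.3
       New DestPort    : 21

  Total : 2
"""

# "Key : Value" with any amount of padding; keys may contain spaces, '/' and '-'
KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)\s*:\s*(?P<val>.*?)\s*$")
PROTO = re.compile(r"^(?P<name>[A-Z]+)\((?P<num>\d+)\)$")


def _addr_port_vpn(value):
    """'10.200.200.200 65532' or '10.200.200.200 65532 vpn1' -> tuple."""
    parts = value.split()
    return parts[0], int(parts[1]), (parts[2] if len(parts) > 2 else None)


def parse_nat_sessions(text):
    """Return (entries, total); each entry is a dict describing one session."""
    entries, current, total = [], None, None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue  # blank lines and the bare 'NAT-Info' marker
        key = " ".join(m.group("key").split())  # collapse double spaces
        val = m.group("val")
        if key == "Protocol":
            pm = PROTO.match(val)
            current = {"protocol": pm.group("name"),
                       "protocol_number": int(pm.group("num"))}
            entries.append(current)
        elif key == "Total":
            total = int(val)
        elif current is None:
            continue  # heading line before the first entry
        elif key == "SrcAddr Port Vpn":
            current["src_addr"], current["src_port"], current["src_vpn"] = _addr_port_vpn(val)
        elif key == "DestAddr Port Vpn":
            current["dst_addr"], current["dst_port"], current["dst_vpn"] = _addr_port_vpn(val)
        elif key == "Time To Live":
            current["ttl_seconds"] = int(val.split()[0])
        elif key == "New SrcAddr":
            current["new_src_addr"] = val
        elif key == "New SrcPort":
            current["new_src_port"] = int(val)
        elif key == "New DestAddr":
            current["new_dst_addr"] = val
        elif key == "New DestPort":
            current["new_dst_port"] = int(val)
    return entries, total


def rewrites(entry):
    """Which halves of the flow the device rewrote for this session."""
    changed = set()
    if (entry["src_addr"], entry["src_port"]) != (entry["new_src_addr"], entry["new_src_port"]):
        changed.add("source")
    if (entry["dst_addr"], entry["dst_port"]) != (entry["new_dst_addr"], entry["new_dst_port"]):
        changed.add("destination")
    return changed


def summarize(entries, total):
    """Per-protocol counts, a check that 'Total' matches what was parsed
    (a mismatch usually means truncated or paged output), and the indexes
    of sessions where both source and destination were rewritten."""
    return {
        "by_protocol": dict(Counter(e["protocol"] for e in entries)),
        "total_matches": total == len(entries),
        "twice_nat": [i for i, e in enumerate(entries)
                      if rewrites(e) == {"source", "destination"}],
    }


if __name__ == "__main__":
    parsed, count = parse_nat_sessions(SAMPLE)
    print(summarize(parsed, count))
```

Run it against captured output from the device instead of SAMPLE; a "total_matches" of False is the first thing to look at, because it means the capture does not contain every entry the device reported.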
Table 9-49 Description of the display nat session all verbose command output

Item

Description

NAT Session Table Information

Information of NAT mapping entries.

Protocol

Protocol type.

SrcAddr Port Vpn

Source address, service port number, and VPN instance name before the translation.

DestAddr Port Vpn

Destination address, service port number, and VPN instance name before the translation.

Time To Live

Time to live (TTL) of the mapping table entries.

NAT-Info

NAT information.

New SrcAddr

Source address after the translation.

New SrcPort

Source port number after the translation.

New DestAddr

Destination address after the translation.

New DestPort

Destination port number after the translation.

Total

Number of NAT mapping entries.

display nat static

Function

The display nat static command displays the configuration of static NAT.

Format

display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-number ]

Parameters

Parameter

Description

Value

global global-address

Indicates the public address for static NAT.

The value is in dotted decimal notation.

inside host-address

Indicates the private address for static NAT.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance.

The value is a string of 1 to 31 characters.

interface interface-type interface-number [ .subnumber ]

Indicates the type and number of an interface or a sub-interface.

-

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After static NAT is configured, you can use the display nat static command to view the configuration of static NAT.

Example

# Display the global configuration of static NAT.

<Huawei> display nat static
  Static Nat Information:                                                       
  Interface  : GigabitEthernet1/0/0                                         
    Global IP/Port     : 1.1.1.1/1~2                                           
    Inside IP/Port     : 10.2.2.2~10.2.2.3/2                                    
    Protocol : 6(tcp)                                                           
    VPN instance-name  : ----                                                   
    Acl number         : ----                                                   
    Vrrp id            : ----                                                   
    Netmask  : 255.255.255.255                                                  
    Description : ----                                                   
                                                                                
  Total :    1      
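
Both display nat server (above) and display nat static print each mapping as "Global IP/Port" and "Inside IP/Port" lines in which either side may be a "~" range, so a single public address can front several internal hosts. For an exposure review, what matters is the expanded list of public endpoint to internal endpoint pairs, and whether two rules claim the same public endpoint. The script below is an added example, not Huawei code; the two SAMPLE strings are the outputs shown in this reference, and the pairing rule it applies (a global range and an inside range of equal size are paired position by position, so 1.1.1.1/1~2 with 10.10.1.2~10.10.1.3/1 gives 1.1.1.1:1 to 10.10.1.2:1 and 1.1.1.1:2 to 10.10.1.3:1) is an assumption made here.

```python
"""Exposure inventory from 'display nat server' / 'display nat static'
output (added example, not Huawei code).

SAMPLE_SERVER and SAMPLE_STATIC are the outputs shown in the command
reference. Pairing rule assumed here: a global 'ip/port' range and an
inside 'ip/port' range of equal size are paired position by position.
"""
import re
from ipaddress import ip_address

SAMPLE_SERVER = """\
    Nat Server Information:
    Interface  : GigabitEthernet1/0/0
    Global IP/Port     : 1.1.1.1/1~2
    Inside IP/Port     : 10.10.1.2~10.10.1.3/1
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----
    Vrrp id            : ----
    Description : ----

  Total :    1
"""

SAMPLE_STATIC = """\
  Static Nat Information:
  Interface  : GigabitEthernet1/0/0
    Global IP/Port     : 1.1.1.1/1~2
    Inside IP/Port     : 10.2.2.2~10.2.2.3/2
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----
    Vrrp id            : ----
    Netmask  : 255.255.255.255
    Description : ----

  Total :    1
"""

KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)\s*:\s*(?P<val>.*?)\s*$")
PROTO = re.compile(r"^(?P<num>\d+)\((?P<name>[a-z]+)\)$")   # e.g. 6(tcp)


def _expand_ips(spec):
    """'10.10.1.2~10.10.1.3' -> both addresses; a single address -> [it]."""
    lo, _, hi = spec.partition("~")
    start, end = int(ip_address(lo)), int(ip_address(hi or lo))
    return [str(ip_address(n)) for n in range(start, end + 1)]


def _expand_ports(spec):
    lo, _, hi = spec.partition("~")
    return list(range(int(lo), int(hi or lo) + 1))


def _endpoints(spec):
    """'ip-or-range/port-or-range' -> list of (ip, port), ip-major order."""
    ip_spec, port_spec = spec.split("/")
    return [(ip, p) for ip in _expand_ips(ip_spec) for p in _expand_ports(port_spec)]


def parse_nat_mappings(text):
    """One dict per 'Interface' block; '----' becomes None."""
    entries, cur = [], None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, val = " ".join(m.group("key").split()), m.group("val")
        if key == "Interface":
            cur = {"interface": val}
            entries.append(cur)
        elif cur is not None and key != "Total":
            cur[key] = None if val == "----" else val
    return entries


def exposure_inventory(text):
    """(proto, global_ip, global_port, inside_ip, inside_port, interface) rows."""
    rows = []
    for e in parse_nat_mappings(text):
        proto = PROTO.match(e["Protocol"]).group("name")
        globals_ = _endpoints(e["Global IP/Port"])
        insides = _endpoints(e["Inside IP/Port"])
        if len(globals_) != len(insides):
            raise ValueError("cannot pair %r with %r" % (e["Global IP/Port"], e["Inside IP/Port"]))
        for (gip, gport), (iip, iport) in zip(globals_, insides):
            rows.append((proto, gip, gport, iip, iport, e["interface"]))
    return rows


def find_conflicts(rows):
    """Public (proto, ip, port) endpoints claimed by more than one mapping."""
    seen, dup = set(), set()
    for proto, gip, gport, *_ in rows:
        key = (proto, gip, gport)
        if key in seen:
            dup.add(key)
        seen.add(key)
    return dup


if __name__ == "__main__":
    inventory = exposure_inventory(SAMPLE_SERVER) + exposure_inventory(SAMPLE_STATIC)
    for row in inventory:
        print(row)
    print("conflicting public endpoints:", find_conflicts(inventory))
```

Because the two sample outputs both map 1.1.1.1 ports 1 and 2, feeding them to find_conflicts together reports both public endpoints as claimed twice, which is the kind of overlap a review of server and static mappings should surface.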
Table 9-50 Description of the display nat static command output

Item

Description

Static Nat Information

Information of Static Nat.

Interface

Name of an interface.

Global IP/Port

Public IP address and port number.

Inside IP/Port

Private IP address and port number.

Protocol

Protocol number and protocol type.

VPN instance-name

Name of the VPN instance.

Acl number

Number of the ACL in the static NAT.

Vrrp id

VRRP ID.

Netmask

Network mask.

Description

NAT description.

Total

Number of static NATs.

display nat static interface enable

Function

The display nat static interface enable command displays the interface enabled with the static NAT function.

Format

display nat static interface enable

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the interface enabled with the static NAT function.

<Huawei> display nat static interface enable
 Static Nat  enable  Information :                                             
------------------------------------------------                                
 interface Vlanif300                                              
------------------------------------------------                                
  Total : 1  
Table 9-51 Description of the display nat static interface enable command output

Item

Description

Static Nat enable Information

Interface enabled with the static NAT function.

Total

Number of interfaces enabled with the static NAT function.

display nat mapping-mode

Function

The display nat mapping-mode command displays the NAT mapping mode.

Format

display nat mapping-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After NAT mapping is configured, you can view the NAT mapping information. For example, you can view:

  • Endpoint-independent mapping information about TCP packets.
  • Endpoint-independent mapping information about UDP packets.
  • Endpoint-independent mapping information about TCP and UDP packets.
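
Mapping mode (this command) and filtering mode (display nat filter-mode, whose usage guidelines list endpoint-independent, endpoint-dependent and endpoint-and-port-dependent filtering) are two separate decisions: the mapping mode decides whether an internal address:port gets the same external port for every destination, and the filtering mode decides which external hosts may send inbound packets to that external port. The model below is an added example written for this page, not device code: it implements both behaviours against a small table so the difference is visible, using the mode names from this reference; the class names, the sequential port allocation starting at 10240 and the documentation-range addresses are assumptions made here. It also models an "endpoint-dependent" mapping mode, which the page does not configure, purely as the contrast case.

```python
"""Model of NAT mapping-mode and filter-mode behaviour (added example).

Constructed for this reference, not device code. The mode names are the
ones the command reference uses; the table layout, the class names,
the port allocation and the IP addresses are assumptions made here.
"""
from dataclasses import dataclass, field
from itertools import count

MAPPING_MODES = ("endpoint-independent", "endpoint-dependent")
FILTER_MODES = ("endpoint-independent", "endpoint-dependent",
                "endpoint-and-port-dependent")


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass
class Mapping:
    external: Endpoint
    peers: set = field(default_factory=set)  # destinations used through it


class NatTable:
    """One public address; external ports are handed out sequentially."""

    def __init__(self, public_ip, mapping_mode, filter_mode, first_port=10240):
        if mapping_mode not in MAPPING_MODES or filter_mode not in FILTER_MODES:
            raise ValueError("unknown NAT mode")
        self.public_ip = public_ip
        self.mapping_mode = mapping_mode
        self.filter_mode = filter_mode
        self._ports = count(first_port)
        self._mappings = {}     # mapping key -> Mapping
        self._by_external = {}  # external Endpoint -> Mapping

    def _key(self, inside, dest):
        # endpoint-independent: one mapping per inside addr:port, whatever the
        # destination; endpoint-dependent: one per (inside, destination) pair
        if self.mapping_mode == "endpoint-independent":
            return inside
        return (inside, dest)

    def outbound(self, inside, dest):
        """Translate an outbound flow; returns the external endpoint used."""
        key = self._key(inside, dest)
        mapping = self._mappings.get(key)
        if mapping is None:
            mapping = Mapping(Endpoint(self.public_ip, next(self._ports)))
            self._mappings[key] = mapping
            self._by_external[mapping.external] = mapping
        mapping.peers.add(dest)
        return mapping.external

    def inbound_allowed(self, src, external):
        """Apply the filter mode to an inbound packet from src to external."""
        mapping = self._by_external.get(external)
        if mapping is None:
            return False  # no mapping at all: dropped under every mode
        if self.filter_mode == "endpoint-independent":
            return True   # any external host may reach the mapped port
        if self.filter_mode == "endpoint-dependent":
            return any(p.addr == src.addr for p in mapping.peers)  # address only
        return src in mapping.peers  # address and port must both match


def probe(mapping_mode, filter_mode):
    """Drive one table through the cases that separate the modes."""
    nat = NatTable("203.0.113.10", mapping_mode, filter_mode)
    host = Endpoint("10.1.1.5", 40000)
    peer_a = Endpoint("198.51.100.1", 3478)
    peer_b = Endpoint("198.51.100.2", 3478)
    ext_a = nat.outbound(host, peer_a)
    ext_b = nat.outbound(host, peer_b)
    return {
        "same_external_port": ext_a == ext_b,
        "from_peer_a": nat.inbound_allowed(peer_a, ext_a),
        "from_peer_a_other_port": nat.inbound_allowed(Endpoint("198.51.100.1", 5000), ext_a),
        "from_stranger": nat.inbound_allowed(Endpoint("192.0.2.99", 9999), ext_a),
    }


if __name__ == "__main__":
    for mm in MAPPING_MODES:
        for fm in FILTER_MODES:
            print(f"mapping={mm:22} filter={fm:28} {probe(mm, fm)}")
```

The "from_stranger" column is the one with security weight: under endpoint-independent filtering any host on the public side can reach an internal port once a mapping exists for it, which is what makes peer-to-peer and STUN-style traversal work and is also why the more restrictive filtering modes exist.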

Example

# Display NAT mapping information.

<Huawei> display nat mapping-mode
  NAT Mapping Mode Information: 
-----------------------------------------------------------
nat mapping-mode endpoint-independent tcp
-----------------------------------------------------------
  Total : 1
Table 9-52 Description of display nat mapping-mode command output

Item

Description

NAT Mapping Mode Information

Information of the NAT mapping mode.

Total

Number of NAT mapping mode entries.

display nat mapping table

Function

The display nat mapping table command displays NAT mapping table information or the number of entries in the NAT table.

Format

display nat mapping table { all | number }

display nat mapping table inside-address ip-address protocol protocol-name port port-number [ vpn-instance vpn-instance-name ]

Parameters

Parameter

Description

Value

all

Displays information about all entries in the NAT mapping table.

-

number

Displays the number of entries in the NAT mapping table.

-

inside-address ip-address

Indicates the internal IP address of the server.

The value is in dotted decimal notation.

protocol protocol-name

Indicates the protocol type.

The value can be tcp or udp.

port port-number

Indicates the protocol port number.

The value is an integer that ranges from 1 to 65535.

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display nat mapping table command displays information about all entries in a NAT table or the number of entries in the NAT table. You can also enter keywords to view a specified entry.

Example

# Display the number of entries in the NAT table.

<Huawei> display nat mapping table number
 The total number of NAT dynamic mapping tables is: 1

# Display information about all entries in the NAT table.

<Huawei> display nat mapping table all
 NAT Dynamic Mapping Table Information:

   Protocol             : UDP(17)
   InsideAddr  Port Vpn : 192.168.1.121   555   
   GlobalAddr  Port     : 1.1.1.1         10491

   Protocol             : UDP(17)
   InsideAddr  Port Vpn : 192.168.1.119   555   
   GlobalAddr  Port     : 2.2.2.2         23099

  Total : 2
Table 9-53 Description of the display nat mapping table command output

Item

Description

The total number of NAT dynamic mapping tables is

Number of NAT mapping tables.

NAT Dynamic Mapping Table Information

Information of NAT mapping tables.

Protocol

Application protocol type.

InsideAddr Port Vpn

Private IP address, port number, and VPN instance name.
NOTE:

If no VPN is configured, the VPN instance name is not displayed.

GlobalAddr Port

Public IP address and port number.

Total

Number of NAT mapping tables.

display stun configuration

Function

The display stun configuration command displays STUN server configuration.

Format

display stun configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display stun configuration command to view STUN server configuration, including the IP address, UDP port number, and VPN instance on which a STUN server listens.

Example

# Display STUN server configuration.

<Huawei> display stun configuration
 STUN Configuration:
--------------------------------------------------------------
  STUN Server Enable                 : Yes
  STUN Server Listening IP           : -
  STUN Server Listening VPN-instance : -
  STUN Server Listening Port         : 3480
--------------------------------------------------------------
Table 9-54 Description of the display stun configuration command output

Item

Description

STUN Configuration

STUN configuration information.

STUN Server Enable

Whether the STUN server function is enabled:

  • Yes
  • No

To configure the STUN server function, run the stun server enable command.

STUN Server Listening IP

IP address on which a STUN server listens. To configure the IP address on which a STUN server listens, run the stun server listening-ip command.

STUN Server Listening VPN-instance

VPN instance on which a STUN server listens. To configure the VPN instance on which a STUN server listens, run the stun server listening-ip command.

STUN Server Listening Port

UDP port number on which a STUN server listens. To configure the UDP port number on which a STUN server listens, run the stun server listening-port command.

display stun statistics packet

Function

The display stun statistics packet command displays STUN packet statistics.

Format

display stun statistics packet

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display stun statistics packet command to view received and sent STUN packet statistics for STUN fault location and maintenance.

Example

# Display STUN packet statistics.

<Huawei> display stun statistics packet

 STUN packet statistics information:
------------------------------------------------------
 STUN Detect Initiate                     : 0
 STUN Detect Timeout                      : 0
 STUN Detect Request Send OK/Error        : 0/0
 STUN Detect Request Resend OK/Error      : 0/0
 STUN Detect Response Receive OK/Error    : 0/0
 STUN Detect Request Receive OK/Error     : 0/0
 STUN Detect Response Send OK/Error       : 0/0
 STUN Pathset Initiate                    : 0
 STUN Pathset Timeout                     : 0
 STUN Pathset Request Send OK/Error       : 0/0
 STUN Pathset Request Resend OK/Error     : 0/0
 STUN Pathset Response Receive OK/Error   : 0/0
 STUN Pathset Request Receive OK/Error    : 0/0
 STUN Pathset Response Send OK/Error      : 0/0
------------------------------------------------------
Table 9-55 Description of the display stun statistics packet command output

Item

Description

STUN packet statistics information

STUN packet statistics.

STUN Detect Initiate

Number of initiated STUN detections.

STUN Detect Timeout

Number of expired STUN detections.

STUN Detect Request Send OK/Error

Number of STUN detection requests that were sent successfully or failed to be sent.

STUN Detect Request Resend OK/Error

Number of STUN detection requests that were retransmitted successfully or failed to be retransmitted.

STUN Detect Response Receive OK/Error

Number of STUN detection responses that were received successfully or failed to be received.

STUN Detect Request Receive OK/Error

Number of STUN detection requests that were received successfully or failed to be received.

STUN Detect Response Send OK/Error

Number of STUN detection responses that were sent successfully or failed to be sent.

STUN Pathset Initiate

Number of initiated STUN pathsets.

STUN Pathset Timeout

Number of expired STUN pathsets.

STUN Pathset Request Send OK/Error

Number of STUN pathset requests that were sent successfully or failed to be sent.

STUN Pathset Request Resend OK/Error

Number of STUN pathset requests that were retransmitted successfully or failed to be retransmitted.

STUN Pathset Response Receive OK/Error

Number of STUN pathset responses that were received successfully or failed to be received.

STUN Pathset Request Receive OK/Error

Number of STUN pathset requests that were received successfully or failed to be received.

STUN Pathset Response Send OK/Error

Number of STUN pathset responses that were sent successfully or failed to be sent.

nat address-group

Function

The nat address-group command configures a NAT address pool.

The undo nat address-group command deletes a NAT address pool.

By default, no NAT address pool is configured.

Format

nat address-group group-index start-address end-address

undo nat address-group group-index

Parameters

Parameter

Description

Value

group-index

Specifies the index of a NAT address pool.

The value is an integer.
  • AR651W-X4, AR651-X8, AR6140-16G4XG, AR6140H-S, AR6140K-9G-2AC, AR6140-9G-2AC, AR6140E-9G-2AC, AR6140-S, AR6140E-S: 0 to 255
  • SRU-100H, SRU-100HH, SRU-200H, SRU-400HK, SRU-600HK, SRU-400H, and SRU-600H: 0 to 255
  • For other models: 0 to 31.

start-address

Specifies the start address of the address pool.

The value is in dotted decimal notation.

end-address

Specifies the end address of the address pool.

The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An address pool is a set of consecutive IP addresses. When a packet from the private network is forwarded to the public network through address translation, its source address is translated to an address taken from the address pool.

Precautions

The start IP address of the address pool must be smaller than or equal to the end IP address of the address pool and up to 255 IP addresses can be configured in the address pool.
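
The two rules in the precaution above (start not greater than end, at most 255 addresses) can be checked before a pool is pushed to a device, and the verbose table printed by display nat address-group verbose earlier in this reference shows, through Ref-times, whether a configured pool is actually used by any NAT rule. The script below is an added example written for this page, not Huawei code: validate_pool applies the two stated rules, and audit_address_groups parses the verbose table and flags pools that break them or that nothing references. SAMPLE is the reference's verbose output plus one constructed row (index 2, referenced once in pat mode); MAX_POOL_SIZE is the 255 limit stated above.

```python
"""Checks for NAT address pools (added example, not Huawei code).

validate_pool applies the two rules the command reference states for
nat address-group: start <= end and at most 255 addresses.
parse_address_groups reads 'display nat address-group verbose' output;
SAMPLE is the reference's example row plus one constructed row (index 2).
"""
from ipaddress import IPv4Address

MAX_POOL_SIZE = 255  # limit stated in the nat address-group precautions

SAMPLE = """\
NAT Address-Group Information:
 -----------------------------------------------------------
 Index   Start-address      End-address  Ref-times  Ref-type
 -----------------------------------------------------------
 1            10.1.1.1        10.1.1.10          0      ----
 2         10.10.10.10      10.10.10.15          1       pat
 -----------------------------------------------------------
  Total : 2
"""


def validate_pool(start, end):
    """Return the pool size, or raise ValueError naming the violated rule."""
    s, e = IPv4Address(start), IPv4Address(end)
    if s > e:
        raise ValueError(f"start {s} is greater than end {e}")
    size = int(e) - int(s) + 1
    if size > MAX_POOL_SIZE:
        raise ValueError(f"pool holds {size} addresses, limit is {MAX_POOL_SIZE}")
    return size


def parse_address_groups(text):
    """Rows of the verbose table as dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # a data row has exactly five columns and starts with the numeric index
        if len(parts) == 5 and parts[0].isdigit():
            rows.append({"index": int(parts[0]), "start": parts[1], "end": parts[2],
                         "ref_times": int(parts[3]), "ref_type": parts[4]})
    return rows


def audit_address_groups(text):
    """(index, finding) pairs for pools that break the size rules or that no
    NAT rule references. Routes for pool addresses exist as soon as the pool
    is configured (see nat address-pool deny-ping enable), so an unreferenced
    pool is still reachable state worth noticing."""
    findings = []
    for r in parse_address_groups(text):
        try:
            validate_pool(r["start"], r["end"])
        except ValueError as exc:
            findings.append((r["index"], str(exc)))
        if r["ref_times"] == 0:
            findings.append((r["index"], "pool is not referenced by any NAT rule"))
    return findings


if __name__ == "__main__":
    print("pool size:", validate_pool("10.110.10.10", "10.110.10.15"))
    for index, finding in audit_address_groups(SAMPLE):
        print(f"address-group {index}: {finding}")
```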

Example

# Configure an address pool ranging from 10.110.10.10 to 10.110.10.15, with the address pool index being 1.

<Huawei> system-view
[Huawei] nat address-group 1 10.110.10.10 10.110.10.15  

nat alg

Function

The nat alg command enables the NAT ALG function for application protocols.

The undo nat alg command disables the NAT ALG function for application protocols.

By default, NAT ALG is disabled.

Format

nat alg { all | protocol-name } enable

undo nat alg { all | protocol-name } enable

Parameters

Parameter

Description

Value

all

Enables the NAT ALG function for DNS, FTP, SIP, PPTP and RTSP.

-

protocol-name

Enables the NAT ALG function for the specified protocol type.

The value can be dns, ftp, sip, pptp, and rtsp.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the public network through NAT. Otherwise, the application protocol cannot work normally.
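
Why some protocols need an ALG at all is easiest to see with FTP, one of the protocols this command accepts: in active mode the client sends a PORT command whose payload carries its own address and a listening port, and plain NAT rewrites only the IP and TCP headers, so the server would try to connect back to a private address. The code below is an added example written for this page, not device code: it parses the PORT command, replaces the embedded address with the public one, allocates an external port and returns the pinhole that NAT would have to open for the server's data connection. The addresses, the port allocator and the rule that a PORT naming a different host than the session's own source is left untouched are assumptions made here.

```python
"""What a NAT ALG does for FTP active mode (added example, not device code).

Plain NAT rewrites only the IP/TCP headers. An FTP client in active mode
sends 'PORT h1,h2,h3,h4,p1,p2' carrying its own (private) address and a
listening port inside the TCP payload. The ALG below parses the command,
replaces the embedded address with the public one, allocates an external
port and reports the pinhole NAT must open. Addresses, port numbers and
the allocator are assumptions made for this example.
"""
import re
from itertools import count

PORT_CMD = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def decode_port(payload):
    """Return (ip, port) from a PORT command, or None if it is not one."""
    m = PORT_CMD.match(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed: octets and port bytes are 0..255
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def encode_port(ip, port):
    """Inverse of decode_port, with the CRLF line ending FTP uses."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def ftp_alg_rewrite(payload, private_ip, public_ip, allocate_port):
    """Rewrite one control-channel payload seen on an outbound session.

    Returns (new_payload, pinhole). pinhole is
    (public_ip, public_port, private_ip, private_port) when a mapping
    must be created for the server's data connection, else None.
    A PORT that names a host other than the session's own source is
    left untouched: the ALG should not let one client open the gateway
    to a different internal host.
    """
    decoded = decode_port(payload)
    if decoded is None or decoded[0] != private_ip:
        return payload, None
    private_port = decoded[1]
    public_port = allocate_port()
    pinhole = (public_ip, public_port, private_ip, private_port)
    return encode_port(public_ip, public_port), pinhole


if __name__ == "__main__":
    ports = count(10240)  # constructed external port allocator
    for line in ("USER anonymous\r\n", "PORT 10,1,1,5,156,64\r\n"):
        print(ftp_alg_rewrite(line, "10.1.1.5", "203.0.113.10", lambda: next(ports)))
```

Without the ALG the server would see "PORT 10,1,1,5,156,64" and attempt a connection to 10.1.1.5:40000, which is exactly the failure this reference describes as the protocol not working normally through NAT.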

Example

# Enable the NAT ALG function for FTP.

<Huawei> system-view
[Huawei] nat alg ftp enable

# Disable the NAT ALG function for FTP.

<Huawei> system-view
[Huawei] undo nat alg ftp enable

nat assymmetric route enable

Function

The nat assymmetric route enable command disables the magic number check function for NAT services.

The undo nat assymmetric route enable command enables the magic number check function for NAT services.

By default, the magic number check function is enabled for NAT services.

Format

nat assymmetric route enable

undo nat assymmetric route enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Run this command on an interface to disable the magic number check for NAT services on that interface, in the asymmetric-routing scenario the command name refers to. Disabling the check removes a validation step applied to NAT traffic, so leave it enabled on interfaces where asymmetric routing does not occur.

Example

# Disable the magic number check function for NAT services.

<Huawei> system-view
[Huawei] interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2] nat assymmetric route enable
Info: nat assymmetric route enable

nat address-pool deny-ping enable

Function

The nat address-pool deny-ping enable command enables the function of denying access to addresses in a NAT address pool.

The undo nat address-pool deny-ping enable command disables the function of denying access to addresses in a NAT address pool.

By default, the function of denying access to addresses in a NAT address pool is disabled.

This function is supported only in V300R022C00SPC100 and later versions.

Format

nat address-pool deny-ping enable

undo nat address-pool deny-ping enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a NAT address pool is configured, the device installs user network routes (UNRs) for the pool addresses, so the pool addresses are reachable and users can, for example, ping them. After this function is enabled, access to the addresses in the NAT address pool is denied, which keeps the pool addresses from being used as reachable targets and reduces the exposed surface of the NAT device.

Example

# Enable the function of denying access to addresses in a NAT address pool.

<Huawei> system-view
[Huawei] nat address-pool deny-ping enable

nat sip cac enable

Function

The nat sip cac enable command enables the function of call admission control and configures the total bandwidth of the device to limit the SIP call bandwidth.

The undo nat sip cac enable command disables the function of call admission control and cancels the configuration of total bandwidth. The SIP call bandwidth is not limited.

The default bandwidth of a device is 0, and the call bandwidth is not limited.

Format

nat sip cac enable bandwidth { bandwidth-value | percent value interface interface-type interface-number [ .subnumber ] }

undo nat sip cac enable

Parameters

Parameter

Description

Value

bandwidth bandwidth-value

Specifies the total bandwidth of the device.

The value is an integer that ranges from 1 to 4294967295, in kbit/s.

percent value

Specifies the total bandwidth on the device, which is a percentage of the bandwidth on SIP outgoing interface.

The value is an integer that ranges from 1 to 100.

interface interface-type interface-number [ .subnumber ]

Specifies the SIP outgoing interface type and number.

  • interface-type specifies the interface type.
  • interface-number [ .subnumber ] specifies the interface number.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the SIP server is deployed on the public network and SIP phones on the public and private networks call each other, call quality degrades if the NAT device does not have enough bandwidth. Enable call admission control (CAC) and set the total bandwidth on the NAT device to bound the bandwidth that SIP calls may consume. A new SIP call whose bandwidth would push the total past the configured value is rejected.

Example

# Set the total bandwidth of the device to 2000 kbit/s to limit the call bandwidth.

<Huawei> system-view
[Huawei] nat sip cac enable bandwidth 2000

# Set the total bandwidth on the device to 10% of the bandwidth on GE1/0/0 to limit the call bandwidth.

<Huawei> system-view
[Huawei] nat sip cac enable bandwidth percent 10 interface gigabitethernet 1/0/0

nat dns-map

Function

The nat dns-map command configures a mapping entry from the domain name to the public IP address, port number, and protocol type.

The undo nat dns-map command deletes a mapping entry from the domain name to the public IP address, port number, and protocol type.

By default, no mapping entry is configured.

Format

nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

undo nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

Parameters

Parameter

Description

Value

domain-name

Specifies a valid domain name that can be resolved by the DNS server.

The value is a string of 1 to 255 case-insensitive characters without spaces. The domain name of each level contains a maximum of 63 characters. Domain names of different levels are separated by periods (.) and contain a maximum of 255 characters. The string cannot contain the following characters: / : < > @ \ | % ' ".

global-address

Specifies a valid IP address provided for external access.

The value is in dotted decimal notation.

interface interface-type interface-number [ .subnumber ]

Specifies the type and number of an interface or a sub-interface.

-

global-port

Specifies the port number of the service provided for external access.

The value is an integer that ranges from 1 to 65535.

protocol-name

Specifies the protocol carried over IP.

The value can be tcp and udp.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Use this command to map a domain name to the public IP address, port number, and protocol of an internal server. With the mapping in place, internal hosts can reach the right internal server by domain name even when no DNS server is deployed on the private network.

By default no DNS mapping is configured. In that case, when internal hosts query the external DNS server, the replies carry public IP addresses and the device can map them back to only one internal server, so internal hosts cannot distinguish between internal servers by domain name.

Follow-up Procedure

Run the nat alg dns enable command to enable the DNS NAT ALG function. The NAT ALG function allows hosts on a private network to access servers on the private network through the external DNS server.

Example

# Configure a mapping entry from a domain name to public IP address, port number, and protocol type.

<Huawei> system-view
[Huawei] nat dns-map www.test.com 10.1.1.1 2012 tcp

nat filter-mode

Function

The nat filter-mode command sets the NAT filtering mode.

The default NAT filtering mode is endpoint-and-port-dependent.

Format

nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

Parameters

Parameter

Description

Value

endpoint-dependent

Indicates the NAT filtering mode dependent on the external address and independent of the port.

-

endpoint-independent

Indicates the NAT filtering mode independent of the external address and port.

-

endpoint-and-port-dependent

Indicates the NAT filtering mode dependent on the external address and port.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The NAT filtering mode decides which packets arriving from the public network may use an existing NAT mapping. It determines whether applications that rely on STUN or TURN can traverse the NAT device (the modes correspond to the filtering behaviors defined in RFC 4787).

For traffic from the external network to the internal network, the device searches the mapping table as follows:

  • endpoint-independent: the key is "destination IP address + destination port number + protocol number". If an entry is found, the device generates a reverse mapping entry whose destination address and port are the internal IP address and port. Any external host can therefore reach the internal host through the mapped address and port once the mapping exists.
  • endpoint-dependent: the key is "source IP address + destination IP address + destination port number + protocol number". Only the external host for which the mapping was created is admitted, whatever source port it uses. The reverse mapping entry behaves the same way as the mapping table entry.
  • endpoint-and-port-dependent (the default): the key is "source IP address + source port number + destination IP address + destination port number + protocol number". Only the exact external endpoint the internal host contacted is admitted. The reverse mapping entry behaves the same way as the mapping table entry.

Choose the least permissive mode the application tolerates. Endpoint-independent filtering exposes every mapped port to unsolicited traffic from any external host for the lifetime of the mapping.

You can change the NAT filtering mode only when no traffic is being transmitted between the external network and the internal network.
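The three lookup keys above, as an added example in Python (written for this page, not Huawei device code). The mapping entry, the probe packets, the RFC 5737 documentation addresses and the class and function names are constructed for illustration; the model also assumes the mapping behavior itself is endpoint-independent, so one outbound session creates the single entry that every inbound probe is checked against:

```python
from dataclasses import dataclass

MODES = ("endpoint-independent", "endpoint-dependent", "endpoint-and-port-dependent")


@dataclass(frozen=True)
class Mapping:
    """One NAT mapping table entry created by outbound traffic."""
    proto: str
    inside: tuple    # (private IP, private port)
    external: tuple  # (public IP, public port) allocated by the NAT device
    remote: tuple    # (external peer IP, peer port) the session was opened to


class NatFilter:
    """Inbound lookup under the three nat filter-mode settings (illustrative model)."""

    def __init__(self, mode="endpoint-and-port-dependent"):
        if mode not in MODES:
            raise ValueError(f"unknown filter mode {mode!r}")
        self.mode = mode
        self.table = []

    def outbound(self, proto, inside, external, remote):
        # Model assumption: mapping behaviour is endpoint-independent, so the entry
        # created here is the one consulted for every inbound packet to `external`.
        self.table.append(Mapping(proto, inside, external, remote))

    def inbound(self, proto, src, dst):
        """Return the private endpoint an inbound packet is forwarded to, or None if filtered."""
        for m in self.table:
            # destination IP + destination port + protocol are part of the key in every mode
            if m.proto != proto or m.external != dst:
                continue
            if self.mode == "endpoint-independent":
                return m.inside                        # key: dst IP + dst port + proto
            if self.mode == "endpoint-dependent" and m.remote[0] == src[0]:
                return m.inside                        # key also requires the source IP
            if self.mode == "endpoint-and-port-dependent" and m.remote == src:
                return m.inside                        # key also requires source IP + port
        return None


def probe(mode):
    """Constructed scenario: one outbound UDP session to a STUN-style peer, then
    three inbound probes. Returns whether each probe reaches the internal host:
    from the same peer endpoint, from the same peer host on another port, and
    from an unrelated host."""
    nat = NatFilter(mode)
    nat.outbound("udp", inside=("192.168.1.10", 5000),
                 external=("198.51.100.1", 40000), remote=("203.0.113.5", 3478))
    probes = [("203.0.113.5", 3478), ("203.0.113.5", 3479), ("192.0.2.9", 9999)]
    return [nat.inbound("udp", src, ("198.51.100.1", 40000)) is not None for src in probes]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:28s} {probe(mode)}")
```

Running it shows the exposure each mode buys: endpoint-independent admits all three probes, endpoint-dependent admits the two from the peer host, and the default endpoint-and-port-dependent admits only the endpoint the internal host actually contacted.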

Example

# Set the NAT filtering mode independent of the external address and port.

<Huawei> system-view
[Huawei] nat filter-mode endpoint-independent

nat log-format elog

Function

The nat log-format elog command sets the NAT log format to eLog. The logs are generated in the format specified by the eLog server.

The undo nat log-format elog command changes the current NAT log format from eLog to a common format.

By default, a common format is used as the NAT log format.

Format

nat log-format elog

undo nat log-format elog

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the device must interwork with an eLog server, it has to send its NAT log packets in the format the eLog server expects before the connection can be established. Run nat log-format elog to select the eLog format, or undo nat log-format elog to return to the common format.

Example

# Set the NAT session log format to eLog.

<Huawei> system-view
[Huawei] nat log-format elog

# Set the NAT session log format to a common format.

<Huawei> system-view
[Huawei] undo nat log-format elog

nat miss forward deny

Function

The nat miss forward deny command enables a device to discard the packets that do not match the ACL rules bound to NAT.

The undo nat miss forward deny command disables a device from discarding the packets that do not match the ACL rules bound to NAT.

By default, the function of discarding the packets that do not match the ACL rules bound to NAT is disabled on a device.

Format

nat miss forward deny

undo nat miss forward deny

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After an ACL is associated with a NAT address pool, the device translates the source address of a packet that matches the ACL into an IP address in the pool. Packets that match no ACL rule bound to NAT are not translated and, by default, are still forwarded. Run the nat miss forward deny command to discard them instead, so that traffic that was not selected for NAT cannot leave the egress interface carrying its original private source address.

After the nat miss forward deny command is run, packets are also discarded when NAT fails because the number of session entries has reached the upper limit or a flow table conflict occurs. This is the fail-closed setting for a NAT egress.

Example

# Enable the device to discard the packets that do not match the ACL rules bound to NAT.

<Huawei> system-view
[Huawei] nat miss forward deny

nat outbound

Function

The nat outbound command associates an ACL with a NAT address pool. In this way, the addresses specified in the ACL can be translated using the NAT address pool.

The undo nat outbound command disables outbound NAT.

By default, outbound NAT is disabled.

Format

nat outbound acl-number address-group group-index [ no-pat ] [ vrrp vrrpid ]

undo nat outbound acl-number address-group group-index [ no-pat ] [ vrrp vrrpid ]

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

address-group group-index

Indicates that the NAT address pool is used for address translation. If no NAT address pool is specified, the IP address of the interface is used as the translated IP address. That is, Easy IP is used.

The value is an integer.
  • AR651W-X4, AR651-X8, AR6140-16G4XG, AR6140H-S, AR6140K-9G-2AC, AR6140-9G-2AC, AR6140E-9G-2AC, AR6140-S, AR6140E-S: 0 to 255
  • SRU-100H, SRU-100HH, SRU-200H, SRU-400HK, SRU-600HK, SRU-400H, and SRU-600H: 0 to 255
  • For other models: 0 to 31.

no-pat

Indicates one-to-one address translation; that is, only the IP address in a data packet is translated and the port number is not translated.

-

vrrp vrrpid

Specifies a VRRP ID.

NOTE:

Currently, this parameter does not take effect because a VRRP virtual IP address cannot be used as the post-NAT address on AR routers.

The value is an integer that ranges from 1 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an ACL is associated with a NAT address pool, NAT translates the source IP address of a data packet matching the ACL into an IP address in the NAT address pool.

Multiple ACL-to-address pool associations can be configured on the same interface. This interface usually connects to an ISP network and is the egress of the internal network.

This command can be run only on NAT-capable Layer 3 interfaces.
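A model of the pool-based outbound translation described above, added here as an example in Python (written for this page, not Huawei device code). It applies the nat address-group limits (start not above end, at most 255 addresses), shows the difference between PAT and no-pat translation when a three-address pool faces five hosts, and shows how nat miss forward deny changes what happens to a packet that matches no ACL rule. The class and function names, the ACL representation and the five hosts in 10.110.10.0/24 are constructed; what the device does with a packet when a no-pat pool is exhausted and nat miss forward deny is not configured is not stated on this page, and the model's choice to forward such a packet untranslated is an assumption:

```python
import ipaddress
from dataclasses import dataclass, field


def address_group(start, end):
    """Expand a NAT address pool after the checks the command reference states:
    start <= end and at most 255 addresses."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s > e:
        raise ValueError("start address must be less than or equal to end address")
    size = int(e) - int(s) + 1
    if size > 255:
        raise ValueError(f"pool would hold {size} addresses; the limit is 255")
    return [str(ipaddress.IPv4Address(int(s) + i)) for i in range(size)]


def acl_permits(rules, src_ip):
    """Minimal basic-ACL model: rules are (action, network), first match wins;
    a source matching no rule is not selected for translation."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, network in rules:
        if ip in ipaddress.IPv4Network(network):
            return action == "permit"
    return False


@dataclass
class OutboundNat:
    """One 'nat outbound acl-number address-group group-index' binding on an egress interface."""
    pool: list
    acl: list
    no_pat: bool = False               # one-to-one: translate the address, keep the port
    miss_forward_deny: bool = False    # 'nat miss forward deny' configured in system view
    sessions: dict = field(default_factory=dict)   # (src_ip, src_port) -> (pool_ip, pool_port)
    host_map: dict = field(default_factory=dict)   # no-pat only: src_ip -> dedicated pool_ip
    next_port: int = 1024

    def _not_translated(self, src_ip, src_port):
        if self.miss_forward_deny:
            return ("dropped", None, None)
        # Forwarded untranslated. Stated on the page for packets matching no ACL rule;
        # for an exhausted no-pat pool this is the model's assumption.
        return ("forwarded", src_ip, src_port)

    def translate(self, src_ip, src_port):
        """Return (status, public_ip, public_port) for an outbound packet."""
        if not acl_permits(self.acl, src_ip):
            return self._not_translated(src_ip, src_port)   # no ACL match
        key = (src_ip, src_port)
        if key in self.sessions:
            return ("translated", *self.sessions[key])
        if self.no_pat:
            if src_ip not in self.host_map:
                in_use = set(self.host_map.values())
                free = [ip for ip in self.pool if ip not in in_use]
                if not free:
                    return self._not_translated(src_ip, src_port)   # pool exhausted
                self.host_map[src_ip] = free[0]
            mapping = (self.host_map[src_ip], src_port)
        else:
            # PAT: pool addresses are shared and every session gets its own public port
            mapping = (self.pool[len(self.sessions) % len(self.pool)], self.next_port)
            self.next_port += 1
        self.sessions[key] = mapping
        return ("translated", *mapping)


def demo():
    """Constructed input: pool 1.1.1.1-1.1.1.3 and five hosts in 10.110.10.0/24
    each opening one session. Returns the per-host status for PAT and for
    no-pat combined with 'nat miss forward deny'."""
    pool = address_group("1.1.1.1", "1.1.1.3")
    acl = [("permit", "10.110.10.0/24")]
    pat = OutboundNat(pool, acl)
    nopat = OutboundNat(pool, acl, no_pat=True, miss_forward_deny=True)
    hosts = [f"10.110.10.{i}" for i in range(1, 6)]
    return ([pat.translate(h, 40000)[0] for h in hosts],
            [nopat.translate(h, 40000)[0] for h in hosts])


if __name__ == "__main__":
    print(demo())
```

The no-pat result is the point to notice: a pool sized below the number of internal hosts is a denial-of-service waiting to happen, and whether the overflow is dropped or leaks out untranslated depends on nat miss forward deny, not on the pool configuration.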

Example

# Select the addresses from 1.1.1.1 to 1.1.1.3 to form NAT address pool 1, and configure many-to-one address translation (using TCP/UDP port information) for the hosts in the network segment 10.110.10.0/24 using the addresses in address pool 1.

<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] nat address-group 1 1.1.1.1 1.1.1.3
[Huawei] interface gigabitethernet 1/0/0  
[Huawei-GigabitEthernet1/0/0] nat outbound 2001 address-group 1

nat outbound (Easy IP)

Function

The nat outbound command configures Easy IP.

The undo nat outbound command disables Easy IP.

By default, Easy IP is disabled.

Format

nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ] [ vrrp vrrpid ]

undo nat outbound acl-number [ interface interface-type interface-number [ .subnumber ] ] [ vrrp vrrpid ]

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

interface interface-type interface-number [ .subnumber ]

Specifies an interface or sub-interface whose address is used as the post-NAT address.

-

vrrp vrrpid

Specifies a VRRP ID.

NOTE:

Currently, this parameter does not take effect because a VRRP virtual IP address cannot be used as the post-NAT address on AR routers.

The value is an integer that ranges from 1 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Easy IP uses the IP address of an interface as the post-NAT IP address.

This command can be run only on NAT-capable Layer 3 interfaces.

Example

# Configure the IP address of an interface as the post-NAT IP address.

<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] interface gigabitethernet 1/0/0 
[Huawei-GigabitEthernet1/0/0] nat outbound 2001

nat overlap-address

Function

The nat overlap-address command configures the mapping between an overlapped address pool and a temporary address pool.

The undo nat overlap-address command deletes the mapping between an overlapped address pool and a temporary address pool.

By default, the mapping between an overlapped address pool and a temporary address pool is not configured.

Format

nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

undo nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name }

Parameters

Parameter

Description

Value

map-index

Specifies the index of the mapping between the overlapped address pool and the temporary address pool.

  • The value on the AR651-X8 is an integer that ranges from 0 to 15.
  • The value on the AR6140-16G4XG and AR6140H-S is an integer that ranges from 0 to 31.
  • The value on the other device of the AR600 and AR6100 series is an integer that ranges from 0 to 7.
  • SRU-100H, SRU-100HH, SRU-200H, SRU-400HK, SRU-600HK, SRU-400H, and SRU-600H is an integer that ranges from 0 to 31.

overlappool-startaddress

Specifies the start address of the overlapped address pool. The overlapped address pools of different mappings must not overlap one another.

The value is in dotted decimal notation.

temppool-startaddress

Specifies the start address of the temporary address pool. The temporary address pools of different mappings must not overlap one another.

The value is in dotted decimal notation.

pool-length length

Indicates the length of the address pool. The lengths of the overlapped address pool and the temporary address pool are the same and an address in the overlapped address pool maps an address in the temporary address pool.

The value is an integer that ranges from 1 to 255.

all

The configuration of all the overlapped address pools.

-

inside-vpn-instance inside-vpn-instance-name

Indicates the VPN instance of the private network.

The value is a string of 1 to 31 characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the IP addresses of internal hosts overlap with those of external hosts, configure a mapping between the overlapped address pool and a temporary address pool. Each overlapped address is then translated into a unique temporary address, so packets can be forwarded correctly. Outbound NAT must be configured as well, so that traffic is translated twice (twice NAT): once between the overlapped and temporary addresses, and once by outbound NAT.

Example

# Configure the mapping between an overlapped address pool and a temporary address pool with the index being 1. The length of the overlapped address pool is 255, the overlapped address pool belongs to the VPN huawei, and the start address of the overlapped address pool is 10.10.10.1. The start address of the temporary address pool is 10.100.100.1.

<Huawei> system-view
[Huawei] ip vpn-instance huawei  
[Huawei-vpn-instance-huawei] route-distinguisher 200:1
[Huawei-vpn-instance-huawei-af-ipv4]  quit
[Huawei-vpn-instance-huawei] quit
[Huawei] nat overlap-address 1 10.10.10.1 10.100.100.1 pool-length 255 inside-vpn-instance huawei

nat server

Function

The nat server command defines a mapping table of internal servers so that external users can access internal servers through address and port translation.

The undo nat server command cancels the mapping table.

By default, no mapping table is configured.

Format

nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

undo nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ]

undo nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ]

Parameters

Parameter

Description

Value

protocol

Indicates the protocol type.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures external information about the NAT server.

-

icmp

Indicates that servers communicate with each other using ICMP.

-

tcp

Indicates that servers communicate with each other using TCP.

-

udp

Indicates that servers communicate with each other using UDP.

-

global-address

Specifies a valid IP address provided for external access.

The value is in dotted decimal notation.

inside

Configures internal information about the NAT server.

-

host-address

Specifies an IP address of the NAT server.

The value is in dotted decimal notation.

host-address2

Specifies the ending IP address of the private network.

The value is in dotted decimal notation.

global-port

Specifies the external service port number. You can use keywords to replace common port numbers. For example, the FTP port number is 21, so you can use the keyword ftp. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number. You can use keywords to replace common port numbers. For example, the FTP port number is 21, so you can use the keyword ftp. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the NAT server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535. When expressed by name, the value can be any of the following: any(0), bgp(179), chargen(19), cmd(514), daytime(13), discard(9), domain(53), echo(7), exec(512), finger(79), ftp(21), gopher(70), hostname(101), irc(194), klogin(543), kshell(544), login(513), lpd(515), nntp(119), pop2(109), pop3(110), smtp(25), sunrpc(111), tacacs(49), talk(517), telnet(23), time(37), uucp(540), whois(43), www(80). The numbers in brackets are the service port numbers.

vpn-instance vpn-instance-name

Specifies the name of a private network-side VPN instance.

The value is a string of 1 to 31 characters.

vrrp vrrpid

Specifies the VRRP ID.

After NAT address pools are configured on devices in a VRRP group, both devices may perform NAT for packets, resulting in conflicts. You can specify vrrp vrrpid to configure the master device to perform NAT, preventing conflicts.

NOTE:

Currently, this parameter does not take effect because a VRRP virtual IP address cannot be used as the post-NAT address on AR routers.

The value is an integer that ranges from 1 to 255.

acl acl-number

Indicates the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

description description

Indicates the NAT description.

The value is a string of 1 to 255 case-sensitive characters. It can contain spaces.

current-interface

Indicates a public address as the current interface address.

-

interface interface-type interface-number [ .subnumber ]

Indicates a public address as the interface address.

-

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Configure an internal server so that hosts on the external network can actively access it. When a host on the public network sends a connection request to the public address (global-address) of the internal NAT server, the device translates the destination address of the request into the private address (host-address) and forwards the request to the server on the private network.

You can configure ACL rules to allow specified users to access an internal server.

  • This command can be run only on NAT-capable Layer 3 interfaces.

  • When configuring an internal NAT server, ensure that global-address and host-address are different from IP addresses of ports and IP addresses in the user address pool.
  • The address of current-interface or of a loopback interface can be used as the internal server's public (global) address.
  • The undo nat server command does not delete existing mapping entries immediately. Run the reset nat session command to delete them.
  • Unlike static NAT, NAT Server translates only the IP address, not the port number, when the private-network server itself initiates access to the public network.
  • When you configure a one-to-one NAT server that borrows an interface IP address (no port is specified, so the whole public address is mapped to one private host), other services enabled on that interface may become unreachable, because every inbound packet to that address is redirected to the internal host. Confirm your action before performing the configuration. If other applications must remain reachable on the interface, add an ACL rule after the configuration that excludes the ports those applications use.

Precautions

The specified global-port or host-port cannot be used by other applications. Otherwise, the configuration does not take effect.

When specifying global-port2 to configure multiple public ports, you must also specify host-address2 to configure multiple private addresses and ensure that the number of ports is the same as that of private addresses.

If you need to map the private address of an internal server into the IP address of the public network interface when configuring this command on the public network interface, you must set the current-interface parameter to specify a global address as the current interface address.

If you specify vrrp vrrpid when configuring the nat server command on an interface, the interface must support the VRRP function.

The vpn-instance-name parameter in the command specifies a private network-side VPN instance and does not take effect on the global-address parameter. The ip binding vpn-instance vpn-instance-name command can be run in the interface view to bind a public network-side VPN instance to the interface.
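A worked expansion of the nat server syntax and precautions above, added here as an example in Python (written for this page, not Huawei device code). It turns one command line into the individual public-to-private entries, rejects a public port range whose length differs from the private address range, resolves the port keywords listed in the parameter table, and applies the optional ACL to the inbound source address before any translation. The addresses, the ACL representation and the function and class names are constructed; how a port range behaves when host-port is omitted is not stated above, and this model's choice to keep each public port number on the inside is an assumption:

```python
import ipaddress
from dataclasses import dataclass, field

# Port keywords the command accepts in place of numbers (from the parameter table above).
PORT_KEYWORDS = {
    "any": 0, "bgp": 179, "chargen": 19, "cmd": 514, "daytime": 13, "discard": 9,
    "domain": 53, "echo": 7, "exec": 512, "finger": 79, "ftp": 21, "gopher": 70,
    "hostname": 101, "irc": 194, "klogin": 543, "kshell": 544, "login": 513,
    "lpd": 515, "nntp": 119, "pop2": 109, "pop3": 110, "smtp": 25, "sunrpc": 111,
    "tacacs": 49, "talk": 517, "telnet": 23, "time": 37, "uucp": 540, "whois": 43,
    "www": 80,
}


def port_number(port):
    """Accept a keyword or an integer 0-65535 (0 means any service)."""
    if isinstance(port, str):
        return PORT_KEYWORDS[port.lower()]
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def nat_server_entries(proto, global_addr, global_port, host_addr,
                       global_port2=None, host_addr2=None, host_port=None):
    """Expand one 'nat server protocol ... global ... inside ...' line into
    (proto, global_ip, global_port) -> (host_ip, host_port) entries, enforcing the
    precaution that a public port range needs an equally long private address range."""
    first_port = port_number(global_port)
    if global_port2 is None:
        inside_port = first_port if host_port is None else port_number(host_port)
        return {(proto, global_addr, first_port): (host_addr, inside_port)}
    if host_addr2 is None:
        raise ValueError("global-port2 requires host-address2")
    ports = list(range(first_port, port_number(global_port2) + 1))
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (host_addr, host_addr2))
    hosts = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
    if len(ports) != len(hosts):
        raise ValueError(f"{len(ports)} public ports but {len(hosts)} private addresses")
    entries = {}
    for port, host in zip(ports, hosts):
        # Assumption: with no host-port, each public port keeps its number on the inside.
        inside_port = port if host_port is None else port_number(host_port)
        entries[(proto, global_addr, port)] = (host, inside_port)
    return entries


@dataclass
class NatServer:
    """Inbound lookup over NAT server entries, with the optional ACL that restricts
    which external sources may reach the internal server."""
    entries: dict
    acl: list = field(default_factory=list)   # [(action, network)]; empty = no ACL bound

    def _acl_permits(self, src_ip):
        if not self.acl:
            return True
        ip = ipaddress.IPv4Address(src_ip)
        for action, network in self.acl:
            if ip in ipaddress.IPv4Network(network):
                return action == "permit"
        return False

    def lookup(self, proto, src_ip, dst_ip, dst_port):
        """Return the (host_ip, host_port) the packet is translated to, or None."""
        if not self._acl_permits(src_ip):
            return None
        hit = self.entries.get((proto, dst_ip, dst_port)) or self.entries.get((proto, dst_ip, 0))
        if hit is None:
            return None
        host_ip, host_port = hit
        return (host_ip, dst_port if host_port == 0 else host_port)   # port 0 = any service


def demo():
    """Constructed: the ACL-restricted one-to-one server from the example below,
    plus a port range 8080-8082 spread over three private hosts on port www."""
    one_to_one = NatServer(nat_server_entries("tcp", "1.1.1.1", 0, "192.168.0.1"),
                           acl=[("permit", "2.2.2.2/32")])
    ranged = NatServer(nat_server_entries("tcp", "1.1.1.1", 8080, "192.168.0.1",
                                          global_port2=8082, host_addr2="192.168.0.3",
                                          host_port="www"))
    return (one_to_one.lookup("tcp", "2.2.2.2", "1.1.1.1", 443),
            one_to_one.lookup("tcp", "3.3.3.3", "1.1.1.1", 443),
            ranged.lookup("tcp", "9.9.9.9", "1.1.1.1", 8081))


if __name__ == "__main__":
    print(demo())
```

The one-to-one entry with global-port 0 is the case to treat with care: it forwards every TCP port on 1.1.1.1 to the internal host, which is why the ACL on the source address, or a port-specific mapping, matters.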

Example

# Add a NAT server and translate public address 1.1.1.1 of the TCP service to private address 192.168.0.1.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1

# Configure NAT server on the public network interface Gigabitethernet 0/0/1 to map TCP port 8080 in the private IP address 192.168.20.2 of an internal server into port 8080 in the IP address of Gigabitethernet 0/0/1.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 8080 inside 192.168.20.2 8080 

# Add a NAT server, translate public address 1.1.1.1 of the TCP protocol to private address 192.168.0.1, and only allow users with public address 2.2.2.2 to access the intranet server using IP address 1.1.1.1.

<Huawei> system-view
[Huawei] acl 2001
[Huawei-acl-basic-2001] rule 5 permit source 2.2.2.2 0
[Huawei-acl-basic-2001] quit
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1 acl 2001

nat session limit

Function

The nat session limit command configures the maximum number of NAT mapping entries that can be used by a user.

The undo nat session limit command deletes the setting of the maximum number of NAT mapping entries that can be used by a user.

By default, the maximum number of NAT mapping entries that can be used by a user is not configured.

Format

nat session limit limit-number { per-src-ip | per-des-ip | per-src-port | per-des-port } [ acl acl-number ]

undo nat session limit

Parameters

Parameter

Description

Value

limit-number

Specifies the maximum number of NAT mapping entries that can be used by a user.

The value is an integer ranging from 1 to 65535.

per-src-ip

Specifies the maximum number of NAT mapping entries that can be used by a user based on the user's source IP address.

-

per-des-ip

Specifies the maximum number of NAT mapping entries that can be used by a user based on the user's destination IP address.

-

per-src-port

Specifies the maximum number of NAT mapping entries that can be used by a user based on the user's source port.

-

per-des-port

Specifies the maximum number of NAT mapping entries that can be used by a user based on the user's destination port.

-

acl acl-number

Specifies the number of an ACL.

The value is an integer ranging from 2000 to 3999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Application Usage Scenario

On a complex network, terminals are exposed to attacks, and an attacked or compromised terminal can occupy a large number of NAT mapping entries on the device it connects to. Once the device's NAT mapping entries are exhausted, other terminals cannot access the Internet because no entry can be allocated to them. Run the nat session limit command to cap the number of NAT mapping entries a single user may hold. When the number of entries created for a user reaches the configured limit, the device stops creating new entries for that user, so only that user's further Internet access is restricted while the remaining entries stay available to other users.

Precautions

  • This command cannot be used together with other functions for creating flow tables, such as the firewall, IPS, and SAC. Otherwise, this command may not take effect.
  • If an ACL is configured, ACL rule updates do not affect the maximum number of NAT mapping entries that can be used by a user.
  • If an ACL is configured and the ACL rule defines deny, the number of NAT mapping entries that can be used by a user is not limited.
  • The NAT session table created on the device before this command is run is not included in the statistics of NAT mapping entries.
  • After an active/standby device switchover is performed, the devices clear the statistics of NAT mapping entries that have been collected before the switchover and re-collects the statistics.
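The per-user cap and the ACL precautions above, as an added example in Python (written for this page, not Huawei device code). The model counts mapping entries under each of the four scopes, refuses new entries for a user at the limit while leaving other users untouched, and treats a source that matches an ACL deny rule as unlimited, as stated above. The flow representation, the addresses, the noisy and quiet hosts and the class name are constructed; how a source that matches no ACL rule at all is handled is not stated on this page, and treating it as unlimited is an assumption:

```python
import ipaddress

# Scope keyword -> the field of a flow (src_ip, src_port, dst_ip, dst_port) that entries are counted by.
SCOPES = {
    "per-src-ip": lambda flow: flow[0],
    "per-src-port": lambda flow: flow[1],
    "per-des-ip": lambda flow: flow[2],
    "per-des-port": lambda flow: flow[3],
}


class SessionLimiter:
    """Model of 'nat session limit limit-number scope [ acl acl-number ]'."""

    def __init__(self, limit, scope="per-src-ip", acl=None):
        if not 1 <= limit <= 65535:
            raise ValueError("limit-number must be 1-65535")
        self.limit = limit
        self.key_of = SCOPES[scope]
        self.acl = acl          # None: the limit applies to everyone; else [(action, network)]
        self.flows = set()      # NAT mapping entries created since the command was run
        self.counts = {}        # scope key -> number of entries held

    def _limited(self, src_ip):
        """No ACL bound: everyone is limited. ACL bound: a permit match limits the
        user, a deny match leaves the user unlimited (as stated on the page).
        A source matching no rule is treated as unlimited: model assumption."""
        if self.acl is None:
            return True
        ip = ipaddress.IPv4Address(src_ip)
        for action, network in self.acl:
            if ip in ipaddress.IPv4Network(network):
                return action == "permit"
        return False

    def new_session(self, flow):
        """Try to create a mapping entry for the flow; return True if one exists afterwards."""
        if flow in self.flows:
            return True                       # existing entry, nothing new to allocate
        key = self.key_of(flow)
        if self._limited(flow[0]) and self.counts.get(key, 0) >= self.limit:
            return False                      # this user is at the cap; others are unaffected
        self.flows.add(flow)
        self.counts[key] = self.counts.get(key, 0) + 1
        return True

    def remove_session(self, flow):
        """Entry aged out or cleared with reset nat session: frees one slot for that user."""
        if flow in self.flows:
            self.flows.discard(flow)
            self.counts[self.key_of(flow)] -= 1


def demo(limit=2000, attack_flows=2500):
    """Constructed: 10.1.1.66 opens many flows to distinct destination ports while
    10.1.1.7 opens one. Returns (entries the noisy host obtained, whether the
    quiet host still obtained one)."""
    lim = SessionLimiter(limit, "per-src-ip")
    noisy = sum(lim.new_session(("10.1.1.66", 40000, "203.0.113.9", 1000 + i))
                for i in range(attack_flows))
    quiet = lim.new_session(("10.1.1.7", 40000, "203.0.113.9", 80))
    return noisy, quiet


if __name__ == "__main__":
    print(demo())
```

With the page's example value of 2000 the noisy host is stopped at exactly 2000 entries and the quiet host is still served, which is the isolation the command is for; a per-des-ip scope would instead cap the total number of entries towards one destination regardless of which internal hosts open them.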

Example

# Set the maximum number of NAT mapping entries that can be created for a user's source IP address to 2000.

<Huawei> system-view
[Huawei] nat session limit 2000 per-src-ip

nat static (interface view)

Function

The nat static command configures the static mapping between a private IP address and a public IP address.

The undo nat static command deletes the static mapping between a private IP address and a public IP address.

By default, the static mapping between a private IP address and a public IP address is not configured.

Format

nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]

nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ global-to-inside | inside-to-global ] [ description description ]

nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port global-port2 [ vrrp vrrpid ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

undo nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ global-to-inside | inside-to-global ]

undo nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ global-to-inside | inside-to-global ]

undo nat static protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port global-port2 [ vrrp vrrpid ] inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ]

Parameters

Parameter

Description

Value

protocol

Indicates the protocol.

-

protocol-number

Specifies a protocol number.

The value is an integer that ranges from 1 to 255.

icmp

Indicates address translation for ICMP packets.

-

tcp

Indicates address translation for TCP packets.

-

udp

Indicates address translation for UDP packets.

-

global

Configures public network information.

-

global-address

Specifies a public IP address.

The value is in dotted decimal notation.

global-port

Specifies the external service port number.

If this parameter is not specified, the value of global-port is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies a public end port number.

If this parameter is specified, a range of consecutive port numbers are translated. If this parameter is not specified, only the port number global-port is translated.

The value is an integer that ranges from 0 to 65535.

inside

Configures private network information.

-

host-address

Specifies a private IP address.

The value is in dotted decimal notation.

host-address2

Specifies a private end IP address.

If this parameter is specified, a range of consecutive IP addresses are translated. If this parameter is not specified, only the private IP address host-address is translated.

The value is in dotted decimal notation.

host-port

Specifies a service port number provided by private network devices.

If this parameter is not specified, the value of host-port is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535. When expressed by name, the value can be any of the following: any(0), bgp(179), CHARgen(19), cmd(514), daytime(13), discard(9), domain(53), echo(7), exec(512), finger(79), ftp(21), gopher(70), hostname(101), irc(194), klogin(543), kshell(544), login(513), lpd(515), nntp(119), pop2(109), pop3(110), smtp(25), sunrpc(111), tacacs(49), talk(517), telnet(23), time(37), uucp(540), whois(43), www(80). The numbers in the brackets indicate the service port numbers.

host-port2

Specifies a private end port number.

The value is an integer that ranges from 0 to 65535.

vpn-instance vpn-instance-name

Specifies the name of a private network-side VPN instance.

The value must be the name of an existing VPN instance.

vrrp vrrpid

Specifies a VRRP ID.

NOTE:

Currently, this parameter does not take effect because a VRRP virtual IP address cannot be used as the post-NAT address on AR routers.

The value is an integer that ranges from 1 to 255.

netmask mask

Specifies the network mask for static NAT.

The value ranges from 255.255.255.0 to 255.255.255.255.

acl acl-number

Specifies the number of an ACL.

You can use an ACL to control NAT implementation, ensuring that NAT is performed only for data packets that meet rules in the ACL.

The value is an integer that ranges from 2000 to 3999.

global-to-inside

Indicates static NAT in the direction from the public network to the private network.

If unidirectional static NAT is not configured, IP addresses are translated in both directions.

-

inside-to-global

Indicates static NAT in the direction from the private network to the public network.

If unidirectional static NAT is not configured, IP addresses are translated in both directions.

-

description description

Specifies the NAT description.

The value is a string of 1 to 255 case-sensitive characters without question marks (?). It can contain spaces.

current-interface

Specifies a public IP address as the IP address of the current interface.

-

interface interface-type interface-number [ .subnumber ]

Specifies a public IP address as the IP address of an interface or sub-interface.
  • interface-type specifies the interface type.
  • interface-number [ .subnumber ] specifies the number of the interface or sub-interface.

-

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When devices on a private network must be reachable from the public network at a fixed IP address, for example a private server that provides services to public network devices, the public network devices access the server through a fixed public IP address. Configure static NAT to translate the private IP address of the private server into the specified public IP address.

If a private server provides services to multiple public network segments, its private IP address needs to be translated into multiple public IP addresses to ensure security. Static NAT generally translates bidirectionally between one private and one public IP address, so when the private server accesses the public network, its private IP address cannot be translated into multiple public IP addresses. Unidirectional static NAT solves this problem: when a public network device accesses the private server, the multiple public IP addresses are translated into the private IP address of the server by static NAT, and when the private server accesses the public network, its IP address is translated by outbound NAT.

Static NAT also supports IP address translation between network segments, that is, private IP addresses within a specified range and public IP addresses within a specified range can be translated into each other.

Precautions

After the undo nat static command is run on the device, static mapping entries on the device will not be cleared immediately. To clear static mapping entries immediately, run the reset nat session command.

When the global-port, global-port2, host-port, and host-port2 parameters are specified to configure mappings between public and private port numbers, the number of public port numbers must equal the number of private port numbers, and the port numbers are mapped in sequence, so one command creates multiple static NAT mappings. For example, when nat static protocol tcp global 1.1.1.0 11 20 inside 10.10.10.0 21 30 netmask 24 is configured, public IP addresses 1.1.1.0-1.1.1.255 map to private IP addresses 10.10.10.0-10.10.10.255, and public port numbers 11 to 20 map to private port numbers 21 to 30 in sequence.

When host-address2 is specified, global-port2 and host-port must also be specified, and the number of private addresses must equal the number of public port numbers. That is, one public address maps to several private addresses, and each public port number maps to the same private port number. For example, when nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30 is configured, 1.1.1.1 port 11 maps to 10.10.10.1 port 30, and 1.1.1.1 port 12 maps to 10.10.10.2 port 30.

If you specify vrrp vrrpid when configuring the nat static command on an interface, the interface must support the VRRP function.

The vpn-instance-name parameter in the command specifies a private network-side VPN instance and does not take effect on the global-address parameter. The ip binding vpn-instance vpn-instance-name command can be run in the interface view to bind a public network-side VPN instance to the interface.

If you specify acl-number when configuring multiple nat static commands on an interface, the ACL number specified in the commands must be the same. Otherwise, the configuration fails.

Example

# Translate the combination of the public IP address 1.1.1.1 and port 200 in TCP packets to the combination of the private IP address 10.10.10.1 and port 300.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static protocol tcp global 1.1.1.1 200 inside 10.10.10.1 300

# Translate the IP addresses of packets from VPN instance huawei on the network segment of 10.2.2.2 (24-bit mask) into the corresponding IP addresses on the network segment of 10.3.3.3 (24-bit mask).

<Huawei> system-view
[Huawei] ip vpn-instance huawei
[Huawei-vpn-instance-huawei] quit
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat static global 10.3.3.3 inside 10.2.2.2 vpn-instance huawei netmask 255.255.255.0

nat static (system view)

Function

The nat static command configures one-to-one NAT between private addresses and public addresses in the system view.

The undo nat static command deletes one-to-one NAT configured between private addresses and public addresses in the system view.

By default, no one-to-one NAT is configured.

Format

nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global global-address global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

nat static protocol { tcp | udp } global interface loopback interface-number global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global global-address global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global global-address global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

undo nat static protocol { tcp | udp } global interface loopback interface-number global-port global-port2 inside host-address host-port host-port2 [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

Parameters

Parameter

Description

Value

protocol

Indicates a protocol.

-

protocol-number

Specifies the protocol number.

The value is an integer that ranges from 1 to 255.

global

Configures the external address and port number.

-

global-address

Specifies the public IP address for NAT.

The value is in dotted decimal notation.

inside

Configures the internal address and port number.

-

host-address

Specifies the private IP address for NAT.

The value is in dotted decimal notation.

host-address2

Specifies the ending IP address of the private network.

-

global-port

Specifies the external service port number. If this parameter is not specified, the value of this parameter is 0. That is, any type of service can be provided.

The value is an integer that ranges from 0 to 65535.

global-port2

Specifies the external service ending port number.

The value is an integer that ranges from 0 to 65535.

host-port

Specifies the service port number provided by the server. If this parameter is not specified, the value of this parameter is the same as the value of global-port.

The value is an integer that ranges from 0 to 65535. When expressed by name, the value can be any of the following: any(0), bgp(179), CHARgen(19), cmd(514), daytime(13), discard(9), domain(53), echo(7), exec(512), finger(79), ftp(21), gopher(70), hostname(101), irc(194), klogin(543), kshell(544), login(513), lpd(515), nntp(119), pop2(109), pop3(110), smtp(25), sunrpc(111), tacacs(49), talk(517), telnet(23), time(37), uucp(540), whois(43), www(80). The numbers in the brackets indicate the service port numbers.

host-port2

Specifies a private end port number.

The value is an integer that ranges from 0 to 65535.

icmp

Indicates that servers communicate with each other using ICMP.

-

tcp

Indicates that servers communicate with each other using TCP.

-

udp

Indicates that servers communicate with each other using UDP.

-

vpn-instance vpn-instance-name

Indicates the VPN instance name.

The value is a string of 1 to 31 characters.

netmask mask

Indicates the network mask for static NAT.

The value ranges from 255.255.255.0 to 255.255.255.255.

description description

Indicates the NAT description.

The value is a string of 1 to 255 characters. The character string is case sensitive. It can contain spaces but cannot contain the question mark (?).

interface loopback interface-number

Specifies a loopback interface address as the public address.

The value is an integer that ranges from 0 to 1023.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Static NAT indicates that a private address is statically bound to a public address when NAT is performed. The public IP address in static NAT is only used for translation of the unique and fixed private IP address of a host.

Static PAT indicates that a combination of the private address of a host, TCP/UDP protocol number, and internal port number is statically bound to a combination of the public address, TCP/UDP protocol number, and external port number. The public IP address in static PAT can be used for translation of multiple private addresses.

Using static NAT or PAT, hosts on the private network and hosts on the public network can access each other.

  • If you run the undo nat static command, static mapping entries are not immediately deleted. To clear static mapping entries, run the reset nat session command.

  • When the global-port, global-port2, host-port, and host-port2 parameters are specified to configure mappings between public and private port numbers, the number of public port numbers must equal the number of private port numbers, and the port numbers are mapped in sequence. For example, when nat static protocol tcp global 1.1.1.1 11 20 inside 10.10.10.1 21 30 is configured, the public IP address 1.1.1.1 maps to the private IP address 10.10.10.1, and public port numbers 11 to 20 map to private port numbers 21 to 30 in sequence.

    When host-address2 is specified, global-port2 and host-port must also be specified, and the number of private addresses must equal the number of public port numbers. That is, one public address maps to several private addresses, and each public port number maps to the same private port number. For example, when nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30 is configured, 1.1.1.1 port 11 maps to 10.10.10.1 port 30, and 1.1.1.1 port 12 maps to 10.10.10.2 port 30.

  • nat static protocol { tcp | udp } global interface loopback interface-number global-port [ global-port2 ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]

    In the command, the first vpn-instance-name parameter specifies the VPN instance bound to the loopback interface, and the second vpn-instance-name parameter specifies a private network-side VPN instance.

  • If the ip binding vpn-instance vpn-instance-name command is run in the interface view to bind a public network-side VPN instance to the interface, the nat static command in the system view does not take effect. In this case, you need to run the nat static or nat server command in the interface view.
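The port-range and host-address2 rules above, which apply to both the interface-view and the system-view nat static commands, as an added example that is not Huawei's code: a small Python model that expands one statement into the individual entries it creates and rejects mismatched counts. The StaticNat class, expand, inbound_target and the assumption that an unspecified private port range mirrors the public one are this example's own; the sample statements are the ones quoted in the Precautions.

```python
"""Expand one `nat static` statement into the mapping entries it creates.

Added illustration (not Huawei code) of the port-range and host-address2 rules
in the Precautions of the interface-view and system-view `nat static` commands.
The StaticNat model, the entry layout and the rule that an unspecified private
port range mirrors the public one are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (public ip, public port, private ip, private port)
Entry = Tuple[str, int, str, int]


@dataclass(frozen=True)
class StaticNat:
    """Parameters of one `nat static protocol { tcp | udp } ...` statement."""
    protocol: str
    global_address: str
    global_port: int
    host_address: str
    global_port2: Optional[int] = None
    host_address2: Optional[str] = None
    host_port: Optional[int] = None
    host_port2: Optional[int] = None
    netmask: str = "255.255.255.255"   # dotted mask or prefix length, e.g. "24"


def _prefix_length(netmask: str) -> int:
    """Accept both `netmask 255.255.255.0` and `netmask 24`; only /24 to /32 are allowed."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    if prefix < 24:
        raise ValueError("netmask must be between 255.255.255.0 and 255.255.255.255")
    return prefix


def _address_pairs(nat: StaticNat, prefix: int) -> List[Tuple[str, str]]:
    """Pair each address of the public segment with the private address that has
    the same host part, which is what netmask does (1.1.1.0/24 <-> 10.10.10.0/24)."""
    public = ipaddress.IPv4Network(f"{nat.global_address}/{prefix}", strict=False)
    private = ipaddress.IPv4Network(f"{nat.host_address}/{prefix}", strict=False)
    return [(str(g), str(h)) for g, h in zip(public, private)]


def expand(nat: StaticNat) -> List[Entry]:
    """Return the individual static mappings, in the documented order."""
    if nat.protocol not in ("tcp", "udp"):
        raise ValueError("port-based static NAT is defined for tcp and udp only")
    prefix = _prefix_length(nat.netmask)
    # host-port defaults to global-port when it is not specified.
    host_port = nat.global_port if nat.host_port is None else nat.host_port

    if nat.host_address2 is not None:
        # One public address with N public ports -> N private addresses, one private port.
        if nat.global_port2 is None or nat.host_port is None:
            raise ValueError("host-address2 requires global-port2 and host-port")
        if nat.host_port2 is not None or prefix != 32:
            # Combination not described on the page: rejected rather than guessed.
            raise ValueError("host-address2 is modelled without host-port2 or netmask")
        first = ipaddress.IPv4Address(nat.host_address)
        n_hosts = int(ipaddress.IPv4Address(nat.host_address2)) - int(first) + 1
        n_ports = nat.global_port2 - nat.global_port + 1
        if n_hosts != n_ports:
            raise ValueError(f"{n_hosts} private addresses but {n_ports} public ports")
        return [(nat.global_address, nat.global_port + i, str(first + i), host_port)
                for i in range(n_hosts)]

    # Consecutive public ports map to consecutive private ports, in sequence.
    last_global = nat.global_port if nat.global_port2 is None else nat.global_port2
    public_ports = range(nat.global_port, last_global + 1)
    if nat.host_port is None:
        private_ports = public_ports        # assumption: mirrors the public range
    else:
        last_host = host_port if nat.host_port2 is None else nat.host_port2
        private_ports = range(host_port, last_host + 1)
    if len(public_ports) != len(private_ports):
        raise ValueError(f"{len(public_ports)} public ports but "
                         f"{len(private_ports)} private ports")
    return [(g_ip, g_port, h_ip, h_port)
            for g_ip, h_ip in _address_pairs(nat, prefix)
            for g_port, h_port in zip(public_ports, private_ports)]


def inbound_target(entries: List[Entry], public_ip: str,
                   public_port: int) -> Optional[Tuple[str, int]]:
    """Private host:port that a packet to public_ip:public_port is translated to."""
    for g_ip, g_port, h_ip, h_port in entries:
        if (g_ip, g_port) == (public_ip, public_port):
            return (h_ip, h_port)
    return None


if __name__ == "__main__":
    # nat static protocol tcp global 1.1.1.0 11 20 inside 10.10.10.0 21 30 netmask 24
    ranged = expand(StaticNat("tcp", "1.1.1.0", 11, "10.10.10.0", global_port2=20,
                              host_port=21, host_port2=30, netmask="24"))
    print(len(ranged), "entries; first", ranged[0], "last", ranged[-1])
    # nat static protocol tcp global 1.1.1.1 11 12 inside 10.10.10.1 10.10.10.2 30
    for entry in expand(StaticNat("tcp", "1.1.1.1", 11, "10.10.10.1", global_port2=12,
                                  host_address2="10.10.10.2", host_port=30)):
        print(entry)
```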

Example

# Translate the combination of the Loopback 4 interface address and port 43 in TCP packets to the private address 192.168.2.55.

<Huawei> system-view
[Huawei] interface loopback 4
[Huawei-LoopBack4] ip address 192.168.8.8 24
[Huawei-LoopBack4] quit 
[Huawei] nat static protocol tcp global interface loopback 4 43 inside 192.168.2.55 netmask 255.255.255.255

nat static enable

Function

The nat static enable command enables static NAT on an interface.

The undo nat static enable command disables static NAT on an interface.

By default, static NAT on an interface is disabled.

Format

nat static enable

undo nat static enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Using the nat static enable command, you can enable static NAT on an interface.

  • This command can only be used on Layer 3 interfaces, except loopback and NULL interfaces.
  • When enabling static NAT on a sub-interface, you must also enable the function on the main interface. Otherwise, the function does not take effect on the sub-interface.

Example

# Enable static NAT on an interface.

<Huawei> system-view
[Huawei] interface gigabitethernet 
[Huawei-GigabitEthernet] nat static enable

nat mapping-mode

Function

The nat mapping-mode command sets the NAT mapping mode.

The undo nat mapping-mode command restores the NAT mapping mode.

The default NAT mapping mode is endpoint-and-port-dependent.

Format

nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

undo nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

Parameters

Parameter

Description

Value

endpoint-independent

Indicates the endpoint-independent mode.

-

protocol-name

Indicates the protocol type.

The value can be tcp or udp.

dest-port port-number

Indicates the destination port. The endpoint-independent mapping mode applies only to packets whose destination port is the specified port.

The value is an integer that ranges from 1 to 65535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The NAT function alleviates the IPv4 address shortage and improves network security. NAT implementations differ between vendors, so applications that use STUN, TURN, and ICE may fail to traverse some vendors' NAT devices. These technologies are mainly used with SIP proxies. Configuring the NAT mapping mode enables these applications to traverse the NAT device.

NAT mapping has the following modes:

  • Endpoint-independent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
  • Address and port-dependent mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.
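The difference between the two mapping modes, as an added example that is not Huawei's code: a toy port-allocating NAT whose MappingPolicy mirrors the protocol-name and dest-port options of nat mapping-mode, used to check whether the public port a STUN server reports for an internal endpoint is the same port a later peer will see. The ToyNat and MappingPolicy names and all addresses and ports are constructed for the example.

```python
"""Simulate endpoint-independent vs. address-and-port-dependent NAT mapping.

Added example, not Huawei code: a toy NAT that allocates one public port per
mapping key, where the key depends on the mode selected for the flow.  The
policy models `nat mapping-mode endpoint-independent [ protocol [ dest-port N ] ]`.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass
class MappingPolicy:
    """Protocols with endpoint-independent mapping enabled, each optionally limited
    to one destination port (None = any).  Protocols not listed keep the default
    endpoint-and-port-dependent mapping."""
    endpoint_independent: Dict[str, Optional[int]] = field(default_factory=dict)

    def enable(self, protocol: Optional[str] = None,
               dest_port: Optional[int] = None) -> "MappingPolicy":
        """Mirror of the command: with no protocol given it applies to tcp and udp."""
        for proto in ([protocol] if protocol else ["tcp", "udp"]):
            self.endpoint_independent[proto] = dest_port
        return self

    def is_endpoint_independent(self, protocol: str, dst_port: int) -> bool:
        if protocol not in self.endpoint_independent:
            return False
        limit = self.endpoint_independent[protocol]
        return limit is None or limit == dst_port


class ToyNat:
    """Minimal NAT: one public address, sequential public ports, no timeouts."""

    def __init__(self, public_ip: str, policy: MappingPolicy, first_port: int = 10000):
        self.public_ip = public_ip
        self.policy = policy
        self._ports = count(first_port)
        self._table: Dict[tuple, int] = {}

    def translate(self, protocol: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Public endpoint that an outbound packet src -> dst leaves the NAT from."""
        if self.policy.is_endpoint_independent(protocol, dst[1]):
            key = (protocol, src)          # reused toward ANY external ip:port
        else:
            key = (protocol, src, dst)     # reused only toward the SAME external ip:port
        if key not in self._table:
            self._table[key] = next(self._ports)
        return (self.public_ip, self._table[key])


def stun_reflects_peer_port(policy: MappingPolicy) -> bool:
    """True when the public port a STUN server (UDP 3478) reports for an internal
    endpoint equals the port a later media peer sees it from.  Only then is the
    address learned through STUN usable by the peer, which is what traversal needs."""
    nat = ToyNat("203.0.113.5", policy)              # constructed public address
    internal = ("10.0.0.8", 40000)                   # constructed internal endpoint
    seen_by_stun = nat.translate("udp", internal, ("198.51.100.1", 3478))
    seen_by_peer = nat.translate("udp", internal, ("192.0.2.9", 5000))
    return seen_by_stun == seen_by_peer


if __name__ == "__main__":
    print("default mode:", stun_reflects_peer_port(MappingPolicy()))
    print("endpoint-independent udp:", stun_reflects_peer_port(MappingPolicy().enable("udp")))
```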

Example

# Enable the endpoint-independent mapping mode for TCP packets.

<Huawei> system-view
[Huawei] nat mapping-mode endpoint-independent tcp

# Enable the endpoint-independent mapping mode for TCP and UDP packets.

<Huawei> system-view
[Huawei] nat mapping-mode endpoint-independent 

nat miss forward session disable

Function

The nat miss forward session disable command disables a device from generating a flow table for traffic that does not undergo NAT.

The undo nat miss forward session disable command restores the default configuration.

By default, the function of generating a flow table for traffic that does not undergo NAT is enabled.

This function is supported in V300R022C00SPC100 and later versions.

Format

nat miss forward session disable

undo nat miss forward session disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the NAT service is configured on an interface, the device by default generates flow entries for all packets arriving at the interface. If many of these packets do not require NAT, flow entry resources are wasted, and the number of generated flow entries may even exceed the device specification. Flow entries then cannot be generated for the packets that do require NAT, causing NAT translation failures. If NAT is needed only for packets from a specific network segment, run the nat miss forward session disable command so that the device does not generate flow entries for packets that do not require NAT. This saves flow entry resources and improves service flow entry utilization.

Precautions

  • This command takes effect only for new service traffic.
  • After this command is run, NAT forwarding performance deteriorates (AR611, AR611-S, AR611W-S, AR611E-S, AR611-LTE4EA, AR611W-LTE6EA, AR611W, AR611W-LTE4CN, AR617VW, AR617VW-LTE4, AR617VW-LTE4EA: The maximum device performance deteriorates by about 15%. Other models: The maximum device performance deteriorates by less than 5%. The device performance is not affected if the current CPU usage of the data plane is less than 70%.) Therefore, exercise caution when running this command based on actual service scenarios.

Example

# Disable the device from generating a flow table for traffic that does not undergo NAT.

<Huawei> system-view
[Huawei] nat miss forward session disable

reset nat session

Function

The reset nat session command deletes entries from the NAT mapping table.

Format

reset nat session { all | transit interface interface-type interface-number [ .subnumber ] }

reset nat session protocol { protocol-name | protocol-number } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ]

reset nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ]

reset nat session destination destination-address [ destination-port ]

The protocol { protocol-name | protocol-number }, source source-address [ source-port ], and destination destination-address [ destination-port ] parameters are supported in V300R022C10 and later versions.

Parameters

Parameter

Description

Value

all

Deletes all entries from the NAT mapping table.

-

transit

Deletes NAT mapping entries of traffic passing through a specified interface.

-

interface interface-type interface-number [ .subnumber ]

Specifies the type and number of an interface or a sub-interface.

-

protocol { protocol-name | protocol-number }

Deletes NAT mapping entries with a specified protocol name or protocol number.

  • The value of protocol-name can be icmp, tcp, or udp.
  • The value of protocol-number is an integer that ranges from 1 to 255.

source source-address [ source-port ]

Specifies the source IP address and port number before NAT translation.

  • source-address: The value is in dotted decimal notation.
  • source-port: The value is an integer that ranges from 1 to 65535.
NOTE:

When the packet protocol is ICMP, the value of source-port is the Type value in the display nat session all command output.

destination destination-address [ destination-port ]

Specifies the destination IP address and port number before NAT translation.

  • destination-address: The value is in dotted decimal notation.
  • destination-port: The value is an integer that ranges from 1 to 65535.
NOTE:

When the packet protocol is ICMP, the value of destination-port is the IcmpId value in the display nat session all command output.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the configurations of nat alg, nat server, nat static, and nat outbound are changed, the packets are not forwarded based on new configurations. You can run the reset nat session command to make the new configurations take effect. This command deletes all NAT mapping entries, NAT mapping entries with a specified protocol type, source IP address, or destination IP address, or NAT mapping entries of traffic passing through a specified interface. When you run this command, the system prompts you to confirm the command execution.

Precautions

  • After this command is executed, entries are deleted from the NAT mapping table and new NAT configurations take effect immediately.
  • After this command is executed, wait at least 10 seconds if you need to run the command again; otherwise, an error message is displayed.
  • If all entries are deleted, communication through certain sessions may be affected for a short period of time.

Example

# Delete all entries from the NAT mapping table.

<Huawei> system-view
[Huawei] reset nat session all
Warning:The current all NAT sessions will be deleted. 
Are you sure to continue?[Y/N] y

# Delete entries from the NAT mapping table on the interface GigabitEthernet0/0/1.

<Huawei> system-view
[Huawei] reset nat session transit interface gigabitethernet 0/0/1
Warning:The current all NAT sessions transiting GigabitEthernet0/0/1 will be deleted. 
Are you sure to continue?[Y/N] y

reset stun statistics packet

Function

The reset stun statistics packet command clears STUN packet statistics.

Format

reset stun statistics packet

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

STUN packet statistics cannot be restored after being cleared. Therefore, exercise caution before clearing the statistics.

When locating STUN problems, you may need STUN packet statistics from a specific period only. In this case, run the reset stun statistics packet command to clear the historical STUN packet statistics, and then run the display stun statistics packet command to view the current STUN packet statistics.

Example

# Clear STUN packet statistics.

<Huawei> reset stun statistics packet

stun client enable

Function

The stun client enable command enables the STUN client function on an interface.

The undo stun client enable command disables the STUN client function on an interface.

By default, the STUN client function is disabled on an interface.

Format

stun client enable

undo stun client enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

In the SD-WAN Solution, a branch CPE can access the campus network through the Internet, where NAT devices are often deployed. After a packet sent from the branch CPE passes through a NAT device, its IP address changes. To obtain the real IP address of the packet after it passes through the NAT device, run the stun client enable command to enable the STUN client function. The STUN client exchanges STUN packets with the STUN server to detect whether there is a NAT device between CPEs. In addition, the STUN client advertises the branch CPE's IP addresses and port numbers before and after NAT traversal to other CPEs through BGP. Each CPE then sends a STUN binding request to the peer at both the pre-NAT and the post-NAT IP address and port number, and determines the real reachable IP address between the CPEs from the response packets.

Prerequisites

Before configuring this command, you must complete the following configurations:
  1. Deliver site configurations to CPEs through the iMaster NCE.

    For details, see section "Configuring Information of a Site" in NetEngine AR600, AR6100, AR6200, and AR6300 NETCONF YANG API.

  2. Deliver TNP configurations on an interface to CPEs through the iMaster NCE.

    For details, see section "Configuring TNP Information of an Interface" in NetEngine AR600, AR6100, AR6200, and AR6300 NETCONF YANG API.

Precautions

Currently, this command is supported on Ethernet interfaces, serial interfaces, dialer interfaces, VE interfaces, VT interfaces, ATM interfaces, IMA-Group interfaces, Eth-Trunk interfaces, and cellular interfaces only when they work in Layer 3 mode.

Follow-up Procedure

In the interface view, you can run the stun client destination-port port-number command to configure the destination port number for the STUN client to access the STUN server.

Example

# Enable the STUN client function on GigabitEthernet1/0/0.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] stun client enable

stun client destination-port

Function

The stun client destination-port command configures the destination port number for the STUN client to access the STUN server.

The undo stun client destination-port command restores the destination port number for the STUN client to access the STUN server to the default value.

By default, the destination port number for the STUN client to access the STUN server is 3478.

Format

stun client destination-port port-number

undo stun client destination-port port-number

Parameters

Parameter

Parameter Description

Value

port-number

Specifies the destination port number for the STUN client to access the STUN server.

The value is an integer in the range from 1024 to 65535.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

In the SD-WAN Solution, to detect whether there is a NAT device between CPEs and obtain the real IP address of a packet passing through the NAT device, you need to enable the STUN client function and configure the destination port number used by the STUN client to access the STUN server. By default, this destination port number is 3478. If that port number is already used by other services, run the stun client destination-port command to change it.

Prerequisites

Before configuring this command, you must complete the following configurations:
  1. Deliver site configurations to CPEs through the iMaster NCE.

    For details, see section "Configuring Information of a Site" in NetEngine AR600, AR6100, AR6200, and AR6300 NETCONF YANG API.

  2. Deliver TNP configurations on an interface to CPEs through the iMaster NCE.

    For details, see section "Configuring TNP Information of an Interface" in NetEngine AR600, AR6100, AR6200, and AR6300 NETCONF YANG API.

  3. In the interface view, run the stun client enable command to enable the STUN client function on the interface.

Precautions

Currently, this command is supported on Ethernet interfaces, serial interfaces, dialer interfaces, VE interfaces, VT interfaces, ATM interfaces, IMA-Group interfaces, Eth-Trunk interfaces, and cellular interfaces only when they work in Layer 3 mode.

Example

# Set the destination port number for the STUN client to access the STUN server on GigabitEthernet1/0/0 to 2000.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] stun client enable
[Huawei-GigabitEthernet1/0/0] stun client destination-port 2000

stun server enable

Function

The stun server enable command enables the STUN server function.

The undo stun server enable command disables the STUN server function.

By default, the STUN server function is disabled.

Format

stun server enable

undo stun server enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To configure the device as a STUN server, run the stun server enable command to enable the STUN server function. After this function is enabled, the device will respond to binding requests sent from STUN clients, helping them determine the presence of a NAT device.

Example

# Enable the STUN server function.

<Huawei> system-view
[Huawei] stun server enable
Warning: If you configure the STUN server without specifying the listening IP address, the STUN server will listen on all IP addresses. Continue? [y/n]y

stun server listening-ip

Function

The stun server listening-ip command configures an IP address to be checked by the STUN server.

The undo stun server listening-ip command restores the default configuration.

By default, the STUN server checks all IP addresses.

Format

stun server listening-ip ip-address [ vpn-instance vpn-instance-name ]

undo stun server listening-ip

Parameters

Parameter

Description

Value

ip-address

Specifies the local IP address on which the STUN server listens.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Specifies a VPN instance name.

The VPN instance must already exist.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the stun server enable command, the STUN server listens for STUN messages on all local IP addresses by default, including addresses on interfaces that face untrusted networks. To restrict the STUN server to a single address, run the stun server listening-ip command and specify the IP address as needed; binding requests arriving at other local addresses are then not answered.

Precautions

The IP address on which a STUN server listens must be a local IP address of the device. If the address belongs to a VPN instance, specify that instance with the vpn-instance parameter.

Example

# Configure the STUN server to listen on IP address 1.1.1.1.
<Huawei> system-view
[Huawei] stun server listening-ip 1.1.1.1
# Restore the default, in which the STUN server listens on all local IP addresses.
<Huawei> system-view
[Huawei] undo stun server listening-ip
Warning: If you delete the specified listening IP address but do not disable the STUN server function, the STUN server will listen on all IP addresses. Continue? [y/n]y

stun server listening-port

Function

The stun server listening-port command configures the UDP port number on which the STUN server listens.

The undo stun server listening-port command restores the default configuration.

By default, the STUN server listens on UDP port 3478.

Format

stun server listening-port port-number

undo stun server listening-port

Parameters

Parameter

Description

Value

port-number

Specifies the number of the UDP port on which the STUN server listens.

The value is an integer that ranges from 1024 to 65535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the stun server enable command is executed, the STUN server listens on UDP port 3478 by default. If this port is already used by another service, making the STUN service unavailable, run the stun server listening-port command to change the UDP port on which the STUN server listens. STUN clients must then be configured to send binding requests to the new port (on this device, with the stun client destination-port command).

Precautions

The configured UDP port number cannot be used by other services. Otherwise, the STUN server may fail to process STUN messages.

Example

# Set the UDP port number on which a STUN server listens to 3480.
<Huawei> system-view
[Huawei] stun server listening-port 3480