HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 294

Configuring Network Address Translation
Configuring NAT
6-10
For example, if you want to NAT all traffic that enters through the Ethernet
interface, you create this permit entry in the ACL:
ProCurve(config-std-nacl)# permit any
If you want to NAT a subnet, enter:
ProCurve(config-std-nacl)# permit <A.B.C.D> <wildcard bits>
Replace <A.B.C.D> with the IP address of the subnet and use wildcard bits
to define the number of hosts in the subnet. Wildcard bits define which address
bits the Secure Router OS firewall should match and which address bits it
should ignore. Although wildcard bits resemble subnet masks, they use
reverse logic.
With wildcard bits, 0 means that you want the Secure Router OS firewall to
match that bit; 1 means that you do not want the Secure Router OS firewall to
match that bit.
For example, you might enter:
ProCurve(config-std-nacl)# deny 192.168.115.0 0.0.0.31
If you enter 192.168.115.0 with the wildcard bits 0.0.0.31, the Secure Router
OS firewall will not match the last five address bits in the fourth octet. The
firewall will match all hosts with addresses between 192.168.115.1 and
192.168.115.31 to the deny entry. If you enter permit 192.168.115.0
0.0.0.255, the Secure Router OS firewall will not match any address bits in
the last octet. This entry selects all hosts in the 192.168.115.0 /24 network.
Configuring an Extended ACL for One-to-One NAT. When you config-
ure one-to-one NAT, you must create an extended ACL to define the public
destination address that the ProCurve Secure Router will NAT to a private IP
on the internal network. For example, to create an extended ACL called
Outside, enter:
ProCurve(config)# ip access-list extended Outside
You can then use the following command to create the permit and deny entries
that select the traffic for NAT:
Syntax: [permit | deny] <protocol> <source address> <source port> <destination
address> <destination port>