H3C S9500 Series Command Manual
Routing switches
Hide thumbs
Also See for S9500 Series:
- Command manual (1842 pages) ,
- Operation manual (1504 pages) ,
- Operating manual (76 pages)
Table of Contents
Advertisement
Quick Links
Command Manual - NAT
H3C S9500 Series Routing Switches
Chapter 1 NAT Configuration Commands .................................................................................. 1-1
1.1 NAT Configuration Commands.......................................................................................... 1-1
1.1.1 display nat address-group....................................................................................... 1-1
1.1.2 display nat aging-time ............................................................................................. 1-1
1.1.3 display nat all........................................................................................................... 1-2
1.1.4 display nat auto-reset-session ................................................................................ 1-3
1.1.5 display nat blacklist ................................................................................................. 1-4
1.1.6 display nat outbound ............................................................................................... 1-5
1.1.7 display nat server .................................................................................................... 1-6
1.1.8 display nat static...................................................................................................... 1-7
1.1.9 display nat statistics ................................................................................................ 1-7
1.1.10 display nat vpn limit............................................................................................... 1-8
1.1.11 nat address-group ................................................................................................. 1-9
1.1.12 nat aging-time...................................................................................................... 1-11
1.1.13 nat auto-reset-session......................................................................................... 1-11
1.1.14 nat blacklist start ................................................................................................. 1-12
1.1.15 nat blacklist mode ............................................................................................... 1-13
1.1.16 nat blacklist limit amount ..................................................................................... 1-14
1.1.17 nat blacklist limit rate........................................................................................... 1-15
1.1.18 nat blacklist limit rate source ............................................................................... 1-16
1.1.19 nat outbound ....................................................................................................... 1-18
1.1.20 nat server ............................................................................................................ 1-21
1.1.21 nat static .............................................................................................................. 1-24
1.1.22 nat vpn limit ......................................................................................................... 1-27
1.1.23 reset nat session ................................................................................................. 1-28
1.2 NAT Security Logging Configuration Commands............................................................ 1-28
1.2.1 display ip userlog export ....................................................................................... 1-28
1.2.2 ip userlog nat......................................................................................................... 1-29
1.2.3 ip userlog nat active-time ...................................................................................... 1-30
1.2.4 ip userlog nat export host...................................................................................... 1-31
1.2.5 ip userlog nat export source-ip.............................................................................. 1-31
1.2.6 ip userlog nat export version ................................................................................. 1-32
1.2.7 ip userlog nat mode flow-begin ............................................................................. 1-32
Table of Contents
i
Table of Contents
Advertisement
Table of Contents
Related Manuals for H3C S9500 Series
Summary of Contents for H3C S9500 Series
-
Page 1: Table Of Contents
Command Manual – NAT H3C S9500 Series Routing Switches Table of Contents Table of Contents Chapter 1 NAT Configuration Commands .................. 1-1 1.1 NAT Configuration Commands..................1-1 1.1.1 display nat address-group..................1-1 1.1.2 display nat aging-time ..................... 1-1 1.1.3 display nat all......................1-2 1.1.4 display nat auto-reset-session ................ -
Page 2: Chapter 1 Nat Configuration Commands
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands Chapter 1 NAT Configuration Commands Note: The line processing units (LPU) mentioned in this chapter refer to LSB1NATB0. 1.1 NAT Configuration Commands 1.1.1 display nat address-group... -
Page 3: Display Nat All
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands View Any view Parameters None Description Use the display nat aging-time command to display the aging time of a NAT entry. Examples # View the aging times of the NAT entries of various protocols. -
Page 4: Display Nat Auto-Reset-Session
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands --0 entry found-- NAT outbound information: No interfaces have been configured for NAT --0 entry found-- Server in private network information: No internal servers have been configured... -
Page 5: Display Nat Blacklist
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands 1.1.5 display nat blacklist Syntax display nat blacklist { all | [ vpn-instance vpn-name ] ip [ ip-address ] slot slot-no } View Any view Parameters all: Displays all blacklist configurations. -
Page 6: Display Nat Outbound
Rate control limit uses special configuration. # Display the blacklist configurations and operation states for IP address 100.0.0.3 in VPN1. <H3C> display nat blacklist vpn-instance vpn1 ip 100.0.0.3 slot 4 Blacklist function global configuration: Blacklist function is started. Connection amount control is enabled. -
Page 7: Display Nat Server
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands [address-group] 1 [type] pat [slot] 5 Vlan-interface3 : [acl] 2000 [address-group] 0 -- teacher [type] no-pat [slot] 5 Vlan-interface4 : [acl] 2001 [address-group] interface [type] pat... -
Page 8: Display Nat Static
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands 1.1.8 display nat static Syntax display nat static View Any view Parameters None Description Use the display nat static command to display all static address translation entries. -
Page 9: Display Nat Vpn Limit
STATIC NAT session table count entries Note: In PTA mode, hardware of S9500 series switches creates a positive stream and a reversed stream (which is used for reversed PAT) when creating a stream. However, the NAT log exports the positive stream only. -
Page 10: Nat Address-Group
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands vpn-instance: Queries the maximum number of users and connections of the specified VPN. vpn-name: Name of a VPN instance. Description Use the display nat vpn limit command to display the maximum number of users and connections of all the VPNs or the specified VPN of NAT. - Page 11 # Configure address pool 2 with addresses 203.110.10.10 to 203.110.10.110, and the description character string is teacher. <H3C> system-view [H3C] nat address-group 2 203.110.10.10 203.110.10.110 description teacher # Modify the description character string of address group 2 to teacher&student. <H3C> system-view [H3C] nat address-group 2 description teacher&student...
-
Page 12: Nat Aging-Time
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands 1.1.12 nat aging-time Syntax nat aging-time alg time-value undo nat aging-time alg View System view Parameters alg time-value: Aging time of NAT entries requiring application level gateway (ALG) processing in seconds. -
Page 13: Nat Blacklist Start
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands Parameters None Description Use the nat auto-reset-session command to enable the NAT session table auto-reset function when a NAT enabled VLAN interface goes up or down. -
Page 14: Nat Blacklist Mode
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands Examples # Enable the blacklist function for the whole system. <H3C> system-view [H3C] nat blacklist start 1.1.15 nat blacklist mode Syntax nat blacklist mode { amount | rate | all }... -
Page 15: Nat Blacklist Limit Amount
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands 1.1.16 nat blacklist limit amount Syntax nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ] max-amount undo nat blacklist limit amount [ [ vpn-instance vpn-name ] source user-ip ]... -
Page 16: Nat Blacklist Limit Rate
# Set the threshold value for the number of connections to the IP address 100.0.0.1 in the private network VPN1. <H3C> system-view [H3C] nat blacklist limit amount vpn-instance vpn1 source 100.0.0.1 2222 1.1.17 nat blacklist limit rate Syntax nat blacklist limit rate [ source ip ] cir cir-value [ cbs burst-size ] [ ebs burst-size ]... -
Page 17: Nat Blacklist Limit Rate Source
[H3C] nat blacklist limit rate cir 20 cbs 1799 ebs 40 # Set the special threshold value for the rate of link set-up <H3C> system-view [H3C] nat blacklist limit rate source ip cir 20 cbs 1799 ebs 40 1.1.18 nat blacklist limit rate source Syntax... - Page 18 [H3C] nat blacklist limit rate source 2.2.2.2 # Use the special threshold value to control the rate of link set-up of the user 200.0.0.1 in the private network VPN1. <H3C> system-view [H3C] nat blacklist limit rate vpn-instance vpn1 source 200.0.0.1 1-17...
-
Page 19: Nat Outbound
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands 1.1.19 nat outbound Syntax nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-no undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot... - Page 20 NAT. The address will be translated into one of address pool 1. [H3C] interface Vlan-interface 2 [H3C-Vlan-interface2] nat outbound 3000 address-group 1 slot 3 # Configure to use one-to-one NAT (do not use TCP/UDP port information for NAT). [H3C-Vlan-interface2] nat outbound 3000 address-group 1 no-pat slot 3 1-19...
- Page 21 # Customize a flow template, and then apply it to Ethernet 4/1/1. The interface card is located in slot 4. For details about flow template, refer to Defining and Applying Flow Template in ACL Configuration of the QoS ACL Volume. [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid [H3C] interface Ethernet4/1/1...
-
Page 22: Nat Server
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands 1.1.20 nat server Syntax nat server protocol { tcp | udp } global global-addr global-port inside [ vpn-name ] host-addr host-port slot slot-no undo nat server protocol { tcp | udp } global global-addr global-port inside... - Page 23 Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands host-addr1 host-addr2: Specifies an address scope of internal hosts that corresponds to the address range of external service port numbers. host-addr2 must be bigger than host-addr1. The number of the address scope must be the same as the number of external service ports.
- Page 24 202.110.10.12. Suppose that VLAN-interface 2 is connected to the ISP. <H3C> system-view [H3C] interface Vlan-interface 2 [H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside VPN1 10.110.10.10 www slot 3 [H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside VPN1 10.110.10.10 ftp slot 3...
-
Page 25: Nat Static
[H3C-acl-adv-3001] quit # Customize a flow template, and then apply the flow template to Ethernet 4/1/1. The interface card is located in slot 4. [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid [H3C] interface Ethernet4/1/1 [H3C-Ethernet4/1/1] flow-template user-defined # Reference the ACLs to redirect the packets that needs to be translated to the NAT LPU. - Page 26 Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands undo nat static global global-addr inside [ vpn-name ] host-addr slot slot-no nat static global global-addr1 global-addr2 inside [ vpn-name ] host-addr1 host-addr2 slot slot-no undo nat static global global-addr1 global-addr2 inside [ vpn-name ] host-addr1...
- Page 27 10.110.10.10 slot 3 # Configure ACL 3001. [H3C] acl number 3001 [H3C-acl-adv-3001] rule permit ip source 10.110.10.10 0.0.0.0 [H3C-acl-adv-3001] quit # Reference ACL 3001 to redirect packets that are to be serviced by NAT to the NAT board. Ethernet 4/1/1 is connected to the private network, and 192 is the corresponding VLAN ID.
-
Page 28: Nat Vpn Limit
Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands Caution: You need to configure QACL redirection after binding VLAN 192 to the VPN. 1.1.22 nat vpn limit Syntax nat vpn limit [ vpn-instance vpn-name ] user-limit flow-limit... -
Page 29: Reset Nat Session
The maximum numbers of users and connections in a VPN does not apply to the NO-PAT mode. Examples # Configure the maximum numbers of users and connections in a VPN. . <H3C> system-view [H3C] nat vpn limit vpn-instance test 5000 5500 1.1.23 reset nat session Syntax reset nat session slot slot-no View... -
Page 30: Ip Userlog Nat
Use the display ip userlog export command to display configurations and statistics of system logging. Examples # Display configurations of NAT logging. <H3C> display ip userlog export slot 3 NAT: IP userlog export is not enabled Version 1 export is enabled Export logs to 0.0.0.0 (Port: 0) -
Page 31: Ip Userlog Nat Active-Time
The ACL for NAT logging supports the SIP and DIP fields only. Examples # Employ ACL 2000 as the logging rule, and enable NAT logging. <H3C> system-view [H3C] ip userlog nat slot 3 acl 2000 1.2.3 ip userlog nat active-time Syntax ip userlog nat active-time minutes... -
Page 32: Ip Userlog Nat Export Host
# Set the destination address and UDP port number of log packets to 169.254.1.1 and 200 respectively. <H3C> system-view [H3C] ip userlog nat export host 169.254.1.1 200 1.2.5 ip userlog nat export source-ip Syntax ip userlog nat export source-ip src-address... -
Page 33: Ip Userlog Nat Export Version
IP address of log packets. Examples # Set the source IP address of log packets to 169.254.1.1. <H3C> system-view [H3C] ip userlog nat export source-ip 169.254.1.1 1.2.6 ip userlog nat export version Syntax ip userlog nat export version version-number undo ip userlog nat export version... - Page 34 Command Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Commands Parameters None Description Use the ip userlog nat mode flow-begin command to enable the NAT server logging when an NAT connection is established and deleted. Use the undo ip userlog nat mode flow-begin command to restore the default logging mode.
Need help?
Do you have a question about the S9500 Series and is the answer not in the manual?
Questions and answers