H3C S9500 Series Command Manual page 20

Command Manual – NAT
H3C S9500 Series Routing Switches
Note:
As for the ACL associated with an address pool, only the source VPN, source IP
address, and the destination IP address fields in it are used. They are also used to
tell whether or not two rules conflict.
Do not execute the undo nat outbound command too often after the configuration
is stable.
Caution:
Address translation is performed on the NAT LPU. Because packets sent from a private
network will not be delivered to the NAT LPU by default, you need to reference QACLs
on the receiving interface to redirect those packets to the NAT LPU. For details, refer to
the traffic-redirect command in QoS Commands of the QoS ACL Volume. You do not
need to configure the DIP in the response packet sent from the public network because
it is an address from the address pool.
Examples
# Allow hosts on the network segment 192.168.1.0/24 in VPN1 and VPN2 and the
network segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to
202.110.10.12. Suppose VLAN interface 2 is connected to the ISP.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule permit ip source 10.110.10.0 0.0.0.255
[H3C-acl-adv-3000] rule permit ip vpn-instance VPN1 source 192.168.1.0
0.0.0.255
[H3C-acl-adv-3000] rule permit ip vpn-instance VPN2 source 192.168.1.0
0.0.0.255
[H3C-acl-adv-3000] quit
# Configure the address pool.
[H3C] nat address-group 1 202.110.10.10 202.110.10.12
# Configure NAT binding on NAT LPU 3, allowing packets that match ACL 3000 to be
processed by NAT. The address will be translated into one of address pool 1.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat outbound 3000 address-group 1 slot 3
# Configure to use one-to-one NAT (do not use TCP/UDP port information for NAT).
[H3C-Vlan-interface2] nat outbound 3000 address-group 1 no-pat slot 3
Chapter 1 NAT Configuration Commands
1-19