nat outbound
Use nat outbound to configure an outbound dynamic NAT rule.
Use undo nat outbound to delete an outbound dynamic NAT rule.
Syntax
NO-PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ disable ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
PAT:
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group { group-id | name group-name } ] [ vpn-instance vpn-instance-name ] [ port-preserved ] [ disable ]
undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]
Default
No outbound dynamic NAT rules exist.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be the word all.
address-group group-id: Specifies an address group for NAT. If you do not specify an address group, the IP address of the interface is used as the NAT address (Easy IP).
group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.
name group-name: Specifies the address group name, a case-insensitive string of 1 to 63 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group belong to the public network, do not use this option.
no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.
reversible: Allows reverse address translation. Reverse address translation uses existing NO-PAT entries to translate destination addresses for packets of connections actively initiated by external hosts to internal hosts.
port-preserved: Tries to preserve the port number during PAT. This keyword does not take effect on dynamic NAT444.
disable: Disables the outbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.
Usage guidelines
Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.
Outbound dynamic NAT supports the following modes:
PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.
NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:
o Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.
o Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.
Dynamic NAT444 does not support the NO-PAT mode.
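The two-step ACL reverse matching described above, as an added Python model that is not part of the command reference: it evaluates an inbound packet against NO-PAT entries and an advanced-ACL-style rule list (addresses only; ports are left out) and returns the internal destination only when reverse matching permits the packet. The NO-PAT entries, rule list and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data, not taken from the command reference.
# NO-PAT entries are created by outbound traffic and map one public address from the
# address group to exactly one internal host (public -> internal).
NOPAT_ENTRIES = {
    "202.110.10.10": "10.110.10.5",
    "202.110.10.11": "192.168.1.20",   # internal host outside the subnet the ACL permits
}

# Advanced ACL rules as (action, source network, destination network); first match wins.
ACL_RULES = [
    ("permit", "10.110.10.0/24", "203.0.113.0/24"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def _in(addr, net):
    """True when the address falls inside the network."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def reverse_translate(pkt_src, pkt_dst, entries=NOPAT_ENTRIES, rules=ACL_RULES):
    """Apply ACL reverse matching to an inbound packet (external pkt_src -> public pkt_dst).

    Returns the translated (internal) destination address, or None when reverse
    address translation does not admit the packet.
    """
    # Step 1: compare the packet's source with the *destination* fields of the ACL rules.
    candidates = [r for r in rules if _in(pkt_src, r[2])]
    if not candidates:
        return None
    # Step 2: translate the destination using the existing NO-PAT entry; without an
    # entry there is nothing to reverse, so the packet is not admitted...
    internal = entries.get(pkt_dst)
    if internal is None:
        return None
    # ...then compare the translated destination with the *source* fields of the ACL.
    for action, src_net, _dst_net in candidates:
        if _in(internal, src_net):
            return internal if action == "permit" else None
    return None


def admitted(pkt_src, pkt_dst):
    """True when the inbound packet would be reverse-translated to an internal host."""
    return reverse_translate(pkt_src, pkt_dst) is not None
```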
When you specify a NAT address group, follow these restrictions and guidelines:
An address group cannot be used by both the nat inbound and nat outbound commands.
An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.
When a port range and port block parameters are specified in the NAT address group, this command configures a dynamic NAT444 rule. Packets matching the ACL permit rule are processed by dynamic NAT444.
When you specify an ACL, follow these restrictions and guidelines:
An ACL can be used by only one outbound dynamic NAT rule on an interface.
If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.
If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.
Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. Among the ACL-based dynamic NAT rules, priority depends on the ACL number: a higher ACL number represents a higher priority.
The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.
Examples
# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Sysname-acl-ipv4-basic-2001] rule deny
[Sysname-acl-ipv4-basic-2001] quit
# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.
[Sysname] nat address-group 1
[Sysname-address-group-1] address 202.110.10.10 202.110.10.12
[Sysname-address-group-1] quit
# Configure an outbound dynamic PAT rule on interface GigabitEthernet 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat outbound 2001 address-group 1
[Sysname-GigabitEthernet1/0/1] quit
Or
# Configure an outbound NO-PAT rule on interface GigabitEthernet 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat outbound 2001 address-group 1 no-pat
[Sysname-GigabitEthernet1/0/1] quit
Or
# Enable Easy IP to use the IP address of GigabitEthernet 1/0/1 as the translated address.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat outbound 2001
[Sysname-GigabitEthernet1/0/1] quit
Or
# Configure an outbound NO-PAT rule on GigabitEthernet 1/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat outbound 2001 address-group 1 no-pat reversible