H3C SecPath Series High-End Firewalls


NAT and ALG Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

Software version:
SECPATHF1000SAI&F1000AEI&F1000ESI-CMW520-R3721
SECPATH5000FA-CMW520-F3210
SECPATH1000FE-CMW520-F3171
SECBLADEII-CMW520-F3171
Document version: 6PW

Copyright Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Preface

The H3C SecPath Series High-End Firewalls documentation set includes 10 configuration guides, which describe the software features for the H3C SecPath Series High-End Firewalls and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

The NAT and ALG Configuration Guide describes how to configure NAT and application layer protocol detection.

This preface includes:
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback

Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the H3C SecPath Series High-End Firewalls

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

&<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.

GUI conventions
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.
Represents a security card, such as a firewall card, a load-balancing card, or a NetStream card.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.

Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at the H3C website.

Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Technical support

Documentation feedback
You can e-mail your comments about product documentation to H3C. We appreciate your comments.

Contents

Configuring NAT
  Overview
    Introduction to NAT
    NAT control
    NAT operation
    Low-priority address pool
  Configuring NAT in the Web interface
    Configuration overview
    Creating an address pool
    Configuring dynamic NAT
    Creating a static address mapping
    Enabling static NAT on an interface
    Creating an internal server
    Configuring ACL-based NAT on the internal server
    Configuring a DNS mapping
    NAT configuration example
    Internal server configuration example
  Configuring NAT at the CLI
    NAT configuration task list at the CLI
    Configuring address translation
    Configuring static NAT
    Configuring dynamic NAT
    Configuring an internal server
    Configuring ACL-based NAT on an internal server
    Configuring DNS mapping
    Displaying and maintaining NAT
    One-to-one static NAT configuration example
    Dynamic NAT configuration example
    Common internal server configuration example
    NAT DNS mapping configuration example
  Troubleshooting NAT
    Symptom 1
    Solution
    Symptom 2
    Solution
  Configuration guidelines
Configuring NAT-PT
  Overview
    Application scenario
    Basic concepts
    Implementing NAT-PT
    NAT-PT limitations
    Protocols and standards
  NAT-PT configuration task list
    NAT-PT configuration task list on the IPv6 side
    NAT-PT configuration task list on the IPv4 side
  Configuring NAT-PT
    Configuration prerequisites
    Enabling NAT-PT
    Configuring a NAT-PT prefix
    Configuring IPv4/IPv6 address mappings on the IPv6 side
    Configuring IPv4/IPv6 address mappings on the IPv4 side
    Setting the ToS field after NAT-PT translation
    Setting the Traffic Class field after NAT-PT translation
    Configuring static NAPT-PT mappings of IPv6 servers
  Displaying and maintaining NAT-PT
  NAT-PT configuration examples
    Configuring dynamic mapping on the IPv6 side
    Configuring static mappings on the IPv4 side and the IPv6 side
  Troubleshooting NAT-PT
    Symptom
    Solution
Configuring ALG
  ALG overview
  Configuring ALG in the Web interface
  ALG configuration examples in the Web interface
    FTP ALG configuration example
    SIP/H.323 ALG configuration example
    NBT ALG configuration example
  Enabling ALG at the CLI
  ALG configuration examples at the CLI
    FTP ALG configuration example
    SIP/H.323 ALG configuration example
    NBT ALG configuration example
Index

Configuring NAT

Overview

Introduction to NAT
Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users with private IP addresses to access public networks. With NAT, a small number of public IP addresses are used to enable a large number of internal hosts to access the Internet. Thus, NAT effectively alleviates the depletion of IP addresses.

NOTE:
A private or internal IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique. According to RFC 1918, three blocks of IP addresses are reserved for private networks:
In Class A: 10.0.0.0 to 10.255.255.255
In Class B: 172.16.0.0 to 172.31.255.255
In Class C: 192.168.0.0 to 192.168.255.255
No host with an IP address in the three ranges exists on the Internet. You can use those IP addresses in an enterprise network freely without requesting them from an ISP or a registration center.

In addition to translating private addresses to public addresses, NAT can also perform address translation between any two networks. In this document, the two networks refer to an internal network and an external network. Typically, a private network is an internal network, and a public network is an external network.

Figure 1 NAT operation (diagram: an internal host on the intranet sends a packet through the NAT device to a server on the Internet; the table in the figure lists the source and destination addresses of the outbound packet before and after NAT)

1. The internal host, which has a private IP address, sends an IP packet through the NAT device to the external server, which has a public IP address.
2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined for the external network. It translates the private source address to a globally unique public address and then forwards the packet to the server on the external network. Meanwhile, the NAT device adds the mapping of the two addresses to its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is that public address. Upon receiving the packet, the NAT device checks the IP header, looks into its NAT table for the mapping, replaces the destination address with the private address of the internal host, and then sends the new packet to the internal host.

The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is the public address and is unaware of the private address. As such, NAT hides the private network from the external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
Because NAT rewrites IP addresses, the IP headers cannot be encrypted. The same applies to application protocol payloads that carry an IP address or port number which must be translated. For example, an FTP control connection cannot be encrypted, because the NAT device must read and rewrite the address and port carried in the PORT command; otherwise the command does not work correctly.
Network debugging becomes more difficult. For example, when a host in a private network attacks other networks, it is harder to pinpoint the attacking host because its IP address has been hidden behind the NAT device. Retain the NAT device's session records if you need to attribute external activity to an internal host.

NAT control
In practice, an enterprise needs to allow some hosts in the internal network to access external networks and prohibit others. This can be achieved through the NAT control mechanism. If a source IP address is among the denied addresses, the NAT device does not translate the address. In addition, the NAT device only translates private addresses to specified public addresses.

NAT control is achieved through an access control list (ACL) and an address pool. Only packets matching the ACL rules are served by NAT. An address pool is a collection of consecutive public IP addresses for address translation. You can size an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.
NAT operation

Basic NAT
As depicted in Figure 1, when an internal host accesses an external network, the NAT device uses a public IP address to replace the private source IP address. In Figure 1, NAT uses the IP address of the outgoing interface as the public IP address. All internal hosts share that single public IP address, so only one host can access external networks at a given time.

A NAT device can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, the NAT device chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks simultaneously.

NOTE:
The number of public IP addresses that a NAT device needs is usually far less than the number of internal hosts, because not all internal hosts access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.

NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT or address multiplexing. NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 2 Diagram for NAPT operation (diagram: Host A sends packets 1 and 2 from source ports 1111 and 2222, and Host B sends packet 3 from source port 1111; after NAT all three packets carry the same public source address with source ports 1001, 1002, and 1003)

As shown in Figure 2, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 1 and 3 are from different internal addresses but have the same source port number. NAPT maps the three IP packets to the same external address but with different source port numbers. Therefore, the packets can still be differentiated. When receiving the response packets, the NAT device forwards them to the corresponding hosts according to the destination addresses and port numbers. NAPT makes better use of IP address resources, enabling more internal hosts to access the external network at the same time.

NAPT supports the following NAT mapping behavior modes:
Endpoint-Independent Mapping: In this mode, the NAT device uses entries that each comprise the source IP address, source port number, and protocol type to translate addresses and filter packets. The same NAPT mapping applies to packets sent from the same internal IP address and port to any external IP address and port. The NAT device also allows external hosts to access the internal network by using the translated external addresses and port numbers; note that this means any external host that learns the translated port can reach the internal endpoint, not only the host the session was opened to. This mode facilitates communication among hosts that connect to different NAT devices.
Address and Port-Dependent Mapping: In this mode, the NAT device uses entries that each comprise the source IP address, source port number, protocol type, destination IP address, and destination port number to translate addresses and filter packets. For packets with the same source address and source port number but different destination addresses and destination port numbers, different NAPT mappings apply, so that the source address and port number are mapped to the same external IP address but different port numbers. The NAT device allows only hosts on the external networks where these destination addresses reside to access the internal network. This mode is more secure but inconvenient for communication among hosts that connect to different NAT devices.
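The following Python model, an added example that is not H3C code, ties together the NAT control, NAPT and mapping-mode passages above. It replays the three packets of Figure 2 against a NAT device that permits only one source prefix through an ACL, allocates public ports on a single pool address, and keeps its mappings either Endpoint-Independent (EIM) or Address and Port-Dependent (APDM); it then shows the security difference between the two modes by having an uninvolved external host probe Host A's translated port. Sequential port allocation starting at 1001 and all addresses are assumptions chosen to match the figure, not the firewall's actual allocation algorithm.

```python
"""NAPT with NAT control and the two mapping behaviour modes.

Added example, not H3C code: it models a NAT device that applies NAT control
with a source-prefix ACL, allocates public ports on one pool address, and keeps
its mappings either Endpoint-Independent (EIM) or Address and Port-Dependent
(APDM), then shows which inbound packets each mode admits. All addresses and
ports are constructed sample data; sequential port allocation is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, acl_permit, mode, first_port=1001):
        if mode not in ("EIM", "APDM"):
            raise ValueError("mode must be EIM or APDM")
        self.public_ip = public_ip
        self.acl = [ipaddress.ip_network(n) for n in acl_permit]  # NAT control: permitted sources
        self.mode = mode
        self._ports = count(first_port)        # next free public port on public_ip
        self.outbound = {}                     # mapping key -> public port
        self.inbound = {}                      # reverse key -> (private ip, private port)

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.acl)

    def _key(self, p):
        """EIM keys on (proto, src ip, src port); APDM also keys on the destination."""
        base = (p.proto, p.src_ip, p.src_port)
        return base if self.mode == "EIM" else base + (p.dst_ip, p.dst_port)

    def translate_outbound(self, p):
        """Packet as forwarded to the external network, or None if NAT control denies it."""
        if not self._permitted(p.src_ip):
            return None
        key = self._key(p)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            if self.mode == "EIM":
                # Any external host may reach the private endpoint through this port.
                self.inbound[(p.proto, pub_port)] = (p.src_ip, p.src_port)
            else:
                # Only the external endpoint the session was opened to may reply.
                self.inbound[(p.proto, pub_port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(p.proto, self.public_ip, self.outbound[key], p.dst_ip, p.dst_port)

    def translate_inbound(self, p):
        """Packet as forwarded to the internal network, or None if no mapping admits it."""
        if p.dst_ip != self.public_ip:
            return None
        if self.mode == "EIM":
            hit = self.inbound.get((p.proto, p.dst_port))
        else:
            hit = self.inbound.get((p.proto, p.dst_port, p.src_ip, p.src_port))
        if hit is None:
            return None
        return Packet(p.proto, p.src_ip, p.src_port, hit[0], hit[1])


def demo(mode):
    """Replay the three packets of Figure 2 plus two probes; return what each mode does."""
    nat = Napt("203.0.113.1", ["192.168.1.0/24"], mode)          # constructed sample addresses
    a1 = Packet("udp", "192.168.1.10", 1111, "198.51.100.5", 53)   # Host A, packet 1
    a2 = Packet("udp", "192.168.1.10", 2222, "198.51.100.5", 53)   # Host A, packet 2
    b1 = Packet("udp", "192.168.1.20", 1111, "198.51.100.5", 53)   # Host B, packet 3
    out = [nat.translate_outbound(p) for p in (a1, a2, b1)]
    denied = nat.translate_outbound(Packet("udp", "192.168.2.10", 1111, "198.51.100.5", 53))
    # A host that was never contacted probes Host A's translated port.
    stranger = Packet("udp", "198.51.100.9", 4000, "203.0.113.1", out[0].src_port)
    # Host A reuses the same source port towards a different destination.
    a1_other = nat.translate_outbound(Packet("udp", "192.168.1.10", 1111, "198.51.100.7", 80))
    return {
        "public_ports": [p.src_port for p in out],
        "denied_by_acl": denied is None,
        "stranger_admitted": nat.translate_inbound(stranger) is not None,
        "same_port_to_other_dst": a1_other.src_port,
    }


if __name__ == "__main__":
    for mode in ("EIM", "APDM"):
        print(mode, demo(mode))
```

In both modes the three packets leave with ports 1001, 1002 and 1003 and the packet from the subnet outside the ACL is not translated. The modes differ on the two probes: under EIM the stranger's packet is admitted and Host A's second destination reuses port 1001, while under APDM the stranger is dropped and the second destination gets a fresh port, which is exactly the trade-off between reachability and exposure the text describes.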

Internal server
NAT hides the internal network structure, including the identities of internal hosts. However, some internal hosts, such as an internal Web server or FTP server, may need to be accessed by external hosts. NAT satisfies this need by supporting internal servers. You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure a public IP address with port 8080 as an internal Web server's external address and port number.

In Figure 3, when the NAT device receives a packet destined for the public IP address of an internal server, it looks in the NAT entries and translates the destination address and port number in the packet to the private IP address and port number of the internal server. When the NAT device receives a response packet from the internal server, it translates the source private IP address and port number of the packet into the public IP address and port number of the internal server.

Figure 3 Internal server operation (diagram: an Internet host sends a packet to the server's public address, port 8080; in the inbound direction the NAT device rewrites the destination to the server's private address, port 8080, and rewrites the source of the server's reply back to the public address)

DNS mapping
Generally, the DNS server and the users that need to access internal servers reside on the public network. You can specify an external IP address and port number for an internal server on the public network interface of a NAT device, so that external users can access the internal server using its domain name or public IP address.

In Figure 4, an internal host wants to access an internal Web server by using its domain name, while the DNS server is located on the public network. Typically, the DNS server replies with the public address of the internal server, and the host therefore cannot access the internal server. The DNS mapping feature solves the problem.

Figure 4 Operation of NAT DNS mapping

A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name in the message against the DNS mapping entries. If a match is found, the private address of the internal server is looked up and the interface replaces the public IP address in the reply with the private IP address. The host can then use the private address to access the internal server.

Easy IP
Easy IP uses the public IP address of an interface on the firewall as the translated source address, to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be translated.

NAT support for VPNs
NAT allows users from different VPNs to access external networks through the same outbound interface, and allows the VPN users to use the same private address space.
1. Upon receiving a request from an MPLS VPN to an external network, NAT replaces the private source IP address and port number with a public IP address and port number, and records the MPLS VPN information, such as the protocol type and route distinguisher (RD).
2. When the response packet arrives, NAT replaces the public destination IP address and port number with the internal IP address and port number, and uses the recorded VPN information to send the packet to the target VPN.
This feature also applies to internal servers, so that external users can access an internal host of a VPN. For example, suppose a host with a private address in VPN 1 needs to provide Web services for the Internet. Configure NAT to map a public IP address to the host, so that Internet users can use that public IP address to access the Web services on the host. NAT allows hosts in multiple VPNs to access each other by using the VPN information carried in the external IP address.

Low-priority address pool
An address pool is a set of consecutive public IP addresses used for dynamic NAT. A NAT gateway selects addresses from the address pool and uses them as the translated source IP addresses.

When two devices in a stateful failover implementation perform NAT, identical address pools must be configured on both devices, to make sure that service traffic is successfully taken over by the other device if one device fails. However, if the devices select the same IP addresses from their address pools and assign them the same port numbers, the reverse sessions on the two devices are identical. As a result, session data cannot be backed up between the devices.

To solve the problem, the low-priority address pool attribute is introduced to NAT. You can configure the address pools on the two devices to have different priorities. For example, suppose that two address pools, A and B, are configured on both devices. Configure A as the low-priority address pool on one device and B as the low-priority address pool on the other device. Because NAT does not select addresses from a low-priority address pool, the two devices use different addresses as translated source addresses, and session data can be backed up successfully.

NOTE:
For more information about stateful failover, see High Availability Configuration Guide.
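The following Python model, an added example that is not H3C code, reproduces the low-priority address pool problem and its fix for a failover pair. Both devices hold the same two pools; each device allocates translated (address, port) pairs for the same burst of sessions, and backup_conflicts() reports the reverse-session keys that would coincide on both devices. check_pair() additionally flags the configuration the Web interface rejects, the same pool marked low priority on both devices, and the degenerate case in which every pool is low priority. The pool ranges, sessions and round-robin allocation order are assumptions, not the firewall's algorithm.

```python
"""Low-priority address pools on a stateful failover pair.

Added example, not H3C code. Both devices hold the same pools A and B; each
marks a different one low priority, so dynamic NAT on the two devices draws
translated source addresses from disjoint pools and the reverse sessions
never coincide. check_pair() flags the configuration the Web interface
rejects (the same pool low priority on both devices). Pool ranges, sessions
and the round-robin allocation order are constructed assumptions.
"""
import ipaddress


def expand_pool(start, end):
    """Expand a consecutive address pool into its addresses; end must not be lower than start."""
    s, e = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if e < s:
        raise ValueError("end IP address must be identical to or higher than the start IP address")
    return [str(ipaddress.ip_address(i)) for i in range(s, e + 1)]


# Identical pools on both devices, as stateful failover requires.
POOLS = {
    "A": expand_pool("203.0.113.1", "203.0.113.3"),
    "B": expand_pool("203.0.113.4", "203.0.113.6"),
}


def selectable(pools, low_priority):
    """Addresses dynamic NAT may pick on one device: every pool except its low-priority ones."""
    return [addr for name, addrs in pools.items() if name not in low_priority for addr in addrs]


def allocate(sessions, addresses, first_port=1024):
    """Assign (public address, public port) to sessions the way a fresh device would here:
    round-robin over the selectable addresses, the port climbing each time they wrap."""
    if not addresses:
        raise ValueError("no selectable address: every pool is low priority")
    return {
        s: (addresses[i % len(addresses)], first_port + i // len(addresses))
        for i, s in enumerate(sessions)
    }


def backup_conflicts(sessions, pools, local_low, peer_low):
    """Reverse-session keys (public address, port) that both devices would hand out
    for the same sessions. Any overlap means session data cannot be backed up."""
    local = allocate(sessions, selectable(pools, local_low))
    peer = allocate(sessions, selectable(pools, peer_low))
    return sorted(set(local.values()) & set(peer.values()))


def check_pair(local_low, peer_low, pools=POOLS):
    """Configuration problems for the pair, as a list of strings (empty when clean)."""
    problems = []
    shared = sorted(set(local_low) & set(peer_low))
    if shared:
        problems.append(f"pool(s) {shared} are low priority on both the local and the peer device")
    for side, low in (("local", local_low), ("peer", peer_low)):
        if not selectable(pools, low):
            problems.append(f"{side} device has no selectable address")
    return problems


if __name__ == "__main__":
    sessions = [("192.168.1.10", 1111), ("192.168.1.11", 1111)]
    print("distinct low-priority pools:", backup_conflicts(sessions, POOLS, {"A"}, {"B"}))
    print("no low-priority pool      :", backup_conflicts(sessions, POOLS, set(), set()))
    print(check_pair({"A"}, {"A"}))
```

With A low priority on the local device and B on the peer, the two devices never hand out the same (address, port) pair, so every session can be backed up. With no low-priority pool on either side, the first two sessions collide on both devices, which is the failure the text describes.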

Configuring NAT in the Web interface

Configuration overview

Configuring address translation
A NAT gateway can use manually configured or dynamically generated mapping entries to translate between internal and external network addresses. Generally, address translation can be classified into the following types:

Dynamic NAT
A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or with the address of an interface in the case of Easy IP). This association defines which packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable when a large number of internal users need to access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released.

Table 1 Dynamic NAT configuration task list
Creating an address pool: Required for configuring NAPT and NO-PAT.
Configuring dynamic NAT: Required. Configure dynamic NAT on an interface.

Static NAT
The mapping relationships between external and internal network addresses are manually configured. Static NAT can meet the fixed access requirements of a few users.

Table 2 Static NAT configuration task list
Creating a static address mapping: Required. Static NAT supports two modes, one-to-one and net-to-net.
Enabling static NAT on an interface: Required. Configure static NAT on an interface.

Configuring an internal server
Table 3 Internal server configuration task list
Creating an internal server: Required. After you map the private IP address/port number of an internal server to a public IP address/port number, hosts in external networks can access the server located in the private network.

Configuring a DNS mapping: Optional. The DNS mapping feature enables an internal host to use the domain name to access an internal server located on the same private network, while the DNS server resides on the public network.

IMPORTANT:
Up to 16 DNS mappings are supported on the firewall.

Creating an address pool
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree to enter the page shown in Figure 5. In the Address Pool field, where all NAT address pools are displayed, click Add to enter the Add NAT Address Pool page shown in Figure 6.

Figure 5 Dynamic NAT configuration page
Figure 6 Adding a NAT address pool

Table 4 Configuration items
Index: Specify the index of an address pool.
Start IP Address: Specify the start IP address of the address pool.
End IP Address: Specify the end IP address of the address pool. The end IP address must be identical to or higher than the start IP address.
Low priority: Configure the address pool as a low-priority or a non-low-priority address pool.
  IMPORTANT: This configuration item applies to stateful failover networking only. You cannot configure the same address pool as the low-priority address pool on both the local and the peer device.

Configuring dynamic NAT
NOTE:
If Easy IP is configured on an interface, or the public IP address is the same as the IP address of the interface, address translation cannot be associated with any VRRP group.

Select Firewall > NAT Policy > Dynamic NAT from the navigation tree to enter the page shown in Figure 5. In the Dynamic NAT field, where all dynamic NAT policies are displayed, click Add to enter the Add Dynamic NAT page shown in Figure 7.

Figure 7 Adding dynamic NAT

Table 5 Configuration items
Interface: Specify an interface on which dynamic NAT is to be enabled.
ACL: Specify an ACL for dynamic NAT. You cannot associate an ACL with multiple NAT address pools, or associate an ACL with both Easy IP and an address pool.
  IMPORTANT: On some devices, the rules of an ACL applied on an interface cannot conflict with one another; rules with the same source IP address, destination IP address, and VPN instance are considered a conflict. In a basic ACL (numbered 2000 to 2999), rules with the same source IP address and VPN instance are considered a conflict.
Address Transfer: Select an address translation mode:
  PAT: Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP addresses and port numbers.
  No-PAT: Refers to many-to-many NAT. In this mode, associating an ACL with an address pool translates only IP addresses.
  Easy IP: In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address, and uses an ACL to match IP packets.
  Only one mode can be selected for an address pool.
Address Pool Index: Specify the index of a NAT address pool for dynamic NAT. The NAT address pool must have been created through the address pool configuration. If Easy IP is selected for Address Transfer, you do not need to enter an address pool index.
Global VPN Instance: Specify the name of the VPN instance to which the external IP addresses (that is, the NAT address pool) belong.
Enable track to VRRP / VRRP Group: Configure whether to associate dynamic NAT on an interface with a VRRP group, and specify the VRRP group to be associated. When two network devices implement both stateful failover and dynamic NAT, make sure that each address pool on an interface is associated with one VRRP group only; otherwise, the system associates the address pool with the VRRP group having the highest group ID. To ensure normal switchovers between the two devices, add the devices to the same VRRP group and associate dynamic NAT with the VRRP group.
Port Preserved: Specify whether to preserve the source port information when NAT is performed.

Creating a static address mapping
Select Firewall > NAT Policy > Static NAT from the navigation tree to enter the page shown in Figure 8. In the Static Address Mapping field, where static address mappings are displayed, click Add to enter the Add Static Address Mapping page shown in Figure 9.

Figure 8 Static NAT configuration page
Figure 9 Adding static address mapping

Table 6 Configuration items
Internal VPN Instance: Specify the name of the VPN instance to which the internal IP addresses belong. If no internal VPN instance is specified, the internal address is a common private network address.
Internal IP Address: Enter an internal IP address for the static address mapping.
Global VPN Instance: Specify the name of the VPN instance to which the external IP addresses belong. If no global VPN instance is specified, the external address is a common public network address.
Global IP Address: Enter a public IP address for the static address mapping.
Network Mask: Specify the network mask for the internal and public IP addresses. If the network mask is specified, net-to-net static NAT is implemented. If no network mask is specified, the default mask is used and one-to-one static NAT is delivered.
ACL: Specify the ACL number. If the acl-number argument is specified, the device performs NAT for the packets matching a specific ACL rule, and no longer matches the packets against the interzone policy. Because such packets bypass the interzone policy, the ACL is the only filter applied to them, so keep it as narrow as the service requires.

Enabling static NAT on an interface
Select Firewall > NAT Policy > Static NAT from the navigation tree to enter the page shown in Figure 8. In the Interface Static Translation field, where static NAT entries configured for interfaces are displayed, click Add to enter the Enable Interface Static Translation page shown in Figure 10.

Figure 10 Enabling interface static translation

Table 7 Configuration items
Interface Name: Select an interface to which static NAT is applied.
Enable track to VRRP / VRRP Group: Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP group to be associated. When two network devices implement both stateful failover and NAT, make sure that the public address of an internal server on an interface is associated with one VRRP group only; otherwise, the system associates the public address with the VRRP group having the highest group ID. To ensure normal switchovers between the two devices, add the devices to the same VRRP group and associate the NAT configuration with the VRRP group.

Creating an internal server
Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 11. In the Internal Server field, where all internal server information is displayed, click Add to enter the Add Internal Server page shown in Figure 12.

Figure 11 Internal server configuration page
Figure 12 Adding an internal server

Table 8 Configuration items
Interface: Specify an interface to which the internal server policy is applied.
Protocol Type: Select or specify the type of the protocol carried by IP.
Global VPN Instance: Specify the name of the VPN instance to which the external address belongs. If no global VPN instance is specified, the external IP address is a common public network address that does not belong to any VPN instance.
External IP Address: Specify the public IP address for the internal server. You can enter an IP address, or use the IP address of an interface.
Global Port: Specify the global port number(s) for the internal server. This option is available when 6 (TCP) or 17 (UDP) is selected as the protocol type. You can:
  Use the single box to specify a global port.
  Use the double boxes to specify a range of global ports, each of which has a one-to-one correspondence with one address in the specified internal IP address range. The number you enter in the right box must be higher than that in the left box.
  If you use the single box and specify a port of 0, all types of services are provided. This configuration indicates a static connection between the external IP address and the internal IP address.
Internal VPN Instance: Specify the name of the VPN instance to which the internal server belongs. If no internal VPN instance is specified, the internal server is a common private network server that does not belong to any VPN instance.
Internal IP: Specify the internal IP address(es) for the internal server.
  Single box: Used to specify an internal IP address when 6 (TCP) or 17 (UDP) is not selected for the protocol type, or when you specify a single global port.
  Double boxes: Used to specify a range of internal IP addresses, each of which has a one-to-one correspondence with a port in the specified global port range. The IP address in the right box must be higher than that in the left box, and the number of addresses must be identical to the number of specified global ports.
Internal Port: Specify the internal port number of the internal server. This option is available when 6 (TCP) or 17 (UDP) is selected for the protocol type. If you enter 0 in the field, all types of services are provided. This configuration indicates a static connection between the internal address and the external address.
ACL: Specify the ACL number. If the acl-number argument is specified, the device performs NAT for the packets matching a specific ACL rule, and no longer matches the packets against the interzone policy.
Enable track to VRRP / VRRP Group: Configure whether to associate the internal server on an interface with a VRRP group, and specify the VRRP group to be associated. When two network devices deliver both stateful failover and dynamic NAT, to ensure normal switchovers between the two devices, add the devices to the same VRRP group and associate dynamic NAT with the VRRP group.
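The following Python model, an added example that is not H3C code, implements the internal server rules of Table 8 and the DNS mapping operation described in the overview. It enforces the two checks a practitioner relies on when filling in the page: a global port range must pair one-to-one with an equally sized internal address range, and port 0 forwards every port of the protocol to one address. It then rewrites a DNS reply for a mapped domain from the server's public address to its private address, and refuses a 17th DNS mapping, matching the stated limit. All addresses, ports and domain names are constructed sample data.

```python
"""Internal server entries and NAT DNS mapping.

Added example, not H3C code. It models the rules Table 8 states for internal
servers: a global port range maps one-to-one onto an equally sized range of
internal addresses, and port 0 forwards every port of the protocol to one
address (a static address-to-address connection). It then applies the DNS
mapping from the overview: when a DNS reply for a mapped domain carries the
server's public address, the reply is rewritten to the private address so an
internal host reaches the server directly. All addresses, ports and domain
names are constructed sample data.
"""
import ipaddress

TCP, UDP = 6, 17


def expand_range(start, end):
    """Addresses from start to end inclusive; end must be higher than start."""
    s, e = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if e <= s:
        raise ValueError("the address in the right box must be higher than that in the left box")
    return [str(ipaddress.ip_address(i)) for i in range(s, e + 1)]


class InternalServers:
    def __init__(self):
        # (proto, global ip, global port or None for all, internal ip, internal port or None)
        self.entries = []

    def add(self, proto, global_ip, global_port, internal_ip, internal_port):
        """global_port and internal_ip are either single values or (start, end) ranges."""
        if isinstance(global_port, tuple):
            if proto not in (TCP, UDP):
                raise ValueError("port ranges are only available for TCP or UDP")
            lo, hi = global_port
            if hi <= lo:
                raise ValueError("the number in the right box must be higher than that in the left box")
            addrs = expand_range(*internal_ip)
            if len(addrs) != hi - lo + 1:
                raise ValueError("number of internal addresses must equal number of global ports")
            for port, addr in zip(range(lo, hi + 1), addrs):
                self.entries.append((proto, global_ip, port, addr, internal_port))
        else:
            self.entries.append((proto, global_ip,
                                 None if global_port == 0 else global_port,
                                 internal_ip,
                                 None if internal_port == 0 else internal_port))

    def translate_inbound(self, proto, dst_ip, dst_port):
        """(private ip, private port) for an inbound packet, or None if no entry matches."""
        for e_proto, g_ip, g_port, i_ip, i_port in self.entries:
            if e_proto == proto and g_ip == dst_ip and g_port in (None, dst_port):
                return (i_ip, dst_port if i_port is None else i_port)
        return None


class DnsMap:
    MAX_ENTRIES = 16        # limit stated in the guide for this firewall

    def __init__(self, servers):
        self.servers = servers
        self.entries = {}   # domain -> (proto, global ip, global port)

    def add(self, domain, proto, global_ip, global_port):
        if len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("up to 16 DNS mappings are supported")
        self.entries[domain.lower().rstrip(".")] = (proto, global_ip, global_port)

    def rewrite_reply(self, domain, answer_ip):
        """Address an internal host should see in a DNS reply: the private address when
        the domain is mapped and the answer is the mapped public address, else unchanged."""
        entry = self.entries.get(domain.lower().rstrip("."))
        if entry is None or answer_ip != entry[1]:
            return answer_ip
        hit = self.servers.translate_inbound(*entry)
        return answer_ip if hit is None else hit[0]


def demo():
    srv = InternalServers()
    srv.add(TCP, "203.0.113.10", 80, "10.1.1.10", 8080)                          # single port
    srv.add(TCP, "203.0.113.11", (8001, 8003), ("10.1.1.21", "10.1.1.23"), 80)   # port range
    srv.add(UDP, "203.0.113.12", 0, "10.1.1.30", 0)                              # all UDP ports
    dns = DnsMap(srv)
    dns.add("www.example.com", TCP, "203.0.113.10", 80)
    return {
        "web": srv.translate_inbound(TCP, "203.0.113.10", 80),
        "range_8002": srv.translate_inbound(TCP, "203.0.113.11", 8002),
        "all_udp": srv.translate_inbound(UDP, "203.0.113.12", 5060),
        "unmapped": srv.translate_inbound(TCP, "203.0.113.10", 443),
        "dns_mapped": dns.rewrite_reply("www.example.com", "203.0.113.10"),
        "dns_other": dns.rewrite_reply("ftp.example.com", "203.0.113.10"),
    }


def rejects_count_mismatch():
    """True when a 3-port range paired with a 2-address range is refused."""
    try:
        InternalServers().add(TCP, "203.0.113.11", (8001, 8003), ("10.1.1.21", "10.1.1.22"), 80)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_count_mismatch())
```

Port 8002 of the range lands on the second internal address with the shared internal port, the port-0 UDP entry forwards an arbitrary port unchanged, a port with no entry is not translated, and only the mapped domain has its reply rewritten. Note that port 0 exposes every port of the protocol on that internal host, so pair it with an ACL or interzone policy that limits who may reach it.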

Configuring ACL-based NAT on the internal server

Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 11. In the Internal Server Based on ACL area, click Add to enter the Add Internal Server Based on ACL page shown in Figure 13.

Figure 13 Adding an internal server based on ACL

Table 9 Configuration items

Interface: Specify an interface to which the internal server policy is applied.
Protocol type: Select the protocol number.
ACL: Enter the number of the ACL referenced by the internal server policy.
Internal VPN Instance: Select the Internal VPN Instance option, and then select the VPN instance to which the internal server belongs. If the internal server does not belong to any VPN instance, do not select the option.
Internal IP: Enter the internal IP address of the internal server.
Internal Port: Enter the port number of the internal server. This option is available when 6(TCP) or 17(UDP) is selected for the protocol type. If you enter 0 in the field, all types of services are provided; the value 0 indicates a static connection between the internal address and the external address.

Configuring a DNS mapping

Select Firewall > NAT Policy > Internal Server from the navigation tree to enter the page shown in Figure 11. In the DNS-MAP field, where all DNS mappings are displayed, click Add to enter the Add DNS-MAP page shown in Figure 14.

Figure 14 Adding the DNS-MAP

Table 10 Configuration items

Protocol: Select the protocol supported by the internal server.
Global IP: Specify the external IP address of the internal server.
Global Port: Specify the port number of the internal server.
Domain: Specify the domain name of the internal server.

NAT configuration example

Network requirements

As shown in Figure 15, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

Figure 15 Network diagram

Configuration procedure

# Configure an ACL to permit internal users in subnet /24 to access the Internet.
Select Firewall > ACL from the navigation tree, click Add, and then perform the following operations, as shown in Figure 16.

Figure 16 Defining ACL 2001

Enter 2001 in ACL Number.
Select Config in Match Order.
Click Apply.

Click the icon in the Operation column corresponding to ACL 2001 to enter the ACL 2001 configuration page, click Add, and then perform the following operations, as shown in Figure 17.

Figure 17 Configuring ACL 2001 to permit users on network /24 to access the Internet

Select Permit in Operation.
Select the Source IP Address box and then enter the source address.
Enter the wildcard in Source Wildcard.
Click Apply.

Click Add on the ACL 2001 configuration page and perform the following operations, as shown in Figure 18.

Figure 18 Configuring ACL 2001 to prohibit other users from accessing the Internet

Select Deny for Operation.
Click Apply.

# Configure a NAT address pool.
Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, click Add, and then perform the following operations, as shown in Figure 19.

Figure 19 Configuring NAT address pool 0

Enter 0 in Index.
Enter the first public address in Start IP Address.
Enter the last public address in End IP Address.
Click Apply.

# Configure dynamic NAT.
Click Add in the Dynamic NAT field and perform the following operations, as shown in Figure 20.

Figure 20 Configuring dynamic NAT

Select GigabitEthernet0/1 for Interface.
Enter 2001 in ACL.
Select PAT for Address Transfer.
Enter 0 in Address Pool Index.
Click Apply.

Internal server configuration example

Network requirements

As shown in Figure 21, a company provides two Web servers and one FTP server for external users to access. The internal network address is /16. The internal address of the FTP server is /16, that of Web server 1 is /16, and that of Web server 2 is /16. The company has three public IP addresses from /24 through /24. Specifically, the company has the following requirements:
External hosts can access the internal servers using public address /24.
Port 8080 is used for Web server 2.

Figure 21 Network diagram

Configuration procedure

# Configure the FTP server.
Select Firewall > NAT Policy > Internal Server from the navigation tree, click Add in the Internal Server field, and then perform the following operations, as shown in Figure 22.

Figure 22 Configuring an internal FTP server

Select GigabitEthernet0/1 for Interface.
Select 6(TCP) for Protocol Type.
Select the option next to Assign IP Address, and then enter the public address in Global IP.
Select the upper option next to Global Port and enter 21.
Enter the FTP server address in Internal IP.
Enter 21 in Internal Port.
Click Apply.

# Configure Web server 1.
Click Add in the Internal Server field and perform the following operations, as shown in Figure 23.

Figure 23 Configuring internal Web server 1

Select GigabitEthernet0/1 for Interface.
Select 6(TCP) for Protocol Type.
Select the option next to Assign IP Address, and then enter the public address for Global IP.
Select the upper option next to Global Port and enter 80.
Enter the Web server 1 address in Internal IP.
Enter 80 in Internal Port.
Click Apply.

# Configure Web server 2.
Click Add in the Internal Server field and perform the following operations, as shown in Figure 24.

Figure 24 Configuring internal Web server 2

Select GigabitEthernet0/1 for Interface.
Select 6(TCP) for Protocol Type.
Select the option next to Assign IP Address, and then enter the public address for Global IP.
Select the upper option next to Global Port and enter 8080.
Enter the Web server 2 address in Internal IP.
Enter 80 in Internal Port.
Click Apply.

Configuring NAT at the CLI

NAT configuration task list at the CLI

Configuring address translation (either of the following is required):
Configuring static NAT
Configuring dynamic NAT
Configuring an internal server: Required
Configuring ACL-based NAT on the internal server: Optional
Configuring a DNS mapping: Optional

NOTE:
If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and reboot the device (or use the reset nat session command to manually clear the relevant NAT entries) to avoid problems. Otherwise, the following problems may occur: after you delete the NAT-related configuration, address translation still works for sessions that were already created; and if you configure NAT while NAT is running, the same configuration may produce different results depending on the order in which it was applied.
If Easy IP is configured on an interface, or the public IP address is the same as the IP address of the interface, address translation cannot be associated with any VRRP group.

Configuring address translation

A NAT device can be configured with, or can dynamically generate, mappings that translate between internal and external network addresses. Address translation can be classified into the following types:
Static NAT: Mappings between external and internal network addresses are manually configured. Static NAT can meet the fixed access requirements of a few users.
Dynamic NAT: A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL with an address pool (or with the address of an interface in the case of Easy IP). This association defines which packets can use the addresses in the address pool (or the interface's address) to access the external network. Dynamic NAT is applicable to network environments where a large number of internal users need to access external networks. An IP address is selected from the associated address pool to translate an outgoing packet. After the session terminates, the selected IP address is released.
Both static NAT and dynamic NAT support NAT multiple-instance as long as the VPN instance of an IP address is provided.

Configuring static NAT

You configure static NAT in system view, and make it effective in interface view. Static NAT supports two modes: one-to-one and net-to-net.

Configuring one-to-one static NAT

One-to-one static NAT translates a private IP address into a public IP address.

To configure one-to-one static NAT:
1. Enter system view: system-view
2. Configure a one-to-one static NAT mapping: nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
3. Enter interface view: interface interface-type interface-number
4. Enable static NAT on the interface: nat outbound static [ track vrrp virtual-router-id ]

Configuring net-to-net static NAT

Net-to-net static NAT translates a private network into a public network.

To configure net-to-net static NAT:
1. Enter system view: system-view
2. Configure a net-to-net static NAT mapping: nat static [ acl-number ] net-to-net local-network [ vpn-instance local-name ] global-network [ vpn-instance global-name ] { netmask-length | netmask }
3. Return to system view: quit
4. Enter interface view: interface interface-type interface-number
5. Enable static NAT on the interface: nat outbound static

Configuring dynamic NAT

Dynamic NAT is usually implemented by associating an ACL with an address pool (or with the address of an interface) on an interface. To use the address of an interface as the translated address, use Easy IP. To select an address from an address pool as the translated address, use No-PAT or NAPT for dynamic address translation. No-PAT is used in many-to-many address translation and does not translate TCP/UDP port numbers. NAPT allows for many-to-one address translation by also translating TCP/UDP port numbers.

Typically, a NAT entry is configured on the outbound interface of the NAT device. When the first packet of a session arrives and an address pool is associated with the outbound interface, NAT determines whether to translate the packet based on the ACL. If so, NAT chooses an address from the associated address pool or uses the associated interface address, performs address translation, and then saves the address mapping in the address translation table. All subsequent packets from the internal host are serviced by NAT directly according to the mapping entry.

Configuration prerequisites

Configure an ACL to specify the IP addresses permitted to be translated. For more information about ACLs, see Access Control Configuration Guide.
Decide whether to use an interface's IP address as the translated source address.
Determine a public IP address pool for address translation.
Decide whether to translate port information.

Configuring NAT address pools

You can configure NAT address pools in two ways:
Configure an address pool that consists of a set of consecutive addresses.
Configure an address group that can contain several members. Each member specifies an address pool that consists of a set of consecutive addresses. The address pools of the members need not be consecutive with each other.
The NAT device selects an IP address from the specified NAT address pool as the source address of a packet.

To configure an address pool:

1. Enter system view: system-view
2. Configure an address pool: nat address-group group-number start-address end-address (Not necessary when the device provides only Easy IP, where an interface's public IP address is used as the translated IP address.)

To configure an address group:
1. Enter system view: system-view
2. Create an address group and enter its view: nat address-group group-number
3. Add a member to the address group: address start-address end-address

NOTE:
Address pools must not overlap. The IP address pools of address group members must not overlap with each other or with other address pools.

Configuring Easy IP

Easy IP allows the firewall to use the IP address of one of its interfaces as the source address of NATed packets.

To configure Easy IP:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable Easy IP by associating an ACL with the IP address of the interface: nat outbound [ acl-number ] [ track vrrp virtual-router-id ]

Configuring No-PAT

With an ACL associated with an address pool or interface address, No-PAT translates the source address of a packet permitted by the ACL into an IP address of the address pool or into the interface address, without using the port information.

To configure No-PAT:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface, translating only IP addresses: nat outbound [ acl-number ] address-group group-number [ vpn-instance vpn-instance-name ] no-pat [ track vrrp virtual-router-id ]
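The dynamic NAT lookup described under "Configuring dynamic NAT" (ACL check on the first packet, address taken from the pool, mapping stored and reused, address released when the session ends) as an added Python example covering both No-PAT and NAPT; this is illustration code, not H3C's implementation, and the ACL rules, pool addresses and port numbering scheme are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Added illustration, not H3C code. Models the dynamic NAT lookup described
# in "Configuring dynamic NAT": the first packet of a session is checked
# against the ACL; if permitted, No-PAT takes a whole pool address for the
# internal host (many-to-many, ports untouched), while NAPT shares a pool
# address among hosts by rewriting the source port (many-to-one). The
# mapping is stored and reused for later packets of the session and dropped
# when the session ends. All addresses, rules and ports are constructed.

Endpoint = Tuple[str, int]   # (IPv4 address, TCP/UDP port)
Rule = Tuple[str, str]       # ("permit" | "deny", IPv4 network in CIDR form)


def acl_permits(rules: List[Rule], src_ip: str) -> bool:
    """Config-order ACL match: the first matching rule decides; no match = deny."""
    addr = ipaddress.IPv4Address(src_ip)
    for action, network in rules:
        if addr in ipaddress.IPv4Network(network):
            return action == "permit"
    return False


class DynamicNat:
    PORTS_PER_ADDRESS = 64512   # NAPT hands out ports 1024..65535 per pool address

    def __init__(self, rules: List[Rule], pool_start: str, pool_end: str,
                 pat: bool) -> None:
        self.rules = rules
        self.pat = pat                                   # False = No-PAT, True = NAPT
        first = ipaddress.IPv4Address(pool_start)
        last = ipaddress.IPv4Address(pool_end)
        self.pool: List[str] = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.table: Dict[Endpoint, Endpoint] = {}       # inside -> outside mapping
        self.used: Set[str] = set()                      # No-PAT: pool addresses in use
        self.alloc = 0                                   # NAPT: next (address, port) slot

    def _key(self, src_ip: str, src_port: int) -> Endpoint:
        # No-PAT keys on the host only: every port of that host shares one mapping.
        return (src_ip, src_port if self.pat else 0)

    def translate(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Return the translated (ip, port), or None if the packet is not translated."""
        key = self._key(src_ip, src_port)
        outside = self.table.get(key)
        if outside is None:                              # first packet of a session
            if not acl_permits(self.rules, src_ip):
                return None
            if self.pat:
                # Ports of one pool address are handed out in turn; the next pool
                # address is used once the current one is exhausted.
                slot, port = divmod(self.alloc, self.PORTS_PER_ADDRESS)
                if slot >= len(self.pool):
                    return None                          # every address and port taken
                self.alloc += 1
                outside = (self.pool[slot], 1024 + port)
            else:
                free = [a for a in self.pool if a not in self.used]
                if not free:
                    return None                          # pool exhausted, no translation
                self.used.add(free[0])
                outside = (free[0], 0)
            self.table[key] = outside
        ip, port = outside
        return (ip, port if self.pat else src_port)      # No-PAT keeps the source port

    def release(self, src_ip: str, src_port: int) -> None:
        """Session terminated: drop the mapping and, for No-PAT, free the address."""
        outside = self.table.pop(self._key(src_ip, src_port), None)
        if outside is not None and not self.pat:
            self.used.discard(outside[0])
```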

Configuring NAPT

With an ACL associated with an address pool or interface address, NAPT translates the source address of a packet permitted by the ACL into an IP address of the address pool or into the interface address, and also translates the port information.

To configure NAPT:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure NAPT by associating an ACL with an IP address pool on the outbound interface, translating both the IP address and the port number: nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ port-preserved ] ] [ track vrrp virtual-router-id ]

Configuring an internal server

Introduction to internal server

To configure an internal server, you map an external IP address and port number to the internal server by executing the nat server command on an interface. An internal server configuration includes external network information (the external IP address global-address), internal network information (the internal IP address local-address), and the protocol type of the internal server.

Both internal servers and their external IP addresses can support L3VPN. If an internal server belongs to an L3VPN, you also need to specify the vpn-instance-name argument. Without this argument, the internal server does not belong to any VPN.

Configuring a common internal server

After the internal IP address of a common internal server is mapped to an external IP address, hosts in external networks can access the server located in the internal network.

To configure a common internal server:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure a common internal server: nat server [ acl-number ] [ index ] protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ]

CAUTION:
The firewall supports using the interface address as the external address of an internal server, which is the Easy IP feature. If you want to specify an interface, the interface must be a loopback interface and must already exist. If you configure an internal server using Easy IP but do not configure an IP address for the interface, the internal server configuration does not take effect.

Configuring ACL-based NAT on an internal server

This feature maps the destination address of an ACL-permitted packet to the internal server address, or to the internal server IP address and port number.

To configure ACL-based NAT on an internal server:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure an internal server based on an ACL: nat server protocol pro-type global acl-number inside local-address [ local-port ] [ vpn-instance local-name ]

Configuring DNS mapping

With DNS mapping, an internal host can access an internal server on the same private network by using the domain name of the internal server when the DNS server resides on the public network.

To configure a DNS mapping:
1. Enter system view: system-view
2. Configure a DNS mapping: nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

Displaying and maintaining NAT

All of the following display commands are available in any view.
Display information about NAT address pools: display nat address-group [ group-number ] [ { begin | exclude | include } regular-expression ]
Display all NAT configuration information: display nat all [ { begin | exclude | include } regular-expression ]
Display the NAT configuration information: display nat bound [ { begin | exclude | include } regular-expression ]
Display DNS mapping configuration information: display nat dns-map [ { begin | exclude | include } regular-expression ]
Display the internal server information: display nat server [ { begin | exclude | include } regular-expression ]
Display static NAT information: display nat static [ { begin | exclude | include } regular-expression ]
Display NAT statistics: display nat statistics [ { begin | exclude | include } regular-expression ]

One-to-one static NAT configuration example

Network requirements

As shown in Figure 25, an internal host /24 uses a public address to access the Internet.

Figure 25 Network diagram (Host, SecPath with GE0/1 and GE0/2, Internet, Server)

Configuration procedure

# Configure the IP addresses for the interfaces. (Details not shown.)

# Configure a one-to-one static NAT mapping.
<SecPath> system-view
[SecPath] nat static

# Enable static NAT on interface GigabitEthernet 0/2.
[SecPath] interface gigabitethernet 0/2
[SecPath-GigabitEthernet0/2] nat outbound static
[SecPath-GigabitEthernet0/2] quit

Dynamic NAT configuration example

Network requirements

As shown in Figure 26, a company has three public IP addresses ranging from /24 to /24, and a private network segment of /16. Specifically, the company requires that the internal users in subnet /24 can access the Internet through NAT.

Figure 26 Network diagram

Configuration procedure

# As shown in Figure 26, configure the IP addresses for the interfaces. (Details not shown.)

# Configure address pool 1.
<SecPath> system-view

[SecPath] nat address-group

# Configure ACL 2001, permitting only users from network segment /24 to access the Internet.
[SecPath] acl number 2001
[SecPath-acl-basic-2001] rule permit source
[SecPath-acl-basic-2001] rule deny
[SecPath-acl-basic-2001] quit

# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 0/2, using either No-PAT or NAPT.
No-PAT:
[SecPath] interface gigabitethernet 0/2
[SecPath-GigabitEthernet0/2] nat outbound 2001 address-group 1 no-pat
[SecPath-GigabitEthernet0/2] quit
NAPT:
[SecPath] interface gigabitethernet 0/2
[SecPath-GigabitEthernet0/2] nat outbound 2001 address-group 1
[SecPath-GigabitEthernet0/2] quit

Common internal server configuration example

Network requirements

As shown in Figure 27, a company provides two Web servers, one FTP server, and one SMTP server for external users to access. The internal network address is /16. The internal address of the FTP server is /16, that of Web server 1 is /16, that of Web server 2 is /16, and that of the SMTP server is /16. The company has three public IP addresses ranging from /24 to /24. Specifically, the company has the following requirements:
External hosts can access the internal servers with public address /24.
Port 8080 is used for Web server 2.

Figure 27 Network diagram (Web server 1, Web server 2, FTP server, SMTP server, SecPath with GE0/1 and GE0/2, Internet, Host)

Configuration procedure

# As shown in Figure 27, configure the IP addresses for the interfaces. (Details not shown.)

# Enter interface GigabitEthernet 0/2 view.
<SecPath> system-view
[SecPath] interface gigabitethernet 0/2

# Configure the internal FTP server.
[SecPath-GigabitEthernet0/2] nat server protocol tcp global inside ftp

# Configure the internal Web server 1.
[SecPath-GigabitEthernet0/2] nat server protocol tcp global inside www

# Configure the internal Web server 2.
[SecPath-GigabitEthernet0/2] nat server protocol tcp global inside www

# Configure the internal SMTP server.
[SecPath-GigabitEthernet0/2] nat server protocol tcp global smtp inside smtp
[SecPath-GigabitEthernet0/2] quit

# Bind NAT service interface 5/1 to GigabitEthernet 0/2.
[SecPath] interface nat 5/1
[SecPath-NAT5/1] nat binding interface gigabitethernet 0/2
[SecPath-NAT5/1] quit

NAT DNS mapping configuration example

Network requirements

As shown in Figure 28, a company provides Web and FTP services to external users, and uses internal IP network segment /16. The IP addresses of the Web and FTP servers are /16 and /16 respectively. The company has three public addresses, /24 through /24. The DNS server is at /24. The public IP address is used to provide services to external users. External users can use the public address or the domain names of the internal servers to access them. Internal users can access the internal servers by using their domain names.

Figure 28 Network diagram (Web server, FTP server, DNS server, SecPath with GE0/1 and GE0/2, Internet, Host A, Host B)

Configuration procedure

# As shown in Figure 28, configure the IP addresses for the interfaces. (Details not shown.)

# Enter the view of interface GigabitEthernet 0/2.
<SecPath> system-view

[SecPath] interface gigabitethernet 0/2

# Configure the internal Web server.
[SecPath-GigabitEthernet0/2] nat server protocol tcp global inside www

# Configure the internal FTP server.
[SecPath-GigabitEthernet0/2] nat server protocol tcp global inside ftp
[SecPath-GigabitEthernet0/2] quit

# Configure two DNS mapping entries, one for the domain name of the Web server and one for ftp.server.com of the FTP server.
[SecPath] nat dns-map domain protocol tcp ip port www
[SecPath] nat dns-map domain ftp.server.com protocol tcp ip port ftp
[SecPath] quit

Verifying the configuration

# Display the DNS mapping configuration information.
<SecPath> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name:
Global-IP :
Global-port: 80(www)
Protocol : 6(TCP)
Domain-name: ftp.server.com
Global-IP :
Global-port: 21(ftp)
Protocol : 6(TCP)

Host A and Host B can use the domain name of the Web server to access it, and use ftp.server.com to access the FTP server.

Troubleshooting NAT

Symptom 1
IP addresses are translated abnormally.

Solution
1. Enable debugging for NAT, and try to locate the problem based on the debugging output.
2. Use other commands, if necessary, to further identify the problem.
3. Pay special attention to the source address after translation and make sure that it is the address you intended. If not, there may be an address pool problem.
4. Make sure a route is available between the destination network and the address pool segment.

5. Be aware of the possible effects that the firewall or the ACLs have on NAT, and check the route configuration.

Symptom 2
The internal server functions abnormally.

Solution
1. Verify that the internal server host is properly configured.
2. Verify that the device is correctly configured with respect to the internal server parameters, such as the internal server IP address.
3. Use the display acl command to verify that the firewall permits external access to the internal network. For more information about the firewall, see Attack Protection Configuration Guide.

Configuration guidelines

1. When you configure address pools, note the following:
An address pool cannot include addresses in other address pools or IP addresses of interfaces with Easy IP enabled.
Low-priority address pools cannot include addresses in non-low-priority address pools or IP addresses of interfaces with Easy IP enabled.
2. If 6(TCP) or 17(UDP) is not selected as the protocol type when you configure an internal server, you can only configure the mapping between Internal IP and Global IP. In this case, the Internal Port and Global Port options are not available.
3. The address pool, dynamic NAT, static NAT, and internal server configurations can be modified through Web pages. Note that a modification takes effect only after the former configuration is removed by the system.

Configuring NAT-PT

NOTE:
The NAT-PT configuration is available only at the command line interface (CLI).

Overview

Application scenario

Because IPv4 networks and IPv6 networks coexist, Network Address Translation - Protocol Translation (NAT-PT) was introduced to translate between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access an FTP server in an IPv4 network.

As shown in Figure 29, NAT-PT runs on the device between the IPv4 and IPv6 networks. The address translation is transparent to both networks: users in the IPv6 and IPv4 networks can communicate without changing their configurations.

Figure 29 Network diagram

Basic concepts

NAT-PT mechanism

There are three NAT-PT mechanisms for translation between IPv4 and IPv6 addresses:
Static mapping: Static mappings are manually configured for translation between IPv6 and IPv4 addresses.
Dynamic mapping: Dynamic mappings are generated dynamically for translation between IPv6 and IPv4 addresses. Unlike static mappings, dynamic mappings are not fixed one-to-one mappings between IPv6 and IPv4 addresses.
NAPT-PT: Network Address Port Translation - Protocol Translation (NAPT-PT) translates TCP/UDP port numbers in addition to static or dynamic address translation. With NAPT-PT, different IPv6 addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different port numbers, so that these IPv6 hosts can share one IPv4 address, which saves IPv4 addresses.

NAT-PT prefix

The 96-bit NAT-PT prefix, in IPv6 address prefix format, is used in the following cases:
Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device checks the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device translates the source and destination IPv6 addresses of the packet into IPv4 addresses.
After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the translated source IPv6 address is the configured NAT-PT prefix.

Implementing NAT-PT

Session initiated by an IPv6 host

Figure 30 NAT-PT implementation (session initiated by an IPv6 host)

NAT-PT works as follows:
1. Determines whether to perform NAT-PT. Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device checks the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device considers that the packet needs to be forwarded to the IPv4 network and that NAT-PT needs to be performed.
2. Translates the source IP address. The NAT-PT device translates the source IPv6 address of the packet into an IPv4 address according to the static or dynamic mapping on the IPv6 side.
3. Translates the destination IP address. The NAT-PT device translates the destination IPv6 address of the packet into an IPv4 address according to the static mapping, if configured, on the IPv4 network side. Without a static mapping on the IPv4 network side, if the lowest 32 bits of the destination IPv6 address can be directly translated into a valid IPv4 address, the destination IPv6 address is translated into that IPv4 address. Otherwise, the translation fails.
4. Forwards the packet and stores the mappings. After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses, the NAT-PT device forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address mappings are stored on the NAT-PT device.
5. Forwards the reply packet according to the stored mappings.

Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT device swaps the source and destination IPv4 addresses according to the stored mappings and forwards the packet to the IPv6 host.

Session initiated by an IPv4 host

The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:
1. Determines whether to perform NAT-PT. Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT device checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the device considers that the packet needs to be forwarded to the IPv6 network and that NAT-PT needs to be performed.
2. Translates the source IP address. The NAT-PT device translates the source IPv4 address of the packet into an IPv6 address according to the static or dynamic mapping on the IPv4 side. If no mapping is configured on the IPv4 side, the source IPv4 address prefixed with the first configured NAT-PT prefix is used as the translated source IPv6 address.
3. Translates the destination IP address. The NAT-PT device translates the destination IPv4 address of the packet into an IPv6 address according to the static mapping on the IPv6 side.
4. Forwards the packet and stores the mappings. After the source and destination IPv4 addresses of the packet are translated into IPv6 addresses, the NAT-PT device forwards the packet to the IPv6 host. Meanwhile, the IPv4/IPv6 address mappings are stored on the NAT-PT device.
5. Forwards the reply packet according to the stored mappings. Upon receiving a reply packet from the IPv6 host to the IPv4 host, the NAT-PT device swaps the source and destination IPv6 addresses according to the stored mappings and forwards the packet to the IPv4 host.

NAT-PT limitations

NAT-PT has the following limitations:
In NAT-PT translation, the request and response packets of a session must be processed by the same NAT-PT device.
The Options field in the IPv4 packet header cannot be translated.
NAT-PT does not provide end-to-end security. Therefore, NAT-PT is not recommended in some applications. For example, tunneling is recommended where an IPv6 host needs to communicate with another IPv6 host across an IPv4 network.
Currently, NAT-PT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File Transfer Protocol (FTP), and other protocols that run over the network layer protocol but carry no address information in their protocol messages.

Protocols and standards

RFC 2765, Stateless IP/ICMP Translation Algorithm
RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)
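The address handling of both NAT-PT session directions described under "Implementing NAT-PT", as an added Python example (illustration code, not H3C's implementation). It applies the IPv6-side and IPv4-side static mappings where they exist, falls back to the 96-bit NAT-PT prefix (low 32 bits of the destination for IPv6-to-IPv4, prefix plus IPv4 address for IPv4-to-IPv6), and stores the session mappings so replies are swapped back; dynamic pools and NAPT-PT port translation are left out, and the prefix and addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Added illustration, not H3C code. Models the address handling described
# under "Implementing NAT-PT". Static mappings exist on the IPv6 side
# (IPv6 host -> IPv4 address) and on the IPv4 side (IPv4 host -> IPv6
# address). Where no mapping applies, the 96-bit NAT-PT prefix is used: an
# IPv6 destination carrying the prefix yields its low 32 bits as the IPv4
# address, and an IPv4 source becomes prefix + IPv4 address. Dynamic pools
# and NAPT-PT port translation are omitted. Prefix and hosts are constructed.

Pair = Tuple[str, str]   # (source address, destination address)


def embed_ipv4(prefix: str, v4: str) -> str:
    """IPv4 -> IPv6: place the 32-bit IPv4 address behind the 96-bit NAT-PT prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("the NAT-PT prefix must be 96 bits long")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4))))


def extract_ipv4(prefix: str, v6: str) -> Optional[str]:
    """IPv6 -> IPv4: the low 32 bits, but only if the address carries the NAT-PT prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in ipaddress.IPv6Network(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


class NatPt:
    def __init__(self, prefix: str, v6bound: Dict[str, str],
                 v4bound: Dict[str, str]) -> None:
        self.prefix = prefix
        self.v6bound = v6bound                                   # IPv6 host -> IPv4 address
        self.v6bound_rev = {v4: v6 for v6, v4 in v6bound.items()}
        self.v4bound = v4bound                                   # IPv4 host -> IPv6 address
        self.v4bound_rev = {v6: v4 for v4, v6 in v4bound.items()}
        self.v4_sessions: Dict[Pair, Pair] = {}   # reply (src4, dst4) -> (src6, dst6)
        self.v6_sessions: Dict[Pair, Pair] = {}   # reply (src6, dst6) -> (src4, dst4)

    def from_ipv6(self, src6: str, dst6: str) -> Optional[Pair]:
        """Packet from an IPv6 host: the (src4, dst4) to forward, or None (not translated)."""
        reply = self.v6_sessions.get((src6, dst6))
        if reply is not None:                      # step 5 of an IPv4-initiated session
            return reply
        # Step 1: only a destination carrying the NAT-PT prefix is translated.
        if ipaddress.IPv6Address(dst6) not in ipaddress.IPv6Network(self.prefix):
            return None
        # Step 2: source according to the static mapping on the IPv6 side.
        src4 = self.v6bound.get(src6)
        if src4 is None:
            return None
        # Step 3: destination by the IPv4-side static mapping, else the low 32 bits.
        dst4 = self.v4bound_rev.get(dst6) or extract_ipv4(self.prefix, dst6)
        # Step 4: store the mapping so the reply can be swapped back.
        self.v4_sessions[(dst4, src4)] = (dst6, src6)
        return (src4, dst4)

    def from_ipv4(self, src4: str, dst4: str) -> Optional[Pair]:
        """Packet from an IPv4 host: the (src6, dst6) to forward, or None (not translated)."""
        reply = self.v4_sessions.get((src4, dst4))
        if reply is not None:                      # step 5 of an IPv6-initiated session
            return reply
        # Step 1: the destination must match a static mapping on the IPv6 side.
        dst6 = self.v6bound_rev.get(dst4)
        if dst6 is None:
            return None
        # Step 2: source by the IPv4-side mapping, else prefix + IPv4 address.
        src6 = self.v4bound.get(src4) or embed_ipv4(self.prefix, src4)
        # Step 4: store the mapping for the reply.
        self.v6_sessions[(dst6, src6)] = (dst4, src4)
        return (src6, dst6)
```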

NAT-PT configuration task list

NAT-PT configuration task list on the IPv6 side

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Enabling NAT-PT: Required.
Configuring a NAT-PT prefix: Required.
Configuring IPv4/IPv6 address mappings on the IPv6 side: Required.
Configuring a static mapping on the IPv4 side: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address.
Setting the ToS field after NAT-PT translation: Optional.

NAT-PT configuration task list on the IPv4 side

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Enabling NAT-PT: Required.
Configuring a NAT-PT prefix: Required.
Configuring IPv4/IPv6 address mappings on the IPv4 side: Optional. If no IPv4/IPv6 address mapping is configured, the source IPv4 address prefixed with the first configured NAT-PT prefix is used as the translated source IPv6 address.
Configuring IPv4/IPv6 address mappings on the IPv4 side, or Configuring static NAPT-PT mappings of IPv6 servers: Required. Complete either task.
Setting the Traffic Class field after NAT-PT translation: Optional.

Configuring NAT-PT

Configuration prerequisites

Before implementing NAT-PT, you need to:
Enable IPv6 on the firewall. For more information, see Network Management Configuration Guide.
Configure an IPv4 or IPv6 address, as required, on the interface to be enabled with NAT-PT.

Enabling NAT-PT

After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the firewall can translate between IPv4 and IPv6 addresses.

To enable NAT-PT:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable NAT-PT on the interface: natpt enable (Disabled by default.)

NOTE:
The natpt enable command enables both NAT-PT and Address Family Translation (AFT). For information about AFT, see VPN Configuration Guide. Do not configure NAT-PT and AFT on the same device.

Configuring a NAT-PT prefix

1. Enter system view: system-view
2. Configure a NAT-PT prefix: natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]

CAUTION:
The NAT-PT prefix must not be the same as the IPv6 address prefix of the NAT-PT enabled interface on the IPv6 network.
To delete a NAT-PT prefix that is referenced by the natpt v4bound dynamic or natpt v6bound dynamic command, you must remove the referencing configuration first.

Configuring IPv4/IPv6 address mappings on the IPv6 side

IPv4/IPv6 address mappings on the IPv6 side can be static or dynamic.

Configuring a static mapping on the IPv6 side

A static mapping on the IPv6 side defines a one-to-one correspondence between an IPv4 address and an IPv6 address. If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static mapping, the source IPv6 address is translated into the corresponding IPv4 address. If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static mapping, the destination IPv4 address is translated into the corresponding IPv6 address.

To configure a static IPv4/IPv6 address mapping on the IPv6 side:

1. Enter system view.
   Command: system-view
2. Configure a static IPv4/IPv6 address mapping on the IPv6 side.
   Command: natpt v6bound static ipv6-address ipv4-address

Configuring a dynamic mapping policy on the IPv6 side

With a dynamic IPv4/IPv6 mapping policy on the IPv6 side, if the source IPv6 address of a packet matches a specified IPv6 ACL, or the destination IPv6 address matches the specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address in a specified NAT-PT address pool or into the IPv4 address of a specified interface. The firewall provides the following dynamic mapping policies:
- Policy 1: Associate an IPv6 ACL with an address pool. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into an IPv4 address in the specified address pool.
- Policy 2: Associate an IPv6 ACL with an interface address. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into the IPv4 address of the specified interface.
- Policy 3: Associate a NAT-PT prefix with an address pool. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address is translated into an IPv4 address in the specified address pool.
- Policy 4: Associate a NAT-PT prefix with an interface address. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address is translated into the IPv4 address of the specified interface.

To use policy 1 or 3, you must configure a NAT-PT address pool first. A NAT-PT address pool is a group of contiguous IPv4 addresses used to translate IPv6 addresses into IPv4 addresses dynamically. When an IPv6 packet is sent from the IPv6 network to the IPv4 network and policy 1 or 3 applies, the NAT-PT device selects an IPv4 address from the NAT-PT address pool as the translated source IPv4 address of the packet.
To configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side:
1. Enter system view.
   Command: system-view
2. Configure a NAT-PT address pool.
   Command: natpt address-group group-number start-ipv4-address end-ipv4-address
   Remarks: Required for policy 1 and policy 3, in which the source IPv6 address is translated into an IPv4 address in the specified address pool. Not needed for policy 2 and policy 4.

3. Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side. Use one of the following commands:
   - Associate an IPv6 ACL with an address pool:
     natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ]
   - Associate an IPv6 ACL with an interface address:
     natpt v6bound dynamic acl6 number acl-number interface interface-type interface-number
   - Associate a NAT-PT prefix with an address pool:
     natpt v6bound dynamic prefix natpt-prefix address-group address-group [ no-pat ]
   - Associate a NAT-PT prefix with an interface address:
     natpt v6bound dynamic prefix natpt-prefix interface interface-type interface-number

NOTE:
- The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with the natpt prefix command.
- If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses, and the end IPv4 address in the address pool is used for NAPT-PT.
- For ACL configuration, see Access Control Configuration Guide.

Configuring IPv4/IPv6 address mappings on the IPv4 side

IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic.

Configuring a static mapping on the IPv4 side

A static IPv4/IPv6 address mapping on the IPv4 side defines a one-to-one correspondence between an IPv4 address and an IPv6 address.
- If the source IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches a static IPv4/IPv6 address mapping, the source IPv4 address is translated into the corresponding IPv6 address.
- If the destination IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches a static IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4 address.

To configure a static IPv4/IPv6 address mapping on the IPv4 side:
1. Enter system view.
   Command: system-view
2. Configure a static IPv4/IPv6 address mapping on the IPv4 side.
   Command: natpt v4bound static ipv4-address ipv6-address

Configuring a dynamic mapping policy on the IPv4 side

With a dynamic IPv4/IPv6 address mapping policy on the IPv4 side, if the source IPv4 address of a packet matches a specified ACL, the source IPv4 address is added with a NAT-PT prefix to form the translated IPv6 address.

To configure a dynamic IPv4/IPv6 mapping policy on the IPv4 side:
1. Enter system view.
   Command: system-view
2. Configure a dynamic IPv4/IPv6 source address mapping policy on the IPv4 side.
   Command: natpt v4bound dynamic acl number acl-number prefix natpt-prefix

NOTE:
- The natpt-prefix argument specified in the natpt v4bound dynamic acl number acl-number prefix natpt-prefix command must have been configured with the natpt prefix command.
- For more information about ACLs, see Access Control Configuration Guide.

Setting the ToS field after NAT-PT translation

You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0 means that the service priority of the translated packet is set to the lowest; unchanged means that the existing service priority is kept.

To set the ToS field in packets after NAT-PT translation:
1. Enter system view.
   Command: system-view
2. Set the ToS field in IPv4 packets translated from IPv6 packets to 0.
   Command: natpt turn-off tos
   Remarks: By default, the value of the ToS field of IPv4 packets is the same as that of the Traffic Class field in the corresponding IPv6 packets.

Setting the Traffic Class field after NAT-PT translation

You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged. 0 means that the service priority of the translated packet is set to the lowest; unchanged means that the existing service priority is kept.

To set the Traffic Class field in packets after NAT-PT translation:
1. Enter system view.
   Command: system-view
2. Set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0.
   Command: natpt turn-off traffic-class
   Remarks: By default, the value of the Traffic Class field of IPv6 packets is the same as that of the ToS field in the corresponding IPv4 packets.

Configuring static NAPT-PT mappings of IPv6 servers

Generally, a server such as an FTP server, Web server, or Telnet server on an IPv6 network provides services for IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can specify a static NAPT-PT mapping between the IPv6 address plus port number and the IPv4 address plus port number of the IPv6 server.

Upon receiving an access request to an IPv6 server from an IPv4 host, the NAT-PT device checks the destination address and port number of the packet against the static address/port mapping of the IPv6 server. If they match, the firewall translates the source IPv4 address of the packet into the corresponding IPv6 address according to the IPv4/IPv6 address mapping on the IPv4 side, and translates the destination IPv4 address and port number in the request into the corresponding IPv6 address and port number according to the static address/port mapping of the IPv6 server.

When you configure a static address/port mapping of an IPv6 server, you need to specify the following:
- Protocol type, that is, the transport layer protocol used by the server. It can be TCP or UDP.
- IPv4 address and port number of the server. They are used by IPv4 hosts to access the server.
- IPv6 address and port number of the server.

To configure a static NAPT-PT mapping for an IPv6 server:
1. Enter system view.
   Command: system-view
2. Configure a static address and port number mapping for an IPv6 server.
   Command: natpt v4bound static v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number

Displaying and maintaining NAT-PT

- Display all NAT-PT configuration information: display natpt all [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display NAT-PT address pool configuration information: display natpt address-group [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display the static and dynamic NAT-PT address mappings: display natpt address-mapping [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display NAT-PT statistics information: display natpt statistics [ | { begin | exclude | include } regular-expression ] (available in any view)
- Clear all NAT-PT statistics information: reset natpt statistics (available in user view)
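The mapping rules of the preceding sections (static mappings on the IPv6 and IPv4 sides, the dynamic IPv6-side policies backed by an address pool with or without NAPT-PT, the embedded-IPv4 fallbacks, and static NAPT-PT server mappings) are modelled below in Python as an added example. It is not H3C code and does not run on the firewall; it exists so the translation outcome for a given configuration can be checked offline. All addresses are constructed, the NAT-PT prefix is assumed to be a /96, and NAPT-PT ports are assumed to be assigned from 1024 upward.

```python
"""NAT-PT address-mapping model.

Added example, not H3C device code. It models the translation rules of this
chapter (static mappings on both sides, dynamic IPv6-side policies backed by
an address pool with or without NAPT-PT, the embedded-IPv4 fallbacks, and
static NAPT-PT server mappings) with constructed addresses. A single /96
NAT-PT prefix is assumed, and NAPT-PT ports are handed out from 1024 upward.
"""
import ipaddress
from itertools import count

IPv4, IPv6 = ipaddress.IPv4Address, ipaddress.IPv6Address


def embed_ipv4(prefix, v4):
    """IPv4-side rule: the IPv4 address is appended to the /96 NAT-PT prefix."""
    net = ipaddress.IPv6Network(prefix)
    return IPv6(int(net.network_address) | int(IPv4(v4)))


def extract_ipv4(v6):
    """IPv6-side fallback: the lowest 32 bits of the IPv6 address form the IPv4 address."""
    return IPv4(int(IPv6(v6)) & 0xFFFF_FFFF)


class NatPt:
    """One NAT-PT device. Method names follow the CLI commands they model."""

    def __init__(self, prefix):
        self.prefix = ipaddress.IPv6Network(prefix)   # natpt prefix
        self.v6bound_static = {}    # natpt v6bound static: IPv6 -> IPv4
        self.v4bound_static = {}    # natpt v4bound static: IPv4 -> IPv6
        self.v6server = {}          # natpt v4bound static v6server: (proto, v4, port) -> (v6, port)
        self.pool = []              # natpt address-group
        self.v6bound_policies = []  # natpt v6bound dynamic: (acl6, or None for the prefix form; no_pat)
        self.v4bound_acl = None     # natpt v4bound dynamic acl
        self._bindings = {}         # live no-pat bindings: IPv6 host -> pool address
        self._ports = count(1024)   # NAPT-PT port allocator (assumed start value)

    def add_v6bound_static(self, v6, v4):
        self.v6bound_static[IPv6(v6)] = IPv4(v4)

    def add_v4bound_static(self, v4, v6):
        self.v4bound_static[IPv4(v4)] = IPv6(v6)

    def add_v6server(self, proto, v4, v4port, v6, v6port):
        self.v6server[(proto, IPv4(v4), v4port)] = (IPv6(v6), v6port)

    def set_pool(self, start, end):
        self.pool = [IPv4(n) for n in range(int(IPv4(start)), int(IPv4(end)) + 1)]

    def add_v6bound_dynamic(self, acl6=None, no_pat=False):
        """acl6=None models the 'prefix' form: match on the destination carrying the prefix."""
        self.v6bound_policies.append((ipaddress.IPv6Network(acl6) if acl6 else None, no_pat))

    def set_v4bound_dynamic(self, acl):
        self.v4bound_acl = ipaddress.IPv4Network(acl)

    def _pool_address(self, src6):
        """no-pat: one pool address per IPv6 host, until the pool runs out."""
        if src6 not in self._bindings:
            free = [a for a in self.pool if a not in self._bindings.values()]
            if not free:
                raise RuntimeError("NAT-PT address pool exhausted")  # see Troubleshooting NAT-PT
            self._bindings[src6] = free[0]
        return self._bindings[src6]

    def v6_to_v4(self, src6, dst6, sport):
        """Packet from an IPv6 host to an IPv4 host. Returns (src4, dst4, sport)."""
        src6, dst6 = IPv6(src6), IPv6(dst6)
        by_v6 = {v: k for k, v in self.v4bound_static.items()}
        dst4 = by_v6[dst6] if dst6 in by_v6 else extract_ipv4(dst6)  # static, else low 32 bits
        if src6 in self.v6bound_static:                # static IPv6-side mapping wins
            return str(self.v6bound_static[src6]), str(dst4), sport
        for acl6, no_pat in self.v6bound_policies:
            if not (dst6 in self.prefix if acl6 is None else src6 in acl6):
                continue
            if no_pat:
                return str(self._pool_address(src6)), str(dst4), sport
            # NAPT-PT: the end address of the pool is shared; sessions differ by port.
            return str(self.pool[-1]), str(dst4), next(self._ports)
        raise LookupError("no IPv6-side mapping for %s" % src6)

    def v4_to_v6(self, proto, src4, dst4, dport):
        """Packet from an IPv4 host to an IPv6 host. Returns (src6, dst6, dport)."""
        src4, dst4 = IPv4(src4), IPv4(dst4)
        if (proto, dst4, dport) in self.v6server:      # static NAPT-PT server mapping
            dst6, dport = self.v6server[(proto, dst4, dport)]
        else:
            by_v4 = {v: k for k, v in self.v6bound_static.items()}
            if dst4 not in by_v4:
                raise LookupError("no IPv6 destination for %s" % dst4)
            dst6 = by_v4[dst4]
        if src4 in self.v4bound_static:                # static IPv4-side mapping wins
            src6 = self.v4bound_static[src4]
        elif self.v4bound_acl is None or src4 in self.v4bound_acl:
            src6 = embed_ipv4(self.prefix, src4)       # prefix + IPv4 address
        else:
            raise LookupError("%s is not permitted by the IPv4-side ACL" % src4)
        return str(src6), str(dst6), dport
```

With the prefix 3001::/96 from the configuration examples that follow, an IPv6 host pinging 3001::0800:0002 reaches IPv4 host 8.0.0.2, and an IPv4 host whose address is not statically mapped appears on the IPv6 side as 3001:: followed by its own 32-bit address. Pool exhaustion under a no-pat policy surfaces as a RuntimeError, which is the failure the Troubleshooting section describes.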

NAT-PT configuration examples

Configuring dynamic mapping on the IPv6 side

Network requirements

As shown in Figure 31, SecPath C with IPv6 address 2001::2/64 on an IPv6 network wants to access SecPath A with IPv4 address /24 on an IPv4 network, whereas SecPath A cannot actively access SecPath C. To meet the preceding requirements, configure SecPath B, which is deployed between the IPv4 network and the IPv6 network, as a NAT-PT device, and configure dynamic mapping policies on the IPv6 side on SecPath B so that IPv6 hosts can access IPv4 hosts but IPv4 hosts cannot access IPv6 hosts.

Figure 31 Network diagram

Configuring SecPath B (NAT-PT device)

# Configure interface addresses and enable NAT-PT on the interfaces.
<SecPathB> system-view
[SecPathB] ipv6
[SecPathB] interface GigabitEthernet 0/1
[SecPathB-GigabitEthernet0/1] ip address
[SecPathB-GigabitEthernet0/1] natpt enable
[SecPathB-GigabitEthernet0/1] quit
[SecPathB] interface GigabitEthernet 0/2
[SecPathB-GigabitEthernet0/2] ipv6 address 2001::1/64
[SecPathB-GigabitEthernet0/2] natpt enable
[SecPathB-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[SecPathB] natpt prefix 3001::
# Configure a NAT-PT address pool.
[SecPathB] natpt address-group
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[SecPathB] natpt v6bound dynamic prefix 3001:: address-group 1

Configuring SecPath A on the IPv4 side

# Configure a static route to subnet /24.
<SecPathA> system-view
[SecPathA] ip route-static

Configuring SecPath C on the IPv6 side

# Enable IPv6.

<SecPathC> system-view
[SecPathC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[SecPathC] ipv6 route-static 3001:: ::1

Verifying the configuration

If you carry out the ping ipv6 3001::0800:0002 command on SecPath C after completing the configurations, response packets are received. You can see the established NAT-PT session on SecPath B.
<SecPathB>display session table verbose
 Initiator:
   Source IP/Port : 2001::0002/32768
   Dest IP/Port : 3001::0800:0002/43984
   VPN-Instance/VLAN ID/VLL ID:
 Responder:
   Source IP/Port : /0
   Dest IP/Port : /12289
   VPN-Instance/VLAN ID/VLL ID:
 Pro: ICMPv6(58) App: unknown State: ICMP-CLOSED
 Start time: :41:29 TTL: 26s
 Root Zone(in): Zone(out):
 Received packet(s)(init): 5 packet(s) 520 byte(s)
 Received packet(s)(reply): 5 packet(s) 420 byte(s)

Configuring static mappings on the IPv4 side and the IPv6 side

Network requirements

As shown in Figure 32, SecPath C with IPv6 address 2001::2/64 on an IPv6 network can communicate with SecPath A with IPv4 address /24 on an IPv4 network. To meet the preceding requirement, configure SecPath B, which is deployed between the IPv4 network and the IPv6 network, as a NAT-PT device, and configure static mappings on the IPv4 side and the IPv6 side on SecPath B, so that SecPath A and SecPath C can communicate with each other.

Figure 32 Network diagram

Configuring SecPath B

# Configure interface addresses and enable NAT-PT on the interfaces.
<SecPathB> system-view
[SecPathB] ipv6
[SecPathB] interface GigabitEthernet 0/1

[SecPathB-GigabitEthernet0/1] ip address
[SecPathB-GigabitEthernet0/1] natpt enable
[SecPathB-GigabitEthernet0/1] quit
[SecPathB] interface GigabitEthernet 0/2
[SecPathB-GigabitEthernet0/2] ipv6 address 2001::1/64
[SecPathB-GigabitEthernet0/2] natpt enable
[SecPathB-GigabitEthernet0/2] quit
# Configure a NAT-PT prefix.
[SecPathB] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[SecPathB] natpt v4bound static ::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[SecPathB] natpt v6bound static 2001::

Configuring SecPath A

# Configure a static route to subnet /24.
<SecPathA> system-view
[SecPathA] ip route-static

Configuring SecPath C on the IPv6 side

# Enable IPv6.
<SecPathC> system-view
[SecPathC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[SecPathC] ipv6 route-static 3001:: ::1

Verifying the configuration

After the above configurations, the ping command on SecPath A receives responses, and you can view the following NAT-PT session information on SecPath B using the display command.
[SecPathB]display session table verbose
 Initiator:
   Source IP/Port : /2048
   Dest IP/Port : /1
   VPN-Instance/VLAN ID/VLL ID:
 Responder:
   Source IP/Port : 2001::0002/33024
   Dest IP/Port : 3001::0005/1
   VPN-Instance/VLAN ID/VLL ID:
 Pro: ICMP(1) App: unknown State: ICMP-CLOSED
 Start time: :08:44 TTL: 10s
 Root Zone(in): Zone(out):
 Received packet(s)(init): 5 packet(s) 420 byte(s)
 Received packet(s)(reply): 5 packet(s) 520 byte(s)
The ping ipv6 3001::5 command on SecPath C receives response packets, and you can view the following NAT-PT session information on SecPath B by using the display command.
[SecPathB]display session table verbose

 Initiator:
   Source IP/Port : 2001::0002/32768
   Dest IP/Port : 3001::0005/43986
   VPN-Instance/VLAN ID/VLL ID:
 Responder:
   Source IP/Port : /0
   Dest IP/Port : /43986
   VPN-Instance/VLAN ID/VLL ID:
 Pro: ICMPv6(58) App: unknown State: ICMP-CLOSED
 Start time: :09:48 TTL: 25s
 Root Zone(in): Zone(out):
 Received packet(s)(init): 5 packet(s) 520 byte(s)
 Received packet(s)(reply): 5 packet(s) 420 byte(s)

Troubleshooting NAT-PT

Symptom: NAT-PT fails when a session is initiated on the IPv6 side.

Solution: Enable debugging for NAT-PT and locate the fault according to the debugging information of the firewall. During debugging, check whether the source address of a packet is translated successfully. If not, the address pool may not have enough IP addresses. You can configure a larger address pool, or use NAPT-PT to perform NAT-PT.

Configuring ALG

ALG overview

The application level gateway (ALG) feature is used to process application layer packets. Usually, Network Address Translation (NAT) translates only the IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which, if not translated, may cause problems. For example, a File Transfer Protocol (FTP) application involves both a data connection and a control connection, and data connection establishment dynamically depends on the payload information of the control connection. ALG can process the payload information to make sure that the corresponding data connections can be established.

ALG can work with NAT and Application Specific Packet Filter (ASPF) to implement the following functions:
- Address translation: Resolving the source IP address, port, protocol type (TCP or UDP), and remote IP address information in packet payloads.
- Data connection detection: Extracting the information required for data connection establishment and establishing data connections for data exchange.
- Application layer status checking: Inspecting the status of the application layer protocol in packets. If the status is right, updating the packet state machine and performing further processing; otherwise, dropping packets with incorrect states.

Support for these functions depends on the application layer protocol. ALG can be used to process packets of the following protocols:
- Internet Control Message Protocol (ICMP)
- File Transfer Protocol (FTP)
- Domain Name System (DNS)
- Real Time Streaming Protocol (RTSP)
- H.323, including Registration, Admission, Status (RAS), H.225, and H.245
- Session Initiation Protocol (SIP)
- SQLNET (a language in Oracle)
- Point-to-Point Tunneling Protocol (PPTP)
- Internet Locator Service (ILS)
- Network Basic Input/Output System (NBT)
- MSN/QQ
- Trivial File Transfer Protocol (TFTP)
- Skinny Client Control Protocol (SCCP)

- GPRS Tunneling Protocol (GTP)

The following describes the FTP operation on an ALG-enabled device. As shown in Figure 33, the host in the outside network accesses the FTP server in the inside network in passive mode through the ALG-enabled device.

Figure 33 Network diagram for ALG-enabled FTP application in PASV mode
(The figure shows the FTP server on the inside network, the FTP-ALG-enabled device performing NAT, and the host on the outside network, with this message sequence: the host sends FTP_CMD(PASV), which the device forwards to the server; the server replies with FTP_EnterPassive(IP1, Port1), which the ALG translates to FTP_EnterPassive(IP2, Port2) before forwarding; the host then sends FTP_Connect(IP2, Port2), which the device translates to FTP_Connect(IP1, Port1).)

The communication process includes the following stages:
1. Establishing a control connection
   The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage.
2. Authenticating the user
   The host sends the server an authentication request, which contains the FTP commands (user and password) and their contents. When the request passes through the ALG-enabled device, the commands in the payload of the packet are resolved and used to check whether the state machine transition is correct. If not, the request is dropped. In this way, ALG protects the server against clients that send packets with state machine errors or log in to the server with illegal user accounts. An authentication request with a correct state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.
3. Establishing a data connection
   If the host passes the authentication, a data connection is established between it and the server. If the host is accessing the server in passive mode, the data connection process is different. In passive mode, the server sends the host a PASV response using its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled device, the device resolves the packet and translates the server's private network address and port number into the server's public network address and port number (IP2, Port2). Then, the device uses the public network address and port number to establish a data connection with the host.
4. Exchanging data

   The host and the FTP server exchange data through the established data connection.

Configuring ALG in the Web interface

By default, the ALG function is enabled for all protocols.

From the navigation tree, select Firewall > ALG to enter the page shown in Figure 34.

Figure 34 ALG configuration page

To add application protocols, select them in the Optional Application Protocols list and click the << button. The protocols are added to the Selected Application Protocols list. To remove application protocols, select them in the Selected Application Protocols list and click the >> button. The protocols are moved back to the Optional Application Protocols list.

ALG configuration examples in the Web interface

The following examples describe only ALG-related configurations, assuming that the other required configurations on the server and client have been done.

FTP ALG configuration example

Network requirements

As shown in Figure 35, a company uses the private network segment /24 and has four public network addresses: , , , and . The company wants to provide FTP services to the outside. Configure NAT and ALG on the SecPath so that hosts on the external network can access the FTP server on the internal network.
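The passive-mode FTP exchange described in the ALG overview, which the FTP ALG configuration above relies on (an internal FTP server reached through a global address), is modelled below in Python as an added example. It is not H3C code: it shows the two jobs the FTP ALG does on the control connection, checking the command state machine before forwarding and rewriting the PASV reply so that only the advertised data port is opened on the public side. The private server address 192.168.1.10, the public address 203.0.113.5, the USER/PASS/PASV state machine, and the public data ports starting at 50000 are all constructed assumptions.

```python
"""FTP ALG behaviour on a NAT device: command state checking and PASV rewriting.

Added example, not H3C device code. It models the passive-mode exchange
described in the ALG overview with constructed addresses: the FTP server's
private address is 192.168.1.10 (IP1), its public address is 203.0.113.5
(IP2), and public data ports are handed out from 50000 upward (assumed).
"""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address and port live in the payload.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if it is not a well-formed PASV reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # octets and port bytes must each fit in a byte
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_pasv(ip, port):
    """Build the rewritten 227 reply carrying the public address and port."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Tracks one FTP control connection through the ALG-enabled device."""

    # Assumed minimal command state machine: USER, then PASS, then a logged-in session.
    TRANSITIONS = {("NEW", "USER"): "USER_SENT", ("USER_SENT", "PASS"): "LOGGED_IN"}

    def __init__(self, server_private_ip, server_public_ip, first_public_port=50000):
        self.private_ip = server_private_ip      # IP1 in Figure 33
        self.public_ip = server_public_ip        # IP2 in Figure 33
        self.next_port = first_public_port
        self.state = "NEW"
        self.pinholes = {}   # (public ip, public port) -> (private ip, private port)

    def check_command(self, line):
        """Host -> server control packet. True means forward, False means drop."""
        cmd = line.strip().split(" ", 1)[0].upper()
        nxt = self.TRANSITIONS.get((self.state, cmd))
        if nxt is not None:
            self.state = nxt
            return True
        if cmd == "QUIT":
            return True                          # ending the session is always allowed
        # PASV and other session commands are valid only once authentication is complete.
        return self.state == "LOGGED_IN" and cmd not in ("USER", "PASS")

    def translate_reply(self, line):
        """Server -> host control packet. Returns (line to forward, pinhole opened or None)."""
        parsed = parse_pasv(line)
        if parsed is None:
            return line, None                    # not a PASV reply: forwarded untouched
        ip1, port1 = parsed
        if ip1 != self.private_ip:
            # The payload names an address other than the server's own, so the device
            # has no mapping to apply and must not open a pinhole for it.
            raise ValueError("PASV address %s is not the server's private address" % ip1)
        port2 = self.next_port
        self.next_port += 1
        self.pinholes[(self.public_ip, port2)] = (ip1, port1)
        return format_pasv(self.public_ip, port2), (self.public_ip, port2)

    def translate_data_connect(self, dst_ip, dst_port):
        """Host -> server data connection: mapped only if a PASV reply opened this pinhole."""
        return self.pinholes.get((dst_ip, dst_port))
```

The pinhole table is the reason NAT alone is not enough for passive FTP: without the rewrite the host would try to connect to the private address in the payload, and without the pinhole the device would have no reason to admit the inbound data connection on the chosen port.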

Figure 35 Network diagram
(The figure shows the FTP server with its local and global addresses on the internal /24 segment, the SecPath with GE0/1 facing the Internet, and the external host.)

Configuration procedure

1. Enable FTP ALG:
   By default, the FTP ALG function is enabled, and this step is optional.
   a. Select Firewall > ALG from the navigation tree. The Application Layer Inspection tab appears, as shown in Figure 36.
   b. Select ftp in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list.
   c. Click OK.
   Figure 36 Configuring FTP ALG
2. Configure an ACL:
   # Create a basic ACL:
   a. Select Firewall > ACL from the navigation tree and then click Add.
   b. Create ACL 2001 as shown in Figure 37:
      - Enter 2001 in the ACL Number field.
      - Select Config as the match order.
   c. Click Apply.

   Figure 37 Adding ACL 2001
   # Configure an ACL rule:
   a. Click the icon for ACL 2001 and then click Add.
   b. Select Permit as the operation, as shown in Figure 38.
   c. Click Apply.
   Figure 38 Adding an ACL rule
3. Configure dynamic NAT and the internal server:
   # Configure the address pool:
   a. Select Firewall > NAT Policy > Dynamic NAT from the navigation tree and then click Add in the Address Pool area.
   b. Add a NAT address pool as shown in Figure 39:
      - Enter 1 in the Index field.
      - Enter as the start IP address.
      - Enter as the end IP address.
   c. Click Apply.

   Figure 39 Adding a NAT address pool
   # Configure dynamic NAT:
   a. In the Dynamic NAT area, click Add.
   b. Configure dynamic NAT as shown in Figure 40:
      - Select GigabitEthernet0/1.
      - Enter 2001 for the ACL field.
      - Select PAT as the address translation.
      - Enter 1 as the address pool index.
   c. Click Apply.
   Figure 40 Configuring dynamic NAT
   # Configure the internal FTP server:
   a. Select Firewall > NAT > Internal Server from the navigation tree and then click Add in the Internal Server area.
   b. Configure an internal FTP server as shown in Figure 41:
      - Select GigabitEthernet0/1.
      - Select 6(TCP) as the protocol type.
      - Enter as the external IP address.
      - Enter 21 as the global port.
      - Enter as the internal IP address.
      - Enter 21 as the internal port.
   c. Click Apply.

   Figure 41 Configuring an internal FTP server

SIP/H.323 ALG configuration example

The H.323 ALG configuration is similar to the SIP ALG configuration. This example describes the SIP ALG configuration.

Network requirements

As shown in Figure 42, a company uses the private network segment /24 and has four public network addresses: , , , and . SIP UA 1 is on the internal network and SIP UA 2 is on the external network. Configure NAT and ALG on the SecPath so that SIP UA 1 and SIP UA 2 can communicate by using their aliases, and SIP UA 1 selects an IP address from the range to when registering with the SIP server on the external network.

Figure 42 Network diagram

Configuration procedure

1. Enable SIP ALG:

   By default, the SIP ALG function is enabled, and this step is optional.
   a. Select Firewall > ALG from the navigation tree. The Application Layer Inspection tab appears, as shown in Figure 43.
   b. Select sip in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list.
   c. Click OK.
   Figure 43 Configuring SIP ALG
2. Configure an ACL:
   # Create a basic ACL:
   a. Select Firewall > ACL from the navigation tree and then click Add.
   b. Create ACL 2001 as shown in Figure 44:
      - Enter 2001 in the ACL Number field.
      - Select Config as the match order.
   c. Click Apply.
   Figure 44 Adding ACL

   # Create ACL rules:
   a. Click the icon for ACL 2001 and then click Add.
   b. Create an ACL rule as shown in Figure 45:
      - Select Permit as the operation.
      - Select Source IP Address, and enter as the source IP address and as the source wildcard.
   c. Click Apply.
   Figure 45 Configuring an ACL rule to permit packets sourced from /24
   d. Click Add.
   e. Select Deny as the operation, as shown in Figure 46.
   f. Click Apply.
   Figure 46 Configuring an ACL rule to deny packets
3. Configure dynamic NAT:
   # Configure the address pool:
   a. Select Firewall > NAT Policy > Dynamic NAT from the navigation tree, and then click Add in the Address Pool area.
   b. Add a NAT address pool as shown in Figure 47:
      - Enter 1 in the Index field.
      - Enter as the start IP address.
      - Enter as the end IP address.
   c. Click Apply.

   Figure 47 Configuring a NAT address pool
   # Configure dynamic NAT:
   a. In the Dynamic NAT area, click Add.
   b. Configure dynamic NAT as shown in Figure 48:
      - Select GigabitEthernet0/1.
      - Enter 2001 for the ACL field.
      - Select PAT as the address translation.
      - Enter 1 as the address pool index.
   c. Click Apply.
   Figure 48 Configuring dynamic NAT

NBT ALG configuration example

Network requirements

As shown in Figure 49, a company using the private network segment /24 wants to provide NBT services to the outside. Configure NAT and ALG on the SecPath so that Host A uses as its external IP address, the WINS server uses as its external IP address, and Host B can access the WINS server and Host A by using host names.

Figure 49 Network diagram

Configuration procedure

1. Enable NBT ALG:
   By default, the NBT ALG function is enabled, and this step is optional.
   a. Select Firewall > ALG from the navigation tree. The Application Layer Inspection tab appears, as shown in Figure 50.
   b. Select nbt in the Optional Application Protocols list and click the << button to add it to the Selected Application Protocols list.
   c. Click OK.
   Figure 50 Configuring NBT ALG
2. Configure static NAT and the internal server:
   # Configure a static address mapping:
   a. Select Firewall > NAT > Static NAT from the navigation tree, and then click Add in the Static Address Mapping area.
   b. Configure a static address mapping as shown in Figure 51:
      - Enter as the internal IP address.
      - Enter as the global IP address.
   c. Click Apply.

   Figure 51 Configuring a static address mapping
   # Configure static NAT for interface GigabitEthernet 0/1:
   a. In the Interface Static Translation area, click Add.
   b. Select GigabitEthernet0/1, as shown in Figure 52.
   c. Click Apply.
   Figure 52 Configuring interface static translation
   # Configure the internal WINS server:
   a. Select Firewall > NAT > Internal Server from the navigation tree and then click Add in the Internal Server area.
   b. Configure an internal WINS server as shown in Figure 53:
      - Select GigabitEthernet0/1.
      - Select 17(UDP) as the protocol type.
      - Enter as the external IP address.
      - Enter 137 as the global port.
      - Enter as the internal IP address.
      - Enter 137 as the internal port.
   c. Click Apply.

   Figure 53 Configuring an internal WINS server
   d. In the Internal Server area, click Add.
   e. Configure an internal WINS server, similar to the configuration shown in Figure 53:
      - Select GigabitEthernet0/1.
      - Select 17(UDP) as the protocol type.
      - Enter as the external IP address.
      - Enter 138 as the global port.
      - Enter as the internal IP address.
      - Enter 138 as the internal port.
   f. Click Apply.
   g. In the Internal Server area, click Add.
   h. Configure an internal WINS server, similar to the configuration shown in Figure 53:
      - Select GigabitEthernet0/1.
      - Select 6(TCP) as the protocol type.
      - Enter as the external IP address.
      - Enter 139 as the global port.
      - Enter as the internal IP address.
      - Enter 139 as the internal port.
   i. Click Apply.


More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series IP Multicast Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2210 Document version: 6W100-20110915 Copyright 2011, Hangzhou

More information

H3C License Server. Installation Guide. Hangzhou H3C Technologies Co., Ltd. Document version: 5W

H3C License Server. Installation Guide. Hangzhou H3C Technologies Co., Ltd.   Document version: 5W H3C License Server Installation Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5W201-20151123 Copyright 2015, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights

More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2220 Document version: 6W100-20130810 Copyright 2013,

More information

H3C Firewall Devices. High Availability Configuration Guide (Comware V7) Hangzhou H3C Technologies Co., Ltd.

H3C Firewall Devices. High Availability Configuration Guide (Comware V7) Hangzhou H3C Technologies Co., Ltd. H3C Firewall Devices High Availability Configuration Guide (Comware V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F5020/F5040 firewalls M9006/M9010/M9014 security gateways

More information

H3C S6300 Switch Series

H3C S6300 Switch Series H3C S6300 Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2416 Document version: 6W100-20150126 Copyright 2015,

More information

H3C MSR Router Series

H3C MSR Router Series H3C MSR Router Series Comware 7 OpenFlow Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0615P08 Document version: 6W201-20180803 Copyright 2017-2018,

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series EVPN Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017, New H3C Technologies

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1111 Document version: 6W100-20150615 Copyright 2015,

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series High Availability Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series MCE Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou

More information

H3C S7500E-XS Switch Series

H3C S7500E-XS Switch Series H3C S7500E-XS Switch Series Layer 3 IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2418P05 Document version: 6W100-20150702 Copyright 2015

More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series ACL and QoS Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5501 Document version: 6W100-20140103 Copyright 2014, Hangzhou

More information

H3C Transceiver Modules and Network Cables

H3C Transceiver Modules and Network Cables H3C Transceiver Modules and Network Cables Installation Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Document version: 6W101-20171101 Copyright 2017, New H3C Technologies Co., Ltd. and its

More information

H3C S5120-SI Switch Series

H3C S5120-SI Switch Series H3C S5120-SI Switch Series Layer 3 - IP Routing Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1505 Document version: 6W101-20111108 Copyright 2011,

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series MPLS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1126 and Later Document version: 20111130-C-1.01 Copyright 2011, Hangzhou

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Comware 7 ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6600_SR6600X-CMW710-R7607 Document version: 20170401-6W100

More information

H3C S7500E-X Switch Series

H3C S7500E-X Switch Series H3C S7500E-X Switch Series EVPN Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S7500EX-CMW710-R7523P01 Document version: 6W100-20160830 Copyright 2016, Hangzhou

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series MPLS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1201 and Later Document version: 6W101-20120903 Copyright 2012, Hangzhou

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers ACL and QoS Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou

More information

H3C S12500-X Switch Series

H3C S12500-X Switch Series H3C S12500-X Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: R1003 and later Document version: 6W101-20150515 Copyright 2014-2015,

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Layer 3 - IP Services Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6602X-CMW710-R7103 SR6600X-CMW710-R7103-RSE3 SR6600-CMW710-R7103-RPE3

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 2150 and later Document version: 6W101-20170608 Copyright

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series EVPN Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017, New H3C Technologies

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1126 and Later Document version: 20111130-C-1.01 Copyright

More information

H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series

H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series Layer 3 IP Services Configuration Guide H3C S5560S-EI Switch Series H3C S5130S-HI Switch Series H3C S5130S-EI Switch Series H3C S5110V2

More information

H3C WX3000E Series Wireless Switches

H3C WX3000E Series Wireless Switches H3C WX3000E Series Wireless Switches Switching Engine Layer 2 Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: WX3000-CMW520-R3507P26 Document version: 6W101-20140714

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series ACL and QoS Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 2150 and later Document version: 6W101-20170608 Copyright 2016-2017,

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1111 Document version: 6W100-20150615 Copyright 2015, Hangzhou

More information

H3C S7500E-XS Switch Series

H3C S7500E-XS Switch Series H3C S7500E-XS Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S7500EXS-CMW710-R7523P01 Document version: 6W100-20160830

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2109 Document version: 6W100-20140128 Copyright 2014, Hangzhou

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Layer 2 - LAN Switching Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6602X-CMW710-R7103 SR6600X-CMW710-R7103-RSE3 SR6600-CMW710-R7103-RPE3

More information

HP 5120 EI Switch Series

HP 5120 EI Switch Series HP 5120 EI Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-1793 Software version: Release 2220 Document version: 6W100-20130810 Legal and notice information Copyright 2013 Hewlett-Packard

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1126 and Later Document version: 20111130-C-1.01 Copyright 2011,

More information

H3C S9500E Series Routing Switches

H3C S9500E Series Routing Switches H3C S9500E Series Routing Switches ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S9500E-CMW520-R1728 Document version: 6W170-20120306 Copyright

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers Probe Command Reference(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou H3C

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017,

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series IP Multicast Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software versions: Release 1118P02 and Release 1122 Document version: 6W102-20180323 Copyright

More information

H3C S5120-HI Switch Series

H3C S5120-HI Switch Series H3C S5120-HI Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5501 Document version: 6W100-20140103 Copyright 2014, Hangzhou

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou

More information

H3C S3600V2 Switch Series

H3C S3600V2 Switch Series H3C S3600V2 Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2101 Document version: 6W100-20110905 Copyright 2011,

More information

H3C S9500E Series Routing Switches

H3C S9500E Series Routing Switches H3C S9500E Series Routing Switches IRF Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S9500E-CMW520-R1725 Document version: 6W170-20111118 Copyright 2011,

More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2210 Document version: 6W100-20110915 Copyright 2011,

More information

H3C S3100V2 Switch Series

H3C S3100V2 Switch Series H3C S3100V2 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5203P05 and Release 5203P12 Document version: 6W101-20150530

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 213x Document version: 6W101-20151130 Copyright 2015, Hangzhou

More information

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW HP MSR Router Series IPX Configuration Guide(V5) Part number: 5998-8183 Software version: CMW520-R2513 Document version: 6PW106-20150808 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series IP Multicast Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017, New H3C

More information

H3C S6800 Switch Series

H3C S6800 Switch Series H3C S6800 Switch Series OpenFlow Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2609 and later Document version: 6W103-20190104 Copyright 2019, New H3C Technologies

More information

H3C S3100V2-52TP Switch

H3C S3100V2-52TP Switch H3C S3100V2-52TP Switch IP Multicast Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2111P02, Release 2112 Document version: 6W101-20180228 Copyright 2016-2018,

More information

H3C SecBlade SSL VPN Card

H3C SecBlade SSL VPN Card H3C SecBlade SSL VPN Card License Registration and Activation Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5PW100-20101220 Copyright 2010, Hangzhou H3C Technologies Co.,

More information

HP A5120 EI Switch Series IRF. Command Reference. Abstract

HP A5120 EI Switch Series IRF. Command Reference. Abstract HP A5120 EI Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended for network planners,

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S10500-CMW710-R7178 Document version: 6W100-20160118 Copyright

More information

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5) H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual

More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 52xx Document version: 6W102-20131220 Copyright 2013,

More information

H3C SR8800-F Routers. Comware 7 BRAS Services Configuration Guide. New H3C Technologies Co., Ltd.

H3C SR8800-F Routers. Comware 7 BRAS Services Configuration Guide. New H3C Technologies Co., Ltd. H3C SR8800-F Routers Comware 7 BRAS Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: SR8800FS-CMW710-R7655P05 or later Document version: 6W100-20170825

More information

H3C SR6600/SR6600-X Routers

H3C SR6600/SR6600-X Routers H3C SR6600/SR6600-X Routers Interface Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6600X-CMW520-R3103 SR6602-CMW520-R3103 SR6602X_MCP-CMW520-R3103 SR6600-CMW520-R3103-RPE

More information

H3C S6800 Switch Series

H3C S6800 Switch Series H3C S6800 Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2609 and later Document version: 6W103-20190104 Copyright 2019,

More information

HP 5820X & 5800 Switch Series IRF. Command Reference. Abstract

HP 5820X & 5800 Switch Series IRF. Command Reference. Abstract HP 5820X & 5800 Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP 5820X & 5800 Series products. This document is intended

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1111 Document version: 6W100-20150615 Copyright 2015,

More information

H3C WA4320-ACN-PI Access Point

H3C WA4320-ACN-PI Access Point H3C WA4320-ACN-PI Access Point Installation Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5W100-20151110 Copyright 2015, Hangzhou H3C Technologies Co., Ltd. and its licensors

More information

H3C S7500E Switch Series

H3C S7500E Switch Series H3C S7500E Switch Series Comware 7 OpenFlow Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 7577P01 and later versions Document version: 6W100-20190110 Copyright

More information

H3C S5120-SI Switch Series

H3C S5120-SI Switch Series H3C S5120-SI Switch Series Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1505 Document version: 6W101-20111108 Copyright 2011,

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard

More information

H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C SR6600 Routers ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SR6600-CMW520-R2603 Document version: 20110627-C-1.11 Copyright 2007-2011, Hangzhou

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright 2012,

More information

H3C S9500E Series Routing Switches

H3C S9500E Series Routing Switches H3C S9500E Series Routing Switches IP Multicast Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S9500E-CMW520-R1828P04 Document version: 6W182-20140823 Copyright

More information

H3C S5120-EI Series Ethernet Switches. ACL and QoS. Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C S5120-EI Series Ethernet Switches. ACL and QoS. Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C S5120-EI Series Ethernet Switches ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W102-20100722 Product Version: Release 2202 Copyright 2009-2010,

More information

H3C S5130-EI Switch Series

H3C S5130-EI Switch Series H3C S5130-EI Switch Series Layer 3 IP Routing Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 31xx Document version: 6W102-20150731 Copyright 2014-2015,

More information

HP 10500/ G Unified Wired-WLAN Module

HP 10500/ G Unified Wired-WLAN Module HP 10500/7500 20G Unified Wired-WLAN Module Fundamentals Configuration Guide Part number: 5998-3914 Software version: 2308P29 (HP 10500/7500 20G Unified Wired-WLAN Module) Document version: 6W102-20131112

More information

H3C S6300 Switch Series

H3C S6300 Switch Series H3C S6300 Switch Series Layer 3 IP Routing Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 23xx Document version: 6W101-20150407 Copyright 2014-2015,

More information

H3C S5120-HI Switch Series

H3C S5120-HI Switch Series H3C S5120-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 52xx Document version: 6W101-20140523 Copyright 2013-2014,

More information

H3C S7500E Series Ethernet Switches. Network Management and Monitoring. Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C S7500E Series Ethernet Switches. Network Management and Monitoring. Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C S7500E Series Ethernet Switches Network Management and Monitoring Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100722-C-1.01 Product Version: Release

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers Layer 3 - IP Routing Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright

More information

H3C S9500 Series Routing Switches

H3C S9500 Series Routing Switches Command Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08194S-20081225-C-1.24 Product Version: S9500-CMW310-R1648 Copyright 2007-2008, Hangzhou H3C Technologies Co., Ltd.

More information

H3C S3100V2-52TP Switch

H3C S3100V2-52TP Switch H3C S3100V2-52TP Switch Layer 3 IP Services Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2111P02, Release 2112 Document version: 6W101-20180228 Copyright

More information

H3C S5120-EI Series Ethernet Switches. Layer 3 - IP Services. Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C S5120-EI Series Ethernet Switches. Layer 3 - IP Services. Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C S5120-EI Series Ethernet Switches Layer 3 - IP Services Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W102-20100722 Product Version: Release 2202 Copyright

More information