The nat server command configures a NAT server. You can specify global-address and global-port to allow users to access an intranet server of host-address and host-port.
The undo nat server command deletes NAT server configurations.
nat server [ name ] [ vpn-instance vpn-instance-name1 ] [ zone zone-name ] protocol protocol-type global global-address [ global-address-end ] global-port [ global-port-end ] inside host-address [ host-address-end ] host-port [ host-port-end ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ] [ unr-route ] [ description description ] [ nat-disable ]
nat server [ name ] [ vpn-instance vpn-instance-name1 ] [ zone zone-name ] [ protocol protocol-type ] global global-address [ global-address-end ] inside host-address [ host-address-end ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ] [ unr-route ] [ description description ] [ nat-disable ]
nat server [ name ] [ vpn-instance vpn-instance-name1 ] [ zone zone-name ] protocol protocol-type global interface [ interface-name | interface-type interface-number ] [ global-port [ global-port-end ] ] inside host-address [ host-address-end ] [ host-port [ host-port-end ] ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ] [ description description ] [ nat-disable ]
nat server [ name ] [ vpn-instance vpn-instance-name1 ] [ zone zone-name ] global interface [ interface-name | interface-type interface-number ] [ global-port [ global-port-end ] ] inside host-address [ host-address-end ] [ host-port [ host-port-end ] ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ] [ description description ] [ nat-disable ]
nat server name name [ unr-route | nat-disable ]
undo nat server { name name [ unr-route | nat-disable ] | all }
| Parameter | Description | Value |
|---|---|---|
| name | Specifies the name of a NAT server. | The value is a string of 1 to 256 case-sensitive characters and may be purely numeric. It cannot be all, vsys, or all-systems, nor name, global, protocol, vpn-instance, zone, or any prefix of these keywords (taking name as an example, n, na, nam, and name are all rejected). The value must begin with a letter or digit. |
| global-address [ global-address-end ] | Specifies a public IP address. global-address and global-address-end define an IP address range; global-address-end must be greater than global-address. | The value is in decimal dotted notation. The configurable IP address segments vary by model. |
| host-address [ host-address-end ] | Specifies the private address of an intranet server. host-address and host-address-end define an IP address range; host-address-end must be greater than host-address. If global-address-end is specified, host-address-end must also be specified. Each private address is mapped to a single public address; if private addresses outnumber public addresses, the excess private addresses are not translated. If global-port-end is specified, host-port-end must also be specified. Each private port is mapped to a single public port; if private ports outnumber public ports, the excess private ports are not translated. | The value is in decimal dotted notation. |
| protocol protocol-type | Specifies the number or type of the protocol that the service runs over. You can specify TCP, UDP, SCTP, or ICMP. global-port, global-port-end, host-port, and host-port-end can be specified only after protocol protocol-type is set. After you set this parameter, you must configure both the public and private interfaces. | The value can be 1, 6, 17, 41, 47, 50, or 51 when entered as an integer, or tcp, udp, sctp, or icmp when entered as a name. |
| global-port | Specifies the number of the public port through which an intranet server provides services. | The value can be a protocol type or an integer ranging from 0 to 65535. If global-port is set to 0 and host-port is specified, the port number is translated to the same value as host-port. For example, if global-port is 0 and host-port is 1, the port number is translated into 1. |
| global-port-end | Specifies the end of a public port range. global-port and global-port-end define the range; global-port-end must be greater than global-port. | The value is an integer ranging from 1 to 65535. |
| host-port | Specifies the number of the private port on which an intranet server provides services. | The value can be a protocol type or an integer ranging from 0 to 65535. If host-port is set to 0 and global-port is specified, the port number is translated to the same value as global-port. For example, if host-port is 0 and global-port is 1, the port number is translated into 1. |
| host-port-end | Specifies the end of a private port range. host-port and host-port-end define the range; host-port-end must be greater than host-port. | The value is an integer ranging from 1 to 65535. |
| vpn-instance vpn-instance-name1 | Specifies the name of a VPN instance. The VPN instance is one created manually, not one created in the virtual system. | It must be the name of an existing VPN instance. The value is a string of 1 to 31 characters. |
| vpn-instance vpn-instance-name2 | Specifies the name of a VPN instance. The VPN instance is one created manually, not one created in the virtual system. | It must be the name of an existing VPN instance. The value is a string of 1 to 31 characters. |
| zone zone-name | Specifies the name of a security zone. | The value is a string of case-insensitive characters. A name without spaces is 1 to 32 characters long; a name with spaces is 3 to 34 characters long and must be enclosed in quotation marks (for example, "group for test"). The name cannot contain question marks (?) or hyphens (-). |
| no-reverse | Prevents the system from creating a reverse entry. If this parameter is not specified, both a server-map entry and its reverse entry are created. | - |
| interface-type interface-number | Specifies the type and number of an interface on the FW. | - |
| vrrp virtual-router-id | Specifies the ID of a VRRP backup group. Only the USG6510E/6510E-POE/6530E do not support this parameter. | The value is an integer ranging from 1 to 255. |
| unr-route | Delivers a UNR route to prevent routing loops. If both unr-route and nat-disable are configured, UNR route entries are still created. | By default, no UNRs are delivered. |
| description description | Specifies a description of the NAT server. | The value is a case-sensitive string of 1 to 31 characters. |
| all | Indicates all NAT servers in the current system. For example, running undo nat server all in the root system deletes only the NAT servers of the root system, not those of the virtual systems. | - |
| nat-disable | Keeps the NAT server configuration but prevents it from taking effect. | The NAT server function is enabled by default. |
By default, no NAT server is configured.
If neither a name nor an ID is specified for the NAT server, the system automatically assigns a name and an ID, and the two are identical.
The nat server command specifies an intranet server that provides services for Internet users. The server can be a WWW, FTP, Telnet, or POP3 server.
If multiple NAT servers with the same public and private IP addresses are configured on the device, the device preferentially matches the NAT server with the most specific matching rule. For example, suppose the following two NAT servers are configured:

```text
[sysname] nat server 1 global 10.10.1.1 inside 192.168.1.2
[sysname] nat server 2 protocol tcp global 10.10.1.1 888 inside 192.168.1.2 444
```

After receiving a packet destined for 10.10.1.1, the FW searches the Server-Map table for the NAT server with the more specific matching rule, that is, the second NAT server. If the packet matches it (TCP to port 888), the device translates both the destination IP address and the destination port and forwards the packet. Otherwise the packet matches the first NAT server, and the device translates only the destination IP address before forwarding it.
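The most-specific-match lookup described above, together with the one-to-one port-range mapping described in the host-address row of the parameter table, as an added model written for this page (not the FW's own code). The two entries from the example are reproduced; the third entry with a port range is constructed, and the address-only rule is assumed to keep the original destination port:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatServer:
    """One 'nat server' entry. A None field means the keyword was omitted."""
    name: str
    global_addr: str
    host_addr: str
    protocol: Optional[str] = None        # protocol protocol-type
    global_port: Optional[int] = None     # global-port
    global_port_end: Optional[int] = None
    host_port: Optional[int] = None       # host-port
    host_port_end: Optional[int] = None

    def specificity(self) -> int:
        # Each extra keyword that the packet must match makes the rule more specific.
        return int(self.protocol is not None) + int(self.global_port is not None)

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if dst_ip != self.global_addr:
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.global_port is not None:
            end = self.global_port_end
            end = self.global_port if end is None else end
            if not self.global_port <= dst_port <= end:
                return False
        return True

    def translate(self, dst_port: int) -> tuple:
        if self.global_port is None or self.host_port is None:
            return self.host_addr, dst_port   # address-only mapping keeps the port
        # A public port range maps one-to-one onto the private range (same offset).
        return self.host_addr, self.host_port + (dst_port - self.global_port)


def lookup(servers, proto, dst_ip, dst_port):
    """Return (server name, private IP, private port) of the most specific match."""
    hits = [s for s in servers if s.matches(proto, dst_ip, dst_port)]
    if not hits:
        return None
    best = max(hits, key=NatServer.specificity)
    return (best.name,) + best.translate(dst_port)


# Entries 1 and 2 are the page's example; entry 3 is a constructed port-range rule.
SERVERS = [
    NatServer("1", "10.10.1.1", "192.168.1.2"),
    NatServer("2", "10.10.1.1", "192.168.1.2", "tcp", 888, None, 444, None),
    NatServer("3", "10.10.1.5", "192.168.1.3", "tcp", 1000, 1003, 2000, 2003),
]
```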
When an Internet user sends a packet to the global address of the NAT server, the FW finds no matching session entry in the session table and forwards the packet to the router over the default route. The router looks up its routing table and sends the packet back to the FW. The packet thus bounces between the FW and the router, causing a routing loop.
You can set unr-route to configure a UNR route. Like a black-hole route, the UNR route can prevent a routing loop and be imported to a dynamic routing protocol, such as OSPF. The upstream and downstream routers can receive the route to the public address.
If the NAT Server global address and the WAN interface address are in different networks, a black-hole route is required. If they are in the same network, a black-hole route is recommended.
If global-address in the global { global-address [ global-address-end ] | interface interface-type interface-number } command is an interface IP address or interface interface-type interface-number is specified, the FW will not generate black-hole routes, and unr-route is not required.
If a NAT server already exists but no UNR was configured for it, run nat server name name unr-route to add the UNR while keeping the rest of the configuration unchanged. This lets users configure UNRs flexibly.
# Configure two NAT servers named for_web and for_ftp, mapping the WWW server 192.168.10.10 and the FTP server 192.168.10.11 so that users can reach the WWW server at http://10.110.10.10:8080 and the FTP server at ftp://10.110.10.10.

```text
<sysname> system-view
[sysname] nat server for_web protocol tcp global 10.110.10.10 8080 inside 192.168.10.10 www
[sysname] nat server for_ftp protocol tcp global 10.110.10.10 ftp inside 192.168.10.11 ftp
```