NAT management
action destination-nat
This command performs translation of the address and port of the recipient for traffic that meets the specified criteria.
The use of a negative form (no) of the command sets the default value.
Syntax
action destination-nat { off | pool <NAME> | netmap <ADDR/LEN> }
no action destination-nat
Parameters
off – translation is disabled. Traffic that falls under the specified criteria will not be changed;
pool <NAME> – name of the pool that contains a set of IP addresses and/or TCP/UDP ports. For traffic that falls under the specified criteria, the IP address and TCP/UDP port of the recipient will be changed to values selected from the pool;
netmap <ADDR/LEN> – IP subnet used for translation. For traffic that falls under the specified criteria, the recipient's IP address will be changed to an IP address from the specified subnet. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].
Default value
None
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
Example
esr(config-dnat-rule)# action destination-nat netmap 10.10.10.0/24
action source-nat
This command sets the 'translation of source address and port' action type for traffic meeting the criteria of the 'match' commands.
The use of a negative form (no) of the command sets the default value.
Syntax
action source-nat { off | pool <NAME> | netmap <ADDR/LEN> [static] | interface [FIRST_PORT – LAST_PORT] }
no action source-nat
Parameters
off – translation is disabled. Traffic that falls under the specified criteria will not be changed;
pool <NAME> – name of the pool that contains a set of IP addresses and/or TCP/UDP ports. For traffic that falls under the specified criteria, the IP address and TCP/UDP port of the sender will be changed to values selected from the pool;
netmap <ADDR/LEN> – IP subnet used for translation. For traffic that falls under the specified criteria, the sender's IP address will be changed to an IP address from the specified subnet. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];
static – enables static NAT; available only together with netmap;
interface [FIRST_PORT – LAST_PORT] – translate to the interface IP address. For traffic that falls under the specified criteria, the sender's IP address will be changed to the IP address of the interface through which this traffic is transmitted. If a range of TCP/UDP ports is additionally specified, the source TCP/UDP ports will also be translated: they will be replaced with ports from the specified range.
Default value
None
Required privilege level
10
Command mode
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# action source-nat netmap 10.10.10.0/24
description
This command sets the description.
The use of a negative form (no) of the command removes description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – description of the rule group, rule or pool, set by a string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-DNAT-RULESET
CONFIG-SNAT-RULESET
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
CONFIG-DNAT-POOL
CONFIG-SNAT-POOL
Example
esr(config-snat-ruleset)# description "test ruleset"
enable
The command enables a configurable rule.
The use of a negative form (no) of the command disables the usage of a configurable rule.
Syntax
[no] enable
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# enable
from
This command restricts the scope of the rule group. The rules will be applied only to traffic coming from a certain zone or interface.
The use of a negative form (no) of the command removes the restriction on the scope of the rule group.
Syntax
from { zone <NAME> | interface <IF> | tunnel <TUN> | default }
no from
Parameters
<NAME> – isolation zone name;
<IF> – interface name, specified in the form described in Section Types and naming order of router interfaces;
<TUN> – tunnel name, specified in the form described in Section Types and naming order of router tunnels;
default – denotes the group of rules for all traffic whose source did not fall under the criteria of the other rule groups.
Only one rule group may have the 'default' value of the 'from' parameter.
Default value
None
Required privilege level
10
Command mode
CONFIG-DNAT-RULESET
Example
esr(config-dnat-ruleset)# from zone untrusted
ip address
This command sets the internal IP address which will replace a destination IP address.
The use of a negative form (no) of the command removes a specified IP address.
Syntax
ip address <ADDR>
no ip address
Parameters
<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
Required privilege level
10
Command mode
CONFIG-DNAT-POOL
Example
esr(config-dnat-pool)# ip address 10.10.10.10
ip address-range
Set the range of external IP addresses which will replace a source IP address.
The use of a negative form (no) of the command removes a specified range of addresses.
Syntax
ip address-range <IP>[-<ENDIP>]
no ip address-range
Parameters
<IP> – IP address of the beginning of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<ENDIP> – IP address of the end of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. If IP address of the end of the range is not specified, only IP address of the beginning of the range is used as IP address for translation.
Required privilege level
10
Command mode
CONFIG-SNAT-POOL
Example
esr(config-snat-pool)# ip address-range 10.10.10.1-10.10.10.20
ip nat proxy-arp
This command allows the router to respond to ARP requests for IP addresses from the specified profile. The function avoids having to assign every IP address of the translation pool to the interface.
Syntax
ip nat proxy-arp <OBJ-GROUP-NETWORK-NAME>
no ip nat proxy-arp
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.
Default value
NAT Proxy ARP function is disabled.
Required privilege level
10
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-SUBIF
CONFIG-QINQ-IF
CONFIG-PORT-CHANNEL
CONFIG-BRIDGE
CONFIG-CELLULAR-MODEM
CONFIG-LT
Example
esr(config-if-gi)# ip nat proxy-arp nat-pool
ip port
Sets the internal TCP/UDP port which will replace a destination TCP/UDP port.
The use of a negative form (no) of the command removes a specified TCP/UDP port.
Syntax
ip port <PORT>
no ip port
Parameters
<PORT> – TCP/UDP port, takes values of [1..65535].
Required privilege level
10
Command mode
CONFIG-DNAT-POOL
Example
esr(config-dnat-pool)# ip port 5000
ip port-range
Specify the range of external TCP/UDP ports which will replace a source TCP/UDP port.
The use of a negative form (no) of the command removes a specified range of ports.
Syntax
ip port-range <PORT>[-<ENDPORT>]
no ip port-range
Parameters
<PORT> – TCP/UDP port of the beginning of range, takes values of [1..65535];
<ENDPORT> – TCP/UDP port of the end of range, takes values of [1..65535]. If TCP/UDP port of the end of the range is not specified, only TCP/UDP port of the beginning of the range is used as TCP/UDP port for translation.
Required privilege level
10
Command mode
CONFIG-SNAT-POOL
Example
esr(config-snat-pool)# ip port-range 20-100
match destination-address
Set the profile of destination IP addresses for which the rule should work.
When using the 'not' parameter, the rule will work for destination IP addresses which are not included in the specified profile. The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] destination-address <OBJ-GROUP-NETWORK-NAME>
no match destination-address
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any destination IP address.
Default value
any
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match destination-address remote
match destination-address-port
This command sets the profile of IP address bundles and destination TCP/UDP ports for which the rule should work.
When using 'not' parameter, the rule will work for IP address bundles and destination TCP/UDP ports which are not included in a specified profile.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] destination-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
no match destination-address-port
Parameters
<OBJ-GROUP-ADDRESS-PORT-NAME> – the name of the profile of IP address bundles and TCP/UDP ports is specified by a string of up to 31 characters. When specifying the value 'any', the rule will not consider this filtering method.
Default value
any
Required privilege level
10
Command mode
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match destination-address-port local
match destination-port
This command sets the profile of destination TCP/UDP ports for which the rule should work.
When using the 'not' parameter, the rule will work for destination TCP/UDP ports which are not included in the specified profile.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] destination-port <PORT-SET-NAME>
no match destination-port
Parameters
<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match destination-port ssh
match icmp
The command is used to configure ICMP parameters if it is selected by 'match protocol' command. It specifies the type and code of ICMP messages for which the rule should work.
When using the 'not' parameter, the rule will work for all types and codes of ICMP messages except the specified ones.
The use of a negative form (no) of the command sets the default value.
Syntax
match [not] icmp { <ICMP_TYPE> <ICMP_CODE> | <OPTION> }
no match icmp
Parameters
<ICMP_TYPE> – ICMP message type, takes values of [0..255];
<ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the 'any' value, the rule will work for any ICMP message code;
<OPTION> – standard types of ICMP messages can take values:
- administratively-prohibited;
- alternate-address;
- conversion-error;
- dod-host-prohibited;
- dod-network-prohibited;
- echo;
- echo-reply;
- host-isolated;
- host-precedence;
- host-redirect;
- host-tos-redirect;
- host-tos-unreachable;
- host-unknown;
- host-unreachable;
- information-reply;
- information-request;
- mask-reply;
- mask-request;
- network-redirect;
- network-tos-redirect;
- network-tos-unreachable;
- network-unknown;
- network-unreachable;
- option-missing;
- packet-too-big;
- parameter-problem;
- port-unreachable;
- precedence;
- protocol-unreachable;
- reassembly-timeout;
- router-advertisement;
- router-solicitation;
- source-quench;
- source-route-failed;
- time-exceeded;
- timestamp-reply;
- timestamp-request;
- traceroute.
Default value
any any
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match icmp 2 any
match protocol
The command sets the name or number of the IP protocol for which the rule should work.
When using 'not' parameter, the rule will work for all protocols except a specified one.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] protocol <TYPE>
no match protocol
match [not] protocol-id <ID>
no match protocol-id
Parameters
<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.
When specifying the 'any' value, the rule will work for any protocols.
<ID> – IP protocol number, takes values of [0x00-0xFF].
Default value
any
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match protocol udp
match source-address
The command specifies the profile of source IP addresses for which the rule should work.
When using the 'not' parameter, the rule will work for source IP addresses which are not included in the specified profile.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] source-address <OBJ-GROUP-NETWORK-NAME>
no match source-address
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any source IP address.
Default value
any
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match source-address local
match source-address-port
This command sets the profile of IP address bundles and source TCP/UDP ports for which the rule should trigger.
When using the 'not' parameter (match not), the rule will work for IP address bundles and source TCP/UDP ports which are not included in the specified profile.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] source-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
no match source-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
Parameters
<OBJ-GROUP-ADDRESS-PORT-NAME> – the name of the profile of IP address bundles and TCP/UDP ports is specified by a string of up to 31 characters. When specifying the value 'any', the rule will not consider this filtering method.
Default value
any
Required privilege level
10
Command mode
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match source-address-port admin
match source-port
The command sets the profile of source TCP/UDP ports for which the rule should work.
When using the 'not' parameter, the rule will work for source TCP/UDP ports which are not included in the specified profile. The use of a negative form (no) of the command cancels the assignment.
Syntax
match [not] source-port <PORT-SET-NAME>
no match source-port
Parameters
<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.
Required privilege level
10
Command mode
CONFIG-DNAT-RULE
CONFIG-SNAT-RULE
Example
esr(config-snat-rule)# match source-port telnet
nat alg
This command enables the IP address translation feature in the application level headers.
The use of a negative form (no) of the command disables the IP address translation feature in the application level headers.
Syntax
[no] nat alg { <PROTOCOL> }
Parameters
<PROTOCOL> – application-level protocol in whose headers address translation should work; takes the values [ftp, h323, pptp, netbios-ns, gre, sip, tftp].
Instead of a specific protocol, the 'all' keyword may be used to enable IP address translation in the headers of all supported protocols.
Default value
The IP address translation feature in application level headers is disabled.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# nat alg ftp
nat destination
This command allows you to enter the configuration mode of the destination address translation service (DNAT, Destination NAT).
The use of a negative form (no) of the command removes the configuration of the destination address translation service (DNAT, Destination NAT).
Syntax
[no] nat destination
Parameters
The command does not contain parameters.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# nat destination
esr(config-dnat)#
nat source
This command allows you to enter the configuration mode of the source address translation service (SNAT, Source NAT).
The use of a negative form (no) of the command removes the configuration of the source address translation service (SNAT, Source NAT).
Syntax
[no] nat source
Parameters
The command does not contain parameters.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# nat source
esr(config-snat)#
persistent
This command enables NAT persistent feature.
NAT persistent allows applications to use STUN (session traversal utilities for NAT) to establish a connection with devices behind the NAT gateway. This ensures that requests from the same internal address are translated to the same external address.
The use of a negative form (no) of the command sets the default value.
Syntax
[no] persistent
Parameters
The command does not contain parameters.
Default value
NAT persistent feature disabled.
Required privilege level
10
Command mode
CONFIG-SNAT-POOL
Example
esr(config-snat-pool)# persistent
pool
The command creates a pool of IP addresses and TCP/UDP ports with the specified name for the NAT service and changes the command mode to SNAT POOL or DNAT POOL.
If a pool is used in any group of rules, then it cannot be deleted.
The use of a negative form (no) of the command removes a specified NAT addresses pool.
Syntax
[no] pool <NAME>
Parameters
<NAME> – NAT addresses pool name, set by the string of up to 31 characters. If you use the command to delete, then specifying the value 'all' will delete all pools of IP addresses and TCP/UDP ports.
Required privilege level
10
Command mode
CONFIG-DNAT
CONFIG-SNAT
Example
esr(config-snat)# pool nat
esr(config-snat-pool)#
rearrange
This command renumbers the created rules with the specified step between rule numbers.
Syntax
rearrange <VALUE>
Parameters
<VALUE> – maximum step between rule numbers, takes values of [1..50].
Required privilege level
10
Command mode
CONFIG-DNAT-RULESET
CONFIG-SNAT-RULESET
Example
esr(config-dnat-ruleset)# rearrange 10
renumber rule
This command changes the rule number.
Syntax
renumber rule <CUR_ORDER> <NEW_ORDER>
Parameters
<CUR_ORDER> – current rule number, takes values of [1..10000].
<NEW_ORDER> – new rule number, takes values of [1..10000].
Required privilege level
10
Command mode
CONFIG-DNAT-RULESET
CONFIG-SNAT-RULESET
Example
esr(config-dnat-ruleset)# renumber rule 13 100
rule
This command creates a rule with the specified number and switches the command mode to SNAT RULE or DNAT RULE. The device processes the rules in ascending order of their numbers.
The use of a negative form of the command (no) removes the rule by number or all rules.
Syntax
[no] rule <ORDER>
Parameters
<ORDER> – rule number, takes values of [1..10000]. If the command is used for removal, when specifying the 'all' value all rules will be removed.
Required privilege level
10
Command mode
CONFIG-DNAT-RULESET
CONFIG-SNAT-RULESET
Example
esr(config-snat-ruleset)# rule 10
esr(config-snat-rule)#
ruleset
This command is used to create a group of rules with a specific name and to enter the SNAT RULESET or DNAT RULESET command mode.
The use of a negative form (no) of the command removes a specified rule group.
Syntax
[no] ruleset <NAME>
Parameters
<NAME> – rule group name, set by the string of up to 31 characters. If the command is used for removal, when specifying the 'all' value all rule groups will be removed.
Required privilege level
10
Command mode
CONFIG-DNAT
CONFIG-SNAT
Example
esr(config-snat)# ruleset wan
esr(config-snat-ruleset)#
show ip nat alg
This command displays information about the functionality of IP address translation in application level headers.
Syntax
show ip nat alg
Parameters
The command does not contain parameters.
Required privilege level
1
Command mode
ROOT
Example
esr# show ip nat alg
ALG Status:
FTP: Enabled
H.323: Disabled
GRE: Disabled
PPTP: Disabled
SIP: Disabled
SNMP: Disabled
TFTP: Disabled
show ip nat pool
This command displays pools of internal and external IP addresses and TCP/UDP ports.
Syntax
show ip nat <TYPE> pools
Parameters
<TYPE> – the type of pools to view:
- source – external IP addresses and TCP/UDP ports;
- destination – internal IP addresses and TCP/UDP ports;
Required privilege level
1
Command mode
ROOT
Example
esr# show nat source pools
Pools
~~~~~
ID   Name                  Ip address         Port range   Description   Persistent
---- --------------------- ------------------ ------------ ------------- ----------
0    outside               25.56.48.11        2000 – 3000  outside-pool  false
show ip nat ruleset
This command displays all or selected rule groups used by the NAT function.
Syntax
show ip nat <TYPE> ruleset [<NAME>]
Parameters
<TYPE> – rule group type:
- source – rule group for sender's IP address and TCP/UDP port translation;
- destination – rule group for receiver's IP address and TCP/UDP port translation;
<NAME> – rule group name, optional parameter. If the name is not specified, a list of all rule groups will be displayed.
Required privilege level
1
Command mode
ROOT
Example
esr# show ip nat source rulesets
Rulesets
~~~~~~~~
ID   Name                             To                       Description
---- -------------------------------- ------------------------ -----------------
0    factory                          zone 'untrusted'
1    test                             gigabitethernet 1/0/1    test
esr# show ip nat source rulesets factory
Ruleset: factory
Description:
To: none
Rules:
------
Order: 10
Description: replace 'source ip' by outgoing interface ip address
Matching pattern:
Protocol: any(0)
Src-addr: any
Dest-addr: any
Action: interface port any
Status: Enabled
--------------------------------------------------------------------------------
show ip nat translations
This command shows translation sessions. To view statistics, counters must be enabled (see section IP firewall mode).
Syntax
show ip nat translations [ vrf <VRF> ] [ protocol <TYPE> ] [ inside-source-address <ADDR> ] [ outside-source-address <ADDR> ] [ inside-destination-address <ADDR> ] [ outside-destination-address <ADDR> ] [ inside-source-port <PORT> ] [ outside-source-port <PORT> ] [ inside-destination-port <PORT> ] [ outside-destination-port <PORT> ] [ summary ]
Parameters
<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, the translation sessions of the specified VRF will be displayed.
summary – displays summary statistics for translation sessions;
<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;
<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<PORT> – TCP/UDP port, takes values of [1..65535];
For Source NAT:
- inside-source-address – key to specify the source IP address before translation;
- inside-destination-address – key to specify the destination IP address on the router's input;
- outside-source-address – key to specify the source IP address after translation;
- outside-destination-address – key to specify the destination IP address on the router's output;
- inside-source-port – key to specify source TCP/UDP port before translation;
- outside-source-port – key to specify source TCP/UDP port after translation;
- inside-destination-port – key to specify destination TCP/UDP port before translation;
- outside-destination-port – key to specify destination TCP/UDP port after translation;
For Destination NAT
- inside-source-address – key to specify the source IP address on the router's output;
- inside-destination-address – key to specify the destination IP address after translation;
- outside-source-address – key to specify the source IP address on the router's input;
- outside-destination-address – key to specify the destination IP address before translation;
- inside-source-port – key to specify source TCP/UDP port before translation;
- outside-source-port – key to specify source TCP/UDP port after translation;
- inside-destination-port – key to specify destination TCP/UDP port before translation;
- outside-destination-port – key to specify destination TCP/UDP port after translation;
Required privilege level
1
Command mode
ROOT
Example 1
Source NAT
esr# show ip nat translations
Prot  Inside source  Inside destination  Outside source  Outside destination  Pkts  Bytes
----  -------------  ------------------  --------------  -------------------  ----  -----
icmp  115.0.0.10     1.1.0.2             1.1.0.24        1.1.0.2              3     252
Example 2
Destination NAT
esr# show ip nat translations
Prot  Inside source  Inside destination  Outside source  Outside destination  Pkts  Bytes
----  -------------  ------------------  --------------  -------------------  ----  -----
icmp  1.1.0.2        115.0.0.10          1.1.0.2         1.1.0.16             --    --
show ip nat proxy-arp
This command displays the NAT Proxy ARP settings.
Syntax
show ip nat proxy-arp
Required privilege level
1
Command mode
ROOT
Example
esr# show nat proxy-arp
Interface IP address range
----------- ---------------------------------------------
gi1/0/15 115.0.0.15-115.0.0.100
to
This command restricts the scope of the rule group. The rules will be applied only to traffic going to a certain zone or interface.
The use of a negative form (no) of the command removes the restriction on the scope of the rule group.
Syntax
to { zone <NAME> | interface <IF> | tunnel <TUN> | default }
no to
Parameters
<NAME> – isolation zone name;
<IF> – interface name, specified in the form described in Section Types and naming order of router interfaces;
<TUN> – tunnel name, specified in the form described in Section Types and naming order of router tunnels;
default – denotes the group of rules for all traffic whose destination did not fall under the criteria of the other rule groups.
Only one rule group may have the 'default' value of the 'to' parameter.
Default value
None
Required privilege level
10
Command mode
CONFIG-SNAT-RULESET
Example
esr(config-snat)# ruleset test
esr(config-snat-ruleset)# to interface gigabitethernet 1/0/1
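A complete configuration that ties the commands on this page together, as an added example rather than the vendor's own text: a source NAT ruleset that hides the internal 'local' profile behind a small public pool on gigabitethernet 1/0/1, and a destination NAT ruleset that exposes one internal server on one TCP port only, followed by the show commands used to verify it. Rules stay inactive until 'enable' is given, an SNAT ruleset is scoped with 'to' while a DNAT ruleset is scoped with 'from', and the narrower the 'match' profiles on a DNAT rule, the less of the internal host is reachable from the untrusted zone. It assumes the address profiles local, web-server-ext and outside-range and the port profile http already exist, that 'exit' leaves the current mode, and that lines beginning with '!' are annotations rather than device input; all addresses are constructed.

```text
! --- Source NAT: hide the internal 'local' profile behind a pool on gi1/0/1 ---
esr(config)# nat source
esr(config-snat)# pool outside
esr(config-snat-pool)# description "public addresses for internal hosts"
esr(config-snat-pool)# ip address-range 203.0.113.10-203.0.113.14
esr(config-snat-pool)# ip port-range 20000-40000
! persistent keeps one external address per internal host (needed by STUN clients)
esr(config-snat-pool)# persistent
esr(config-snat-pool)# exit
esr(config-snat)# ruleset wan
! SNAT rulesets are scoped by the egress side, so 'to' is used here
esr(config-snat-ruleset)# to interface gigabitethernet 1/0/1
esr(config-snat-ruleset)# rule 10
esr(config-snat-rule)# description "translate internal hosts to the outside pool"
esr(config-snat-rule)# match source-address local
esr(config-snat-rule)# action source-nat pool outside
! rules are disabled by default; without 'enable' nothing is translated
esr(config-snat-rule)# enable
esr(config-snat-rule)# exit
esr(config-snat-ruleset)# exit
esr(config-snat)# exit
! The pool addresses are not configured on the interface, so the router
! must answer ARP for them (profile outside-range covers 203.0.113.10-14)
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# ip nat proxy-arp outside-range
esr(config-if-gi)# exit

! --- Destination NAT: publish one internal web server on one TCP port only ---
esr(config)# nat destination
esr(config-dnat)# pool web-server
esr(config-dnat-pool)# ip address 10.10.10.10
esr(config-dnat-pool)# ip port 8080
esr(config-dnat-pool)# exit
esr(config-dnat)# ruleset inbound
! DNAT rulesets are scoped by the ingress side, so 'from' is used here
esr(config-dnat-ruleset)# from zone untrusted
esr(config-dnat-ruleset)# rule 10
! match on the public address, the protocol and the port; 'any' in any of
! these would forward more of the untrusted zone onto the internal host
esr(config-dnat-rule)# match destination-address web-server-ext
esr(config-dnat-rule)# match protocol tcp
esr(config-dnat-rule)# match destination-port http
esr(config-dnat-rule)# action destination-nat pool web-server
esr(config-dnat-rule)# enable
esr(config-dnat-rule)# exit
esr(config-dnat-ruleset)# exit
esr(config-dnat)# exit

! --- Verify the objects and watch the resulting sessions ---
esr# show ip nat source pools
esr# show ip nat source rulesets wan
esr# show ip nat destination rulesets inbound
esr# show ip nat translations protocol tcp
```

If the DNAT rule does not appear with Status: Enabled in the ruleset output, or no tcp entry appears in the translations table while the service is being reached, check the 'enable' line and the zone given in 'from' before touching the match profiles.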