action destination-nat

This command performs translation of the address and port of the recipient for traffic that meets the specified criteria.

The use of a negative form (no) of the command sets the default value.

Syntax
action destination-nat { off | pool <NAME> | netmap <ADDR/LEN> }
no action destination-nat
Parameters

off – translation is disabled. Traffic that falls under the specified criteria will not be changed;

pool <NAME> – name of the pool containing the set of IP addresses and/or TCP/UDP ports. For traffic that falls under the specified criteria, the recipient's IP address and TCP/UDP port will be changed to values selected from the pool;

netmap <ADDR/LEN> – IP subnet used for translation. For traffic that falls under the specified criteria, the recipient's IP address will be changed to an IP address from the specified subnet. The parameter is defined as AAA.BBB.CCC.DDD/EE, where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

Default value

None

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

Example
esr(config-dnat-rule)# action destination-nat netmap 10.10.10.0/24

action source-nat

This command sets the 'translate source address and port' action type for traffic that meets the criteria of the 'match' commands.

The use of a negative form (no) of the command sets the default value.

Syntax
action source-nat { off | pool <NAME> | netmap <ADDR/LEN> [static] | interface [FIRST_PORT-LAST_PORT] }
no action source-nat
Parameters

off – translation is disabled. Traffic that falls under the specified criteria will not be changed;

pool <NAME> – name of the pool containing the set of IP addresses and/or TCP/UDP ports. For traffic that falls under the specified criteria, the sender's IP address and TCP/UDP port will be changed to values selected from the pool;

netmap <ADDR/LEN> – sets the IP subnet used for translation. For traffic that falls under the specified criteria, the sender's IP address will be changed to an IP address from the specified subnet. The parameter is defined as AAA.BBB.CCC.DDD/EE, where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

static – enables static NAT; available only together with netmap;

interface [FIRST_PORT-LAST_PORT] – translation to the interface IP address. For traffic that falls under the specified criteria, the sender's IP address will be changed to the IP address of the interface through which this traffic is transmitted. If a range of TCP/UDP ports is additionally specified, the source TCP/UDP ports will also be translated: they will be replaced with ports from the specified range.

Default value

None

Required privilege level

10

Command mode

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# action source-nat netmap 10.10.10.0/24
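A small Python model of the 'action destination-nat' and 'action source-nat' kinds described above (off, netmap and interface with an optional port range). This is an added example, not Eltex code or the router's implementation; it assumes that netmap is a conventional 1:1 prefix replacement that keeps the host bits of the original address, and that 'interface FIRST-LAST' moves the source port into the range by a modular offset. Neither detail is stated on the page, and the packets and addresses are constructed test values.

```python
"""Model of the NAT actions in this section (added example, not Eltex code).

Assumptions not stated on the page: 'netmap' is a conventional 1:1 prefix
replacement that keeps the host bits of the original address, and
'interface FIRST-LAST' moves the source port into the range by modular
offset. Addresses below are constructed test values.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def netmap(addr: str, subnet: str) -> str:
    """Return addr with its network bits replaced by those of subnet.

    Example: netmap('192.168.1.37', '10.10.10.0/24') -> '10.10.10.37'.
    Assumption: host bits are preserved (1:1 netmap semantics).
    """
    net = ipaddress.ip_network(subnet, strict=False)
    host_bits = int(ipaddress.ip_address(addr)) & int(net.hostmask)
    return str(ipaddress.ip_address(int(net.network_address) | host_bits))


def interface_snat(src_ip: str, src_port: int, if_ip: str,
                   port_range: Optional[Tuple[int, int]] = None) -> Tuple[str, int]:
    """'action source-nat interface [FIRST-LAST]': rewrite the source address
    to the egress interface address; with a range, also move the source port
    into [FIRST..LAST] (assumed: offset = src_port modulo range size)."""
    if port_range is None:
        return if_ip, src_port
    first, last = port_range
    if not 1 <= first <= last <= 65535:
        raise ValueError("port range must satisfy 1 <= FIRST <= LAST <= 65535")
    return if_ip, first + src_port % (last - first + 1)


def apply_destination_nat(pkt: Packet, action: tuple) -> Packet:
    """action destination-nat { off | netmap <ADDR/LEN> } applied to one packet."""
    kind = action[0]
    if kind == "off":
        return pkt
    if kind == "netmap":
        return replace(pkt, dst=netmap(pkt.dst, action[1]))
    raise ValueError(f"unsupported destination-nat action: {kind}")


def apply_source_nat(pkt: Packet, action: tuple, egress_if_ip: str) -> Packet:
    """action source-nat { off | netmap <ADDR/LEN> | interface [FIRST-LAST] }."""
    kind = action[0]
    if kind == "off":
        return pkt
    if kind == "netmap":
        return replace(pkt, src=netmap(pkt.src, action[1]))
    if kind == "interface":
        port_range = action[1] if len(action) > 1 else None
        ip, port = interface_snat(pkt.src, pkt.sport, egress_if_ip, port_range)
        return replace(pkt, src=ip, sport=port)
    raise ValueError(f"unsupported source-nat action: {kind}")


if __name__ == "__main__":
    # Constructed packets: one arriving for a published service, one leaving the LAN
    inbound = Packet("tcp", "203.0.113.50", 40000, "198.51.100.7", 443)
    print(apply_destination_nat(inbound, ("netmap", "10.10.10.0/24")))
    outbound = Packet("tcp", "192.168.1.37", 51234, "198.51.100.7", 443)
    print(apply_source_nat(outbound, ("interface", (20000, 30000)), "203.0.113.2"))
```

The netmap helper is shared by both directions because the page describes the same subnet substitution for the recipient (DNAT) and the sender (SNAT); only the field being rewritten differs.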

description

This command sets the description.

The use of a negative form (no) of the command removes description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – description of the rule group, rule or pool, set by a string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-DNAT-RULESET

CONFIG-SNAT-RULESET

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

CONFIG-DNAT-POOL

CONFIG-SNAT-POOL

Example
esr(config-snat-ruleset)# description "test ruleset"

enable

The command enables a configurable rule.

The use of a negative form (no) of the command disables the usage of a configurable rule.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# enable

from

This command restricts the scope of the rule group. The rules will be applied only to traffic coming from a certain zone or interface.

The use of a negative form (no) of the command removes the restriction on the scope of the rule group.

Syntax
from { zone <NAME> | interface <IF> | tunnel <TUN> | default }
no from
Parameters

<NAME> – isolation zone name;

<IF> – an interface's name, specified in the form described in Section Types and naming order of router interfaces;

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels.

default – denotes a group of rules for all traffic, the source of which did not fall under the criteria of other groups of rules.

Only one rule group may have the 'default' value of the 'from' parameter.

Default value

None

Required privilege level

10

Command mode

CONFIG-DNAT-RULESET

Example
esr(config-dnat-ruleset)# from zone untrusted

ip address

This command sets the internal IP address which will replace a destination IP address.

The use of a negative form (no) of the command removes a specified IP address.

Syntax
ip address <ADDR>
no ip address
Parameters

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Required privilege level

10

Command mode

CONFIG-DNAT-POOL

Example
esr(config-dnat-pool)# ip address 10.10.10.10

ip address-range

Set the range of external IP addresses which will replace a source IP address.

The use of a negative form (no) of the command removes a specified range of addresses.

Syntax
ip address-range <IP>[-<ENDIP>]
no ip address-range
Parameters

<IP> – IP address of the beginning of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ENDIP> – IP address of the end of the range, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. If IP address of the end of the range is not specified, only IP address of the beginning of the range is used as IP address for translation.

Required privilege level

10

Command mode

CONFIG-SNAT-POOL

Example
esr(config-snat-pool)# ip address-range 10.10.10.1-10.10.10.20

ip nat proxy-arp

This command allows the router to respond to ARP requests for IP addresses from a specified pool. The feature makes it unnecessary to assign every IP address from the translation pool to the interface.

Syntax
ip nat proxy-arp <OBJ-GROUP-NETWORK-NAME>
no ip nat proxy-arp
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

Default value

NAT Proxy ARP function is disabled.

Required privilege level

10

Command mode

CONFIG-GI

CONFIG-TE

CONFIG-SUBIF

CONFIG-QINQ-IF

CONFIG-PORT-CHANNEL

CONFIG-BRIDGE

CONFIG-CELLULAR-MODEM

CONFIG-LT

Example
esr(config-if-gi)# ip nat proxy-arp nat-pool

ip port

Sets the internal TCP/UDP port which will replace a destination TCP/UDP port.

The use of a negative form (no) of the command removes a specified TCP/UDP port.

Syntax
ip port <PORT>
no ip port
Parameters

<PORT> – TCP/UDP port, takes values of [1..65535].

Required privilege level

10

Command mode

CONFIG-DNAT-POOL

Example
esr(config-dnat-pool)# ip port 5000

ip port-range

Specify the range of external TCP/UDP ports which will replace a source TCP/UDP port.

The use of a negative form (no) of the command removes a specified range of ports.

Syntax
ip port-range <PORT>[-<ENDPORT>]
no ip port-range
Parameters

<PORT> – TCP/UDP port of the beginning of range, takes values of [1..65535];

<ENDPORT> – TCP/UDP port of the end of range, takes values of [1..65535]. If TCP/UDP port of the end of the range is not specified, only TCP/UDP port of the beginning of the range is used as TCP/UDP port for translation.

Required privilege level

10

Command mode

CONFIG-SNAT-POOL

Example
esr(config-snat-pool)# ip port-range 20-100

match destination-address

Set the profile of destination IP addresses for which the rule should work.

When using 'not' command, the rule will work for destination IP addresses which are not included in a specified profile. The use of a negative form (no) of the command cancels set action.

Syntax
match [not] destination-address <OBJ-GROUP-NETWORK-NAME>
no match destination-address
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by a string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any destination IP address.

Default value

any

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match destination-address remote

match destination-address-port

This command sets the profile of IP address bundles and destination TCP/UDP ports for which the rule should work.

When using 'not' parameter, the rule will work for IP address bundles and destination TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] destination-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
no match destination-address-port
Parameters

<OBJ-GROUP-ADDRESS-PORT-NAME> – the name of the profile of IP address bundles and TCP/UDP ports is specified by a string of up to 31 characters.  When specifying the value 'any', the rule will not consider this filtering method.

Default value

any

Required privilege level

10

Command mode

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match destination-address-port local

match destination-port

This command sets the profile of destination TCP/UDP ports for which the rule should work.

When using 'not' command, the rule will work for destination TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command cancels set action.

Syntax
match [not] destination-port <PORT-SET-NAME>
no match destination-port
Parameters

<PORT-SET-NAME> – port profile name, set by a string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match destination-port ssh

match icmp

The command configures ICMP parameters when ICMP is selected by the 'match protocol' command. It specifies the type and code of the ICMP messages for which the rule should work.

When using 'not' command, the rule will work for all types and codes of ICMP messages excluding specified ones.

The use of a negative form (no) of the command sets the default value.

Syntax
match [not] icmp { <ICMP_TYPE> <ICMP_CODE> | <OPTION> }
no match icmp
Parameters

<ICMP_TYPE> – ICMP message type, takes values of [0..255];

<ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the “any” value, the rule will work for any ICMP message code;

<OPTION> – standard types of ICMP messages can take values:

  • administratively-prohibited;
  • alternate-address;
  • conversion-error;
  • dod-host-prohibited;
  • dod-network-prohibited;
  • echo;
  • echo-reply;
  • host-isolated;
  • host-precedence;
  • host-redirect;
  • host-tos-redirect;
  • host-tos-unreachable;
  • host-unknown;
  • host-unreachable;
  • information-reply;
  • information-request;
  • mask-reply;
  • mask-request;
  • network-redirect;
  • network-tos-redirect;
  • network-tos-unreachable;
  • network-unknown;
  • network-unreachable;
  • option-missing;
  • packet-too-big;
  • parameter-problem;
  • port-unreachable;
  • precedence;
  • protocol-unreachable;
  • reassembly-timeout;
  • router-advertisement;
  • router-solicitation;
  • source-quench;
  • source-route-failed;
  • time-exceeded;
  • timestamp-reply;
  • timestamp-request;
  • traceroute.
Default value

any any

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match icmp 2 any

match protocol

The command sets the name or number of the IP protocol for which the rule should work.

When using 'not' parameter, the rule will work for all protocols except a specified one.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] protocol <TYPE>
no match protocol
match [not] protocol-id <ID>
no match protocol-id
Parameters

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.

When specifying the 'any' value, the rule will work for any protocols.

<ID> – IP protocol number, takes values of [0x00-0xFF].

Default value

any

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match protocol udp

match source-address

The command specifies the profile of source IP addresses for which the rule should work.

When using the 'not' keyword, the rule will work for source IP addresses which are not included in the specified profile.

The use of a negative form (no) of the command cancels set action.

Syntax
match [not] source-address <OBJ-GROUP-NETWORK-NAME>
no match source-address
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any source IP address.

Default value

any

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match source-address local

match source-address-port

This command sets the profile of IP address bundles and source TCP/UDP ports for which the rule should trigger.

When using 'not' (match not) parameter, the rule will work for IP address bundles and source TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] source-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
no match source-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
Parameters

<OBJ-GROUP-ADDRESS-PORT-NAME> – the name of the profile of IP address bundles and TCP/UDP ports is specified by a string of up to 31 characters.  When specifying the value 'any', the rule will not consider this filtering method.

Default value

any

Required privilege level

10

Command mode

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match source-address-port admin

match source-port

The command sets the profile of source TCP/UDP ports for which the rule should work.

When using 'not' command, the rule will work for source TCP/UDP ports which are not included in a specified profile. The use of a negative form (no) of the command cancels set action.

Syntax
match [not] source-port <PORT-SET-NAME>
no match source-port
Parameters

<PORT-SET-NAME> – port profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

Required privilege level

10

Command mode

CONFIG-DNAT-RULE

CONFIG-SNAT-RULE

Example
esr(config-snat-rule)# match source-port telnet

nat alg

This command enables the IP address translation feature in the application level headers.

The use of a negative form (no) of the command disables the IP address translation feature in the application level headers.

Syntax
[no] nat alg { <PROTOCOL> }
Parameters

<PROTOCOL> is an application-level protocol, in which headers address translation should work, takes the values [ftp, h323, pptp, netbios-ns, gre, sip, tftp].

Instead of a certain protocol you can use the 'all' key that enables IP address translation in all available protocols headers.

Default value

The IP address translation feature in application level headers is disabled.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# nat alg ftp

nat destination

This command allows you to enter the configuration mode of the destination address translation service (DNAT, Destination NAT).

The use of a negative form (no) of the command removes the configuration of the destination address translation service (DNAT, Destination NAT).

Syntax
[no] nat destination
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# nat destination
esr(config-dnat)#

nat source

This command allows you to enter the configuration mode of the source address translation service (SNAT, Source NAT).

The use of a negative form (no) of the command removes the configuration of the source address translation service (SNAT, Source NAT).

Syntax
[no] nat source
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# nat source
esr(config-snat)#

persistent

This command enables NAT persistent feature.

NAT persistent allows applications to use STUN (session traversal utilities for NAT) to establish a connection with devices behind the NAT gateway. This ensures that requests from the same internal address are translated to the same external address.

The use of a negative form (no) of the command sets the default value.

Syntax
[no] persistent 
Parameters

The command does not contain parameters.

Default value

NAT persistent feature disabled.

Required privilege level

10

Command mode

CONFIG-SNAT-POOL

Example
esr(config-snat-pool)# persistent
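A Python model of a CONFIG-SNAT-POOL that ties together 'ip address-range', 'ip port-range' and 'persistent', and checks the property the persistent feature is for: every new session from the same internal address gets the same external address. This is an added example, not Eltex code; the page states only what persistent guarantees, so the selection strategy (a hash of the inside address when persistent, round-robin otherwise) is an assumption, and the pools and hosts are constructed.

```python
"""Model of a CONFIG-SNAT-POOL: 'ip address-range', 'ip port-range' and
'persistent' (added example, not Eltex code).

The page says only that a persistent pool maps the same internal address to
the same external address; the selection strategy here (hash of the inside
address when persistent, round-robin otherwise) is an assumption.
"""
import hashlib
import ipaddress
import itertools
from typing import List, Optional


def parse_range(spec: str, kind: str) -> List:
    """Parse '<IP>[-<ENDIP>]' or '<PORT>[-<ENDPORT>]' as the commands define them;
    a missing end value means the range is just the start value."""
    start, _, end = spec.partition("-")
    end = end or start
    if kind == "ip":
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        items = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    else:
        lo, hi = int(start), int(end)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("ports must satisfy 1 <= PORT <= ENDPORT <= 65535")
        items = list(range(lo, hi + 1))
    if not items:
        raise ValueError(f"empty range: {spec}")
    return items


class SnatPool:
    def __init__(self, address_range: str, port_range: Optional[str] = None,
                 persistent: bool = False):
        self.addresses = parse_range(address_range, "ip")
        self.ports = parse_range(port_range, "port") if port_range else None
        self.persistent = persistent  # default on the router: disabled
        self._next_addr = itertools.cycle(self.addresses)
        self._next_port = itertools.cycle(self.ports) if self.ports else None

    def select_address(self, inside_ip: str) -> str:
        """External address for a new session from inside_ip."""
        if self.persistent:
            # Deterministic choice keyed on the inside address, so every new
            # session from the same host reuses the same external address.
            digest = hashlib.sha256(inside_ip.encode()).digest()
            return self.addresses[int.from_bytes(digest[:4], "big") % len(self.addresses)]
        return next(self._next_addr)  # assumed round-robin when not persistent

    def select_port(self, inside_port: int) -> int:
        """External port: taken from 'ip port-range' if set, else unchanged."""
        return inside_port if self._next_port is None else next(self._next_port)


def external_address_stable(pool: SnatPool, inside_ip: str, sessions: int = 5) -> bool:
    """True when `sessions` new flows from inside_ip all get the same external
    address, which is the property STUN-based applications rely on."""
    return len({pool.select_address(inside_ip) for _ in range(sessions)}) == 1


if __name__ == "__main__":
    # Constructed pools mirroring the examples in this section
    print(external_address_stable(SnatPool("10.10.10.1-10.10.10.20", "20-100"), "192.168.1.5"))
    print(external_address_stable(SnatPool("10.10.10.1-10.10.10.20", persistent=True), "192.168.1.5"))
```

With more than one address in the range and persistent disabled, the model shows why a STUN-discovered mapping can stop matching later sessions from the same host; with a single-address range the question does not arise.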

pool

The command creates and assigns a pool of IP addresses and TCP/UDP ports with a specific name for the NAT service and changes the command mode to SNAT POOL or DNAT POOL.

If a pool is used in any group of rules, then it cannot be deleted.

The use of a negative form (no) of the command removes a specified NAT addresses pool.

Syntax
[no] pool <NAME>
Parameters

<NAME> – NAT addresses pool name, set by the string of up to 31 characters. If you use the command to delete, then specifying the value 'all' will delete all pools of IP addresses and TCP/UDP ports.

Required privilege level

10

Command mode

CONFIG-DNAT

CONFIG-SNAT

Example
esr(config-snat)# pool nat
esr(config-snat-pool)#

rearrange

This command changes the step between the created rules.

Syntax
rearrange <VALUE>
Parameters

<VALUE> – step between rule numbers, takes values of [1..50].

Required privilege level

10

Command mode

CONFIG-DNAT-RULESET

CONFIG-SNAT-RULESET

Example
esr(config-dnat-ruleset)# rearrange 10

renumber rule

This command changes the rule number.

Syntax
renumber rule <CUR_ORDER> <NEW_ORDER>
Parameters

<CUR_ORDER>  – current rule number, takes values of [1..10000].

<NEW_ORDER>  – new rule number, takes values of [1..10000].

Required privilege level

10

Command mode

CONFIG-DNAT-RULESET

CONFIG-SNAT-RULESET

Example
esr(config-dnat-ruleset)# renumber rule 13 100

rule

This command creates a rule with a specific number and switches the command interface to SNAT RULE or DNAT RULE mode. The device processes the rules in ascending order of their numbers.

The use of a negative form of the command (no) removes the rule by number or all rules.

Syntax
[no] rule <ORDER>
Parameters

<ORDER> – rule number, takes values of [1..10000]. If the command is used for removal, when specifying the 'all' value all rules will be removed.

Required privilege level

10

Command mode

CONFIG-DNAT-RULESET

CONFIG-SNAT-RULESET

Example
esr(config-snat-ruleset)# rule 10
esr(config-snat-rule)#

ruleset

This command is used to create a group of rules with a specific name and to enter the SNAT RULESET or DNAT RULESET command mode.

The use of a negative form (no) of the command removes a specified rule group.

Syntax
[no] ruleset <NAME>
Parameters

<NAME> – rule group name, set by the string of up to 31 characters. If the command is used for removal, when specifying the 'all' value all rule groups will be removed.

Required privilege level

10

Command mode

CONFIG-DNAT

CONFIG-SNAT

Example
esr(config-snat)# ruleset wan
esr(config-snat-ruleset)#
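The following Python model covers the rule-group commands of this section together: 'rule' and 'enable' (a new rule is disabled until enabled), the 'match' family including 'match not' and the 'any' default, processing in ascending rule order, and the 'renumber rule' and 'rearrange' housekeeping commands. It is an added example and not Eltex code. Two points are assumptions because the page does not state them: the first enabled rule whose criteria all match is the one selected, and 'rearrange <VALUE>' renumbers rules as VALUE, 2*VALUE, ... while keeping their relative order. The object-group profiles (local, remote, ssh, telnet) and the packets are constructed.

```python
"""Model of a NAT rule group: 'rule', 'enable', the 'match' family with
'not', 'renumber rule' and 'rearrange' (added example, not Eltex code).

Assumptions: the first enabled rule whose criteria all match is selected
(the page says only that rules are processed in ascending order), and
'rearrange <VALUE>' renumbers rules as VALUE, 2*VALUE, ... keeping their
relative order. Profile names and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed object-group profiles standing in for the router's own
NETWORK_PROFILES = {"local": ["192.168.1.0/24"], "remote": ["198.51.100.0/24"]}
PORT_PROFILES = {"ssh": [22], "telnet": [23]}
FIELD = {"source-address": "src", "destination-address": "dst",
         "source-port": "sport", "destination-port": "dport", "protocol": "proto"}


@dataclass
class Match:
    key: str              # one of the keys in FIELD
    value: str = "any"    # profile name, protocol name or 'any'
    negate: bool = False  # 'match not ...'


@dataclass
class Rule:
    order: int
    enabled: bool = False            # 'enable' defaults to Disabled
    matches: List[Match] = field(default_factory=list)
    action: tuple = ("off",)


def match_one(m: Match, pkt: Dict) -> bool:
    """Evaluate one 'match [not] ...' criterion against a packet dict."""
    if m.value == "any":
        hit = True  # 'any' never restricts; a negated 'any' matches nothing
    elif m.key.endswith("-address"):
        ip = ipaddress.ip_address(pkt[FIELD[m.key]])
        hit = any(ip in ipaddress.ip_network(n) for n in NETWORK_PROFILES[m.value])
    elif m.key.endswith("-port"):
        hit = pkt[FIELD[m.key]] in PORT_PROFILES[m.value]
    elif m.key == "protocol":
        hit = pkt["proto"] == m.value
    else:
        raise ValueError(f"unknown match key {m.key}")
    return hit != m.negate


class Ruleset:
    def __init__(self, name: str):
        self.name = name
        self.rules: Dict[int, Rule] = {}

    def rule(self, order: int) -> Rule:
        if not 1 <= order <= 10000:
            raise ValueError("rule number must be in [1..10000]")
        return self.rules.setdefault(order, Rule(order))

    def first_match(self, pkt: Dict) -> Optional[Rule]:
        """Walk rules in ascending number; disabled rules are skipped."""
        for order in sorted(self.rules):
            r = self.rules[order]
            if r.enabled and all(match_one(m, pkt) for m in r.matches):
                return r
        return None

    def renumber(self, cur: int, new: int) -> None:
        if new in self.rules:
            raise ValueError(f"rule {new} already exists")
        r = self.rules.pop(cur)
        r.order = new
        self.rules[new] = r

    def rearrange(self, step: int) -> None:
        if not 1 <= step <= 50:
            raise ValueError("step must be in [1..50]")
        ordered = [self.rules[o] for o in sorted(self.rules)]
        self.rules = {}
        for i, r in enumerate(ordered, start=1):
            r.order = i * step
            self.rules[r.order] = r
```

The disabled-by-default rule is worth keeping in mind when auditing a configuration: a rule that looks complete in 'show ip nat source rulesets' but reports Status: Disabled matches nothing, and a 'match not any' criterion can never match.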

show ip nat alg

This command displays information about the functionality of IP address translation in application level headers.

Syntax
show ip nat alg
Parameters

The command does not contain parameters.

Required privilege level

1

Command mode

ROOT

Example
esr# show ip nat alg
ALG Status:
    FTP:   Enabled
    H.323: Disabled
    GRE:   Disabled
    PPTP:  Disabled
    SIP:   Disabled
    SNMP:  Disabled
    TFTP:  Disabled

show ip nat pool

This command displays pools of internal and external IP addresses and TCP/UDP ports.

Syntax
show ip nat <TYPE> pools
Parameters

<TYPE> – the type of pools to view:

  • source – external IP addresses and TCP/UDP ports;
  • destination – internal IP addresses and TCP/UDP ports;
Required privilege level

1

Command mode

ROOT

Example
esr# show nat source pools
   Pools
   ~~~~~
ID     Name                    Ip address          Port      Description   Persi
                                                   range                   stent
----   ---------------------   -----------------   -------   -----------   -----
0      outside                 25.56.48.11         2000 –    outside-poo   false
                                                   3000       l

show ip nat ruleset

This command displays all or selected rule groups used by the NAT function.

Syntax
show ip nat <TYPE> ruleset [<NAME>]
Parameters

<TYPE> – rule group type:

  • source – rule group for sender's IP address and TCP/UDP port translation;
  • destination – rule group for receiver's IP address and TCP/UDP port translation;

[NAME] – rule group name, optional parameter. If the name is not specified, a list of all rule groups will be displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show ip nat source rulesets
   Rulesets
   ~~~~~~~~
ID     Name                               To                   Description
----   --------------------------------   ------------------   -----------------
0      factory                            zone 'untrusted'
1      test                               gigabitethernet      test
                                            1/0/1
esr# show ip nat source rulesets factory
Ruleset:           factory
Description:
To:                none
Rules:
------
Order:             10
Description:       replace 'source ip' by outgoing interface ip address
Matching pattern:
    Protocol:      any(0)
    Src-addr:      any
    Dest-addr:     any
Action:          interface port any
Status:            Enabled
--------------------------------------------------------------------------------

show ip nat translations

This command shows translation sessions. To view statistics, you should enable counters (see section IP firewall mode).

Syntax
show ip nat translations [ vrf <VRF> ] [ protocol <TYPE> ] [ inside-source-address <ADDR> ] [ outside-source-address <ADDR> ] [ inside-destination-address <ADDR> ] [ outside-destination-address <ADDR> ] [ inside-source-port <PORT> ] [ outside-source-port <PORT> ] [ inside-destination-port <PORT> ] [ outside-destination-port <PORT> ] [ summary ]
Parameters

<VRF> – VRF instance name, set by a string of up to 31 characters. When this parameter is specified, translation sessions of the specified VRF will be displayed.

summary – displays summary statistics for translation sessions;

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<PORT> – TCP/UDP port, takes values of [1..65535];

For Source NAT:

  • inside-source-address – key to specify the source IP address before translation;
  • inside-destination-address – key to specify the destination IP address on the router's input;
  • outside-source-address – key to specify the source IP address after translation;
  • outside-destination-address – key to specify the destination IP address on the router's output;
  • inside-source-port – key to specify the source TCP/UDP port before translation;
  • outside-source-port – key to specify the source TCP/UDP port after translation;
  • inside-destination-port – key to specify the destination TCP/UDP port before translation;
  • outside-destination-port – key to specify the destination TCP/UDP port after translation;

For Destination NAT

  • inside-source-address – key to specify the source IP address on the router's output;
  • inside-destination-address – key to specify the destination IP address after translation;
  • outside-source-address – key to specify the source IP address on the router's input;
  • outside-destination-address – key to specify the destination IP address before translation;
  • inside-source-port – key to specify the source TCP/UDP port before translation;
  • outside-source-port – key to specify the source TCP/UDP port after translation;
  • inside-destination-port – key to specify the destination TCP/UDP port before translation;
  • outside-destination-port – key to specify the destination TCP/UDP port after translation;
Required privilege level

1

Command mode

ROOT

Example 1

Source NAT

esr# show ip nat translations
Prot   Inside source  Inside destination Outside source Outside destination Pkts Bytes
----   ------------  -----------------   ------------   --------------     -----  -----
icmp   115.0.0.10         1.1.0.2         1.1.0.24          1.1.0.2          3    252
Example 2

Destination NAT

esr#  show ip nat translations
Prot   Inside source  Inside destination Outside source Outside destination Pkts Bytes
----   ------------  -----------------   ------------   --------------     -----  -----
icmp     1.1.0.2        115.0.0.10         1.1.0.2         1.1.0.16          --    --
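A parser for the 'show ip nat translations' table, written as an added example (not Eltex code) so that the output can be filtered with the same keys the command accepts and so that sessions whose counters are not enabled show up explicitly. The sample text is the two example outputs above, joined into one constructed listing; the column layout is assumed to stay whitespace-separated with seven fields per session line, as in those examples.

```python
"""Parse and filter 'show ip nat translations' output (added example,
not Eltex code). SAMPLE is constructed from the two example outputs above;
the parser assumes seven whitespace-separated fields per session line."""
from collections import Counter
from typing import Dict, List, Optional

SAMPLE = """\
Prot   Inside source  Inside destination Outside source Outside destination Pkts Bytes
----   ------------  -----------------   ------------   --------------     -----  -----
icmp   115.0.0.10         1.1.0.2         1.1.0.24          1.1.0.2          3    252
icmp     1.1.0.2        115.0.0.10         1.1.0.2         1.1.0.16          --    --
"""

# Column names chosen to match the command's own filter keys
FIELDS = ("protocol", "inside-source-address", "inside-destination-address",
          "outside-source-address", "outside-destination-address", "pkts", "bytes")


def parse_translations(text: str) -> List[Dict]:
    """Turn the table into a list of session dicts; '--' counters become None,
    which is what the router prints when counters are not enabled."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "Prot" or parts[0].startswith("-"):
            continue  # header, separator or blank line
        rec = dict(zip(FIELDS, parts))
        for key in ("pkts", "bytes"):
            rec[key] = None if rec[key] == "--" else int(rec[key])
        sessions.append(rec)
    return sessions


def filter_translations(sessions: List[Dict], **criteria: str) -> List[Dict]:
    """Apply filters named like the CLI keys, with '_' in place of '-',
    e.g. filter_translations(s, inside_source_address='115.0.0.10')."""
    wanted = {k.replace("_", "-"): v for k, v in criteria.items()}
    unknown = set(wanted) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown filter key(s): {sorted(unknown)}")
    return [s for s in sessions if all(s[k] == v for k, v in wanted.items())]


def summary(sessions: List[Dict]) -> Dict[str, int]:
    """Session count per protocol, the 'summary' view in miniature."""
    return dict(Counter(s["protocol"] for s in sessions))


def without_counters(sessions: List[Dict]) -> List[Dict]:
    """Sessions whose Pkts/Bytes are missing: the page's reminder that
    statistics appear only after counters are enabled."""
    return [s for s in sessions if s["pkts"] is None or s["bytes"] is None]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(filter_translations(rows, inside_source_address="115.0.0.10"))
    print(summary(rows), len(without_counters(rows)))
```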

show ip nat proxy-arp

This command displays the NAT Proxy ARP settings.

Syntax
show ip nat proxy-arp
Required privilege level

1

Command mode

ROOT

Example
esr# show nat proxy-arp
Interface     IP address range
-----------   ---------------------------------------------
gi1/0/15      115.0.0.15-115.0.0.100

to

This command restricts the scope of the rule group. The rules will be applied only to traffic going to a certain zone or interface.

The use of a negative form (no) of the command removes the restriction on the scope of the rule group.

Syntax
to { zone <NAME> | interface <IF> | tunnel <TUN> | default }
no to
Parameters

<NAME> – isolation zone name;

<IF> – an interface's name, specified in the form described in Section Types and naming order of router interfaces;

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels.

default – denotes a group of rules for all traffic whose destination did not fall under the criteria of other groups of rules.

Only one rule group may have the 'default' value of the 'to' parameter.

Default value

None

Required privilege level

10

Command mode

CONFIG-SNAT-RULESET

Example
esr(config-snat)# ruleset test
esr(config-snat-ruleset)# to interface gigabitethernet 1/0/1