2.17. nat¶
Note
Requires a Product License.
NAT configuration.
vsr running config# vrf <vrf> nat
2.17.1. source-rule¶
A rule to change the source address/port of outgoing packets.
vsr running config# vrf <vrf> nat
vsr running nat# source-rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... outbound-interface [not] <string> \
... translate-to map MAP output-address \
... address VALUE port PORT \
... port-range START END \
... address-range START END port PORT \
... port-range START END
<uint64> |
Priority of the rule. A higher number means a lower priority. |
description¶
A comment to describe the rule.
description <string>
protocol¶
Match a protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol types. |
destination¶
Match a destination attribute.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match this destination address or prefix.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match this destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match addresses that are not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match a source attribute.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match this source address or prefix.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match this source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match addresses that are not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
translate-to¶
The translation to apply to the source address/port of matching packets.
translate-to map MAP output-address \
address VALUE port PORT \
port-range START END \
address-range START END port PORT \
port-range START END
map¶
Translate a whole network of addresses onto another network of addresses. All ‘one’ bits in the mask are filled in from the new address. All bits that are zero in the mask are filled in from the original address.
map MAP
MAP |
An IPv4 prefix: address and CIDR mask. |
output-address¶
Translate to the address found on the outgoing interface.
output-address
address¶
Translate to an address and port/port range.
address VALUE port PORT \
port-range START END
VALUE (mandatory)¶
Translate to an address.
VALUE
VALUE |
An IPv4 address. |
port¶
Translate to a port.
port PORT
PORT |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Translate to a port range.
port-range START END
START (mandatory)¶
Port range start.
START
START |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
END (mandatory)¶
Port range end.
END
END |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
address-range¶
Translate to an address range and port/port range.
address-range START END port PORT \
port-range START END
START (mandatory)¶
Address range start.
START
START |
An IPv4 address. |
END (mandatory)¶
Address range end.
END
END |
An IPv4 address. |
port¶
Translate to a port.
port PORT
PORT |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Translate to a port range.
port-range START END
START (mandatory)¶
Port range start.
START
START |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
END (mandatory)¶
Port range end.
END
END |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
counters (state only)¶
Counters.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> nat source-rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> nat source-rule <uint64> counters bytes
2.17.2. destination-rule¶
A rule to change the destination address/port of incoming packets.
vsr running config# vrf <vrf> nat
vsr running nat# destination-rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... inbound-interface [not] <string> \
... translate-to map MAP \
... address VALUE port PORT \
... port-range START END \
... address-range START END port PORT \
... port-range START END
<uint64> |
Priority of the rule. A higher number means a lower priority. |
description¶
A comment to describe the rule.
description <string>
protocol¶
Match a protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol types. |
destination¶
Match a destination attribute.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match this destination address or prefix.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match this destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match addresses that are not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match a source attribute.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match this source address or prefix.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match this source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match addresses that are not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
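The port-range and mark/mask match semantics described above (identical in source-rule and destination-rule), as an added Python example that is not part of the vSR documentation. Function names are illustrative and the sample values are constructed; the mark comparison follows the page's description, (mark AND mask) compared with the value.

```python
def parse_port_range(spec: str) -> list[tuple[int, int]]:
    """Parse 'port[,port|,port-port]' into inclusive (low, high) pairs."""
    ranges = []
    for item in spec.split(","):
        low, sep, high = item.partition("-")
        lo = int(low)                      # ValueError on empty or non-numeric
        hi = int(high) if sep else lo
        if not (0 <= lo <= hi <= 0xFFFF):  # ports are 16-bit, low must not exceed high
            raise ValueError(f"bad port item {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_range_matches(port: int, spec: str, negate: bool = False) -> bool:
    """Evaluate 'port-range [not] VALUE' for one packet port."""
    hit = any(lo <= port <= hi for lo, hi in parse_port_range(spec))
    return hit != negate                   # 'not' inverts the result


def mark_matches(packet_mark: int, value: int, mask: int, negate: bool = False) -> bool:
    """Evaluate 'mark [not] VALUE mask MASK': the mask is ANDed with the
    packet mark before the comparison."""
    hit = (packet_mark & mask) == value
    return hit != negate


def mark_rule_is_degenerate(value: int, mask: int) -> bool:
    """True if VALUE has bits outside MASK. Such a rule can never match,
    and with 'not' it matches every packet, which for a NAT rule means
    translating far more traffic than intended."""
    return (value & ~mask & 0xFFFFFFFF) != 0


if __name__ == "__main__":
    spec = "21,22,1024-2048"               # the page's own example value
    print(parse_port_range(spec))
    print(port_range_matches(1500, spec), port_range_matches(80, spec, negate=True))
    print(mark_matches(0x1234, 0x34, 0xFF))
    print(mark_rule_is_degenerate(0x1234, 0xFF))
```

Running `mark_rule_is_degenerate` over the value/mask pairs of a rule set before committing it catches rules that silently match nothing, or everything when combined with `not`.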
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
translate-to¶
The translation to apply to the destination address/port of matching packets.
translate-to map MAP \
address VALUE port PORT \
port-range START END \
address-range START END port PORT \
port-range START END
map¶
Translate a whole network of addresses onto another network of addresses. All ‘one’ bits in the mask are filled in from the new address. All bits that are zero in the mask are filled in from the original address.
map MAP
MAP |
An IPv4 prefix: address and CIDR mask. |
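The bit rule for map (the same in source-rule and destination-rule), as an added Python example that is not part of the vSR documentation. Function names are illustrative and all addresses are constructed sample values.

```python
import ipaddress


def map_translate(original: str, map_prefix: str) -> str:
    """Apply the documented bit rule for 'translate-to map MAP' to one address.

    Bits that are one in MAP's mask are taken from MAP; bits that are zero
    in the mask are kept from the original address.
    """
    net = ipaddress.IPv4Network(map_prefix, strict=False)
    mask = int(net.netmask)
    keep = mask ^ 0xFFFFFFFF               # bits that are zero in the mask
    orig = int(ipaddress.IPv4Address(original))
    new = int(net.network_address) & mask
    return str(ipaddress.IPv4Address(new | (orig & keep)))


def map_is_one_to_one(matched_prefix: str, map_prefix: str) -> bool:
    """True if every address in matched_prefix gets a distinct translation.

    If the matched network is larger than MAP (shorter prefix length), the
    bit rule sends several original addresses to the same translated one.
    """
    matched = ipaddress.IPv4Network(matched_prefix, strict=False)
    target = ipaddress.IPv4Network(map_prefix, strict=False)
    return matched.prefixlen >= target.prefixlen


if __name__ == "__main__":
    # Constructed sample values (RFC 1918 and documentation ranges).
    print(map_translate("10.1.2.77", "192.0.2.0/24"))      # host byte kept
    print(map_translate("10.1.2.77", "198.51.100.0/22"))   # 10 host bits kept
    # A /16 matched onto a /24: two hosts share one translated address.
    print(map_is_one_to_one("10.1.0.0/16", "192.0.2.0/24"))
    print(map_translate("10.1.1.5", "192.0.2.0/24"),
          map_translate("10.1.2.5", "192.0.2.0/24"))
```

Checking `map_is_one_to_one` against the rule's address match shows whether a rule's translations are unambiguous, which matters when NAT logs are later used to attribute traffic to an internal host.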
address¶
Translate to an address and port/port range.
address VALUE port PORT \
port-range START END
VALUE (mandatory)¶
Translate to an address.
VALUE
VALUE |
An IPv4 address. |
port¶
Translate to a port.
port PORT
PORT |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Translate to a port range.
port-range START END
START (mandatory)¶
Port range start.
START
START |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
END (mandatory)¶
Port range end.
END
END |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
address-range¶
Translate to an address range and port/port range.
address-range START END port PORT \
port-range START END
START (mandatory)¶
Address range start.
START
START |
An IPv4 address. |
END (mandatory)¶
Address range end.
END
END |
An IPv4 address. |
port¶
Translate to a port.
port PORT
PORT |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Translate to a port range.
port-range START END
START (mandatory)¶
Port range start.
START
START |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
END (mandatory)¶
Port range end.
END
END |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
counters (state only)¶
Counters.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> nat destination-rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> nat destination-rule <uint64> counters bytes