3.2.14. nat

NAT configuration.

vrouter running config# vrf <vrf> nat

source-rule

A rule to change the source address/port of outgoing packets.

vrouter running config# vrf <vrf> nat
vrouter running nat# source-rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...   outbound-interface [not] <string> \
...   translate-to map MAP output-address \
...     address VALUE port PORT \
...       port-range START END \
...     address-range START END port PORT \
...       port-range START END

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule. High number means lower priority.

vrouter> show state vrf <vrf> nat source-rule <uint64> id

packets (state only)

Packets.

vrouter> show state vrf <vrf> nat source-rule <uint64> packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> nat source-rule <uint64> bytes

protocol

Match a protocol.

protocol [not] VALUE

not

Invert the match.

not

VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
icmp ICMP protocol.
all All protocols.

destination

Match a destination attribute.

destination \
     address [not] VALUE \
     port [not] VALUE

address

Match this destination address or prefix.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<A.B.C.D> An IPv4 address.
<A.B.C.D/M> An IPv4 prefix: address and CIDR mask.

port

Match this destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.

source

Match a source attribute.

source \
     address [not] VALUE \
     port [not] VALUE

address

Match this source address or prefix.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<A.B.C.D> An IPv4 address.
<A.B.C.D/M> An IPv4 prefix: address and CIDR mask.

port

Match this source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>

not

Invert the match.

not

<string> (mandatory)

The interface to match.

<string>

translate-to

Translate to.

translate-to map MAP output-address \
     address VALUE port PORT \
       port-range START END \
     address-range START END port PORT \
       port-range START END

map

Translate a whole network of addresses onto another network of addresses. All ‘one’ bits in the mask are filled in from the new address. All bits that are zero in the mask are filled in from the original address.

map MAP
MAP An IPv4 prefix: address and CIDR mask.

output-address

Translate to the address found on the outgoing interface.

output-address

address

Translate to an address and port/port range.

address VALUE port PORT \
     port-range START END
VALUE (mandatory)

Translate to an address.

VALUE
VALUE An IPv4 address.
port

Translate to a port.

port PORT
PORT A 16-bit port number used by a transport protocol such as TCP or UDP.
port-range

Translate to a port range.

port-range START END
START (mandatory)

Port range start.

START
START A 16-bit port number used by a transport protocol such as TCP or UDP.
END (mandatory)

Port range end.

END
END A 16-bit port number used by a transport protocol such as TCP or UDP.

address-range

Translate to an address range and port/port range.

address-range START END port PORT \
     port-range START END
START (mandatory)

Address range start.

START
START An IPv4 address.
END (mandatory)

Address range end.

END
END An IPv4 address.
port

Translate to a port.

port PORT
PORT A 16-bit port number used by a transport protocol such as TCP or UDP.
port-range

Translate to a port range.

port-range START END
START (mandatory)

Port range start.

START
START A 16-bit port number used by a transport protocol such as TCP or UDP.
END (mandatory)

Port range end.

END
END A 16-bit port number used by a transport protocol such as TCP or UDP.

destination-rule

A rule to change the destination address/port of incoming packets.

vrouter running config# vrf <vrf> nat
vrouter running nat# destination-rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...   inbound-interface [not] <string> \
...   translate-to map MAP \
...     address VALUE port PORT \
...       port-range START END \
...     address-range START END port PORT \
...       port-range START END

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule. High number means lower priority.

vrouter> show state vrf <vrf> nat destination-rule <uint64> id

packets (state only)

Packets.

vrouter> show state vrf <vrf> nat destination-rule <uint64> packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> nat destination-rule <uint64> bytes

protocol

Match a protocol.

protocol [not] VALUE

not

Invert the match.

not

VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
icmp ICMP protocol.
all All protocols.

destination

Match a destination attribute.

destination \
     address [not] VALUE \
     port [not] VALUE

address

Match this destination address or prefix.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<A.B.C.D> An IPv4 address.
<A.B.C.D/M> An IPv4 prefix: address and CIDR mask.

port

Match this destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.

source

Match a source attribute.

source \
     address [not] VALUE \
     port [not] VALUE

address

Match this source address or prefix.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<A.B.C.D> An IPv4 address.
<A.B.C.D/M> An IPv4 prefix: address and CIDR mask.

port

Match this source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>

not

Invert the match.

not

<string> (mandatory)

The interface to match.

<string>

translate-to

Translate to.

translate-to map MAP \
     address VALUE port PORT \
       port-range START END \
     address-range START END port PORT \
       port-range START END

map

Translate a whole network of addresses onto another network of addresses. All ‘one’ bits in the mask are filled in from the new address. All bits that are zero in the mask are filled in from the original address.

map MAP
MAP An IPv4 prefix: address and CIDR mask.

address

Translate to an address and port/port range.

address VALUE port PORT \
     port-range START END
VALUE (mandatory)

Translate to an address.

VALUE
VALUE An IPv4 address.
port

Translate to a port.

port PORT
PORT A 16-bit port number used by a transport protocol such as TCP or UDP.
port-range

Translate to a port range.

port-range START END
START (mandatory)

Port range start.

START
START A 16-bit port number used by a transport protocol such as TCP or UDP.
END (mandatory)

Port range end.

END
END A 16-bit port number used by a transport protocol such as TCP or UDP.

address-range

Translate to an address range and port/port range.

address-range START END port PORT \
     port-range START END
START (mandatory)

Address range start.

START
START An IPv4 address.
END (mandatory)

Address range end.

END
END An IPv4 address.
port

Translate to a port.

port PORT
PORT A 16-bit port number used by a transport protocol such as TCP or UDP.
port-range

Translate to a port range.

port-range START END
START (mandatory)

Port range start.

START
START A 16-bit port number used by a transport protocol such as TCP or UDP.
END (mandatory)

Port range end.

END
END A 16-bit port number used by a transport protocol such as TCP or UDP.