3.2.20. nat¶

Note

requires a Product License.

NAT configuration.

vsr running config# vrf <vrf> nat

source-rule¶

A rule to change the source address/port of outgoing packets.

vsr running config# vrf <vrf> nat
vsr running nat# source-rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   outbound-interface [not] <string> \
...   translate-to map MAP output-address \
...     address VALUE port PORT \
...       port-range START END \
...     address-range START END port PORT \
...       port-range START END

Priority of the rule. High number means lower priority.

description¶

A comment to describe the rule.

description <string>

protocol¶

Match a protocol.

protocol [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The protocol to match.

VALUE

VALUE

Protocol types.

destination¶

Match a destination attribute.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>

address¶

Match this destination address or prefix.

address [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The address to match.

VALUE

VALUE

Address type.

port¶

Match this destination port.

port [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group¶

Matches a set of addresses or networks.

group [not] <string>

not¶

Not match-set.

not

<string> (mandatory)¶

The name of the group.

<string>

source¶

Match a source attribute.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>

address¶

Match this source address or prefix.

address [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The address to match.

VALUE

VALUE

Address type.

port¶

Match this source port.

port [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group¶

Matches a set of addresses or networks.

group [not] <string>

not¶

Not match-set.

not

<string> (mandatory)¶

The name of the group.

<string>

mark¶

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>

not¶

Invert the match.

not

<0x0-0xffffffff> (mandatory)¶

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>

mask¶

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

outbound-interface¶

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>

not¶

Invert the match.

not

<string> (mandatory)¶

The interface to match.

<string>

translate-to¶

Translate to.

translate-to map MAP output-address \
     address VALUE port PORT \
       port-range START END \
     address-range START END port PORT \
       port-range START END

map¶

Translate a whole network of addresses onto another network of addresses. All ‘one’ bits in the mask are filled in from the new address. All bits that are zero in the mask are filled in from the original address.

map MAP

MAP	An IPv4 prefix: address and CIDR mask.

output-address¶

Translate to the address found on the outgoing interface.

output-address

address¶

Translate to an address and port/port range.

address VALUE port PORT \
     port-range START END

VALUE (mandatory)¶

Translate to an address.

VALUE

VALUE

An IPv4 address.

port¶

Translate to a port.

port PORT

PORT	A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Translate to a port range.

port-range START END

START (mandatory)¶

Port range start.

START

START

A 16-bit port number used by a transport protocol such as TCP or UDP.

END (mandatory)¶

Port range end.

END

END	A 16-bit port number used by a transport protocol such as TCP or UDP.

address-range¶

Translate to an address range and port/port range.

address-range START END port PORT \
     port-range START END

START (mandatory)¶

Address range start.

START

START

An IPv4 address.

END (mandatory)¶

Address range end.

END

END	An IPv4 address.

port¶

Translate to a port.

port PORT

PORT	A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Translate to a port range.

port-range START END

START (mandatory)¶

Port range start.

START

START

A 16-bit port number used by a transport protocol such as TCP or UDP.

END (mandatory)¶

Port range end.

END

END	A 16-bit port number used by a transport protocol such as TCP or UDP.

counters (state only)¶

Counters.

packets (state only)¶

Packets.

vsr> show state vrf <vrf> nat source-rule <uint64> counters packets

bytes (state only)¶

Bytes.

vsr> show state vrf <vrf> nat source-rule <uint64> counters bytes

destination-rule¶

A rule to change the destination address/port of incoming packets.

vsr running config# vrf <vrf> nat
vsr running nat# destination-rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   inbound-interface [not] <string> \
...   translate-to map MAP \
...     address VALUE port PORT \
...       port-range START END \
...     address-range START END port PORT \
...       port-range START END

Priority of the rule. High number means lower priority.

description¶

A comment to describe the rule.

description <string>

protocol¶

Match a protocol.

protocol [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The protocol to match.

VALUE

VALUE

Protocol types.

destination¶

Match a destination attribute.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>

address¶

Match this destination address or prefix.

address [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The address to match.

VALUE

VALUE

Address type.

port¶

Match this destination port.

port [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group¶

Matches a set of addresses or networks.

group [not] <string>

not¶

Not match-set.

not

<string> (mandatory)¶

The name of the group.

<string>

source¶

Match a source attribute.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>

address¶

Match this source address or prefix.

address [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The address to match.

VALUE

VALUE

Address type.

port¶

Match this source port.

port [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE

not¶

Invert the match.

not

VALUE (mandatory)¶

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group¶

Matches a set of addresses or networks.

group [not] <string>

not¶

Not match-set.

not

<string> (mandatory)¶

The name of the group.

<string>

mark¶

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>

not¶

Invert the match.

not

<0x0-0xffffffff> (mandatory)¶

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>

mask¶

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

inbound-interface¶

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>

not¶

Invert the match.

not

<string> (mandatory)¶

The interface to match.

<string>

translate-to¶

Translate to.

translate-to map MAP \
     address VALUE port PORT \
       port-range START END \
     address-range START END port PORT \
       port-range START END

map¶

Translate a whole network of addresses onto another network of addresses. All ‘one’ bits in the mask are filled in from the new address. All bits that are zero in the mask are filled in from the original address.

map MAP

MAP	An IPv4 prefix: address and CIDR mask.

address¶

Translate to an address and port/port range.

address VALUE port PORT \
     port-range START END

VALUE (mandatory)¶

Translate to an address.

VALUE

VALUE

An IPv4 address.

port¶

Translate to a port.

port PORT

PORT	A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Translate to a port range.

port-range START END

START (mandatory)¶

Port range start.

START

START

A 16-bit port number used by a transport protocol such as TCP or UDP.

END (mandatory)¶

Port range end.

END

END	A 16-bit port number used by a transport protocol such as TCP or UDP.

address-range¶

Translate to an address range and port/port range.

address-range START END port PORT \
     port-range START END

START (mandatory)¶

Address range start.

START

START

An IPv4 address.

END (mandatory)¶

Address range end.

END

END	An IPv4 address.

port¶

Translate to a port.

port PORT

PORT	A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range¶

Translate to a port range.

port-range START END

START (mandatory)¶

Port range start.

START

START

A 16-bit port number used by a transport protocol such as TCP or UDP.

END (mandatory)¶

Port range end.

END

END	A 16-bit port number used by a transport protocol such as TCP or UDP.

counters (state only)¶

Counters.

packets (state only)¶

Packets.

vsr> show state vrf <vrf> nat destination-rule <uint64> counters packets

bytes (state only)¶

Bytes.

vsr> show state vrf <vrf> nat destination-rule <uint64> counters bytes