(Optional) Configuring a NAT Traffic Diversion Policy on an Outbound Interface

After basic NAT functions are configured, configure a NAT traffic diversion policy on an outbound interface.

Context

The NAT-enabled router is deployed at the egress of an enterprise network, but a large share of the traffic it forwards stays within the enterprise and does not need NAT. If the NAT traffic policy were applied on an inbound interface, intra-enterprise traffic would also be directed to the NAT service board for processing. To avoid this, configure the NAT traffic policy on the outbound interface connected to the public network, so that only traffic destined for the public network is matched against the policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure a traffic classification rule.
    1. Run either of the following commands:

      • For a basic ACL numbered from 2000 to 2999, run the acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ] command.

      • For an advanced ACL numbered from 3000 to 3999, run the acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ] command.

    2. Run either of the following commands to create an ACL rule:

      • For a basic ACL numbered from 2000 to 2999, run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name ] *

      • For an advanced ACL numbered from 3000 to 3999, perform one of the following operations:
        1. If TCP is used, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established |{ ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        2. If UDP is used, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        3. If ICMP is used, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        4. If a protocol, different from the preceding ones, is used, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

      ACL rules match packets by source IP address; the protocol number, source IP address, destination IP address, source port number, destination port number, VPN instance name, and fragment flag can all be specified as match conditions. Subnet masks in ACL rules must be contiguous, that is, all 1 bits consecutive followed by all 0 bits, for example, 255.255.255.0.

      An ACL used in a NAT diversion policy on an outbound interface can contain multiple rules. Packets are matched against the rules in ascending order of rule sequence number, and packets that match are distributed to a service board.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  3. Apply the traffic policy to an interface.
    1. Run interface interface-type interface-number

      The interface view is displayed.

      The command can be configured on the following interfaces:
      • GE main interface and its sub-interface
      • Eth-Trunk main interface and its sub-interface
      • Ethernet main interface and its sub-interface
      • VLANIF interface

    2. Run nat bind acl { acl-index | name acl-name } [ mode deny-forward ] instance instance-name

      The ACL is bound to the NAT instance.

    3. Run commit

      The configuration is committed.
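The matching behaviour described in the procedure above (rules evaluated in ascending sequence order, only contiguous masks accepted, and the policy evaluated only for traffic leaving through the public-facing outbound interface) is modelled below in Python. This is an added illustration, not Huawei code and not the device's implementation; the ACL number 3001, the interface roles, the addresses and the sample packets are constructed for the example, and how the device treats packets that hit a deny rule (which depends on the mode keyword of nat bind acl) is not modelled.

```python
"""Model of an outbound-interface NAT traffic diversion policy.

Added illustration only; the ACL and packets are constructed, and the rule
semantics are a simplification of what the page describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the wildcard's 1 bits are consecutive from the low end
    (0.0.0.255 is valid, 0.0.255.0 is not), i.e. its inverse is a proper
    subnet mask such as 255.255.255.0.  w+1 is then a power of two."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0


def to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn the ACL 'address wildcard' form into an IPv4Network, rejecting
    non-contiguous masks the way the device does."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard} rejected")
    w = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - w.bit_length()          # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.IPv4Network((address, prefix), strict=False)


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" diverts to the NAT board, "deny" does not
    protocol: str                # "ip" matches any protocol; "tcp"/"udp"/"icmp" exact
    source: Optional[ipaddress.IPv4Network] = None       # None means 'any'
    destination: Optional[ipaddress.IPv4Network] = None  # None means 'any'
    destination_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every condition present in the rule must hold for the packet."""
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and ipaddress.IPv4Address(pkt.src) not in rule.source:
        return False
    if rule.destination is not None and ipaddress.IPv4Address(pkt.dst) not in rule.destination:
        return False
    if rule.destination_port is not None and rule.destination_port != pkt.dport:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are tried in ascending sequence order; the first hit wins."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule
    return None


def divert_to_nat(interface_role: str, rules: List[Rule], pkt: Packet) -> bool:
    """The policy is bound only on the public-facing outbound interface, so a
    packet leaving through any other interface is never evaluated (that is the
    point of the outbound placement).  On the public interface the packet goes
    to the NAT board only if its first matching rule is a permit.  Model
    assumption: a deny hit and no hit both mean 'not diverted'."""
    if interface_role != "public-outbound":
        return False
    hit = first_match(rules, pkt)
    return hit is not None and hit.action == "permit"


# Constructed sample ACL 3001 (not from the page): rule 5 keeps intra-enterprise
# traffic away from the NAT board, rule 10 diverts everything else from the
# 10.1.0.0/16 site.  Reordering these two changes the outcome, which is why the
# sequence numbers matter.
ACL_3001 = [
    Rule(5, "deny", "ip", to_network("10.1.0.0", "0.0.255.255"),
         to_network("10.0.0.0", "0.255.255.255")),
    Rule(10, "permit", "ip", to_network("10.1.0.0", "0.0.255.255"), None),
]

if __name__ == "__main__":
    internet = Packet("10.1.2.3", "203.0.113.10", "tcp", 443)
    intranet = Packet("10.1.2.3", "10.2.0.1", "tcp", 443)
    print("to public net :", divert_to_nat("public-outbound", ACL_3001, internet))  # True
    print("intra-site    :", divert_to_nat("public-outbound", ACL_3001, intranet))  # False
    print("wrong iface   :", divert_to_nat("inbound", ACL_3001, internet))          # False
```

The contiguity test is the useful part for anyone generating ACLs from inventory data: a wildcard such as 0.0.255.0 is a common copy-and-paste mistake that the device rejects, so catching it before commit saves a failed configuration step.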

Copyright © Huawei Technologies Co., Ltd.