Configuring NAT logging, Introduction to NAT logging, Enabling NAT logging – H3C Technologies H3C S12500 Series Switches User Manual
Configuring NAT logging
Introduction to NAT logging
With NAT logging enabled, a NAT device logs IP address translation information such as the source IP
address, source port number, destination IP address, destination port number, translated source IP
address, translated source port number and user operations.
As multiple internal users share the same external IP address or the same range of external IP addresses
when accessing external networks through a NAT device, it is hard to identify each of the users. The NAT
logging function helps in tracking access of internal users to external networks, thus enhancing network
security.
Note that NAT logging logs only access of internal network users to external networks. It does not log
access of external users to internal servers.
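The user tracking described above, as an added example that is not from the H3C manual: given NAT log records carrying the fields listed in this section, it resolves an outside report of translated address, port and time back to the internal host. The record layout, the sample records and the 10-minute freshness window are constructed assumptions, not the switch's export format.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class NatLog(NamedTuple):
    """One NAT log record with the fields listed above (layout is an assumption)."""
    time: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_ip: str      # translated source IP address
    nat_port: int    # translated source port number


def at(hhmmss: str) -> datetime:
    """Helper for the constructed sample: a time on one fixed day."""
    return datetime.fromisoformat(f"2024-01-01T{hhmmss}")


# Constructed sample records (documentation addresses, not device output).
LOGS = [
    NatLog(at("09:00:05"), "10.1.1.20", 51000, "198.51.100.7", 443, "203.0.113.5", 2001),
    NatLog(at("09:02:30"), "10.1.1.31", 40222, "198.51.100.7", 443, "203.0.113.5", 2002),
    NatLog(at("09:10:05"), "10.1.1.20", 51000, "198.51.100.7", 443, "203.0.113.5", 2001),
    # Same translated port handed to a different host later in the day.
    NatLog(at("11:30:00"), "10.1.1.44", 39000, "198.51.100.7", 443, "203.0.113.5", 2001),
]


def find_internal_host(logs, nat_ip, nat_port, dst_ip, dst_port, when,
                       max_age=timedelta(minutes=10)) -> Optional[NatLog]:
    """Return the record that explains a flow seen outside at `when`, or None.

    The newest matching record at or before `when` wins, so a reused
    translated port is not blamed on an earlier user. A record older than
    `max_age` (assumed equal to the active-session logging interval) is
    treated as no evidence rather than as a match.
    """
    key = (nat_ip, nat_port, dst_ip, dst_port)
    matches = [r for r in logs
               if (r.nat_ip, r.nat_port, r.dst_ip, r.dst_port) == key
               and r.time <= when]
    if not matches:
        return None
    latest = max(matches, key=lambda r: r.time)
    return latest if when - latest.time <= max_age else None
```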
Enabling NAT logging
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable NAT logging.
    Command: nat log enable [ acl acl-number ]
    Remarks: Disabled by default.

Step 3. Enable NAT logging.
    Command:
    • Enable logging of NAT session establishment events:
      nat log flow-begin
    • Enable logging for active NAT sessions and set the logging interval:
      nat log flow-active minutes
    Remarks: Use either command.
    By default:
    • No log is generated when a NAT session is established.
    • Logging for active NAT sessions is disabled by default.
Exporting NAT logs
NAT logs can be exported to either the information center or the log server:
• To the information center—NAT logs are converted into system logs and exported to the local
switch’s information center. Depending on the configuration of the information center, NAT logs are
then exported to their final destination. Up to 10 NAT logs can be exported to the information
center at one time.
• To the log server—NAT logs are encapsulated into UDP packets and sent to the log server, as
shown in
. The output NAT logs can be in several versions, each with a different UDP
packet format. Only version 1 is used. A UDP packet is composed of a header and one or more
NAT logs.
NOTE:
NAT logs can be exported to the information center or the log server. If you configure both destinations,
the system automatically exports NAT logs to the information center, rather than to the log server.