NAT Server using port range to one host

Publication Date: 2018-03-29
Issue Description

The requirement is to translate incoming requests to port range 1000-2000 and port 3000 to the private IP address of the server.


Checking the documentation, we find that the configuration commands for NAT server and NAT static can support a port range on the global side.

However, this range does not achieve the required result: the global port range parameter maps a range of global ports to a range of inside hosts, with each port mapped to one host.


nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]


Solution

For this requirement, the acl parameter can be used to specify which destination ports are mapped from the global address to the inside address.

nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]


Configuration process

1. Create the ACL to permit the required destination ports to be mapped

[Huawei] acl 3999
[Huawei-acl-adv-3999] rule permit tcp destination-port range 1000 2000
[Huawei-acl-adv-3999] rule permit tcp destination-port eq 3000


2. Configure the NAT Server function on the global interface

[Huawei-GigabitEthernet0/0/4] nat server global current-interface inside 10.0.0.100 acl 3999

Test configuration

#
acl number 3999
 rule 5 permit tcp destination-port range 1000 2000
 rule 10 permit tcp destination-port eq 3000
#
interface Vlanif1
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/4
 ip address 1.1.1.1 255.255.255.252
 nat server global current-interface inside 10.0.0.100 acl 3999
#
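To verify which ports such a configuration actually exposes, the following Python script (an added example, not from this page or from Huawei) parses the acl and nat server lines in the VRP syntax shown above and reports the inside host a TCP packet to a given global address and port would be mapped to; the configuration text is constructed to mirror the test configuration, and the matching logic (first matching rule wins, no match means deny) is an assumption of the example.

```python
import re
# Constructed sample in Huawei VRP syntax, mirroring this page's test configuration.
SAMPLE_CONFIG = """\
acl number 3999
 rule 5 permit tcp destination-port range 1000 2000
 rule 10 permit tcp destination-port eq 3000
interface GigabitEthernet0/0/4
 ip address 1.1.1.1 255.255.255.252
 nat server global current-interface inside 10.0.0.100 acl 3999
"""

ACL_RE = re.compile(r"^acl number (\d+)$")
RULE_RE = re.compile(r"^\s*rule \d+ (permit|deny) tcp destination-port (?:range (\d+) (\d+)|eq (\d+))$")
IP_RE = re.compile(r"^\s*ip address (\S+) \S+$")
NAT_RE = re.compile(r"^\s*nat server global current-interface inside (\S+) acl (\d+)$")

def parse_config(text):
    """Return ({acl_number: [(action, lo, hi), ...]}, [(global_ip, inside_ip, acl_number), ...])."""
    acls, servers, cur_acl, cur_ip = {}, [], None, None
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            cur_acl = acls.setdefault(int(m.group(1)), [])
        elif m := RULE_RE.match(line):
            lo, hi = int(m.group(2) or m.group(4)), int(m.group(3) or m.group(4))
            cur_acl.append((m.group(1), lo, hi))
        elif m := IP_RE.match(line):
            cur_ip = m.group(1)  # the address "current-interface" resolves to
        elif m := NAT_RE.match(line):
            servers.append((cur_ip, m.group(1), int(m.group(2))))
    return acls, servers

def acl_permits(rules, port):
    for action, lo, hi in rules:  # first matching rule wins
        if lo <= port <= hi:
            return action == "permit"
    return False  # no rule matched: the ACL denies (assumed default)

def translate(parsed, dst_ip, dst_port):
    """Inside address a TCP packet to dst_ip:dst_port is mapped to, or None if not mapped."""
    acls, servers = parsed
    for global_ip, inside_ip, acl in servers:
        if global_ip == dst_ip and acl_permits(acls.get(acl, []), dst_port):
            return inside_ip
    return None

def exposed_ports(parsed, dst_ip):
    """Every TCP port on dst_ip that reaches an inside host; review this list after any ACL change."""
    return [p for p in range(1, 65536) if translate(parsed, dst_ip, p)]
```

For the sample configuration, exposed_ports returns 1002 ports (1000 to 2000 plus 3000) and nothing else reaches 10.0.0.100.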


Test results

After sending TCP packets to 1.1.1.1:1000 and 1.1.1.1:3000, the NAT sessions can be observed:

<Huawei>display nat session destination 1.1.1.1
  NAT Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 1.1.1.2         50000
     DestAddr Port Vpn : 1.1.1.1         3000
     NAT-Info
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    : 10.0.0.100
       New DestPort    : ----
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 1.1.1.2         50000
     DestAddr Port Vpn : 1.1.1.1         1001
     NAT-Info
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    : 10.0.0.100
       New DestPort    : ----
  Total : 2


Precaution

After configuring NAT Server with an ACL, no other NAT Server configuration can be added for the same global IP address.

The reason is that NAT Server sessions are matched using binary bitwise operations on the IP addresses and protocol. Since the "nat server ... acl" command does not specify a global port, it first matches the traffic flow for any port and only then uses the ACL to filter sessions, so a second NAT Server entry on the same global address would never be reached.

It is still possible to configure NAT Outbound on the same interface, or to configure NAT Server using other available public IP addresses.
