AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Firewall Packet Filtering Configuration Does Not Take Effect Due to Incorrect ACL Configuration on the AR



ACL, access control policy, NAT, firewall


The firewall packet filtering policy on the AR does not take effect due to incorrect ACL parameter configuration.

Problem Description

As shown in Figure 1-1, the router functions as the enterprise egress. The firewall function is configured on the router to control access from hosts on the Internet to the internal server of the enterprise. The NAT function is configured on the router to translate the IP address of the internal server to the public address.

Figure 22-17  ACL-based access control

The related configuration file is as follows:

    nat static protocol tcp global ip inside ip //One-to-one mapping from the private address to the public address.
    acl number 3000 //Configure a rule to forbid the PC using the address to send IP packets to
    interface Ethernet0/0/1
    ip address
    firewall enable
    packet-filter 3000 inbound //Perform packet filtering in the inbound direction.

However, the ACL rule does not take effect, and the PC can still access the internal server.


The ACL policy fails to take effect either because the firewall is improperly configured or because the ACL itself is incorrect. Check both in turn:

  1. Check whether the firewall function is enabled.

    The firewall enable command exists in the configuration file. Run the display firewall zone command to view the configuration of the specified security zone. The command output shows that the firewall function is enabled; therefore, the invalid ACL rule is not caused by the firewall configuration.

  2. Check whether the ACL rule is correct.

    Check the ACL rule. The configuration file of the router shows that the ACL rule forbids the PC to send IP packets to the public IP address. However, the NAT function configured on the router translates the public address to the internal address before the packet filter is applied. Therefore, the rule must be configured to forbid the PC to send IP packets to the internal IP address. Modify the ACL rule as follows:

    acl number 3000
    rule 1 deny ip source 0 destination 0
    rule 2 permit ip

    After the modification, the PC cannot access the internal server.

    Therefore, the firewall packet filtering function does not take effect because the ACL rule is incorrectly configured.

Root Cause

After NAT and the firewall are configured on the AR, NAT is applied to incoming packets before the firewall packet filter. Therefore, the private address of the internal server (the address produced by NAT translation) must be specified as the destination address in the ACL rule. If the public address before NAT translation is used as the destination address, the ACL rule never matches the translated packets and does not take effect.


When the firewall and NAT functions are configured on the AR simultaneously, pay attention to the sequence in which the functions take effect:

  • In the inbound direction: The NAT function takes effect first.
  • In the outbound direction: The firewall function takes effect first.
Updated: 2019-05-10

Document ID: EDOC1000079719