CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Using ACL in NAT to Filter Traffic

After an ACL is applied to NAT, the NAT device filters the traffic from the external network to the internal network.

The NAT device filters traffic from the external network to the internal network in one of three NAT filtering modes:
  • Endpoint-independent filtering
  • Address-dependent filtering
  • Address and port-dependent filtering

In Figure 4-10, PC-1 on the private network communicates with PC-2 and PC-3 on the external network through a NAT device. Datagram 1 is sent from PC-1 to PC-2. The source port number of the datagram is 1111 and the destination port number is 2222. The NAT device translates the source IP address to 10.169.10.1.

After PC-1 sends an access request to a PC on the external network, the PC on the external network transmits traffic to PC-1. The NAT device filters the traffic to PC-1. Datagram 2', datagram 3', and datagram 4' are sent in three scenarios.

  • Datagram 2' is sent from PC-3 to PC-1. The source address of datagram 2' is different from the destination address of datagram 1, and its destination port number is 1111. The datagram can pass the NAT device only when the endpoint-independent filtering mode is used.
  • Datagram 3' is sent from PC-2 to PC-1. The source address of datagram 3' is the same as the destination address of datagram 1, and its destination port number is 1111. The source port number of datagram 3' is 3333, which is different from the destination port number of datagram 1. The datagram can pass the NAT device only when the address-dependent filtering or endpoint-independent filtering mode is used.
  • Datagram 4' is sent from PC-2 to PC-1. The source address of datagram 4' is the same as the destination address of datagram 1, and its destination port number is 1111. The source port number of datagram 4' is 2222, which is the same as the destination port number of datagram 1. The datagram can pass the NAT device even when the address and port-dependent filtering mode is used. This is the default mode, so datagram 4' is always allowed to pass.
Figure 4-10  Using ACL in NAT to filter traffic
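To make the three filtering decisions concrete, the following Python model (an added example, not Huawei's code or the AR device's implementation) replays the figure's datagrams against a minimal NAT mapping table. The only values taken from the text are the translated address 10.169.10.1 and the port numbers 1111, 2222 and 3333; PC-1's private address 192.168.1.10, the external addresses 10.169.20.2 (PC-2) and 10.169.20.3 (PC-3), the source port of datagram 2', and the extra "unmapped" probe are constructed for the illustration. The model also assumes the NAT preserves the source port, which matches the figure's inbound datagrams all targeting port 1111.

```python
"""Simulation of NAT inbound filtering in endpoint-independent,
address-dependent and address-and-port-dependent modes.
Added example; not Huawei's implementation. Addresses other than
10.169.10.1 and the port of datagram 2' are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class FilterMode(Enum):
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_DEPENDENT = "address-dependent"
    ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # default per the text


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    """One NAT binding: the translated (public) endpoint plus every external
    endpoint the internal host has already sent traffic to."""
    internal: tuple
    external: tuple
    peers: set = field(default_factory=set)


class NatFilter:
    def __init__(self, mode: FilterMode, public_ip: str):
        self.mode = mode
        self.public_ip = public_ip
        self._by_external = {}  # (public_ip, port) -> Mapping

    def outbound(self, dg: Datagram) -> Datagram:
        """Translate an internal->external datagram, creating the mapping on
        first use and recording the destination as a known peer. The source
        port is preserved (assumption; the figure shows 1111 on both sides)."""
        external = (self.public_ip, dg.src_port)
        m = self._by_external.setdefault(
            external, Mapping((dg.src_ip, dg.src_port), external))
        m.peers.add((dg.dst_ip, dg.dst_port))
        return Datagram(self.public_ip, dg.src_port, dg.dst_ip, dg.dst_port)

    def inbound(self, dg: Datagram) -> bool:
        """Return True if an external->internal datagram is allowed through."""
        m = self._by_external.get((dg.dst_ip, dg.dst_port))
        if m is None:
            return False  # no binding at all: dropped in every mode
        if self.mode is FilterMode.ENDPOINT_INDEPENDENT:
            return True  # any external host may use the mapping
        if self.mode is FilterMode.ADDRESS_DEPENDENT:
            return any(ip == dg.src_ip for ip, _ in m.peers)  # known address, any port
        return (dg.src_ip, dg.src_port) in m.peers  # exact peer endpoint only


# Constructed addresses except NAT_PUBLIC, which the text gives as 10.169.10.1.
PC1, NAT_PUBLIC, PC2, PC3 = "192.168.1.10", "10.169.10.1", "10.169.20.2", "10.169.20.3"


def run_figure_scenario(mode: FilterMode) -> dict:
    """Replay datagram 1 and the inbound probes 2', 3', 4' from Figure 4-10."""
    nat = NatFilter(mode, NAT_PUBLIC)
    # Datagram 1: PC-1:1111 -> PC-2:2222; source address becomes 10.169.10.1
    nat.outbound(Datagram(PC1, 1111, PC2, 2222))
    probes = {
        "2'": Datagram(PC3, 3333, NAT_PUBLIC, 1111),      # different address (port constructed)
        "3'": Datagram(PC2, 3333, NAT_PUBLIC, 1111),      # same address, different port
        "4'": Datagram(PC2, 2222, NAT_PUBLIC, 1111),      # same address and port
        "unmapped": Datagram(PC2, 2222, NAT_PUBLIC, 9999),  # no binding exists
    }
    return {name: nat.inbound(dg) for name, dg in probes.items()}


if __name__ == "__main__":
    for mode in FilterMode:
        verdicts = ", ".join(f"{k}={'pass' if v else 'drop'}"
                             for k, v in run_figure_scenario(mode).items())
        print(f"{mode.value:28s} {verdicts}")
```

Running the block prints one line per mode; the "unmapped" probe is dropped everywhere, which shows that the filtering mode only decides who may reuse a binding that an internal host has already created. Because the default address and port-dependent mode admits only the exact peer endpoint that PC-1 contacted, it is the safest setting to leave in place; relax it to address-dependent or endpoint-independent only for applications that genuinely need replies from other hosts or ports through the same binding.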

Updated: 2019-05-20

Document ID: EDOC1100034236