

NAT Server using port range to one host

Publication Date:  2018-03-29 Views:  525 Downloads:  0
Issue Description

The requirement is to translate incoming requests for the port range 1000-2000 and for port 3000 to the private IP address of a single server.


Checking the documentation, we find that the configuration commands for NAT server and NAT static support a port range on the global side.

However, this range does not achieve the required result: these parameters map a range of global ports to a range of inside hosts, one port to one host, rather than a range of ports to a single host.


nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]


For this requirement, the acl parameter can be used instead to specify which destination ports are mapped from the global address to the inside address.

nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]


Configuration process

1. Create the ACL to permit the required destination ports to be mapped


[Huawei] acl 3999

[Huawei-acl-adv-3999] rule permit tcp destination-port range 1000 2000

[Huawei-acl-adv-3999] rule permit tcp destination-port eq 3000


2. Configure the NAT Server function on the global (public-facing) interface, referencing the ACL


[Huawei-GigabitEthernet0/0/4] nat server global current-interface inside acl 3999



Test configuration


acl number 3999
 rule 5 permit tcp destination-port range 1000 2000
 rule 10 permit tcp destination-port eq 3000
interface Vlanif1
 ip address
interface GigabitEthernet0/0/4
 ip address X.X.1.1
 nat server global current-interface inside acl 3999



Test results

After sending TCP packets to X.X.1.1:1000 and X.X.1.1:3000, the NAT sessions can be observed:


<Huawei>display nat session destination X.X.1.1
  NAT Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : X.X.1.2         50000
     DestAddr Port Vpn : X.X.1.1         3000
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    :
       New DestPort    : ----
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : X.X.1.2         50000
     DestAddr Port Vpn : X.X.1.1         1001
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    :
       New DestPort    : ----
  Total : 2


Once NAT Server has been configured with an ACL, no other NAT server configuration can be added for the same global IP address.


The reason is that NAT Server sessions are matched using binary bitwise operations on IP addresses and protocols. Since the "nat server ... acl" command does not specify a global port, the entry first matches the traffic flow for every port on the global address, and only then uses the ACL to filter which sessions are translated.


It is still possible to configure NAT Outbound on the same interface, or to configure NAT Server using other available public IP addresses.
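The two-stage matching described above (the ACL-based entry claims every port on the global address, then the ACL decides which sessions are actually translated) can be modelled to audit what a given ACL exposes. The following is an added illustration, not code from the article or from Huawei; it assumes the article's ACL 3999 as the running configuration prints it, uses the placeholder global address X.X.1.1, and assumes that a flow matching no ACL rule is simply not translated.

```python
import re

# Constructed sample (not taken from a live device): the article's ACL as the running config prints it.
ACL_3999 = """\
acl number 3999
 rule 5 permit tcp destination-port range 1000 2000
 rule 10 permit tcp destination-port eq 3000
"""

# Hypothetical representation of the article's "nat server global current-interface inside ... acl 3999"
# entry; X.X.1.1 is the article's placeholder and the inside host is omitted as it is on the page.
NAT_SERVER_ENTRY = {"global": "X.X.1.1", "acl": "3999"}

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp)\s+destination-port\s+"
    r"(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))"
)

def parse_acl(text):
    """Parse advanced-ACL rules into (rule_id, action, proto, low_port, high_port), ordered by rule id."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rid, action, proto, eq, lo, hi = m.groups()
            lo, hi = (eq, eq) if eq is not None else (lo, hi)
            rules.append((int(rid), action, proto, int(lo), int(hi)))
    return sorted(rules)

def acl_permits(rules, proto, dport):
    """First matching rule decides; a flow matching no rule is not translated
    (assumption, following the article's 'use the ACL to filter sessions')."""
    for _, action, rproto, lo, hi in rules:
        if rproto == proto and lo <= dport <= hi:
            return action == "permit"
    return False

def classify_flow(entry, rules, proto, dst_ip, dst_port):
    """Stage 1: the entry without a global-port claims every port on its global address.
    Stage 2: the ACL filters which of those sessions are translated to the inside host."""
    if dst_ip != entry["global"]:
        return "not_matched"          # another global IP stays free for other NAT Server entries
    if acl_permits(rules, proto, dst_port):
        return "translated"           # forwarded to the inside host
    return "dropped_by_acl"           # still claimed by this entry, so no other entry can use the port

def exposed_ports(rules, proto):
    """Audit helper: the set of destination ports the ACL forwards to the inside host."""
    return {p for p in range(1, 65536) if acl_permits(rules, proto, p)}
```

Running classify_flow over the ports you expect to be published, plus a few you do not, gives a quick check that the ACL exposes exactly 1000-2000 and 3000 and nothing else.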