How to configure port mapping on an AR that acts as a twice NAT server


For details about how to configure port mapping of twice NAT server on an AR, see "Internet Access > NAT > Example for Configuring NAT to Connect Intranet Users to the Internet, Provide the Web Server, and Enable Intranet Users to Access an Internal Web Server Using Domain Names" in the Typical Configuration Examples.

Other related questions:
How to locate a mapping failure after a NAT server based on IP address and port number is configured on an AR
If a NAT server mapping based on IP address + port number does not work, locate the fault as follows:
  1. Check whether the internal server itself can be accessed. Access the internal server directly from the intranet.
  2. Check whether reachable routes exist from the external host and from the internal server to the NAT server.
  3. Check whether the NAT server is correctly configured.
  4. Check whether the mapped external port number is available. Change the external port and check whether the internal server can then be accessed.
  5. Run the display nat session command on the NAT server to check whether session entries exist before and after mapping, and capture packets to check whether the NAT server translates the addresses of packets sent by external users.
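Step 4 above asks whether the mapped external port actually answers. The following Python script is an added example (not from the Huawei page): it performs a plain TCP connect to each mapped public port and reports which mappings complete a handshake. To keep it self-contained it stands up a throwaway listener on 127.0.0.1 as a stand-in for the internal server; against a real deployment you would pass the public IP and the ports from the nat server command instead (the host and port values are assumptions for the demo).

```python
import socket
import threading
from typing import Dict, List, Tuple


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes on host:port within timeout.

    A refused or timed-out connect means the mapping (or the server behind it)
    is not reachable from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_mappings(host: str, ports: List[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every mapped port on one public address; returns {port: reachable}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway TCP listener on loopback that plays the internal server.

    The kernel picks a free port; the accept loop just closes each connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port() -> int:
    """Find a loopback port with nothing listening (bind, read the port, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> Dict[str, bool]:
    """Constructed demo: one listening port and one closed port on loopback."""
    srv, open_port = start_local_listener()
    closed_port = pick_closed_port()
    result = check_mappings("127.0.0.1", [open_port, closed_port], timeout=1.0)
    srv.close()
    return {"open": result[open_port], "closed": result[closed_port]}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name} port reachable: {ok}")
```

Run the probe both from the intranet (against the inside address, step 1) and from outside (against the global address, step 4); a port that answers inside but not outside narrows the fault to the route or the nat server entry rather than the server.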

Can the AR router implement one-to-one mapping of multiple port numbers?
An AR router can provide one-to-one mapping with NAT static and with NAT server port mapping. For example, the following command maps TCP port 21 of public address 1.1.1.2 to TCP port 21 of internal server 10.3.0.30: nat server protocol tcp global 1.1.1.2 21 inside 10.3.0.30 21

How to configure all-port mapping on the AR

Procedure

# Configure the NAT server on a public network interface to map all TCP ports with public IP address 1.1.1.1 to all ports with private IP address 192.168.0.1.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1

More information

If an enterprise has two or more allocatable public IP addresses and an internal server needs to provide services for public network users, all-port mapping can be configured for one of the public IP addresses. If you do not specify the range of port numbers open to public network users in the nat server command, all ports of the internal server are mapped to the same public IP address. That is, the server provides all of its services to public network users on all ports of that public IP address.

If the IP address of a public network interface is itself used to provide services to public network users, configuring all-port mapping on this interface means that public network users can no longer reach the web interface or other services on the AR router, because every port number associated with that IP address is now mapped to the internal server. Therefore, if only one public IP address is available, you are advised to map specific port numbers only. All-port mapping lets you map many ports at once, but it lowers network security because every port is opened to the public network.
How do I configure batch port mapping

When a private IP address and a range of consecutive port numbers need to be mapped to a public IP address and a range of consecutive port numbers, you can reference an ACL to complete batch port mapping configuration.

On the private network shown in the figure, multiple consecutive ports of a server need to be opened to users on the public network. The private IP address of the server is 192.168.2.2/24, its service ports are 2000-4000 and 5000, and its public IP address is 202.1.22.3/24. The interconnection IP address on the carrier network is 202.1.22.10. The private IP address and ports 2000-4000 and 5000 of the internal server need to be mapped to public IP address 202.1.22.3 and the corresponding ports.

Procedure

  1. Set the IP address for the interface.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan 100
    [Router-vlan100] quit
    [Router] interface vlanif 100
    [Router-Vlanif100] ip address 192.168.2.1 24
    [Router-Vlanif100] quit
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access 
    [Router-Ethernet2/0/0] port default vlan 100
    [Router-Ethernet2/0/0] quit 
    [Router] interface GigabitEthernet 1/0/0
    [Router-GigabitEthernet1/0/0] ip address 202.1.22.4 24
    [Router-GigabitEthernet1/0/0] quit 
  2. Create an ACL that matches the port numbers to be mapped.

    [Router] acl number 3001
    [Router-acl-adv-3001] rule 5 permit tcp destination-port range 2000 4000
    [Router-acl-adv-3001] rule 10 permit tcp destination-port eq 5000
    [Router-acl-adv-3001] quit
    
  3. Configure NAT server and reference the ACL.

    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] nat server global 202.1.22.3 inside 192.168.2.2 acl 3001
    [Router-GigabitEthernet1/0/0] quit 
  4. Configure a default route on the router, with 202.1.22.10 as the next-hop address.

    [Router] ip route-static 0.0.0.0 0.0.0.0 202.1.22.10
    

More information

Referencing an ACL to batch-configure port mapping maps a range of consecutive port numbers in one step and reduces the configuration workload: you do not need to run the nat server command on interfaces one port at a time, and to change the mapped port range later you only need to change the ACL rules. One public IP address can be used for batch port mapping configuration only once. If other internal servers need to provide services for public network users, use other public IP addresses for their port mapping configuration.
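The two "More information" notes above (all-port mapping exposes every port; batch mapping exposes whatever the ACL matches) suggest a configuration review step. The following Python script is an added example, not part of the Huawei page or product: it parses the nat server forms shown on this page (all-port, single-port, and ACL-referenced batch mapping) together with the ACL rules they reference, counts how many ports each public address exposes, flags all-port mappings, and warns when an ACL rule number is defined twice (on a Huawei device the later definition replaces the earlier one, silently dropping a port range). The sample configuration is constructed for the demo; the regexes cover only the command forms on this page.

```python
import re
from typing import Dict, List

# Constructed sample of a Huawei-style configuration (not taken from a real device).
# It combines the nat server forms shown on this page plus the batch-mapping ACL.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit tcp destination-port range 2000 4000
 rule 10 permit tcp destination-port eq 5000
#
interface GigabitEthernet1/0/0
 ip address 202.1.22.4 255.255.255.0
 nat server protocol tcp global 1.1.1.1 inside 192.168.0.1
 nat server protocol tcp global 1.1.1.2 21 inside 10.3.0.30 21
 nat server global 202.1.22.3 inside 192.168.2.2 acl 3001
"""

ACL_HEADER = re.compile(r"^acl number (\d+)\s*$")
ACL_RULE = re.compile(
    r"^\s*rule (\d+) permit \w+ destination-port (?:range (\d+) (\d+)|eq (\d+))"
)
NAT_SERVER = re.compile(
    r"^\s*nat server(?: protocol (\w+))? global (\S+)(?: (\d+))?"
    r" inside (\S+)(?: (\d+))?(?: acl (\d+))?\s*$"
)


def parse_acls(config: str) -> Dict[str, Dict]:
    """Map ACL number -> {'ports': set of matched destination ports, 'warnings': [...]}."""
    acls: Dict[str, Dict] = {}
    current = None
    for line in config.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = acls.setdefault(
                m.group(1), {"ports": set(), "rule_ids": set(), "warnings": []}
            )
            continue
        if not line.startswith(" "):
            current = None  # left the ACL block (e.g. "#" or "interface ...")
            continue
        if current is None:
            continue
        m = ACL_RULE.match(line)
        if not m:
            continue
        rule_id, lo, hi, eq = m.groups()
        if rule_id in current["rule_ids"]:
            current["warnings"].append(
                f"rule {rule_id} defined twice; the later definition overwrites the earlier one"
            )
        current["rule_ids"].add(rule_id)
        if eq:
            current["ports"].add(int(eq))
        else:
            current["ports"].update(range(int(lo), int(hi) + 1))
    return acls


def audit_nat_servers(config: str) -> List[Dict]:
    """Return one finding per nat server entry with its exposure and warnings."""
    acls = parse_acls(config)
    findings: List[Dict] = []
    for line in config.splitlines():
        m = NAT_SERVER.match(line)
        if not m:
            continue
        proto, gip, gport, iip, iport, acl = m.groups()
        entry = {"global": gip, "inside": iip, "protocol": proto or "any", "warnings": []}
        if acl:
            entry["kind"] = "acl-batch"
            info = acls.get(acl)
            if info is None:
                entry["exposed_ports"] = 0
                entry["warnings"].append(f"acl {acl} referenced but not defined")
            else:
                entry["exposed_ports"] = len(info["ports"])
                entry["warnings"].extend(info["warnings"])
        elif gport is None:
            entry["kind"] = "all-port"
            entry["exposed_ports"] = 65535  # every port of the public address
            entry["warnings"].append(
                "all ports forwarded to the inside host; router services on this "
                "address become unreachable and every inside port is exposed"
            )
        else:
            entry["kind"] = "single-port"
            entry["exposed_ports"] = 1
        n = entry["exposed_ports"]
        entry["risk"] = "high" if n > 1000 else "medium" if n > 1 else "low"
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_nat_servers(SAMPLE_CONFIG):
        print(f"{f['global']} -> {f['inside']} [{f['kind']}] ports={f['exposed_ports']} risk={f['risk']}")
        for w in f["warnings"]:
            print("  warning:", w)
```

Feed it the output of display current-configuration saved to a file; the duplicate-rule warning is worth keeping because a repeated rule number is easy to type and leaves the mapping silently narrower than intended.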

