How to configure the ACL when clients connect to the Internet through the NAT function on the AR


When NAT is used on the AR for Internet access, an ACL must be configured to permit or deny Internet access for specific users. The nat outbound command associates an ACL with a NAT address pool, so that only packets whose source addresses are permitted by the ACL are translated using addresses from that pool. The command can be configured only on a Layer 3 interface of the AR; loopback and NULL interfaces are excluded.
For example, define NAT address pool 1 as the addresses 202.110.10.10 through 202.110.10.12, and configure hosts on the network segment 10.110.10.0/24 to use addresses in address pool 1 for many-to-one translation (TCP/UDP port information is used to distinguish sessions).
<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] nat address-group 1 202.110.10.10 202.110.10.12
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat outbound 2001 address-group 1

Other related questions:
When the ACL used by the NAT configuration on an AR router is modified, will network service be interrupted?
On an AR router the ACL is bound to the interface by the NAT configuration, so the ACL cannot be modified while it is in use. NAT must first be disabled on the interface with the command "undo nat outbound acl-number"; only then can the ACL configuration be modified. Disabling NAT interrupts address translation on that interface, so network service is broken during the change.

How are packets processed when an ACL is used by each feature on an AR?
When an ACL is applied to FTP, the system forwards packets matching a permit rule through FTP, but does not forward packets that match a deny rule or do not match any ACL rule.
When an ACL is applied to Telnet, the system forwards packets matching a permit rule through Telnet, but does not forward packets that match a deny rule or do not match any ACL rule.
When an ACL is applied to NAT, the system applies NAT to packets matching a permit rule, does not apply NAT to packets matching a deny rule, and forwards packets that do not match any ACL rule without translation.
When an ACL is applied to a traffic policy, the system processes packets matching a permit rule according to the traffic policy, discards packets matching a deny rule, and directly forwards packets that do not match any ACL rule.
When an ACL is applied to packet filtering, the system forwards packets matching a permit rule, discards packets matching a deny rule, and applies the default rule to packets that do not match any ACL rule.
When an ACL is applied to port mapping, the system mirrors packets matching a permit rule, and does not mirror packets that match a deny rule or do not match any ACL rule.
When an ACL is applied to the session log function, the system records logs for packets matching a permit rule, and does not record logs for packets that match a deny rule or do not match any ACL rule.
When an ACL is applied to a blacklist, the system discards packets matching either a permit or a deny rule, and forwards packets that do not match any ACL rule.
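As an added example (not from this page or from Huawei), the following Python models the wildcard matching of the basic ACL in the configuration above and the per-feature handling of permit, deny and no-match just described, so an operator can check which hosts ACL 2001 actually sends to address pool 1 and which leave the interface untranslated. The feature names and action labels are my own shorthand for the behaviour the answer lists.

```python
import ipaddress

# A basic ACL rule as (action, source, wildcard). In a Huawei wildcard mask,
# 0 bits must match exactly and 1 bits are "don't care" (inverse of a subnet mask).
def wildcard_match(addr, source, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (s & care)

def acl_lookup(rules, addr):
    """First matching rule wins; returns 'permit', 'deny', or None when nothing matches."""
    for action, source, wildcard in rules:
        if wildcard_match(addr, source, wildcard):
            return action
    return None

# How each feature treats permit / deny / no-match, as described on this page.
# Labels are constructed for this example; they are not device output.
FEATURE_ACTIONS = {
    "nat":            {"permit": "translate",    "deny": "forward-untranslated", None: "forward-untranslated"},
    "packet-filter":  {"permit": "forward",      "deny": "discard",              None: "default-rule"},
    "traffic-policy": {"permit": "apply-policy", "deny": "discard",              None: "forward"},
    "blacklist":      {"permit": "discard",      "deny": "discard",              None: "forward"},
    "telnet":         {"permit": "forward",      "deny": "discard",              None: "discard"},
}

def feature_action(feature, rules, addr):
    """Combine the ACL verdict with the feature's handling of that verdict."""
    return FEATURE_ACTIONS[feature][acl_lookup(rules, addr)]

# ACL 2001 from the configuration example: rule permit source 10.110.10.0 0.0.0.255
ACL_2001 = [("permit", "10.110.10.0", "0.0.0.255")]

if __name__ == "__main__":
    for host in ("10.110.10.77", "10.110.11.5"):
        print(host, "->", feature_action("nat", ACL_2001, host))
```

A host such as 10.110.11.5 is not covered by ACL 2001, so NAT forwards it without translation; a private source address leaving the interface that way is a sign the ACL is narrower than intended.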

Does the AR router support connecting an entire network segment to the Internet through NAT?
Yes, it is supported.
