Prohibiting intranet users from accessing the Internet on the USG series


Configure a security policy that matches traffic by source security zone (the intranet zone) or by source IP address and denies it, so that intranet users cannot access the Internet.

What is the difference between the Static NAT and NAT Server on AR router?
The difference between NAT Server and static NAT is as follows: with NAT Server, when the intranet accesses the Internet only the address is translated, whereas with static NAT, when a host actively accesses the external network both the address and the port number are translated.

Configure NAT on the AR to permit Internet access and allow external users to access internal servers
Huawei AR routers support outbound NAT and NAT server to allow intranet users to access the Internet and external users to access internal servers. The figure on the right page shows the networking diagram. Eth2/0/0 on the router connects to the internal network and its intranet IP address is . GE3/0/0 on the router connects to the external network and its extranet IP address is . The internal server has an internal IP address and an external IP address . The internal host with the IP address wants to access the internal server. The configuration details are as follows:

1. Configure IP addresses for interfaces on the router.
   [Huawei] vlan 100
   [Huawei-vlan100] quit
   [Huawei] interface vlanif 100
   [Huawei-Vlanif100] ip address 24
   [Huawei-Vlanif100] quit
   [Huawei] interface ethernet 2/0/0
   [Huawei-Ethernet2/0/0] port link-type access
   [Huawei-Ethernet2/0/0] port default vlan 100
   [Huawei-Ethernet2/0/0] quit
   [Huawei] interface gigabitethernet 3/0/0
   [Huawei-GigabitEthernet3/0/0] ip address 24
   [Huawei-GigabitEthernet3/0/0] quit

2. Configure a default route with next-hop address on the router.
   [Huawei] ip route-static

3. Configure outbound NAT in Easy IP mode to allow internal users to access external networks.
   [Huawei] acl 2000
   [Huawei-acl-basic-2000] rule 5 permit source
   [Huawei-acl-basic-2000] quit
   [Huawei] interface gigabitethernet 3/0/0
   [Huawei-GigabitEthernet3/0/0] nat outbound 2000
   [Huawei-GigabitEthernet3/0/0] quit

4. Configure the NAT server to allow external users to access the internal servers.
   [Huawei] interface gigabitethernet 3/0/0
   [Huawei-GigabitEthernet3/0/0] nat server protocol tcp global www inside 8080
   [Huawei-GigabitEthernet3/0/0] quit

Note: The command that configures the NAT server function takes effect on Layer 3 interfaces, excluding Loopback and NULL interfaces.
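The outbound NAT (step 3) and NAT server (step 4) behaviour described above, as an added Python model that is not Huawei's code and does not describe the router's implementation: Easy IP rewrites each intranet flow to the GE3/0/0 address plus a pool port, the nat server entry statically publishes the internal server, and any other inbound packet (including one aimed straight at port 8080, or a reply from the wrong peer) has no mapping and is dropped. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (the page's own addresses were lost in extraction).
INSIDE_NET = "192.168.0."      # subnet matched by ACL 2000
GLOBAL_IP = "203.0.113.2"      # extranet address of GE3/0/0, used by Easy IP
# Models: nat server protocol tcp global <GLOBAL_IP> www inside <server> 8080
NAT_SERVER = {("tcp", GLOBAL_IP, 80): ("192.168.0.10", 8080)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class EasyIpNat:
    """Simplified model of Easy IP outbound NAT plus one NAT server mapping."""

    def __init__(self) -> None:
        # (proto, global_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.sessions: dict = {}
        self.next_port = 10000      # constructed port pool start

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Intranet -> Internet: translate source to GLOBAL_IP and a fresh port."""
        if not pkt.src.startswith(INSIDE_NET):
            return None             # not permitted by ACL 2000: not translated
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, GLOBAL_IP, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> intranet: only a NAT server mapping or a reply to an
        existing session is forwarded; anything else has no mapping and is dropped."""
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in NAT_SERVER:       # published service: static, always reachable
            inside_ip, inside_port = NAT_SERVER[key]
            return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)
        sess = self.sessions.get((pkt.proto, pkt.dport))
        if sess and pkt.dst == GLOBAL_IP and (pkt.src, pkt.sport) == sess[2:]:
            return Packet(pkt.proto, pkt.src, pkt.sport, sess[0], sess[1])
        return None                 # unsolicited inbound traffic: dropped
```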

Prohibiting the extranet from pinging the intranet on the USG6000
Add a security policy that denies ICMP packets from the extranet to the intranet.

