Prohibiting intranet users from accessing the Internet on the USG series

4

Configure a security policy whose security zone originates from the intranet or IP matching conditions to prohibit intranet users from accessing the Internet.

Other related questions:
What is the difference between the Static NAT and NAT Server on AR router?
The difference between NAT Server and NAT Static configuration is: NAT Server to access the Internet from intranet, only do address replace, but NAT Static for network address; active access outside the network will also replace the address and port number.

Prohibiting the extranet from pinging the intranet on the USG6000
Add a security policy to prohibit ICMP packets from the extranet to the intranet.

Configure NAT on the AR to permit Internet access and allow external users to access internal servers
Huawei AR routers support outbound NAT and NAT server to allow the intranet users to access the Internet and external users to access internal servers. The figure on the right page shows the networking diagram. Eth2/0/0 on the router connects to the internal network and its intranet IP address is 192.168.20.1/24. GE3/0/0 on the router connects to the external network and its extranet IP address is 202.169.10.1/24. The internal server has an internal IP address 192.168.20.2/24 and an external IP address 202.169.10.5. The internal host with the IP address 192.168.20.3/24 wants to access the internal server. The configuration details are as follows: 1. Configure IP addresses for interfaces on the router. [Huawei] vlan 100 [Huawei-vlan100] quit [Huawei] interface vlanif 100 [Huawei-Vlanif100] ip address 192.168.20.1 24 [Huawei-Vlanif100] quit [Huawei] interface ethernet 2/0/0 [Huawei-Ethernet2/0/0] port link-type access [Huawei-Ethernet2/0/0] port default vlan 100 [Huawei-Ethernet2/0/0] quit [Huawei] interface gigabitethernet 3/0/0 [Huawei-GigabitEthernet3/0/0] ip address 202.169.10.1 24 [Huawei-GigabitEthernet3/0/0] quit 2. Configure a default route with next-hop address 202.169.10.2 on the router. [Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2 3. Configure outbound NAT in Easy IP mode to allow internal users to access external networks. [Huawei] acl 2000 [Huawei-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255 [Huawei-acl-basic-2000] quit [Huawei] interface gigabitethernet 3/0/0 [Huawei-GigabitEthernet3/0/0] nat outbound 2000 4. Configure the NAT server to allow external users to access the internal servers. [Huawei] interface gigabitethernet 3/0/0 [Huawei-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080 [Huawei-GigabitEthernet3/0/0] quit Note: The command that configures the NAT server function takes effect on Layer 3 interfaces, excluding Loopback and NULL interfaces.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top