Good day!
Solution
For this requirement, the acl parameter of the nat server command can be used to specify which destination ports are mapped from the global address to the inside address.
nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
Configuration process
1. Create the ACL to permit the required destination ports to be mapped.
[Huawei] acl 3999
[Huawei-acl-adv-3999] rule permit tcp destination-port range 1000 2000
[Huawei-acl-adv-3999] rule permit tcp destination-port eq 3000
2. Configure the NAT Server function on the global interface.
[Huawei-GigabitEthernet0/0/4] nat server global current-interface inside 10.0.0.100 acl 3999
Test configuration
#
acl number 3999
rule 5 permit tcp destination-port range 1000 2000
rule 10 permit tcp destination-port eq 3000
#
interface Vlanif1
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/4
ip address 1.1.1.1 255.255.255.252
nat server global current-interface inside 10.0.0.100 acl 3999
#
Test results
After sending TCP packets to 1.1.1.1:1000 and 1.1.1.1:3000, the NAT sessions can be observed:
<Huawei>display nat session destination 1.1.1.1
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 1.1.1.2 50000
DestAddr Port Vpn : 1.1.1.1 3000
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 10.0.0.100
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 1.1.1.2 50000
DestAddr Port Vpn : 1.1.1.1 1001
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 10.0.0.100
New DestPort : ----
Total : 2
Precaution
Once a NAT Server entry with an ACL has been configured, no other NAT Server entries can be added for the same global IP address.
The reason is that NAT Server sessions are matched using binary bitwise operations on the IP addresses and protocols. Because the nat server command with the acl parameter does not specify a global port, the traffic flow is first matched on the global address for any port, and only afterwards does the ACL filter the sessions, so a second entry for the same global address cannot coexist with it.
It is still possible to configure NAT Outbound on the same interface, or to configure a NAT Server using another available public IP address.
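As an added illustration that is not part of the original post or of Huawei's own software, the following Python model reproduces the matching order described in the precaution (global address for any port first, then the ACL) and lets you audit which destination ports an ACL-controlled NAT Server entry actually forwards to the inside host. The ACL text, the addresses and the function names are constructed for this example.

```python
import re

# Constructed sample ACL, in the same syntax as the page's "acl number 3999" block.
ACL_3999 = """
rule 5 permit tcp destination-port range 1000 2000
rule 10 permit tcp destination-port eq 3000
"""

# Matches only the two rule forms used on the page (range lo hi / eq port);
# anything else raises, since this model does not claim to cover the full VRP grammar.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp)\s+destination-port\s+"
    r"(?:range\s+(\d+)\s+(\d+)|eq\s+(\d+))$"
)

def parse_acl(text):
    """Return [(rule_id, action, proto, low_port, high_port), ...] in rule order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rid, action, proto, lo, hi, eq = m.groups()
        lo, hi = (int(lo), int(hi)) if lo else (int(eq), int(eq))
        rules.append((int(rid), action, proto, lo, hi))
    return rules

def acl_permits(rules, proto, dport):
    """First matching rule decides; no match is an implicit deny."""
    for _rid, action, rproto, lo, hi in rules:
        if rproto == proto and lo <= dport <= hi:
            return action == "permit"
    return False

def nat_server_acl(global_ip, inside_ip, rules, proto, dst_ip, dport):
    """Model of 'nat server global <g> inside <i> acl <n>' as the page explains it:
    the flow is first matched on the global address for ANY port, then filtered
    by the ACL. Returns (new_dst_ip, new_dst_port) or None when not forwarded.
    The port is kept unchanged, as the session table's 'New DestPort : ----' shows."""
    if dst_ip != global_ip:
        return None
    if not acl_permits(rules, proto, dport):
        return None
    return (inside_ip, dport)

def exposed_ports(rules, proto="tcp"):
    """Audit helper: every destination port the ACL lets through to the inside host."""
    return {p for p in range(1, 65536) if acl_permits(rules, proto, p)}

RULES = parse_acl(ACL_3999)
```

Running exposed_ports(RULES) against a proposed ACL before committing it shows exactly which ports of the inside host become reachable from the global side, which is the check worth doing since the ACL on the page restricts destination ports only, not sources.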