How to set up port forwarding range to 1 IP on AR1220E?

Created: Oct 12, 2016 07:46:25 | Latest reply: Dec 29, 2018 02:43:43
Rewarded HiCoins: 0 (problem resolved)

Hello, Community!


This post enquires about how to set up a port forwarding range to one IP on the AR1220E. Please check the information displayed below.


Huawei AR1220E


ISSUE DESCRIPTION


How do I set up a port forwarding range to one IP? I am trying to set up Asterisk behind a Huawei AR1220E (NAT).


In the docs it says:


nat server protocol udp global current-interface XXXXX inside aster_ip XXXXX


However, I need to forward UDP ports 10000-20000 (RTP). How can I run 10000 commands in the shell?


Thanks for assisting me with setting up a port forwarding range to one IP on the AR1220E. I really hope to get some valuable help.


Featured Answers
StarOfWest
Created Aug 22, 2018 06:45:04

Good day!

Solution


For this requirement, it is possible to use the ACL parameter to specify which ports will be mapped from the global address to the inside address.

nat server protocol { tcp | udp } global { global-address | current-interface | interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ] [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

Configuration process

1. Create the ACL to permit the required destination ports to be mapped.

[Huawei] acl 3999
[Huawei-acl-adv-3999] rule permit tcp destination-port range 1000 2000
[Huawei-acl-adv-3999] rule permit tcp destination-port eq 3000


2. Configure the NAT Server function on the global interface.

[Huawei-GigabitEthernet0/0/4] nat server global current-interface inside 10.0.0.100 acl 3999

Test configuration
#
acl number 3999
 rule 5 permit tcp destination-port range 1000 2000
 rule 10 permit tcp destination-port eq 3000
#
interface Vlanif1
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/4
 ip address 1.1.1.1 255.255.255.252
 nat server global current-interface inside 10.0.0.100 acl 3999
#


Test results
After sending TCP packets to 1.1.1.1:1000 and 1.1.1.1:3000 the NAT sessions can be observed:

<Huawei>display nat session destination 1.1.1.1
  NAT Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 1.1.1.2         50000
     DestAddr Port Vpn : 1.1.1.1         3000
     NAT-Info
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    : 10.0.0.100
       New DestPort    : ----
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 1.1.1.2         50000
     DestAddr Port Vpn : 1.1.1.1         1001
     NAT-Info
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    : 10.0.0.100
       New DestPort    : ----
  Total : 2


Precaution

After configuring the NAT Server with ACL, other NAT server configurations cannot be added for the same global IP.

The reason is that NAT Server sessions are matched using binary bitwise operations to check the IP addresses and protocols. Since the 'nat server ... acl' command does not specify a global port, it first matches the traffic flow for any port and only then uses the ACL to filter sessions.

It is still possible to configure the NAT Outbound on the same interface, or to configure the NAT Server using other available public IP addresses.
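Applying the featured answer to the original question (a UDP RTP range towards a single Asterisk host), as an added example that is not part of the thread and not Huawei documentation. The ACL number 3999, the public address 1.1.1.1/30 on GigabitEthernet0/0/4 and the inside host 10.0.0.100 are carried over from the answer above; the RTP range 10000-20000 comes from the question. Everything else (the description text, the comments) is assumed.

```text
#
# Added example, not from the original thread. Addresses and interface
# names are those used in the answer above; the port range is the one
# asked for in the question.
#
# 1. Advanced ACL naming the destination ports that may be mapped.
#    Restricting the protocol to udp means TCP to the same port range
#    is not forwarded to the Asterisk host.
acl number 3999
 rule 5 permit udp destination-port range 10000 20000
#
# 2. One ACL-based NAT server entry on the public-facing interface.
#    No global port is given, so the entry matches any port on 1.1.1.1
#    and the ACL decides which sessions are actually translated.
interface GigabitEthernet0/0/4
 ip address 1.1.1.1 255.255.255.252
 nat server global current-interface inside 10.0.0.100 acl 3999
#
# 3. Because of the precaution in the answer, no second "nat server"
#    entry can be added for 1.1.1.1. Any further port that must reach
#    10.0.0.100 through this public address goes into ACL 3999 as an
#    extra rule (e.g. the signalling port of the VoIP service, which the
#    thread does not state), not into a separate nat server command.
#
# 4. Verification after sending a UDP packet from outside to 1.1.1.1:10000:
<Huawei> display acl 3999
<Huawei> display nat session destination 1.1.1.1
```

The check to run before relying on this: confirm in "display nat session destination 1.1.1.1" that the translated session shows New DestAddr 10.0.0.100 for a destination port inside the range, and that a UDP packet to a port outside the range (or a TCP packet to a port inside it) produces no session at all.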

All Answers
user_2790689
user_2790689 Created Oct 13, 2016 00:53:48

please wait.

Busy_with_lazy_mind
Busy_with_lazy_mind Created Nov 1, 2016 18:16:46

Seems there's no good solution.
You can limit the port range on your VoIP device, and configure a specific NAT static rule on the AR.

Fernandoizsa
Fernandoizsa Created Aug 21, 2018 19:28:21



4am
4am Created Dec 29, 2018 02:43:43

So the combination of the two technologies, NAT server and ACL, can help you solve the problem.
