
NAT rules with ACL in NE40E and how to APPLY them

Created: Oct 10, 2021 09:13:11 | Latest reply: Oct 13, 2021 14:58:16
  Rewarded HiCoins: 0 (problem resolved)

Hello team for your exceptional support!


I want to create the below nat pools in Huawei NE40E router.


#
ip nat pool net-64 1.1.1.1 1.1.1.10 prefix-length 23
ip nat pool net-65 2.2.2.1 2.2.2.10 prefix-length 23
...
...
...
#
ip nat inside source list 64 pool net-64 overload
ip nat inside source list 65 pool net-65 overload
...
...


The Huawei documentation has the below:


Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nat instance instance-name [ id id ]

    The NAT instance view is displayed.

  3. Use the non-easy IP or easy IP mode to configure a NAT address pool.

  • Run the nat address-group address-group-name [ group-id id ] [ start-address { mask { address-mask-length | address-mask } | end-address } ] [ vpn-instance vpn-instance-name ] [ no-pat ] command.

    When the nat address-group command is used to create a NAT address pool, the group-id parameter needs to be specified. The group-id parameter specifies the ID of a NAT address pool, which uniquely identifies a NAT address pool.

    The nat address-group command configures a range of public IP addresses in a single public IP address pool. The configuration modes are as follows:
  • In non-Easy IP mode, create a NAT address pool with network segment addresses or enter a NAT address pool.



In the same NAT instance, must I create the NAT pools with the same nat-addr-group?


for example:

nat instance 1
  nat address-group nat-addr-group-1 group-id 1 1.1.1.1 1.1.1.10
  nat address-group nat-addr-group-1 group-id 2.2.2.1 2.2.2.10
  ...
  ...


And last, how can I match the nat-address-group with an ACL and apply it on an inbound or outbound interface?


thank you all

Giorgos


Featured Answers

Recommended answer

fuzi_yao
Admin Created Oct 10, 2021 09:18:37

Hi george2018,
ACLs can be bound to external interfaces. I will give you a configuration method for binding NAT instances to ACLs.

#
sysname NATA
#
nat instance nat1 id 1 simple-configuration
location slot 1
#
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
#
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 2/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
nat bind acl 3001 address-group address-group1
#
interface GigabitEthernet 2/0/0
undo shutdown
ip address 192.168.10.1 255.255.255.0
#
return

george2018 Created Oct 10, 2021 10:49:03
Thank you Fuzi for your answer.

One last thing. If I have more than one (1) nat address-group that I need to match later with an ACL, how can I implement that?
Under the same instance but with a different group id?

thank you very much!  
fuzi_yao Reply george2018 Created Oct 10, 2021 11:43:40
bro,
You can also run the following command to bind an ACL to a NAT instance:
[~HUAWEI] nat instance cpe1 id 1
[~HUAWEI-nat-instance-cpe1] commit
[~HUAWEI-nat-instance-cpe1] quit
[~HUAWEI] interface GigabitEthernet1/0/1
[~HUAWEI-GigabitEthernet1/0/1] nat bind acl 3000 instance cpe1  
fuzi_yao Reply george2018 Created Oct 10, 2021 11:46:16
Of course, you can also refer to the following link, which contains multiple NAT configuration cases.
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100168834&id=EN-US_TASK_0172374651&lang=en  
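
Added example, not part of the original thread and not Huawei tooling: a small Python check that reads a configuration written in the syntax shown above and reports an address-group line with no numeric group-id, a group-id reused by a second pool, and any "nat bind acl" that points at an ACL, address-group or instance the file never defines. The sample text, the pool names net-65 and net-66 and ACL 3002 are constructed for illustration.

```python
import re

# Constructed sample in the syntax used in this thread (not a real device config).
SAMPLE = """\
nat instance nat1 id 1 simple-configuration
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
nat address-group net-65 group-id 1 11.11.12.101 11.11.12.105
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
interface GigabitEthernet 2/0/1
nat bind acl 3001 address-group address-group1
nat bind acl 3002 address-group net-66
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips CLI prompts such as [~HUAWEI]
GROUP = re.compile(r"nat address-group (\S+) group-id (\d+)(?=\s|$)")
ACL = re.compile(r"acl number (\d+)")
INSTANCE = re.compile(r"nat instance (\S+) id \d+")
BIND = re.compile(r"nat bind acl (\d+) (address-group|instance) (\S+)")

def lint(config):
    """Return a list of findings for a VRP-style NAT configuration text."""
    groups, acls, instances, binds, findings = {}, set(), set(), [], []
    for n, raw in enumerate(config.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        if m := GROUP.match(line):
            name, gid = m.group(1), int(m.group(2))
            if gid in groups.values() and groups.get(name) != gid:
                findings.append(f"line {n}: group-id {gid} already used")
            groups[name] = gid
        elif line.startswith("nat address-group"):
            findings.append(f"line {n}: address-group without numeric group-id")
        elif m := ACL.match(line):
            acls.add(m.group(1))
        elif m := INSTANCE.match(line):
            instances.add(m.group(1))
        elif m := BIND.match(line):
            binds.append((n, *m.groups()))
    # Resolve bindings after the whole file is read, so definition order is irrelevant.
    for n, acl, kind, target in binds:
        if acl not in acls:
            findings.append(f"line {n}: ACL {acl} is not defined")
        known = groups if kind == "address-group" else instances
        if target not in known:
            findings.append(f"line {n}: {kind} {target} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
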