
NAT static Cisco From Huawei

Created: Feb 17, 2021 12:37:11
Latest reply: Feb 19, 2021 23:08:02
  Rewarded HiCoins: 0 (problem resolved)

Hello guys, how are you?

Need your help.

So, we have a Cisco router and we are preparing the configuration to migrate to the new Huawei AR6300 routers.

However, I'm having trouble configuring NAT static on the Huawei router.

Cisco Config

crypto map map_outside 4 ipsec-isakmp
 description to_iBASIS_IPX_Rotterdam
 set peer 62.93.151.236
 set transform-set aes-sha
 set pfs group2
 match address 111

interface Tunnel6
 description to_iBASIS_GRX_Interconnect - Rotterdam
 ip address 216.168.174.13 255.255.255.254
 ip mtu 1380
 ip nat outside
 ip virtual-reassembly
 tunnel source FastEthernet0/2/0
 tunnel destination 172.16.173.3
!
interface Tunnel7
 description to_iBASIS_LSX_Interconnect - Rotterdam
 ip address 216.168.174.21 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 tunnel source FastEthernet0/2/0
 tunnel destination 172.16.8.1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.100
 description "Ligacao Huawei-GRX para DNS"
 encapsulation dot1Q 100
 ip address 10.85.0.8 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 vrrp 3 ip 10.85.0.7
 vrrp 3 priority 150
!
interface FastEthernet0/0.106
 description "Ligacao huawei_SLAVE CP"
 encapsulation dot1Q 106
 ip address 172.21.21.203 255.255.255.248
 vrrp 4 ip 172.21.21.201
 vrrp 4 priority 150
!
interface FastEthernet0/1
 description Interliagacao rtr_fw-grx-gprs-1
 ip address 172.21.21.66 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/2/0
 description "Ligacao ISP"
 ip address 41.221.194.45 255.255.255.252
 duplex auto
 speed auto
 crypto map map_outside

So I have NAT inside and outside; in Cisco it's easy to configure on the interface, like you see above in red and yellow.

ip nat inside source static 10.85.0.170 41.221.193.199
ip nat inside source static 10.85.0.171 41.221.193.200
ip nat outside source static 41.221.193.199 10.85.0.170
ip nat outside source static 41.221.193.200 10.85.0.171

access-list 111 permit ip host 41.221.194.45 host 172.16.173.3
access-list 111 permit ip host 41.221.194.45 host 172.16.8.1

Huawei config

interface GigabitEthernet0/0/1.100
 description "Ligacao Huawei-GRX para DNS"
 dot1q termination vid 100
 ip address 10.85.0.8 255.255.255.240
 vrrp vrid 3 virtual-ip 10.85.0.7
 vrrp vrid 3 priority 150
 nat static global 41.221.193.199 inside 10.85.0.170 netmask 255.255.255.255
 nat static global 41.221.193.200 inside 10.85.0.171 netmask 255.255.255.255
#
interface GigabitEthernet0/0/1.106
 description "Ligacao huawei_SLAVE CP"
 dot1q termination vid 106
 ip address 172.21.21.203 255.255.255.248
 vrrp vrid 4 virtual-ip 172.21.21.201
 vrrp vrid 4 priority 150
#
interface GigabitEthernet0/0/1.2511
 description OAM-ROUTER-BG-CVM
 dot1q termination vid 2511
 ip address 10.21.1.11 255.255.255.224
#
interface GigabitEthernet0/0/2
 undo portswitch
 description Interliagacao rtr_fw-grx-gprs-1
 ip address 172.21.21.66 255.255.255.252
 nat static global 41.221.193.199 inside 10.85.0.170 netmask 255.255.255.255
 nat static global 41.221.193.200 inside 10.85.0.171 netmask 255.255.255.255
#
interface GigabitEthernet0/0/3
 undo portswitch
 description "Ligacao ISP"
 ip address 41.221.194.45 255.255.255.252
 ipsec policy map_outside
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 description VirtualPort
#
interface XGigabitEthernet0/0/0
#
interface NULL0
#
interface Tunnel0/0/0
 description to_iBASIS_GRX_Interconnect - Rotterdam
 ip address 216.168.174.13 255.255.255.254
 tunnel-protocol gre
 source GigabitEthernet0/0/3
 destination 172.16.173.3
#
interface Tunnel0/0/1
 description to_iBASIS_LSX_Interconnect - Rotterdam
 ip address 216.168.174.21 255.255.255.254
 tunnel-protocol gre
 source GigabitEthernet0/0/3
 destination 172.16.8.1
#

So on the Huawei router, I can't figure out how to put the static NAT settings exactly the same as on the Cisco router.

I would appreciate your help in trying to do that.

Thanks in advance.


Featured Answers

Recommended answer

chenhui
Admin Created Feb 18, 2021 11:21:40

Hi @yannickmonteiro_27
############# Cisco ###################
ip nat inside source static 10.85.0.170 41.221.193.199
ip nat inside source static 10.85.0.171 41.221.193.200
ip nat outside source static 41.221.193.199 10.85.0.170
ip nat outside source static 41.221.193.200 10.85.0.171
######################################
The Cisco configuration allows the inside host and internet host to access each other independently.
For Huawei devices, static NAT is directionless; if you want to configure NAT with direction, you might use 'nat server'.
The translated configuration is listed below:
############# Huawei ##################
nat static global 41.221.193.199 inside 10.85.0.170
nat static global 41.221.193.200 inside 10.85.0.171
######################################

yannickmonteiro_27
yannickmonteiro_27 Created Feb 18, 2021 11:54:25 (0) (0)
I appreciated your comment; in this case I understand the translation inside.

Cisco
ip nat inside source static 10.85.0.170 41.221.193.199
ip nat inside source static 10.85.0.171 41.221.193.200
Huawei
nat static global 41.221.193.199 inside 10.85.0.170
nat static global 41.221.193.200 inside 10.85.0.171

but the translation outside
ip nat outside source static 41.221.193.199 10.85.0.170
ip nat outside source static 41.221.193.200 10.85.0.171

how is it?  
chenhui
chenhui Reply yannickmonteiro_27  Created Feb 18, 2021 14:45:26 (0) (0)
As far as I know, Cisco 'ip nat inside' only allows the internal host to visit the internet; in the opposite direction, it's blocked. That is to say, it's impossible to visit the internal host from the internet, while 'ip nat outside' will fill that blank.
But for Huawei routers, 'nat static' allows the internal host and internet host to access each other using a single command.
chenhui
chenhui Reply chenhui  Created Feb 18, 2021 14:46:13 (0) (0)
In other words, the 'ip nat outside' is redundant, and no translation is required.  
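
Added example (not part of the original thread, and not Cisco or Huawei code): a small Python check that applies the mapping described in the answer above to a Cisco configuration. It emits one Huawei 'nat static' line per 'ip nat inside source static' entry and lists any 'ip nat outside source static' entry that is not a mirror of an inside entry, since the answer only covers the mirrored case. The function names are hypothetical; the sample input is the four statements quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: the four static NAT statements quoted in the thread.
CISCO_NAT = """\
ip nat inside source static 10.85.0.170 41.221.193.199
ip nat inside source static 10.85.0.171 41.221.193.200
ip nat outside source static 41.221.193.199 10.85.0.170
ip nat outside source static 41.221.193.200 10.85.0.171
"""

STATIC_RE = re.compile(
    r"^\s*ip nat (inside|outside) source static (\S+) (\S+)\s*$")


def parse_static_nat(config):
    """Split Cisco static NAT statements into inside and outside address pairs."""
    inside, outside = [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue  # not a plain one-to-one static NAT statement
        direction, first, second = m.groups()
        # ip_address() raises ValueError on a malformed address
        pair = (str(ipaddress.ip_address(first)),
                str(ipaddress.ip_address(second)))
        (inside if direction == "inside" else outside).append(pair)
    return inside, outside


def translate(config):
    """Return (huawei_lines, outside_entries_needing_manual_review).

    Assumption taken from the answer: an 'outside' statement that mirrors an
    'inside' statement needs no Huawei equivalent. Anything else is reported.
    """
    inside, outside = parse_static_nat(config)
    huawei, covered = [], set()
    for local, global_ip in inside:
        huawei.append(f"nat static global {global_ip} inside {local}")
        covered.add((global_ip, local))  # the mirrored 'outside' form
    review = [pair for pair in outside if pair not in covered]
    return huawei, review


if __name__ == "__main__":
    lines, review = translate(CISCO_NAT)
    print("\n".join(lines))
    for first, second in review:
        print(f"# review manually: ip nat outside source static {first} {second}")
```

Because the answer describes 'nat static' as directionless, each emitted line also makes the inside host reachable from the outside on the global address, so every mapping is worth reviewing before it is applied.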
All Answers
Hello, dear!
It's nice to meet you in the community.
We're working on your problem. Please be patient.

Adriale
Adriale Created Feb 17, 2021 14:18:00 (0) (0)
:)  
Hello @olive.zhao, thank you

DDSN
DDSN Admin Created Feb 17, 2021 12:57:59


Posted by DDSN at 2021-02-17 12:57 Hi yannickmonteiro_27, You can refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100087043 ...
Hello @DDSN, I will try and tell the results.

Thank you

Dear @DDSN

Based on your link, I configured it like this. Can you check if it is correct?

acl number 3001
rule 5 permit ip source 41.221.193.199 0.0.0.0
rule 10 permit ip source 41.221.193.200 0.0.0.0



interface Tunnel0/0/1
description to_iBASIS_GRX_Interconnect - Rotterdam
ip address 216.168.174.13 255.255.255.254
tunnel-protocol gre
source GigabitEthernet0/0/3
destination 172.16.173.3
nat outbound 3001

interface inside
interface GigabitEthernet0/0/2
undo portswitch
description Interliagacao rtr_fw-grx-gprs-1
ip address 172.21.21.66 255.255.255.252
nat static global 41.221.193.199 inside 10.85.0.170 netmask 255.255.255.255
nat static global 41.221.193.200 inside 10.85.0.171 netmask 255.255.255.255

user_4000619
user_4000619 Created Feb 18, 2021 00:18:55 (0) (0)
 
Posted by yannickmonteiro_27 at 2021-02-17 15:44 Dear @DDSN based on your link, i configure like this, can you check if is correct acl number 3001 rul ...
Hi,
The addresses defined in the ACL should be the intranet address (pre-NAT address).

yannickmonteiro_27
yannickmonteiro_27 Created Feb 18, 2021 10:06:52 (0) (0)
Hi, @Popeye_Wang,

This is the private IP - 10.80.0.170
This is the Public IP - 41.221.193.199

So in this case how should the ACL be? Can you help?

I have a maintenance window on February 19, and I have some doubts about how to use these commands on the Huawei router.

Using NAT static, I think that when using ACL and outbound we are talking about PAT.

This is NAT static from Cisco, the actual configuration:
ip nat inside source static 10.85.0.170 41.221.193.199

ip nat inside source stat 
yannickmonteiro_27
yannickmonteiro_27 Created Feb 18, 2021 10:07:53 (0) (0)
ip nat inside source static 10.85.0.171 41.221.193.200

ip nat outside source static 41.221.193.199 10.85.0.170

ip nat outside source static 41.221.193.200 10.85.0.171

and I'm not able to figure out how to translate to Huawei, putting in interfaces like NAT inside or outside
BTW, you are strongly recommended to hide your public IP due to the network security consideration.

user_4000619
user_4000619 Created Feb 19, 2021 03:48:05 (0) (0)
 
thank you
