Huawei AR1200 NAT configuration


A short NAT (Network Address Translation) description based on AR1200 documentation:

Huawei AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

Static NAT

The number of private addresses is equal to the number of public addresses, so it does not conserve the pool of public addresses.

Port Address Translation (PAT)

Maps a public address to multiple private addresses.

Internal Server

Hosts in the public network can access an internal server.

Easy IP

Takes a public IP address of the interface as the source address after NAT is performed.

Twice NAT

Translates both the source and destination addresses. Used in scenarios where the IP addresses of hosts on the private and public networks overlap.

NAT multi-instance

Allows users on private networks to access the public network and allows users in different VPNs to access the public network through the same egress. In addition, users in the VPNs with the same IP address can access the public network. Supports association between VPNs and NAT server, and allows users on the public network to access hosts in the VPNs. This function is applicable when IP addresses of multiple VPNs overlap.

Let’s try to configure NAT based on the below topology:

  1. Users from the LAN can access the internet using a pool of public addresses.
  2. Users from the LAN can access the internet using the public IP of the WAN interface.
  3. Users from the internet can access the internal FTP server.

Huawei AR1200 NAT configuration topology

Configure IP addresses and default routing based on the above topology:

interface Vlanif100
 ip address
interface Vlanif200
 ip address
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
interface GigabitEthernet0/0/0
 ip address
interface GigabitEthernet0/0/1
 ip address
ip route-static

interface GigabitEthernet0/0/0
 ip address

Configure outbound NAT on labnario router for hosts in both LANs:

[labnario]acl number 2000
[labnario-acl-basic-2000] rule 5 permit source

[labnario]acl number 2500
[labnario-acl-basic-2500] rule 5 permit source

[labnario]nat address-group 1

[labnario]interface GigabitEthernet 0/0/0
[labnario-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
[labnario-GigabitEthernet0/0/0]nat outbound 2500
[labnario-GigabitEthernet0/0/0]display this
interface GigabitEthernet0/0/0
 ip address
 nat outbound 2000 address-group 1 no-pat 
 nat outbound 2500

No-pat indicates one-to-one NAT, that is, only the IP address is translated and the port number is not translated.
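To make the no-pat versus Easy IP distinction concrete, here is an added Python model (not code from the post or from Huawei) of the two nat outbound rules above: a no-pat address group maps each inside host one-to-one to a pool address and leaves the port alone, while Easy IP rewrites every flow to the interface address and allocates a new source port. The subnets, pool, interface address and port range are constructed sample values, and the first-matching-ACL and pool-exhaustion behaviour are simplifications of this model, not a description of VRP internals; note that the ACL alone decides which sources are translated, so a too-broad rule pulls unintended hosts into the pool.

```python
import ipaddress
from itertools import count

class OutboundNat:  # one 'nat outbound <acl> [address-group N] [no-pat]' rule, simplified
    def __init__(self, acl_subnet, pool=None, no_pat=False, interface_ip=None):
        self.acl = ipaddress.ip_network(acl_subnet)  # the ACL's 'permit source' prefix
        self.pool = pool                             # address-group; None means Easy IP
        self.no_pat = no_pat
        self.interface_ip = interface_ip             # Easy IP rewrites to this address
        self.bindings = {}   # no-pat: inside IP -> pool IP, one-to-one, port untouched
        self.sessions = {}   # PAT: (inside IP, port) -> (global IP, new port)
        self._ports = count(10240)                   # constructed PAT port range

    def translate(self, src_ip, src_port):
        if self.no_pat:
            if src_ip not in self.bindings:
                if len(self.bindings) >= len(self.pool):
                    return None                      # pool exhausted: no free global address
                self.bindings[src_ip] = self.pool[len(self.bindings)]
            return self.bindings[src_ip], src_port   # only the IP is rewritten
        global_ip = self.interface_ip if self.pool is None else self.pool[0]
        key = (src_ip, src_port)
        if key not in self.sessions:                 # each flow gets its own global port
            self.sessions[key] = (global_ip, next(self._ports))
        return self.sessions[key]

def apply_outbound(rules, src_ip, src_port):
    """First rule whose ACL permits the source wins; None means the packet is not translated."""
    for rule in rules:
        if ipaddress.ip_address(src_ip) in rule.acl:
            return rule.translate(src_ip, src_port)
    return None

def build_rules():
    # Constructed sample addressing; the post does not show the real values.
    return [
        OutboundNat("192.168.100.0/24", ["203.0.113.10", "203.0.113.11"], no_pat=True),  # acl 2000
        OutboundNat("192.168.200.0/24", interface_ip="203.0.113.1"),                     # acl 2500
    ]

def demo():
    rules = build_rules()
    return {
        "pool_host1": apply_outbound(rules, "192.168.100.5", 40000),
        "pool_host2": apply_outbound(rules, "192.168.100.6", 40000),
        "pool_host3": apply_outbound(rules, "192.168.100.7", 40000),  # third host, two-address pool
        "easyip_a": apply_outbound(rules, "192.168.200.5", 40000),
        "easyip_b": apply_outbound(rules, "192.168.200.6", 40000),
        "unmatched": apply_outbound(rules, "10.9.9.9", 40000),
    }
```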

Configure NAT server on the labnario router to let external users have FTP access to the internal FTP server:

[labnario-GigabitEthernet0/0/0]nat server protocol tcp global ftp inside ftp

Enable the NAT ALG function for FTP packets:

[labnario]nat alg ftp enable

[labnario]display nat alg 

NAT Application Level Gateway Information:
  Application            Status
  dns                    Disabled
  ftp                    Enabled
  rtsp                   Disabled
  sip                    Disabled

After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT server. The application protocol cannot work without the NAT ALG function.

Let’s check if our NAT is configured properly:

[labnario]display nat outbound 
 NAT Outbound Information:
 Interface                     Acl     Address-group/IP/Interface      Type
 GigabitEthernet0/0/0         2000                              1    no-pat
 GigabitEthernet0/0/0         2500              easyip
  Total : 2

[labnario]dis nat server

  Nat Server Information:
  Interface  : GigabitEthernet0/0/0
    Global IP/Port     : 
    Inside IP/Port     :
    Protocol : 6(tcp)   
    VPN instance-name  : ----                            
    Acl number         : ----
    Description : ----

  Total :    1

Unfortunately, even though NAT commands are accepted by the eNSP simulator, it does not mean that NAT is supported as a whole. Internal hosts cannot communicate with the internet, and the internal FTP server is not available to public users either. But this is what I wanted to show you. You can check this NAT configuration on real devices; it should work properly.


7 thoughts on “Huawei AR1200 NAT configuration”

  1. foxnet1

    If I use 2 ISPs, how can I use “nat server” for external port translation to an internal server? If I write “nat server protocol tcp current-interface PORT inside PORT” on the main ISP interface, all works. But if I write the same command on the secondary ISP interface, nothing works. Telnet establishes the connection, but data is not transmitted.
    If I monitor the traffic via Wireshark, I see:
    SYN – source external host, destination internal server
    SYN,ACK – source internal server, destination external host
    TCP Acked unseen fragment – source external host, destination internal server

    But if I try to establish the connection via the main ISP, the connection is established OK.

    Finally. If I change the default gateway from the main ISP to the secondary ISP, then “nat server” on the secondary ISP works fine! But on the main ISP it stops working with the same symptoms.

    Sorry for my bad English) Can you help me?

    1. labnario Post author

      It is difficult to analyze the problem without having the configuration of this device. Do you use 2 ISPs at the same time, or is one only for backup?

      1. foxnet1

        I use the secondary ISP only as a standalone connection, and use it as a static translation in the internal network. I can send the necessary part of the configuration listing.
        Can I send more information to your mail?
