NAT NAPT PAT on AR routers (all sw series)
by tnk on Mar.20, 2009, under Huawei, Networking
This is an article I was not really planning to write, but after a certain experience I decided to shed some light on this topic. Even though it is explained in the documentation (although very chaotically), I put here some simple and easily adjustable examples of NAT/NAPT, or PAT if you prefer.
The first thing you need to know is that Network Address Translation without Port Address Translation is not thinkable. NAT always uses PAT (even if it is sometimes 1:1 PAT), which is why it is proper to use the abbreviation NAPT, which stands for network address and port translation. There are various flame-wars about this simple principle, but the point is that even 1:1 NAT could under some circumstances change your TCP ports. This being said, I can focus on quick and easy NAPT on the AR 19 and 29 (and generally on routers in the Huawei/H3C/3Com portfolios).
Step No.1 Create a NAT ACL
#
acl number 3111 name nat
rule 5 permit ip
#
The question of why this is necessary is already partly answered by the config itself: it defines what should be done with the traffic coming in from the LAN. An important note here is that because this NAT is ACL based, you can do some very interesting things, e.g. NAT just some IPs, just some protocols, or just some destinations (note that `rule 5 permit ip` with no source or destination matches everything). The limits of what, when and how will be translated lie solely in the flexibility of the ACL, which is great.
Now that you have decided what will be translated and what won't, it is time to place your NAT policy on the outbound interface.
#
interface Virtual-Ethernet0
nat outbound 3111
#
OK, this command will do the trick. Kind of easy, huh? So we could end here, but this would result in dynamic NAT without any control. So what more can we do? The first thing we can do is port forwarding (for some DMZ services like mail, etc.).
Surprisingly enough, you need just one line of configuration for every port you want to forward. In our case the outer address is 10.0.3.2 and the DMZ server's address is 192.168.2.10.
#
interface Ethernet0
nat outbound 3111
nat server protocol tcp global 10.0.3.2 ftp inside 192.168.2.10 ftp
ip address 10.0.3.2 255.255.255.252
#
There should be one question raised right now: as an FTP transfer actually uses two ports, will this really work? The answer is: surprisingly, yes, it works even without defining the other port (the router's FTP ALG tracks the data connection). Originally the config had port 21, but VRP changed it to the well-known service name ftp, which also happens with other well-known ports like 80, 23, etc. I think one problem could arise if you run a different service than FTP on port 21, but I think this is not something that happens often.
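Putting the first three steps together, here is an added example of my own (not the configuration from the original post and not taken from Huawei's documentation): the ACL is narrowed to the LAN subnet so that only the traffic you actually expect is translated, a web mapping is added next to the FTP one, and the LAN interface name, the LAN subnet 192.168.2.0/24 and the upstream next hop are assumptions. Lines beginning with `# ` followed by text are annotations for the reader, not configuration; VRP itself uses a bare `#` only as a section separator.

```text
#
# ACL 3111: translate only traffic sourced from the LAN (192.168.2.0/24 is an assumed subnet)
acl number 3111 name nat
 rule 5 permit ip source 192.168.2.0 0.0.0.255
# anything else (stray or spoofed sources) hits the deny and is forwarded untranslated, not dropped;
# if such traffic must be blocked, filter it separately on the LAN interface
 rule 10 deny ip
#
# LAN side (interface name and address are assumptions)
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0
#
# WAN side: dynamic NAPT for the LAN plus two inbound mappings to the DMZ host 192.168.2.10
interface Ethernet0
 ip address 10.0.3.2 255.255.255.252
 nat outbound 3111
# VRP will display 21 as "ftp" and 80 as "www" after the well-known ports are rewritten
 nat server protocol tcp global 10.0.3.2 21 inside 192.168.2.10 21
 nat server protocol tcp global 10.0.3.2 80 inside 192.168.2.10 80
#
# default route towards the upstream (next hop is an assumption)
ip route-static 0.0.0.0 0.0.0.0 10.0.3.1
#
```

The `nat server` entries do not depend on ACL 3111; the ACL only decides which outbound LAN traffic gets a dynamic translation, while each `nat server` line is a fixed inbound mapping that stays reachable from the outside regardless of the ACL. Keep the permit rules as narrow as the LAN really needs.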
There is one last command you could probably use: a static binding between inside and outside addresses. It can be used if you want, e.g., to translate FTP and web as one outside IP and the rest of the LAN's traffic as another. There can be many more reasons, e.g. not using a NAT address-group pool (which is a very good idea if you run a bigger network behind NAT).
Anyway, static binding NAT is done with this command:
#
nat static 192.168.2.2 10.0.3.2
#
And the NAT address pool is defined this way:
#
nat address-group 1 10.0.3.2 10.0.3.3
#
and applying it on the interface is done like this (the ACL referenced, 2001 here, must already be defined):
#
interface Ethernet0
nat outbound 2001 address-group 1
#
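As an added example of the scenario described above (one host always appears as a fixed outside address, the rest of the LAN goes through the pool), here is my own configuration, not the original post's: basic ACL 2001 is defined so that the interface command has something to reference, and it excludes the statically bound host first so that host is never picked up by the pool. The /29 on the WAN interface, the pool range 10.0.3.3 to 10.0.3.4 and the static outside address 10.0.3.5 are assumptions chosen so that the pool, the static binding and the interface address do not overlap; the `nat outbound static` line is an assumption about the release (see the comment). Lines beginning with `# ` followed by text are annotations, not configuration.

```text
#
# Basic ACL 2001: the LAN except the statically bound host (192.168.2.0/24 is an assumed subnet)
acl number 2001
# exclude 192.168.2.2 first; rules are matched in order, so it never reaches the pool
 rule 5 deny source 192.168.2.2 0
 rule 10 permit source 192.168.2.0 0.0.0.255
#
# pool of outside addresses for the dynamic NAPT (range is an assumption)
nat address-group 1 10.0.3.3 10.0.3.4
#
# 192.168.2.2 always appears as 10.0.3.5 (outside address is an assumption)
nat static 192.168.2.2 10.0.3.5
#
interface Ethernet0
 ip address 10.0.3.2 255.255.255.248
 nat outbound 2001 address-group 1
# assumption: on the releases I have used the static entry must also be enabled per interface with
# "nat outbound static"; remove this line if your release applies nat static without it
 nat outbound static
#
```

Because every address in the pool and the static binding sits in the same /29 as the interface address, the upstream router can reach all of them without any extra routing on its side. If the pool addresses are not in the interface subnet, the upstream must have a route for them pointing at this router.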
This is much more than I wanted to write about this simple topic, but I just got too into it. I hope this will be a useful quick howto for NAT on Huawei routers.
Update: I forgot to mention one important thing: on the 19-X and 29-X series it is not possible to create NAT over a loopback interface. This might save somebody a lot of time...
