Configuring ACL and NAT on Huawei AR Routers to Restrict Web Access
This guide demonstrates how to configure ACL and NAT on Huawei AR series routers to block internal hosts from accessing external web interfaces and to restrict web management access to specific subnets, including step‑by‑step command examples and verification procedures.
This document provides detailed configuration steps for Huawei ARV200R002C00 (and later) routers to implement network access control using ACLs and NAT, preventing internal hosts from reaching external web interfaces.
Section 1 – Restricting an Internal Host from Accessing External WEB Interfaces
Network Requirement 1: prevent the internal host 192.168.1.12/24 from accessing any external WEB UI. The topology is illustrated in Figure 15‑3.
Router Configuration
#
dhcp enable // enable DHCP function
#
acl number 2000 // ACL matching source 192.168.1.0/24 for NAT
rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3005 // ACL for packet filtering
description deny_source_ip_www
rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
rule 10 permit tcp source 192.168.1.12 0
#
ip pool pool1 // create global address pool
gateway-list 192.168.1.2 // DHCP client gateway
network 192.168.1.0 mask 255.255.255.0 // IP range for pool
dns-list 202.106.0.20 202.106.46.151 // DNS servers
#
interface Serial2/0/0
link-protocol ppp
ip address 219.143.125.234 255.255.255.252
nat outbound 2000 // enable NAT for 192.168.1.0/24
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
traffic-filter inbound acl 3005 // apply ACL on inbound traffic
dhcp select global // use global address pool
#
ip route-static 0.0.0.0 0.0.0.0 Serial2/0/0 // default route
#
Verification: run display traffic-filter statistics on the router to view the traffic statistics and confirm that the ACL is taking effect.
Section 2 – Restricting External Users from Accessing WEB Management
Network Requirement 2: RouterA’s GE1/0/0 connects to HostA. Only hosts in the 10.1.1.0/24 subnet may access the WEB management interface; all other subnets must be blocked. See Figure 15‑4.
Operational Steps
RouterA configuration:
#
http acl 2000
http server enable
acl number 2000 // match hosts allowed to access WEB management
rule 1 permit source 10.1.1.0 0.0.0.255
rule 10 deny
#
aaa
local-user huawei password cipher %@%@Dyb;#tOxsEBO@H@Jy'IX_:HK%@%@ // create local user huawei with encrypted password
local-user huawei service-type http // set access type to http
local-user huawei privilege level 3 // set privilege level
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 // IP for interface connecting to HostA
#
Verification: HostA can access RouterA’s WEB management interface, while hosts from other subnets cannot.
Configuration Notes
Ensure the username and password used by HostA match the local‑user configuration on RouterA.
If an unauthorized host reaches the login page, clicking login will report an invalid IP address.
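To make the ACL behaviour in both sections concrete, the following Python simulation is an added example (my own code, not Huawei's and not part of the original guide). It models how VRP evaluates the rule lines quoted on this page: the wildcard mask (a 1 bit means "don't care", and `0` is shorthand for an exact host match), ascending rule-ID matching order, and the no-match default. The function names, the sample source addresses 192.168.1.50, 10.1.1.25 and 10.1.2.25, and the assumption that traffic-filter permits a packet matching no rule are mine; the rule lines are the page's own. It also shows a point worth checking on a real deployment: ACL 3005 denies only `www` (TCP port 80), so the same host reaching a site over HTTPS on TCP 443 falls through to rule 10 and is permitted.

```python
"""Simulate how Huawei VRP basic/advanced ACL rules evaluate a packet.

Added example, not Huawei's code; it covers only the rule syntax used on this page.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# The page uses only the keyword `www`; VRP resolves it to TCP port 80.
WELL_KNOWN_PORTS = {"www": 80}


def _addr(text: str) -> int:
    # VRP accepts the shorthand `0` for a 0.0.0.0 wildcard (exact host match).
    return 0 if text == "0" else int(IPv4Address(text))


@dataclass
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # None: any protocol (basic ACL rule)
    src_addr: int = 0
    src_wildcard: int = 0xFFFFFFFF   # all-ones wildcard: any source
    dst_port: Optional[int] = None   # None: any destination port

    def matches(self, src: str, proto: str, dport: int) -> bool:
        # Wildcard semantics: a 1 bit means "don't care", so compare only the 0 bits.
        care = ~self.src_wildcard & 0xFFFFFFFF
        if (int(IPv4Address(src)) & care) != (self.src_addr & care):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse `rule <id> permit|deny [tcp] [source A W] [destination-port eq P]`."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    rule = Rule(number=int(tok[1]), action=tok[2])
    i = 3
    while i < len(tok):
        if tok[i] == "tcp":
            rule.protocol = "tcp"
            i += 1
        elif tok[i] == "source":
            rule.src_addr, rule.src_wildcard = _addr(tok[i + 1]), _addr(tok[i + 2])
            i += 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            rule.dst_port = WELL_KNOWN_PORTS.get(tok[i + 2]) or int(tok[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in {line!r}")
    return rule


def parse_acl(text: str) -> list[Rule]:
    """Take an `acl number ...` block as printed on the page; keep only the rule lines."""
    rules = [parse_rule(l.split("//")[0].strip())
             for l in text.splitlines() if l.strip().startswith("rule ")]
    # match-order config (the default): rules are tried in ascending rule-ID order.
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: list[Rule], src: str, proto: str, dport: int,
             no_match: str = "permit") -> str:
    """Return the action of the first matching rule, else `no_match`.

    Assumption (stated in the lead-in): traffic-filter permits packets that match no
    rule. The page's `http acl` list ends with an explicit `rule 10 deny`, so it does
    not depend on that default.
    """
    for rule in rules:
        if rule.matches(src, proto, dport):
            return rule.action
    return no_match


# --- Constructed inputs: the two ACLs from the page and a few sample flows ---
ACL_3005 = """
acl number 3005
 description deny_source_ip_www
 rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
 rule 10 permit tcp source 192.168.1.12 0
"""

ACL_2000_HTTP = """
acl number 2000
 rule 1 permit source 10.1.1.0 0.0.0.255
 rule 10 deny
"""


def section1_results() -> dict:
    rules = parse_acl(ACL_3005)
    return {
        "host_to_http": evaluate(rules, "192.168.1.12", "tcp", 80),        # deny
        "host_to_https": evaluate(rules, "192.168.1.12", "tcp", 443),      # permit: rule 5 covers port 80 only
        "other_host_to_http": evaluate(rules, "192.168.1.50", "tcp", 80),  # no rule matches: default permit
    }


def section2_results() -> dict:
    rules = parse_acl(ACL_2000_HTTP)
    return {
        "hostA_subnet": evaluate(rules, "10.1.1.25", "tcp", 80),  # permit (rule 1)
        "other_subnet": evaluate(rules, "10.1.2.25", "tcp", 80),  # deny (rule 10)
    }


if __name__ == "__main__":
    print(section1_results())
    print(section2_results())
```

Running the block prints one dictionary per section. The `host_to_https` result is the one to read twice: if the requirement is "no external WEB UI at all", a second deny rule for port 443 (or a broader rule) would be needed, and `display traffic-filter statistics` would show whether the added rule is matching.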