Troubleshooting NAT Access Issues for an Internal Web Server on a Huawei Router
This article explains why accessing an internal web server via its public NAT address fails, analyzes the current Huawei router configuration, and provides step‑by‑step NAT and ACL adjustments along with alternative access methods to resolve the issue.
The problem described is that the internal server is reachable using its local address (http://192.168.1.139:8081/test/test.html) but not via the public NAT address (http://112.83.127.77:8081/test/test.html), indicating a misconfiguration of NAT or related ACLs on the Huawei router.
Current configuration snippets include basic system settings, VLAN and interface definitions, and a NAT server rule:
snmp-agent local-engineid 800007DB03707BE8759119
snmp-agent
voice
drop illegal-mac alarm
vlan batch 4
set transceiver-monitoring disable
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
nat address-group 1 112.83.127.77 112.83.127.77
interface Vlanif4
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0/0
 port link-type access
 port default vlan 4
 qos car inbound cir 3084
interface GigabitEthernet0/0/0
 ip address 112.83.127.77 255.255.255.240
 nat server protocol tcp global current-interface 8081 inside 192.168.1.139 8081
 nat outbound 2000
To resolve the issue, the article suggests re‑configuring NAT based on the desired access method. Five typical access scenarios for internal servers are listed, with the most relevant being the case where the internal server has no domain name and external users access it via the public IP; this requires a NAT server configuration on the router.
For this scenario, the recommended steps are:
If the server has a domain name and DNS is external, enable DNS ALG and add a DNS mapping (11.49.118.242 is the internal server's external IP):
nat alg dns enable
nat dns-map abcdef.com 11.49.118.242 80 tcp
If the server has no domain name and is accessed via its public IP, create an ACL and traffic redirection policy to forward incoming traffic to the internal server:
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 11.11.11.11 0
traffic classifier redirect operator or
 if-match acl 3000
traffic behavior redirect
 redirect ip-nexthop 11.11.11.1 # must specify next‑hop IP
traffic policy redirect
 classifier redirect behavior redirect
After applying the above NAT and ACL configuration, the external address http://112.83.127.77:8081/test/test.html should correctly forward to the internal server, restoring access for external users.
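As an added illustration (not part of the original article or of any Huawei tooling), the Python below parses the NAT-related lines of the router configuration shown earlier, lists what each nat server rule publishes to the outside, and flags a nat outbound that references an undefined ACL. The function names are hypothetical, and it assumes sub-commands are indented by one space under their interface or ACL.

```python
import re

# Constructed sample: the NAT-relevant lines of the configuration shown in the article.
CONFIG = """\
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
interface Vlanif4
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0/0
 ip address 112.83.127.77 255.255.255.240
 nat server protocol tcp global current-interface 8081 inside 192.168.1.139 8081
 nat outbound 2000
"""

NAT_SERVER = re.compile(
    r"nat server protocol (\S+) global (\S+) (\d+) inside (\S+) (\d+)")

def audit_nat(config):
    """Return (published mappings, findings) for a VRP-style configuration."""
    acls, if_ip, servers, outbound, iface = set(), {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # an unindented line opens a new view
            iface = line.split()[1] if line.startswith("interface ") else None
        if m := re.match(r"acl number (\d+)", line):
            acls.add(m.group(1))
        elif iface and (m := re.match(r"ip address (\S+) \S+", line)):
            if_ip[iface] = m.group(1)
        elif iface and (m := NAT_SERVER.match(line)):
            servers.append((iface, *m.groups()))
        elif iface and (m := re.match(r"nat outbound (\d+)", line)):
            outbound.append((iface, m.group(1)))
    mappings, findings = [], []
    for iface, proto, glob, gport, inside, iport in servers:
        # "current-interface" means the address configured on that interface
        public = if_ip.get(iface) if glob == "current-interface" else glob
        if public is None:
            findings.append(f"{iface}: nat server has no resolvable global address")
            continue
        mappings.append((proto, public, int(gport), inside, int(iport)))
    for iface, acl in outbound:
        if acl not in acls:
            findings.append(f"{iface}: nat outbound references undefined acl {acl}")
    return mappings, findings

def published_target(mappings, proto, public_ip, port):
    """Inside (ip, port) that a public endpoint is forwarded to, or None."""
    return next(((i, ip) for p, g, gp, i, ip in mappings
                 if (p, g, gp) == (proto, public_ip, port)), None)
```

For the configuration above, audit_nat reports 112.83.127.77:8081/tcp forwarded to 192.168.1.139:8081 with no findings, so the published mapping matches the URL that fails.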
Practical DevOps Architecture
