Checking Whether the Correct ACL Rule Is Bound to Outbound NAT

Procedure

1. Run the display nat outbound command on the router to check whether outbound NAT is correctly configured on the outbound interface.

   <Huawei> display nat outbound 
    NAT Outbound Information:                                                      
    --------------------------------------------------------------------------     
    Interface                     Acl     Address-group/IP/Interface      Type     
    --------------------------------------------------------------------------     
    GigabitEthernet0/0/0         2000                        1.1.1.1    easyip     
    GigabitEthernet0/0/1         3000                              1       pat     
    --------------------------------------------------------------------------     
     Total : 2                                                                     

   The preceding command output shows that ACL 3000 is bound to outbound NAT configured on the NAT outbound interface GigabitEthernet0/0/1.

2. Check whether the rule of ACL 3000 is correctly configured. If the correct IP address, port number, or protocol type is not configured in the rule of ACL 3000, packets cannot be properly forwarded.

   Run the display acl 3000 command to check the configuration of outbound NAT associated with ACL 3000.

   [Huawei] display acl 3000 
   Advanced ACL 3000, 1 rule  
   Acl's step is 5  
    rule 5 permit tcp source 192.168.1.100 0

   The preceding ACL rule allows TCP packets with the source IP address 192.168.1.100 to pass through and NAT is performed for the packets.

3. If the ACL rule is incorrectly configured, reconfigure the ACL rule.

   Users on the network segment 192.168.1.0/24 want to access the Internet. Add a rule to ACL 3000 to allow IP packets with the source IP address 192.168.1.0/24 to pass through.

   [Huawei] system-view 
   [Huawei] acl 3000
   [Huawei-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255