Configuration Methods

Application Limitations

  • NAT must be configured on the firewall and network communication must be working. No particular networking mode (such as bypass or direct connection) is required for access through the firewall.
  • The client cannot connect directly to cameras to obtain media streams.
  • In NAT networking, networks are classified as extranets or intranets. All intranets must be connected through the same extranet in order to communicate. For example, all campus intranets are connected through the private network, which functions as the extranet.
  • When selecting or configuring a firewall, you are advised to ensure that the firewall bandwidth is twice the maximum concurrent video traffic that traverses the firewall. Otherwise, the forwarding performance of the firewall may be insufficient for a large number of burst streams, causing packet loss or delay, which in turn leads to video stuttering or artifacts.
  • Only compatible devices can be connected. For details, see the HWT-IVS1800 Compatibility List. If an incompatible device is to be connected, you can submit customization requirements or perform verification by yourself.
  • In the scenario where cameras are on the intranet and registered passively:
    • The iClient S100 does not allow users to add multiple cameras with the same IP address.
    • Cameras to be connected through ONVIF (passive registration) must support NAT.

Figure 5-51 Overall network diagram

NAT Network Between the iClient S100 and HWT-IVS1800

iClient S100 on an Extranet and HWT-IVS1800 on an Intranet

Network

If the iClient S100 is on an extranet and the HWT-IVS1800 is on an intranet, you need to translate the IP address and port number of the HWT-IVS1800 to an extranet IP address and port number for the iClient S100 to access, as shown in Figure 5-52.

Figure 5-52 iClient S100 on an extranet and HWT-IVS1800 on an intranet

Data Plan

This section uses NAT mapping based on IP address and port translation as the example for the data plan.

NAT based on IP address translation alone is simpler: in addition to the IP address NAT on the firewall, the ports in the data plan must be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-29 Data plan

NE | Require Configuration on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
iClient S100 | No | - | - | - | -
Firewall | Yes | 192.168.10.10 | 10.10.10.10 | Nginx (HTTPS): 18531; MU (RTSP): 554; OMU (HTTPS): 8443 | Nginx (HTTPS): 18531; MU (RTSP): 554; OMU (HTTPS): 8443
HWT-IVS1800 | Yes | Nginx: 192.168.10.10; MU: 192.168.10.10; IMGU: 192.168.10.10 | Nginx: 10.10.10.10; MU: 10.10.10.10; IMGU: 10.10.10.10 | Nginx: 18531; MU: 554; OMU: 8443 | Nginx: 18531; MU: 554; OMU: 8443

NOTE (applies to the HWT-IVS1800 port numbers):
  • If the port configured on the firewall is the default port of the module, enter the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • For the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on the Firewall

  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of the HWT-IVS1800>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

    In the preceding commands, <name> is the unique name of the NAT server. The name must meet the following requirements:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone or a leading substring of any of these keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and check that it matches the data plan.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then configure NAT again.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the device in the Trust security zone> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping for SIP.

      By default, the firewall treats port 5060 as the SIP port. However, GB/T 28181 uses SIP port 5080, so port 5080 must be mapped to SIP. ACL 2000 with a bare rule permit matches all traffic, so the mapping applies to every flow the firewall inspects.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure NAT ALG on the firewall so that SIP packets are forwarded correctly.

      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are registered successfully, run the display firewall session table command on the firewall to view the session table. Output like the following indicates that the settings have taken effect (the public source address is masked as X.X.X.X):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall, so that packets returned from the extranet are forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.
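The verification in step 5 relies on reading the session table by eye. The following Python script, added here as an example and not part of the HWT-IVS1800 documentation, parses output in the format shown above and checks that a SIP session arriving at the post-NAT address on port 5080 was translated to the expected inside address. The sample output is constructed: a documentation address stands in for the masked X.X.X.X, and a third, untranslated session line is included to show that the bracketed inside address is optional.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample in the format of 'display firewall session table'
# as shown on the page (203.0.113.5 replaces the masked X.X.X.X).
SAMPLE_SESSION_TABLE = """\
Current Total Sessions : 3
sip VPN:public --> public 203.0.113.5:2107-->10.10.10.10:5080[192.168.10.13:5080]
tcp VPN:public --> public 203.0.113.5:40112-->10.10.10.10:554[192.168.10.10:554]
tcp VPN:public --> public 192.168.10.13:49160-->192.168.10.10:80
"""

# One session line: proto, VPN instances, src ip:port, dst ip:port and an
# optional [inside ip:port] that the firewall appends when it translated the flow.
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)-->"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?$"
)


@dataclass(frozen=True)
class Session:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_ip: Optional[str]    # inside address shown in [...] when NAT applied
    nat_port: Optional[int]


def parse_session_table(text: str) -> Tuple[Optional[int], List[Session]]:
    """Parse the 'Current Total Sessions' header and every session line."""
    total: Optional[int] = None
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Current Total Sessions"):
            total = int(line.split(":", 1)[1])
            continue
        m = SESSION_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised session line: {line!r}")
        g = m.groupdict()
        sessions.append(Session(
            proto=g["proto"],
            src_ip=g["src_ip"], src_port=int(g["src_port"]),
            dst_ip=g["dst_ip"], dst_port=int(g["dst_port"]),
            nat_ip=g["nat_ip"],
            nat_port=int(g["nat_port"]) if g["nat_port"] else None,
        ))
    return total, sessions


def sip_nat_in_effect(sessions: Sequence[Session], global_ip: str, global_port: int,
                      inside_ip: str, inside_port: int) -> bool:
    """True when a SIP session to the post-NAT address/port was translated to the
    expected inside address/port: the evidence the verification step looks for."""
    return any(
        s.proto == "sip"
        and s.dst_ip == global_ip and s.dst_port == global_port
        and s.nat_ip == inside_ip and s.nat_port == inside_port
        for s in sessions
    )


if __name__ == "__main__":
    total, sessions = parse_session_table(SAMPLE_SESSION_TABLE)
    print(f"{total} sessions reported, {len(sessions)} parsed")
    print("SIP NAT ALG in effect:",
          sip_nat_in_effect(sessions, "10.10.10.10", 5080, "192.168.10.13", 5080))
```

The check is deliberately strict about the inside port: a session translated to 192.168.10.13 on a port other than 5080 would mean the port mapping from sub-step 1 is not what you intended.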

Configuring NAT on the HWT-IVS1800

  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-53.

    Figure 5-53 Configuring NAT information

    The parameters to be set vary depending on the scenario where the iClient S100 is connected to the HWT-IVS1800.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the iClient S100 only through the northbound interface, set the parameters described in Table 5-30.
      Table 5-30 Parameter description

      Module | Parameter | Description
      PUBLIC | NNatIP | Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatRtspServerPort | Post-NAT northbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the iClient S100 only through the southbound interface, set the parameters described in Table 5-31.
      Table 5-31 Parameter description

      Module | Parameter | Description
      PUBLIC | SNatIP | Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatSRtspPort | Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the iClient S100 through both the southbound and northbound interfaces, set the parameters described in Table 5-30 and Table 5-31.

  4. Log in to the iClient S100 again and add the HWT-IVS1800.

    When adding a device, use the HWT-IVS1800 IP address and port number translated on the firewall.
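The naming rules in step 2 of the firewall procedure, the "use 0 for a default port" note under Table 5-29, and the parameters in Table 5-30 can all be checked mechanically before either device is touched. The following Python script is an added example, not code from the HWT-IVS1800 documentation: it validates a NAT server name against the stated rules, renders the single-IP/single-port nat server commands for the Table 5-29 plan, and derives the NNatIP and NatRtspServerPort values for the northbound-only scenario. The name prefix ivs1800, the hyphenated per-module names, and treating every listed port as TCP are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Reserved words from the naming rules: a NAT server name may not be one of
# RESERVED_EXACT, nor a keyword in RESERVED_PREFIX or any leading substring
# of it (e.g. "n", "na", "nam" for "name").
RESERVED_EXACT = ("all", "vsys", "all-systems")
RESERVED_PREFIX = ("name", "global", "protocol", "vpn-instance", "zone")

# Default ports per module as given in Table 5-29; the OMU portal's
# NatRtspServerPort refers to the MU (RTSP) port.
DEFAULT_PORTS = {"Nginx": 18531, "MU": 554, "OMU": 8443}


def validate_nat_server_name(name: str) -> bool:
    """Return True if `name` satisfies the NAT server naming rules on the page."""
    if not 1 <= len(name) <= 256:
        return False
    if not name[0].isalnum():
        return False
    if name in RESERVED_EXACT:
        return False
    # kw.startswith(name) is True when name == kw and when name is a
    # leading substring of kw; both are forbidden.
    return not any(kw.startswith(name) for kw in RESERVED_PREFIX)


@dataclass(frozen=True)
class PortMapping:
    module: str         # "Nginx", "MU" or "OMU"
    proto: str          # "tcp" or "udp" (assumed tcp for all three here)
    pre_nat_port: int   # port on the intranet HWT-IVS1800
    post_nat_port: int  # port exposed on the firewall's extranet address


@dataclass(frozen=True)
class NatPlan:
    name_prefix: str    # assumed prefix used to build one unique name per mapping
    pre_nat_ip: str     # intranet IP address of the HWT-IVS1800
    post_nat_ip: str    # post-NAT (extranet) IP address on the firewall
    ports: Tuple[PortMapping, ...]


def render_nat_server_commands(plan: NatPlan) -> List[str]:
    """One 'nat server' line per port mapping, in the single-port form from step 2."""
    cmds: List[str] = []
    for m in plan.ports:
        name = f"{plan.name_prefix}-{m.module.lower()}"
        if not validate_nat_server_name(name):
            raise ValueError(f"invalid NAT server name: {name}")
        cmds.append(
            f"nat server {name} protocol {m.proto} global {plan.post_nat_ip} "
            f"{m.post_nat_port} inside {plan.pre_nat_ip} {m.pre_nat_port} unr-route"
        )
    return cmds


def omu_port_value(post_nat_port: int, default_port: int) -> int:
    """The OMU portal takes 0 when the firewall uses the module's default port."""
    return 0 if post_nat_port == default_port else post_nat_port


def omu_nat_parameters(plan: NatPlan) -> Dict[str, object]:
    """PUBLIC module values for the northbound-only scenario (Table 5-30)."""
    mu = next(m for m in plan.ports if m.module == "MU")
    return {
        "NNatIP": plan.post_nat_ip,
        "NatRtspServerPort": omu_port_value(mu.post_nat_port, DEFAULT_PORTS["MU"]),
    }


# Constructed sample plan using the addresses and ports from Table 5-29.
TABLE_5_29 = NatPlan(
    name_prefix="ivs1800",
    pre_nat_ip="192.168.10.10",
    post_nat_ip="10.10.10.10",
    ports=(
        PortMapping("Nginx", "tcp", 18531, 18531),
        PortMapping("MU", "tcp", 554, 554),
        PortMapping("OMU", "tcp", 8443, 8443),
    ),
)

if __name__ == "__main__":
    for line in render_nat_server_commands(TABLE_5_29):
        print(line)
    print(omu_nat_parameters(TABLE_5_29))
```

Because the OMU values are derived from the same plan object that produced the firewall commands, the two sides cannot drift apart; if you later move the MU to a non-default extranet port, NatRtspServerPort changes from 0 to that port automatically, which is exactly the rule the note under Table 5-29 states.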

iClient S100 on an Intranet and HWT-IVS1800 on an Extranet

Network

If the iClient S100 is on an intranet and the HWT-IVS1800 is on an extranet, you need to configure the network route and firewall so that the iClient S100 can reach the HWT-IVS1800.

The following describes how to configure firewall NAT. On the firewall, you need to translate the IP address of the computer running the iClient S100 to an extranet IP address, so that users can log in to the iClient S100 with the HWT-IVS1800 extranet IP address and port number to view live and recorded video and perform other service operations, as shown in Figure 5-54.

Figure 5-54 iClient S100 on an intranet and HWT-IVS1800 on an extranet

Data Plan

Table 5-32 Data plan

NE | Require Configuration on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
iClient S100 | Yes | 172.16.10.30 | 10.10.10.30 | 58097, 58103, 58102 | 58097, 58103, 58102
Firewall | Yes (optional): you can either configure NAT or use routers and switches to connect the iClient S100 to the video and image management platform | 172.16.10.30 | 10.10.10.30 | 58097 | 58097
HWT-IVS1800 | No | - | - | - | -

(Optional) Configuring NAT on the Firewall

  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of the computer running the client>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

    In the preceding commands, <name> is the unique name of the NAT server. The name must meet the following requirements:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone or a leading substring of any of these keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and check that it matches the data plan.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then configure NAT again.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the device in the Trust security zone> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping for SIP.

      By default, the firewall treats port 5060 as the SIP port. However, GB/T 28181 uses SIP port 5080, so port 5080 must be mapped to SIP. ACL 2000 with a bare rule permit matches all traffic, so the mapping applies to every flow the firewall inspects.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure NAT ALG on the firewall so that SIP packets are forwarded correctly.

      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are registered successfully, run the display firewall session table command on the firewall to view the session table. Output like the following indicates that the settings have taken effect (the public source address is masked as X.X.X.X):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.10) on the router, with the next hop being the intranet IP address of the firewall, so that packets returned from the extranet are forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

iClient S100 and HWT-IVS1800 on Different Intranets

Network

If the iClient S100 and HWT-IVS1800 are on different intranets, you need to configure NAT for the iClient S100 and HWT-IVS1800 respectively.

After NAT is configured for the iClient S100 and HWT-IVS1800, you can use the extranet HWT-IVS1800 IP address to log in to the iClient S100 to view live and recorded video and perform other service operations, as shown in Figure 5-55.

Figure 5-55 iClient S100 and HWT-IVS1800 on different intranets

Data Plan

This section uses NAT mapping based on IP address and port translation as the example for the data plan.

NAT based on IP address translation alone is simpler: in addition to the IP address NAT on the firewall, the ports in the data plan must be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-33 Data plan

NE | Require Configuration on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
iClient S100 | Yes | 172.16.10.30 | 10.10.10.30 | 58097 | 58097
Firewall 1 | Yes (optional): you can either configure NAT or use routers and switches to connect the iClient S100 to the video and image management platform | 172.16.10.30 | 10.10.10.30 | 58097 | 58097
Firewall 2 | Yes | 192.168.10.10 | 10.10.10.10 | Nginx (HTTPS): 18531; MU (RTSP): 554 | Nginx (HTTPS): 18531; MU (RTSP): 554
HWT-IVS1800 | Yes | Nginx: 192.168.10.10; MU: 192.168.10.10 | Nginx: 10.10.10.10; MU: 10.10.10.10 | Nginx: 18531; MU: 554 | Nginx: 18531; MU: 554

NOTE (applies to the HWT-IVS1800 port numbers):
  • If the port configured on the firewall is the default port of the module, enter the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • For the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to access the SMTP port of the email server.

(Optional) Configuring NAT on Firewall 1

  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of the computer running the client>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

    In the preceding commands, <name> is the unique name of the NAT server. The name must meet the following requirements:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone or a leading substring of any of these keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and check that it matches the data plan.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then configure NAT again.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the device in the Trust security zone> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping for SIP.

      By default, the firewall treats port 5060 as the SIP port. However, GB/T 28181 uses SIP port 5080, so port 5080 must be mapped to SIP. ACL 2000 with a bare rule permit matches all traffic, so the mapping applies to every flow the firewall inspects.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure NAT ALG on the firewall so that SIP packets are forwarded correctly.

      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are registered successfully, run the display firewall session table command on the firewall to view the session table. Output like the following indicates that the settings have taken effect (the public source address is masked as X.X.X.X):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.10) on the router, with the next hop being the intranet IP address of the firewall, so that packets returned from the extranet are forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on Firewall 2

  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of the HWT-IVS1800>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

    In the preceding commands, <name> is the unique name of the NAT server. The name must meet the following requirements:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone or a leading substring of any of these keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and check that it matches the data plan.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then configure NAT again.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the device in the Trust security zone> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping for SIP.

      By default, the firewall treats port 5060 as the SIP port. However, GB/T 28181 uses SIP port 5080, so port 5080 must be mapped to SIP. ACL 2000 with a bare rule permit matches all traffic, so the mapping applies to every flow the firewall inspects.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure NAT ALG on the firewall so that SIP packets are forwarded correctly.

      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are registered successfully, run the display firewall session table command on the firewall to view the session table. Output like the following indicates that the settings have taken effect (the public source address is masked as X.X.X.X):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall, so that packets returned from the extranet are forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800

  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-56.

    Figure 5-56 Configuring NAT information

    The parameters to be set vary depending on the scenario where the iClient S100 is connected to the HWT-IVS1800.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the iClient S100 only through the northbound interface, set the parameters described in Table 5-34.
      Table 5-34 Parameter description

      Module | Parameter | Description
      PUBLIC | NNatIP | Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatRtspServerPort | Post-NAT northbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the iClient S100 only through the southbound interface, set the parameters described in Table 5-35.
      Table 5-35 Parameter description

      Module | Parameter | Description
      PUBLIC | SNatIP | Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatSRtspPort | Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the iClient S100 through both the southbound and northbound interfaces, set the parameters described in Table 5-34 and Table 5-35.

  4. Log in to the iClient S100 again and add HWT-IVS1800 devices.

    When adding a device, use the HWT-IVS1800 IP address and port number translated on the firewall.

NAT Network Between the HWT-IVS1800 and the Upper-Level Video and Image Management Platform

Upper-Level Video and Image Management Platform on an Extranet and HWT-IVS1800 on an Intranet

Context

Network

If the upper-level video and image management platform is on an extranet and the HWT-IVS1800 is on an intranet, the HWT-IVS1800 cannot be registered with the upper-level video and image management platform. To solve this problem, you can configure NAT by translating the IP address and port number of the HWT-IVS1800 to those on an extranet, as shown in Figure 5-57.

Figure 5-57 Upper-level video and image management platform on an extranet and HWT-IVS1800 on an intranet

Protocols That Support NAT

Table 5-36 Protocols that support NAT

Registration Type | Protocol | Support NAT | Procedure
Passive registration | ONVIF | Yes | ONVIF
Passive registration | RESTful | Yes | RESTful
Proactive registration | GB/T 28181 | Yes | Static NAT
Proactive registration | ONVIF | |

Data Plan

This section uses NAT mapping based on IP address and port translation as the example for the data plan.

NAT based on IP address translation alone is simpler: in addition to the IP address NAT on the firewall, the ports in the data plan must be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-37 Data plan

NE | Require Configuration on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | No | - | - | - | -
Firewall | Yes | 192.168.10.10 | 10.10.10.10 | MU (RTSP): 554; OCG (HTTPS): 8079; OCG (HTTP): 80 | MU (RTSP): 554; OCG (HTTPS): 8079; OCG (HTTP): 80
HWT-IVS1800 | Yes | MU: 192.168.10.10; OCG: 192.168.10.10 | MU: 10.10.10.10; OCG: 10.10.10.10 | MU: 554 | MU: 554

NOTE (applies to the HWT-IVS1800 port numbers):
  • If the port configured on the firewall is the default port of the module, enter the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • For the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on the Firewall

  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of the HWT-IVS1800>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port> <post-NAT end port> inside <IP address> <start port> <end port> unr-route

    In the preceding commands, <name> is the unique name of the NAT server. The name must meet the following requirements:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone or a leading substring of any of these keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and check that it matches the data plan.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then configure NAT again.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the device in the Trust security zone> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping for SIP.

      By default, the firewall treats port 5060 as the SIP port. However, GB/T 28181 uses SIP port 5080, so port 5080 must be mapped to SIP. ACL 2000 with a bare rule permit matches all traffic, so the mapping applies to every flow the firewall inspects.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure NAT ALG on the firewall so that SIP packets are forwarded correctly.

      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are registered successfully, run the display firewall session table command on the firewall to view the session table. Output like the following indicates that the settings have taken effect (the public source address is masked as X.X.X.X):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-58.

    Figure 5-58 Configuring NAT information

    The parameters to be set vary depending on the scenario where the HWT-IVS1800 is connected to the upper-level video and image management platform.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the upper-level video and image management platform only through the northbound interface, set the parameters described in Table 5-38.

      Table 5-38 Parameter description

      Module | Parameter | Description
      PUBLIC | OCG_NAT_LIST | List of subnets used by the HWT-IVS1800 to determine whether NAT needs to be applied to the IP addresses of northbound devices. See the notes on OCG_NAT_LIST below the table.
      PUBLIC | NNatIP | Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatRtspServerPort | Post-NAT northbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.
      PUBLIC | OCGListeningAdapter | Select eth1. This parameter is involved only in dual-address mode; in single-address mode it is not involved by default.

      Notes on OCG_NAT_LIST:
      • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except the standard private subnet addresses by default. The standard private IP address ranges are as follows:
        • Class A: 10.0.0.1 to 10.255.255.254
        • Class B: 172.16.0.1 to 172.31.255.254
        • Class C: 192.168.0.1 to 192.168.255.254
      • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the NAT subnet list. If there are multiple IP subnets, separate them with semicolons (;), for example, 192.168.1.0/24;192.168.2.0/24.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the upper-level video and image management platform only through the southbound interface, set the parameters described in Table 5-39.

      In dual-address mode, the HWT-IVS1800 cannot be connected to the upper-level video and image management platform through the southbound and northbound interfaces simultaneously.

      Table 5-39 Parameter description

      Module | Parameter | Description
      PUBLIC | OCG_NAT_LIST | List of subnets used by the HWT-IVS1800 to determine whether NAT needs to be applied to the IP addresses of northbound devices. The rules are the same as for Table 5-38 (see the notes on OCG_NAT_LIST above).
      PUBLIC | SNatIP | Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatSRtspPort | Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.
      PUBLIC | OCGListeningAdapter | Select eth0.
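As an added example (not part of this document or of the HWT-IVS1800 software), the following Python code reproduces the OCG_NAT_LIST decision rule described in Table 5-38 and Table 5-39, so that a planned list value can be checked against the northbound device addresses before it is entered on the OMU portal. The function names and the sample device addresses are constructed for the example; the semicolon-separated list syntax and the private address ranges are those stated in the tables.

```python
"""Reproduce the OCG_NAT_LIST decision rule (constructed example, not product code).

Rule from the parameter tables:
  * OCG_NAT_LIST empty -> NAT is applied to every northbound address except the
    standard private ranges (Class A/B/C as listed on the page).
  * OCG_NAT_LIST set   -> NAT is applied to every address, private ones included,
    except those inside one of the listed subnets.
"""
import ipaddress

# Standard private host ranges exactly as the page lists them (first to last host).
STANDARD_PRIVATE_RANGES = (
    (ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.255.255.254")),
    (ipaddress.ip_address("172.16.0.1"), ipaddress.ip_address("172.31.255.254")),
    (ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("192.168.255.254")),
)


def parse_nat_list(value: str) -> list:
    """Parse an OCG_NAT_LIST value such as '192.168.1.0/24;192.168.2.0/24'.

    Returns a list of IPv4 networks; an empty or blank value returns [] and means
    'no user-defined list'. A malformed entry raises ValueError, so a typo is caught
    when the plan is checked instead of silently changing which hosts get NAT.
    """
    nets = []
    for item in value.split(";"):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def needs_nat(device_ip: str, ocg_nat_list: str = "") -> bool:
    """Return True if the HWT-IVS1800 would apply NAT to this northbound address."""
    ip = ipaddress.ip_address(device_ip)
    nets = parse_nat_list(ocg_nat_list)
    if nets:
        # User-defined list: only the listed subnets are exempt from NAT.
        return not any(ip in net for net in nets)
    # No list: only the standard private ranges are exempt from NAT.
    return not any(low <= ip <= high for low, high in STANDARD_PRIVATE_RANGES)


def plan_report(device_ips, ocg_nat_list: str = "") -> dict:
    """Map each planned northbound device address to its NAT decision."""
    return {ip: needs_nat(ip, ocg_nat_list) for ip in device_ips}


if __name__ == "__main__":
    # Constructed sample: two intranet devices and one address outside the private ranges.
    devices = ["192.168.10.20", "10.10.10.90", "203.0.113.5"]
    print("default rule:", plan_report(devices))
    print("with list   :", plan_report(devices, "192.168.10.0/24"))
```

Note the second call: once a list is configured, 10.10.10.90 gets NAT even though it is a private address, which is exactly the behaviour the tables describe for a user-defined list.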

RESTful

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-40 Data plan

NE | Configuration Required on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | No | - | - | - | -
Firewall | Yes | 192.168.10.10 | 10.10.10.10 | MU: RTSP 554, UDP 21200 to 22231; Nginx: HTTPS 18531 | MU: RTSP 554, UDP 21200 to 22231; Nginx: HTTPS 18531
HWT-IVS1800 | Yes | MU, SMU, and IMGU: 192.168.10.10 | MU, SMU, and IMGU: 10.10.10.10 | MU: 554 | MU: 554

NOTE (Firewall row):
  • The UDP port of the MU on the firewall must be the same as that set on the HWT-IVS1800. If the default UDP port of the MU is already occupied on the firewall and cannot be changed there, change the default port on the OMU portal and configure the new port on the firewall.
  • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NOTE (HWT-IVS1800 row):
  • If the port configured on the firewall is the default port of the module, use the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on the Firewall
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server name global Post-NAT IP address inside IP address of HWT-IVS1800

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

    In the preceding commands, name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address IP address of device in the Trust security zone 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of the security policy (policy_sec1 in the prompts above). You can configure multiple security policies as required.
    • IP address of device in the Trust security zone: pre-NAT IP address of the intranet device, specified with the 32-bit mask length. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping so that the firewall identifies SIP on port 5080.

      By default, the firewall identifies SIP on port 5060. GB/T 28181 uses SIP port 5080, so this step is required.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure firewall NAT ALG so that SIP packets are forwarded correctly.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. Output like the following, in which a sip session to the post-NAT address 10.10.10.10:5080 is translated to the intranet address shown in brackets, indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-59.

    Figure 5-59 Configuring NAT information

    The parameters to be set vary depending on the scenario where the HWT-IVS1800 is connected to the upper-level video and image management platform.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the upper-level video and image management platform only through the northbound interface, set the parameters described in Table 5-41.

      Table 5-41 Parameter description

      Module | Parameter | Description
      PUBLIC | NNatIP | Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatRtspServerPort | Post-NAT northbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the upper-level video and image management platform only through the southbound interface, set the parameters described in Table 5-42.

      In dual-address mode, the HWT-IVS1800 cannot be connected to the upper-level video and image management platform through the southbound and northbound interfaces simultaneously.

      Table 5-42 Parameter description

      Module | Parameter | Description
      PUBLIC | SNatIP | Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | NatSRtspPort | Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall.

GB/T 28181

Dynamic NAT

Application Scenario

The HWT-IVS1800 on an intranet is connected to the upper-level video and image management platform on an extranet (without fixed IP addresses) through GB/T 28181.

Assume that the HWT-IVS1800 on an intranet is connected to the video and image management platform on the Internet through a router (with the LAN port of the router connected to the HWT-IVS1800 and the WAN port of the router connected to the Internet), and the IP address of the WAN port is dynamically allocated by the carrier. In this scenario, the router will dynamically translate the source IP address (IP address of the LAN port) into the IP address of the WAN port.

Data Plan
Table 5-43 Data plan

NE | Configuration Required on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | No | - | - | - | -
Firewall | Yes | 192.168.10.10 | - | MU: TCP 11400 to 11465, UDP 21200 to 21719; PCG: UDP 5061 | Dynamically generated by the router or firewall.
HWT-IVS1800 | Yes | MU and PCG: 192.168.10.10 | - | PCG: 5061 | -


Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-60.

    Figure 5-60 Configuring NAT information
    Table 5-44 describes the parameters.

    Table 5-44 Parameter description

    Module | Parameter | Description
    PCG | PCGSipRport | Set this parameter to 1.

Static NAT

Prerequisites

You have set PCGSipRport to 1 by referring to Configuring NAT on the HWT-IVS1800.

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-45 Data plan

NE | Configuration Required on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | No | - | - | - | -
Firewall | Yes | 192.168.10.10 | 10.10.10.10 | MU: TCP 11400 to 11529, UDP 21200 to 22231; PCG: UDP 5061 | MU: TCP 11400 to 11529, UDP 21200 to 22231; PCG: UDP 5061
HWT-IVS1800 | Yes | MU and PCG: 192.168.10.10 | MU and PCG: 10.10.10.10 | PCG: 5061 | PCG: 5061

NOTE (Firewall row):
  • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU are already occupied on the firewall and cannot be changed there, change the default ports on the OMU portal and configure the new ports on the firewall.
  • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NOTE (HWT-IVS1800 row):
  • If the port configured on the firewall is the default port of the module, use the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on the Firewall
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server name global Post-NAT IP address inside IP address of HWT-IVS1800

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

    In the preceding commands, name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address IP address of device in the Trust security zone 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of the security policy (policy_sec1 in the prompts above). You can configure multiple security policies as required.
    • IP address of device in the Trust security zone: pre-NAT IP address of the intranet device, specified with the 32-bit mask length. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping so that the firewall identifies SIP on port 5080.

      By default, the firewall identifies SIP on port 5060. GB/T 28181 uses SIP port 5080, so this step is required.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure firewall NAT ALG so that SIP packets are forwarded correctly.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. Output like the following, in which a sip session to the post-NAT address 10.10.10.10:5080 is translated to the intranet address shown in brackets, indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-61.

    Figure 5-61 Configuring NAT information

    The parameters to be set vary depending on the scenario where the HWT-IVS1800 is connected to the upper-level video and image management platform.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the upper-level video and image management platform only through the northbound interface, set the parameters described in Table 5-46.

      Table 5-46 Parameter description

      Module | Parameter | Description
      MU | TcpSendMediaPort | Start TCP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies this port and the following 65 port numbers. The value range is [10000,30000], and [n,n+65] cannot contain port 18531, where n is the start port number.
      MU | UdpSendMediaPort | Start UDP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies this port and the following 519 port numbers. The value range is [10000,30000], and [n,n+519] cannot contain port 18531, where n is the start port number.
      PUBLIC | NNatIP | Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | PCGNNatPort | Post-NAT port number of the PCG of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 5061.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the upper-level video and image management platform only through the southbound interface, set the parameters described in Table 5-47.

      In dual-address mode, the HWT-IVS1800 cannot be connected to the upper-level video and image management platform through the southbound and northbound interfaces simultaneously.

      Table 5-47 Parameter description

      Module | Parameter | Description
      MU | TcpSendMediaPort | Start TCP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies this port and the following 65 port numbers. The value range is [10000,30000], and [n,n+65] cannot contain port 18531, where n is the start port number.
      MU | UdpSendMediaPort | Start UDP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies this port and the following 519 port numbers. The value range is [10000,30000], and [n,n+519] cannot contain port 18531, where n is the start port number.
      PUBLIC | SNatIP | Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      PUBLIC | PCGNNatPort | Post-NAT southbound port number of the PCG of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 5061.
      PUBLIC | PCGListeningAdapter | Network adapter on which the GB/T 28181 service of the HWT-IVS1800 listens. Set it to the southbound network adapter eth0.
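The TcpSendMediaPort and UdpSendMediaPort rules in Table 5-46 and Table 5-47 are easy to get wrong by hand, because a start port that is itself in range can still produce an occupied block that swallows port 18531. The following Python code is an added example (not part of this document or of the HWT-IVS1800 software) that checks a planned start port against those rules and derives the MU port ranges that the firewall must mirror, as the data-plan note requires. The function names are constructed; the block sizes (65 and 519 extra ports), the [10000,30000] range and port 18531 are taken from the tables, and the sample start ports are those of the data plan in Table 5-43.

```python
"""Check MU media port parameters and derive matching firewall ranges (constructed example).

Rules from the parameter tables:
  * TcpSendMediaPort n occupies [n, n+65]; UdpSendMediaPort n occupies [n, n+519]
  * n must lie in [10000, 30000]
  * the occupied block must not contain port 18531
Rule from the data-plan note: the MU TCP/UDP ports on the firewall must equal those on the HWT-IVS1800.
"""

# Number of ports occupied after the start port, as stated in the parameter tables.
EXTRA_PORTS = {"TcpSendMediaPort": 65, "UdpSendMediaPort": 519}
START_RANGE = (10000, 30000)
FORBIDDEN_PORT = 18531  # must not fall inside an occupied block


def occupied_range(param: str, start: int) -> tuple:
    """Return the (first, last) port the MU occupies for the given start port."""
    return start, start + EXTRA_PORTS[param]


def check_media_port(param: str, start: int) -> list:
    """Return a list of rule violations; an empty list means the value is acceptable."""
    if param not in EXTRA_PORTS:
        raise KeyError(f"unknown parameter {param!r}")
    problems = []
    low, high = START_RANGE
    if not low <= start <= high:
        problems.append(f"{param}={start} is outside [{low},{high}]")
    first, last = occupied_range(param, start)
    if first <= FORBIDDEN_PORT <= last:
        problems.append(f"{param}={start} occupies [{first},{last}], which contains {FORBIDDEN_PORT}")
    return problems


def firewall_media_ports(tcp_start: int, udp_start: int) -> dict:
    """Port ranges to configure on the firewall for the MU, matching the OMU values.

    Raises ValueError if either OMU value breaks a rule, so a wrong firewall plan is never produced.
    """
    problems = (check_media_port("TcpSendMediaPort", tcp_start)
                + check_media_port("UdpSendMediaPort", udp_start))
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "MU TCP": occupied_range("TcpSendMediaPort", tcp_start),
        "MU UDP": occupied_range("UdpSendMediaPort", udp_start),
    }


if __name__ == "__main__":
    # Start ports of the dynamic-NAT data plan (Table 5-43): TCP 11400 and UDP 21200.
    print(firewall_media_ports(11400, 21200))
    # Constructed bad value: a TCP block starting at 18500 would contain port 18531.
    print(check_media_port("TcpSendMediaPort", 18500))
```

For the Table 5-43 values the derived ranges are TCP 11400 to 11465 and UDP 21200 to 21719, which are the firewall ports listed in that table.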

Upper-Level Video and Image Management Platform on an Intranet and HWT-IVS1800 on an Extranet

Context

Network

If the upper-level video and image management platform is on an intranet and the HWT-IVS1800 is on an extranet, the HWT-IVS1800 cannot be directly registered with the upper-level video and image management platform. To solve this problem, you need to configure NAT for the upper-level video and image management platform by translating the IP address and port number of the upper-level video and image management platform to those on the extranet, as shown in Figure 5-62.

Figure 5-62 Upper-level video and image management platform on an intranet and HWT-IVS1800 on an extranet
Protocols That Support NAT
Table 5-48 Protocols that support NAT

Registration Type | Protocol | Support NAT | Procedure
Passive registration | ONVIF | No | -
Passive registration | RESTful | Yes | RESTful
Proactive registration | GB/T 28181 | Yes | GB/T 28181

RESTful

Data Plan
Table 5-49 Data plan

NE | Configuration Required on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | Yes | For details, see the product documentation of the upper-level video and image management platform (applies to all address and port columns).
Firewall | Yes | For details, see the product documentation of the upper-level video and image management platform (applies to all address and port columns).
HWT-IVS1800 | No | - | - | - | -


GB/T 28181

Data Plan
Table 5-50 Data plan

NE | Configuration Required on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | Yes | For details, see the product documentation of the upper-level video and image management platform (applies to all address and port columns).
Firewall | Yes | For details, see the product documentation of the upper-level video and image management platform (applies to all address and port columns).
HWT-IVS1800 | No | - | - | - | -


Upper-Level Video and Image Management Platform and HWT-IVS1800 on Different Intranets

Context

Network

If the upper-level video and image management platform and HWT-IVS1800 are on different intranets, the HWT-IVS1800 cannot be directly registered with the upper-level video and image management platform. To solve this problem, you need to configure NAT for the upper-level video and image management platform and HWT-IVS1800 by translating their IP addresses and port numbers to those on the extranet, as shown in Figure 5-63.

Figure 5-63 Upper-level video and image management platform and HWT-IVS1800 on different intranets
Protocols That Support NAT
Table 5-51 Protocols that support NAT

Registration Type | Protocol | Support NAT | Procedure
Passive registration | ONVIF | No | -
Passive registration | RESTful | Yes | RESTful
Proactive registration | GB/T 28181 | Yes | Static NAT

RESTful

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-52 Data plan

NE | Configuration Required on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number
Upper-level video and image management platform | Yes | For details, see the product documentation of the upper-level video and image management platform (applies to all address and port columns).
Firewall 1 | Yes | For details, see the product documentation of the upper-level video and image management platform (applies to all address and port columns).
Firewall 2 | Yes | 192.168.10.10 | 10.10.10.10 | MU: RTSP 554, UDP 21200 to 22231; Nginx: HTTPS 18531; IMGU: TCP 9554 | MU: RTSP 554, UDP 21200 to 22231; Nginx: HTTPS 18531; IMGU: TCP 9554
HWT-IVS1800 | Yes | MU, SMU, and IMGU: 192.168.10.10 | MU, SMU, and IMGU: 10.10.10.10 | MU: 554; IMGU: 9554 | MU: 554; IMGU: 9554

NOTE (Firewall 2 row):
  • The UDP port of the MU on the firewall must be the same as that set on the HWT-IVS1800. If the default UDP port of the MU is already occupied on the firewall and cannot be changed there, change the default port on the OMU portal and configure the new port on the firewall.
  • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NOTE (HWT-IVS1800 row):
  • If the port configured on the firewall is the default port of the module, use the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to access the SMTP port of the email server.

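Turning a data plan like Table 5-52 into the nat server commands of step 2 under Configuring NAT on Firewall 2 (the same three command templates also appear in the earlier Configuring NAT on the Firewall procedures) is mechanical but error-prone: a pre-NAT range and a post-NAT range of different lengths, or a server name that collides with a command keyword, are both rejected or mis-mapped by the firewall. The following Python code is an added example (not part of this document or of any Huawei software) that renders the commands from the data plan while enforcing the naming rules quoted under step 2 and the port-matching note, and that computes the value to enter on the OMU portal according to the rule that 0 means the module default. The PortMapping structure, the helper names and the generated server names (ivs-mu-tcp-554 and so on) are constructed; the addresses and ports are those of the Firewall 2 row of Table 5-52.

```python
"""Render firewall 'nat server' commands from a data plan (constructed example, not product code).

Command shapes are the templates quoted under step 2 of the firewall procedure:
  nat server NAME global POST_IP inside PRE_IP
  nat server NAME protocol tcp|udp global POST_IP POST_PORT inside PRE_IP PORT unr-route
  nat server NAME protocol tcp|udp global POST_IP POST_START POST_END inside PRE_IP START END unr-route
"""
from dataclasses import dataclass

# Naming rules quoted under step 2 of the firewall procedure.
RESERVED_NAMES = {"all", "vsys", "all-systems"}
KEYWORDS = ("name", "global", "protocol", "vpn-instance", "zone")


@dataclass(frozen=True)
class PortMapping:
    module: str   # "MU", "Nginx", "IMGU", ... (label only)
    proto: str    # "tcp" or "udp"
    pre: tuple    # (start, end) on the intranet device; start == end for a single port
    post: tuple   # (start, end) after NAT


def valid_server_name(name: str) -> bool:
    """1 to 256 characters, starting with a letter or digit, not a reserved word and
    not a prefix of a command keyword (so 'n', 'na' and 'nam' are rejected)."""
    if not 1 <= len(name) <= 256 or not name[0].isalnum():
        return False
    if name in RESERVED_NAMES:
        return False
    return not any(kw.startswith(name) for kw in KEYWORDS)


def render_ip_nat(name: str, pre_ip: str, post_ip: str) -> str:
    """Whole-address NAT (the 'IP address NAT' template)."""
    if not valid_server_name(name):
        raise ValueError(f"invalid NAT server name {name!r}")
    return f"nat server {name} global {post_ip} inside {pre_ip}"


def render_nat_server(name: str, pre_ip: str, post_ip: str, m: PortMapping) -> str:
    """Build one port-level nat server line, refusing plans the firewall would map incorrectly."""
    if not valid_server_name(name):
        raise ValueError(f"invalid NAT server name {name!r}")
    if m.proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {m.proto!r}")
    pre_s, pre_e = m.pre
    post_s, post_e = m.post
    if pre_e - pre_s != post_e - post_s:
        raise ValueError(f"{m.module}: pre-NAT range {m.pre} and post-NAT range {m.post} differ in length")
    if pre_s == pre_e:
        return f"nat server {name} protocol {m.proto} global {post_ip} {post_s} inside {pre_ip} {pre_s} unr-route"
    return (f"nat server {name} protocol {m.proto} global {post_ip} {post_s} {post_e} "
            f"inside {pre_ip} {pre_s} {pre_e} unr-route")


def render_data_plan(pre_ip: str, post_ip: str, mappings) -> list:
    """Render every mapping, deriving a unique constructed name from module, protocol and start port."""
    return [render_nat_server(f"ivs-{m.module.lower()}-{m.proto}-{m.pre[0]}", pre_ip, post_ip, m)
            for m in mappings]


def omu_port_value(firewall_port: int, module_default: int) -> int:
    """Value to enter on the OMU portal: 0 when the firewall keeps the module default."""
    return 0 if firewall_port == module_default else firewall_port


# Firewall 2 row of Table 5-52: MU RTSP 554, MU UDP 21200 to 22231, Nginx HTTPS 18531, IMGU TCP 9554.
TABLE_5_52 = (
    PortMapping("MU", "tcp", (554, 554), (554, 554)),
    PortMapping("MU", "udp", (21200, 22231), (21200, 22231)),
    PortMapping("Nginx", "tcp", (18531, 18531), (18531, 18531)),
    PortMapping("IMGU", "tcp", (9554, 9554), (9554, 9554)),
)

if __name__ == "__main__":
    for line in render_data_plan("192.168.10.10", "10.10.10.10", TABLE_5_52):
        print(line)
    # MU RTSP stays on the default 554, so the OMU portal keeps 0; IMGU 9554 is entered as-is.
    print("OMU NatRtspServerPort:", omu_port_value(554, 554))
```

The generated lines are the step-2 templates with the data-plan values substituted; review them against the data plan before entering them on the firewall, and use display current-configuration afterwards as step 3 describes.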
Configuring NAT on Firewall 2
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server name global Post-NAT IP address inside IP address of HWT-IVS1800

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

    In the preceding commands, name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address IP address of device in the Trust security zone 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of the security policy (policy_sec1 in the prompts above). You can configure multiple security policies as required.
    • IP address of device in the Trust security zone: pre-NAT IP address of the intranet device, specified with the 32-bit mask length. If there are multiple IP addresses, configure one security policy for each.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port mapping so that the firewall identifies SIP on port 5080.

      By default, the firewall identifies SIP on port 5060. GB/T 28181 uses SIP port 5080, so this step is required.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure firewall NAT ALG so that SIP packets are forwarded correctly.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. Output like the following, in which a sip session to the post-NAT address 10.10.10.10:5080 is translated to the intranet address shown in brackets, indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.
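The verification in step 5.3 (the same check appears in each of the firewall procedures above) relies on reading the display firewall session table output by eye. As an added example (not part of this document or of any Huawei software), the following Python code parses session lines of the shape shown on the page and confirms that a sip session to the post-NAT address on port 5080 was translated to the expected intranet address, which is the condition the page gives for the ALG settings having taken effect. The regular expression, the function names and the sample output are constructed; 203.0.113.5 stands in for the X.X.X.X source address, and the addresses 10.10.10.10 and 192.168.10.13 are those of the page's sample line.

```python
"""Parse 'display firewall session table' lines and confirm the SIP ALG mapping (constructed example).

Line shape taken from the verification step:
  sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]
The bracketed part is the pre-NAT (intranet) address the session was translated to.
"""
import re

SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?\s*$"
)


def parse_session_table(output: str) -> list:
    """Return one dict per session line; the header and unrecognised lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("src_port", "dst_port", "nat_port"):
            d[key] = int(d[key]) if d[key] is not None else None
        sessions.append(d)
    return sessions


def sip_alg_active(output: str, post_nat_ip: str, pre_nat_ip: str, sip_port: int = 5080) -> bool:
    """True if a sip session to post_nat_ip:sip_port was translated to pre_nat_ip:sip_port."""
    return any(
        s["proto"] == "sip"
        and s["dst_ip"] == post_nat_ip and s["dst_port"] == sip_port
        and s["nat_ip"] == pre_nat_ip and s["nat_port"] == sip_port
        for s in parse_session_table(output)
    )


# Constructed sample output modelled on the page's verification step.
SAMPLE_OUTPUT = """\
Current Total Sessions : 2
sip VPN:public --> public 203.0.113.5:2107-->10.10.10.10:5080[192.168.10.13:5080]
udp VPN:public --> public 203.0.113.5:21200-->10.10.10.10:21200[192.168.10.10:21200]
"""

if __name__ == "__main__":
    for s in parse_session_table(SAMPLE_OUTPUT):
        print(s["proto"], f'{s["dst_ip"]}:{s["dst_port"]}', "->", f'{s["nat_ip"]}:{s["nat_port"]}')
    print("SIP ALG active:", sip_alg_active(SAMPLE_OUTPUT, "10.10.10.10", "192.168.10.13"))
```

A line without a bracketed address is still parsed (nat_ip and nat_port are None), so a session that the firewall did not translate is reported rather than silently dropped; sip_alg_active only returns True when the translated sip session is actually present.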

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-64.

    Figure 5-64 Configuring NAT information

    The parameters to be set vary depending on the scenario where the HWT-IVS1800 is connected to the upper-level video and image management platform.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the upper-level video and image management platform only through the northbound interface, set the parameters described in Table 5-53.
      Table 5-53 Parameter description
      • Module: PUBLIC
        • NNatIP: Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
        • NatRtspServerPort: Post-NAT northbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the upper-level video and image management platform only through the southbound interface, set the parameters described in Table 5-54.

      In dual-address mode, the HWT-IVS1800 cannot be connected to the upper-level video and image management platform through the southbound and northbound interfaces simultaneously.

      Table 5-54 Parameter description
      • Module: PUBLIC
        • SNatIP: Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
        • NatSRtspPort: Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall.

GB/T 28181

Dynamic NAT

Application Scenario

The HWT-IVS1800 on an intranet is connected through GB/T 28181 to the upper-level video and image management platform on an extranet, and the address under which the HWT-IVS1800 appears on the extranet is not fixed.

Assume that the HWT-IVS1800 on an intranet is connected to the video and image management platform on the Internet through a router (with the LAN port of the router connected to the HWT-IVS1800 and the WAN port of the router connected to the Internet), and the IP address of the WAN port is dynamically allocated by the carrier. In this scenario, the router will dynamically translate the source IP address (IP address of the LAN port) into the IP address of the WAN port.

Data Plan
Table 5-55 Data plan

NE: Upper-level video and image management platform
  • Configuration required on the NE: Yes
  • Pre-NAT/post-NAT IP addresses and port numbers: for details, see the product documentation of the upper-level video and image management platform.

NE: Firewall 1
  • Configuration required on the NE: Yes
  • Pre-NAT/post-NAT IP addresses and port numbers: for details, see the product documentation of the upper-level video and image management platform.

NE: Firewall 2
  • Configuration required on the NE: Yes
  • Pre-NAT IP address: 192.168.10.10
  • Post-NAT IP address: -
  • Pre-NAT port numbers:
    • MU
      • TCP: 11400 to 11465
      • UDP: 21200 to 21719
    • PCG
      • UDP: 5061
  • Post-NAT port numbers: dynamically generated by the router or firewall.

NE: HWT-IVS1800
  • Configuration required on the NE: Yes
  • Pre-NAT IP addresses:
    • MU: 192.168.10.10
    • PCG: 192.168.10.10
  • Post-NAT IP address: -
  • Pre-NAT port numbers:
    • PCG: 5061
  • Post-NAT port numbers: -

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-65.

    Figure 5-65 Configuring NAT information
    Table 5-56 describes the parameters.

    Table 5-56 Parameter description
    • Module: PCG
      • PCGSipRport: Set this parameter to 1.

Static NAT

Prerequisites

You have set PCGSipRport to 1 by referring to Configuring NAT on the HWT-IVS1800.

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-57 Data plan

NE: Upper-level video and image management platform
  • Configuration required on the NE: Yes
  • Pre-NAT/post-NAT IP addresses and port numbers: for details, see the product documentation of the upper-level video and image management platform.

NE: Firewall 1
  • Configuration required on the NE: Yes
  • Pre-NAT/post-NAT IP addresses and port numbers: for details, see the product documentation of the upper-level video and image management platform.

NE: Firewall 2
  • Configuration required on the NE: Yes
  • Pre-NAT IP address: 192.168.10.10
  • Post-NAT IP address: 10.10.10.10
  • Pre-NAT port numbers:
    • MU
      • TCP: 11400 to 11529
      • UDP: 21200 to 22231
    • PCG
      • UDP: 5061
  • Post-NAT port numbers:
    • MU
      • TCP: 11400 to 11529
      • UDP: 21200 to 22231
    • PCG
      • UDP: 5061
  NOTE:
  • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU have been occupied on the firewall and cannot be changed on the firewall, you need to change the default ports on the OMU portal and configure the new ports on the firewall.
  • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NE: HWT-IVS1800
  • Configuration required on the NE: Yes
  • Pre-NAT IP addresses:
    • MU: 192.168.10.10
    • PCG: 192.168.10.10
  • Post-NAT IP addresses:
    • MU: 10.10.10.10
    • PCG: 10.10.10.10
  • Pre-NAT port numbers:
    • PCG: 5061
  • Post-NAT port numbers:
    • PCG: 5061
  NOTE:
  • If the port configured on the firewall is the default port of the module, you need to use the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable the policy for the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on Firewall 2
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server name global Post-NAT IP address inside IP address of HWT-IVS1800

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

    In the preceding commands, name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address video/image management platform IP address 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of a security policy. You can configure multiple security policies as required.
    • IP address of device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure multiple security policies.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port NAT.

      By default, SIP port 5060 is used. However, GB/T 28181 uses SIP port 5080. Therefore, you need to perform this step.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. The following information indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-66.

    Figure 5-66 Configuring NAT information

    The parameters to be set vary depending on the scenario where the HWT-IVS1800 is connected to the upper-level video and image management platform.

    • If the HWT-IVS1800 deployed in single- or dual-address mode is connected to the upper-level video and image management platform only through the northbound interface, set the parameters described in Table 5-58.
      Table 5-58 Parameter description
      • Module: MU
        • TcpSendMediaPort: Start TCP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies the port number specified by this parameter and the following 65 port numbers. The value range is [10000,30000], and [n,n+65] cannot contain port 18531, where n is the start port number.
        • UdpSendMediaPort: Start UDP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies the port number specified by this parameter and the following 519 port numbers. The value range is [10000,30000], and [n,n+519] cannot contain port 18531, where n is the start port number.
      • Module: PUBLIC
        • NNatIP: Northbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
        • PCGNNatPort: Post-NAT port number of the PCG of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 5061.

    • If the HWT-IVS1800 deployed in dual-address mode is connected to the upper-level video and image management platform only through the southbound interface, set the parameters described in Table 5-59.

      In dual-address mode, the HWT-IVS1800 cannot be connected to the upper-level video and image management platform through the southbound and northbound interfaces simultaneously.

      Table 5-59 Parameter description
      • Module: MU
        • TcpSendMediaPort: Start TCP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies the port number specified by this parameter and the following 65 port numbers. The value range is [10000,30000], and [n,n+65] cannot contain port 18531, where n is the start port number.
        • UdpSendMediaPort: Start UDP port number of the MU of the HWT-IVS1800. After the setting, the system automatically occupies the port number specified by this parameter and the following 519 port numbers. The value range is [10000,30000], and [n,n+519] cannot contain port 18531, where n is the start port number.
      • Module: PUBLIC
        • SNatIP: Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
        • PCGNNatPort: Post-NAT southbound port number of the PCG of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 5061.
        • PCGListeningAdapter: Network adapter on which the GB/T 28181 service of the HWT-IVS1800 listens, which must be set to the southbound network adapter eth0.
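      The MU media-port parameters in Tables 5-58 and 5-59 (TcpSendMediaPort, UdpSendMediaPort) and their southbound counterparts later on this page (TcpRecvMediaPort, UdpRecvMediaPort) all carry the same two constraints: the start value must lie in [10000,30000], and the occupied block [n,n+k] must not contain port 18531. The following is an added example, not the HWT-IVS1800's own code, that checks a planned start value against those constraints, derives the range the firewall must map for it, and flags overlapping blocks; the function names are constructed here.

```python
"""Validate HWT-IVS1800 MU media-port start values against the page's constraints."""
from typing import Dict, List, Tuple

# Number of ports that follow the start port for each parameter (values from the page).
PORT_SPAN: Dict[str, int] = {
    "TcpSendMediaPort": 65,    # northbound TCP, occupies [n, n+65]
    "UdpSendMediaPort": 519,   # northbound UDP, occupies [n, n+519]
    "TcpRecvMediaPort": 101,   # southbound TCP, occupies [n, n+101]
    "UdpRecvMediaPort": 799,   # southbound UDP, occupies [n, n+799]
}
VALUE_RANGE = (10000, 30000)   # allowed start values, inclusive
RESERVED_PORT = 18531          # the occupied block must not contain this port


def occupied_range(param: str, start: int) -> Tuple[int, int]:
    """Inclusive [n, n+k] block the MU occupies for this parameter."""
    return start, start + PORT_SPAN[param]


def port_start_errors(param: str, start: int) -> List[str]:
    """Constraint violations for a start value; an empty list means it is acceptable."""
    if param not in PORT_SPAN:
        return [f"unknown parameter {param!r}"]
    errors = []
    low, high = VALUE_RANGE
    if not low <= start <= high:
        errors.append(f"{param}={start} is outside [{low},{high}]")
    lo, hi = occupied_range(param, start)
    if lo <= RESERVED_PORT <= hi:      # inclusive on both ends, as the page states
        errors.append(f"{param}={start}: [{lo},{hi}] contains port {RESERVED_PORT}")
    return errors


def firewall_port_range(param: str, start: int) -> str:
    """Range to configure on the firewall for this parameter, in the page's 'a to b' form."""
    lo, hi = occupied_range(param, start)
    return f"{lo} to {hi}"


def overlapping(starts: Dict[str, int]) -> List[Tuple[str, str]]:
    """Pairs of same-protocol parameters whose occupied blocks overlap.
    TCP and UDP blocks may share numbers, so only Tcp*/Tcp* and Udp*/Udp* pairs are compared."""
    names = list(starts)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a[:3] != b[:3]:
                continue
            a_lo, a_hi = occupied_range(a, starts[a])
            b_lo, b_hi = occupied_range(b, starts[b])
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    # Constructed plan: the page's default southbound values plus a northbound start that
    # lands on the reserved port, to show the check firing.
    plan = {"TcpRecvMediaPort": 10000, "UdpRecvMediaPort": 12800, "TcpSendMediaPort": 18500}
    for param, start in plan.items():
        print(param, firewall_port_range(param, start), port_start_errors(param, start))
    print("overlaps:", overlapping(plan))
```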

NAT-based Networking of the HWT-IVS1800 and Cameras

Cameras on an Extranet and HWT-IVS1800 on an Intranet

Context

Network

If the cameras are on an extranet and the HWT-IVS1800 is on an intranet, you need to translate the IP address and port number of the HWT-IVS1800 to an extranet IP address and port number for the cameras to access, as shown in Figure 5-67.

Figure 5-67 Cameras on an extranet and HWT-IVS1800 on an intranet
Protocols That Support NAT
Table 5-60 Protocols that support NAT
• Passive registration
  • HWSDK: NAT supported. Procedure: HWSDK (Passive Registration)
  • ONVIF: NAT supported. Procedure: ONVIF
• Proactive registration
  • HWSDK: NAT supported. Procedure: HWSDK (Proactive Registration)
  • GB/T 28181: NAT supported. Procedure: GB/T 28181

HWSDK (Passive Registration)

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-61 Data plan

NE: Cameras
  • Configuration required on the NE: No
  • Pre-NAT IP address: -
  • Post-NAT IP address: -
  • Pre-NAT port number: -
  • Post-NAT port number: -

NE: Firewall
  • Configuration required on the NE: Yes
  • Pre-NAT IP address: 192.168.10.10
  • Post-NAT IP address: 10.10.10.10
  • Pre-NAT port numbers:
    • DCG
      • UDP: 40002
      • TCP: 6060 and 6061
    • IMGU
      • TCP: 9555
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
      NOTE: You can enable TCP and UDP ports as required. UDP ports are supported for voice intercom.
  • Post-NAT port numbers:
    • DCG
      • UDP: 40002
      • TCP: 6060 and 6061
    • IMGU
      • TCP: 9555
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  NOTE:
  • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU have been occupied on the firewall and cannot be changed on the firewall, you need to change the default ports on the OMU portal and configure the new ports on the firewall.
  • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NE: HWT-IVS1800
  • Configuration required on the NE: Yes
  • Pre-NAT IP addresses:
    • DCG: 192.168.10.10
    • IMGU: 192.168.10.10
    • MU: 192.168.10.10
    • OMU: 192.168.10.10
  • Post-NAT IP addresses:
    • DCG: 10.10.10.10
    • IMGU: 10.10.10.10
    • MU: 10.10.10.10
    • OMU: 10.10.10.10
  • Pre-NAT port numbers:
    • IMGU: 9555
    • MU: 554
    • OMU: 8481 and 8443
    • NGINX: 18531 and 18533
  • Post-NAT port numbers:
    • IMGU: 9555
    • MU: 554
      If the default TCP and UDP port numbers of the MU conflict with existing port numbers on the firewall, change the TCP and UDP port number ranges.
      • Default southbound TCP port number range: 10000 to 10101
      • Default southbound UDP port number range: 12800 to 13599
    • OMU: 8481 and 8443
    • NGINX: 18531 and 18533
  NOTE:
  • If the port configured on the firewall is the default port of the module, you need to use the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable the policy for the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on the Firewall
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server name global Post-NAT IP address inside IP address of HWT-IVS1800

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

    In the preceding commands, name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address video/image management platform IP address 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of a security policy. You can configure multiple security policies as required.
    • IP address of device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure multiple security policies.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port NAT.

      By default, SIP port 5060 is used. However, GB/T 28181 uses SIP port 5080. Therefore, you need to perform this step.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. The following information indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-68.

    Figure 5-68 Configuring NAT information

    Table 5-62 describes the parameters.

    Table 5-62 Parameter description
    • Module: PUBLIC
      • SNatIP: Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      • DCG_NAT_LIST: List of subnets, used by the HWT-IVS1800 to determine whether NAT needs to be applied to the IP addresses of southbound devices.
        • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except the standard private IP address ranges by default. The standard private IP address ranges are as follows:
          • Class A: 10.0.0.1 to 10.255.255.254
          • Class B: 172.16.0.1 to 172.31.255.254
          • Class C: 192.168.0.1 to 192.168.255.254
        • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the NAT subnet list. If there are multiple IP subnets, separate them with semicolons (;), for example, 192.168.1.0/24;192.168.2.0/24.
      • IMGUSNatPort: Post-NAT southbound port number of the IMGU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 9555.
      • OMUSHttpNatPort: Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.
      • OMUSHttpsNatPort: Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.
      • NatSRtspPort: Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.
    • Module: MU
      • TcpRecvMediaPort: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras. After the setting, the system automatically occupies the port number specified by this parameter and the following 101 port numbers. If you change the port number, ensure that the new port number is different from the ports described in the product communication matrix. The value range is [10000,30000], and [n,n+101] cannot contain port 18531, where n is the start port number.
      • UdpRecvMediaPort: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras. After the setting, the system automatically occupies the port number specified by this parameter and the following 799 port numbers. If you change the port number, ensure that the new port number is different from the ports described in the product communication matrix. The value range is [10000,30000], and [n,n+799] cannot contain port 18531, where n is the start port number.

ONVIF

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-63 Data plan

NE: Cameras
  • Configuration required on the NE: No
  • Pre-NAT IP address: -
  • Post-NAT IP address: -
  • Pre-NAT port number: -
  • Post-NAT port number: -

NE: Firewall
  • Configuration required on the NE: Yes
  • Pre-NAT IP address: 192.168.10.10
  • Post-NAT IP address: 10.10.10.10
  • Pre-NAT port numbers:
    • DCG
      • UDP: 40000
      • TCP: 40001
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  • Post-NAT port numbers:
    • DCG
      • UDP: 40000
      • TCP: 40001
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  NOTE:
  • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU have been occupied on the firewall and cannot be changed on the firewall, you need to change the default ports on the OMU portal and configure the new ports on the firewall.
  • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NE: HWT-IVS1800
  • Configuration required on the NE: Yes
  • Pre-NAT IP addresses:
    • DCG: 192.168.10.10
    • MU: 192.168.10.10
    • OMU: 192.168.10.10
  • Post-NAT IP addresses:
    • DCG: 10.10.10.10
    • MU: 10.10.10.10
    • OMU: 10.10.10.10
  • Pre-NAT port numbers:
    • MU: 554
    • OMU: 8481 and 8443
  • Post-NAT port numbers:
    • MU: 554
      If the default TCP and UDP port numbers of the MU conflict with existing port numbers on the firewall, change the TCP and UDP port number ranges.
      • Default southbound TCP port number range: 10000 to 10101
      • Default southbound UDP port number range: 12800 to 13599
    • OMU: 8481 and 8443
  NOTE:
  • If the port configured on the firewall is the default port of the module, you need to use the default value 0 on the OMU portal.
  • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
  • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable the policy for the HWT-IVS1800 to access the SMTP port of the email server.

Configuring NAT on the Firewall
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server name global Post-NAT IP address inside IP address of HWT-IVS1800

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT port number inside IP address Port number unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server name protocol tcp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

        UDP: nat server name protocol udp global Post-NAT IP address Post-NAT start port number Post-NAT end port number inside IP address Start port number End port number unr-route

    In the preceding commands, name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address video/image management platform IP address 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of a security policy. You can configure multiple security policies as required.
    • IP address of device in the Trust security zone: pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure multiple security policies.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port NAT.

      By default, SIP port 5060 is used. However, GB/T 28181 uses SIP port 5080. Therefore, you need to perform this step.

      [FW] acl 2000
      [FW-acl-basic-2000] rule permit
      [FW-acl-basic-2000] quit
      [FW] port-mapping sip port 5080 acl 2000
      [FW] quit
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. The following information indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.
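
    The firewall procedure above (steps 2 to 5) is the same one given under GB/T 28181 static NAT and HWSDK (passive registration). The following is an added example, not the firewall's or the HWT-IVS1800's own code, that renders the nat server lines for the Firewall row of Table 5-63 using the page's command templates, applies the server-name rules from step 2, and parses a display firewall session table line from step 5 to confirm that the installed mapping matches the plan. It assumes the OMU HTTP/HTTPS and MU RTSP ports are TCP; the function names, the name prefix ivs and the second session line are constructed here.

```python
"""Render firewall 'nat server' lines from a data plan and check session-table output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Name rules from step 2: 1 to 256 characters, starts with a letter or digit, not a
# reserved word, and not a keyword or a leading fragment of one (e.g. n, na, nam).
RESERVED_EXACT = {"all", "vsys", "all-systems"}
RESERVED_KEYWORDS = ("name", "global", "protocol", "vpn-instance", "zone")


def name_errors(name: str) -> List[str]:
    """Rule violations for a NAT server name; an empty list means the name is acceptable."""
    if not 1 <= len(name) <= 256:
        return ["length must be 1 to 256 characters"]
    errors = []
    if not (name[0].isascii() and name[0].isalnum()):
        errors.append("must start with a letter or digit")
    if name in RESERVED_EXACT:
        errors.append(f"{name!r} is reserved")
    # Assumption: keywords are compared exact-case, since the page calls names case-sensitive.
    for kw in RESERVED_KEYWORDS:
        if kw.startswith(name):
            errors.append(f"{name!r} is the keyword {kw!r} or a leading fragment of it")
    return errors


@dataclass
class PortMap:
    proto: str                     # "tcp" or "udp"
    global_ports: Tuple[int, int]  # post-NAT start and end (equal for a single port)
    inside_ports: Tuple[int, int]  # pre-NAT start and end


def nat_server_commands(prefix: str, global_ip: str, inside_ip: str,
                        maps: List[PortMap]) -> List[str]:
    """One 'nat server' line per mapping, using the single-port or port-range template."""
    lines = []
    for i, m in enumerate(maps, start=1):
        name = f"{prefix}{i}"
        if name_errors(name):
            raise ValueError(f"bad NAT server name {name!r}: {name_errors(name)}")
        gs, ge = m.global_ports
        is_, ie = m.inside_ports
        if gs == ge and is_ == ie:       # single IP address and a single port
            lines.append(f"nat server {name} protocol {m.proto} global {global_ip} {gs} "
                         f"inside {inside_ip} {is_} unr-route")
        else:                            # single IP address and multiple ports
            if ge - gs != ie - is_:
                raise ValueError(f"{name}: post-NAT and pre-NAT ranges differ in size")
            lines.append(f"nat server {name} protocol {m.proto} global {global_ip} {gs} {ge} "
                         f"inside {inside_ip} {is_} {ie} unr-route")
    return lines


# Shape of a 'display firewall session table' line as printed in step 5, e.g.
#   sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]
SESSION_RE = re.compile(
    r"^(?P<app>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)-->(?P<gip>[\d.]+):(?P<gport>\d+)"
    r"\[(?P<iip>[\d.]+):(?P<iport>\d+)\]$")


def parse_session(line: str) -> Optional[dict]:
    """Fields of one session line (global = post-NAT, inside = pre-NAT), or None."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "gport", "iport"):
        fields[key] = int(fields[key])
    return fields


def session_matches_plan(line: str, global_ip: str, inside_ip: str,
                         maps: List[PortMap]) -> bool:
    """True when the session translates the planned post-NAT address to the planned
    inside address on a port that one of the mappings covers, with the offset preserved."""
    s = parse_session(line)
    if s is None or s["gip"] != global_ip or s["iip"] != inside_ip:
        return False
    return any(m.global_ports[0] <= s["gport"] <= m.global_ports[1]
               and s["iport"] == m.inside_ports[0] + (s["gport"] - m.global_ports[0])
               for m in maps)


# Firewall row of Table 5-63 (ONVIF). HTTP, HTTPS and RTSP are assumed to be TCP here.
GLOBAL_IP, INSIDE_IP = "10.10.10.10", "192.168.10.10"
PLAN = [
    PortMap("udp", (40000, 40000), (40000, 40000)),   # DCG UDP
    PortMap("tcp", (40001, 40001), (40001, 40001)),   # DCG TCP
    PortMap("tcp", (8481, 8481), (8481, 8481)),       # OMU HTTP
    PortMap("tcp", (8443, 8443), (8443, 8443)),       # OMU HTTPS
    PortMap("tcp", (554, 554), (554, 554)),           # MU RTSP
    PortMap("tcp", (10000, 10101), (10000, 10101)),   # MU TCP
    PortMap("udp", (12800, 13599), (12800, 13599)),   # MU UDP
]

if __name__ == "__main__":
    for cmd in nat_server_commands("ivs", GLOBAL_IP, INSIDE_IP, PLAN):
        print(cmd)
```

    The SIP session printed in step 5 belongs to the ALG port mapping rather than to this static plan, so session_matches_plan returns False for it while still parsing its addresses.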

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-69.

    Figure 5-69 Configuring NAT information

    Table 5-64 describes the parameters.

    Table 5-64 Parameter description
    • Module: PUBLIC
      • SNatIP: Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.
      • DCG_NAT_LIST: List of subnets, used by the HWT-IVS1800 to determine whether NAT needs to be applied to the IP addresses of southbound devices.
        • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except the standard private IP address ranges by default. The standard private IP address ranges are as follows:
          • Class A: 10.0.0.1 to 10.255.255.254
          • Class B: 172.16.0.1 to 172.31.255.254
          • Class C: 192.168.0.1 to 192.168.255.254
        • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the NAT subnet list. If there are multiple IP subnets, separate them with semicolons (;), for example, 192.168.1.0/24;192.168.2.0/24.
      • OMUSHttpNatPort: Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.
      • OMUSHttpsNatPort: Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.
      • NatSRtspPort: Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.
    • Module: MU
      • TcpRecvMediaPort: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras. After the setting, the system automatically occupies the port number specified by this parameter and the following 101 port numbers. If you change the port number, ensure that the new port number is different from the ports described in the product communication matrix. The value range is [10000,30000], and [n,n+101] cannot contain port 18531, where n is the start port number.
      • UdpRecvMediaPort: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras. After the setting, the system automatically occupies the port number specified by this parameter and the following 799 port numbers. If you change the port number, ensure that the new port number is different from the ports described in the product communication matrix. The value range is [10000,30000], and [n,n+799] cannot contain port 18531, where n is the start port number.
    • Module: DCG
      • ONVIF_NAT: Indicates whether to forcibly replace the IP address and port number obtained from the ONVIF capability set with those used when adding the cameras. Set ONVIF_NAT to 1. The default value is 0.
        • 0: no
        • 1: yes

HWSDK (Proactive Registration)

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-65 Data plan

NE: Cameras
  Configuration required on the NE: No
  Pre-NAT IP address: -
  Post-NAT IP address: -
  Pre-NAT port number: -
  Post-NAT port number: -

NE: Firewall
  Configuration required on the NE: Yes
  Pre-NAT IP address: 192.168.10.10
  Post-NAT IP address: 10.10.10.10
  Pre-NAT port number:
    • DCG
      • UDP: 40002
      • TCP: 5060 and 5062
    • IMGU
      • TCP: 9555
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
    NOTE: You can enable TCP and UDP ports as required. UDP ports are supported for voice intercom.
  Post-NAT port number:
    • DCG
      • UDP: 40002
      • TCP: 5060 and 5062
    • IMGU
      • TCP: 9555
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  NOTE:
    • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU are already occupied on the firewall and cannot be changed there, change the default ports on the OMU portal and configure the new ports on the firewall.
    • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NE: HWT-IVS1800
  Configuration required on the NE: Yes
  Pre-NAT IP address:
    • DCG: 192.168.10.10
    • IMGU: 192.168.10.10
    • MU: 192.168.10.10
    • OMU: 192.168.10.10
  Post-NAT IP address:
    • DCG: 10.10.10.10
    • IMGU: 10.10.10.10
    • MU: 10.10.10.10
    • OMU: 10.10.10.10
  Pre-NAT port number:
    • IMGU: 9555
    • MU: 554
    • OMU: 8481 and 8443
    • NGINX: 18531, 18533
  Post-NAT port number:
    • IMGU: 9555
    • MU: 554
      If the default TCP and UDP port numbers of the MU conflict with existing port numbers on the firewall, change the TCP and UDP port number ranges.
      • Default southbound TCP port number range: 10000 to 10101
      • Default southbound UDP port number range: 12800 to 13599
    • OMU: 8481 and 8443
    • NGINX: 18531, 18533
  NOTE:
    • If the port configured on the firewall is the default port of the module, use the default value 0 on the OMU portal.
    • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
    • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to reach the SMTP port of the email server.

Configuring NAT on the Firewall
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of HWT-IVS1800>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

    In the preceding commands, the items in angle brackets are placeholders to be replaced with the values from the data plan, and name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address <video/image management platform IP address> 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • video/image management platform IP address (the IP address of the device in the Trust security zone): pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy per address.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port NAT.

      By default, SIP port 5060 is used. However, GB/T 28181 uses SIP port 5080. Therefore, you need to perform this step.

      [FW]acl 2000
      [FW-acl-basic-2000]rule permit
      [FW-acl-basic-2000]quit
      [FW]port-mapping sip port 5080 acl 2000
      [FW]quit
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. The following information indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-70.

    Figure 5-70 Configuring NAT information

    Table 5-66 describes the parameters.

    Table 5-66 Parameter description

    Module: PUBLIC

      Parameter: SNatIP
      Description: Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.

      Parameter: DCG_NAT_LIST
      Description: List of subnets used by the HWT-IVS1800 to determine whether NAT needs to be applied to the IP addresses of southbound devices.
        • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except standard private subnet addresses by default. The standard private IP address ranges are as follows:
          • Class A: 10.0.0.1 to 10.255.255.254
          • Class B: 172.16.0.1 to 172.31.255.254
          • Class C: 192.168.0.1 to 192.168.255.254
        • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the NAT subnet list. If there are multiple IP subnets, use semicolons (;) to separate them, for example, 192.168.1.0/24;192.168.2.0/24.

      Parameter: NatSRtspPort
      Description: Post-NAT southbound RTSP port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

      Parameter: IMGUSNatPort
      Description: Post-NAT southbound port number of the IMGU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 9555.

      Parameter: OMUSHttpNatPort
      Description: Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.

      Parameter: OMUSHttpsNatPort
      Description: Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.

    Module: MU

      Parameter: TcpRecvMediaPort
      Description: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras over TCP. After the setting, the system automatically occupies the port number specified by this parameter and the following 101 port numbers. If you change the port number, ensure that the new port number is different from those described in the product communication matrix. The value range is [10000,30000], and [n,n+101] cannot contain port 18531, where n is the start port number.

      Parameter: UdpRecvMediaPort
      Description: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras over UDP. After the setting, the system automatically occupies the port number specified by this parameter and the following 799 port numbers. If you change the port number, ensure that the new port number is different from those described in the product communication matrix. The value range is [10000,30000], and [n,n+799] cannot contain port 18531, where n is the start port number.

GB/T 28181

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-67 Data plan

NE: Cameras
  Configuration required on the NE: No
  Pre-NAT IP address: -
  Post-NAT IP address: -
  Pre-NAT port number: -
  Post-NAT port number: -

NE: Firewall
  Configuration required on the NE: Yes
  Pre-NAT IP address: 192.168.10.10
  Post-NAT IP address: 10.10.10.10
  Pre-NAT port number:
    • DCG
      • UDP: 5080
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  Post-NAT port number:
    • DCG
      • UDP: 5080
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  NOTE:
    • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU are already occupied on the firewall and cannot be changed there, change the default ports on the OMU portal and configure the new ports on the firewall.
    • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NE: HWT-IVS1800
  Configuration required on the NE: Yes
  Pre-NAT IP address:
    • DCG: 192.168.10.10
    • MU: 192.168.10.10
    • OMU: 192.168.10.10
  Post-NAT IP address:
    • DCG: 10.10.10.10
    • MU: 10.10.10.10
    • OMU: 10.10.10.10
  Pre-NAT port number:
    • MU: 554
    • OMU: 8481 and 8443
  Post-NAT port number:
    • MU: 554
      If the default TCP and UDP port numbers of the MU conflict with existing port numbers on the firewall, change the TCP and UDP port number ranges.
      • Default southbound TCP port number range: 10000 to 10101
      • Default southbound UDP port number range: 12800 to 13599
    • OMU: 8481 and 8443
  NOTE:
    • If the port configured on the firewall is the default port of the module, use the default value 0 on the OMU portal.
    • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
    • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to reach the SMTP port of the email server.

Configuring NAT on the Firewall
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of HWT-IVS1800>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

    In the preceding commands, the items in angle brackets are placeholders to be replaced with the values from the data plan, and name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address <video/image management platform IP address> 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • video/image management platform IP address (the IP address of the device in the Trust security zone): pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy per address.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port NAT.

      By default, SIP port 5060 is used. However, GB/T 28181 uses SIP port 5080. Therefore, you need to perform this step.

      [FW]acl 2000
      [FW-acl-basic-2000]rule permit
      [FW-acl-basic-2000]quit
      [FW]port-mapping sip port 5080 acl 2000
      [FW]quit
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. The following information indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-71.

    Figure 5-71 Configuring NAT information

    Table 5-68 describes the parameters.

    Table 5-68 Parameter description

    Module: PUBLIC

      Parameter: SNatIP
      Description: Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.

      Parameter: DCG_NAT_LIST
      Description: List of subnets used by the HWT-IVS1800 to determine whether NAT needs to be applied to the IP addresses of southbound devices.
        • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except standard private subnet addresses by default. The standard private IP address ranges are as follows:
          • Class A: 10.0.0.1 to 10.255.255.254
          • Class B: 172.16.0.1 to 172.31.255.254
          • Class C: 192.168.0.1 to 192.168.255.254
        • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the NAT subnet list. If there are multiple IP subnets, use semicolons (;) to separate them, for example, 192.168.1.0/24;192.168.2.0/24.

      Parameter: NatSRtspPort
      Description: Post-NAT southbound RTSP port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

      Parameter: OMUSHttpNatPort
      Description: Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.

      Parameter: OMUSHttpsNatPort
      Description: Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.

    Module: MU

      Parameter: TcpRecvMediaPort
      Description: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras over TCP. After the setting, the system automatically occupies the port number specified by this parameter and the following 101 port numbers. If you change the port number, ensure that the new port number is different from those described in the product communication matrix. The value range is [10000,30000], and [n,n+101] cannot contain port 18531, where n is the start port number.

      Parameter: UdpRecvMediaPort
      Description: Port used by the MU of the HWT-IVS1800 to receive media streams from cameras over UDP. After the setting, the system automatically occupies the port number specified by this parameter and the following 799 port numbers. If you change the port number, ensure that the new port number is different from those described in the product communication matrix. The value range is [10000,30000], and [n,n+799] cannot contain port 18531, where n is the start port number.

Cameras on an Intranet and HWT-IVS1800 on an Extranet

Context

Network

If cameras are on an intranet and the HWT-IVS1800 is on an extranet, you need to configure the network route and firewall to connect the cameras to the HWT-IVS1800.

Take the NAT configuration on the firewall as an example. On the firewall, translate the camera IP addresses to extranet addresses so that the HWT-IVS1800 can connect to the cameras through their extranet IP addresses and port numbers, as shown in Figure 5-72.

Figure 5-72 Cameras on an intranet and HWT-IVS1800 on an extranet
Protocols That Support NAT
Table 5-69 Protocols that support NAT

Registration Type        Protocol     Support NAT   Procedure
Passive registration     ONVIF        Yes           ONVIF
Proactive registration   HWSDK        Yes           HWSDK (Proactive Registration)
                         GB/T 28181   Yes           GB/T 28181

NOTE:
  • Passive registration: the iClient S100 does not allow users to add multiple cameras with the same IP address.
  • ONVIF: the cameras must support NAT.

ONVIF

Data Plan
Table 5-70 Data plan

NE: Cameras
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers:
    • Static IP addresses must be configured for cameras.
    • Post-NAT fixed IP addresses and port numbers must be configured for cameras.
    • The cameras must support NAT.
    For details, see the camera product documentation.

NE: Firewall
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers: For details, see the camera product documentation.

NE: HWT-IVS1800
  Configuration required on the NE: Yes
  Pre-NAT IP address: -
  Post-NAT IP address: -
  Pre-NAT port number: -
  Post-NAT port number: -

Configurations on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Set ONVIF_NAT to 1, as shown in Figure 5-73.

    In the port mapping on the firewall, the external RTSP port must be the same as the internal RTSP port. (You need to change the camera's RTSP port to the post-NAT port.)

    Figure 5-73 Setting advanced parameters

HWSDK (Proactive Registration)

Data Plan
Table 5-71 Data plan

NE: Cameras
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers:
    • Static IP addresses must be configured for cameras.
    • Post-NAT fixed IP addresses and port numbers must be configured for cameras.
    For details, see the camera product documentation.

NE: Firewall
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers: For details, see the camera product documentation.

NE: HWT-IVS1800
  Configuration required on the NE: No
  Pre-NAT IP address: -
  Post-NAT IP address: -
  Pre-NAT port number: -
  Post-NAT port number: -

GB/T 28181

Data Plan
Table 5-72 Data plan

NE: Cameras
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers:
    • Static IP addresses must be configured for cameras.
    • Post-NAT fixed IP addresses and port numbers must be configured for cameras.
    For details, see the camera product documentation.

NE: Firewall
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers: For details, see the camera product documentation.

NE: HWT-IVS1800
  Configuration required on the NE: No
  Pre-NAT IP address: -
  Post-NAT IP address: -
  Pre-NAT port number: -
  Post-NAT port number: -

Cameras and HWT-IVS1800 on Different Intranets

Context

Network

If the cameras and the HWT-IVS1800 are on different intranets, you need to configure NAT for the cameras and for the HWT-IVS1800 separately. Once NAT is configured on both sides, the cameras can connect to the HWT-IVS1800 through its extranet IP address, as shown in Figure 5-74.

Figure 5-74 Cameras and HWT-IVS1800 on different intranets
Protocols That Support NAT
Table 5-73 Protocols that support NAT

Registration Type        Protocol     Support NAT   Procedure
Passive registration     ONVIF        Yes           ONVIF
Proactive registration   HWSDK        Yes           HWSDK (Proactive Registration)
                         GB/T 28181   Yes           GB/T 28181

NOTE:
  • Passive registration: the iClient S100 does not allow users to add multiple cameras with the same IP address.
  • ONVIF: the cameras must support NAT.

ONVIF

Data Plan

This section uses NAT mapping based on IP addresses and port translation as an example for data plan.

NAT based on IP address translation is relatively simple. In addition to IP address NAT on the firewall, the ports in the data plan need to be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-74 Data plan

NE: Cameras
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers:
    • The cameras must support NAT.
    • Static IP addresses must be configured for cameras.
    For details, see the camera product documentation.

NE: Firewall 1
  Configuration required on the NE: Yes
  Pre-NAT and post-NAT IP addresses and port numbers: For details, see the camera product documentation.

NE: Firewall 2
  Configuration required on the NE: Yes
  Pre-NAT IP address: 192.168.10.10
  Post-NAT IP address: 10.10.10.10
  Pre-NAT port number:
    • DCG
      • UDP: 40000
      • TCP: 40001
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  Post-NAT port number:
    • DCG
      • UDP: 40000
      • TCP: 40001
    • OMU
      • HTTP: 8481
      • HTTPS: 8443
    • MU
      • RTSP: 554
      • TCP: 10000 to 10101
      • UDP: 12800 to 13599
  NOTE:
    • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800. If the default TCP and UDP ports of the MU are already occupied on the firewall and cannot be changed there, change the default ports on the OMU portal and configure the new ports on the firewall.
    • For other ports, you only need to ensure that pre-NAT ports match post-NAT ports.

NE: HWT-IVS1800
  Configuration required on the NE: Yes
  Pre-NAT IP address:
    • DCG: 192.168.10.10
    • MU: 192.168.10.10
    • OMU: 192.168.10.10
  Post-NAT IP address:
    • DCG: 10.10.10.10
    • MU: 10.10.10.10
    • OMU: 10.10.10.10
  Pre-NAT port number:
    • MU (RTSP): 554
    • OMU: 8481 and 8443
  Post-NAT port number:
    • MU (RTSP): 554
    • OMU: 8481 and 8443
  NOTE:
    • If the port configured on the firewall is the default port of the module, use the default value 0 on the OMU portal.
    • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
    • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you need to enable a policy that allows the HWT-IVS1800 to reach the SMTP port of the email server.

Configuring NAT on Firewall 2
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT:

      nat server <name> global <post-NAT IP address> inside <IP address of HWT-IVS1800>

    • IP address and port NAT:
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

    In the preceding commands, the items in angle brackets are placeholders to be replaced with the values from the data plan, and name indicates the unique name of the NAT server. The requirements on the server name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and can be a combination of digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems and cannot be name, global, protocol, vpn-instance, zone, or their first several characters. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server <name> command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall.

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-policy_sec1] source-zone untrust
    [FW-policy-security-rule-policy_sec1] destination-zone trust
    [FW-policy-security-rule-policy_sec1] destination-address <video/image management platform IP address> 32
    [FW-policy-security-rule-policy_sec1] action permit
    [FW-policy-security-rule-policy_sec1] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • video/image management platform IP address (the IP address of the device in the Trust security zone): pre-NAT IP address of the intranet device. If there are multiple IP addresses, configure one security policy per address.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports.
    1. Configure port NAT.

      By default, SIP port 5060 is used. However, GB/T 28181 uses SIP port 5080. Therefore, you need to perform this step.

      [FW]acl 2000
      [FW-acl-basic-2000]rule permit
      [FW-acl-basic-2000]quit
      [FW]port-mapping sip port 5080 acl 2000
      [FW]quit
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. The following information indicates that the settings have taken effect:

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.
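
The three identical "Configuring NAT on the Firewall" procedures on this page all fill the step 2 command templates from a data plan row by hand. The following added example (not code from the HWT-IVS1800 or firewall documentation) renders those nat server lines from the firewall row of Table 5-65 and applies the naming rules quoted in step 2; the NAT server names, the PortMapping type and the HWSDK_PLAN list are constructed here and are not from the page.

```python
"""Added example, not from the HWT-IVS1800 or firewall documentation.

Renders the `nat server` command lines of step 2 from a data plan row such as
the firewall row of Table 5-65 (pre-NAT 192.168.10.10 -> post-NAT 10.10.10.10,
pre-NAT ports equal to post-NAT ports) and applies the NAT server naming rules
quoted on this page. NAT server names below are constructed, not from the page.
"""
from dataclasses import dataclass

# Naming rules from step 2 of "Configuring NAT on the Firewall".
FORBIDDEN_NAMES = {"all", "vsys", "all-systems"}
FORBIDDEN_PREFIX_WORDS = ("name", "global", "protocol", "vpn-instance", "zone")


def is_valid_nat_server_name(name: str) -> bool:
    """1 to 256 characters, starting with a letter or digit, and neither a
    reserved word nor a leading substring of one (n, na, nam, name are rejected)."""
    if not 1 <= len(name) <= 256:
        return False
    if not (name[0].isalpha() or name[0].isdigit()):
        return False
    if name in FORBIDDEN_NAMES:
        return False
    return not any(word.startswith(name) for word in FORBIDDEN_PREFIX_WORDS)


@dataclass(frozen=True)
class PortMapping:
    name: str        # NAT server name (constructed)
    protocol: str    # "tcp" or "udp"
    start_port: int  # start of the port range (pre-NAT == post-NAT in the data plan)
    end_port: int    # end of the range; equal to start_port for a single port


def render_ip_nat_command(name: str, pre_nat_ip: str, post_nat_ip: str) -> str:
    """IP address NAT: translate the whole HWT-IVS1800 address, all ports."""
    if not is_valid_nat_server_name(name):
        raise ValueError(f"invalid NAT server name: {name!r}")
    return f"nat server {name} global {post_nat_ip} inside {pre_nat_ip}"


def render_port_nat_commands(pre_nat_ip: str, post_nat_ip: str,
                             mappings: list) -> list:
    """IP address and port NAT: one `nat server ... unr-route` line per mapping."""
    lines = []
    for m in mappings:
        if not is_valid_nat_server_name(m.name):
            raise ValueError(f"invalid NAT server name: {m.name!r}")
        if m.protocol not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {m.protocol!r}")
        if m.start_port > m.end_port:
            raise ValueError(f"bad port range for {m.name}: {m.start_port}-{m.end_port}")
        if m.start_port == m.end_port:
            # NAT of a single IP address and a single port
            lines.append(f"nat server {m.name} protocol {m.protocol} "
                         f"global {post_nat_ip} {m.start_port} "
                         f"inside {pre_nat_ip} {m.start_port} unr-route")
        else:
            # NAT of a single IP address and multiple ports
            lines.append(f"nat server {m.name} protocol {m.protocol} "
                         f"global {post_nat_ip} {m.start_port} {m.end_port} "
                         f"inside {pre_nat_ip} {m.start_port} {m.end_port} unr-route")
    return lines


# Constructed from the firewall row of Table 5-65 (HWSDK, proactive registration).
# HTTP, HTTPS and RTSP run over TCP.
HWSDK_PLAN = [
    PortMapping("dcg_udp", "udp", 40002, 40002),
    PortMapping("dcg_tcp_5060", "tcp", 5060, 5060),
    PortMapping("dcg_tcp_5062", "tcp", 5062, 5062),
    PortMapping("imgu_tcp", "tcp", 9555, 9555),
    PortMapping("omu_http", "tcp", 8481, 8481),
    PortMapping("omu_https", "tcp", 8443, 8443),
    PortMapping("mu_rtsp", "tcp", 554, 554),
    PortMapping("mu_tcp_media", "tcp", 10000, 10101),
    PortMapping("mu_udp_media", "udp", 12800, 13599),
]

if __name__ == "__main__":
    for line in render_port_nat_commands("192.168.10.10", "10.10.10.10", HWSDK_PLAN):
        print(line)
```

Compare the rendered lines with the output of display current-configuration in step 3 to confirm that every port in the plan has exactly one NAT server entry.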

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-75.

    Figure 5-75 Configuring NAT information

    Table 5-75 describes the parameters.

    Table 5-75 Parameter description

    Module

    Parameter

    Description

    PUBLIC

    SNatIP

    Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.

    DCG_NAT_LIST

    List of subnets, which is used by the HWT-IVS1800 to determine whether NAT needs to be configured for IP addresses of southbound devices.

    • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except standard subnet addresses by default.
      The standard private network IP address ranges are as follows:
      • Class A: 10.0.0.1 to 10.255.255.254

      • Class B: 172.16.0.1 to 172.31.255.254

      • Class C: 192.168.0.1 to 192.168.255.254

    • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the NAT subnet list.

      If there are multiple IP subnets, use semicolons (;) to separate them, for example, 192.168.1.0/24;192.168.2.0/24.

    OMUSHttpNatPort

    Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.

    OMUSHttpsNatPort

    Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.

    NatSRtspPort

    Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    MU

    TcpRecvMediaPort

    Start of the TCP port range on which the MU of the HWT-IVS1800 receives media streams from cameras. After the setting, the system occupies the specified port and the following 101 ports (102 ports, n to n+101). If you change the start port, ensure that none of the new ports collides with the ports described in the product communication matrix.

    The value range is [10000,30000], and [n,n+101] must not contain port 18531 (used by Nginx). The value n indicates the start port number.

    UdpRecvMediaPort

    Start of the UDP port range on which the MU of the HWT-IVS1800 receives media streams from cameras. After the setting, the system occupies the specified port and the following 799 ports (800 ports, n to n+799). If you change the start port, ensure that none of the new ports collides with the ports described in the product communication matrix.

    The value range is [10000,30000], and [n,n+799] must not contain port 18531 (used by Nginx). The value n indicates the start port number.

    DCG

    ONVIF_NAT

    Whether to forcibly replace the IP address and port number obtained from the ONVIF capability set with the IP address and port number used when the camera was added. Set ONVIF_NAT to 1 in this scenario. The default value is 0.

    • 0: no
    • 1: yes

HWSDK (Proactive Registration)

Data Plan

This section uses NAT mapping based on IP address and port translation as the example for the data plan.

NAT based on IP address translation alone is simpler: in addition to the IP address NAT entry on the firewall, the ports in the data plan must be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-76 Data plan

Columns: NE | Require Configuration on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number

Cameras
  Require configuration on the NE: Yes
  Static IP addresses must be configured for cameras. For details, see the camera product documentation.

Firewall 1
  Require configuration on the NE: Yes
  For details, see the camera product documentation.

Firewall 2
  Require configuration on the NE: Yes
  Pre-NAT IP address: 192.168.10.10
  Post-NAT IP address: 10.10.10.10
  Pre-NAT port numbers:
    • DCG: UDP 40002; TCP 5060 and 5062
    • IMGU: TCP 9555
    • OMU: HTTP 8481; HTTPS 8443
    • MU: RTSP 554; TCP 10000 to 10101; UDP 12800 to 13599
  Post-NAT port numbers: the same as the pre-NAT port numbers
    • DCG: UDP 40002; TCP 5060 and 5062
    • IMGU: TCP 9555
    • OMU: HTTP 8481; HTTPS 8443
    • MU: RTSP 554; TCP 10000 to 10101; UDP 12800 to 13599
  NOTE:
    • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800 (TcpRecvMediaPort and UdpRecvMediaPort). If the default MU ports are already occupied on the firewall and cannot be changed there, change the MU ports on the OMU portal and configure the new ports on the firewall.
    • For other ports, you only need to ensure that each pre-NAT port matches its post-NAT port.

HWT-IVS1800
  Require configuration on the NE: Yes
  Pre-NAT IP address: 192.168.10.10 for the DCG, IMGU, MU, and OMU
  Post-NAT IP address: 10.10.10.10 for the DCG, IMGU, MU, and OMU
  Pre-NAT port numbers:
    • IMGU: 9555
    • MU: 554
    • OMU: 8481 and 8443
    • Nginx: 18531 and 18533
  Post-NAT port numbers: the same as the pre-NAT port numbers
    • IMGU: 9555
    • MU: 554
    • OMU: 8481 and 8443
    • Nginx: 18531 and 18533
  NOTE:
    • If the port configured on the firewall is the default port of the module, keep the default value 0 on the OMU portal (0 means that the module's default port is used).
    • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
    • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you must also allow the HWT-IVS1800 to reach the SMTP port of the email server with a policy from the HWT-IVS1800's zone to the extranet zone; the inbound NAT entries above do not cover that direction.

Configuring NAT on Firewall 2
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT (the whole address is mapped; the ports in the data plan must then be allowed in both directions):

      nat server <name> global <post-NAT IP address> inside <IP address of HWT-IVS1800>

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

    In the preceding commands, <name> is the unique name of the NAT server entry, and the inside address and ports are the pre-NAT values from the data plan. The requirements on the name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and may contain letters and digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone, or any leading substring of those keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall so that traffic from the extranet (Untrust zone) can reach the pre-NAT address of the HWT-IVS1800 (Trust zone).

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the video/image management platform> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the video/image management platform: pre-NAT IP address of the HWT-IVS1800 in the Trust security zone (192.168.10.10 in the data plan). If there are multiple IP addresses, configure multiple security policies.
    • As written, the rule permits every protocol and port from the Untrust zone to that address. Add a service condition so that only the ports in the data plan are permitted.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports, because the firewall rewrites the addresses carried inside the SIP signaling instead of relying on fixed port mappings.
    1. Configure port mapping.

      By default, the firewall identifies SIP on port 5060. GB/T 28181 uses SIP port 5080, so that port must be mapped to the SIP protocol before the ALG can inspect it.

      [FW]acl 2000
      [FW-acl-basic-2000]rule permit
      [FW-acl-basic-2000]quit
      [FW]port-mapping sip port 5080 acl 2000
      [FW]quit

      ACL 2000 with a bare rule permit matches all traffic. If only specific camera subnets should be treated as SIP on port 5080, add a source condition to the rule instead of permitting everything.
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. A SIP session that shows the post-NAT address followed by the pre-NAT address in brackets, as below, indicates that the settings have taken effect (X.X.X.X is the camera's address):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-76.

    Figure 5-76 Configuring NAT information

    Table 5-77 describes the parameters.

    Table 5-77 Parameter description

    Module

    Parameter

    Description

    PUBLIC

    SNatIP

    Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.

    DCG_NAT_LIST

    List of subnets that the HWT-IVS1800 uses to decide whether the IP addresses of southbound devices must be translated.

    • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except the standard private IP addresses, which are:
      • Class A: 10.0.0.1 to 10.255.255.254
      • Class B: 172.16.0.1 to 172.31.255.254
      • Class C: 192.168.0.1 to 192.168.255.254

    • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the list. Put only subnets that the HWT-IVS1800 can reach without translation in the list.

      Separate multiple subnets with semicolons (;), for example, 192.168.1.0/24;192.168.2.0/24.

    NatSRtspPort

    Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    IMGUSNatPort

    Post-NAT southbound port number of the IMGU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 9555.

    OMUSHttpNatPort

    Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.

    OMUSHttpsNatPort

    Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.

    MU

    TcpRecvMediaPort

    Start of the TCP port range on which the MU of the HWT-IVS1800 receives media streams from cameras. After the setting, the system occupies the specified port and the following 101 ports (102 ports, n to n+101). If you change the start port, ensure that none of the new ports collides with the ports described in the product communication matrix.

    The value range is [10000,30000], and [n,n+101] must not contain port 18531 (used by Nginx). n indicates the start port number.

    UdpRecvMediaPort

    Start of the UDP port range on which the MU of the HWT-IVS1800 receives media streams from cameras. After the setting, the system occupies the specified port and the following 799 ports (800 ports, n to n+799). If you change the start port, ensure that none of the new ports collides with the ports described in the product communication matrix.

    The value range is [10000,30000], and [n,n+799] must not contain port 18531 (used by Nginx). n indicates the start port number.

GB/T 28181

Data Plan

This section uses NAT mapping based on IP address and port translation as the example for the data plan.

NAT based on IP address translation alone is simpler: in addition to the IP address NAT entry on the firewall, the ports in the data plan must be allowed in both directions. For details about how to allow ports, see the firewall documentation.

Table 5-78 Data plan

Columns: NE | Require Configuration on the NE | Pre-NAT IP Address | Post-NAT IP Address | Pre-NAT Port Number | Post-NAT Port Number

Cameras
  Require configuration on the NE: Yes
  Static IP addresses must be configured for cameras. For details, see the camera product documentation.

Firewall 1
  Require configuration on the NE: Yes
  For details, see the camera product documentation.

Firewall 2
  Require configuration on the NE: Yes
  Pre-NAT IP address: 192.168.10.10
  Post-NAT IP address: 10.10.10.10
  Pre-NAT port numbers:
    • DCG: UDP 5080
    • OMU: HTTP 8481; HTTPS 8443
    • MU: TCP 10000 to 10101; UDP 12800 to 13599
  Post-NAT port numbers: the same as the pre-NAT port numbers
    • DCG: UDP 5080
    • OMU: HTTP 8481; HTTPS 8443
    • MU: TCP 10000 to 10101; UDP 12800 to 13599
  NOTE:
    • The TCP and UDP ports of the MU on the firewall must be the same as those set on the HWT-IVS1800 (TcpRecvMediaPort and UdpRecvMediaPort). If the default MU ports are already occupied on the firewall and cannot be changed there, change the MU ports on the OMU portal and configure the new ports on the firewall.
    • For other ports, you only need to ensure that each pre-NAT port matches its post-NAT port.

HWT-IVS1800
  Require configuration on the NE: Yes
  Pre-NAT IP address: 192.168.10.10 for the DCG, MU, and OMU
  Post-NAT IP address: 10.10.10.10 for the DCG, MU, and OMU
  Pre-NAT port numbers:
    • MU: 554
    • OMU: 8481 and 8443
  Post-NAT port numbers: the same as the pre-NAT port numbers
    • MU: 554
    • OMU: 8481 and 8443
  NOTE:
    • If the port configured on the firewall is the default port of the module, keep the default value 0 on the OMU portal (0 means that the module's default port is used).
    • If the port configured on the firewall is not the default port, the port specified here must be the same as the port configured on the firewall.
    • In the alarm-linked email function, the HWT-IVS1800 accesses the email server as a client. If the email server is on an extranet, you must also allow the HWT-IVS1800 to reach the SMTP port of the email server with a policy from the HWT-IVS1800's zone to the extranet zone; the inbound NAT entries above do not cover that direction.

Configuring NAT on Firewall 2
  1. Go to the firewall configuration page by referring to Logging In to the Firewall.
  2. Configure NAT based on the data plan.

    • IP address NAT (the whole address is mapped; the ports in the data plan must then be allowed in both directions):

      nat server <name> global <post-NAT IP address> inside <IP address of HWT-IVS1800>

    • IP address and port NAT
      • NAT of a single IP address and a single port

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT port number> inside <IP address> <port number> unr-route

      • NAT of a single IP address and multiple ports

        TCP: nat server <name> protocol tcp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

        UDP: nat server <name> protocol udp global <post-NAT IP address> <post-NAT start port number> <post-NAT end port number> inside <IP address> <start port number> <end port number> unr-route

    In the preceding commands, <name> is the unique name of the NAT server entry, and the inside address and ports are the pre-NAT values from the data plan. The requirements on the name are as follows:

    • It is a string of 1 to 256 case-sensitive characters and may contain letters and digits.
    • It must start with a letter or digit.
    • It cannot be all, vsys, or all-systems, and it cannot be name, global, protocol, vpn-instance, or zone, or any leading substring of those keywords. For example, the value cannot be n, na, or nam.

  3. Run the display current-configuration command to view the NAT configuration on the firewall and determine whether the NAT configuration is correct.

    To modify the NAT configuration on the firewall, run the undo nat server name command to delete the original NAT configuration and then re-configure NAT.

  4. Configure a security policy on the firewall so that traffic from the extranet (Untrust zone) can reach the pre-NAT address of the HWT-IVS1800 (Trust zone).

    [FW] security-policy
    [FW-policy-security] rule name rule_name
    [FW-policy-security-rule-rule_name] source-zone untrust
    [FW-policy-security-rule-rule_name] destination-zone trust
    [FW-policy-security-rule-rule_name] destination-address <IP address of the video/image management platform> 32
    [FW-policy-security-rule-rule_name] action permit
    [FW-policy-security-rule-rule_name] quit
    • rule_name: name of the security policy. You can configure multiple security policies as required.
    • IP address of the video/image management platform: pre-NAT IP address of the HWT-IVS1800 in the Trust security zone (192.168.10.10 in the data plan). If there are multiple IP addresses, configure multiple security policies.
    • As written, the rule permits every protocol and port from the Untrust zone to that address. Add a service condition so that only the ports in the data plan are permitted.

  5. Optional: Configure NAT ALG.

    Compared with the HWT-IVS1800+firewall NAT scheme, the firewall ALG scheme occupies fewer ports, because the firewall rewrites the addresses carried inside the SIP signaling instead of relying on fixed port mappings.
    1. Configure port mapping.

      By default, the firewall identifies SIP on port 5060. GB/T 28181 uses SIP port 5080, so that port must be mapped to the SIP protocol before the ALG can inspect it.

      [FW]acl 2000
      [FW-acl-basic-2000]rule permit
      [FW-acl-basic-2000]quit
      [FW]port-mapping sip port 5080 acl 2000
      [FW]quit

      ACL 2000 with a bare rule permit matches all traffic. If only specific camera subnets should be treated as SIP on port 5080, add a source condition to the rule instead of permitting everything.
    2. Configure firewall NAT ALG to implement proper SIP packet forwarding.
      [FW] firewall interzone trust untrust
      [FW-interzone-trust-untrust] detect sip
      [FW-interzone-trust-untrust] quit
    3. Verify that the settings have taken effect.

      After the cameras are successfully registered, run the display firewall session table command on the firewall to view the session table. A SIP session that shows the post-NAT address followed by the pre-NAT address in brackets, as below, indicates that the settings have taken effect (X.X.X.X is the camera's address):

      Current Total Sessions : 2
      sip VPN:public --> public X.X.X.X:2107-->10.10.10.10:5080[192.168.10.13:5080]

  6. Configure a static route to the extranet IP address (for example, 10.10.10.90) on the router, with the next hop being the intranet IP address of the firewall. In this manner, the messages returned from an extranet can be forwarded to the firewall.

    In most cases, you need to contact the network administrator to configure the static route.
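The two "Configuring NAT on Firewall 2" procedures above (HWSDK and GB/T 28181) translate the data plan into nat server entries and a security policy by hand, and the notes under Tables 5-76 and 5-78 require the MU ranges on the firewall to equal the OMU-portal values. The following Python script is an added example, not code from the HWT-IVS1800 or firewall documentation: it renders both data plans into the command forms quoted in step 2, applies the NAT server naming rules, checks that the MU ranges match TcpRecvMediaPort/UdpRecvMediaPort, and emits the step 4 policy limited to the published ports. The NAT server names (omu_http, mu_udp, and so on) and the rule name are invented, and the `service protocol ... destination-port ...` form in the rule view is an assumption, not something the page states.

```python
"""Render the NAT data plan into firewall commands and check it for consistency.

Added example (not from the HWT-IVS1800 or firewall documentation). It uses the
'nat server ... unr-route' forms quoted in step 2 and assumes that the security-policy
rule view accepts 'service protocol {tcp|udp} destination-port <port> [to <port>]'.
NAT server names and the rule name are invented.
"""
import re

KEYWORDS = ("name", "global", "protocol", "vpn-instance", "zone")
RESERVED = {"all", "vsys", "all-systems"}

# (name, protocol, pre-NAT (start, end), post-NAT (start, end)), inclusive.
# Values copied from Table 5-76 (HWSDK, proactive registration).
PLAN_HWSDK = [
    ("dcg_udp",   "udp", (40002, 40002), (40002, 40002)),
    ("dcg_sip",   "tcp", (5060, 5060),   (5060, 5060)),
    ("dcg_sip2",  "tcp", (5062, 5062),   (5062, 5062)),
    ("imgu",      "tcp", (9555, 9555),   (9555, 9555)),
    ("omu_http",  "tcp", (8481, 8481),   (8481, 8481)),
    ("omu_https", "tcp", (8443, 8443),   (8443, 8443)),
    ("mu_rtsp",   "tcp", (554, 554),     (554, 554)),
    ("mu_tcp",    "tcp", (10000, 10101), (10000, 10101)),
    ("mu_udp",    "udp", (12800, 13599), (12800, 13599)),
]
# Values copied from Table 5-78 (GB/T 28181): SIP on UDP 5080, no IMGU or RTSP entry.
PLAN_GBT = [
    ("dcg_sip",   "udp", (5080, 5080),   (5080, 5080)),
    ("omu_http",  "tcp", (8481, 8481),   (8481, 8481)),
    ("omu_https", "tcp", (8443, 8443),   (8443, 8443)),
    ("mu_tcp",    "tcp", (10000, 10101), (10000, 10101)),
    ("mu_udp",    "udp", (12800, 13599), (12800, 13599)),
]


def valid_nat_name(name):
    """Naming rules listed after step 2: 1 to 256 characters, starts with a letter or
    digit, not a reserved word, and neither a keyword nor a leading substring of one."""
    if not 1 <= len(name) <= 256 or not re.match(r"[A-Za-z0-9]", name):
        return False
    if name in RESERVED:
        return False
    return not any(kw.startswith(name) for kw in KEYWORDS)


def check_plan(plan, mu_tcp, mu_udp):
    """Problems that would make the plan fail quietly: bad or duplicate names,
    pre-NAT/post-NAT ports that differ (the data plan note requires them to match),
    or MU ranges on the firewall that differ from the OMU-portal settings."""
    problems, seen = [], set()
    for name, proto, pre, post in plan:
        if not valid_nat_name(name):
            problems.append(f"{name}: invalid NAT server name")
        if name in seen:
            problems.append(f"{name}: duplicate NAT server name")
        seen.add(name)
        if proto not in ("tcp", "udp"):
            problems.append(f"{name}: unknown protocol {proto}")
        if pre != post:
            problems.append(f"{name}: pre-NAT ports {pre} and post-NAT ports {post} differ")
    mapped = {(proto, pre) for _, proto, pre, _ in plan}
    if ("tcp", tuple(mu_tcp)) not in mapped:
        problems.append(f"MU TCP range {mu_tcp} (TcpRecvMediaPort) is not mapped on the firewall")
    if ("udp", tuple(mu_udp)) not in mapped:
        problems.append(f"MU UDP range {mu_udp} (UdpRecvMediaPort) is not mapped on the firewall")
    return problems


def render_nat(plan, inside_ip, global_ip):
    """One 'nat server' line per entry, in the single-port or port-range form of step 2."""
    lines = []
    for name, proto, (a, b), (c, d) in plan:
        if a == b:
            lines.append(f"nat server {name} protocol {proto} global {global_ip} {c} "
                         f"inside {inside_ip} {a} unr-route")
        else:
            lines.append(f"nat server {name} protocol {proto} global {global_ip} {c} {d} "
                         f"inside {inside_ip} {a} {b} unr-route")
    return lines


def render_policy(plan, inside_ip, rule_name):
    """Step 4 policy, but limited to the published services instead of permitting
    every Untrust-to-Trust flow to the platform's pre-NAT address."""
    lines = ["security-policy", f" rule name {rule_name}", "  source-zone untrust",
             "  destination-zone trust", f"  destination-address {inside_ip} 32"]
    for _, proto, (a, b), _ in plan:
        port = str(a) if a == b else f"{a} to {b}"
        lines.append(f"  service protocol {proto} destination-port {port}")
    lines += ["  action permit", " quit"]
    return lines


if __name__ == "__main__":
    for label, plan in (("HWSDK", PLAN_HWSDK), ("GB/T 28181", PLAN_GBT)):
        print(f"# {label} data plan")
        for problem in check_plan(plan, (10000, 10101), (12800, 13599)):
            print("# WARNING:", problem)
        print("\n".join(render_nat(plan, "192.168.10.10", "10.10.10.10")))
        print("\n".join(render_policy(plan, "192.168.10.10", "ivs_southbound")))
```

Pass the TcpRecvMediaPort and UdpRecvMediaPort values actually set on the OMU portal to check_plan; a warning about an MU range means the firewall plan and the OMU-portal values have drifted apart, which the data plan note requires to be identical. Review the rendered policy before applying it, since a rule without a service condition permits every port to the platform address.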

Configuring NAT on the HWT-IVS1800
  1. Log in to the OMU portal as the admin user (see Logging In to the OMU Portal).
  2. Choose System > Advanced Configuration.
  3. Configure NAT information, as shown in Figure 5-77.

    Figure 5-77 Configuring NAT information

    Table 5-79 describes the parameters.

    Table 5-79 Parameter description

    Module

    Parameter

    Description

    PUBLIC

    SNatIP

    Southbound IP address of the HWT-IVS1800, which must be the same as the post-NAT IP address configured on the firewall.

    DCG_NAT_LIST

    List of subnets that the HWT-IVS1800 uses to decide whether the IP addresses of southbound devices must be translated.

    • If no user-defined NAT subnet list is configured, the system performs NAT for all IP addresses except the standard private IP addresses, which are:
      • Class A: 10.0.0.1 to 10.255.255.254
      • Class B: 172.16.0.1 to 172.31.255.254
      • Class C: 192.168.0.1 to 192.168.255.254

    • If a user-defined NAT subnet list is configured, the system performs NAT for all IP addresses (including standard private IP addresses) except those in the list. Put only subnets that the HWT-IVS1800 can reach without translation in the list.

      Separate multiple subnets with semicolons (;), for example, 192.168.1.0/24;192.168.2.0/24.

    NatSRtspPort

    Post-NAT southbound port number of the MU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 554.

    OMUSHttpNatPort

    Post-NAT southbound HTTP port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8481.

    OMUSHttpsNatPort

    Post-NAT southbound HTTPS port number of the OMU of the HWT-IVS1800, which must be the same as the post-NAT port number configured on the firewall. The default port number is 8443.

    MU

    TcpRecvMediaPort

    Start of the TCP port range on which the MU of the HWT-IVS1800 receives media streams from cameras. After the setting, the system occupies the specified port and the following 101 ports (102 ports, n to n+101). If you change the start port, ensure that none of the new ports collides with the ports described in the product communication matrix.

    The value range is [10000,30000], and [n,n+101] must not contain port 18531 (used by Nginx). The value n indicates the start port number.

    UdpRecvMediaPort

    Start of the UDP port range on which the MU of the HWT-IVS1800 receives media streams from cameras. After the setting, the system occupies the specified port and the following 799 ports (800 ports, n to n+799). If you change the start port, ensure that none of the new ports collides with the ports described in the product communication matrix.

    The value range is [10000,30000], and [n,n+799] must not contain port 18531 (used by Nginx). The value n indicates the start port number.
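The DCG_NAT_LIST and MU port parameters appear in each of the parameter tables above (Tables 5-77 and 5-79 and the table that opens this section) with the same rules: an empty list means every southbound address outside the three standard private ranges is translated, a non-empty list means everything not in the list is translated, and TcpRecvMediaPort/UdpRecvMediaPort occupy n..n+101 and n..n+799 starting in [10000,30000] without covering port 18531. The following Python script is an added example, not HWT-IVS1800 code: it implements those rules so the values can be checked before they are saved on the OMU portal. The function names and sample addresses are invented for the example.

```python
"""Check the OMU-portal NAT parameters from the parameter tables before saving them.

Added example, not HWT-IVS1800 code. It implements the documented rules: with an
empty DCG_NAT_LIST the platform translates every southbound address except the three
standard private ranges; with a list it translates everything not in the list.
TcpRecvMediaPort occupies n..n+101 and UdpRecvMediaPort n..n+799, both starting in
[10000, 30000] and never covering Nginx port 18531. Sample addresses are invented.
"""
import ipaddress

# The standard private ranges exactly as the table lists them (first and last host).
STANDARD_PRIVATE = tuple(
    (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    for lo, hi in (("10.0.0.1", "10.255.255.254"),
                   ("172.16.0.1", "172.31.255.254"),
                   ("192.168.0.1", "192.168.255.254"))
)
NGINX_PORT = 18531
PORT_MIN, PORT_MAX = 10000, 30000
TCP_SPAN, UDP_SPAN = 101, 799   # ports occupied after the start port


def parse_nat_list(value):
    """DCG_NAT_LIST is a semicolon-separated list of CIDR subnets; blank means unset.
    Raises ValueError on an entry that is not a subnet."""
    items = [item.strip() for item in (value or "").split(";") if item.strip()]
    return [ipaddress.ip_network(item, strict=False) for item in items]


def nat_required(device_ip, nat_list):
    """True if the HWT-IVS1800 will translate addresses for this southbound device."""
    ip = ipaddress.IPv4Address(device_ip)
    if not nat_list:   # default rule: everything except standard private addresses
        return not any(lo <= ip <= hi for lo, hi in STANDARD_PRIVATE)
    return not any(ip in net for net in nat_list)   # user list: everything not listed


def media_port_problems(start, span, reserved=(NGINX_PORT,)):
    """Problems with a TcpRecvMediaPort (span=101) or UdpRecvMediaPort (span=799) value.
    Pass the ports from the product communication matrix as 'reserved' to catch
    collisions beyond the documented Nginx port."""
    end = start + span
    problems = []
    if not PORT_MIN <= start <= PORT_MAX:
        problems.append(f"start port {start} outside [{PORT_MIN},{PORT_MAX}]")
    for port in reserved:
        if start <= port <= end:
            problems.append(f"range [{start},{end}] contains reserved port {port}")
    return problems


def check_omu_nat(snat_ip, dcg_nat_list, tcp_start, udp_start):
    """Collect every problem an operator should fix before saving the OMU page."""
    problems = []
    try:
        ipaddress.IPv4Address(snat_ip)      # SNatIP is the post-NAT address, one IPv4
    except ValueError:
        problems.append(f"SNatIP: {snat_ip!r} is not an IPv4 address")
    try:
        parse_nat_list(dcg_nat_list)
    except ValueError as exc:
        problems.append(f"DCG_NAT_LIST: {exc}")
    problems += [f"TcpRecvMediaPort: {p}" for p in media_port_problems(tcp_start, TCP_SPAN)]
    problems += [f"UdpRecvMediaPort: {p}" for p in media_port_problems(udp_start, UDP_SPAN)]
    return problems


if __name__ == "__main__":
    # Defaults from the data plan: SNatIP 10.10.10.10, no list, MU starts 10000/12800.
    print(check_omu_nat("10.10.10.10", "", 10000, 12800))                    # []
    print(nat_required("192.168.1.20", []))                                  # False
    print(nat_required("192.168.1.20", parse_nat_list("192.168.2.0/24")))    # True
```

The last two calls show the trap in DCG_NAT_LIST: as soon as any subnet is listed, a camera on another private subnet is translated even though it would not have been with the list empty, so a list that omits one camera subnet silently changes how those cameras are reached.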