
Huawei Router Dynamic NAT Address Translation Configuration


友人a筆記, 2018-06-19 11:01:13
Column: Firewall. Tags: Huawei, nat
I. Networking requirements:
A company's department A and department B have private-network users that connect to the Internet. On the router, interface GigabitEthernet0/0/0 has the public address 202.169.10.1/24, and the ISP-side peer address is 202.169.10.2/24.

Department A is allowed a relatively large range of public IP addresses (202.169.10.100~202.169.10.200), so it uses no-pat NAT (only the packet's IP address is translated; port numbers are not used) to replace the addresses of department A's internal hosts (network 192.168.20.0/24) when they access the Internet.

Department B is allowed only a few public IP addresses (202.169.10.201~202.169.10.202), so it uses pat NAT (both the IP address and the port number in the packet are translated) to replace the addresses of department B's internal hosts (network 10.0.0.0/24) when they access the Internet.

1. Network topology (diagram not reproduced here)


2. Configuration approach
Configure the interface IP addresses and the default route, then apply NAT Outbound on the WAN-side interface so that internal hosts can reach services on the external network.

II. Procedure
1. Configure the host IP addresses in departments A and B; the gateways are 192.168.20.1 and 10.0.0.1 respectively.
2. Configure the VLAN on SWA
<Huawei>system-view
[Huawei]sysname SWA
[SWA]vlan 100
[SWA-vlan100]q
[SWA]interface Ethernet0/0/1
[SWA-Ethernet0/0/1]port link-type access
[SWA-Ethernet0/0/1]port default vlan 100
[SWA-Ethernet0/0/1]q
[SWA]interface Ethernet 0/0/2
[SWA-Ethernet0/0/2]port link-type trunk
[SWA-Ethernet0/0/2]port trunk allow-pass vlan all
[SWA-Ethernet0/0/2]q
3. Configure the VLAN on SWB
[Huawei]sysname SWB
[SWB]vlan 200
[SWB-vlan200]q
[SWB]interface Ethernet0/0/1
[SWB-Ethernet0/0/1]port link-type access
[SWB-Ethernet0/0/1]port default vlan 200
[SWB-Ethernet0/0/1]q
[SWB]interface Ethernet 0/0/2
[SWB-Ethernet0/0/2]port link-type trunk
[SWB-Ethernet0/0/2]port trunk allow-pass vlan all
[SWB-Ethernet0/0/2]q
4. Configure the interface IP addresses on the Router
<Huawei>system-view
[Huawei]sysname Router
[Router]vlan batch 100 200
[Router]interface Vlanif 100
[Router-Vlanif100]ip address 192.168.20.1 24
[Router-Vlanif100]q
[Router]interface Vlanif 200
[Router-Vlanif200]ip address 10.0.0.1 24
[Router-Vlanif200]q
[Router]interface Ethernet 0/0/0
[Router-Ethernet0/0/0]port link-type trunk
[Router-Ethernet0/0/0]port trunk allow-pass vlan all
[Router-Ethernet0/0/0]q
[Router]interface Ethernet 0/0/1
[Router-Ethernet0/0/1]port link-type trunk
[Router-Ethernet0/0/1]port trunk allow-pass vlan all
[Router-Ethernet0/0/1]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]ip address 202.169.10.1 24
[Router-GigabitEthernet0/0/0]q
At this point the hosts can ping their gateways.

5. Configure a default route on the Router with next hop 202.169.10.2
[Router]ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
6. Configure NAT Outbound on the Router (remember to apply it on the outbound interface)
[Router]nat address-group 1 202.169.10.100 202.169.10.200
[Router]nat address-group 2 202.169.10.201 202.169.10.202
[Router]acl number 3001
[Router-acl-adv-3001]rule 5 permit ip source 192.168.20.0 0.0.0.255
[Router-acl-adv-3001]q
[Router]acl number 3002
[Router-acl-adv-3002]rule 5 permit ip source 10.0.0.0 0.0.0.255
[Router-acl-adv-3002]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]nat outbound 3001 address-group 1 no-pat
[Router-GigabitEthernet0/0/0]nat outbound 3002 address-group 2
[Router-GigabitEthernet0/0/0]q
[Router]ip soft-forward enhance enable
If you want to run ping -a source-ip-address on the Router, specifying the source IP address of the ICMP ECHO-REQUEST packets it sends, in order to verify that private-network users can reach the Internet, you must configure the command ip soft-forward enhance enable. This enables enhanced forwarding of control packets generated by the device itself; only then can the private source address be translated by NAT into a public address.

7. Check the result
[Router]display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/0 3001 1 no-pat
GigabitEthernet0/0/0 3002 2 pat
--------------------------------------------------------------------------
Total : 2
[Router]ping -a 192.168.20.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms

[Router]ping -a 10.0.0.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms
8. View the NAT mapping entries
[Router]display nat session all verbose
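To make the difference between the two nat outbound bindings concrete, here is an added Python model of the router's behaviour (example code written for this page, not Huawei code and not from the original post): ACL rule matching with Huawei-style wildcard masks, one public IP per inner host from address-group 1 for no-pat, and a shared IP plus translated port from address-group 2 for pat. The sequential port counter and the first-address pool choice for pat are assumptions that simplify what a real device does.

```python
import ipaddress
from itertools import count

# Huawei ACL rules use wildcard masks: a 0 bit must match, a 1 bit is "don't care".
def acl_match(src_ip, rule_net, wildcard):
    s = int(ipaddress.IPv4Address(src_ip))
    n = int(ipaddress.IPv4Address(rule_net))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((s & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

class NatOutbound:
    """Constructed model of one interface's nat outbound bindings (ACL -> address-group)."""
    def __init__(self):
        self.bindings = []      # (rule_net, wildcard, pool, no_pat) in configuration order
        self.sessions = {}      # (private_ip, private_port) -> (public_ip, public_port)
        self.nopat_map = {}     # private_ip -> public_ip for no-pat hosts
        self.next_port = count(1024)  # assumption: simple sequential port allocation

    def add_binding(self, rule_net, wildcard, first, last, no_pat):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.bindings.append((rule_net, wildcard, pool, no_pat))

    def translate(self, private_ip, private_port):
        key = (private_ip, private_port)
        for rule_net, wildcard, pool, no_pat in self.bindings:
            if not acl_match(private_ip, rule_net, wildcard):
                continue
            if no_pat:
                # no-pat: one public IP per inner host, port untouched; the group can run out
                if private_ip not in self.nopat_map:
                    in_use = set(self.nopat_map.values())
                    free = [ip for ip in pool if ip not in in_use]
                    if not free:
                        return None   # address-group exhausted, no translation possible
                    self.nopat_map[private_ip] = free[0]
                self.sessions[key] = (self.nopat_map[private_ip], private_port)
            elif key not in self.sessions:
                # pat: many hosts share one public IP, distinguished by translated port
                self.sessions[key] = (pool[0], next(self.next_port))
            return self.sessions[key]
        return None   # no binding matched: packet would leave the interface untranslated

def build_page_router():
    """The two bindings from step 6: ACL 3001 -> group 1 no-pat, ACL 3002 -> group 2 pat."""
    nat = NatOutbound()
    nat.add_binding("192.168.20.0", "0.0.0.255", "202.169.10.100", "202.169.10.200", True)
    nat.add_binding("10.0.0.0", "0.0.0.255", "202.169.10.201", "202.169.10.202", False)
    return nat
```

Feeding 102 distinct department A hosts through this model shows why no-pat needs the larger group: the 102nd host gets no translation, whereas department B hosts keep sharing 202.169.10.201 with different ports.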


————————————————
Copyright notice: this article is an original work by CSDN blogger "友人a筆記" and is licensed under the CC 4.0 BY-SA license. When republishing, please include a link to the original source and this notice.
Original link: https://blog.csdn.net/tladagio/article/details/80725043