华为路由器 动态NAT地址转换配置
一、组网需求:某公司平台和办公网的私网用户和互联网相连,路由器上接口GigabitEthernet0/0/0的公网地址为202.169.10.1/24,对端运营商侧地址为202.169.10.2/24。
允许使用公网IP地址比较少(222.249.230.1),所以使用no-pat转换方式(只转换数据包的IP地址,并不使用端口号)平台的NAT方式替换A部门内部的主机地址{网段为192.168.(100-110).0/24},访问因特网。
允许使用公网IP地址比较少(222.249.230.1),所以使用pat转换方式(同时转换数据包中的IP地址和端口号)办公网的NAT替换内部的主机地址(网段为192.168.0.0/22),访问因特网。
1、网络拓扑
略
2、配置思路
配置接口IP地址、缺省路由和在WAN侧接口下配置NAT Outbound,实现内部主机访问外网服务功能。
二、操作步骤
1、配置云平台、办公网主机IP地址,网关分别是192.168.(100-110).254、192.168.0.1
2、在SWA上配置vlan
<Huawei>system-view
sysname SW
vlan (100-110)
q
interfaceEthernet0/0/1
port link-type access
port default vlan 100
q
interfaceEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
q
3、在SWB上配置vlan
sysname SW1
vlan 200
q
interface Ethernet0/0/1
port link-type access
port default vlan 200
q
interface Ethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
q
4、在Router上配置接口IP地址
<Huawei>system-view
sysname Router
vlan batch 100 200
interface Vlanif 100
ip address 192.168.20.1 24
q
interface Vlanif 200
ip address10.0.0.1 24
q
interface Ethernet 0/0/0
port link-type trunk
port trunkallow-pass vlan all
q
interface Ethernet 0/0/1
port link-type trunk
port trunk allow-passvlan all
q
interfaceGigabitEthernet0/0/0
ip address202.169.10.1 24
q
这时候主机就可以ping通网关了
5、在Router上配置缺省路由,指定下一跳为202.169.10.2
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
6、在Router上配置NAT Outbound(记住在出接口上应用)
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.201 202.169.10.202
acl number 3001
rule 5 permitip source192.168.20.0 0.0.0.255
q
acl number 3002
rule5 permitip source10.0.0.0 0.0.0.255
q
interfaceGigabitEthernet 0/0/0
nat outbound 3001 address-group 1 no-pat
nat outbound 3002 address-group 2
q
ip soft-forward enhance enable
如果需要在Router上执行ping -a source-ip-address命令通过指定发送ICMP ECHO-REQUEST报文的源IP地址来验证内网用户可以访问因特网,需要配置命令ip soft-forward enhance enable使能设备产生的控制报文的增强转发功能,这样,私网的源地址才能通过NAT转换为公网地址。
7、查看结果
displaynat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/0 3001 1 no-pat
GigabitEthernet0/0/0 3002 2 pat
--------------------------------------------------------------------------
Total : 2
ping -a 192.168.20.1 202.169.10.2
PING 202.169.10.2: 56data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms
ping -a 10.0.0.1 202.169.10.2
PING 202.169.10.2: 56data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms
8、查看NAT映射表项
display nat session all verbose
————————————————
版权声明:本文为CSDN博主「友人a笔记」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/tladagio/article/details/80725043
页:
[1]