I. Networking requirements
A company's platform network and office network use private addresses and connect to the Internet through a router. Interface GigabitEthernet0/0/0 on the router has the public address 202.169.10.1/24, and the carrier-side peer address is 202.169.10.2/24.
Because only a small number of public IP addresses is available (222.249.230.1), the platform's NAT uses no-pat translation (only the packet's IP address is translated, the port number is left unchanged) to replace the internal host addresses of department A (subnets 192.168.(100-110).0/24) for Internet access.
Likewise, because only a small number of public IP addresses is available (222.249.230.1), the office network's NAT uses pat translation (both the IP address and the port number in the packet are translated) to replace the internal host addresses (subnet 192.168.0.0/22) for Internet access.
1. Network topology
Omitted.
2. Configuration approach
Configure the interface IP addresses, a default route, and NAT Outbound on the WAN-side interface so that internal hosts can reach services on the Internet.
II. Procedure
1. Configure the IP addresses of the cloud-platform and office-network hosts; their gateways are 192.168.(100-110).254 and 192.168.0.1 respectively.
2. Configure the VLANs on SWA
<Huawei>system-view
[Huawei]sysname SW
[SW]vlan (100-110)
[SW-vlan(100-110)]q
[SW]interface Ethernet0/0/1
[SW-Ethernet0/0/1]port link-type access
[SW-Ethernet0/0/1]port default vlan 100
[SW-Ethernet0/0/1]q
[SW]interface Ethernet 0/0/2
[SW-Ethernet0/0/2]port link-type trunk
[SW-Ethernet0/0/2]port trunk allow-pass vlan all
[SW-Ethernet0/0/2]q
3. Configure the VLAN on SWB
<Huawei>system-view
[Huawei]sysname SW1
[SW1]vlan 200
[SW1-vlan200]q
[SW1]interface Ethernet0/0/1
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]port default vlan 200
[SW1-Ethernet0/0/1]q
[SW1]interface Ethernet 0/0/2
[SW1-Ethernet0/0/2]port link-type trunk
[SW1-Ethernet0/0/2]port trunk allow-pass vlan all
[SW1-Ethernet0/0/2]q
4. Configure the interface IP addresses on the Router
<Huawei>system-view
[Huawei]sysname Router
[Router]vlan batch 100 200
[Router]interface Vlanif 100
[Router-Vlanif100]ip address 192.168.20.1 24
[Router-Vlanif100]q
[Router]interface Vlanif 200
[Router-Vlanif200]ip address 10.0.0.1 24
[Router-Vlanif200]q
[Router]interface Ethernet 0/0/0
[Router-Ethernet0/0/0]port link-type trunk
[Router-Ethernet0/0/0]port trunk allow-pass vlan all
[Router-Ethernet0/0/0]q
[Router]interface Ethernet 0/0/1
[Router-Ethernet0/0/1]port link-type trunk
[Router-Ethernet0/0/1]port trunk allow-pass vlan all
[Router-Ethernet0/0/1]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]ip address 202.169.10.1 24
[Router-GigabitEthernet0/0/0]q
At this point the hosts can ping their gateway.
5. Configure a default route on the Router with next hop 202.169.10.2
[Router]ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
6. Configure NAT Outbound on the Router (remember to apply it on the outbound interface)
[Router]nat address-group 1 202.169.10.100 202.169.10.200
[Router]nat address-group 2 202.169.10.201 202.169.10.202
[Router]acl number 3001
[Router-acl-adv-3001]rule 5 permit ip source 192.168.20.0 0.0.0.255
[Router-acl-adv-3001]q
[Router]acl number 3002
[Router-acl-adv-3002]rule 5 permit ip source 10.0.0.0 0.0.0.255
[Router-acl-adv-3002]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]nat outbound 3001 address-group 1 no-pat
[Router-GigabitEthernet0/0/0]nat outbound 3002 address-group 2
[Router-GigabitEthernet0/0/0]q
[Router]ip soft-forward enhance enable
To verify from the Router that intranet users can reach the Internet by running ping -a source-ip-address (which sets the source IP address of the ICMP ECHO-REQUEST packets it sends), the command ip soft-forward enhance enable must be configured first. It enables enhanced forwarding of control packets generated by the device itself; only then is the private source address translated to a public address by NAT.
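The no-pat binding above maps each inside host to its own pool address, so the pool must be at least as large as the source range its ACL permits, and a source that matches neither ACL gets no nat outbound translation at all. The following Python script is an added example (not part of the original post or of Huawei's software): it parses the NAT-related lines of the router configuration above, with ROUTER_NAT_CONFIG a constructed copy of those lines, and reports pool sufficiency per binding and which binding, if any, a given source address hits.

```python
import ipaddress
import re

# Constructed input, not a capture: the NAT-related lines of the router configuration above.
ROUTER_NAT_CONFIG = """
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.201 202.169.10.202
acl number 3001
 rule 5 permit ip source 192.168.20.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0/0
 nat outbound 3001 address-group 1 no-pat
 nat outbound 3002 address-group 2
"""

def wildcard_to_network(addr, wildcard):
    # Huawei ACLs use wildcard masks: 0 bits must match, 1 bits are don't-care.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_nat_config(config):
    # Returns pool sizes, ACL source networks and outbound bindings in config order.
    pools, acls, bindings, current = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nat address-group (\d+) (\S+) (\S+)", line):
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            pools[m.group(1)] = hi - lo + 1
        elif m := re.match(r"acl number (\d+)", line):
            current = acls.setdefault(m.group(1), [])
        elif m := re.match(r"rule \d+ permit ip source (\S+) (\S+)", line):
            current.append(wildcard_to_network(m.group(1), m.group(2)))
        elif m := re.match(r"nat outbound (\d+) address-group (\d+)( no-pat)?", line):
            bindings.append((m.group(1), m.group(2), "no-pat" if m.group(3) else "pat"))
    return pools, acls, bindings

def audit_nat_outbound(config):
    # no-pat needs one pool address per permitted inside host; pat shares addresses by port.
    pools, acls, bindings = parse_nat_config(config)
    findings = []
    for acl, pool, mode in bindings:
        hosts = sum(n.num_addresses - (2 if n.prefixlen < 31 else 0) for n in acls[acl])
        findings.append({"acl": acl, "pool": pool, "mode": mode, "pool_size": pools[pool],
                         "inside_hosts": hosts, "sufficient": mode == "pat" or pools[pool] >= hosts})
    return findings

def translation_for(src, config):
    # First binding whose ACL permits src; None means no nat outbound rule applies to it.
    _, acls, bindings = parse_nat_config(config)
    ip = ipaddress.IPv4Address(src)
    return next((b for b in bindings if any(ip in n for n in acls[b[0]])), None)
```

With the configuration above, the no-pat pool holds 101 addresses against 254 permitted hosts, so once the pool is consumed further hosts in 192.168.20.0/24 cannot open new sessions.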
7. Check the result
[Router]display nat outbound
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         3001                              1    no-pat
 GigabitEthernet0/0/0         3002                              2       pat
 --------------------------------------------------------------------------
 Total : 2
[Router]ping -a 192.168.20.1 202.169.10.2
 PING 202.169.10.2: 56 data bytes, press CTRL_C to break
  Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms

 --- 202.169.10.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 10/10/10 ms
[Router]ping -a 10.0.0.1 202.169.10.2
 PING 202.169.10.2: 56 data bytes, press CTRL_C to break
  Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
  Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms

 --- 202.169.10.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 10/10/10 ms
8. View the NAT mapping entries
[Router]display nat session all verbose
————————————————
Copyright notice: this article is an original work of the CSDN blogger "友人a笔记" and is distributed under the CC 4.0 BY-SA licence; when reposting, include a link to the original source and this notice.
Original link: https://blog.csdn.net/tladagio/article/details/80725043