|
|
一、组网需求:
4 g* t9 F* N: j' }0 r$ b某公司平台和办公网的私网用户和互联网相连,路由器上接口GigabitEthernet0/0/0的公网地址为202.169.10.1/24,对端运营商侧地址为202.169.10.2/24。% T9 H/ x, U7 n' } }
允许使用公网IP地址比较少(222.249.230.1),所以使用no-pat转换方式(只转换数据包的IP地址,并不使用端口号)平台的NAT方式替换A部门内部的主机地址{网段为192.168.(100-110).0/24},访问因特网。
& e2 E* D+ W7 S. Q# m/ w允许使用公网IP地址比较少(222.249.230.1),所以使用pat转换方式(同时转换数据包中的IP地址和端口号)办公网的NAT替换内部的主机地址(网段为192.168.0.0/22),访问因特网。: T" y) F# }- X0 q. J
1、网络拓扑
: X( [; D" X9 f8 Y. O略
, Z( _6 y0 Q5 P: T! h2 `. g, m- j7 {- n+ n& {
2、配置思路
7 I+ p- d9 E& Z7 E0 R) v6 L! Q' I配置接口IP地址、缺省路由和在WAN侧接口下配置NAT Outbound,实现内部主机访问外网服务功能。
& o% ^- W- O. d$ D( b二、操作步骤. G5 g5 U. O! J+ I1 }4 |
1、配置云平台、办公网主机IP地址,网关分别是192.168.(100-110).254、192.168.0.18 ?+ m$ K' J7 J6 A" {) [- S
2、在SWA上配置vlan4 A& @$ r; B7 _( a. G( P/ B& I4 X& t# f
<Huawei>system-view
8 c% t* r" C0 H1 C+ i6 p[Huawei]sysname SW
" g# h; v4 }& J/ n1 w9 \6 R[SW]vlan (100-110)
. H; T, a T& E2 x" n/ W[SW-vlan(100-110)]q, S9 p' h6 X* V) x* H/ }
[SW]interface Ethernet0/0/1' \: D0 g; f2 d9 j: s' l* U
[SW-Ethernet0/0/1]port link-type access- {3 H: k$ W6 U
[SW-Ethernet0/0/1]port default vlan 100
; {( k' }3 J/ S[SW-Ethernet0/0/1]q
, \3 V7 b, z! V: @7 Z, c[SW]interface Ethernet 0/0/2
+ G# x6 {! {" R5 q' e" `6 ?/ |[SW-Ethernet0/0/2]port link-type trunk
( Z2 U( D) {% @[SW-Ethernet0/0/2]port trunk allow-pass vlan all
: j- h' M* J8 R6 R# o+ u: b4 e: S[SW-Ethernet0/0/2]q# \0 \& G d! Z; J l3 T7 Q
3、在SWB上配置vlan
8 ]0 w# ]: F& @- S4 B1 k! a# L[Huawei]sysname SW1
3 P+ {; ^1 p5 H( Z3 W[SW1]vlan 200
5 A$ z) H! R0 O( K( e" K, r[SW1-vlan200]q
* t' }* v" E. q# P& k[SW1]interface Ethernet0/0/1
! J2 y( E* L' Q2 T* P- d[SW1-Ethernet0/0/1]port link-type access 9 i8 U9 ]% b! K( i
[SW1-Ethernet0/0/1]port default vlan 200) s$ f' |4 e4 ?3 d! R1 m
[SW1-Ethernet0/0/1]q
* c1 t \, h9 f& {; P F# c[SW1]interface Ethernet 0/0/24 u" u* Q5 @! B4 T& U ]
[SW1-Ethernet0/0/2]port link-type trunk 3 d. b* m% c) N
[SW1-Ethernet0/0/2]port trunk allow-pass vlan all
w4 F& o& N+ }" l" r4 H6 Z[SW1-Ethernet0/0/2]q
, |8 [# X! z( s. r4 X9 r4、在Router上配置接口IP地址/ k1 p2 L/ l: N; u
<Huawei>system-view . N% w$ p% p3 Z o4 b
[Huawei]sysname Router
7 J7 N) Y7 F1 |; m& A( U[Router]vlan batch 100 200
- w9 L+ q' F6 T2 N& c[Router]interface Vlanif 100
* _- l* @# Q; n& d; A' J[Router-Vlanif100]ip address 192.168.20.1 24/ d. {1 M% P2 t& L
[Router-Vlanif100]q* y ]% I% @/ J* m) J
[Router]interface Vlanif 200! ~: H: V+ k0 I! |
[Router-Vlanif200]ip address 10.0.0.1 246 u: r7 s2 t# ]3 `0 L
[Router-Vlanif200]q
+ y9 y* O+ E+ ^2 g. [$ P[Router]interface Ethernet 0/0/0
1 k5 |; D/ B$ z/ i. S[Router-Ethernet0/0/0]port link-type trunk
4 Y# ]( T" ^1 ?3 K, p% x, f: k& d[Router-Ethernet0/0/0]port trunk allow-pass vlan all ! u6 \9 {; X% j1 p: w
[Router-Ethernet0/0/0]q
3 X/ x7 D4 A% I' L5 g. J( H[Router]interface Ethernet 0/0/1( B3 n) Z; ~% K# h/ p* G/ h; |' ]
[Router-Ethernet0/0/1]port link-type trunk
; Z' B0 N" f" ~7 W[Router-Ethernet0/0/1]port trunk allow-pass vlan all
1 f) X1 E! }1 _& S6 C+ L[Router-Ethernet0/0/1]q' b) z' x; P/ k f8 A4 X% e
[Router]interface GigabitEthernet 0/0/0% G$ S2 \$ N) A4 V5 u
[Router-GigabitEthernet0/0/0]ip address 202.169.10.1 244 E! l/ d$ V6 h; {) J
[Router-GigabitEthernet0/0/0]q
) `4 {8 ?: z" x( i4 q. A- d- Z4 l这时候主机就可以ping通网关了
+ P/ s) x K4 B; h7 y& x0 v6 C; Y5、在Router上配置缺省路由,指定下一跳为202.169.10.2
6 H4 K# E: O& }* [/ G7 s+ t* E[Router]ip route-static 0.0.0.0 0.0.0.0 202.169.10.28 w( J& @1 r. k. b
6、在Router上配置NAT Outbound(记住在出接口上应用)
# C% t0 N" @+ w1 g4 O$ ^[Router]nat address-group 1 202.169.10.100 202.169.10.2007 ~+ `5 v- T: f* T( L
[Router]nat address-group 2 202.169.10.201 202.169.10.2022 p! G- h* [0 g+ D
[Router]acl number 3001/ D5 }( Y- M7 W( Y2 w$ `6 A
[Router-acl-adv-3001]rule 5 permit ip source 192.168.20.0 0.0.0.255
1 R% R8 V c2 M4 k8 V[Router-acl-adv-3001]q
5 q" u/ q2 L. W9 N) q8 X, K# S; [[Router]acl number 3002! e+ H# W# t& m5 H! P
[Router-acl-adv-3002]rule 5 permit ip source 10.0.0.0 0.0.0.255, b0 H( o, q7 E1 T" y1 S" l; @6 E
[Router-acl-adv-3002]q T6 E" [6 R4 b9 x! }4 y8 s
[Router]interface GigabitEthernet 0/0/0
7 j7 O8 V( S" b" ?% O[Router-GigabitEthernet0/0/0]nat outbound 3001 address-group 1 no-pat
% @9 q+ \" z4 Q' q2 ~8 {, i, b; W( U[Router-GigabitEthernet0/0/0]nat outbound 3002 address-group 2
' K5 R' f" `9 `4 n/ e- `1 \! p[Router-GigabitEthernet0/0/0]q% V ^( d" O5 W0 y K7 X( j
[Router]ip soft-forward enhance enable
% [0 Y( n$ L, j/ l; s9 a7 o如果需要在Router上执行ping -a source-ip-address命令通过指定发送ICMP ECHO-REQUEST报文的源IP地址来验证内网用户可以访问因特网,需要配置命令ip soft-forward enhance enable使能设备产生的控制报文的增强转发功能,这样,私网的源地址才能通过NAT转换为公网地址。
2 H1 s I/ T v" c7、查看结果: ^% S* y+ A& f- c/ j
[Router]display nat outbound
4 ?) c% V; a" b. t, f7 q NAT Outbound Information:0 u. a. @1 ~3 g
--------------------------------------------------------------------------
+ C! o! ?6 L! r( J Interface Acl Address-group/IP/Interface Type
0 o v6 t0 @: H --------------------------------------------------------------------------
( f8 W z) _3 e GigabitEthernet0/0/0 3001 1 no-pat
8 a' {5 a' e1 ] GigabitEthernet0/0/0 3002 2 pat
4 a+ W7 S* E( r4 Z$ A. i --------------------------------------------------------------------------
7 {: h1 o& f7 _% G2 r Total : 2/ u- J f$ I3 o1 z
[Router]ping -a 192.168.20.1 202.169.10.2
# b. B9 S% F+ R4 S E. \- ? s PING 202.169.10.2: 56 data bytes, press CTRL_C to break7 m+ N4 Q" C( q$ j# ^
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
) \7 e {: B0 \# b Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms0 J' z( m0 m: s
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms& @" c- o5 R2 @: V6 Q2 a r: J
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms0 n( {. R8 s6 S- j
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms
* e- f% F. P- |3 A0 x1 H8 [1 u
8 f- J! |3 A \1 J( ]4 ?' K --- 202.169.10.2 ping statistics ---
( B' Z* N& w& b 5 packet(s) transmitted
! ^ V8 d, O2 k% D+ x. ^4 u0 m 5 packet(s) received
6 m! `3 P( R( N- V+ ?- T9 X 0.00% packet loss4 L3 U9 L/ F R. V
round-trip min/avg/max = 10/10/10 ms
6 @5 L% G$ |8 \# r- b3 Q 2 V/ D& S! L8 n! v, _' I' c
[Router]ping -a 10.0.0.1 202.169.10.2& P7 q8 ^5 [3 n" i' v1 p8 H1 l0 V
PING 202.169.10.2: 56 data bytes, press CTRL_C to break* c! ]' X5 w- G! u" X
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms, U3 k* P/ w9 B3 n" w
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms! ?7 W, I. o9 E% n" J9 i
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
% t0 u3 b- M0 B' O* A Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms8 s/ u7 p6 Z `' B6 H7 k
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms
9 p4 w7 m6 E$ g9 z X- p( K- g% G) ]
--- 202.169.10.2 ping statistics ---
2 b* |8 G" ~4 o6 E) O8 O2 T# f 5 packet(s) transmitted$ ~; q Z% e+ s# W) ]
5 packet(s) received" H- O; N9 o" u; T8 B3 t8 R" L
0.00% packet loss
7 l. Y% \3 w) v( G: \0 f0 T round-trip min/avg/max = 10/10/10 ms
2 q# N# k* q! Y8、查看NAT映射表项
* [ l k+ Y: T2 a, ~[Router]display nat session all verbose
/ q' w$ i+ e. Y0 I: G, L1 W————————————————. ?! N8 Z: t0 k5 O5 b
版权声明:本文为CSDN博主「友人a笔记」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。; K+ r( c3 l8 ~0 K8 Q) q
原文链接:https://blog.csdn.net/tladagio/article/details/80725043
/ {- h# G1 |+ H+ A# |- s |
|
发表于 2022-3-15 11:50:24