Huawei Router Dynamic NAT Address Translation Configuration
友人a笔记 2018-06-19 11:01:13
Category: Firewall  Tags: Huawei, NAT
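I. Networking requirements:
The private-network users of Department A and Department B of a company connect to the Internet. The public address of interface GigabitEthernet0/0/0 on the router is 202.169.10.1/24, and the peer address on the carrier side is 202.169.10.2/24.
Department A is allowed a relatively large number of public IP addresses (202.169.10.100 to 202.169.10.200), so it uses no-pat NAT (only the packet's IP address is translated; port numbers are not used) to replace the addresses of Department A's internal hosts (subnet 192.168.20.0/24) when they access the Internet.
Department B is allowed relatively few public IP addresses (202.169.10.201 to 202.169.10.202), so it uses pat NAT (both the IP address and the port number in the packet are translated) to replace the addresses of Department B's internal hosts (subnet 10.0.0.0/24) when they access the Internet.
1. Network topology
2. Configuration approach
Configure the interface IP addresses and a default route, and configure NAT Outbound on the WAN-side interface, so that internal hosts can access external network services.
II. Procedure
1. Configure the IP addresses of the hosts in Departments A and B; the gateways are 192.168.20.1 and 10.0.0.1 respectively.
2. Configure the VLAN on SWA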
<Huawei>system-view
[Huawei]sysname SWA
[SWA]vlan 100
[SWA-vlan100]q
[SWA]interface Ethernet0/0/1
[SWA-Ethernet0/0/1]port link-type access
[SWA-Ethernet0/0/1]port default vlan 100
[SWA-Ethernet0/0/1]q
[SWA]interface Ethernet 0/0/2
[SWA-Ethernet0/0/2]port link-type trunk
[SWA-Ethernet0/0/2]port trunk allow-pass vlan all
[SWA-Ethernet0/0/2]q
3. Configure the VLAN on SWB
[Huawei]sysname SWB
[SWB]vlan 200
[SWB-vlan200]q
[SWB]interface Ethernet0/0/1
[SWB-Ethernet0/0/1]port link-type access
[SWB-Ethernet0/0/1]port default vlan 200
[SWB-Ethernet0/0/1]q
[SWB]interface Ethernet 0/0/2
[SWB-Ethernet0/0/2]port link-type trunk
[SWB-Ethernet0/0/2]port trunk allow-pass vlan all
[SWB-Ethernet0/0/2]q
4. Configure interface IP addresses on the Router
<Huawei>system-view
[Huawei]sysname Router
[Router]vlan batch 100 200
[Router]interface Vlanif 100
[Router-Vlanif100]ip address 192.168.20.1 24
[Router-Vlanif100]q
[Router]interface Vlanif 200
[Router-Vlanif200]ip address 10.0.0.1 24
[Router-Vlanif200]q
[Router]interface Ethernet 0/0/0
[Router-Ethernet0/0/0]port link-type trunk
[Router-Ethernet0/0/0]port trunk allow-pass vlan all
[Router-Ethernet0/0/0]q
[Router]interface Ethernet 0/0/1
[Router-Ethernet0/0/1]port link-type trunk
[Router-Ethernet0/0/1]port trunk allow-pass vlan all
[Router-Ethernet0/0/1]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]ip address 202.169.10.1 24
[Router-GigabitEthernet0/0/0]q
At this point the hosts can ping their gateways.
5. Configure a default route on the Router with 202.169.10.2 as the next hop
[Router]ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
6. Configure NAT Outbound on the Router (remember to apply it on the outbound interface)
[Router]nat address-group 1 202.169.10.100 202.169.10.200
[Router]nat address-group 2 202.169.10.201 202.169.10.202
[Router]acl number 3001
[Router-acl-adv-3001]rule 5 permit ip source 192.168.20.0 0.0.0.255
[Router-acl-adv-3001]q
[Router]acl number 3002
[Router-acl-adv-3002]rule 5 permit ip source 10.0.0.0 0.0.0.255
[Router-acl-adv-3002]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]nat outbound 3001 address-group 1 no-pat
[Router-GigabitEthernet0/0/0]nat outbound 3002 address-group 2
[Router-GigabitEthernet0/0/0]q
[Router]ip soft-forward enhance enable
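To verify from the Router that internal users can reach the Internet by running ping -a source-ip-address, which sets the source IP address of the ICMP ECHO-REQUEST packets, you must configure ip soft-forward enhance enable. This enables enhanced forwarding for control packets generated by the device itself, so that the private source address can be translated to a public address by NAT.
7. Check the result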
[Router]display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/0 3001 1 no-pat
GigabitEthernet0/0/0 3002 2 pat
--------------------------------------------------------------------------
Total : 2
[Router]ping -a 192.168.20.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms
[Router]ping -a 10.0.0.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms
8. View the NAT mapping entries
[Router]display nat session all verbose
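Added example (not part of the original article): a Python sketch that parses the NAT lines from step 6 and compares each address pool with the number of host addresses its ACL matches, flagging no-pat bindings whose one-to-one pool is smaller than the source subnet. The function name audit_nat, the prompt-stripped config text, and the "usable hosts = wildcard + 1 - 2" count are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed input: the NAT-related commands from step 6, CLI prompts stripped.
CONFIG = """\
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.201 202.169.10.202
acl number 3001
 rule 5 permit ip source 192.168.20.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.0.0.0 0.0.0.255
interface GigabitEthernet 0/0/0
 nat outbound 3001 address-group 1 no-pat
 nat outbound 3002 address-group 2
"""

def audit_nat(config):
    """Return one dict per 'nat outbound' binding with pool and source sizes."""
    pools, acls, report, acl = {}, {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"nat address-group (\d+) (\S+) (\S+)", line):
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups()[1:])
            pools[m[1]] = hi - lo + 1          # inclusive address range
        elif m := re.fullmatch(r"acl number (\d+)", line):
            acl = m[1]
            acls[acl] = 0
        elif m := re.fullmatch(r"rule \d+ permit ip source (\S+) (\S+)", line):
            # Assumption: contiguous wildcard mask; drop network/broadcast.
            wildcard = int(ipaddress.IPv4Address(m[2]))
            acls[acl] += max(wildcard + 1 - 2, 1)
        elif m := re.fullmatch(
                r"nat outbound (\d+) address-group (\d+)( no-pat)?", line):
            no_pat = m[3] is not None
            hosts, pool = acls[m[1]], pools[m[2]]
            report.append({
                "acl": m[1], "group": m[2],
                "type": "no-pat" if no_pat else "pat",
                "source_hosts": hosts, "pool_addresses": pool,
                # no-pat maps one private host to one public address, so
                # concurrent hosts beyond the pool size cannot be translated.
                "may_exhaust": no_pat and hosts > pool,
            })
    return report

if __name__ == "__main__":
    for row in audit_nat(CONFIG):
        print(row)
```

For the configuration in this article, the no-pat binding for ACL 3001 is flagged: the pool holds 101 public addresses while the /24 source subnet has 254 host addresses.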
Copyright notice: This is an original article by CSDN blogger 「友人a笔记」, published under the CC 4.0 BY-SA license. Please include the original source link and this notice when reposting.
Original link: https://blog.csdn.net/tladagio/article/details/80725043
Source: https://www.cnblogs.com/xig112635/p/15123312.html