Networking Requirements

As shown in Figure 5-18, private network users in Zone A and Zone B of a company are connected to the Internet. The public address of interface GigabitEthernet3/0/0 on the router is 2.2.2.1/24, and the address on the carrier side is 2.2.2.2/24. Zone A users want to access the Internet using addresses from the public address pool (2.2.2.100 to 2.2.2.200) to replace the internal host addresses of Zone A (network segment 192.168.20.0/24) in NAT mode. Because Zone B has only a few public IP addresses, Zone B users want to access the Internet using the public address pool (2.2.2.80 to 2.2.2.83) with both the IP address and the port replaced for the internal host addresses of Zone B (network segment 10.0.0.0/24).

Figure 5-18  Networking diagram for configuring dynamic address translation

Configuration Roadmap

The configuration roadmap for dynamic address translation is as follows:

  1. Configure interface IP addresses, a default route, and NAT Outbound on the WAN-side interface so that internal hosts can access services on the external network.

Procedure
  1. Configure interface IP addresses on the Router

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan 100 
    [Router-vlan100] quit
    [Router] interface vlanif 100
    [Router-Vlanif100] ip address 192.168.20.1 24 
    [Router-Vlanif100] quit
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access  
    [Router-Ethernet2/0/0] port default vlan 100 
    [Router-Ethernet2/0/0] quit 
    [Router] vlan 200 
    [Router-vlan200] quit
    [Router] interface vlanif 200
    [Router-Vlanif200] ip address 10.0.0.1 24 
    [Router-Vlanif200] quit
    [Router] interface ethernet 2/0/1 
    [Router-Ethernet2/0/1] port link-type access 
    [Router-Ethernet2/0/1] port default vlan 200
    [Router-Ethernet2/0/1] quit 
    [Router] interface gigabitethernet 3/0/0
    [Router-GigabitEthernet3/0/0] ip address 2.2.2.1 24    
    [Router-GigabitEthernet3/0/0] quit

  2. Configure a default route on the Router, with the next-hop address 2.2.2.2

    [Router] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
    

  3. Configure NAT Outbound on the Router

    [Router] nat address-group 1 2.2.2.100 2.2.2.200 
    [Router] nat address-group 2 2.2.2.80 2.2.2.83  
    [Router] acl 2000
    [Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
    [Router-acl-basic-2000] quit
    [Router] acl 2001
    [Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
    [Router-acl-basic-2001] quit
    [Router] interface gigabitethernet 3/0/0
    [Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat
    [Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2 
    [Router-GigabitEthernet3/0/0] quit
    

    If you need to run the ping -a source-ip-address command on the Router, specifying the source IP address of the ICMP ECHO-REQUEST packets, to verify that intranet users can access the Internet, you must run the ip soft-forward enhance enable command to enable enhanced forwarding of control packets generated by the device; only then can the private source address be translated into a public address by NAT. By default, enhanced forwarding of device-generated control packets is enabled. If the undo ip soft-forward enhance enable command was run earlier to disable it, run the ip soft-forward enhance enable command again in the system view.

  4. Verify the configuration

    # Run the display nat outbound command on the Router to check the address translation result.

    <Router> display nat outbound
     NAT Outbound Information:
     -----------------------------------------------------------------
     Interface               Acl      Address-group/IP/Interface   Type
     -----------------------------------------------------------------
     GigabitEthernet3/0/0     2000                     1          no-pat
     GigabitEthernet3/0/0     2001                     2           pat
     -----------------------------------------------------------------
      Total : 2     

    # Run the ping command on the Router to verify that the intranet can access the Internet.

    <Router> ping -a 192.168.20.1 2.2.2.2
      PING 2.2.2.2: 56 data bytes, press CTRL_C to break                         
        Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms                
    -- 2.2.2.2 ping statistics ---                                           
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/1/2 ms 
    <Router> ping -a 10.0.0.1 2.2.2.2
      PING 2.2.2.2: 56 data bytes, press CTRL_C to break                         
        Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms                
        Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms                
    -- 2.2.2.2 ping statistics ---                                           
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/1/2 ms 
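    The difference between the two nat outbound bindings above (address-group 1 with no-pat versus address-group 2 with the default PAT behaviour) is easiest to see by walking packets through a model of the translation table. The following Python model is an added example written for this page, not Huawei code: it implements the basic-ACL wildcard match, the two address groups and the two bindings from the configuration, and a reverse lookup for reply packets. The port allocation order for PAT (ports from 1024 upward on the first pool address, then the next address) is an assumption of the model, not the device's real algorithm; all hosts and destinations used in the demonstration are constructed values.

```python
"""Model of 'nat outbound <acl> address-group <n> [no-pat]' as configured on this page.

Added example, not Huawei code. Port allocation order for PAT is an assumption.
"""
import ipaddress
from dataclasses import dataclass, replace
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class BasicAcl:
    """Basic ACL: 'rule permit source <network> <wildcard>' (wildcard bit 1 = don't care)."""

    def __init__(self, number: int, rules):
        self.number = number
        self.rules = [(int(ipaddress.IPv4Address(n)), int(ipaddress.IPv4Address(w))) for n, w in rules]

    def permits(self, ip: str) -> bool:
        addr = int(ipaddress.IPv4Address(ip))
        return any((addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF) for net, wc in self.rules)


class AddressGroup:
    """'nat address-group <n> <start> <end>': inclusive range of public addresses."""

    def __init__(self, number: int, start: str, end: str):
        self.number = number
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]


class NatOutbound:
    """One 'nat outbound <acl> address-group <n> [no-pat]' binding."""

    def __init__(self, acl: BasicAcl, group: AddressGroup, no_pat: bool):
        self.acl, self.group, self.no_pat = acl, group, no_pat
        if no_pat:
            self.free = list(group.addresses)   # unused public IPs, one per private host
            self.ip_map = {}                    # private IP -> public IP
        else:
            # (public IP, port) supply; allocation order is an assumption of this model
            self.free = product(group.addresses, range(1024, 65536))
            self.sock_map = {}                  # (proto, private IP, port) -> (public IP, port)
        self.reverse = {}                       # translated key -> original, for replies

    def translate(self, f: Flow) -> Optional[Flow]:
        if self.no_pat:
            pub = self.ip_map.get(f.src_ip)
            if pub is None:
                if not self.free:
                    return None                 # pool exhausted: no one-to-one address left
                pub = self.free.pop(0)
                self.ip_map[f.src_ip] = pub
                self.reverse[pub] = f.src_ip
            return replace(f, src_ip=pub)       # no-pat: source port is left untouched
        key = (f.proto, f.src_ip, f.src_port)
        pub = self.sock_map.get(key)
        if pub is None:
            pub = next(self.free, None)
            if pub is None:
                return None
            self.sock_map[key] = pub
            self.reverse[(f.proto,) + pub] = (f.src_ip, f.src_port)
        return replace(f, src_ip=pub[0], src_port=pub[1])


class Interface:
    """WAN interface carrying an ordered list of nat outbound bindings."""

    def __init__(self, bindings):
        self.bindings = bindings

    def outbound(self, f: Flow) -> Optional[Flow]:
        for b in self.bindings:                 # first binding whose ACL permits the source wins
            if b.acl.permits(f.src_ip):
                return b.translate(f)
        return None                             # no ACL match: packet is not translated

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Reply from the Internet: map the public destination back to the private host."""
        for b in self.bindings:
            if b.no_pat:
                priv = b.reverse.get(f.dst_ip)
                if priv:
                    return replace(f, dst_ip=priv)
            else:
                orig = b.reverse.get((f.proto, f.dst_ip, f.dst_port))
                if orig:
                    return replace(f, dst_ip=orig[0], dst_port=orig[1])
        return None


def build_router() -> Interface:
    """GigabitEthernet3/0/0 exactly as configured in step 3 of this page."""
    acl2000 = BasicAcl(2000, [("192.168.20.0", "0.0.0.255")])
    acl2001 = BasicAcl(2001, [("10.0.0.0", "0.0.0.255")])
    group1 = AddressGroup(1, "2.2.2.100", "2.2.2.200")
    group2 = AddressGroup(2, "2.2.2.80", "2.2.2.83")
    return Interface([NatOutbound(acl2000, group1, no_pat=True),
                      NatOutbound(acl2001, group2, no_pat=False)])


if __name__ == "__main__":
    gi = build_router()
    # constructed sample flows: one Zone A host, two Zone B hosts
    for f in (Flow("192.168.20.10", 40000, "2.2.2.2", 443),
              Flow("10.0.0.10", 5000, "2.2.2.2", 443),
              Flow("10.0.0.11", 5000, "2.2.2.2", 443)):
        print(f, "->", gi.outbound(f))
```

    Running it shows why Zone B needs PAT: the 101 addresses of address-group 1 can serve at most 101 concurrent Zone A hosts before translation fails, while the four addresses of address-group 2 are multiplexed over source ports, so many Zone B hosts share 2.2.2.80 and are told apart on the return path by the translated port.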
    

Configuration Files

Configuration file of the Router

#
 sysname Router
#                                                                               
vlan batch 100 200   
#                                                                               
acl number 2000                                                                 
 rule 5 permit source 192.168.20.0 0.0.0.255                                    
#                                                                               
acl number 2001                                                                 
 rule 5 permit source 10.0.0.0 0.0.0.255                                       
#
 nat address-group 1 2.2.2.100 2.2.2.200
 nat address-group 2 2.2.2.80 2.2.2.83                      
#                                                                               
interface Vlanif100                                                             
 ip address 192.168.20.1 255.255.255.0                                          
#                                                                               
interface Vlanif200                                                             
 ip address 10.0.0.1 255.255.255.0                                          
#                                                                                
interface Ethernet2/0/0                             
 port link-type access                                                          
 port default vlan 100                                                          
#                                                                               
interface Ethernet2/0/1                
 port link-type access                                                          
 port default vlan 200                                              
#                                                                               
interface GigabitEthernet3/0/0    
 ip address 2.2.2.1 255.255.255.0                                               
 nat outbound 2000 address-group 1 no-pat                                       
 nat outbound 2001 address-group 2
#                                                                  
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2                          
#                                                              
return  