Huawei NAT hairpin (port reflection) solution: letting internal users reach an internal server by its domain name or public IP
ISP router R4 configuration:
dis current-configuration
[V200R003C00]
dhcp enable
interface GigabitEthernet0/0/0
ip address 3.3.3.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 9.9.9.9 255.255.255.0
dhcp select interface
return
Enterprise edge router R5 configuration:
dis current-configuration
[V200R003C00]
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
acl number 3000 //ACL that selects the hairpin (port reflection) traffic: LAN clients addressing the server's public IP
rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 3.3.3.8 0
nat address-group 1 3.3.3.5 3.3.3.6 //public address pool leased by the company, used for Internet access
interface GigabitEthernet0/0/0 //external (ISP-facing) interface
ip address 3.3.3.3 255.255.255.0
nat static protocol tcp global 3.3.3.8 www inside 192.168.0.100 www
//publish the internal web server on 3.3.3.8, a separate public address the company leased (not part of the 3.3.3.5-3.3.3.6 pool)
nat outbound 2000 address-group 1 //source NAT for internal users' Internet access
interface GigabitEthernet0/0/1 //internal (LAN-facing) interface of the edge router
ip address 2.2.2.1 255.255.255.0
nat server protocol tcp global 3.3.3.8 www inside 192.168.0.100 www //hairpin step 1: for LAN traffic entering here, translate destination 3.3.3.8 to 192.168.0.100
nat outbound 3000 //hairpin step 2: also translate the source of that traffic to this interface's address, so the server's reply comes back through R5 (which restores 3.3.3.8 as the source) instead of going straight to the client from 192.168.0.100, where the client would reject it
ip route-static 0.0.0.0 0.0.0.0 3.3.3.1
ip route-static 192.168.0.0 255.255.255.0 2.2.2.2
return
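To show why both NAT statements on G0/0/1 are needed, the following is an added Python model of R5's inside interface; it is example code written for this page, not part of the original post and not Huawei's own implementation. It assumes a hypothetical LAN client 192.168.0.50, assumes ACL 3000 is evaluated against the packet as it arrives on G0/0/1 (before the nat server translation), and treats `nat outbound 3000` with no address group as Easy IP using the interface address 2.2.2.1. Running it with and without the outbound rule shows where the server's SYN-ACK ends up and whether the client's TCP stack will accept it.

```python
"""Model of the NAT hairpin on R5's inside interface G0/0/1 (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.0.0/24")
R5_INSIDE_IP = "2.2.2.1"            # G0/0/1 on R5, used as the Easy IP source (assumption)
PUBLIC_SERVER_IP = "3.3.3.8"        # leased public address of the web server
INSIDE_SERVER_IP = "192.168.0.100"  # real address of the web server
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def acl_3000_matches(pkt: Packet) -> bool:
    """rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 3.3.3.8 0"""
    return ip_address(pkt.src) in LAN and pkt.dst == PUBLIC_SERVER_IP


class EdgeRouterR5:
    """Only the two NAT statements configured on G0/0/1 are modelled."""

    def __init__(self, hairpin_outbound: bool) -> None:
        self.hairpin_outbound = hairpin_outbound   # True = 'nat outbound 3000' present
        self._next_port = 10240
        # Easy IP session table: (2.2.2.1, nat_port) -> (client_ip, client_port)
        self.sessions: dict = {}

    def forward_from_lan(self, pkt: Packet) -> Packet:
        """A LAN packet to 3.3.3.8:80 enters G0/0/1; return what R5 sends back out of G0/0/1."""
        out = pkt
        # nat server: destination 3.3.3.8:www -> 192.168.0.100:www
        if pkt.dst == PUBLIC_SERVER_IP and pkt.dport == HTTP:
            out = replace(out, dst=INSIDE_SERVER_IP)
        # nat outbound 3000 (Easy IP): source -> 2.2.2.1:<nat_port> when ACL 3000 matches
        # (assumption: the ACL sees the packet as received, before destination translation)
        if self.hairpin_outbound and acl_3000_matches(pkt):
            nat_port = self._next_port
            self._next_port += 1
            self.sessions[(R5_INSIDE_IP, nat_port)] = (pkt.src, pkt.sport)
            out = replace(out, src=R5_INSIDE_IP, sport=nat_port)
        return out

    def forward_reply(self, pkt: Packet) -> Optional[Packet]:
        """A server reply addressed to 2.2.2.1 re-enters G0/0/1; undo both translations."""
        original = self.sessions.get((pkt.dst, pkt.dport))
        if original is None:
            return None                      # no session entry: R5 drops it
        out = replace(pkt, dst=original[0], dport=original[1])
        if pkt.src == INSIDE_SERVER_IP and pkt.sport == HTTP:
            out = replace(out, src=PUBLIC_SERVER_IP)
        return out


def simulate(hairpin_outbound: bool, client_ip: str = "192.168.0.50",
             client_port: int = 51000) -> dict:
    """Trace one TCP SYN from a (hypothetical) LAN client to 3.3.3.8:80 and its SYN-ACK."""
    r5 = EdgeRouterR5(hairpin_outbound)
    syn = Packet(client_ip, client_port, PUBLIC_SERVER_IP, HTTP)
    at_server = r5.forward_from_lan(syn)
    # The server answers whatever source address the SYN carried.
    syn_ack = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # Core switch: a destination inside 192.168.0.0/24 is delivered directly on the LAN;
    # anything else follows the default route back to R5.
    if ip_address(syn_ack.dst) in LAN:
        via_r5, at_client = False, syn_ack
    else:
        via_r5, at_client = True, r5.forward_reply(syn_ack)
    # The client's TCP stack only accepts a SYN-ACK matching the 4-tuple it opened.
    expected = (PUBLIC_SERVER_IP, HTTP, client_ip, client_port)
    accepts = at_client is not None and (
        at_client.src, at_client.sport, at_client.dst, at_client.dport) == expected
    return {"reply_via_r5": via_r5,
            "reply_src": None if at_client is None else at_client.src,
            "client_accepts": accepts}


if __name__ == "__main__":
    for enabled in (True, False):
        state = "present" if enabled else "absent"
        print(f"nat outbound 3000 {state}: {simulate(enabled)}")
```

With the outbound rule present the SYN-ACK is forced back through R5, which rewrites the source to 3.3.3.8 and the destination back to the client; without it the server replies directly from 192.168.0.100 across the LAN and the client, expecting 3.3.3.8, has no matching connection for it. The same asymmetry is what `permit-inside` (Ruijie) and `nat hairpin enable` (H3C) handle on those platforms.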
Core switch configuration:
dis current-configuration
sysname Huawei
vlan batch 2 100
dhcp enable
diffserv domain default
drop-profile default
ip pool vlan1
gateway-list 192.168.0.1
network 192.168.0.0 mask 255.255.255.0
interface Vlanif1
ip address 192.168.0.1 255.255.255.0
dhcp select global
interface Vlanif2
ip address 2.2.2.2 255.255.255.0
interface MEth0/0/1
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/1
eth-trunk 1
interface GigabitEthernet0/0/2
eth-trunk 1
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
Ruijie: append permit-inside to the normal static port mapping:
ip nat inside source static tcp <server-ip> 80 <public-ip> 80 permit-inside
H3C: on the internal (downstream) interface of the edge router, configure:
nat hairpin enable