I. Networking requirements:
Department A and Department B of a company have private-network users that connect to the Internet. On the router, interface GigabitEthernet0/0/0 has the public address 202.169.10.1/24, and the carrier-side peer address is 202.169.10.2/24.
Department A is allowed a relatively large number of public IP addresses (202.169.10.100 to 202.169.10.200), so no-pat NAT (translating only the packet's IP address, not the port number) is used to replace the addresses of Department A's internal hosts (network 192.168.20.0/24) when they access the Internet.
Department B is allowed only a few public IP addresses (202.169.10.201 to 202.169.10.202), so pat NAT (translating both the IP address and the port number in the packet) is used to replace the addresses of Department B's internal hosts (network 10.0.0.0/24) when they access the Internet.
1. Network topology
2. Configuration approach
Configure the interface IP addresses, a default route, and NAT Outbound on the WAN-side interface so that internal hosts can access services on the external network.
II. Procedure
1. Configure the IP addresses of the Department A and Department B hosts; their gateways are 192.168.20.1 and 10.0.0.1 respectively.
2. Configure the VLAN on SWA
<Huawei>system-view
[Huawei]sysname SWA
[SWA]vlan 100
[SWA-vlan100]q
[SWA]interface Ethernet0/0/1
[SWA-Ethernet0/0/1]port link-type access
[SWA-Ethernet0/0/1]port default vlan 100
[SWA-Ethernet0/0/1]q
[SWA]interface Ethernet 0/0/2
[SWA-Ethernet0/0/2]port link-type trunk
[SWA-Ethernet0/0/2]port trunk allow-pass vlan all
[SWA-Ethernet0/0/2]q
3. Configure the VLAN on SWB
[Huawei]sysname SWB
[SWB]vlan 200
[SWB-vlan200]q
[SWB]interface Ethernet0/0/1
[SWB-Ethernet0/0/1]port link-type access
[SWB-Ethernet0/0/1]port default vlan 200
[SWB-Ethernet0/0/1]q
[SWB]interface Ethernet 0/0/2
[SWB-Ethernet0/0/2]port link-type trunk
[SWB-Ethernet0/0/2]port trunk allow-pass vlan all
[SWB-Ethernet0/0/2]q
4. Configure interface IP addresses on the Router
<Huawei>system-view
[Huawei]sysname Router
[Router]vlan batch 100 200
[Router]interface Vlanif 100
[Router-Vlanif100]ip address 192.168.20.1 24
[Router-Vlanif100]q
[Router]interface Vlanif 200
[Router-Vlanif200]ip address 10.0.0.1 24
[Router-Vlanif200]q
[Router]interface Ethernet 0/0/0
[Router-Ethernet0/0/0]port link-type trunk
[Router-Ethernet0/0/0]port trunk allow-pass vlan all
[Router-Ethernet0/0/0]q
[Router]interface Ethernet 0/0/1
[Router-Ethernet0/0/1]port link-type trunk
[Router-Ethernet0/0/1]port trunk allow-pass vlan all
[Router-Ethernet0/0/1]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]ip address 202.169.10.1 24
[Router-GigabitEthernet0/0/0]q
At this point the hosts can ping their gateways.
5. Configure a default route on the Router with next hop 202.169.10.2
[Router]ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
6. Configure NAT Outbound on the Router (remember to apply it on the outbound interface)
[Router]nat address-group 1 202.169.10.100 202.169.10.200
[Router]nat address-group 2 202.169.10.201 202.169.10.202
[Router]acl number 3001
[Router-acl-adv-3001]rule 5 permit ip source 192.168.20.0 0.0.0.255
[Router-acl-adv-3001]q
[Router]acl number 3002
[Router-acl-adv-3002]rule 5 permit ip source 10.0.0.0 0.0.0.255
[Router-acl-adv-3002]q
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]nat outbound 3001 address-group 1 no-pat
[Router-GigabitEthernet0/0/0]nat outbound 3002 address-group 2
[Router-GigabitEthernet0/0/0]q
[Router]ip soft-forward enhance enable
If you want to run the ping -a source-ip-address command on the Router, specifying the source IP address of the ICMP ECHO-REQUEST packets it sends, in order to verify that intranet users can reach the Internet, you must configure the command ip soft-forward enhance enable. It enables enhanced forwarding of control packets generated by the device itself; only then can the private source address be translated into a public address by NAT.
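The following Python model is an added illustration (it is not part of the original page or of Huawei's software) of the decision the Router makes on GigabitEthernet0/0/0 with the configuration above: ACL matching with wildcard masks, the one-to-one no-pat binding from address-group 1, including what happens once the 101-address pool is exhausted by hosts of the 254-host 192.168.20.0/24 network, and the IP+port pat mapping from address-group 2. The pat port range starting at 1024 and round-robin pool selection are assumptions of the model, not documented VRP behaviour.

```python
import ipaddress
from itertools import count


def acl_match(src_ip, rule_net, wildcard):
    """Huawei ACL wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 matches a /24."""
    ip, net, wc = (int(ipaddress.IPv4Address(a)) for a in (src_ip, rule_net, wildcard))
    return (ip & ~wc) == (net & ~wc)


class NatOutbound:
    """One 'nat outbound <acl> address-group <n> [no-pat]' statement."""

    def __init__(self, pool_start, pool_end, no_pat):
        first, last = (int(ipaddress.IPv4Address(a)) for a in (pool_start, pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.no_pat = no_pat
        self.bindings = {}       # no-pat: private IP -> public IP, one-to-one
        self.sessions = {}       # pat: (private IP, port) -> (public IP, port)
        self.next_port = count(1024)  # assumed starting port for PAT allocation

    def translate(self, src_ip, src_port):
        if self.no_pat:
            if src_ip not in self.bindings:
                used = set(self.bindings.values())
                free = next((a for a in self.pool if a not in used), None)
                if free is None:
                    return None  # pool exhausted: no public IP left, packet cannot be translated
                self.bindings[src_ip] = free
            return self.bindings[src_ip], src_port  # port is left untouched
        key = (src_ip, src_port)
        if key not in self.sessions:  # new session: pick a pool address (assumed round robin) and a port
            pub = self.pool[len(self.sessions) % len(self.pool)]
            self.sessions[key] = (pub, next(self.next_port))
        return self.sessions[key]


# The two statements applied on GigabitEthernet0/0/0 in the page's configuration.
RULES = [
    (("192.168.20.0", "0.0.0.255"), NatOutbound("202.169.10.100", "202.169.10.200", no_pat=True)),
    (("10.0.0.0", "0.0.0.255"), NatOutbound("202.169.10.201", "202.169.10.202", no_pat=False)),
]


def nat_egress(src_ip, src_port):
    """Apply the first ACL that permits the source; anything else leaves untranslated."""
    for (net, wc), nat in RULES:
        if acl_match(src_ip, net, wc):
            return nat.translate(src_ip, src_port)
    return src_ip, src_port
```

Note that both ACLs match on source address only, so every destination is translated; the model returns None for a Department A host that finds the no-pat pool already fully bound.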
7. View the result
[Router]display nat outbound
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         3001                              1    no-pat
 GigabitEthernet0/0/0         3002                              2       pat
 --------------------------------------------------------------------------
  Total : 2
[Router]ping -a 192.168.20.1 202.169.10.2
  PING 202.169.10.2: 56  data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 202.169.10.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/10/10 ms

[Router]ping -a 10.0.0.1 202.169.10.2
  PING 202.169.10.2: 56  data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 202.169.10.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/10/10 ms

8. View the NAT mapping entries
[Router]display nat session all verbose