
AR Router: Example for Configuring Dynamic NAT

Updated: 2022-08-31

Example for Configuring Dynamic NAT

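Networking Requirements

As shown in Figure 1, private network users in areas A and B of a company connect to the Internet. The public address of interface GigabitEthernet3/0/0 on the router is 2.2.2.1/24, and the peer address on the carrier side is 2.2.2.2/24. Users in area A want to use addresses from the public address pool (2.2.2.100 to 2.2.2.200) to replace the host addresses inside area A (network segment 192.168.20.0/24) by means of NAT in order to access the Internet. Because area B has relatively few public IP addresses, users in area B want to use the public address pool (2.2.2.80 to 2.2.2.83) to replace the host addresses inside area B (network segment 10.0.0.0/24) by translating both the IP address and the port in order to access the Internet.

Figure 1 Networking diagram for configuring dynamic NAT

Configuration Roadmap

The roadmap for configuring dynamic NAT is as follows:

Configure the interface IP addresses and a default route, and configure NAT Outbound on the WAN-side interface, so that internal hosts can access external network services.

Procedure

Configure the interface IP addresses on the Router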

[Router] interface vlanif 100          // LAN1

[Router-Vlanif100] ip address 192.168.20.1 24

[Router-Vlanif100] quit

[Router] interface vlanif 200          // LAN2

[Router-Vlanif200] ip address 10.0.0.1 24

[Router-Vlanif200] quit

[Router] interface gigabitethernet 3/0/0   // WAN

[Router-GigabitEthernet3/0/0] ip address 2.2.2.1 24    

[Router-GigabitEthernet3/0/0] quit

 

Configure NAT Outbound on the Router

[Router] nat address-group 1 2.2.2.100 2.2.2.200    // Dynamic address pool 1

[Router] nat address-group 2 2.2.2.80 2.2.2.83      // Dynamic address pool 2
[Router] acl 2000

[Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255

[Router-acl-basic-2000] quit

[Router] acl 2001

[Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255

[Router-acl-basic-2001] quit

[Router] interface gigabitethernet 3/0/0

[Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat

[Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2

[Router-GigabitEthernet3/0/0] quit

 

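Note:

To verify on the Router that intranet users can access the Internet by running the ping -a source-ip-address command, which specifies the source IP address of the ICMP ECHO-REQUEST packets, you must configure the ip soft-forward enhance enable command (enabled by default from v2r5 onward).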

 

Verifying the Configuration

# Run the display nat outbound command on the Router to check the address translation result.

<Router> display nat outbound

 NAT Outbound Information:

 -----------------------------------------------------------------

 Interface               Acl      Address-group/IP/Interface   Type

 -----------------------------------------------------------------

 GigabitEthernet3/0/0     2000                     1          no-pat

 GigabitEthernet3/0/0     2001                     2           pat

 -----------------------------------------------------------------

  Total : 2     

 

# Run the ping command on the Router to verify that the intranet can access the Internet.

<Router> ping -a 192.168.20.1 2.2.2.2

  PING 2.2.2.2: 56 data bytes, press CTRL_C to break                         

    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms                

-- 2.2.2.2 ping statistics ---                                           

    5 packet(s) transmitted                                                     

    5 packet(s) received                                                        

    0.00% packet loss                                                           

    round-trip min/avg/max = 1/1/2 ms

 

<Router> ping -a 10.0.0.1 2.2.2.2

  PING 2.2.2.2: 56 data bytes, press CTRL_C to break                         

    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms                

    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms                

-- 2.2.2.2 ping statistics ---                                           

    5 packet(s) transmitted                                                     

    5 packet(s) received                                                        

    0.00% packet loss                                                           

    round-trip min/avg/max = 1/1/2 ms

Configuration Files

Router configuration file

#

 sysname Router

#                                                                               

vlan batch 100 200   

#                                                                               

acl number 2000                                                                 

 rule 5 permit source 192.168.20.0 0.0.0.255                                    

#                                                                               

acl number 2001                                                                 

 rule 5 permit source 10.0.0.0 0.0.0.255                                       

#

 nat address-group 1 2.2.2.100 2.2.2.200

 nat address-group 2 2.2.2.80 2.2.2.83                      

#                                                                               

interface Vlanif100                                                             

 ip address 192.168.20.1 255.255.255.0                                          

#                                                                               

interface Vlanif200                                                             

 ip address 10.0.0.1 255.255.255.0                                          

#                                                                                

interface Ethernet2/0/0                             

 port link-type access                                                          

 port default vlan 100                                                          

#                                                                               

interface Ethernet2/0/1                

 port link-type access                                                          

 port default vlan 200                                              

#                                                                               

interface GigabitEthernet3/0/0    

 ip address 2.2.2.1 255.255.255.0                                               

 nat outbound 2000 address-group 1 no-pat                                       

 nat outbound 2001 address-group 2

#                                                                  

ip route-static 0.0.0.0 0.0.0.0 2.2.2.2                          

#                                                              

return  
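
The following Python script is an added example, not part of the original page or of Huawei's documentation. It reads the NAT-related lines of the configuration file above and checks each nat outbound binding: whether the address pool lies in the WAN interface subnet, whether it overlaps the interface address, and whether a no-pat pool has fewer addresses than the inside network it serves. The function name audit_nat and the embedded sample are assumptions made for illustration, and the regular expressions cover only the line forms that appear in this configuration file.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the Router configuration file above.
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
 nat address-group 1 2.2.2.100 2.2.2.200
 nat address-group 2 2.2.2.80 2.2.2.83
interface GigabitEthernet3/0/0
 ip address 2.2.2.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
"""

def audit_nat(config):
    """Return one dict per 'nat outbound' binding with its pool size and findings."""
    acls, pools, results = {}, {}, []
    acl = iface = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"acl number (\d+)", line):
            acl = m.group(1)
        elif m := re.fullmatch(r"rule \d+ permit source (\S+) (\S+)", line):
            # The ACL wildcard is an inverted mask; ipaddress accepts it as a host mask.
            acls[acl] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"nat address-group (\d+) (\S+) (\S+)", line):
            pools[m.group(1)] = tuple(map(ipaddress.ip_address, m.groups()[1:]))
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")  # current interface
        elif m := re.fullmatch(r"nat outbound (\d+) address-group (\d+)( no-pat)?", line):
            src, (lo, hi) = acls[m.group(1)], pools[m.group(2)]
            size = int(hi) - int(lo) + 1
            inside = src.num_addresses - 2  # addresses left after network and broadcast
            findings = []
            if lo not in iface.network or hi not in iface.network:
                findings.append("pool outside the interface subnet")
            if lo <= iface.ip <= hi:
                findings.append("pool contains the interface address")
            if m.group(3) and size < inside:
                # no-pat maps one inside host to one pool address at a time
                findings.append(f"no-pat pool has {size} addresses for {inside} inside addresses")
            results.append({"acl": m.group(1), "type": "no-pat" if m.group(3) else "pat",
                            "pool_size": size, "findings": findings})
    return results

for entry in audit_nat(SAMPLE_CONFIG):
    print(entry)
```

For this configuration the no-pat binding for area A is flagged because its pool is smaller than the 192.168.20.0/24 segment, so hosts beyond the pool size get no translation until an address is released; the PAT binding for area B shares four addresses across ports and produces no finding.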


 

 


 
