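H3C Router NAT Configuration Example: Network Requirements, Topology, and Software
【Network Requirements】
A company owns three public IP addresses, 202.38.1.1/24 through 202.38.1.3/24, and its internal network is 172.16.1.0/24. The interconnect link uses the 192.168.1.0/30 segment. NAT is configured so that only users in the internal 172.16.1.0/24 segment can access the Internet.
【Topology and Software】
The lab in this article uses the H3C simulator, which can be downloaded from: http://forum.h3c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 Anyone interested can download it from the forum on the official H3C website; it comes with very detailed usage instructions and explains how to build custom topologies.
【Configuration Text】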
- R1:
- acl number 2001
- rule 0 permit source 172.16.1.0 0.0.0.255
- rule 5 deny
- #
- interface Serial0/6/0
- link-protocol ppp
- nat outbound 2001 address-group 1
- ip address 202.38.1.1 255.255.255.0
- #
- interface Serial0/6/1
- link-protocol ppp
- ip address 192.168.1.1 255.255.255.252
- #
- interface Serial0/6/2
- link-protocol ppp
- #
- interface Serial0/6/3
- link-protocol ppp
- #
- #
- ip route-static 0.0.0.0 0.0.0.0 202.38.1.4
- ip route-static 172.16.1.0 255.255.255.0 192.168.1.2
- R2:
- #
- interface Serial0/6/0
- link-protocol ppp
- ip address 202.38.1.4 255.255.255.0
- #
- interface Serial0/6/1
- link-protocol ppp
- #
- interface Serial0/6/2
- link-protocol ppp
- #
- interface Serial0/6/3
- link-protocol ppp
- #
- interface NULL0
- #
- interface LoopBack0
- ip address 2.2.2.2 255.255.255.255
- #
- ip route-static 0.0.0.0 0.0.0.0 202.38.1.1
- R3:
- interface Serial0/6/1
- link-protocol ppp
- ip address 192.168.1.2 255.255.255.252
- #
- interface Serial0/6/2
- link-protocol ppp
- #
- interface Serial0/6/3
- link-protocol ppp
- #
- interface NULL0
- #
- interface LoopBack0
- ip address 172.16.1.1 255.255.255.255
- #
- ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
【Lab Procedure】
- <R3>ping -a 172.16.1.1 -c 1000 2.2.2.2
- PING 2.2.2.2: 56 data bytes, press CTRL_C to break
- Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=254 time=19 ms
- Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=254 time=30 ms
- Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=254 time=10 ms
- Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=254 time=10 ms
- Request time out
- Reply from 2.2.2.2: bytes=56 Sequence=6 ttl=254 time=15 ms
- Reply from 2.2.2.2: bytes=56 Sequence=7 ttl=254 time=15 ms
- Reply from 2.2.2.2: bytes=56 Sequence=8 ttl=254 time=5 ms
- <R1>dis nat se
- <R1>dis nat server
- <R1>dis nat session (shows the current NAT sessions)
- There are currently 1 NAT session:
- Protocol GlobalAddr Port InsideAddr Port DestAddr Port
- 1 202.38.1.3 12288 172.16.1.1 1280 2.2.2.2 1280
- VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:59
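
| Field | Description |
| --- | --- |
| Protocol | Protocol type |
| GlobalAddr Port | External source address and source port after translation |
| InsideAddr Port | Internal source address and source port before translation |
| DestAddr Port | Destination address and port |
| VPN | Name of the MPLS VPN instance that the translation entry belongs to |
| status | Status flags of the entry |
| TTL | Lifetime of the entry, in hours:minutes:seconds |
| Left | Remaining time to live of the entry, in hours:minutes:seconds |
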
- <R1>
- <R1>t d
- % Current terminal debugging is on
- <R1>t m
- % Current terminal monitor is on
- <R1>deb
- <R1>debugging nat pa
- <R1>debugging nat packet
- NAT packet debugging is enabled
- <R1>
- *Mar 6 14:28:06:578 2013 R1 NAT/7/debug:
- (Serial0/6/0-out :)Pro : ICMP
- ( 172.16.1.1: 1280 - 2.2.2.2: 1280) ------>
- ( 202.38.1.3:12288 - 2.2.2.2: 1280)
- *Mar 6 14:28:06:578 2013 R1 NAT/7/debug:
- (Serial0/6/0-in :)Pro : ICMP
- ( 2.2.2.2: 1280 - 202.38.1.3:12288) ------>
- ( 2.2.2.2: 1280 - 172.16.1.1: 1280)
- *Mar 6 14:28:06:781 2013 R1 NAT/7/debug:
- (Serial0/6/0-out :)Pro : ICMP
- ( 172.16.1.1: 1280 - 2.2.2.2: 1280) ------>
- ( 202.38.1.3:12288 - 2.2.2.2: 1280)
- *Mar 6 14:28:06:797 2013 R1 NAT/7/debug:
- (Serial0/6/0-in :)Pro : ICMP
- ( 2.2.2.2: 1280 - 202.38.1.3:12288) ------>
- ( 2.2.2.2: 1280 - 172.16.1.1: 1280)
- *Mar 6 14:28:07:00 2013 R1 NAT/7/debug:
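
The `debugging nat packet` output above can be checked against the intended policy. The following Python code is an added example, not part of the original article or of any H3C tooling: it parses the debug records, evaluates ACL 2001 with its wildcard mask, and flags outbound translations whose inside source is not permitted or whose global address lies outside 202.38.1.1 to 202.38.1.3. The function names and the second sample record are constructed for illustration.

```python
import ipaddress
import re

# Intended policy from the page; rule 5 "deny" is written here as a match-any entry.
ACL_2001 = [("permit", "172.16.1.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]
PUBLIC = {ipaddress.ip_address(f"202.38.1.{i}") for i in (1, 2, 3)}
HEADER = re.compile(r"\(\s*(\S+?)-(in|out)\s*:\)\s*Pro\s*:\s*(\w+)")
TUPLE = re.compile(r"\(\s*([\d.]+):\s*(\d+)\s*-\s*([\d.]+):\s*(\d+)\)")

# First record is from the page; the second is constructed to show a violation.
SAMPLE = """\
*Mar 6 14:28:06:578 2013 R1 NAT/7/debug:
(Serial0/6/0-out :)Pro : ICMP
( 172.16.1.1: 1280 - 2.2.2.2: 1280) ------>
( 202.38.1.3:12288 - 2.2.2.2: 1280)
*Mar 6 14:28:09:000 2013 R1 NAT/7/debug:
(Serial0/6/0-out :)Pro : ICMP
( 172.16.2.9: 1280 - 2.2.2.2: 1280) ------>
( 202.38.1.3:12289 - 2.2.2.2: 1280)
"""

def acl_action(src, acl=ACL_2001):
    # First matching rule wins; wildcard bits set to 1 are "don't care".
    addr = int(ipaddress.ip_address(src))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action
    return "deny"  # no rule matched: treated as not permitted

def parse_nat_debug(text):
    # Attach the before/after address tuples to the header line preceding them.
    records = []
    for line in text.splitlines():
        h, t = HEADER.search(line), TUPLE.search(line)
        if h:
            records.append({"ifname": h[1], "dir": h[2], "proto": h[3], "tuples": []})
        elif t and records:
            records[-1]["tuples"].append((t[1], int(t[2]), t[3], int(t[4])))
    return [r for r in records if len(r["tuples"]) == 2]  # drop truncated records

def audit(records):
    # Yield a finding for each outbound translation that contradicts the policy.
    for r in (r for r in records if r["dir"] == "out"):
        inside, glob = r["tuples"][0][0], r["tuples"][1][0]
        if acl_action(inside) != "permit":
            yield f"{inside} translated but not permitted by ACL 2001"
        if ipaddress.ip_address(glob) not in PUBLIC:
            yield f"{inside} mapped to unexpected global address {glob}"
```

Running `list(audit(parse_nat_debug(SAMPLE)))` reports only the constructed 172.16.2.9 record; the translation captured on the page passes both checks.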