1. Source NAT

For subnets that must not be translated (for example IPSec××× traffic), first exempt those addresses from NAT (skip this step if there are none):

set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16

set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24

set security nat source rule-set trust-untrust rule no-nat then source-nat off


For the subnets that need Internet access, or for all subnets (whichever ranges are to be translated), configure source NAT.

First define an address pool (the public addresses to translate to):

set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32

set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32


Configure the NAT rule set: the source zone, the destination zone, and the rule that selects the translation pool.

set security nat source rule-set trust-untrust from zone trust

set security nat source rule-set trust-untrust to zone untrust


// Match specific source addresses for translation (if there is no specific range, a catch-all 0.0.0.0/0 is used)

set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
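The steps above are easier to check as one ordered configuration. The following block is an added example, not configuration from the original page: it collects the page's pools, the no-nat exemption and the catch-all rule into a single Junos rule set in the order the SRX evaluates them (top-down, first match wins, so the exemption has to sit above the 0.0.0.0/0 rule), and then lists the show commands used to confirm the result. It assumes the zone names trust/untrust from the page, that rule nat1 translates to natpool1, and an egress interface ge-0/0/0.0, which is a placeholder for the real untrust interface. The # lines are reader annotations, not part of the commands.

```junos
# 1. Pools of public addresses to translate to (from the page)
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32

# 2. Rule set: zones first, then the rules in evaluation order.
#    The no-nat exemption must be above the catch-all nat1 rule, otherwise
#    192.168.0.0/16 -> 10.10.0.0/24 traffic is translated and the tunnel breaks.
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1   # assumed: nat1 uses natpool1

# If nat1 was committed earlier and therefore already sits above no-nat, reorder it:
insert security nat source rule-set trust-untrust rule no-nat before rule nat1

# 3. Answer ARP for the pool addresses on the egress interface when the pool
#    lies inside that interface's subnet; without this the upstream router
#    cannot deliver return traffic for 112.48.20.11-15. Interface is a placeholder.
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32

commit check
commit

# 4. Verify rule order and hit counts, pool usage, and which translation a live
#    session actually received (192.168.1.10 is a constructed inside host)
run show security nat source rule all
run show security nat source pool all
run show security flow session source-prefix 192.168.1.10
```

When reading the output of show security nat source rule all, confirm that no-nat is listed before nat1 and that its translation hit counter increments for tunnel-bound traffic while nat1 increments for everything else; a session for 192.168.1.10 to a 10.10.0.0/24 destination should show no source translation, and a session to an Internet address should show a natpool1 address.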