1. Source NAT
For subnets that must not be translated (for example traffic that goes into the IPSec VPN tunnel), first switch NAT off for those addresses; skip this step if there are none. Source NAT rules inside a rule-set are evaluated first-match in the order they are listed, so this exemption has to sit above the catch-all rule, otherwise VPN traffic would leave with a translated source and never match the tunnel's proxy-ID on the far end:
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off
For subnets that need Internet access (in general, every subnet whose addresses should be translated), configure source NAT.
First define an address pool (the public addresses that traffic will be translated to):
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32
Then configure the NAT rule: bind the rule-set to the source and destination zones, match the source (and optionally destination) addresses, and point the rule at a pool.
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
// match the source addresses to translate; 0.0.0.0/0 matches any source, narrow it if only specific subnets should be translated
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
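The whole procedure above as one complete, committable rule-set, written here as an added example rather than copied from the original notes. It reuses the page's pools and addresses and adds what the notes stop short of: the `then source-nat pool` action, a second rule so that both pools are used, proxy-ARP for the pool addresses, and the commands to verify rule order and live translations. The egress interface ge-0/0/0.0 and the 172.16.0.0/12 server subnet that is steered to natpool2 are assumptions for illustration.

```junos
## Added example, not part of the original page. Assumed: ge-0/0/0.0 is the
## untrust egress interface and 172.16.0.0/12 is a server subnet that should
## use natpool2; everything else comes from the notes above.

# 1. rule-set scope: traffic from zone trust leaving through zone untrust
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust

# 2. exemption for the IPSec VPN (local 192.168.0.0/16 -> remote 10.10.0.0/24),
#    added first so that it is evaluated before any translating rule
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off

# 3. pools of public addresses to translate to
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32

# 4. specific subnet before the catch-all (first-match, in listed order)
set security nat source rule-set trust-untrust rule nat2 match source-address 172.16.0.0/12
set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1

# 5. the pool addresses are not configured on any interface, so the SRX has to
#    answer ARP for them on the egress interface or return traffic is dropped upstream
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32

# only needed if a rule ended up below the catch-all: move it instead of deleting and re-adding
insert security nat source rule-set trust-untrust rule no-nat before rule nat2

commit check
commit

# verification: rule order, pool usage, and a live session for VPN-bound traffic
run show security nat source rule-set trust-untrust
run show security nat source rule all
run show security nat source pool all
run show security flow session source-prefix 192.168.0.0/16 destination-prefix 10.10.0.0/24
```

In the rule-set output, `no-nat` must appear before `nat2` and `nat1`; if it does not, the `insert` line above fixes the order. In the session output, a correctly exempted VPN flow shows the original 192.168.x.x source in both wings, while Internet-bound flows show a 112.48.20.x address in the reverse wing. One caveat: this exemption is only consulted when the VPN traffic really does exit via zone untrust (a policy-based VPN, or a route-based one whose st0 interface is in untrust). With a route-based VPN whose st0 sits in its own zone, the trust-untrust rule-set is never evaluated for that traffic and no exemption is needed there.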