1. NAT (address translation)
Network topology:
Figure 19: NAT
2. NAT using the public address of the egress interface
version 1.74 (applicable version: vrp1.7)
!
[Router] acl 2000 match-order auto
[Router-acl101] rule normal permit source 10.0.0.0 0.0.0.255
[Router-acl101] rule normal deny source any
!
[Router] interface Ethernet0
[Router-Ethernet0] ip address 10.0.0.1 255.255.255.0
!
[Router] interface Ethernet1
[Router-Ethernet1] ip address 202.1.1.1 255.255.255.0
[Router-Ethernet1] nat outbound 2000 interface
!
[Router] ip route-static 0.0.0.0 0.0.0.0 202.1.1.2 preference 60
[Router] !
[Router] return
(Figure 19 labels: internal network, INTERNET)
Huawei product maintenance documentation
Typical configuration examples for low-end and mid-range routers 2004/11/26
# Applicable version: vrp3.30
[Router] acl number 2000
[Router-acl101] rule 0 permit source 10.0.0.0 0.0.0.255
[Router-acl101] rule 1 deny
#
[Router] interface Ethernet0
[Router-Ethernet0] ip address 10.0.0.1 255.255.255.0
#
[Router] interface Ethernet1
[Router-Ethernet1] ip address 202.1.1.1 255.255.255.0
[Router-Ethernet1] nat outbound 2000
#
[Router] ip route-static 0.0.0.0 0.0.0.0 202.1.1.2 preference 60
[Router] #
[Router] return
3. NAT using an address pool
version 1.74 (applicable version: vrp1.7)
[Router] nat address-group 1 202.1.1.1 202.1.1.6 pool1
!
[Router] acl 2000 match-order auto
[Router-acl101] rule normal permit source 10.0.0.0 0.0.0.255
[Router-acl101] rule normal deny source any
!
[Router] interface Ethernet0
[Router-Ethernet0] ip address 10.0.0.1 255.255.255.0
!
[Router] interface Ethernet1
[Router-Ethernet1] ip address 202.1.1.1 255.255.255.0
[Router-Ethernet1] nat outbound 2000 pool pool1
!
[Router] ip route-static 0.0.0.0 0.0.0.0 202.1.1.2 preference 60
!
return
Applicable version: vrp3.30
[Router] nat address-group 1 202.218.130.2 202.218.130.5
#
[Router] acl number 2000
[Router-acl101] rule 0 permit source 10.0.0.0 0.0.0.255
[Router-acl101] rule 1 deny
#
[Router] interface Ethernet0/0
[Router-Ethernet0] ip address 10.0.0.1 255.255.255.0
#
[Router] interface Ethernet1/0
[Router-Ethernet1] ip address 202.1.1.1 255.255.255.0
[Router-Ethernet1] nat outbound 2000 address-group 1
#
[Router] ip route-static 0.0.0.0 0.0.0.0 202.1.1.2 preference 60
#
return
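4. Providing WWW, FTP, or other services from the internal network to the outside
Taking the WWW service as an example: in addition to the configuration in 3.1.1 and 3.1.2, the following configuration must be added on the public interface:
[Router-Ethernet1] nat server protocol tcp global 202.0.0.1 www inside 10.0.0.2 www (vrp3.30)
[Router-Ethernet1] nat server global 202.1.1.2 www inside 10.0.0.2 www tcp (vrp1.74)
Note: if other users need to be able to ping the internal server that provides the service externally, the following configuration must be added:
[Router-Ethernet1] nat server protocol icmp global 202.0.0.1 inside 10.0.0.2 (vrp3.30)
[Router-Ethernet1] nat server global 202.1.1.2 any inside 10.0.0.2 any icmp (vrp1.74)
Note: internal users cannot use the public address to access the internal server; they must use the internal address.
In the example above, users on the 10.0.0.0/24 segment cannot access http://202.0.0.1 and can only access http://10.0.0.2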
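Added example (not part of the original Huawei document): a Python helper for reviewing inbound exposure that parses the nat server lines of section 4, in both the vrp3.30 and the vrp1.74 word order, and lists which inside host each public address publishes. The sample configuration is constructed from the lines above, and the function names are hypothetical.

```python
import re

# Constructed sample: the nat server lines from section 4, in both syntaxes.
SAMPLE = """\
[Router-Ethernet1] nat server protocol tcp global 202.0.0.1 www inside 10.0.0.2 www
[Router-Ethernet1] nat server protocol icmp global 202.0.0.1 inside 10.0.0.2
[Router-Ethernet1] nat server global 202.1.1.2 www inside 10.0.0.2 www tcp
[Router-Ethernet1] nat server global 202.1.1.2 any inside 10.0.0.2 any icmp
[Router-Ethernet1] nat outbound 2000
"""

def parse_nat_server(line):
    """Return one published mapping as a dict, or None for any other line."""
    t = re.sub(r"^\s*\[[^\]]*\]\s*", "", line).split()  # drop the CLI prompt
    if t[:2] != ["nat", "server"] or len(t) < 7:
        return None
    t = t[2:]
    if t[0] == "protocol":            # vrp3.30 form: protocol comes first
        proto, t = t[1], t[2:]
    else:                             # vrp1.74 form: protocol comes last
        proto, t = t[-1], t[:-1]
    if t[0] != "global" or "inside" not in t:
        return None
    i = t.index("inside")             # t: global <ip> [port] inside <ip> [port]
    pub, priv = t[1:i], t[i + 1:]
    if not pub or not priv:
        return None
    return {"proto": proto,
            "global": pub[0], "gport": pub[1] if len(pub) > 1 else "any",
            "inside": priv[0], "iport": priv[1] if len(priv) > 1 else "any"}

def published(config):
    """All nat server mappings found in a configuration text."""
    return [m for m in map(parse_nat_server, config.splitlines()) if m]

def review(mappings):
    """Flag mappings not limited to one port, and conflicting duplicates."""
    notes, seen = [], {}
    for m in mappings:
        key = (m["global"], m["proto"], m["gport"])
        if m["gport"] == "any":
            notes.append(f"{m['global']} {m['proto']}: not limited to one port, reaches {m['inside']}")
        if seen.setdefault(key, m["inside"]) != m["inside"]:
            notes.append(f"{m['global']} {m['proto']}/{m['gport']}: mapped to both {seen[key]} and {m['inside']}")
    return notes

if __name__ == "__main__":
    for entry in published(SAMPLE) + review(published(SAMPLE)):
        print(entry)
```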