华为防火墙NAT配置访问外网

AR1模拟外网，配置一个IP，在配置一个LoopBack地址，AR1的配置如下：

interface GigabitEthernet0/0/0
 ip address 100.100.100.1 255.255.255.0 
#
interface LoopBack1
 ip address 200.200.200.1 255.255.255.0 

USG的配置如下：

#配置内网接口，开启DHCP

interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.10.1
 dhcp server dns-list 8.8.8.8

#将GigabitEthernet0/0/0加入到Trust区域

firewall zone trust
 add interface GigabitEthernet0/0/0

#配置外网接口

interface GigabitEthernet0/0/1
 ip address 100.100.100.2 255.255.255.0
#将GigabitEthernet0/0/1加入到Untrust区域

firewall zone untrust
 add interface GigabitEthernet0/0/1

#开启域间包过滤规则，

policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 192.168.10.0 0.0.0.255
#配置缺省路由，确保局域网用户访问Internet路由可达

 ip route-static 0.0.0.0 0.0.0.0 100.100.100.1

#配置NAT，实现局域网用户能够访问Internet

nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.10.0 0.0.0.255
  easy-ip GigabitEthernet0/0/1

验证结果：

#PC1可以ping通100.100.100.1和200.200.200.1

PC>ping 100.100.100.1
Ping 100.100.100.1: 32 data bytes, Press Ctrl_C to break
From 100.100.100.1: bytes=32 seq=1 ttl=254 time=47 ms
From 100.100.100.1: bytes=32 seq=2 ttl=254 time=31 ms
From 100.100.100.1: bytes=32 seq=3 ttl=254 time=47 ms
From 100.100.100.1: bytes=32 seq=4 ttl=254 time=31 ms
From 100.100.100.1: bytes=32 seq=5 ttl=254 time=31 ms

--- 100.100.100.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/37/47 ms

PC>ping 200.200.200.1
Ping 200.200.200.1: 32 data bytes, Press Ctrl_C to break
From 200.200.200.1: bytes=32 seq=1 ttl=254 time=62 ms
From 200.200.200.1: bytes=32 seq=2 ttl=254 time=46 ms
From 200.200.200.1: bytes=32 seq=3 ttl=254 time=47 ms
From 200.200.200.1: bytes=32 seq=4 ttl=254 time=47 ms
From 200.200.200.1: bytes=32 seq=5 ttl=254 time=63 ms

--- 200.200.200.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 46/53/63 ms

#防火墙上的会话

<SRG>display firewall session table
13:15:06  2014/03/18
 Current Total Sessions : 3
  icmp  ×××:public --> public 192.168.10.2:29142[100.100.100.2:2065]-->200.200.200.1:2048
  icmp  ×××:public --> public 192.168.10.2:29398[100.100.100.2:2066]-->200.200.200.1:2048
  icmp  ×××:public --> public 192.168.10.2:29654[100.100.100.2:2067]-->200.200.200.1:2048

转载于:https://blog.51cto.com/wcrichard/1553021