FAQ: After configuring NAT, how do I block specified intranet IP addresses from accessing a specified website?

Published: 2014-09-17
Problem description
After NAT has been configured, how can specified intranet IP addresses be prevented from accessing a specified website?
Solution
Configure a traffic policy in the inbound direction on the interface that connects the device to the intranet, and have it deny packets whose source IP is in the specified range and whose destination IP is the specified website. Applying the policy inbound on the intranet-facing interface means it sees the packets before NAT, so the ACL matches the hosts' original private addresses rather than the single public address 200.100.1.2 that Easy IP assigns to all of them. Note that the ACL matches the site's IP address, not its host name: a site that is served from several addresses needs one rule per address.
As shown in Figure 16-2, the IP address of the Router's outbound interface GE0/0/1 is 200.100.1.2/24 and the IP address of interface Eth0/0/1 is 192.168.0.1/24. The IP address of the peer connected to the Router's outbound interface GE0/0/1 is 200.100.1.1/24. Intranet users reach the external network through Easy IP address translation on the Router's outbound interface GE0/0/1.
Figure 16-2 Easy IP on the outbound interface

Original configuration:
#
sysname Router  //set the device name
#
acl number 2000  //intranet address range 192.168.0.0/24 that is allowed to be NAT-translated
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface Ethernet0/0/1
ip address 192.168.0.1 255.255.255.0  //intranet gateway address
#
interface GigabitEthernet0/0/1
ip address 200.100.1.2 255.255.255.0
nat outbound 2000  //Easy IP NAT on the outbound interface GE0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 200.100.1.1  //default route so that the outbound interface can reach the peer
#

Now the PCs with IP addresses 192.168.0.16 to 192.168.0.31 must be prevented from accessing 211.1.1.6. The wildcard 0.0.0.15 on base address 192.168.0.16 matches exactly those 16 addresses (192.168.0.16/28); a wildcard has "don't care" bits set to 1, so it is not a subnet mask. The configuration is as follows:
[Router] acl 3000
[Router-acl-adv-3000] rule deny ip destination 211.1.1.6 0.0.0.0 source 192.168.0.16 0.0.0.15
[Router-acl-adv-3000] quit
[Router] traffic classifier c1
[Router-classifier-c1] if-match acl 3000
[Router-classifier-c1] quit
[Router] traffic behavior b1
[Router-behavior-b1] deny
[Router-behavior-b1] quit
[Router] traffic policy p1
[Router-trafficpolicy-p1] classifier c1 behavior b1
[Router-trafficpolicy-p1] quit
[Router] interface ethernet 0/0/1  //the interface connected to the intranet in Figure 16-2
[Router-Ethernet0/0/1] traffic-policy p1 inbound

Packets that do not match ACL 3000 do not hit classifier c1, so the policy leaves them alone and they are forwarded and translated exactly as before; no explicit permit rule is needed. Check the rule with display acl 3000, then confirm from a PC inside 192.168.0.16 to 192.168.0.31 that 211.1.1.6 is unreachable while a PC outside that range still reaches it.
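The following is an added worked example, not part of the original FAQ and not Huawei code. It models the wildcard-mask semantics of the advanced ACL rule above in Python, parses the rule line exactly as written on this page, and evaluates a few constructed sample flows: a PC in the blocked range, a PC outside it, the same PC to a different destination, and the same flow as it would look after Easy IP has rewritten the source to 200.100.1.2. It also enumerates which hosts a base/wildcard pair really covers, which is where most ACL mistakes come from. The packet addresses and the helper names (parse_rule, covered_hosts, evaluate) are assumptions of this example.

```python
"""Model of a Huawei VRP ACL rule with wildcard masks.

Added example, not part of the original FAQ and not Huawei's code. It parses
the `rule deny ip ...` line from the FAQ, evaluates constructed sample flows
against it, and enumerates the hosts a base/wildcard pair covers.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # source base address
    src_wc: str      # source wildcard: bits set to 1 are "don't care"
    dst: str         # destination base address
    dst_wc: str      # destination wildcard


def parse_rule(line: str) -> Rule:
    """Parse `rule [N] permit|deny [ip] source A W destination B W`.
    Keywords may appear in either order; a missing source/destination means any."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError("not a rule line")
    i = 1
    if tok[i].isdigit():            # optional rule number
        i += 1
    action = tok[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    i += 1
    if i < len(tok) and tok[i] == "ip":   # advanced ACL protocol keyword
        i += 1
    fields = {"source": ("0.0.0.0", "255.255.255.255"),
              "destination": ("0.0.0.0", "255.255.255.255")}
    while i < len(tok):
        kw = tok[i]
        if kw not in fields:
            raise ValueError(f"unsupported keyword {kw!r}")
        fields[kw] = (tok[i + 1], tok[i + 2])
        i += 3
    return Rule(action, *fields["source"], *fields["destination"])


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is equal in addr and base."""
    care = ~_ip(wildcard) & ALL_ONES
    return (_ip(addr) & care) == (_ip(base) & care)


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    return (wildcard_match(src, rule.src, rule.src_wc)
            and wildcard_match(dst, rule.dst, rule.dst_wc))


def evaluate(rules, src: str, dst: str) -> str:
    """First matching rule wins. A flow matching no rule never hits the
    classifier, so the traffic policy leaves it alone and it is forwarded."""
    for r in rules:
        if rule_matches(r, src, dst):
            return r.action
    return "permit"


def covered_hosts(base: str, wildcard: str):
    """Enumerate every address base/wildcard matches (refuses more than 2^16)."""
    b, w = _ip(base), _ip(wildcard)
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("too many wildcard bits to enumerate")
    fixed = b & ~w & ALL_ONES
    hosts = []
    for k in range(1 << len(free_bits)):
        v = fixed
        for i, bit in enumerate(free_bits):
            if (k >> i) & 1:
                v |= bit
        hosts.append(v)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(hosts)]


# The rule exactly as it appears in the FAQ.
FAQ_RULE = parse_rule(
    "rule deny ip destination 211.1.1.6 0.0.0.0 source 192.168.0.16 0.0.0.15")
POLICY = [FAQ_RULE]

# Constructed sample flows (not captured traffic).
SAMPLES = {
    "blocked PC to site, as seen inbound on Ethernet0/0/1": ("192.168.0.20", "211.1.1.6"),
    "PC outside the range to site":                         ("192.168.0.32", "211.1.1.6"),
    "blocked PC to another destination":                   ("192.168.0.20", "211.1.1.7"),
    "same flow after Easy IP, as seen leaving GE0/0/1":     ("200.100.1.2", "211.1.1.6"),
}


def decisions():
    return {name: evaluate(POLICY, s, d) for name, (s, d) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:6} {name}")
    rng = covered_hosts("192.168.0.16", "0.0.0.15")
    print("0.0.0.15 covers", rng[0], "to", rng[-1])
    # A common slip: wildcard 0.0.0.31 silently widens the block to .0 - .31.
    print("0.0.0.31 covers", len(covered_hosts("192.168.0.16", "0.0.0.31")), "hosts")
```

The last sample is the point of placing the policy inbound on Ethernet0/0/1: once Easy IP has rewritten the source to 200.100.1.2, the rule no longer matches and every intranet host looks the same. The covered_hosts check is worth running before committing any wildcard you did not compute from a /28-style prefix.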

END