FAQ - If multiple policies are configured in an interzone NAT policy, what is the packet matching rule?

Published: 2014-09-19 Views: 162 Downloads: 0
Problem description
If multiple policies are configured in an interzone NAT policy, what is the packet matching rule?
Solution
If multiple policies are configured in an interzone NAT policy, the device matches packets against the policies in the order in which they are displayed, regardless of the policy numbers.
For example, several policies are configured in the Outbound NAT policy between the Trust and Untrust zones:
[USG9000-nat-policy-interzone-trust-untrust-outbound] display this
#
nat-policy interzone trust untrust outbound
policy 3
action source-nat
policy source 172.16.1.0 0.0.0.255
address-group 1

policy 1
action source-nat
policy source 172.16.1.0 0.0.0.255
address-group 2
#
return
After the device receives a packet flowing from the Trust zone to the Untrust zone, it first checks the packet's source IP address against the source address rule defined in policy 3. If it matches, the packet is translated using an address from address-group 1 and no further lookup is performed. If it does not match the source address rule in policy 3, the lookup continues with policy 1; if that matches, the packet is translated using an address from address-group 2 and no further lookup is performed, and so on. If no policy matches, no address translation is performed; if the first matching policy has the action no-nat, no address translation is performed either.

Note: You can use the policy move command to adjust the order of the policies as required. For example, to move policy 1 before policy 3:
[USG9000-nat-policy-interzone-trust-untrust-outbound] policy move 1 before 3
The order after the adjustment is as follows:
[USG9000-nat-policy-interzone-trust-untrust-outbound] display this
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.1.0 0.0.0.255
address-group 2

policy 3
action source-nat
policy source 172.16.1.0 0.0.0.255
address-group 1
#
return
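The first-match lookup described above, together with the effect of policy move, modelled as an added example (this is illustrative code, not USG software). It assumes the policy list is held in display order, that the source rule uses a wildcard mask as in "172.16.1.0 0.0.0.255", and it treats a no-nat match as "matched, no translation" so it can be told apart from "no policy matched".

```python
import ipaddress


def wildcard_match(ip, network, wildcard):
    """Match ip against 'network wildcard' (a 1 bit in the wildcard means 'don't care')."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


# Constructed from the FAQ output: the list is in *display order*,
# so policy 3 is evaluated before policy 1 even though its number is higher.
POLICIES = [
    {"id": 3, "action": "source-nat", "source": ("172.16.1.0", "0.0.0.255"), "address_group": 1},
    {"id": 1, "action": "source-nat", "source": ("172.16.1.0", "0.0.0.255"), "address_group": 2},
]


def lookup(policies, src_ip):
    """Return (policy_id, address_group) for the first matching policy.

    address_group is None when the matching policy's action is no-nat
    (matched, but no translation). Returns None when nothing matches,
    in which case no translation is performed either.
    """
    for p in policies:
        net, wc = p["source"]
        if wildcard_match(src_ip, net, wc):
            if p["action"] == "no-nat":
                return (p["id"], None)
            return (p["id"], p["address_group"])  # first match wins, stop here
    return None


def policy_move(policies, moved_id, before_id):
    """Mimic 'policy move <moved_id> before <before_id>' on the ordered list."""
    moved = next(p for p in policies if p["id"] == moved_id)
    rest = [p for p in policies if p["id"] != moved_id]
    idx = next(i for i, p in enumerate(rest) if p["id"] == before_id)
    return rest[:idx] + [moved] + rest[idx:]


if __name__ == "__main__":
    print(lookup(POLICIES, "172.16.1.10"))                      # (3, 1)
    print(lookup(policy_move(POLICIES, 1, 3), "172.16.1.10"))   # (1, 2)
```

Both policies carry the same source rule, so which address-group a host in 172.16.1.0/24 is translated to depends purely on the display order, which is exactly what policy move changes.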
