FAQ: How to configure NAT Outbound so that private-network users can access the public network

Published: 2015-02-11  Views: 112  Downloads: 0
Problem description
How can NAT Outbound be configured so that private-network users can access the public network?
Solution
Applicable products and versions:
       Modular (chassis) switches, V100R006C00 and later versions

Networking requirements:
As shown in Figure 1-5, the SPU board is installed in slot 5 of the Switch. Hosts on the internal networks of Company A and Company B use private IP addresses. Company A has 100 hosts and 101 unused public IP addresses (202.169.10.100 to 202.169.10.200); Company B's network is in a VPN instance and has no unused public IP address.
The requirement is that hosts of both Company A and Company B can access the Internet.

Figure 1-5 Network diagram for configuring NAT Outbound so that private-network users can access the public network (image not reproduced on this page)

Configuration roadmap:

Configure dynamic address translation as follows:
1. Configure traffic redirection from the Switch to the SPU.
2. On the Switch, configure NAT Outbound with an address pool for Company A's hosts, so that each host's private IP address is mapped to a public IP address from the pool and the hosts can access the Internet.
3. On the Switch, configure Easy IP (NAT Outbound without an address pool) for Company B's hosts, so that each host's private IP address is mapped to the public IP address of the outbound interface and the hosts can access the Internet.
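
The difference between steps 2 and 3 is easy to get wrong when sizing the pool, so the following model of the two modes is added here as an illustration (it is not Huawei code and does not come from this FAQ). It uses the addresses of the FAQ scenario; the class names, the starting Easy IP identifier of 10240 (taken from the sample session output later on this page) and the per-host iteration in company_a_capacity are assumptions made for the example. It shows why 101 pool addresses are enough for Company A's 100 hosts under no-pat, what happens to a 102nd host, and why Company B's hosts can all share one interface address under Easy IP.

```python
"""Model of the two NAT Outbound modes in this FAQ: a no-pat address pool
(Company A) versus Easy IP (Company B).  Added example, not device code."""
import ipaddress
import itertools


class PoolExhausted(Exception):
    """A no-pat pool has no free public address left for a new private host."""


class NoPatTranslator:
    """nat outbound <acl> address-group <n> no-pat: every private source is
    bound to its own public address from the pool.  No port translation is
    done, so the transport identifier (TCP/UDP port or ICMP ID) leaves the
    device unchanged; the pool therefore needs one address per host."""

    def __init__(self, first_ip, last_ip):
        lo = int(ipaddress.IPv4Address(first_ip))
        hi = int(ipaddress.IPv4Address(last_ip))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.bindings = {}          # private source -> public source

    def pool_size(self):
        return len(self.free) + len(self.bindings)

    def translate(self, src, ident):
        if src not in self.bindings:
            if not self.free:
                raise PoolExhausted(src)
            self.bindings[src] = self.free.pop(0)
        return self.bindings[src], ident


class EasyIpTranslator:
    """nat outbound <acl> without an address group (Easy IP): all private
    sources share the outbound interface address, so the device rewrites
    the transport identifier to keep concurrent sessions distinct."""

    def __init__(self, interface_ip, first_ident=10240):   # 10240: assumed start
        self.interface_ip = interface_ip
        self._next_ident = itertools.count(first_ident)
        self.sessions = {}          # (private source, ident) -> new ident

    def translate(self, src, ident):
        key = (src, ident)
        if key not in self.sessions:
            self.sessions[key] = next(self._next_ident)
        return self.interface_ip, self.sessions[key]


def company_a_capacity(host_count):
    """Send host_count Company A hosts (192.168.20.2 upwards, constructed)
    through the FAQ's pool 202.169.10.100-202.169.10.200 and return how many
    public addresses they consume.  Raises PoolExhausted past 101 hosts."""
    pool = NoPatTranslator("202.169.10.100", "202.169.10.200")
    for n in range(host_count):
        pool.translate("192.168.20.%d" % (n + 2), 1)
    return len(pool.bindings)


def fits_in_pool(host_count):
    """True when host_count no-pat hosts fit into the FAQ's 101-address pool."""
    try:
        company_a_capacity(host_count)
        return True
    except PoolExhausted:
        return False


if __name__ == "__main__":
    print("Company A, 100 hosts use", company_a_capacity(100), "public addresses")
    print("102 hosts fit:", fits_in_pool(102))
    b = EasyIpTranslator("202.169.10.1")
    print(b.translate("10.0.0.2", 44028), b.translate("10.0.0.3", 44028))
```

The point for capacity planning is the one-address-per-host rule of no-pat: the ACL 2000 range 192.168.20.0/24 could hold more hosts than the pool has addresses, and any host beyond the 101st gets no translation at all rather than sharing an address.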

Procedure:

1. Configure traffic redirection from the Switch to the SPU using Layer 2 redirection through interface aggregation. GE2/0/1 and GE2/0/3 are the inbound interfaces for the traffic, and GE2/0/2 is the outbound interface.

# Configure the Switch
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 101 to 103
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Switch-GigabitEthernet2/0/1] quit
[Switch] interface gigabitethernet 2/0/2
[Switch-GigabitEthernet2/0/2] port link-type trunk
[Switch-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Switch-GigabitEthernet2/0/2] quit
[Switch] interface gigabitethernet 2/0/3
[Switch-GigabitEthernet2/0/3] port link-type trunk
[Switch-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[Switch-GigabitEthernet2/0/3] quit
[Switch] interface xgigabitethernet 5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 1
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet 5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 1
[Switch-XGigabitEthernet5/0/1] quit
# On the SPU, configure the interface IP addresses and the VLANs the interfaces belong to
<HUAWEI> system-view
[HUAWEI] sysname SPU
[SPU] interface eth-trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface eth-trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface eth-trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface eth-trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

2. Configure NAT Outbound on the SPU

[SPU] nat address-group 1 202.169.10.100 202.169.10.200
[SPU] acl 2000
[SPU-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[SPU-acl-basic-2000] quit
[SPU] acl 2001
[SPU-acl-basic-2001] rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255
[SPU-acl-basic-2001] quit
[SPU] interface eth-trunk 1.2
[SPU-Eth-Trunk1.2] nat outbound 2000 address-group 1 no-pat
[SPU-Eth-Trunk1.2] nat outbound 2001
[SPU-Eth-Trunk1.2] quit

3. Verify the configuration

On the SPU, run the display nat outbound interface eth-trunk 1.2 command to view the NAT Outbound configuration.
[SPU] display nat outbound interface eth-trunk 1.2
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                     Acl     Address-group/IP/Interface      Type
--------------------------------------------------------------------------
Eth-Trunk1.2                 2000                              1    no-pat
Eth-Trunk1.2                 2001                   202.169.10.1    easyip
--------------------------------------------------------------------------
  Total : 2
   
After the configuration is complete, private-network hosts can access the Internet.

Taking Company A as an example, the host with internal IP address 192.168.20.2 can successfully ping the device with IP address 202.169.10.2 on the Internet.
On the SPU, run the display nat session destination 202.169.10.2 command to view the source IP addresses before and after NAT translation.
[SPU] display nat session destination 202.169.10.2
  The operation may take a few minutes, please wait...
  NAT Session Table Information:
     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 192.168.20.2
     DestAddr  Vpn     : 202.169.10.2
     Type Code IcmpId  : 8   0   44006
     NAT-Info
       New SrcAddr     : 202.169.10.100
       New DestAddr    : ----
       New IcmpId      : ----

  Total : 1
 
Taking Company B as an example, the host with internal IP address 10.0.0.2 can successfully ping the device with IP address 202.169.10.2 on the Internet.

On the SPU, run the display nat session destination 202.169.10.2 command to view the source IP addresses before and after NAT translation.
[SPU] display nat session destination 202.169.10.2
  The operation may take a few minutes, please wait...
  NAT Session Table Information:
     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 10.0.0.2        vpn_b
     DestAddr  Vpn     : 202.169.10.2
     Type Code IcmpId  : 8   0   44028
     NAT-Info
       New SrcAddr     : 202.169.10.1
       New DestAddr    : ----
       New IcmpId      : 10240

  Total : 1
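
The two session records above are the evidence that each company's traffic is translated by the intended rule, and they are also what an operator needs when an external party reports abuse from one of the public addresses and the originating private host has to be identified. The following script is an added example (not part of this FAQ and not Huawei code) that parses display nat session output, checks every session against the policy configured in step 2, and maps a public address and identifier back to the private host. The sample text is the two records from this page concatenated; the POLICY table, the function names and the treatment of "----" as "unchanged" are assumptions made for the example.

```python
"""Parse `display nat session` output, verify it against the NAT Outbound
policy of this FAQ, and attribute a public address back to a private host.
Added example; the sample output below is copied from the FAQ."""
import ipaddress

# Constructed from the two session records shown on this page (A, then B).
SAMPLE_OUTPUT = """\
  The operation may take a few minutes, please wait...
  NAT Session Table Information:
     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 192.168.20.2
     DestAddr  Vpn     : 202.169.10.2
     Type Code IcmpId  : 8   0   44006
     NAT-Info
       New SrcAddr     : 202.169.10.100
       New DestAddr    : ----
       New IcmpId      : ----

  NAT Session Table Information:
     Protocol          : ICMP(1)
     SrcAddr   Vpn     : 10.0.0.2        vpn_b
     DestAddr  Vpn     : 202.169.10.2
     Type Code IcmpId  : 8   0   44028
     NAT-Info
       New SrcAddr     : 202.169.10.1
       New DestAddr    : ----
       New IcmpId      : 10240

  Total : 2
"""

# Expected translation per rule, taken from the step 2 configuration:
# (vpn-instance, private prefix, mode, lowest and highest public address).
POLICY = [
    (None,    "192.168.20.0/24", "no-pat", ("202.169.10.100", "202.169.10.200")),
    ("vpn_b", "10.0.0.0/24",     "easyip", ("202.169.10.1",   "202.169.10.1")),
]


def parse_sessions(text):
    """Return one dict per 'NAT Session Table Information' record."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NAT Session Table Information"):
            cur = {}
            sessions.append(cur)
            continue
        if cur is None or ":" not in line:
            continue                      # banner, NAT-Info, Total, blanks
        key, _, value = line.partition(":")
        key = " ".join(key.split())       # collapse the column padding
        fields = value.split()
        if key == "Protocol":
            cur["protocol"] = fields[0]
        elif key == "SrcAddr Vpn":        # VPN name is absent for the public VRF
            cur["src"] = fields[0]
            cur["vpn"] = fields[1] if len(fields) > 1 else None
        elif key == "DestAddr Vpn":
            cur["dst"] = fields[0]
        elif key == "Type Code IcmpId":
            cur["icmp_id"] = int(fields[2])
        elif key == "New SrcAddr":
            cur["new_src"] = fields[0]
        elif key == "New IcmpId":         # "----" means the ID was not rewritten
            cur["new_icmp_id"] = None if fields[0] == "----" else int(fields[0])
    return sessions


def check_session(s):
    """Return (mode, ok): the rule that should have matched and whether the
    observed translation is consistent with that mode."""
    src = ipaddress.ip_address(s["src"])
    for vpn, prefix, mode, (lo, hi) in POLICY:
        if vpn == s["vpn"] and src in ipaddress.ip_network(prefix):
            new = ipaddress.ip_address(s["new_src"])
            in_range = ipaddress.ip_address(lo) <= new <= ipaddress.ip_address(hi)
            if mode == "no-pat":          # pool address, identifier untouched
                return mode, in_range and s["new_icmp_id"] is None
            return mode, in_range and s["new_icmp_id"] is not None
    return None, False                    # no NAT rule covers this source


def attribute(sessions, public_ip, ident):
    """Map an address/identifier seen on the Internet side back to the
    private (host, vpn) that owns the session, or None if unknown."""
    for s in sessions:
        seen = s["new_icmp_id"] if s["new_icmp_id"] is not None else s["icmp_id"]
        if s["new_src"] == public_ip and seen == ident:
            return s["src"], s["vpn"]
    return None


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s["src"], s["vpn"], "->", s["new_src"], check_session(s))
```

Because no-pat leaves the ICMP ID (or port) untouched, attribution for Company A only needs the public address, whereas for Company B the rewritten identifier is what distinguishes hosts behind 202.169.10.1; session records therefore need to be retained for as long as attribution may be required.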
         
Configuration files:
 Configuration file of the SPU
#
sysname SPU
#
ip vpn-instance vpn_b
route-distinguisher 0:1
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255
#
nat address-group 1 202.169.10.100 202.169.10.200
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
control-vid 101 dot1q-termination
dot1q termination vid 101
ip address 192.168.20.1 255.255.255.0
arp broadcast enable
#
interface Eth-Trunk1.2
control-vid 102 dot1q-termination
dot1q termination vid 102
ip address 202.169.10.1 255.255.255.0
arp broadcast enable
nat outbound 2000 address-group 1 no-pat
nat outbound 2001
#
interface Eth-Trunk1.3
control-vid 103 dot1q-termination
dot1q termination vid 103
ip binding vpn-instance vpn_b
ip address 10.0.0.1 255.255.255.0
arp broadcast enable
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
#
return
 Configuration file of the Switch
#
sysname Switch
#
vlan batch 101 to 103
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
eth-trunk 1
#
interface XGigabitEthernet5/0/1
eth-trunk 1
#
return