FAQ - How to configure NAT Server so that public network users can access a private network server

Published: 2015-02-11  Views: 138  Downloads: 0
Problem
How do I configure NAT Server so that public network users can access a private network server?
Solution
Applicable products and versions:
      Chassis switches, V100R006C00 and later

Networking requirements:
      As shown in Figure 1-6, the SPU is installed in slot 5 of the Switch. Company A provides a WWW Server for public network users; the WWW Server's private address is 192.168.20.2:8080 and its published public address is 202.169.10.5. Company B, which sits in a VPN, provides an FTP Server for public network users; the FTP Server's private IP address is 10.0.0.3 and its published public address is 202.169.10.33.

Public network users should be able to reach Company A's WWW Server and Company B's FTP Server through these public addresses.

[Figure 1-6: Networking diagram for configuring internal servers (image not included)]

Configuration roadmap:
      Configure NAT Server as follows:
1. Configure traffic steering from the switch to the SPU.
2. Configure NAT Server so that public network users can access Company A's WWW Server and Company B's FTP Server through the public addresses.
3. Enable the FTP NAT ALG function so that FTP packets are translated correctly.

Procedure:

1. Use Layer 2 traffic steering over link aggregation to direct traffic from the Switch to the SPU. GE2/0/2 is the inbound interface for the traffic; GE2/0/1 and GE2/0/3 are the outbound interfaces.

# Configure the Switch
<HUAWEI> system-view 
[HUAWEI] vlan batch 101 to 103 
[HUAWEI] interface eth-trunk 1 
[HUAWEI-Eth-Trunk1] port link-type trunk 
[HUAWEI-Eth-Trunk1] port trunk allow-pass vlan 101 to 103 
[HUAWEI-Eth-Trunk1] quit 
[HUAWEI] interface gigabitethernet 2/0/1 
[HUAWEI-GigabitEthernet2/0/1] port link-type trunk 
[HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 101 
[HUAWEI-GigabitEthernet2/0/1] quit 
[HUAWEI] interface gigabitethernet 2/0/2 
[HUAWEI-GigabitEthernet2/0/2] port link-type trunk 
[HUAWEI-GigabitEthernet2/0/2] port trunk allow-pass vlan 102 
[HUAWEI-GigabitEthernet2/0/2] quit    
[HUAWEI] interface gigabitethernet 2/0/3 
[HUAWEI-GigabitEthernet2/0/3] port link-type trunk 
[HUAWEI-GigabitEthernet2/0/3] port trunk allow-pass vlan 103 
[HUAWEI-GigabitEthernet2/0/3] quit    
[HUAWEI] interface xgigabitethernet 5/0/0 
[HUAWEI-XGigabitEthernet5/0/0] eth-trunk 1 
[HUAWEI-XGigabitEthernet5/0/0] quit 
[HUAWEI] interface xgigabitethernet 5/0/1 
[HUAWEI-XGigabitEthernet5/0/1] eth-trunk 1 
[HUAWEI-XGigabitEthernet5/0/1] quit
# Configure interface IP addresses and interface VLANs on the SPU
<SPU> system-view 
[SPU] interface eth-trunk 1 
[SPU-Eth-Trunk1] quit 
[SPU] interface eth-trunk 1.1 
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination 
[SPU-Eth-Trunk1.1] dot1q termination vid 101 
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0     
[SPU-Eth-Trunk1.1] arp broadcast enable 
[SPU-Eth-Trunk1.1] quit 
[SPU] interface eth-trunk 1.2 
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination 
[SPU-Eth-Trunk1.2] dot1q termination vid 102 
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0    
[SPU-Eth-Trunk1.2] arp broadcast enable 
[SPU-Eth-Trunk1.2] quit 
[SPU] ip vpn-instance vpn_b 
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1 
[SPU-vpn-instance-vpn_b] quit 
[SPU] interface eth-trunk 1.3 
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination 
[SPU-Eth-Trunk1.3] dot1q termination vid 103 
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b 
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0     
[SPU-Eth-Trunk1.3] arp broadcast enable 
[SPU-Eth-Trunk1.3] quit 
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2 
[SPU] interface xgigabitethernet 0/0/1 
[SPU-XGigabitEthernet0/0/1] eth-trunk 1 
[SPU-XGigabitEthernet0/0/1] quit 
[SPU] interface xgigabitethernet 0/0/2 
[SPU-XGigabitEthernet0/0/2] eth-trunk 1 
[SPU-XGigabitEthernet0/0/2] quit

2. Configure the internal servers on the SPU

[SPU] interface eth-trunk 1.2 
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080 
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b

3. Enable the FTP NAT ALG function on the SPU

[SPU] nat alg ftp enable

4. Verify the configuration

Run the display nat server interface eth-trunk 1.2 command on the SPU to view the NAT Server configuration. Each entry should show the expected global address/port, inside address/port, protocol and VPN instance.
[SPU] display nat server interface eth-trunk 1.2
Nat Server Information:
  Interface  : Eth-Trunk1.2
    Global IP/Port     : 202.169.10.5/80(www)
    Inside IP/Port     : 192.168.20.2/8080
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Description : ---- 

    Global IP/Port     : 202.169.10.33/21(ftp)
    Inside IP/Port     : 10.0.0.3/21(ftp)
    Protocol : 6(tcp)
    VPN instance-name  : vpn_b

  Total :    2  

After the configuration is complete, public network users can access Company A's WWW Server and Company B's FTP Server through the public addresses.
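The four steps above publish two private servers through static mappings and rely on the FTP ALG to fix up addresses carried inside FTP payloads. The following Python model, added here as an illustration and not Huawei code or a Huawei API (class and function names such as NatServerTable and ftp_alg_pasv are hypothetical), builds the same two nat server entries, translates constructed packets in both directions, shows that an unpublished port (22) is not reachable through the NAT Server, and applies the ALG step to a constructed 227 passive-mode reply from the FTP server in vpn_b:

```python
"""Toy model of a NAT Server (static destination NAT) table plus the FTP ALG
step enabled on the page with 'nat alg ftp enable'.

Constructed illustration, not Huawei code or a Huawei API: class and function
names are hypothetical. The two mappings mirror the 'nat server' entries on
Eth-Trunk1.2; the packets, client address and FTP reply are sample values.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

# Service names accepted in place of a port number in the 'nat server' commands.
WELL_KNOWN = {"www": 80, "ftp": 21}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vpn: Optional[str] = None  # VPN instance the packet belongs to; None = public side


class NatServerTable:
    """Maps (proto, global ip, global port) -> (inside ip, inside port, vpn)."""

    def __init__(self):
        self._entries = {}

    def add(self, proto, global_ip, global_port, inside_ip, inside_port, vpn=None):
        gport = WELL_KNOWN.get(global_port, global_port)
        iport = WELL_KNOWN.get(inside_port, inside_port)
        key = (proto, global_ip, gport)
        if key in self._entries:
            # Two servers cannot share one public ip/port: refuse rather than overwrite.
            raise ValueError(f"global {global_ip}:{gport}/{proto} already mapped")
        self._entries[key] = (inside_ip, iport, vpn)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: rewrite the destination. None means no mapping,
        i.e. the NAT Server does not expose that port and the packet is dropped."""
        hit = self._entries.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if hit is None:
            return None
        inside_ip, inside_port, vpn = hit
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port, vpn=vpn)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> public: reverse lookup on the source, restore the global address."""
        for (proto, gip, gport), (iip, iport, vpn) in self._entries.items():
            if (proto, iip, iport, vpn) == (pkt.proto, pkt.src_ip, pkt.src_port, pkt.vpn):
                return replace(pkt, src_ip=gip, src_port=gport, vpn=None)
        return None


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def ftp_alg_pasv(table: NatServerTable, reply: str, global_ip: str, vpn: Optional[str]):
    """FTP ALG for a server 227 (passive mode) reply leaving the private network.

    The reply carries the server's private address and data port in its payload.
    Header-only NAT leaves that untouched, so a public client would try to open
    the data connection to a private address. The ALG rewrites the payload to the
    global address and installs a mapping for the data port so the client's data
    connection is translated like the control connection. Returns (reply, port).
    """
    m = PASV_RE.search(reply)
    if m is None:
        return reply, None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    inside_ip = f"{a}.{b}.{c}.{d}"
    data_port = p1 * 256 + p2
    table.add("tcp", global_ip, data_port, inside_ip, data_port, vpn)
    rewritten = (reply[: m.start(1)] + global_ip.replace(".", ",")
                 + f",{p1},{p2}" + reply[m.end(6):])
    return rewritten, data_port


def build_page_table() -> NatServerTable:
    """The two 'nat server' entries configured on Eth-Trunk1.2 on the page."""
    t = NatServerTable()
    t.add("tcp", "202.169.10.5", "www", "192.168.20.2", 8080)
    t.add("tcp", "202.169.10.33", "ftp", "10.0.0.3", "ftp", vpn="vpn_b")
    return t


def demo():
    t = build_page_table()
    client = "198.51.100.7"  # constructed public client address
    www_in = t.translate_inbound(Packet("tcp", client, 40001, "202.169.10.5", 80))
    www_out = t.translate_outbound(Packet("tcp", "192.168.20.2", 8080, client, 40001))
    ssh_in = t.translate_inbound(Packet("tcp", client, 40002, "202.169.10.5", 22))  # None
    # Constructed PASV reply: server 10.0.0.3 offers data port 195*256+80 = 50000.
    pasv, port = ftp_alg_pasv(t, "227 Entering Passive Mode (10,0,0,3,195,80).",
                              "202.169.10.33", "vpn_b")
    data_in = t.translate_inbound(Packet("tcp", client, 40003, "202.169.10.33", port))
    return www_in, www_out, ssh_in, pasv, data_in


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model makes two points the CLI output alone does not: only the ports explicitly published with nat server are reachable from the public side (the probe to port 22 translates to nothing), and without the ALG the passive-mode reply would leak the private address 10.0.0.3 to the client and the data connection would fail. On the real SPU the ALG also handles the PORT command direction and tears the data-port mapping down again; this toy keeps the temporary entry in the table for simplicity.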

Configuration files
  • SPU configuration file
#
sysname SPU
#
ip vpn-instance vpn_b
route-distinguisher 0:1
#
nat alg ftp enable
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
control-vid 101 dot1q-termination
dot1q termination vid 101
ip address 192.168.20.1 255.255.255.0 
arp broadcast enable
#
interface Eth-Trunk1.2
control-vid 102 dot1q-termination
dot1q termination vid 102
ip address 202.169.10.1 255.255.255.0 
arp broadcast enable
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
#
interface Eth-Trunk1.3
control-vid 103 dot1q-termination
dot1q termination vid 103
ip binding vpn-instance vpn_b
ip address 10.0.0.1 255.255.255.0 
arp broadcast enable
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
#
return
  • Switch configuration file
#
vlan batch 101 to 103
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
eth-trunk 1
#
interface XGigabitEthernet5/0/1
eth-trunk 1
#
return
