NE20E-S4: internal users cannot reach an internal server through its public address

Published: 2016-05-16 Views: 197 Downloads: 0
Problem description

1. Network overview

In this project the Internet edge consists of two NE40E-S4 routers, connected to China Telecom and China Unicom respectively, which provide Internet access and publish the internal server services. The core is two S12708 switches in a stack, with S5700 switches attached below them providing access for the server zone. Internal users need to reach the internal server 192.168.6.194 through the public address 1.1.1.84, or through the domain name www.xx.com that resolves to 1.1.1.84.

2. Network topology

3. Configuration script

 <NE20E_A>dis  cu
#
sysname NE20E_A
#
service-location 1
location slot 1 engine 0
#
service-instance-group groupa
service-location 1
#
nat instance 1 id 1
service-instance-group groupa
nat address-group group1 group-id 1 1.1.1.84 1.1.1.84
nat outbound 3001 address-group group1
nat server protocol tcp global 1.1.1.84 www inside 192.168.6.194 www

#
acl number 3001
rule 5 permit ip
#
traffic classifier c1 operator or
if-match acl 3001
#
traffic behavior b1
nat bind instance 1
#
traffic policy p1
share-mode
classifier c1 behavior b1
#
interface GigabitEthernet2/0/0
description TO_DianXin_ISP
undo shutdown
ip address 1.1.1.82 255.255.255.192
#
interface GigabitEthernet2/0/1
description TO_NE20E_B_GE2/0/1
undo shutdown
ip address 192.168.4.17 255.255.255.248
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/2
description TO_S12708_A_B_GE1/1/1/0
undo shutdown
ip address 192.168.4.4 255.255.255.248
traffic-policy p1 inbound
#
ospf 1 router-id 1.1.1.82
default-route-advertise cost 100
import-route static
area 0.0.0.0
  network 192.168.4.4 0.0.0.0
  network 192.168.4.17 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.65
#
license
active nat session-table size 2 slot 1 engine 0
#

4. Symptom

Internal users cannot access the internal server 192.168.6.194 through the public address 1.1.1.84 or through the domain name www.xx.com that resolves to 1.1.1.84.

Handling process

Configuring bidirectional NAT (source and destination translation in one pass) on NE20E-A resolves the problem.

Root cause

The NE20E-S4 has no dns-nat-map feature, so for the problem described above the root cause is analysed as follows:

When a client on the internal network accesses the internal server via www.xx.com, the public DNS resolves www.xx.com to the public address 1.1.1.84. When the internal user then sends traffic to 1.1.1.84, the NE20E-S4 does not translate 1.1.1.84 to the internal address 192.168.6.194, because the command "nat server protocol tcp global 1.1.1.84 www inside 192.168.6.194 www" applies only to external users accessing the internal network through the public address.
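The following is an added model of the packet flow described above, not configuration or code from the case; it assumes an inside client at 192.168.6.10 that the server can reach through the core switch without traversing NE20E-A, and it contrasts plain nat server, destination NAT alone, and the bidirectional NAT used in the fix (addresses are those of the case).

```python
"""Why an inside client cannot reach 1.1.1.84 through nat server alone,
and why the fix needs both source and destination translation.
Constructed simulation; not Huawei code."""
from dataclasses import dataclass

VIP, SERVER, SNAT_POOL = "1.1.1.84", "192.168.6.194", "1.1.1.83"
CLIENT = "192.168.6.10"   # assumed inside client, not from the case


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def router_forward(pkt: Pkt, mode: str):
    """Translate a packet entering NE20E-A on an inside interface.
    mode: 'none' (nat server only), 'dnat' (destination NAT only),
    'twice' (DNAT plus SNAT to the group2 address, as in the fix)."""
    if pkt.dst != VIP or pkt.dport != 80 or mode == "none":
        # nat server only matches traffic from the global side, so an
        # inside client's packet to the VIP is forwarded untouched toward
        # the 1.1.1.64/26 segment and never reaches the server.
        return pkt, None
    src = SNAT_POOL if mode == "twice" else pkt.src
    fwd = Pkt(src, SERVER, pkt.sport, 80)
    session = {(SERVER, src, 80, pkt.sport): pkt}   # reverse-lookup key
    return fwd, session


def router_untranslate(reply: Pkt, session):
    """Reverse both translations for a reply that came back to the router."""
    orig = session[(reply.src, reply.dst, reply.sport, reply.dport)]
    return Pkt(VIP, orig.src, 80, orig.sport)


def simulate(mode: str):
    """Return the SYN-ACK as seen by the client, or None if none arrives."""
    syn = Pkt(CLIENT, VIP, 40000, 80)
    fwd, session = router_forward(syn, mode)
    if fwd.dst != SERVER:
        return None                                  # server never saw it
    synack = Pkt(fwd.dst, fwd.src, 80, fwd.sport)    # server answers fwd.src
    if synack.dst == CLIENT:
        # Reply reaches the client through the core switch, bypassing the
        # router, so it carries the server's private address as source.
        return synack
    return router_untranslate(synack, session)


def client_accepts(reply) -> bool:
    """The client only accepts a SYN-ACK from the VIP:80 it connected to."""
    return reply is not None and (reply.src, reply.sport) == (VIP, 80)
```

Only the 'twice' mode returns a reply sourced from 1.1.1.84:80 to the client's own port, which is why source NAT to 1.1.1.83 accompanies the destination translation in the fix.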

Solution

The bidirectional NAT configuration script on NE20E-A is as follows:

 <NE20E_A>dis  cu
#
sysname NE20E_A
#
service-location 1
location slot 1 engine 0
#
service-instance-group groupa
service-location 1
#
nat instance 1 id 1
service-instance-group groupa
nat address-group group1 group-id 1 1.1.1.84 1.1.1.84
nat outbound 3001 address-group group1
nat server protocol tcp global 1.1.1.84 www inside 192.168.6.194 www
nat instance 2 id 2
service-instance-group groupa
nat address-group group2 group-id 2 1.1.1.83 1.1.1.83
nat outbound 3101 address-group group2
#
acl number 3001
rule 5 permit ip
#
acl number 3101
rule 1 permit ip
#
traffic classifier c2 operator or
if-match acl 3101
traffic classifier c1 operator or
if-match acl 3001
#
traffic behavior b2
nat bind instance 2
traffic behavior b1
nat bind instance 1
#
traffic policy p1
share-mode
classifier c1 behavior b1
classifier c2 behavior b2
#
interface GigabitEthernet2/0/0
description TO_DianXin_ISP
undo shutdown
ip address 1.1.1.82 255.255.255.192
#
interface GigabitEthernet2/0/1
description TO_NE20E_B_GE2/0/1
undo shutdown
ip address 192.168.4.17 255.255.255.248
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/2
description TO_S12708_A_B_GE1/1/1/0
undo shutdown
ip address 192.168.4.4 255.255.255.248
traffic-policy p1 inbound
#
ospf 1 router-id 1.1.1.82
default-route-advertise cost 100
import-route static
area 0.0.0.0
  network 192.168.4.4 0.0.0.0
  network 192.168.4.17 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.65
#
license
active nat session-table size 2 slot 1 engine 0
#

END