Example for Configuring NAT for VPN Users
Networking Requirements
As shown in Figure 2-14, NAT-Device is connected to two VPN instances, VPNA and VPNB. The peer IP address of the outbound interface GE0/2/0 of NAT-Device is 202.100.1.2/24. VPNA and VPNB are required to access the external network through NAT.
Data Preparation
- Name nat1 and index 1 of the NAT instance
- Name address-group1 and number 1 of the NAT address pool on NAT-Device, with the address range allocated in easy-IP mode
- ACL number 3001
- Interface GE0/2/0 to which the NAT traffic diversion policy is applied, and the IP address 202.100.1.2/24 of the interface
Procedure
- Configure basic NAT functions.
- Configure the VPN instances vpna and vpnb.
[~NAT-Device] ip vpn-instance vpna
[*NAT-Device-vpn-instance-vpna] ipv4-family
[*NAT-Device-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*NAT-Device-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[*NAT-Device-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[*NAT-Device-vpn-instance-vpna-af-ipv4] commit
[~NAT-Device-vpn-instance-vpna-af-ipv4] quit
[~NAT-Device] ip vpn-instance vpnb
[*NAT-Device-vpn-instance-vpnb] ipv4-family
[*NAT-Device-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[*NAT-Device-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 export-extcommunity
[*NAT-Device-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 import-extcommunity
[*NAT-Device-vpn-instance-vpnb-af-ipv4] commit
[~NAT-Device-vpn-instance-vpnb-af-ipv4] quit
- Configure a NAT traffic diversion policy: configure an ACL-based traffic classification rule. The ACL number is 3001 and the rule IDs are 1 and 2, so that only hosts on the internal network segments 192.168.1.0/24 and 192.168.2.0/24 can access the Internet.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip vpn-instance vpna source 192.168.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] rule 2 permit ip vpn-instance vpnb source 192.168.2.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
- Apply the NAT traffic diversion policy: apply the ACL-based traffic classification policy in the view of the outbound interface GE0/2/0.
[~NAT-Device] interface gigabitEthernet 0/2/0
[~NAT-Device-GigabitEthernet0/2/0] ip address 202.100.1.1 24
[*NAT-Device-GigabitEthernet0/2/0] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
- Configure the interfaces connected to vpna and vpnb.
[~NAT-Device] interface GigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip binding vpn-instance vpna
Info: All IPv4 and IPv6 related configurations on this interface are removed.
[*NAT-Device-GigabitEthernet0/2/1] ip address 172.16.1.1 255.255.255.0
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface GigabitEthernet 0/2/2
[~NAT-Device-GigabitEthernet0/2/2] ip binding vpn-instance vpnb
Info: All IPv4 and IPv6 related configurations on this interface are removed.
[*NAT-Device-GigabitEthernet0/2/2] ip address 172.16.2.1 255.255.255.0
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit
- Configure static routes.
- Verify the configuration.
Ping 202.100.1.2 from a host in VPNA and from a host in VPNB to check whether the configuration succeeds.
Note:
Configuration precautions:
- When configuring the ACL used by NAT, the VPN instance must be specified.
- In addition to the routes from the VPN instances to the public network, the routes from the public network back to the VPN instances must also be configured.
- This configuration example does not include the configurations of the routers on either side; configure them according to the actual situation.
Configuration file of NAT-Device
#
 sysname NAT-Device
#
nat instance nat1 id 1
 simple-configuration
#
nat address-group 1 group-id 1 unnumbered interface GigabitEthernet0/2/0
#
acl number 3001
 rule 1 permit ip vpn-instance vpna source 192.168.1.0 0.0.0.255
 rule 2 permit ip vpn-instance vpnb source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip address 202.100.1.1 24
 nat bind acl 3001 instance nat1
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface GigabitEthernet0/2/1
 ip binding vpn-instance vpna
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/2/2
 ip binding vpn-instance vpnb
 ip address 172.16.2.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 vpn-instance vpna 172.16.1.2
ip route-static 192.168.2.0 255.255.255.0 vpn-instance vpnb 172.16.2.2
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 202.100.1.2 public
ip route-static vpn-instance vpnb 0.0.0.0 0.0.0.0 202.100.1.2 public
#
return
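The two precautions in the note (the ACL used by NAT must name the VPN instance, and routes are needed in both directions between each VPN instance and the public network) are easy to lose in a hand-maintained configuration, and a rule that silently matches no VPN traffic or a missing return route only shows up as a failed ping. The following Python script is an added example, not Huawei's code and not part of this page: it parses a VRP-style configuration file such as the one above (embedded here as a constructed sample trimmed to the blocks the checks read, with the outbound interface address taken from the configuration step) and reports ACL rules without a vpn-instance and VPN instances lacking a route to or from the public network. The regular expressions assume only the command formats shown on this page.

```python
import re

# Constructed sample: the NAT-Device configuration file from this page, trimmed to the parts the checker reads.
SAMPLE_CONFIG = """\
#
acl number 3001
 rule 1 permit ip vpn-instance vpna source 192.168.1.0 0.0.0.255
 rule 2 permit ip vpn-instance vpnb source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/2/0
 ip address 202.100.1.1 24
 nat bind acl 3001 instance nat1
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
#
ip route-static 192.168.1.0 255.255.255.0 vpn-instance vpna 172.16.1.2
ip route-static 192.168.2.0 255.255.255.0 vpn-instance vpnb 172.16.2.2
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 202.100.1.2 public
ip route-static vpn-instance vpnb 0.0.0.0 0.0.0.0 202.100.1.2 public
#
return
"""

# Constructed negative case: rule 2 lost its vpn-instance and vpna lost its return route from the public network.
BROKEN_CONFIG = (SAMPLE_CONFIG
    .replace("rule 2 permit ip vpn-instance vpnb source", "rule 2 permit ip source")
    .replace("ip route-static 192.168.1.0 255.255.255.0 vpn-instance vpna 172.16.1.2\n", ""))

ACL_RE = re.compile(r"^acl number (\d+)$")
VPN_DEF_RE = re.compile(r"^ip vpn-instance (\S+)$")
BIND_RE = re.compile(r"^nat bind acl (\d+) instance (\S+)$")
RULE_VPN_RE = re.compile(r"\bvpn-instance (\S+)")
# Route in a VPN instance's table pointing at the public network, and route in the public table whose next hop is in a VPN instance.
TO_PUBLIC_RE = re.compile(r"^ip route-static vpn-instance (\S+) \S+ \S+ \S+ public$")
FROM_PUBLIC_RE = re.compile(r"^ip route-static \S+ \S+ vpn-instance (\S+) \S+$")


def parse_config(text):
    """Split a VRP-style config on '#' separators and pull out the objects the checks need."""
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    blocks.append(cur)

    acls, binds, vpns, to_public, from_public = {}, [], set(), set(), set()
    for block in filter(None, blocks):
        head = block[0]
        if m := ACL_RE.match(head):
            acls[m.group(1)] = block[1:]          # the rule lines of this ACL
        elif m := VPN_DEF_RE.match(head):
            vpns.add(m.group(1))
        elif head.startswith("interface "):
            ifname = head.split(None, 1)[1]
            binds += [(ifname, m.group(1), m.group(2))
                      for m in map(BIND_RE.match, block[1:]) if m]
        else:
            for line in block:
                if m := TO_PUBLIC_RE.match(line):
                    to_public.add(m.group(1))
                elif m := FROM_PUBLIC_RE.match(line):
                    from_public.add(m.group(1))
    return acls, binds, vpns, to_public, from_public


def check_nat_vpn_config(text):
    """Return findings for the two precautions; an empty list means both are satisfied."""
    acls, binds, vpns, to_public, from_public = parse_config(text)
    findings, used_vpns = [], set()
    for ifname, acl_id, _instance in binds:
        rules = acls.get(acl_id)
        if rules is None:
            findings.append(f"{ifname}: nat bind references ACL {acl_id}, which is not defined")
            continue
        for rule in rules:
            m = RULE_VPN_RE.search(rule)
            if not m:
                findings.append(f"ACL {acl_id}: '{rule}' does not specify a vpn-instance")
            elif m.group(1) not in vpns:
                findings.append(f"ACL {acl_id}: '{rule}' references undefined vpn-instance {m.group(1)}")
            else:
                used_vpns.add(m.group(1))
    for vpn in sorted(used_vpns):
        if vpn not in to_public:
            findings.append(f"vpn-instance {vpn}: no static route from the VPN to the public network")
        if vpn not in from_public:
            findings.append(f"vpn-instance {vpn}: no static route from the public network back into the VPN")
    return findings
```

Run `check_nat_vpn_config(SAMPLE_CONFIG)` to get an empty list for the page's configuration; `check_nat_vpn_config(BROKEN_CONFIG)` returns two findings, one for the rule without a vpn-instance and one for the missing return route into vpna. Only ACLs actually referenced by a `nat bind` are checked, so unrelated ACLs on the device do not produce noise.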