60-Typical configuration example: dual-exit NAT server on MSR series routers for the education network
Typical configuration example: dual-exit NAT server on MSR series routers
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced, or distributed in any form without the prior written consent of the company. The information in this document is subject to change without notice.
This document describes a typical configuration example that uses NAT to connect an internal network to external networks through two exits.
This document is not strictly tied to specific software or hardware versions. If the product behaves differently from what is described here, refer to the relevant product manuals or follow the actual behaviour of the device.
The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If the device is already configured, make sure the existing configuration does not conflict with the configuration in the example.
This document assumes that you are familiar with the NAT (network address translation) feature.
As shown in Figure 1, the LAN is connected to ISP 1 and ISP 2 through an MSR router. NAT is to be configured on the MSR so that:
· The LAN reaches ISP 1 through GigabitEthernet5/1 and ISP 2 through GigabitEthernet5/0.
· Hosts in ISP 2 and hosts inside the LAN can access the LAN server either directly by IP address or through the domain name test.lan.cn.
Figure 1 Network diagram: dual-exit NAT server on MSR series routers for the education network
To make the LAN server reachable from both inside and outside, configure a static address translation mapping and enable it on each interface of the MSR router. Configure dynamic address translation so that LAN hosts can access ISP 2, ISP 1 and the LAN server. Finally, configure policy-based routing for the LAN server so that the server reaches the outside through ISP 1.
This example was configured and verified on Release 2311.
MSR router configuration:
# Assign IP addresses to the interfaces.
<Router> system-view
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] ip address 192.168.86.2 255.255.0.0
[Router-GigabitEthernet0/0] quit
[Router] interface gigabitethernet 5/0
[Router-GigabitEthernet5/0] port link-mode route
[Router-GigabitEthernet5/0] ip address 202.2.2.2 255.255.255.0
[Router-GigabitEthernet5/0] quit
[Router] interface gigabitethernet 5/1
[Router-GigabitEthernet5/1] port link-mode route
[Router-GigabitEthernet5/1] ip address 211.1.1.2 255.255.255.0
[Router-GigabitEthernet5/1] quit
# Configure the static address translation mapping.
[Router] nat static 192.168.34.55 211.1.1.4
# Enable the static address translation on the interfaces.
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] nat outbound static
[Router-GigabitEthernet0/0] quit
[Router] interface gigabitethernet 5/0
[Router-GigabitEthernet5/0] nat outbound static
[Router-GigabitEthernet5/0] quit
[Router] interface gigabitethernet 5/1
[Router-GigabitEthernet5/1] nat outbound static
[Router-GigabitEthernet5/1] quit
# Map the LAN server's domain name test.lan.cn to its internal IP address 192.168.34.55/16.
[Router] ip host test.lan.cn 192.168.34.55
# Configure address group 1 for ISP 1 with public addresses 211.1.1.50 through 211.1.1.100.
[Router] nat address-group 1 211.1.1.50 211.1.1.100
# Create ACL 2000 to permit hosts on the LAN segment 192.168.0.0/16 to access ISP 1 and ISP 2.
[Router] acl number 2000
[Router-acl-basic-2000] rule 10 permit source 192.168.0.0 0.0.255.255
[Router-acl-basic-2000] quit
# On GigabitEthernet5/1, associate ACL 2000 with address group 1 so that NAT is performed.
[Router] interface gigabitethernet 5/1
[Router-GigabitEthernet5/1] nat outbound 2000 address-group 1
[Router-GigabitEthernet5/1] quit
# Configure address group 2 for ISP 2 with public addresses 202.2.2.50 through 202.2.2.100.
[Router] nat address-group 2 202.2.2.50 202.2.2.100
# ACL 2000 (already created above) also permits hosts on the LAN segment 192.168.0.0/16 to access ISP 2; entering the identical rule again leaves it unchanged.
[Router] acl number 2000
[Router-acl-basic-2000] rule 10 permit source 192.168.0.0 0.0.255.255
[Router-acl-basic-2000] quit
# On GigabitEthernet5/0, associate ACL 2000 with address group 2 so that NAT is performed.
[Router] interface gigabitethernet 5/0
[Router-GigabitEthernet5/0] nat outbound 2000 address-group 2
[Router-GigabitEthernet5/0] quit
# Create ACL 3000 so that the internal network 192.168.0.0/16 can access the server host address 192.168.34.55/16.
[Router] acl number 3000
[Router-acl-adv-3000] rule 10 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.34.55 0
[Router-acl-adv-3000] quit
# Apply ACL 3000 on GigabitEthernet0/0 so that NAT is performed.
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] nat outbound 3000
[Router-GigabitEthernet0/0] quit
# Create ACL 2222 to permit traffic from the host address 192.168.34.55/16.
[Router] acl number 2222
[Router-acl-basic-2222] rule 0 permit source 192.168.34.55 0
[Router-acl-basic-2222] quit
# Configure policy aaa with a permit node numbered 2 that matches ACL 2222 and applies the next hop 211.1.1.1/24 on the link of MSR interface GigabitEthernet5/1.
[Router] policy-based-route aaa permit node 2
[Router-pbr-aaa-2] if-match acl 2222
[Router-pbr-aaa-2] apply ip-address next-hop 211.1.1.1
[Router-pbr-aaa-2] quit
# Create ACL 3333 to match traffic from the host address 192.168.34.55/16 to the destination segment 192.168.0.0/16, for use by the deny node of the policy.
[Router] acl number 3333
[Router-acl-adv-3333] rule 0 permit ip source 192.168.34.55 0 destination 192.168.0.0 0.0.255.255
[Router-acl-adv-3333] quit
# Configure policy aaa with a deny node numbered 3 that matches ACL 3333.
[Router] policy-based-route aaa deny node 3
[Router-pbr-aaa-3] if-match acl 3333
[Router-pbr-aaa-3] quit
# Apply policy aaa on GigabitEthernet0/0.
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] ip policy-based-route aaa
[Router-GigabitEthernet0/0] quit
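The configuration above relies on three matching rules that are easy to get wrong when adapting the example: Comware wildcard masks in the ACLs, which NAT rule an interface applies to a given packet (static mapping, address group, or the interface address when no group is named), and policy nodes being tried in ascending node order with the first match deciding. The following Python model, added here as an example and not part of the H3C documentation or device code, transcribes the page's ACLs, address groups, static mapping and policy aaa and evaluates sample packets against them offline. Static-over-dynamic precedence, first-match semantics and the pool being reported as a range rather than one picked address are modelling assumptions; the sample packet addresses and the second policy variant, in which the deny node is numbered below the permit node, are constructed. With the page's numbers a server-to-LAN packet matches permit node 2 before deny node 3 is reached; the constructed variant shows the numbering that keeps such traffic on normal routing.

```python
"""Offline model of the NAT and policy-routing decisions in the MSR example.

Added example, not H3C code. It re-implements the matching rules the page's
configuration relies on so that each step's outcome can be checked without a
router: Comware wildcard masks, first-match ACL evaluation, per-interface NAT
selection (static mapping, address-group pool, or Easy IP to the interface
address) and PBR node evaluation in ascending node order. The precedence and
pool handling are modelled as stated here, not read from device code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard: a 0 bit must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                             # "permit" or "deny"
    src: Tuple[str, str]                    # (base, wildcard); "0" on the CLI means 0.0.0.0
    dst: Optional[Tuple[str, str]] = None   # only advanced ACLs (3000-3999) carry a destination


def acl_permits(rules: List[Rule], src: str, dst: str) -> bool:
    """The first rule that matches decides; a packet matching no rule counts as not matched."""
    for r in rules:
        if wildcard_match(src, *r.src) and (r.dst is None or wildcard_match(dst, *r.dst)):
            return r.action == "permit"
    return False


@dataclass
class Interface:
    name: str
    address: str
    static: bool = False                             # nat outbound static
    pool: Optional[Tuple[List[Rule], str]] = None    # nat outbound <acl> address-group <n>
    easy_ip: Optional[List[Rule]] = None             # nat outbound <acl> with no group: interface address


def translate_source(iface: Interface, src: str, dst: str, static_map: dict) -> Tuple[str, str]:
    """Source address a packet leaves iface with, as (kind, value).

    Modelled precedence: the static mapping wins when it is enabled on the interface and
    the source is mapped; otherwise the first dynamic rule whose ACL permits the packet applies.
    """
    if iface.static and src in static_map:
        return ("static", static_map[src])
    if iface.pool and acl_permits(iface.pool[0], src, dst):
        return ("pool", iface.pool[1])      # some address from the group; the exact pick is the router's
    if iface.easy_ip and acl_permits(iface.easy_ip, src, dst):
        return ("interface", iface.address)
    return ("none", src)


@dataclass
class PbrNode:
    number: int
    action: str                  # "permit" applies the next hop, "deny" forces normal routing
    acl: List[Rule]
    next_hop: Optional[str] = None


def pbr_next_hop(nodes: List[PbrNode], src: str, dst: str) -> Optional[str]:
    """Nodes are tried in ascending number; the first whose ACL permits the packet decides."""
    for node in sorted(nodes, key=lambda n: n.number):
        if acl_permits(node.acl, src, dst):
            return node.next_hop if node.action == "permit" else None
    return None        # no match: normal routing (on the page, the default route to 202.2.2.1)


# --- The page's configuration, transcribed (addresses and ACL numbers are the page's own) ---
ACL_2000 = [Rule("permit", ("192.168.0.0", "0.0.255.255"))]
ACL_3000 = [Rule("permit", ("192.168.0.0", "0.0.255.255"), ("192.168.34.55", "0.0.0.0"))]
ACL_2222 = [Rule("permit", ("192.168.34.55", "0.0.0.0"))]
ACL_3333 = [Rule("permit", ("192.168.34.55", "0.0.0.0"), ("192.168.0.0", "0.0.255.255"))]
STATIC_MAP = {"192.168.34.55": "211.1.1.4"}                      # nat static
GE5_1 = Interface("GigabitEthernet5/1", "211.1.1.2", static=True, pool=(ACL_2000, "211.1.1.50-211.1.1.100"))
GE5_0 = Interface("GigabitEthernet5/0", "202.2.2.2", static=True, pool=(ACL_2000, "202.2.2.50-202.2.2.100"))
GE0_0 = Interface("GigabitEthernet0/0", "192.168.86.2", static=True, easy_ip=ACL_3000)
PBR_AAA = [PbrNode(2, "permit", ACL_2222, "211.1.1.1"), PbrNode(3, "deny", ACL_3333)]
# Constructed variant (not on the page): the deny node numbered below the permit node.
PBR_AAA_DENY_FIRST = [PbrNode(5, "permit", ACL_2222, "211.1.1.1"), PbrNode(3, "deny", ACL_3333)]


if __name__ == "__main__":
    # Sample packets are constructed; 192.168.1.10 stands for a LAN host, 211.1.1.9 for an ISP 1 host.
    print(translate_source(GE5_1, "192.168.1.10", "211.1.1.9", STATIC_MAP))      # ('pool', '211.1.1.50-211.1.1.100')
    print(translate_source(GE5_1, "192.168.34.55", "211.1.1.9", STATIC_MAP))     # ('static', '211.1.1.4')
    print(translate_source(GE0_0, "192.168.1.10", "192.168.34.55", STATIC_MAP))  # ('interface', '192.168.86.2')
    print(pbr_next_hop(PBR_AAA, "192.168.34.55", "211.1.1.9"))                   # 211.1.1.1
    print(pbr_next_hop(PBR_AAA, "192.168.34.55", "192.168.1.10"))                # 211.1.1.1 (node 2 matches first)
    print(pbr_next_hop(PBR_AAA_DENY_FIRST, "192.168.34.55", "192.168.1.10"))     # None (deny node 3 seen first)
```

Run the file directly to see the decisions for the constructed sample packets; to check a different design, edit the transcribed ACLs, interfaces or node numbers and re-run rather than changing the evaluation functions.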
Verifying the configuration:
(1) Verify that hosts inside the LAN can communicate with the outside.
# A host inside the LAN pings the server's public IP address 211.1.1.4/24 successfully.
C:\Documents and Settings\Administrator> ping 211.1.1.4
Pinging 211.1.1.4 with 32 bytes of data:
Reply from 211.1.1.4: bytes=32 time=8 ms ttl=127
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=127
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=127
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=127
Ping statistics for 211.1.1.4:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
# A host inside the LAN pings the IP address of ISP 1 successfully.
C:\Documents and Settings\Administrator> ping 211.1.1.1
Pinging 211.1.1.1 with 32 bytes of data:
Reply from 211.1.1.1: bytes=32 time=8 ms ttl=254
Reply from 211.1.1.1: bytes=32 time=1 ms ttl=254
Reply from 211.1.1.1: bytes=32 time=1 ms ttl=254
Reply from 211.1.1.1: bytes=32 time=1 ms ttl=254
Ping statistics for 211.1.1.1:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
# A host inside the LAN pings the IP address of ISP 2 successfully.
C:\Documents and Settings\Administrator> ping 202.2.2.1
Pinging 202.2.2.1 with 32 bytes of data:
Reply from 202.2.2.1: bytes=32 time=8 ms ttl=254
Reply from 202.2.2.1: bytes=32 time=1 ms ttl=254
Reply from 202.2.2.1: bytes=32 time=1 ms ttl=254
Reply from 202.2.2.1: bytes=32 time=1 ms ttl=254
Ping statistics for 202.2.2.1:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
(2) Verify that hosts inside the LAN and hosts in ISP 2 can communicate with the LAN server.
# A host inside the LAN pings the server domain name test.lan.cn successfully.
C:\Documents and Settings\Administrator> ping test.lan.cn
Pinging 192.168.34.55 with 32 bytes of data:
Reply from 192.168.34.55: bytes=32 time=8 ms ttl=255
Reply from 192.168.34.55: bytes=32 time=1 ms ttl=255
Reply from 192.168.34.55: bytes=32 time=1 ms ttl=255
Reply from 192.168.34.55: bytes=32 time=1 ms ttl=255
Ping statistics for 192.168.34.55:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
# A host inside ISP 2 pings the server domain name test.lan.cn successfully.
C:\Documents and Settings\Administrator> ping test.lan.cn
Pinging 211.1.1.4 with 32 bytes of data:
Reply from 211.1.1.4: bytes=32 time=8 ms ttl=125
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=125
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=125
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=125
Ping statistics for 211.1.1.4:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
Configuration file:
#
nat address-group 1 211.1.1.50 211.1.1.100
nat address-group 2 202.2.2.50 202.2.2.100
#
acl number 2000
rule 10 permit source 192.168.0.0 0.0.255.255
acl number 2222
rule 0 permit source 192.168.34.55 0
#
acl number 3000
rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.34.55 0
acl number 3333
rule 0 permit ip source 192.168.34.55 0 destination 192.168.0.0 0.0.255.255
#
policy-based-route aaa deny node 3
if-match acl 3333
policy-based-route aaa permit node 2
if-match acl 2222
apply ip-address next-hop 211.1.1.1
#
interface GigabitEthernet0/0
port link-mode route
nat outbound static
nat outbound 3000
ip address 192.168.86.2 255.255.0.0
ip policy-based-route aaa
#
interface GigabitEthernet5/0
port link-mode route
nat outbound 2000 address-group 2
nat outbound static
ip address 202.2.2.2 255.255.255.0
tcp mss 1420
#
interface GigabitEthernet5/1
port link-mode route
nat outbound static
nat outbound 2000 address-group 1
ip address 211.1.1.2 255.255.255.0
tcp mss 1420
#
ip route-static 0.0.0.0 0.0.0.0 202.2.2.1
#
nat static 192.168.34.55 211.1.1.4
#
Related documentation:
· H3C MSR Series Routers Command References (V5)-R2311
· H3C MSR Series Routers Configuration Guides (V5)-R2311
Documentation for different models and specifications varies slightly; contact your sales representative or the 400 support hotline for details. H3C reserves the right to modify the documentation without notice.