This example was configured and verified on an M9000-AI-E8 running release R9071.
As shown in the figure below:
A company's internal network uses IP addresses in 192.168.0.0/16.
The company owns two public IP addresses, 202.38.1.2 and 202.38.1.3.
The requirements are: users on the 192.168.1.0/24 segment of the internal network can access the Internet, while users on other segments cannot. The two public addresses 202.38.1.2 and 202.38.1.3 are shared using NAT444 port block dynamic mapping, with a public port range of 1024 to 65535 and a port block size of 300. When the port block assigned to a user is exhausted, one additional port block is allocated to that user.
Figure 1 Network diagram for NAT444 port block dynamic mapping
# Configure interface IP addresses, routes, security zones and inter-zone policies to ensure network reachability. (Details not shown.)
# Configure address group 0, which contains the two public addresses 202.38.1.2 and 202.38.1.3, with a public port range of 1024 to 65535, a port block size of 300, and an extended block number of 1.
<Device> system-view
[Device] nat address-group 0
[Device-address-group-0] address 202.38.1.2 202.38.1.3
[Device-address-group-0] port-range 1024 65535
[Device-address-group-0] port-block block-size 300 extended-block-number 1
[Device-address-group-0] quit
# Configure ACL 2000 to permit only packets from users on the 192.168.1.0/24 internal segment to be translated.
[Device] acl basic 2000
[Device-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Device-acl-ipv4-basic-2000] quit
# On interface GigabitEthernet1/0/2, configure outbound dynamic NAT so that packets matching ACL 2000 have their source addresses translated to addresses in address group 0, with port information used in the translation.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] nat outbound 2000 address-group 0
[Device-GigabitEthernet1/0/2] quit
# After the configuration is complete, Host A can access the external server, while Host B and Host C cannot. The following display output verifies that the configuration has taken effect.
[Device] display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group ID: 0
Port range: 1024-65535
Port block size: 300
Extended block number: 1
Address information:
Start address End address
202.38.1.2 202.38.1.3
Exclude address information:
Start address End address
--- ---
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: GigabitEthernet1/0/2
ACL: 2000
Address group ID: 0
Port-preserved: N NO-PAT: N Reversible: N
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
NO-PAT IP usage : Disabled
NAT mapping behavior:
Mapping mode : Address and Port-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Enabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SCTP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Static NAT load balancing: Disabled
NAT link-switch recreate-session: Disabled
NAT configuration-for-new-connection: Disabled
# The following display command shows the number of NAT sessions, the total number of dynamic port blocks currently available for assignment, and the number of dynamic port blocks already assigned.
[Device] display nat statistics
Total session entries: 1
Session creation rate: 0
Total EIM entries: 0
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 0
Total dynamic port block entries: 430
Active static port block entries: 0
Active dynamic port block entries: 1
# The following display command shows the dynamic port block entries that have been created.
[Device] display nat port-block dynamic
Slot 1:
Local VPN Local IP Global IP Port block Connections
--- 192.168.1.10 202.38.1.2 65224-65523 1
Total mappings found: 1
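The following is an added model of how the address group above hands out port blocks; it is illustration code written for this page, not H3C device code. It reproduces the figures in the display output: 64512 ports per public address divided into 300-port blocks gives 215 blocks per address and 430 in total, and the last block of 202.38.1.2 is 65224-65523. Two details are assumptions of the model rather than documented device behaviour: a user's extended block is taken from the same public address as its first block, and the highest-numbered free block is assigned first. The ACL 2000 match (wildcard 0.0.0.255) is folded in so that a host outside 192.168.1.0/24 gets no translation at all.

```python
# Added model of NAT444 dynamic port-block allocation; illustration only, not
# H3C device code. Parameters mirror address group 0 on this page: two public
# addresses, port range 1024-65535, block size 300, one extended block per user.
import ipaddress
from dataclasses import dataclass, field


def acl_permits(host: str, source: str = "192.168.1.0", wildcard: str = "0.0.0.255") -> bool:
    """Comware basic ACL rule match: bits set to 1 in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(host)) & care) == (int(ipaddress.IPv4Address(source)) & care)


@dataclass
class PortBlockPool:
    addresses: list                   # public (global) addresses in the address group
    port_start: int = 1024
    port_end: int = 65535
    block_size: int = 300
    extended_block_number: int = 1    # extra blocks a user may get after the first one
    free: dict = field(init=False)    # global IP -> free block indexes
    users: dict = field(init=False)   # private IP -> {"blocks": [...], "used": set()}

    def __post_init__(self):
        span = self.port_end - self.port_start + 1
        # Ports that do not fill a whole block are never assigned (64512 // 300 = 215).
        self.blocks_per_address = span // self.block_size
        self.free = {ip: list(range(self.blocks_per_address)) for ip in self.addresses}
        self.users = {}

    def total_blocks(self) -> int:
        """Total dynamic port blocks the group can hand out (430 on this page)."""
        return self.blocks_per_address * len(self.addresses)

    def active_blocks(self) -> int:
        """Blocks currently assigned to users (the 'Active dynamic port block entries' counter)."""
        return sum(len(u["blocks"]) for u in self.users.values())

    def block_range(self, index: int):
        """Port range covered by block number index on one public address."""
        start = self.port_start + index * self.block_size
        return start, start + self.block_size - 1

    def allocate_block(self, private_ip: str):
        """Give private_ip its first block, or one extended block; None if not allowed."""
        user = self.users.setdefault(private_ip, {"blocks": [], "used": set()})
        if len(user["blocks"]) > self.extended_block_number:
            return None               # initial block plus extended-block-number already held
        # Assumption of this model: extended blocks stay on the user's existing public IP,
        # and the highest-numbered free block is taken first (65224-65523 on this page).
        candidates = [user["blocks"][0][0]] if user["blocks"] else self.addresses
        for ip in candidates:
            if self.free[ip]:
                index = self.free[ip].pop()
                block = (ip,) + self.block_range(index)
                user["blocks"].append(block)
                return block
        return None                   # no free block on the candidate address(es)

    def new_session(self, private_ip: str):
        """Reserve a public port for a new session: (global_ip, port) or None when exhausted."""
        if not acl_permits(private_ip):
            return None               # traffic outside ACL 2000 is not translated
        user = self.users.setdefault(private_ip, {"blocks": [], "used": set()})
        while True:
            for ip, start, end in user["blocks"]:
                for port in range(start, end + 1):
                    if (ip, port) not in user["used"]:
                        user["used"].add((ip, port))
                        return ip, port
            if self.allocate_block(private_ip) is None:
                return None           # user has hit its 1 + extended_block_number limit


if __name__ == "__main__":
    pool = PortBlockPool(["202.38.1.2", "202.38.1.3"])
    print("total dynamic port blocks:", pool.total_blocks())
    print("Host A first session:", pool.new_session("192.168.1.10"))
    print("Host B (other segment):", pool.new_session("192.168.2.10"))
    for _ in range(300):              # exhaust the first block and trigger the extended one
        last = pool.new_session("192.168.1.10")
    print("301st session (extended block):", last, "active blocks:", pool.active_blocks())
```

With block-size 300 and extended-block-number 1, a single internal host can hold at most 300 × (1 + 1) = 600 translated ports at once; the 601st concurrent session is refused rather than taking ports from another user's block. That ceiling is what bounds how much of the two public addresses one host can consume, so the two parameters should be sized from the expected per-user session count rather than left at whatever fits the address pool.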
#
nat address-group 0
port-range 1024 65535
port-block block-size 300 extended-block-number 1
address 202.38.1.2 202.38.1.3
#
interface GigabitEthernet1/0/1
ip address 192.168.1.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 202.38.1.1 255.255.255.0
nat outbound 2000 address-group 0
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
acl basic 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust