CLI example: Typical configuration for mutual access between two VPNs with overlapping addresses

Applicable version

This example was configured and verified on an M9000-X06 running software version E9900.

Network requirements

As shown in the figure below, two departments of a company belong to different VPN instances because their services must be isolated, and both departments use the same subnet address space internally. The hosts Host A and Host B in the two departments must now be able to reach each other through NAT addresses.

Figure 1 Network diagram for mutual access between two VPNs with overlapping addresses

Configuration approach

This is a typical twice-NAT application: both the source IP address and the destination IP address of packets exchanged between hosts in the two VPNs must be translated, so NAT is applied twice in succession on the device that connects the two VPNs. This is achieved by configuring static address translation on the interfaces on both sides of the NAT device: Host A (192.168.1.2 in vpn1) is published into vpn2 as 172.16.1.2, and Host B (192.168.1.2 in vpn2) is published into vpn1 as 172.16.2.2, so each host addresses the other by its NAT address rather than by the overlapping real address.

To allow access between the VPNs, the inter-zone policy must be configured to permit packets of the VPN instances, so that traffic between the VPN instances is released.

Configuration procedure

# Configure interface IP addresses, routes, security zones, and the inter-zone policy; in the inter-zone policy, permit packets of the VPN instances so that the network is reachable. (Detailed steps omitted.)

# Configure the static address translation mapping between IP address 192.168.1.2 in VPN 1 and IP address 172.16.1.2 in VPN 2.

<Device> system-view

[Device] nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

# Configure the static address translation mapping between IP address 192.168.1.2 in VPN 2 and IP address 172.16.2.2 in VPN 1.

[Device] nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

# Enable static address translation on interface GigabitEthernet1/0/2.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] nat static enable

[Device-GigabitEthernet1/0/2] quit

# Enable static address translation on interface GigabitEthernet1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] nat static enable

[Device-GigabitEthernet1/0/1] quit
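The following Python model is an added example and is not part of the H3C guide or of the device software. It reproduces, in plain code, what the two "nat static outbound" entries above do to a packet crossing from one VPN to the other: the entry whose local side matches the source rewrites the source and moves the packet into the peer VPN, and the entry whose global side matches the destination rewrites the destination to the host's real (overlapping) address. Ports, ALGs and routing are deliberately left out, and the mapping semantics are an assumption derived from the session output the page shows later; the names StaticMapping, Packet, translate and round_trip are this example's own.

```python
# Added example (not part of the H3C configuration guide): a small model of the
# twice-NAT behaviour configured above. Ports, ALGs and routing are ignored; the
# mapping semantics are an assumption drawn from the example's session output.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticMapping:
    """One 'nat static outbound LOCAL vpn-instance LVPN GLOBAL vpn-instance GVPN' entry."""
    local_ip: str
    local_vpn: str
    global_ip: str
    global_vpn: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vpn: str  # VPN instance the packet currently belongs to


# The two mappings from the example configuration.
MAPPINGS = (
    StaticMapping("192.168.1.2", "vpn1", "172.16.1.2", "vpn2"),  # Host A as seen from vpn2
    StaticMapping("192.168.1.2", "vpn2", "172.16.2.2", "vpn1"),  # Host B as seen from vpn1
)


def translate(pkt: Packet, mappings: Iterable[StaticMapping] = MAPPINGS) -> Optional[Packet]:
    """Apply both translations a packet receives when it crosses from one VPN to the other.

    Source side: the mapping whose (local_ip, local_vpn) equals (src, vpn) rewrites the
    source to global_ip and moves the packet into global_vpn.
    Destination side: the mapping whose (global_ip, global_vpn) equals (dst, vpn) rewrites
    the destination to that mapping's local_ip (the host's real, overlapping address).
    Returns None when either half is missing, i.e. the packet is not carried across.
    """
    mappings = tuple(mappings)
    src_map = next((m for m in mappings
                    if m.local_ip == pkt.src and m.local_vpn == pkt.vpn), None)
    dst_map = next((m for m in mappings
                    if m.global_ip == pkt.dst and m.global_vpn == pkt.vpn), None)
    if src_map is None or dst_map is None:
        return None
    if src_map.global_vpn != dst_map.local_vpn:
        # The two halves would deliver the packet into different VPNs: inconsistent config.
        return None
    return Packet(src=src_map.global_ip, dst=dst_map.local_ip, vpn=src_map.global_vpn)


def round_trip(initiator: Packet, mappings: Iterable[StaticMapping] = MAPPINGS):
    """Translate a request and then its reply, to check the reply lands back on the sender."""
    mappings = tuple(mappings)
    fwd = translate(initiator, mappings)
    if fwd is None:
        return None
    reply = Packet(src=fwd.dst, dst=fwd.src, vpn=fwd.vpn)
    return fwd, translate(reply, mappings)


if __name__ == "__main__":
    # Constructed sample: Host A (192.168.1.2 in vpn1) pings Host B's NAT address 172.16.2.2.
    host_a_to_b = Packet("192.168.1.2", "172.16.2.2", "vpn1")
    fwd, back = round_trip(host_a_to_b)
    print("Host A sends :", host_a_to_b)
    print("seen in vpn2 :", fwd)   # Packet(src='172.16.1.2', dst='192.168.1.2', vpn='vpn2')
    print("reply in vpn1:", back)  # Packet(src='172.16.2.2', dst='192.168.1.2', vpn='vpn1')
    # Using the overlapping real address instead of the NAT address crosses no VPN boundary.
    print("real address :", translate(Packet("192.168.1.2", "192.168.1.2", "vpn1")))  # None
    # With only one of the two mappings configured, the destination half is missing.
    print("one mapping  :", translate(host_a_to_b, MAPPINGS[:1]))  # None
```

The forward packet the model produces (source 172.16.1.2, destination 192.168.1.2, in vpn2) is the mirror image of the Responder entry in the "display nat session verbose" output below, which is the quickest way to confirm on the device that both halves of the translation took place. The two None cases are the failure modes to watch for: a host that keeps using the real 192.168.1.2 address never leaves its own VPN, and a single mapping on its own leaves the destination untranslated.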

Verifying the configuration

# After the above configuration, Host A and Host B can communicate with each other; Host A is reached from VPN 2 at its NAT address 172.16.1.2, and Host B is reached from VPN 1 at its NAT address 172.16.2.2. The following display output confirms the configuration: both static mappings and both interfaces enabled with static NAT show Config status: Active.

[Device] display nat all

Static NAT mappings:

Totally 2 outbound static NAT mappings.

IP-to-IP:

Local IP : 192.168.1.2

Global IP : 172.16.1.2

Local VPN : vpn1

Global VPN : vpn2

Config status: Active

IP-to-IP:

Local IP : 192.168.1.2

Global IP : 172.16.2.2

Local VPN : vpn2

Global VPN : vpn1

Config status: Active

Interfaces enabled with static NAT:

Totally 2 interfaces enabled with static NAT.

Interface: GigabitEthernet1/0/1

Config status: Active

Interface: GigabitEthernet1/0/2

Config status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NO-PAT IP usage : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Disabled

ICMP-ERROR : Enabled

ILS : Disabled

MGCP : Disabled

NBT : Disabled

PPTP : Enabled

RTSP : Enabled

RSH : Disabled

SCCP : Disabled

SCTP : Disabled

SIP : Disabled

SQLNET : Disabled

TFTP : Disabled

XDMCP : Disabled

Static NAT load balancing: Disabled

NAT link-switch recreate-session: Disabled

NAT configuration-for-new-connection: Disabled

# The following display command shows the NAT session created when Host A accesses Host B. The Initiator entry is the packet as Host A sent it (source 192.168.1.2 in vpn1, destination 172.16.2.2), and the Responder entry is the reply as seen in vpn2 (Host B at its real address 192.168.1.2 answering Host A's NAT address 172.16.1.2), which shows that both the source and the destination address were translated. Both directions are in the Trust zone, which matches the configuration file below, where both overlapping subnets are imported into Trust and intra-zone traffic is permitted by default.

[Device] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 192.168.1.2/42496

Destination IP/port: 172.16.2.2/2048

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: vpn1/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Trust

Responder:

Source IP/port: 192.168.1.2/42496

Destination IP/port: 172.16.1.2/0

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: vpn2/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet1/0/2

Source security zone: Trust

State: ICMP_REPLY

Application: INVALID

Rule ID: -/-/-

Rule name:

Start time: 2012-08-16 09:30:49 TTL: 27s

Initiator->Responder: 5 packets 420 bytes

Responder->Initiator: 5 packets 420 bytes

Total sessions found: 1

Configuration file

#

ip vpn-instance vpn1

#

ip vpn-instance vpn2

#

security-zone intra-zone default permit

#

nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

#

interface GigabitEthernet1/0/1

ip binding vpn-instance vpn1

ip address 192.168.1.1 255.255.255.0

nat static enable

#

interface GigabitEthernet1/0/2

ip binding vpn-instance vpn2

ip address 192.168.1.1 255.255.255.0

nat static enable

#

security-zone name Trust

import ip 192.168.1.0 24 vpn-instance vpn1

import ip 192.168.1.0 24 vpn-instance vpn2

#