组网需求
如图1所示,某公司A区和B区的私网用户和互联网相连,路由器上接口GigabitEthernet3/0/0的公网地址为202.169.10.1/24,对端运营商侧地址为202.169.10.2/24。A区用户希望使用公网地址池中的地址(202.169.10.100~202.169.10.200)采用NAT方式替换A区内部的主机地址(网段为192.168.20.0/24),访问因特网。B区用户希望结合B区的公网IP地址比较少的情况,使用公网地址池(202.169.10.80~202.169.10.83)采用IP地址和端口的替换方式替换B区内部的主机地址(网段为10.0.0.0/24),访问因特网。
配置思路
配置动态地址转换的思路如下:
1. 配置接口IP地址、缺省路由和在WAN侧接口下配置NAT Outbound,实现内部主机访问外网服务功能。
操作步骤
1. 在Router上配置接口IP地址
<Huawei> system-view [Huawei] sysname Router [Router] vlan 100 [Router-vlan100] quit [Router] interface vlanif 100 [Router-Vlanif100] ip address 192.168.20.1 24 [Router-Vlanif100] quit [Router] interface ethernet 2/0/0 [Router-Ethernet2/0/0] port link-type access [Router-Ethernet2/0/0] port default vlan 100 [Router-Ethernet2/0/0] quit [Router] vlan 200 [Router-vlan200] quit [Router] interface vlanif 200 [Router-Vlanif200] ip address 10.0.0.1 24 [Router-Vlanif200] quit [Router] interface ethernet 2/0/1 [Router-Ethernet2/0/1] port link-type access [Router-Ethernet2/0/1] port default vlan 200 [Router-Ethernet2/0/1] quit [Router] interface gigabitethernet 3/0/0 [Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24 [Router-GigabitEthernet3/0/0] quit
2. 在Router上配置缺省路由,指定下一跳地址为202.169.10.2
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
3. 在Router上配置NAT Outbound
[Router] nat address-group 1 202.169.10.100 202.169.10.200 [Router] nat address-group 2 202.169.10.80 202.169.10.83 [Router] acl 2000 [Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255 [Router-acl-basic-2000] quit [Router] acl 2001 [Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255 [Router-acl-basic-2001] quit [Router] interface gigabitethernet 3/0/0 [Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat [Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2 [Router-GigabitEthernet3/0/0] quit
4. 检查配置结果
# 在Router上执行命令display nat outbound,查看地址转换结果
# 在Router上执行命令ping,验证内网可以访问因特网
