H3C防火墻F100-C-G2的NAT配置

------------------------------------------------------------------------H3C防火墻F100-C-G2的NAT配置1.Firewall的配置#指定GigabitEthernet1/0/1端口的電口被激活，使用雙絞線連接<H3C>system-view[H3C]interfacegigabitethernet1/0/1[H3C-GigabitEthernet1/0/1]comboenablecopper[H3C-GigabitEthernet1/0/1]quit#按照組網(wǎng)圖配置各接口的IP地址。<Sysname>system-view[Sysname]interfacegigabitethernet1/0/1[Sysname-GigabitEthernet1/0/1]portlink-moderoute[Sysname-GigabitEthernet1/0/1]ipaddress10.110.10.10255.255.255.0[Sysname-GigabitEthernet1/0/1]quit[Sysname]interfacegigabitethernet1/0/2[Sysname-GigabitEthernet1/0/2]portlink-moderoute[Sysname-GigabitEthernet1/0/2]ipaddress202.38.1.1255.255.255.0[Sysname-GigabitEthernet1/0/2]quit#創(chuàng)建安全域，并將不同的接口加入不同的安全域。[Sysname]security-zonenameTrust[Sysname-security-zone-Trust]importinterfacegigabitethernet1/0/1[Sysname-security-zone-Trust]quit[Sysname]security-zonenameUntrust[Sysname-security-zone-Untrust]importinterfacegigabitethernet1/0/2[Sysname-security-zone-Untrust]quit#配置訪問控制列表2001，僅允許內(nèi)部網(wǎng)絡中10.110.10.0/24網(wǎng)段的用戶可以訪問Internet。[Sysname]aclnumber2001[Sysname-acl-basic-2001]rulepermitsource10.110.10.00.0.0.255[Sysname-acl-basic-2001]ruledeny[Sysname-acl-basic-2001]quit#配置域間策略，應用ACL2001進行報文過濾。[Sysname]zone-pairsecuritysourceTrustdestinationUntrust[Sysname-zone-pair-security-Trust-Untrust]packet-filter2001[Sysname-zone-pair-security-Trust-Untrust]quit#配置IP地址池1，包括兩個公網(wǎng)地址202.38.1.2和202.38.1.3。[Sysname]nataddress-group1[Sysname-address-group-1]address202.38.1.2202.38.1.3[Sysname-address-group-1]quit#在出接口GigabitEthernet1/0/2上配置ACL2001與IP地址池1相關聯(lián)。NO-PAT方式：進行源地址轉(zhuǎn)換，不轉(zhuǎn)換源端口[Sysname]interfacegigabitethernet1/0/2[Sysname-GigabitEthernet1/0/2]natoutbound2001address-group1no-pat[Sysname-GigabitEthernet1/0/2]quitPAT方式：進行源地址轉(zhuǎn)換，同時轉(zhuǎn)換源端口[Sysname]interfacegigabitethernet1/0/2[Sysname-GigabitEthernet1/0/2]natoutbound2001address-group1[Sysname]interfacegigabitethernet1/0/2PAT方式：進行源地址轉(zhuǎn)換，但不轉(zhuǎn)換源端口[Sysname-GigabitEthernet1/0/2]natoutbound2001address-group1port-preserved[Sysname-GigabitEthernet1/0/2]quit6.3驗證配置(1)上述配置完成后，內(nèi)網(wǎng)主機可以訪問外網(wǎng)服務器。通過查看如下顯示信息，可以驗證上述配置成功，以PAT方式為例。[Sysname]displaynatall[Sysname]displaynatsessionverbose<Sysname>displaycurrent-configuration2．如果不行的話，需要如下配置iproute-static0.0.0.00.0.0.010.110.10.10[H3C]security-zoneintra-zonedefaultpermit//配置同一安全域內(nèi)接口間報文處理的缺省動作為permit[H3C]object-policyipTrust-Untrust//創(chuàng)建Trust到Untrst的地址對象策略[H3C-object-policy-ip-Trust-Untrust]rule0pass//規(guī)則為允許[H3C-object-policy-ip-Trust-Untrust]quit[H3C]zone-pairsecuritysourceTrustdestinationUntrust//放通Turst到Untrust的域間策略[H3C-zone-pair-security-Trust-Untrust]object-policyapplyipTrust-Untrust//引用Trust到Untrst的地址對象策略[H3C-object-policy-ip-Trust-Untrust]quit

G1/0/1192.168.G1/0/1192.168.88.88/24G1/0/2192.168.123.254/23(1)指定GigabitEthernet1/0/1端口的電口被激活，使用雙絞線連接system-viewinterfacegigabitethernet1/0/1comboenablecopperquit(2)按照組網(wǎng)圖配置各接口的IP地址。system-viewinterfacegigabitethernet1/0/1portlink-moderouteipaddress192.168.88.88255.255.255.0quitinterfacegigabitethernet1/0/2portlink-moderouteipaddress192.168.123.254255.255.255.0quit(3)#創(chuàng)建安全域，并將不同的接口加入不同的安全域。security-zonenameTrustimportinterfacegigabitethernet1/0/2quitsecurity-zonenameUntrustimportinterfacegigabitethernet1/0/1quit(4)#配置訪問控制列表2001，僅允許內(nèi)部網(wǎng)絡中192.168.123.0/23網(wǎng)段的用戶可以訪問Internet。aclnumber2001rulepermitsource192.168.123.00.0.0.127quit(5)#配置域間策略，應用ACL2001進行報文過濾。zone-pairsecuritysourceTrustdestinationUntrustpacket-filter2001quit(6)#配置IP地址池1，包括兩個公網(wǎng)地址192.168.88.88和192.168.89。nataddress-group1address192.168.88.88192.168.88.89quit(7)#在出接口GigabitEthernet1/0/2上配置ACL2001與IP地址池1相關聯(lián)。PAT方式：進行源地址轉(zhuǎn)換，同時轉(zhuǎn)換源端口interfacegigabitethernet1/0/1natoutbound2001add