ENSP华为路由器出口NAT实验设计-电子发烧友网

1:实验需求

公司拥有多个部门且位于不同网段，各部门均有访问Internet的需求。现要求用户通过二层交换机和路由器访问外部网络，且要求路由器作为用户的网关。

我们按照图示的IP地址进行配置，最终的结果是PC1和PC2可以ping通公网地址192.169.1.2.

2:网络拓补图

这里多说一句哈，华为的ENSP模拟器有的路由器NAT配置了不生效，我在这里使用的是AR1220系列。

3：实验过程

CORE

sy
Entersystemview,returnuserviewwithCtrl+Z.
[Huawei]undoinfo-centerenable
Info:Informationcenterisdisabled.
[Huawei]sysnameCORE
[CORE]vlanbatch23100//创建vlan23100备用
Info:Thisoperationmaytakeafewseconds.Pleasewaitforamoment...done.

[CORE]dhcpenable//全局使能DHCP
Info:Theoperationmaytakeafewseconds.Pleasewaitforamoment.done.

[CORE]interfaceVlanif2//进入vlanif接口配置IP，DHCP的方式是基于接口
[CORE-Vlanif2]ipaddress192.168.2.25424
[CORE-Vlanif2]dhcpselectinterface
[CORE-Vlanif2]quit

[CORE]interfaceVlanif3
[CORE-Vlanif3]ipadd192.168.3.25424
[CORE-Vlanif3]dhcpselectinterface
[CORE-Vlanif3]quit

[CORE]interfaceVlanif100
[CORE-Vlanif100]ipadd192.168.100.224
[CORE-Vlanif100]quit

[CORE]interfaceGigabitEthernet0/0/1//设置终端链路类型access
[CORE-GigabitEthernet0/0/1]portlink-typeaccess
[CORE-GigabitEthernet0/0/1]portdefaultvlan2
[CORE-GigabitEthernet0/0/1]quit

[CORE]interfaceGigabitEthernet0/0/2
[CORE-GigabitEthernet0/0/2]portlink-typeaccess
[CORE-GigabitEthernet0/0/2]portdefaultvlan3
[CORE-GigabitEthernet0/0/2]quit

[CORE]interfaceGigabitEthernet0/0/3//设置链路终端类型，设置为access,路由器才能识别，或者trunk端口设置PVID。
[CORE-GigabitEthernet0/0/3]portlink-typeaccess
[CORE-GigabitEthernet0/0/3]portdefaultvlan100
[CORE-GigabitEthernet0/0/3]quit

[CORE]iproute-static0.0.0.00.0.0.0192.168.100.1//写一条默认路由，下一跳地址是对端的路由器

ROUTER

sy
system-view
Entersystemview,returnuserviewwithCtrl+Z.
[Huawei]undoinfo-centerenable
Info:Informationcenterisdisabled.
[Huawei]sysnameROUter

[ROUter]interfaceGigabitEthernet0/0/1//我们配置内网的IP接口
[ROUter-GigabitEthernet0/0/1]ipadd192.168.100.124
[ROUter-GigabitEthernet0/0/1]quit

[ROUter]iproute-static192.168.0.016192.168.100.2//我们配置到内网的回程路由，即192.168.X.X均可以匹配
[ROUter]iproute-static0.0.0.00.0.0.0192.169.1.2//设置一条默认路由去公网

[ROUter]interfaceGigabitEthernet0/0/0//配置公网的IP地址
[ROUter-GigabitEthernet0/0/0]ipaddress192.169.1.124
[ROUter-GigabitEthernet0/0/0]quit

[ROUter]acl2000//建基本ACL2000
[ROUter-acl-basic-2000]rulepermitsource192.168.0.00.0.255.255//允许192.168.X.X的网段
[ROUter-acl-basic-2000]quit

[ROUter]interfaceGigabitEthernet0/0/0//进入外网接口，调用acl2000
[ROUter-GigabitEthernet0/0/0]natoutbound2000//nat引用
[ROUter-GigabitEthernet0/0/0]quit


[ROUter]displaynatsessionall//这里我们可以看到NAT会话
NATSessionTableInformation:

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08890
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10259

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08888
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10257

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08889
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10258

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08887
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10256

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08886
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10255

公网路由器

sy
system-view//我们给它设置一个测试用的IP地址
[Huawei]interfaceGigabitEthernet0/0/0
[Huawei-GigabitEthernet0/0/0]ipadd192.169.1.224
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ping192.169.1.1//测试和公司公网IP的连通性
PING192.169.1.1:56databytes,pressCTRL_Ctobreak
Replyfrom192.169.1.1:bytes=56Sequence=1ttl=255time=90ms
Replyfrom192.169.1.1:bytes=56Sequence=2ttl=255time=20ms
Replyfrom192.169.1.1:bytes=56Sequence=3ttl=255time=30ms
Replyfrom192.169.1.1:bytes=56Sequence=4ttl=255time=30ms
Replyfrom192.169.1.1:bytes=56Sequence=5ttl=255time=20ms

---192.169.1.1pingstatistics---
5packet(s)transmitted
5packet(s)received
0.00%packetloss
round-tripmin/avg/max=20/38/90ms

[Huawei]

测试

我们使用PC1和PC2分别ping公网地址，如下图所示