某局点comwareV7 FW nat server不成功

组网如图:

现场需要实现1.1.1.1通过访问10.0.0.1的6023端口转换成1.1.1.1访问10.0.0.1的23端口，即只转地址不转端口

问题现象

访问不通

问题排查

Debug发现命中黑洞路由被丢弃

解决方案

在FW的外网口g1/0/1与内网口g1/0/2分别绑定vpn实例，并且在g1/0/1配置跨VPN实例的nat，这样黑洞路由就可以由VPN加以隔离

interface GigabitEthernet1/0/1

 port link-mode route

 combo enable copper

 ip binding vpn-instance vpn1

 ip address 1.1.1.2 255.255.255.0

 nat server protocol tcp global 10.0.0.1 6023 vpn-instance vpn1 inside 10.0.0.1 23 vpn-instance vpn2 rule ServerRule_1

 [fw]int GigabitEthernet  1/0/2

[fw-GigabitEthernet1/0/2]di thi

interface GigabitEthernet1/0/2

 port link-mode route

 combo enable copper

 ip binding vpn-instance vpn2

 ip address 10.0.0.2 255.255.255.0

安全策略记得放，为了简约全放通（nat server先转地址，再匹配策略，所以只用放通vpn2即可）

Security-policy ip

 rule 2 name 2

  action pass

  vrf vpn2

跨VPN路由记得要写（只用写VPN2到VPN1的路由即可，正向因为先转地址，再匹配路由，所以直接会从VPN1过渡到VPN2，从而从VPN2的路由表中查路由）

ip route-static vpn-instance vpn2 1.1.1.0 24 vpn-instance vpn1 1.1.1.1

配置完成之后，在RT1上测试，可以通过10.0.0.1的6023端口登录到RT2

<rt1>telnet  10.0.0.1 6023

Trying 10.0.0.1 ...

Press CTRL+K to abort

Connected to 10.0.0.1 ...

******************************************************************************

* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<rt2>

[fw]display  session table ipv4 verbose

Slot 1:

Initiator:

  Source      IP/port: 1.1.1.1/1370

  Destination IP/port: 10.0.0.1/6023

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn1/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Untrust

Responder:

  Source      IP/port: 10.0.0.1/23

  Destination IP/port: 1.1.1.1/1370

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn2/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Trust

State: TCP_ESTABLISHED

Application: XWINDOWS

Rule ID: 2

Rule name: 2

Start time: 2022-09-03 08:23:08  TTL: 1191s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes