防火墙配置rbm主备,参考官网案列
内网地址192.168.1.10--->2.2.2.2转换目的192.168.1.10--->192.168.2.10再转换源1.1.1.5--->192.168.2.10
防火墙是rbm主备结合vrrp组网:
全局nat配置:
对于“DNAT规则”或者“SNAT+DNAT规则”,不能将目的安全域作为报文的过滤条件。
[Device] nat global-policy
[Device-nat-global-policy] rule name rule1
[Device-nat-global-policy-rule-rule1] destination-ip host 2.2.2.2
[Device-nat-global-policy-rule-rule1] source-zone trust
[Device-nat-global-policy-rule-rule1] source-ip subnet 192.168.1.0 24
DeviceA-nat-global-policy-rule-rule1] action snat address-group 1 vrrp 2
[Device-nat-global-policy-rule-rule1] action dnat ip-address 192.168.2.10 vrrp 1
[Device-nat-global-policy-rule-rule1] quit
[DeviceA] nat address-group 1
[DeviceA-address-group-1] address 1.1.1.5 1.1.1.10
[DeviceA-address-group-1] vrrp vrid 2
[DeviceA-address-group-1] quit
安全策略配置:
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-1-trust-trust] source-zone trust
[Device-security-policy-ip-1-trust-trust] destination-zone untrust
[Device-security-policy-ip-1-trust-trust] source-ip test
[Device-security-policy-ip-1-trust-trust] action pass
[Device-security-policy-ip-1-trust-trust] quit
[Device-security-policy-ip] quit
[Device] object-group ip address test
[Device-obj-grp-ip-test] 0 network subnet 192.168.1.0 255.255.255.0
对于“DNAT规则”或者“SNAT+DNAT规则”,不能将目的安全域作为报文的过滤条件。
要结合vrrp编号:
DeviceA-nat-global-policy-rule-rule1] action snat address-group 1 vrrp 2
[Device-nat-global-policy-rule-rule1] action dnat ip-address 192.168.2.10 vrrp 1
测试的nat的debug
RBM_P<H3C>*Dec 20 00:45:54:605 2023 H3C NAT/7/COMMON: -COntext=1;
PACKET: (GigabitEthernet1/0/0-in-config) Protocol: ICMP
192.168.1.10:11021 - 2.2.2.5: 2048(VPN: 0) ------>
192.168.1.10:11021 - 192.168.2.10: 2048(VPN: 0)
*Dec 20 00:45:54:606 2023 H3C NAT/7/COMMON: -COntext=1;
PACKET: (GigabitEthernet1/0/1-out-config) Protocol: ICMP
192.168.1.10:11021 - 192.168.2.10: 2048(VPN: 0) ------>
1.1.1.10: 4 - 192.168.2.10: 2048(VPN: 0)
*Dec 20 00:45:54:606 2023 H3C NAT/7/COMMON: -COntext=1;
PACKET: (GigabitEthernet1/0/1-in-session) Protocol: ICMP
192.168.2.10: 4 - 1.1.1.10: 0(VPN: 0) ------>
192.168.2.10:11021 - 192.168.1.10: 0(VPN: 0)
*Dec 20 00:45:54:606 2023 H3C NAT/7/COMMON: -COntext=1;
PACKET: (GigabitEthernet1/0/0-out-session) Protocol: ICMP
192.168.2.10:11021 - 192.168.1.10: 0(VPN: 0) ------>
2.2.2.5:11021 - 192.168.1.10: 0(VPN: 0)
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作