Topology:
The FW establishes OSPF with MSR1 and OSPF with MSR2.
G1/0/1 belongs to VPN1; G1/0/2 belongs to VPN2.
On the FW, OSPF processes are bound to different VPN instances, and routes are imported across VPN instances.
The FW is also configured with static NAT444 so that MSR1's 10.0.0.1 can reach MSR2's 11.11.11.11.
Key configuration:
The MSR1 and MSR2 configuration is omitted; only the FW configuration is covered.
Add the interfaces to security zones:
security-zone name Trust
import interface GigabitEthernet1/0/1
security-zone name Untrust
import interface GigabitEthernet1/0/2
This case focuses on the mutual import of routes, so the security policy permits everything:
security-policy ip
rule 0 name 0
action pass
vrf vpn1
rule 1 name 1
action pass
vrf vpn2
Configure the VPN instances:
ip vpn-instance vpn1
route-distinguisher 10:11
ip vpn-instance vpn2
route-distinguisher 20:11
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip binding vpn-instance vpn1
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip binding vpn-instance vpn2
ip address 1.1.1.2 255.255.255.0
Configure dynamic NAT444 (the address group and port range):
nat address-group 0
port-range 1024 65535
address 2.2.2.3 2.2.2.3
Configure static NAT444 on interface G1/0/2:
interface GigabitEthernet1/0/2
dis ip routing-table vpn-instance vpn2
Manually add a cross-VPN-instance static default route from VPN1 to VPN2:
ip route-static vpn-instance vpn1 0.0.0.0 0 vpn-instance vpn2 1.1.1.1
OSPF advertises the default route 0.0.0.0 downstream to MSR1 and the NAT blackhole route 2.2.2.3 upstream. The vpn2 routing table on the FW before OSPF is configured:
<H3C>display ip routing-table vpn-instance vpn2
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.0/24 Direct 0 0 1.1.1.2 GE1/0/2
1.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.255/32 Direct 0 0 1.1.1.2 GE1/0/2
2.2.2.0/24 Static 60 0 0.0.0.0 NULL0
2.2.2.3/32 Direct 1 0 0.0.0.0 NULL0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
ospf 1 vpn-instance vpn1
default-route-advertise    (advertises the default route downstream)
area 0.0.0.0
network 10.0.0.2 0.0.0.0
ospf 2 vpn-instance vpn2
import-route direct    (advertises the blackhole route upstream)
filter-policy 3900 export    (route filtering so that only 2.2.2.3 is advertised)
area 0.0.0.0
network 1.1.1.2 0.0.0.0
Configure the ACL rule used for route filtering:
acl advanced 3900
rule 0 permit ip source 2.2.2.3 0
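The following is an added example, not part of the original case or of Comware itself: it parses the vpn2 routing table shown above, models what `import-route direct` would hand to OSPF 2, and applies ACL 3900 the way `filter-policy ... export` does (the route's destination address is matched against the ACL's source field with its wildcard). The set of redistributable direct routes is a simplified assumption (connected subnets and NAT blackhole host routes; InLoop0, broadcast and multicast entries are skipped).

```python
import ipaddress

# Constructed sample: the FW's vpn2 routing table as printed on this page.
VPN2_TABLE = """\
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.0/24 Direct 0 0 1.1.1.2 GE1/0/2
1.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.255/32 Direct 0 0 1.1.1.2 GE1/0/2
2.2.2.0/24 Static 60 0 0.0.0.0 NULL0
2.2.2.3/32 Direct 1 0 0.0.0.0 NULL0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
"""

# ACL 3900 from the page: "rule 0 permit ip source 2.2.2.3 0" -> (action, address, wildcard)
ACL_3900 = [("permit", "2.2.2.3", "0.0.0.0")]

def parse_routes(text):
    """Return (prefix, proto, nexthop, iface) tuples from a Comware routing-table dump."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) == 6:
            rows.append((ipaddress.ip_network(parts[0]), parts[1], parts[4], parts[5]))
    return rows

def acl_permits(prefix, acl):
    """Wildcard match of the route destination against each rule's source field."""
    addr = int(prefix.network_address)
    for action, ip, wild in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))   # 1 bits must match
        if addr & care == int(ipaddress.ip_address(ip)) & care:
            return action == "permit"
    return False                                 # implicit deny at end of ACL

def direct_candidates(routes):
    """Simplified (assumed) model of 'import-route direct': connected subnets + NAT blackholes."""
    nets = [p for p, proto, _, iface in routes if proto == "Direct" and iface != "InLoop0"]
    bcast = {n.broadcast_address for n in nets if n.prefixlen < 32}
    return {str(p) for p in nets
            if not p.is_multicast and not (p.prefixlen == 32 and p.network_address in bcast)}

def exported_routes(text, acl=None):
    """Routes OSPF 2 would advertise upstream, optionally after the export filter-policy."""
    cands = direct_candidates(parse_routes(text))
    if acl is None:
        return cands
    return {p for p in cands if acl_permits(ipaddress.ip_network(p), acl)}
```

Without the filter the model also leaks the 1.1.1.0/24 link route; with ACL 3900 only the NAT pool host route 2.2.2.3/32 is exported, which matches the O_ASE2 entry later seen on MSR2.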
After the configuration is complete, the default route is visible on MSR1:
<H3C>dis ip routing-table
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 O_ASE2 150 1 10.0.0.2 GE0/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.0/24 Direct 0 0 10.0.0.1 GE0/0
10.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.255/32 Direct 0 0 10.0.0.1 GE0/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
On MSR2, the route to the NAT address pool 2.2.2.3 is visible:
<H3C>dis ip routing-table
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.0/24 Direct 0 0 1.1.1.1 GE0/2
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
1.1.1.255/32 Direct 0 0 1.1.1.1 GE0/2
2.2.2.3/32 O_ASE2 150 1 1.1.1.2 GE0/2
11.11.11.11/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
And MSR1 can ping MSR2:
<H3C>ping 11.11.11.11
Ping 11.11.11.11 (11.11.11.11): 56 data bytes, press CTRL+C to break
56 bytes from 11.11.11.11: icmp_seq=0 ttl=254 time=0.790 ms
56 bytes from 11.11.11.11: icmp_seq=1 ttl=254 time=0.563 ms
56 bytes from 11.11.11.11: icmp_seq=2 ttl=254 time=0.346 ms
56 bytes from 11.11.11.11: icmp_seq=3 ttl=254 time=0.604 ms
56 bytes from 11.11.11.11: icmp_seq=4 ttl=254 time=0.679 ms
The session on the FW (the first query shows no session yet; the second, during the ping, shows the translated cross-VPN session):
<H3C>display nat session verbose
Slot 1:
Total sessions found: 0
<H3C>display nat session verbose
Slot 1:
Initiator:
Source IP/port: 10.0.0.1/10979
Destination IP/port: 11.11.11.11/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn1/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 11.11.11.11/1026
Destination IP/port: 2.2.2.3/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn2/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: 0
Start time: 2024-03-29 16:00:29 TTL: 28s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
Total sessions found: 1