• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

VPN实例与非VPN实例业务通过NAT互通方法

2019-11-24 发表
  • 1关注
  • 2收藏 4086浏览
程咪 九段
粉丝:24人 关注:1人

问题描述

VPN实例与非VPN实例业务通过NAT互通方法

解决方法

VPN实例与非VPN实例业务通过NAT互通方法

1 配置需求或说明

1.1  配置需求及实现的效果

三台路由器A B C串联,A设备属于非VPN实例,C设备属于VPN实例,C没有A的路由。要求在B设备上配置NAT,实现A可以访问C

2 组网图


3 配置步骤

3.1  配置设备地址、路由  

3.1.1  配置A路由器地址、路由

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C]

[H3C]int g0/0

[H3C-GigabitEthernet0/0] ip address 192.168.1.10 255.255.255.0

[H3C-GigabitEthernet0/0]quit

[H3C] ip route-static 0.0.0.0 0 192.168.1.1

[H3C]save force

3.1.2  配置B路由器地址

<H3C>system-view

[H3C]ip vpn-instance  1

[H3C-vpn-instance-1]route-distinguisher 1:1

[H3C-vpn-instance-1]vpn-target 1:1 import-extcommunity

[H3C-vpn-instance-1]vpn-target 1:1 export-extcommunity

[H3C-vpn-instance-1]quit

[H3C]int g0/0

[H3C-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0

[H3C-GigabitEthernet0/0]quit

[H3C]int g0/1

[H3C-GigabitEthernet0/1]ip binding vpn-instance 1

[H3C-GigabitEthernet0/1]ip address 192.168.2.1 255.255.255.0

[H3C-GigabitEthernet0/1]quit

[H3C] ip route-static 0.0.0.0 0 vpn-instance 1 192.168.2.10

[H3C] ip route-static vpn-instance 1 192.168.1.0 24 192.168.1.10 public

3.2  配置C路由器地址

<H3C>system-view

[H3C]int g0/0

[H3C-GigabitEthernet0/0] ip address 192.168.2.10 255.255.255.0

[H3C-GigabitEthernet0/0]quit

[H3C]save force

3.3  配置B设备NAT

[H3C]acl advanced  3000

[H3C-acl-ipv4-adv-3000]rule 0 permit ip    //无需携带VPN实例。携带实例后,匹配不上规则

[H3C-acl-ipv4-adv-3000]quit

[H3C] nat address-group 1

[H3C-address-group-1] address 192.168.2.100 192.168.2.100

[H3C-address-group-1]quit

[H3C]int g0/1

[H3C-GigabitEthernet0/1]nat outbound 3000 address-group 1 vpn-instance 1

[H3C-GigabitEthernet0/1]quit

[H3C]save force

 

4 Debug NAT分析、总结

4.1  B路由器G0/1接口配置nat outbound时,不携带vpn-instance1

A 无法pingC。三台设备debug ip packetB设备同时debug nat查看,发现C路由器应答报文,但是A设备没有正常接收到。

B设备debug

*Aug 31 12:11:31:194 2018 H3C NAT/7/COMMON:

 PACKET: (GigabitEthernet0/1-out) Protocol: ICMP

     192.168.1.1:    0 -    192.168.2.10:    0(VPN:    0) ------>

   192.168.2.100:    0 -    192.168.2.10:    0(VPN:    0)

*Aug 31 12:11:31:194 2018 H3C IPFW/7/IPFW_PACKET:

Sending, interface = GigabitEthernet0/1, version = 4, headlen = 20, tos = 0,

pktlen = 84, pktid = 24, offset = 0, ttl = 255, protocol = 1,

checksum = 13778, s = 192.168.2.100, d = 192.168.2.10

prompt: Sending the packet from local at GigabitEthernet0/1.

 

Request time out

 

C设备debug

<H3C>*Aug 31 13:26:30:101 2018 H3C IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 40, pktid = 32997, offset = 0, ttl = 3, protocol = 17,

checksum = 45345, s = 192.168.2.100, d = 192.168.2.10

prompt: Receiving IP packet.

 

*Aug 31 13:26:30:101 2018 H3C IPFW/7/IPFW_PACKET:

Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 40, pktid = 32997, offset = 0, ttl = 3, protocol = 17,

checksum = 45345, s = 192.168.2.100, d = 192.168.2.10

prompt: IP packet is delivering up.

 

*Aug 31 13:26:30:101 2018 H3C IPFW/7/IPFW_PACKET:

Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 56, pktid = 32997, offset = 0, ttl = 255, protocol = 1,

checksum = 46368, s = 192.168.2.10, d = 192.168.2.100

prompt: Sending the packet from local at GigabitEthernet0/0.

 

4.2  B路由器G0/1接口配置nat outbound时,携带vpn-instance1

B设备debug

*Aug 31 13:29:59:622 2018 H3C IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 40, pktid = 32993, offset = 0, ttl = 2, protocol = 17,

checksum = 45951, s = 192.168.1.10, d = 192.168.2.10

prompt: Receiving IP packet.

 

*Aug 31 13:29:59:622 2018 H3C NAT/7/COMMON:

 PACKET: (GigabitEthernet0/1-out) Protocol: UDP

    192.168.1.10:32990 -    192.168.2.10:33437(VPN:    0) ------>

   192.168.2.100: 1024 -    192.168.2.10:33437(VPN:    1)

*Aug 31 13:29:59:622 2018 H3C IPFW/7/IPFW_PACKET:

Sending, interface = GigabitEthernet0/1, version = 4, headlen = 20, tos = 0,

pktlen = 40, pktid = 32993, offset = 0, ttl = 1, protocol = 17,

checksum = 45861, s = 192.168.2.100, d = 192.168.2.10

prompt: Sending the packet from GigabitEthernet0/0 at GigabitEthernet0/1.

 

*Aug 31 13:29:59:623 2018 H3C IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/1, version = 4, headlen = 20, tos = 0,

pktlen = 56, pktid = 32993, offset = 0, ttl = 255, protocol = 1,

checksum = 46372, s = 192.168.2.10, d = 192.168.2.100

prompt: Receiving IP packet.

 

*Aug 31 13:29:59:623 2018 H3C IPFW/7/IPFW_PACKET:

Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 56, pktid = 32993, offset = 0, ttl = 254, protocol = 1,

checksum = 46974, s = 192.168.2.10, d = 192.168.1.10

prompt: Sending the packet from GigabitEthernet0/1 at GigabitEthernet0/0.

 

C设备debug

*Aug 31 13:30:11:890 2018 H3C IPFW/7/IPFW_PACKET:

Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 40, pktid = 32993, offset = 0, ttl = 1, protocol = 17,

checksum = 45861, s = 192.168.2.100, d = 192.168.2.10

prompt: Receiving IP packet.

 

*Aug 31 13:30:11:890 2018 H3C IPFW/7/IPFW_PACKET:

Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 40, pktid = 32993, offset = 0, ttl = 1, protocol = 17,

checksum = 45861, s = 192.168.2.100, d = 192.168.2.10

prompt: IP packet is delivering up.

 

*Aug 31 13:30:11:892 2018 H3C IPFW/7/IPFW_PACKET:

Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,

pktlen = 56, pktid = 32993, offset = 0, ttl = 255, protocol = 1,

checksum = 46372, s = 192.168.2.10, d = 192.168.2.100

prompt: Sending the packet from local at GigabitEthernet0/0.

 

总结:对别两次debug,发现,当nat 带实例时,nat表项可以正常记录出去的流量属于VPN实例1,所以路由器B接收到C的回包时,可以查询到nat会话信息,正常接收并转发报文。

1) 报文来源属于非VPN实例时,ACL规则不需要携带VPN实例;反之,需要绑定实例;

2) 配置NAT outbound的接口绑定了VPN实例时,nat outbound配置需要携带VPN实例名

5 扩展

A路由器属于VPN实例1 C设备属于非VPN实例。CA的路由,需要B设备nat后,实现A能访问C

AC配置不变。

B设备的配置需要修改为如下(红色部分是修改的配置):

#

ip vpn-instance 1

 route-distinguisher 1:1

 vpn-target 1:1 import-extcommunity

 vpn-target 1:1 export-extcommunity

#

interface GigabitEthernet0/0

 ip binding vpn-instance 1

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet0/1

 ip address 192.168.2.1 255.255.255.0

 nat outbound 3000

#

ip route-static 192.168.1.0 24 vpn-instance 1 192.168.1.10

 ip route-static vpn-instance 1 0.0.0.0 0 192.168.2.10 public

#

acl advanced 3000

 rule 5 permit ip vpn-instance 1

#

nat address-group 1

 address 192.168.2.100 192.168.2.100

#

 

该案例对您是否有帮助:

您的评价:1

若您有关于案例的建议,请反馈:

0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作