Interworking between VPN-instance and non-VPN-instance services through NAT
Three routers A, B and C are connected in series. A sits in the public (non-VPN) instance, C sits in a VPN instance, and C has no route to A. NAT must be configured on B so that A can reach C.
Configuration on A:
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]
[H3C]int g0/0
[H3C-GigabitEthernet0/0] ip address 192.168.1.10 255.255.255.0
[H3C-GigabitEthernet0/0]quit
[H3C] ip route-static 0.0.0.0 0 192.168.1.1
[H3C]save force
Configuration on B:
<H3C>system-view
[H3C]ip vpn-instance 1
[H3C-vpn-instance-1]route-distinguisher 1:1
[H3C-vpn-instance-1]vpn-target 1:1 import-extcommunity
[H3C-vpn-instance-1]vpn-target 1:1 export-extcommunity
[H3C-vpn-instance-1]quit
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0
[H3C-GigabitEthernet0/0]quit
[H3C]int g0/1
[H3C-GigabitEthernet0/1]ip binding vpn-instance 1
[H3C-GigabitEthernet0/1]ip address 192.168.2.1 255.255.255.0
[H3C-GigabitEthernet0/1]quit
[H3C] ip route-static 0.0.0.0 0 vpn-instance 1 192.168.2.10
[H3C] ip route-static vpn-instance 1 192.168.1.0 24 192.168.1.10 public
Configuration on C:
<H3C>system-view
[H3C]int g0/0
[H3C-GigabitEthernet0/0] ip address 192.168.2.10 255.255.255.0
[H3C-GigabitEthernet0/0]quit
[H3C]save force
NAT configuration on B:
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule 0 permit ip // Do not specify the VPN instance here; with the instance specified, the rule does not match.
[H3C-acl-ipv4-adv-3000]quit
[H3C] nat address-group 1
[H3C-address-group-1] address 192.168.2.100 192.168.2.100
[H3C-address-group-1]quit
[H3C]int g0/1
[H3C-GigabitEthernet0/1]nat outbound 3000 address-group 1 vpn-instance 1
[H3C-GigabitEthernet0/1]quit
[H3C]save force
A cannot ping C. Running debug ip packet on all three devices, and debug nat on B as well, shows router C answering, but A never receives the reply.
Debug output on B:
*Aug 31 12:11:31:194 2018 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out) Protocol: ICMP
192.168.1.1: 0 - 192.168.2.10: 0(VPN: 0) ------>
192.168.2.100: 0 - 192.168.2.10: 0(VPN: 0)
*Aug 31 12:11:31:194 2018 H3C IPFW/7/IPFW_PACKET:
Sending, interface = GigabitEthernet0/1, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 24, offset = 0, ttl = 255, protocol = 1,
checksum = 13778, s = 192.168.2.100, d = 192.168.2.10
prompt: Sending the packet from local at GigabitEthernet0/1.
Request time out
Debug output on C:
<H3C>*Aug 31 13:26:30:101 2018 H3C IPFW/7/IPFW_PACKET:
Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 32997, offset = 0, ttl = 3, protocol = 17,
checksum = 45345, s = 192.168.2.100, d = 192.168.2.10
prompt: Receiving IP packet.
*Aug 31 13:26:30:101 2018 H3C IPFW/7/IPFW_PACKET:
Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 32997, offset = 0, ttl = 3, protocol = 17,
checksum = 45345, s = 192.168.2.100, d = 192.168.2.10
prompt: IP packet is delivering up.
*Aug 31 13:26:30:101 2018 H3C IPFW/7/IPFW_PACKET:
Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 56, pktid = 32997, offset = 0, ttl = 255, protocol = 1,
checksum = 46368, s = 192.168.2.10, d = 192.168.2.100
prompt: Sending the packet from local at GigabitEthernet0/0.
Debug output on B:
*Aug 31 13:29:59:622 2018 H3C IPFW/7/IPFW_PACKET:
Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 32993, offset = 0, ttl = 2, protocol = 17,
checksum = 45951, s = 192.168.1.10, d = 192.168.2.10
prompt: Receiving IP packet.
*Aug 31 13:29:59:622 2018 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out) Protocol: UDP
192.168.1.10:32990 - 192.168.2.10:33437(VPN: 0) ------>
192.168.2.100: 1024 - 192.168.2.10:33437(VPN: 1)
*Aug 31 13:29:59:622 2018 H3C IPFW/7/IPFW_PACKET:
Sending, interface = GigabitEthernet0/1, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 32993, offset = 0, ttl = 1, protocol = 17,
checksum = 45861, s = 192.168.2.100, d = 192.168.2.10
prompt: Sending the packet from GigabitEthernet0/0 at GigabitEthernet0/1.
*Aug 31 13:29:59:623 2018 H3C IPFW/7/IPFW_PACKET:
Receiving, interface = GigabitEthernet0/1, version = 4, headlen = 20, tos = 0,
pktlen = 56, pktid = 32993, offset = 0, ttl = 255, protocol = 1,
checksum = 46372, s = 192.168.2.10, d = 192.168.2.100
prompt: Receiving IP packet.
*Aug 31 13:29:59:623 2018 H3C IPFW/7/IPFW_PACKET:
Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 56, pktid = 32993, offset = 0, ttl = 254, protocol = 1,
checksum = 46974, s = 192.168.2.10, d = 192.168.1.10
prompt: Sending the packet from GigabitEthernet0/1 at GigabitEthernet0/0.
Debug output on C:
*Aug 31 13:30:11:890 2018 H3C IPFW/7/IPFW_PACKET:
Receiving, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 32993, offset = 0, ttl = 1, protocol = 17,
checksum = 45861, s = 192.168.2.100, d = 192.168.2.10
prompt: Receiving IP packet.
*Aug 31 13:30:11:890 2018 H3C IPFW/7/IPFW_PACKET:
Delivering, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 32993, offset = 0, ttl = 1, protocol = 17,
checksum = 45861, s = 192.168.2.100, d = 192.168.2.10
prompt: IP packet is delivering up.
*Aug 31 13:30:11:892 2018 H3C IPFW/7/IPFW_PACKET:
Sending, interface = GigabitEthernet0/0, version = 4, headlen = 20, tos = 0,
pktlen = 56, pktid = 32993, offset = 0, ttl = 255, protocol = 1,
checksum = 46372, s = 192.168.2.10, d = 192.168.2.100
prompt: Sending the packet from local at GigabitEthernet0/0.
Summary: comparing the two debug captures shows that when nat outbound carries the VPN instance, the NAT entry correctly records that the outgoing traffic belongs to VPN instance 1. Router B can therefore find the matching NAT session when C's reply arrives, and receives and forwards the packet normally.
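As an added example, not part of this case: a small Python parser for the NAT/7/COMMON debug records shown above. It extracts the pre- and post-translation flows and flags a record whose post-NAT flow is not in the VPN instance bound to the egress interface, which is exactly what separates the failing capture (VPN: 0 ------> VPN: 0) from the working one (VPN: 0 ------> VPN: 1). The interface-to-VPN map is assumed from B's configuration in the first scenario, and the sample records are copied from the captures above.

```python
import re

# Constructed sample input: the two NAT/7/COMMON records quoted in this case
# (first captured without "vpn-instance 1" on nat outbound, second with it).
SAMPLE_DEBUG = """\
*Aug 31 12:11:31:194 2018 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out) Protocol: ICMP
192.168.1.1: 0 - 192.168.2.10: 0(VPN: 0) ------>
192.168.2.100: 0 - 192.168.2.10: 0(VPN: 0)
*Aug 31 13:29:59:622 2018 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out) Protocol: UDP
192.168.1.10:32990 - 192.168.2.10:33437(VPN: 0) ------>
192.168.2.100: 1024 - 192.168.2.10:33437(VPN: 1)
"""

# Assumed from B's configuration: g0/1 is bound to vpn-instance 1, g0/0 is not
# (unbound interfaces live in the public instance, shown as VPN: 0).
IFACE_VPN = {"GigabitEthernet0/0": 0, "GigabitEthernet0/1": 1}

HEAD = re.compile(r"PACKET: \((\S+)-(in|out)\) Protocol: (\w+)")
FLOW = re.compile(r"(\d+(?:\.\d+){3}):\s*(\d+) - (\d+(?:\.\d+){3}):\s*(\d+)\(VPN: (\d+)\)")

def parse_flow(line):
    """Return (src, sport, dst, dport, vpn) from one flow line of a record."""
    m = FLOW.search(line)
    if not m:
        raise ValueError("unrecognised NAT flow line: %r" % line)
    src, sport, dst, dport, vpn = m.groups()
    return src, int(sport), dst, int(dport), int(vpn)

def parse_nat_debug(text):
    """Parse NAT/7/COMMON PACKET records: egress interface, protocol, pre/post flows."""
    lines = [l.strip() for l in text.splitlines()]
    records = []
    for i, line in enumerate(lines):
        m = HEAD.match(line)
        if m and i + 2 < len(lines):
            iface, direction, proto = m.groups()
            records.append({"iface": iface, "dir": direction, "proto": proto,
                            "pre": parse_flow(lines[i + 1]),
                            "post": parse_flow(lines[i + 2])})
    return records

def session_vpn_matches(record, iface_vpn=IFACE_VPN):
    """True when the post-NAT flow was created in the VPN bound to the egress
    interface; if not, C's reply arriving in that VPN finds no NAT session."""
    expected = iface_vpn.get(record["iface"], 0)
    return record["post"][4] == expected
```

Running `parse_nat_debug` over a live `debug nat` capture and filtering with `session_vpn_matches` pinpoints the translations that will never see their return traffic.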
Router A belongs to VPN instance 1 and C sits in the public (non-VPN) instance. C has no route to A, so NAT on B is required for A to reach C.
The configuration of A and C stays unchanged.
B's configuration must be changed to the following (the original highlights the modified lines in red):
#
ip vpn-instance 1
route-distinguisher 1:1
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
interface GigabitEthernet0/0
ip binding vpn-instance 1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
nat outbound 3000
#
ip route-static 192.168.1.0 24 vpn-instance 1 192.168.1.10
ip route-static vpn-instance 1 0.0.0.0 0 192.168.2.10 public
#
acl advanced 3000
rule 5 permit ip vpn-instance 1
#
nat address-group 1
address 192.168.2.100 192.168.2.100
#