双向nat问题
- 0关注
- 0收藏,173浏览
问题描述:
路由器上想做双向nat,用来从外部访问内部服务器的2018端口(内部网络默认路由不指向该路由器),在路由器上做了以下配置:
interface GigabitEthernet0/0
port link-mode route
ip address 211.111.111.1 255.255.255.252
nat inbound 3000 address-group 1 no-pat reversible
nat server protocol tcp global 211.111.111.1 62018 inside 172.168.2.5 2018
interface GigabitEthernet0/2
port link-mode route
ip address 10.255.0.2 255.255.255.0
interface Virtual-Template1(只有该虚拟接口的地址与服务器能互通)
ip address 172.17.1.100 255.255.255.0
nat address-group 1
address 172.17.1.100 172.17.1.100
acl advanced 3000
rule 0 permit tcp destination-port eq 62018
意图是将外网访问路由器出接口的62018端口的源地址转换成172.17.1.100,去访问目的地址为172.168.2.5的内部服务器2018端口,
但是从外网无法连到服务器的2018端口,dis nat session verbose结果如下:
dis nat sess ver
Slot 0:
Initiator:
Source IP/port: 121.237.151.193/47335
Destination IP/port: 211.111.111.1/62018
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet0/0
Responder:
Source IP/port: 172.168.2.5/2018
Destination IP/port: 172.17.1.100/47335
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet0/2
State: TCP_SYN_SENT
Application: GENERAL_TCP
Rule ID: -/-/-
Rule name:
Start time: 2024-06-18 21:54:41 TTL: 0s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
求教配置哪里出了问题?是还缺少什么配置吗?
- 2024-06-18提问
- 举报
-
(0)
nat inbound 3000 address-group 1 no-pat reversible
这个可以不做
vt接口配置个nat outbound 应该就可以了
- 2024-06-18回答
- 评论(3)
- 举报
-
(0)
interfainterface Virtual-Template1 接口下能做NAT吗?匹配目标是172.168.2.5 2018的然后对any源转换成自己的接口地址试下
- 2024-06-19回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
改了,还是不通 dis nat session verbose Slot 0: Initiator: Source IP/port: 121.237.151.193/48824 Destination IP/port: 211.111.111.1/62018 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/0 Responder: Source IP/port: 172.168.2.5/2018 Destination IP/port: 121.237.151.193/48824 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/2 State: TCP_CLOSE Application: GENERAL_TCP Rule ID: -/-/- Rule name: Start time: 2024-06-18 22:24:06 TTL: 1s Initiator->Responder: 0 packets 0 bytes Responder->Initiator: 0 packets 0 bytes Initiator: Source IP/port: 121.237.151.193/48826 Destination IP/port: 211.111.111.1/62018 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/0 Responder: Source IP/port: 172.168.2.5/2018 Destination IP/port: 121.237.151.193/48826 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/2 State: TCP_CLOSE Application: GENERAL_TCP Rule ID: -/-/- Rule name: Start time: 2024-06-18 22:24:08 TTL: 1s Initiator->Responder: 0 packets 0 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2
可以debug nat packet acl 看下具体的nat转换
PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45720 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45720 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:14:584 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45720(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45720(VPN: 0) *Jun 19 00:28:16:597 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45721 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45721 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:16:597 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45721(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45721(VPN: 0) *Jun 19 00:28:18:616 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45722 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45722 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:18:616 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45722(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45722(VPN: 0) *Jun 19 00:28:20:627 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45723 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45723 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:20:627 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45723(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45723(VPN: 0) 能看出点什么来吗?