问

双向nat问题

2024-06-18提问

0关注
0收藏，468浏览

满天星Star

满天星Star 五段

粉丝：1人关注：1人

问题描述：

路由器上想做双向nat，用来从外部访问内部服务器的2018端口（内部网络默认路由不指向该路由器），在路由器上做了以下配置：

interface GigabitEthernet0/0

port link-mode route

ip address 211.111.111.1 255.255.255.252

nat inbound 3000 address-group 1 no-pat reversible

nat server protocol tcp global 211.111.111.1 62018 inside 172.168.2.5 2018

interface GigabitEthernet0/2

port link-mode route

ip address 10.255.0.2 255.255.255.0

interface Virtual-Template1（只有该虚拟接口的地址与服务器能互通）

ip address 172.17.1.100 255.255.255.0

nat address-group 1

address 172.17.1.100 172.17.1.100

acl advanced 3000

rule 0 permit tcp destination-port eq 62018

意图是将外网访问路由器出接口的62018端口的源地址转换成172.17.1.100，去访问目的地址为172.168.2.5的内部服务器2018端口，

但是从外网无法连到服务器的2018端口，dis nat session verbose结果如下：

dis nat sess ver

Slot 0:

Initiator:

Source IP/port: 121.237.151.193/47335

Destination IP/port: 211.111.111.1/62018

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet0/0

Responder:

Source IP/port: 172.168.2.5/2018

Destination IP/port: 172.17.1.100/47335

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet0/2

State: TCP_SYN_SENT

Application: GENERAL_TCP

Rule ID: -/-/-

Rule name:

Start time: 2024-06-18 21:54:41 TTL: 0s

Initiator->Responder: 0 packets 0 bytes

Responder->Initiator: 0 packets 0 bytes

Total sessions found: 1

求教配置哪里出了问题？是还缺少什么配置吗？

2 个回答

按时间按赞数

追问我也不答

追问我也不答五段

粉丝：1人关注：7人

nat inbound 3000 address-group 1 no-pat reversible

这个可以不做
vt接口配置个nat outbound 应该就可以了

PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45720 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45720 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:14:584 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45720(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45720(VPN: 0) *Jun 19 00:28:16:597 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45721 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45721 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:16:597 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45721(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45721(VPN: 0) *Jun 19 00:28:18:616 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45722 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45722 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:18:616 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45722(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45722(VPN: 0) *Jun 19 00:28:20:627 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-in-config) Protocol: TCP 121.237.151.193:45723 - 211.111.111.1:62018(VPN: 0) ------> 121.237.151.193:45723 - 172.168.2.5: 2018(VPN: 0) *Jun 19 00:28:20:627 2024 h3c NAT/7/COMMON: PACKET: (GigabitEthernet0/0-out-session) Protocol: TCP 172.168.2.5: 2018 - 121.237.151.193:45723(VPN: 0) ------> 211.111.111.1:62018 - 121.237.151.193:45723(VPN: 0) 能看出点什么来吗？

满天星Star 发表时间：2024-06-19 更多>>

改了，还是不通 dis nat session verbose Slot 0: Initiator: Source IP/port: 121.237.151.193/48824 Destination IP/port: 211.111.111.1/62018 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/0 Responder: Source IP/port: 172.168.2.5/2018 Destination IP/port: 121.237.151.193/48824 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/2 State: TCP_CLOSE Application: GENERAL_TCP Rule ID: -/-/- Rule name: Start time: 2024-06-18 22:24:06 TTL: 1s Initiator->Responder: 0 packets 0 bytes Responder->Initiator: 0 packets 0 bytes Initiator: Source IP/port: 121.237.151.193/48826 Destination IP/port: 211.111.111.1/62018 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/0 Responder: Source IP/port: 172.168.2.5/2018 Destination IP/port: 121.237.151.193/48826 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet0/2 State: TCP_CLOSE Application: GENERAL_TCP Rule ID: -/-/- Rule name: Start time: 2024-06-18 22:24:08 TTL: 1s Initiator->Responder: 0 packets 0 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2

满天星Star 发表时间：2024-06-18

可以debug nat packet acl 看下具体的nat转换

追问我也不答发表时间：2024-06-18

满天星Star 发表时间：2024-06-19