配置如下:[SW2]dis curr
#
version 7.1.064, Release 9360P28
#
sysname SW2
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
irf auto-merge enable
undo irf link-delay
irf member 2 priority 5
irf member 2 description FW-B
#
rip 199
network 10.0.0.0
network 192.0.0.0 0.255.255.255
#
password-recovery enable
#
vlan 1
#
irf-port 2/2
port group interface GigabitEthernet2/0/14
port group interface GigabitEthernet2/0/15
#
object-group ip address 192.168.1.5
#
object-group ip address nat_pool
0 network host address 10.175.90.200
#
controller Cellular2/0/0
#
controller Cellular2/0/1
#
interface NULL0
#
interface GigabitEthernet2/0/0
port link-mode route
#
interface GigabitEthernet2/0/1
port link-mode route
#
interface GigabitEthernet2/0/2
port link-mode route
ip address 10.175.90.199 255.255.255.0
nat server global 10.175.90.200 inside 192.168.1.5 rule ServerRule_1 counting
#
interface GigabitEthernet2/0/3
port link-mode route
#
interface GigabitEthernet2/0/4
port link-mode route
#
interface GigabitEthernet2/0/5
port link-mode route
#
interface GigabitEthernet2/0/6
port link-mode route
#
interface GigabitEthernet2/0/7
port link-mode route
#
interface GigabitEthernet2/0/8
port link-mode route
#
interface GigabitEthernet2/0/9
port link-mode route
#
interface GigabitEthernet2/0/10
port link-mode route
#
interface GigabitEthernet2/0/11
port link-mode route
ip address 192.168.1.199 255.255.255.0
#
interface GigabitEthernet2/0/12
port link-mode route
#
interface GigabitEthernet2/0/13
port link-mode route
#
interface GigabitEthernet2/0/16
port link-mode route
#
interface GigabitEthernet2/0/17
port link-mode route
#
interface GigabitEthernet2/0/18
port link-mode route
#
interface GigabitEthernet2/0/19
port link-mode route
#
interface GigabitEthernet2/0/20
port link-mode route
#
interface GigabitEthernet2/0/21
port link-mode route
#
interface GigabitEthernet2/0/22
port link-mode route
#
interface GigabitEthernet2/0/23
port link-mode route
#
interface GigabitEthernet2/0/14
#
interface GigabitEthernet2/0/15
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet2/0/11
import ip 192.168.1.5 32
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet2/0/2
import ip 10.175.90.200 32
#
security-zone name Management
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 1
user-role network-operator
#
line con 1
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role level-15
user-role network-operator
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 10.175.90.199
ip route-static 192.0.0.0 8 192.168.1.199
#
performance-management
#
ssh server enable
#
acl basic 2000
rule 5 permit source 192.168.1.5 0
rule 100 deny
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$t7oIl7Y1CieVzlwY$bJQg2b4bpW4mV0c4rXEJODPvU/L8APA9oFI0uZORxtNsQ+uNOm4UONJ87XUifyjbItrn2o/8enl8K6RYbtDmhw==
service-type ssh telnet http https
authorization-attribute user-role level-15
authorization-attribute user-role network-operator
#
ip https port 8088
ip https enable
#
security-policy ip
rule 0 name nat_server
action pass
counting enable
source-zone untrust
destination-zone trust
source-ip nat_pool
destination-ip 192.168.1.5
rule 10 name permit-all
action pass
counting enable
source-zone Local
source-zone Trust
source-zone Untrust
destination-zone Local
destination-zone Trust
destination-zone Untrust
查看系统日志没有关于nat server 的告警信息
查看其他nat信息如下:
[SW2-security-policy-ip]dis nat all
NAT internal server information:
Totally 1 internal servers.
Interface: GigabitEthernet2/0/2
Protocol: 0(IPv4)
Global IP/port: 10.175.90.200/0
Local IP/port : 192.168.1.5/0
Rule name : ServerRule_1
NAT counting : 1
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
NO-PAT IP usage : Disabled
NAT mapping behavior:
Mapping mode : Address and Port-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Enabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SCTP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Static NAT load balancing: Disabled
NAT link-switch recreate-session: Disabled
NAT configuration-for-new-connection: Disabled
NAT global-policy compatible-previous-version rule-type ipv4-snat-and-dnat translate-before-secp : Disabled
[SW2]dis nat session brief
Slot 2:
Total sessions found: 0
[SW2]dis nat session verbose
Slot 2:
Total sessions found: 0
[SW2]dis nat session verbose
Slot 2:
Initiator:
Source IP/port: 10.175.90.198/4262
Destination IP/port: 10.175.90.200/23
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet2/0/2
Source security zone: Untrust
Responder:
Source IP/port: 192.168.1.5/23
Destination IP/port: 10.175.90.198/4262
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet2/0/11
Source security zone: Trust
State: TCP_SYN_SENT
Application: TELNET
Rule ID: 10
Rule name: permit-all
Start time: 2025-06-16 15:52:08 TTL: 28s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
(0)
最佳答案
可以ping通
安全策略:
rule 0 name nat_server
action pass
counting enable
source-zone untrust
destination-zone trust
source-ip nat_pool
destination-ip 192.168.1.5
rule 10 name permit-all
action pass
counting enable
source-zone Local
source-zone Trust
source-zone Untrust
destination-zone Local
destination-zone Trust
destination-zone Untrust
(0)
你这出接口IPping不通啊
(0)
可以ping通的
可以ping通的
interface GigabitEthernet2/0/2
port link-mode route
ip address 10.175.90.199 255.255.255.0
nat server global 10.175.90.200 inside 192.168.1.5 rule ServerRule_1 counting
接口地址写错了吧?路由里面写的 ip route-static 0.0.0.0 0 10.175.90.199。
(1)
内网网正常的。
1、 10.175.90.200 需要配置到interface GigabitEthernet2/0/2上
2、10.175.90.200不是source-ip,其它访问对象才是source-ip啊
security-policy ip
rule 0 name nat_server
action pass
counting enable
source-zone untrust
destination-zone trust
source-ip nat_pool
destination-ip 192.168.1.5
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明