组网及说明
问题描述
组网如图,配置如下。内网终端相同,想要通过acl匹配不同目的地址,nat outbound转换成不同的源地址。但是测试发现,如果同时访问两个目的地址的话,只会转换成同一个源地址
#
nat address-group 1
address 3.3.3.10 3.3.3.20
#
nat address-group 2
address 3.3.3.40 3.3.3.50
##
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 3.3.3.3 255.255.255.0
nat outbound 3001 address-group 2 no-pat
nat outbound 3000 address-group 1 no-pat
#
acl advanced 3000
rule 5 permit ip source 10.0.0.1 0 destination 40.0.0.1 0
acl advanced 3001
rule 0 permit ip source 10.0.0.1 0 destination 30.0.0.1 0
过程分析
设备上debug nat packet发现,10.0.0.1访问30.0.0.1和40.0.0.1确实都转换成了address-group 1中相同的地址
[H3C-acl-ipv4-adv-3000]*Dec 17 12:54:22:042 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out-config) Protocol: ICMP
10.0.0.1:10987 - 30.0.0.1: 2048(VPN: 0) ------>
3.3.3.15:10987 - 30.0.0.1: 2048(VPN: 0)
*Dec 17 12:54:22:043 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-in-session) Protocol: ICMP
30.0.0.1:10987 - 3.3.3.15: 0(VPN: 0) ------>
30.0.0.1:10987 - 10.0.0.1: 0(VPN: 0)
*Dec 17 12:54:26:739 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out-config) Protocol: ICMP
10.0.0.1:10988 - 40.0.0.1: 2048(VPN: 0) ------>
3.3.3.15:10988 - 40.0.0.1: 2048(VPN: 0)
*Dec 17 12:54:26:739 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-in-session) Protocol: ICMP
40.0.0.1:10988 - 3.3.3.15: 0(VPN: 0) ------>
40.0.0.1:10988 - 10.0.0.1: 0(VPN: 0)
解决方法
经确认,no-pat方式只会匹配源ip,当已经有了一个会话的时候,后面所有相同的源ip都会转换成相同的地址,去掉no-pat之后可以正常匹配acl,转换成对应address-group中的地址