Network

Port mapping on Huawei routers

Solution
Versions before V200R009: configure the mapping with an ACL
e.g. map the contiguous port range 15000-19000

[Huawei]acl 3001           //create an advanced ACL
[Huawei-acl-adv-3001]rule 5 permit tcp destination-port range 15000 19000        //match ports 15000-19000
[Huawei-acl-adv-3001]quit        //exit
[Huawei]int GigabitEthernet 0/0/2            //enter the interface view
[Huawei-GigabitEthernet0/0/2]nat server global current-interface inside 192.168.5.100 acl 3001        //apply the ACL

Starting with V200R009, the mapping can be configured with the following commands:
(the AR2220E-S runs V200R009)

[Huawei]int GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]nat static protocol tcp global current-interface 9000 inside 172.16.6.2 9000 netmask 255.255.255.255 //map a single port to a single IP
[Huawei-GigabitEthernet0/0/0] nat static protocol tcp global interface GigabitEthernet0/0/1 9000 inside 172.16.6.2 9000 netmask 255.255.255.255
[Huawei-GigabitEthernet0/0/1]nat static protocol tcp global current-interface 9000 9100 inside 172.16.6.2 9000 9100 netmask 255.255.255.255       //map multiple ports (a range)
[Huawei-GigabitEthernet0/0/0] nat static protocol tcp global interface GigabitEthernet0/0/1 9000 9100 inside 172.16.6.2 9000 9100 netmask 255.255.255.255

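Notes:
Before V200R009, if the mappings on the public interface use the same public address, only one nat server entry can be configured; an entry configured later overwrites the earlier one.
From V200R009 on, other port mappings can still be configured after a bulk (port-range) mapping has been configured.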
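
To review what these mappings expose on the public interface, the following added example (not part of the original post and not Huawei tooling) parses the command forms shown above and lists every published port range with its inside host, resolving nat server entries through their ACL. The function name exposed_mappings and the sample text are assumptions made for this example, and it recognises only the command forms that appear on this page.

```python
import re

# Constructed sample: session lines in the form used on this page, prompts and // comments included.
SAMPLE = """\
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 5 permit tcp destination-port range 15000 19000
[Huawei]int GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]nat server global current-interface inside 192.168.5.100 acl 3001
[Huawei]int GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]nat static protocol tcp global current-interface 9000 9100 inside 172.16.6.2 9000 9100 netmask 255.255.255.255 //range
"""

PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")  # "[Huawei-acl-adv-3001]" style prompt
ACL = re.compile(r"^acl (?:number )?(\d+)")
RULE = re.compile(r"^rule(?: \d+)? permit (tcp|udp) destination-port range (\d+) (\d+)")
IFACE = re.compile(r"^int(?:erface)?\s+(.+)")
STATIC = re.compile(r"^nat static protocol (tcp|udp) global (?:interface \S+|\S+) "
                    r"(\d+)(?: (\d+))? inside (\S+)")
SERVER = re.compile(r"^nat server global (\S+) inside (\S+) acl (\d+)")

def exposed_mappings(config):
    """Return (mappings, warnings); a mapping is (iface, proto, first, last, inside_ip)."""
    acl_rules, servers, mappings, warnings = {}, [], [], []
    acl = iface = None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw).split("//")[0].strip()
        if m := ACL.match(line):
            acl = m.group(1)
        elif (m := RULE.match(line)) and acl:
            acl_rules.setdefault(acl, []).append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif m := IFACE.match(line):
            iface = m.group(1).replace(" ", "")
        elif m := STATIC.match(line):
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            mappings.append((iface, m.group(1), first, last, m.group(4)))
        elif m := SERVER.match(line):
            servers.append((iface, m.group(1), m.group(2), m.group(3)))
    seen = set()
    for iface, glob, inside, acl in servers:  # resolve ACLs once the whole text is parsed
        if (iface, glob) in seen:  # the overwrite case from the notes above
            warnings.append(f"{iface}: more than one nat server for global {glob}")
        seen.add((iface, glob))
        for proto, first, last in acl_rules.get(acl, []):
            mappings.append((iface, proto, first, last, inside))
    return mappings, warnings

if __name__ == "__main__":
    for iface, proto, first, last, inside in exposed_mappings(SAMPLE)[0]:
        print(f"{iface} {proto}/{first}-{last} -> {inside} ({last - first + 1} ports)")
```
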

Allowing internal hosts to access the service through the public IP:

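[Huawei] acl number 3322        //create an advanced ACL for the match rule
[Huawei-acl-adv-3322] rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255   //match source and destination addresses
[Huawei-acl-adv-3322] quit
[Huawei] interface GigabitEthernet 0/0/0  //enter the internal (LAN) interface
[Huawei-GigabitEthernet0/0/0] nat outbound 3322        //apply the ACL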

Example: access between internal devices

[Huawei] acl 3000                                   
[Huawei-acl-adv-3000] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255     //match the traffic allowed between internal networks
[Huawei-acl-adv-3000] quit
[Huawei] traffic classifier c1                       
[Huawei-classifier-c1] if-match acl  3000            
[Huawei-classifier-c1] quit                          
[Huawei] traffic behavior b1                         
[Huawei-behavior-b1] permit
[Huawei-behavior-b1] quit

[Huawei] acl 3001                                  
[Huawei-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255   //match the subnet subject to policy-based routing
[Huawei-acl-adv-3001] quit
[Huawei] traffic classifier c2                       
[Huawei-classifier-c2] if-match acl  3001           
[Huawei-classifier-c2] quit                          
[Huawei] traffic behavior b2                        
[Huawei-behavior-b2] redirect ip-nexthop 111.1.1.1   
[Huawei-behavior-b2] quit

[Huawei] traffic policy p1                           
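[Huawei-trafficpolicy-p1] classifier c1 behavior b1  //first bind the classifier that permits internal traffic
[Huawei-trafficpolicy-p1] classifier c2 behavior b2   //then bind the one that does policy-based routing
[Huawei-trafficpolicy-p1] quit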

[Huawei] interface ethernet 0/0/2
[Huawei-Ethernet0/0/2] traffic-policy p1 inbound     
[Huawei-Ethernet0/0/2] quit
