华为AR路由器NAT命令详解.doc

配置脚本#sysname RouterA#radius scheme system#domain system#acl number 2000 /配置允许进行NAT转换的内网地址段/rule 0 permit source 55rule 1 deny#interface Ethernet0/0ip address 48nat outbound 2000#interface Ethernet0/1 ip address /内网网关/#interface NULL0#ip route-static preference 60 /配置默认路由/#user-interface con 0user-interface vty 0 4#return配置脚本#sysname RouterA#nat address-group 0 /用户NAT的地址池/#radius scheme system#domain system#acl number 2000 /配置允许进行NAT转换的内网地址段/rule 0 permit source 55rule 1 deny#interface Ethernet0/0ip address 48nat outbound 2001 address-group 0 /在出接口上进行NAT转换/#interface Ethernet0/1ip address /内网网关/#interface NULL0#ip route-static preference 60 /配置默认路由/#user-interface con 0user-interface vty 0 4#return5.2.4 对外提供ftp，www等服务以www服务为例,除了5.2.1和5.2.2的配置,公网接口需要增加如下配置:Quidway-Ethernet0/0nat server protocol tcp global www inside www注意:如果需要其他用户可以ping通内部对外提供服务的服务器,必须增加如下配置:Router-Ethernet1nat server protocol icmp global inside 注意:内部用户不能使用公网地址来访问内部服务器,必须使用内网地址访问.如上例子:/24网段的用户,不能访问,而只能访问配置脚本#sysname RouterA#radius scheme system#domain system#acl number 2000 /配置允许进行NAT转换的内网地址段/rule 0 permit source 55rule 1 deny#interface Ethernet0/0ip address /内网网关/nat outbound 2000#interface Serial0/0 ip address 52 /公网出口/nat outbound 2000 /在出接口上进行NAT转换/#interface Serial0/1 ip address 52 /公网出口/nat outbound 2000#interface NULL0#ip route-static preference 60 /配置默认路由/ip route-static preference 60 /配置默认路由/#user-interface con 0user-interface vty 0 4#return【验证】disp ip rout Routing Table: public netDestination/Mask Protocol Pre Cost Nexthop Interface/0 STATIC 60 0 Serial0/1 Serial0/0/30 DIRECT 0 0 Serial0//32 DIRECT 0 0 Serial0//32 DIRECT 0 0 InLoopBack0/8 DIRECT 0 0 InLoopBack0/32 DIRECT 0 0 InLoopBack0/24 DIRECT 0 0 Ethernet0/0/32 DIRECT 0 0 InLoopBack0/30 DIRECT 0 0 Serial2/0/0/32 DIRECT 0 0 Serial2/0/0/32 DIRECT 0 0 InLoopBack0disp nat sessionThere are currently 2 NAT sessions:Protocol GlobalAddr Port InsideAddr Port DestAddr Port 6 12288 1036 23 VPN: 0, status: 11, TTL: 24:00:00, Left: 23:59:556 12289 192