
H3C NAT配置手册.pdf (H3C NAT Configuration Guide)

The document has 92 pages in total; download it to view the remaining pages.
Title page
00-Preface
Intended audience
Conventions
1. Command-line conventions
2. GUI conventions
3. Symbols
4. Icon conventions
5. Example conventions
Obtaining documentation
Technical support
Documentation feedback
01-NAT configuration
1 NAT
1.1 NAT overview
1.1.1 How NAT works
1. Basic concepts
2. Basic NAT network types
3. Typical operation of traditional NAT
1.1.2 NAT translation control
1.1.3 NAT implementation modes
1. Static mode
2. Dynamic mode
3. Internal server
4. NAT444 port block mode
5. DS-Lite B4 port block mode
1.1.4 NAT entries
1. NAT session entries
2. EIM entries
3. NO-PAT entries
4. NAT444 port block entries
1.1.5 NAT support for multiple VPN instances
1.1.6 DNS mapping
1.1.7 NAT support for ALG
1.1.8 NAT444 interworking with BRAS
1.2 NAT configuration task overview
1.3 Restrictions and guidelines
1.4 Configuring static address translation
1.4.1 Prerequisites
1.4.2 Configuring outbound one-to-one static address translation
1.4.3 Configuring outbound net-to-net static address translation
1.4.4 Configuring object-group-based outbound static address translation
1.4.5 Configuring inbound one-to-one static address translation
1.4.6 Configuring inbound net-to-net static address translation
1.4.7 Configuring object-group-based inbound static address translation
1.5 Configuring dynamic address translation
1.5.1 Restrictions and guidelines
1.5.2 Prerequisites
1.5.3 Configuring outbound dynamic address translation
1.5.4 Configuring inbound dynamic address translation
1.6 Configuring internal servers
1.6.1 Configuring a common internal server
1.6.2 Configuring load-sharing internal servers
1.6.3 Configuring ACL-based internal servers
1.7 Configuring NAT444 address translation
1.7.1 Configuring NAT444 static port block mapping
1.7.2 Configuring NAT444 dynamic port block mapping
1.7.3 Configuring global NAT444 port block sharing
1.8 Configuring DS-Lite B4 address translation
1.9 Adjusting the match priority of NAT rules
1.9.1 Feature overview
1.9.2 Restrictions and guidelines
1.9.3 Prerequisites
1.9.4 Adjusting the match priority of outbound dynamic NAT rules
1.9.5 Adjusting the match priority of inbound dynamic NAT rules
1.9.6 Adjusting the match priority of inbound one-to-one static NAT rules
1.9.7 Adjusting the match priority of outbound one-to-one static NAT rules
1.9.8 Adjusting the match priority of ACL-based internal server NAT rules
1.10 Enabling NAT port load sharing
1.11 Configuring DNS mapping
1.12 Configuring NAT hairpin
1.13 Configuring NAT ALG
1.14 Configuring NAT logging
1.14.1 Configuring NAT session logging
1.14.2 Configuring NAT444 user logging
1.14.3 Configuring NAT alarm logging
1.14.4 Configuring the usage threshold for dynamic NAT444 port blocks
1.15 Enabling ICMP error messages on NAT translation failure
1.16 Enabling redirection of reverse packets
1.17 Enabling removal of timestamps from TCP SYN and SYN ACK packets
1.18 Enabling NAT session creation rate statistics
1.19 Displaying and maintaining NAT
1.20 NAT configuration examples
1.20.1 Example: internal users accessing the external network through NAT addresses (static address translation)
1. Network requirements
2. Network diagram
3. Configuration procedure
4. Verifying the configuration
1.20.2 Example: internal users accessing the external network through NAT addresses (non-overlapping addresses)
1. Network requirements
2. Network diagram
3. Configuration procedure
4. Verifying the configuration
1.20.3 Example: internal users accessing the external network through NAT addresses (overlapping addresses)
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.4 Example: external users accessing an internal server through an external address
1. Network requirements
2. Network diagram
3. Configuration procedure
4. Verifying the configuration
1.20.5 Example: external users accessing an internal server by domain name (non-overlapping addresses)
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.6 Example: external users accessing an internal server by domain name (overlapping addresses)
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.7 Example: internal users accessing an internal server through NAT addresses
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.8 Example: internal users accessing each other through NAT addresses
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.9 Example: mutual access between two VPNs with overlapping addresses
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.10 Example: internal server load sharing
1. Network requirements
2. Network diagram
3. Configuration procedure
4. Verifying the configuration
1.20.11 Example: NAT DNS mapping
1. Network requirements
2. Network diagram
3. Configuration analysis
4. Configuration procedure
5. Verifying the configuration
1.20.12 Example: NAT444 static port block mapping
1. Network requirements
2. Network diagram
3. Configuration procedure
4. Verifying the configuration
1.20.13 Example: NAT444 dynamic port block mapping
1. Network requirements
2. Network diagram
3. Configuration procedure
4. Verifying the configuration
1.20.14 Example: DS-Lite B4 dynamic port block mapping
1. Network requirements
2. Network diagram
3. Configuration notes
4. Configuration procedure
5. Verifying the configuration
02-AFT configuration
1 AFT
1.1 AFT overview
1.1.1 AFT application scenarios
1.1.2 AFT basic concepts
1. NAT64 prefix
2. IVI prefix
3. General prefix
1.1.3 AFT translation modes
1. Static mode
2. Dynamic mode
3. Prefix mode
4. IPv6 internal server
1.1.4 AFT packet translation process
1. Access initiated from the IPv6 side
2. Access initiated from the IPv4 side
1.1.5 AFT support for ALG
1.2 AFT configuration task overview
1.2.1 AFT configuration tasks for access initiated from the IPv6 side
1.2.2 AFT configuration tasks for access initiated from the IPv4 side
1.3 AFT restrictions and guidelines
1.4 Configuring AFT
1.4.1 Enabling AFT
1.4.2 Configuring IPv6-to-IPv4 destination address translation policies
1.4.3 Configuring IPv6-to-IPv4 source address translation policies
1.4.4 Configuring IPv4-to-IPv6 destination address translation policies
1.4.5 Configuring IPv4-to-IPv6 source address translation policies
1.4.6 Enabling AFT logging
1.4.7 Configuring the ToS field value of AFT-translated IPv4 packets
1.4.8 Configuring the Traffic Class field value of AFT-translated IPv6 packets
1.5 Displaying and maintaining AFT
H3C SecPath Firewall Series NAT Configuration Guide. New H3C Technologies Co., Ltd., http://www.h3c.com. Document version: 5W301-20170918
Copyright © 2017 New H3C Technologies Co., Ltd. and its licensors. All rights reserved. No part of this manual may be excerpted, reproduced or transmitted in any form by any organization or individual without the prior written permission of the company. H3C, H3Care, H3CS, H3CIE, H3CNE, Aolynk, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM, HUASAN and 华三 are trademarks of New H3C Technologies Co., Ltd. Other trademarks, product identifiers and product names appearing in this manual are the property of their respective owners. The contents of this manual may change because of product version upgrades or other reasons. H3C reserves the right to modify the contents of this manual without notice. This manual is intended only as a usage guide. H3C has made every effort to provide accurate information in this manual but does not guarantee that it is entirely free of errors; none of the statements, information or recommendations in this manual constitute an express or implied warranty of any kind.
Preface

The H3C SecPath Firewall Series configuration guides describe the principles and configuration of the software features of the firewall products, including feature overviews, configuration task descriptions and configuration examples. The NAT Configuration Guide covers NAT and AFT.

This preface contains the following sections:
• Intended audience
• Conventions
• Obtaining documentation
• Technical support
• Documentation feedback

Intended audience

This manual is intended for the following engineers:
• Network planners
• Field technical support and maintenance engineers
• Network administrators responsible for network configuration and maintenance

Conventions

1. Command-line conventions

Format: Meaning
Bold: Command keywords (the parts of a command that are fixed and must be typed exactly as shown) are in bold.
Italic: Command arguments (the parts of a command that must be replaced with actual values) are in italic.
[ ]: The item enclosed in square brackets is optional.
{ x | y | ... }: Exactly one of the options must be selected.
[ x | y | ... ]: One option or none is selected.
{ x | y | ... } *: At least one option must be selected.
[ x | y | ... ] *: One option, several options, or none is selected.
&<1-n>: The argument before the ampersand (&) can be entered 1 to n times.
#: A line that starts with a pound sign (#) is a comment.

2. GUI conventions

Format: Meaning
< >: Angle brackets enclose a button name, as in "click the <OK> button".
[ ]: Square brackets enclose a window name, menu name or data table, as in "the [New User] window appears".
/: Multi-level menus are separated by slashes. For example, [File/New/Folder] means the [Folder] menu item under the [New] submenu under the [File] menu.

3. Symbols

This manual also uses symbols to flag points that need special attention during operation. Their meanings are as follows (the symbols themselves are images and are not reproduced here):
• The note following this symbol requires particular attention; improper operation may cause personal injury.
• Points to note during operation; improper operation may cause data loss or equipment damage.
• Operations or information that require special attention to ensure that the device is configured successfully or works normally.
• Supplementary information or explanation of the operation being described.
• Techniques or tips for configuring, operating or using the device.

4. Icon conventions

The icons used in this manual have the following meanings (the icons themselves are images and are not reproduced here):
• A generic network device, such as a router, switch or firewall.
• A generic router, or any other device running a routing protocol.
• A Layer 2 or Layer 3 Ethernet switch, or any other device running a Layer 2 protocol.
• A wireless controller, a wireless controller service module, or the wireless control engine of a unified wired-wireless switch.
• A wireless access point.
• A wireless terminator unit.
• A wireless terminator.
• A wireless mesh device.
• An omnidirectional wireless radio signal.
• A point-to-point wireless radio signal.
• A security device such as a firewall, UTM, multiservice security gateway or load balancer.
• A security module such as a firewall module, load balancing module, NetStream module, SSL VPN module, IPS module or ACG module.

5. Example conventions

Because of differences in device models, configurations and software versions, the information in this manual may differ from what your device displays. Always rely on the information displayed by your device.

The port numbers that appear in this manual are examples only and do not mean that the device actually has ports with those numbers. Use the port numbers that exist on your device.

Obtaining documentation

You can obtain the latest product documentation from the H3C website (www.h3c.com):
• Installation, configuration and maintenance documentation: http://www.h3c.com/cn/Technical_Documents
• Release notes and other documents that accompany software versions: http://www.h3c.com/cn/Software_Download

Technical support

User support email: service@h3c.com
Technical support hotline: 400-810-0504 (reachable from mobile and landline phones)
Website: http://www.h3c.com

Documentation feedback

If you find any problems in the product documentation while using it, you can report them by email: info@h3c.com
Thank you for your feedback; it helps us improve.
Contents

1 NAT ··· 1-1
1.1 NAT overview ··· 1-1
1.1.1 How NAT works ··· 1-1
1.1.2 NAT translation control ··· 1-3
1.1.3 NAT implementation modes ··· 1-3
1.1.4 NAT entries ··· 1-7
1.1.5 NAT support for multiple VPN instances ··· 1-8
1.1.6 DNS mapping ··· 1-8
1.1.7 NAT support for ALG ··· 1-9
1.1.8 NAT444 interworking with BRAS ··· 1-9
1.2 NAT configuration task overview ··· 1-10
1.3 Restrictions and guidelines ··· 1-11
1.4 Configuring static address translation ··· 1-12
1.4.1 Prerequisites ··· 1-12
1.4.2 Configuring outbound one-to-one static address translation ··· 1-12
1.4.3 Configuring outbound net-to-net static address translation ··· 1-13
1.4.4 Configuring object-group-based outbound static address translation ··· 1-13
1.4.5 Configuring inbound one-to-one static address translation ··· 1-14
1.4.6 Configuring inbound net-to-net static address translation ··· 1-15
1.4.7 Configuring object-group-based inbound static address translation ··· 1-15
1.5 Configuring dynamic address translation ··· 1-16
1.5.1 Restrictions and guidelines ··· 1-16
1.5.2 Prerequisites ··· 1-16
1.5.3 Configuring outbound dynamic address translation ··· 1-17
1.5.4 Configuring inbound dynamic address translation ··· 1-18
1.6 Configuring internal servers ··· 1-19
1.6.1 Configuring a common internal server ··· 1-19
1.6.2 Configuring load-sharing internal servers ··· 1-20
1.6.3 Configuring ACL-based internal servers ··· 1-21
1.7 Configuring NAT444 address translation ··· 1-21
1.7.1 Configuring NAT444 static port block mapping ··· 1-21
1.7.2 Configuring NAT444 dynamic port block mapping ··· 1-22
1.7.3 Configuring global NAT444 port block sharing ··· 1-23
1.8 Configuring DS-Lite B4 address translation ··· 1-23
1.9 Adjusting the match priority of NAT rules ··· 1-24
1.9.1 Feature overview ··· 1-24
1.9.2 Restrictions and guidelines ··· 1-24
1.9.3 Prerequisites ··· 1-24
1.9.4 Adjusting the match priority of outbound dynamic NAT rules ··· 1-25
1.9.5 Adjusting the match priority of inbound dynamic NAT rules ··· 1-25
1.9.6 Adjusting the match priority of inbound one-to-one static NAT rules ··· 1-25
1.9.7 Adjusting the match priority of outbound one-to-one static NAT rules ··· 1-25
1.9.8 Adjusting the match priority of ACL-based internal server NAT rules ··· 1-26
1.10 Enabling NAT port load sharing ··· 1-26
1.11 Configuring DNS mapping ··· 1-26
1.12 Configuring NAT hairpin ··· 1-27
1.13 Configuring NAT ALG ··· 1-27
1.14 Configuring NAT logging ··· 1-28
1.14.1 Configuring NAT session logging ··· 1-28
1.14.2 Configuring NAT444 user logging ··· 1-28
1.14.3 Configuring NAT alarm logging ··· 1-29
1.14.4 Configuring the usage threshold for dynamic NAT444 port blocks ··· 1-30
1.15 Enabling ICMP error messages on NAT translation failure ··· 1-30
1.16 Enabling redirection of reverse packets ··· 1-30
1.17 Enabling removal of timestamps from TCP SYN and SYN ACK packets ··· 1-31
1.18 Enabling NAT session creation rate statistics ··· 1-31
1.19 Displaying and maintaining NAT ··· 1-31
1.20 NAT configuration examples ··· 1-32
1.20.1 Example: internal users accessing the external network through NAT addresses (static address translation) ··· 1-32
1.20.2 Example: internal users accessing the external network through NAT addresses (non-overlapping addresses) ··· 1-34
1.20.3 Example: internal users accessing the external network through NAT addresses (overlapping addresses) ··· 1-36
1.20.4 Example: external users accessing an internal server through an external address ··· 1-40
1.20.5 Example: external users accessing an internal server by domain name (non-overlapping addresses) ··· 1-42
1.20.6 Example: external users accessing an internal server by domain name (overlapping addresses) ··· 1-45
1.20.7 Example: internal users accessing an internal server through NAT addresses ··· 1-49
1.20.8 Example: internal users accessing each other through NAT addresses ··· 1-52
1.20.9 Example: mutual access between two VPNs with overlapping addresses ··· 1-55
1.20.10 Example: internal server load sharing ··· 1-58
1.20.11 Example: NAT DNS mapping ··· 1-61
1.20.12 Example: NAT444 static port block mapping ··· 1-65
1.20.13 Example: NAT444 dynamic port block mapping ··· 1-67
1.20.14 Example: DS-Lite B4 dynamic port block mapping ··· 1-70