2012-10-11 15:12:55
Address-pool problem when doing NAT with multiple exits on Cisco
1. Problem:
When a Cisco device does NAT and is connected to several public (WAN) exits, each exit has its own address pool, and the requirement is that traffic leaving through a given exit is translated with that exit's pool. Because Cisco's NAT is configured globally and has no outgoing-interface keyword, a careless configuration can let a packet leave through exit B (decided by routing) while being translated with exit A's pool (decided by the NAT ACL). If the public networks behind the exits are mutually reachable this is not a big problem, but if upstream policy causes routing problems for the pool addresses, connectivity is lost.
2. Configuration:
! interface to the internal network
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
! WAN exit 1
interface Serial1/0
 ip address 1.1.1.2 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
! WAN exit 2
interface Serial1/1
 ip address 2.2.2.2 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
! WAN exit 3
interface Serial1/2
 ip address 3.3.3.2 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
! define the address pools and the NAT rules
ip nat pool pool1 1.1.1.5 1.1.1.10 netmask 255.255.255.0
ip nat pool pool2 2.2.2.5 2.2.2.10 netmask 255.255.255.0
ip nat pool pool3 3.3.3.5 3.3.3.10 netmask 255.255.255.0
ip nat inside source route-map rm1 pool pool1 overload
ip nat inside source route-map rm2 pool pool2 overload
ip nat inside source route-map rm3 pool pool3 overload
! static routes; if a route does not drop automatically when the far end of an exit goes down, use object tracking (TRACK).
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 0.0.0.0 0.0.0.0 3.3.3.1
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
route-map rm3 permit 10
 match ip address 1
 match interface Serial1/2
!
route-map rm2 permit 10
 match ip address 1
 match interface Serial1/1
!
route-map rm1 permit 10
 match ip address 1
 match interface Serial1/0
!
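The configuration above avoids the mismatch by giving each route-map a `match interface` clause, so pool selection follows the egress interface that routing picks. The following lint script is an added example, not part of the original post: it parses an IOS-style configuration and flags every `ip nat inside source route-map ... pool ...` rule whose route-map has no `match interface`, matches an interface that is not `ip nat outside`, or uses a pool whose address range lies outside that interface's subnet. The sample configurations are constructed here and mirror the post's three-exit setup; the faulty variants are deliberately broken to show what the check reports.

```python
"""Lint a Cisco IOS NAT configuration for pool / egress-interface mismatches.

Added example (not from the original post). Constructed sample configs below.
"""
import ipaddress
import re

# Constructed sample: mirrors the three-exit configuration from the post.
SAMPLE_GOOD = """\
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
!
interface Serial1/1
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
interface Serial1/2
 ip address 3.3.3.2 255.255.255.0
 ip nat outside
!
ip nat pool pool1 1.1.1.5 1.1.1.10 netmask 255.255.255.0
ip nat pool pool2 2.2.2.5 2.2.2.10 netmask 255.255.255.0
ip nat pool pool3 3.3.3.5 3.3.3.10 netmask 255.255.255.0
ip nat inside source route-map rm1 pool pool1 overload
ip nat inside source route-map rm2 pool pool2 overload
ip nat inside source route-map rm3 pool pool3 overload
access-list 1 permit 192.168.0.0 0.0.255.255
route-map rm1 permit 10
 match ip address 1
 match interface Serial1/0
route-map rm2 permit 10
 match ip address 1
 match interface Serial1/1
route-map rm3 permit 10
 match ip address 1
 match interface Serial1/2
"""

# Constructed faulty variant: rm2 is bound to the wrong exit, so pool2's
# 2.2.2.x addresses would be used on the 3.3.3.0/24 link.
SAMPLE_BAD = SAMPLE_GOOD.replace("match interface Serial1/1", "match interface Serial1/2")

# Constructed faulty variant: rm1 has only the ACL match, so pool1 can be
# applied on whichever exit routing happens to choose.
SAMPLE_UNBOUND = SAMPLE_GOOD.replace(" match interface Serial1/0\n", "")


def parse_config(text):
    """Return (interfaces, pools, nat_rules, route_maps) from IOS-style text."""
    interfaces, pools, nat_rules, route_maps = {}, {}, [], {}
    current_if = current_rm = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level statement
            current_if = current_rm = None
            if m := re.match(r"interface (\S+)$", line):
                current_if = m.group(1)
                interfaces[current_if] = {"addr": None, "nat": None}
            elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
                pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                     ipaddress.IPv4Address(m.group(3)))
            elif m := re.match(r"ip nat inside source route-map (\S+) pool (\S+)", line):
                nat_rules.append((m.group(1), m.group(2)))
            elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line):
                current_rm = m.group(1)
                route_maps.setdefault(current_rm, {"acl": None, "interfaces": []})
            continue
        sub = line.strip()                      # indented sub-command
        if current_if:
            if m := re.match(r"ip address (\S+) (\S+)", sub):
                interfaces[current_if]["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"ip nat (inside|outside)$", sub):
                interfaces[current_if]["nat"] = m.group(1)
        elif current_rm:
            if m := re.match(r"match interface (.+)", sub):
                route_maps[current_rm]["interfaces"].extend(m.group(1).split())
            elif m := re.match(r"match ip address (\S+)", sub):
                route_maps[current_rm]["acl"] = m.group(1)
    return interfaces, pools, nat_rules, route_maps


def check_nat(interfaces, pools, nat_rules, route_maps):
    """Return a list of human-readable findings; empty means no mismatch found."""
    findings = []
    for rm_name, pool_name in nat_rules:
        rm, pool = route_maps.get(rm_name), pools.get(pool_name)
        if rm is None or pool is None:
            findings.append(f"{rm_name}: route-map or pool {pool_name} not defined")
            continue
        if not rm["interfaces"]:
            findings.append(f"{rm_name}: no 'match interface'; pool {pool_name} may be used on any exit")
            continue
        start, end = pool
        for ifname in rm["interfaces"]:
            intf = interfaces.get(ifname)
            if intf is None or intf["addr"] is None:
                findings.append(f"{rm_name}: matches unknown interface {ifname}")
                continue
            if intf["nat"] != "outside":
                findings.append(f"{rm_name}: {ifname} is not 'ip nat outside'")
            net = intf["addr"].network
            if start not in net or end not in net:
                findings.append(f"{rm_name}: pool {pool_name} {start}-{end} is outside {ifname} subnet {net}")
    return findings


def lint(text):
    """Parse and check one configuration; returns the findings list."""
    return check_nat(*parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("unbound", SAMPLE_UNBOUND)):
        print(label, lint(cfg) or "OK")
```

Running `lint()` over a config exported with `show running-config` gives a quick pre-change check that every pool is only ever used on the exit whose subnet it belongs to; a finding of "no 'match interface'" is exactly the configuration the post warns about, where routing and NAT can pick different exits.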