Configuring Twice Dynamic NAT for Next Gen Services
Configuring the Source and Destination Pools for Twice Dynamic NAT
To configure the source and destination pools for twice dynamic NAT:
- Create the source pool.
user@host# edit services nat source pool nat-pool-name
- Define the address or subnet that source addresses are translated to.
[edit services nat source pool nat-pool-name] user@host# set address address-prefix
or
[edit services nat source pool nat-pool-name] user@host# set address address-prefix to address address-prefix
- Disable port translation. Twice dynamic NAT maps each internal address to an external address one-to-one without changing ports, so the source pool must hold at least as many addresses as there are internal hosts that can be active at the same time. This statement belongs to the source pool, not the destination pool.
[edit services nat source pool nat-pool-name] user@host# set port no-translation
- Define the NAT pool utilization levels that trigger an SNMP trap. raise-threshold is the pool utilization percentage at which the trap is raised, in the range 50 through 100. clear-threshold is the pool utilization percentage at which the trap is cleared, in the range 40 through 100. Utilization is based on the number of addresses in use.
[edit services nat source pool nat-pool-name] user@host# set pool-utilization-alarm raise-threshold value
user@host# set pool-utilization-alarm clear-threshold value
If you do not configure pool-utilization-alarm, no trap is created. Because ports are not translated, an exhausted source pool means additional internal hosts cannot be translated, so this alarm is the early warning for that condition; set raise-threshold below 100 to get notice before the pool is full.
- Create the destination pool. Do not use the same name that you used for the source pool.
user@host# edit services nat destination pool nat-pool-name
- Define the address or subnet that destination addresses are translated to.
[edit services nat destination pool nat-pool-name] user@host# set address address-prefix
- To allow the IP addresses of a NAT source or destination pool to overlap with the IP addresses in pools used by other service sets, configure allow-overlapping-pools. Leave it unset unless you need it: with overlapping pools the same translated address can be held by different internal hosts in different service sets, so NAT logs must be correlated with the service set before they identify a host.
[edit services nat] user@host# set allow-overlapping-pools
Configuring the NAT Rules for Twice Dynamic NAT
To configure the source and destination NAT rules for twice dynamic NAT:
- Configure the source NAT rule name.
[edit services nat source] user@host# set rule-set rule-set-name rule rule-name
- Specify the direction of traffic to which the NAT rule set applies.
[edit services nat source rule-set rule-set-name] user@host# set match-direction (in | out | in-out)
- Specify the addresses that are translated by the source NAT rule.
To specify one address or prefix value:
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set match source-address address
To specify a range of addresses, configure an address book global address with the required address range, and assign the global address to the NAT rule:
[edit services address-book global] user@host# set address address-name range-address lower-limit to upper-limit
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set match source-address-name address-name
To specify any unicast address:
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set match source-address any-unicast
any-unicast matches every source, so use match-direction and the application list to scope the rule rather than relying on the address match alone.
- Specify one or more application protocols to which the source NAT rule applies. The number of applications listed in a rule must not exceed 3072.
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set match application [application-name]
- If you want to ensure that all sessions from the same internal host are assigned the same external IP address, configure the address pooling paired feature.
[edit services nat source rule-set rule-set-name rule rule-name then source-nat mapping-type] user@host# set address-pooling-paired
- Specify the timeout period for address-pooling-paired mappings that use the NAT pool. The range is 120 through 86,400 seconds; the default is 300. Mappings that are inactive for this period are removed.
[edit services nat source pool nat-pool-name] user@host# set mapping-timeout mapping-timeout
If ei-mapping-timeout is not configured for endpoint-independent translations, the mapping-timeout value is used for endpoint-independent translations as well.
- Specify the source NAT pool that contains the addresses for translated traffic.
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set then source-nat pool nat-pool-name
- Configure the generation of a system log when traffic matches the NAT rule conditions. Enable this on any rule whose translations you may later need to attribute to an internal host; without it there is no record of which internal address held a given external address at a given time.
[edit services nat source rule-set rule-set-name rule rule-name then] user@host# set syslog
- Configure the destination NAT rule name.
[edit services nat destination] user@host# set rule-set rule-set-name rule rule-name
- Specify the direction of traffic to which the destination NAT rule set applies.
[edit services nat destination rule-set rule-set-name] user@host# set match-direction (in | out | in-out)
- Specify the destination address of the traffic to which the destination NAT rule applies.
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match destination-address address
To specify a range of addresses, configure an address book global address with the required address range, and assign the global address to the NAT rule:
[edit services address-book global] user@host# set address address-name range-address lower-limit to upper-limit
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match destination-address-name address-name
To specify any unicast address:
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match destination-address any-unicast
- Specify one or more application protocols to which the destination NAT rule applies. The number of applications listed in a rule must not exceed 3072. This statement is set under the destination rule, not the source rule.
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match application [application-name]
- Specify the destination NAT pool that contains the destination addresses for translated traffic.
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set then destination-nat pool nat-pool-name
- Configure the generation of a system log when traffic matches the destination NAT rule conditions.
[edit services nat destination rule-set rule-set-name rule rule-name then] user@host# set syslog
Configuring the Service Set for Twice Dynamic NAT
To configure the service set for twice dynamic NAT:
- Define the service set.
[edit services] user@host# edit service-set service-set-name
- Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and an outside service interface.
[edit services service-set service-set-name] user@host# set interface-service service-interface interface-name
or
[edit services service-set service-set-name] user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name
- Specify the NAT rule sets to use with the service set. Include both the source NAT rule set and the destination NAT rule set; if only one is attached, only that half of the translation takes place.
[edit services service-set service-set-name] user@host# set nat-rule-sets rule-set-name
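The three procedures above (pools, rules, service set) put together as one complete configuration. This is an added example, not taken from the Juniper page; it uses only the hierarchies the procedures show. The pool names src-pool-1 and dst-pool-1, the rule set and rule names src-rs-1/src-r-1 and dst-rs-1/dst-r-1, the address book entry inside-hosts, the service set twice-nat-ss, the vms-1/0/0 service interface, the threshold and timeout values, and the RFC 5737 documentation prefixes are all assumptions chosen for illustration. Flows are assumed to originate on the inside, so both rule sets use match-direction in; the lines starting with ## are explanatory and should be dropped before pasting the rest into configuration mode.

```junos
## Address book entry that limits the source rule to one range of inside hosts
set services address-book global address inside-hosts range-address 10.1.1.10 to 10.1.1.200

## Source pool: one-to-one address translation (no port translation), a paired-mapping
## timeout, and a utilization alarm so exhaustion is noticed before new hosts start failing
set services nat source pool src-pool-1 address 203.0.113.0/24
set services nat source pool src-pool-1 port no-translation
set services nat source pool src-pool-1 mapping-timeout 600
set services nat source pool src-pool-1 pool-utilization-alarm raise-threshold 80
set services nat source pool src-pool-1 pool-utilization-alarm clear-threshold 60

## Destination pool: a different name from the source pool, as the procedure requires
set services nat destination pool dst-pool-1 address 192.168.100.0/24

## Source NAT rule: translate the inside-hosts range for HTTP/HTTPS, keep each host on the
## same external address (address-pooling-paired), and log every match for later attribution
set services nat source rule-set src-rs-1 match-direction in
set services nat source rule-set src-rs-1 rule src-r-1 match source-address-name inside-hosts
set services nat source rule-set src-rs-1 rule src-r-1 match application [ junos-http junos-https ]
set services nat source rule-set src-rs-1 rule src-r-1 then source-nat pool src-pool-1
set services nat source rule-set src-rs-1 rule src-r-1 then source-nat mapping-type address-pooling-paired
set services nat source rule-set src-rs-1 rule src-r-1 then syslog

## Destination NAT rule: rewrite the published destination prefix to the internal prefix
## for the same applications, and log matches
set services nat destination rule-set dst-rs-1 match-direction in
set services nat destination rule-set dst-rs-1 rule dst-r-1 match destination-address 198.51.100.0/24
set services nat destination rule-set dst-rs-1 rule dst-r-1 match application [ junos-http junos-https ]
set services nat destination rule-set dst-rs-1 rule dst-r-1 then destination-nat pool dst-pool-1
set services nat destination rule-set dst-rs-1 rule dst-r-1 then syslog

## Service set: next-hop style with inside and outside service interfaces; both rule sets
## are attached so that source and destination are translated on the same flow
set services service-set twice-nat-ss next-hop-service inside-service-interface vms-1/0/0.1 outside-service-interface vms-1/0/0.2
set services service-set twice-nat-ss nat-rule-sets src-rs-1
set services service-set twice-nat-ss nat-rule-sets dst-rs-1
```

allow-overlapping-pools is deliberately not set, so a commit fails rather than silently sharing addresses if another service set already uses 203.0.113.0/24 or 192.168.100.0/24. The source pool holds 254 addresses for a 191-address inside range, so with port translation disabled every host can be translated at once; with raise-threshold at 80 the trap fires at about 203 addresses in use, before the pool runs out. After committing, the pool and rule state can be checked with the show services nat source pool, show services nat source rule, show services nat destination pool and show services nat destination rule operational commands (assumed here to be available on the platform; the page itself does not list verification commands).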