組網及說明
問題描述
組網如圖,配置如下。內網終端相同,想要通過acl匹配不同目的地址,nat outbound轉換成不同的源地址。但是測試發現,如果同時訪問兩個目的地址的話,隻會轉換成同一個源地址
#
nat address-group 1
address 3.3.3.10 3.3.3.20
#
nat address-group 2
address 3.3.3.40 3.3.3.50
##
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 3.3.3.3 255.255.255.0
nat outbound 3001 address-group 2 no-pat
nat outbound 3000 address-group 1 no-pat
#
acl advanced 3000
rule 5 permit ip source 10.0.0.1 0 destination 40.0.0.1 0
acl advanced 3001
rule 0 permit ip source 10.0.0.1 0 destination 30.0.0.1 0
過程分析
設備上debug nat packet發現,10.0.0.1訪問30.0.0.1和40.0.0.1確實都轉換成了address-group 1中相同的地址
[H3C-acl-ipv4-adv-3000]*Dec 17 12:54:22:042 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out-config) Protocol: ICMP
10.0.0.1:10987 - 30.0.0.1: 2048(VPN: 0) ------>
3.3.3.15:10987 - 30.0.0.1: 2048(VPN: 0)
*Dec 17 12:54:22:043 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-in-session) Protocol: ICMP
30.0.0.1:10987 - 3.3.3.15: 0(VPN: 0) ------>
30.0.0.1:10987 - 10.0.0.1: 0(VPN: 0)
*Dec 17 12:54:26:739 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-out-config) Protocol: ICMP
10.0.0.1:10988 - 40.0.0.1: 2048(VPN: 0) ------>
3.3.3.15:10988 - 40.0.0.1: 2048(VPN: 0)
*Dec 17 12:54:26:739 2024 H3C NAT/7/COMMON:
PACKET: (GigabitEthernet0/1-in-session) Protocol: ICMP
40.0.0.1:10988 - 3.3.3.15: 0(VPN: 0) ------>
40.0.0.1:10988 - 10.0.0.1: 0(VPN: 0)
解決方法
經確認,no-pat方式隻會匹配源ip,當已經有了一個會話的時候,後麵所有相同的源ip都會轉換成相同的地址,去掉no-pat之後可以正常匹配acl,轉換成對應address-group中的地址