Router configuration samples to set up and manage NAT

This article provides NAT configuration samples for Cisco ASA and Juniper SRX series routers when working with ExpressRoute. These router configurations are intended to be samples for guidance only and must not be used as is. You'll need to work with your vendor to come up with appropriate configurations for your network.

Important

本页中的示例仅供指导。Samples in this page are intended to be purely for guidance. 必须与供应商的销售/技术团队和网络团队合作,以便指定符合需要的适当配置。You must work with your vendor's sales / technical team and your networking team to come up with appropriate configurations to meet your needs. 对于本页中所列配置的相关问题,Microsoft 不提供支持。Microsoft will not support issues related to configurations listed in this page. 有关支持问题,必须与设备供应商联系。You must contact your device vendor for support issues.

  • The router configuration samples below apply to Azure public and Microsoft peerings. You must not configure NAT for Azure private peering. Review ExpressRoute peerings and ExpressRoute NAT requirements for more details.

  • You MUST use separate NAT IP pools for connectivity to the internet and ExpressRoute. Using the same NAT IP pool across the internet and ExpressRoute will result in asymmetric routing and loss of connectivity.
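The two requirements above (separate pools for internet and ExpressRoute; NAT pools for the Microsoft-facing peerings drawn from public space rather than the private and shared ranges that the Juniper sample's private-ranges prefix-list rejects) are easy to violate when pools are edited by hand. The following Python script is an added example, not part of the Microsoft page or of any vendor configuration: it checks a set of pool prefixes for overlap and for private/CGNAT space, and checks that a Cisco ASA `range <start> <end>` lies inside the pool it is meant to draw from. All addresses in it are constructed RFC 5737 documentation prefixes, and the function names are the example's own.

```python
"""
Added example (not from the Microsoft page): sanity checks for the NAT pools
used in the ExpressRoute samples.

Checks performed:
  1. No ExpressRoute pool overlaps an internet-breakout pool (the page's MUST).
  2. ExpressRoute pools contain no private or shared address space
     (10/8, 172.16/12, 192.168/16, 100.64/10), the same ranges the Juniper
     sample's `private-ranges` prefix-list rejects.
  3. A Cisco ASA `range <start> <end>` lies entirely inside the pool prefix it
     is supposed to draw from.
All IP values below are constructed placeholders, not addresses from the page.
"""
import ipaddress
from typing import Iterable, List

# Same list as the Juniper sample's private-ranges prefix-list.
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
)]


def overlapping_pools(expressroute: Iterable[str], internet: Iterable[str]) -> List[str]:
    """Return 'er_prefix <-> inet_prefix' for every overlapping pair of pools."""
    er = [ipaddress.ip_network(p, strict=True) for p in expressroute]
    inet = [ipaddress.ip_network(p, strict=True) for p in internet]
    return [f"{a} <-> {b}" for a in er for b in inet if a.overlaps(b)]


def non_public_pools(pools: Iterable[str]) -> List[str]:
    """Return pool prefixes that fall (even partly) into private or CGNAT space."""
    found = []
    for p in pools:
        net = ipaddress.ip_network(p, strict=True)
        if any(net.overlaps(priv) for priv in PRIVATE_RANGES):
            found.append(str(net))
    return found


def asa_range_inside_pool(start: str, end: str, pool: str) -> bool:
    """True if an ASA 'range start end' is ordered and fully contained in pool."""
    net = ipaddress.ip_network(pool, strict=True)
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return s <= e and s in net and e in net


def check(expressroute_pools, internet_pools, asa_ranges):
    """Run all three checks; every list in the result is empty when the pools are OK."""
    return {
        "overlap": overlapping_pools(expressroute_pools, internet_pools),
        "non_public": non_public_pools(expressroute_pools),
        "asa_range_outside_pool": [
            f"{s}-{e} not in {pool}"
            for s, e, pool in asa_ranges
            if not asa_range_inside_pool(s, e, pool)
        ],
    }


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation prefixes stand in for the
    # customer's real public pools.
    good = check(
        expressroute_pools=["203.0.113.0/28"],
        internet_pools=["203.0.113.16/28"],
        asa_ranges=[("203.0.113.1", "203.0.113.14", "203.0.113.0/28")],
    )
    bad = check(
        expressroute_pools=["203.0.113.0/28", "100.64.1.0/24"],          # CGNAT space
        internet_pools=["203.0.113.0/24"],                                 # overlaps ER pool
        asa_ranges=[("203.0.113.1", "203.0.113.30", "203.0.113.0/28")],   # end outside /28
    )
    for name, findings in (("good", good), ("bad", bad)):
        print(name, findings)
```

Run it against the pools you intend to put into the `object network ... range` (ASA) or `pool ... address` (SRX) statements before committing; any non-empty list in the result is a configuration that will advertise the wrong addresses or, for overlapping pools, produce the asymmetric routing the page warns about.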

Cisco ASA firewalls

PAT configuration for traffic from customer network to Microsoft

! PAT pool: the public addresses that customer traffic is translated to before it reaches Microsoft
object network MSFT-PAT
  range <SNAT-START-IP> <SNAT-END-IP>

! Microsoft prefixes learned over the peering (only traffic to these is translated)
object-group network MSFT-Range
  network-object <IP> <Subnet_Mask>

object-group network on-prem-range-1
  network-object <IP> <Subnet-Mask>

object-group network on-prem-range-2
  network-object <IP> <Subnet-Mask>

! Nested object groups are referenced with group-object (network-object object only accepts a network object)
object-group network on-prem
  group-object on-prem-range-1
  group-object on-prem-range-2

! Twice NAT, written as (real_ifc,mapped_ifc): on-prem sources are translated to the MSFT-PAT pool
! only when the destination is in MSFT-Range; the destination itself is kept unchanged
nat (outside,inside) source dynamic on-prem pat-pool MSFT-PAT destination static MSFT-Range MSFT-Range

PAT configuration for traffic from Microsoft to customer network

Interfaces and direction (in this sample the interface facing Microsoft is named inside and the interface facing the customer network is named outside; substitute your own nameif values):

Source Interface (where the traffic enters the ASA): inside
Destination Interface (where the traffic exits the ASA): outside

Configuration:

NAT pool (the single address that Microsoft-originated traffic is translated to before it enters the customer network):

object network outbound-PAT
    host <NAT-IP>

Customer network (the destination, which the rule keeps unchanged):

object network Customer-Network
    subnet <IP> <Subnet-Mask>

Object groups for the Microsoft IP addresses that are translated:

object-group network MSFT-Network-1
    network-object <MSFT-IP> <Subnet-Mask>

object-group network MSFT-PAT-Networks
    group-object MSFT-Network-1

NAT command (twice NAT, (real_ifc,mapped_ifc); the destination is kept unchanged):

nat (inside,outside) source dynamic MSFT-PAT-Networks pat-pool outbound-PAT destination static Customer-Network Customer-Network

Juniper SRX series routers

1. Create redundant Ethernet interfaces for the cluster

    interfaces {
        reth0 {
            description "To Internal Network";
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 100 {
                vlan-id 100;
                family inet {
                    address <IP-Address/Subnet-mask>;
                }
            }
        }
        reth1 {
            description "To Microsoft via Edge Router";
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 2;
            }
            unit 100 {
                description "To Microsoft via Edge Router";
                vlan-id 100;
                family inet {
                    address <IP-Address/Subnet-mask>;
                }
            }
        }
    }

2. Create two security zones

  • A Trust zone for the internal network and an Untrust zone for the external network facing the edge routers
  • Assign the appropriate interfaces to the zones
  • Allow the host-inbound services the SRX itself needs on those interfaces (ping for reachability tests and BGP for the peerings in step 6)
    security {
        zones {
            security-zone Trust {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    reth0.100;
                }
            }
            security-zone Untrust {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    reth1.100;
                }
            }
        }
    }

3. Create security policies between zones

The sample permits any source, destination and application in both directions so that the NAT behaviour can be verified. In production, restrict the Untrust-to-Trust policy to the customer destinations and applications you intend to expose to Microsoft, and the Trust-to-Untrust policy to the Microsoft prefixes you carry over the peering.

    security {
        policies {
            from-zone Trust to-zone Untrust {
                policy allow-any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Untrust to-zone Trust {
                policy allow-any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

4. Configure NAT policies

  • Create two NAT pools. One is used to NAT traffic outbound to Microsoft and the other for traffic from Microsoft to the customer. The pool addresses are not configured on any interface, so step 6 installs a discard route for each pool in its routing instance and advertises that route to the BGP neighbour on that side, so that return traffic is drawn to the SRX.
  • Create rules to NAT the respective traffic
       security {
           nat {
               source {
                   pool SNAT-To-ExpressRoute {
                       routing-instance {
                           External-ExpressRoute;
                       }
                       address {
                           <NAT-IP-address/Subnet-mask>;
                       }
                   }
                   pool SNAT-From-ExpressRoute {
                       routing-instance {
                           Internal;
                       }
                       address {
                           <NAT-IP-address/Subnet-mask>;
                       }
                   }
                   rule-set Outbound_NAT {
                       from routing-instance Internal;
                       to routing-instance External-ExpressRoute;
                       rule SNAT-Out {
                           match {
                               source-address 0.0.0.0/0;
                           }
                           then {
                               source-nat {
                                   pool {
                                       SNAT-To-ExpressRoute;
                                   }
                               }
                           }
                       }
                   }
                   rule-set Inbound-NAT {
                       from routing-instance External-ExpressRoute;
                       to routing-instance Internal;
                       rule SNAT-In {
                           match {
                               source-address 0.0.0.0/0;
                           }
                           then {
                               source-nat {
                                   pool {
                                       SNAT-From-ExpressRoute;
                                   }
                               }
                           }
                       }
                   }
               }
           }
       }

5. Configure BGP to advertise selective prefixes in each direction

Refer to the samples in the Routing configuration samples page. Note that the Advertise-NAT-Pools export policy used in step 6 has an accept term for the pool's static route and no final reject term, so routes it does not match fall through to the default BGP export policy (active BGP routes are readvertised); add explicit terms if you need to limit what is advertised in each direction.

6. Create policies

    routing-options {
        autonomous-system <Customer-ASN>;
    }
    policy-options {
        prefix-list Microsoft-Prefixes {
            <IP-Address/Subnet-Mask>;
            <IP-Address/Subnet-Mask>;
        }
        prefix-list private-ranges {
            10.0.0.0/8;
            172.16.0.0/12;
            192.168.0.0/16;
            100.64.0.0/10;
        }
        policy-statement Advertise-NAT-Pools {
            from {
                protocol static;
                /* match the discard route installed for the pool in the routing instance, whatever its mask */
                route-filter <NAT-Pool-Address/Subnet-mask> exact;
            }
            then accept;
        }
        policy-statement Accept-from-Microsoft {
            term 1 {
                from {
                    instance External-ExpressRoute;
                    prefix-list-filter Microsoft-Prefixes orlonger;
                }
                then accept;
            }
            term deny {
                then reject;
            }
        }
        policy-statement Accept-from-Internal {
            term no-private {
                from {
                    instance Internal;
                    prefix-list-filter private-ranges orlonger;
                }
                then reject;
            }
            term bgp {
                from {
                    instance Internal;
                    protocol bgp;
                }
                then accept;
            }
            term deny {
                then reject;
            }
        }
    }
    routing-instances {
        Internal {
            instance-type virtual-router;
            interface reth0.100;
            routing-options {
                static {
                    route <NAT-Pool-IP-Address/Subnet-mask> discard;
                }
                instance-import Accept-from-Microsoft;
            }
            protocols {
                bgp {
                    group customer {
                        export Advertise-NAT-Pools;
                        peer-as <Customer-ASN-1>;
                        neighbor <BGP-Neighbor-IP-Address>;
                    }
                }
            }
        }
        External-ExpressRoute {
            instance-type virtual-router;
            interface reth1.100;
            routing-options {
                static {
                    route <NAT-Pool-IP-Address/Subnet-mask> discard;
                }
                instance-import Accept-from-Internal;
            }
            protocols {
                bgp {
                    group edge-router {
                        export Advertise-NAT-Pools;
                        peer-as <Customer-Public-ASN>;
                        neighbor <BGP-Neighbor-IP-Address>;
                    }
                }
            }
        }
    }

Next steps

For more information, see the ExpressRoute FAQ.