用于设置和管理 NAT 的路由器配置示例
本文提供处理 ExpressRoute 时适用于 Cisco ASA 和 Juniper SRX 系列路由器的 NAT 配置示例。 这些路由器配置仅供指导,不能按原样使用。 需要与供应商合作,以便为网络指定适当的配置。
重要
本页中的示例仅供指导。 必须与供应商的销售/技术团队和网络团队合作,以便指定符合需要的适当配置。 对于本页中所列配置的相关问题,Microsoft 不提供支持。 有关支持问题,必须与设备供应商联系。
以下路由器配置示例适用于 Azure 公共与 Microsoft 对等互连。 不要为 Azure 专用对等互连配置 NAT。 有关更多详细信息,请查看 ExpressRoute 对等互连和 ExpressRoute NAT 要求。
必须使用独立的 NAT IP 池来连接到 Internet 和 ExpressRoute。 在 Internet 与 ExpressRoute 中使用相同的 NAT IP 池会导致非对称路由和连接断开。
Cisco ASA 防火墙
从客户网络到 Microsoft 的流量的 PAT 配置
object network MSFT-PAT
range <SNAT-START-IP> <SNAT-END-IP>
object-group network MSFT-Range
network-object <IP> <Subnet_Mask>
object-group network on-prem-range-1
network-object <IP> <Subnet-Mask>
object-group network on-prem-range-2
network-object <IP> <Subnet-Mask>
object-group network on-prem
network-object object on-prem-range-1
network-object object on-prem-range-2
nat (outside,inside) source dynamic on-prem pat-pool MSFT-PAT destination static MSFT-Range MSFT-Range
从 Microsoft 到客户网络的流量的 PAT 配置
接口和方向:
源接口(流量进入 ASA):目标接口(流量退出 ASA)内:外部
配置:
NAT 池:
object network outbound-PAT
host <NAT-IP>
目标服务器:
object network Customer-Network
network-object <IP> <Subnet-Mask>
客户 IP 地址的对象组:
object-group network MSFT-Network-1
network-object <MSFT-IP> <Subnet-Mask>
object-group network MSFT-PAT-Networks
network-object object MSFT-Network-1
NAT 命令:
nat (inside,outside) source dynamic MSFT-PAT-Networks pat-pool outbound-PAT destination static Customer-Network Customer-Network
Juniper SRX 系列路由器
1.为群集创建冗余的以太网接口
interfaces {
reth0 {
description "To Internal Network";
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 100 {
vlan-id 100;
family inet {
address <IP-Address/Subnet-mask>;
}
}
}
reth1 {
description "To Microsoft via Edge Router";
vlan-tagging;
redundant-ether-options {
redundancy-group 2;
}
unit 100 {
description "To Microsoft via Edge Router";
vlan-id 100;
family inet {
address <IP-Address/Subnet-mask>;
}
}
}
}
2.创建两个安全区域
- 内部网络的信任区域和面向外部网络的边缘路由器的非信任区域
- 向区域分配适当的接口
- 在接口上允许服务
security {
zones {
security-zone Trust {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
interfaces {
reth0.100;
}
}
security-zone Untrust {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
interfaces {
reth1.100;
}
}
}
}
3.在区域之间创建安全策略
security {
policies {
from-zone Trust to-zone Untrust {
policy allow-any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Untrust to-zone Trust {
policy allow-any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
4.配置 NAT 策略
- 创建两个 NAT 池。 一个用于通过 NAT 转换出站到 Microsoft 的流量,另一个用于从 Microsoft 发往客户的流量。
- 创建规则以通过 NAT 转换相应的流量
security {
nat {
source {
pool SNAT-To-ExpressRoute {
routing-instance {
External-ExpressRoute;
}
address {
<NAT-IP-address/Subnet-mask>;
}
}
pool SNAT-From-ExpressRoute {
routing-instance {
Internal;
}
address {
<NAT-IP-address/Subnet-mask>;
}
}
rule-set Outbound_NAT {
from routing-instance Internal;
to routing-instance External-ExpressRoute;
rule SNAT-Out {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
SNAT-To-ExpressRoute;
}
}
}
}
}
rule-set Inbound-NAT {
from routing-instance External-ExpressRoute;
to routing-instance Internal;
rule SNAT-In {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
SNAT-From-ExpressRoute;
}
}
}
}
}
}
}
}
5.配置 BGP 以朝每个方向播发选择的前缀
请参阅路由配置示例页中的示例。
6.创建策略
routing-options {
autonomous-system <Customer-ASN>;
}
policy-options {
prefix-list Microsoft-Prefixes {
<IP-Address/Subnet-Mask;
<IP-Address/Subnet-Mask;
}
prefix-list private-ranges {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
100.64.0.0/10;
}
policy-statement Advertise-NAT-Pools {
from {
protocol static;
route-filter <NAT-Pool-Address/Subnet-mask> prefix-length-range /32-/32;
}
then accept;
}
policy-statement Accept-from-Microsoft {
term 1 {
from {
instance External-ExpressRoute;
prefix-list-filter Microsoft-Prefixes orlonger;
}
then accept;
}
term deny {
then reject;
}
}
policy-statement Accept-from-Internal {
term no-private {
from {
instance Internal;
prefix-list-filter private-ranges orlonger;
}
then reject;
}
term bgp {
from {
instance Internal;
protocol bgp;
}
then accept;
}
term deny {
then reject;
}
}
}
routing-instances {
Internal {
instance-type virtual-router;
interface reth0.100;
routing-options {
static {
route <NAT-Pool-IP-Address/Subnet-mask> discard;
}
instance-import Accept-from-Microsoft;
}
protocols {
bgp {
group customer {
export <Advertise-NAT-Pools>;
peer-as <Customer-ASN-1>;
neighbor <BGP-Neighbor-IP-Address>;
}
}
}
}
External-ExpressRoute {
instance-type virtual-router;
interface reth1.100;
routing-options {
static {
route <NAT-Pool-IP-Address/Subnet-mask> discard;
}
instance-import Accept-from-Internal;
}
protocols {
bgp {
group edge-router {
export <Advertise-NAT-Pools>;
peer-as <Customer-Public-ASN>;
neighbor <BGP-Neighbor-IP-Address>;
}
}
}
}
}
后续步骤
有关详细信息,请参阅 ExpressRoute 常见问题解答。