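IPv4 access control lists
source-acl-number: the number of the source IPv4 ACL; this IPv4 ACL must already exist.
- 2000~2999: basic IPv4 ACL;
- 3000~3999: advanced IPv4 ACL;
- 4000~4999: Layer 2 ACL;
- 5000~5999: user-defined ACL.
Standard access control list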
acl number 2000
rule permit source 192.168.0.2 0.0.0.0
rule permit source 192.168.3.0 0.0.0.255
rule deny source 192.168.5.0 0.0.0.255
Check the result:
<H3C>dis acl 2000
dis acl 2000
Basic ACL 2000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit source 192.168.0.2 0
rule 5 permit source 192.168.3.0 0.0.0.255
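How the wildcard masks and rule IDs of ACL 2000 decide which rule a source address hits, as an added example that is not part of the original notes or of H3C's software. The function names parse_basic_acl and evaluate are hypothetical; the code assumes the default config match order (ascending rule ID) and returns None when no rule matches, because that outcome depends on the feature that references the ACL.

```python
import ipaddress

STEP = 5  # matches "ACL's step is 5" in the display output

def parse_basic_acl(lines, step=STEP):
    """Turn 'rule [id] permit|deny source ADDR WILDCARD' lines into a list of
    (rule_id, action, address, wildcard) tuples ordered by rule ID."""
    rules, highest = [], None
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "rule":
            continue                              # e.g. the "acl number" line
        i = 1
        if tok[i].isdigit():                      # explicit rule ID
            rule_id, i = int(tok[i]), i + 1
        else:                                     # next multiple of the step
            rule_id = 0 if highest is None else (highest // step + 1) * step
        action, keyword, addr, wild = tok[i:i + 4]
        if action not in ("permit", "deny") or keyword != "source":
            raise ValueError(f"unsupported rule: {line!r}")
        # The display output abbreviates a host wildcard 0.0.0.0 as "0".
        wild_int = 0 if wild == "0" else int(ipaddress.IPv4Address(wild))
        rules.append((rule_id, action, int(ipaddress.IPv4Address(addr)), wild_int))
        highest = rule_id if highest is None else max(highest, rule_id)
    return sorted(rules)

def evaluate(rules, src):
    """Return (rule_id, action) of the first matching rule, or None."""
    ip = int(ipaddress.IPv4Address(src))
    for rule_id, action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF                 # wildcard 1-bits are ignored
        if (ip & care) == (addr & care):
            return rule_id, action
    return None

# The three rule lines entered for ACL 2000 above.
ACL_2000 = [
    "acl number 2000",
    "rule permit source 192.168.0.2 0.0.0.0",
    "rule permit source 192.168.3.0 0.0.0.255",
    "rule deny source 192.168.5.0 0.0.0.255",
]
RULES = parse_basic_acl(ACL_2000)

if __name__ == "__main__":
    # Constructed sample source addresses
    for src in ("192.168.0.2", "192.168.0.3", "192.168.3.77", "192.168.5.9"):
        print(src, evaluate(RULES, src))
```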
---------------------------------------------------------------------------
Extended access control list
acl number 3002 name xiaoxiao
rule permit tcp source 192.168.3.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
--------------------------------------------------------------------------------------------------------------------------------------------------------
Delete:
[H3C]undo acl number 3009
undo acl number 3009
[H3C]
[H3C]undo acl name zhangtian
undo acl name zhangtian
-----------------------------------------------------------------------------------------------------------------------------------------------------
IPv6 access control lists:
Standard access control list:
acl ipv6 number 2000 name xiaoxiao
rule permit source 2010::/64
rule 5 permit source 2020::/64
rule 6 permit source 2030::/64
Check the result:
<H3C>dis acl ipv6 all
dis acl ipv6 all
Basic IPv6 ACL 2000, named xiaoxiao, 0 rule,
ACL's step is 5
Basic IPv6 ACL 2010, named xiaosan, 4 rules,
ACL's step is 5
rule 0 permit source 2010::/64
rule 5 permit source 2020::/64
rule 6 permit source 2030::/64
rule 8 permit source 2040::/64
Extended access control list:
acl ipv6 number 3010 name wangwang
rule permit tcp source 3010::/64 destination 1010::/64 destination-port eq 80
Delete an IPv6 access control list
First, check:
<H3C>
<H3C>dis acl ipv6 all
dis acl ipv6 all
Basic IPv6 ACL 2000, named xiaoxiao, 0 rule,
ACL's step is 5
Basic IPv6 ACL 2010, named xiaosan, 4 rules,
ACL's step is 5
rule 0 permit source 2010::/64
rule 5 permit source 2020::/64
rule 6 permit source 2030::/64
rule 8 permit source 2040::/64
Advanced IPv6 ACL 3010, named wangwang, 1 rule,
ACL's step is 5
rule 0 permit tcp source 3010::/64 destination 1010::/64 destination-port eq www
undo acl ipv6 number 3010
undo acl ipv6 name wangwang
Apply the ACL to the corresponding interface:
int e0/1/0
firewall packet-filter 2001 inbound
quit
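NAT configuration:
system-view
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255 (specifies the internal private IP addresses to be NATed)
quit
nat address-group 1 202.232.61.158 202.232.61.200 (specifies the public IP addresses used after NAT)
int e0/1/0
nat outbound 2000 address-group 1 (performs address translation on the interface from the internal network to the external network)
The basic IPv4 and IPv6 ACL configuration is complete, and the basic NAT configuration is complete.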