1.实验拓扑

2.实验配置

[SW1]dis cu
#
sysname SW1
#
vlan batch 10 20
#
interface Vlanif10ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20ip address 192.168.20.253 255.255.255.0
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 20
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 10
#
interface GigabitEthernet0/0/3port link-type accessport default vlan 10
#
ospf 1 router-id 1.1.1.1silent-interface Vlanif10area 0.0.0.0network 192.168.10.0 0.0.0.255network 192.168.20.0 0.0.0.255
#

[FW1]dis cu
2025-05-29 12:57:31.360 
!Software Version V500R005C10SPC300
#
sysname FW1
#
interface GigabitEthernet1/0/0undo shutdownip address 192.168.20.254 255.255.255.0
#
interface GigabitEthernet1/0/1undo shutdownip address 200.1.1.1 255.255.255.0
#
firewall zone trustset priority 85add interface GigabitEthernet0/0/0add interface GigabitEthernet1/0/0
#
firewall zone untrustset priority 5add interface GigabitEthernet1/0/1
#
ospf 1 router-id 2.2.2.2default-route-advertisearea 0.0.0.0network 192.168.20.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
#
nat address-group 1 0mode patsection 0 200.1.1.10 200.1.1.20
#
security-policyrule name trust->untrustsource-zone trustdestination-zone untrustsource-address range 192.168.10.1 192.168.10.2service httpservice httpsservice icmpaction permit
#
nat-policyrule name patsource-zone trustdestination-zone untrustsource-address 192.168.10.0 mask 255.255.255.0action source-nat address-group 1
#

[R1]dis cu
[V200R003C00]
#sysname R1
#
interface GigabitEthernet0/0/0ip address 200.1.1.2 255.255.255.0 
#
interface GigabitEthernet0/0/1ip address 100.1.1.254 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1

3.实验验证

4.配置源NAT注意事项

[FW1-address-group-1] route  enable 

[FW1]nat address-group  1
[FW1-address-group-1]undo route  enable 
[FW1-address-group-1]undo section  0

[FW1-address-group-1]section  4.4.4.4

[FW1-address-group-1]route  enable