Preface:
NAT (network address translation) turns private addresses into public addresses, which is how inside hosts reach the Internet.
On a Huawei layer-3 switch you cannot put an IP address directly on the physical port; you have to configure a VLANIF interface.
In an enterprise with a lot of data traffic, use a better router.
Multiple private addresses map to the IP address of the outside interface.
You need an ACL rule that permits only the intended network segment, written as the network followed by its wildcard mask (the inverse of the subnet mask).
Then apply it on the outside interface by referencing the ACL number.
Network Address Translation
1: NAT overview
1.1 NAT concept and implementation methods
- Background of address translation
- How NAT works
- network address translation
- NAT implementation methods
- Static translation
- Dynamic translation
- Port multiplexing (port address translation, PAT), Easy IP
With PAT the translation is keyed on the source port; otherwise returning data could not be matched to the right inside host.
1.2 NAT terminology and the translation table
NAT translation entries
Extended translation entries
1.3 How each NAT implementation method works
- Static translation and dynamic translation
1.4 NAT characteristics
1.4.1 Advantages of NAT
- Saves legitimate public IP addresses
- Handles overlapping address space
- Increases flexibility
- Security
1.4.2 Disadvantages of NAT
- Added latency
- Configuration and maintenance complexity
- Some applications are not supported; this can be worked around with static NAT mappings
2: Hands-on:
2.1 Basic configuration
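As an added illustration (not code from the original notes) of the three modes listed above, the toy model below keeps a static 1:1 mapping, a dynamic no-pat pool built from an address-group range, and a PAT table on the outbound interface address; the return-path lookup shows why PAT needs the port while the other two modes need only the address. The starting port 10240 and the pool/hosts used in the comments are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]          # (inside address, inside source port)

def address_group(first: str, last: str) -> List[str]:
    """Expand an address-group range such as 212.0.0.100 212.0.0.200 into a list."""
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

class NatTable:
    """Toy model of static, dynamic no-pat and PAT translation (port numbering assumed)."""
    def __init__(self, static: Dict[str, str], pool: List[str], interface_ip: str):
        self.static = static                     # inside -> global, fixed 1:1
        self.static_rev = {g: i for i, g in static.items()}
        self.free_pool = list(pool)              # no-pat: one global address per inside host
        self.dynamic: Dict[str, str] = {}
        self.interface_ip = interface_ip         # PAT / Easy IP uses the outbound interface address
        self.next_port = 10240                   # assumed first translated port
        self.pat: Dict[Flow, int] = {}
        self.pat_rev: Dict[Tuple[str, int], Flow] = {}

    def outbound(self, src_ip: str, src_port: int, mode: str) -> Optional[Tuple[str, int]]:
        """Translate a flow leaving the inside; None means no global address is available."""
        if mode == "static":
            g = self.static.get(src_ip)
            return (g, src_port) if g else None
        if mode == "no-pat":
            if src_ip not in self.dynamic:
                if not self.free_pool:
                    return None                  # pool exhausted: this host cannot get out
                self.dynamic[src_ip] = self.free_pool.pop(0)
            return (self.dynamic[src_ip], src_port)
        if mode == "pat":
            key = (src_ip, src_port)
            if key not in self.pat:              # a distinct port per flow tells replies apart
                self.pat[key] = self.next_port
                self.pat_rev[(self.interface_ip, self.next_port)] = key
                self.next_port += 1
            return (self.interface_ip, self.pat[key])
        raise ValueError(f"unknown mode {mode}")

    def inbound(self, global_ip: str, global_port: int) -> Optional[Flow]:
        """Return path: static and no-pat resolve on the address alone, PAT needs address AND port."""
        if global_ip in self.static_rev:
            return (self.static_rev[global_ip], global_port)
        for inside, g in self.dynamic.items():
            if g == global_ip:
                return (inside, global_port)
        return self.pat_rev.get((global_ip, global_port))
```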
LSW1
The device is running!
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname LSW1
[LSW1]vlan bat 10 20 30 40
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1]int g 0/0/1
[LSW1-GigabitEthernet0/0/1]p l a
[LSW1-GigabitEthernet0/0/1]p d v 10
[LSW1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[LSW1-GigabitEthernet0/0/1]int g 0/0/2
[LSW1-GigabitEthernet0/0/2]p l a
[LSW1-GigabitEthernet0/0/2]p d v 20
[LSW1-GigabitEthernet0/0/2]un sh
Info: Interface GigabitEthernet0/0/2 is not shutdown.
[LSW1-GigabitEthernet0/0/2]int g 0/0/3
[LSW1-GigabitEthernet0/0/3]p l a
[LSW1-GigabitEthernet0/0/3]p d v 30
[LSW1-GigabitEthernet0/0/3]un sh
Info: Interface GigabitEthernet0/0/3 is not shutdown.
[LSW1-GigabitEthernet0/0/3]int g 0/0/4
[LSW1-GigabitEthernet0/0/4]p l a
[LSW1-GigabitEthernet0/0/4]p d v 30
[LSW1-GigabitEthernet0/0/4]un sh
Info: Interface GigabitEthernet0/0/4 is not shutdown.
[LSW1-GigabitEthernet0/0/4]int g 0/0/6
[LSW1-GigabitEthernet0/0/6]p l a
[LSW1-GigabitEthernet0/0/6]p d v 10
[LSW1-GigabitEthernet0/0/6]un sh
Info: Interface GigabitEthernet0/0/6 is not shutdown.
[LSW1-GigabitEthernet0/0/6]int g 0/0/5
[LSW1-GigabitEthernet0/0/5]p l a
[LSW1-GigabitEthernet0/0/5]p d v 40
[LSW1-GigabitEthernet0/0/5]un sh
Info: Interface GigabitEthernet0/0/5 is not shutdown.
[LSW1-GigabitEthernet0/0/5]q
[LSW1]dis vlan
--------------------------------------------------------------------------------
1 common UT:GE0/0/7(D) GE0/0/8(D) GE0/0/9(D) GE0/0/10(D)
GE0/0/11(D) GE0/0/12(D) GE0/0/13(D) GE0/0/14(D)
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
GE0/0/23(D) GE0/0/24(D)
10 common UT:GE0/0/1(U) GE0/0/6(U)
20 common UT:GE0/0/2(U)
30 common UT:GE0/0/3(U) GE0/0/4(U)
40 common UT:GE0/0/5(U)
[LSW1]int vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.1 24
[LSW1-Vlanif10]dis this
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
return
[LSW1-Vlanif10]un sh
Info: Interface Vlanif10 is not shutdown.
[LSW1-Vlanif10]int vlanif 20
[LSW1-Vlanif20]ip add 192.168.20.1 24
[LSW1-Vlanif20]un sh
Info: Interface Vlanif20 is not shutdown.
[LSW1-Vlanif20]int vlanif 30
[LSW1-Vlanif30]ip add 192.168.30.1 24
[LSW1-Vlanif30]un sh
Info: Interface Vlanif30 is not shutdown.
[LSW1-Vlanif30]int vlanif 40
[LSW1-Vlanif40]ip add 11.0.0.2 24
[LSW1-Vlanif40]un sh
Info: Interface Vlanif40 is not shutdown.
[LSW1-Vlanif40]q
[LSW1]dis interface b
Interface PHY Protocol InUti OutUti inErrors outErrors
GigabitEthernet0/0/1 up up 0% 0% 0 0
GigabitEthernet0/0/2 up up 0% 0% 0 0
GigabitEthernet0/0/3 up up 0% 0% 0 0
GigabitEthernet0/0/4 up up 0% 0% 0 0
GigabitEthernet0/0/5 up up 0% 0% 0 0
GigabitEthernet0/0/6 up up 0% 0% 0 0
Vlanif10 up up -- -- 0 0
Vlanif20 up up -- -- 0 0
Vlanif30 up up -- -- 0 0
Vlanif40 up up -- -- 0 0
[LSW1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.0.0.0/24 Direct 0 0 D 11.0.0.2 Vlanif40
11.0.0.2/32 Direct 0 0 D 127.0.0.1 Vlanif40
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 Direct 0 0 D 192.168.10.1 Vlanif10
192.168.10.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.20.0/24 Direct 0 0 D 192.168.20.1 Vlanif20
192.168.20.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
192.168.30.0/24 Direct 0 0 D 192.168.30.1 Vlanif30
192.168.30.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
[LSW1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
R2 configuration
The device is running!
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g 0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R2-GigabitEthernet0/0/0]int g 0/0/1
[R2-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[R2-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R2-GigabitEthernet0/0/1]q
[R2]int LoopBack 0
[R2-LoopBack0]ip add 114.114.114.114 32
[R2-LoopBack0]q
[R2]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
12.0.0.0/24 Direct 0 0 D 12.0.0.2 GigabitEthernet
0/0/0
12.0.0.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
13.0.0.0/24 Direct 0 0 D 13.0.0.1 GigabitEthernet
0/0/1
13.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
13.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
114.114.114.114/32 Direct 0 0 D 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[R2]ip route-static 8.8.8.8 32 12.0.0.1
2.2 NAT router configuration: start with the first form of static NAT, configured in system view and then enabled on the interface
The device is running!
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname NAT router
[NAT router]int g 0/0/0
[NAT router-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[NAT router-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[NAT router-GigabitEthernet0/0/0]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[NAT router-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[NAT router-GigabitEthernet0/0/1]q
[NAT router]nat static global 8.8.8.8 inside 192.168.10.10
[NAT router]ip route-static 192.168.0.0 16 11.0.0.2
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat static enable
[NAT router-GigabitEthernet0/0/1]q
[NAT router]ip route-static 114.114.114.114 32 12.0.0.2
Test: ping LoopBack0 (114.114.114.114) from 192.168.10.10 and capture packets at G0/0/0 on R2
2.3 Second way to configure static NAT: configure it under the interface
[NAT router]nat static global 9.9.9.9 inside 192.168.20.10
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat static global 9.9.9.9 inside 192.168.20.10
Info: The NAT in the network has existed.
Already existing configuration will be covered with current configure. [Y/N]:
y
[NAT router-GigabitEthernet0/0/1]
Configure the return route on R2
[R2]ip route-static 9.9.9.9 32 12.0.0.1
Ping 114.114.114.114 from 192.168.20.10
2.4 Configure dynamic NAT, the many-to-many mode:
in system view declare the two address ranges (public and private),
the private one as an ACL,
the public one as an address-group,
then bind the two together on the public interface
[NAT router]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
8.8.8.8/32 Unr 64 0 D 127.0.0.1 InLoopBack0
9.9.9.9/32 Unr 64 0 D 127.0.0.1 InLoopBack0
11.0.0.0/24 Direct 0 0 D 11.0.0.1 GigabitEthernet
0/0/0
11.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
11.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
12.0.0.0/24 Direct 0 0 D 12.0.0.1 GigabitEthernet
0/0/1
12.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
114.114.114.114/32 Static 60 0 RD 12.0.0.2 GigabitEthernet
0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.0.0/16 Static 60 0 RD 11.0.0.2 GigabitEthernet
0/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[NAT router]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2
<NAT router>system-view
Enter system view, return user view with Ctrl+Z.
[NAT router]nat address-group 1 212.0.0.100 212.0.0.200
[NAT router]acl 2000
[NAT router-acl-basic-2000]rule permit source 192.168.30.0 0.0.0.255
[NAT router-acl-basic-2000]q
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[NAT router-GigabitEthernet0/0/1]
Correspondingly, add the return route on R2
[R2]ip route-static 212.0.0.0 24 12.0.0.1
In the packet capture you can see that the source IP keeps changing
2.5 Configure the NAT mode in which many private addresses share one public address
The approach is much the same as for dynamic NAT:
in system view declare the private network segment as an ACL; note that this NAT command differs from the dynamic NAT one in that it carries an extra `ip` keyword,
then specify the binding on the public interface; because no public address range is specified, nothing is filled in there
Because there are no spare PCs in the environment, part of the earlier configuration has to be removed to avoid conflicts
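Added example, not part of the lab notes: the ACL in sections 2.4 and 2.5 decides which inside hosts are translated at all, and the preface's point that the rule takes a wildcard (inverse) mask rather than a subnet mask is easy to get wrong. The parser below reads rule lines in the notes' format (`rule permit source 192.168.30.0 0.0.0.255`, with or without the advanced ACL's `ip` keyword), applies Huawei wildcard semantics, and contrasts the correct rule with a constructed one where a subnet mask was typed by mistake; `ACL_WRONG` and `HOSTS` are constructed sample data.

```python
import ipaddress
import re

# rule [number] permit|deny [ip] source <base> <wildcard>   (format as shown in the notes)
RULE = re.compile(r"rule\s+(?:\d+\s+)?(permit|deny)\s+(?:ip\s+)?source\s+(\S+)\s+(\S+)")

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    ip_i, base_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return ip_i & care == base_i & care

def wildcard_of(mask: str) -> str:
    """Subnet mask -> wildcard mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def acl_action(acl_text: str, src_ip: str) -> str:
    """First matching rule wins; a source matching no rule is simply not translated."""
    for action, base, wc in RULE.findall(acl_text):
        if wildcard_match(src_ip, base, wc):
            return action
    return "no-match"

def nat_decision(acl_text: str, hosts) -> dict:
    """For each inside host, 'translate' if the ACL permits it, else 'untranslated'."""
    return {h: ("translate" if acl_action(acl_text, h) == "permit" else "untranslated")
            for h in hosts}

ACL_2000 = "rule 5 permit source 192.168.30.0 0.0.0.255"        # the notes' basic ACL
ACL_3000 = "rule 5 permit ip source 192.168.30.0 0.0.0.255"     # the notes' advanced ACL
ACL_WRONG = "rule 5 permit source 192.168.30.0 255.255.255.0"   # constructed: subnet mask by mistake
HOSTS = ["192.168.30.10", "192.168.30.200", "192.168.10.10", "10.0.0.0"]  # constructed samples

if __name__ == "__main__":
    for name, acl in (("ACL 2000", ACL_2000), ("ACL 3000", ACL_3000), ("wrong mask", ACL_WRONG)):
        print(name, nat_decision(acl, HOSTS))
```

With the subnet mask typed in place of the wildcard, only the first three octets are "don't care" and the last must be 0, so every real VLAN 30 host stays untranslated while an unrelated 10.0.0.0 would match.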
<NAT router>system-view
Enter system view, return user view with Ctrl+Z.
[NAT router]acl 3000
[NAT router-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255
[NAT router-acl-adv-3000]q
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat outbound 3000
[NAT router-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 12.0.0.1 255.255.255.0
nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255
nat outbound 2000 address-group 1 no-pat
nat outbound 3000
nat static enable
#
return
[NAT router-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1 no-pat
[NAT router-GigabitEthernet0/0/1]undo nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255
[NAT router-GigabitEthernet0/0/1]q
[NAT router]