NAT is the process of translating the IP address carried in the header of an IP datagram into another IP address; it is mainly used to let hosts on an internal network access an external network.
NAT is generally deployed on the gateway device that connects the internal network to the external network.
The gateway device keeps a NAT mapping table, which it consults to determine the private destination address to which a packet received from the public network should be forwarded.
NAT address translation can be done in the following ways:
1. Static NAT
Static NAT implements a one-to-one mapping between a private address and a public address.
One public IP can be assigned only to a single, fixed internal host address.
2. Dynamic NAT
Dynamic NAT translates between private and public addresses on the basis of an address pool.
3. NAPT
Network Address Port Translation (NAPT) allows multiple internal addresses to be mapped to different ports of the same public address.
4. Easy IP
Easy IP allows multiple internal addresses to be mapped to different ports of the gateway's outbound interface address.
5. NAT server
By configuring a NAT server, external users can be allowed to access a server on the internal network.
# Configure the interface IP addresses and default routes on the routers
## R1 and R2 are on the internal network, R4 is on the external network, R3 is the gateway
#AR1
interface GigabitEthernet0/0/0
ip address 13.1.1.1 255.255.255.0
### Configure the default route
ip route-static 0.0.0.0 0.0.0.0 13.1.1.3
#AR2
interface GigabitEthernet0/0/0
ip address 23.1.1.2 255.255.255.0
## Configure the default route
ip route-static 0.0.0.0 0.0.0.0 23.1.1.3
#AR3
interface GigabitEthernet0/0/0
ip address 13.1.1.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 23.1.1.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
#AR4
interface GigabitEthernet0/0/0
ip address 34.1.1.4 255.255.255.0
## Configure the default route
ip route-static 0.0.0.0 0.0.0.0 34.1.1.3
Configure NAPT
1. ACL
2. Address group (with Easy IP, the outbound interface IP is used instead of an address group)
3. Bind the ACL and the address group on the outbound interface
[AR3]acl 2000
[AR3-acl-basic-2000]rule 5 permit source any
[AR3-acl-basic-2000]q
[AR3]nat address-group 1 34.1.1.100 34.1.1.100
[AR3]inter g0/0/2
[AR3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]q
<AR3>display NAT session ALL
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 32966
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.100
New SrcPort : 10245
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 22720
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.100
New SrcPort : 10244
New DestAddr : ----
New DestPort : ----
Total : 2
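The session listing above is the plain text the router prints. The following Python, added here as an example and not part of the lab notes or of VRP, parses such a listing into records and audits the outbound entries against the inside prefixes and the expected global address. The port fields in this lab's output are rendered byte-swapped (5888 is 0x1700, that is telnet's port 23 with its two bytes swapped; New SrcPort 10245 is 0x2805, which swapped gives the 1320 that `display tcp status` on AR4 shows as the foreign port), so the parser undoes that swap before comparing with configured ports. The sample listing is constructed to mirror the table above, and all helper names are my own assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample, modelled on the "display nat session all" listing above.
SAMPLE = """\
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 32966
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.100
New SrcPort : 10245
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 22720
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.100
New SrcPort : 10244
New DestAddr : ----
New DestPort : ----
Total : 2
"""


def swap16(port: int) -> int:
    """Undo the byte-swapped port rendering seen in this lab's output
    (5888 == 0x1700 is telnet's port 23 with its two bytes swapped)."""
    return ((port & 0xFF) << 8) | (port >> 8)


@dataclass
class NatSession:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    new_src: Optional[str] = None      # set for outbound (source NAT) entries
    new_sport: Optional[int] = None
    new_dst: Optional[str] = None      # set for inbound (NAT server) entries
    new_dport: Optional[int] = None

    @property
    def direction(self) -> str:
        return "outbound" if self.new_src else "inbound"


FIELD = re.compile(r"^(?P<key>[A-Za-z\- ]+?)\s*:\s*(?P<val>.*)$")


def _addr_port(val: str):
    addr, port = val.split()[:2]
    return addr, swap16(int(port))


def _opt(val: str) -> Optional[str]:
    return None if val.strip() == "----" else val.strip()


def _opt_port(val: str) -> Optional[int]:
    v = _opt(val)
    return swap16(int(v)) if v is not None else None


def parse_sessions(text: str) -> List[NatSession]:
    """Parse a session listing; each 'Protocol' line starts a new entry."""
    sessions: List[NatSession] = []
    cur = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # "NAT-Info" and blank lines carry no field
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Protocol":
            if cur:
                sessions.append(NatSession(**cur))
            cur = {"proto": val}
        elif key == "SrcAddr Port Vpn":
            cur["src"], cur["sport"] = _addr_port(val)
        elif key == "DestAddr Port Vpn":
            cur["dst"], cur["dport"] = _addr_port(val)
        elif key == "New SrcAddr":
            cur["new_src"] = _opt(val)
        elif key == "New SrcPort":
            cur["new_sport"] = _opt_port(val)
        elif key == "New DestAddr":
            cur["new_dst"] = _opt(val)
        elif key == "New DestPort":
            cur["new_dport"] = _opt_port(val)
        elif key == "Total":
            if cur:
                sessions.append(NatSession(**cur))
                cur = {}
            if len(sessions) != int(val):
                raise ValueError(f"listing says {val} sessions, parsed {len(sessions)}")
    if cur:
        sessions.append(NatSession(**cur))
    return sessions


def audit_outbound(sessions: List[NatSession], inside_nets, global_addr: str) -> List[str]:
    """Report outbound entries whose inside source is not in an expected prefix
    or whose translated source is not the configured global address."""
    nets = [ip_network(n) for n in inside_nets]
    findings = []
    for s in sessions:
        if s.direction != "outbound":
            continue
        if not any(ip_address(s.src) in n for n in nets):
            findings.append(f"{s.src}:{s.sport} translated but not an inside address")
        if s.new_src != global_addr:
            findings.append(f"{s.src}:{s.sport} translated to {s.new_src}, expected {global_addr}")
    return findings


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s.direction, s.src, s.sport, "->", s.dst, s.dport, "as", s.new_src, s.new_sport)
    print(audit_outbound(parse_sessions(SAMPLE), ["13.1.1.0/24", "23.1.1.0/24"], "34.1.1.100"))
```

Running the audit with the address-group address 34.1.1.100 returns no findings for the listing above; running it with 34.1.1.3 (the interface address that Easy IP would use) flags both entries, which is the check to run after switching between the two modes.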
## Enable telnet on AR4
[AR4]user-interface vty 0 4
[AR4-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR4-ui-vty0-4]
## Telnet to AR4 from the other routers and check the state on AR4
[AR4]display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
b4cf56b8 6 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
b4cf5bc8 6 /5 34.1.1.4:23 34.1.1.3:50894 0 Established
b4cf5a84 6 /4 34.1.1.4:23 34.1.1.100:1320 0 Established
[AR4]
Easy IP
1. Define the ACL
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]undo nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
#
return
### Reference the ACL directly, without an address group
[AR3-GigabitEthernet0/0/2]nat outbound 2000
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]
## Telnet to AR4 again from the other routers
<AR4>display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
b4cf56b8 6 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
b4cf5a84 6 /6 34.1.1.4:23 34.1.1.3:40 0 Established
b4cf5bc8 6 /7 34.1.1.4:23 34.1.1.3:296 0 Established
<AR4>
<AR3>display nat session all
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 14528
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10240
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 15045
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10241
New DestAddr : ----
New DestPort : ----
Total : 2
<AR3>
NAT server (static NAPT)
Assume R1 provides a telnet service: inside port 23, global port 2323
## Enable telnet on AR1
<AR1>sy
Enter system view, return user view with Ctrl+Z.
[AR1]user-inter
[AR1]user-interface v
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]auth
[AR1-ui-vty0-4]authentication-mode pass
[AR1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR1-ui-vty0-4]
[AR1-ui-vty0-4]q
[AR1]
## Configure on AR3
[AR3-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 2323 in
[AR3-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 2323 inside 13.1.1.1 23
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat server protocol tcp global current-interface 2323 inside 13.1.1.1 telnet
nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]q
[AR3]dis
[AR3]display nat ser
[AR3]display nat server
Nat Server Information:
Interface : GigabitEthernet0/0/2
Global IP/Port : current-interface/2323 (Real IP : 34.1.1.3)
Inside IP/Port : 13.1.1.1/23(telnet)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Total : 1
[AR3]
## Test from AR4
<AR4>
<AR4>telnet 34.1.1.3 2323
Press CTRL_] to quit telnet mode
Trying 34.1.1.3 ...
Connected to 34.1.1.3 ...
Login authentication
Password:
<AR1>
### Enable telnet (port 23) on R2 and test with a static mapping; the global IP is 34.1.1.3 and the global port is 2003
[AR3-GigabitEthernet0/0/2]nat static protocol tcp global current-interface 2003 inside 23.1.1.2 23
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat server protocol tcp global current-interface 2323 inside 13.1.1.1 telnet
nat static protocol tcp global current-interface 2003 inside 23.1.1.2 telnet netmask 255.255.255.255
nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]
<AR4>telnet 34.1.1.3 2003
Press CTRL_] to quit telnet mode
Trying 34.1.1.3 ...
Connected to 34.1.1.3 ...
Login authentication
Password:
<AR2>
[AR3]display nat session all
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 34.1.1.4 60099
DestAddr Port Vpn : 34.1.1.3 4873
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 13.1.1.1
New DestPort : 5888
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 14528
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10240
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 15045
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10241
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 34.1.1.4 48065
DestAddr Port Vpn : 34.1.1.3 54023
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 23.1.1.2
New DestPort : 5888
Total : 4
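The session table above mixes outbound NAPT entries (New SrcAddr set) with inbound NAT server entries (New DestAddr set). The following Python, added here as an example and not part of the lab notes or of VRP, is a small model of what the gateway does for the NAPT, Easy IP and NAT server sections of this page: an ACL of permitted inside prefixes, an optional address pool (NAPT) that falls back to the interface address (Easy IP), per-flow source port allocation starting at 10240 as in the tables above, reverse translation of return traffic, and static server mappings on the interface address; unsolicited inbound packets with no mapping are dropped. The class, packet type and method names are my own assumptions, and the flows in the usage block are constructed to match the addresses in this lab.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Hypothetical model of one NAT outbound interface (not VRP code)."""

    def __init__(self, interface_ip: str, acl: List[str],
                 pool: Optional[List[str]] = None, first_port: int = 10240):
        self.interface_ip = interface_ip
        self.acl = [ip_network(n) for n in acl]
        # Easy IP: with no address pool the interface address itself is used.
        self.pool = list(pool) if pool else [interface_ip]
        self.next_port = first_port
        # (proto, global_ip, global_port) -> (inside_ip, inside_port)
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        # (proto, inside_ip, inside_port) -> (global_ip, global_port)
        self.reverse: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        # (proto, global_port) -> (inside_ip, inside_port), i.e. "nat server"
        self.servers: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_server(self, proto: str, global_port: int, inside_ip: str, inside_port: int) -> None:
        """nat server protocol <proto> global current-interface <gport> inside <ip> <port>"""
        self.servers[(proto, global_port)] = (inside_ip, inside_port)

    def _permitted(self, src: str) -> bool:
        a = ip_address(src)
        return any(a in n for n in self.acl)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: translate the source if the ACL permits it,
        allocating a fresh global port for a new flow and reusing it otherwise."""
        if not self._permitted(pkt.src):
            return pkt  # ACL did not match: forwarded without translation
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:
            gip = self.pool[0]  # single-address pool in this model
            gport = self.next_port
            self.next_port += 1
            self.reverse[key] = (gip, gport)
            self.sessions[(pkt.proto, gip, gport)] = (pkt.src, pkt.sport)
        gip, gport = self.reverse[key]
        return replace(pkt, src=gip, sport=gport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: return traffic of a known session is mapped back;
        otherwise only a configured NAT server port on the interface is reachable."""
        entry = self.sessions.get((pkt.proto, pkt.dst, pkt.dport))
        if entry is not None:
            inside_ip, inside_port = entry
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if pkt.dst == self.interface_ip:
            srv = self.servers.get((pkt.proto, pkt.dport))
            if srv is not None:
                return replace(pkt, dst=srv[0], dport=srv[1])
        return None  # no mapping: dropped

    def table(self) -> List[str]:
        """One line per session, in the spirit of 'display nat session all'."""
        return [f"{p} {iip}:{ipt} -> {gip}:{gpt}"
                for (p, gip, gpt), (iip, ipt) in self.sessions.items()]


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed flows matching the lab: two inside telnets to AR4,
    one return packet, one NAT server hit and one unsolicited probe."""
    gw = NatGateway("34.1.1.3", ["13.1.1.0/24", "23.1.1.0/24"], pool=["34.1.1.100"])
    gw.add_server("tcp", 2323, "13.1.1.1", 23)
    out1 = gw.outbound(Packet("tcp", "13.1.1.1", 22720, "34.1.1.4", 23))
    out2 = gw.outbound(Packet("tcp", "23.1.1.2", 32966, "34.1.1.4", 23))
    back = gw.inbound(Packet("tcp", "34.1.1.4", 23, out1.src, out1.sport))
    srv = gw.inbound(Packet("tcp", "34.1.1.4", 60099, "34.1.1.3", 2323))
    probe = gw.inbound(Packet("tcp", "34.1.1.4", 48065, "34.1.1.3", 2003))
    return {"out1": out1, "out2": out2, "back": back, "server": srv, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The `probe` flow is the point of the model: before the second `nat static` line in the page's configuration, a connection to 34.1.1.3:2003 has no mapping and is dropped, while 2323 reaches 13.1.1.1:23 exactly as the `display nat server` output shows. Constructing the gateway without a pool reproduces the Easy IP case, where the translated source becomes the interface address 34.1.1.3.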