R1 configuration
sysname R1
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 2.1.1.1 255.255.255.0
FW configuration (NAT No-PAT). No-PAT is a one-to-one mapping, so with a pool of a single public address only one internal host can be translated at a time: PC2 cannot reach the Internet until PC1's NAT session entry has expired.
The mapping table can also be cleared by hand; note that this releases the No-PAT bindings of every host, not only the idle one:
[FW]diagnose //enter the diagnose view
[FW-diagnose]reset firewall server-map //clear the server-map table
NAT No-PAT configuration
interface GigabitEthernet1/0/0
ip address 192.168.1.254 255.255.255.0
service-manage ping permit //allow this interface to be pinged; useful for testing the downstream link
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0 //add G1/0/0 to the trust zone
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1 //add G1/0/1 to the untrust zone
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //default route towards R1's interface
#
nat address-group no-pat //create a NAT address group with the user-chosen name no-pat
mode no-pat global //set the group to global No-PAT mode, i.e. NAT that does not translate ports
section 1.1.1.100 //address pool containing the single address 1.1.1.100; if the pool spans several addresses, give the start and end address of the range
#
nat-policy //configure the NAT policy
rule name out //create a rule named out
source-zone trust //traffic matching this NAT rule comes from the trust zone
destination-zone untrust //and is destined for the untrust zone
source-address 192.168.1.0 mask 255.255.255.0 //source addresses to translate; Internet destinations cannot be known in advance, so no destination-address condition is configured
action source-nat address-group no-pat //source NAT using the no-pat address group defined above
#
security-policy //security policy, same matching logic as the NAT policy; NAT alone does not permit the traffic
rule name nat
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
NAPT configuration
[FW]nat-policy //enter the NAT policy view
[FW-policy-nat]rule name out //enter the view of rule out
[FW-policy-nat-rule-out]undo action source-nat //detach the address group from the rule so that its mode can be changed
[FW]nat address-group no-pat //enter the NAT address group no-pat
[FW-address-group-no-pat]mode pat //change the mode to pat, i.e. NAT that also translates ports
[FW]nat-policy //back to the NAT policy view
[FW-policy-nat]rule name out
[FW-policy-nat-rule-out]action source-nat address-group no-pat //re-apply the address group no-pat
[FW]dis firewall session table //check the session table: the source port is now translated
2022-10-15 03:52:32.900
Current Total Sessions : 5
icmp VPN: public --> public 192.168.1.2:31278[1.1.1.100:2062] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:30766[1.1.1.100:2060] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:30510[1.1.1.100:2059] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:31022[1.1.1.100:2061] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:30254[1.1.1.100:2058] --> 2.1.1.2:2048
[FW]
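The session table above is the evidence that port translation is in effect: the bracketed address stays 1.1.1.100 while the bracketed port differs from the original source port. The following added example (not Huawei code) parses `display firewall session table` output in that format, classifies the NAT mode from it, and checks that each translated (address, port) pair is unique. The sample text is the output shown above, with the wrapped destination port rejoined.

```python
"""Parse Huawei-style 'display firewall session table' lines and tell
No-PAT from PAT by comparing the original and translated source port.
Added example; the regex only covers the line shape seen on this page
(translated sessions carry the NAT address in square brackets)."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Output as shown on the page (five ICMP sessions after switching to PAT).
SAMPLE_OUTPUT = """\
2022-10-15 03:52:32.900
Current Total Sessions : 5
icmp VPN: public --> public 192.168.1.2:31278[1.1.1.100:2062] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:30766[1.1.1.100:2060] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:30510[1.1.1.100:2059] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:31022[1.1.1.100:2061] --> 2.1.1.2:2048
icmp VPN: public --> public 192.168.1.2:30254[1.1.1.100:2058] --> 2.1.1.2:2048
[FW]
"""

SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\]\s+-->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class Session:
    proto: str
    src_ip: str
    src_port: int      # for ICMP this field carries the ICMP identifier
    nat_ip: str
    nat_port: int
    dst_ip: str
    dst_port: int


def parse_session_table(text: str) -> list[Session]:
    """Return one Session per translated entry; timestamp, counter and
    prompt lines do not match the pattern and are skipped."""
    sessions: list[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(Session(
                m["proto"], m["src_ip"], int(m["src_port"]),
                m["nat_ip"], int(m["nat_port"]),
                m["dst_ip"], int(m["dst_port"]),
            ))
    return sessions


def classify_nat(sessions: list[Session]) -> str:
    """'no-pat' if the address changed but every port was kept,
    'pat' if at least one source port was rewritten, 'none' otherwise."""
    translated = [s for s in sessions
                  if s.nat_ip != s.src_ip or s.nat_port != s.src_port]
    if not translated:
        return "none"
    if all(s.nat_port == s.src_port for s in translated):
        return "no-pat"
    return "pat"


def translations_are_unique(sessions: list[Session]) -> bool:
    """Under PAT each session must own a distinct (public IP, port) pair,
    otherwise return traffic could not be mapped back unambiguously."""
    pairs = [(s.nat_ip, s.nat_port) for s in sessions]
    return len(pairs) == len(set(pairs))


if __name__ == "__main__":
    parsed = parse_session_table(SAMPLE_OUTPUT)
    print(len(parsed), "sessions, mode:", classify_nat(parsed),
          "unique:", translations_are_unique(parsed))
```

Running it on the page's output reports five sessions in `pat` mode with unique translations; the same parser run against the earlier No-PAT setup would report `no-pat`, because only the address changes.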
Easy-IP configuration
[FW-policy-nat-rule-out]action source-nat easy-ip //only Easy-IP needs to be enabled in the NAT policy rule
No NAT address group is required: Easy-IP translates to the address of the outbound interface (here G1/0/1, 1.1.1.1) and translates ports like PAT.
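To make the behavioural difference between the three modes on this page concrete, here is an added Python model (not Huawei code) of a source-NAT address group in No-PAT, PAT and Easy-IP mode using the lab addresses. It shows the point made at the top of the page: with a one-address No-PAT pool the second host (assumed here to be PC2 at 192.168.1.3) is refused until the first binding is released, while PAT and Easy-IP serve both hosts from one address by rewriting the source port. The starting port 2048 and the port-allocation order are constructed for the example.

```python
"""Constructed model of Huawei source-NAT modes: no-pat (one public address
per internal host, ports untouched), pat/NAPT (one public address shared,
source port rewritten) and easy-ip (NAPT using the outbound interface
address, so no address pool). Added example, not vendor code."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SourceNat:
    mode: str                                   # "no-pat", "pat" or "easy-ip"
    pool: list[str] = field(default_factory=list)   # 'section' of the address group
    egress_ip: str = "1.1.1.1"                  # G1/0/1 address, used only by easy-ip
    # no-pat: internal IP -> public IP binding (what 'reset firewall server-map' clears)
    ip_map: dict[str, str] = field(default_factory=dict)
    # pat / easy-ip: (public IP, public port) pairs currently in use
    used_ports: set[tuple[str, int]] = field(default_factory=set)
    next_port: int = 2048                       # constructed starting port

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int] | None:
        """Return the translated (ip, port), or None when the packet is dropped."""
        if self.mode == "no-pat":
            if src_ip in self.ip_map:
                return self.ip_map[src_ip], src_port        # port is never changed
            free = [ip for ip in self.pool if ip not in self.ip_map.values()]
            if not free:
                return None                                 # pool exhausted: host must wait
            self.ip_map[src_ip] = free[0]
            return free[0], src_port
        # pat and easy-ip differ only in where the public address comes from
        public_ip = self.egress_ip if self.mode == "easy-ip" else self.pool[0]
        port = self.next_port
        while (public_ip, port) in self.used_ports:
            port += 1
        self.used_ports.add((public_ip, port))
        self.next_port = port + 1
        return public_ip, port

    def reset_server_map(self) -> None:
        """Model of 'reset firewall server-map': forget all no-pat bindings."""
        self.ip_map.clear()


def demo() -> dict[str, list[tuple[str, int] | None]]:
    """PC1 (192.168.1.2) then PC2 (192.168.1.3, constructed) send one
    packet each through a one-address pool in every mode."""
    results = {}
    for mode in ("no-pat", "pat", "easy-ip"):
        nat = SourceNat(mode=mode, pool=["1.1.1.100"])
        results[mode] = [nat.translate("192.168.1.2", 31278),
                         nat.translate("192.168.1.3", 31279)]
    return results


def demo_reset() -> tuple:
    """PC2 is refused under no-pat until the server-map is cleared."""
    nat = SourceNat(mode="no-pat", pool=["1.1.1.100"])
    nat.translate("192.168.1.2", 31278)
    blocked = nat.translate("192.168.1.3", 31279)    # None: address still bound to PC1
    nat.reset_server_map()
    after = nat.translate("192.168.1.3", 31279)      # now PC2 gets 1.1.1.100
    return blocked, after


if __name__ == "__main__":
    for mode, out in demo().items():
        print(f"{mode:8s} PC1 -> {out[0]}, PC2 -> {out[1]}")
    print("no-pat after reset:", demo_reset())
```

The model deliberately keeps the No-PAT binding per internal address rather than per session: that is why a single pool address is enough for PC1 to hold many sessions but leaves nothing for PC2, and why clearing the server-map (or waiting for the binding to age out) is what frees it.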