1. One-to-one NAT
R1
acl number 2000
rule 5 permit source 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
nat outbound 2000
# static NAT configuration
nat static global 100.0.0.4 inside 10.0.0.2
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
Let external addresses reach an internal server
int g0/0/1
nat server protocol tcp global current-interface www inside 10.0.0.3 www // map port 80 of internal host 10.0.0.3 to port 80 of the current interface's address (1.1.1.1 on g0/0/1)
R2
interface GigabitEthernet0/0/0
ip address 100.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 1.1.1.2 255.255.255.0
2. Many-to-many NAT
R3 configuration
interface GigabitEthernet0/0/0
ip address 10.10.10.2 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 // default route, comparable to setting a gateway
R1 configuration (give outgoing packets a route that reaches R2; R2 is the ISP's router, so no return route can be configured on it)
ip route-static 0.0.0.0 0.0.0.0 100.100.100.2
nat address-group 1 100.100.100.100 100.100.100.105
acl number 2000
rule 5 permit source 10.10.10.0 0.0.0.255
interface GigabitEthernet0/0/1
ip address 100.100.100.1 255.255.255.0 // must be on the same 100.100.100.0/24 subnet as the next hop 100.100.100.2 on R2
nat outbound 2000 address-group 1
R2 configuration (IP address)
interface GigabitEthernet0/0/1
ip address 100.100.100.2 255.255.255.0
Check the NAT session table: dis nat session all
3. PNAT
[AR1]int g 0/0/0
[AR1-GigabitEthernet0/0/0]ip add 10.0.0.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 202.0.0.2 24
[AR1]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2 // the next hop must be reachable on the g0/0/1 subnet (202.0.0.0/24); check this value against the interface address above
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 10.0.0.0 0.0.0.255
[AR1]nat address-group 1 202.0.0.3 202.0.0.5
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
Easy IP method:
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 10.0.0.0 0.0.0.255
[R1-acl-basic-2000]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000
4. Firewall NAT configuration
Firewall configuration
Create a security zone
firewall zone name userzone
Set its priority
set priority 60
Add an interface to the zone
add int g0/0/1
Traffic from a high-priority zone to a low-priority zone is outbound; from a low-priority zone to a high-priority zone it is inbound
NAT from inside to outside
// R1 (acting as the PC) configuration
[pc]int g0/0/0
[pc-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[pc]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 // configure the gateway
// firewall interface addresses
[SRG]int g0/0/0
[SRG-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[SRG-GigabitEthernet0/0/0]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 100.1.1.1 24
// R2
[Intenet]int g0/0/1
[Intenet-GigabitEthernet0/0/1]ip add 100.1.1.2 24
// assign interfaces to zones
[SRG]firewall zone trust
[SRG-zone-trust]add int g0/0/0
[SRG]fire zone untrust
[SRG-zone-untrust]add int g0/0/1
// configure the NAT policy
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 0 // create policy 0
[SRG-nat-policy-interzone-trust-untrust-outbound-0]action source-nat // action: source NAT (PAT translation)
[SRG-nat-policy-interzone-trust-untrust-outbound-0]easy-ip g0/0/1 // translate to the address of interface g0/0/1
// packet-filter policy: permit outbound packets from zone trust to zone untrust
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound
Access to an internal address from outside (static NAT)
[pc]user-interface vty 0 4
[pc-ui-vty0-4]set authentication password cipher admin
[pc-ui-vty0-4]q
<pc>telnet 127.0.0.1 // test that telnet on port 23 answers locally
// configure the security policy
[SRG]policy interzone trust untrust inbound
[SRG-policy-interzone-trust-untrust-inbound]policy 0
[SRG-policy-interzone-trust-untrust-inbound-0]action permit // action: permit access from outside to inside
[SRG]nat server 0 protocol tcp global 100.1.1.1 3000 inside 192.168.1.2 23 // map external port 3000 to port 23 of 192.168.1.2
<Intenet>telnet 100.1.1.1 3000 // test from the outside
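To make the translation behaviour of the configurations above concrete, here is an added Python model (not a Huawei tool and not code from these notes) of how the rules decide each packet: acl 2000 wildcard matching, nat static (bidirectional), nat outbound with an address-group or the interface address (Easy IP), and nat server. NatBox, acl_match and address_group are names chosen here, and the sequential port allocation is a constructed simplification.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

def acl_match(ip: str, network: str, wildcard: str) -> bool:
    """Basic ACL semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(network)) & care

def address_group(start: str, end: str) -> List[str]:
    """Expand 'nat address-group 1 <start> <end>' into its member addresses."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]

class NatBox:
    """Constructed model of one NAT device's translation decisions for the commands in these notes."""
    def __init__(self, acl_rules, static=None, pool=None, easy_ip=None, servers=None):
        self.acl_rules = acl_rules            # 'rule permit source <net> <wildcard>' entries of acl 2000
        self.static = dict(static or {})      # 'nat static global G inside I'            -> {I: G}
        self.pool = list(pool or [])          # 'nat outbound 2000 address-group 1' member addresses
        self.easy_ip = easy_ip                # 'nat outbound 2000' alone / easy-ip: the interface address
        self.servers = dict(servers or {})    # 'nat server ... global G gp inside I ip' -> {(G, gp): (I, ip)}
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}  # NAPT table (I, ip) -> (G, gp)
        self.next_port = 1024                 # simplification: sequential global port allocation

    def outbound(self, src: Tuple[str, int]) -> Optional[Tuple[str, int]]:
        """Inside -> outside. Returns the translated source, or None when no NAT rule applies."""
        if src[0] in self.static:             # static NAT: fixed one-to-one, port untouched
            return (self.static[src[0]], src[1])
        if not any(acl_match(src[0], n, w) for n, w in self.acl_rules):
            return None                       # acl 2000 does not permit this source: left untranslated
        if src not in self.sessions:          # NAPT: first pool address, else the interface address
            global_ip = self.pool[0] if self.pool else self.easy_ip
            if global_ip is None:
                return None                   # no outbound NAT configured on this interface
            self.sessions[src] = (global_ip, self.next_port)
            self.next_port += 1
        return self.sessions[src]

    def inbound(self, dst: Tuple[str, int]) -> Optional[Tuple[str, int]]:
        """Outside -> inside. Only explicit mappings or existing sessions let traffic through."""
        if dst in self.servers:               # nat server: exactly one published port
            return self.servers[dst]
        for inside_ip, global_ip in self.static.items():
            if dst[0] == global_ip:           # static NAT is bidirectional: every port of that host
                return (inside_ip, dst[1])
        for inside, outside in self.sessions.items():
            if outside == dst:                # reply to a session opened from the inside
                return inside
        return None                           # unsolicited inbound: dropped
```

The inbound path is the part worth checking after any change: a nat server line exposes one port, while a nat static line exposes every port of the mapped host.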