NAT配置

1.nat一对一·

R1
acl number 2000  
 rule 5 permit source 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0 
nat outbound 2000


#静态nat配置
nat static global 100.0.0.4 inside 10.0.0.2

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2


配置外部地址访问 内部服务器
int g/0/1
nat server protocol tcp global current-interface www inside 10.0.0.3 www //将内网10.0.0.3的80端口映射到外网1.1.1.2 的80端口


R2
interface GigabitEthernet0/0/0
 ip address 100.0.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
ip address 1.1.1.2 255.255.255.0 

2.nat多对多

R3配置
interface GigabitEthernet0/0/0
ip address 10.10.10.2 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1  //设置默认路由,类似指定网关

R1 配置(指定数据包出路由能到达R2) R2为运营商路由器因此不能配置回程路由
ip route-static 0.0.0.0. 0.0.0.0 100.100.100.2

nat address-group 1 100.100.100.100 100.100.100.105

acl number 2000
 rule 5 permit source 10.10.10.0 0.0.0.255
 
interface GigabitEthernet0/0/1
ip address 100.10.10.1 255.255.255.0
nat outbond 2000 address-group 1

R2配置 IP地址
interface GigabitEthernet0/0/1
ip address 100.100.100.2 255.255.255.0

查看DNS : dis nat  session all  

3.PNAT

[AR1]int g 0/0/0 
[AR1-GigabitEthernet0/0/0]ip add 10.0.0.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 202.0.0.2 24
[AR1]ip route-static 0.0.0.0 0.0.0.0  200.0.0.2

[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 10.0.0.0 0.0.0.255

[AR1]nat address-group 1 202.0.0.3 202.0.0.5 

[AR1]int g0/0/01
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1

Easy  IP方式：
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 10.0.0.0 0.0.0.255

[R1-acl-basic-2000]int g0/0/01
[R1-GigabitEthernet0/0/1]nat outbound 2000

4.防火墙NAT配置

防火墙配置
创建一个安全区域
firewall zone name userzone
设置优先级
set priority 60
给安全区域添加接口
add int g0/0/01
高优先级到低优先级 outbound   低优先级到高优先级inbound

从内部到外部NAT

// R1配置
[pc]int g0/0/0
[pc-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[pc]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1      //配置网关 

// 防火墙配置接口地址 
[SRG]int g0/0/0
[SRG-GigabitEthernet0/0/0]ip add 192.168.1.1 24

[SRG-GigabitEthernet0/0/0]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 100.1.1.1 24

//  R2
[Intenet]int g0/0/01
[Intenet-GigabitEthernet0/0/1]ip add 100.1.1.2 24

//   配置接口区域 
[SRG]firewall zone trust 
[SRG-zone-trust]add int g0/0/0

[SRG]fire zone untrust 
[SRG-zone-untrust]add int g0/0/01

//配置nat策略
[SRG]nat-policy interzone trust untrust outbound 
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 0     //配置策略
[SRG-nat-policy-interzone-trust-untrust-outbound-0]action source-nat   //配置动作  PAT转换
[SRG-nat-policy-interzone-trust-untrust-outbound-0]easy-ip g0/0/01    //转化为g0/0/1口下的接口地址

//配置包过滤策略   允许区域trust 到 untrust 出方向的数据包通过
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound 

从外部访问内部地址（静态nat）

[pc]user-interface vty 0 4
[pc-ui-vty0-4]set authentication password cipher admin
[pc-ui-vty0-4]q
<pc>telnet 127.0.0.1  //测试能否telnet 端口23

// 配置策略  
[SRG]policy interzone trust untrust inbound 
[SRG-policy-interzone-trust-untrust-inbound]policy 0 
[SRG-policy-interzone-trust-untrust-inbound-0]action permit  //动作允许从外到内的访问

[SRG]nat server 0 protocol tcp global 100.1.1.1 3000 inside 192.168.1.2 23  //外网的3000端口映射到 192.168.1.2 的23 端口

<Intenet>telnet 100.1.1.1 3000 //测试