Cisco NAT
Dynamic NAT: rarely used; it needs too many public addresses (many-to-many)
Dynamic PAT: the usual way an enterprise intranet reaches the Internet; port multiplexing (many-to-one)
Interface overload: a special case of PAT that reuses the IP address of the router's or firewall's outside interface; ordinary intranet-to-Internet access
Command example
Router inside interface f0/1; outside interface f0/0
Global config: interface PAT on a router
access-list 1 permit any
ip nat inside source list 1 int f0/0 overload
int f0/0
ip nat outside
int f0/1
ip nat inside
Command example 2: interface PAT on a firewall
Global config:
nat (inside) 1 0 0
global (outside) 1 interface
Static NAT
Mostly used to publish internal servers; one-to-one; lets outside hosts reach an internal server
Command example
Map server 192.168.1.10 to the public address 200.0.0.10
Global config: router inside interface f0/1; outside interface f0/0
ip nat inside source static 192.168.1.10 200.0.0.10
int f0/0
ip nat outside
int f0/1
ip nat inside
Command example
Map DMZ server 192.168.1.10 to the public address 200.0.0.10
Global config: ASA firewall
static (dmz,outside) 200.0.0.10 192.168.1.10
access-list out-dmz permit ip any host 200.0.0.10
access-group out-dmz in interface outside
Huawei NAT
Source address translation
NAT No-PAT: equivalent to Cisco dynamic NAT
NAPT: equivalent to Cisco dynamic PAT; needs a separate public address
Easy-IP: equivalent to the special form of Cisco PAT, interface overload, i.e. it reuses the outside interface IP to reach the Internet
Destination address translation
NAT Server: equivalent to static NAT
Example
NAT No-PAT
Configure network parameters and routing
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 202.96.1.1 24
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.96.1.2
Configure the security policy
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int g1/0/1 //add the inside interface to the trust zone
[USG6000V1-zone-trust]firewall zone untrust
[USG6000V1-zone-untrust]add int g1/0/0 //add the outside interface to the untrust zone
[USG6000V1-zone-untrust]quit
[USG6000V1]security-policy //configure the security policy
[USG6000V1-policy-security]rule name trust_untrust //create a rule named trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust //match conditions
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_untrust]action permit //action
[USG6000V1-policy-security-rule-trust_untrust]quit
[USG6000V1-policy-security]quit
Configure the NAT address group; the addresses in the group are the public addresses
[USG6000V1]nat address-group natgroup //create a NAT address group named natgroup
[USG6000V1-address-group-natgroup]section 0 202.96.1.10 202.96.1.11
[USG6000V1-address-group-natgroup]mode no-pat local
[USG6000V1-address-group-natgroup]quit
Configure the NAT policy
[USG6000V1]nat-policy //configure the NAT policy
[USG6000V1-policy-nat]rule name natpolicy //create a NAT rule named natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy]action nat address-group natgroup //action: matching packets get NAT No-PAT source translation using the address group
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
Configure black-hole routes for the translated global addresses (the addresses in the NAT address group)
[USG6000V1]ip route-static 202.96.1.10 32 null 0
[USG6000V1]ip route-static 202.96.1.11 32 null 0
Example
NAPT
Continue from the configuration in step 3
[USG6000V1]nat-policy
[USG6000V1-policy-nat]undo rule name natpolicy
[USG6000V1-policy-nat]quit
[USG6000V1]undo nat address-group natgroup
[USG6000V1]nat address-group natgroup
[USG6000V1-address-group-natgroup]section 0 202.96.1.10 202.96.1.11
[USG6000V1-address-group-natgroup]mode pat
[USG6000V1-address-group-natgroup]quit
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy]action nat address-group natgroup
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
Other commands stay unchanged
Example
Easy-IP ***
Modify the configuration above as follows
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy]action nat easy-ip
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
[USG6000V1]undo nat address-group natgroup
Example
NAT Server ***
Publish internal server 192.168.1.4 as 202.96.1.4
[USG6000V1]nat server natserver global 202.96.1.4 inside 192.168.1.4
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name untrust_trust
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust
[USG6000V1-policy-security-rule-untrust_trust]action permit
[USG6000V1-policy-security-rule-untrust_trust]quit
[USG6000V1-policy-security]quit
View the NAT session table
dis firewall session table
View the server-map table (note: PAT does not create server-map entries)
dis firewall server-map