静态、动态NAT、NAPT（Easy IP）、NAT Server技术

静态NAT

实验步骤：

1．修改路由器名字并配置IP地址

2．PC基础配置

3．配置静态nat

3.1 配置静态NAT让PC1能上网：

[AR1-GigabitEthernet0/0/0]nat static global 100.1.1.5 inside 192.168.1.1

3.2 查看静态nat： dis nat static（截图1）

3.3 在AR1的g0／0／0接口抓包并分析（截图2）

3.4 在AR1的g0／0／0接口添加一条静态nat，让pe2也可以上网，添加后查看静态nat

拓扑图

---

主机IP

---

基础配置

AR1

[Huawei]sysname R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/1]
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[R1-GigabitEthernet0/0/0]q
[R1]nat static global 100.1.1.3 inside 192.168.1.1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat static enable 
[R1-GigabitEthernet0/0/0]q

AR2

[Huawei]sysname R2
[R2]inter g0/0/0
[R2-GigabitEthernet0/0/0]ip add 100.1.1.1 24
[R2-GigabitEthernet0/0/0]q
[R2]

---

验证

PC1

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 100.1.1.1: bytes=32 seq=2 ttl=254 time=94 ms
From 100.1.1.1: bytes=32 seq=3 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=4 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=5 ttl=254 time=47 ms

AR1

[R1]dis nat static 
  Static Nat Information:
  Global Nat Static 
    Global IP/Port     : 100.1.1.3/---- 
    Inside IP/Port     : 192.168.1.1/----
    Protocol : ----     
    VPN instance-name  : ----                            
    Acl number         : ----
    Netmask  : 255.255.255.255 
    Description : ----

  Total :    1

抓包AR1的G0/0/0(ping的时候)

AR1

[R1]nat static global 100.1.1.4 inside 192.168.1.2
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat static enable 
[R1-GigabitEthernet0/0/0]q
[R1]

验证

[R1]dis nat static 
  Static Nat Information:
  Global Nat Static 
    Global IP/Port     : 100.1.1.3/---- 
    Inside IP/Port     : 192.168.1.1/----
    Protocol : ----     
    VPN instance-name  : ----                            
    Acl number         : ----
    Netmask  : 255.255.255.255 
    Description : ----

  Global Nat Static 
    Global IP/Port     : 100.1.1.4/---- 
    Inside IP/Port     : 192.168.1.2/----
    Protocol : ----     
    VPN instance-name  : ----                            
    Acl number         : ----
    Netmask  : 255.255.255.255 
    Description : ----

  Total :    2

PC2

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=254 time=63 ms
From 100.1.1.1: bytes=32 seq=2 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=3 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=4 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=5 ttl=254 time=31 ms

动态NAT

还原配置

[R1]undo nat static global 100.1.1.3 inside 192.168.1.1
[R1]undo nat static global 100.1.1.4 inside 192.168.1.2

4．配置动态nat：让PC2不能上网，pc1可以上网

4.1 配置公网地址池：［Huawei］nat address-group 1 100.1.1.5 100.1.1.30 4.2 抓取想要上网的路由（ACL）

ac1 2000

rule 5 deny source 192.168.1.2 0

rule 10 permit source 192.168.1.1 0 4

.3 将抓取的路由与地址池绑定

［Huawei-GigabitEthernet0／0／0］nat outbound 2000 address-group 1 no-pat（不绑定端口） 

4.4 查看动态NAT

［Huawei］dis nat address-group 1（截图3） 

4.5 验证配置：［Huawei］dis nat outbound（截图4）

4.6 pc ping外网时，在AR1的g0／0／e接口抓包并分析（截图5）

配置AR1

[R1]nat address-group 2 100.1.1.5 100.1.1.10
[R1]acl 2001
[R1-acl-basic-2001]rule 5 deny source 192.168.1.2 0
[R1-acl-basic-2001]rule 10 permit source 192.168.1.1 0
[R1-acl-basic-2001]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2001 address-group 2 no-pat
[R1-GigabitEthernet0/0/0]q

验证配置

[R1]dis nat address-group 2

 NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 2           100.1.1.5       100.1.1.10
 --------------------------------------
  Total : 1
[R1]dis nat outbound 
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2001                              2    no-pat
 --------------------------------------------------------------------------
  Total : 1
[R1]

PC1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=254 time=47 ms
Request timeout!
From 100.1.1.1: bytes=32 seq=3 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=4 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=5 ttl=254 time=32 ms

PC2

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

NAPT技术

5．配置NAPT

5.1 配置公网地址池（同4.1）

5.2 抓取想要上网的路由（同4.2）

让PC1不能上网，pc2可以上网

5.3 将抓取的路由与地址池绑定，并绑定端口

[Huawei-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 

5.4验证配置［Huawei］dis nat outbound

恢复配置

[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]undo nat outbound 2001 address-group 2 no-pat
[R1-GigabitEthernet0/0/0]undo nat static enable
[R1-GigabitEthernet0/0/0]q

[R1]undo nat address-group 2

配置NAPT

[R1]acl 2002
[R1-acl-basic-2002]rule 5 deny source 192.168.1.1 0
[R1-acl-basic-2002]rule 10 permit source 192.168.1.2 0
[R1-acl-basic-2002]q
[R1]nat address-group 3 100.1.1.11 100.1.1.11
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2002 address-group 3
[R1-GigabitEthernet0/0/0]q

验证配置

AR1

[R1]dis nat outbound 
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2002                              3       pat
 --------------------------------------------------------------------------
  Total : 1
[R1]dis nat address-group

 NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 3          100.1.1.11       100.1.1.11
 --------------------------------------
  Total : 1
[R1]

PC1

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

PC2

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=2 ttl=254 time=15 ms
From 100.1.1.1: bytes=32 seq=3 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=4 ttl=254 time=32 ms
From 100.1.1.1: bytes=32 seq=5 ttl=254 time=31 ms

---

EASY-IP

6．配置Easy-ip

6.1 抓取想要上网的路由（同4.2）

让pc1和pc2都可以上网

6.2 使用网关路由器的公网IP上网：［Huawei-GigabitEthernetθ／0／0］nat outbound 2000 

6.3 验证配置：［Huawei］dis nat outbound（截图）

抓包查看数据流，发现pc1和pc2去外网都是用的100.1.1.2（截图）

恢复配置

[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]undo nat outbound 2002 address-group 3
[R1-GigabitEthernet0/0/0]undo nat static enable 
[R1-GigabitEthernet0/0/0]q
[R1]undo nat address-group 3

配置Easy-IP

[R1]acl 2003
[R1-acl-basic-2003]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2003]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2003
[R1-GigabitEthernet0/0/0]q
[R1]

验证配置

AR1

[R1]dis nat outbound 
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2003                      100.1.1.2    easyip  
 --------------------------------------------------------------------------
  Total : 1

PC1

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=2 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=3 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=4 ttl=254 time=32 ms
From 100.1.1.1: bytes=32 seq=5 ttl=254 time=47 ms

PC2

PC>ping 100.1.1.1

Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=2 ttl=254 time=47 ms
From 100.1.1.1: bytes=32 seq=3 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=4 ttl=254 time=31 ms
From 100.1.1.1: bytes=32 seq=5 ttl=254 time=15 ms

在AR1的G0/0/0上抓包（在Ping的时候）

NAT SERVER

全部推倒重来

 

配置主机、Server的IP

基本配置

AR1

[Huawei]sysname R1
[R1]inter g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 200.10.10.1 24
[R1-GigabitEthernet0/0/1]q
[R1]ip route-static 0.0.0.0 0.0.0.0 200.10.10.2
[R1]

AR2

[Huawei]sysname R2
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 200.10.10.2 24
[R2-GigabitEthernet0/0/1]q
[R2]inter g0/0/0
[R2-GigabitEthernet0/0/0]ip add 2.2.2.254 24
[R2-GigabitEthernet0/0/0]q
[R2]ip route-static 0.0.0.0 0.0.0.0 200.10.10.1
[R2]

验证配置

PC1

PC>ping 2.2.2.2

Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
From 2.2.2.2: bytes=32 seq=3 ttl=253 time=47 ms
From 2.2.2.2: bytes=32 seq=4 ttl=253 time=31 ms
From 2.2.2.2: bytes=32 seq=5 ttl=253 time=31 ms

配置NAT Server

[R1]inter g0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 200.10.10.3 53 inside 192.168.1.2 ftp

配置Server1设备上的FTP Server服务

 

去Client连接如图

将HTTPDServer上的80转换到8080端口上

[R1-GigabitEthernet0/0/1]nat server protocol tcp global 200.10.10.4 8080 inside 192.168.1.2 80

与配置Server1设备上的FTP Server服务一样配置HTTPServer

 

输入网址“http://200.10.10.4:8080”获取,如图