Basic NAT configuration (dynamic NAT, nat server)

Contents

1. Static NAT

2. Dynamic NAT

(1) Configure the public address pool

(2) Configure an ACL that matches the sources to be translated

(3) Translate the source to a public address; no-pat means no port translation, only one-to-one address translation

3. nat server (port mapping)


Take the following configuration as the example

AR1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
Sep 11 2023 15:17:30-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
 on the interface GigabitEthernet0/0/0 has entered the UP state. 
[AR1-GigabitEthernet0/0/0]qu
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 12.1.1.1 24
Sep 11 2023 15:18:10-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
 on the interface GigabitEthernet0/0/1 has entered the UP state. 
[AR1-GigabitEthernet0/0/1]qu
[AR1]

AR2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 12.1.1.254 24
Sep 11 2023 15:19:21-08:00 AR2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
 on the interface GigabitEthernet0/0/0 has entered the UP state. 
[AR2-GigabitEthernet0/0/0]qu
[AR2]

Here PC1 and PC2 can reach their gateway (AR1), and the gateway has a directly connected route towards AR2:

<AR1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       12.1.1.0/24  Direct  0    0           D   12.1.1.1        GigabitEthernet
0/0/1
       12.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
     12.1.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.254   GigabitEthernet
0/0/0
  192.168.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
  192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

So PC1 and PC2 can reach AR2, but AR2 has no return route: it does not know how to reach 192.168.1.1 or 192.168.1.2, so the echo requests arrive but the replies cannot be routed back.

<AR2>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       12.1.1.0/24  Direct  0    0           D   12.1.1.254      GigabitEthernet
0/0/0
     12.1.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
     12.1.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Here NAT is used to translate PC1's address to a public address, after which PC1 can ping AR2.

1. Static NAT

The public IP 12.1.1.2 maps to the internal private IP 192.168.1.1. Note that static NAT is a one-to-one, bidirectional mapping: not only PC1's outbound traffic is translated, any packet from the outside addressed to 12.1.1.2, on any port, is forwarded to 192.168.1.1. Configure it only for hosts that are meant to be reachable from the public side.

<AR1>sys
Enter system view, return user view with Ctrl+Z.
[AR1]nat static global 12.1.1.2 inside 192.168.1.1

At this point PC1 still cannot ping AR2:

PC>ping 12.1.1.254 -t

Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!

This is because a mapping configured in system view only takes effect once the outbound interface also has "nat static enable":

[AR1]int g0/0/1

[AR1-GigabitEthernet0/0/1]nat static enable

Now PC1 can ping:

Request timeout!
Request timeout!
From 12.1.1.254: bytes=32 seq=22 ttl=254 time=46 ms
From 12.1.1.254: bytes=32 seq=23 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=24 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=25 ttl=254 time=31 ms
From 12.1.1.254: bytes=32 seq=26 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=27 ttl=254 time=15 ms
From 12.1.1.254: bytes=32 seq=28 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=29 ttl=254 time=31 ms

A packet capture on AR2 shows that the source address has become 12.1.1.2 and the destination is 12.1.1.254.

AR2 has the directly connected route 12.1.1.0/24, which covers 12.1.1.2, so it now has a return route without any extra configuration.

Note:

When the mapping is configured in system view, nat static enable must be configured on the outbound interface.

When the mapping is configured directly under the interface, nat static enable is not needed.

[AR1-GigabitEthernet0/0/1]undo nat static enable
[AR1-GigabitEthernet0/0/1]quit
[AR1]undo nat static global 12.1.1.2 inside 192.168.1.1
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat static global 12.1.1.10 inside 192.168.1.1
# no need to add nat static enable under the interface in this case
# PC1 can still ping AR2

2. Dynamic NAT

(1) Configure the public address pool
[AR1]nat address-group 1 12.1.1.2 12.1.1.10
(2) Configure an ACL that matches the sources to be translated
[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
(3) Translate the source to a public address; no-pat means no port translation, only one-to-one address translation
[AR1-acl-basic-2000]quit
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
# the nat command here is only applied outbound; an ACL, by contrast, can be applied inbound or outbound

Two things to check in this configuration: the ACL decides which sources are translated, so a source it does not permit leaves the interface untranslated with its private address and, as shown above, gets no reply; and with no-pat each inside host holds one pool address for as long as its mapping exists, so the pool 12.1.1.2 to 12.1.1.10 (9 addresses) can serve at most 9 inside hosts at a time.

After this configuration, PC1 can ping AR2:

PC>ping 12.1.1.254

Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
From 12.1.1.254: bytes=32 seq=1 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=2 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=3 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=4 ttl=254 time=62 ms

Without no-pat, source ports are translated as well (PAT), so multiple users can share a single egress IP:

[AR1-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1 no-pat
[AR1-GigabitEthernet0/0/1]quit
[AR1]undo nat address-group 1
[AR1]nat address-group 1 12.1.1.2 12.1.1.2
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
# multiple users now share one egress address

# the PC can still ping
PC>ping 12.1.1.254

Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
From 12.1.1.254: bytes=32 seq=1 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=2 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=3 ttl=254 time=31 ms

Easy IP: use the egress interface's own IP address directly for internet access

[AR1]int g0/0/1
# translate the addresses matched by ACL 2000 to the public address, here the interface address 12.1.1.1
[AR1-GigabitEthernet0/0/1]nat outbound 2000

# this also pings

PC>ping 12.1.1.254

Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
From 12.1.1.254: bytes=32 seq=1 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=2 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=3 ttl=254 time=15 ms
From 12.1.1.254: bytes=32 seq=4 ttl=254 time=31 ms
From 12.1.1.254: bytes=32 seq=5 ttl=254 time=32 ms

3. nat server (port mapping)

# map the internal server's address to a public IP

[AR1-GigabitEthernet0/0/1]nat server protocol TCP global 12.1.1.2 80 inside 192.168.1.2 80
# traffic to port 80 of 12.1.1.2 actually reaches port 80 of 192.168.1.2

Unlike static NAT, only the mapped protocol and port are exposed: other ports of 192.168.1.2 stay unreachable from the outside. The mapping itself has no ACL, so anyone who can reach 12.1.1.2 can reach the service; the server's own filtering and patch level are what protect it.
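The following Python model ties together the modes configured above (static NAT in section 1, dynamic NAT with no-pat, PAT and Easy IP in section 2, and nat server in section 3). It is an added example, not Huawei code and not the post's own configuration: it rewrites addresses and ports the way each mode does, using the post's addresses and constructed packets, so the security-relevant differences can be checked offline: which modes let the outside reach an inside host without a prior outbound session, what happens when the no-pat pool runs out, and how PAT multiplexes one address. The class and function names are this example's own, and dynamic mappings are modelled as per-flow sessions, which is an assumption of the model rather than a statement about VRP's exact session handling.

```python
"""Toy model of the NAT modes this post configures on AR1 (static, no-pat,
PAT, Easy IP, nat server). Added example, not Huawei code and not the post's
configuration. Addresses are the post's; packets are constructed here.
Dynamic mappings are modelled as per-flow sessions (an assumption of this
model, not a statement about VRP)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """Huawei basic-ACL match: wildcard bits set to 1 are 'don't care'."""
    ip_i, net_i, wc_i = (int(IPv4Address(x)) for x in (ip, network, wildcard))
    return (ip_i & ~wc_i) == (net_i & ~wc_i)


class Nat:
    def __init__(self, mode, egress_ip, pool=(), acl=("192.168.1.0", "0.0.0.255"),
                 static=None, servers=None):
        assert mode in ("static", "no-pat", "pat", "easy-ip")
        self.mode, self.egress_ip, self.acl = mode, egress_ip, acl
        self.pool = list(pool)              # free global addresses (address-group)
        self.static = dict(static or {})    # inside ip -> global ip (nat static)
        self.servers = dict(servers or {})  # (proto, global, port) -> (inside, port)
        self.no_pat_map = {}                # inside ip -> global ip, taken from pool on first use
        self.sessions = {}                  # (global, gport, peer, pport) -> (inside, iport)
        self._next_port = 1024

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Inside -> outside; None means dropped (nothing to translate to)."""
        for (proto, g, gport), (ins, iport) in self.servers.items():
            if (proto, ins, iport) == (p.proto, p.src, p.sport):
                return replace(p, src=g, sport=gport)   # server reply leaves under its mapping
        if p.src in self.static:
            return replace(p, src=self.static[p.src])
        if self.mode == "static" or not acl_permits(p.src, *self.acl):
            return p   # untranslated: leaves with a private source, so AR2 has no return route
        if self.mode == "no-pat":
            g = self.no_pat_map.get(p.src)
            if g is None:
                if not self.pool:
                    return None                          # pool exhausted, packet dropped
                g = self.no_pat_map[p.src] = self.pool.pop(0)
            self.sessions[(g, p.sport, p.dst, p.dport)] = (p.src, p.sport)
            return replace(p, src=g)                     # address only, port kept
        g = self.pool[0] if self.mode == "pat" else self.egress_ip
        gport, self._next_port = self._next_port, self._next_port + 1
        self.sessions[(g, gport, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=g, sport=gport)            # many-to-one: port rewritten too

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside; None means no mapping or session matched, packet dropped."""
        if (p.proto, p.dst, p.dport) in self.servers:
            ins, iport = self.servers[(p.proto, p.dst, p.dport)]
            return replace(p, dst=ins, dport=iport)      # nat server: only the mapped port
        for ins, g in self.static.items():
            if g == p.dst:
                return replace(p, dst=ins)               # static NAT: any port, unsolicited
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:
            ins, iport = self.sessions[key]
            return replace(p, dst=ins, dport=iport)      # reply to an existing session
        return None


def demo_static():
    nat = Nat("static", "12.1.1.1", static={"192.168.1.1": "12.1.1.2"})
    out = nat.outbound(Packet("192.168.1.1", "12.1.1.254", 40000, 80))
    unsolicited = nat.inbound(Packet("12.1.1.254", "12.1.1.2", 50000, 22))  # reaches PC1
    return out, unsolicited


def demo_no_pat():
    nat = Nat("no-pat", "12.1.1.1", pool=[f"12.1.1.{i}" for i in range(2, 11)])
    return [nat.outbound(Packet(f"192.168.1.{h}", "12.1.1.254", 40000, 80)) for h in range(1, 11)]


def demo_pat(mode="pat"):
    nat = Nat(mode, "12.1.1.1", pool=["12.1.1.2"])
    a = nat.outbound(Packet("192.168.1.1", "12.1.1.254", 40000, 80))
    b = nat.outbound(Packet("192.168.1.2", "12.1.1.254", 40000, 80))
    reply = nat.inbound(Packet("12.1.1.254", a.src, 80, a.sport))
    unsolicited = nat.inbound(Packet("12.1.1.254", a.src, 50000, 22))      # dropped
    return a, b, reply, unsolicited


def demo_nat_server():
    nat = Nat("easy-ip", "12.1.1.1", servers={("tcp", "12.1.1.2", 80): ("192.168.1.2", 80)})
    hit = nat.inbound(Packet("12.1.1.254", "12.1.1.2", 50000, 80))
    miss = nat.inbound(Packet("12.1.1.254", "12.1.1.2", 50000, 22))       # only port 80 mapped
    reply = nat.outbound(Packet("192.168.1.2", "12.1.1.254", 80, 50000))
    return hit, miss, reply
```

Calling demo_static shows the static mapping forwarding an unsolicited packet to port 22 of 192.168.1.1; demo_no_pat shows the tenth host getting no address from a nine-address pool; demo_pat (also with mode="easy-ip") shows both PCs leaving as the same address with distinct ports and an unsolicited inbound packet being dropped; demo_nat_server shows that only TCP/80 of 192.168.1.2 is reachable. acl_permits also makes a common mistake visible: passing a subnet mask where a wildcard is expected (255.255.255.0 instead of 0.0.0.255) matches unrelated sources.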