NAT is the process of translating the IP address in an IP datagram header into another IP address; it is mainly used to let hosts on an internal network reach an external network.
NAT is generally deployed on the gateway device that connects the internal and external networks.
The gateway keeps a NAT mapping table, which it consults to determine the private destination address that a packet received from the public network should be forwarded to.
NAT address translation comes in the following forms
1. Static NAT
Static NAT is a one-to-one mapping between a private address and a public address
A public IP is assigned to exactly one fixed internal host address
2. Dynamic NAT
Dynamic NAT translates private addresses into public addresses drawn from an address pool; each active inside host still occupies one pool address for as long as its session lasts
3. NAPT
Network Address and Port Translation (NAPT) lets multiple internal addresses map to different ports of the same public address
4. Easy IP
Easy IP maps multiple internal addresses to different ports of the gateway's outbound interface address, so no separate address pool is needed
5. NAT server
A NAT server entry lets external users reach a server on the internal network; it is a fixed mapping that accepts unsolicited inbound connections, so publish only the ports that are actually needed
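Before the configuration, a small Python model (an added example, not from this page and not Huawei's code) of what the forms above have in common: a mapping table consulted in both directions. It covers NAPT with an address group, Easy IP (the pool is just the outbound interface address) and a NAT server entry; static and dynamic NAT are the same table without the port component. Addresses follow the lab (13.1.1.1 and 23.1.1.2 inside, 34.1.1.3 gateway, 34.1.1.4 outside); the translated-port range starting at 10240, the inside ephemeral ports and the Packet/NatGateway names are assumptions of the model. The point it makes visible: with only nat outbound, an inbound packet that matches no session is dropped, while a nat server entry makes the inside service reachable from any outside source.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatGateway:
    """Model of the gateway (AR3). acl plays the role of acl 2000, pool the role
    of the address group; Easy IP is a pool holding only the outbound interface
    address. The 10240 port base is an assumption of this model."""
    acl: tuple                                    # inside prefixes to translate
    pool: tuple                                   # public addresses to use
    port_base: int = 10240                        # assumed first translated port
    servers: dict = field(default_factory=dict)   # (proto, gip, gport) -> (iip, iport)
    sessions: dict = field(default_factory=dict)  # (proto, gip, gport) -> (iip, iport, dst, dport)
    _next_port: int = field(default=0, init=False)

    def __post_init__(self):
        self._next_port = self.port_base
        self._nets = [ip_network(p) for p in self.acl]

    def _permitted(self, ip):
        return any(ip_address(ip) in n for n in self._nets)

    def add_server(self, proto, gip, gport, iip, iport):
        """nat server protocol <proto> global <gip> <gport> inside <iip> <iport>"""
        self.servers[(proto, gip, gport)] = (iip, iport)

    def outbound(self, pkt):
        """Inside -> outside (nat outbound). Returns the packet as it leaves G0/0/2."""
        # A published server replies through its static mapping, not a dynamic port.
        for (proto, gip, gport), (iip, iport) in self.servers.items():
            if (proto, iip, iport) == (pkt.proto, pkt.src, pkt.sport):
                return Packet(proto, gip, gport, pkt.dst, pkt.dport)
        if not self._permitted(pkt.src):
            return pkt                            # ACL miss: forwarded untranslated
        for (proto, gip, gport), inner in self.sessions.items():
            if proto == pkt.proto and inner == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(proto, gip, gport, pkt.dst, pkt.dport)   # existing session
        n = self._next_port - self.port_base
        gip, gport = self.pool[n % len(self.pool)], self._next_port
        self._next_port += 1
        self.sessions[(pkt.proto, gip, gport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, gip, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside. Returns the packet with its real destination, or None
        when neither a session nor a server mapping claims it (the packet is dropped)."""
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.sessions:
            iip, iport, peer, pport = self.sessions[key]
            if (pkt.src, pkt.sport) == (peer, pport):
                return Packet(pkt.proto, pkt.src, pkt.sport, iip, iport)
            return None                           # same port, different peer: not this session
        if key in self.servers:
            iip, iport = self.servers[key]
            return Packet(pkt.proto, pkt.src, pkt.sport, iip, iport)
        return None


def run_lab():
    """Replay the lab: Easy IP for the two inside routers, then publish R1's telnet."""
    gw = NatGateway(acl=("13.1.1.0/24", "23.1.1.0/24"), pool=("34.1.1.3",))
    r = {}
    r["out1"] = gw.outbound(Packet("tcp", "13.1.1.1", 49208, "34.1.1.4", 23))
    r["out2"] = gw.outbound(Packet("tcp", "23.1.1.2", 50490, "34.1.1.4", 23))
    r["reply"] = gw.inbound(Packet("tcp", "34.1.1.4", 23, r["out1"].src, r["out1"].sport))
    r["acl_miss"] = gw.outbound(Packet("udp", "10.9.9.9", 5000, "34.1.1.4", 53))
    probe = Packet("tcp", "34.1.1.4", 50154, "34.1.1.3", 2323)
    r["unsolicited"] = gw.inbound(probe)          # no mapping yet: dropped
    gw.add_server("tcp", "34.1.1.3", 2323, "13.1.1.1", 23)
    r["published"] = gw.inbound(probe)            # now reaches R1's telnet
    r["server_reply"] = gw.outbound(Packet("tcp", "13.1.1.1", 23, "34.1.1.4", 50154))
    return r


if __name__ == "__main__":
    for name, pkt in run_lab().items():
        print(f"{name:13} {pkt}")
```

The model keys each session on the full 5-tuple, so a packet to a translated port from a different peer is rejected; real NAPT implementations differ in how strict that check is, which is exactly what matters when an outside host probes the public address.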
#Interface IPs and default routes on the routers
##R1 and R2 are inside, R4 is outside, R3 is the gateway
#AR1
interface GigabitEthernet0/0/0
ip address 13.1.1.1 255.255.255.0
###configure default route
ip route-static 0.0.0.0 0.0.0.0 13.1.1.3
#AR2
interface GigabitEthernet0/0/0
ip address 23.1.1.2 255.255.255.0
##configure default route
ip route-static 0.0.0.0 0.0.0.0 23.1.1.3
#AR3
interface GigabitEthernet0/0/0
ip address 13.1.1.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 23.1.1.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
#AR4
interface GigabitEthernet0/0/0
ip address 34.1.1.4 255.255.255.0
##configure default route (this gives the outside router a path back to the private 13.1.1.0/24 and 23.1.1.0/24 ranges, which a real upstream router would not have; it is only here so the lab's single link works)
ip route-static 0.0.0.0 0.0.0.0 34.1.1.3
Configure NAPT
1. Define an ACL that matches the inside traffic to be translated (the lab permits any source; restrict it to 13.1.1.0/24 and 23.1.1.0/24 so only the intended hosts are translated)
2. Define an address group, the pool of public addresses (here a single spare address on the outside subnet, 34.1.1.100, for which AR3 answers ARP); with Easy IP the outbound interface address is used instead
3. Bind the ACL and address group on the outbound interface
[AR3]acl 2000
[AR3-acl-basic-2000]rule 5 permit source any
[AR3-acl-basic-2000]q
[AR3]nat address-group 1 34.1.1.100 34.1.1.100
[AR3]inter g0/0/2
[AR3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]q
<AR3>display NAT session ALL
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 32966
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.100
New SrcPort : 10245
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 22720
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.100
New SrcPort : 10244
New DestAddr : ----
New DestPort : ----
Total : 2
##enable telnet on AR4 (password authentication only; telnet sends it in cleartext, acceptable for the lab only)
[AR4]user-interface vty 0 4
[AR4-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR4-ui-vty0-4]
##telnet AR4 from the other routers, then check the state on AR4. Compare the foreign port with the session table above: AR4 sees 34.1.1.100:1320 while AR3 printed New SrcPort 10245; 1320 = 0x0528 and 10245 = 0x2805, and the telnet port 23 = 0x0017 shows up there as 5888 = 0x1700, so this image's display nat session prints each port with its two bytes swapped. The entry from 34.1.1.3:50894 is AR3's own telnet session; its source is already the public 34.1.1.3 and no session table entry was created for it
[AR4]display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
b4cf56b8 6 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
b4cf5bc8 6 /5 34.1.1.4:23 34.1.1.3:50894 0 Established
b4cf5a84 6 /4 34.1.1.4:23 34.1.1.100:1320 0 Established
[AR4]
Easy IP
1. Define the ACL (acl 2000 from above is reused); remove the address-group binding from G0/0/2 and apply nat outbound with the ACL alone
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]undo nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
#
return
###apply nat outbound with just the ACL (no address group)
[AR3-GigabitEthernet0/0/2]nat outbound 2000
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]
##telnet AR4 again from the other routers; the foreign address is now the interface address 34.1.1.3
<AR4>display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
b4cf56b8 6 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
b4cf5a84 6 /6 34.1.1.4:23 34.1.1.3:40 0 Established
b4cf5bc8 6 /7 34.1.1.4:23 34.1.1.3:296 0 Established
<AR4>
<AR3>display nat session all
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 14528
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10240
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 15045
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10241
New DestAddr : ----
New DestPort : ----
Total : 2
<AR3>
NAT server (static NAPT)
Suppose R1 runs a telnet service on port 23 and it is to be published on outside port 2323
Once published this way the port is open to every outside source (display nat server below shows Acl number : ----); outside a lab, limit who can reach it with an inbound ACL on G0/0/2
##enable telnet on AR1
<AR1>sy
Enter system view, return user view with Ctrl+Z.
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR1-ui-vty0-4]q
[AR1]
##configure on AR3
[AR3-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 2323 inside 13.1.1.1 23
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat server protocol tcp global current-interface 2323 inside 13.1.1.1 telnet
nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]q
[AR3]display nat server
Nat Server Information:
Interface : GigabitEthernet0/0/2
Global IP/Port : current-interface/2323 (Real IP : 34.1.1.3)
Inside IP/Port : 13.1.1.1/23(telnet)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Total : 1
[AR3]
##test from AR4
<AR4>
<AR4>telnet 34.1.1.3 2323
Press CTRL_] to quit telnet mode
Trying 34.1.1.3 ...
Connected to 34.1.1.3 ...
Login authentication
Password:
<AR1>
###R2 also has telnet enabled on 23; publish it the same way but with nat static (VRP stores this form with a /32 netmask), outside address 34.1.1.3, port 2003
[AR3-GigabitEthernet0/0/2]nat static protocol tcp global current-interface 2003 inside 23.1.1.2 23
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
nat server protocol tcp global current-interface 2323 inside 13.1.1.1 telnet
nat static protocol tcp global current-interface 2003 inside 23.1.1.2 telnet netmask 255.255.255.255
nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]
<AR4>telnet 34.1.1.3 2003
Press CTRL_] to quit telnet mode
Trying 34.1.1.3 ...
Connected to 34.1.1.3 ...
Login authentication
Password:
<AR2>
[AR3]display nat session all
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 34.1.1.4 60099
DestAddr Port Vpn : 34.1.1.3 4873
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 13.1.1.1
New DestPort : 5888
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 14528
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10240
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 15045
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10241
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 34.1.1.4 48065
DestAddr Port Vpn : 34.1.1.3 54023
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 23.1.1.2
New DestPort : 5888
Total : 4
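A parser for the display nat session all and display tcp status output shown in this lab, added here as an example (not part of the page and not a Huawei tool). It exists because of a detail worth checking in the tables above: the ports AR3 prints do not match what AR4 sees. Telnet's port 23 (0x0017) appears as 5888 (0x1700), the published port 2323 (0x0913) as 4873 (0x1309), 2003 (0x07D3) as 54023 (0xD307), and the translated source ports 10240/10241 on AR3 are the 40/296 that AR4's display tcp status reports, so in this image the session table prints each port with its two bytes swapped. The parser undoes that (a swap_ports switch turns it off for a device that prints correctly; whether other VRP versions behave the same is not established by this page) and cross-checks each outbound translation against the far end's TCP table. The sample text is constructed from the outputs above; the function names are this example's own.

```python
import re

# Constructed sample input, copied from the lab output on this page: the
# gateway's 'display nat session all' after the NAT server step, and the
# outside router's 'display tcp status' from the Easy IP step.
SAMPLE_NAT_SESSIONS = """\
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 34.1.1.4 60099
DestAddr Port Vpn : 34.1.1.3 4873
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 13.1.1.1
New DestPort : 5888
Protocol : TCP(6)
SrcAddr Port Vpn : 13.1.1.1 14528
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10240
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 23.1.1.2 15045
DestAddr Port Vpn : 34.1.1.4 5888
NAT-Info
New SrcAddr : 34.1.1.3
New SrcPort : 10241
New DestAddr : ----
New DestPort : ----
Protocol : TCP(6)
SrcAddr Port Vpn : 34.1.1.4 48065
DestAddr Port Vpn : 34.1.1.3 54023
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 23.1.1.2
New DestPort : 5888
Total : 4
"""

SAMPLE_TCP_STATUS = """\
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
b4cf56b8 6 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
b4cf5a84 6 /6 34.1.1.4:23 34.1.1.3:40 0 Established
b4cf5bc8 6 /7 34.1.1.4:23 34.1.1.3:296 0 Established
"""


def swap16(port):
    """Exchange the two bytes of a 16-bit port: 5888 (0x1700) <-> 23 (0x0017)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def parse_nat_sessions(text, swap_ports=True):
    """Parse 'display nat session all' into one dict per session. With
    swap_ports=True the byte-swapped port display seen in this lab is undone;
    pass False on a device that already prints ports in host order."""
    fix = swap16 if swap_ports else (lambda p: p)
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol"):
            cur = {"proto": line.split(":", 1)[1].strip(), "src": None, "dst": None,
                   "new_src": None, "new_dst": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"(Src|Dest)Addr Port Vpn\s*:\s*(\S+)\s+(\d+)", line)
        if m:
            cur["src" if m.group(1) == "Src" else "dst"] = (m.group(2), fix(int(m.group(3))))
            continue
        m = re.match(r"New (Src|Dest)(Addr|Port)\s*:\s*(\S+)", line)
        if m and m.group(3) != "----":        # '----' means that side is untouched
            key = "new_src" if m.group(1) == "Src" else "new_dst"
            ip, port = cur[key] or (None, None)
            cur[key] = (m.group(3), port) if m.group(2) == "Addr" else (ip, fix(int(m.group(3))))
    return sessions


def parse_tcp_status(text):
    """Set of (foreign ip, foreign port) for Established rows of 'display tcp status'."""
    row = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\d+\s+Established")
    return {(m.group(3), int(m.group(4))) for m in map(row.search, text.splitlines()) if m}


def cross_check(sessions, peers):
    """For each outbound translation, does the far end see (New SrcAddr, real New SrcPort)?"""
    return {s["new_src"]: s["new_src"] in peers for s in sessions if s["new_src"]}


if __name__ == "__main__":
    print(cross_check(parse_nat_sessions(SAMPLE_NAT_SESSIONS), parse_tcp_status(SAMPLE_TCP_STATUS)))
```

Run against the page's tables, the two outbound entries decode to 34.1.1.3:40 and 34.1.1.3:296 and both are found in AR4's TCP table; the two inbound entries decode to 34.1.1.3:2323 and 34.1.1.3:2003 mapped to port 23 on 13.1.1.1 and 23.1.1.2, which is the published configuration.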