静态NAT
静态 NAT ( Static NAT )( 一对一 )。将内部网络的私有IP地址转换为公有IP地址,IP地址对是一对一的,是一直不变的。
实验拓扑:
PC配置
?
?
?
AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sys AR1
[AR1]
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]ip add 192.168.2.2 24
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]q
[AR1]
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]ip add 192.168.3.2 24
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]ip add 100.100.100.1 24
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat static global 100.100.100.3 inside 192.168.1.1 net
mask 255.255.255.255
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat static global 100.100.100.4 inside 192.168.2.1 net
mask 255.255.255.255
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat static global 100.100.100.5 inside 192.168.3.1 net
mask 255.255.255.255
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]ip route-s
[AR1]ip route-static 0.0.0.0 0 100.100.100.2
[AR1]
AR2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sys AR2
[AR2]
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]ip add 100.100.100.2 24
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]q
[AR2]
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]
[AR2-GigabitEthernet0/0/1]ip add 200.200.200.2 30
[AR2-GigabitEthernet0/0/1]
[AR2-GigabitEthernet0/0/1]q
[AR2]
实验结果:
动态NAT
动态地址 NAT ( Pooled NAT )(多对多)。将内部网络的私有 IP 地址转换为公用 IP 地址时,IP 地址是不确定,随机的。所有被授权访问 Internet 的私有 IP 地址可随机转换为任何指定合法的 IP 地址。也就是说,只要指定哪些内部地址可以进行转换,以及用哪些合法地址作为外部地址时,就可以进行动态 NAT 转换。动态 NAT 是在路由器上配置一个外网 IP 地址池,当内部有计算机需要和外部通信时,就从地址池里动态的取出一个外网 IP,并将他们的对应关系绑定到 NAT 表中,通信结束后,这个外网 IP 才被释放,可供其他内部 IP 地址转换使用,这个 DHCP 租约 IP 有相似之处。当 ISP 提供的合法 IP 地址略少于网络内部的计算机数量时。可以采用动态转换的方式。
PC配置同静态相同
ISP也无变化
AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sys AR1
[AR1]
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]ip add 192.168.2.2 24
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]q
[AR1]
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]ip add 192.168.3.2 24
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]ip add 100.100.100.1 24
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]nat address-group 1 100.100.100.3 100.100.100.254
[AR1]
[AR1]acl 2000
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat outbound 2000 address-group 1 no-pat
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]ip route-static 0.0.0.0 0 100.100.100.2
[AR1]
实验结果:
?
NAPT
由于 NAT 实现是私有 IP 和 NAT 的公共 IP 之间的转换,那么,私有网中同时与公共网进行通信的主机数量就受到 NAT 的公共 IP 地址数量的限制。为了克服这种限制,NAT 被进一步扩展到在进行 IP 地址转换的同时进行 Port 的转换,这就是网络地址端口转换 NAPT(Network Address Port Translation)技术。 NAPT 与 NAT 的区别在于,NAPT 不仅转换 IP 包中的 IP 地址,还对 IP 包中 TCP 和 UDP 的 Port 进行转换。这使得多台私有网主机利用 1 个 NAT 公共 IP 就可以同时和公共网进行通信。
实验拓扑:
PC,ISP,SEVER 1 配置依旧同上
只改变出口设备配置
AR1(出口设备)
[Huawei]sys AR1
[AR1]
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]ip add 192.168.2.2 24
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]q
[AR1]
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]ip add 192.168.3.2 24
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]ip add 100.100.100.1 24
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]nat address-group 1 100.100.100.3 100.100.100.3
[AR1]
[AR1]acl 2000
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat outbound 2000 address-group 1
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]ip route-static 0.0.0.0 0 100.100.100.2
[AR1]
[AR1]q
Easy ip:
Easy-ip是NAPT的一种特例是单向转换的,配置时候不需要创建公网地址池。NAPT是实现私有IP和NAT的公共IP之间的动态转换。Easy-ip是实现公网IP 地址实现与私网IP 地址之间的映射。适合小型局域网接入Internet的情况,比如小型网吧,中小型企业。出接口通过拨号方式获得临时(或固定)公网IP 地址以供内部主机访问Internet。
拓扑图
其他配置依旧同上,只更改出口设备命令:
AR1(出口设备)
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sys AR1
[AR1]
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]ip add 192.168.2.2 24
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]q
[AR1]
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]ip add 192.168.3.2 24
[AR1-GigabitEthernet0/0/2]
[AR1-GigabitEthernet0/0/2]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]ip add 100.100.100.1 24
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]ip route-static 0.0.0.0 0 100.100.100.2
[AR1]
[AR1]acl 2000
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat outbound 2000
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
NAT server配置实验:
功能是使用一个公网地址来代表内部服务器对外地址。
拓扑图
外网用户配置:
server 2内网web配置:
?
路由器配置:
AR1(出口设备)
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sys AR1
[AR1]
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]ip add 100.100.100.1 24
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]ip route-static 0.0.0.0 0 100.100.100.2
[AR1]
[AR1]acl 2000
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]
[AR1-acl-basic-2000]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat outbound 2000
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]q
[AR1]
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]
[AR1-GigabitEthernet4/0/0]nat server protocol tcp global 100.100.100.3 80 inside
192.168.1.1 80
[AR1-GigabitEthernet4/0/0]
AR2(ISP)
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sys AR2
[AR2]
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]ip add 100.100.100.2 24
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]q
[AR2]
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]
[AR2-GigabitEthernet0/0/1]ip add 200.200.200.2 24
[AR2-GigabitEthernet0/0/1]
[AR2-GigabitEthernet0/0/1]q
[AR2]
实验结果:
|