本实验:配置测试NAT的五种类型,静态nat、动态nat,napt和esay ip,nat server,相关资料参考华为官方文档
HUAWEI-NAT的五种类型-配置案例
实验说明:某公司PC1-PC4四台客户机对访问Internet有特殊的需求,需要配置不同类型的NAT访问外网,同时公司内部有一台Web服务器需要NAT Server对外提供WEB服务。
IP地址规划表:
本端设备 | 端口 | IP地址或所属VLAN | 对端设备 | 端口 | IP地址或所属VLAN |
R1 | Serial 1/0/0 | 12.0.0.1/28 | ISP | Serial 1/0/0 | 12.0.0.1/28 |
R1 | GE 0/0/1 | 192.168.2.254/24 | SW2 | GE 0/0/1 | (NULL) |
R1 | GE 0/0/2 | 192.168.1.254/24 | SW1 | GE 0/0/1 | (NULL) |
SW1 | Eth 0/0/1 | (NULL) | PC1 | Eth 0/0/1 | 192.168.1.1/24 |
SW1 | Eth 0/0/2 | (NULL) | PC2 | Eth 0/0/1 | 192.168.1.2/24 |
SW1 | Eth 0/0/3 | (NULL) | PC3 | Eth 0/0/1 | 192.168.1.3/24 |
SW2 | Eth 0/0/1 | (NULL) | PC4 | Eth 0/0/1 | 192.168.2.1/24 |
SW2 | Eth 0/0/2 | (NULL) | WebServer | Eth 0/0/0 | 192.168.2.200/24 |
ISP | GE 0/0/1 | 104.114.128.1/24 | Client1 | Eth 0/0/0 | 104.114.128.10/24 |
配置步骤:
- 配置接口IP地址、静态路由实现互通、
- 配置静态NAT,实现PC4私网与公网的一对一映射
- 配置动态NAT,实现PC1地址转换访问公网
- 配置NAPT,实现PC2转换地址和端口访问公网
- 配置Easy IP,实现PC3转换出接口地址访问公网
- 配置NAT Server,实现Web服务。
项目实施:
一、配置接口IP地址、静态路由实现互通
[R1]interface Serial1/0/0
[R1-Serial1/0/0] ip address 12.0.0.1 255.255.255.240
#
[R1-Serial1/0/0]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.254 255.255.255.0
#
[R1-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.1.254 255.255.255.0
#
[R1]ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
[ISP]interface Serial1/0/0
[ISP-Serial1/0/0] ip address 12.0.0.2 255.255.255.240
#
[ISP-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[ISP-GigabitEthernet0/0/1] ip address 104.114.128.1 255.255.255.0
二、配置静态NAT
[R1-Serial1/0/0]nat static enable
[R1-Serial1/0/0]nat static global 12.0.0.3 inside 192.168.2.2 netmask 255.255.255.255
验证:
[R1]display nat static
Static Nat Information:
Interface : Serial1/0/0
Global IP/Port : 12.0.0.3/----
Inside IP/Port : 192.168.2.2/----
Protocol : ----
VPN instance-name : ----
Acl number : ----
Netmask : 255.255.255.255
Description : ----
三、配置动态NAT
[R1]acl 2001
[R1-acl-basic-2001] rule 5 permit source 192.168.1.2 0
#
[R1]nat address-group 0 12.0.0.4 12.0.0.5
#
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]nat outbound 2001 address-group 0 no-pat
验证:
[R1]display nat session all
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.2
DestAddr Vpn : 104.114.128.10
Type Code IcmpId : 0 8 31060
NAT-Info
New SrcAddr : 12.0.0.5
New DestAddr : ----
New IcmpId : ----
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.2
DestAddr Vpn : 104.114.128.10
Type Code IcmpId : 0 8 31059
NAT-Info
New SrcAddr : 12.0.0.4
New DestAddr : ----
New IcmpId : ----
四、配置NAPT
[R1]acl number 2002
[R1-acl-basic-2002]
[R1-acl-basic-2002]rule 5 permit source 192.168.1.3 0
#
[R1]nat address-group 1 12.0.0.6 12.0.0.6
#
[R1-Serial1/0/0]nat outbound 2002 address-group 1
验证:
R1]display nat session all
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.3
DestAddr Vpn : 104.114.128.10
Type Code IcmpId : 0 8 32063
NAT-Info
New SrcAddr : 12.0.0.6
New DestAddr : ----
New IcmpId : 10258
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.3
DestAddr Vpn : 104.114.128.10
Type Code IcmpId : 0 8 32062
NAT-Info
New SrcAddr : 12.0.0.6
New DestAddr : ----
New IcmpId : 10257
五、配置Easy IP
[R1]acl number 2000
[R1-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
#
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]nat outbound 2000
验证:
[R1]dis nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
Serial1/0/0 2001 0 no-pat
Serial1/0/0 2002 1 pat
Serial1/0/0 2000 12.0.0.1 easyip
--------------------------------------------------------------------------
六、配置NAT Server
[R1-Serial1/0/0]nat server protocol tcp global 12.0.0.10 www inside 192.168.2.200 www
验证:
[R1]display nat server
Nat Server Information:
Interface : Serial1/0/0
Global IP/Port : 12.0.0.10/80(www)
Inside IP/Port : 192.168.2.200/80(www)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----
Total : 1
