前言:nat地址转换可以让私有地址转换成公网地址,解决上网问题华为的三层交换机内不可以配ip地址,需要配vlanif 在企业当中,数据流量业务比较多时,用好一点的路由器多个私网地址对应外网口ip地址需
.
前言:
nat地址转换可以让私有地址转换成公网地址,解决上网问题
华为的三层交换机内不可以配ip地址,需要配vlanif
在企业当中,数据流量业务比较多时,用好一点的路由器
多个私网地址对应外网口ip地址
需要设置acl规则,只允许某个网段通行,后面跟子网反掩码
接着到外网口宣告一下,acl的编号即可
网路地址转换
一: NAT概述
1.1 NAT的概念与实现方式
- 地址转换出现的背景
- NAT的工作原理
- network address translation,网路地址转换
- NAT实现方式
- 静态转换(static translation)
- 动态转换(Dynamic translation)
- 端口多路复用(port address translation, PAT) easyip
nat地址转换,识别的依据是端口的不同,不然数据返回不知道给谁1.2 NAT的术语与转换表
NAT的转换条目
扩展转换条目1.3 NAT实现方法的工作过程
- 静态转换和动态转换
1.4 NAT的特性
1.4.1 NAT的优点
- 节省公有合法IP地址
- 处理地址重叠
- 增强灵活性
- 安全性
1.4.2 NAT的缺点
- 延迟增大
- 配置和维护的复杂性
- 不支持某些应用,可以通过静态NAT映射来避免
二:实操:
2.1 基本配置
LSW1
The device is running!<Huawei>system-view Enter system view, return user view with Ctrl+Z.[Huawei]un in enInfo: Information center is disabled.[Huawei]sysname LSW1[LSW1]vlan bat 10 20 30 40Info: This operation may take a few seconds. Please wait for a moment...done.[LSW1]int g 0/0/1[LSW1-GigabitEthernet0/0/1]p l a[LSW1-GigabitEthernet0/0/1]p d v 10[LSW1-GigabitEthernet0/0/1]un shInfo: Interface GigabitEthernet0/0/1 is not shutdown.[LSW1-GigabitEthernet0/0/1]int g 0/0/2 [LSW1-GigabitEthernet0/0/2]p l a[LSW1-GigabitEthernet0/0/2]p d v 20[LSW1-GigabitEthernet0/0/2]un shInfo: Interface GigabitEthernet0/0/2 is not shutdown.[LSW1-GigabitEthernet0/0/2]int g 0/0/3[LSW1-GigabitEthernet0/0/3]p l a[LSW1-GigabitEthernet0/0/3]p d v 30[LSW1-GigabitEthernet0/0/3]un shInfo: Interface GigabitEthernet0/0/3 is not shutdown.[LSW1-GigabitEthernet0/0/3]int g 0/0/4[LSW1-GigabitEthernet0/0/4]p l a[LSW1-GigabitEthernet0/0/4]p d v 30[LSW1-GigabitEthernet0/0/4]un shInfo: Interface GigabitEthernet0/0/4 is not shutdown.[LSW1-GigabitEthernet0/0/4]int g 0/0/6[LSW1-GigabitEthernet0/0/6]p l a[LSW1-GigabitEthernet0/0/6]p d v 10[LSW1-GigabitEthernet0/0/6]un shInfo: Interface GigabitEthernet0/0/6 is not shutdown.[LSW1-GigabitEthernet0/0/6]int g 0/0/5[LSW1-GigabitEthernet0/0/5]p l a[LSW1-GigabitEthernet0/0/5]p d v 40[LSW1-GigabitEthernet0/0/5]un shInfo: Interface GigabitEthernet0/0/5 is not shutdown.[LSW1-GigabitEthernet0/0/5]q[LSW1]dis vlan --------------------------------------------------------------------------------1 common UT:GE0/0/7(D) GE0/0/8(D) GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D) GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D) GE0/0/23(D) GE0/0/24(D) 10 common UT:GE0/0/1(U) GE0/0/6(U) 20 common UT:GE0/0/2(U) 30 common UT:GE0/0/3(U) GE0/0/4(U) 40 common UT:GE0/0/5(U) [LSW1]int vlanif 10[LSW1-Vlanif10]ip add 192.168.10.1 24[LSW1-Vlanif10]dis this#interface Vlanif10 ip address 192.168.10.1 255.255.255.0#return[LSW1-Vlanif10]un shInfo: Interface Vlanif10 is not shutdown.[LSW1-Vlanif10]int vlanif 20[LSW1-Vlanif20]ip add 192.168.20.1 24[LSW1-Vlanif20]un shInfo: Interface Vlanif20 is not shutdown.[LSW1-Vlanif20]int vlanif 30[LSW1-Vlanif30]ip add 192.168.30.1 24[LSW1-Vlanif30]un shInfo: Interface Vlanif30 is not shutdown.[LSW1-Vlanif30]int vlanif 40[LSW1-Vlanif40]ip add 11.0.0.2 24[LSW1-Vlanif40]un shInfo: Interface Vlanif40 is not shutdown.[LSW1-Vlanif40]q[LSW1]dis interface bInterface PHY Protocol InUti OutUti inErrors outErrorsGigabitEthernet0/0/1 up up 0% 0% 0 0GigabitEthernet0/0/2 up up 0% 0% 0 0GigabitEthernet0/0/3 up up 0% 0% 0 0GigabitEthernet0/0/4 up up 0% 0% 0 0GigabitEthernet0/0/5 up up 0% 0% 0 0GigabitEthernet0/0/6 up up 0% 0% 0 0Vlanif10 up up -- -- 0 0Vlanif20 up up -- -- 0 0Vlanif30 up up -- -- 0 0Vlanif40 up up -- -- 0 0[LSW1]dis ip routing-table Destination/Mask Proto Pre Cost Flags NextHop Interface 11.0.0.0/24 Direct 0 0 D 11.0.0.2 Vlanif40 11.0.0.2/32 Direct 0 0 D 127.0.0.1 Vlanif40 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 192.168.10.0/24 Direct 0 0 D 192.168.10.1 Vlanif10 192.168.10.1/32 Direct 0 0 D 127.0.0.1 Vlanif10 192.168.20.0/24 Direct 0 0 D 192.168.20.1 Vlanif20 192.168.20.1/32 Direct 0 0 D 127.0.0.1 Vlanif20 192.168.30.0/24 Direct 0 0 D 192.168.30.1 Vlanif30 192.168.30.1/32 Direct 0 0 D 127.0.0.1 Vlanif30 [LSW1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1R2配置
The device is running!<Huawei>sysEnter system view, return user view with Ctrl+Z.[Huawei]un in enInfo: Information center is disabled.[Huawei]sysname R2[R2]int g 0/0/0[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24[R2-GigabitEthernet0/0/0]un shInfo: Interface GigabitEthernet0/0/0 is not shutdown.[R2-GigabitEthernet0/0/0]int g 0/0/1[R2-GigabitEthernet0/0/1]ip add 13.0.0.1 24[R2-GigabitEthernet0/0/1]un shInfo: Interface GigabitEthernet0/0/1 is not shutdown.[R2-GigabitEthernet0/0/1]q[R2]int LoopBack 0[R2-LoopBack0]ip add 114.114.114.114 32[R2-LoopBack0]q[R2]dis ip routing-table Destination/Mask Proto Pre Cost Flags NextHop Interface 12.0.0.0/24 Direct 0 0 D 12.0.0.2 GigabitEthernet0/0/0 12.0.0.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0 12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0 13.0.0.0/24 Direct 0 0 D 13.0.0.1 GigabitEthernet0/0/1 13.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1 13.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1114.114.114.114/32 Direct 0 0 D 127.0.0.1 LoopBack0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0[R2]ip route-static 8.8.8.8 32 12.0.0.12.2 NAT router 配置,先配置第一种的静态nat转换,全局模式下配置,接口开启功能
The device is running!<Huawei>system-view Enter system view, return user view with Ctrl+Z.[Huawei]un in enInfo: Information center is disabled.[Huawei]sysname NAT router[NAT router]int g 0/0/0 [NAT router-GigabitEthernet0/0/0]ip add 11.0.0.1 24[NAT router-GigabitEthernet0/0/0]un shInfo: Interface GigabitEthernet0/0/0 is not shutdown.[NAT router-GigabitEthernet0/0/0]int g 0/0/1 [NAT router-GigabitEthernet0/0/1]ip add 12.0.0.1 24[NAT router-GigabitEthernet0/0/1]un shInfo: Interface GigabitEthernet0/0/1 is not shutdown.[NAT router-GigabitEthernet0/0/1]q [NAT router]nat static global 8.8.8.8 inside 192.168.10.10[NAT router]ip route-static 192.168.0.0 16 11.0.0.2[NAT router]int g 0/0/1[NAT router-GigabitEthernet0/0/1]nat static enable [NAT router-GigabitEthernet0/0/1]q[NAT router]ip route-static 114.114.114.114 32 12.0.0.2测试192.168.10.10 去ping lo 0 114.114.114.114 ,在R2的g0/0/0处抓包
2.3 配置静态NAT的第二种配法,在接口内配置
[NAT router]nat static global 9.9.9.9 inside 192.168.20.10[NAT router]int g 0/0/1[NAT router-GigabitEthernet0/0/1]nat static global 9.9.9.9 inside 192.168.20.10 Info: The NAT in the network has existed. Already existing configuration will be covered with current configure. [Y/N]: y[NAT router-GigabitEthernet0/0/1]R2配置回程路由
[R2]ip route-static 9.9.9.9 32 12.0.0.1192.168.20.10 去ping 114.114.114.114
2.4 设置动态nat地址转换,即多对多的模式,
在全局模式下把两个网段(公网和私网)宣告,
私网是acl ,
公网是address-group ,
然后在公网接口 处宣告两者之间的关系
[NAT router]dis ip routing-table Destination/Mask Proto Pre Cost Flags NextHop Interface 8.8.8.8/32 Unr 64 0 D 127.0.0.1 InLoopBack0 9.9.9.9/32 Unr 64 0 D 127.0.0.1 InLoopBack0 11.0.0.0/24 Direct 0 0 D 11.0.0.1 GigabitEthernet0/0/0 11.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0 11.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0 12.0.0.0/24 Direct 0 0 D 12.0.0.1 GigabitEthernet0/0/1 12.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1 12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1114.114.114.114/32 Static 60 0 RD 12.0.0.2 GigabitEthernet0/0/1 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 192.168.0.0/16 Static 60 0 RD 11.0.0.2 GigabitEthernet0/0/0255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0[NAT router]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2<NAT router>system-view Enter system view, return user view with Ctrl+Z.[NAT router]nat address-group 1 212.0.0.100 212.0.0.200[NAT router]acl 2000[NAT router-acl-basic-2000]rule permit source 192.168.30.0 0.0.0.255[NAT router-acl-basic-2000]q[NAT router]int g 0/0/1[NAT router-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat[NAT router-GigabitEthernet0/0/1]与此对应的,增加R2的回程路由
[R2]ip route-static 212.0.0.0 24 12.0.0.1从抓包数据可以观察到,源ip一直在变
2.5 配置nat模式中多个私网地址对应一个公网地址
思路跟动态nat思路大致相同,
全局模式下宣告私网地址网段,acl,要注意的是这种nat命令跟动态nat命令的不同之处在有一个ip 字符
然后在公网接口处指定关系,因为没有指定的公网网段,不填
因为环境中pc没有富裕的,需要把之前的部分配置删掉,以免冲突
<NAT router>system-view Enter system view, return user view with Ctrl+Z.[NAT router]acl 3000 [NAT router-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255[NAT router-acl-adv-3000]q[NAT router]int g 0/0/1[NAT router-GigabitEthernet0/0/1]nat outbound 3000[NAT router-GigabitEthernet0/0/1]dis this[V200R003C00]#interface GigabitEthernet0/0/1 ip address 12.0.0.1 255.255.255.0 nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255 nat outbound 2000 address-group 1 no-pat nat outbound 3000 nat static enable#return[NAT router-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1 no-pat[NAT router-GigabitEthernet0/0/1]undo nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255[NAT router-GigabitEthernet0/0/1]q[NAT router]
