Learning NAT (Network Address Translation)

Tech  2022-07-11

NAT is the process of translating an IP address in the header of an IP datagram into another IP address; it is mainly used so that hosts on an internal network can access the external network. NAT is generally deployed on the gateway device that connects the internal network to the external one. The gateway keeps a NAT mapping table so that it can work out which private-network destination address a packet received from the public network should be delivered to.

NAT address translation comes in the following forms:

1. Static NAT: a one-to-one mapping between a private address and a public address; a public IP can be assigned to only one fixed internal host address.
2. Dynamic NAT: private addresses are translated to public addresses drawn from an address pool.
3. NAPT (Network Address Port Translation): several internal addresses are mapped to different ports of the same public address.
4. Easy IP: several internal addresses are mapped to different ports of the gateway's outbound interface address.
5. NAT server: by configuring a NAT server, external users can reach a server on the internal network.

# Configure interface IPs and default routes on the routers

## R1 and R2 are on the internal network, R4 on the external network, and R3 is the gateway

```
# AR1
interface GigabitEthernet0/0/0
 ip address 13.1.1.1 255.255.255.0
### configure the default route
ip route-static 0.0.0.0 0.0.0.0 13.1.1.3

# AR2
interface GigabitEthernet0/0/0
 ip address 23.1.1.2 255.255.255.0
## configure the default route
ip route-static 0.0.0.0 0.0.0.0 23.1.1.3

# AR3
interface GigabitEthernet0/0/0
 ip address 13.1.1.3 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 23.1.1.3 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 34.1.1.3 255.255.255.0

# AR4
interface GigabitEthernet0/0/0
 ip address 34.1.1.4 255.255.255.0
## configure the default route
ip route-static 0.0.0.0 0.0.0.0 34.1.1.3
```

Configuring NAPT takes three steps:

1. define an ACL;
2. define an address group (if the outbound interface IP is used instead of an address group, that is Easy IP);
3. bind the ACL to the address group on the outbound interface.

```
[AR3]acl 2000
[AR3-acl-basic-2000]rule 5 permit source any
[AR3-acl-basic-2000]q
[AR3]nat address-group 1 34.1.1.100 34.1.1.100
[AR3]inter g0/0/2
[AR3-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]q
<AR3>display NAT session ALL
 NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 23.1.1.2   32966
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.100
       New SrcPort     : 10245
       New DestAddr    : ----
       New DestPort    : ----

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 13.1.1.1   22720
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.100
       New SrcPort     : 10244
       New DestAddr    : ----
       New DestPort    : ----

  Total : 2
```

## Enable telnet on AR4

```
[AR4]user-interface vty 0 4
[AR4-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR4-ui-vty0-4]
```

## Telnet to AR4 from the other routers and check the state on AR4

```
[AR4]display tcp status
TCPCB    Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
b4cf56b8 6   /1    0.0.0.0:23            0.0.0.0:0             23553  Listening
b4cf5bc8 6   /5    34.1.1.4:23           34.1.1.3:50894        0      Established
b4cf5a84 6   /4    34.1.1.4:23           34.1.1.100:1320       0      Established
[AR4]
```
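As an added example (not from the original post), here is a small Python parser for the `display nat session all` output shown above. The port numbers in that table are printed byte-swapped: 5888 is 0x1700, i.e. telnet port 23 (0x0017), and 10245 is 0x2805, i.e. port 1320 (0x0528), which is exactly the foreign port that AR4's `display tcp status` shows for 34.1.1.100. The parser undoes the swap so the gateway's session table can be matched against what the peer actually sees; the sample text is constructed from the page's values.

```python
import re
# Constructed sample: AR3's "display nat session all" output from this page, layout restored.
SAMPLE = """\
 NAT Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 23.1.1.2   32966
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.100
       New SrcPort     : 10245
       New DestAddr    : ----
       New DestPort    : ----
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 13.1.1.1   22720
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.100
       New SrcPort     : 10244
       New DestAddr    : ----
       New DestPort    : ----
  Total : 2
"""

def unswap_port(shown):
    """Undo the byte-swapped port display: 5888 (0x1700) is telnet 23 (0x0017),
    and 10245 (0x2805) is the port 1320 (0x0528) that AR4's tcp status reports."""
    return ((shown & 0xFF) << 8) | (shown >> 8)

def parse_nat_sessions(text):
    """Return one dict per session entry, with ports converted to real values."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Protocol\s*:\s*(\w+)", line)
        if m:                                   # a new session entry starts here
            cur = {"proto": m.group(1)}
            sessions.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(Src|Dest)Addr\s+Port\s+Vpn\s*:\s*(\S+)\s+(\d+)", line)
            if m:                               # original (pre-NAT) endpoints
                cur[m.group(1).lower()] = (m.group(2), unswap_port(int(m.group(3))))
            m = re.match(r"\s*New (Src|Dest)(Addr|Port)\s*:\s*(\S+)", line)
            if m and m.group(3) != "----":      # "----" means the field is untouched
                val = m.group(3) if m.group(2) == "Addr" else unswap_port(int(m.group(3)))
                cur["new_" + (m.group(1) + m.group(2)).lower()] = val
    return sessions

def public_to_private(sessions):
    """Map the (public ip, port) a peer such as AR4 sees back to the inside host."""
    return {(s["new_srcaddr"], s["new_srcport"]): s["src"]
            for s in sessions if "new_srcaddr" in s}
```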

Easy IP: 1. define the ACL (below, acl 2000 is reused and applied to the outbound interface without an address group)

```
interface GigabitEthernet0/0/2
 ip address 34.1.1.3 255.255.255.0
 nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]undo nat outbound 2000 address-group 1
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
 ip address 34.1.1.3 255.255.255.0
#
return
### apply the ACL directly, with no address group
[AR3-GigabitEthernet0/0/2]nat outbound 2000
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
 ip address 34.1.1.3 255.255.255.0
 nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]
```

## Telnet to AR4 again from the other routers

```
<AR4>display tcp status
TCPCB    Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
b4cf56b8 6   /1    0.0.0.0:23            0.0.0.0:0             23553  Listening
b4cf5a84 6   /6    34.1.1.4:23           34.1.1.3:40           0      Established
b4cf5bc8 6   /7    34.1.1.4:23           34.1.1.3:296          0      Established
<AR4>

<AR3>display nat session all
 NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 13.1.1.1   14528
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.3
       New SrcPort     : 10240
       New DestAddr    : ----
       New DestPort    : ----

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 23.1.1.2   15045
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.3
       New SrcPort     : 10241
       New DestAddr    : ----
       New DestPort    : ----

  Total : 2
<AR3>
```

NAT server (static NAPT): suppose R1 runs a telnet service on port 23, published externally on port 2323.

## Enable telnet on AR1

```
<AR1>sy
Enter system view, return user view with Ctrl+Z.
[AR1]user-inter
[AR1]user-interface v
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]auth
[AR1-ui-vty0-4]authentication-mode pass
[AR1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[AR1-ui-vty0-4]
[AR1-ui-vty0-4]q
[AR1]
```

## Configure AR3

```
[AR3-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 2323 in
[AR3-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 2323 inside 13.1.1.1 23
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
 ip address 34.1.1.3 255.255.255.0
 nat server protocol tcp global current-interface 2323 inside 13.1.1.1 telnet
 nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]q
[AR3]dis
[AR3]display nat ser
[AR3]display nat server
  Nat Server Information:
  Interface  : GigabitEthernet0/0/2
    Global IP/Port     : current-interface/2323 (Real IP : 34.1.1.3)
    Inside IP/Port     : 13.1.1.1/23(telnet)
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----
    Description : ----

  Total :   1
[AR3]
```

## Test from AR4

```
<AR4>
<AR4>telnet 34.1.1.3 2323
  Press CTRL_] to quit telnet mode
  Trying 34.1.1.3 ...
  Connected to 34.1.1.3 ...

Login authentication

Password:
<AR1>
```

### Enable telnet (port 23) on R2 and test it through static NAPT, using IP 34.1.1.3 with port 2003

```
[AR3-GigabitEthernet0/0/2]nat static protocol tcp global current-interface 2003 inside 23.1.1.2 23
[AR3-GigabitEthernet0/0/2]di th
[V200R003C00]
#
interface GigabitEthernet0/0/2
 ip address 34.1.1.3 255.255.255.0
 nat server protocol tcp global current-interface 2323 inside 13.1.1.1 telnet
 nat static protocol tcp global current-interface 2003 inside 23.1.1.2 telnet netmask 255.255.255.255
 nat outbound 2000
#
return
[AR3-GigabitEthernet0/0/2]

<AR4>telnet 34.1.1.3 2003
  Press CTRL_] to quit telnet mode
  Trying 34.1.1.3 ...
  Connected to 34.1.1.3 ...

Login authentication

Password:
<AR2>

[AR3]display nat session all
 NAT Session Table Information:

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 34.1.1.4   60099
     DestAddr Port Vpn : 34.1.1.3   4873
     NAT-Info
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    : 13.1.1.1
       New DestPort    : 5888

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 13.1.1.1   14528
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.3
       New SrcPort     : 10240
       New DestAddr    : ----
       New DestPort    : ----

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 23.1.1.2   15045
     DestAddr Port Vpn : 34.1.1.4   5888
     NAT-Info
       New SrcAddr     : 34.1.1.3
       New SrcPort     : 10241
       New DestAddr    : ----
       New DestPort    : ----

     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 34.1.1.4   48065
     DestAddr Port Vpn : 34.1.1.3   54023
     NAT-Info
       New SrcAddr     : ----
       New SrcPort     : ----
       New DestAddr    : 23.1.1.2
       New DestPort    : 5888

  Total : 4
```
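To make the final policy on AR3 concrete, here is an added Python model (not the router's code) of how GigabitEthernet0/0/2 now treats packets in each direction: the two static mappings (2323 and 2003 on 34.1.1.3) are always reachable from outside, Easy IP sessions exist only because an inside host initiated them, and anything else arriving at 34.1.1.3 is dropped. The port allocator counting up from 10240, the session keys and the method names are assumptions of the model; the addresses and ports are the page's.

```python
# Added model of AR3's final NAT policy on GigabitEthernet0/0/2 from this page:
# Easy IP (nat outbound 2000, ACL permits any source) plus two static inbound
# mappings. Port allocation, session keys and method names are assumptions.
SERVERS = {            # (proto, global port on 34.1.1.3) -> (inside ip, inside port)
    ("tcp", 2323): ("13.1.1.1", 23),   # nat server ... 2323 inside 13.1.1.1 telnet
    ("tcp", 2003): ("23.1.1.2", 23),   # nat static ... 2003 inside 23.1.1.2 telnet
}

class EasyIpNat:
    def __init__(self, iface_ip="34.1.1.3", servers=SERVERS, first_port=10240):
        self.iface_ip = iface_ip
        self.servers = dict(servers)
        # reverse view so a published server's replies keep their static global port
        self.rev_servers = {(p, ip, port): gport for (p, gport), (ip, port) in servers.items()}
        self.next_port = first_port            # assumed allocator: counts up from 10240
        self.out_map = {}   # (proto, src, sport, dst, dport) -> allocated public port
        self.in_map = {}    # (proto, public port, peer, peer port) -> (src, sport)

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> g0/0/2. Returns the 5-tuple as the outside sees it."""
        if (proto, src, sport) in self.rev_servers:
            return (proto, self.iface_ip, self.rev_servers[(proto, src, sport)], dst, dport)
        flow = (proto, src, sport, dst, dport)
        if flow not in self.out_map:           # first packet of a session: open a hole
            self.out_map[flow] = self.next_port
            self.in_map[(proto, self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (proto, self.iface_ip, self.out_map[flow], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """g0/0/2 -> inside. Returns the translated 5-tuple, or None if dropped."""
        if dst != self.iface_ip:
            return None
        if (proto, dport) in self.servers:     # static mapping: always reachable
            return (proto, src, sport, *self.servers[(proto, dport)])
        hit = self.in_map.get((proto, dport, src, sport))
        if hit is None:                        # unsolicited: no session, nothing to match
            return None
        return (proto, src, sport, *hit)       # reply to an Easy IP session
```

The two static entries are the only inbound paths that exist before any inside host talks; every other inbound hit in the session table above corresponds to an `out_map` entry created by AR1 or AR2 first.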
