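HCIA---Basic NAT Configuration
I. Lab Requirements
The light-blue area simulates the internal network and the ISP simulates the external network. Configure NAT so that hosts on the internal network can reach the external network.
II. Topology
III. IP Address Plan
Device | IP address |
---|---|
R1 | g0/0/0 192.168.1.1/24; g0/0/1 192.168.2.1/24 |
R2 | g0/0/0 192.168.2.2/24; g0/0/1 192.168.3.1/24; g0/0/2 12.0.0.1/24 |
R3 | g0/0/0 12.0.0.2/24; g0/0/1 10.0.0.1/24; loopback 1.1.1.1/24 |
PC1 | 192.168.1.2 |
PC2 | 192.168.1.3 |
PC3 | 192.168.3.2 |
PC4 | 192.168.3.3 |
IV. Routing Configuration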
R1:
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
<r1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 GigabitEthernet0/0/0
192.168.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
192.168.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
192.168.2.0/24 Direct 0 0 D 192.168.2.1 GigabitEthernet0/0/1
192.168.2.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
192.168.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
192.168.3.0/24 Static 60 0 RD 192.168.2.2 GigabitEthernet0/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<r1>display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.1.1/24 up up
GigabitEthernet0/0/1 192.168.2.1/24 up up
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
[r1]ip route-static 12.0.0.0 24 192.168.2.2
[r1]ip route-static 1.1.1.0 24 192.168.2.2
R2:
[r2]ip route-static 192.168.1.0 24 192.168.2.1
[r2]nat address-group 0 12.0.0.4 12.0.0.8
[r2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[r2-GigabitEthernet0/0/2]nat outbound 2000 address-group 0 no-pat
[r2]ip route-static 1.1.1.0 24 12.0.0.2
[r2]int g 0/0/2
[r2-GigabitEthernet0/0/2]undo nat static global 12.0.0.3 inside 192.168.1.2
[r2-GigabitEthernet0/0/2]undo nat outbound 2000 address-group 0 no-pat
[r2-GigabitEthernet0/0/2]display this
[V200R003C00]
#
interface GigabitEthernet0/0/2
ip address 12.0.0.1 255.255.255.0
#
return
[r2-GigabitEthernet0/0/2]acl 2001
[r2-acl-basic-2001]rule permit source 192.168.0.0 0.0.255.255
[r2]interface g 0/0/2
[r2-GigabitEthernet0/0/2]nat outbound 2001
[r2]int g0/0/2
[r2-GigabitEthernet0/0/2]nat server protocol tcp global 12.0.0.1 80 inside 192.168.1.10 80
Error: The address conflicts with interface or ARP IP.
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 80 inside 192.168.1.10 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
R3:
The device is running!
[Huawei]sysname isp
[isp]int g 0/0/0
[isp-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[isp-GigabitEthernet0/0/0]int l 0
[isp-LoopBack0]ip add 1.1.1.1 24
[isp]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.0/24 Direct 0 0 D 1.1.1.1 LoopBack0
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
1.1.1.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
12.0.0.0/24 Direct 0 0 D 12.0.0.2 GigabitEthernet0/0/0
12.0.0.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[isp]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 12.0.0.2/24 up up
GigabitEthernet0/0/1 unassigned down down
GigabitEthernet0/0/2 unassigned down down
LoopBack0 1.1.1.1/24 up up(s)
NULL0 unassigned up up(s)
[isp]ip route-static 192.168.1.0 24 12.0.0.1
[isp]ip route-static 192.168.2.0 24 12.0.0.1
[isp]ip route-static 192.168.3.0 24 12.0.0.1
[isp]int g0/0/1
[isp-GigabitEthernet0/0/1]ip add 10.0.0.1 24
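V. Testing
After the routes are configured, the test result is:
At this point the internal networks can reach each other.
After all NAT configuration is complete, ping 1.1.1.1 from every PC to test.
VI. Summary
Note: on Huawei devices, all NAT configuration is applied on the outbound interface.
1. Static NAT: one-to-one NAT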
[r2-GigabitEthernet0/0/2]nat static global 12.0.0.3 inside 192.168.1.2
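Where 12.0.0.3 comes from: 1. it must be a legitimate public IP address purchased from the ISP; 2. it must be within the 12.0.0.0 network segment.
View the static NAT mapping table:
2. Dynamic NAT: many-to-many NAT
Create the public IP address group: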
[r2]nat address-group 0 12.0.0.4 12.0.0.8
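The addresses must be contiguous public IPs, and all of them are purchased addresses.
Handle the private IPs by matching the interesting traffic: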
[r2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
Bind the public IP address group to the ACL:
[r2-GigabitEthernet0/0/2]nat outbound 2000 address-group 0 no-pat
3. NAPT: Network Address Port Translation
Match the interesting traffic:
[r2-acl-basic-2001]rule permit source 192.168.0.0 0.0.255.255
[r2-GigabitEthernet0/0/2]nat outbound 2001
4. Port mapping:
[r2-GigabitEthernet0/0/2]nat server protocol tcp global 12.0.0.1 80 inside 192.168.1.10 80
[r2-GigabitEthernet0/0/2]nat server protocol tcp global current-interface 80 inside 192.168.1.10 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
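The difference between the no-pat address group (item 2) and NAPT on the interface address (item 3), modelled in Python as an added example that is not part of the original post. The source list, the source port 40000 and the starting translated port 10000 are constructed assumptions; a real router chooses its own ports.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(src, base="192.168.0.0", wildcard="0.0.255.255"):
    # `rule permit source 192.168.0.0 0.0.255.255`: wildcard bits set to 1 are
    # ignored, so this matches all of 192.168.0.0/16, not only the lab's /24s.
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(src) & care) == (ip_int(base) & care)

class NoPatPool:
    # Model of `nat outbound 2000 address-group 0 no-pat`: each inside host
    # holds one whole public address, so the pool size caps concurrent hosts.
    def __init__(self, first="12.0.0.4", last="12.0.0.8"):
        self.free = [str(ipaddress.IPv4Address(i))
                     for i in range(ip_int(first), ip_int(last) + 1)]
        self.table = {}
    def translate(self, src):
        if not acl_permits(src):
            return None                    # source not matched by the ACL
        if src not in self.table:
            if not self.free:
                return None                # pool exhausted: no mapping left
            self.table[src] = self.free.pop(0)
        return self.table[src]

class Napt:
    # Model of `nat outbound 2001`: every flow shares the interface address
    # 12.0.0.1 and is told apart by its translated source port.
    def __init__(self, public_ip="12.0.0.1", first_port=10000):  # port base assumed
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}
    def translate(self, src, sport):
        if not acl_permits(src):
            return None
        if (src, sport) not in self.table:
            self.table[(src, sport)] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[(src, sport)]

# Constructed sources: four lab PCs, R1 g0/0/1, the web server, one non-matching host.
SOURCES = ["192.168.1.2", "192.168.1.3", "192.168.3.2", "192.168.3.3",
           "192.168.2.1", "192.168.1.10", "10.0.0.5"]

def run_lab():
    pool, napt = NoPatPool(), Napt()
    return ({s: pool.translate(s) for s in SOURCES},
            {s: napt.translate(s, 40000) for s in SOURCES})

if __name__ == "__main__":
    for mode in run_lab():
        print(mode)
```

In this model the five-address pool runs out at the sixth matching source, while NAPT maps all six to 12.0.0.1 on distinct ports.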
Author: ChAn