Network Security Learning -- NAT

Posted by 丢爸

Editor's note: this article was compiled by the editors of Xiaochangshi (cha138.com). It introduces material on Network Security Learning -- NAT and is offered as a reference.

NAT

  • NAT (Network Address Translation)
  • IPv4 addresses are no longer sufficient
  • IP addresses are divided into public IPs and private IPs
    • Private IPs are not allowed to appear on the public Internet
    • Private IPs may be reused in any number of internal networks
  • NAT translates between public and private IP addresses. It is normally done on a router or firewall; configuring it on a layer-3 switch is not recommended.
Private IP address ranges
  1. 10.0.0.0/8
  2. 172.16.0.0/16 through 172.31.0.0/16 (addresses beginning with 172.16 up to 172.31)
  3. 192.168.0.0/16 (addresses beginning with 192.168)
NAT types
  • Static NAT: one-to-one mapping (static PAT, i.e. port mapping)
  • Dynamic NAT
  • PAT (Port Address Translation), also called port multiplexing (the overload keyword in IOS)
NAT definitions
  • Define the inside and outside interfaces
    • Inside to outside: the source IP is translated
    • Outside to inside: the destination IP is translated
  • NAT translation table
NAT commands
  • Define the inside interface
interface fa0/0
ip nat inside
exit
  • Define the outside interface
interface fa0/1
ip nat outside
exit
  • Configure PAT
# Define the inside address pool (the sources that will be translated)
access-list 1 permit 192.168.0.0 0.0.255.255
# Dynamic PAT mapping onto the outside interface address
ip nat inside source list 1 int fa0/1 overload
# Configure a static port translation (port forward)
ip nat inside source static tcp 192.168.1.3 80 100.1.1.2 80
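The following is an added example, not part of the original article or any Cisco code: a small Python model of what the commands above make the router do, using the lab's addresses. It assumes the static mapping's global address is the outside interface address itself (as in the lab's Router0), and shows why an unsolicited inbound packet is dropped unless a static entry exists, while an inside source not matched by the access list is forwarded untranslated.

```python
import ipaddress

# Constructed model (not Cisco code) of what Router0 on this page does:
# PAT "overload" for sources permitted by access-list 1, plus one static
# TCP port forward. Addresses are the ones used in the page's lab.

def acl_permits(ip, network, wildcard):
    """Cisco wildcard match: 0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)

class PatRouter:
    def __init__(self, inside_global, acl):
        self.inside_global = inside_global   # the "int fa0/1" address used for overload
        self.acl = acl                       # (network, wildcard) from "access-list 1 permit ..."
        self.dynamic = {}                    # (proto, global port) -> (inside ip, inside port, outside ip)
        self.static = {}                     # (proto, global port) -> (inside ip, inside port)
        self.next_port = 1024                # first free global port for new flows

    def add_static(self, proto, inside_ip, inside_port, global_port):
        """ip nat inside source static tcp <inside ip> <port> <global ip> <port>"""
        self.static[(proto, global_port)] = (inside_ip, inside_port)

    def inside_to_outside(self, proto, src_ip, src_port, dst_ip):
        """Inside -> outside: rewrite the source. Returns the (ip, port) the outside sees."""
        if not acl_permits(src_ip, *self.acl):
            # IOS routes non-matching packets untranslated: the private source leaks as-is
            return (src_ip, src_port)
        for (p, gport), (iip, iport, oip) in self.dynamic.items():
            if (p, iip, iport, oip) == (proto, src_ip, src_port, dst_ip):
                return (self.inside_global, gport)   # existing flow keeps its entry
        gport, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(proto, gport)] = (src_ip, src_port, dst_ip)
        return (self.inside_global, gport)

    def outside_to_inside(self, proto, src_ip, dst_ip, dst_port):
        """Outside -> inside: rewrite the destination, or None when the packet is dropped."""
        if dst_ip != self.inside_global:
            return None
        if (proto, dst_port) in self.static:
            return self.static[(proto, dst_port)]    # reachable from any outside host
        entry = self.dynamic.get((proto, dst_port))
        if entry and entry[2] == src_ip:             # only the peer this flow talked to
            return (entry[0], entry[1])
        return None                                  # unsolicited inbound: no entry, dropped
```

The static entry is the one row that accepts traffic from any outside host, which is exactly why a port forward exposes the inside server and deserves its own inbound filtering.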
Lab 1

#------------------ Router0 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface fa0/0
Router(config-if)#ip addr 192.168.1.254 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 100.1.1.1 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#ip nat inside source list 1 int fa0/1 overload
Router(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.2
Router(config)#ip nat inside source static tcp 192.168.1.3 80 100.1.1.1 80
Router(config)#
# Show the NAT translation table
Router(config)#do show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 100.1.1.1:37      192.168.1.1:37     200.1.1.1:37       200.1.1.1:37
icmp 100.1.1.1:38      192.168.1.1:38     200.1.1.1:38       200.1.1.1:38
icmp 100.1.1.1:39      192.168.1.1:39     200.1.1.1:39       200.1.1.1:39
icmp 100.1.1.1:40      192.168.1.1:40     200.1.1.1:40       200.1.1.1:40
tcp 100.1.1.1:80       192.168.1.3:80     ---                ---
tcp 100.1.1.1:80       192.168.1.3:80     200.1.1.1:1030     200.1.1.1:1030
#------------------ Router0 configuration (end)
#------------------ Router1 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/1
Router(config-if)#ip addr 100.1.1.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 150.1.1.1 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       100.1.1.0/24 is directly connected, FastEthernet0/1
L       100.1.1.2/32 is directly connected, FastEthernet0/1
     150.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       150.1.1.0/24 is directly connected, FastEthernet0/0
L       150.1.1.1/32 is directly connected, FastEthernet0/0

Router(config-if)#ip route 200.1.1.0 255.255.255.0 150.1.1.2
Router(config)#
#------------------ Router1 configuration (end)
#------------------ Router2 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip addr 150.1.1.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 200.1.1.1 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router(config-if)#no ip addr 200.1.1.1 255.255.255.0
Router(config-if)#ip addr 200.1.1.254 255.255.255.0
Router(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     150.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       150.1.1.0/24 is directly connected, FastEthernet0/0
L       150.1.1.2/32 is directly connected, FastEthernet0/0
     200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       200.1.1.0/24 is directly connected, FastEthernet0/1
L       200.1.1.254/32 is directly connected, FastEthernet0/1

Router(config-if)#exit
Router(config)#ip route 100.1.1.0 255.255.255.0 150.1.1.1
Router(config)#no ip route 100.1.1.0 255.255.255.0 150.1.1.1
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     150.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       150.1.1.0/24 is directly connected, FastEthernet0/0
L       150.1.1.2/32 is directly connected, FastEthernet0/0
     200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       200.1.1.0/24 is directly connected, FastEthernet0/1
L       200.1.1.254/32 is directly connected, FastEthernet0/1

Router(config)#ip route 0.0.0.0 0.0.0.0 150.1.1.1
Router(config)#

#------------------ Router2 configuration (end)
