Huawei Static and Dynamic NAT Address Translation and Static Port Mapping

Demo 1: Static NAT address translation

Topology in eNSP:

[Figure: eNSP topology]

SW1:

<Huawei>sys 
[Huawei]sysname SW1
[SW1]vlan batch 10 20 30 40
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]int vlanif10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlanif20
[SW1-Vlanif20]ip add 192.168.20.1 24
[SW1-Vlanif20]int vlanif30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]int vlanif40
[SW1-Vlanif40]ip add 11.0.0.2 24
[SW1-Vlanif40]q
[SW1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 5
The number of interface that is UP in Protocol is 1
The number of interface that is DOWN in Protocol is 6
Interface                         IP Address/Mask      Physical   Protocol  
MEth0/0/1                         unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Vlanif1                           unassigned           up         down      
Vlanif10                          192.168.10.1/24      down       down      
Vlanif20                          192.168.20.1/24      down       down      
Vlanif30                          192.168.30.1/24      down       down      
Vlanif40                          11.0.0.2/24          down       down 
[SW1]int g0/0/1 
[SW1-GigabitEthernet0/0/1]port link-type access 
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access 
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 30
[SW1-GigabitEthernet0/0/3]int g0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 20
[SW1-GigabitEthernet0/0/4]int g0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 40
[SW1-GigabitEthernet0/0/5]dis vlan
The total number of vlans is : 5
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------
VID  Type    Ports                                                          
--------------------------------------------------------------------------------
1    common  UT:GE0/0/6(D)      GE0/0/7(D)      GE0/0/8(D)      GE0/0/9(D)      
                GE0/0/10(D)     GE0/0/11(D)     GE0/0/12(D)     GE0/0/13(D)     
                GE0/0/14(D)     GE0/0/15(D)     GE0/0/16(D)     GE0/0/17(D)     
                GE0/0/18(D)     GE0/0/19(D)     GE0/0/20(D)     GE0/0/21(D)     
                GE0/0/22(D)     GE0/0/23(D)     GE0/0/24(D)                     
10   common  UT:GE0/0/1(U)                                                      
20   common  UT:GE0/0/2(U)      GE0/0/4(U)                                      
30   common  UT:GE0/0/3(U)                                                      
40   common  UT:GE0/0/5(U)                                                      

VID  Status  Property      MAC-LRN Statistics Description      
--------------------------------------------------------------------------------
1    enable  default       enable  disable    VLAN 0001                         
10   enable  default       enable  disable    VLAN 0010                         
20   enable  default       enable  disable    VLAN 0020                         
30   enable  default       enable  disable    VLAN 0030                         
40   enable  default       enable  disable    VLAN 0040                         
[SW1-GigabitEthernet0/0/5]q
[SW1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 2
Interface                         IP Address/Mask      Physical   Protocol  
MEth0/0/1                         unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Vlanif1                           unassigned           down       down      
Vlanif10                          192.168.10.1/24      up         up        
Vlanif20                          192.168.20.1/24      up         up        
Vlanif30                          192.168.30.1/24      up         up        
Vlanif40                          11.0.0.2/24          up         up 
// All ports are now configured and up
[SW1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1

R1:

<Huawei>sys
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[R1-GigabitEthernet0/0/0]un sh 
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]q
[R1]ping 11.0.0.2
  PING 11.0.0.2: 56  data bytes, press CTRL_C to break
    Reply from 11.0.0.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 11.0.0.2: bytes=56 Sequence=2 ttl=255 time=20 ms
    Reply from 11.0.0.2: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 11.0.0.2: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 11.0.0.2: bytes=56 Sequence=5 ttl=255 time=20 ms
  --- 11.0.0.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/28/50 ms
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[R1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.   
[R1-GigabitEthernet0/0/1]nat static enable
[R1-GigabitEthernet0/0/1]q
[R1]nat static global 8.8.8.8 inside 192.168.10.10
[R1]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2
[R1]ip route-static 192.168.10.0 24 11.0.0.2
[R1]ip route-static 192.168.20.0 24 11.0.0.2
[R1]ip route-static 192.168.30.0 24 11.0.0.2

R2:

<Huawei>sys
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]un sh 
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R2-GigabitEthernet0/0/0]ping 12.0.0.1
  PING 12.0.0.1: 56  data bytes, press CTRL_C to break
    Reply from 12.0.0.1: bytes=56 Sequence=1 ttl=255 time=110 ms
    Reply from 12.0.0.1: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 12.0.0.1: bytes=56 Sequence=3 ttl=255 time=20 ms
    Reply from 12.0.0.1: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 12.0.0.1: bytes=56 Sequence=5 ttl=255 time=10 ms
  --- 12.0.0.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/38/110 ms
[R2-GigabitEthernet0/0/0]q
[R2]int loopBack0
[R2-LoopBack0]ip add 114.114.114.114 32
[R2-LoopBack0]q 
[R2]ip route-static 8.8.8.8 32 12.0.0.1

Verification: ping 114.114.114.114 from PC4

PC>ping 114.114.114.114
Ping 114.114.114.114: 32 data bytes, Press Ctrl_C to break
From 114.114.114.114: bytes=32 seq=1 ttl=253 time=47 ms
From 114.114.114.114: bytes=32 seq=2 ttl=253 time=31 ms
From 114.114.114.114: bytes=32 seq=3 ttl=253 time=47 ms
From 114.114.114.114: bytes=32 seq=4 ttl=253 time=31 ms
From 114.114.114.114: bytes=32 seq=5 ttl=253 time=47 ms
--- 114.114.114.114 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/40/47 ms

Check the address translation with a packet capture:

[Figure: packet capture screenshots]

Demo 2: Dynamic NAT

R1:

[R1]nat address-group 1 212.0.0.100 212.0.0.200
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.20.0 0.0.0.255
[R1-acl-basic-2000]rule permit source 11.0.0.0 0.0.0.255
[R1-acl-basic-2000]int g0/0/1
[R1-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
 ip address 12.0.0.1 255.255.255.0 
 nat static global 8.8.8.8 inside 192.168.10.10 netmask 255.255.255.255
#
return
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/1]q

R2:

[R2]ip route-static 212.0.0.0 24 12.0.0.1
// Configure the static route

Ping 114.114.114.114 from PC2:

PC>ping 114.114.114.114
Ping 114.114.114.114: 32 data bytes, Press Ctrl_C to break
From 114.114.114.114: bytes=32 seq=1 ttl=253 time=31 ms
From 114.114.114.114: bytes=32 seq=2 ttl=253 time=47 ms
From 114.114.114.114: bytes=32 seq=3 ttl=253 time=47 ms
From 114.114.114.114: bytes=32 seq=4 ttl=253 time=47 ms
From 114.114.114.114: bytes=32 seq=5 ttl=253 time=62 ms
--- 114.114.114.114 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/46/62 ms

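Capturing on R2's g0/0/0 interface at this point shows that the addresses are being translated dynamically:

[Figure: packet capture screenshots]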

Demo 3: Easy IP, multiple private IP addresses mapped to the public IP address of the outside interface (12.0.0.1)

R1:

[R1]acl 3000    
[R1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255
[R1-acl-adv-3000]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
 ip address 12.0.0.1 255.255.255.0 
 nat static global 8.8.8.8 inside 192.168.10.10 netmask 255.255.255.255
 nat outbound 2000 address-group 1 no-pat
#
return
[R1-GigabitEthernet0/0/1]nat outbound 3000

Ping 114.114.114.114 from PC3:

PC>ping 114.114.114.114
Ping 114.114.114.114: 32 data bytes, Press Ctrl_C to break
From 114.114.114.114: bytes=32 seq=1 ttl=253 time=31 ms
From 114.114.114.114: bytes=32 seq=2 ttl=253 time=78 ms
From 114.114.114.114: bytes=32 seq=3 ttl=253 time=31 ms
From 114.114.114.114: bytes=32 seq=4 ttl=253 time=16 ms
From 114.114.114.114: bytes=32 seq=5 ttl=253 time=31 ms
--- 114.114.114.114 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 16/37/78 ms

Capture on R2's g0/0/0 interface again to check whether the address is translated:

[Figure: packet capture screenshots]
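
The three translations configured on R1's GigabitEthernet0/0/1, as an added example that is not part of the original post: a Python model that reads the NAT lines from Demo 1 to Demo 3 and reports how a given inside source address leaves the router. The function names, the host addresses used to query it, and the order of checks (static entries first, then `nat outbound` rules in configuration order) are assumptions of this example, not documented VRP behaviour.

```python
import ipaddress

# Constructed sample: R1's NAT-related lines as typed across Demo 1-3 on this page.
R1_CONFIG = """\
nat address-group 1 212.0.0.100 212.0.0.200
acl 2000
 rule permit source 192.168.20.0 0.0.0.255
 rule permit source 11.0.0.0 0.0.0.255
acl 3000
 rule permit ip source 192.168.30.0 0.0.0.255
interface GigabitEthernet0/0/1
 ip address 12.0.0.1 255.255.255.0
 nat static global 8.8.8.8 inside 192.168.10.10 netmask 255.255.255.255
 nat outbound 2000 address-group 1 no-pat
 nat outbound 3000
"""

def wildcard_match(ip, base, wildcard):
    # ACL wildcard mask: 0 bits must match, 1 bits are ignored.
    ip, base, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (ip | wc) == (base | wc)

def parse(config):
    acls, pools, statics, outbound, egress, cur = {}, {}, {}, [], None, None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["acl"]:
            cur = t[-1]                     # ACL number the following rules belong to
        elif t[:2] == ["rule", "permit"] and "source" in t:
            i = t.index("source")
            acls.setdefault(cur, []).append((t[i + 1], t[i + 2]))
        elif t[:2] == ["nat", "address-group"]:
            pools[t[2]] = (t[3], t[4])
        elif t[:2] == ["ip", "address"]:
            egress = t[2]                   # Easy IP translates to the interface address
        elif t[:3] == ["nat", "static", "global"]:
            statics[t[5]] = t[3]            # inside address -> global address
        elif t[:2] == ["nat", "outbound"]:
            outbound.append((t[2], t[4] if "address-group" in t else None, "no-pat" in t))
    return acls, pools, statics, outbound, egress

def translate(src, config=R1_CONFIG):
    acls, pools, statics, outbound, egress = parse(config)
    if src in statics:                      # assumption: static entries are checked first
        return ("static 1:1", statics[src])
    for acl, group, no_pat in outbound:     # assumption: rules tried in config order
        if any(wildcard_match(src, b, w) for b, w in acls.get(acl, [])):
            if group is None:
                return ("easy-ip", egress)
            return ("no-pat pool" if no_pat else "napt pool", "-".join(pools[group]))
    return ("untranslated", src)
```

A source such as 192.168.10.11 comes back untranslated, because only 192.168.10.10 has a static entry and 192.168.10.0/24 appears in neither ACL. The static entry itself carries no protocol or port restriction, so it is a full one-to-one mapping between 8.8.8.8 and 192.168.10.10.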

The NAT lab is now complete. Thanks for reading!
