Theory + Practice: Huawei NAT Address Translation (theory, hands-on, security education course)

Community submission 288 2022-09-23



Preface: NAT (network address translation) rewrites private addresses into public ones, which is what lets hosts on private ranges reach the Internet. On a Huawei Layer 3 switch you do not put an IP address on a physical port; you create a VLANIF interface for the VLAN and address that instead.

In an enterprise with heavier traffic, use a more capable router. Mapping many private addresses onto the outside interface's own IP needs an ACL rule that permits only the intended network segment, written as the network address followed by its wildcard (inverse) mask; the ACL number is then referenced on the outside interface with nat outbound. Note that this ACL only selects which sources get translated; it is not a packet filter, and traffic it does not match is simply left untranslated.

Network Address Translation

1: NAT Overview

1.1 NAT concepts and implementation methods

LSW1 configuration (the Layer 3 switch). Commands are abbreviated as typed: un in en = undo info-center enable, vlan bat = vlan batch, p l a = port link-type access, p d v = port default vlan, un sh = undo shutdown, dis = display, q = quit.

The device is running!

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname LSW1
[LSW1]vlan bat 10 20 30 40
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1]int g 0/0/1
[LSW1-GigabitEthernet0/0/1]p l a
[LSW1-GigabitEthernet0/0/1]p d v 10
[LSW1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[LSW1-GigabitEthernet0/0/1]int g 0/0/2
[LSW1-GigabitEthernet0/0/2]p l a
[LSW1-GigabitEthernet0/0/2]p d v 20
[LSW1-GigabitEthernet0/0/2]un sh
Info: Interface GigabitEthernet0/0/2 is not shutdown.
[LSW1-GigabitEthernet0/0/2]int g 0/0/3
[LSW1-GigabitEthernet0/0/3]p l a
[LSW1-GigabitEthernet0/0/3]p d v 30
[LSW1-GigabitEthernet0/0/3]un sh
Info: Interface GigabitEthernet0/0/3 is not shutdown.
[LSW1-GigabitEthernet0/0/3]int g 0/0/4
[LSW1-GigabitEthernet0/0/4]p l a
[LSW1-GigabitEthernet0/0/4]p d v 30
[LSW1-GigabitEthernet0/0/4]un sh
Info: Interface GigabitEthernet0/0/4 is not shutdown.
[LSW1-GigabitEthernet0/0/4]int g 0/0/6
[LSW1-GigabitEthernet0/0/6]p l a
[LSW1-GigabitEthernet0/0/6]p d v 10
[LSW1-GigabitEthernet0/0/6]un sh
Info: Interface GigabitEthernet0/0/6 is not shutdown.
[LSW1-GigabitEthernet0/0/6]int g 0/0/5
[LSW1-GigabitEthernet0/0/5]p l a
[LSW1-GigabitEthernet0/0/5]p d v 40
[LSW1-GigabitEthernet0/0/5]un sh
Info: Interface GigabitEthernet0/0/5 is not shutdown.
[LSW1-GigabitEthernet0/0/5]q
[LSW1]dis vlan
--------------------------------------------------------------------------------
VID  Type    Ports
--------------------------------------------------------------------------------
1    common  UT:GE0/0/7(D)   GE0/0/8(D)   GE0/0/9(D)   GE0/0/10(D)
                GE0/0/11(D)  GE0/0/12(D)  GE0/0/13(D)  GE0/0/14(D)
                GE0/0/15(D)  GE0/0/16(D)  GE0/0/17(D)  GE0/0/18(D)
                GE0/0/19(D)  GE0/0/20(D)  GE0/0/21(D)  GE0/0/22(D)
                GE0/0/23(D)  GE0/0/24(D)
10   common  UT:GE0/0/1(U)   GE0/0/6(U)
20   common  UT:GE0/0/2(U)
30   common  UT:GE0/0/3(U)   GE0/0/4(U)
40   common  UT:GE0/0/5(U)
[LSW1]int vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.1 24
[LSW1-Vlanif10]dis this
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
return
[LSW1-Vlanif10]un sh
Info: Interface Vlanif10 is not shutdown.
[LSW1-Vlanif10]int vlanif 20
[LSW1-Vlanif20]ip add 192.168.20.1 24
[LSW1-Vlanif20]un sh
Info: Interface Vlanif20 is not shutdown.
[LSW1-Vlanif20]int vlanif 30
[LSW1-Vlanif30]ip add 192.168.30.1 24
[LSW1-Vlanif30]un sh
Info: Interface Vlanif30 is not shutdown.
[LSW1-Vlanif30]int vlanif 40
[LSW1-Vlanif40]ip add 11.0.0.2 24
[LSW1-Vlanif40]un sh
Info: Interface Vlanif40 is not shutdown.
[LSW1-Vlanif40]q
[LSW1]dis interface b
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/1        up    up         0%     0%          0          0
GigabitEthernet0/0/2        up    up         0%     0%          0          0
GigabitEthernet0/0/3        up    up         0%     0%          0          0
GigabitEthernet0/0/4        up    up         0%     0%          0          0
GigabitEthernet0/0/5        up    up         0%     0%          0          0
GigabitEthernet0/0/6        up    up         0%     0%          0          0
Vlanif10                    up    up         --     --          0          0
Vlanif20                    up    up         --     --          0          0
Vlanif30                    up    up         --     --          0          0
Vlanif40                    up    up         --     --          0          0
[LSW1]dis ip routing-table
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       11.0.0.0/24  Direct  0    0           D   11.0.0.2        Vlanif40
       11.0.0.2/32  Direct  0    0           D   127.0.0.1       Vlanif40
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.10.0/24  Direct  0    0           D   192.168.10.1    Vlanif10
   192.168.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20
   192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
   192.168.30.0/24  Direct  0    0           D   192.168.30.1    Vlanif30
   192.168.30.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
[LSW1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1

R2 configuration. R2 plays the Internet side; its Loopback0 address 114.114.114.114 stands in for a public server. Note that 8.8.8.8, 9.9.9.9 and 114.114.114.114 are real public DNS resolver addresses (Google, Quad9 and 114DNS): harmless inside an isolated eNSP topology, but on a real network these mappings would hijack traffic bound for those services.

The device is running!

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g 0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R2-GigabitEthernet0/0/0]int g 0/0/1
[R2-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[R2-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R2-GigabitEthernet0/0/1]q
[R2]int LoopBack 0
[R2-LoopBack0]ip add 114.114.114.114 32
[R2-LoopBack0]q
[R2]dis ip routing-table
Destination/Mask      Proto   Pre  Cost      Flags NextHop         Interface
         12.0.0.0/24  Direct  0    0           D   12.0.0.2        GigabitEthernet0/0/0
         12.0.0.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       12.0.0.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
         13.0.0.0/24  Direct  0    0           D   13.0.0.1        GigabitEthernet0/0/1
         13.0.0.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
       13.0.0.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
  114.114.114.114/32  Direct  0    0           D   127.0.0.1       LoopBack0
        127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
[R2]ip route-static 8.8.8.8 32 12.0.0.1

2.2 NAT router configuration. First, the first form of static NAT: the mapping is entered in system view and the function is enabled on the public-facing interface with nat static enable. The 192.168.0.0/16 static route toward 11.0.0.2 gives the NAT router its path back to the VLANs behind LSW1. Keep in mind that static NAT is a one-to-one, bidirectional mapping: once 8.8.8.8 is bound to 192.168.10.10, anything that can route to 8.8.8.8 reaches that inside host on every port, so use it only for hosts meant to be reachable from outside and filter them separately. Verify the mapping with display nat static and watch live translations with display nat session all.

The device is running!

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname NAT router
[NAT router]int g 0/0/0
[NAT router-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[NAT router-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[NAT router-GigabitEthernet0/0/0]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[NAT router-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[NAT router-GigabitEthernet0/0/1]q
[NAT router]nat static global 8.8.8.8 inside 192.168.10.10
[NAT router]ip route-static 192.168.0.0 16 11.0.0.2
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat static enable
[NAT router-GigabitEthernet0/0/1]q
[NAT router]ip route-static 114.114.114.114 32 12.0.0.2

2.3 The second way to configure static NAT: entering the mapping in interface view. Here the same mapping is first entered in system view and then again on the interface, which is why the router warns that the existing entry will be overwritten.

[NAT router]nat static global 9.9.9.9 inside 192.168.20.10
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat static global 9.9.9.9 inside 192.168.20.10
Info: The NAT in the network has existed. Already existing configuration will be covered with current configure. [Y/N]: y
[NAT router-GigabitEthernet0/0/1]

Configure the return route on R2 (without it R2 has no route to 9.9.9.9 and its replies are dropped):

[R2]ip route-static 9.9.9.9 32 12.0.0.1

2.4 Configure dynamic NAT, i.e. the many-to-many mode.

In system view declare both address ranges: the private one as an ACL and the public one as an address-group; then on the public-facing interface bind the two with nat outbound. With no-pat each inside host is given a whole pool address with no port translation, so the pool 212.0.0.100 to 212.0.0.200 (101 addresses) is the hard ceiling on concurrently translated hosts; once it is exhausted, new hosts are not translated. A basic ACL (numbers 2000 to 2999) matches on source address only. In the routing table below, the 8.8.8.8/32 and 9.9.9.9/32 entries with protocol Unr are the routes the router installs automatically for the static-NAT global addresses; a default route toward R2 is also added before the pool is configured.

[NAT router]dis ip routing-table
Destination/Mask      Proto   Pre  Cost      Flags NextHop         Interface
          8.8.8.8/32  Unr     64   0           D   127.0.0.1       InLoopBack0
          9.9.9.9/32  Unr     64   0           D   127.0.0.1       InLoopBack0
         11.0.0.0/24  Direct  0    0           D   11.0.0.1        GigabitEthernet0/0/0
         11.0.0.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       11.0.0.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
         12.0.0.0/24  Direct  0    0           D   12.0.0.1        GigabitEthernet0/0/1
         12.0.0.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
       12.0.0.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
  114.114.114.114/32  Static  60   0          RD   12.0.0.2        GigabitEthernet0/0/1
        127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      192.168.0.0/16  Static  60   0          RD   11.0.0.2        GigabitEthernet0/0/0
  255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
[NAT router]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2

<NAT router>system-view
Enter system view, return user view with Ctrl+Z.
[NAT router]nat address-group 1 212.0.0.100 212.0.0.200
[NAT router]acl 2000
[NAT router-acl-basic-2000]rule permit source 192.168.30.0 0.0.0.255
[NAT router-acl-basic-2000]q
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[NAT router-GigabitEthernet0/0/1]

Correspondingly, add R2's return route for the pool: 212.0.0.0/24 is not on the 12.0.0.0/24 link, so R2 needs an explicit route back to the NAT router for the translated addresses.

[R2]ip route-static 212.0.0.0 24 12.0.0.1

2.5 Configure NAT with many private addresses mapped to one public address (Easy IP)

The approach is much like dynamic NAT: in system view declare the private segment with an ACL. The difference from the dynamic NAT ACL is that this one is an advanced ACL (numbers 3000 to 3999), so its rule carries the ip keyword (rule permit ip source ...). Then on the public interface bind the ACL with nat outbound and no address-group: because no public pool is given, the translation uses the interface's own address, with port translation (PAT) distinguishing the inside hosts. Since this lab has no spare PCs and the same 192.168.30.0/24 hosts are reused, the earlier dynamic-NAT binding for that segment and the interface-view static mapping have to be removed so that they do not conflict with the new entry.

<NAT router>system-view
Enter system view, return user view with Ctrl+Z.
[NAT router]acl 3000
[NAT router-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255
[NAT router-acl-adv-3000]q
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat outbound 3000
[NAT router-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
 ip address 12.0.0.1 255.255.255.0
 nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255
 nat outbound 2000 address-group 1 no-pat
 nat outbound 3000
 nat static enable
#
return
[NAT router-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1 no-pat
[NAT router-GigabitEthernet0/0/1]undo nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255
[NAT router-GigabitEthernet0/0/1]q
[NAT router]
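To make the behaviour of the three NAT modes configured in sections 2.2 to 2.5 concrete, and the wildcard-mask matching that the ACLs in 2.4 and 2.5 rely on, here is an added example in Python. It is not code from the article and not a Huawei tool: it is a small model of static NAT, dynamic no-pat NAT with an address pool, and Easy IP (PAT on the interface address), driven by constructed packets. The addresses, pool and ports mirror the lab (inside hosts in 192.168.x.0/24, pool 212.0.0.100 onward, 12.0.0.1 on GE0/0/1, 114.114.114.114 as the server); the class and function names, the port allocation starting at 1024 and the packet contents are this example's own assumptions. The pool is deliberately shrunk to two addresses so that exhaustion is visible.

```python
# Added example, not code from the original article: a small model of the three NAT
# behaviours configured on the "NAT router" above (static; dynamic no-pat with an
# address pool; Easy IP, i.e. PAT on the interface address) and of the Huawei basic-ACL
# wildcard match that picks which sources are translated. Addresses, pool and packets
# are constructed to mirror the lab; class and function names are this example's own.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def acl_match(addr, rule_src, wildcard):
    """Wildcard semantics: a 0 bit must match, a 1 bit is don't-care,
    so 'rule permit source 192.168.30.0 0.0.0.255' matches 192.168.30.0/24."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule_src) & care)


class StaticNat:
    """nat static global G inside I: fixed one-to-one, bidirectional, every port."""
    def __init__(self, pairs):
        self.out = dict(pairs)                  # inside -> global
        self.inb = {g: i for i, g in pairs}     # global -> inside

    def outbound(self, p):
        g = self.out.get(p.src)
        return replace(p, src=g) if g else None

    def inbound(self, p):
        # No prior session needed: the inside host is exposed on all ports.
        i = self.inb.get(p.dst)
        return replace(p, dst=i) if i else None


class DynamicNoPat:
    """nat outbound <acl> address-group N no-pat: one pool address per inside host."""
    def __init__(self, acl, first, last):
        self.acl = acl                          # (rule_src, wildcard)
        self.free = [str(ipaddress.IPv4Address(x)) for x in range(_ip(first), _ip(last) + 1)]
        self.bind = {}                          # inside -> pool address

    def outbound(self, p):
        if not acl_match(p.src, *self.acl):
            return None                         # not selected by the ACL: untranslated
        if p.src not in self.bind:
            if not self.free:
                return None                     # pool exhausted: a new host gets nothing
            self.bind[p.src] = self.free.pop(0)
        return replace(p, src=self.bind[p.src])


class EasyIp:
    """nat outbound <acl> without address-group: many-to-one PAT on the interface IP."""
    def __init__(self, acl, if_addr, first_port=1024):
        self.acl, self.if_addr, self.next_port = acl, if_addr, first_port
        self.sessions, self.reverse = {}, {}    # (inside, sport) <-> global port

    def outbound(self, p):
        if not acl_match(p.src, *self.acl):
            return None
        key = (p.src, p.sport)
        if key not in self.sessions:
            self.sessions[key], self.reverse[self.next_port] = self.next_port, key
            self.next_port += 1
        return replace(p, src=self.if_addr, sport=self.sessions[key])

    def inbound(self, p):
        # Only a reply to an existing session gets in; unsolicited traffic is dropped.
        key = self.reverse.get(p.dport)
        if p.dst != self.if_addr or key is None:
            return None
        return replace(p, dst=key[0], dport=key[1])


def run_lab():
    """Drive each mode with constructed packets; None in the result means dropped."""
    static = StaticNat([("192.168.10.10", "8.8.8.8")])
    pool = DynamicNoPat(("192.168.30.0", "0.0.0.255"), "212.0.0.100", "212.0.0.101")
    easy = EasyIp(("192.168.30.0", "0.0.0.255"), "12.0.0.1")
    srv = "114.114.114.114"
    return {
        "static_out": static.outbound(Packet("192.168.10.10", 40000, srv, 53)),
        "static_in_unsolicited": static.inbound(Packet("13.0.0.9", 5555, "8.8.8.8", 22)),
        "pool_h1": pool.outbound(Packet("192.168.30.1", 40000, srv, 53)),
        "pool_h2": pool.outbound(Packet("192.168.30.2", 40000, srv, 53)),
        "pool_h3": pool.outbound(Packet("192.168.30.3", 40000, srv, 53)),
        "pool_wrong_vlan": pool.outbound(Packet("192.168.20.10", 40000, srv, 53)),
        "easy_h1": easy.outbound(Packet("192.168.30.1", 40000, srv, 53)),
        "easy_h2": easy.outbound(Packet("192.168.30.2", 40000, srv, 53)),
        "easy_reply": easy.inbound(Packet(srv, 53, "12.0.0.1", 1024)),
        "easy_unsolicited": easy.inbound(Packet("13.0.0.9", 5555, "12.0.0.1", 2000)),
    }
```

Calling run_lab() shows the security-relevant contrast: an unsolicited packet from 13.0.0.9 to 8.8.8.8:22 is delivered to 192.168.10.10 under static NAT, while the same kind of packet to 12.0.0.1:2000 under Easy IP is dropped for lack of a session; the no-pat pool hands out 212.0.0.100 and 212.0.0.101 and then refuses the third host, and a host in VLAN 20 is never translated because the ACL only matches 192.168.30.0/24.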

