
Huawei Firewall Destination NAT

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Learning destination NAT

Qq3421609946

1. Overview

Destination NAT means that when the firewall translates a packet, it rewrites the destination IP address, not the source IP address.

When a mobile terminal accesses the wireless network and its default WAP gateway address is inconsistent with the WAP gateway address of the local operator, a device with the destination NAT function can be deployed between the terminal and the WAP gateway. The device then automatically forwards packets sent to the wrong WAP gateway address to the correct WAP gateway.

2. Network topology diagram

2. Basic network configuration

AR1

    interface GigabitEthernet0/0/0
     ip address 192.168.0.100 255.255.255.0
    ip route-static 0.0.0.0 0.0.0.0 192.168.0.1

AR2

    interface GigabitEthernet0/0/0
     ip address 1.1.1.2 255.255.255.0

FW1

    interface GigabitEthernet0/0/0
     alias GE0/MGMT
     ip address 192.168.0.1 255.255.255.0
     dhcp select interface
     dhcp server gateway-list 192.168.0.1

The G0/0/0 port does not need to be configured; the above is its default configuration.

    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0

3. Firewall NAT configuration

(1) First, add the G0/0/1 port to the untrust zone.

    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1

(2) Configure a policy to allow communication between the trust and untrust zones.

    policy interzone trust untrust outbound
     policy 1
      action permit

(3) Configure NAT through easy-ip.

    nat-policy interzone trust untrust outbound
     policy 1
      action source-nat
      easy-ip GigabitEthernet0/0/1

(4) Configure destination NAT.

Configure the access control list first. Here 2.2.2.2 simulates the wrong address that the intranet terminal accesses.

    acl number 3000
     rule 1 permit ip source 192.168.0.0 0.0.0.255 destination 2.2.2.2 0

Configure destination NAT in firewall zone trust. This is the destination address translation: traffic matching ACL 3000 has its destination address translated to 1.1.1.2.

    firewall zone trust
     set priority 85
     destination-nat 3000 address 1.1.1.2
     add interface GigabitEthernet0/0/0

4. Verification

Verify on AR1: ping 2.2.2.2 succeeds, and the address actually visited is 1.1.1.2.
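The packet walk behind this verification, as an added Python sketch that is not part of the original article and is not Huawei code: it models how ACL 3000's wildcard masks select traffic and how the destination and source addresses are rewritten. Applying destination NAT before the easy-ip source NAT, and using the 192.168.0.0/24 subnet as a stand-in for trust-zone membership, are modelling assumptions; the function names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """ACL wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Values taken from the configuration on this page.
ACL_3000 = [  # (source, source wildcard, destination, destination wildcard)
    ("192.168.0.0", "0.0.0.255", "2.2.2.2", "0.0.0.0"),
]
DNAT_TARGET = "1.1.1.2"    # destination-nat 3000 address 1.1.1.2
EASY_IP_ADDR = "1.1.1.1"   # address of GigabitEthernet0/0/1 used by easy-ip
TRUST_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: trust zone

def acl_permits(src, dst):
    """True when the packet matches a permit rule of ACL 3000."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACL_3000)

def translate_outbound(src, dst):
    """Return (src, dst) as the packet leaves the untrust interface."""
    # Step 1: destination NAT in zone trust, only for traffic matching ACL 3000.
    if acl_permits(src, dst):
        dst = DNAT_TARGET
    # Step 2: easy-ip source NAT for trust -> untrust traffic.
    if ipaddress.ip_address(src) in TRUST_NET:
        src = EASY_IP_ADDR
    return src, dst

if __name__ == "__main__":
    samples = [("192.168.0.100", "2.2.2.2"),   # AR1 pinging the wrong address
               ("192.168.0.100", "1.1.1.2"),   # AR1 pinging AR2 directly
               ("192.168.0.100", "2.2.2.3")]   # destination not in ACL 3000
    for src, dst in samples:
        print(src, dst, "->", translate_outbound(src, dst))
```

Only the exact destination 2.2.2.2 is rewritten, because the destination wildcard is 0; widening that wildcard would redirect every matching destination to 1.1.1.2, so the ACL should stay as narrow as the misconfigured address requires.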
