Dynamic NAT, static NAT and Huawei NAT for large Enterprise Network Construction

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


I. Overview of NAT

1. NAT: Network Address Translation.

2. The working process of NAT:

After the NAT device receives a packet from the intranet:

1. It first checks whether it has a local route to the packet's destination address.

2. It then checks whether the local device has a matching NAT translation entry.

-- if so, the address is translated and the packet is sent out

-- if not, the packet is sent out without address translation.

3. Static NAT:

Private-to-public mapping is 1:1; it does not conserve public IP addresses.

4. Configure static NAT:

1. Configure R1 (the internal edge router) with a default route to the service provider.

[R1] ip route-static 0.0.0.0 0.0.0.0 100.1.12.2

2. Create a static NAT translation entry on R1 (the internal edge router); multiple entries can be created.

[R1] nat static global 100.1.12.3 inside 192.168.1.1

3. Enable static NAT on the interface through which the packet leaves R1 (the internal edge router).

[R1] interface gi0/0/1

[R1-gi0/0/1] nat static enable

5. Dynamic NAT: does not conserve public IP addresses; not explained in detail here.

Private-to-public mapping is 1:1; it does not conserve public IP addresses.

6. PAT / PNAT / NAT-Port / port multiplexing / port NAT

Private-to-public mapping is many:1; it conserves public IP addresses.

7. Configuration ideas

1. Build the topology and configure IP addresses and gateways for the terminal devices and servers.

2. Configure an IP address on each interface of each router.

3. Configure the default route from the edge router to the service provider.

4. Configure the ACL on the edge router (egress or ingress direction) without yet applying it to an interface.

5. Configure dynamic NAT on the egress interface of the edge router (that is, apply the ACL on the egress interface).

8. Configuration commands:

1. Define the traffic of interest, that is, create an ACL

[R1] acl 2000

[R1-acl-basic-2000] rule 5 permit source 192.168.1.1 0.0.0.0

2. Apply the NAT command on the outbound interface

[R1] interface gi0/0/1

[R1-gi0/0/1] nat outbound 2000

-- > nat outbound is followed by the ACL number. If a packet leaving this interface is matched by acl 2000 with a permit action,

its source IP address is translated by NAT to the public network IP address of the interface.

Note:

The ACL referenced by NAT behaves slightly differently from an ACL applied directly on an interface:

The implicit default action at the end of an ACL referenced by NAT is deny all.

The implicit default action at the end of an ACL applied on an interface is permit all.

Case 1:

-Environment

There are two hosts in the intranet, PC-1 and PC-2, with IP addresses 192.168.1.1/24 and 192.168.1.2.

Gateway IP: 192.168.1.254

The public network IP addresses purchased by the company are 100.1.12.1 and 100.1.12.3.

-requirements:

PC-1 can access the server on the public network: 200.1.1.2/24

Also test whether PC-2 can access the server on the public network.

-configuration:

1. Configure the IP address information of PC-1, PC-2 and the gateway device

2. Configure the route from the gateway to the external network: a default route

[R1] ip route-static 0.0.0.0 0.0.0.0 100.1.12.2

3. Configure static NAT on the gateway device:

[R1] nat static global 100.1.12.3 inside 192.168.1.1

[R1] interface gi0/0/1

[R1-gi0/0/1] nat static enable

4. Test

PC-1:

Ping 200.1.1.2, OK

PC-2:

Ping 200.1.1.2 fails, because no NAT translation has taken place for it.

-conclusion:

In static NAT, the relationship between private address and public address is 1:1; it does not conserve IP addresses.

Static NAT must be "enabled" on the outgoing interface of the packet for traffic to pass.

-Optimization solution:

Replace the original "static NAT" with "PNAT", that is, port NAT.

The configuration idea is as follows:

# Create the interesting traffic with an ACL

[R1] acl 2000

[R1-acl-basic-2000] rule 5 permit source 192.168.1.1 0.0.0.0

& The ACL entry above only matches packets sent by PC-1; those packets are then NAT-translated, so PC-1 can access the public network.

# Create the NAT translation entry

[R1] interface gi0/0/1

[R1-gi0/0/1] nat outbound 2000

& All packets sent out through this interface are checked against ACL 2000; those matched by the ACL with a permit action are NAT-translated and can finally reach the Internet.

In this case PC-1 can reach the Internet but PC-2 cannot. To experiment with PC-2 as well, modify ACL 2000 as follows:

[R1] acl 2000

[R1-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255

Case 2:

-- Environment

The intranet has a web server, IP: 192.168.1.8/24, which uses the default port (80)

There are two hosts in the intranet, PC-1 and PC-2, with IP addresses 192.168.1.1/24 and 192.168.1.2/24.

Gateway IP: 192.168.1.254/24

The company has purchased two public network IP addresses: 100.1.12.1/24 and 100.1.12.3/24.

-- requirements

PC-1 can access the server on the external network (200.1.1.1/24)

PC-2 cannot access the public network

An http client on the external network can directly access the internal web server through port 8080 of the external network IP (100.1.12.3/24)

-- configuration steps

1. Configure PC-1, PC-2 and the Web server with their IP addresses and gateway IP address

2. Configure the outgoing route on gateway device R1: a default route

system-view

[R1] ip route-static 0.0.0.0 0.0.0.0 100.1.12.2

3. Configure the devices on the ISP side in the simulator

4. Configure the corresponding IP addresses on the interfaces of routers R1 and R2

system-view

[Huawei] sysname R1

[R1] interface GigabitEthernet 0/0/0

[R1-GigabitEthernet0/0/0] ip address 192.168.1.254 24

[R1-GigabitEthernet0/0/0] quit

[R1] interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1] ip address 100.1.12.1 24

system-view

[Huawei] sysname R2

[R2] interface GigabitEthernet 0/0/1

[R2-GigabitEthernet0/0/1] ip address 100.1.12.2 24

[R2-GigabitEthernet0/0/1] quit

[R2] interface GigabitEthernet 0/0/2

[R2-GigabitEthernet0/0/2] ip address 200.1.1.254 24

5. Configure NAT on the border device: define the traffic of interest

[R1] acl 2000

[R1-acl-basic-2000] rule 5 permit source 192.168.1.1 0.0.0.0

[R1-acl-basic-2000] rule 10 permit source 192.168.1.2 0.0.0.0

6. Configure NAT on the outbound interface of the packet to implement PNAT

[R1] interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1] nat outbound 2000

7. NAT Server (port mapping)

Configure it on the egress interface of the packet. The global address is an IP in the public network segment purchased by the company, other than the addresses used at the two ends of the link.

[R1] interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1] nat server protocol tcp global 100.1.12.3 8080 inside 192.168.1.8 80
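As an added example (not code from the original article or from Huawei), the following Python models what R1 does with the Case 2 commands above and with the ACL behaviour from the Note in section 8: basic-ACL wildcard matching with the implicit deny-all of a NAT ACL, PNAT on gi0/0/1, and the nat server port mapping. The packet tuples and the starting PNAT port 10240 are assumptions.

```python
import ipaddress

# Constructed model of R1's NAT behaviour from Case 2 (example code, not Huawei's
# implementation). Starting PNAT port 10240 and packet tuples are assumptions.
PUBLIC_IF_IP = "100.1.12.1"   # address of gi0/0/1, used by nat outbound 2000
ACL_2000 = [("permit", "192.168.1.1", "0.0.0.0"),    # rule 5
            ("permit", "192.168.1.2", "0.0.0.0")]    # rule 10
# nat server protocol tcp global 100.1.12.3 8080 inside 192.168.1.8 80
NAT_SERVER = {("100.1.12.3", 8080): ("192.168.1.8", 80)}


def acl_matches(acl, src_ip):
    """Huawei basic ACL: a 1 bit in the wildcard mask means 'ignore this bit'.
    An ACL referenced by NAT ends with an implicit deny-all (see the Note)."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if ip & care == int(ipaddress.IPv4Address(addr)) & care:
            return action == "permit"
    return False


class NatRouter:
    def __init__(self):
        self.table = {}          # (inside_ip, inside_port) -> public port
        self.next_port = 10240

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving gi0/0/1: nat outbound 2000 (PNAT, many private : 1 public)."""
        if not acl_matches(ACL_2000, src_ip):
            return None          # implicit deny: no entry, no translation, no reply possible
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (PUBLIC_IF_IP, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """TCP packet arriving on gi0/0/1: nat server mapping first, then PNAT table."""
        if (dst_ip, dst_port) in NAT_SERVER:          # static port mapping, always reachable
            in_ip, in_port = NAT_SERVER[(dst_ip, dst_port)]
            return (src_ip, src_port, in_ip, in_port)
        if dst_ip == PUBLIC_IF_IP:                    # reply to a translated session
            for (in_ip, in_port), pub_port in self.table.items():
                if pub_port == dst_port:
                    return (src_ip, src_port, in_ip, in_port)
        return None               # no matching entry: the packet is dropped
```

Running `NatRouter().outbound("192.168.1.9", 5000, "200.1.1.1", 80)` returns None because that host matches no rule in ACL 2000, which is exactly why a host left out of the ACL cannot reach the Internet in Case 1.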

8. Create a new text document on the desktop with the following content: (IP + port number of the server)

After the content is written, save it in a folder with "save as":

use any name plus the suffix .html

select "all files" as the save type

9. Open Server1, select HttpServer, select the folder where the .html file is saved, and click start.

10. Open the Client, go to client information, enter http://100.1.12.10:8080 and click "get".
