nat的基础配置（动态nat，nat server）

目录

1.静态nat

2.动态nat

（1）配置公网地址池

（2）配置acl，匹配做nat转换的源

（3）将源转换为公网地址，其中no-pat表示不做端口转化，只做一对一的地址转换

3.nat server(端口映射)

---

以下面的配置为例

AR1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
Sep 11 2023 15:17:30-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
 on the interface GigabitEthernet0/0/0 has entered the UP state. 
[AR1-GigabitEthernet0/0/0]qu
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 12.1.1.1 24
Sep 11 2023 15:18:10-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
 on the interface GigabitEthernet0/0/1 has entered the UP state. 
[AR1-GigabitEthernet0/0/1]qu
[AR1]

AR2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 12.1.1.254 24
Sep 11 2023 15:19:21-08:00 AR2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
 on the interface GigabitEthernet0/0/0 has entered the UP state. 
[AR2-GigabitEthernet0/0/0]qu
[AR2]

在这里PC1和PC2是能到网关（AR1）的，网关是有AR2的路由的

<AR1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10       
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
       12.1.1.0/24  Direct  0    0           D   12.1.1.1        GigabitEthernet
0/0/1
       12.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
     12.1.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.254   GigabitEthernet
0/0/0
  192.168.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
  192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
 

所以PC1和PC2能到达AR2,但是AR2没有回程路由，即不知道到达192.168.1.1或192.168.1.2如何走

<AR2>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7        
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
       12.1.1.0/24  Direct  0    0           D   12.1.1.254      GigabitEthernet
0/0/0
     12.1.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
     12.1.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
 

 这里用nat将pc1的地址转换为公网地址，就可以ping通AR2        

1.静态nat

公网ip对应的是192.168.1.1这个内部的私网IP

<AR1>sys
Enter system view, return user view with Ctrl+Z.
[AR1]nat static global 12.1.1.2 inside 192.168.1.1

此时PC1 ping 不通AR2

PC>ping 12.1.1.254 -t
 
Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!

 因为在全局下配置时，需要在接口上加上”nat static enable“

[AR1]int g0/0/1
 
[AR1-GigabitEthernet0/0/1]nat static enable

此时PC1能ping通了

Request timeout!
Request timeout!
From 12.1.1.254: bytes=32 seq=22 ttl=254 time=46 ms
From 12.1.1.254: bytes=32 seq=23 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=24 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=25 ttl=254 time=31 ms
From 12.1.1.254: bytes=32 seq=26 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=27 ttl=254 time=15 ms
From 12.1.1.254: bytes=32 seq=28 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=29 ttl=254 time=31 ms

通过对AR2抓包，可见源地址变为了12.1.1.2,目的地址为12.1.1.254

AR2有12.1.1.0/24 这一直连路由，所以就有了回程路由

注意：

在全局下配置时，需要在出接口配置 nat static enable

如果直接在接口配置，就不需要加nat static enable

[AR1-GigabitEthernet0/0/1]undo nat static enable
[AR1-GigabitEthernet0/0/1]quit
[AR1]undo nat static global 12.1.1.2 inside 192.168.1.1
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat static global 12.1.1.10 inside 192.168.1.1
#不用在接口下再加入nat static enable
#在pc1上ping AR2也是能ping通的

2.动态nat

（1）配置公网地址池

[AR1]nat address-group 1 12.1.1.2 12.1.1.10

（2）配置acl，匹配做nat转换的源

[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255

（3）将源转换为公网地址，其中no-pat表示不做端口转化，只做一对一的地址转换

[AR1-acl-basic-2000]quit
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
#nat只有outbound,对于acl则可能有outbound或inbound

配置完毕以后，pc1能ping通AR2        

PC>ping 12.1.1.254

Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
From 12.1.1.254: bytes=32 seq=1 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=2 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=3 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=4 ttl=254 time=62 ms

 如果不加no-pat，多个用户可以用一个出口ip

[AR1-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1 no-pat
[AR1-GigabitEthernet0/0/1]quit
[AR1]undo nat address-group 1
[AR1]nat address-group 1 12.1.1.2 12.1.1.2
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
#多个用户可以用一个出口
 
#PC依旧能ping通
PC>ping 12.1.1.254
 
Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
From 12.1.1.254: bytes=32 seq=1 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=2 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=3 ttl=254 time=31 ms

easy ip：直接用出口的ip地址上网

[AR1]int g0/0/1
#将2000这个acl匹配的地址转换为公网地址
[AR1-GigabitEthernet0/0/1]nat outbound 2000
 
#这样也能ping通
 
PC>ping 12.1.1.254
 
Ping 12.1.1.254: 32 data bytes, Press Ctrl_C to break
From 12.1.1.254: bytes=32 seq=1 ttl=254 time=47 ms
From 12.1.1.254: bytes=32 seq=2 ttl=254 time=32 ms
From 12.1.1.254: bytes=32 seq=3 ttl=254 time=15 ms
From 12.1.1.254: bytes=32 seq=4 ttl=254 time=31 ms
From 12.1.1.254: bytes=32 seq=5 ttl=254 time=32 ms

3.nat server(端口映射)

#将内网服务器的地址，映射到公网的IP
 
[AR1-GigabitEthernet0/0/1]nat server protocol TCP global 12.1.1.2 80 inside 192.
168.1.2 80
#若使用12.1.1.2的80端口，实际是访问192.168.1.2的80端口