Network address translation (NAT)
2022-07-22 02:30:00 【Drw_ Dcm】
Catalog
1. How NAT works (Network Address Translation)
2. NAT implementation methods
(1) Static translation (Static Translation)
(2) Dynamic translation (Dynamic Translation)
(3) Port multiplexing (Port Address Translation, PAT)
3. The four classes of address used by NAT
(1) Inside global address
(2) Inside local address
(3) Outside local address
(4) Outside global address
4. NAT translation entries
(1) Simple translation entries (2) Extended translation entries
5. Summary
NAT (Network Address Translation) is used to let private networks and public networks reach each other.
Private network addresses and public network addresses
A public network address (hereinafter "public address") is an IP address that is unique across the whole Internet. 26 November 2019 is a memorable day in the era of the human Internet: the roughly 4.3 billion IPv4 addresses were officially exhausted.
A private network address (hereinafter "private address") is an IP address used by an internal network or host. IANA (the Internet Assigned Numbers Authority) stipulates that the following IP address ranges are reserved as private addresses; they are not assigned on the Internet and can be used freely inside organisations or companies. The private address ranges specified in RFC 1918 are as follows:
Class A private addresses: 10.0.0.0~10.255.255.255
Class B private addresses: 172.16.0.0~172.31.255.255
Class C private addresses: 192.168.0.0~192.168.255.255
How NAT works:
NAT translates an intranet address and port number into a legal public address and port number, establishes a session, and communicates with the public-network host on the intranet host's behalf.
An external host cannot actively initiate communication with a host behind NAT. The internal host must first actively communicate with a public IP; the router is responsible for establishing the mapping relationship, and data is forwarded according to that mapping.
NAT functions:
NAT not only solves the problem of insufficient IP addresses, it also helps to keep out intrusions from outside the network, hiding and protecting the computers inside it.
1. Broadband sharing: this is the biggest function of a NAT host.
2. Security protection: when a PC behind NAT goes online to the Internet, the IP it shows is the public IP of the NAT host, so the client PC gains a certain degree of security; when an outside party runs a portscan (port scan), it cannot discover the client PC behind the NAT.
Advantages: saves legal IP addresses, handles address overlap, increases flexibility, security.
Disadvantages: increased delay, complexity of configuration and maintenance, some applications are not supported (such as VPN).
Static NAT
Static NAT implements one-to-one translation between private addresses and public addresses. You need to configure as many public addresses as you have private addresses. Static NAT cannot save public addresses, but it can hide the internal network.
When the internal network sends a packet to the external network, static NAT replaces the packet's source IP address with the corresponding public address; when the external network sends a response packet to the internal network, static NAT replaces the packet's destination address with the corresponding private address.
There are two configuration methods:
Method 1: configure static NAT in system view, then enable it on the interface
[R1]nat static global 8.8.8.8 inside 192.168.10.10
[R1]int g0/0/1    # the public-network (Internet-facing) interface
[R1-GigabitEthernet0/0/1]nat static enable    # enable the nat static function on the public-network interface
Method 2: declare nat static directly on the interface
[R1]int g0/0/1    # the public-network interface
[R1-GigabitEthernet0/0/1]nat static global 8.8.8.8 inside 192.168.10.10
[R1]dis nat static    # view the static NAT configuration
Dynamic NAT: multiple private IP addresses correspond to multiple public IP addresses; the mapping is one-to-one, with public addresses drawn from an address pool.
1. Configure the IP addresses of the public-network interface and the internal-network interface
2. Define the legal public IP address pool
[R1]nat address-group 1 212.0.0.100 212.0.0.200    # create a NAT address pool numbered 1 (group numbers 0-7)
3. Define the access control list
[R1]acl 2000    # create ACL 2000: permit data whose source address is in 192.168.20.0/24 or 11.0.0.0/24
[R1-acl-basic-2000]rule permit source 192.168.20.0 0.0.0.255
[R1-acl-basic-2000]rule permit source 11.0.0.0 0.0.0.255
4. On the public-network interface, enable dynamic IP address translation
[R1-acl-basic-2000]int g0/0/1    # the public-network interface
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
Data matching ACL 2000 is translated on this interface, its source address being replaced by an address from pool 1 (no-pat: no port translation, only IP address translation; the default is PAT).
[R1]dis nat outbound    # view the NAT outbound information
inbound is the interface's inbound direction; outbound is the interface's outbound direction.
PAT (port multiplexing)
PAT, also known as NAPT (Network Address Port Translation), maps one public address to multiple private addresses, so public addresses are saved. The basic principle of PAT is to translate the source IP addresses of packets coming from different private addresses to the same public address, but to different port numbers of that address, so that the hosts can still share that one address.
PAT has the following functions:
1. It changes both the IP address and the port number of the packet.
2. It saves a large number of public IP addresses.
PAT comes in the following types:
1. Dynamic PAT, including NAPT and Easy IP (NAT is one-to-one translation; NAPT is many-to-one translation).
2. Static PAT, including NAT Server.
NAPT: multiple private IP addresses correspond to one fixed public IP address (such as 200.1.1.10). The configuration is similar to dynamic NAT:
1. Configure the IP addresses of the public-network and internal-network interfaces
2. Define the legal IP address pool
[R1]nat address-group 1 200.1.1.10 200.1.1.10    # a pool containing a single fixed IP
3. Define the access control list
[R1]acl 2000    # permit data whose source address is in 192.168.30.0/24
[R1-acl-basic-2000]rule permit source 192.168.30.0 0.0.0.255
4. On the public-network interface, enable IP address translation
[R1-acl-basic-2000]int g0/0/1    # the public-network interface
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
Each intranet address:port pair is mapped to the public address with a different port.
Easy IP: multiple private IP addresses correspond to the IP address of the router's own public-network interface (such as 12.0.0.1)
1. Configure the IP addresses of the public-network and internal-network interfaces
2. Define the legal IP address pool
Because the public-network interface's IP address is used directly, no address pool needs to be defined.
3. Define the access control list
[R1]acl 3000    # permit data whose source address is in 192.168.30.0/24
[R1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255
4. On the public-network interface, enable IP address translation
[R1]int g0/0/1    # the public-network interface
[R1-GigabitEthernet0/0/1]nat outbound 3000
When data whose source IP matches ACL 3000 reaches this interface, its source address is translated to this interface's own IP address.
[R1]display nat session all    # view the NAT session (flow) table
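The three outbound modes above (static one-to-one, dynamic pool with no-pat, and NAPT / Easy IP with port rewriting), together with the rule stated earlier that an outside host cannot open a session through a dynamic NAT, can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any Huawei product; the class, its mode names and the sample addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OutboundNAT:
    """Model of the router's outbound translation.

    mode is one of:
      'static' - fixed one-to-one map, inside ip -> global ip
      'no-pat' - each inside host borrows one pool address, ports unchanged
      'napt'   - every host shares pool[0], source ports are rewritten
                 (Easy IP is 'napt' with the interface address as the pool)
    """

    def __init__(self, mode, pool=(), static=None, first_port=10240):
        if mode not in ("static", "no-pat", "napt"):
            raise ValueError("unknown mode: " + mode)
        self.mode = mode
        self.static = dict(static or {})            # inside ip -> global ip
        self.static_rev = {g: i for i, g in self.static.items()}
        self.pool = list(pool)
        self.free = list(pool)                      # unused pool addresses (no-pat)
        self.bound = {}                             # no-pat: inside ip -> global ip
        self.next_port = first_port                 # napt: next unused global port
        self.sessions = {}   # (inside ip, port) -> (global ip, port)
        self.reverse = {}    # (global ip, port) -> (inside ip, port)

    def _global_ip(self, inside_ip):
        if self.mode == "static":
            return self.static.get(inside_ip)       # None: host has no mapping
        if self.mode == "no-pat":
            if inside_ip not in self.bound:
                if not self.free:
                    return None                     # pool exhausted: dropped
                self.bound[inside_ip] = self.free.pop(0)
            return self.bound[inside_ip]
        return self.pool[0]                         # napt: one shared address

    def outbound(self, pkt):
        """Inside -> outside. Creates the session entry on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.sessions:
            gip = self._global_ip(pkt.src_ip)
            if gip is None:
                return None
            gport = pkt.src_port
            if self.mode == "napt":                 # only PAT rewrites the port
                gport, self.next_port = self.next_port, self.next_port + 1
            self.sessions[key] = (gip, gport)
            self.reverse[(gip, gport)] = key
        gip, gport = self.sessions[key]
        return Packet(gip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside. Only replies to known sessions (or static maps) pass."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self.reverse:
            iip, iport = self.reverse[key]
            return Packet(pkt.src_ip, pkt.src_port, iip, iport)
        if self.mode == "static" and pkt.dst_ip in self.static_rev:
            # a static mapping is bidirectional even without a prior session
            return Packet(pkt.src_ip, pkt.src_port,
                          self.static_rev[pkt.dst_ip], pkt.dst_port)
        return None   # no mapping: an outside host cannot initiate a session


if __name__ == "__main__":
    # constructed sample traffic: two intranet hosts behind one NAPT address
    napt = OutboundNAT("napt", pool=["200.1.1.10"])
    for host in ("192.168.30.2", "192.168.30.3"):
        print(napt.outbound(Packet(host, 5000, "8.8.8.8", 53)))
    print(napt.inbound(Packet("8.8.8.8", 53, "200.1.1.10", 10241)))
    print(napt.inbound(Packet("8.8.8.8", 53, "200.1.1.10", 22)))   # None
```

Running the module shows the two hosts leaving as 200.1.1.10 with ports 10240 and 10241, the reply to port 10241 being returned to 192.168.30.3, and an unsolicited packet to port 22 being dropped, which is the "port scanning cannot reach the client PC" property claimed earlier.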
NAT server:
Port mapping: maps a private address and port to a public address and port, so that an intranet server can be reached by external-network users.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 9.9.9.9 www inside 192.168.10.100 www
# On the interface connected to the public network, bind the private server address to the public address 9.9.9.9 with a NAT server mapping
[R1-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 8080 inside 10.1.1.1 www
# On the interface connected to the public network, bind the private server address to the public-network interface's own address (current-interface) with a NAT server mapping
[R1-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 2121 inside 10.1.1.2 ftp
# Port 21 can be written directly with the keyword "ftp" (and port 80 with "www")
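What a NAT server entry does on the inbound path is the mirror image of outbound NAT: only the published (global address, port) pairs are rewritten to an inside server, and everything else addressed to the public interface is dropped. The following added example (not code from the original post or from any Huawei product) parses the three nat server commands above and applies them to constructed sample packets; the interface address 13.0.0.1 and the client address are constructed values.

```python
WELL_KNOWN_PORTS = {"www": 80, "ftp": 21}   # keywords the CLI accepts for a port


def _port(token):
    return int(token) if token.isdigit() else WELL_KNOWN_PORTS[token]


def parse_nat_server(line):
    """Parse 'nat server protocol <p> global <ip|current-interface> <port> inside <ip> <port>'."""
    t = line.split()
    if t[:3] != ["nat", "server", "protocol"] or t[4] != "global" or t[7] != "inside":
        raise ValueError("unsupported command: " + line)
    return t[3], t[5], _port(t[6]), t[8], _port(t[9])


class NatServer:
    """Static destination NAT table for one public-network interface."""

    def __init__(self, interface_ip):
        self.interface_ip = interface_ip   # stands in for 'current-interface'
        self.maps = {}   # (proto, global ip, global port) -> (inside ip, inside port)

    def configure(self, line):
        proto, gip, gport, iip, iport = parse_nat_server(line)
        if gip == "current-interface":
            gip = self.interface_ip
        self.maps[(proto, gip, gport)] = (iip, iport)
        return (proto, gip, gport)

    def inbound(self, proto, src, dst):
        """Packet from the public side; src/dst are (ip, port) tuples.
        Returns the rewritten (src, dst), or None when nothing is published
        on that address and port (the packet is dropped, the server stays hidden)."""
        inside = self.maps.get((proto,) + tuple(dst))
        if inside is None:
            return None
        return (src, inside)

    def reply(self, proto, src, dst):
        """Server reply leaving the intranet: rewrite the inside source back to
        the published global address so the client sees a consistent peer."""
        for (p, gip, gport), inside in self.maps.items():
            if p == proto and inside == tuple(src):
                return ((gip, gport), dst)
        return None


if __name__ == "__main__":
    ns = NatServer("13.0.0.1")   # constructed public interface address
    for cmd in (
        "nat server protocol tcp global 9.9.9.9 www inside 192.168.10.100 www",
        "nat server protocol tcp global current-interface 8080 inside 10.1.1.1 www",
        "nat server protocol tcp global current-interface 2121 inside 10.1.1.2 ftp",
    ):
        print(ns.configure(cmd))
    client = ("203.0.113.5", 40000)   # constructed external client
    print(ns.inbound("tcp", client, ("13.0.0.1", 8080)))   # -> 10.1.1.1:80
    print(ns.inbound("tcp", client, ("13.0.0.1", 22)))     # None, not published
    print(ns.reply("tcp", ("10.1.1.2", 21), client))       # seen as 13.0.0.1:2121
```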
ACL: access list (access control list)
An ACL has two uses:
(1) Access control of packets (discard or forward); combined with other protocols, it is also used to define a matching range (for example, the traffic that NAT translates).
(2) How an ACL works: when a packet passes through an interface on which an ACL is enabled, the router checks the packet against the ACL and then handles it accordingly.
ACL types:
Basic ACL (2000-2999): can only match the source IP address.
Advanced ACL (3000-3999): can match source IP, destination IP, source port, destination port and other layer 3 and layer 4 fields and protocols.
Layer 2 ACL (4000-4999): rules are built from layer 2 information such as the packet's source MAC address, destination MAC address, 802.1q priority and layer 2 protocol type.
ACL application principle: apply a basic ACL as close to the destination as possible; apply an advanced ACL as close to the source as possible (this protects bandwidth and other resources).
Application rules
1. In one direction of one interface, only one ACL can be applied.
2. One ACL can contain multiple rules; the rules are ordered by rule ID from small to large and matched from top to bottom.
3. Once a packet matches a rule, it is not matched against any further rules.
4. When used for packet access control, packets that match no rule are permitted by default (Huawei devices).
[Huawei]acl number 2000    # create ACL 2000
[Huawei-acl-basic-2000]rule 5 deny source 192.168.1.1 0    # deny traffic whose source address is 192.168.1.1; the wildcard 0 means only this one address; 5 is this rule's ID (rule IDs are not numbered consecutively by 1)
[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000    # apply ACL 2000 in the outbound direction of the interface; outbound is the out direction, inbound is the in direction
[Huawei-GigabitEthernet0/0/1]undo sh
[Huawei]acl number 2001    # enter ACL 2001
[Huawei-acl-basic-2001]rule permit source 192.168.1.0 0.0.0.255    # permit means allow, source means source address; the mask part is a wildcard (inverse) mask
[Huawei-acl-basic-2001]rule deny source any    # deny all other traffic; any means all, equivalent to 0.0.0.0 255.255.255.255
(or simply: rule deny)
[Huawei]interface GigabitEthernet 0/0/1    # enter the outbound interface
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2001
[Huawei]acl number 3000    # denying TCP needs an advanced ACL, so the number starts from 3000
[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0    # deny ping
[Huawei-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80
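The wildcard-mask and rule-order semantics in the ACL section above are easy to get backwards (a wildcard is the inverse of a subnet mask, and the first matching rule by ID wins). The following added example, not code from the original post or from Huawei, models a basic ACL: `wildcard_match` treats 0 bits as "must match" and 1 bits as "ignored", rules are evaluated in ascending ID order, an unmatched packet is permitted, and the CLI shorthands `0` and `any` are accepted. The automatic rule-ID step of 5 is an assumption written into the class.

```python
import ipaddress


def wildcard_match(addr, rule_addr, wildcard):
    """Huawei wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (r & care)


class BasicAcl:
    """A basic ACL (2000-2999): rules match on the source address only."""

    STEP = 5   # assumed default rule-ID step: 5, 10, 15, ...

    def __init__(self, number):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000-2999")
        self.number = number
        self.rules = []   # (rule id, action, source, wildcard)

    def rule(self, action, source="any", wildcard="0", rule_id=None):
        """Mirror of 'rule [id] permit|deny source <addr> <wildcard>'."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if source == "any":                       # 'any' == 0.0.0.0 255.255.255.255
            source, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard == "0":                       # CLI shorthand for a single host
            wildcard = "0.0.0.0"
        if rule_id is None:                       # next multiple of STEP above the largest id
            used = [r[0] for r in self.rules]
            rule_id = (max(used) // self.STEP + 1) * self.STEP if used else self.STEP
        self.rules.append((rule_id, action, source, wildcard))
        return rule_id

    def check(self, src_ip):
        """Return (action, rule id) of the first matching rule in ascending ID order;
        a packet that matches no rule is permitted by default."""
        for rid, action, source, wc in sorted(self.rules):
            if wildcard_match(src_ip, source, wc):
                return action, rid
        return "permit", None


def order_demo():
    """Same two rules, opposite order: shows that the first match wins."""
    deny_first = BasicAcl(2002)
    deny_first.rule("deny", "192.168.1.1", "0")
    deny_first.rule("permit", "192.168.1.0", "0.0.0.255")
    permit_first = BasicAcl(2003)
    permit_first.rule("permit", "192.168.1.0", "0.0.0.255")
    permit_first.rule("deny", "192.168.1.1", "0")
    return deny_first.check("192.168.1.1")[0], permit_first.check("192.168.1.1")[0]


if __name__ == "__main__":
    acl = BasicAcl(2001)
    acl.rule("permit", "192.168.1.0", "0.0.0.255")
    acl.rule("deny")                             # bare 'rule deny' == deny source any
    for ip in ("192.168.1.50", "192.168.2.1"):   # constructed sample sources
        print(ip, acl.check(ip))
    print(order_demo())                          # ('deny', 'permit')
```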
6. Experiments
1. Experiment 1
R1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[R1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]nat static global 30.0.0.30 inside 192.168.1.10
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat static enable
[R1-GigabitEthernet0/0/1]
[R1]un nat static global 30.0.0.30 inside 192.168.1.10 netmask 255.255.255.255
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat static global 30.0.0.30 inside 192.168.10.10
[R1-GigabitEthernet0/0/1]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat static global 30.0.0.30 inside 192.168.1.10
Info: The NAT in the network has existed.
Already existing configuration will be covered with current configure. [Y/N]:
y
[R1-GigabitEthernet0/0/1]
R1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[R1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]q
[R1]nat address-group 1 20.0.0.100 20.0.0.200
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/1]
2. Experiment 2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[R1-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[R1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]nat address-group 1 20.1.1.10 20.1.1.10
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.20.0 0.0.0.255
[R1-acl-basic-2000]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
[R1-GigabitEthernet0/0/1]nat static enable
[R1-GigabitEthernet0/0/1]q
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]
3. Experiment 3
R1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 13.0.0.1 24
[R1-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[R1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 8080 inside 192.168.10.10 80
[R1-GigabitEthernet0/0/0]q
[R1]