Huawei Routing and Switching Lab: NAT Configuration

This post builds a small network topology to get familiar with basic NAT configuration. The lab is performed in the Huawei eNSP simulator; the topology is shown below.
[Figure: lab topology]
Step 1: Build the topology and configure the IP addresses on each device's interfaces, then configure a static route to the public network on AR1:
[AR1] ip route-static 100.0.23.0 255.255.255.0 100.0.12.2
Next, begin NAT configuration.
1. Static NAT configuration
Configure on the G0/0/0 port of AR1 (the egress gateway):
[AR1] int G0/0/1
[AR1-GigabitEthernet0/0/1] ip address 192.168.1.254 24
[AR1] nat static global 100.0.12.2 inside 192.168.1.2
This creates a static NAT mapping entry that maps the private address 192.168.1.2 to the public address 100.0.12.2.
[AR1] nat static global 100.0.12.11 inside 192.168.1.1
The nat static global { global-address } inside { host-address } command creates a static NAT mapping.
The global parameter configures the external public address; the inside parameter configures the internal private address.

After the above configuration, use the display nat static command to view the static NAT configuration, as shown in the figure.
[Figure: output of display nat static]
Global IP/Port is the public IP address and service port number.
Inside IP/Port is the private IP address and service port number.

The figure shows that static NAT translates between a private IP address and a public IP address, but does not translate the port number.

2. Dynamic NAT configuration
Before the dynamic NAT experiment, delete the static NAT configuration made earlier.
On AR1:
[AR1] nat address-group 1 100.0.12.100 100.0.12.200
This configures NAT address pool 1, from 100.0.12.100 to 100.0.12.200, 101 IP addresses in total.
[AR1] acl 2000
[AR1-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000] q
[AR1-GigabitEthernet0/0/0] nat outbound 2000 address-group 1 no-pat
Traffic from 192.168.1.0/24 that matches ACL 2000 is associated with address pool 1 (address-group 1) for address translation. no-pat means that only the address of a packet is translated, not the port information. Without no-pat, the configuration is NAPT.
The dynamic address pool can be queried with dis nat address-group, as shown below.
[Figure: output of dis nat address-group]
Next, PC1 can ping the public-network interface address 100.0.23.254, as shown below.
[Figure: ping from PC1 to 100.0.23.254]
A packet capture on AR1's G0/0/0 port, shown below, shows that both the source IP and the destination IP are now public addresses; that is, the egress gateway translates the private IP address to a public IP address before sending the packets out.
[Figure: packet capture on AR1 G0/0/0]
3. Easy IP configuration

Before the Easy IP experiment, delete the dynamic NAT configuration made earlier.
Configure on AR1:
[AR1] acl 2000
[AR1-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[AR1] int G0/0/0
[AR1-GigabitEthernet0/0/0] nat outbound 2000
After the above configuration, query it with display nat outbound, as shown.
[Figure: output of display nat outbound]
A packet capture on AR1's G0/0/0 port, shown below, shows that whether PC1 or PC2 accesses the public network, the private addresses are translated to the public IP address of AR1's G0/0/0 port.
[Figure: packet capture on AR1 G0/0/0]
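The difference between no-pat dynamic NAT (section 2) and Easy IP (section 3), as an added Python model that is not code from the original post. The class and function names are hypothetical, the interface address 100.0.12.1 and the sequential port allocation from 1024 are assumptions, and entry aging is not modelled.

```python
import ipaddress

class NoPatNat:
    """Dynamic NAT with no-pat: one pool address per inside host, port unchanged."""
    def __init__(self, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.table = {}  # inside IP -> pool IP

    def translate(self, src_ip, src_port):
        if src_ip not in self.table:
            if not self.free:
                return None  # pool exhausted: this host gets no translation
            self.table[src_ip] = self.free.pop(0)
        return (self.table[src_ip], src_port)

class EasyIp:
    """Easy IP (NAPT on the interface address): shared address, rewritten port."""
    def __init__(self, interface_ip, first_port=1024):
        self.ip = interface_ip        # assumed address of AR1 G0/0/0
        self.next_port = first_port   # assumed allocation scheme
        self.table = {}               # (inside IP, inside port) -> public port

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.ip, self.table[key])

def hosts_served(nat, n_hosts=254):
    """Count hosts of 192.168.1.0/24 (the ACL 2000 range) that get a translation.
    Every host uses the same source port to show how each mode tells them apart."""
    served = 0
    for h in range(1, n_hosts + 1):
        if nat.translate(f"192.168.1.{h}", 40000) is not None:
            served += 1
    return served

if __name__ == "__main__":
    print("no-pat :", hosts_served(NoPatNat("100.0.12.100", "100.0.12.200")))
    print("easy ip:", hosts_served(EasyIp("100.0.12.1")))
```

With the 101-address pool from section 2, no-pat serves only as many simultaneous inside hosts as there are pool addresses, while Easy IP separates all 254 hosts by port on a single address.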
4. NAT server configuration
[AR1-GigabitEthernet0/0/0] nat server protocol tcp global 100.0.12.200 www inside 192.168.1.3 80

This command defines a mapping table for an internal server, so that external users can access the internal server through the public address and port.
The protocol parameter specifies the protocol to be translated; the global parameter specifies the public address to be translated; the inside parameter specifies the internal network address of the server.

The NAT server configuration on AR1 can be viewed with display nat server, as shown below.
[Figure: output of display nat server]
After that, from the Client on the public network, test access to 100.0.12.200, the public address that AR1 binds to the server. As shown in the figure below, the visit succeeds.
[Figure: Client accessing 100.0.12.200]
If public-network devices need to access an FTP server on the private network, add the configuration commands for the FTP server:
[AR1-GigabitEthernet0/0/0] nat server protocol tcp global 100.0.12.200 ftp inside 192.168.1.3 ftp
[AR1] nat alg ftp enable
This enables the NAT ALG function for the FTP service. NAT ALG is the NAT application layer gateway; in addition to translating the IP address and port number, it can also translate the IP address and port carried in the application layer.
After that, Client1 on the public network can access the FTP server on the private network. As shown below, the FTP server is accessed successfully.
[Figure: Client1 accessing the FTP server]
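A review check over the inbound mappings created in sections 1 and 4, as an added Python example that is not part of the original post. The function names are hypothetical, and the sample config is constructed from the commands shown on this page.

```python
import re

# Huawei service keywords that appear on this page, with their port numbers.
SERVICE_PORTS = {"www": 80, "ftp": 21}

# Constructed sample: the NAT commands from sections 1 and 4, prompts kept.
SAMPLE_CONFIG = """\
[AR1] nat static global 100.0.12.2 inside 192.168.1.2
[AR1] nat static global 100.0.12.11 inside 192.168.1.1
[AR1-GigabitEthernet0/0/0] nat server protocol tcp global 100.0.12.200 www inside 192.168.1.3 80
[AR1-GigabitEthernet0/0/0] nat server protocol tcp global 100.0.12.200 ftp inside 192.168.1.3 ftp
[AR1] nat alg ftp enable
"""

STATIC_RE = re.compile(r"nat static global (\S+) inside (\S+)$")
SERVER_RE = re.compile(
    r"nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)$")

def port_of(token):
    """Resolve a numeric port or a known service keyword; unknown text is kept."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, token)

def inbound_mappings(config):
    """Return (public_ip, proto, public_port, inside_ip, inside_port) tuples.
    'any' means the command names no protocol or port (static NAT)."""
    found = []
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.search(line)
        if m:
            found.append((m.group(1), "any", "any", m.group(2), "any"))
            continue
        m = SERVER_RE.search(line)
        if m:
            proto, pub, pport, inside, iport = m.groups()
            found.append((pub, proto, port_of(pport), inside, port_of(iport)))
    return found

def review_notes(mappings):
    """Flag mappings a reviewer should look at before the config goes live."""
    notes = []
    for pub, proto, pport, inside, _ in mappings:
        if proto == "any":
            notes.append(f"{pub} -> {inside}: whole address mapped; "
                         "restrict inbound traffic to the services needed")
        elif pport == 21:
            notes.append(f"{pub}:21 -> {inside}: FTP sends credentials in cleartext")
    return notes

if __name__ == "__main__":
    for note in review_notes(inbound_mappings(SAMPLE_CONFIG)):
        print(note)
```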

Origin blog.csdn.net/weixin_42463871/article/details/105338564