Huawei NAT: principles and configuration

Introduction

IP addresses are divided into public and private. Private addresses are normally used on the internal network and public addresses on the Internet, so a computer with a private address needs NAT to access the public network.
Network Address Translation (NAT) comes in three forms: static NAT, dynamic NAT, and network address port translation.

Network topology


Principle and configuration of static NAT

Static NAT maps one private network address to one public network address, so it cannot save public addresses. It is rarely used in practice; the common case is a server.

Static NAT: 1-to-1 host communication, usually used for servers

R1

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR1
[AR1]inter g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 200.1.1.2 30
[AR1-GigabitEthernet0/0/1]inter g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[AR1-GigabitEthernet0/0/0]inter g0/0/1
[AR1-GigabitEthernet0/0/1]nat static global 117.29.161.242 ?
  inside  Specify inside information of NAT
[AR1-GigabitEthernet0/0/1]nat static global 117.29.161.242 ins	
[AR1-GigabitEthernet0/0/1]nat static global 117.29.161.242 inside 192.168.1.10
[AR1-GigabitEthernet0/0/1]disp this
[V200R003C00]
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.2 255.255.255.252 
 nat static global 117.29.161.242 inside 192.168.1.10 netmask 255.255.255.255
#
return

[AR1-GigabitEthernet0/0/1]nat static global 117.29.161.243 inside 192.168.1.20


R2

<Huawei>u t m
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR2
[AR2]inter g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 200.1.1.1 30
[AR2-GigabitEthernet0/0/0]quit
[AR2]ip route-static 117.29.161.242 255.255.255.0 200.1.1.2

PAT


[AR1]inter g0/0/1
[AR1-GigabitEthernet0/0/1]undo nat static global 117.29.161.242 inside 192.168.1.10
[AR1-GigabitEthernet0/0/1]undo nat static global 117.29.161.243 inside 192.168.1.20
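[AR1-GigabitEthernet0/0/1]disp this   # check that the configuration was removed
[AR1-GigabitEthernet0/0/1]quit
[AR1]nat address-group 1 117.29.161.242 117.29.161.242  # NAT address pool (I configured only one IP; if there are several, they can all be added)
[AR1]acl 2020                                                    # create a basic ACL
[AR1-acl-basic-2020]rule 5 permit source 192.168.1.0 0.0.0.255   # permit the 192.168.1.0/24 segment
[AR1-acl-basic-2020]inter g0/0/1

# Associate the address pool with the ACL
[AR1-GigabitEthernet0/0/1]nat outbound 2020 address-group 1 ?
  no-pat  Not use PAT
  <cr>    Please press ENTER to execute command 

# Pressing Enter at this point enables PAT, which is the default on Huawei
# PAT reuses a single public address repeatedly by translating port numbers
# To use dynamic NAT instead, append no-pat after address-group 1
# Dynamic NAT cannot save public IPs: each inside IP takes one IP from the pool

[AR1-GigabitEthernet0/0/1]nat outbound 2020 address-group 1      # press Enter to associate the pool with the ACL, using PAT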

With PAT, several hosts can ping 200.1.1.1 at the same time, but pinging 117.29.161.242 from 200.1.1.1 does not work: many hosts share that one address, and without a port the router cannot tell which inside host is meant. (PAT is equivalent to a natural firewall: the real addresses are hidden behind it.)
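
The behaviour described above, as an added example that is not part of the original post: a simplified Python model of AR1's translation table, showing why replies pass back through PAT while an unsolicited packet to 117.29.161.242 is dropped, why static NAT makes every port of the inside host reachable, and why no-pat runs out of addresses with a one-address pool. The class name, the starting port 10240 and the sample port numbers are assumptions; for ping, the ICMP identifier plays the role of the port.

```python
from itertools import count

class NatModel:
    """Toy translation table for AR1's outside interface (added example)."""

    def __init__(self, pool, pat=True, first_port=10240):
        self.pool = list(pool)          # addresses in the nat address-group
        self.pat = pat                  # False models the no-pat keyword
        self.static = {}                # public IP -> inside IP (nat static)
        self.sessions = {}              # (inside IP, port) -> (public IP, port)
        self.reverse = {}               # (public IP, port) -> (inside IP, port)
        self.leases = {}                # no-pat only: inside IP -> public IP
        self.next_port = count(first_port)  # constructed port range

    def outbound(self, ip, port):
        """Translate an inside source; None means no public address is left."""
        for public, inside in self.static.items():
            if inside == ip:
                return (public, port)
        if (ip, port) in self.sessions:
            return self.sessions[(ip, port)]
        if self.pat:                    # all hosts share pool[0], told apart by port
            mapped = (self.pool[0], next(self.next_port))
        else:                           # no-pat: one pool address per inside host
            if ip not in self.leases:
                free = [a for a in self.pool if a not in self.leases.values()]
                if not free:
                    return None
                self.leases[ip] = free[0]
            mapped = (self.leases[ip], port)
        self.sessions[(ip, port)] = mapped
        self.reverse[mapped] = (ip, port)
        return mapped

    def inbound(self, ip, port):
        """Resolve a packet arriving from outside; None means it is dropped."""
        if ip in self.static:           # static NAT: every port reaches the host
            return (self.static[ip], port)
        return self.reverse.get((ip, port))

if __name__ == "__main__":
    pat = NatModel(["117.29.161.242"])
    a = pat.outbound("192.168.1.10", 5000)
    b = pat.outbound("192.168.1.20", 5000)
    print("PAT mappings:", a, b)
    print("reply to", a, "->", pat.inbound(*a))
    print("unsolicited ->", pat.inbound("117.29.161.242", 80))
```
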

Dynamic NAT

[Huawei-GigabitEthernet0/0/1]undo nat outbound 2020 address-group 1     # remove PAT
[Huawei-GigabitEthernet0/0/1]nat outbound 2020 address-group 1 no-pat   # use dynamic NAT

Interface-based PAT

Interface-based PAT is the most widely used form in real deployments: with it, a single public IP can let the entire company go online.

[Huawei-GigabitEthernet0/0/1]undo nat outbound 2020 address-group 1
[Huawei-GigabitEthernet0/0/1]nat outbound 2020   # with no address-group, nat outbound 2020 reuses the interface's own public address (200.1.1.2) for every translated host
[Huawei-GigabitEthernet0/0/1]disp this
[V200R003C00]
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.2 255.255.255.252 
 nat outbound 2020
#
return


Static PAT

The server on the internal network needs to do static port mapping to provide external services,

Origin blog.csdn.net/qq_39689711/article/details/106433673