Destination NAT learning
1. Overview
Destination NAT is address translation performed by the firewall on packets: the destination IP address is translated, while the source IP address is left unchanged.
A typical use: when a mobile terminal accesses the wireless network, the default WAP gateway address configured on the terminal may not match the WAP gateway address actually used by the operator. A device with destination NAT can be deployed between the terminal and the WAP gateway; it automatically redirects packets sent to the wrong WAP gateway address to the correct WAP gateway.
2. Network topology and basic configuration
Topology (as implied by the configurations below): AR1 (192.168.0.100, trust side) connects to FW1 GigabitEthernet0/0/0 (192.168.0.1); FW1 GigabitEthernet0/0/1 (1.1.1.1) connects to AR2 (1.1.1.2, untrust side).
First configure the basic network:
AR1
interface GigabitEthernet0/0/0
ip address 192.168.0.100 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
AR2
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
FW1
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1 // Interface G0/0/0 does not need this configured; it is the default.
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
3. Firewall NAT configuration
(1) First add G0/0/1 to the untrust zone
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
(2) Configure a security policy that allows communication from the trust zone to the untrust zone
policy interzone trust untrust outbound
policy 1
action permit
(3) Configure source NAT using easy-ip
nat-policy interzone trust untrust outbound
policy 1
action source-nat
easy-ip GigabitEthernet0/0/1
(4) Destination NAT configuration
Configure the access control list:
acl number 3000
rule 1 permit ip source 192.168.0.0 0.0.0.255 destination 2.2.2.2 0 // Here 2.2.2.2 simulates the wrong address that the internal terminal accesses.
Configure destination NAT in the firewall trust zone:
firewall zone trust
set priority 85
destination-nat 3000 address 1.1.1.2 // Destination address translation: traffic matching ACL 3000 is translated to destination address 1.1.1.2.
add interface GigabitEthernet0/0/0
4. Verification
Verify on AR1: ping 2.2.2.2 succeeds, and the traffic actually reaches 1.1.1.2.
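As an added illustration (not part of the original notes, and not Huawei's code), the following Python model walks AR1's ping through the two NAT steps configured above and back again; the session table and the order in which the steps are applied are assumptions of the model.

```python
# Added example (not from the original notes): a small model of how the
# firewall above handles a packet from AR1.  ACL 3000 uses Huawei wildcard
# masks: a 0 bit must match, a 1 bit is "don't care" ("0" in the CLI is 0.0.0.0).
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# acl number 3000 / rule 1 permit ip source 192.168.0.0 0.0.0.255 destination 2.2.2.2 0
ACL_3000 = [("192.168.0.0", "0.0.0.255", "2.2.2.2", "0.0.0.0")]
DNAT_ADDRESS = "1.1.1.2"        # destination-nat 3000 address 1.1.1.2 (zone trust)
EASY_IP_ADDRESS = "1.1.1.1"     # easy-ip GigabitEthernet0/0/1 (trust -> untrust)

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

SESSIONS = {}   # (nat_src, nat_dst) -> (orig_src, orig_dst); stands in for the session table

def forward(src, dst):
    """Packet from the trust zone; returns (src, dst) as seen on the untrust side."""
    orig = (src, dst)
    if acl_permits(ACL_3000, src, dst):    # destination NAT on entry into zone trust
        dst = DNAT_ADDRESS
    src = EASY_IP_ADDRESS                  # source NAT (easy-ip) on the way out
    SESSIONS[(src, dst)] = orig
    return src, dst

def reply(src, dst):
    """Reply from the untrust side; restores the addresses AR1 expects to see."""
    orig_src, orig_dst = SESSIONS[(dst, src)]
    return orig_dst, orig_src

if __name__ == "__main__":
    out = forward("192.168.0.100", "2.2.2.2")            # AR1's ping to the wrong address
    print("untrust side sees:", out)                     # ('1.1.1.1', '1.1.1.2')
    print("AR1 sees reply from:", reply(out[1], out[0])) # ('2.2.2.2', '192.168.0.100')
```

A host outside 192.168.0.0/24, or a destination other than 2.2.2.2, only gets the easy-ip source translation, which is what the wildcard masks in ACL 3000 enforce.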