The last blocks of the IPv4 address space were allocated in January 2011, so public address resources are scarce. NAT technology was created to work around this shortage of IP addresses.
NAT: Network Address Translation
1. Static NAT (one-to-one mapping): a fixed one-to-one binding between one private address and one public address, configured on a router or firewall.
2. Dynamic NAT (NAT address pool): private addresses are translated to public addresses drawn from a pool, with each mapping allocated dynamically.
3. NAPT (Network Address Port Translation): multiple internal addresses are mapped to the same shared public address, distinguished by different ports.
4. Easy-IP: multiple internal addresses are mapped to different ports of the gateway's outbound interface address, so no separate address pool is needed.
5. NAT Server: translates a public address to a private address so that external hosts can reach an internal server.
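As an added illustration (not code from this lab or from Huawei), the following Python model shows what types 3, 4 and 5 above mean on the wire: every outbound flow from the trust side is rewritten to the firewall's outbound interface address with its own translated source port, replies are mapped back through the session table, a NAT Server entry is a fixed inbound mapping, and an inbound packet that matches neither is dropped because no mapping exists. The hosts, ports and the port-allocation range are constructed; the interface address 10.10.1.1 is the firewall's G1/0/2 address from the lab.

```python
"""Toy model of NAPT / easy-IP plus a NAT Server mapping.
Added illustration, not code from this lab or from Huawei.
All hosts, ports and the port-allocation range are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class EasyIpNat:
    """Many private hosts share one outbound interface address; each outbound
    flow gets its own translated source port so replies can be demultiplexed."""

    def __init__(self, interface_ip: str, first_port: int = 10240):
        self.interface_ip = interface_ip   # easy-ip translates to the interface address itself
        self._next_port = first_port       # constructed allocation range
        # (src_ip, src_port, proto) -> translated port
        self.sessions_out: Dict[Tuple[str, int, str], int] = {}
        # (translated port, proto) -> (src_ip, src_port)
        self.sessions_in: Dict[Tuple[int, str], Tuple[str, int]] = {}
        # NAT Server: (public port, proto) -> (private ip, private port)
        self.servers: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_server(self, public_port: int, private_ip: str,
                   private_port: int, proto: str = "tcp") -> None:
        """Static inbound mapping (NAT Server): external hosts reach an internal
        server through the interface address and a fixed port."""
        self.servers[(public_port, proto)] = (private_ip, private_port)

    def _allocate_port(self, proto: str) -> int:
        # Skip ports already reserved by a NAT Server mapping or a live session.
        while ((self._next_port, proto) in self.servers
               or (self._next_port, proto) in self.sessions_in):
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def translate_out(self, pkt: Packet) -> Packet:
        """Trust -> Untrust: rewrite the source to the interface address and a
        per-flow port, creating a session entry the first time the flow is seen."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        port = self.sessions_out.get(key)
        if port is None:
            port = self._allocate_port(pkt.proto)
            self.sessions_out[key] = port
            self.sessions_in[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.interface_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Untrust -> Trust: a NAT Server mapping or an existing session decides
        the private destination; anything else has no mapping and is dropped."""
        if pkt.dst_ip != self.interface_ip:
            return None
        target = (self.servers.get((pkt.dst_port, pkt.proto))
                  or self.sessions_in.get((pkt.dst_port, pkt.proto)))
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


if __name__ == "__main__":
    nat = EasyIpNat("10.10.1.1")
    # Two hosts using the same source port 5000 get distinct translated ports.
    a = nat.translate_out(Packet("10.1.1.10", 5000, "100.1.1.5", 80))
    b = nat.translate_out(Packet("10.1.2.10", 5000, "100.1.1.5", 80))
    print(a, b)
    # The reply to host a is mapped back; an unsolicited packet is dropped.
    print(nat.translate_in(Packet("100.1.1.5", 80, "10.10.1.1", a.src_port)))
    print(nat.translate_in(Packet("100.1.1.5", 80, "10.10.1.1", 60000)))
```

The session table is what makes easy-IP a one-way door: inbound traffic only reaches a private host if an outbound flow created the entry or an administrator added a NAT Server mapping for it.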
Network requirements:
An enterprise is divided into two departments, marketing and research and development (R&D); the network is shown in Figure 5-3. The firewall FW sits at the enterprise's Internet egress, and two Internet access links are deployed, ISP-A and ISP-B. ISP-A is fast and stable but more expensive; ISP-B is cheap but relatively slow. The marketing department requires a relatively high speed, so it accesses the Internet via the ISP-A link; R&D is less demanding on speed, so it accesses the Internet via the ISP-B link.
Lab topology:
Experimental Procedure:
1: Configure the ISP routers
(1) Router 1
<Huawei>undo terminal monitor
<Huawei>sys
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.10.1.2 24
[R1-GigabitEthernet0/0/0]quit
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
(2) Router 2
<Huawei>undo terminal mo
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.20.1.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 200.1.1.1 24
[R2-GigabitEthernet0/0/1]quit
2: Configure the interface IP addresses and security zones on the firewall to complete the basic network configuration.
<USG6000V1>undo terminal monitor
<USG6000V1>sys
[USG6000V1]sysname FW
[FW]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.10.1.1 255.255.255.0
[FW-GigabitEthernet1/0/2]quit
[FW]interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3]ip address 10.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/3]ip address 10.1.2.1 255.255.255.0 sub
[FW-GigabitEthernet1/0/3]quit
[FW]interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4]ip address 10.20.1.1 255.255.255.0
[FW-GigabitEthernet1/0/4]quit
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/3
[FW-zone-trust]quit
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/2
[FW-zone-untrust]add interface GigabitEthernet 1/0/4
[FW-zone-untrust]quit
3: Configure static routes on the firewall
[FW]ip route-static 100.1.1.0 24 10.10.1.2
[FW]ip route-static 200.1.1.0 24 10.20.1.2
2: Configure the security policy between the Trust and Untrust zones so that internal users can access external network resources. It is assumed that the internal users are on the 10.1.1.0/24 and 10.1.2.0/24 subnets.
[FW]security-policy
[FW-policy-security]rule name policy_sec_trust_untrust
[FW-policy-security-rule-policy_sec_trust_untrust]source-zone trust
[FW-policy-security-rule-policy_sec_trust_untrust]destination-zone untrust
[FW-policy-security-rule-policy_sec_trust_untrust]source-address 10.1.1.0 24
[FW-policy-security-rule-policy_sec_trust_untrust]source-address 10.1.2.0 24
[FW-policy-security-rule-policy_sec_trust_untrust]action permit
[FW-policy-security-rule-policy_sec_trust_untrust]quit
[FW-policy-security]quit
3: Configure the IP-Link function to detect link status.
[FW]ip-link check enable
[FW]ip-link name pbr_1
[FW-iplink-pbr_1]destination 10.10.1.2 interface GigabitEthernet 1/0/2
[FW-iplink-pbr_1]quit
[FW]ip-link name pbr_2
[FW-iplink-pbr_2]destination 10.20.1.2 interface GigabitEthernet 1/0/4
[FW-iplink-pbr_2]quit
4: Create the policy-based routes "pbr_1" and "pbr_2": packets received in the Trust zone from the marketing department are sent to next hop 10.20.1.2, and packets received in the Trust zone from the R&D department are sent to next hop 10.10.1.2.
[FW]policy-based-route
[FW-policy-pbr]rule name pbr_1
[FW-policy-pbr-rule-pbr_1]description pbr_1
[FW-policy-pbr-rule-pbr_1]source-zone trust
[FW-policy-pbr-rule-pbr_1]source-address 10.1.1.0 24
[FW-policy-pbr-rule-pbr_1]track ip-link pbr_1
[FW-policy-pbr-rule-pbr_1]action pbr next-hop 10.10.1.2
[FW-policy-pbr-rule-pbr_1]quit
[FW-policy-pbr]rule name pbr_2
[FW-policy-pbr-rule-pbr_2]description pbr_2
[FW-policy-pbr-rule-pbr_2]source-zone trust
[FW-policy-pbr-rule-pbr_2]source-address 10.1.2.0 24
[FW-policy-pbr-rule-pbr_2]track ip-link pbr_2
[FW-policy-pbr-rule-pbr_2]action pbr next-hop 10.20.1.2
[FW-policy-pbr-rule-pbr_2]quit
[FW-policy-pbr]quit
5: NAT settings
[FW]nat-policy
[FW-policy-nat]rule name nat_1
[FW-policy-nat-rule-nat_1]source-zone trust
[FW-policy-nat-rule-nat_1]destination-zone untrust
[FW-policy-nat-rule-nat_1]action nat easy-ip
[FW-policy-nat-rule-nat_1]quit
[FW-policy-nat]quit
6: Finally, test connectivity to the external network.
Capture the traffic with Wireshark (Ethereal) and you can see that the source IP address has been translated.