Preface:
NAT (Network Address Translation) translates private addresses into public addresses, which solves the problem of private hosts reaching the Internet.
On Huawei Layer 3 switches a physical port cannot be given an IP address directly; a VLANIF interface has to be used instead.
In an enterprise, business data flows last a relatively long time, so a somewhat better router is used.
Many private addresses can correspond to the IP address of a single external network interface (Easy IP).
To do this, set an ACL rule that permits only the traffic of a specific network segment, written as the network address followed by a wildcard (inverse) mask,
and then declare that ACL number on the external network interface.
Network address translation
I: NAT Overview
1.1 NAT concepts and implementation
- Address translation occurs background
- NAT works
- NAT: Network Address Translation
- NAT implementations
- Static converters (static translation)
- Dynamic conversion (Dynamic translation)
- Port multiplexing (Port Address Translation, PAT), Easy IP
NAT address translation distinguishes hosts by different port numbers; otherwise the router would not know which host the returned data belongs to.
1.2 NAT translation table terms
- NAT translation entries
- Extended translation entries
1.3 How NAT does its work
- Static translation and dynamic translation
1.4 NAT features
1.4.1 NAT advantage
- Saves legitimate public IP addresses
- Handles overlapping address ranges
- Increased flexibility
- Security
1.4.2 NAT's shortcomings
- Increased delay
- Configuration and maintenance are more complex
- Some applications are not supported; this can be avoided with a static NAT mapping
II: Practical operation
2.1 Basic Configuration
LSW1 configuration
The device is running!
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname LSW1
[LSW1]vlan bat 10 20 30 40
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1]int g 0/0/1
[LSW1-GigabitEthernet0/0/1]p l a
[LSW1-GigabitEthernet0/0/1]p d v 10
[LSW1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[LSW1-GigabitEthernet0/0/1]int g 0/0/2
[LSW1-GigabitEthernet0/0/2]p l a
[LSW1-GigabitEthernet0/0/2]p d v 20
[LSW1-GigabitEthernet0/0/2]un sh
Info: Interface GigabitEthernet0/0/2 is not shutdown.
[LSW1-GigabitEthernet0/0/2]int g 0/0/3
[LSW1-GigabitEthernet0/0/3]p l a
[LSW1-GigabitEthernet0/0/3]p d v 30
[LSW1-GigabitEthernet0/0/3]un sh
Info: Interface GigabitEthernet0/0/3 is not shutdown.
[LSW1-GigabitEthernet0/0/3]int g 0/0/4
[LSW1-GigabitEthernet0/0/4]p l a
[LSW1-GigabitEthernet0/0/4]p d v 30
[LSW1-GigabitEthernet0/0/4]un sh
Info: Interface GigabitEthernet0/0/4 is not shutdown.
[LSW1-GigabitEthernet0/0/4]int g 0/0/6
[LSW1-GigabitEthernet0/0/6]p l a
[LSW1-GigabitEthernet0/0/6]p d v 10
[LSW1-GigabitEthernet0/0/6]un sh
Info: Interface GigabitEthernet0/0/6 is not shutdown.
[LSW1-GigabitEthernet0/0/6]int g 0/0/5
[LSW1-GigabitEthernet0/0/5]p l a
[LSW1-GigabitEthernet0/0/5]p d v 40
[LSW1-GigabitEthernet0/0/5]un sh
Info: Interface GigabitEthernet0/0/5 is not shutdown.
[LSW1-GigabitEthernet0/0/5]q
[LSW1]dis vlan
--------------------------------------------------------------------------------
1 common UT:GE0/0/7(D) GE0/0/8(D) GE0/0/9(D) GE0/0/10(D)
GE0/0/11(D) GE0/0/12(D) GE0/0/13(D) GE0/0/14(D)
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
GE0/0/23(D) GE0/0/24(D)
10 common UT:GE0/0/1(U) GE0/0/6(U)
20 common UT:GE0/0/2(U)
30 common UT:GE0/0/3(U) GE0/0/4(U)
40 common UT:GE0/0/5(U)
[LSW1]int vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.1 24
[LSW1-Vlanif10]dis this
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
return
[LSW1-Vlanif10]un sh
Info: Interface Vlanif10 is not shutdown.
[LSW1-Vlanif10]int vlanif 20
[LSW1-Vlanif20]ip add 192.168.20.1 24
[LSW1-Vlanif20]un sh
Info: Interface Vlanif20 is not shutdown.
[LSW1-Vlanif20]int vlanif 30
[LSW1-Vlanif30]ip add 192.168.30.1 24
[LSW1-Vlanif30]un sh
Info: Interface Vlanif30 is not shutdown.
[LSW1-Vlanif30]int vlanif 40
[LSW1-Vlanif40]ip add 11.0.0.2 24
[LSW1-Vlanif40]un sh
Info: Interface Vlanif40 is not shutdown.
[LSW1-Vlanif40]q
[LSW1]dis interface b
Interface PHY Protocol InUti OutUti inErrors outErrors
GigabitEthernet0/0/1 up up 0% 0% 0 0
GigabitEthernet0/0/2 up up 0% 0% 0 0
GigabitEthernet0/0/3 up up 0% 0% 0 0
GigabitEthernet0/0/4 up up 0% 0% 0 0
GigabitEthernet0/0/5 up up 0% 0% 0 0
GigabitEthernet0/0/6 up up 0% 0% 0 0
Vlanif10 up up -- -- 0 0
Vlanif20 up up -- -- 0 0
Vlanif30 up up -- -- 0 0
Vlanif40 up up -- -- 0 0
[LSW1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.0.0.0/24 Direct 0 0 D 11.0.0.2 Vlanif40
11.0.0.2/32 Direct 0 0 D 127.0.0.1 Vlanif40
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 Direct 0 0 D 192.168.10.1 Vlanif10
192.168.10.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.20.0/24 Direct 0 0 D 192.168.20.1 Vlanif20
192.168.20.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
192.168.30.0/24 Direct 0 0 D 192.168.30.1 Vlanif30
192.168.30.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
[LSW1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
R2 Configuration
The device is running!
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g 0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R2-GigabitEthernet0/0/0]int g 0/0/1
[R2-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[R2-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R2-GigabitEthernet0/0/1]q
[R2]int LoopBack 0
[R2-LoopBack0]ip add 114.114.114.114 32
[R2-LoopBack0]q
[R2]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
12.0.0.0/24 Direct 0 0 D 12.0.0.2 GigabitEthernet
0/0/0
12.0.0.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
13.0.0.0/24 Direct 0 0 D 13.0.0.1 GigabitEthernet
0/0/1
13.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
13.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
114.114.114.114/32 Direct 0 0 D 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[R2]ip route-static 8.8.8.8 32 12.0.0.1
2.2 NAT router configuration. First static NAT method: configure the static mapping in system (global) view, then enable the static NAT function on the interface
The device is running!
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname NAT router
[NAT router]int g 0/0/0
[NAT router-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[NAT router-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[NAT router-GigabitEthernet0/0/0]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[NAT router-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[NAT router-GigabitEthernet0/0/1]q
[NAT router]nat static global 8.8.8.8 inside 192.168.10.10
[NAT router]ip route-static 192.168.0.0 16 11.0.0.2
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat static enable
[NAT router-GigabitEthernet0/0/1]q
[NAT router]ip route-static 114.114.114.114 32 12.0.0.2
Test: from 192.168.10.10 ping 114.114.114.114 (LoopBack0 of R2) and capture packets on G0/0/0 of R2.
2.3 Second static NAT configuration method: the mapping is configured on the interface itself
[NAT router]nat static global 9.9.9.9 inside 192.168.20.10
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat static global 9.9.9.9 inside 192.168.20.10
Info: The NAT in the network has existed.
Already existing configuration will be covered with current configure. [Y/N]:
y
[NAT router-GigabitEthernet0/0/1]
R2 return route configuration
[R2]ip route-static 9.9.9.9 32 12.0.0.1
From 192.168.20.10 ping 114.114.114.114
2.4 Configuring dynamic NAT, i.e. many-to-many mode.
In system (global) view, declare the two address ranges (public and private network):
the private network is declared as an ACL,
the public network is declared as an address group,
then bind the two together on the public network interface.
[NAT router]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
8.8.8.8/32 Unr 64 0 D 127.0.0.1 InLoopBack0
9.9.9.9/32 Unr 64 0 D 127.0.0.1 InLoopBack0
11.0.0.0/24 Direct 0 0 D 11.0.0.1 GigabitEthernet
0/0/0
11.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
11.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
12.0.0.0/24 Direct 0 0 D 12.0.0.1 GigabitEthernet
0/0/1
12.0.0.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
12.0.0.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
114.114.114.114/32 Static 60 0 RD 12.0.0.2 GigabitEthernet
0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.0.0/16 Static 60 0 RD 11.0.0.2 GigabitEthernet
0/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[NAT router]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2
<NAT router>system-view
Enter system view, return user view with Ctrl+Z.
[NAT router]nat address-group 1 212.0.0.100 212.0.0.200
[NAT router]acl 2000
[NAT router-acl-basic-2000]rule permit source 192.168.30.0 0.0.0.255
[NAT router-acl-basic-2000]q
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[NAT router-GigabitEthernet0/0/1]
Add the corresponding return route on R2
[R2]ip route-static 212.0.0.0 24 12.0.0.1
In the packet capture you can see that the source IP has been translated.
2.5 NAT configuration for many private addresses mapped to one public network address (Easy IP)
The idea is about the same as for dynamic NAT:
declare the private network segment in system (global) view with an ACL; note that the rule here differs from the dynamic NAT ACL rule by one word, `ip` (acl 3000 is an advanced ACL),
then specify the binding on the public network interface; since no public network address range is designated, nothing is filled in there.
Because the lab environment does not have many PCs, part of the previous configuration has to be deleted so it does not conflict.
<NAT router>system-view
Enter system view, return user view with Ctrl+Z.
[NAT router]acl 3000
[NAT router-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255
[NAT router-acl-adv-3000]q
[NAT router]int g 0/0/1
[NAT router-GigabitEthernet0/0/1]nat outbound 3000
[NAT router-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 12.0.0.1 255.255.255.0
nat static global 9.9.9.9 inside 192.168.20.10 netmask 255.255.255.255
nat outbound 2000 address-group 1 no-pat
nat outbound 3000
nat static enable
#
return
[NAT router-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1 no-pat
[NAT router-GigabitEthernet0/0/1]undo nat static global 9.9.9.9 inside 192.168.2
0.10 netmask 255.255.255.255
[NAT router-GigabitEthernet0/0/1]q
[NAT router]
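As an added illustration (not part of the original post or of Huawei's software), the following Python model shows how the three translation modes configured above (static NAT in 2.2/2.3, dynamic no-pat with an address group in 2.4, Easy IP in 2.5) populate a translation table, and why PAT needs the extended (address + port) entry mentioned in section 1. The ACL wildcard matching mirrors `rule permit source 192.168.30.0 0.0.0.255`; the rule evaluation order, the class names and the starting PAT port 10240 are assumptions of this model, not VRP behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

def acl_match(src: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 1 bit means 'do not compare this bit'."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    return (s & ~w) == (n & ~w)

def address_group(first: str, last: str) -> list:
    """Expand 'nat address-group <first> <last>' into individual addresses."""
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

@dataclass
class NatRouter:                                   # hypothetical model, not VRP
    outside_ip: str                                # public interface IP (Easy IP source)
    static: dict = field(default_factory=dict)     # inside -> global, 'nat static'
    pool: list = field(default_factory=list)       # group for 'nat outbound ... no-pat'
    acl_dyn: Optional[tuple] = None                # (network, wildcard) of no-pat ACL
    acl_easy: Optional[tuple] = None               # (network, wildcard) of Easy IP ACL
    table: dict = field(default_factory=dict)      # translation table, keyed per mode
    next_port: int = 10240                         # constructed starting port for PAT

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the outbound packet's translated 4-tuple, or None if dropped."""
        # Static entries are fixed one-to-one mappings; the port is untouched.
        if src_ip in self.static:
            return (self.static[src_ip], src_port, dst_ip, dst_port)
        # Dynamic no-pat: each inside host gets one pool address for all its flows.
        if self.acl_dyn and acl_match(src_ip, *self.acl_dyn):
            key = ("no-pat", src_ip)
            if key not in self.table:
                used = {v for k, v in self.table.items() if k[0] == "no-pat"}
                free = [a for a in self.pool if a not in used]
                if not free:
                    return None                    # pool exhausted: packet dropped
                self.table[key] = free[0]
            return (self.table[key], src_port, dst_ip, dst_port)
        # Easy IP (PAT): all hosts share the interface IP; the extended entry
        # (inside ip + port) is what lets returning data find its owner.
        if self.acl_easy and acl_match(src_ip, *self.acl_easy):
            key = ("pat", src_ip, src_port)
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return (self.outside_ip, self.table[key], dst_ip, dst_port)
        return None                                # no rule matched: not translated
```

With both the no-pat rule and the Easy IP rule matching the same 192.168.30.0 segment, as in the lab before the `undo`, only the first rule is ever used, which is the conflict the post removes.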