Network Address Translation (NAT)


 

 


1. Device name and IP address configuration.
[Huawei]sysname CLIGURU-R1
[CLIGURU-R1]interface GigabitEthernet 0/0/1
[CLIGURU-R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24

 

[Huawei]sysname CLIGURU-R3
[CLIGURU-R3]interface GigabitEthernet 0/0/2
[CLIGURU-R3-GigabitEthernet0/0/2]ip address 10.0.6.3 24

 

[Huawei]sysname CLIGURU-S1
[CLIGURU-S1]vlan 4
[CLIGURU-S1-vlan4]quit
[CLIGURU-S1]interface vlanif 4
[CLIGURU-S1-Vlanif4]ip address 10.0.4.254 24
[CLIGURU-S1-Vlanif4]quit

 

[Huawei]sysname CLIGURU-S2
[CLIGURU-S2]vlan 6
[CLIGURU-S2-vlan6]quit
[CLIGURU-S2]interface vlanif 6
[CLIGURU-S2-Vlanif6]ip address 10.0.6.254 24
[CLIGURU-S2-Vlanif6]quit

 

2. Create the VLAN configuration on CLIGURU-S1 and CLIGURU-S2.
[CLIGURU-S1]interface GigabitEthernet 0/0/1
[CLIGURU-S1-GigabitEthernet0/0/1]port link-type trunk
[CLIGURU-S1-GigabitEthernet0/0/1]port trunk pvid vlan 4
[CLIGURU-S1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[CLIGURU-S1-GigabitEthernet0/0/1]quit

 

[CLIGURU-S2]interface GigabitEthernet 0/0/2
[CLIGURU-S2-GigabitEthernet0/0/2]port link-type trunk
[CLIGURU-S2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[CLIGURU-S2-GigabitEthernet0/0/2]port trunk allow-pass vlan all

 

[CLIGURU-R1]interface GigabitEthernet 0/0/0
[CLIGURU-R1-GigabitEthernet0/0/0]ip address 119.84.111.1 24

 

[CLIGURU-R3]interface GigabitEthernet 0/0/0
[CLIGURU-R3-GigabitEthernet0/0/0]ip address 119.84.111.3 24

 

Check CLIGURU-R1's connectivity to CLIGURU-S1 and CLIGURU-R3.
<CLIGURU-R1>ping 10.0.4.254
PING 10.0.4.254: 56  data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=255 time=150 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=255 time=30 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/62/150 ms

 

<CLIGURU-R1>ping 119.84.111.3
PING 119.84.111.3: 56  data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=170 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 119.84.111.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/102/170 ms

 

3. Create the Access Control List configuration for CLIGURU-R1 and CLIGURU-R3.
On CLIGURU-R1, create an advanced ACL that selects the data flow with CLIGURU-S1 as the source and permits it to CLIGURU-R3 as the destination, on the Telnet service port.
[CLIGURU-R1]acl 3000
[CLIGURU-R1-acl-adv-3000]rule 5 permit tcp source 10.0.4.254 0.0.0.0 destination 119.84.111.3 0.0.0.0 destination-port eq 23
[CLIGURU-R1-acl-adv-3000]rule 10 permit ip source 10.0.4.0 0.0.0.255 destination any
[CLIGURU-R1-acl-adv-3000]rule 15 deny ip

 

On CLIGURU-R3, create a basic ACL that matches the data flow with source IP address 10.0.6.0/24.
[CLIGURU-R3]acl 2000
[CLIGURU-R3-acl-basic-2000]rule permit source 10.0.6.0 0.0.0.255
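
An added example (not part of the original lab): a small Python evaluator for ACL 3000 from step 3, showing which flows `nat outbound 3000` on CLIGURU-R1 selects for translation. The sample flows, including the host 10.0.4.77 and the destination 198.51.100.10, are constructed for illustration.

```python
import ipaddress
import re

# ACL 3000 exactly as entered on CLIGURU-R1 in step 3.
ACL_3000 = """\
rule 5 permit tcp source 10.0.4.254 0.0.0.0 destination 119.84.111.3 0.0.0.0 destination-port eq 23
rule 10 permit ip source 10.0.4.0 0.0.0.255 destination any
rule 15 deny ip"""

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>\w+)"
    r"(?: source (?P<src>any|\S+ \S+))?"
    r"(?: destination (?P<dst>any|\S+ \S+))?"
    r"(?: destination-port eq (?P<port>\d+))?")

# Constructed sample flows: (protocol, source, destination, destination port).
FLOWS = [
    ("tcp", "10.0.4.254", "119.84.111.3", 23),     # S1 telnet to R3
    ("icmp", "10.0.4.254", "119.84.111.3", None),  # the ping from S1
    ("tcp", "10.0.4.77", "198.51.100.10", 443),    # hypothetical host in VLAN 4
    ("icmp", "10.0.6.254", "119.84.111.3", None),  # S2's subnet, not behind R1
]

def parse_acl(text):
    return [RULE_RE.fullmatch(line.strip()).groupdict() for line in text.splitlines()]

def addr_match(spec, addr):
    """Wildcard match: a 1 bit in the wildcard mask means 'ignore this bit'."""
    if spec in (None, "any"):
        return True
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def first_match(rules, proto, src, dst, dport=None):
    """Rules are checked in ascending rule-ID order; the first hit decides."""
    for r in sorted(rules, key=lambda r: int(r["id"])):
        if r["proto"] not in ("ip", proto):
            continue
        if r["port"] is not None and int(r["port"]) != dport:
            continue
        if addr_match(r["src"], src) and addr_match(r["dst"], dst):
            return int(r["id"]), r["action"]
    return None, "deny"  # no rule hit: flow is not selected for NAT

def nat_selected(rules):
    """Only flows that hit a permit rule are selected for translation."""
    return [first_match(rules, *f)[1] == "permit" for f in FLOWS]

if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    for flow in FLOWS:
        print(flow, "->", first_match(rules, *flow))
```

Rule 10 already permits everything rule 5 permits, so removing rule 5 changes which rule is hit but not which flows are translated.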

 

4. Dynamic NAT configuration.

 

Configure static routes on CLIGURU-S1 and CLIGURU-S2.
[CLIGURU-S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.1

 

[CLIGURU-S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.3

 

Configure dynamic NAT on interface G0/0/0 of CLIGURU-R1.

[CLIGURU-R1]nat address-group  1 119.84.111.240 119.84.111.243
[CLIGURU-R1]interface GigabitEthernet 0/0/0
[CLIGURU-R1-GigabitEthernet0/0/0]nat outbound 3000 address-group 1

 

Also configure CLIGURU-R3 as a Telnet server.
[CLIGURU-R3]user-interface vty 0 4
[CLIGURU-R3-ui-vty0-4]authentication-mode password
[CLIGURU-R3-ui-vty0-4]set authentication password cipher huawei
[CLIGURU-R3-ui-vty0-4]quit

 

Verify that the address group is configured correctly.

 

<CLIGURU-R1>display nat address-group
NAT Address-Group Information:
--------------------------------------
Index   Start-address      End-address
--------------------------------------
1      119.84.111.240   119.84.111.243
--------------------------------------
Total : 1

 

Verify that our configuration works.
<CLIGURU-S1>ping 119.84.111.3
PING 119.84.111.3: 56  data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=170 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 119.84.111.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/102/170 ms

 

Result:
<CLIGURU-R1>display current-configuration
#
sysname CLIGURU-R1
#
firewall-nat session icmp aging-time 300
#
nat address-group 1 119.84.111.240 119.84.111.243
#
acl number 3000
rule 5 permit tcp source 10.0.4.254 0 destination 119.84.111.3 0 destination-port eq telnet
rule 10 permit ip source 10.0.4.0 0.0.0.255
rule 15 deny ip
#
interface GigabitEthernet0/0/0
ip address 119.84.111.1 255.255.255.0
nat outbound 3000 address-group 1
#
interface GigabitEthernet0/0/1
ip address 10.0.4.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

 

<CLIGURU-S1>display current-configuration
#
sysname CLIGURU-S1
#
vlan batch 4
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 4
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
#
user-interface con 0
user-interface vty 0 4
#
return

 

<CLIGURU-S2>display current-configuration
#
sysname CLIGURU-S2
#
vlan batch 6
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 6
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.3
#
user-interface con 0
user-interface vty 0 4
#
return

 

<CLIGURU-R3>display current-configuration
#
sysname CLIGURU-R3
#
acl number 2000
rule 5 permit source 10.0.6.0 0.0.0.255
#
interface GigabitEthernet0/0/0
ip address 119.84.111.3 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/2
ip address 10.0.6.3 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
set authentication password cipher BF8HNYzg(UajUn1vMEIBsZw#
user-interface vty 16 20
#
return