eNSP小实验（ACL和NAT）

一.ACL

实验目的：过滤流量，然后匹配规划后，判断该流量通过或拒绝

1.拓扑图

2.配置

基本ACL

其它同理配置

[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/0
#
return
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.2.254 24
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.3.254 24
[R1-GigabitEthernet0/0/2]q
[R1]acl 2000
[R1-acl-basic-2000]ru	
[R1-acl-basic-2000]rule de	
[R1-acl-basic-2000]rule deny so	
[R1-acl-basic-2000]rule deny source 192.168.1.1 0
[R1-acl-basic-2000]dis th
[V200R003C00]
#
acl number 2000  rule 5 deny source 192.168.1.1 0 
#
return
[R1-acl-basic-2000]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]t	
[R1-GigabitEthernet0/0/1]tr	
[R1-GigabitEthernet0/0/1]traffic-filter o	
[R1-GigabitEthernet0/0/1]traffic-filter outbound  ac	
[R1-GigabitEthernet0/0/1]traffic-filter outbound  acl 2000
[R1-GigabitEthernet0/0/1]q
[R1]dis	
[R1]display acl aTotal quantity of nonempty ACL number is 1 Basic ACL 2000, 1 rule
Acl's step is 5rule 5 deny source 192.168.1.1 0 (4 matches)[R1]

高级ACL

开启Server1服务

Client1去访问

把之前那个指令删了undo xxxxx

[R1]acl 3000
[R1-acl-adv-3000]rule deny tcp so	
[R1-acl-adv-3000]rule deny tcp source 192.168.1.1 0 de	
[R1-acl-adv-3000]rule deny tcp source 192.168.1.1 0 destination 192.168.2.1 0 de[R1-acl-adv-3000]rule deny tcp source 192.168.1.1 0 destination 192.168.2.1 0 de
stination-port eq www
[R1-acl-adv-3000]dis th
[V200R003C00]
#
acl number 3000  rule 5 deny tcp source 192.168.1.1 0 destination 192.168.2.1 0 destination-porteq www        //不让192.168.1.1 去访问 192.168.2.1的tcp 80端口（www web 服务）
#
return
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]tra	
[R1-GigabitEthernet0/0/0]traf	
[R1-GigabitEthernet0/0/0]traffic-fi	
[R1-GigabitEthernet0/0/0]traffic-filter in	
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000    //将此规则配置在进口方向
[R1-GigabitEthernet0/0/0]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/0ip address 192.168.1.254 255.255.255.0 traffic-filter inbound acl 3000
#
return
[R1-GigabitEthernet0/0/0]

Client1不可以访问Server2！

3.测试

基本ACL

从Client1出发，只有Server1不可到达，其他正常！

Client2能到

二.NAT

静态动态

1.拓扑图

2.配置

运营商ISP

企业出口QY

静态NAT

<Huawei>
<Huawei>
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys	
[Huawei]sysname QY
[QY]int g0/0/0
[QY-GigabitEthernet0/0/0]q
[QY]int g0/0/0
[QY-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[QY-GigabitEthernet0/0/0]int g0/0/1
[QY-GigabitEthernet0/0/1]ip add 200.0.0.1 24
[QY-GigabitEthernet0/0/1]ping 200.0.0.2PING 200.0.0.2: 56  data bytes, press CTRL_C to breakReply from 200.0.0.2: bytes=56 Sequence=1 ttl=255 time=80 msReply from 200.0.0.2: bytes=56 Sequence=2 ttl=255 time=20 msReply from 200.0.0.2: bytes=56 Sequence=3 ttl=255 time=20 msReply from 200.0.0.2: bytes=56 Sequence=4 ttl=255 time=20 msReply from 200.0.0.2: bytes=56 Sequence=5 ttl=255 time=20 ms--- 200.0.0.2 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 20/32/80 ms[QY-GigabitEthernet0/0/1]nat sta	
[QY-GigabitEthernet0/0/1]nat static en	
[QY-GigabitEthernet0/0/1]nat static enable 
[QY-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1ip address 200.0.0.1 255.255.255.0 nat static enable
#
return
[QY-GigabitEthernet0/0/1]nat sta	
[QY-GigabitEthernet0/0/1]nat static glo	
[QY-GigabitEthernet0/0/1]nat static global 200.0.0.100 in	
[QY-GigabitEthernet0/0/1]nat static global 200.0.0.100 inside 192.168.1.1
[QY-GigabitEthernet0/0/1]nat st	
[QY-GigabitEthernet0/0/1]nat static gl	
[QY-GigabitEthernet0/0/1]nat static global 200.0.0.200 in	
[QY-GigabitEthernet0/0/1]nat static global 200.0.0.200 inside 192.168.1.2
[QY-GigabitEthernet0/0/1]

动态NAT

[QY-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1ip address 200.0.0.1 255.255.255.0 nat static global 200.0.0.100 inside 192.168.1.1 netmask 255.255.255.255nat static global 200.0.0.200 inside 192.168.1.2 netmask 255.255.255.255nat static enable
#
return
[QY-GigabitEthernet0/0/1]undo nat static global 200.0.0.100 inside 192.168.1.1 n
etmask 255.255.255.255
[QY-GigabitEthernet0/0/1]
[QY-GigabitEthernet0/0/1]undo  nat static global 200.0.0.200 inside 192.168.1.2 
netmask 255.255.255.255
[QY-GigabitEthernet0/0/1]
[QY-GigabitEthernet0/0/1]undo nat static enable
[QY-GigabitEthernet0/0/1]
[QY-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1ip address 200.0.0.1 255.255.255.0 
#
return
[QY-GigabitEthernet0/0/1]q
[QY]nat a	
[QY]nat address-group 1 200.0.0.10 200.0.0.50
[QY]acl 2000
[QY-acl-basic-2000]dis th
[V200R003C00]
#
acl number 2000  
#
return
[QY-acl-basic-2000]rule per	
[QY-acl-basic-2000]rule permit so	
[QY-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[QY-acl-basic-2000]q
[QY]int g0/0/1
[QY-GigabitEthernet0/0/1]nat ou	
[QY-GigabitEthernet0/0/1]nat outbound  2000 a	
[QY-GigabitEthernet0/0/1]nat outbound  2000 address-group 1
[QY-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1ip address 200.0.0.1 255.255.255.0 nat outbound 2000 address-group 1 
#
return
[QY-GigabitEthernet0/0/1]

拓扑图

NAT Service

[QY]int g0/0/1
[QY-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1ip address 200.0.0.1 255.255.255.0 nat outbound 2000 address-group 1 
#
return
[QY-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1
[QY-GigabitEthernet0/0/1]nat	
[QY-GigabitEthernet0/0/1]nat se	
[QY-GigabitEthernet0/0/1]nat server pr	
[QY-GigabitEthernet0/0/1]nat server protocol tcp gl	
[QY-GigabitEthernet0/0/1]nat server protocol tcp global cu	
[QY-GigabitEthernet0/0/1]nat server protocol tcp global current-interface www in
si	
[QY-GigabitEthernet0/0/1]nat server protocol tcp global current-interface www in
side 192.168.1.100 www
Warning:The port 80 is well-known port. If you continue it may cause function fa
ilure.
Are you sure to continue?[Y/N]:y
[QY-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1ip address 200.0.0.1 255.255.255.0 nat server protocol tcp global current-interface www inside 192.168.1.100 www
#
return
[QY-GigabitEthernet0/0/1]

可以通