Huawei Firewall
2022-08-02 14:04:00 【H2223】
Topology:

Firewall NAT configuration:
ar1: trust
ar3: untrust

NAT policy

Then configure the static routes.
Configure a loopback address on r2 to simulate the external network, and ping it from r1.

FTP port mapping:
Purpose: well-known port numbers (for example 21, 80 and 443) are easy targets for attackers; translating them to a custom port number at the internal network boundary improves security.
Configuration:
Start the FTP service on r1 to simulate an FTP server:
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user 123 password cipher %$%$%3%*(NE+}>Rpp"YQq*o/R7}e%$%$
local-user 123 privilege level 15
local-user 123 ftp-directory flash:
local-user 123 service-type ftp
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
Configure a security policy on the firewall so that the external network can reach the internal FTP server:

Configure the port mapping:
Map port 21 to port 2121.

Verify the result on r3:
<untrust>ftp 100.1.1.1 2121
Trying 100.1.1.1 ...
Press CTRL+K to abort
Connected to 100.1.1.1.
220 FTP service ready.
User(100.1.1.1:(none)):123
331 Password required for 123.
Enter password:
230 User logged in.
[untrust-ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
drwxrwxrwx 1 noone nogroup 0 Apr 02 07:26 dhcp
-rwxrwxrwx 1 noone nogroup 121802 May 26 2014 portalpage.zip
-rwxrwxrwx 1 noone nogroup 2263 Apr 02 07:26 statemach.efs
-rwxrwxrwx 1 noone nogroup 828482 May 26 2014 sslvpn.zip
drwxrwxrwx 1 noone nogroup 0 Apr 02 07:26 .
226 Transfer complete.
FTP: 327 byte(s) received in 0.070 second(s) 4.67Kbyte(s)/sec.
[untrust-ftp]cd dhcp
250 CWD command successful.
[untrust-ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
-rwxrwxrwx 1 noone nogroup 98 Apr 02 07:26 dhcp-duid.txt
drwxrwxrwx 1 noone nogroup 0 Apr 02 07:26 ..
drwxrwxrwx 1 noone nogroup 0 Apr 02 07:26 .
226 Transfer complete.
FTP: 187 byte(s) received in 0.050 second(s) 3.74Kbyte(s)/sec.
[untrust-ftp]get dhcp-duid.txt
200 Port command okay.
150 Opening ASCII mode data connection for dhcp-duid.txt.
226 Transfer complete.
FTP: 98 byte(s) received in 0.240 second(s) 408.33byte(s)/sec.
<USG6000V1>dis firewall session table
2022-04-02 09:28:48.110
Current Total Sessions : 4
tcp VPN: default --> default 10.1.2.100:59194 --> 10.1.2.1:8443
tcp VPN: default --> default 10.1.2.100:59014 --> 10.1.2.1:8443
ftp VPN: public --> public 100.1.1.2:49277 +-> 100.1.1.1:2121[192.168.1.2:21]
ftp-data VPN: public --> public 192.168.1.2:20[100.1.1.1:20] --> 100.1.1.2:49189
<USG6000V1>dis fir server-map
2022-04-02 09:32:22.880
Current Total Server-map : 1
Type: Nat Server, ANY -> 100.1.1.1:2121[192.168.1.2:21], Zone: untrust , protocol:tcp
Vpn: public -> public
Success.
NAT ALG (application level gateway)
Some protocols carry IP addresses inside the application layer, and NAT cannot rewrite application-layer IP addresses. The return packets would then still be addressed to the original private address and the communication would fail. NAT ALG rewrites the application-layer IP address and is enabled by default on the device.
Inter-zone bidirectional NAT
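As an added example (not code from the original post), a small Python parser for the session-table lines above: it extracts which endpoints the firewall translated, so the 2121 to 21 port mapping and the ALG-created ftp-data session can be checked automatically. The sample input is the page's own output, re-typed as a constructed string.

```python
import re

# Constructed sample: session lines copied from this page's "dis firewall session
# table" output (the 10.1.2.100 entry is a management session without translation).
SESSION_TABLE = """\
Current Total Sessions : 3
tcp VPN: default --> default 10.1.2.100:59194 --> 10.1.2.1:8443
ftp VPN: public --> public 100.1.1.2:49277 +-> 100.1.1.1:2121[192.168.1.2:21]
ftp-data VPN: public --> public 192.168.1.2:20[100.1.1.1:20] --> 100.1.1.2:49189
"""
SESSION_RE = re.compile(r"^(?P<proto>\S+) VPN: (?P<svpn>\S+) --> (?P<dvpn>\S+) "
                        r"(?P<src>\S+) (?P<arrow>-->|\+->) (?P<dst>\S+)$")
# "ip:port" optionally followed by "[translated_ip:translated_port]"
ENDPOINT_RE = re.compile(
    r"^(?P<ip>[\d.]+):(?P<port>\d+)(?:\[(?P<xip>[\d.]+):(?P<xport>\d+)\])?$")

def parse_endpoint(text):
    m = ENDPOINT_RE.match(text)
    if m is None:
        raise ValueError(f"unexpected endpoint format: {text!r}")
    translated = (m["xip"], int(m["xport"])) if m["xip"] else None
    return {"addr": (m["ip"], int(m["port"])), "translated": translated}

def parse_session_table(text):
    """One dict per session line; header/timestamp lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m is None:
            continue
        sessions.append({"proto": m["proto"], "vpn": (m["svpn"], m["dvpn"]),
                         "src": parse_endpoint(m["src"]),
                         "dst": parse_endpoint(m["dst"]),
                         "arrow": m["arrow"]})  # "+->" is shown on the FTP control session
    return sessions

def nat_translations(sessions):
    """(kind, proto, shown, translated) for each translated endpoint. A bracket on
    the destination is destination NAT (nat server / port mapping); a bracket on
    the source is a source translation."""
    out = []
    for s in sessions:
        for side, kind in (("dst", "dnat"), ("src", "snat")):
            if s[side]["translated"]:
                out.append((kind, s["proto"], s[side]["addr"], s[side]["translated"]))
    return out

def port_mapping_ok(sessions, public, inside):
    """True if a session shows destination NAT from the public to the inside socket."""
    return any(k == "dnat" and a == public and t == inside
               for k, _, a, t in nat_translations(sessions))
```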

On top of the original NAT, configure a second NAT on the firewall so that the internal server is accessed from the 192.168.1.1 address in the figure above rather than from the external public address.
Configuration:



Verification:
[trust]undo ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 // delete the route to the firewall on r1
<untrust>ftp 100.1.1.1
Trying 100.1.1.1 ...
Press CTRL+K to abort
Connected to 100.1.1.1.
220 FTP service ready.
User(100.1.1.1:(none)):123
331 Password required for 123.
Enter password:
230 User logged in.
[untrust-ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
drwxrwxrwx 1 noone nogroup 0 Apr 02 07:26 dhcp
-rwxrwxrwx 1 noone nogroup 121802 May 26 2014 portalpage.zip
-rwxrwxrwx 1 noone nogroup 2263 Apr 02 07:26 statemach.efs
-rwxrwxrwx 1 noone nogroup 828482 May 26 2014 sslvpn.zip
drwxrwxrwx 1 noone nogroup 0 Apr 02 07:26 .
226 Transfer complete.
FTP: 327 byte(s) received in 0.070 second(s) 4.67Kbyte(s)/sec.
FTP still works normally, which shows it succeeded.
Intra-zone bidirectional NAT

Scenario:
Internal users need to access the server by its domain name; the address they resolve is the public IP, so their traffic goes to the server via the public network.
New topology:

Configuration:

The source address is the internal network address.
The destination address is 100.1.1.1 (the external interface address).

Re-enable the static route on r1 and r4:
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
FTP to the public address from r4:
<Huawei>ftp 100.1.1.1
Trying 100.1.1.1 ...
Press CTRL+K to abort
Connected to 100.1.1.1.
220 FTP service ready.
User(100.1.1.1:(none)):123
331 Password required for 123.
Enter password:
230 User logged in.
[Huawei-ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
drwxrwxrwx 1 noone nogroup 0 Apr 03 10:40 dhcp
-rwxrwxrwx 1 noone nogroup 121802 May 26 2014 portalpage.zip
-rwxrwxrwx 1 noone nogroup 2263 Apr 03 10:40 statemach.efs
-rwxrwxrwx 1 noone nogroup 828482 May 26 2014 sslvpn.zip
drwxrwxrwx 1 noone nogroup 0 Apr 03 10:40 .
-rwxrwxrwx 1 noone nogroup 646 Apr 03 10:40 vrpcfg.zip
226 Transfer complete.
FTP: 394 byte(s) received in 0.090 second(s) 4.37Kbyte(s)/sec.
Then capture packets on r1's g0/0/0 interface to verify.

The experiment succeeded.
"Active/standby" NAT
New topology:

r3 is China Telecom, r6 is China Unicom.
The two links back each other up: r3 is active, r6 is standby.
Problem: static routes can float, but NAT has no preference or cost. When the active link goes down, the NAT-translated source is still the source address on g1/0/1, so return packets cannot come back.
Solution:
Enable source-in source-out route control on the interfaces; this links the floating static routes with NAT.
Note: the gateway must be specified.
