F1000-AI-25

Nat44使用場景：內網用戶通過nat44策略，通過訪問202.38.1.1地址訪問內網10.110.10.1，並將源ip地址轉換為10.110.10.10防火牆上接口地址。

  配置接口IP地址

# 根據組網圖中規劃的信息，配置各接口的IP地址，具體配置步驟如下。

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 10.110.10.10 16

[Device-GigabitEthernet1/0/1] quit

請參考以上步驟配置其他接口的IP地址，具體配置步驟略。

(2)     將接口加入安全域

# 請根據組網圖中規劃的信息，將接口加入對應的安全域，具體配置步驟如下。

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/1

[Device-security-zone-Trust] quit

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Device-security-zone-Untrust] quit

(3)     配置安全策略

# 配置名稱為untrust-trust的安全策略，保證trust安全域中的Host可以訪問Trust安全域中的Server，具體配置步驟如下。

[Device] security-policy ip

[Device-security-policy-ip] rule name trust-trust

[Device-security-policy-ip-1-trust-trust] source-zone trust

[Device-security-policy-ip-1-trust-trust] destination-zone trust

[Device-security-policy-ip-1-trust-trust] action pass

[Device-security-policy-ip-1-trust-trust] quit

[Device-security-policy-ip] quit

(4)     配置NAT功能

# 配置服務對象組，提供Web服務。

[Device] object-group service service2

[Device-obj-grp-service-service2] service tcp destination eq 80

[Device-obj-grp-service-service2] quit

# 配置全局NAT規則，允許內網主機訪問內網服務器。

[Device] nat global-policy

[Device-nat-global-policy] rule name rule1

[Device-nat-global-policy-rule-rule1] destination-ip host 202.38.1.1

[Device-nat-global-policy-rule-rule1] source-zone trust

[Device-nat-global-policy-rule-rule1] service service1

[Device-nat-global-policy-rule-rule1] action dnat ip-address 10.110.10.1 local-port 80

[Device-nat-global-policy-rule-rule1] action snat easy-ip

[Device-nat-global-policy-rule-rule1] quit