![Figure 1: 3.2 Firewall source NAT No-PAT (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片99.png)
1. Basic firewall configuration
# Configure interface addresses
interface GigabitEthernet1/0/0
 ip address 192.168.1.254 255.255.255.0
 service-manage all permit
interface GigabitEthernet1/0/1
 ip address 12.1.1.1 255.255.255.0
 service-manage all permit
# Configure security zones
firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/1
2. Configure the default route on the firewall
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1 12.1.1.2
3. Configure a static route on R2 (the public NAT address is not in the same subnet as the interface address; the static route prevents a routing black hole)
4. Create a security policy
security-policy
 rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
5. Configure the NAT policy
1) Create a NAT address group
nat address-group ag01 
 mode no-pat global
 section 0 120.1.1.101 120.1.1.101
2) Bind the NAT address group to a NAT policy
nat-policy
 rule name pc1-static
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.1 32
  action source-nat address-group ag01
6. PC1 tests the server; view the session table and the server-map table on the firewall
# The session table records the connection state of TCP, UDP, ICMP and other protocols; it is the main basis on which the FW forwards packets.
# The server-map table permits certain packets that a security policy cannot explicitly allow; it is a fine-grained "security policy" generated automatically by the ASPF/ALG function, an "invisible channel" on the FW.
display firewall session table all
icmp  VPN: public --> public  192.168.1.1:21478[120.1.1.101:21478] --> 80.1.1.1:2048
display firewall server-map       
2023-07-27 03:45:42.590 
 Current Total Server-map : 2
 Type: No-Pat Reverse, ANY -> 120.1.1.101[192.168.1.1],  Zone:---
 Protocol: ANY, TTL:---, Left-Time:---,  Pool: 0, Section: 0
 Vpn: public
 Type: No-Pat,  192.168.1.1[120.1.1.101] -> ANY,  Zone:---
 Protocol: ANY, TTL:360, Left-Time:357,  Pool: 0, Section: 0
 Vpn: public
7. Data loop
Cause: routing. The FW's default route points to the Internet, but there is no specific route for 120.1.1.101/32 pointing to a black hole; a black-hole route resolves the NAT loop problem (traffic from the public network towards the internal network).
![Figure 2: 3.2 Firewall source NAT No-PAT (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片100-1024x701.png)
![Figure 3: 3.2 Firewall source NAT No-PAT (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片101-1024x422.png)
Solution 1:
ip route-static 120.1.1.101 32 NULL 0
display ip routing-table 
120.1.1.101/32  Static  60   0           D   0.0.0.0         NULL0
Solution 2 (undo solution 1 first):
nat address-group ag01 
route enable
display ip routing-table
 120.1.1.101/32  Unr     61   0           D   127.0.0.1       InLoopBack0
![Figure 4: 3.2 Firewall source NAT No-PAT (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片103-1024x325.png)
8. Deny access for destinations that do not match
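The loop in section 7 and both fixes, as an added Python model (written for this page; it is not code from the original post or from Huawei): a longest-prefix-match lookup over constructed routing tables for FW and R2 shaped like the lab topology. The node names, the server_map dictionary (standing in for the No-Pat Reverse entries) and the forward() function are assumptions for illustration. A packet for the pool address 120.1.1.101 with no server-map entry ping-pongs between R2 and the FW until its TTL expires; the /32 route to NULL 0 (or the UNR route that route enable installs) stops it on the firewall, while an established binding is still translated because the server-map is consulted before routing.

```python
import ipaddress

# Constructed routing tables shaped like the lab topology (not exported from a
# device).  Entry = (prefix, next hop).  A next hop that is not a router name
# is treated as a directly attached destination; "NULL0"/"InLoopBack0" end the
# packet's life on the firewall, as the two fixes in section 7 do.
FW_TABLE = [
    ("192.168.1.0/24", "PC-LAN"),
    ("12.1.1.0/24", "R2"),
    ("0.0.0.0/0", "R2"),            # default route towards the Internet
]
R2_TABLE = [
    ("12.1.1.0/24", "FW"),
    ("120.1.1.0/24", "FW"),         # step 3: static route for the public NAT range
    ("80.1.1.0/24", "Server"),
]
TERMINATE = ("NULL0", "InLoopBack0")


def lookup(table, dst):
    """Longest-prefix-match lookup; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def forward(fw_table, server_map, dst, max_hops=10):
    """Hop-by-hop forwarding of a packet that R2 received from the Internet.

    server_map maps public -> private addresses (the 'No-Pat Reverse' entries);
    the firewall consults it before routing, so an established binding is
    translated and delivered inside regardless of the black-hole route.
    Returns (path, outcome) with outcome in {"delivered", "dropped", "loop"}.
    """
    tables = {"FW": fw_table, "R2": R2_TABLE}
    node, path = "R2", ["R2"]
    for _ in range(max_hops):
        if node == "FW" and dst in server_map:
            path.append(server_map[dst])       # reverse No-PAT translation
            return path, "delivered"
        next_hop = lookup(tables[node], dst)
        if next_hop is None or next_hop in TERMINATE:
            return path, "dropped"             # black hole / local termination
        path.append(next_hop)
        if next_hop not in tables:
            return path, "delivered"           # directly attached destination
        node = next_hop
    return path, "loop"                        # TTL would expire: R2 <-> FW ping-pong


if __name__ == "__main__":
    print("no /32 route:   ", forward(FW_TABLE, {}, "120.1.1.101"))
    fixed = FW_TABLE + [("120.1.1.101/32", "NULL0")]   # ip route-static ... NULL 0
    print("black hole:     ", forward(fixed, {}, "120.1.1.101"))
    print("with server-map:", forward(fixed, {"120.1.1.101": "192.168.1.1"}, "120.1.1.101"))
```

The point the model makes is that the loop is not a NAT bug but a routing one: R2 owns a route for the whole pool range, the FW only owns the addresses that currently have a binding, and anything in between needs an explicit sink on the firewall.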
nat-policy
 rule name pc1-static
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.1 mask 255.255.255.255
  destination-address 80.1.1.1 mask 255.255.255.255
  action source-nat address-group ag01
#Info: The current source conversion address pool type is no-pat, and if some businesses of the same user do not need to do NAT, please create a new rule with NAT type No-nat, otherwise the user's business will be NAT.
 rule name pc1-static-deny
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.1 mask 255.255.255.255
  destination-address any
  action no-nat
PC>ping 80.1.1.1 -c 1
From 80.1.1.1: bytes=32 seq=1 ttl=253 time=78 ms
ping 200.1.1.1 -c 1
Request timeout!
9. Many-to-many (dynamic) NAT (No-PAT): private address group to public address pool
# The binding is configured many-to-many, but when an internal IP address obtains a NAT external address the binding is still one-to-one
1) Create the public address group (delete the nat-policy and ag01 first, then create it)
nat address-group ag11 
 mode no-pat global
 route enable
 section 0 120.1.1.101 120.1.1.103
2) Create a NAT policy that binds the private address group
nat-policy
 rule name 192_168_1_0_nat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group ag11
3) PC1, PC2 and PC3 test the public server; view the server-map
display firewall server-map
 Current Total Server-map : 6
 Type: No-Pat Reverse, ANY -> 120.1.1.102[192.168.1.2],  Zone:---
 Protocol: ANY, TTL:---, Left-Time:---,  Pool: 2, Section: 0
 Vpn: public
 Type: No-Pat Reverse, ANY -> 120.1.1.101[192.168.1.1],  Zone:---
 Protocol: ANY, TTL:---, Left-Time:---,  Pool: 2, Section: 0
 Vpn: public
 Type: No-Pat Reverse, ANY -> 120.1.1.103[192.168.1.3],  Zone:---
 Protocol: ANY, TTL:---, Left-Time:---,  Pool: 2, Section: 0
 Vpn: public
 Type: No-Pat,  192.168.1.2[120.1.1.102] -> ANY,  Zone:---
 Protocol: ANY, TTL:360, Left-Time:356,  Pool: 2, Section: 0
 Vpn: public
 Type: No-Pat,  192.168.1.1[120.1.1.101] -> ANY,  Zone:---
 Protocol: ANY, TTL:360, Left-Time:351,  Pool: 2, Section: 0
 Vpn: public
 Type: No-Pat,  192.168.1.3[120.1.1.103] -> ANY,  Zone:---
 Protocol: ANY, TTL:360, Left-Time:359,  Pool: 2, Section: 0
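Sections 5/6, 8 and 9 all describe one mechanism: nat-policy rules are matched first-wins in order, a No-PAT pool binds each private address one-to-one to a public address while keeping the port, and a forward ("No-Pat") and a reverse ("No-Pat Reverse") server-map entry appear for every binding. The following Python model is added here for this page (it is not the post's or Huawei's code; NatRule, NoPatFirewall, section() and the status strings are assumed names). It shows the three hosts from section 9 taking 120.1.1.101 to .103, a fourth host finding the pool exhausted because No-PAT never shares an address, an existing binding being reused, and the section 8 rule order where the no-nat rule catches every destination the first rule did not match.

```python
import ipaddress
from dataclasses import dataclass, field


def section(start, end):
    """Expand 'section 0 120.1.1.101 120.1.1.103' into its address list."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(a + i) for i in range(int(b) - int(a) + 1)]


@dataclass
class NatRule:
    """One nat-policy rule; destination '0.0.0.0/0' stands for 'any'."""
    name: str
    source: str
    destination: str
    action: str                       # "source-nat" or "no-nat"
    pool: list = field(default_factory=list)


class NoPatFirewall:
    """Model of No-PAT source NAT: rules are matched first-wins in order, a
    private address is bound one-to-one to a free pool address on its first
    translated packet, the port is kept, and both server-map entries appear."""

    def __init__(self, rules):
        self.rules = rules
        self.server_map = {}      # private -> public   ("Type: No-Pat")
        self.reverse_map = {}     # public -> private   ("Type: No-Pat Reverse")

    def match_rule(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:   # first matching rule wins, as on the device
            if s in ipaddress.ip_network(rule.source) and d in ipaddress.ip_network(rule.destination):
                return rule
        return None

    def translate(self, src, sport, dst):
        """Outbound packet -> (new_src, new_sport, status)."""
        rule = self.match_rule(src, dst)
        if rule is None:
            return src, sport, "no-match"
        if rule.action == "no-nat":
            return src, sport, "no-nat"          # leaves untranslated: section 8 timeout
        if src in self.server_map:
            return self.server_map[src], sport, "nat"   # existing binding reused
        free = [a for a in rule.pool if a not in self.reverse_map]
        if not free:
            return None, None, "pool-exhausted"  # No-PAT never shares an address
        public = free[0]
        self.server_map[src] = public
        self.reverse_map[public] = src
        return public, sport, "nat"              # port preserved (no PAT)

    def reverse(self, public_dst, dport):
        """Inbound packet to a pool address: the reverse entry maps it back."""
        private = self.reverse_map.get(public_dst)
        return (private, dport) if private else None

    def render_server_map(self):
        """Entries in the style of 'display firewall server-map'."""
        lines = [f"Type: No-Pat Reverse, ANY -> {pub}[{priv}]" for pub, priv in self.reverse_map.items()]
        lines += [f"Type: No-Pat, {priv}[{pub}] -> ANY" for priv, pub in self.server_map.items()]
        return lines


if __name__ == "__main__":
    fw = NoPatFirewall([NatRule("192_168_1_0_nat", "192.168.1.0/24", "0.0.0.0/0",
                                "source-nat", section("120.1.1.101", "120.1.1.103"))])
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print(host, "->", fw.translate(host, 21478, "80.1.1.1"))
    print("\n".join(fw.render_server_map()))
```

The exhaustion case is the operational caveat of No-PAT: the pool must be at least as large as the number of hosts that may be active at once, otherwise the fourth host is simply not translated, which is the failure mode to watch for when a many-to-many group is sized like a one-to-one one.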