After logging in to the system:
1. Display the firewall's currently active configuration.
<H3C>display current-configuration
Locate the following information:
#
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
nat outbound 2000
nat server protocol tcp global 172.16.1.1 www inside 192.168.1.254 www
nat server protocol tcp global 172.16.1.1 22 inside 192.168.1.254 22
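2. Enter system view.
<H3C>system-view
[H3C]
3. Enter interface Ethernet0/0.
[H3C]interface ethernet0/0
[H3C-Ethernet0/0]
4. Run the nat command to add the FTP port mapping.
[H3C-Ethernet0/0] nat server protocol tcp global 172.16.1.1 ftp inside 192.168.1.254 ftp
5. Check the firewall's currently active configuration.
<H3C>display current-configuration
Locate the following information: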
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
nat outbound 2000
nat server protocol tcp global 172.16.1.1 www inside 192.168.1.254 www
nat server protocol tcp global 172.16.1.1 22 inside 192.168.1.254 22
nat server protocol tcp global 172.16.1.1 ftp inside 192.168.1.254 ftp
6. Test whether the FTP port mapping works.
C:\Documents and Settings\aran>ftp 5X.21X.24X.24X
Connected to 5X.21X.24X.24X.
220 (vsFTPd
User (5X.21X.24X.24X:(none)): aran
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> user
Username aran
331 Please specify the password.
Password:
230 Login successful.
ftp>
H3C port mapping commands and device identification (category: Computers) 2009-03-21 17:15:00
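I. Mapping commands with a fixed public IP
System
int dialer 0
[Quidway-Ethernet3/0] nat server protocol tcp global 200.200.200.1 <external port> inside 192.168.1.254 <internal port>
[Quidway-Ethernet3/0] nat server protocol tcp global 200.200.200.1 <external port> inside 192.168.1.254 <internal port>
[Tips]
1. global is followed by the public address and inside by the private address of the server; www and ftp can be replaced with port numbers.
2. Internal users cannot reach the internal server through the public address; they must use the internal address. For example, users on the 192.168.1.0/24 segment cannot access http://200.200.200.1 and can only access http://192.168.1.254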
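II. Without a fixed IP, the command above must be modified as follows
system
int dialer 0
nat server pro tcp global current <external port> inside 192.168.1.2 <internal port>
Delete command
Prefix the command with undo:
undo nat server pro tcp global current <external port> inside 192.168.1.2 <internal port>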
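III. The display nat all command displays all address translation configuration information
[View]
Any view
[Default level]
1: Monitor level
[Parameters]
None
[Description]
The display nat all command displays all address translation configuration information.
[Example]
# Display all address translation configuration information.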
<Sysname> display nat all
NAT address-group information:
There are currently 1 nat address-group(s)
1 : from 202.110.10.10 to 202.110.10.15
NAT outbound information:
There are currently 2 nat outbound rule(s)
Ethernet1/0: acl(2001) --- NAT address-group(1) [no-pat]
Ethernet2/0: --- static
NAT server in private network information:
There are currently 1 internal server(s)
Interface:Ethernet1/0, Protocol:6(tcp),
[global] 202.110.10.10: 8080 [local] 10.110.10.10: 80(www)
NAT static information:
There are currently 2 static table(s)
GlobalAddr InsideAddr ***-instance
192.168.1.111
NAT aging-time value information:
tcp ---- aging-time value is 86400 (seconds)
udp ---- aging-time value is 300 (seconds)
icmp ---- aging-time value is 60 (seconds)
pptp ---- aging-time value is 86400 (seconds)
dns ---- aging-time value is 60 (seconds)
tcp-fin ---- aging-time value is 60 (seconds)
tcp-syn ---- aging-time value is 60 (seconds)
ftp-ctrl ---- aging-time value is 7200 (seconds)
ftp-data ---- aging-time value is 300 (seconds)
NAT log information:
log enable : enable acl 2000
flow-begin : enable
flow-active : 10(minutes)
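Table 1-5 Description of the display nat all command output

| Field | Description |
|---|---|
| NAT address-group information | NAT address pool information |
| There are currently 1 nat address-group(s) | One NAT address pool exists |
| 1 : from 202.110.10.10 to 202.110.10.15 | Address pool 1 covers the IP range 202.110.10.10 to 202.110.10.15 |
| NAT outbound information: | Configuration of translation between internal and external addresses |
| There are currently 2 nat outbound rule(s) | Two address translation associations exist |
| Ethernet1/0: acl(2001) --- NAT address-group(1) [no-pat] | One address translation association is configured on Ethernet1/0: ACL rule 2001 is associated with address pool 1 for many-to-many address translation; [no-pat] means ports are not translated |
| Ethernet2/0: --- static | Static address translation is configured on Ethernet1/0 |
| NAT server in private network information | Internal server information |
| There are currently 1 internal server(s) | One internal server entry exists |
| Interface:Ethernet1/0, Protocol:6(tcp), [global] 202.110.10.10: 8080 [local] 10.110.10.10: 80(www) | One internal server is configured on Ethernet1/0: it uses TCP; the public address is 202.110.10.10, port 8080; the internal address is 10.110.10.10, port 80 |
| NAT static information: | Static address translation information |
| There are currently 2 static table(s) | Two static translation entries exist |
| GlobalAddr | External IP address |
| InsideAddr | Internal IP address |
| ***-instance | Name of the layer-3 *** that the internal IP address belongs to |
| NAT aging-time value information | NAT translation lifetime for each protocol |
| tcp ---- aging-time value is 86400 (seconds) | TCP address translations are valid for 86400 seconds |
| udp ---- aging-time value is 300 (seconds) | UDP address translations are valid for 300 seconds |
| icmp ---- aging-time value is 60 (seconds) | ICMP address translations are valid for 60 seconds |
| pptp ---- aging-time value is 86400 (seconds) | PPTP address translations are valid for 86400 seconds |
| dns ---- aging-time value is 60 (seconds) | DNS address translations are valid for 60 seconds |
| tcp-fin ---- aging-time value is 60 (seconds) | Address translations for TCP connections in FIN or RST state are valid for 60 seconds |
| tcp-syn ---- aging-time value is 60 (seconds) | Address translations for TCP connections in SYN state are valid for 60 seconds |
| ftp-ctrl ---- aging-time value is 7200 (seconds) | Address translations for the FTP control channel are valid for 7200 seconds |
| ftp-data ---- aging-time value is 300 (seconds) | Address translations for the FTP data channel are valid for 300 seconds |
| NAT log information | Address translation logging information |
| log enable : enable acl 2000 | Logging is enabled; flows matching acl 2000 are logged |
| flow-begin : enable | Logging of newly created flows is enabled |
| flow-active : 10(minutes) | The interval for active flows is 10 minutes |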
IV. Telling a router from a firewall
On the device you have reached over Telnet, enter the following command:
<Quidway>disp ver
Copyright Notice:
All rights reserved (Feb 22 2008).
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Feature 1652
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Quidway SecPath 100F uptime is 0 week, 0 day, 3 hours, 10 minutes    // If this line says SecPath, the device is a firewall
CPU type: Mips IDT RC32438 266MHz
256M bytes DDR SDRAM Memory
16M bytes Flash Memory
Pcb Version:3.0
Logic Version:1.0
BootROM Version:1.17
[SLOT 0] 4FE (Hardware)3.0, (Driver)2.0, (Cpld)1.0
[SLOT 1] 3FE (Hardware)3.0, (Driver)2.0, (Cpld)1.0
<R1-C-SDWH-NET>dis ver
Copyright Notice:
All rights reserved (Jun 14 2005).
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Huawei-3Com Versatile Routing Platform Software
VRP(R) software, Version 3.40, Release RT-0011
Copyright (c) 2003-2005 Hangzhou Huawei-3Com Tech. Co.,Ltd. All rights reserved.
Copyright (c) 2000-2003 Huawei Tech. Co.,Ltd. All rights reserved.
Quidway AR28-31 uptime is 0 week, 0 day, 21 hours, 13 minutes    // This is a router; AR28-31 is the router model
CPU type: PowerPC 8245 300MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
128K bytes NvRAM Memory
Pcb Version:1.0
Logic Version:1.0
BootROM Version:9.12
[SLOT 0] 2FE (Hardware)2.1, (Driver)2.0, (Cpld)0.0
[SLOT 2] 4E1-F (Hardware)1.0, (Driver)1.0, (Cpld)1.0
nat address-group 2 221.0.185.204 221.0.185.204
#
firewall statistic system enable
#
DNS server 202.102.134.68
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher =VBX!6J709;1<%AOH#3\4Q!!
service-type telnet terminal
level 3
#
acl number 2000
rule 0 permit source
rule 1 deny
#
nat server-group protocol
#
interface Aux0
async mode flow
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/1
#
interface GigabitEthernet1/0
ip address 221.0.185.204 255.255.255.240
nat outbound 2000 address-group 2
nat server protocol tcp global 221.0.185.204 3389 inside 10.10.10.10 3389
nat server protocol tcp global 221.0.185.204 3390 inside 10.10.10.11 3389
nat server protocol tcp global 221.0.185.204 22 inside 10.10.10.7 22
nat server protocol tcp global 221.0.185.204 ftp inside 10.10.10.7 ftp
nat server protocol tcp global 221.0.185.204 8080 inside 10.10.10.7 8080
nat server protocol tcp global 221.0.185.204 8001 inside 10.10.10.8 22
nat server protocol tcp global 221.0.185.204 81 inside 10.10.10.8 8080
nat server protocol tcp global 221.0.185.204 8085 inside 10.10.10.10 8085
nat server protocol tcp global 221.0.185.204 8086 inside 10.10.10.10 8086
nat server protocol tcp global 221.0.185.204 8087 inside 10.10.10.10 8087
nat server protocol tcp global 221.0.185.204 8088 inside 10.10.10.10 8088
nat server protocol tcp global 221.0.185.204 8089 inside 10.10.10.10 8089
#
interface GigabitEthernet1/1
ip address 10.10.10.1 255.255.255.0
#
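
An added example, not part of the original post: a small audit of `nat server` lines from a `display current-configuration` dump like the one above, listing which inside services are published and flagging management or cleartext services even when they sit behind a non-standard global port. The keyword-to-port table, the set of sensitive ports and the sample addresses (203.0.113.10 is a documentation address) are assumptions of this example.

```python
import re

# Port keywords accepted in place of numbers (subset assumed for this example).
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}
# Inside ports treated as management or cleartext services (this example's assumption).
SENSITIVE = {21: "FTP (cleartext)", 22: "SSH", 23: "Telnet (cleartext)", 3389: "RDP"}
RULE = re.compile(
    r"^\s*nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)\s*$")

def to_port(token):
    """Turn a port keyword or number from the config into an int."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)

def parse_nat_servers(config_text):
    """Return one dict per 'nat server' line, tagged with its interface."""
    rules, interface = [], None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            interface = line.split(None, 1)[1].strip()
        m = RULE.match(line)
        if m:
            proto, gaddr, gport, iaddr, iport = m.groups()
            rules.append({"interface": interface, "proto": proto,
                          "global": (gaddr, to_port(gport)),
                          "inside": (iaddr, to_port(iport))})
    return rules

def audit(rules):
    """List mappings that publish a sensitive inside service."""
    findings = []
    for r in rules:
        gport, iport = r["global"][1], r["inside"][1]
        if iport in SENSITIVE:
            note = " on a non-standard global port" if gport != iport else ""
            findings.append((gport, r["inside"][0], iport, SENSITIVE[iport] + note))
    return findings

# Constructed sample, modelled on the GigabitEthernet1/0 section above.
SAMPLE = """\
interface GigabitEthernet1/0
 nat server protocol tcp global 203.0.113.10 3390 inside 10.10.10.11 3389
 nat server protocol tcp global 203.0.113.10 ftp inside 10.10.10.7 ftp
 nat server protocol tcp global 203.0.113.10 8001 inside 10.10.10.8 22
 nat server protocol tcp global 203.0.113.10 81 inside 10.10.10.8 8080
"""

if __name__ == "__main__":
    for finding in audit(parse_nat_servers(SAMPLE)):
        print(finding)
```

Each finding is a tuple of global port, inside address, inside port and a label, which makes it easy to compare against the list of services that are meant to be reachable from outside.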