Huawei USG NAT
PAT
Configure the interface addresses (trust side on GE1/0/0, untrust side on GE1/0/1):
GigabitEthernet1/0/0 192.168.100.253/24 up up
GigabitEthernet1/0/1 202.100.1.2/24 up up
Define the zones (trust has the higher priority, so trust-to-untrust is the outbound direction):
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
Define the NAT address pool (a single public address, 202.100.1.32, in PAT mode, so every inside host shares it and is distinguished by the translated port):
nat address-group nat_to_cmcc 0
mode pat
section 0 202.100.1.32 202.100.1.32
NAT policy configuration:
nat-policy
rule name Trust_TO_Untrust
source-zone trust
destination-zone untrust
action nat address-group nat_to_cmcc
Security policy to permit the traffic (a NAT policy by itself forwards nothing; the interzone security policy must still permit trust to untrust):
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
action permit
Test the PAT translation (ping from 192.168.100.254 to 202.100.1.1):
[USG6000V1]display firewall session table
Current Total Sessions : 1
icmp VPN: public --> public 192.168.100.254:53419[202.100.1.32:2050] --> 202.100.1.1:2048
The value in brackets is the post-NAT source: the inside host 192.168.100.254 with ICMP identifier 53419 leaves the firewall as the pool address 202.100.1.32 with identifier 2050. The destination 202.100.1.1 is untouched.
NAT server
Configure a security policy that allows the outside to reach one specific service on one internal host. The rule matches on the inside address 192.168.100.254, because the NAT server translation is applied before the security policy is evaluated, and it limits the service to Telnet:
[USG6000V1-policy-security-rule-untrust_to_trust_ser01]dis th
#
rule name untrust_to_trust_ser01
source-zone untrust
destination-zone trust
destination-address 192.168.100.254 32
service telnet
action permit
Configure the server mapping: only TCP port 23 on the public address 202.100.1.32 is published to 192.168.100.254. Caveat: Telnet carries the login credentials in cleartext, so on a real network the service to publish would be SSH (stelnet) rather than Telnet; the mechanics of the mapping are the same.
[USG6000V1]nat server ser01 protocol tcp global 202.100.1.32 23 inside 192.168.100.254 23
Test: Telnet from the outside router R1 to the public address
<R1>telnet 202.100.1.32
Press CTRL_] to quit telnet mode
Trying 202.100.1.32 ...
Connected to 202.100.1.32 ...
Login authentication
Username:
Password:
Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.
The current login time is 2020-08-02 09:53:43.
On the internal switch SW1 the session shows up as follows:
<SW1>display users
  User-Intf    Delay    Type  Network Address   AuthenStatus   AuthorcmdFlag
  0   CON 0    00:01:25                                         no
      Username : Unspecified
+ 34  VTY 0    00:00:00  TEL   202.100.1.1      pass           no
      Username : admin
The network address SW1 records is 202.100.1.1, the real address of R1: a NAT server mapping rewrites only the destination, so the internal host still sees the true client address in its login records and logs.
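To tie the PAT section and the NAT server section together, here is an added example (not code from the original page or from Huawei) that models the firewall's NAT and security-policy path as configured above and replays the two observed sessions plus one that the policy rejects. It assumes, beyond what the page states, that NAT server (destination NAT) runs before the security-policy lookup and PAT (source NAT) after it, which is what the page's own rule matching on the inside address 192.168.100.254 implies; the PAT port allocator is a plain counter starting at 2048 rather than the device's real allocator, and 202.100.1.1 is taken to be R1. Zone names, rule names and addresses are the page's; the `Packet`, `Firewall` and `format_session` names are this example's own.

```python
"""Model of the USG NAT + security-policy path configured on this page.

Added example, not from the page or Huawei. Assumptions: NAT server is
applied before the security policy and PAT after it; PAT ports come from
a hypothetical counter starting at 2048; 202.100.1.1 is the peer router R1.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for ICMP echo this is the identifier field
    dst: str
    dport: int


# Zone membership derived from the interface addresses on the page.
ZONES = {"trust": ip_network("192.168.100.0/24"),
         "untrust": ip_network("202.100.1.0/24")}
# nat address-group nat_to_cmcc / mode pat / section 0 202.100.1.32 202.100.1.32
ADDRESS_GROUPS = {"nat_to_cmcc": ["202.100.1.32"]}
# nat-policy rule Trust_TO_Untrust
NAT_POLICY = [{"src_zone": "trust", "dst_zone": "untrust", "group": "nat_to_cmcc"}]
# nat server ser01 protocol tcp global 202.100.1.32 23 inside 192.168.100.254 23
NAT_SERVERS = [{"proto": "tcp", "global": ("202.100.1.32", 23),
                "inside": ("192.168.100.254", 23)}]
# security-policy rules in order; None means "any" for that field.
SERVICES = {"telnet": ("tcp", 23)}
SECURITY_POLICY = [
    {"name": "trust_to_untrust", "src_zone": "trust", "dst_zone": "untrust",
     "dst_addr": None, "service": None, "action": "permit"},
    {"name": "untrust_to_trust_ser01", "src_zone": "untrust", "dst_zone": "trust",
     "dst_addr": "192.168.100.254", "service": "telnet", "action": "permit"},
]


def zone_of(addr: str) -> Optional[str]:
    a = ip_address(addr)
    return next((z for z, net in ZONES.items() if a in net), None)


class Firewall:
    def __init__(self) -> None:
        self._next_pat_port = 2048   # hypothetical PAT allocator
        self.sessions = []           # (pre-NAT, post-NAT) pairs

    def _nat_server(self, pkt: Packet) -> Packet:
        for s in NAT_SERVERS:
            if (pkt.proto, pkt.dst, pkt.dport) == (s["proto"], *s["global"]):
                return replace(pkt, dst=s["inside"][0], dport=s["inside"][1])
        return pkt

    def _security_policy(self, pkt: Packet, src_zone, dst_zone):
        for r in SECURITY_POLICY:
            if (r["src_zone"], r["dst_zone"]) != (src_zone, dst_zone):
                continue
            if r["dst_addr"] and r["dst_addr"] != pkt.dst:
                continue
            if r["service"] and SERVICES[r["service"]] != (pkt.proto, pkt.dport):
                continue
            return r["name"], r["action"]
        return None, "deny"          # default interzone action

    def _source_nat(self, pkt: Packet, src_zone, dst_zone) -> Packet:
        for r in NAT_POLICY:
            if (r["src_zone"], r["dst_zone"]) == (src_zone, dst_zone):
                port, self._next_pat_port = self._next_pat_port, self._next_pat_port + 1
                return replace(pkt, src=ADDRESS_GROUPS[r["group"]][0], sport=port)
        return pkt

    def forward(self, pkt: Packet) -> dict:
        """Return the verdict and, if permitted, the packet as it leaves."""
        src_zone = zone_of(pkt.src)
        after_dnat = self._nat_server(pkt)                         # 1. NAT server
        dst_zone = zone_of(after_dnat.dst)
        rule, action = self._security_policy(after_dnat, src_zone, dst_zone)  # 2. policy
        if action != "permit":
            return {"action": "deny", "rule": rule, "packet": None}
        out = self._source_nat(after_dnat, src_zone, dst_zone)    # 3. PAT
        self.sessions.append((pkt, out))
        return {"action": "permit", "rule": rule, "packet": out}


def format_session(pre: Packet, post: Packet) -> str:
    """Render a session like `display firewall session table`: the PAT form
    (translated source in brackets) matches the page; the bracketed
    destination for NAT server sessions is the analogous, assumed form."""
    src = f"{pre.src}:{pre.sport}"
    if (pre.src, pre.sport) != (post.src, post.sport):
        src += f"[{post.src}:{post.sport}]"
    dst = f"{pre.dst}:{pre.dport}"
    if (pre.dst, pre.dport) != (post.dst, post.dport):
        dst += f"[{post.dst}:{post.dport}]"
    return f"{pre.proto} VPN: public --> public {src} --> {dst}"


if __name__ == "__main__":
    fw = Firewall()
    for pkt in (Packet("icmp", "192.168.100.254", 53419, "202.100.1.1", 2048),  # page's ping
                Packet("tcp", "202.100.1.1", 50000, "202.100.1.32", 23),        # page's telnet
                Packet("tcp", "202.100.1.1", 50001, "202.100.1.32", 22)):       # unmapped port
        print(fw.forward(pkt))
    for pre, post in fw.sessions:
        print(format_session(pre, post))
```

Running it reproduces the two behaviours seen on the page: the inside ping leaves with source 202.100.1.32 and a new identifier, and the outside Telnet reaches 192.168.100.254:23 with its source 202.100.1.1 unchanged, which is why SW1 logs R1's real address. The third packet, TCP/22 to the same public address, has no NAT server entry, so in this model it never acquires a trust-zone destination, matches no interzone rule and is denied; the `service telnet` and `destination-address` restrictions in the security policy are the second line of defence should another mapping be added later.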