The original article, however, contains so many commands that the key points get buried. No criticism of its author is intended; I only want to write a version that is easier to reproduce in the lab and that highlights the key commands the original author wanted to convey. The ideas belong to the original author.
This article builds the environment in GNS3 and uses VPCS to simulate the PCs, in place of the original's routers with routing disabled. This saves memory and reduces the number of commands.
The topology is shown below.
Lab objectives:
1) Statically map the private addresses of PC1 and PC2 behind R1 to public addresses (one-to-one translation).
2) Then translate the internal subnets connected to R1 dynamically (dynamic translation).
3) Publish the internal network connected to R1 with PAT (port multiplexing).
Debug commands:
show ip nat translations
show ip nat statistics
Lab steps:
Configure IP addresses on all PCs and routers, and make sure every VPCS can ping its own gateway.
R1(config)#int s1/0
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int f0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0
R1(config-if)#no shut
 
R2(config)#int f0/0
R2(config-if)#ip address 172.16.2.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int f0/1
R2(config-if)#ip address 172.16.1.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s1/0
R2(config-if)#ip address 10.0.0.2 255.255.255.0
R2(config-if)#no shut
 
Lab 1: statically map the private addresses of PC1 and PC2 behind R1 to public addresses
Note: in this configuration each public address maps to exactly one private address.
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config)#int f0/1
R1(config-if)#ip nat inside
R1(config-if)#int s1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#ip nat inside source static 192.168.1.2 10.0.0.100
R1(config)#ip nat inside source static 192.168.2.2 10.0.0.200
 
R2(config)#int f0/0
R2(config-if)#ip nat inside
R2(config)#int f0/1
R2(config-if)#ip nat inside
R2(config-if)#int s1/0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat inside source static 172.16.1.2 10.0.0.10  
R2(config)#ip nat inside source static 172.16.2.2 10.0.0.11
 
Test
 
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.0.0.100         192.168.1.2        ---                ---
--- 10.0.0.200         192.168.2.2        ---                ---
 
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.0.0.10          172.16.1.2         ---                ---
--- 10.0.0.11          172.16.2.2         ---                ---
 
VPCS 1 >ping 10.0.0.10
10.0.0.10 icmp_seq=1 time=140.000 ms
10.0.0.10 icmp_seq=2 time=125.000 ms
10.0.0.10 icmp_seq=3 time=109.000 ms
10.0.0.10 icmp_seq=4 time=94.000 ms
10.0.0.10 icmp_seq=5 time=94.000 ms
 
VPCS 1 >ping 10.0.0.11
10.0.0.11 icmp_seq=1 time=109.000 ms
10.0.0.11 icmp_seq=2 time=109.000 ms
10.0.0.11 icmp_seq=3 time=94.000 ms
10.0.0.11 icmp_seq=4 time=94.000 ms
10.0.0.11 icmp_seq=5 time=110.000 ms
 
VPCS 3 >ping 10.0.0.100
10.0.0.100 icmp_seq=1 time=204.000 ms
10.0.0.100 icmp_seq=2 time=140.000 ms
10.0.0.100 icmp_seq=3 time=125.000 ms
10.0.0.100 icmp_seq=4 time=157.000 ms
10.0.0.100 icmp_seq=5 time=141.000 ms
 
VPCS 3 >ping 10.0.0.200
10.0.0.200 icmp_seq=1 time=203.000 ms
10.0.0.200 icmp_seq=2 time=109.000 ms
10.0.0.200 icmp_seq=3 time=93.000 ms
10.0.0.200 icmp_seq=4 time=125.000 ms
10.0.0.200 icmp_seq=5 time=141.000 ms
 
Lab 2: translate the internal subnets connected to R1 dynamically.
The idea: when you have obtained several public IPs, you can put them in an address pool and let the pool addresses take turns translating your internal IPs.
First remove the commands from Lab 1
R1(config)#no ip nat inside source static 192.168.1.2 10.0.0.100
R1(config)#no ip nat inside source static 192.168.2.2 10.0.0.200
R2(config)#no ip nat inside source static 172.16.1.2 10.0.0.10  
R2(config)#no ip nat inside source static 172.16.2.2 10.0.0.11
 
Then define the permitted subnets
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# access-list 1 permit 192.168.2.0 0.0.0.255
Set the address pool range
R1(config)#ip nat pool haha 10.0.0.10 10.0.0.15 netmask 255.255.255.0 type rotary
R1(config)#ip nat inside source list 1 pool haha
 
Configure R2 the same way as R1
R2(config)# access-list 1 permit 172.16.1.0 0.0.0.255
R2(config)# access-list 1 permit 172.16.2.0 0.0.0.255
Set the address pool range
R2(config)#ip nat pool hehe 10.0.0.20 10.0.0.25 netmask 255.255.255.0
R2(config)#ip nat inside source list 1 pool hehe
 
 
Then, from the VPCS, ping an external address that is known to exist
VPCS 1 >ping 10.0.0.2
10.0.0.2 icmp_seq=1 time=203.000 ms
10.0.0.2 icmp_seq=2 time=156.000 ms
10.0.0.2 icmp_seq=3 time=203.000 ms
10.0.0.2 icmp_seq=4 time=125.000 ms
10.0.0.2 icmp_seq=5 time=62.000 ms
 
VPCS 2 >ping 10.0.0.2
10.0.0.2 icmp_seq=1 time=141.000 ms
10.0.0.2 icmp_seq=2 time=78.000 ms
10.0.0.2 icmp_seq=3 time=79.000 ms
10.0.0.2 icmp_seq=4 time=141.000 ms
10.0.0.2 icmp_seq=5 time=110.000 ms
 
Check their translated addresses on R1; because the allocation is random, you do not know them in advance
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.0.0.11          10.0.0.1
--- 10.0.0.10          192.168.1.2        ---                ---
--- 10.0.0.12          192.168.2.2        ---                ---
 
PC3 pings PC1 and PC2
VPCS 2 >3
VPCS 3 >ping 10.0.0.10
10.0.0.10 icmp_seq=1 time=234.000 ms
10.0.0.10 icmp_seq=2 time=156.000 ms
10.0.0.10 icmp_seq=3 time=110.000 ms
10.0.0.10 icmp_seq=4 time=78.000 ms
10.0.0.10 icmp_seq=5 time=109.000 ms
 
 
VPCS 3 >ping 10.0.0.12
10.0.0.12 icmp_seq=1 time=172.000 ms
10.0.0.12 icmp_seq=2 time=125.000 ms
10.0.0.12 icmp_seq=3 time=156.000 ms
10.0.0.12 icmp_seq=4 time=187.000 ms
10.0.0.12 icmp_seq=5 time=125.000 ms
 
Check on R2
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.0.0.20          10.0.0.2
icmp 10.0.0.21:30953   172.16.1.2:30953   10.0.0.10:30953    10.0.0.10:30953
icmp 10.0.0.21:36073   172.16.1.2:36073   10.0.0.12:36073    10.0.0.12:36073
icmp 10.0.0.21:36329   172.16.1.2:36329   10.0.0.12:36329    10.0.0.12:36329
--- 10.0.0.21          172.16.1.2         ---                ---
--- 10.0.0.22          172.16.2.2         ---                ---
 
Lab 2 complete
Note: if you try to delete a pool from which addresses have already been dynamically allocated, you get
%Pool hehe in use, cannot destroy
Just clear the translations first:
R2#clear ip nat statistics
R2#clear ip nat t *
Lab 3: publish the internal network connected to R1 with PAT.
Port multiplexing: by distinguishing connections by port, all internal users reach the outside through a single public IP.
Remove the Lab 2 configuration
R1(config)#no ip nat pool haha 10.0.0.10 10.0.0.15 netmask 255.255.255.0 type rotary
R1(config)#no ip nat inside source list 1 pool haha
R2(config)#no ip nat pool hehe 10.0.0.20 10.0.0.25 netmask 255.255.255.0
R2(config)#no ip nat inside source list 1 pool hehe
 
 
Then start Lab 3
R1(config)#ip nat pool one 10.0.0.10 10.0.0.10 netmask 255.255.255.0
R1(config)#ip nat inside source list 1 pool one overload
R2(config)#ip nat pool one 10.0.0.20 10.0.0.20 netmask 255.255.255.0
R2(config)#ip nat inside source list 1 pool one overload
 
VPCS 1 >ping 10.0.0.2
10.0.0.2 icmp_seq=1 time=218.000 ms
10.0.0.2 icmp_seq=2 time=79.000 ms
10.0.0.2 icmp_seq=3 time=141.000 ms
10.0.0.2 icmp_seq=4 time=234.000 ms
10.0.0.2 icmp_seq=5 time=140.000 ms
 
VPCS 4 >ping 10.0.0.1
10.0.0.1 icmp_seq=1 time=172.000 ms
10.0.0.1 icmp_seq=2 time=172.000 ms
10.0.0.1 icmp_seq=3 time=171.000 ms
10.0.0.1 icmp_seq=4 time=141.000 ms
10.0.0.1 icmp_seq=5 time=125.000 ms
 
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.0.0.10:38131   192.168.1.2:38131  10.0.0.2:38131     10.0.0.2:38131
icmp 10.0.0.10:38387   192.168.1.2:38387  10.0.0.2:38387     10.0.0.2:38387
icmp 10.0.0.10:38899   192.168.2.2:38899  10.0.0.2:38899     10.0.0.2:38899
icmp 10.0.0.10:39155   192.168.2.2:39155  10.0.0.2:39155     10.0.0.2:39155
 
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.0.0.20:31219   172.16.1.2:31219   10.0.0.1:31219     10.0.0.1:31219
icmp 10.0.0.20:31475   172.16.1.2:31475   10.0.0.1:31475     10.0.0.1:31475
icmp 10.0.0.20:33523   172.16.2.2:33523   10.0.0.1:33523     10.0.0.1:33523
icmp 10.0.0.20:33779   172.16.2.2:33779   10.0.0.1:33779     10.0.0.1:33779
 
If you have only one public IP, overload the s1/0 interface address directly:
ip nat inside source list 1 interface s1/0 overload
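To make the difference between the three labs concrete, here is an added example (not from the original article and not IOS code): a small model of the NAT table for static, dynamic-pool and overload (PAT) modes, using R1's addresses from this lab. It also shows the failure mode the lab does not exercise: a dynamic pool of 10.0.0.10-10.0.0.15 serves only six inside hosts at once, after which new hosts are not translated.

```python
import ipaddress

def pool_range(first, last):
    """Expand an 'ip nat pool' start/end into a list of addresses."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]

class NatTable:
    """Simplified model of a router NAT table (one of three modes)."""
    def __init__(self, mode, pool=None, static=None):
        self.mode = mode                  # "static", "dynamic" or "overload"
        self.pool = list(pool or [])      # inside-global addresses available
        self.static = dict(static or {})  # inside local -> inside global
        self.entries = {}                 # translations created so far

    def translate(self, inside_local, port=None):
        """Return the inside-global address (address, port for PAT) for a packet,
        or None when the packet is not translated."""
        if self.mode == "static":
            # Lab 1: fixed one-to-one mappings; unmapped hosts are left alone
            return self.static.get(inside_local)
        if self.mode == "dynamic":
            # Lab 2: first free pool address is bound to the host until cleared
            if inside_local in self.entries:
                return self.entries[inside_local]
            used = set(self.entries.values())
            free = [ip for ip in self.pool if ip not in used]
            if not free:
                return None               # pool exhausted: no translation
            self.entries[inside_local] = free[0]
            return free[0]
        # Lab 3 (overload): every host shares pool[0]; the source port (or
        # ICMP id) is kept when free, otherwise the next free port is used
        key = (inside_local, port)
        if key not in self.entries:
            used_ports = {p for _, p in self.entries.values()}
            new_port = port
            while new_port in used_ports:
                new_port += 1
            self.entries[key] = (self.pool[0], new_port)
        return self.entries[key]

if __name__ == "__main__":
    pat = NatTable("overload", pool=["10.0.0.10"])
    print(pat.translate("192.168.1.2", 38131))  # ('10.0.0.10', 38131)
    print(pat.translate("192.168.2.2", 38131))  # port collides -> 38132
```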
Finally, a summary of NAT's advantages and disadvantages
Principle: translate inside addresses, translate outside addresses, PAT, and resolve address-overlap problems.
Advantages: saves IP addresses, can handle overlapping address ranges, adds flexibility, avoids renumbering, and hides internal IP addresses.
Disadvantages: adds latency, loses end-to-end IP traceability, cannot support some specific applications (e.g. SNMP), needs more memory to store NAT entries, and needs more CPU to process NAT.