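NAT Configuration
I. Lab objectives
1. Static NAT configuration
2. Dynamic NAT configuration
3. PAT configuration
II. Lab topology
III. Lab steps
R1 basic configuration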
en
conf t
no ip domain-look
int f1/0
ip add 10.1.1.1 255.255.255.0
no sh
int f0/0
ip add 192.168.1.1 255.255.255.0
no sh
exit
 
R2 basic configuration
en
conf t
no ip domain-look
int f0/0
ip add 192.168.1.2 255.255.255.0
no sh
int f1/0
ip add 172.16.1.1 255.255.255.0
no sh
exit
1. Static NAT configuration
R1
ip nat inside source static 10.1.1.2 192.168.1.10 
ip nat inside source static 10.1.1.3 192.168.1.20
int f1/0
ip nat inside
int f0/0
ip nat outside
R2
ip nat inside source static 172.16.1.2 192.168.1.30  
ip nat inside source static 172.16.1.3 192.168.1.40
int f1/0
ip nat inside
int f0/0
ip nat outside
Verification:
VPCS 1 >ping 192.168.1.2
192.168.1.2 icmp_seq=1 timeout
192.168.1.2 icmp_seq=2 time=110.000 ms
192.168.1.2 icmp_seq=3 time=62.000 ms
192.168.1.2 icmp_seq=4 time=47.000 ms
192.168.1.2 icmp_seq=5 time=62.000 ms
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.10:24510 10.1.1.2:24510    192.168.1.2:24510  192.168.1.2:24510
icmp 192.168.1.10:24766 10.1.1.2:24766    192.168.1.2:24766  192.168.1.2:24766
icmp 192.168.1.10:25022 10.1.1.2:25022    192.168.1.2:25022  192.168.1.2:25022
icmp 192.168.1.10:25278 10.1.1.2:25278    192.168.1.2:25278  192.168.1.2:25278
icmp 192.168.1.10:25534 10.1.1.2:25534    192.168.1.2:25534  192.168.1.2:25534
icmp 192.168.1.10:25790 10.1.1.2:25790    192.168.1.2:25790  192.168.1.2:25790
--- 192.168.1.10       10.1.1.2           ---                ---
--- 192.168.1.20       10.1.1.3           ---                ---
The output above shows that the inside network can now communicate with the outside network.
2. Dynamic NAT configuration
R1
conf t                                                        
access-list 1 permit 10.1.1.0 0.0.0.255                                     
ip nat pool AAA 192.168.1.100 192.168.1.150 netmask 255.255.255.0
ip nat inside source list 1 pool AAA
int f1/0
ip nat inside
int f0/0
ip nat outside
R2
conf t                                                                               
access-list 1 permit 172.16.1.0 0.0.0.255
ip nat pool BBB 192.168.1.151 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 1 pool BBB
int f1/0
ip nat inside
int f0/0
ip nat outside        
Verification:
VPCS 1 >ping 192.168.1.2
192.168.1.2 icmp_seq=1 timeout
192.168.1.2 icmp_seq=2 time=125.000 ms
192.168.1.2 icmp_seq=3 time=125.000 ms
192.168.1.2 icmp_seq=4 time=47.000 ms
192.168.1.2 icmp_seq=5 time=125.000 ms
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.100:50368 10.1.1.2:50368   192.168.1.2:50368  192.168.1.2:50368
icmp 192.168.1.100:50624 10.1.1.2:50624   192.168.1.2:50624  192.168.1.2:50624
icmp 192.168.1.100:50880 10.1.1.2:50880   192.168.1.2:50880  192.168.1.2:50880
icmp 192.168.1.100:51136 10.1.1.2:51136   192.168.1.2:51136  192.168.1.2:51136
icmp 192.168.1.100:51392 10.1.1.2:51392   192.168.1.2:51392  192.168.1.2:51392
icmp 192.168.1.100:51648 10.1.1.2:51648   192.168.1.2:51648  192.168.1.2:51648
--- 192.168.1.100      10.1.1.2           ---                ---
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.100      10.1.1.2           ---                ---
icmp 192.168.1.101:10180 10.1.1.3:10180   192.168.1.2:10180  192.168.1.2:10180
icmp 192.168.1.101:10436 10.1.1.3:10436   192.168.1.2:10436  192.168.1.2:10436
icmp 192.168.1.101:10692 10.1.1.3:10692   192.168.1.2:10692  192.168.1.2:10692
icmp 192.168.1.101:10948 10.1.1.3:10948   192.168.1.2:10948  192.168.1.2:10948
icmp 192.168.1.101:11204 10.1.1.3:11204   192.168.1.2:11204  192.168.1.2:11204
icmp 192.168.1.101:11460 10.1.1.3:11460   192.168.1.2:11460  192.168.1.2:11460
--- 192.168.1.101      10.1.1.3           ---                ---
Router#
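The output above shows that the inside hosts were dynamically assigned outside IP addresses from the address pool (by default, from the lowest address upward).
3. PAT configuration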
R1
conf t                                                            
access-list 1 permit 10.1.1.0 0.0.0.255                                            
! define the address pool
ip nat pool ABC 192.168.1.20 192.168.1.20 netmask 255.255.255.0
ip nat inside source list 1 pool ABC overload
int f1/0
ip nat inside
int f0/0
ip nat outside
end
R2
conf t                                                             
access-list 1 permit 172.16.1.0 0.0.0.255                         
! specify the interface (its address is used as the inside global address)
ip nat inside source list 1 int f0/0 overload
int f1/0
ip nat inside
int f0/0
ip nat outside
end
Verification:
VPCS 1 >ping 192.168.1.2
192.168.1.2 icmp_seq=1 time=172.000 ms
192.168.1.2 icmp_seq=2 time=62.000 ms
192.168.1.2 icmp_seq=3 time=94.000 ms
192.168.1.2 icmp_seq=4 time=78.000 ms
192.168.1.2 icmp_seq=5 time=62.000 ms
VPCS 2 >ping 192.168.1.2
192.168.1.2 icmp_seq=1 time=125.000 ms
192.168.1.2 icmp_seq=2 time=93.000 ms
192.168.1.2 icmp_seq=3 time=94.000 ms
192.168.1.2 icmp_seq=4 time=62.000 ms
192.168.1.2 icmp_seq=5 time=93.000 ms
VPCS 3 >ping 192.168.1.1
192.168.1.1 icmp_seq=1 time=141.000 ms
192.168.1.1 icmp_seq=2 time=47.000 ms
192.168.1.1 icmp_seq=3 time=78.000 ms
192.168.1.1 icmp_seq=4 time=78.000 ms
192.168.1.1 icmp_seq=5 time=62.000 ms
VPCS 4 >ping 192.168.1.1
192.168.1.1 icmp_seq=1 time=110.000 ms
192.168.1.1 icmp_seq=2 time=94.000 ms
192.168.1.1 icmp_seq=3 time=62.000 ms
192.168.1.1 icmp_seq=4 time=78.000 ms
192.168.1.1 icmp_seq=5 time=125.000 ms
R1
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.20:7625 10.1.1.2:7625      192.168.1.2:7625   192.168.1.2:7625
icmp 192.168.1.20:7881 10.1.1.2:7881      192.168.1.2:7881   192.168.1.2:7881
icmp 192.168.1.20:8137 10.1.1.2:8137      192.168.1.2:8137   192.168.1.2:8137
icmp 192.168.1.20:8393 10.1.1.2:8393      192.168.1.2:8393   192.168.1.2:8393
icmp 192.168.1.20:8649 10.1.1.2:8649      192.168.1.2:8649   192.168.1.2:8649
icmp 192.168.1.20:8905 10.1.1.2:8905      192.168.1.2:8905   192.168.1.2:8905
icmp 192.168.1.20:10185 10.1.1.3:10185    192.168.1.2:10185  192.168.1.2:10185
icmp 192.168.1.20:10697 10.1.1.3:10697    192.168.1.2:10697  192.168.1.2:10697
icmp 192.168.1.20:10953 10.1.1.3:10953    192.168.1.2:10953  192.168.1.2:10953
icmp 192.168.1.20:11209 10.1.1.3:11209    192.168.1.2:11209  192.168.1.2:11209
icmp 192.168.1.20:11465 10.1.1.3:11465    192.168.1.2:11465  192.168.1.2:11465
icmp 192.168.1.20:11721 10.1.1.3:11721    192.168.1.2:11721  192.168.1.2:11721
R2
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.2:13001 172.16.1.2:13001   192.168.1.1:13001  192.168.1.1:13001
icmp 192.168.1.2:13257 172.16.1.2:13257   192.168.1.1:13257  192.168.1.1:13257
icmp 192.168.1.2:13769 172.16.1.2:13769   192.168.1.1:13769  192.168.1.1:13769
icmp 192.168.1.2:14025 172.16.1.2:14025   192.168.1.1:14025  192.168.1.1:14025
icmp 192.168.1.2:14281 172.16.1.2:14281   192.168.1.1:14281  192.168.1.1:14281
icmp 192.168.1.2:14537 172.16.1.2:14537   192.168.1.1:14537  192.168.1.1:14537
icmp 192.168.1.2:15817 172.16.1.3:15817   192.168.1.1:15817  192.168.1.1:15817
icmp 192.168.1.2:16073 172.16.1.3:16073   192.168.1.1:16073  192.168.1.1:16073
icmp 192.168.1.2:16329 172.16.1.3:16329   192.168.1.1:16329  192.168.1.1:16329
icmp 192.168.1.2:16585 172.16.1.3:16585   192.168.1.1:16585  192.168.1.1:16585
icmp 192.168.1.2:16841 172.16.1.3:16841   192.168.1.1:16841  192.168.1.1:16841
icmp 192.168.1.2:17097 172.16.1.3:17097   192.168.1.1:17097  192.168.1.1:17097
The results show the flexibility of PAT: multiple hosts share a single public IP address and are distinguished by port number.
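Because PAT hides several inside hosts behind one address, attributing an outside-facing log entry to a host requires the translation table. The following Python parser for the `sh ip nat translations` format is an added example, not part of the original lab; the function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: rows in the format of the R1 PAT table above, plus one
# static entry in the format of the static NAT table (abridged).
SAMPLE = """\
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.20:7625 10.1.1.2:7625      192.168.1.2:7625   192.168.1.2:7625
icmp 192.168.1.20:7881 10.1.1.2:7881      192.168.1.2:7881   192.168.1.2:7881
icmp 192.168.1.20:10185 10.1.1.3:10185    192.168.1.2:10185  192.168.1.2:10185
--- 192.168.1.10       10.1.1.2           ---                ---
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")

def endpoint(field):
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> None."""
    m = ENDPOINT.match(field)
    return (m.group(1), int(m.group(2)) if m.group(2) else None) if m else None

def parse_translations(text):
    """Parse translation rows; the prompt, header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or endpoint(f[1]) is None or endpoint(f[2]) is None:
            continue
        rows.append({"proto": f[0], "inside_global": endpoint(f[1]),
                     "inside_local": endpoint(f[2])})
    return rows

def attribute(rows, global_ip, global_port):
    """Which inside host was behind global_ip:global_port? None if no entry."""
    fallback = None
    for r in rows:
        ip, port = r["inside_global"]
        if ip == global_ip and port == global_port:
            return r["inside_local"][0]      # exact PAT (ip, port) entry
        if ip == global_ip and port is None:
            fallback = r["inside_local"][0]  # one-to-one entry, any port
    return fallback

def hosts_per_global(rows):
    """Inside hosts seen behind each inside global address (more than one means PAT)."""
    shared = defaultdict(set)
    for r in rows:
        shared[r["inside_global"][0]].add(r["inside_local"][0])
    return dict(shared)
```

For the icmp rows the number after the colon is the ICMP query identifier, which NAT uses in place of a port. Dynamic entries age out, so the table has to be captured close to the time of the event being attributed.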
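IV. Lab summary
All three methods achieve address translation; of the three, PAT is the most widely used.
How NAT works:
   When a host on the inside network wants to send data to the outside network, it first sends the packet to the NAT router. The router examines the packet header, obtains the packet's source IP address, finds the translation entry in its NAT mapping table that matches that IP, replaces the inside local address with the selected inside global address (a globally unique IP address), and forwards the packet.
   When the outside network replies to the inside host, the packet is sent to the NAT router. On receiving a packet whose destination address is an inside global address, the router uses that inside global address to look up the inside local address in the NAT mapping table, then replaces the packet's destination address with the inside local address and forwards the packet to the inside host.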
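The two lookups described above can be modelled in a few lines. This Python sketch is an added example, not router code and not part of the original lab: the class and method names are hypothetical, the addresses are the lab's, and the way a port collision is resolved under overload (take the next free port) is a simplifying assumption.

```python
import ipaddress

class NatRouter:
    """Toy model of inside source NAT with a pool, with or without overload (PAT)."""

    def __init__(self, pool_first, pool_last, overload=False):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool_first, pool_last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.overload = overload
        self.to_global = {}  # inside local key  -> inside global key
        self.to_local = {}   # inside global key -> inside local key

    def outbound(self, src_ip, src_port):
        """Rewrite the source of an inside->outside packet; None if the pool is exhausted."""
        local = (src_ip, src_port if self.overload else None)
        if local not in self.to_global:
            if self.overload:
                ip, port = self.free[0], src_port
                while (ip, port) in self.to_local:   # assumption: take the next free port
                    port = port % 65535 + 1
                glob = (ip, port)
            elif self.free:
                glob = (self.free.pop(0), None)      # lowest free address first
            else:
                return None
            self.to_global[local], self.to_local[glob] = glob, local
        ip, port = self.to_global[local]
        return ip, (src_port if port is None else port)

    def inbound(self, dst_ip, dst_port):
        """Rewrite the destination of an outside->inside packet; None means no entry."""
        glob = (dst_ip, dst_port if self.overload else None)
        local = self.to_local.get(glob)
        if local is None:
            return None      # no matching translation, nothing to forward inside
        ip, port = local
        return ip, (dst_port if port is None else port)

if __name__ == "__main__":
    pat = NatRouter("192.168.1.20", "192.168.1.20", overload=True)
    print(pat.outbound("10.1.1.2", 7625), pat.outbound("10.1.1.3", 7625))
    print(pat.inbound("192.168.1.20", 7626), pat.inbound("192.168.1.20", 9999))
```

An inbound packet whose destination has no entry in the table returns None here, which is why the dynamic and PAT configurations only pass outside traffic that answers a flow started from inside, while a static entry is reachable from outside at any time.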