The topology is as follows:

[Figure: one-to-one NAT topology]

First, set up the lab environment:

PC1:192.168.1.2

PC2:111.111.111.2

R1:

Router>en

Router#confi t

Router(config)#host R1

R1(config)#int fa0/0

R1(config-if)#ip add 192.168.1.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#int s0/0

R1(config-if)#ip add 222.222.222.1 255.255.255.0

R1(config-if)#clock rate 56000

R1(config-if)#no shut

R1(config-if)#int s0/1

R1(config-if)#exit

R1(config)#int fa0/0

R1(config-if)#ip nat inside

R1(config-if)#int s0/0

R1(config-if)#ip nat outside

R1(config)#ip nat inside source static 192.168.1.2 222.222.222.1    (map to the egress interface address)

R2:

Router>en

Router#confi t

Router(config)#host R2

R2(config)#int s0/1

R2(config-if)#ip add 222.222.222.2 255.255.255.0

R2(config-if)#no shut

R2(config-if)#int fa0/0

R2(config-if)#ip add 111.111.111.1 255.255.255.0

R2(config-if)#no shut

R2(config-if)#exit

First, test from PC2:

PC>ping 222.222.222.1

Pinging 222.222.222.1 with 32 bytes of data:

Request timed out.

Reply from 222.222.222.1: bytes=32 time=94ms TTL=126

Reply from 222.222.222.1: bytes=32 time=94ms TTL=126

Reply from 222.222.222.1: bytes=32 time=94ms TTL=126

Ping statistics for 222.222.222.1:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 94ms, Maximum = 94ms, Average = 94ms

PC>

On R1, run debug ip nat; the output is as follows:

NAT*: s=111.111.111.2, d=222.222.222.1->192.168.1.2[0]

NAT*: s=111.111.111.2, d=222.222.222.1->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.1, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=222.222.222.1->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.1, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=222.222.222.1->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.1, d=111.111.111.2[0]

The test succeeded.

Next, use another address from the same subnet for NAT:

R1(config)#no ip nat inside source static 192.168.1.2 222.222.222.1

R1(config)#ip nat inside source static 192.168.1.2 222.222.222.18

Test again, from PC2:

PC>ping 222.222.222.18

Pinging 222.222.222.18 with 32 bytes of data:

Reply from 222.222.222.18: bytes=32 time=125ms TTL=126

Reply from 222.222.222.18: bytes=32 time=94ms TTL=126

Reply from 222.222.222.18: bytes=32 time=94ms TTL=126

Reply from 222.222.222.18: bytes=32 time=93ms TTL=126

Ping statistics for 222.222.222.18:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 93ms, Maximum = 125ms, Average = 101ms

PC>

Check on R1:

NAT*: s=111.111.111.2, d=222.222.222.18->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.18, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=222.222.222.18->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.18, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=222.222.222.18->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.18, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=222.222.222.18->192.168.1.2[0]

NAT: s=192.168.1.2->222.222.222.18, d=111.111.111.2[0]

The test succeeded.

Next, use an address from a different subnet for NAT:

R1(config)#no ip nat inside source static 192.168.1.2 222.222.222.18

R1(config)#ip nat inside source static 192.168.1.2 88.88.88.88

Test from PC2:

PC>ping 88.88.88.88

Pinging 88.88.88.88 with 32 bytes of data:

Reply from 111.111.111.1: Destination host unreachable.

Reply from 111.111.111.1: Destination host unreachable.

Reply from 111.111.111.1: Destination host unreachable.

Reply from 111.111.111.1: Destination host unreachable.

Ping statistics for 88.88.88.88:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

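Because the ISP has no route for 88.88.88.88, it does not know where to send the packets. Add a default route on R2 that sends the packets back to R1's egress interface; R1 then looks them up in its NAT table and can translate the address.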

On R2:

R2(config)#ip route 0.0.0.0 0.0.0.0 222.222.222.1

Test again from PC2:

PC>ping 88.88.88.88

Pinging 88.88.88.88 with 32 bytes of data:

Reply from 88.88.88.88: bytes=32 time=94ms TTL=126

Reply from 88.88.88.88: bytes=32 time=94ms TTL=126

Reply from 88.88.88.88: bytes=32 time=93ms TTL=126

Reply from 88.88.88.88: bytes=32 time=94ms TTL=126

Ping statistics for 88.88.88.88:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 93ms, Maximum = 94ms, Average = 93ms

PC>

Observe on R1:

NAT*: s=111.111.111.2, d=88.88.88.88->192.168.1.2[0]

NAT: s=192.168.1.2->88.88.88.88, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=88.88.88.88->192.168.1.2[0]

NAT: s=192.168.1.2->88.88.88.88, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=88.88.88.88->192.168.1.2[0]

NAT: s=192.168.1.2->88.88.88.88, d=111.111.111.2[0]

NAT*: s=111.111.111.2, d=88.88.88.88->192.168.1.2[0]

NAT: s=192.168.1.2->88.88.88.88, d=111.111.111.2[0]

The test succeeded.

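Analysis: as long as routing is in place (that is, normal communication is possible), NAT is just an address alias: one address is substituted for another.

It is recommended to map the NAT inside address to the egress interface address or to an address in the same subnet (that way, the ISP already has a route).

In theory another subnet can also be used, but only if that subnet does not appear anywhere at the ISP. If it does appear, the packets are sent toward that other route and the address translation never happens. If the ISP has no route for it, a default route must be added at the ISP that sends the traffic back to the internal network's egress router; only then can the address be translated. Of course, this setup is never used in practice: an ISP would not point a default route at a small access network.

In general, NAT maps to the egress interface address or to an address in that subnet.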
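
The routing condition from the analysis above, as an added example that is not part of the original post: a simplified Python model of R2's routing table that reports whether packets for a NAT global address would be handed to R1. The function names are hypothetical, and the 88.88.88.0/24 route with next hop 111.111.111.254 is constructed to show the "subnet already exists at the ISP" case.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; routes is a list of (prefix, next_hop), next_hop None = connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def check_global(isp_routes, global_ip, nat_router_ip):
    """Would the ISP router hand packets for the NAT global address to the NAT router?"""
    hit = lookup(isp_routes, global_ip)
    if hit is None:
        return "unreachable"      # no route: the ISP answers "Destination host unreachable"
    net, next_hop = hit
    nat_router = ipaddress.ip_address(nat_router_ip)
    if next_hop is None:
        # Connected route: delivered only if the NAT router sits on that same link.
        return "delivered" if nat_router in net else "misrouted"
    # Static route: delivered only if its next hop is the NAT router itself.
    return "delivered" if ipaddress.ip_address(next_hop) == nat_router else "misrouted"

R1_OUTSIDE = "222.222.222.1"
# R2's connected networks as configured in the lab.
R2_BEFORE = [("222.222.222.0/24", None), ("111.111.111.0/24", None)]
# After "ip route 0.0.0.0 0.0.0.0 222.222.222.1" on R2.
R2_AFTER = R2_BEFORE + [("0.0.0.0/0", R1_OUTSIDE)]
# Constructed case: the ISP already routes 88.88.88.0/24 somewhere else.
R2_CONFLICT = R2_AFTER + [("88.88.88.0/24", "111.111.111.254")]

if __name__ == "__main__":
    cases = [
        ("egress address", R2_BEFORE, "222.222.222.1"),
        ("same subnet", R2_BEFORE, "222.222.222.18"),
        ("other subnet, no route", R2_BEFORE, "88.88.88.88"),
        ("other subnet, default route", R2_AFTER, "88.88.88.88"),
        ("other subnet, routed elsewhere", R2_CONFLICT, "88.88.88.88"),
    ]
    for label, table, ip in cases:
        print(f"{label:32} {ip:16} {check_global(table, ip, R1_OUTSIDE)}")
```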