1 Configuring static NAT
R1 configuration:
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Create static translations between the inside local and inside global addresses
R1(config)#ip nat inside source static 192.168.1.1 172.16.1.1
R1(config)#ip nat inside source static 192.168.1.2 172.16.1.2
(4) Enable NAT on the inside and outside interfaces
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
(5) Configure a default route
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
R2 configuration:
R2>en
R2#conf t
R2(config)#int s1/1
R2(config-if)#ip address 1.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip address 2.2.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
(6) Verification
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/254/336 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.1:7      192.168.1.1:7      2.2.2.2:7          2.2.2.2:7
--- 172.16.1.1         192.168.1.1        ---                ---
--- 172.16.1.2         192.168.1.2        ---                ---
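After PC1 pings PC3, running show ip nat translations on R1 shows that the NAT translation has been performed successfully.
When the inside local address 192.168.1.1 reaches the router, NAT translates it to the inside global address 172.16.1.1. From PC3's point of view, it is communicating with 172.16.1.1.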
R1#debug ip nat
IP NAT debugging is on
R1#
*Mar  1 01:13:06.659: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [25]
*Mar  1 01:13:06.803: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [25]
*Mar  1 01:13:06.995: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [26]
*Mar  1 01:13:07.163: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [26]
*Mar  1 01:13:07.235: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [27]
*Mar  1 01:13:07.395: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [27]
*Mar  1 01:13:07.443: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [28]
*Mar  1 01:13:07.575: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [28]
*Mar  1 01:13:07.603: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [29]
*Mar  1 01:13:07.735: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [29]
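After PC2 pings PC3, running debug ip nat on R1 shows the translation in more detail: the source address 192.168.1.2 is translated to 172.16.1.2 when it reaches the router, and communicates with PC3 (2.2.2.2) using that address.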
2 Configuring dynamic NAT
Before configuring, first remove the static NAT configured in task 1.
R1:
R1(config)#no ip nat inside source static 192.168.1.1 172.16.1.1
R1(config)#no ip nat inside source static 192.168.1.2 172.16.1.2
R1(config)#int f0/0
R1(config-if)#no ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#no ip nat outside
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Define the access control list of inside addresses allowed to access the outside network
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(4) Define the pool of legal IP addresses
R1(config)#ip nat pool test1 10.0.0.1 10.0.0.3 netmask 255.255.255.0
(5) Apply the network address translation
R1(config)#ip nat inside source list 1 pool test1
(6) Enable NAT on the inside and outside interfaces
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
(7) Verification:
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 264/298/332 ms
PC2:
PC2#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/280/384 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.0.0.1:10       192.168.1.1:10     2.2.2.2:10         2.2.2.2:10
--- 10.0.0.1           192.168.1.1        ---                ---
icmp 10.0.0.2:7        192.168.1.2:7      2.2.2.2:7          2.2.2.2:7
--- 10.0.0.2           192.168.1.2        ---                ---
3 Configuring PAT
  Inside global address to use: 10.10.10.10/24
R1#conf t
R1(config)#no ip nat inside source list 1 pool test1
R1(config)#no access-list 1
R1(config)#no ip nat pool test1
R1(config)#int f0/0
R1(config-if)#no ip nat inside
R1(config)#int s1/0
R1(config-if)#no ip nat outside
R1(config-if)#end
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Define the access control list of inside addresses allowed to access the outside network
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(4) Define the pool of legal IP addresses
R1(config)#ip nat pool test2 10.10.10.10 10.10.10.10 netmask 255.255.255.0
(5) Configure overloaded dynamic address translation
R1(config)#ip nat inside source list 1 pool test2 overload
(6) Enable NAT on the inside and outside interfaces
R1(config)#int s1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#int f0/0
R1(config-if)#ip nat inside
(7) Verification:
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/289/500 ms
PC2:
PC2#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/270/492 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.10.10.10:11    192.168.1.1:11     2.2.2.2:11         2.2.2.2:11
icmp 10.10.10.10:8     192.168.1.2:8      2.2.2.2:8          2.2.2.2:8
As shown, the inside hosts on the LAN all share the inside global address 10.10.10.10.
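Added example (not part of the original lab): with PAT every inside host appears as 10.10.10.10, so mapping an address seen on the outside back to an inside host needs the port (for ICMP, the identifier) as well as the IP. The Python below parses show ip nat translations output, using rows copied from the tables on this page into one constructed sample; the function and field names are assumptions of this example.

```python
# Constructed sample: rows copied from the static NAT, dynamic NAT and PAT
# verification outputs on this page, merged into one table for illustration.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.1:7      192.168.1.1:7      2.2.2.2:7          2.2.2.2:7
--- 172.16.1.1         192.168.1.1        ---                ---
--- 10.0.0.2           192.168.1.2        ---                ---
icmp 10.10.10.10:11    192.168.1.1:11     2.2.2.2:11         2.2.2.2:11
icmp 10.10.10.10:8     192.168.1.2:8      2.2.2.2:8          2.2.2.2:8
"""

def split_endpoint(field):
    """'10.10.10.10:11' -> ('10.10.10.10', 11); '10.0.0.2' -> ('10.0.0.2', None)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, int(port) if port else None

def parse_translations(text):
    """Parse 'show ip nat translations' output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # skip the header, blank lines and malformed rows
        g_ip, g_port = split_endpoint(cols[1])
        l_ip, l_port = split_endpoint(cols[2])
        entries.append({"proto": None if cols[0] == "---" else cols[0],
                        "global_ip": g_ip, "global_port": g_port,
                        "local_ip": l_ip, "local_port": l_port})
    return entries

def attribute(entries, global_ip, port=None):
    """Return the inside local IPs that could be behind global_ip[:port].

    For ICMP rows the 'port' column is the ICMP identifier.
    """
    hits = set()
    for e in entries:
        if e["global_ip"] != global_ip:
            continue
        # Rows without a port (static or plain dynamic NAT) match any port.
        if port is None or e["global_port"] in (None, port):
            hits.add(e["local_ip"])
    return hits
```

Dynamic and PAT entries age out of the table, so attribution after the fact depends on a table capture or translation log taken while the flow was active.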
   Overloading the router's outside interface address
R1:
R1#conf t
R1(config)#no ip nat inside source list 1 pool test2
R1(config)#no access-list 1
R1(config)#no ip nat pool test2
R1(config)#int f0/0
R1(config-if)#no ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#no ip nat outside
R1(config-if)#end
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Define the access control list of inside addresses allowed to access the outside network
R1(config)#access-list 2 permit 192.168.1.0 0.0.0.255
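(4) Because the outside interface address is used, there is no need to define an IP address pool
(5) Configure overloaded dynamic address translation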
R1(config)#ip nat inside source list 2 interface s1/0 overload
(6) Enable NAT on the inside and outside interfaces
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
(7) Verification
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/316/424 ms
PC2:
PC2#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/297/356 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:13        192.168.1.1:13     2.2.2.2:13         2.2.2.2:13
icmp 1.1.1.1:9         192.168.1.2:9      2.2.2.2:9          2.2.2.2:9