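NAT (Network Address Translation)
Original
© Copyright belongs to the author: this is an original work by 51CTO blog author hitns. Contact the author for permission to repost; otherwise legal liability will be pursued.
Implementing NAT between internal addresses and public addresses on the edge router
NAT configuration requirements:
- Following the network topology diagram, configure the layer-3 switch: create the VLANs, assign an appropriate IP address to each VLAN, and add the interfaces to the corresponding VLANs so that hosts in all VLANs can route to each other correctly;
- Configure the IP addresses of the router interfaces and enable them; configure the address of the layer-3 switch interface facing the router and enable that interface;
- On the edge router, designate the NAT outside and inside interfaces;
- Configure the IP addresses of all PCs and servers;
- Define the NAT outside address pool;
- Write the access control list that permits the inside subnets to be translated;
- Implement dynamic NAT;
- Implement static NAT (one-to-one);
- Implement static port NAT (a given externally visible application maps to a specific inside server address).
Topology diagram:
Configuration code:
S1 configuration and steps: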
en
conf t
hostname s1
no ip domain-lookup
vlan 2
exit
vlan 3
exit
vlan 4
exit
vlan 5
exit
int f0/1
switch access vlan 2
int f0/2
switch access vlan 3
int f0/3
switch access vlan 4
int f0/5
switch access vlan 5
int f0/4
no switchport
ip address 192.168.6.2 255.255.255.252
no shut
exit
int vlan 2
ip address 192.168.2.254 255.255.255.0
int vlan 3
ip address 192.168.3.254 255.255.255.0
int vlan 4
ip address 192.168.4.254 255.255.255.0
int vlan 5
ip address 192.168.5.254 255.255.255.0
ip routing
router ospf 5021
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
network 192.168.6.0 0.0.0.3 area 0
exit
ip route 0.0.0.0 0.0.0.0 192.168.6.1
R1 configuration and steps:
en
conf t
hostname r1
no ip domain-lookup
int g0/0
ip address 192.168.6.1 255.255.255.252
no shut
exit
int g0/1
ip address 202.120.80.2 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 202.120.80.1
! A default route is required to reach the WAN
router ospf 5021
network 192.168.6.0 0.0.0.3 area 0
exit
! Address translation
! Designate the outside interface for translation
int g0/1
ip nat outside
!exit
! Designate the inside interface for translation
int g0/0
ip nat inside
exit
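! Define the outside address pool used for translation
ip nat pool global 202.120.80.3 202.120.80.5 netmask 255.255.255.0
! Define the inside addresses that may be translated (ACL 1)
access-list 1 permit 192.168.2.0 0.0.0.255
! Enable NAT: translate the inside addresses matched by ACL 1 to the outside pool
ip nat inside source list 1 pool global overload
! Add VLAN 3, VLAN 4 and VLAN 5 so they can reach the outside network
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
! Map an outside address to an inside address (static one-to-one translation)
ip nat inside source static 192.168.2.1 202.120.80.6
! One-to-one binding of an outside address to an inside address
ip nat inside source static 192.168.3.1 202.120.80.7
! Use NAT to let the outside network reach a specific application on an inside server
! Allow the public network to reach the web application (TCP port 80) on a specific inside host
ip nat inside source static tcp 192.168.5.1 80 202.120.80.6 80
! Allow the public network to reach the FTP application (TCP port 21) on a specific inside host
ip nat inside source static tcp 192.168.5.1 21 202.120.80.6 21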
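The static rules above decide which inside hosts become reachable from the public side, so they are worth reviewing before deployment. The following Python script is an added example, not part of the original post: it parses R1's NAT statements (copied from the configuration above) and reports hosts exposed on all ports by a one-to-one mapping, static addresses that fall inside the dynamic pool, and port forwards that reuse an outside address already bound one-to-one to a different host. The function names `parse_nat` and `audit` are illustrative.

```python
import ipaddress
import re

# R1's NAT statements from the configuration above, embedded so the script runs offline.
R1_NAT_CONFIG = """\
ip nat pool global 202.120.80.3 202.120.80.5 netmask 255.255.255.0
ip nat inside source list 1 pool global overload
ip nat inside source static 192.168.2.1 202.120.80.6
ip nat inside source static 192.168.3.1 202.120.80.7
ip nat inside source static tcp 192.168.5.1 80 202.120.80.6 80
ip nat inside source static tcp 192.168.5.1 21 202.120.80.6 21
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+$")
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(tcp|udp) (\S+) (\d+) (\S+) (\d+)|(\S+) (\S+))$")

def parse_nat(config):
    """Return (pools, statics) parsed from IOS 'ip nat' lines."""
    pools, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := STATIC_RE.match(line):
            if m[1]:  # port forward: only this protocol/port is translated inbound
                statics.append((m[2], m[4], f"{m[1]}/{m[5]}"))
            else:     # one-to-one: every port of the inside host is translated inbound
                statics.append((m[6], m[7], "all"))
    return pools, statics

def audit(config):
    """Return a sorted list of findings for the parsed NAT rules."""
    pools, statics = parse_nat(config)
    findings = []
    full = {glob: inside for inside, glob, scope in statics if scope == "all"}
    for inside, glob, scope in statics:
        addr = ipaddress.ip_address(glob)
        for name, (lo, hi) in pools.items():
            if lo <= addr <= hi:
                findings.append(f"{glob} is static and also inside pool {name}")
        if scope == "all":
            findings.append(f"{inside} is fully exposed as {glob} (all ports)")
        elif glob in full and full[glob] != inside:
            findings.append(f"{glob} {scope} -> {inside} overlaps one-to-one mapping to {full[glob]}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(R1_NAT_CONFIG)))
```

On this configuration it reports four findings: 192.168.2.1 and 192.168.3.1 are reachable on every port, and both port forwards to 192.168.5.1 share 202.120.80.6 with the one-to-one mapping for 192.168.2.1.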
R2 configuration and steps:
en
conf t
hostname r2
no ip domain-lookup
int g0/0
ip address 202.120.80.1 255.255.255.0
no shut
end
debug ip icmp
Configuration results:
Topology 1:
PC1:
PC2:
PC3:
FTP Web:
R2: output of debug ip icmp
Topology 2:
Server: www.baidu.com