r1-2514(config)#ip nat inside source list 1 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

From the output above we can see that a global address must be supplied next; the source address in each packet will be replaced by this global address.

For static mappings, a protocol and port number can also be specified: When translating addresses to an interface's address, outside-initiated connections to services on the inside network (like mail) will require additional configuration to send the connection to the correct inside host. This command allows the user to map certain services to certain inside hosts.
A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping is set up, a destination address matching one of those on an access list will be replaced with an address from a rotary pool. Allocation is done on a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect).
This feature was designed to provide protocol translation load distribution. It is not designed nor intended to be used as a substitute technology for Cisco's LocalDirector product. Destination address rotary translation should not be used to provide web service load balancing because, like vanilla DNS, it knows nothing about service availability. As a result, if a web server were to go offline, the destination address rotary translation feature would continue to send requests to the downed server.
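A small simulation of the rotary behaviour just described, added here as an illustration (it is not Cisco code): TCP connections from the outside to an address matched by the access list are handed to pool members in round-robin order, an already-open connection keeps its mapping, and non-TCP packets pass untranslated. The virtual address, pool members and client addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: one virtual address on the outside (matched by
# the access list) and three real inside servers in the rotary pool.
ROTARY_ACL = ip_network("171.69.233.208/32")
ROTARY_POOL = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]


class RotaryTranslator:
    """Destination rotary translation as described in the text."""

    def __init__(self, acl, pool):
        self.acl = acl
        self.pool = list(pool)
        self.next_index = 0          # round-robin pointer into the pool
        self.connections = {}        # (src, sport, dst, dport) -> inside host

    def translate(self, proto, src, sport, dst, dport):
        """Return the destination address the packet is actually sent to."""
        # Only TCP is translated; everything else is passed untranslated.
        if proto != "tcp" or ip_address(dst) not in self.acl:
            return dst
        key = (src, sport, dst, dport)
        if key not in self.connections:
            # New outside-initiated connection: take the next pool member.
            # Note that nothing here checks whether that server is alive,
            # which is exactly the limitation the text warns about.
            self.connections[key] = self.pool[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.pool)
        return self.connections[key]


if __name__ == "__main__":
    nat = RotaryTranslator(ROTARY_ACL, ROTARY_POOL)
    for pkt in [("tcp", "10.9.9.1", 40000, "171.69.233.208", 80),
                ("tcp", "10.9.9.2", 40000, "171.69.233.208", 80),
                ("tcp", "10.9.9.1", 40000, "171.69.233.208", 80),
                ("udp", "10.9.9.3", 53, "171.69.233.208", 53)]:
        print(pkt, "->", nat.translate(*pkt))
```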
ip nat outside source { list <acl> pool <name> | static <global-ip> <local-ip> }
The first form (list..pool..) enables dynamic translation. Packets from addresses that match those on the simple access list are translated using local addresses allocated from the named pool.
The second form (static) of the command sets up a single static translation.
An example:
CONFIGURATION EXAMPLES
The following sample configuration translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.

ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The next sample configuration translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network. Packets from outside hosts addressed from 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.

ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240

This defines an inside global address pool named net-20.

ip nat pool net-10 10.0.1.0 10.0.1.255 netmask 255.255.255.0

This defines an outside local address pool named net-10.

ip nat inside source list 1 pool net-20
ip nat outside source list 1 pool net-10

Note that both the inside and the outside rule reference list 1. This means the source addresses on the two sides overlap: inside source addresses are translated to addresses from net-20 to communicate with the external 9.114.11.0 network, and outside source addresses are translated to addresses from net-10 to communicate with the 9.114.11.0 network on the inside.

!
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface Ethernet1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
Some NAT extension features:
1. A more flexible way of allocating address pools
More flexible pool configuration:
The pool configuration syntax has been extended to allow discontiguous ranges of addresses. The following syntax is now allowed:

ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type { rotary } ]

This command will put the user into IP NAT Pool configuration mode, where a sequence of address ranges can be configured. There is only one command in this mode:

address <start> <end>

Example:

Router(config)#ip nat pool fred prefix-length 24
Router(config-ipnat-pool)#address 171.69.233.225 171.69.233.226
Router(config-ipnat-pool)#address 171.69.233.228 171.69.233.238

This configuration creates a pool containing addresses 171.69.233.225-226 and 171.69.233.228-238 (171.69.233.227 has been omitted).
2. Using an interface's address, for cases where there is no fixed IP address
Translating to interface's address:
As a convenience for users wishing to translate all inside addresses to the address assigned to an interface on the router, the NAT code allows one to simply name the interface when configuring the dynamic translation rule:

ip nat inside source list <number> interface <interface> overload

If there is no address on the interface, or if the interface is not up, no translation will occur.

Example:

ip nat inside source list 1 interface Serial0 overload
3. Static translation using ports
Static translations with ports:
When translating addresses to an interface's address, outside-initiated connections to services on the inside network (like mail) will require additional configuration to send the connection to the correct inside host. This command allows the user to map certain services to certain inside hosts.

ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>

Example:

ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25

In this example, outside-initiated connections to the SMTP port (25) will be sent to the inside host 192.168.10.1.
4. Implementing a multi-ISP policy with route-maps
Support for route maps:
The dynamic translation command can now specify a route-map to be processed instead of an access-list. A route-map allows the user to match any combination of access-list, next-hop IP address, and output interface to determine which pool to use:

ip nat inside source route-map <name> pool <name>

Example:

ip nat pool provider1-space 171.69.232.1 171.69.232.254 prefix-length 24
ip nat pool provider2-space 131.108.43.1 131.108.43.254 prefix-length 24
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
interface Serial0/0
 ip nat outside
!
interface Serial0/1
 ip nat outside
!
interface Fddi1/0
 ip nat inside
!
route-map provider1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map provider2-map permit 10
 match ip address 1
 match interface Serial0/1
Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT) which is also referred to as "overload", a subset of NAT functionality.
PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group (0-511, 512-1023 or 1024-65535). If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.
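The port-selection rule in the paragraph above, written out as a simulation (an added illustration, not Cisco code): the original source port is preserved when free, otherwise the first free port in the same port group is taken, and only when that group is exhausted does the allocator move to the next inside-global address and start again with the original port. The inside-global addresses and ports used are constructed for the example.

```python
# Port groups named in the text; a translation stays inside the group of its
# original source port.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) bounds of the group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


class PatAllocator:
    """Simulates PAT port allocation over one or more inside-global addresses."""

    def __init__(self, global_addrs):
        self.global_addrs = list(global_addrs)          # tried in this order
        self.in_use = {addr: set() for addr in self.global_addrs}

    def allocate(self, src_port):
        """Return (inside_global_addr, port) for a new translation, or None
        when every address has run out of ports in the port's group."""
        low, high = port_group(src_port)
        for addr in self.global_addrs:
            used = self.in_use[addr]
            if src_port not in used:                    # preserve original port
                used.add(src_port)
                return addr, src_port
            for port in range(low, high + 1):           # first free port in group
                if port not in used:
                    used.add(port)
                    return addr, port
            # group exhausted on this address: fall through to the next one
        return None

    def allocate_many(self, src_port, count):
        """Allocate `count` translations for the same source port (for demos)."""
        return [self.allocate(src_port) for _ in range(count)]


if __name__ == "__main__":
    pat = PatAllocator(["171.69.233.208", "171.69.233.209"])   # constructed
    for _ in range(3):
        print(pat.allocate(1025))    # 1025, then 1024, then 1026 on .208
    pat.allocate_many(80, 511)       # fill the rest of group 0-511 on .208
    print(pat.allocate(80))          # now served from .209 with port 80 again
```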