Lab demonstration
Lab topology:
Experiment 1: Static NAT
R1 simulates a PC
Basic configuration:
ip nat inside source static 10.0.0.1 20.0.0.1 // define the translation mapping
interface Serial1/0 // inside interface
ip address 10.0.0.2 255.255.255.0
ip nat inside
interface Serial1/1 // outside interface
ip address 20.0.0.1 255.255.255.0
ip nat outside
Experiment 2: Dynamic NAT
access-list 1 permit # // define the addresses to be translated
ip nat pool 1 20.0.0.1 20.0.0.2 netmask 255.255.255.0 // define the translation address pool
ip nat inside source list 1 pool 1 // bind the pool to the ACL
Question: when 3 or more inside addresses ping at the same time, can they all communicate normally?
Hint: the translation fails and NAT drops the packet. Because there are only 2 outside addresses, only 2 inside addresses can be translated; to translate a 3rd address, one of the first 2 translations must first be released. This shows that this kind of translation is very limited. To translate many addresses into one address we need a new translation method: NAT overload.
Experiment 3: NAT overload (multiplexed NAT)
Drawing on the pool addresses over and over is in fact a PAT technique: multiple ports of a single logical address are used for the translation.
ip nat inside source list 1 pool 1 overload
Experiment 4: Port Address Redirection (PAR)
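As an added example, not part of the original lab notes, the following Python model reproduces the behaviour behind the question above and the overload keyword: with the lab's two-address pool, dynamic NAT refuses a third inside host until an entry expires, while PAT multiplexes every host onto one address by port. The pool is the lab's; the inside host addresses, the port values and the first-fit order are assumptions, since IOS chooses its own.

```python
class InsideSourceNat:
    """Model of 'ip nat inside source list 1 pool <pool> [overload]' (not IOS code).
    Dynamic NAT: one pool address per inside host. PAT: pool[0] plus a unique port."""

    def __init__(self, pool, overload=False):
        self.pool = list(pool)     # inside global addresses, e.g. 20.0.0.1-20.0.0.2
        self.overload = overload   # True = PAT (the 'overload' keyword)
        self.table = {}            # inside-local key -> inside-global value
        self.dropped = 0           # packets that hit "translation failed (E)"

    def translate(self, inside_local, port):
        """Return the inside global (ip, port) for a flow, or None if dropped."""
        if self.overload:
            return self._translate_pat(inside_local, port)
        return self._translate_dynamic(inside_local, port)

    def _translate_dynamic(self, inside_local, port):
        # Dynamic NAT: a host owns a whole pool address until the entry ages out.
        if inside_local not in self.table:
            free = [ip for ip in self.pool if ip not in self.table.values()]
            if not free:
                self.dropped += 1  # pool exhausted: the packet is dropped
                return None
            self.table[inside_local] = free[0]
        return (self.table[inside_local], port)

    def _translate_pat(self, inside_local, port):
        # PAT: every flow shares pool[0]; the translated port keeps flows apart.
        key = (inside_local, port)
        if key not in self.table:
            global_ip = self.pool[0]
            used = {p for ip, p in self.table.values() if ip == global_ip}
            global_port = port
            while global_port in used:   # keep the source port unless it collides
                global_port += 1
            self.table[key] = (global_ip, global_port)
        return self.table[key]

    def expire(self, inside_local):
        """Age out a host's entries, as 'ip nat translation timeout' would."""
        host_of = (lambda k: k[0]) if self.overload else (lambda k: k)
        self.table = {k: v for k, v in self.table.items() if host_of(k) != inside_local}


def demo():
    """Three constructed inside hosts against the two-address pool from the question."""
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    dynamic = InsideSourceNat(["20.0.0.1", "20.0.0.2"])
    pat = InsideSourceNat(["20.0.0.1", "20.0.0.2"], overload=True)
    return ([dynamic.translate(h, 22) for h in hosts],    # third host -> None
            [pat.translate(h, 22) for h in hosts])        # all three succeed
```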
R2(config)#ip nat inside source ?
list Specify access list describing local addresses
route-map Specify route-map
static Specify static local->global mapping
ip nat inside source static tcp 192.168.1.1 80 20.0.0.2 80 exten // redirect web access
Implementation of the experiments:
1. Implementing static NAT:
Configuration:
-----------------------------------------------R1------------------------------------------------
hostname R1
no ip domain lookup
interface Loopback0
ip address 10.1.1.2 255.255.255.0 secondary
ip address 10.1.1.3 255.255.255.0 secondary
ip address 10.1.1.4 255.255.255.0 secondary
ip address 10.1.1.1 255.255.255.0
ip nat inside // NAT inside interface (where the traffic comes from)
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
ip nat outside // NAT outside interface (where the traffic comes in)
ip route 23.1.1.0 255.255.255.0 FastEthernet0/0 // static route with an exit interface
ip nat inside source static 10.1.1.1 12.1.1.1 // static translation between the inside local and inside global address
ip nat inside source static 10.1.1.2 12.1.1.3
line con 0
exec-timeout 0 0
logging synchronous
end
--------------------------------------------------R2---------------------------------------------
hostname R2
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
interface FastEthernet1/0
ip address 23.1.1.2 255.255.255.0
line con 0
exec-timeout 0 0
logging synchronous
end
*R1 only needs the basic configuration.
-----------------------------------------------R3-PC-------------------------------------------
hostname R3
no ip routing // disable routing to simulate a PC
no ip domain lookup
interface FastEthernet0/0
ip address 23.1.1.3 255.255.255.0
no ip route-cache
ip default-gateway 23.1.1.2 // the PC's gateway, i.e. the IP address on R2's F1/0
line con 0
exec-timeout 0 0
logging synchronous
end
Verification:
R1#show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  12.1.1.1       10.1.1.1      ---            ---
---  12.1.1.3       10.1.1.2      ---            ---
*The output above is the NAT table; with static mappings the entries are always present.
Use debug ip nat to watch the address translation process:
R1#ping 23.1.1.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/62/80 ms
R1#
*Mar 1 00:57:09.307: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [53]
*Mar 1 00:57:09.387: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [53]
*Mar 1 00:57:09.391: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [54]
*Mar 1 00:57:09.459: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [54]
*Mar 1 00:57:09.463: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [55]
*Mar 1 00:57:09.499: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [55]
*Mar 1 00:57:09.499: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [56]
*Mar 1 00:57:09.539: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [56]
*Mar 1 00:57:09.543: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [57]
*Mar 1 00:57:09.619: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [57]
The output above shows that the private address 10.1.1.1 is first translated to 12.1.1.1, and only then is 23.1.1.3 accessed.
R1#ping 23.1.1.3 source 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/76/100 ms
R1#
*Mar 1 01:02:20.319: NAT: s=10.1.1.2->12.1.1.3, d=23.1.1.3 [58]
*Mar 1 01:02:20.411: NAT*: s=23.1.1.3, d=12.1.1.3->10.1.1.2 [58]
*Mar 1 01:02:20.415: NAT: s=10.1.1.2->12.1.1.3, d=23.1.1.3 [59]
*Mar 1 01:02:20.471: NAT*: s=23.1.1.3, d=12.1.1.3->10.1.1.2 [59]
*Mar 1 01:02:20.471: NAT: s=10.1.1.2->12.1.1.3, d=23.1.1.3 [60]
*Mar 1 01:02:20.515: NAT*: s=23.1.1.3, d=12.1.1.3->10.1.1.2 [60]
*Mar 1 01:02:20.519: NAT: s=10.1.1.2->12.1.1.3, d=23.1.1.3 [61]
*Mar 1 01:02:20.619: NAT*: s=23.1.1.3, d=12.1.1.3->10.1.1.2 [61]
*Mar 1 01:02:20.623: NAT: s=10.1.1.2->12.1.1.3, d=23.1.1.3 [62]
*Mar 1 01:02:20.699: NAT*: s=23.1.1.3, d=12.1.1.3->10.1.1.2 [62]
==============================================================
2. Configuring dynamic NAT:
-----------------------------------------------R1-----------------------------------------
R1(config)#ip nat pool D_NAT 12.1.1.1 12.1.1.3 prefix-length 24 // the dynamic NAT address pool, 3 addresses in total
R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255 // the inside addresses allowed to be translated dynamically
R1(config)#ip nat inside source list 1 pool D_NAT // the dynamic NAT mapping, binding the pool to the ACL
R1(config)#int loo 0
R1(config-if)#ip nat inside
R1(config-if)#int f0/0
R1(config-if)#ip nat outside
Verification:
R1#ping 23.1.1.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/76 ms
R1#
*Mar 1 01:40:17.251: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [108]
*Mar 1 01:40:17.327: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [108]
*Mar 1 01:40:17.331: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [109]
*Mar 1 01:40:17.395: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [109]
*Mar 1 01:40:17.399: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [110]
*Mar 1 01:40:17.455: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [110]
*Mar 1 01:40:17.459: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [111]
*Mar 1 01:40:17.495: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [111]
*Mar 1 01:40:17.499: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [112]
*Mar 1 01:40:17.535: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [112]
Let's look at the NAT table:
R1#show ip nat translations
Pro   Inside global  Inside local  Outside local  Outside global
icmp  12.1.1.1:22    10.1.1.1:22   23.1.1.3:22    23.1.1.3:22
---   12.1.1.1       10.1.1.1      ---            ---
icmp  12.1.1.2:21    10.1.1.2:21   23.1.1.3:21    23.1.1.3:21
---   12.1.1.2       10.1.1.2      ---            ---
*Dynamic NAT entries have a lifetime; they are not permanently in the NAT table and are created only when in use.
R1#ping 23.1.1.3 source 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.4
*Mar 1 01:45:08.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
*Mar 1 01:45:10.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
*Mar 1 01:45:12.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
*Mar 1 01:45:14.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
*Mar 1 01:45:16.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
Success rate is 0 percent (0/5)
*The output above shows that when the dynamic NAT pool has no free address left for a mapping, packets are dropped as shown.
*The timeout can be changed with this command:
R1(config)#ip nat translation timeout <timeout> // the timeout parameter ranges from 0 to 2147483
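As an added example that is not part of the original notes, this Python parser reads debug ip nat lines in the two formats shown on this page (the outbound/inbound translation lines from the static NAT test and the translation failed lines from the dynamic NAT test) and counts drops per inside host, which is the quickest way to spot an exhausted pool from logs before confirming it with show ip nat statistics. The sample lines are constructed from the lab's output; the event field names and the drop threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of 'debug ip nat' output, in the format shown in the lab.
SAMPLE_DEBUG = """\
*Mar 1 01:40:17.251: NAT: s=10.1.1.1->12.1.1.1, d=23.1.1.3 [108]
*Mar 1 01:40:17.327: NAT*: s=23.1.1.3, d=12.1.1.1->10.1.1.1 [108]
*Mar 1 01:45:08.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
*Mar 1 01:45:10.371: NAT: translation failed (E), dropping packet s=10.1.1.4 d=23.1.1.3.
"""

# Inside -> outside: the source is rewritten (inside local -> inside global).
OUT_RE = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]")
# Outside -> inside: the destination is rewritten back (inside global -> inside local).
IN_RE = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]")
# Drop: no free pool address; the trailing '.' after the destination is optional.
FAIL_RE = re.compile(r"translation failed \((\w)\), dropping packet s=(\S+) d=(\S+?)\.?$")


def parse_nat_debug(text):
    """Return (events, drops): one dict per translated packet, and a Counter
    of inside-local sources whose packets NAT dropped."""
    events, drops = [], Counter()
    for line in text.splitlines():
        m = OUT_RE.search(line)
        if m:
            events.append({"dir": "out", "inside_local": m[1], "inside_global": m[2],
                           "outside": m[3], "ip_id": int(m[4])})
            continue
        m = IN_RE.search(line)
        if m:
            events.append({"dir": "in", "outside": m[1], "inside_global": m[2],
                           "inside_local": m[3], "ip_id": int(m[4])})
            continue
        m = FAIL_RE.search(line)
        if m:
            drops[m[2]] += 1
    return events, drops


def exhaustion_suspects(drops, threshold=2):
    """Inside hosts dropped at least `threshold` times (assumed threshold): the
    log-side symptom of an exhausted dynamic pool."""
    return sorted(host for host, n in drops.items() if n >= threshold)
```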
R1#show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 0 extended) // 3 active translation entries
Outside interfaces:
FastEthernet0/0
Inside interfaces:
Loopback0
Hits: 134 Misses: 0
CEF Translated packets: 59, CEF Punted packets: 0
Expired translations: 15
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool D_NAT refcount 3
pool D_NAT: netmask 255.255.255.0
start 12.1.1.1 end 12.1.1.3
type generic, total addresses 3, allocated 3 (100%), misses 10
Queued Packets: 0
========================================================
3. Implementing PAT:
-----------------------------------------------R1-----------------------------------
R1#clear ip nat translation * // clear the NAT table built above
R1(config)#ip nat inside source list 1 pool D_NAT overload // configure PAT
Verification:
R1#ping 23.1.1.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/71/104 ms
R1#ping 23.1.1.3 source 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/59/72 ms
R1#ping 23.1.1.3 source 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/64/80 ms
R1#ping 23.1.1.3 source 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/62/100 ms
*All of the private addresses are now translated to a public address and can communicate.
R1#show ip nat translations
Pro   Inside global  Inside local  Outside local  Outside global
icmp  12.1.1.1:32    10.1.1.1:32   23.1.1.3:32    23.1.1.3:32
icmp  12.1.1.1:31    10.1.1.2:31   23.1.1.3:31    23.1.1.3:31
icmp  12.1.1.1:33    10.1.1.2:33   23.1.1.3:33    23.1.1.3:33
icmp  12.1.1.1:29    10.1.1.3:29   23.1.1.3:29    23.1.1.3:29
icmp  12.1.1.1:30    10.1.1.4:30   23.1.1.3:30    23.1.1.3:30
*The output above shows that under PAT each entry records the protocol type and the port used; whether it is a ping or web access, the inside global address is always 12.1.1.1 but the port numbers differ.
R1#show ip nat statistics
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
Loopback0
Hits: 274 Misses: 0
CEF Translated packets: 129, CEF Punted packets: 0
Expired translations: 24
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool D_NAT refcount 5
pool D_NAT: netmask 255.255.255.0
start 12.1.1.1 end 12.1.1.3
type generic, total addresses 3, allocated 1 (33%), misses 10
Queued Packets: