Cisco does not define NAT behaviour with a technical notion like Linux's "pre/post routing"; it defines it entirely in terms of domains: one side of the router belongs to inside, the other to outside. Every NAT configuration then falls into one of just four types:
1> Translate the source address when going from inside to outside
2> Translate the destination address when going from inside to outside
3> Translate the source address when going from outside to inside
4> Translate the destination address when going from outside to inside
Types 1 and 4 imply each other (one is the return traffic of the other), as do types 2 and 3.
Experiment 1: static one-to-one NAT
PC configuration:
PC#conf t
PC(config)#no ip routing
PC(config)#ip default-gateway 192.168.0.1
PC(config)#int fa0/0
PC(config-if)#ip add 192.168.0.100 255.255.255.0
PC(config-if)#no sh
PC(config-if)#exit
Server configuration:
Server#conf t
Server(config)#no ip routing
Server(config)#ip default-gateway 192.168.0.1
Server(config)#int fa0/0
Server(config-if)#ip add 192.168.0.80 255.255.255.0
Server(config-if)#no sh
Server(config-if)#exit
Internet configuration:
Internet#conf t
Internet(config)#int fa0/0
Internet(config-if)#ip add 202.100.100.100 255.255.255.0
Internet(config-if)#no sh
Internet(config-if)#exit
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat inside //Mark the interface facing the internal network as the inside interface and enable NAT on it
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat outside //Mark the interface facing the external network as the outside interface and enable NAT on it
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip nat inside source static 192.168.0.80 202.100.100.80 //Statically translate the inside source address 192.168.0.80 one-to-one to 202.100.100.80. It could be translated to the outside interface's own IP 202.100.100.1 instead, but then every outside connection to 202.100.100.1 would be redirected to the Server. That is acceptable only if the inside network needs no Internet access and offers no other services; otherwise it disrupts the inside network, so it is not recommended.
Test and verification:
PC#ping 202.100.100.100 //The PC is not translated
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Server#ping 202.100.100.100 //The Server reaches the outside Internet directly
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/70/124 ms
Internet#ping 202.100.100.80 //The Internet host reaches the inside Server directly through its public IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.80, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/77/152 ms
PC#ping 202.100.100.80 //The PC can reach the inside server through its public IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.80, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/39/140 ms
R1#debug ip nat //Debug the translations on R1. For ICMP packets NAT rewrites the ICMP ID to achieve a many-to-few mapping
IP NAT debugging is on
*Mar 1 00:12:25.683: NAT*: s=192.168.0.80->202.100.100.80, d=202.100.100.100 [0]
*Mar 1 00:12:26.655: NAT*: s=192.168.0.80->202.100.100.80, d=202.100.100.100 [1]
*Mar 1 00:12:26.751: NAT*: s=202.100.100.100, d=202.100.100.80->192.168.0.80 [1]
*Mar 1 00:12:26.815: NAT*: s=192.168.0.80->202.100.100.80, d=202.100.100.100 [2]
R1#sh ip nat translations //Show the translation table
Pro Inside global Inside local Outside local Outside global
icmp 202.100.100.80:1 192.168.0.80:1 202.100.100.100:1 202.100.100.100:1
--- 202.100.100.80 192.168.0.80 --- ---
Experiment 2: dynamic NAT
PC1 configuration:
PC1#conf t
PC1(config)#no ip routing
PC1(config)#ip default-gateway 192.168.0.1
PC1(config)#int fa0/0
PC1(config-if)#ip add 192.168.0.100 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC2 configuration:
PC2#conf t
PC2(config)#no ip routing
PC2(config)#ip default-gateway 192.168.0.1
PC2(config)#int fa0/0
PC2(config-if)#ip add 192.168.0.101 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
PC3 configuration:
PC3#conf t
PC3(config)#no ip routing
PC3(config)#ip default-gateway 192.168.0.1
PC3(config)#int fa0/0
PC3(config-if)#ip add 192.168.0.50 255.255.255.0
PC3(config-if)#no sh
PC3(config-if)#exit
Internet configuration:
Internet#conf t
Internet(config)#int fa0/0
Internet(config-if)#ip add 202.100.100.100 255.255.255.0
Internet(config-if)#no sh
Internet(config-if)#exit
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip access-list standard nat //Define the range of inside addresses that may be translated
R1(config-std-nacl)#10 permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#20 deny any
R1(config-std-nacl)#exit
R1(config)#ip nat pool global-pool 202.100.100.2 202.100.100.3 netmask 255.255.255.0 //Create an address pool holding only two public IPs.
R1(config)#ip nat inside source list nat pool global-pool //Create a dynamic translation: inside addresses matching the ACL are translated to one of the public IPs in the pool. Dynamic NAT mappings are temporary; a mapping that goes unused for a while is deleted and its public IP released. Note that only as many hosts as there are IPs in the pool can be online at the same time; any other host must wait for a temporary mapping to expire before it can be translated to the released public IP.
R1(config)#ip nat translation timeout 10 //Set the dynamic NAT timeout to 10 s (the default is 24 hours): a mapping idle for 10 s is deleted. This makes testing easier.
Test and verification:
PC1#ping 202.100.100.100 //PC1 is translated first and obtains a public IP from the pool, so it can reach the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/96/172 ms
PC2#ping 202.100.100.100 //PC2 is translated second and obtains the second public IP from the pool, so it can reach the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/90/148 ms
PC3#ping 202.100.100.100 r 100 //The pool is exhausted, so PC3 must wait for another inside user's temporary mapping to expire before it can use the released public IP to reach the Internet.
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 50 percent (50/100)
R1#debug ip nat
IP NAT debugging is on
*Mar 1 00:42:20.671: NAT*: s=192.168.0.100->202.100.100.2, d=202.100.100.100 [1]
*Mar 1 00:42:22.795: NAT*: s=202.100.100.100, d=202.100.100.2->192.168.0.100 [2]
*Mar 1 00:52:35.259: NAT*: s=192.168.0.101->202.100.100.3, d=202.100.100.100 [5]
*Mar 1 00:52:35.367: NAT*: s=202.100.100.100, d=202.100.100.3->192.168.0.101 [5]
*Mar 1 01:07:28.083: NAT: translation failed (A), dropping packet s=192.168.0.50 d=202.100.100.100 [158] //Rejected: no free address in the pool
*Mar 1 01:07:28.091: NAT: translation failed (A), dropping packet s=192.168.0.50 d=202.100.100.100 [159]
*Mar 1 01:07:59.007: NAT: expiring 202.100.100.2 (192.168.0.100) icmp 3 (3) //The mapping expires and is removed, releasing the public IP
*Mar 1 01:08:01.059: NAT: expiring 202.100.100.3 (192.168.0.101) icmp 2 (2)
*Mar 1 01:08:06.463: NAT*: s=192.168.0.50->202.100.100.2, d=202.100.100.100 [160]
*Mar 1 01:08:06.579: NAT*: s=202.100.100.100, d=202.100.100.2->192.168.0.50 [160]
*Mar 1 01:08:06.659: NAT*: s=192.168.0.50->202.100.100.2, d=202.100.100.100 [161]
R1#sh access-lists //Show the ACL
Standard IP access list nat
10 permit 192.168.0.0, wildcard bits 0.0.0.255 (303 matches)
20 deny any
R1#sh ip nat translations //Note that the mappings are cleared after the 10 s timeout
Pro Inside global Inside local Outside local Outside global
icmp 202.100.100.2:4 192.168.0.100:4 202.100.100.100:4 202.100.100.100:4
--- 202.100.100.2 192.168.0.100 --- ---
icmp 202.100.100.3:3 192.168.0.101:3 202.100.100.100:3 202.100.100.100:3
--- 202.100.100.3 192.168.0.101 --- ---
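As an added illustration (not part of the original lab notes), the following Python script parses debug ip nat lines in the format shown above and reports which inside host currently holds each pool address, how addresses were reused after a mapping expired, and which hosts had packets dropped because the pool was exhausted. The log lines are constructed after experiment 2's output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of R1's "debug ip nat" output from experiment 2.
SAMPLE_LOG = """\
*Mar  1 00:42:20.671: NAT*: s=192.168.0.100->202.100.100.2, d=202.100.100.100 [1]
*Mar  1 00:42:22.795: NAT*: s=202.100.100.100, d=202.100.100.2->192.168.0.100 [2]
*Mar  1 00:52:35.259: NAT*: s=192.168.0.101->202.100.100.3, d=202.100.100.100 [5]
*Mar  1 01:07:28.083: NAT: translation failed (A), dropping packet s=192.168.0.50 d=202.100.100.100 [158]
*Mar  1 01:07:28.091: NAT: translation failed (A), dropping packet s=192.168.0.50 d=202.100.100.100 [159]
*Mar  1 01:07:59.007: NAT: expiring 202.100.100.2 (192.168.0.100) icmp 3 (3)
*Mar  1 01:08:06.463: NAT*: s=192.168.0.50->202.100.100.2, d=202.100.100.100 [160]
"""

# Outbound translation line: inside local -> inside global, destination untouched.
OUTBOUND = re.compile(r"s=(?P<local>[\d.]+)->(?P<glob>[\d.]+), d=(?P<dst>[\d.]+)")
# Pool exhaustion: IOS drops the packet and prints a failure code ("A" in experiment 2).
DROP = re.compile(r"translation failed \((?P<code>\w+)\), dropping packet s=(?P<src>[\d.]+)")
# Idle timeout: the global address is handed back to the pool.
EXPIRE = re.compile(r"expiring (?P<glob>[\d.]+) \((?P<local>[\d.]+)\)")


def summarize(log):
    """Walk the debug output in order and return (active, history, drops):
    active  - inside global -> inside local currently holding it
    history - inside global -> every inside local that held it, in order
    drops   - inside local -> packets dropped for lack of a free pool address"""
    active, history, drops = {}, defaultdict(list), Counter()
    for line in log.splitlines():
        if m := DROP.search(line):
            drops[m["src"]] += 1
        elif m := EXPIRE.search(line):
            active.pop(m["glob"], None)
        elif m := OUTBOUND.search(line):
            if active.get(m["glob"]) != m["local"]:      # first packet of a new binding
                active[m["glob"]] = m["local"]
                history[m["glob"]].append(m["local"])
    return active, dict(history), dict(drops)


def pool_exhausted(drops):
    """True when any inside host was refused a translation, the symptom PC3 showed."""
    return any(n > 0 for n in drops.values())


if __name__ == "__main__":
    active, history, drops = summarize(SAMPLE_LOG)
    print("active bindings :", active)
    print("address reuse   :", history)
    print("dropped per host:", drops, "- pool exhausted" if pool_exhausted(drops) else "")
```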
Experiment 3: NAT with port multiplexing (PAT)
PC1 configuration:
PC1#conf t
PC1(config)#no ip routing
PC1(config)#ip default-gateway 192.168.0.1
PC1(config)#int fa0/0
PC1(config-if)#ip add 192.168.0.100 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC2 configuration:
PC2#conf t
PC2(config)#no ip routing
PC2(config)#ip default-gateway 192.168.0.1
PC2(config)#int fa0/0
PC2(config-if)#ip add 192.168.0.101 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
Internet configuration:
Internet#conf t
Internet(config)#int fa0/0
Internet(config-if)#ip add 202.100.100.100 255.255.255.0
Internet(config-if)#no sh
Internet(config-if)#exit
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip access-list standard nat //Define the range of inside IPs that may be translated
R1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#deny any
R1(config-std-nacl)#exit
R1(config)#ip nat inside source list nat interface fa0/1 overload //Enable port-overloaded NAT on the outside interface to translate our inside IPs
Test and verification:
PC1#ping 202.100.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/153/372 ms
PC2#ping 202.100.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/124/388 ms
R1#debug ip nat
*Mar 1 00:15:31.883: NAT*: s=192.168.0.100->202.100.100.1, d=202.100.100.100 [25]
*Mar 1 00:15:32.107: NAT*: s=202.100.100.100, d=202.100.100.1->192.168.0.100 [25]
*Mar 1 00:16:18.395: NAT*: s=192.168.0.101->202.100.100.1, d=202.100.100.100 [45]
*Mar 1 00:16:18.639: NAT*: s=202.100.100.100, d=202.100.100.1->192.168.0.101 [45]
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.100.100.1:4 192.168.0.100:4 202.100.100.100:4 202.100.100.100:4
icmp 202.100.100.1:5 192.168.0.101:4 202.100.100.100:4 202.100.100.100:5
R1#sh access-lists
Standard IP access list nat
10 permit 192.168.0.0, wildcard bits 0.0.0.255 (4 matches)
20 deny any
Experiment 4: dynamic NAT with port multiplexing
PC1 configuration:
PC1#conf t
PC1(config)#no ip routing
PC1(config)#ip default-gateway 192.168.0.1
PC1(config)#int fa0/0
PC1(config-if)#ip add 192.168.0.101 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC2 configuration:
PC2#conf t
PC2(config)#no ip routing
PC2(config)#ip default-gateway 192.168.0.1
PC2(config)#int fa0/0
PC2(config-if)#ip add 192.168.0.102 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
PC3 configuration:
PC3#conf t
PC3(config)#no ip routing
PC3(config)#ip default-gateway 192.168.0.1
PC3(config)#int fa0/0
PC3(config-if)#ip add 192.168.0.103 255.255.255.0
PC3(config-if)#no sh
PC3(config-if)#exit
Internet configuration:
Internet#conf t
Internet(config)#int fa0/0
Internet(config-if)#ip add 202.100.100.100 255.255.255.0
Internet(config-if)#no sh
Internet(config-if)#exit
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip access-list standard go-internet
R1(config-std-nacl)#10 permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#20 deny any
R1(config-std-nacl)#exit
R1(config)#ip nat pool public-ip 202.100.100.80 202.100.100.81 prefix-length 24
R1(config)#ip nat inside source list go-internet pool public-ip overload //The overload keyword is the key: it enables port multiplexing
Test and verification:
PC1#ping 202.100.100.100 r 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 28/46/108 ms
PC2#ping 202.100.100.100 r 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 28/55/80 ms
PC3#ping 202.100.100.100 r 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 40/154/1056 ms
R1#debug ip nat //All three hosts reach the Internet at the same time while using only one of the IPs in the public pool
IP NAT debugging is on
*Mar 1 00:13:27.883: NAT*: s=202.100.100.100, d=202.100.100.80->192.168.0.101 [9]
*Mar 1 00:13:27.887: NAT*: ICMP id=0->1
*Mar 1 00:13:27.887: NAT*: s=192.168.0.102->202.100.100.80, d=202.100.100.100 [1]
*Mar 1 00:13:27.895: NAT*: ICMP id=2->0
*Mar 1 00:13:27.895: NAT*: s=202.100.100.100, d=202.100.100.80->192.168.0.103 [1]
*Mar 1 00:13:27.903: NAT*: ICMP id=1->0
*Mar 1 00:13:27.903: NAT*: s=202.100.100.100, d=202.100.100.80->192.168.0.102 [1]
*Mar 1 00:13:27.911: NAT*: ICMP id=0->2
*Mar 1 00:13:27.911: NAT*: s=192.168.0.103->202.100.100.80, d=202.100.100.100 [
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.100.100.80:1 192.168.0.101:1 202.100.100.100:1 202.100.100.100:1
icmp 202.100.100.80:0 192.168.0.102:1 202.100.100.100:1 202.100.100.100:0
icmp 202.100.100.80:2 192.168.0.103:1 202.100.100.100:1 202.100.100.100:2
Experiment 5: network address and port translation (NAPT)
PC configuration:
PC#conf t
PC(config)#no ip routing
PC(config)#ip default-gateway 192.168.0.1
PC(config)#int fa0/0
PC(config-if)#ip add 192.168.0.100 255.255.255.0
PC(config-if)#no sh
PC(config-if)#exit
Server configuration:
Server#conf t
Server(config)#no ip routing
Server(config)#ip default-gateway 192.168.0.1
Server(config)#int fa0/0
Server(config-if)#ip add 192.168.0.80 255.255.255.0
Server(config-if)#no sh
Server(config-if)#exit
Internet configuration:
Internet#conf t
Internet(config)#int fa0/0
Internet(config-if)#ip add 202.100.100.100 255.255.255.0
Internet(config-if)#no sh
Internet(config-if)#exit
Internet(config)#ip http server
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip access-list standard nat //Define the range of inside IPs that may be translated
R1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#deny any
R1(config-std-nacl)#exit
R1(config)#ip nat inside source list nat interface fa0/1 overload //Enable port multiplexing so inside users can reach the Internet
R1(config)#ip nat inside source static tcp 192.168.0.80 80 202.100.100.1 80 //Expose the Server's web port 80 by mapping it to port 80 of our outside IP.
Test and verification:
PC#ping 202.100.100.100 //The PC can reach the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/130/216 ms
PC#telnet 202.100.100.1 80 //The PC cannot reach the LAN server through the outside IP (note): this is the well-known hairpin (NAT loopback) problem
Trying 202.100.100.1, 80 ...
% Connection refused by remote host
Internet#telnet 202.100.100.1 80 //The outside can reach port 80 of the inside server
Trying 202.100.100.1, 80 ... Open
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:15:36 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 202.100.100.1 closed by foreign host]
Server#ping 202.100.100.100 //The Server can reach the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/108/324 ms
R1#debug ip nat
IP NAT debugging is on
*Mar 1 00:13:40.583: NAT: s=192.168.0.100->202.100.100.1, d=202.100.100.100 [0]
*Mar 1 00:13:41.559: NAT*: s=192.168.0.100->202.100.100.1, d=202.100.100.100 [1]
*Mar 1 00:14:43.879: NAT*: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [59621]
*Mar 1 00:14:44.039: NAT*: s=192.168.0.80->202.100.100.1, d=202.100.100.100 [5521]
*Mar 1 00:14:44.299: NAT*: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [59622]
*Mar 1 00:14:44.367: NAT*: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [59623]
*Mar 1 00:25:08.591: NAT*: s=192.168.0.80->202.100.100.1, d=202.100.100.100 [4]
*Mar 1 00:25:08.611: NAT*: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [4]
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.100.100.1:1 192.168.0.80:1 202.100.100.100:1 202.100.100.100:1
tcp 202.100.100.1:80 192.168.0.80:80 202.100.100.100:35356 202.100.100.100:35356
tcp 202.100.100.1:80 192.168.0.80:80 --- ---
icmp 202.100.100.1:2 192.168.0.100:2 202.100.100.100:2 202.100.100.100:2
R1#sh access-lists
Standard IP access list nat
10 permit 192.168.0.0, wildcard bits 0.0.0.255 (6 matches)
20 deny any
Experiment 6: domainless NAT (NAT Virtual Interface, NVI) (recommended)
PC configuration:
PC#conf t
PC(config)#no ip routing
PC(config)#ip default-gateway 192.168.0.1
PC(config)#int fa0/0
PC(config-if)#ip add 192.168.0.100 255.255.255.0
PC(config-if)#no sh
PC(config-if)#exit
Server configuration:
Server#conf t
Server(config)#no ip routing
Server(config)#ip default-gateway 192.168.0.1
Server(config)#int fa0/0
Server(config-if)#ip add 192.168.0.80 255.255.255.0
Server(config-if)#no sh
Server(config-if)#exit
Server(config)#ip http server
Internet configuration:
Internet#conf t
Internet(config)#int fa0/0
Internet(config-if)#ip add 202.100.100.100 255.255.255.0
Internet(config-if)#no sh
Internet(config-if)#exit
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat enable //Enable NAT on the interface; note that there is no inside/outside domain
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat enable //Enable NAT on the interface; note that there is no inside/outside domain
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip access-list standard Internet
R1(config-std-nacl)#10 permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#20 deny any
R1(config-std-nacl)#exit
R1(config)#ip nat source list Internet int fa0/1 overload //Note: no domain is specified
R1(config)#ip nat source static tcp 192.168.0.80 80 202.100.100.1 80 //Note: no domain is specified
Test and verification:
PC#ping 202.100.100.100 //The PC can reach the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/120/192 ms
Server#ping 202.100.100.100 //The Server can reach the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/310/1160 ms
Internet#telnet 202.100.100.1 80 //The outside can reach the Server's port 80 service
Trying 202.100.100.1, 80 ... Open
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:21:03 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 202.100.100.1 closed by foreign host]
PC#telnet 202.100.100.1 80 //The PC can now reach the Server's port 80 service through the outside IP
Trying 202.100.100.1, 80 ... Open
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:26:32 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 202.100.100.1 closed by foreign host]
R1#debug ip nat //Debug NAT
*Mar 1 00:19:15.107: NAT*: s=192.168.0.100->202.100.100.1, d=202.100.100.100 [19]
*Mar 1 00:19:15.211: NAT: s=202.100.100.100, d=202.100.100.1->192.168.0.100 [19]
*Mar 1 00:19:32.875: NAT*: s=192.168.0.80->202.100.100.1, d=202.100.100.100 [0]
*Mar 1 00:19:32.963: NAT: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [0]
*Mar 1 00:20:19.479: NAT: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [11992]
*Mar 1 00:20:19.595: NAT*: s=192.168.0.80->202.100.100.1, d=202.100.100.100 [4167]
*Mar 1 00:20:19.659: NAT: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [11993]
*Mar 1 00:20:19.667: NAT: s=202.100.100.100, d=202.100.100.1->192.168.0.80 [11994]
*Mar 1 00:22:25.551: NAT: s=192.168.0.100->202.100.100.1, d=202.100.100.1 [2180]
*Mar 1 00:22:25.555: NAT: s=202.100.100.1, d=202.100.100.1->192.168.0.80 [2180]
*Mar 1 00:22:25.663: NAT: s=192.168.0.80->202.100.100.1, d=202.100.100.1 [908]
*Mar 1 00:22:25.667: NAT: s=202.100.100.1, d=202.100.100.1->192.168.0.100 [908]
R1#sh ip nat nvi translations //Show the NVI translations
Pro Source global Source local Destin local Destin global
icmp 202.100.100.1:1 192.168.0.80:1 202.100.100.100:1 202.100.100.100:1
tcp 202.100.100.1:80 192.168.0.80:80 --- ---
icmp 202.100.100.1:4 192.168.0.100:4 202.100.100.100:4 202.100.100.100:4
tcp 202.100.100.1:40023 192.168.0.100:40023 202.100.100.1:80 192.168.0.80:80
tcp 202.100.100.100:63747 202.100.100.100:63747 202.100.100.1:80 192.168.0.80:80
R1#sh access-lists //Show the ACL
Standard IP access list Internet
10 permit 192.168.0.0, wildcard bits 0.0.0.255 (8 matches)
20 deny any (2 matches)
With ip nat inside source, a packet travelling from the inside interface to the outside interface is routed first and then translated, whereas a packet travelling from the outside interface to the inside interface is translated first and then routed: the processing order depends on the direction the packet takes.
With ip nat source, the interfaces that need NAT are configured with ip nat enable. A packet going from one interface to another is routed, then translated, then routed again (the first routing step is only a lookup against the routing table with no actual forwarding; the second is the real forwarding decision). The processing is the same no matter which interface the packet enters or leaves through.
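The two orderings just described, as an added model in Python (not Cisco code and not part of the original notes). The addresses and NAT rules are those of experiments 5 and 6; the model shows why the PC's hairpin connection to 202.100.100.1:80 is refused by the router itself under domain NAT but reaches the Server under NVI. Only the configured rules are modelled, not the dynamic state that translates returning replies.

```python
from dataclasses import dataclass, replace

# Addressing and NAT rules of experiments 5 and 6, taken from the page.
ROUTER_IPS = {"fa0/0": "192.168.0.1", "fa0/1": "202.100.100.1"}
INSIDE_NET = "192.168.0."                    # ACL nat / Internet: permit 192.168.0.0 0.0.0.255
PAT_IP = ROUTER_IPS["fa0/1"]                 # ... interface fa0/1 overload
STATIC_TCP = {("192.168.0.80", 80): ("202.100.100.1", 80)}   # static tcp 192.168.0.80 80 202.100.100.1 80
STATIC_TCP_REV = {g: l for l, g in STATIC_TCP.items()}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def route(dst):
    """Lookup against R1's two connected networks; None means the address is R1's own."""
    if dst in ROUTER_IPS.values():
        return None
    return "fa0/0" if dst.startswith(INSIDE_NET) else "fa0/1"


def nat_src(p):
    """Source rules: the static 80/tcp entry wins, otherwise PAT for ACL-permitted inside hosts.
    The source port is kept; IOS reassigns it only on a collision (experiment 4's ICMP ids)."""
    if (p.src, p.sport) in STATIC_TCP:
        return replace(p, src=STATIC_TCP[(p.src, p.sport)][0])
    if p.src.startswith(INSIDE_NET):
        return replace(p, src=PAT_IP)
    return p


def nat_dst(p):
    """Destination rule: global 202.100.100.1:80 back to the Server. Dynamic PAT state
    for returning replies is not modelled, only the configured rules."""
    if (p.dst, p.dport) in STATIC_TCP_REV:
        return replace(p, dst=STATIC_TCP_REV[(p.dst, p.dport)][0])
    return p


def domain_nat(p, in_if):
    """ip nat inside/outside (experiment 5): inside->outside is route then NAT,
    outside->inside is NAT then route. Returns (egress interface or 'local', packet)."""
    if in_if == "fa0/0":
        egress = route(p.dst)
        if egress != "fa0/1":                 # never leaves via the outside domain: no NAT at all
            return egress or "local", p       # 'local' = IOS itself answers (refused on port 80)
        return egress, nat_src(p)
    p = nat_dst(p)
    return route(p.dst) or "local", p


def nvi_nat(p):
    """ip nat enable on both interfaces (experiment 6): the first lookup only checks
    reachability, then both rule sets apply regardless of direction, then the real route."""
    route(p.dst)                              # lookup only; it does not decide delivery
    p = nat_dst(nat_src(p))
    return route(p.dst) or "local", p


if __name__ == "__main__":
    hairpin = Pkt("192.168.0.100", 40023, "202.100.100.1", 80)   # PC -> Server via the public IP
    print("domain NAT:", domain_nat(hairpin, "fa0/0"))           # ('local', ...) -> connection refused
    print("NVI       :", nvi_nat(hairpin))                       # ('fa0/0', src and dst both rewritten)
```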
Experiment 7: resolving overlapping network addresses with NAT
PC1 configuration:
PC1#conf t
PC1(config)#no ip routing
PC1(config)#ip default-gateway 192.168.0.1
PC1(config)#int fa0/0
PC1(config-if)#ip add 192.168.0.101 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC2 configuration:
PC2#conf t
PC2(config)#no ip routing
PC2(config)#ip default-gateway 192.168.0.1
PC2(config)#int fa0/0
PC2(config-if)#ip add 192.168.0.101 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
R1 configuration:
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 202.100.100.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 172.168.20.0 255.255.255.0 202.100.100.2 //Note: add a route towards the peer side's inside global addresses
R1(config)#ip nat inside source static 192.168.0.101 172.168.10.101
R2 configuration:
R2#conf t
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.0.1 255.255.255.0
R2(config-if)#ip nat inside
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#int fa0/1
R2(config-if)#ip add 202.100.100.2 255.255.255.0
R2(config-if)#ip nat outside
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#ip route 172.168.10.0 255.255.255.0 202.100.100.1 //Note: add a route towards the peer side's inside global addresses
R2(config)#ip nat inside source static 192.168.0.101 172.168.20.101
Test and verification:
PC1#ping 172.168.20.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.20.101, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 40/40/40 ms
PC2#ping 172.168.10.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.10.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/258/1100 ms
R1#debug ip nat
IP NAT debugging is on
*Mar 1 00:14:49.599: NAT*: s=192.168.0.101->172.168.10.101, d=172.168.20.101 [1]
*Mar 1 00:14:51.103: NAT*: s=172.168.20.101, d=172.168.10.101->192.168.0.101 [0]
*Mar 1 00:14:51.151: NAT*: s=192.168.0.101->172.168.10.101, d=172.168.20.101 [0]
*Mar 1 00:14:51.203: NAT*: s=172.168.20.101, d=172.168.10.101->192.168.0.101 [1]
R2#debug ip nat
IP NAT debugging is on
*Mar 1 00:14:48.267: NAT*: s=172.168.10.101, d=172.168.20.101->192.168.0.101 [1]
*Mar 1 00:14:49.723: NAT*: s=192.168.0.101->172.168.20.101, d=172.168.10.101 [0]
*Mar 1 00:14:49.795: NAT*: s=172.168.10.101, d=172.168.20.101->192.168.0.101 [0]
*Mar 1 00:14:49.843: NAT*: s=192.168.0.101->172.168.20.101, d=172.168.10.101 [1]
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.168.10.101:1 192.168.0.101:1 172.168.20.101:1 172.168.20.101:1
--- 172.168.10.101 192.168.0.101 --- ---
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.168.20.101:1 192.168.0.101:1 172.168.10.101:1 172.168.10.101:1
--- 172.168.20.101 192.168.0.101 --- ---