Cisco: the order of multiple NAT entries

Cisco's NAT process differs from H3C's. On Cisco, NAT is configured in global configuration mode, whereas on H3C NAT is configured directly on the interface (the NAT entry applied to an interface filters traffic on that interface only). With Cisco's approach, once a packet has been routed to its egress interface it is matched against the NAT entries in their configured order (visible with show run), and NAT is applied by the first entry whose conditions it satisfies. So when configuring NAT on Cisco, pay attention to the order of the NAT entries. This conclusion was reached after countless experiments.


Lab topology

[Figure 1: lab topology diagram]


Note: on R2, the interfaces in the 10.45.1.0 and 1.1.1.0 networks are NAT outside; the interface in 192.168.1.0 is NAT inside.


R2 configuration:

R2(config)#do sh run
Building configuration...


Current configuration : 1436 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!

!
ip tcp synwait-time 5
    
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address 10.45.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
no ip http server
no ip http secure-server
!
no ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.0.0.0 255.0.0.0 10.45.1.3
!
ip nat inside source list wan interface Ethernet0/0 overload
ip nat inside source list wan2 interface Ethernet0/1 overload       \\ this is the order of the NAT entries
!

!
ip access-list extended wan
 permit ip any any
ip access-list extended wan2
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
control-plane

!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


R2(config)#            

We know that for inside-to-outside traffic the packet is routed first (once the routing lookup has chosen the egress, the packet will leave through that egress; NAT or anything else will not send it out through some other interface that is not the longest match), and NAT is applied afterwards. However, Cisco's NAT here is not bound to the interface: the packet is matched against the NAT entries in order, as shown below.


Ping results from R5

R5#ping 10.45.3.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 2.2.2.2  


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/42/64 ms
R5#

Checking the NAT process and translation table on R2

R2#debug ip nat detailed 

IP NAT detailed debugging is on
R2#
*Mar  1 00:08:32.303: NAT: [0] Allocated Port for 192.168.1.2 -> 1.1.1.2: wanted 5 got 5      \\ shows that when R5 pings 10.45.3.1, R2 is using the entry "ip nat inside source list wan interface Ethernet0/0 overload".
*Mar  1 00:08:32.307: NAT*: i: icmp (192.168.1.2, 5) -> (10.45.3.1, 5) [25]
*Mar  1 00:08:32.307: NAT*: i: icmp (192.168.1.2, 5) -> (10.45.3.1, 5) [25]
*Mar  1 00:08:32.311: NAT*: s=192.168.1.2->1.1.1.2, d=10.45.3.1 [25]  
R2#
*Mar  1 00:08:34.311: NAT*: i: icmp (192.168.1.2, 5) -> (10.45.3.1, 5) [26]
*Mar  1 00:08:34.315: NAT*: s=192.168.1.2->1.1.1.2, d=10.45.3.1 [26]
R2#
*Mar  1 00:08:36.303: NAT*: i: icmp (192.168.1.2, 5) -> (10.45.3.1, 5) [27]
*Mar  1 00:08:36.307: NAT*: s=192.168.1.2->1.1.1.2, d=10.45.3.1 [27]
R2#
*Mar  1 00:08:38.259: NAT*: i: icmp (192.168.1.2, 5) -> (10.45.3.1, 5) [28]
*Mar  1 00:08:38.259: NAT*: s=192.168.1.2->1.1.1.2, d=10.45.3.1 [28]
R2#
*Mar  1 00:08:40.275: NAT*: i: icmp (192.168.1.2, 5) -> (10.45.3.1, 5) [29]
*Mar  1 00:08:40.275: NAT*: s=192.168.1.2->1.1.1.2, d=10.45.3.1 [29]
R2#sh ip nat tr          
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.2:5         192.168.1.2:5      10.45.3.1:5        10.45.3.1:5     \\ shows that when R5 pings 10.45.3.1, R2 is using the entry "ip nat inside source list wan interface Ethernet0/0 overload".

The reason 10.45.3.1 cannot be pinged: when the packet is routed to the egress toward the 10 network, the router finds ip nat outside configured on that egress, so the packet is filtered through the whole NAT list (every NAT entry, in configured order). It already matches the first NAT entry, so the source address 192.168.1.2 of the packet to 10.45.3.1 is replaced with 1.1.1.2, and the second NAT entry is never evaluated.

One might still wonder whether the packet is in fact taking the default route when the routing decision is made. To verify this, a loopback address 10.45.3.1 was added on R4; R5 still could not ping 10.45.3.1, so that hypothesis does not hold. This proves that the routing lookup had already selected the egress toward the 10 network, and that the fault lies in the NAT order.

Solution 1:

In R2's ip access-list extended wan, add as the first entry a deny for destinations in the 10 network:
ip access-list extended wan
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

Result: R5 pings 10.45.3.1 successfully (output omitted).


Solution 2:

Adjust the order of the NAT entries on R2: delete ip access-list extended wan and add ip access-list extended wan3, so that the entry referencing wan3 is placed after the one referencing wan2:

ip nat inside source list wan2 interface Ethernet0/1 overload
ip nat inside source list wan3 interface Ethernet0/0 overload
!
!
ip access-list extended wan2
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended wan3
 permit ip any any
!

Result: on R5, pings to both 10.45.3.1 and 2.2.2.2 succeed.

R5#ping 10.45.3.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/60 ms
R5#ping 2.2.2.2  


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/52 ms
R5#


The normal NAT packet flow as shown on R2

R2(config)#            
*Mar  1 00:38:27.887: NAT: [0] Allocated Port for 192.168.1.2 -> 10.45.1.1: wanted 9 got 9
*Mar  1 00:38:27.891: NAT*: i: icmp (192.168.1.2, 9) -> (10.45.3.1, 9) [45]
*Mar  1 00:38:27.895: NAT*: i: icmp (192.168.1.2, 9) -> (10.45.3.1, 9) [45]
*Mar  1 00:38:27.899: NAT*: s=192.168.1.2->10.45.1.1, d=10.45.3.1 [45]
*Mar  1 00:38:27.931: NAT*: o: icmp (10.45.3.1, 9) -> (10.45.1.1, 9) [45]
*Mar  1 00:38:27.931: NAT*: s=10.45.3.1, d=10.45.1.1->192.168.1.2 [45]
*Mar  1 00:38:27.959: NAT*: i: icmp (192.168.1.2, 9) -> (10.45.3.1, 9) [46]
*Mar  1 00:38:27.963: NAT*: s=192.168.1.2->10.45.1.1, d=10.45.3.1 [46]
*Mar  1 00:38:27.979: NAT*: o: icmp (10.45.3.1, 9) -> (10.45.1.1, 9) [46]
*Mar  1 00:38:27.983: NAT*: s=10.45.3.1, d=10.45.1.1->192.168.1.2 [46]
*Mar  1 00:38:28.007: NAT*: i: icmp (192.168.1.2, 9) -> (10.45.3.1, 9) [47]
*Mar  1 00:38:28.007: NAT*: s=192.168.1.2->10.45.1.1, d=10.45.3.1 [47]
*Mar  1 00:38:28.023: NAT*: o: icmp (10.45.3.1, 9) -> (10.45.1.1, 9) [47]
*Mar  1 00:38:28.027: NAT*: s=10.45.3.1, d=10.45.1.1->192.168.1.2 [47]
*Mar  1 00:38:28.043: NAT*: i: icmp (192.168.1.2, 9) -> (10.45.3.1, 9) [48]
*Mar  1 00:38:28.047: NAT*: s=192.168.1.2->10.45.1.1, d=10.45.3.1 [48]
*Mar  1 00:38:28.071: NAT*: o: icmp (10.45.3.1, 9) -> (10.45.1.1, 9) [48]
*Mar  1 00:38:28.071: NAT*: s=10.45.3.1, d=10.45.1.1->192.168.1.2 [48]
*Mar  1 00:38:28.091: NAT*: i: icmp (192.168.1.2, 9) -> (10.45.3.1, 9) [49]
*Mar  1 00:38:28.091: NAT*: s=192.168.1.2->10.45.1.1, d=10.45.3.1 [49]
*Mar  1 00:38:28.111: NAT*: o: icmp (10.45.3.1, 9) -> (10.45.1.1, 9) [49]
*Mar  1 00:38:28.111: NAT*: s=10.45.3.1, d=10.45.1.1->192.168.1.2 [49]
R2(config)#            
R2(config)#            
*Mar  1 00:38:30.595: NAT: [0] Allocated Port for 192.168.1.2 -> 1.1.1.2: wanted 10 got 10
*Mar  1 00:38:30.599: NAT*: i: icmp (192.168.1.2, 10) -> (2.2.2.2, 10) [50]
*Mar  1 00:38:30.599: NAT*: i: icmp (192.168.1.2, 10) -> (2.2.2.2, 10) [50]
*Mar  1 00:38:30.603: NAT*: s=192.168.1.2->1.1.1.2, d=2.2.2.2 [50]
*Mar  1 00:38:30.619: NAT*: o: icmp (2.2.2.2, 10) -> (1.1.1.2, 10) [50]
*Mar  1 00:38:30.619: NAT*: s=2.2.2.2, d=1.1.1.2->192.168.1.2 [50]
*Mar  1 00:38:30.651: NAT*: i: icmp (192.168.1.2, 10) -> (2.2.2.2, 10) [51]
*Mar  1 00:38:30.651: NAT*: s=192.168.1.2->1.1.1.2, d=2.2.2.2 [51]
*Mar  1 00:38:30.683: NAT*: o: icmp (2.2.2.2, 10) -> (1.1.1.2, 10) [51]
*Mar  1 00:38:30.683: NAT*: s=2.2.2.2, d=1.1.1.2->192.168.1.2 [51]
*Mar  1 00:38:30.703: NAT*: i: icmp (192.168.1.2, 10) -> (2.2.2.2, 10) [52]
*Mar  1 00:38:30.703: NAT*: s=192.168.1.2->1.1.1.2, d=2.2.2.2 [52]
*Mar  1 00:38:30.723: NAT*: o: icmp (2.2.2.2, 10) -> (1.1.1.2, 10) [52]
*Mar  1 00:38:30.723: NAT*: s=2.2.2.2, d=1.1.1.2->192.168.1.2 [52]
*Mar  1 00:38:30.743: NAT*: i: icmp (192.168.1.2, 10) -> (2.2.2.2, 10) [53]
*Mar  1 00:38:30.743: NAT*: s=192.168.1.2->1.1.1.2, d=2.2.2.2 [53]
*Mar  1 00:38:30.767: NAT*: o: icmp (2.2.2.2, 10) -> (1.1.1.2, 10) [53]
*Mar  1 00:38:30.767: NAT*: s=2.2.2.2, d=1.1.1.2->192.168.1.2 [53]
*Mar  1 00:38:30.787: NAT*: i: icmp (192.168.1.2, 10) -> (2.2.2.2, 10) [54]
*Mar  1 00:38:30.787: NAT*: s=192.168.1.2->1.1.1.2, d=2.2.2.2 [54]
*Mar  1 00:38:30.807: NAT*: o: icmp (2.2.2.2, 10) -> (1.1.1.2, 10) [54]
*Mar  1 00:38:30.811: NAT*: s=2.2.2.2, d=1.1.1.2->192.168.1.2 [54]
R2(config)#
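As an added illustration (not code from the original post, and not Cisco's own implementation), the following Python model reproduces the behaviour observed on R2: the routing lookup chooses the egress interface, and then the "ip nat inside source list" entries are walked in configured order, the first one whose ACL permits the packet winning regardless of which outside interface the packet is leaving through. It encodes the original entry order, solution 1 (the deny line in wan) and solution 2 (wan3 placed after wan2), and reports whether the translated source address belongs to the egress interface. The addresses, routes and ACL lines are R2's; the function names, the Router/Interface/NatRule data layout and the simplified ACL parser are assumptions of this model.

```python
"""Model of Cisco IOS inside->outside NAT entry selection, written for this post.
It is NOT Cisco code: it only reproduces what R2 showed (route first, then walk
the 'ip nat inside source list' entries in configured order and use the first
one whose ACL permits the packet)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
AclEntry = Tuple[str, Net, Net]  # (action, source network, destination network)


def wildcard_to_net(addr: str, wildcard: str) -> Net:
    """Convert Cisco 'address wildcard' notation (0.0.0.255 -> /24) to a network."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return Net((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse extended ACL lines 'permit|deny ip <src> <dst>', each side being
    'any' or '<address> <wildcard>' (only the forms used on R2 are supported)."""
    entries: List[AclEntry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol, 'ip'
        nets: List[Net] = []
        while rest:
            if rest[0] == "any":
                nets.append(Net("0.0.0.0/0"))
                rest = rest[1:]
            else:
                nets.append(wildcard_to_net(rest[0], rest[1]))
                rest = rest[2:]
        entries.append((action, nets[0], nets[1]))
    return entries


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching ACL entry decides; no match hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


@dataclass
class Interface:
    ip: str
    nat_role: Optional[str]  # "inside", "outside" or None


@dataclass
class NatRule:
    acl_name: str
    interface: str  # 'interface <name> overload': PAT to that interface's address


@dataclass
class Router:
    interfaces: Dict[str, Interface]
    routes: List[Tuple[str, str]]  # (prefix, egress interface)
    nat_rules: List[NatRule]       # in 'show run' order
    acls: Dict[str, List[AclEntry]]


def lookup_route(router: Router, dst: str) -> str:
    """Longest-prefix match; returns the egress interface name."""
    d = ipaddress.IPv4Address(dst)
    candidates = [(Net(p).prefixlen, i) for p, i in router.routes if d in Net(p)]
    return max(candidates)[1]


def translate(router: Router, src: str, dst: str) -> Tuple[str, str]:
    """Route the packet, then apply inside->outside NAT the way R2 did.
    Returns (egress interface, source address after translation)."""
    egress = lookup_route(router, dst)
    if router.interfaces[egress].nat_role != "outside":
        return egress, src
    for rule in router.nat_rules:  # configured order; first permitting ACL wins
        if acl_permits(router.acls[rule.acl_name], src, dst):
            return egress, router.interfaces[rule.interface].ip
    return egress, src


def source_matches_egress(router: Router, src: str, dst: str) -> bool:
    """True when the translated source is the egress interface's own address."""
    egress, new_src = translate(router, src, dst)
    return new_src == router.interfaces[egress].ip


# --- R2 as shown in the post (addresses, routes and ACLs from its config) ----
IFACES = {"Ethernet0/0": Interface("1.1.1.2", "outside"),
          "Ethernet0/1": Interface("10.45.1.1", "outside"),
          "Ethernet0/3": Interface("192.168.1.1", "inside")}
ROUTES = [("0.0.0.0/0", "Ethernet0/0"), ("10.0.0.0/8", "Ethernet0/1")]
ACL_WAN = "permit ip any any"
ACL_WAN2 = "permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255"
ACL_WAN_FIX1 = "deny ip any 10.0.0.0 0.255.255.255\npermit ip any any"
RULES_WAN_FIRST = [NatRule("wan", "Ethernet0/0"), NatRule("wan2", "Ethernet0/1")]

ORIGINAL = Router(IFACES, ROUTES, RULES_WAN_FIRST,
                  {"wan": parse_acl(ACL_WAN), "wan2": parse_acl(ACL_WAN2)})
FIX1 = Router(IFACES, ROUTES, RULES_WAN_FIRST,
              {"wan": parse_acl(ACL_WAN_FIX1), "wan2": parse_acl(ACL_WAN2)})
FIX2 = Router(IFACES, ROUTES,
              [NatRule("wan2", "Ethernet0/1"), NatRule("wan3", "Ethernet0/0")],
              {"wan2": parse_acl(ACL_WAN2), "wan3": parse_acl(ACL_WAN)})

if __name__ == "__main__":
    for name, r in (("original", ORIGINAL), ("fix 1", FIX1), ("fix 2", FIX2)):
        for dst in ("10.45.3.1", "2.2.2.2"):
            egress, new_src = translate(r, "192.168.1.2", dst)
            ok = "ok" if source_matches_egress(r, "192.168.1.2", dst) else "MISMATCH"
            print(f"{name:8} -> {dst:9} via {egress}: 192.168.1.2 -> {new_src} [{ok}]")
```

Running it prints the original configuration sending the packet for 10.45.3.1 out Ethernet0/1 with source 1.1.1.2 (the address of Ethernet0/0, so the reply has nowhere sensible to go), while both fixes translate it to 10.45.1.1; the packet for 2.2.2.2 is translated to 1.1.1.2 in every case. The model deliberately keeps NAT entry selection independent of the egress interface, which is exactly the Cisco behaviour the post demonstrates.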


Summary:

1. In Cisco configuration, not only access control lists (ACLs) are ordered; the NAT list is ordered too (a packet that needs NAT is filtered through the whole NAT list).

2. The techniques in this article are all my own findings from experiments; they have been tested in Packet Tracer and GNS3.

3. Since multi-NAT is rarely covered on the major forums, readers who draw on this article should consult other articles and run more experiments to confirm whether this technique holds; if there are discrepancies, please point them out.

