NAT-PT explained in plain terms:
For IPv6 to reach IPv4, it must know the IPv6 address (the "VIP6") that the IPv4 address maps to. NAT-PT specifies that a /96 IPv6 address pool represents IPv4, so every IPv4 address "exists" inside IPv6.
For IPv4 to reach IPv6, it must know the IPv4 address that the IPv6 address maps to. NAT-PT allows any unused IPv4 address pool to represent IPv6, so every IPv6 address also "exists" inside IPv4. (This is an exaggeration made to explain the principle; don't take it literally.)
From the above it follows that a NAT-PT router must hold two address pools: a /96 IPv6 pool used for mapping IPv4 addresses, and an IPv4 pool used for mapping IPv6 addresses. Once this translation structure is understood, configuring the various NAT-PT types (static NAT-PT, dynamic NAT-PT, and so on) is straightforward.
The translation principles of the NAT-PT variants below are all refinements of the above, so they are not described at length.
Static NAT-PT
Static mode provides a one-to-one mapping between an IPv6 address and an IPv4 address.
Dynamic NAT-PT
Dynamic NAT-PT only allows one-way access towards one side's protocol stack; it cannot be accessed in the reverse direction. It is a many-to-many configuration (a free IP address is taken from the mapping pool; once the pool's addresses are used up no further mapping is possible, so internal hosts that did not obtain a mapping cannot reach the outside).
NAPT-PT
NAPT-PT is also called overload: a many-to-one source address translation, one-way from v6 to v4; v6 cannot be accessed in the reverse direction.
Lab contents:
1) Static NAT-PT: understand how the source and destination IP of a flow are translated.
2) Dynamic NAT-PT: deepen the understanding of NAT-PT through a many-to-many configuration.
3) NAPT-PT: many-to-one translation, where multiple v6 source addresses are translated to a single v4 address; the key parameter is overload. Using NAPT-PT together with v4-mapped.
Lab topology:
Lab configuration:
1) Static NAT-PT
Interfaces are configured as in the diagram above; RIPng runs between R2 and R5, and RIP between R3 and R5.
R5(config)#do sh run
!
interface Serial1/0
no ip address
ipv6 address FE80:1::10 link-local
ipv6 address 10::1/64
ipv6 nat \\Designates this interface as a NAT-PT interface.
ipv6 rip rng_1 enable
serial restart-delay 0
!
interface Serial1/1
ip address 1.1.1.1 255.255.255.0
ipv6 nat
serial restart-delay 0
!
ipv6 router rip rng_1
redistribute connected metric 3 \\Redistribute the NVI0 interface into RIPng so that the prefix 1000::/96 is reachable in IPv6.
no split-horizon
!
ipv6 nat v4v6 source 1.1.1.2 1000::2 \\Map v4 to v6 so that the IPv4 host can be reached from the IPv6 network.
ipv6 nat v6v4 source 21::1 100.1.1.2 \\Likewise, in the other direction.
ipv6 nat prefix 1000::/96 \\The pool used for IPv4 mappings, i.e. the address of the NVI0 interface.
!
R5(config)#
1.1 View the static NAT-PT translation table
R5#sh ipv nat tr
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
--- --- ---
1.1.1.2 1000::2
--- 100.1.1.2 21::1
--- ---
R5#
1.2 Observe the IPv4-to-IPv6 translation process
R3#ping 100.1.1.2 sou 1.1.1.2 re 1 \\IPv4 reaching IPv6, a single ping packet
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms
R3#
R5#debug ipv nat detailed
IPv6 NAT-PT detailed debugging is on
R5#
*Mar 1 02:22:49.771: IPv6 NAT: Found prefix 1000::/96 \\A packet matching the translation prefix is found.
*Mar 1 02:22:49.771: IPv6 NAT: IPv4->IPv6: \\Indicates IPv4 accessing IPv6
src (1.1.1.2 -> 1000::2) \\The IPv4 source address is translated to IPv6
dst (0.0.0.0 -> ::) \\I don't know why it looks like this here!!!!!! When IPv6 accesses IPv4, the source and destination IP translations are both shown in the same packet, but not here???
ref_count = 1, usecount = 0, flags = 513,
rt_flags = 0, more_flags = 0
*Mar 1 02:22:49.775: IPv6 NAT: IPv4->IPv6:
src (0.0.0.0 -> ::)
dst (100.1.1.2 -> 21::1) \\The IPv4 destination address is translated to IPv6
ref_count = 1, usecount = 0, flags = 257,
rt_flags = 0, more_flags = 0
R5#
1.3 Observe the IPv6-to-IPv4 translation process
R2#ping 1000::2 sou 21::1 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1000::2, timeout is 2 seconds:
Packet sent with a source address of 21::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 68/68/68 ms
R2#
R5#clear ipv nat translation *
R5#
*Mar 1 02:43:55.347: IPv6 NAT: IPv6->IPv4:
src (21::1 -> 100.1.1.2)
dst (1000::2 -> 1.1.1.2) \\Both translated addresses are shown at once; different from the v4-to-v6 result above?????
ref_count = 1, usecount = 0, flags = 64,
rt_flags = 0, more_flags = 0
*Mar 1 02:43:55.351: IPv6 NAT: icmp src (21::1) -> (100.1.1.2), dst (1000::2) -> (1.1.1.2)
*Mar 1 02:43:55.395: IPv6 NAT: Found prefix 1000::/96
*Mar 1 02:43:55.395: IPv6 NAT: IPv4->IPv6:
src (1.1.1.2 -> 1000::2)
dst (100.1.1.2 -> 21::1)
ref_count = 1, usecount = 0, flags = 64,
rt_flags = 0, more_flags = 0
*Mar 1 02:43:55.399: IPv6 NAT: icmp src (1.1.1.2) -> (1000::2), dst (100.1.1.2) -> (21::1)
R5#
2) Dynamic NAT-PT
R5#
!
ip access-list extended nat4
permit ip any 100.1.1.0 0.0.0.255
!
!
!
ipv6 router rip rng_1
redistribute connected metric 3
no split-horizon
!
ipv6 nat v4v6 source list nat4 pool pre_1000 \\There is no overload option for v4-to-v6 mapping, because there are enough v6 addresses for every v4 address to "exist" in v6.
ipv6 nat v4v6 pool pre_1000 1000::100 1000::101 prefix-length 96 \\The pool for mapping v4 to v6 is set to 2 addresses.
ipv6 nat v6v4 source 20::1 100.1.1.3 \\Static mappings make the v6 addresses "exist" in v4, so v4 knows the destination.
ipv6 nat v6v4 source 21::1 100.1.1.2
ipv6 nat v6v4 source 22::1 100.1.1.4
ipv6 nat prefix 1000::/96
Access v6 from R3
R3#ping 100.1.1.2 \\The same source IP reaching several destinations takes only one address from the pool after translation.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/48 ms
R3#ping 100.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/36 ms
R3#ping 100.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/52 ms
R3#ping 100.1.1.2 sou 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 30.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
R3#ping 100.1.1.2 sou 31.1.1.1 \\After the previous sources have used up the pool, the third source 31.1.1.1 cannot be translated.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 31.1.1.1
.....
Success rate is 0 percent (0/5)
R3#
Clear R5's translation table; the result again proves that the number of IPs in the pool determines how many addresses can be translated.
R3#ping 100.1.1.2 sou 31.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 31.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/36 ms
R3#ping 100.1.1.2 sou 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 30.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/32 ms
R3#ping 100.1.1.2 sou 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.2
.....
Success rate is 0 percent (0/5)
R3#
3) NAPT-PT
3.1 Configure NAPT-PT
R5#
!
ipv6 nat v4v6 source 30.1.1.1 1000::30
ipv6 nat v4v6 source 31.1.1.1 1000::31
ipv6 nat v6v4 source list napt6 pool v4_100 overload \\The keyword
ipv6 nat v6v4 pool v4_100 100.1.1.100 100.1.1.100 prefix-length 24 \\Note that the pool contains only one IPv4 address.
ipv6 nat prefix 1000::/96
!
ipv6 access-list napt6
permit ipv6 any 1000::/96
3.2 Verify v6 accessing v4: source translation uses only one v4 address. Any v6 source can reach a v4 address that has a mapping. Finally, view R5's translation table.
R5(config)#do sh ipv nat tr
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
--- --- ---
30.1.1.1 1000::30
--- --- ---
31.1.1.1 1000::31
icmp 100.1.1.100,8815 21::1,8815 \\With the overload parameter, any v6 host reaching v4 uses just one IPv4 address, and port numbers distinguish the accesses from different IPv6 addresses.
30.1.1.1,8815 1000::30,8815
icmp 100.1.1.100,6869 22::1,6869
30.1.1.1,6869 1000::30,6869
icmp 100.1.1.100,8552 22::1,8552
30.1.1.1,8552 1000::30,8552
icmp 100.1.1.100,7697 22::1,7697
31.1.1.1,7697 1000::31,769
R5(config)#
It can be seen that the translated v6 source addresses occupy only one v4 address, which means overload works. This saves IPv4 addresses effectively.
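To make the pool behaviour from the dynamic test (section 2) and the overload behaviour above concrete, here is an added Python model (not the router's code, and not part of the original write-up) of how a NAT-PT pool hands out translations. The class name, the per-flow identifier handling and the way exhausted pools and identifier collisions are treated are simplifying assumptions of this example; the addresses are the lab's.

```python
# Added example, not from the lab write-up: a simplified model of a NAT-PT
# address pool in dynamic and overload (NAPT-PT) mode.
from typing import Dict, List, Optional, Tuple


class NatPtPool:
    """One translation pool of a NAT-PT router (simplified model).

    Dynamic mode: each new inside source takes one free pool address and keeps
    it for every destination it talks to; when the pool is empty, new sources
    get no translation (the router drops their packets).
    Overload mode: all sources share one pool address and flows are told apart
    by the transport port / ICMP identifier.
    """

    def __init__(self, addresses: List[str], overload: bool = False):
        if overload and len(addresses) != 1:
            raise ValueError("this model keeps overload to one pool address, as in the lab")
        self.free = list(addresses)
        self.overload = overload
        self.bindings: Dict[str, str] = {}                             # inside src -> pool address
        self.flows: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # (proto, src, id) -> (addr, id)

    def translate(self, src: str, proto: str = "icmp", ident: int = 0) -> Optional[Tuple[str, int]]:
        """Return (translated address, translated identifier), or None if dropped."""
        if self.overload:
            return self._translate_overload(src, proto, ident)
        if src not in self.bindings:
            if not self.free:
                return None                       # pool exhausted: no entry, packet dropped
            self.bindings[src] = self.free.pop(0)
        return self.bindings[src], ident          # identifier is left untouched in dynamic mode

    def _translate_overload(self, src: str, proto: str, ident: int) -> Tuple[str, int]:
        key = (proto, src, ident)
        if key in self.flows:
            return self.flows[key]
        used = {ext for (p, _, _), (_, ext) in self.flows.items() if p == proto}
        ext = ident
        while ext in used:                        # identifier already taken by another source
            ext = (ext + 1) % 65536
        self.flows[key] = (self.free[0], ext)
        return self.flows[key]

    def clear(self) -> None:
        """Equivalent of 'clear ipv6 nat translation *'."""
        self.free.extend(self.bindings.values())
        self.bindings.clear()
        self.flows.clear()


def run_dynamic_lab():
    """Replay the dynamic test: a 2-address v4->v6 pool and three v4 sources."""
    pool = NatPtPool(["1000::100", "1000::101"])
    first = {src: pool.translate(src) for src in ("1.1.1.2", "30.1.1.1", "31.1.1.1")}
    pool.clear()
    second = {src: pool.translate(src) for src in ("31.1.1.1", "30.1.1.1", "1.1.1.2")}
    return first, second


def run_overload_lab():
    """Replay the NAPT-PT test: one v4 address shared by several v6 sources."""
    pool = NatPtPool(["100.1.1.100"], overload=True)
    return [
        pool.translate("21::1", "icmp", 8815),
        pool.translate("22::1", "icmp", 6869),
        pool.translate("22::1", "icmp", 8815),  # same identifier as 21::1 uses: must be rewritten
    ]


if __name__ == "__main__":
    print(run_dynamic_lab())
    print(run_overload_lab())
```

In the dynamic replay the third source gets None both before and after the clear, mirroring the two failed pings in the write-up; in the overload replay the third flow keeps the single pool address but is given identifier 8816, which is the mechanism that lets one IPv4 address serve many IPv6 sources.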
3.3 For v6 to reach v4, a static mapping has to be configured manually for every IPv4 address, which is a lot of work and prone to errors and omissions. So the following introduces an automatic v4 mapping method: v4-mapped.
R5#
ipv6 nat v6v4 source list napt6 pool v4_100 overload
ipv6 nat v6v4 pool v4_100 100.1.1.100 100.1.1.100 prefix-length 24
ipv6 nat prefix 1000::/96 v4-mapped nat4all \\Enable v4-mapped; nat4all identifies the matching addresses, from which the IPv4 address is extracted and used as the translated destination.
!
ipv6 access-list napt6
permit ipv6 any 1000::/96
!
ipv6 access-list nat4all
permit ipv6 1000::/96 1000::/96 \\The address range that nat4all must match.
R5#
The configuration above contains no mappings for IPv4, so how does v6 know the destination? As noted above, v4-mapped lets v6 extract the IPv4 address from the destination address it is accessing and use it as the translated destination. Test as follows.
R5#sh ipv nat tr
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
R5#
The NAT-PT router's translation table currently has no entries. Now ping from R2:
R2#ping 1000::101:102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::101:102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/68 ms
R2#ping 1000::1E01:101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::1E01:101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/51/88 ms
R2#ping 1000::1f01:101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::1F01:101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/47/84 ms
R2#
All pings succeeded.
R5#sh ipv nat tr
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
icmp 100.1.1.100,6467 20::1,6467
1.1.1.2,6467 1000::101:102,6467
icmp 100.1.1.100,6963 20::1,6963
30.1.1.1,6963 1000::1E01:101,6963
icmp 100.1.1.100,7332 20::1,7332
31.1.1.1,7332 1000::1F01:101,7332
R5#
Translation entries now appear in the table, which shows that with v4-mapped the IPv4 address is extracted from the IPv6 destination address and used as the translated IPv4 destination. This notation "maps" the whole IPv4 address space, so a mapping command for every single IPv4 address is no longer needed.
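As an added example (not part of the lab write-up), the address arithmetic behind the /96 pool from the introduction and behind v4-mapped: a /96 prefix leaves exactly 32 bits for an IPv4 address, which is why 1.1.1.2 appears as 1000::101:102 and 30.1.1.1 as 1000::1E01:101 in the table. The Python below embeds and extracts addresses with the standard ipaddress module; the function names and the use of 1000::/96 as the default prefix are this example's own choices.

```python
# Added example, not from the lab write-up: the address arithmetic used by
# NAT-PT's /96 prefix and by the v4-mapped feature.
import ipaddress
from typing import Optional

# The NAT-PT prefix configured on R5 with 'ipv6 nat prefix 1000::/96'.
NAT_PT_PREFIX = ipaddress.IPv6Network("1000::/96")


def v4_to_v6(v4: str, prefix: ipaddress.IPv6Network = NAT_PT_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT-PT prefix.

    This is the address an IPv6 host uses to reach the IPv4 host,
    e.g. 1.1.1.2 -> 1000::101:102.
    """
    if prefix.prefixlen != 96:
        # 128 - 96 = 32 bits remain, exactly one IPv4 address; any other
        # length would truncate the address or leave undefined bits.
        raise ValueError("NAT-PT needs a /96 prefix, got /%d" % prefix.prefixlen)
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4_int).compressed


def v6_to_v4(v6: str, prefix: ipaddress.IPv6Network = NAT_PT_PREFIX) -> Optional[str]:
    """Recover the IPv4 destination from a v4-mapped IPv6 address.

    Returns None when the address lies outside the prefix; the router's
    'ipv6 nat prefix ... v4-mapped' likewise only applies to destinations
    inside the prefix that the nat4all access list matches.
    """
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


if __name__ == "__main__":
    for v4 in ("1.1.1.2", "30.1.1.1", "31.1.1.1", "2.2.2.2"):
        print(v4, "->", v4_to_v6(v4))
    print("1000::1E01:101 ->", v6_to_v4("1000::1E01:101"))
    print("21::1 ->", v6_to_v4("21::1"))
```

Note that the embedding makes every IPv4 address reachable by construction, including addresses that do not exist on the v4 side; the router will still build a translation entry for them, which is exactly what the 2.2.2.2 test below shows.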
Next, from R2 ping 2.2.2.2, an address that does not exist on the v4 side, and see what happens.
R2#ping 1000::202:202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::202:202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
R5#debug ipv nat de
*Mar 1 06:39:33.610: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=665F0260, count=0, -Traceback= 0x6142DF7C 0x605397D0 0x6197B4A8 0x6317951C 0x631796D8 0x63179820 0x63144CE8 0x63145CA8 0x63145E64 0x631500E0 \\As soon as the ping is issued on R2, an error message appears on R5; it roughly indicates that the translated v4 destination address is unreachable.
R5#
R5#
*Mar 1 06:48:16.730: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:48:16.734: IPv6 NAT: Dropping v6tov4 packet
R5#
*Mar 1 06:48:18.702: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:48:18.706: IPv6 NAT: Dropping v6tov4 packet
R5#
*Mar 1 06:48:20.138: IPv6 NAT: Found prefix 1000::/96
*Mar 1 06:48:20.142: IPv6 NAT:v4tov6 entry not found
*Mar 1 06:48:20.718: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:48:20.722: IPv6 NAT: Dropping v6tov4 packet
*Mar 1 06:48:21.078: IPv6 NAT: deleted a NAT entry after timeout
R5#
*Mar 1 06:48:22.730: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:48:22.734: IPv6 NAT: Dropping v6tov4 packet
R5#
*Mar 1 06:48:36.622: IPv6 NAT: deleted a NAT entry after timeout
R5#
The debug output shows that the v6-to-v4 flow's addresses were translated successfully, but the destination never replied, so the ping fails.
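Reading these debug lines by hand gets tedious in longer captures. As an added example (not from the original write-up), the Python below parses the IPv6->IPv4 and IPv4->IPv6 blocks of 'debug ipv6 nat detailed' into records and marks each as forwarded or dropped, which makes translated-but-unanswered destinations easy to spot. The sample log is constructed from the lines shown above and below; the regular expressions assume the exact line layout of this capture.

```python
# Added example, not from the lab write-up: parse 'debug ipv6 nat detailed'
# output into translation records with an outcome per record.
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample, assembled from the debug lines of this lab.
SAMPLE_DEBUG = """\
*Mar 1 06:48:16.730: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:48:16.734: IPv6 NAT: Dropping v6tov4 packet
*Mar 1 06:48:21.078: IPv6 NAT: deleted a NAT entry after timeout
*Mar 1 06:58:02.270: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:58:02.274: IPv6 NAT: icmp src (20::1) -> (100.1.1.100), dst (1000::202:202) -> (2.2.2.2)
*Mar 1 06:58:02.298: IPv6 NAT: Found prefix 1000::/96
*Mar 1 06:58:02.298: IPv6 NAT: IPv4->IPv6:
src (2.2.2.2 -> 1000::202:202)
dst (100.1.1.100 -> 20::1)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
"""

HEADER = re.compile(r"^\*(?P<ts>.+?): IPv6 NAT: (?P<dir>IPv6->IPv4|IPv4->IPv6):$")
ADDR = re.compile(r"^(?P<which>src|dst) \((?P<before>\S+) -> (?P<after>\S+)\)$")
DROP_MARKER = "IPv6 NAT: Dropping "
FORWARDED = re.compile(r"IPv6 NAT: \w+ src \(")   # e.g. "IPv6 NAT: icmp src (...)"


def parse_nat_debug(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn a debug capture into one record per translation block.

    A record carries the timestamp, direction, the src/dst addresses before
    and after translation, and a status: 'forwarded' when the per-protocol
    summary line follows, 'dropped' when a Dropping line follows, 'unknown'
    when the capture shows no outcome line for the block.
    """
    records: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None

    def finish(status: str) -> None:
        nonlocal current
        if current is not None:
            current["status"] = status
            records.append(current)
            current = None

    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            finish("unknown")             # previous block ended without an outcome line
            current = {"ts": m["ts"], "direction": m["dir"], "status": None}
            continue
        m = ADDR.match(line)
        if m and current is not None:
            current[m["which"] + "_before"] = m["before"]
            current[m["which"] + "_after"] = m["after"]
        elif DROP_MARKER in line:
            finish("dropped")
        elif FORWARDED.search(line):
            finish("forwarded")
    finish("unknown")
    return records


def drops_by_destination(records: List[Dict[str, Optional[str]]]) -> Counter:
    """Count dropped translations per translated destination address."""
    return Counter(r["dst_after"] for r in records if r["status"] == "dropped")


if __name__ == "__main__":
    recs = parse_nat_debug(SAMPLE_DEBUG)
    for r in recs:
        print(r["ts"], r["direction"], r["src_after"], "->", r["dst_after"], r["status"])
    print(drops_by_destination(recs))
```

A destination that keeps showing up in the drop counter while its translation block looks correct points at the same situation as in this test: the NAT-PT side works and the problem is reachability of the translated IPv4 address.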
To fix this, add loopback interface loo 2 on R3 and advertise it in RIP, then test again:
R2#ping 1000::202:202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::202:202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/59/100 ms
R2#
R5#sh ipv nat tr
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
icmp 100.1.1.100,959 20::1,959
2.2.2.2,959 1000::202:202,959
R5#
*Mar 1 06:58:02.270: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::202:202 -> 2.2.2.2)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 06:58:02.274: IPv6 NAT: icmp src (20::1) -> (100.1.1.100), dst (1000::202:202) -> (2.2.2.2)
*Mar 1 06:58:02.298: IPv6 NAT: Found prefix 1000::/96
*Mar 1 06:58:02.298: IPv6 NAT: IPv4->IPv6:
src (2.2.2.2 -> 1000::202:202)
dst (100.1.1.100 -> 20::1)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
R5#
End of lab
Appendix:
Pinging 1000::101:101 (the NAT-PT router's own IP) from R2 fails. When the flow comes back, the routing table lookup finds that the destination is the router itself, so the flow has already terminated on the NAT-PT router and no data is returned to R2. This is the same as with ordinary NAT.
R2#ping 1000::101:101 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1000::101:101, timeout is 2 seconds:.
Success rate is 0 percent (0/1)
R2#
R5#
*Mar 1 07:17:29.070: IPv6 NAT: IPv6->IPv4:
src (20::1 -> 100.1.1.100)
dst (1000::101:101 -> 1.1.1.1)
ref_count = 1, usecount = 0, flags = 2,
rt_flags = 0, more_flags = 16
*Mar 1 07:17:29.078: IPv6 NAT: icmp src (20::1) -> (100.1.1.100), dst (1000::101:101) -> (1.1.1.1)