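NAT terminology
- Inside local address:
The IP address that a device in the Inside network has on the Inside, i.e. the real address of the inside host.
- Inside global address:
The IP address that a device in the Inside network has on the Outside, i.e. the address the inside host uses toward the outside after NAT translation.
- Outside local address:
The IP address that a device in the Outside network has on the Inside, i.e. the address of the outside host after translation by the NAT device.
- Outside global address:
The IP address that a device in the Outside network has on the Outside, i.e. the real address of the outside host.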
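1. Topology:
2. Lab steps:
1) Complete the basic configuration of each device according to the topology, and use the command no ip routing to turn off routing on PC1 (the router R1 plays PC1). Once the basic configuration is done, directly connected devices must be able to ping each other.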
R1(config)#int f0/0
R1(config-if)#ip ad
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config)#no ip rou
R1(config)#no ip routi
R1(config)#no ip routing
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/225/1056 ms
R2(config)#int s1/1
R2(config-if)#ip ad
R2(config-if)#ip address 20.1.1.2 255.255.255.0
R2(config-if)#no shut
R2#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/45/68 ms
ISP(config)#int f0/0
ISP(config-if)#ip ad
ISP(config-if)#ip address 192.168.1.2 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#int s1/1
ISP(config-if)#ip ad
ISP(config-if)#ip address 20.1.1.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#^Z
ISP#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/36 ms
ISP#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/52 ms
2) Use static NAT so that PC1 can reach R2
Before configuring NAT, first check whether PC1 can reach R2:
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Clearly it cannot.
Now we configure NAT:
ISP(config)#ip nat inside source static 192.168.1.1 20.1.1.1
ISP(config)#int f0/0
ISP(config-if)#ip na
ISP(config-if)#ip nat i
ISP(config-if)#ip nat inside
ISP(config-if)#int s1/1
ISP(config-if)#ip na
ISP(config-if)#ip nat o
ISP(config-if)#ip nat outside
Test again:
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/242/1060 ms
With static NAT configured, the ping succeeds.
3) Test and debug with ping and debug ip nat, and on ISP use show ip nat translations to examine the NAT table closely
R1#debug ip nat
IP NAT debugging is on
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/84 ms
ISP#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 20.1.1.1           192.168.1.1        ---                ---
4) On router ISP, create a dynamic address pool of 10 addresses (200.200.200.1/24-200.200.200.10/24)
ISP(config)#ip nat pool pool1 ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10 pr
ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10 prefix-length 24
5) Delete the static NAT configured earlier and, using the dynamic address pool just created, use dynamic NAT so that PC1 can reach R2
ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10 prefix-length 24
ISP(config)#no ip nat inside source static 192.168.1.1 20.1.1.1
ISP(config)#ac
ISP(config)#access-list 1 pe
ISP(config)#access-list 1 permit a
ISP(config)#access-list 1 permit any
ISP(config)#ip nat inside source list 1 pool p
ISP(config)#ip nat inside source list 1 pool pool1
Now test it:
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
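The ping still fails.
Why? The output shows that no replies come back: R2 has no route to the translated source address in 200.200.200.0/24. Having found the cause, we configure a default route on R2: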
R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1
With that configured, test again:
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms
Haha, now it works.
6) Test and debug with ping and debug ip nat, and use show ip nat translations to examine the NAT table closely
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms
R1#
ISP#debug ip nat
IP NAT debugging is on
ISP#show ip na
ISP#show ip nat t
ISP#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.200.200.1      192.168.1.1        ---                ---
ISP#
7) Change PC1's IP address to 192.168.1.100/24, test again with ping, and view the NAT table with show ip nat translations. What is the shortcoming of dynamic NAT?
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/240/1072 ms
R1#
ISP#show ip nat translations
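Pro Inside global      Inside local       Outside local      Outside global
--- 200.200.200.1      192.168.1.1        ---                ---
icmp 200.200.200.2:6   192.168.1.100:6    20.1.1.2:6         20.1.1.2:6
--- 200.200.200.2      192.168.1.100      ---                ---
ISP#
From the table above we can see that dynamic NAT does not save IP addresses: each inside local address takes a pool address of its own (192.168.1.1 holds 200.200.200.1 and 192.168.1.100 holds 200.200.200.2).
8) On router ISP, remove the address pool mapping and use PAT on the interface so that PC1 can reach R2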
ISP(config)#no ip nat inside source list 1 pool pool1
Dynamic mapping in use, do you want to delete all entries? [no]: y
ISP(config)#ip na
ISP(config)#ip nat
ISP(config)#ip nat is
ISP(config)#ip nat i
ISP(config)#ip nat inside s
ISP(config)#ip nat inside source l
ISP(config)#ip nat inside source list 1 int s1/1
ISP(config)#ip nat inside source list 1 int s1/1 o
ISP(config)#ip nat inside source list 1 int s1/1 ov
ISP(config)#ip nat inside source list 1 int s1/1 overload
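The overload keyword must be included, because with a single shared address the translation relies on the port number (for ICMP, the identifier shown after the colon in the NAT table) to tell which inside host each translation belongs to.
9) Test and debug with ping, telnet and debug ip nat, and use show ip nat translations to view the NAT table and observe what has changed.
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds: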
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/80 ms
R1#te
R1#tel
R1#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
Password required, but none set
[Connection to 192.168.1.2 closed by foreign host]
R1#
R1#de
R1#deb
R1#debug ip na
R1#debug ip nat
IP NAT debugging is on
ISP#show ip nat translations
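Pro Inside global      Inside local       Outside local      Outside global
icmp 20.1.1.1:8        192.168.1.100:8    20.1.1.2:8         20.1.1.2:8
ISP#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.1.1.1:8        192.168.1.100:8    20.1.1.2:8         20.1.1.2:8
ISP#
We can see that PAT saves IP addresses: the translation uses the single address 20.1.1.1 of interface s1/1 and tells flows apart by the number after the colon.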