In an enterprise you will sometimes find one router uplinked to several organizations or companies, while a subnet or a server on the internal network needs to reach several of those uplinked organizations, and every one of those paths has to pass through NAT. If a single internal server needs to reach each of the uplinked organizations, how should NAT be configured? With only one uplinked organization it is of course simple: one static mapping does the job. What about two uplinked organizations, or more? The following case walks through it:
As shown in the figure above: the internal server 192.168.93.82 of organization A (a loopback is used here for testing) needs to reach 3.3.3.3 at organization B and 4.4.4.4 at organization C, with address translation performed on router R2 in both cases: traffic to organization B is translated to 10.49.250.49, and traffic to organization C is translated to 10.11.11.2.
The idea is simple. Static NAT clearly has to be configured, but if only the usual single static translation is configured on the device (ip nat inside source static 192.168.93.82 10.11.11.2), then only one uplinked organization can be reached; both organizations cannot be reached at the same time without the two interfering with each other. If a second line, ip nat inside source static 192.168.93.82 10.49.250.49, is then added, the command is rejected, because a static translation to organization C already exists for that address. So how can both lines be configured? Append a route-map to each: traffic to 3.3.3.3 is then translated to 10.49.250.49, and traffic to 4.4.4.4 to 10.11.11.2. How is the route-map written? It only needs to match two conditions: first, which IP address or subnet is being translated, and second, which organization is being reached (the outgoing interface or the next hop).
The configuration is as follows:
R1:
interface Loopback0
ip address 192.168.93.82 255.255.255.255
!
interface Serial0/0
ip address 12.1.1.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2:
interface Serial0/0
ip address 12.1.1.2 255.255.255.252
ip nat inside
interface FastEthernet1/0
ip address 23.1.1.1 255.255.255.252
ip nat outside
interface FastEthernet2/0
ip address 24.1.1.1 255.255.255.252
ip nat outside
ip nat inside source static 192.168.93.82 10.11.11.2 route-map danweiC
ip nat inside source static 192.168.93.82 10.49.250.59 route-map danweiB
access-list 1 permit 192.168.93.82
!
route-map danweiC permit 10
match ip address 1
match interface FastEthernet2/0 // a next hop could be matched here instead
!
route-map danweiB permit 10
match ip address 1
match interface FastEthernet1/0
R3:
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 23.1.1.2 255.255.255.252
ip route 10.49.250.0 255.255.255.0 23.1.1.1
R4:
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
ip address 24.1.1.2 255.255.255.252
ip route 10.11.11.2 255.255.255.255 24.1.1.1
Tests from R1:
R1#ping 3.3.3.3 source 192.168.93.82
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.93.82
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/52/80 ms
R1#ping 4.4.4.4 source 192.168.93.82
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.93.82
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/60 ms
Translation entries on R2:
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.12.1.2:4 192.168.93.82:4 4.4.4.4:4 4.4.4.4:4
icmp 10.12.1.2:5 192.168.93.82:5 4.4.4.4:5 4.4.4.4:5
icmp 10.49.250.59:6 192.168.93.82:6 3.3.3.3:6 3.3.3.3:6
icmp 10.49.250.59:7 192.168.93.82:7 3.3.3.3:7 3.3.3.3:7
icmp 10.49.250.59:8 192.168.93.82:8 3.3.3.3:8 3.3.3.3:8
icmp 10.12.1.2:9 192.168.93.82:9 4.4.4.4:9 4.4.4.4:9
icmp 10.12.1.2:10 192.168.93.82:10 4.4.4.4:10 4.4.4.4:10
--- 10.12.1.2 192.168.93.82 --- ---
--- 10.49.250.59 192.168.93.82 --- ---
The case above covers one server reaching two uplinked organizations. For a whole subnet, only the access list needs changing: access-list 1 permit 192.168.93.0 0.0.0.255. If several translated addresses are needed, use address pools instead, configured as follows:
ip nat pool danweiC 10.11.11.1 10.11.11.14 prefix-length 28
ip nat pool danweiB 10.49.250.1 10.49.250.14 prefix-length 28
ip nat inside source route-map danweiC pool danweiC
ip nat inside source route-map danweiB pool danweiB
The route-map configuration stays unchanged!
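To make the selection logic of the R2 configuration concrete, here is an added Python model of how the router chooses the inside-global address; it is an illustration written for this page, not code from the post or from IOS. It models three things the post relies on: standard-ACL wildcard matching, route-map sequence evaluation (all match clauses of a sequence must hold, sequences are tried in order), and the rule that a second plain static entry for the same inside-local address is rejected while route-map qualified entries coexist. It also covers the pool variant at the end of the post. Addresses, interface names, ACL number and route-map names come from the configuration section (10.49.250.59 for danweiB, as in the config rather than the 10.49.250.49 of the narrative); the class and function names (Nat, acl_matches, route_map_permits, r2_static, r2_pool, conflict_without_route_map) are assumptions of this example, and the model ignores IOS details such as translation timeouts and per-flow (port-level) entries.

```python
import ipaddress

# Simplified model of IOS route-map based NAT selection (constructed for this page).

def acl_matches(entries, src):
    """Cisco standard ACL: each entry is (action, address, wildcard); a wildcard
    bit of 1 means 'ignore this bit'. First matching entry decides; implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in entries:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wildcard))
        if (s & ~w & 0xFFFFFFFF) == (a & ~w & 0xFFFFFFFF):
            return action == "permit"
    return False

def route_map_permits(sequences, acls, src, egress_if):
    """Sequences are evaluated in order; every match clause in a sequence must be
    true. A matching permit sequence returns True; deny or no match returns False."""
    for action, match in sequences:
        if "acl" in match and not acl_matches(acls[match["acl"]], src):
            continue
        if "interface" in match and match["interface"] != egress_if:
            continue
        return action == "permit"
    return False

class Nat:
    def __init__(self, acls, route_maps):
        self.acls, self.route_maps = acls, route_maps
        self.static = []    # (inside_local, inside_global, route_map or None)
        self.pools = {}     # pool name -> free inside-global addresses
        self.dynamic = []   # (route_map, pool name)
        self.table = {}     # (inside_local, route_map) -> allocated inside_global

    def add_static(self, local, global_, route_map=None):
        # IOS rejects a second static entry for the same inside-local address
        # unless both entries are qualified by a route-map.
        for existing_local, existing_global, rm in self.static:
            if existing_local == local and (rm is None or route_map is None):
                raise ValueError(f"{local} is already mapped to {existing_global}")
        self.static.append((local, global_, route_map))

    def add_pool(self, name, first, last):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.pools[name] = [str(ipaddress.IPv4Address(x)) for x in range(int(lo), int(hi) + 1)]

    def add_dynamic(self, route_map, pool):
        self.dynamic.append((route_map, pool))

    def translate(self, src, egress_if):
        """Return the inside-global address for a packet from src leaving egress_if,
        or None when no NAT rule applies (the packet would leave untranslated)."""
        for local, global_, rm in self.static:
            if local == src and (rm is None or
                                 route_map_permits(self.route_maps[rm], self.acls, src, egress_if)):
                return global_
        for rm, pool in self.dynamic:
            if route_map_permits(self.route_maps[rm], self.acls, src, egress_if):
                key = (src, rm)
                if key not in self.table:
                    if not self.pools[pool]:
                        return None          # pool exhausted
                    self.table[key] = self.pools[pool].pop(0)
                return self.table[key]
        return None

# ACL and route-maps exactly as on R2 in the post.
ACLS = {"1": [("permit", "192.168.93.82", "0.0.0.0")]}
ROUTE_MAPS = {
    "danweiC": [("permit", {"acl": "1", "interface": "FastEthernet2/0"})],
    "danweiB": [("permit", {"acl": "1", "interface": "FastEthernet1/0"})],
}

def r2_static():
    """The two route-map qualified static entries from the post."""
    nat = Nat(ACLS, ROUTE_MAPS)
    nat.add_static("192.168.93.82", "10.11.11.2", "danweiC")
    nat.add_static("192.168.93.82", "10.49.250.59", "danweiB")
    return nat

def r2_pool():
    """The pool variant from the end of the post, with the ACL widened to the /24."""
    nat = Nat({"1": [("permit", "192.168.93.0", "0.0.0.255")]}, ROUTE_MAPS)
    nat.add_pool("danweiC", "10.11.11.1", "10.11.11.14")
    nat.add_pool("danweiB", "10.49.250.1", "10.49.250.14")
    nat.add_dynamic("danweiC", "danweiC")
    nat.add_dynamic("danweiB", "danweiB")
    return nat

def conflict_without_route_map():
    """True if the second un-qualified static entry is rejected, as the post describes."""
    nat = Nat(ACLS, ROUTE_MAPS)
    nat.add_static("192.168.93.82", "10.11.11.2")
    try:
        nat.add_static("192.168.93.82", "10.49.250.49")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    nat = r2_static()
    print(nat.translate("192.168.93.82", "FastEthernet1/0"))  # towards R3: 10.49.250.59
    print(nat.translate("192.168.93.82", "FastEthernet2/0"))  # towards R4: 10.11.11.2
    print(conflict_without_route_map())
```

Running the model shows the two properties worth verifying on a real box with show ip nat translations: the same inside-local address gets a different inside-global address purely from the egress interface, and a source not permitted by access-list 1 leaves untranslated, so the ACL is the control that decides which hosts are exposed through each uplink.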