NAT configuration:
Lab topology diagram:
IP address assignment:
pc2:192.168.0.3
sw1:192.168.0.2
r1:f0/0:192.168.0.1
r1:s1/0:219.146.0.1
r2:s1/0:219.146.0.2
r2:s1/1:219.146.1.1
r3:s1/0:219.146.1.2
r3:f0/0:192.168.1.1
sw3:192.168.1.2
pc5:192.168.1.3
Lab objectives:
(1) Static NAT configuration
(2) Dynamic NAT configuration
(3) PAT configuration
r1 configuration:
Router>en
Router#conf t
Router(config)#enable secret abc
Router(config)#line console 0
Router(config-line)#password abc
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
Router(config-line)#exi
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#hostname r1
IP address configuration:
r1(config)#in f0/0
r1(config-if)#ip add 192.168.0.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#in s1/0
r1(config-if)#ip add 219.146.0.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#exi
Configure the OSPF routing protocol:
r1(config)#router ospf 10
r1(config-router)#network 219.146.0.0 0.0.0.255 area 0
r1(config-router)#exi
r2 configuration:
Router>en
Router#conf t
Router(config)#enable secret abc
Router(config)#line console 0
Router(config-line)#password abc
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
Router(config-line)#exi
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#hostname r2
IP address configuration:
r2(config)#in s1/0
r2(config-if)#ip add 219.146.0.2 255.255.255.0
r2(config-if)#no shut
r2(config-if)#in s1/1
r2(config-if)#ip add 219.146.1.1 255.255.255.0
r2(config-if)#no shut
r2(config-if)#exi
Configure the OSPF routing protocol:
r2(config)#router ospf 10
r2(config-router)#network 219.146.0.0 0.0.0.255 a 0
r2(config-router)#network 219.146.1.0 0.0.0.255 a 0
r2(config-router)#exi
r3 configuration:
Router>en
Router#conf t
Router(config)#enable secret abc
Router(config)#line console 0
Router(config-line)#password abc
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
Router(config-line)#exi
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#hostname r3
IP address configuration:
r3(config)#in s1/0
r3(config-if)#ip add 219.146.1.2 255.255.255.0
r3(config-if)#no shut
r3(config-if)#in f 0/0
r3(config-if)#ip add 192.168.1.1 255.255.255.0
r3(config-if)#no shut
r3(config-if)#exi
Configure the OSPF routing protocol:
r3(config)#router ospf 10
r3(config-router)#network 219.146.1.0 0.0.0.255 a 0
r3(config-router)#exi
Address configuration of the PCs and switches (omitted)
Ping r2 from pc2:
pc2#p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping fails, because r1 and r2 have no routing-table entry for this network at all.
(1) Static NAT configuration
Configure a static NAT on r1:
r1(config)#in f0/0
r1(config-if)#ip nat inside
r1(config-if)#in s1/0
r1(config-if)#ip nat outside
r1(config-if)#exi
r1(config)#ip nat inside source static 192.168.0.3 219.146.0.3 // static mapping
Test from pc2:
pc2#p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/93/160 ms
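The ping now succeeds, so static NAT is done.
However, sw1 still cannot communicate with the external network, because we added a static NAT entry only for pc2. For sw1 to reach the external network as well, another static NAT entry must be added; that is, each host needs its own static NAT entry. With many hosts, that is a lot of work.
(2) Dynamic NAT configuration
Likewise, pc5 cannot yet communicate with the external network, so configure a dynamic NAT on r3.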
r3(config)#in f0/0
r3(config-if)#ip nat inside
r3(config-if)#in s1/0
r3(config-if)#ip nat outside
r3(config-if)#exi
r3(config)#ip nat pool r3 219.146.1.3 219.146.1.3 prefix-length 24 // address pool for dynamic mapping
r3(config)#access-list 10 permit 192.168.1.0 0.0.0.255 // access list
r3(config)#ip nat inside source list 10 pool r3 // hosts permitted by list 10 take addresses from the pool named r3
Test from pc5 and sw3:
pc5#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/299/1084 ms
pc5 now works.
sw3#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Because the pool has only one address, none is left for sw3, so it cannot reach the external network.
r3(config)#end
r3#clear ip nat translation * // clear the existing NAT translations
This time, test from sw3 first:
sw3#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/114/172 ms
Now pc5 can no longer get through:
pc5#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
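There is only one address, so whoever gets it first can reach the external network.
Neither static nor dynamic NAT saves IP addresses; both are one-to-one mappings. Dynamic NAT just takes a little less work than static NAT.
(3) PAT configuration
What if two users want to be online at the same time?
The following solves this problem:
On r3, run: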
r3#conf t
r3(config)#no ip nat inside source list 10 pool r3 // remove the previous mapping
Dynamic mapping in use, do you want to delete all entries? [no]: y
r3(config)#ip nat inside source list 10 pool r3 overload // add overload so that the addresses in this pool are reused
Test pc5 and sw3 again:
pc5#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/116/188 ms
sw3#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/98/196 ms
Both now get through; the problem is solved.
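An added example (not part of the original lab write-up): a simplified Python model of r3's translation table that reproduces the two results above, pool exhaustion under plain dynamic NAT and address sharing under `overload`. The class, the source port 4000 and the port-selection rule (keep the source port if free, otherwise the next free port from 1024) are assumptions for illustration, not IOS internals.

```python
# Added example: simplified model of r3's inside-source NAT table.
# Addresses are the lab's; source port 4000 and the class are constructed.
from itertools import chain


class InsideSourceNat:
    def __init__(self, pool, overload=False):
        self.pool = list(pool)      # inside-global addresses (pool r3)
        self.overload = overload    # True models the `overload` keyword
        self.table = {}             # inside-local key -> (global ip, port)

    def translate(self, ip, port):
        """Return the translated (ip, port), or None if no binding is free."""
        # Plain dynamic NAT binds per host; PAT binds per (host, port) flow.
        key = (ip, port) if self.overload else ip
        if key not in self.table:
            binding = self._allocate(port)
            if binding is None:
                return None         # packet dropped: the U.U.U ping result
            self.table[key] = binding
        g_ip, g_port = self.table[key]
        return (g_ip, g_port if self.overload else port)

    def _allocate(self, port):
        used = set(self.table.values())
        for addr in self.pool:
            if not self.overload:
                # One inside host consumes a whole pool address.
                if (addr, None) not in used:
                    return (addr, None)
                continue
            # PAT: keep the source port if free, else take the next free one.
            for cand in chain([port], range(1024, 65536)):
                if (addr, cand) not in used:
                    return (addr, cand)
        return None


def run_lab(overload, order=("192.168.1.3", "192.168.1.2")):
    """One flow per host on a fresh (cleared) table; default order is pc5, sw3."""
    nat = InsideSourceNat(["219.146.1.3"], overload=overload)
    return {host: nat.translate(host, 4000) for host in order}
```

Reversing `order` corresponds to the retest after `clear ip nat translation *`, where sw3 takes the single pool address and pc5 is left without one.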
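Now there is another problem: what if you have only one public address, and it is already assigned to r3's s1/0 interface, yet other hosts still want to reach the external network?
Again, on r3: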
r3(config)#no ip nat in sou li 10 po r3 over // remove the previous mapping
r3(config)#ip nat in sou li 10 interface serial 1/0 overload // interface-based mapping
Test:
pc5#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/84/156 ms
sw3#p 219.146.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/123/180 ms
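The goal is achieved.
Now there is yet another problem:
As we know, a host on the external network cannot communicate directly with a host on the internal network. But suppose, for example, that pc2 wants to telnet to pc5: how can that be done?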
pc5#conf t
pc5(config)#line vty 0 181
pc5(config-line)#pass abc
pc5(config-line)#login
pc5(config-line)#exi
r3(config)#ip nat inside source static tcp 192.168.1.3 23 219.146.1.4 23 // port mapping
pc2#tel 219.146.1.4
Trying 219.146.1.4 ... Open
Password required, but none set
[Connection to 219.146.1.4 closed by foreign host]
pc2#tel 219.146.1.4
Trying 219.146.1.4 ... Open
User Access Verification
Password:
pc5>
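The goal is achieved.
Another question: if sw3 and pc5 are servers providing a www service, how can load balancing be achieved when pc2 accesses them? (Telnet is used as the example here.)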
r3(config)#no ip nat inside source static tcp 192.168.1.3 23 219.146.1.4 23
Static entry in use, do you want to delete child entries? [no]: y
r3(config)#access-list 10 permit host 219.146.1.4 // the reverse of the earlier list
r3(config)#ip nat pool r3 192.168.1.2 192.168.1.3 netmask 255.255.255.0 type rotary // adding type rotary provides the load balancing
r3(config)#ip nat inside destination list 10 pool r3 // here source also changes to destination
Enable the telnet service on sw3:
sw3#conf t
sw3(config)#lin vty 0 935
sw3(config-line)#pas abc
sw3(config-line)#login
sw3(config-line)#exi
Test:
pc2#telnet 219.146.1.4
Trying 219.146.1.4 ... Open
User Access Verification
Password:
pc5>
pc5>
pc5>exi
[Connection to 219.146.1.4 closed by foreign host]
pc2#telnet 219.146.1.4
Trying 219.146.1.4 ... Open
User Access Verification
Password:
sw3>
sw3>
sw3>exi
[Connection to 219.146.1.4 closed by foreign host]
pc2#telnet 219.146.1.4
Trying 219.146.1.4 ... Open
User Access Verification
Password:
pc5>
pc5>exi
[Connection to 219.146.1.4 closed by foreign host]
pc2#telnet 219.146.1.4
Trying 219.146.1.4 ... Open
User Access Verification
Password:
sw3>
sw3>exi
[Connection to 219.146.1.4 closed by foreign host]
pc2#
The goal is achieved. The lab is complete.
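An added example (not from the original lab): a small audit that lists which inside hosts the lab's NAT statements make reachable from the outside. The CONFIG sample merges statements from r1 and r3 across the lab steps into one constructed input, the function name is hypothetical, and treating the rotary pool as matching any TCP port is a simplifying assumption.

```python
# Added example: report inbound exposure created by the lab's NAT statements.
# CONFIG is a constructed sample built from commands shown on this page; the
# parser handles only the statement forms used in this lab.
import ipaddress
import re

CONFIG = """\
ip nat inside source static 192.168.0.3 219.146.0.3
ip nat inside source list 10 interface serial 1/0 overload
ip nat inside source static tcp 192.168.1.3 23 219.146.1.4 23
access-list 10 permit host 219.146.1.4
ip nat pool r3 192.168.1.2 192.168.1.3 netmask 255.255.255.0 type rotary
ip nat inside destination list 10 pool r3
"""


def inbound_exposure(config):
    """Return sorted (outside_addr, proto, port, inside_addr) tuples."""
    pools, acl_hosts, found = {}, {}, set()
    lines = config.splitlines()
    # First pass: collect rotary pools and the host entries of each ACL.
    for line in lines:
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) .*type rotary", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.group(2, 3))
            pools[m[1]] = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        elif m := re.match(r"access-list (\d+) permit host (\S+)", line):
            acl_hosts.setdefault(m[1], []).append(m[2])
    # Second pass: every statement that accepts outside-initiated traffic.
    for line in lines:
        if m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$", line):
            found.add((m[4], m[1], m[5], m[2]))       # single forwarded port
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            found.add((m[2], "ip", "any", m[1]))      # whole host, both directions
        elif m := re.match(r"ip nat inside destination list (\d+) pool (\S+)", line):
            for vip in acl_hosts.get(m[1], []):
                for real in pools.get(m[2], []):
                    found.add((vip, "tcp", "any", real))  # rotary target
    return sorted(found)


if __name__ == "__main__":
    for entry in inbound_exposure(CONFIG):
        print("%s %s/%s -> %s" % entry)
```

The static one-to-one entry exposes pc2 on every protocol and port, while the `overload` rule appears nowhere in the result because it creates translations only for inside-initiated flows.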