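Environment: two routers connected through their serial ports.

Requirements: as shown in the figure below, configure the secondary addresses 10.1.1.2-10.1.1.4 on R1's Ethernet interface. Translate the two secondary addresses 10.1.1.2 and 10.1.1.3 with dynamic NAT, using the address pool 80.1.1.2-80.1.1.9; statically translate the secondary address 10.1.1.4 to 80.1.1.10; and translate the Ethernet interface's primary IP address with PAT. Map a port between 10.1.1.6 and 80.1.1.8. Then test from a PC.

[Figure 1: CCNA Part 6: static NAT, dynamic NAT and PAT]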

Step 1: Basic configuration

R1 configuration:

R1(config)#interface e0

R1(config-if)#ip address 10.1.1.1 255.255.255.0

R1(config-if)#ip address 10.1.1.2 255.255.255.0 secondary → set a secondary IP

R1(config-if)#ip address 10.1.1.3 255.255.255.0 secondary

R1(config-if)#ip address 10.1.1.4 255.255.255.0 secondary

R1(config-if)#ip address 10.1.1.5 255.255.255.0 secondary

R1(config-if)#ip address 10.1.1.6 255.255.255.0 secondary

R1(config-if)#no keepalive → disable keepalive checking

R1(config-if)#no shutdown

R1(config-if)#interface s0

R1(config-if)#ip address 30.1.1.1 255.255.255.0

R1(config-if)#clock rate 64000

R1(config-if)#no shutdown

R2 configuration:

R2(config)#interface loopback 0

R2(config-if)#ip address 20.1.1.1 255.255.255.0

R2(config-if)#interface s1

R2(config-if)#ip address 30.1.1.2 255.255.255.0

R2(config-if)#no shutdown

Configure routing:

R2(config)#ip route 80.1.1.0 255.255.255.240 serial 1

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0

Step 2: Creating NAT and PAT

NAT configuration:

R1(config)#access-list 10 permit host 10.1.1.2 → define the translation list

R1(config)#access-list 10 permit host 10.1.1.3

R1(config)#ip nat pool ippool 80.1.1.2 80.1.1.9 prefix-length 28 → define the address pool

R1(config)#ip nat inside source list 10 pool ippool → associate the pool with the list

PAT configuration:

R1(config)#access-list 11 permit host 10.1.1.1 → PAT translation list

R1(config)#ip nat inside source list 11 interface serial 0 overload → map to the interface

Static NAT configuration:

R1(config)#ip nat inside source static 10.1.1.4 80.1.1.10

R1(config)#ip nat inside source static tcp 10.1.1.6 80 80.1.1.8 80

R1(config)#interface e0

R1(config-if)#ip nat inside → apply to the interface

R1(config-if)#interface s0

R1(config-if)#ip nat outside → apply to the interface

R1(config-if)#ip http server → enable the router's HTTP service, to verify whether the port 80 mapping works

Step 3: Testing

R1#ping

Protocol [ip]:

Target IP address:20.1.1.1

Extended commands [n]: y

Source address or interface: 10.1.1.1

!!!!!

R1#ping

Protocol [ip]:

Target IP address: 20.1.1.1

Extended commands [n]: y

Source address or interface: 10.1.1.2

!!!!!

R1#ping

Protocol [ip]:

Target IP address:20.1.1.1

Extended commands [n]: y

Source address or interface: 10.1.1.3

!!!!!

R1#show ip nat translation → view the translation table

Pro   Inside global    Inside local     Outside local    Outside global
---   80.1.1.10        10.1.1.4         ---              ---
---   80.1.1.2         10.1.1.2         ---              ---
---   80.1.1.3         10.1.1.3         ---              ---
icmp  30.1.1.1:2832    10.1.1.1:2832    20.1.1.1:2832    20.1.1.1:2832
icmp  30.1.1.1:2833    10.1.1.1:2833    20.1.1.1:2833    20.1.1.1:2833
icmp  30.1.1.1:2834    10.1.1.1:2834    20.1.1.1:2834    20.1.1.1:2834
icmp  30.1.1.1:2835    10.1.1.1:2835    20.1.1.1:2835    20.1.1.1:2835
icmp  30.1.1.1:2836    10.1.1.1:2836    20.1.1.1:2836    20.1.1.1:2836
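
As an added example (not part of the original lab), the following Python script checks the translation table above against the intent of R1's configuration: static for 10.1.1.4, dynamic from the pool for 10.1.1.2 and 10.1.1.3, and PAT behind Serial0's address for 10.1.1.1. The function names are illustrative, and the port mapping for 10.1.1.6 does not appear in the captured table and is not modelled.

```python
import ipaddress

# "show ip nat translation" output copied from the test step on this page.
TABLE = """\
Pro Inside global Inside local Outside local Outside global
--- 80.1.1.10 10.1.1.4 --- ---
--- 80.1.1.2 10.1.1.2 --- ---
--- 80.1.1.3 10.1.1.3 --- ---
icmp 30.1.1.1:2832 10.1.1.1:2832 20.1.1.1:2832 20.1.1.1:2832
icmp 30.1.1.1:2833 10.1.1.1:2833 20.1.1.1:2833 20.1.1.1:2833
"""

# Intended translations, taken from the R1 configuration on this page.
POOL_FIRST = ipaddress.ip_address("80.1.1.2")
POOL_LAST = ipaddress.ip_address("80.1.1.9")
DYNAMIC_SOURCES = {"10.1.1.2", "10.1.1.3"}   # access-list 10
PAT_SOURCES = {"10.1.1.1"}                   # access-list 11
PAT_GLOBAL = "30.1.1.1"                      # Serial0 address used by overload
STATIC = {"10.1.1.4": "80.1.1.10"}

def classify(line):
    """Return (inside_local, inside_global, kind) for one table row."""
    pro, inside_global, inside_local = line.split()[:3]
    gip = inside_global.split(":")[0]
    lip = inside_local.split(":")[0]
    if pro == "---":   # simple one-to-one entry, no port information
        if STATIC.get(lip) == gip:
            kind = "static"
        elif (lip in DYNAMIC_SOURCES
              and POOL_FIRST <= ipaddress.ip_address(gip) <= POOL_LAST):
            kind = "dynamic"
        else:
            kind = "unexpected"
    elif lip in PAT_SOURCES and gip == PAT_GLOBAL:
        kind = "pat"       # many sessions share one global address
    else:
        kind = "unexpected"
    return lip, gip, kind

def audit(table):
    """Map each inside local address to the set of (global, kind) seen."""
    seen = {}
    for line in table.splitlines()[1:]:      # skip the header row
        if line.strip():
            lip, gip, kind = classify(line)
            seen.setdefault(lip, set()).add((gip, kind))
    return seen

if __name__ == "__main__":
    for lip, entries in sorted(audit(TABLE).items()):
        print(lip, sorted(entries))
```

Any row reported as "unexpected" is a translation the configuration was not meant to create. The rows whose protocol column is "---" are one-to-one mappings, so the inside host is reachable from outside on the global address for as long as the entry exists.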

Step 4: Displaying the current configuration

R1's current configuration:

R1#show running-config

hostname R1

!

no ip domain-lookup

!

interface Ethernet0

ip address 10.1.1.2 255.255.255.0 secondary

ip address 10.1.1.3 255.255.255.0 secondary

ip address 10.1.1.4 255.255.255.0 secondary

ip address 10.1.1.5 255.255.255.0 secondary

ip address 10.1.1.6 255.255.255.0 secondary

ip address 10.1.1.1 255.255.255.0

ip nat inside

no keepalive

!

interface Serial0

ip address 30.1.1.1 255.255.255.0

ip nat outside

clockrate 64000

!

ip nat pool ippool 80.1.1.2 80.1.1.9 prefix-length 28

ip nat inside source list 10 pool ippool

ip nat inside source list 11 interface Serial0 overload

ip nat inside source static 10.1.1.4 80.1.1.10

ip nat inside source static tcp 10.1.1.6 80 80.1.1.8 80 extendable

ip route 0.0.0.0 0.0.0.0 Serial0

ip route 192.168.155.0 255.255.255.0 30.1.1.2  / this is my PC's subnet
ip http server
!

!

access-list 10 permit 10.1.1.2

access-list 10 permit 10.1.1.3

access-list 11 permit 10.1.1.1

!

line con 0

exec-timeout 0 0

logging synchronous

end

R2's current configuration:

r2#show running-config

hostname r2

no ip domain-lookup

!

interface Loopback0

ip address 20.1.1.1 255.255.255.0

!

interface FastEthernet0/0
ip address 192.168.155.11 255.255.255.0
duplex half

!

interface Serial1

ip address 30.1.1.2 255.255.255.0

!

ip route 80.1.1.0 255.255.255.240 Serial1

line con 0

exec-timeout 0 0

logging synchronous

end

Settings on the PC:

c:>route add 80.1.1.0 mask 255.255.255.0 192.168.155.11 metric 5

Then, on the PC, browse to 80.1.1.8 and then to 80.1.1.7. See which one can be reached normally and which cannot, to verify whether the port mapping works.