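NAT Address Translation
I. Lab environment: P5, Cisco2811 (two), Cisco2960 (two), one Cisco2950, and N PCs.
PC0, PC2 and PC4 each connect to interface F0/23 of their switch, with IP addresses 10.10.10.10, 10.10.20.10 and 192.168.10.2 respectively. PC1, PC3 and PC5 each connect to interface F0/24 of their switch, with IP addresses 10.10.10.20, 10.10.20.20 and 192.168.20.2 respectively. All masks are 24 bits; PC5 and PC6 correspond to vlan10 and vlan20 respectively.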

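II. Lab objective: simulate a real company environment in which different VLANs are assigned different public IP addresses. In this lab, PC0 and PC1 are translated to 172.16.1.11 and 172.16.1.21, PC2 and PC3 are translated to 172.16.1.3, and PC4 and PC5 (they are in different VLANs, which is the key point of this lab) are translated to 172.16.1.10 and 172.16.1.20 respectively. The topology is as follows: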

[Figure 1: NAT translation for different VLANs (topology diagram)]

III. Configuration on R0:

R0#show running-config
Building configuration...

Current configuration : 1000 bytes
!
version 12.4
no service password-encryption
!
hostname R0
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Ethernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface Ethernet1/1
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/2
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/3
 no ip address
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool onlyone 172.16.1.3 172.16.1.3 netmask 255.255.255.0
ip nat inside source list 1 pool onlyone overload
ip nat inside source static 10.10.10.10 172.16.1.11
ip nat inside source static 10.10.10.20 172.16.1.21
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!
access-list 1 permit 10.10.20.0 0.0.0.255
!
!
!
line con 0
line vty 0 4
 login
!
!
end

R0#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
---  172.16.1.11       10.10.10.10        ---                ---
---  172.16.1.21       10.10.10.20        ---                ---
R0#show ip nat statistics
Total translations: 2 (2 static, 0 dynamic, 0 extended)
Outside Interfaces: Ethernet1/0
Inside Interfaces: FastEthernet0/0 , FastEthernet0/1
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool onlyone refCount 0
 pool onlyone: netmask 255.255.255.0
       start 172.16.1.3 end 172.16.1.3
       type generic, total addresses 1 , allocated 0 (0%), misses 0

R0#show access-lists
Standard IP access list 1
    permit 10.10.20.0 0.0.0.255

 

IV. Configuration on R1:

R1#show running-config
Building configuration...

Current configuration : 911 bytes
!
version 12.4
no service password-encryption
!
hostname R1
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool test10 172.16.1.10 172.16.1.10 netmask 255.255.255.0
ip nat pool test20 172.16.1.20 172.16.1.20 netmask 255.255.255.0
ip nat inside source list 10 pool test10
ip nat inside source list 20 pool test20
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
!
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
!
!
!
line con 0
line vty 0 4
 login
!
!
end

R1#show ip nat translations
R1#show ip nat statistics
Total translations: 0 (0 static, 0 dynamic, 0 extended)
Outside Interfaces: FastEthernet0/0
Inside Interfaces: FastEthernet0/1
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 10 pool test10 refCount 0
 pool test10: netmask 255.255.255.0
       start 172.16.1.10 end 172.16.1.10
       type generic, total addresses 1 , allocated 0 (0%), misses 0
-- Inside Source
access-list 20 pool test20 refCount 0
 pool test20: netmask 255.255.255.0
       start 172.16.1.20 end 172.16.1.20
       type generic, total addresses 1 , allocated 0 (0%), misses 0
R1#show acces
Standard IP access list 10
    permit 192.168.10.0 0.0.0.255
Standard IP access list 20
    permit 192.168.20.0 0.0.0.255

V. Testing network connectivity.

1) Ping PC4 from PC1
ping  192.168.10.2

R0#debug ip nat
IP NAT debugging is on
R0#
NAT: s=10.10.10.20->172.16.1.21, d=192.168.10.2[0]
NAT*: s=172.16.1.10, d=172.16.1.21->10.10.10.20[0]
NAT: s=10.10.10.20->172.16.1.21, d=192.168.10.2[0]
NAT*: s=172.16.1.10, d=172.16.1.21->10.10.10.20[0]
NAT: s=10.10.10.20->172.16.1.21, d=192.168.10.2[0]
NAT*: s=172.16.1.10, d=172.16.1.21->10.10.10.20[0]
NAT: s=10.10.10.20->172.16.1.21, d=192.168.10.2[0]
NAT*: s=172.16.1.10, d=172.16.1.21->10.10.10.20[0]

2) Test PC3 from PC5
ping 10.10.20.20

R1#debug ip nat
IP NAT debugging is on
R1#
NAT: s=192.168.20.2->172.16.1.20, d=10.10.20.20[2]
NAT*: s=172.16.1.3, d=172.16.1.20->192.168.20.2[2]
NAT: s=192.168.20.2->172.16.1.20, d=10.10.20.20[2]
NAT*: s=172.16.1.3, d=172.16.1.20->192.168.20.2[2]
NAT: s=192.168.20.2->172.16.1.20, d=10.10.20.20[2]
NAT*: s=172.16.1.3, d=172.16.1.20->192.168.20.2[2]
NAT: s=192.168.20.2->172.16.1.20, d=10.10.20.20[2]
NAT*: s=172.16.1.3, d=172.16.1.20->192.168.20.2[2]
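
The host-to-public-address mapping that the debug output above confirms can also be derived from the configuration itself. The following Python sketch is an added example, not part of the original post: it parses the NAT lines copied from the R0 and R1 configurations and reports which public address a given inside host is translated to. The function names parse_nat and inside_global are hypothetical, and it assumes standard ACLs with contiguous wildcard masks.

```python
import ipaddress

# NAT-related lines copied from the R0 and R1 running-configs shown above.
R0_CONFIG = """\
ip nat pool onlyone 172.16.1.3 172.16.1.3 netmask 255.255.255.0
ip nat inside source list 1 pool onlyone overload
ip nat inside source static 10.10.10.10 172.16.1.11
ip nat inside source static 10.10.10.20 172.16.1.21
access-list 1 permit 10.10.20.0 0.0.0.255
"""
R1_CONFIG = """\
ip nat pool test10 172.16.1.10 172.16.1.10 netmask 255.255.255.0
ip nat pool test20 172.16.1.20 172.16.1.20 netmask 255.255.255.0
ip nat inside source list 10 pool test10
ip nat inside source list 20 pool test20
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
"""

def parse_nat(config):
    """Collect static maps, pools, standard ACLs and dynamic rules."""
    static, pools, acls, rules = {}, {}, {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:4] == ["ip", "nat", "inside", "source"]:
            if w[4] == "static":
                static[w[5]] = w[6]          # inside local -> inside global
            elif w[4] == "list" and w[6] == "pool":
                rules.append((w[5], w[7], "overload" in w[8:]))
        elif w[:3] == ["ip", "nat", "pool"]:
            pools[w[3]] = (w[4], w[5])       # (start, end)
        elif w[:1] == ["access-list"] and w[2] == "permit":
            # ipaddress reads a mask starting with 0 as a wildcard (host) mask.
            net = ipaddress.ip_network(f"{w[3]}/{w[4]}")
            acls.setdefault(w[1], []).append(net)
    return static, pools, acls, rules

def inside_global(config, host):
    """Return ((pool start, pool end), kind) for an inside host address."""
    static, pools, acls, rules = parse_nat(config)
    if host in static:                       # static entries are checked first
        return (static[host], static[host]), "static"
    addr = ipaddress.ip_address(host)
    for acl, pool, overload in rules:
        if any(addr in net for net in acls.get(acl, [])):
            return pools[pool], "PAT" if overload else "dynamic one-to-one"
    return None, "untranslated"
```

The result for R1 is reported as "dynamic one-to-one" because its single-address pools are bound without the overload keyword, so each pool address can be held by only one inside host at a time.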

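VI. Summary

This lab came out of a classmate's question: how to make different VLANs use different public IP addresses to reach the Internet. My first reaction was that it could certainly be done, but that was only theory. Several lab attempts afterwards all ended in failure (speechless), and I thought about giving up more than once, but in pursuit of the truth and in the spirit of trying again after every defeat, I finally succeeded. I am sharing my joy with everyone here, with no intention of showing off; perhaps it looks very simple to others, haha... Hard work will always bring a result, and whatever the result, the process is the best part! (*^__^*) Hee hee...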