[Figure 1: acl-nat lab configuration topology]
The lab topology is shown above.
         Goal: use NAT so the internal and external networks can communicate
1. Configure IP addresses
   inside:lo0=172.16.1.1/24
          lo1=172.16.2.1/24
          s1/0=12.1.1.1/24
   Border:s1/0=12.1.1.2/24
          f0/0=23.1.1.1/24
      ISP:f0/0=23.1.1.2/24
          lo0=100.100.100.100/24
Configure inside
inside>en
inside#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
inside(config)#no ip domain-lookup
inside(config)#line console 0
inside(config-line)#exec-timeout 0 0
inside(config-line)#logg syn
inside(config-line)#exit
inside(config)#exit
inside#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
inside(config)#int l 0
inside(config-if)#ip add
*Mar  1 00:32:49.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
inside(config-if)#ip add 172.16.1.1 255.255.255.0
inside(config-if)#int l 1
inside(config-if)#ip add
*Mar  1 00:33:01.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
inside(config-if)#ip add 172.16.2.1 255.255.255.0
inside(config-if)#int s1/0
inside(config-if)#no sh
inside(config-if)#ip add 12.1.1.
*Mar  1 00:33:26.919: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
inside(config-if)#ip add 12.1.1.1 25
*Mar  1 00:33:27.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
inside(config-if)#ip add 12.1.1.1 255.255.255.0
Configure border
border>en
border#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
border(config)#no ip domain-lookup
border(config)#line console 0
border(config-line)#exec-timeout 0 0
border(config-line)#logg syn
border(config-line)#exit
border(config)#exit
border#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
border(config)#int s1/0
border(config-if)#no sh
border(config-if)#ip add
*Mar  1 00:34:53.755: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
border(config-if)#ip add 12
*Mar  1 00:34:54.763: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
border(config-if)#ip add 12.1.1.2 255.255.255.0
Configure isp
isp>en
isp#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
isp(config)#no ip domain-lookup
isp(config)#line console 0
isp(config-line)#exec-timeout 0 0
isp(config-line)#logg syn
isp(config-line)#exit
isp(config)#exit
isp#conf
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
isp(config)#int f0/0
isp(config-if)#no sh 
isp(config-if)#ip add
*Mar  1 00:36:23.871: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:36:24.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
isp(config-if)#ip add 23.1.1.2 255.255.255.0
isp(config-if)#int l 0
isp(config-if)#no sh
isp(config-if)#
*Mar  1 00:36:37.931: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
isp(config-if)#ip add 100.100.100.100 255.255.255.0
2. Configure routing
  1. Border
     1) Configure a default route pointing to the ISP
        Test whether the ISP loopback can be pinged
     2) Configure a summary route pointing to Inside
border(config)#ip route 172.16.0.0 255.255.0.0 12.1.1.1
border(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2 
border#ping 100.100.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/33/56 ms

  2. Inside
     1) Configure a default route pointing to Border
     2) Configure a summary route pointing to Null0 (prevents a routing loop)
        Test whether Border can reach the internal network
inside(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
inside(config)#ip route 172.16.0.0 255.255.0.0 null 0
border#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/40/72 ms
3. Configure dynamic NAT (PAT with overload)
border(config)#access-list 1 per 172.16.1.1 0.0.0.255
border(config)#access-list 1 per 172.16.2.1 0.0.0.255
border(config)#ip nat pool cisco 23.1.1.1 23.1.1.1 prefix-length 24
border(config)#ip nat inside source list 1 pool cisco overload
border(config)#int s1/0
border(config-if)#ip nat ins
border(config-if)#ip nat inside
border(config-if)#int f0/0
border(config-if)#ip nat out
border(config-if)#ip nat outside
4. Testing
   1. Turn on debug ip nat on Border/ISP
        Ping the ISP loopback from inside (and from the internal-network loopbacks), watch the translation
        on Border, and note the port translation (sh ip nat tran)
   2. ICMP has no ports, so NAT keys the translation on the ICMP identifier instead
   3. Test with a protocol that has ports: telnet 100.100.100.100 /source-interface lo0/1, then quickly
        check Border's translations (sh ip nat tran)
Router#
Mar  1 00:23:33.047: NAT*: s=172.16.1.1->23.1.1.1, d=100.100.100.100 [65]
*Mar  1 00:23:33.175: NAT*: s=100.100.100.100, d=23.1.1.1->172.16.1.1 [65]
*Mar  1 00:23:33.219: NAT*: s=172.16.1.1->23.1.1.1, d=100.100.100.100 [66]
*Mar  1 00:23:33.251: NAT*: s=100.100.100.100, d=23.1.1.1->172.16.1.1 [66]
*Mar  1 00:23:33.315: NAT*: s=172.16.1.1->23.1.1.1, d=100.100.100.100 [67]
*Mar  1 00:23:33.331: NAT*: s=100.100.100.100, d=23.1.1.1->172.16.1.1 [67]
*Mar  1 00:23:33.375: NAT*: s=172.16.1.1->23.1.1.1, d=100.100.100.100 [68]
*Mar  1 00:23:33.391: NAT*: s=100.100.100.100, d=23.1.1.1->172.16.1.1 [68]
*Mar  1 00:23:33.439: NAT*: s=172.16.1.1->23.1.1.1, d=100.100.100.100 [69]
*Mar  1 00:23:33.471: NAT*: s=100.100.100.100, d=23.1.1.1->172.16.1.1 [69]
*Mar  1 00:24:33.867: NAT: expiring 23.1.1.1 (172.16.1.1) icmp 13 (13)
inside#tel 100.100.100.100 /source-interface l 0
Trying 100.100.100.100 ... Open

User Access Verification
Password:
isp>en
Password:
isp#exit
border#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
tcp 23.1.1.1:33138     172.16.1.1:33138   100.100.100.100:23 100.100.100.100:23
tcp 23.1.1.1:43199     172.16.1.1:43199   100.100.100.100:23 100.100.100.100:23
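Added example, not part of the original lab and not Cisco's code: a small Python model of Border's dynamic PAT configuration from sections 3 and 4 (access-list 1 with wildcard masks, pool cisco holding the single address 23.1.1.1, overload), showing why the TCP entries in sh ip nat tran keep their source port while ICMP entries are keyed by the echo identifier. The port-collision rule (+1) and the class and function names are my own simplifications, not IOS behaviour.

```python
import ipaddress

# access-list 1 permit 172.16.1.1 0.0.0.255 / permit 172.16.2.1 0.0.0.255
ACL_1 = [("172.16.1.1", "0.0.0.255"), ("172.16.2.1", "0.0.0.255")]
# ip nat pool cisco 23.1.1.1 23.1.1.1 -> a single inside-global address
POOL_CISCO = ["23.1.1.1"]


def acl_permits(addr, entries):
    """Standard ACL match: the bits that are 0 in the wildcard mask must agree."""
    a = int(ipaddress.IPv4Address(addr))
    for base, wildcard in entries:
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wildcard))
        if (a & ~w) == (b & ~w):
            return True
    return False


class PatTable:
    """Translations built for traffic leaving the 'ip nat inside' interface."""

    def __init__(self, acl=ACL_1, pool=POOL_CISCO):
        self.acl, self.pool = acl, pool
        self.entries = {}    # (proto, inside local, local id) -> (inside global, global id)
        self.in_use = set()  # (proto, inside global, global id) already handed out

    def translate_out(self, proto, inside_local, local_id):
        """local_id is the TCP/UDP source port or, for ICMP, the echo
        identifier (ICMP has no port, so NAT keys the entry on that number).
        Returns (inside_global, global_id), or None when list 1 does not permit."""
        if not acl_permits(inside_local, self.acl):
            return None
        key = (proto, inside_local, local_id)
        if key not in self.entries:
            g, gid = self.pool[0], local_id
            # overload: reuse the one global address and pick a new port/id only
            # when another inside host holds it (IOS chooses differently; +1 is a stand-in)
            while (proto, g, gid) in self.in_use:
                gid += 1
            self.entries[key] = (g, gid)
            self.in_use.add((proto, g, gid))
        return self.entries[key]

    def translate_in(self, proto, inside_global, global_id):
        """Reverse lookup for the ISP's reply: global address/port -> inside host."""
        for (p, local, lid), (g, gid) in self.entries.items():
            if (p, g, gid) == (proto, inside_global, global_id):
                return (local, lid)
        return None
```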