I. The experiment done on the Xiaofan simulator
Lab requirements: there are three regions, the province (R2), the city (R1) and the county (R3). Inside the county there is one PC at .3.100, attached through a virtual machine and sitting on a different subnet. The three sites are linked by the three routers. The required behaviour is that the province and the city have no route to the county, while the county does have routes to the province and to the city; NAT translation is used to achieve this. The lab diagram is as follows:
1. Apply the same configuration below on every router:
R3(config)#line con 0 (enter the console line)
R3(config-line)#no exec?
exec exec-banner exec-character-bits exec-timeout
R3(config-line)#no exec-timeout (disable the session timeout)
R3(config-line)#log?
logging login logout-warning
synchronous Synchronized message output
R3(config-line)#logging synch (enable synchronous logging)
2. Configuration on R1:
Router#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int s1/0
R1(config-if)#ip add 192.168.4.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#ip add 192.168.1.254 255.255.255.0
R1(config-if)#loop
R1(config-if)#shu
R1(config-if)#no shu (the loopback port must also be brought up)
R1>ping 192.168.4.2 (test whether the directly connected link is up)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/30/52 ms
3. Configuration on R2:
Router(config)#hostname R2
R2(config)#int s1/1
R2(config-if)#ip add 192.168.5.1 255.255.255.0
R2(config-if)#int f0/0
R2(config-if)#ip add 192.168.2.254 255.255.255.0
R2(config-if)#loop
R2(config-if)#shu
R2(config-if)#no shu
4. Configuration on R3:
Router(config)#hostname R3
R3(config)#int s1/0
R3(config-if)#ip add 192.168.4.2 255.255.255.0
R3(config-if)#shu
R3(config-if)#no shu
R3(config)#int s1/1
R3(config-if)#ip add 192.168.5.2 255.255.255.0
R3#ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/54/100 ms
5. To get the required behaviour, NAT translation must also be done on R3. R1 and R2 get no default route; only R3 needs routes, and this same router also carries the access control lists and the NAT translation.
R3(config)#ip route 192.168.1.0 255.255.255.0 192.168.4.1
R3(config)#ip route 192.168.2.0 255.255.255.0 192.168.5.1 (add the two static routes toward the city and province networks)
The routing table on R3 then shows:
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, Serial1/0
C 192.168.5.0/24 is directly connected, Serial1/1
S 192.168.1.0/24 [1/0] via 192.168.4.1
S 192.168.2.0/24 [1/0] via 192.168.5.1
C 192.168.3.0/24 is directly connected, FastEthernet0/0
6. The virtual machine is connected in host-only mode with the parameters shown below. At first the .1.254 and .2.254 networks cannot be pinged; NAT translation is needed.
7. Set the inside and outside interfaces
R3(config-if)#int s1/0
R3(config-if)#ip nat outside (set as outside interface)
R3(config-if)#int s1/1
R3(config-if)#ip nat outside (set as outside interface)
R3(config-if)#int f0/0
R3(config-if)#ip nat in?
inside
R3(config-if)#ip nat inside (set as inside interface)
R3(config)#ip nat inside source list 10 interface s1/0
8. Create the access control lists (this lab needs extended ACLs, because the destination addresses of the two regions must be controlled separately; on Huawei a single basic ACL is enough)
Router(config)#access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 ?
A.B.C.D Destination wildcard bits
Router(config)#$ 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 (control for county to city)
Router(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
Router(config)#$ 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 (control for county to province)
Router(config)#ip nat inside source list 100 interface s1/0 overload (NAT translation applied to the egress interface)
Router(config)#ip nat inside source list 101 interface s1/1 overload
After that, the PC can ping through:
ping 192.168.1.254 -t (ping continuously)
ping 192.168.2.254 -t
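As an added illustration (not part of the lab notes), the following Python model shows what the two `ip nat inside source list ... overload` statements on R3 do: the extended ACL (Cisco wildcard-mask matching) selects which county-to-city and county-to-province traffic is translated and on which outside interface, and a reply is only mapped back when a translation entry already exists, which is why the province and the city never need a route to 192.168.3.0/24. Addresses are the lab's own; the PC's source ports and the 10.0.0.1 destination are constructed sample values.

```python
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the wildcard is a don't-care bit."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# R3's NAT statements from the lab: (ACL source, src wildcard, ACL destination,
# dst wildcard, outside interface, address of that interface).
NAT_RULES = [
    ("192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255", "s1/0", "192.168.4.2"),
    ("192.168.3.0", "0.0.0.255", "192.168.2.0", "0.0.0.255", "s1/1", "192.168.5.2"),
]


class NatOverload:
    """Minimal PAT (overload) table keyed on the outside address and port."""

    def __init__(self) -> None:
        self.table: dict[tuple[str, int], tuple[str, int]] = {}
        self.next_port = 1024  # constructed starting port for translated flows

    def outbound(self, src: str, sport: int, dst: str):
        """Packet entering on f0/0 (ip nat inside) heading out.

        Returns (outside interface, translated source, translated port), or
        None when no ACL matches: the packet is forwarded untranslated, and
        the province/city have no route back to 192.168.3.0/24.
        """
        for acl_src, src_wc, acl_dst, dst_wc, out_if, out_ip in NAT_RULES:
            if wildcard_match(src, acl_src, src_wc) and wildcard_match(dst, acl_dst, dst_wc):
                port = self.next_port
                self.next_port += 1
                self.table[(out_ip, port)] = (src, sport)
                return out_if, out_ip, port
        return None

    def inbound(self, dst: str, dport: int):
        """Packet arriving on an outside interface (ip nat outside).

        Only an existing entry is mapped back to the inside host; anything
        else is dropped, so nothing on the outside can initiate to the PC.
        """
        return self.table.get((dst, dport))
```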
II. On Huawei the lab is basically the same, but implementing this function on Huawei does not need an extended ACL; a basic access control list is enough. The parts that differ are as follows:
Create the access control lists
1. Core part
acl 2000
rule permit source 192.168.3.0 0.0.0.255 (define the rule)
int s1 (enter the interface that leads toward that destination)
nat outbound 2000 interface (apply this rule on that interface)
acl 2001
rule permit source 192.168.3.0 0.0.0.255
int s0
nat outbound 2001 inter
2. Configuration on this router
[R3]acl 2000
[R3-acl-2000]permit ?
Incorrect command
[R3-acl-2000]rule permit ?
source IP address of source host
[R3-acl-2000]rule permit source ?
X.X.X.X IP address of source host
any Any source host
[R3-acl-2000]rule permit source 192.168.3.0 0.0.0.255 ?
[R3-acl-2000]rule permit source 192.168.3.0 0.0.0.255
Rule has been added to normal packet-filtering rules
[R3-acl-2000]int s0
[R3-Serial0]nat ?
outbound Config nat address translation
reset Reset All active NAT table
server Configure Nat server in private network
[R3-Serial0]nat outbound ?
<2000-3999> ACL number
[R3-Serial0]nat outbound 2000 int?
interface Use Interface's IP address
[R3-Serial0]nat outbound 2000 inter
have existed in nat access table!