Lab title: Cisco router Network Address Translation (NAT)

Lab objective: let every host on the internal network reach the Internet through a small number of public IP addresses

Lab introduction:

       With NAT, when a host with a private address sends packets through the router, the private source address is rewritten to a legitimate public IP address, so a large number of internal computers can communicate with the Internet through only a few public addresses. NAT relieves IPv4 address exhaustion, and because internal addressing is hidden from the outside it also improves the security of the internal network.

Lab topology

[Figure 1: lab topology]

Configuration steps

I. Set the PC IP addresses

1. PC1 IP address settings

[Figure 2: PC1 IP settings; PC1 is 192.168.75.2, as the NAT configuration below shows]

2. PC2 IP address settings

[Figure 3: PC2 IP settings; PC2 is 192.168.75.3]

3. PC3 IP address settings

[Figure 4: PC3 IP settings; PC3 is 192.168.0.2]

II. Configure the routers

1. Configure R1

   Router#conf t
   R1(config)#hostname R1
   R1(config)#int f0/0
   R1(config-if)#ip add 192.168.75.30 255.255.255.0
   R1(config-if)#ip nat inside
   R1(config-if)#no shutdown
   R1(config-if)#exi
   R1(config)#int f1/0
   R1(config-if)#ip add 202.96.0.1 255.255.255.248
   R1(config-if)#ip nat outside
   R1(config-if)#no shutdown
   R1(config-if)#exi
   R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0

2. Configure R2

   R2#conf t
   R2(config)#hostname R2
   R2(config)#int f0/0
   R2(config-if)#ip add 192.168.0.1 255.255.255.0
   R2(config-if)#no shutdown
   R2(config-if)#exi
   R2(config)#int f1/0
   R2(config-if)#ip add 202.96.0.2 255.255.255.248
   R2(config-if)#no shutdown
   R2(config-if)#exi

III. Configure static NAT

1. On R1, map PC1 (192.168.75.2) to 202.96.0.1 and PC2 (192.168.75.3) to 202.96.0.3

   R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1
   R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3

2. Ping PC3 from PC1 to test

   PC>ping 192.168.0.2 

   Pinging 192.168.0.2 with 32 bytes of data:

   Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
   Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
   Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
   Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

   Ping statistics for 192.168.0.2:
       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
   Approximate round trip times in milli-seconds:
       Minimum = 0ms, Maximum = 9ms, Average = 2ms

3. Ping PC3 from PC2 to test

   PC>ping 192.168.0.2
   Pinging 192.168.0.2 with 32 bytes of data:

   Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
   Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
   Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
   Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

   Ping statistics for 192.168.0.2:
       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
   Approximate round trip times in milli-seconds:
       Minimum = 0ms, Maximum = 1ms, Average = 0ms

4. Check the translation table on router R1 (first before, then after the pings)

  R1#sh ip nat translations
  Pro  Inside global     Inside local       Outside local      Outside global
  ---  202.96.0.1        192.168.75.2       ---                ---
  ---  202.96.0.3        192.168.75.3       ---                ---

  R1#sh ip nat translations
  Pro  Inside global     Inside local       Outside local      Outside global
  icmp 202.96.0.1:73     192.168.75.2:73    192.168.0.2:73     192.168.0.2:73
  icmp 202.96.0.1:74     192.168.75.2:74    192.168.0.2:74     192.168.0.2:74
  icmp 202.96.0.1:75     192.168.75.2:75    192.168.0.2:75     192.168.0.2:75
  icmp 202.96.0.1:76     192.168.75.2:76    192.168.0.2:76     192.168.0.2:76
  icmp 202.96.0.3:45     192.168.75.3:45    192.168.0.2:45     192.168.0.2:45
  icmp 202.96.0.3:46     192.168.75.3:46    192.168.0.2:46     192.168.0.2:46
  icmp 202.96.0.3:47     192.168.75.3:47    192.168.0.2:47     192.168.0.2:47
  icmp 202.96.0.3:48     192.168.75.3:48    192.168.0.2:48     192.168.0.2:48
  ---  202.96.0.1        192.168.75.2       ---                ---
  ---  202.96.0.3        192.168.75.3       ---                ---

Summary

Each internal computer is mapped one-to-one to a public IP address. This method lets a specific internal device be reached from the external network, but it offers poor security (the mapped host is reachable on every port without any prior outbound traffic) and consumes one public address per host, so its practical value is limited.
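As an added example that is not part of the original lab, the following Python script parses the text of "sh ip nat translations" as shown above and audits it the way a defender would: it reports which inside hosts are statically exposed (rows with no outside addresses) and which inside hosts share one inside-global address (which only happens under overload). The sample output is constructed from the lab's own tables; the final "tcp" row is an assumed example of how a port-level static entry (ip nat inside source static tcp ...) would appear, since the lab does not show one in a table.

```python
import re
from collections import defaultdict

# Constructed sample built from the lab's own "sh ip nat translations" output
# (static NAT phase).  The final "tcp" row is an assumed example of how a
# port-level static entry (ip nat inside source static tcp ...) shows up.
SAMPLE_STATIC = """\
R1#sh ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
---  202.96.0.1        192.168.75.2       ---                ---
---  202.96.0.3        192.168.75.3       ---                ---
icmp 202.96.0.1:73     192.168.75.2:73    192.168.0.2:73     192.168.0.2:73
icmp 202.96.0.3:45     192.168.75.3:45    192.168.0.2:45     192.168.0.2:45
tcp  202.96.0.2:80     192.168.75.2:80    ---                ---
"""

# Constructed sample from the lab's PAT (overload) phase.
SAMPLE_PAT = """\
Pro  Inside global     Inside local       Outside local      Outside global
icmp 202.96.0.5:85     192.168.75.2:85    192.168.0.2:85     192.168.0.2:85
icmp 202.96.0.5:10     192.168.75.3:10    192.168.0.2:10     192.168.0.2:10
"""

# A data row: protocol (or "---" for a static address mapping) followed by
# the four address columns.  Header, prompt and blank lines do not match.
ROW = re.compile(r"^\s*(---|[a-z]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_endpoint(field):
    """'a.b.c.d:port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    host, sep, port = field.partition(":")
    return host, (int(port) if sep else None)


def parse_translations(text):
    """Return one dict per translation row of the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        ig_ip, ig_port = split_endpoint(ig)
        il_ip, il_port = split_endpoint(il)
        ol_ip, _ = split_endpoint(ol)
        og_ip, _ = split_endpoint(og)
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": ig_ip, "inside_global_port": ig_port,
            "inside_local": il_ip, "inside_local_port": il_port,
            "outside_local": ol_ip, "outside_global": og_ip,
            # No outside addresses means a configured static mapping: it exists
            # (and accepts inbound connections) without any prior outbound
            # traffic, whereas a session row always carries an outside peer.
            "static": ol_ip is None and og_ip is None,
        })
    return rows


def exposed_hosts(rows):
    """Map each statically exposed inside host to what is reachable from outside:
    'all' for a one-to-one address mapping, 'proto/port' for a port mapping."""
    exposure = defaultdict(set)
    for r in rows:
        if r["static"]:
            if r["proto"] is None:
                exposure[r["inside_local"]].add("all")
            else:
                exposure[r["inside_local"]].add(f"{r['proto']}/{r['inside_global_port']}")
    return dict(exposure)


def hosts_behind_global(rows):
    """For session rows, list the distinct inside hosts sharing each inside-global
    address; more than one host per address means overload (PAT) is in effect."""
    shares = defaultdict(set)
    for r in rows:
        if not r["static"]:
            shares[r["inside_global"]].add(r["inside_local"])
    return {g: sorted(h) for g, h in shares.items()}


if __name__ == "__main__":
    for name, text in (("static", SAMPLE_STATIC), ("pat", SAMPLE_PAT)):
        rows = parse_translations(text)
        print(f"{name}: {len(rows)} rows")
        print("  exposed:", exposed_hosts(rows))
        print("  sharing:", hosts_behind_global(rows))
```

Run against the static-phase table it reports both PC1 and PC2 as fully exposed ("all"); run against the PAT-phase table it reports no static exposure and two inside hosts behind 202.96.0.5. Pasting the real command output into SAMPLE_STATIC gives the same audit for a live router.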


IV. Configure dynamic NAT

1. Remove the two static mappings on router R1

   R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
   R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3

2. On router R1, configure an ACL that covers every internal IP address

   R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255

3. Configure the pool of legitimate public IP addresses

   R1(config)#ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248

4. Bind the ACL to the address pool

   R1(config)#ip nat inside source list 1 pool abc

5. Ping PC3 from PC1 to test

   PC>ping 192.168.0.2 


  Pinging 192.168.0.2 with 32 bytes of data:

  Request timed out.
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=2ms TTL=126

  Ping statistics for 192.168.0.2:
      Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 2ms, Average = 0ms

6. Ping PC3 from PC2 to test

   PC>ping 192.168.0.2

  Pinging 192.168.0.2 with 32 bytes of data:

  Request timed out.
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

  Ping statistics for 192.168.0.2:
      Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms

7. Check the translation table on router R1

   R1#sh ip nat translations 

   Pro  Inside global     Inside local       Outside local      Outside global
   icmp 202.96.0.5:81     192.168.75.2:81    192.168.0.2:81     192.168.0.2:81
   icmp 202.96.0.5:82     192.168.75.2:82    192.168.0.2:82     192.168.0.2:82
   icmp 202.96.0.5:83     192.168.75.2:83    192.168.0.2:83     192.168.0.2:83
   icmp 202.96.0.5:84     192.168.75.2:84    192.168.0.2:84     192.168.0.2:84
   icmp 202.96.0.4:5      192.168.75.3:5     192.168.0.2:5      192.168.0.2:5
   icmp 202.96.0.4:6      192.168.75.3:6     192.168.0.2:6      192.168.0.2:6
   icmp 202.96.0.4:7      192.168.75.3:7     192.168.0.2:7      192.168.0.2:7
   icmp 202.96.0.4:8      192.168.75.3:8     192.168.0.2:8      192.168.0.2:8

Summary

The mapping is not fixed: each internal host is given whichever pool address is free when it first sends traffic, and the maximum number of hosts translated at the same time equals the number of public addresses in the pool. In practice this still does not meet everyday needs.


V. Port address translation (PAT, port multiplexing)

1. Append the keyword overload to the command that binds the ACL to the address pool

   R1(config)#ip nat inside source list 1 pool abc overload

2. Ping PC3 from PC1 and PC2, then check the translation table on router R1

   R1#sh ip nat translations 

   Pro  Inside global     Inside local       Outside local      Outside global
   icmp 202.96.0.5:85     192.168.75.2:85    192.168.0.2:85     192.168.0.2:85
   icmp 202.96.0.5:86     192.168.75.2:86    192.168.0.2:86     192.168.0.2:86
   icmp 202.96.0.5:87     192.168.75.2:87    192.168.0.2:87     192.168.0.2:87
   icmp 202.96.0.5:88     192.168.75.2:88    192.168.0.2:88     192.168.0.2:88
   icmp 202.96.0.5:10     192.168.75.3:10    192.168.0.2:10     192.168.0.2:10
   icmp 202.96.0.5:11     192.168.75.3:11    192.168.0.2:11     192.168.0.2:11
   icmp 202.96.0.5:12     192.168.75.3:12    192.168.0.2:12     192.168.0.2:12
   icmp 202.96.0.5:9      192.168.75.3:9     192.168.0.2:9      192.168.0.2:9

Summary

Internet-bound traffic from every internal computer is now mapped to the same legitimate public IP address, with individual flows told apart by port number (the ICMP identifier in the table above). The whole internal network can reach the Internet through one shared public address, which makes this the most practical of the three techniques.
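To make the difference between the three modes concrete, here is an added Python model (not code from the lab and not Cisco IOS) that simulates how a router's inside-source translation behaves under the static, dynamic-pool and overload (PAT) configurations from sections III, IV and V, using the lab's access-list 1 range and pool abc. It is a deliberately simplified model: it shows address and port allocation, the pool exhaustion that limits dynamic NAT, and port rewriting under PAT, but not entry timeouts or inbound matching.

```python
import ipaddress

# Values taken from the lab: access-list 1 and "ip nat pool abc 202.96.0.1 202.96.0.6".
INSIDE_NET = ipaddress.ip_network("192.168.75.0/24")
POOL = [f"202.96.0.{i}" for i in range(1, 7)]


class NatTable:
    """Simplified model of inside-source NAT on one router (added example)."""

    def __init__(self, mode, pool=POOL, inside_net=INSIDE_NET):
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.pool = list(pool)
        self.inside_net = inside_net
        self.static = {}          # inside local ip -> inside global ip
        self.dynamic = {}         # inside local ip -> pool address currently leased
        self.pat_bindings = {}    # (inside local ip, port) -> (inside global ip, port)
        self.pat_used_ports = set()

    def add_static(self, local_ip, global_ip):
        """Equivalent of: ip nat inside source static LOCAL GLOBAL"""
        self.static[local_ip] = global_ip

    def translate(self, src_ip, src_port):
        """Translate the source of an outbound packet.  Returns the
        (inside global ip, port) pair, or None when nothing is translated
        (no static entry / ACL miss) or the packet is dropped (pool exhausted)."""
        if self.mode == "static":
            g = self.static.get(src_ip)
            return (g, src_port) if g else None
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None                     # access-list 1 does not match
        if self.mode == "dynamic":
            return self._dynamic(src_ip, src_port)
        return self._pat(src_ip, src_port)

    def _dynamic(self, src_ip, src_port):
        # One whole pool address per inside host; it is held until the entry
        # ages out, so at most len(pool) hosts can be translated at once.
        if src_ip not in self.dynamic:
            in_use = set(self.dynamic.values())
            free = [g for g in self.pool if g not in in_use]
            if not free:
                return None                 # pool exhausted: packet dropped
            self.dynamic[src_ip] = free[0]
        return (self.dynamic[src_ip], src_port)

    def _pat(self, src_ip, src_port):
        # Every host shares one global address; flows are told apart by the
        # source port (ICMP identifier), which is rewritten when another host
        # already holds the same value.
        key = (src_ip, src_port)
        if key not in self.pat_bindings:
            port = src_port
            for _ in range(65536):
                if port not in self.pat_used_ports:
                    break
                port = port + 1 if port < 65535 else 1
            else:
                return None                 # every port on the address is in use
            self.pat_used_ports.add(port)
            self.pat_bindings[key] = (self.pool[0], port)
        return self.pat_bindings[key]


def run(mode, packets, static=()):
    """Push (src ip, src port) packets through a fresh table; return one result each."""
    nat = NatTable(mode)
    for local_ip, global_ip in static:
        nat.add_static(local_ip, global_ip)
    return [nat.translate(ip, port) for ip, port in packets]


if __name__ == "__main__":
    hosts = [f"192.168.75.{i}" for i in range(2, 9)]             # seven inside hosts
    print("dynamic:", run("dynamic", [(h, 1) for h in hosts]))   # seventh host gets None
    print("pat:    ", run("pat", [(h, 1) for h in hosts]))       # all share 202.96.0.1
```

With seven inside hosts the dynamic run hands out all six pool addresses and drops the seventh host, which is the limit the section IV summary describes; the PAT run translates all seven through 202.96.0.1 and only rewrites the port when two hosts happen to use the same value.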


Further reading

1. Enterprises often need to publish one particular port of a specific internal computer on the public network. How is that configured on a Cisco router?

 ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable       map port 80 to publish a website
 ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable   map port 3389 for Remote Desktop connections
 ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable   map a custom port for a software release service
 ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable       map port 22 for SSH remote access


2. If we have only one public address and it is already assigned to R1's F1/0 interface, how can it be reused (overloaded)?

R1(config)#ip nat inside source list 10 interface f1/0 overload    // no address pool is configured on R1, because there is only one public address; the address of interface F1/0 itself is overloaded instead

or

R1(config)#ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248



3. How is the number of NAT translation entries a router can hold worked out?

Each NAT translation entry consumes 160 bytes of memory, so the number of simultaneous translations is bounded by the router's available memory.