Lab name: Cisco router Network Address Translation (NAT)
Lab goal: let every internal (private) IP address reach the Internet through a small number of public IP addresses
Lab introduction:
With NAT, when a host on the internal network sends a packet through the router, its private source address is rewritten to a legitimate public IP address, so a large number of internal computers can communicate with the Internet through a few public addresses. NAT eases IPv4 address exhaustion and, as a side effect, hides the internal addressing plan from the outside: with dynamic NAT and PAT, an outside host cannot open a connection to an inside host unless a translation entry for it already exists. That is a convenience, not a security control. NAT is no substitute for an access list or firewall on the outside interface, and every static mapping re-exposes the inside host it names.
Lab topology
(The topology diagram is not included in this copy. Recovered from the configuration below: PC1 192.168.75.2 and PC2 192.168.75.3 sit on the 192.168.75.0/24 LAN behind R1's f0/0 (192.168.75.30); R1 f1/0 (202.96.0.1) and R2 f1/0 (202.96.0.2) share the 202.96.0.0/29 link that plays the role of the Internet; PC3 192.168.0.2 sits on the 192.168.0.0/24 LAN behind R2's f0/0 (192.168.0.1).)
Lab configuration steps
I. Set the computers' IP addresses
1. Set PC1's IP address: 192.168.75.2, mask 255.255.255.0, gateway 192.168.75.30
2. Set PC2's IP address: 192.168.75.3, mask 255.255.255.0, gateway 192.168.75.30
3. Set PC3's IP address: 192.168.0.2, mask 255.255.255.0, gateway 192.168.0.1
II. Configure the routers
1. Configure R1
Router#conf t
Router(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip add 192.168.75.30 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#int f1/0
R1(config-if)#ip add 202.96.0.1 255.255.255.248
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0
(A default route that names only an Ethernet interface makes R1 ARP for every destination and depend on proxy ARP on R2; ip route 0.0.0.0 0.0.0.0 202.96.0.2 is the more robust form. R2 needs no route back to 192.168.75.0/24: after translation every packet from the inside arrives with a source address in R2's directly connected 202.96.0.0/29 network.)
2. Configure R2
Router#conf t
Router(config)#hostname R2
R2(config)#int f0/0
R2(config-if)#ip add 192.168.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exi
R2(config)#int f1/0
R2(config-if)#ip add 202.96.0.2 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exi
III. Configure static NAT
1. On R1, map PC1 (192.168.75.2) to 202.96.0.1 and PC2 (192.168.75.3) to 202.96.0.3
(Note that 202.96.0.1 is also the address of R1's own f1/0 interface. It works in this lab, but on a production router an inside host should be mapped to a spare public address so that it does not shadow traffic destined for the router itself.)
R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3
2. Ping PC3 from PC1 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms
3. Ping PC3 from PC2 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
4. Check on router R1
Before any traffic, only the two static entries exist:
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  202.96.0.1         192.168.75.2       ---                ---
---  202.96.0.3         192.168.75.3       ---                ---
After the pings, one entry per echo request has been added. The value after the colon is not a TCP/UDP port but the ICMP query identifier, which NAT uses in place of a port to match each reply to the right inside host:
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.1:73      192.168.75.2:73    192.168.0.2:73     192.168.0.2:73
icmp 202.96.0.1:74      192.168.75.2:74    192.168.0.2:74     192.168.0.2:74
icmp 202.96.0.1:75      192.168.75.2:75    192.168.0.2:75     192.168.0.2:75
icmp 202.96.0.1:76      192.168.75.2:76    192.168.0.2:76     192.168.0.2:76
icmp 202.96.0.3:45      192.168.75.3:45    192.168.0.2:45     192.168.0.2:45
icmp 202.96.0.3:46      192.168.75.3:46    192.168.0.2:46     192.168.0.2:46
icmp 202.96.0.3:47      192.168.75.3:47    192.168.0.2:47     192.168.0.2:47
icmp 202.96.0.3:48      192.168.75.3:48    192.168.0.2:48     192.168.0.2:48
---  202.96.0.1         192.168.75.2       ---                ---
---  202.96.0.3         192.168.75.3       ---                ---
Summary
Each inside computer is mapped one-to-one to a public IP address. This is the right tool when an outside host must be able to reach a specific inside device (a published server), but it re-exposes every port of that inside host to the Internet, consumes one public address per host and does nothing for the other inside computers. It is therefore a poor fit for general Internet access and, where it is used, should be paired with an inbound access list on the outside interface.
IV. Configure dynamic NAT
1. Remove the two static mappings on router R1
R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3
2. On router R1, configure an ACL that matches all inside IP addresses (this ACL only selects which sources are translated; it does not filter traffic)
R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255
3. Configure the pool of legitimate public addresses
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248
(As written, the pool includes 202.96.0.1, R1's own f1/0 address, and 202.96.0.2, R2's address. In the outputs below the router happened to hand out .4 and .5, but a host allocated .2 would collide with R2. On a real network start the pool at the first spare address, e.g. ip nat pool abc 202.96.0.3 202.96.0.6 netmask 255.255.255.248.)
4. Bind the ACL to the address pool
R1(config)#ip nat inside source list 1 pool abc
5. Ping PC3 from PC1 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
6. Ping PC3 from PC2 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
7. Check on router R1
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.5:81      192.168.75.2:81    192.168.0.2:81     192.168.0.2:81
icmp 202.96.0.5:82      192.168.75.2:82    192.168.0.2:82     192.168.0.2:82
icmp 202.96.0.5:83      192.168.75.2:83    192.168.0.2:83     192.168.0.2:83
icmp 202.96.0.5:84      192.168.75.2:84    192.168.0.2:84     192.168.0.2:84
icmp 202.96.0.4:5       192.168.75.3:5     192.168.0.2:5      192.168.0.2:5
icmp 202.96.0.4:6       192.168.75.3:6     192.168.0.2:6      192.168.0.2:6
icmp 202.96.0.4:7       192.168.75.3:7     192.168.0.2:7      192.168.0.2:7
icmp 202.96.0.4:8       192.168.75.3:8     192.168.0.2:8      192.168.0.2:8
Summary
The mapping is not fixed: each inside host receives the first free address from the pool when it first sends traffic (here PC1 was given 202.96.0.5 and PC2 202.96.0.4), keeps it while its entries are alive, and may receive a different one later. The number of inside hosts that can be on line at the same time equals the number of addresses in the pool; once the pool is exhausted, packets from any further host are dropped until an existing entry times out. With six public addresses this still cannot serve a whole office.
V. Port multiplexing (PAT)
1. Append the keyword overload to the statement that binds the ACL to the address pool
R1(config)#ip nat inside source list 1 pool abc overload
(On real IOS a dynamic mapping cannot be changed while translations built from it are active. If the router refuses with a "dynamic mapping in use" error, run clear ip nat translation * in privileged mode and remove the old statement with no ip nat inside source list 1 pool abc first.)
2. After pinging PC3 from PC1 and PC2, check on router R1
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.5:85      192.168.75.2:85    192.168.0.2:85     192.168.0.2:85
icmp 202.96.0.5:86      192.168.75.2:86    192.168.0.2:86     192.168.0.2:86
icmp 202.96.0.5:87      192.168.75.2:87    192.168.0.2:87     192.168.0.2:87
icmp 202.96.0.5:88      192.168.75.2:88    192.168.0.2:88     192.168.0.2:88
icmp 202.96.0.5:10      192.168.75.3:10    192.168.0.2:10     192.168.0.2:10
icmp 202.96.0.5:11      192.168.75.3:11    192.168.0.2:11     192.168.0.2:11
icmp 202.96.0.5:12      192.168.75.3:12    192.168.0.2:12     192.168.0.2:12
icmp 202.96.0.5:9       192.168.75.3:9     192.168.0.2:9      192.168.0.2:9
Summary
All inside computers reaching the Internet are now translated to the same public address (202.96.0.5 here); the router keeps their flows apart by the source port (or ICMP identifier, as in the table above), rewriting it only when two hosts would otherwise collide. A whole inside network can share one public address, which makes PAT the most practical of the three methods. The translation table is still state held on the router: an inside host that opens thousands of connections (a worm scanning, P2P software) fills it and slows or blocks everyone else, so the entry count in show ip nat statistics is worth watching.
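The three behaviours of sections III to V (static one-to-one, dynamic pool, pool with overload) can be seen side by side in a small model of the router's decisions. The following Python program is an added example written for these notes, not configuration or code from the lab; the NatTable class, its port rule (keep the source port when free, otherwise take the next free port from 1024 upward) and the single-entry ACL are simplifications of IOS behaviour and are assumptions, not a description of the router's internals.

```python
"""Model of 'ip nat inside source' behaviour: static, dynamic pool, overload (PAT).

Added example; not from the lab.  Simplifications (assumed, not IOS fact):
ports are preserved when free and otherwise allocated upward from 1024, and the
NAT ACL is a single 'permit network wildcard' entry."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    global_port: int
    inside_local: str
    local_port: int


class NatTable:
    def __init__(self, pool: List[str], acl_network: str, acl_wildcard: str,
                 overload: bool = False) -> None:
        self.pool = [IPv4Address(a) for a in pool]
        self.acl_net = int(IPv4Address(acl_network))
        self.acl_wild = int(IPv4Address(acl_wildcard))
        self.overload = overload
        self.static: Dict[str, str] = {}            # inside local -> inside global
        self.leases: Dict[str, IPv4Address] = {}    # dynamic NAT: host -> pool address
        self.flows: Dict[Tuple[str, str, int], Translation] = {}
        self.used: Set[Tuple[str, str, int]] = set()  # (proto, global addr, port) taken

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def permitted(self, src: str) -> bool:
        # Cisco wildcard mask: a 1 bit means "don't care" for that bit
        return (int(IPv4Address(src)) | self.acl_wild) == (self.acl_net | self.acl_wild)

    def _free_port(self, proto: str, gaddr: str, wanted: int) -> Optional[int]:
        if (proto, gaddr, wanted) not in self.used:
            return wanted                      # keep the source port when nobody uses it
        for p in range(1024, 65536):           # otherwise the next free one
            if (proto, gaddr, p) not in self.used:
                return p
        return None                            # port space of this address exhausted

    def translate(self, proto: str, src: str, sport: int) -> Optional[Translation]:
        """Translation for an outbound packet, or None when NAT creates none
        (source not permitted by the ACL, pool exhausted, or no free port)."""
        key = (proto, src, sport)
        if key in self.flows:
            return self.flows[key]             # an existing flow keeps its entry
        if src in self.static:                 # static entries win and ignore the ACL
            gaddr, gport = self.static[src], sport
        elif not self.permitted(src):
            return None
        elif self.overload:                    # PAT: share an address, move on only when ports run out
            gaddr, gport = "", None
            for addr in self.pool:
                gport = self._free_port(proto, str(addr), sport)
                if gport is not None:
                    gaddr = str(addr)
                    break
            if gport is None:
                return None
        else:                                  # dynamic NAT: one exclusive address per host
            if src not in self.leases:
                busy = set(self.leases.values())
                free = [a for a in self.pool if a not in busy]
                if not free:
                    return None                # pool exhausted: dropped until an entry expires
                self.leases[src] = free[0]
            gaddr, gport = str(self.leases[src]), sport
        entry = Translation(proto, gaddr, gport, src, sport)
        self.flows[key] = entry
        self.used.add((proto, gaddr, gport))
        return entry

    def show(self) -> str:
        """Render the table in the layout of 'show ip nat translations'."""
        lines = ["Pro  Inside global        Inside local"]
        for e in self.flows.values():
            g = f"{e.inside_global}:{e.global_port}"
            l = f"{e.inside_local}:{e.local_port}"
            lines.append(f"{e.proto:<4} {g:<20} {l}")
        return "\n".join(lines)


if __name__ == "__main__":
    dyn = NatTable(["202.96.0.3", "202.96.0.4"], "192.168.75.0", "0.0.0.255")
    for host in ("192.168.75.2", "192.168.75.3", "192.168.75.4"):
        print(host, "->", dyn.translate("tcp", host, 40000))  # third host: None, pool exhausted
    pat = NatTable(["202.96.0.3", "202.96.0.4"], "192.168.75.0", "0.0.0.255", overload=True)
    for host in ("192.168.75.2", "192.168.75.3", "192.168.75.4"):
        pat.translate("tcp", host, 40000)                     # all three share 202.96.0.3
    print(pat.show())
```

Run with a two-address pool and three hosts: dynamic mode drops the third host, while overload mode serves all three from 202.96.0.3 and only changes the source port of the second and third because the first one already holds 40000.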
Extended knowledge
1. Companies often need to publish one port of a specific inside computer to the public network. How is this done on a Cisco router?
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable        // publish port 80 for a web site
ip nat inside source static tcp 192.168.75.2 3389 202.96.0.2 3389 extendable    // publish port 3389 for Remote Desktop
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable    // publish a custom port for software distribution
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable        // publish port 22 for SSH
The argument order is inside-local address, inside port, inside-global address, outside port. The inside port must be the port the service actually listens on (the original had 3080 on the Remote Desktop line, which would forward connections to a port where nothing listens); to expose a service on a non-standard public port, change only the last number, e.g. ip nat inside source static tcp 192.168.75.2 3389 202.96.0.2 33890 extendable. Note also that 202.96.0.2 is R2's address in this lab topology; use a public address that belongs to R1. Each such line opens that port of the inside host to every address on the Internet, so restrict the permitted sources with an access list on the outside interface; Remote Desktop and SSH in particular should not be reachable from anywhere.
2. If we have only one public address and it is already assigned to R1's f1/0, how can it be reused (overloaded)?
R1(config)#ip nat inside source list 1 interface f1/0 overload   // no pool is configured on R1; the address of the f1/0 interface itself is overloaded (the original used list 10, but only access-list 1 is defined above)
Or, equivalently, define a pool that contains just that one address and overload it:
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248
R1(config)#ip nat inside source list 1 pool abc overload
3. How is the number of NAT translation entries on a router calculated?
Each NAT translation entry occupies about 160 bytes of memory, so the number of translations a router can hold is bounded by its memory: 10,000 entries need roughly 1.6 MB and 100,000 about 16 MB. Inspect the current count with show ip nat statistics, cap it with ip nat translation max-entries <number> so that one misbehaving inside host cannot exhaust the table for everyone, and tune the idle timers (ip nat translation timeout, tcp-timeout, udp-timeout, icmp-timeout) so that stale entries are freed quickly.
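A practitioner sizing or troubleshooting the table usually wants the numbers behind point 3 computed from the router's own output rather than estimated. The following Python checker is an added example written for these notes, not a tool from the lab or from Cisco. Its sample input is the PAT output from section V plus the two static entries from section III, copied from this page, extended with a constructed burst of UDP entries from an imaginary host 192.168.75.50 so that the per-host limit can be seen firing; the 160-byte figure is the one quoted above.

```python
"""Checker for 'show ip nat translations' output: entry counts, public addresses
in use, per-host counts, noisy hosts and an estimate of the memory consumed.

Added example; not from the lab.  The sample input below is the lab's PAT and
static output plus constructed UDP entries from an imaginary host."""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

BYTES_PER_ENTRY = 160  # rule of thumb quoted in the notes above


class Entry(NamedTuple):
    proto: str            # 'icmp', 'tcp', 'udp', or '---' for a static mapping
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def split_addr(field: str) -> Tuple[str, Optional[int]]:
    """'202.96.0.5:85' -> ('202.96.0.5', 85); '---' -> ('---', None)."""
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


def parse_translations(text: str) -> List[Entry]:
    """Parse the five-column table; the header and blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] != "Pro":
            entries.append(Entry(*parts))
    return entries


def summarize(entries: List[Entry], per_host_limit: int = 100) -> Dict[str, object]:
    static = [e for e in entries if e.proto == "---"]
    dynamic = [e for e in entries if e.proto != "---"]
    per_host = Counter(split_addr(e.inside_local)[0] for e in dynamic)
    return {
        "total": len(entries),
        "static": len(static),
        "dynamic": len(dynamic),
        # distinct public addresses used by dynamic entries: one means PAT collapsed everything
        "inside_globals": sorted({split_addr(e.inside_global)[0] for e in dynamic}),
        "per_host": dict(per_host),
        # hosts above the limit are candidates for table exhaustion (scanner, worm, P2P)
        "noisy_hosts": {h: n for h, n in per_host.items() if n > per_host_limit},
        "memory_bytes": len(entries) * BYTES_PER_ENTRY,
    }


SAMPLE_OUTPUT = """\
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.5:85      192.168.75.2:85    192.168.0.2:85     192.168.0.2:85
icmp 202.96.0.5:86      192.168.75.2:86    192.168.0.2:86     192.168.0.2:86
icmp 202.96.0.5:87      192.168.75.2:87    192.168.0.2:87     192.168.0.2:87
icmp 202.96.0.5:88      192.168.75.2:88    192.168.0.2:88     192.168.0.2:88
icmp 202.96.0.5:10      192.168.75.3:10    192.168.0.2:10     192.168.0.2:10
icmp 202.96.0.5:11      192.168.75.3:11    192.168.0.2:11     192.168.0.2:11
icmp 202.96.0.5:12      192.168.75.3:12    192.168.0.2:12     192.168.0.2:12
icmp 202.96.0.5:9       192.168.75.3:9     192.168.0.2:9      192.168.0.2:9
---  202.96.0.1         192.168.75.2       ---                ---
---  202.96.0.3         192.168.75.3       ---                ---
""" + "".join(
    # constructed: 150 DNS-like flows from one host, as a scanner or worm would produce
    f"udp  202.96.0.5:{p}  192.168.75.50:{p}  192.168.0.2:53  192.168.0.2:53\n"
    for p in range(20000, 20150)
)

if __name__ == "__main__":
    for key, value in summarize(parse_translations(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

On the sample the checker reports 160 entries (2 static, 158 dynamic), a single public address 202.96.0.5 in use, 4 entries each for PC1 and PC2, 150 for the constructed host, which is the only one flagged at the default limit of 100, and an estimated 25,600 bytes of NAT state.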