NAT:地址转换,有以下几种方式
  • 1对1地址转换
  • 1对多地址转换(PAT)
  • 多对多地址转换(pool)

 
【实验拓扑】
拓扑说明,R1、R6、R4为局域网,R4为出口网关,连接两条链路到internet

 

【拓扑基本配置】
R1:
inter fa 0/0
ip address 10.0.0.1 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R4:
inter ethernet 0/0
ip address 10.0.0.4 255.255.255.0
no shut
!
inter Loopback0
ip add 150.1.4.4 255.255.255.0
ip ospf network point-to-point
不配置高亮这条命令,对方学习到的loopback地址为32为掩码,这是由于OSPF的特性导致,注意loopback地址是150网段,而serial接口是155网段,不要混淆
!
interface Serial 0/0
encaps frame-relay
no shutdown
!
interface Serial 0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
!
interface Serial 0/1
no shutdown
ip address 155.1.45.4 255.255.255.0
!
router ospf 1
router-id 150.1.4.4
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
network 150.1.4.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 update-source Loopback0
neighbor 150.1.5.5 ebgp-multihop
R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial 0/0
encapsulation frame-relay
no shut
!
interface Serial 0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial 0/1
no shutdown
clockrate 64000
ip address 155.1.45.5 255.255.255.0
!
router ospf 1
router-id 150.1.5.5
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
network 150.1.5.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 ebgp-multihop
neighbor 150.1.4.4 default-originate
R6:
inter gig 0/0
ip address 10.0.0.6 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.4

【实验1:在R4上设置Pool进行地址转换】

1、要求
运营商分配的公网地址范围为150.1.4.100-150.1.4.254,在R4上配置地址转换

2、配置
R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip nat pool NAT_POOL 150.1.4.100 150.1.4.254 prefix 24
!
ip access-list standard INSIDE_NETWORK
permit 10.0.0.0 0.0.0.255
!
ip nat inside source list INSIDE_NETWORK pool NAT_POOL
3、验证
R4#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial0/1, Serial0/0.1
Inside interfaces:
Ethernet0/0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list INSIDE_NETWORK pool NAT_POOL refcount 0
pool NAT_POOL: netmask 255.255.255.0
start 150.1.4.100 end 150.1.4.254
type generic, total addresses 155, allocated 0 (0%), misses 0
Queued Packets: 0
R4# debug ip nat detailed
在R4上开启debug查看
IP NAT detailed debugging is on
R1#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/46/48 ms
R4#
NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [125]
NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [125]
NAT*: s=10.0.0.1->150.1.4.101, d=150.1.5.5 [125]
NAT: installing alias for address 150.1.4.101
NAT*: o: icmp (150.1.5.5, 6) -> (150.1.4.101, 6) [125]
NAT*: s=150.1.5.5, d=150.1.4.101->10.0.0.1 [125]
NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [126]
NAT*: s=10.0.0.1->150.1.4.101, d=150.1.5.5 [126]
NAT*: o: icmp (150.1.5.5, 6) -> (150.1.4.101, 6) [126]
NAT*: s=150.1.5.5, d=150.1.4.101->10.0.0.1 [126]
NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [127]
看到转换的结果

 
R4# show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 155.1.45.4:2 10.0.0.1:2 150.1.5.5:2 150.1.5.5:2

 
【实验2,1对多配置(PAT)】

1、要求,在R4上利用loopback0地址实现1对多地址转换
2、配置
R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip access-list standard INSIDE_NETWORK
permit 10.0.0.0 0.0.0.255
!
ip nat inside source list INSIDE_NETWORK interface loopback 0 overload
和上面相比,少量pool,多了interface 以及最后的overload,验证方法和实验1 相同

 

【实验3,NAT冗余】


 
1、要求
我们看到R4有两个出口,需要通过两个出口地址进行转换,并且实现冗余nat
思考:如果我们设置如下两条是否实现了负载均衡
ip nat instide source list INSIDE_NETWORK interface s0/1 overload
ip nat instide source list INSIDE_NETWORK interface s0/1 overload
经过验证,我们输入第二条,将会把第一条替换,因此我们需要利用其它方法,route-map
2、配置
R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip access-list standard INSIDE_NETWORK
permit 10.0.0.0 0.0.0.255
!
route-map FR_INTERFACE
match interface Serial 0/0.1
match ip address INSIDE_NETWORK
!
route-map SERIAL_INTERFACE
match interface Serial 0/1
match ip address INSIDE_NETWORK
!
ip nat inside source route-map FR_INTERFACE int Serial 0/0.1 overload
ip nat inside source route-map SERIAL_INTERFACE int Serial 0/1 overload
3、验证
R4#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial0/0.1, Serial0/1
Inside interfaces:
Ethernet0/0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] route-map FR_INTERFACE interface Serial0/0.1 refcount 0
[Id: 2] route-map SERIAL_INTERFACE interface Serial0/1 refcount 0
Queued Packets: 0
R1#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/60/61 ms
R1#
R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 155.1.0.4:0 10.0.0.1:0 150.1.5.5:0 150.1.5.5:0

 
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int se 0/0
R4(config-if)#shut
R4(config-if)#^Z
R4#
R1#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 155.1.45.4:5 10.0.0.6:5 150.1.5.5:5 150.1.5.5:5

【实验4,策略NAT】

1、实验要求:TCP23端口通过s0/1 进行nat,其它端口通s0/0.1进行nat
2、实验配置
R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip access-list ext INSIDE_TELNET
permit tcp 10.0.0.0 0.0.0.255 any eq 23
!
ip access-list ext INSIDE_OTHER
deny tcp 10.0.0.0 0.0.0.255 any eq 23
permit ip 10.0.0.0 0.0.0.255 any
!
route-map FR_INTERFACE
set interface Serial 0/0.1
match ip address INSIDE_TELNET
!
route-map SERIAL_INTERFACE
set interface Serial 0/1
match ip address INSIDE_OTHER
!
ip nat inside source route-map FR_INTERFACE int Serial 0/0.1 overload
ip nat inside source route-map SERIAL_INTERFACE int Serial 0/1 overload

 

【实验5,静态NAT配置】
R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6
【实验6,静态PAT配置,一般用不到】
R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip nat inside source static tcp 10.0.0.1 23 interf Loopback0 1023
ip nat inside source static tcp 10.0.0.6 23 interf Loopback0 6023

【静态策略NAT,根据目的地址设置不同的转换地址】

R4:
interface Ethernet 0/0
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.1
ip nat outside
!
ip access-list extended TO_LOOPBACK0
permit ip 10.0.0.0 0.0.0.255 150.1.5.0 0.0.0.255
!
ip access-list extended TO_LOOPBACK1
permit ip 10.0.0.0 0.0.0.255 150.1.55.0 0.0.0.255
!
route-map DIVERT1 permit 10
match ip address TO_LOOPBACK0
!
route-map DIVERT2 permit 10
match ip address TO_LOOPBACK1
!
ip nat inside source static 10.0.0.1 150.1.4.5 route-map DIVERT1 reversible no-alias
ip nat inside source static 10.0.0.1 150.1.4.55 route-map DIVERT2 reversible no-alias
根据访问的目的地址设置静态转换,
访问150.1.5.0 的目的地址转换为150.1.4.5
访问160.1.55.0 的目的地址转换为150.1.4.55
reversible check route-map for out->in traffic
no-alias Do not create an alias for the global address

 
!
interface Loopback0
ip ospf network point-to-point
R5:
interface Loopback1
ip address 150.1.55.55 255.255.255.0
!
router ospf 1
network 150.1.55.55 0.0.0.0 area 0