Bidirectional NAT address translation on a Cisco router

Background: when an edge device (a router or firewall) connects to two or more ISPs, address translation has to be split two or more ways, one translation per upstream link. On IOS this is done with NAT combined with route-maps.

Goal: inside network 192.168.0.0/16 should use the China Netcom (WT) link and 172.16.0.0/16 the China Telecom (DX) link; traffic from either network to the 10.0.0.0/24 site is carried over a third link (VPN). All outbound traffic is translated, and route-maps select which translation applies to which flow.

Caveat: an inside-source NAT route-map does not steer packets. The routing table (or policy-based routing) chooses the egress interface first, and only then is each route-map tried; a sequence matches only if its ACL permits the packet and the packet is actually leaving through the interface named in "match interface". With a single default route, all Internet-bound traffic would exit one link, and any packet that matches no route-map is forwarded untranslated, leaking the private source address to the ISP. Static routes or "ip policy route-map" on the inside interfaces are therefore still needed to put 192.168.0.0/16 on s0/0, 172.16.0.0/16 on s0/1 and 10.0.0.0/24 on s0/2.

Figure 1: network topology (image not included in this copy)


Configuration:

ACLs 101 and 102 select the traffic each ISP link translates. Their deny entries exclude traffic to the 10.0.0.0/24 site so that it falls through to ACL 103, which catches that traffic from both inside networks. (The posted ACL 103 listed its 172.16.0.0 entry twice; the first entry is the 192.168.0.0/16 one that ACL 101 deliberately excludes.)

access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255

One route-map per link. Each sequence requires both the ACL and the egress interface to match, so a packet only gets the Netcom address if it is leaving through s0/0, and so on. The names must match those used in the NAT statements (the original mixed "IPS" and "ISP").

route-map ISP-WT permit 10
 match ip address 101
 match interface Serial0/0
route-map ISP-DX permit 20
 match ip address 102
 match interface Serial0/1
route-map ISP-VPN permit 30
 match ip address 103
 match interface Serial0/2

The NAT statements bind each route-map to the outside interface whose address is used; "overload" enables PAT so many inside hosts share that one address.

ip nat inside source route-map ISP-WT interface Serial0/0 overload
ip nat inside source route-map ISP-DX interface Serial0/1 overload
ip nat inside source route-map ISP-VPN interface Serial0/2 overload

Finally, mark the three upstream links as NAT outside and the two LAN interfaces as NAT inside.

interface Serial0/0
 ip nat outside
 exit
interface Serial0/1
 ip nat outside
 exit
interface Serial0/2
 ip nat outside
 exit
interface FastEthernet1/0
 ip nat inside
 exit
interface FastEthernet1/1
 ip nat inside
 exit


Verify the path with traceroute from a host on each inside network (tracert on Windows). On the router, "show ip nat translations" shows which outside address each flow was mapped to, and "show ip nat statistics" lists the dynamic mappings with their route-map names and hit counts. A flow that appears in neither is leaving untranslated, which means the routing decision did not send it out the interface its route-map expects.
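The following is an added model of the decision the router makes for this configuration; it is not IOS code and not part of the original page. It evaluates the three ACLs with Cisco wildcard-mask semantics (first match, implicit deny), picks the egress interface from a constructed routing table, and then applies the route-map "match ip address" plus "match interface" test exactly as the NAT statements above require. The outside interface addresses, the routing table and the policy-based routing entry are assumptions, since the page gives none. Running it shows the caveat from the Goal section: with only a default route toward s0/0, 172.16/16 Internet traffic leaves untranslated, while the assumed PBR entry (ACL 102 to Serial0/1) fixes that without disturbing the 10.0.0.0/24 path.

```python
import ipaddress

# Constructed model of IOS "ip nat inside source route-map ... overload":
# routing chooses the egress interface, then each route-map is tried and
# matches only if its ACL permits the packet AND the egress interface matches.


def wildcard_match(addr, network, wildcard):
    """Cisco ACL wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


ANY = ("0.0.0.0", "255.255.255.255")

# The page's ACLs 101-103: (action, src, src-wildcard, dst, dst-wildcard)
ACLS = {
    101: [("deny", "192.168.0.0", "0.0.255.255", "10.0.0.0", "0.0.0.255"),
          ("permit", "192.168.0.0", "0.0.255.255", *ANY)],
    102: [("deny", "172.16.0.0", "0.0.255.255", "10.0.0.0", "0.0.0.255"),
          ("permit", "172.16.0.0", "0.0.255.255", *ANY)],
    103: [("permit", "192.168.0.0", "0.0.255.255", "10.0.0.0", "0.0.0.255"),
          ("permit", "172.16.0.0", "0.0.255.255", "10.0.0.0", "0.0.0.255")],
}


def acl_permits(acl_id, src, dst):
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for action, sn, sw, dn, dw in ACLS[acl_id]:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


# The page's three route-maps and NAT statements: (name, ACL, outside interface)
ROUTE_MAPS = [("ISP-WT", 101, "Serial0/0"),
              ("ISP-DX", 102, "Serial0/1"),
              ("ISP-VPN", 103, "Serial0/2")]

# Assumed outside interface addresses (constructed; the page gives none)
IF_ADDR = {"Serial0/0": "203.0.113.1",
           "Serial0/1": "198.51.100.1",
           "Serial0/2": "192.0.2.1"}

# Constructed routing table: one route to the VPN site plus a single default.
ROUTES = [("10.0.0.0/24", "Serial0/2"), ("0.0.0.0/0", "Serial0/0")]

# Assumed PBR fix (not on the page): "ip policy route-map" on the inside
# interfaces with "match ip address 102" / "set interface Serial0/1".
PBR = [(102, "Serial0/1")]


def egress_interface(dst):
    """Longest-prefix match over the constructed routing table."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def policy_egress(src, dst):
    """PBR runs before normal routing; unmatched traffic falls through."""
    for acl, iface in PBR:
        if acl_permits(acl, src, dst):
            return iface
    return egress_interface(dst)


def translate(src, dst, use_pbr=False):
    """Return (egress interface, source address as it leaves the router).
    A returned source equal to the input means no route-map matched and the
    private address leaks untranslated."""
    iface = policy_egress(src, dst) if use_pbr else egress_interface(dst)
    for name, acl, match_iface in ROUTE_MAPS:
        if match_iface == iface and acl_permits(acl, src, dst):
            return iface, IF_ADDR[match_iface]
    return iface, src


if __name__ == "__main__":
    for s, d in [("192.168.1.10", "8.8.8.8"), ("172.16.1.10", "8.8.8.8"),
                 ("172.16.1.10", "10.0.0.5")]:
        print(s, "->", d, "routing only:", translate(s, d),
              "with PBR:", translate(s, d, use_pbr=True))
```

The second case is the one to watch in production: the route-map for the Telecom link is correct, yet the packet still leaves untranslated because routing put it on the Netcom link. Checking "show ip nat statistics" for a mapping with zero hits is the quickest way to spot that mismatch on a real router.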

