CCNA Course Lab 12: NAT

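Contents

  • Lab Setup
    • Network Topology
    • Requirements
  • Configuration
    • Basic Configuration
      • `R1`
      • `PC1`
      • `ISP`
      • `R2`
      • `HTTP_Server`
      • `DNS_Server`
    • Configuration: `static NAT on R2, mapping the internal DNS server to public IP 202.1.1.2`
      • Test Results
    • Configuration: `static NAT on R2, mapping TCP port 80 of the internal HTTP server to port 81 of public IP 202.1.1.1`
    • Configuration: `port-overload PAT on R1, so that PC1 can reach the DNS server and the HTTP server`
      • Test Results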

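Lab Setup

Network Topology

[Figure: network topology diagram]

Requirements

  1. Configure static NAT on R2, mapping the internal DNS server to public IP 202.1.1.2
  2. Configure static NAT on R2, mapping TCP port 80 of the internal HTTP server to port 81 of public IP 202.1.1.1
  3. Configure port-overload PAT on R1, so that PC1 can reach the DNS server and the HTTP server

Configuration

Basic Configuration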

R1

R1(config)#ip dhcp pool HOME
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.254 
R1(dhcp-config)#dns-server 202.1.1.2
R1(dhcp-config)#exit
R1(config)#ip dhcp excluded-address 192.168.10.254
// Configure the inside interface
R1(config)#int e0/0
R1(config-if)#ip address 192.168.10.254 255.255.255.0
R1(config-if)#no shutdown
// Configure the outside interface
R1(config-if)#int e0/1
R1(config-if)#ip address 101.1.1.1 255.255.255.0
R1(config-if)#no shutdown
// Configure the default route to the Internet
R1(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.254

PC1

PC1(config)#int e0/0
PC1(config-if)#ip address dhcp
PC1(config-if)#no shutdown

ISP

// Configure the interfaces
ISP(config)#int e0/1
ISP(config-if)#ip address 101.1.1.254 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#int e0/0
ISP(config-if)#ip address 202.1.1.254 255.255.255.0 
ISP(config-if)#no shutdown
// Configure OSPF
ISP(config-if)#router ospf 90
ISP(config-router)#router-id 1.1.1.1
ISP(config-router)#network 0.0.0.0 255.255.255.255 area 0
ISP(config-router)#exit

R2

R2(config)#int e0/0 
R2(config-if)#ip address 202.1.1.1 255.255.255.0
R2(config-if)#no shutdown
// Configure the default route to the Internet
R2(config-if)#ip route 0.0.0.0 0.0.0.0 202.1.1.254

HTTP_Server

HTTP_Server(config)#no ip routing
HTTP_Server(config)#int e0/1
HTTP_Server(config-if)#ip address 10.1.1.1 255.255.255.0
HTTP_Server(config-if)#no shutdown
HTTP_Server(config-if)#exit
HTTP_Server(config)#ip default-gateway 10.1.1.254

// Enable the HTTP service
HTTP_Server(config)#ip http server 
HTTP_Server(config)#ip http timeout-policy idle 600 life  86400 requests 10

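Note:
s(config)# ip http ?
idle 600: idle connection timeout (the connection is dropped after 10 minutes without activity)
life 86400: maximum connection lifetime (at most 24 hours)
request 10000: maximum number of concurrent connections allowed

Use local authentication:
server(config)#ip http authentication local
server(config)#username kjh privilege 15 secret cisco

Commands to disable the HTTP service: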
no ip domain lookup
no ip bootp server
no ip http server
no ip http secure-server

DNS_Server

DNS_Server(config)#int e0/2 
DNS_Server(config-if)#ip address 10.1.2.1 255.255.255.0
DNS_Server(config-if)#no shutdown
DNS_Server(config-if)#exit
DNS_Server(config)#ip default-gateway 10.1.2.254
DNS_Server(config)#no ip routing

// Enable the DNS service
DNS_Server(config)#ip dns server
DNS_Server(config)#ip host www.sa-nas.net 202.1.1.1

// If a name is not found locally, query the DNS server specified below
DNS_Server(config)#ip name-server 8.8.8.8

Configuration: static NAT on R2, mapping the internal DNS server to public IP 202.1.1.2

R2(config-if)#int e0/0
R2(config-if)#ip nat outside
R2(config-if)#int e0/2
R2(config-if)#ip nat inside
R2(config-if)#exit

// Static NAT
R2(config)#ip nat inside source static 10.1.2.1 202.1.1.2
R2(config)#do show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 202.1.1.2          10.1.2.1 

Test Results

DNS_Server#ping 202.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
DNS_Server#

R2

R2(config-if)#do show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 202.1.1.2:2       10.1.2.1:2         202.1.1.254:2      202.1.1.254:2
--- 202.1.1.2          10.1.2.1           ---                ---
R2(config-if)#

Configuration: static NAT on R2, mapping TCP port 80 of the internal HTTP server to port 81 of public IP 202.1.1.1

R2(config-if)#int e0/1
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#ip nat inside source static tcp 10.1.1.1 80 202.1.1.1 81
R2(config)#do show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
tcp 202.1.1.1:81       10.1.1.1:80        ---                ---
icmp 202.1.1.2:3       10.1.2.1:3         202.1.1.254:3      202.1.1.254:3
--- 202.1.1.2          10.1.2.1           ---                ---
R2(config)#do show ip nat statistics   
Total active translations: 3 (2 static, 1 dynamic; 2 extended)
Peak translations: 5, occurred 13:38:08 ago
Outside interfaces:
  Ethernet0/0
Inside interfaces: 
  Ethernet0/1, Ethernet0/2
Hits: 97  Misses: 0
CEF Translated packets: 74, CEF Punted packets: 19
Expired translations: 14
Dynamic mappings:

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R2(config)#
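
The two static entries in this table differ in how much they expose: the port mapping forwards only TCP 81 to 10.1.1.1:80, while the one-to-one mapping for the DNS server forwards every protocol and port sent to 202.1.1.2. The Python script below is an added example, not part of the original lab; it audits the `show ip nat translations` output copied from this page, and its function names are hypothetical.

```python
from typing import List, NamedTuple, Tuple

# Output copied from the R2 session on this page (sample input for the example).
R2_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 202.1.1.1:81       10.1.1.1:80        ---                ---
icmp 202.1.1.2:3       10.1.2.1:3         202.1.1.254:3      202.1.1.254:3
--- 202.1.1.2          10.1.2.1           ---                ---
"""

class NatEntry(NamedTuple):
    proto: str           # "tcp", "udp", "icmp", or "---" for any protocol
    inside_global: str   # address (and port) seen from the outside
    inside_local: str    # real address (and port) of the inside host
    outside_local: str
    outside_global: str

def parse_table(text: str) -> List[NatEntry]:
    """Parse `show ip nat translations` output into NatEntry rows."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # The first table on this page shows the one-to-one entry without
        # its trailing "---" columns; pad such a row to five fields.
        if len(fields) == 3 and fields[0] == "---":
            fields += ["---", "---"]
        if len(fields) == 5:  # the header splits into 9 words, so it is skipped
            entries.append(NatEntry(*fields))
    return entries

def inbound_exposure(entries: List[NatEntry]) -> List[Tuple[str, str, str]]:
    """List mappings that are not bound to one outside peer.

    Such entries accept connections from any outside host. Rows with real
    outside addresses are per-session entries and are skipped.
    """
    findings = []
    for e in entries:
        if (e.outside_local, e.outside_global) != ("---", "---"):
            continue
        scope = "all protocols and ports" if e.proto == "---" else e.proto + " port only"
        findings.append((e.inside_global, e.inside_local, scope))
    return findings

if __name__ == "__main__":
    for public, inside, scope in inbound_exposure(parse_table(R2_TABLE)):
        print(f"{public:<15} -> {inside:<12} {scope}")
```

If only DNS should be reachable on 202.1.1.2, the one-to-one entry can be replaced by port-specific static entries for UDP and TCP 53, or an inbound ACL on R2's outside interface can restrict the traffic.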

Configuration: port-overload PAT on R1, so that PC1 can reach the DNS server and the HTTP server

R1(config)#int e0/0
R1(config-if)#ip nat inside
R1(config-if)#int e0/1
R1(config-if)#ip nat outside
R1(config-if)#exit

// Configure the ACL that selects the inside addresses for port-overload PAT
R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#ip nat inside source list 1 interface e0/1 overload

Test Results

PC1

PC1#ping www.sa-nas.net
Translating "www.sa-nas.net"...domain server (202.1.1.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PC1#telnet www.sa-nas.net 81
Trying www.sa-nas.net (202.1.1.1, 81)... Open
get
HTTP/1.1 400 Bad Request
Date: Thu, 09 Nov 2023 06:18:41 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to www.sa-nas.net closed by foreign host]
PC1#

R1

R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 101.1.1.1:4       192.168.10.1:4     202.1.1.1:4        202.1.1.1:4
tcp 101.1.1.1:49190    192.168.10.1:49190 202.1.1.1:81       202.1.1.1:81
udp 101.1.1.1:58319    192.168.10.1:58319 202.1.1.2:53       202.1.1.2:53
R1#show ip nat statistics 
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Peak translations: 4, occurred 13:48:30 ago
Outside interfaces:
  Ethernet0/1
Inside interfaces: 
  Ethernet0/0
Hits: 92  Misses: 0
CEF Translated packets: 80, CEF Punted packets: 12
Expired translations: 11
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Ethernet0/1 refcount 3

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R1#
