利用两种不同的NAT配置实现两个接口的双向静态NAT测试

一.测试拓扑：

二.测试需求

1.ServerA已经配置静态一对一的地址实现从Interternet的访问

2.RouterA和RouterB为专线

3.需要ServerA访问ServerB的源地址映射为193.170.3.200

三.测试思路

1.利用nat和route-map实现按照需要进行NAT转换

---实际测试，不能满足要求

2.分2组nat，一组传统方式ip nat inside、ip nat outside，另一组为ip nat enable

四.基本配置

1.服务器ServerA：

interface Ethernet0/0

     ip address 172.16.10.200 255.255.255.0

     no shut

ip route 0.0.0.0 0.0.0.0 172.16.10.254

2.路由器RouterC：

interface Ethernet0/0

     ip address 172.16.10.254 255.255.255.0   

     no shut 
interface Ethernet0/1
     ip address 10.1.1.2 255.255.255.0
     no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.1

3.路由器RouterA：

interface Ethernet0/0
     ip address 202.100.1.1 255.255.255.0
     no shut  
interface Ethernet0/1
     ip address 192.169.2.105 255.255.255.0
     no shut  
interface Ethernet0/2
     ip address 10.1.1.1 255.255.255.0
     no shut  

ip route 0.0.0.0 0.0.0.0 202.100.1.2

ip route 172.16.10.0 255.255.255.0 10.1.1.2
ip route 192.168.92.0 255.255.255.0 192.169.2.106

interface Ethernet0/0

     ip nat outside

interface Ethernet0/2

     ip nat inside

ip access-list extended PAT

     deny   ip host 172.16.10.200 192.168.92.0 0.0.0.255
     permit ip 172.16.10.0 0.0.0.255 any

ip nat inside source list PAT interface Ethernet0/0 overload

ip nat inside source static 172.16.10.200 202.100.1.200

---验证：

ServerA#ping 202.100.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/108 ms

Internet#debug ip icmp 
ICMP packet debugging is on
Internet#
*Mar  1 06:28:08.946: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
Internet#
*Mar  1 06:28:10.942: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.038: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.138: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.198: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200

4.路由器Internet：

interface Ethernet0/0
     ip address 202.100.1.2 255.255.255.0

     no shut  

5.路由器RouterB：

interface Ethernet0/0
     ip address 192.169.2.106 255.255.255.0
     no shut  

interface Ethernet0/1
     ip address 192.168.92.254 255.255.255.0
     no shut  

ip route 172.16.10.0 255.255.255.0 192.169.2.105

五.NAT加route-map测试

A.路由器RouterA

1.定义ACL

ip access-list extended Inside
     permit ip host 172.16.10.200 host 192.168.92.64
ip access-list extended Outside
     permit ip host 172.16.10.200 any 

2.配置route-map

route-map Inside permit 10
     match ip address Inside
route-map Outside permit 10
     match ip address Outside 

3.删除原有的静态NAT

no ip nat inside source static 172.16.10.200 202.100.1.200

no ip nat inside source list PAT interface Ethernet0/0 overload

4.配置带 route-map的静态NAT

ip nat inside source static 172.16.10.200 202.100.1.200 route-map Outside

ip nat inside source static 172.16.10.200 193.170.3.200 route-map Inside 

interface Ethernet0/1

     ip nat outside

B.路由器RouterB

ip route 193.170.3.0 255.255.255.0 192.169.2.105

C.测试：

ServerA#ping 202.100.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ServerA#

Internet#
*Mar  1 06:59:10.862: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:12.870: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:14.890: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:16.846: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:18.846: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#

ServerA#ping 192.168.92.64

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/121/160 ms
ServerA#

ServerB#debug ip icmp 
ICMP packet debugging is on
ServerB#
*Mar  1 00:55:06.027: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.187: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.339: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.427: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.495: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
ServerB#

-----出去的时候没有做源地址转换

Internet#telnet 202.100.1.200
Trying 202.100.1.200 ... Open


User Access Verification

Password: 
ServerA>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:49   
*130 vty 0                idle                 00:00:00 202.100.1.2

  Interface    User               Mode         Idle     Peer Address

ServerA>quit

ServerB#telnet 193.170.3.200
Trying 193.170.3.200 ... Open


User Access Verification

Password: 
ServerA>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:52   
*130 vty 0                idle                 00:00:00 192.168.92.64

  Interface    User               Mode         Idle     Peer Address

ServerA>quit

-----从外面进来时做聊目标地址转换

六.两种NAT配合使用测试

A.RouterA删除前面配置的nat并恢复原始配置中的NAT配置

no ip nat inside source static 172.16.10.200 202.100.1.200 route-map Outside

no ip nat inside source static 172.16.10.200 193.170.3.200 route-map Inside 

interface Ethernet0/1

     no ip nat outside

no route-map Inside permit 10
no route-map Outside permit 10

no ip access-list extended Inside
no ip access-list extended Outside

ip nat inside source static 172.16.10.200 202.100.1.200

ip nat inside source list PAT interface Ethernet0/0 overload

B.RouterA配置ip nat enable

interface Ethernet0/2
     ip nat enable

interface Ethernet0/1
     ip nat enable

C.配置静态NAT:

ip nat source static 172.16.10.200 193.170.3.200

D.测试：

ServerA#ping 192.168.92.64

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ServerA#

ServerB#
*Mar  1 01:18:22.823: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:24.807: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:26.819: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:28.779: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:30.779: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#

Internet#
*Mar  1 07:24:07.350: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:09.342: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:11.334: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:13.286: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:15.314: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#

----发现此时RouterA对回包没有做目标地址转换，把包丢给了Internet路由器

D.路由器RouterA增加secondary地址并测试:

interface Ethernet0/1
ip address 193.170.3.1 255.255.255.0 secondary

ServerA#ping 192.168.92.64

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 128/153/168 ms

ServerB#
*Mar  1 01:31:28.219: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:28.399: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:31:30.379: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:30.531: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:31:32.515: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#

----通了，但是很有规律的丢包，并且比较严重

ServerA#ping 192.168.92.64 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
Success rate is 50 percent (50/100), round-trip min/avg/max = 56/128/204 ms

七.使用loopback口和两种NAT配合使用测试

---经过上面配置后，有50%的丢包，测试可能是e0/2同时配置了两种NAT,所以增加loopback口，取消原先e0/2的ip nat enable

A.路由器RouterA增加loopback0，配置ip nat enable

interface Loopback0
     ip address 1.1.1.1 255.255.255.252
     ip nat enable

B.路由器RouterA配置route-map并在e0/2接口应用

ip access-list extended ToServerB
     permit ip host 172.16.10.200 host 192.168.92.64

route-map ToServerB permit 10
     match ip address ToServerB
     set interface Loopback0

interface Ethernet0/2

     no  ip nat enable

     ip policy route-map ToServerB

C.经过上述配置后仍然还有50%的丢包，于是保存配置，重启RouterA，此时没有丢包

-----这时采用第六步的配置也是正常的，说明可能是模拟器的缘故导致

本文转自 碧云天 51CTO博客，原文链接：http://blog.51cto.com/333234/1691596，如需转载请自行联系原作者