2. Matching rules:
inside: route first, then NAT
outside: NAT first, then route
3. The four kinds of NAT:
ip nat inside source static 192.168.1.2 202.67.54.3
For traffic that enters on inside and leaves on outside, the source IP address 192.168.1.2 is translated to 202.67.54.3
ip nat inside destination static 192.168.1.2 202.67.54.3
For traffic that enters on inside and leaves on outside, the destination IP 192.168.1.2 is translated to 202.67.54.3
ip nat outside source static 192.168.1.2 202.67.54.3
For traffic that enters on outside and leaves on inside, the source IP 192.168.1.2 is translated to 202.67.54.3
ip nat outside destination static 192.168.1.2 202.67.54.3
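For traffic that enters on outside and leaves on inside, the destination IP 192.168.1.2 is translated to 202.67.54.3
The first statement is equivalent to the fourth, and the second is equivalent to the third
4. Observed behavior
ip nat inside: translation happens only when the packet leaves through outside
ip nat outside: translation happens only when the packet leaves through inside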
http://www.2cto.com/net/201309/244766.html
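5. Hands-on lab
Prerequisite: make sure the internal network's routes are reachable.
Also, in a real deployment the external network does not need to know the internal routes. The default routes on both sides below were added only to demonstrate the behavior of the outside interface.
Device configurations:
R0: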
Router#show running-config
Building configuration...
Current configuration : 757 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
ip address 8.8.8.7 255.255.255.0
ip nat inside
clock rate 64000
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
ip nat outside source static 1.1.1.2 2.2.2.4
ip classless
ip route 0.0.0.0 0.0.0.0 8.8.8.8
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
R1:
Router#show running-config
Building configuration...
Current configuration : 662 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
ip address 8.8.8.8 255.255.255.0
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 8.8.8.7
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
PC1:
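Reference: http://www.2cto.com/net/201309/244766.html
But I still don't understand why the return-packet flow fails. Maybe his explanation is too abstract. If anyone understands it, please give me a small example explaining why the return packet fails. I would be very grateful.
Summary: ping and telnet do not work on the outside interface, because the packet goes out but the reply cannot come back.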
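The matching rules from section 2 applied to R0's configuration, as an added example that is not part of the original post: a simplified Python model of R0's forwarding order, not Cisco code. It assumes PC1 is 1.1.1.2, that PC1 targets 8.8.8.8, that the reply reaches R0 on Serial1/0, and it adds a hypothetical host route for 2.2.2.4 to show the contrast.

```python
import ipaddress

# R0 as configured on this page: interface name -> (connected network, NAT role).
INTERFACES = {
    "FastEthernet0/0": (ipaddress.ip_network("1.1.1.0/24"), "outside"),
    "Serial1/0": (ipaddress.ip_network("8.8.8.0/24"), "inside"),
}
# ip route 0.0.0.0 0.0.0.0 8.8.8.8 -> next hop sits on Serial1/0
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "Serial1/0")
# ip nat outside source static 1.1.1.2 2.2.2.4
OUTSIDE_GLOBAL, OUTSIDE_LOCAL = "1.1.1.2", "2.2.2.4"
# Assumption (not on the page): a host route sending 2.2.2.4 out the outside interface.
HOST_ROUTE = (ipaddress.ip_network("2.2.2.4/32"), "FastEthernet0/0")


def lookup(dst, extra_routes=()):
    """Longest-prefix match over connected, default and extra routes; returns the egress interface."""
    routes = [(net, name) for name, (net, _) in INTERFACES.items()]
    routes += [DEFAULT_ROUTE, *extra_routes]
    matches = [(net.prefixlen, name) for net, name in routes
               if ipaddress.ip_address(dst) in net]
    return max(matches)[1]


def forward(ingress, src, dst, extra_routes=()):
    """Return (egress, src, dst) after R0 has processed one packet."""
    if INTERFACES[ingress][1] == "outside":
        # Ingress on outside: NAT first, then route.
        if src == OUTSIDE_GLOBAL:
            src = OUTSIDE_LOCAL
        return lookup(dst, extra_routes), src, dst
    # Ingress on inside: route first; NAT runs only if the egress is an outside interface.
    egress = lookup(dst, extra_routes)
    if INTERFACES[egress][1] == "outside" and dst == OUTSIDE_LOCAL:
        dst = OUTSIDE_GLOBAL
    return egress, src, dst


if __name__ == "__main__":
    # Constructed sample packets.
    print("request        :", forward("FastEthernet0/0", "1.1.1.2", "8.8.8.8"))
    print("reply          :", forward("Serial1/0", "8.8.8.8", "2.2.2.4"))
    print("reply + route  :", forward("Serial1/0", "8.8.8.8", "2.2.2.4", [HOST_ROUTE]))
```

In this model the reply to 2.2.2.4 matches only the default route, so it leaves through Serial1/0 again and the translation is never reversed; with the host route the egress is the outside interface and the destination becomes 1.1.1.2.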
Attachment: http://down.51cto.com/data/2366645
This article is reposted from the 51CTO blog of 飞奔的小GUI. Original link: http://blog.51cto.com/9237101/1923618. To repost it, please contact the original author.
ziwenzhou