NAT:地址转换,有以下几种方式
- 1对1地址转换
- 1对多地址转换(PAT)
- 多对多地址转换(pool)
【实验拓扑】
拓扑说明,R1、R6、R4为局域网,R4为出口网关,连接两条链路到internet
【拓扑基本配置】
R1:
inter fa 0/0
ip address 10.0.0.1 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R4:
inter ethernet 0/0
ip address 10.0.0.4 255.255.255.0
no shut
!
inter Loopback0
ip add 150.1.4.4 255.255.255.0
ip ospf network point-to-point
不配置高亮这条命令,对方学习到的loopback地址为32为掩码,这是由于OSPF的特性导致,注意loopback地址是150网段,而serial接口是155网段,不要混淆
!
interface Serial 0/0
encaps frame-relay
no shutdown
!
interface Serial 0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
!
interface Serial 0/1
no shutdown
ip address 155.1.45.4 255.255.255.0
!
router ospf 1
router-id 150.1.4.4
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
network 150.1.4.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 update-source Loopback0
neighbor 150.1.5.5 ebgp-multihop
R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial 0/0
encapsulation frame-relay
no shut
!
interface Serial 0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial 0/1
no shutdown
clockrate 64000
ip address 155.1.45.5 255.255.255.0
!
router ospf 1
router-id 150.1.5.5
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
network 150.1.5.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 ebgp-multihop
neighbor 150.1.4.4 default-originate
R6:
inter gig 0/0
ip address 10.0.0.6 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.4
【实验1:在R4上设置Pool进行地址转换】
1、要求运营商分配的公网地址范围为150.1.4.100-150.1.4.254,在R4上配置地址转换
2、配置R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip nat pool NAT_POOL 150.1.4.100 150.1.4.254 prefix 24!ip access-list standard INSIDE_NETWORKpermit 10.0.0.0 0.0.0.255!ip nat inside source list INSIDE_NETWORK pool NAT_POOL3、验证R4#show ip nat statisticsTotal active translations: 0 (0 static, 0 dynamic; 0 extended)Outside interfaces:Serial0/1, Serial0/0.1Inside interfaces:Ethernet0/0Hits: 0 Misses: 0CEF Translated packets: 0, CEF Punted packets: 0Expired translations: 0Dynamic mappings:-- Inside Source[Id: 1] access-list INSIDE_NETWORK pool NAT_POOL refcount 0pool NAT_POOL: netmask 255.255.255.0start 150.1.4.100 end 150.1.4.254type generic, total addresses 155, allocated 0 (0%), misses 0Queued Packets: 0R4# debug ip nat detailed在R4上开启debug查看IP NAT detailed debugging is onR1#ping 150.1.5.5Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 44/46/48 msR4#NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [125]NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [125]NAT*: s=10.0.0.1->150.1.4.101, d=150.1.5.5 [125]NAT: installing alias for address 150.1.4.101NAT*: o: icmp (150.1.5.5, 6) -> (150.1.4.101, 6) [125]NAT*: s=150.1.5.5, d=150.1.4.101->10.0.0.1 [125]NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [126]NAT*: s=10.0.0.1->150.1.4.101, d=150.1.5.5 [126]NAT*: o: icmp (150.1.5.5, 6) -> (150.1.4.101, 6) [126]NAT*: s=150.1.5.5, d=150.1.4.101->10.0.0.1 [126]NAT*: i: icmp (10.0.0.1, 6) -> (150.1.5.5, 6) [127]看到转换的结果
R4# show ip nat translationsPro Inside global Inside local Outside local Outside globalicmp 155.1.45.4:2 10.0.0.1:2 150.1.5.5:2 150.1.5.5:2
【实验2,1对多配置(PAT)】
1、要求,在R4上利用loopback0地址实现1对多地址转换
2、配置
R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip access-list standard INSIDE_NETWORKpermit 10.0.0.0 0.0.0.255!ip nat inside source list INSIDE_NETWORK interface loopback 0 overload和上面相比,少量pool,多了interface 以及最后的overload,验证方法和实验1 相同
【实验3,NAT冗余】
1、要求我们看到R4有两个出口,需要通过两个出口地址进行转换,并且实现冗余nat思考:如果我们设置如下两条是否实现了负载均衡ip nat instide source list INSIDE_NETWORK interface s0/1 overloadip nat instide source list INSIDE_NETWORK interface s0/1 overload经过验证,我们输入第二条,将会把第一条替换,因此我们需要利用其它方法,route-map2、配置R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip access-list standard INSIDE_NETWORKpermit 10.0.0.0 0.0.0.255!route-map FR_INTERFACEmatch interface Serial 0/0.1match ip address INSIDE_NETWORK!route-map SERIAL_INTERFACEmatch interface Serial 0/1match ip address INSIDE_NETWORK!ip nat inside source route-map FR_INTERFACE int Serial 0/0.1 overloadip nat inside source route-map SERIAL_INTERFACE int Serial 0/1 overload3、验证R4#show ip nat statisticsTotal active translations: 0 (0 static, 0 dynamic; 0 extended)Outside interfaces:Serial0/0.1, Serial0/1Inside interfaces:Ethernet0/0Hits: 0 Misses: 0CEF Translated packets: 0, CEF Punted packets: 0Expired translations: 0Dynamic mappings:-- Inside Source[Id: 1] route-map FR_INTERFACE interface Serial0/0.1 refcount 0[Id: 2] route-map SERIAL_INTERFACE interface Serial0/1 refcount 0Queued Packets: 0R1#ping 150.1.5.5Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 60/60/61 msR1#R4#show ip nat translationsPro Inside global Inside local Outside local Outside globalicmp 155.1.0.4:0 10.0.0.1:0 150.1.5.5:0 150.1.5.5:0
R4#conf tEnter configuration commands, one per line. End with CNTL/Z.R4(config)#int se 0/0R4(config-if)#shutR4(config-if)#^ZR4#R1#ping 150.1.5.5Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 msR4#show ip nat translationsPro Inside global Inside local Outside local Outside globalicmp 155.1.45.4:5 10.0.0.6:5 150.1.5.5:5 150.1.5.5:5
【实验4,策略NAT】
1、实验要求:TCP23端口通过s0/1 进行nat,其它端口通s0/0.1进行nat2、实验配置R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip access-list ext INSIDE_TELNETpermit tcp 10.0.0.0 0.0.0.255 any eq 23!ip access-list ext INSIDE_OTHERdeny tcp 10.0.0.0 0.0.0.255 any eq 23permit ip 10.0.0.0 0.0.0.255 any!route-map FR_INTERFACEset interface Serial 0/0.1match ip address INSIDE_TELNET!route-map SERIAL_INTERFACEset interface Serial 0/1match ip address INSIDE_OTHER!ip nat inside source route-map FR_INTERFACE int Serial 0/0.1 overloadip nat inside source route-map SERIAL_INTERFACE int Serial 0/1 overload
【实验5,静态NAT配置】
R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip nat inside source static 10.0.0.1 150.1.4.1ip nat inside source static 10.0.0.6 150.1.4.6
【实验6,静态PAT配置,一般用不到】
R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip nat inside source static tcp 10.0.0.1 23 interf Loopback0 1023ip nat inside source static tcp 10.0.0.6 23 interf Loopback0 6023
【静态策略NAT,根据目的地址设置不同的转换地址】
R4:interface Ethernet 0/0ip nat inside!interface Serial 0/1ip nat outside!interface Serial 0/0.1ip nat outside!ip access-list extended TO_LOOPBACK0permit ip 10.0.0.0 0.0.0.255 150.1.5.0 0.0.0.255!ip access-list extended TO_LOOPBACK1permit ip 10.0.0.0 0.0.0.255 150.1.55.0 0.0.0.255!route-map DIVERT1 permit 10match ip address TO_LOOPBACK0!route-map DIVERT2 permit 10match ip address TO_LOOPBACK1!ip nat inside source static 10.0.0.1 150.1.4.5 route-map DIVERT1 reversible no-aliasip nat inside source static 10.0.0.1 150.1.4.55 route-map DIVERT2 reversible no-alias根据访问的目的地址设置静态转换,访问150.1.5.0 的目的地址转换为150.1.4.5访问160.1.55.0 的目的地址转换为150.1.4.55reversible check route-map for out->in trafficno-alias Do not create an alias for the global address
!interface Loopback0ip ospf network point-to-pointR5:interface Loopback1ip address 150.1.55.55 255.255.255.0!router ospf 1network 150.1.55.55 0.0.0.0 area 0
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/993058
