一、基础
Cisco路由器配置中NAT的主要命令:静态NAT:1、指定NAT内部接口在内网相应接口的接口配置模式下执行:ip nat inside2、指定NAT外部接口在外网相应接口的接口配置模式下执行:ip nat outside3、在内部本地地址与内部全局地址之间建立静态地址转换关系:ip nat inside source static 内部本地地址 内部全局地址4、在外部全局地址与外部本地地址之间建立静态地址转换关系:ip nat outside source static 外部全局地址 外部本地地址5、show ip nat translations:显示当前存在的NAT转换信息。 show ip nat statics:查看NAT的统计信息。 show ip nat translations verbose:显示当前存在的NAT转换的详细信息。 debug ip nat:跟踪NAT操作,显示出每个被转换的数据包。 Clear ip nat translations *:删除NAT映射表中的所有内容.动态地址NAT:1、指定NAT内部接口在内网相应接口的接口配置模式下执行:ip nat inside2、指定NAT外部接口在外网相应接口的接口配置模式下执行:ip nat outside3、在全局配置模式下,定义一个标准的access-list规则,声明允许哪些内部本地地址可以进行动态地址转换:access-list list-number permit 源地址 通配符其中,list-number为1-99之间的一个任意整数。4、在全局配置模式下,定义内部全局地址池:ip nat pool 地址池名 起始IP地址 终止IP地址 netmask 子网掩码其中,地址池名可以任意设定,但最好有一定的说明意义。5、在全局配置模式下,定义符合先前定义的access-list规则的IP数据包与先前定义的地址池中的IP地址进行转换:ip nat inside source list list-number pool 内部全局地址池名6、no ip nat pool name 删除全局地址池no access-list access-list-number 删除访问列表no ip nat inside source 删除动态源地址转换网络地址端口转换NAPT:1、指定NAT内部接口在内网相应接口的接口配置模式下执行:ip nat inside2、指定NAT外部接口在外网相应接口的接口配置模式下执行:ip nat outside3、在全局配置模式下,定义内部全局地址池:ip nat pool 地址池名 起始IP地址 终止IP地址 netmask 子网掩码其中,地址池名可以任意设定,但最好有一定的说明意义。4、在全局配置模式下,定义一个标准的access-list规则,声明允许哪些内部本地地址可以进行复用地址转换:access-list list-number permit 源地址 通配符其中,list-number为1-99之间的一个任意整数。5、在全局配置模式下,定义符合先前定义的access-list规则的IP数据包与先前定义的地址池中的IP地址进行复用地址转换:ip nat inside source list list-number pool 内部全局地址池名 overload
注:
内部本地地址、内部全局地址、外部本地地址、外部全局地址
ip nat inside/outside针对的是不同方向的流量/数据包。
ip nat inside是指从内网发送的数据包,提取包头的源IP地址,转换为外网地址;ip nat outside是指从外网返回的数据包,提取包头的目的ip地址,转换为内网地址。
inside/outside不是用来区分NAT路由器的内外部接口,而是用来区分需要NAT地址转换的不同方向的流量。inside指内部网络;outside指内部网络需要连接的网络,一般指互联网
二、实例
1、静态nat
基本命令
ip nat inside source static 192.168.1.10 13.0.1.3ip nat insideip nat outside
这里先使用静态nat使pc1能与R2连接通信
先配置pc1和pc2的ip
再配置路由器R1和R2
R1#conf tEnter configuration commands, one per line. End with CNTL/Z.R1(config)#int f0/0R1(config-if)#ip address 192.168.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#int*Mar 1 00:02:12.327: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Mar 1 00:02:13.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR1(config-if)#int f1/0R1(config-if)#ip address 13.0.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#*Mar 1 00:02:41.819: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up*Mar 1 00:02:42.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to upR1(config-if)#exitR1(config)#ip nat inside source static 192.168.1.10 13.0.1.3R1(config-if)#int f0/0R1(config-if)#ip nat insideR1(config-if)#*Mar 1 00:03:29.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to upR1(config-if)#int f1/0R1(config-if)#ip nat outside
R2#conf tEnter configuration commands, one per line. End with CNTL/Z.R2(config)#int f0/0R2(config-if)#ip address 13.0.1.2 255.255.255.0R2(config-if)#no sh
测试
2、动态NAT
使用动态nat使pc2与R2通信
R1(config)#ip nat pool test 13.0.1.10 13.0.1.20 netmask 255.255.255.0!定义内部全局地址池R1(config)#access-list 10 permit 192.168.1.0 0.0.0.255!定义访问控制列表,内部本地地址范围R1(config)#ip nat inside source list 10 pool test!建立映射关系R1(config)#int f0/0R1(config-if)#ip nat inside !定义内部网络接口R1(config)#int f1/0R1(config-if)#ip nat outside!定义外部网络接口
将192.168.1.0/24网段的内部主机动态转换到全局地址13.0.1.10-13.0.1.20之间的ip,内部网络的其他网段(非192.168.1)的主机不允许做NAT
测试
3、PAT
1)静态PAT
R1(config)#ip nat inside source static {UDP|TCP} local-address port global-address port
例:
这里我们将C1的telnet服务映射到13.0.1.3的999端口,来测试一下静态PAT
R3模拟为主机C1,并且开启telnet服务
c1#conf tEnter configuration commands, one per line. End with CNTL/Z.c1(config)#no ip routingc1(config)#int f0/0c1(config-if)#ip address 192.168.1.2 255.255.255.0c1(config-if)#no shc1(config-if)#*Mar 1 00:03:16.475: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Mar 1 00:03:17.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upc1(config-if)#exitc1(config)#ip defc1(config)#ip default-gc1(config)#ip default-gateway 192.168.1.1c1(config)#endc1#sho*Mar 1 00:04:06.223: %SYS-5-CONFIG_I: Configured from console by consolec1#show ip routeDefault gateway is 192.168.1.1HostGateway Last Use Total Uses InterfaceICMP redirect cache is emptyc1#!开启telnetc1#conf tEnter configuration commands, one per line. End with CNTL/Z.c1(config)#line vty 0 4c1(config-line)#login% Login disabled on line 130, until 'password' is set% Login disabled on line 131, until 'password' is set% Login disabled on line 132, until 'password' is set% Login disabled on line 133, until 'password' is set% Login disabled on line 134, until 'password' is setc1(config-line)#password zwishc1(config-line)#access-list 101 permit ip any anyc1(config-line)#end
R2
R2#conf tEnter configuration commands, one per line. End with CNTL/Z.R2(config)#int f0/0R2(config-if)#ip address 13.0.1.2 255.255.255.0R2(config-if)#no shR2(config-if)#*Mar 1 00:06:58.331: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Mar 1 00:06:59.331: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR2(config-if)#
R1配置静态PAT
R1#enR1#conf tEnter configuration commands, one per line. End with CNTL/Z.R1(config)#int f0/0R1(config-if)#ip address 192.168.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#int*Mar 1 00:06:06.983: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Mar 1 00:06:07.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR1(config-if)#int f1/0R1(config-if)#ip address 13.0.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#*Mar 1 00:06:27.363: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up*Mar 1 00:06:28.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to upR1(config-if)#exitR1(config)#ip nat inside source static tcp 192.168.1.2 23 13.0.1.3 999R1(config)#int f0/0R1(config-if)#ip nat insideR1(config-if)#int f1/0R1(config-if)#ip nat outsideR1(config-if)#exit
这里最重要异步就是将192.168.1.2的telnet服务映射到了13.0.1.3的999端口
最后配置好了,用R2来telenet登陆一下C1,telnet 13.0.1.3 999
成功!
抓个包看一下,源地址和目的地址分别为13.0.1.2和192.168.1.2
2)动态PAT
R1配置
R1#conf tEnter configuration commands, one per line. End with CNTL/Z.R1(config)#int f0/0R1(config-if)#ip address 192.168.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#int f1/0R1(config-if)#*Mar 1 00:01:11.115: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Mar 1 00:01:12.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR1(config-if)#int f1/0R1(config-if)#ip address 192.168.1.1 255.255.255.0% 192.168.1.0 overlaps with FastEthernet0/0R1(config-if)#ip address 13.0.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#*Mar 1 00:05:50.503: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up*Mar 1 00:05:51.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to upR1(config-if)#exitR1(config)#ip nat pool test 13.0.1.3 13.0.1.3 netmask 255.255.255.0R1(config)#ac*Mar 1 00:07:20.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to upR1(config)#access-list 10 permit 192.168.1.0 0.0.0.255R1(config)#ip nat inside source list 10 pool test overloadR1(config)#int f0/0R1(config-if)#ip nat insideR1(config-if)#int f1/0R1(config-if)#ip nat outside
R2
R2#conf tEnter configuration commands, one per line. End with CNTL/Z.R2(config)#int f0/0R2(config-if)#ip address 13.0.1.2 255.255.255.0R2(config-if)#no shR2(config-if)#*Mar 1 00:06:05.027: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Mar 1 00:06:06.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR2(config-if)#
pc1和pc2
VPCS[1]> ip 192.168.1.2 192.168.1.1 24Checking for duplicate address...PC1 : 192.168.1.2 255.255.255.0 gateway 192.168.1.1VPCS[1]> 2VPCS[2]> ip 192.168.1.3 192.168.1.1 24Checking for duplicate address...PC2 : 192.168.1.3 255.255.255.0 gateway 192.168.1.1VPCS[2]> showNAME IP/MASK GATEWAY MACLPORT RHOST:PORTVPCS1 192.168.1.2/24 192.168.1.1 00:50:79:66:68:00 20000 127.0.0.1:30000fe80::250:79ff:fe66:6800/64VPCS2 192.168.1.3/24 192.168.1.1 00:50:79:66:68:01 20001 127.0.0.1:30001fe80::250:79ff:fe66:6801/64
pc1和pc2分别ping R2,发现源地址都是13.0.1.3
