nat路由地址转换 nat lo0:2.2 r1(R2) s1/0 ---- s2/0 r1(R1) lo0 1.1 s1/0 -------- s2/0 r3 lo0 3.3step 1...r1: en config t hostname R2 no ip domain-lookup lin 0 exec-timeout 0 0 logging syn
nat路由地址转换 nat lo0:2.2 r1(R2) s1/0 ---- s2/0 r1(R1) lo0 1.1 s1/0 -------- s2/0 r3 lo0 3.3 step 1... r1: en config t hostname R2 no ip domain-lookup lin 0 exec-timeout 0 0 logging syn exit int lo 0 ip add 2.2.2.2 255.255.255.255 exit int s1/0 ip add 192.168.0.2 255.255.255.0 no shutdown exit r2 en config t hostname R1 no ip domain-lookup lin 0 exec-timeout 0 0 logging syn exit int lo 0 ip add 1.1.1.1 255.255.255.255 exit int s2/0 ip add 192.168.0.1 255.255.255.0 no shutdown exit int s1/0 ip add 13.1.1.1 255.255.255.0 no shutdown exit r3 en config t hostname R3 no ip domain-lookup lin 0 exec-timeout 0 0 logging syn exit int lo 0 ip add 3.3.3.3 255.255.255.255 exit int s2/0 ip add 13.1.1.3 255.255.255.0 no shutdown exit R1 ping 13.1.1.3 r1 ping 192.168.0.2 --------------------------------------------------------------------------- step 2 r1 config t access-list 10 permit 192.168.0.0 0.0.0.255 end r1 show ip access-list r1 config t ip nat pool ? ip nat pool natpool ? ip nat pool natpool 13.1.1.1 ? ip nat pool natpool 13.1.1.1 13.1.1.1 ? (只有13.1.1.1这个地址)/ / ip nat pool natpool 13.1.1.1 13.1.1.2 (有两个地址) ip nat pool natpool 13.1.1.1 13.1.1.2 netmask / / ip nat pool natpool 13.1.1.1 13.1.1.2 prefix-length ? ip nat pool natpool 13.1.1.1 13.1.1.2 prefix-length 24 end r1 config t interface s1/0 ip nat outside exit interface s2/0 ip nat inside exit ip nat ? ip nat inside ? ip nat inside source ? ip nat inside source list ? ip nat inside source list 10 ? ip nat inside source list 10 pool ? ip nat inside source list 10 pool natpool end r1 show ip nat ? r1 show ip nat ------------------------------------------------------------------------------------ step 3 r2 config t no ip routing (关掉让r2的路由功能) end r2 show ip route r2 config t ip routing (打开r2路由功能) end r2 show ip route r2 config t no ip routing end ----------------------------------------------------------------------------------- step 4 r2 ping 3.3.3.3 r2 config t ip default-gateway 192.168.0.1 (设定默认网关路由 ,这个需在路由器关闭路由功能下做) end r2 ping 3.3.3.3 r2 debug ip packet r2 unade all r1 config t intface s1/0 no ip rote-cache exit r1 debug ip packet r1 unde all r1 show ip route r1 config t ip route 3.3.3.3 255.255.255.255 s1/0 13.1.1.3 end r1 show ip route r1 show run r1 config t no ip route 3.3.3.3 255.255.255.255 s1/0 13.1.1.3 (因为把R3当成ISP只能写默认路由) end r1 config t ip route 0.0.0.0 0.0.0.0.0 s1/0 13.1.1.3 (默认路由) end r1 show ip route r2 ping 3.3.3.3 r2 debug ip packet r2 ping 3.3.3.3 r1 debug ip packet r1 config t interface s1/0 no ip route-cache end r2 ping 3.3.3.3 r1 unde all r3 debug ip packet r3 unde all ---------------------------------------------------------------------------------- step 5 r1 show ip nat translations r1 show run (看地址池有多少地址) r2 config t intface s1/0 ip add 192.168.0.3 255.255.255.0 secondary (起辅助地址模拟另一PC ) end R2 ping 3.3.3.3 source 192.168.0.2 r2 ping 3.3.3.3 source 192.168.0.3 r1 show ip nat translations r2 conifig t int s1/0 ip add 192.168.0.4 255.255.255.0 secondary (起辅助地址再模拟一PC) end r2 ping 3.3.3.3 source 192.168.0.4 u u u u (这次ping不通 因为nat是一对一的地址转换) r1 show ip nat translations (可以看到两个地址已被占用了) r1 clear ip nat translation * (清空) r1 show ip nat translations (应该空的) r2 ping 3.3.3.3 source 192.168.0.4 !!!!! r2 ping 3.3.3.3 source 192.168.0.3 !!!!! r2 ping 3.3.3.3 source 192.168.0.2 uuuu (它不通没地址了) r1 show ip nat translations r1 debug ip packet r2 debug ip packet r3 debug ip packet r1 clear ip nat translation * r2 ping 3.3.3.3 source 192.168.0.2 --------------------------------------------------------------------------------------- r2 s:192.168.0.2 d 3.3.3.3 r1 s: 13.1.1.1 d: 3.3.3.3 ip nat inside source list 10 pool natpool natpool: 13.1.1.1---13.1.1.2 rcvd:收到 传统的路由网中 第三层地址不会因为路由器的转发而改变 NAT 就是把一个或者多个地址转换成另一个地址 -------------------------------------------------------------------------------- pat 先配好IP地址 r1 show ip int bri r2 show ip int bri r3 show ip int bri r2 config t no ip routing no ip default-gateway 192.168.0.1 exit r1 config t ip route 0.0.0.0 0.0.0.0 13.1.1.3 end r1 config t access-list 10 permit 192.168.0.0 0.0.0.255 interface s2/0 ip nat inside inter s1/0 ip nat outside end r1 config t ip nat inside source list 10 ? ip nat inside source list 10 interface s1/0 ? ip nat inside source list 10 interface s1/0 overload end r3 config t line vty 0 4 no login end r1 telnet 3.3.3.3 trying 3.3.3.3.... open r3> r1#disconnect 1 closing connection to 3.3.3.3 [confirm] r2 telnet 3.3.3.3 trying 3.3.3.3.... open r3> r1 show ip nat translations r2 config t inter s1/0 ip add 192.168.0.3 255.255.255.0 secondary end r2 ping 3.3.3.3 source 192.168.0.3 r1 show ip nat translations r2 config t int s1/0 ip add 192.168.0.4 255.255.255.0 secondary ip add 192.168.0.5 255.255.255.0 secondary end r2 ping 3.3.3.3 source 192.168.0.5 !!!!! r2 ping 3.3.3.3 source 192.168.0.4 !!!!! r2 ping 3.3.3.3 source 192.168.0.3 !!!!! r2 ping 3.3.3.3 source 192.168.0.2 !!!!! r1 show ip nat translations (注意icmp 的端口号) r1 clear ip nat translation * r1 show ip nat translation r1 config t int s2/0 no ip route-cache int s1/0 no ip route-cache end r3 debug ip packet detail r2 telnet 3.3.3.3 r3> r2#disconnect 1 closing connection to 3.3.3.3 [confirm] r2 config t interface s1/0 ip add 192.168.100.1 255.255.255.0 secondary (看100网段会不会被转换) end r1 show ip access-list (不匹配下面的 是不会被转换的) ---------------------------------------------------------------------------------- 静态NAT 和 端口影谢 r3 ping 192.168.0.2 ..... r3 show ip route r3 config t ip route 192.168.0.0 255.255.255.0 13.1.1.1 end r3 ping 192.168.0.2 !!!!! r3 config t no ip route 192.168.0.0 255.255.255.0 13.1.1.1 (R3是ISP怎么能有你的私网地址) end r3 show ip route r2 show run int s1/0 r2 config t int s1/0 ip add 192.168.0.100 255.255.255.0 secondary end r1 show ip route r1 config t ip nat inside source static ? ip nat inside source static 192.168.0.100 ? ip nat inside source static 192.168.0.100 13.1.1.100 (做静态影谢) end r1 show ip nat translations r3 ping 13.1.1.100 (其实就PING 192.168.0.100) !!!!! r3 debug ip packet r2 debug ip packet r1 debug ip packet r3 ping 13.1.1.100 --------------------------------------------------------------------------------------- 端口影谢 r2 config t line vty 0 4 no login end r1 show run config t no ip nat inside source static 192.168.0.100 13.1.1.100 (删掉) end r3 unde all r1 config t ip nat inside source ? ip nat inside source static ? ip nat inside source static tcp ? ip nat inside source static tcp 192.168.0.100 ? ip nat inside source static tcp 192.168.0.100 23 ? ip nat inside source static tcp 192.168.0.100 23 13.1.1.100 ? ip nat inside source static tcp 192.168.0.100 23 13.1.1.100 23 end r3 telnet 13.1.1.100 trying 13.1.1.100...open r2> r1 show ip nat translations r2 show run r2 ping 3.3.3.3 source 192.168.0.4 (不影响别的PAT工作) !!!! r1 show ip nat translations -------------------------------------------------------------------------------- NAT 优化 注意下面的timeout时间是乱来的 具体设置要有丰厚的经验。 r2 ping 3.3.3.3 source 192.168.0.2 !!!! r2 ping 3.3.3.3 source 192.168.0.3 !!!! r2 ping 3.3.3.3 source 192.168.0.4 !!!! r2 ping 3.3.3.3 source 192.168.0.100 !!!! r1 unde all r1 show ip nat translations r1 config t ip nat ? ip nat service ? ip nat translations ? (dns-timeout finrst-timeout:tcp3次握手 icmp-timeout:默认2秒 max-port-timeout:最 大的条目 pptp-timeout syn-timeout tcp-timeout timeout udp-timeout ) ip nat translations dns-timeout ? ip nat translations dns-timeout 30 ip nat translations max-timeout ? ip nat translations max-timeout 500 ip nat translations icmp-timeout 100 end r1 clear ip nat translation * r1 show ip nat translation r1 config t &nside source static tcp 192.168.0.100 23 13.1.1.100 23 extendable static endtry in use, do you want to delete child entries ? [no] y end r1 show ip nat translations r2 telnet 3.3.3.3 trying 3.3.3.3 ... open r3> r1 show ip nat translations ------------------------------------------------------------------------------------- NAT 和ACL 是两个结合起来 做企业上网的问题 NAT 表 web dns pop ftp 网络做完第二步就是优化 ------------------------------------------------------------------------ s=192.168.0.2 (local) d=3.3.3.3 (seriall1/1) tcp src=16544 dst=23 forward:转发 tcp 4层协议是有端口号的 icmp 是没有端口号的
(免责声明:文章内容如涉及作品内容、版权和其它问题,请及时与我们联系,我们将在第一时间删除内容,文章内容仅供参考)
