Network Address Translation (NAT) on Cisco Routers


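Lab name: Network Address Translation (NAT) on Cisco routers

Lab objective: let all internal IP addresses connect to the Internet using a small number of public IP addresses.

Lab introduction: With NAT, when a host with a private internal address sends packets to the router, the private address is translated into a legitimate public IP address, so that a large number of internal computers can communicate with the Internet through a small number of public IP addresses. NAT addresses the IP address exhaustion problem and also improves the security of the internal network.

Lab topology: (diagram not included)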
Lab configuration steps

I. Set the computers' IP addresses
1. Set the IP address of PC1
2. Set the IP address of PC2
3. Set the IP address of PC3

II. Configure the routers
1. Configure R1
Router#conf t
Router(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip add 192.168.75.30 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#int f1/0
R1(config-if)#ip add 202.96.0.1 255.255.255.248
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0

2. Configure R2
R2#conf t
R2(config)#hostname R2
R2(config)#int f0/0
R2(config-if)#ip add 192.168.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exi
R2(config)#int f1/0
R2(config-if)#ip add 202.96.0.2 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exi

III. Configure static NAT
1. On R1, map PC1 (192.168.75.2) to 202.96.0.1 and PC2 (192.168.75.3) to 202.96.0.3 (202.96.0.1 is also the address configured on R1's f1/0 interface)
R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3

2. Ping PC3 from PC1
PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms

3. Ping PC3 from PC2
PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

4. View the translation table on router R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 202.96.0.1 192.168.75.2 --- ---
--- 202.96.0.3 192.168.75.3 --- ---

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.1:73 192.168.75.2:73 192.168.0.2:73 192.168.0.2:73
icmp 202.96.0.1:74 192.168.75.2:74 192.168.0.2:74 192.168.0.2:74
icmp 202.96.0.1:75 192.168.75.2:75 192.168.0.2:75 192.168.0.2:75
icmp 202.96.0.1:76 192.168.75.2:76 192.168.0.2:76 192.168.0.2:76
icmp 202.96.0.3:45 192.168.75.3:45 192.168.0.2:45 192.168.0.2:45
icmp 202.96.0.3:46 192.168.75.3:46 192.168.0.2:46 192.168.0.2:46
icmp 202.96.0.3:47 192.168.75.3:47 192.168.0.2:47 192.168.0.2:47
icmp 202.96.0.3:48 192.168.75.3:48 192.168.0.2:48 192.168.0.2:48
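--- 202.96.0.1 192.168.75.2 --- ---
--- 202.96.0.3 192.168.75.3 --- ---

Summary: Each internal computer is mapped one-to-one to a public IP address. This method makes specific internal network devices reachable from the external network, but its security is poor and it has little practical value.

IV. Configure dynamic NAT
1. Remove the two static IP mappings on router R1
R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3

2. On router R1, configure an ACL that covers all internal IP addresses
R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255

3. Configure the pool of legitimate IP addresses
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248

4. Associate the ACL with the IP address pool
R1(config)#ip nat inside source list 1 pool abc

5. Ping PC3 from PC1
PC>ping 192.168.0.2
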
Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126

Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms

6. Ping PC3 from PC2
PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

7. View the translation table on router R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:81 192.168.75.2:81 192.168.0.2:81 192.168.0.2:81
icmp 202.96.0.5:82 192.168.75.2:82 192.168.0.2:82 192.168.0.2:82
icmp 202.96.0.5:83 192.168.75.2:83 192.168.0.2:83 192.168.0.2:83
icmp 202.96.0.5:84 192.168.75.2:84 192.168.0.2:84 192.168.0.2:84
icmp 202.96.0.4:5 192.168.75.3:5 192.168.0.2:5 192.168.0.2:5
icmp 202.96.0.4:6 192.168.75.3:6 192.168.0.2:6 192.168.0.2:6
icmp 202.96.0.4:7 192.168.75.3:7 192.168.0.2:7 192.168.0.2:7
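icmp 202.96.0.4:8 192.168.75.3:8 192.168.0.2:8 192.168.0.2:8

Summary: The mapping is random, and the maximum number of mappings equals the number of legitimate public IP addresses configured, so in practice this still cannot meet everyday needs.

V. Port multiplexing (PAT)
1. Append the keyword overload to the command that associates the ACL with the IP address pool
R1(config)#ip nat inside source list 1 pool abc overload

2. After pinging PC3 from PC1 and PC2, view the translation table on router R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global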
icmp 202.96.0.5:85 192.168.75.2:85 192.168.0.2:85 192.168.0.2:85
icmp 202.96.0.5:86 192.168.75.2:86 192.168.0.2:86 192.168.0.2:86
icmp 202.96.0.5:87 192.168.75.2:87 192.168.0.2:87 192.168.0.2:87
icmp 202.96.0.5:88 192.168.75.2:88 192.168.0.2:88 192.168.0.2:88
icmp 202.96.0.5:10 192.168.75.3:10 192.168.0.2:10 192.168.0.2:10
icmp 202.96.0.5:11 192.168.75.3:11 192.168.0.2:11 192.168.0.2:11
icmp 202.96.0.5:12 192.168.75.3:12 192.168.0.2:12 192.168.0.2:12
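icmp 202.96.0.5:9 192.168.75.3:9 192.168.0.2:9 192.168.0.2:9

Summary: When the internal computers access the Internet, their addresses are all mapped to the same legitimate public IP address, so the internal computers can reach the Internet by sharing a single public IP address. This is the most practical technique.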
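
The three summaries above, as an added Python model (not part of the original article and not router code): it shows the dynamic pool running out, PAT sharing one address by port, and the difference in what an unsolicited outside packet reaches under static NAT versus PAT. The class NatModel, the two-address pool and the third host 192.168.75.4 are constructed for illustration; pool order and port selection are simplified.

```python
import itertools

class NatModel:
    """Toy NAT table: static entries, a dynamic pool, optional overload (PAT)."""
    def __init__(self, pool=(), overload=False):
        self.free = list(pool)   # unassigned inside-global addresses
        self.overload = overload
        self.static = {}         # inside global -> inside local (permanent)
        self.host_ip = {}        # dynamic NAT: inside local -> inside global
        self.flows = {}          # PAT: (global ip, port) -> (local ip, port)

    def outbound(self, local, port):
        """Return the (inside global, port) the packet leaves with, or None."""
        for g, l in self.static.items():
            if l == local:
                return (g, port)
        if self.overload and self.free:
            g = self.free[0]     # every host shares the same address
            # keep the source port when it is free, otherwise pick another
            for p in itertools.chain([port], range(1024, 65536)):
                if self.flows.setdefault((g, p), (local, port)) == (local, port):
                    return (g, p)
            return None
        if local not in self.host_ip:
            if not self.free:
                return None      # pool exhausted: no translation is created
            self.host_ip[local] = self.free.pop(0)  # one address per host
        return (self.host_ip[local], port)

    def inbound(self, global_ip, port):
        """Return the inside (ip, port) a packet from outside reaches, or None."""
        if global_ip in self.static:
            return (self.static[global_ip], port)  # always reachable, any port
        if (global_ip, port) in self.flows:
            return self.flows[(global_ip, port)]   # reply to an existing PAT flow
        for l, g in self.host_ip.items():
            if g == global_ip:
                return (l, port)                   # while the dynamic entry exists
        return None

def demo():
    # Constructed scenario: lab addresses plus a hypothetical third host.
    hosts = ["192.168.75.2", "192.168.75.3", "192.168.75.4"]
    static, dyn = NatModel(), NatModel(pool=["202.96.0.4", "202.96.0.5"])
    static.static["202.96.0.3"] = "192.168.75.3"
    pat = NatModel(pool=["202.96.0.5"], overload=True)
    return {"dynamic": [dyn.outbound(h, 5000) for h in hosts],
            "pat": [pat.outbound(h, 5000) for h in hosts],
            "static_unsolicited": static.inbound("202.96.0.3", 3389),
            "pat_unsolicited": pat.inbound("202.96.0.5", 3389)}
```

With a two-address pool the third host gets no translation under dynamic NAT, while under PAT all three hosts leave from 202.96.0.5 on different ports.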
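
Extended knowledge
1. Enterprises often need to map a particular port of a specific internal computer to the public network. How is this configured on a Cisco router?
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable
Maps port 80, used to publish a website.
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable
Maps port 3389, used for Remote Desktop connections.
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable
Maps a special port, used for publishing software.
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable
Maps port 22, used for SSH remote connections.
Each of these static entries makes the mapped port reachable from any outside host unless an access list on the outside interface restricts the source.

2. If we have only one public address and it is already assigned to R1's F1/0 interface, how can it be reused, or overloaded?
R1(config)#ip nat inside source list 10 interface f1/0 overload
No address pool is configured on R1 because there is only one public address; only the address of interface F1/0 is overloaded.
Or:
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248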

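3. How is the number of NAT translation entries on a router calculated? One NAT translation entry occupies 160 bytes of memory, so the number of NAT translations is limited by the router's memory.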
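
An added Python example (not from the original article) that audits `show ip nat translations` output: it lists entries with no outside peer, which translate traffic from any outside host, shows which inside global addresses are shared by several inside hosts, and estimates table memory from the article's 160-byte figure. The sample rows come from the tables above, except the tcp row, which is constructed from the port-mapping command in the extended-knowledge section; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

BYTES_PER_ENTRY = 160  # per-entry memory figure stated in the article

# Rows taken from the article's tables; the tcp row is constructed to match
# the article's port mapping "192.168.75.2 3080 202.96.0.2 3389".
SAMPLE = """\
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:85 192.168.75.2:85 192.168.0.2:85 192.168.0.2:85
icmp 202.96.0.5:86 192.168.75.2:86 192.168.0.2:86 192.168.0.2:86
icmp 202.96.0.5:10 192.168.75.3:10 192.168.0.2:10 192.168.0.2:10
--- 202.96.0.3 192.168.75.3 --- ---
tcp 202.96.0.2:3389 192.168.75.2:3080 --- ---
"""

def endpoint(field):
    """'202.96.0.5:85' -> ('202.96.0.5', 85); '202.96.0.3' -> ('202.96.0.3', None)."""
    ip, _, port = field.partition(":")
    ipaddress.ip_address(ip)               # ValueError if this is not an address
    return ip, int(port) if port else None

def audit(text):
    open_inbound, behind, count = [], defaultdict(set), 0
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue                       # prompt, header or blank line
        try:
            (gip, _), (lip, _) = endpoint(f[1]), endpoint(f[2])
        except ValueError:
            continue                       # not a translation row
        count += 1
        behind[gip].add(lip)
        if f[3] == f[4] == "---":
            # No outside peer is recorded, so the entry is not tied to one
            # conversation: packets from any outside host are translated.
            open_inbound.append((f[1], f[2]))
    shared = {g: sorted(l) for g, l in behind.items() if len(l) > 1}
    return {"entries": count, "memory_bytes": count * BYTES_PER_ENTRY,
            "open_inbound": open_inbound, "shared_globals": shared}

if __name__ == "__main__":
    print(audit(SAMPLE))
```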
