CCNA Training Course Summary Notes: NAT Translation Lab (12)
2008-09-28 09:36:18
Tags: notes, training, NAT, CCNA, translation
Copyright notice: original work. Reposting is permitted, provided the original source, the author information and this notice are indicated with a hyperlink. Otherwise legal liability will be pursued. /192876/102598

Lab objectives
Understand the principle of NAT address translation and become familiar with the NAT configuration commands and procedure. Understand the powerful role NAT plays in conserving IP address resources, and how internal addresses are translated into external addresses during NAT.

Lab topology diagram

I. Static NAT

Lab content: first create two loopback interfaces on R1, loopback0 and loopback1, and assign each one an IP address to simulate two internal PCs. R1's S1/0 is treated as the external-facing interface, and R2 acts as an external server. For a PC to communicate with R2, NAT must translate the internal IP address into the address of R1's S1/0 interface.

Router configuration

Configuration on R1

Router>en
Router#conf t

Paste in the basic router configuration commands:

Router(config)#enable password cisco
Router(config)#no ip domain-lookup
Router(config)#line con 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line aux 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line vty 0 4
Router(config-line)# exec-timeout 0 0
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)#alias exec a sh ip int bri
Router(config)#alias exec b sh ip route
Router(config)#alias exec c sh ip route rip
Router(config)#alias exec d sh run

Configure the hostname and the IP addresses of the physical and logical interfaces:

Router(config)#host R1
R1(config)#int loopback0
R1(config-if)#ip add
R1(config-if)#int loopback1
R1(config-if)#ip add
R1(config-if)#int s1/0
R1(config-if)#ip add
R1(config-if)#clock rate 64000
R1(config-if)#no shut

Configuration on R2 (the pasted basic commands are omitted):

Router(config)#host R2
R2(config)#int s1/1
R2(config-if)#ip add
R2(config-if)#no shut

Now verify from R1 with an extended ping, using the two internal addresses as the source and R2's address as the destination:

R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
.
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
.
Success rate is 0 percent (0/5)

Clearly the pings fail, because the internal addresses cannot communicate directly with the external address. So let's use NAT to translate them.

Enable static NAT translation on R1's S1/0:

R1(config)#int s1/0
R1(config-if)#int loopback0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int loop1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#ip nat inside source static    (static one-to-one translation of the internal loop0 address)
R1(config)#ip nat inside source static    (static one-to-one translation of the internal loop1 address)

Now run an extended ping to R2's address, sourced from the internal logical addresses:

R1#debug ip nat    (enable debugging to capture the translations while the ping packets are sent)
IP NAT debugging is on
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/76/96 ms
R1#
*Mar 1 00:11:13.227: NAT: s=->, d= [10]    (here you can clearly see that the logical source address has been translated, and the translated address communicates with the destination address)
*Mar 1 00:11:13.319: NAT*: s=, d=-> [10]
*Mar 1 00:11:13.319: NAT: s=->, d= [11]
*Mar 1 00:11:13.415: NAT*: s=, d=-> [11]
*Mar 1 00:11:13.415: NAT: s=->, d= [12]
*Mar 1 00:11:13.463: NAT*: s=, d=-> [12]
*Mar 1 00:11:13.463: NAT: s=->, d= [13]
*Mar 1 00:11:13.535: NAT*: s=, d=-> [13]
*Mar 1 00:11:13.535: NAT: s=->, d= [14]
R1#
*Mar 1 00:11:13.607: NAT*: s=, d=-> [14]
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/76/96 ms
R1#
*Mar 1 00:13:47.739: NAT: s=->, d= [15]
*Mar 1 00:13:47.807: NAT*: s=, d=-> [15]
*Mar 1 00:13:47.807: NAT: s=->, d= [16]
*Mar 1 00:13:47.879: NAT*: s=, d=-> [16]
*Mar 1 00:13:47.879: NAT: s=->, d= [17]
*Mar 1 00:13:47.975: NAT*: s=, d=-> [17]
*Mar 1 00:13:47.975: NAT: s=->, d= [18]
*Mar 1 00:13:48.047: NAT*: s=, d=-> [18]
*Mar 1 00:13:48.047: NAT: s=->, d= [19]
R1#
*Mar 1 00:13:48.119: NAT*: s=, d=-> [19]

The ping results show that the internal PCs can now communicate with the external server, and the debug output shows the NAT translations taking place. Static NAT is the simplest form of address translation. When many addresses need translating, each one has to be mapped one-to-one, which means entering many commands and makes the configuration tedious.

II. Dynamic NAT

First, define several logical addresses on R1's loopback0 to simulate multiple PCs:

R1(config)#int loop0
R1(config-if)#ip add
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary

Next, define the pool of external translation addresses:

R1(config)#ip nat pool outpool netmask    (defines a translation address pool named outpool; the translated addresses for internal hosts are all drawn from this pool)
R1(config)#access-list 10 permit host    (this defines the internal addresses to be translated)
R1(config)#access-list 10 permit host
R1(config)#access-list 10 permit host
R1(config)#access-list 10 permit host
R1(config)#access-list 10 permit host

Define the translation:

R1(config)#ip nat inside source list 10 pool outpool    (an internal address must be permitted by access-list 10 to be translated; the translated address is picked from outpool)

Dynamic NAT is now configured. Verify it with extended pings sourced from the internal addresses, with R2's address as the destination, and watch the translation results:

R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
*Mar 1 00:21:56.091: NAT: s=->, d= [25]
*Mar 1 00:21:56.183: NAT*: s=, d=-> [25]
.!
*Mar 1 00:21:58.087: NAT: s=->, d= [26]
*Mar 1 00:21:58.199: NAT*: s=, d=-> [26]
*Mar 1 00:21:58.199: NAT: s=->, d= [27]
*Mar 1 00:21:58.295: NAT*: s=, d=-> [27]
.!
*Mar 1 00:22:00.199: NAT: s=->, d= [28]
*Mar 1 00:22:00.239: NAT*: s=, d=-> [28]
*Mar 1 00:22:00.239: NAT: s=->, d= [29]
*Mar 1 00:22:00.311: NAT*: s=, d=-> [29]
.
Success rate is 40 percent (2/5), round-trip min/avg/max = 40/76/112 ms
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/120 ms
R1#
*Mar 1 00:24:04.467: NAT: s=->, d= [35]
*Mar 1 00:24:04.559: NAT*: s=, d=-> [35]
*Mar 1 00:24:04.559: NAT: s=->, d= [36]
*Mar 1 00:24:04.631: NAT*: s=, d=-> [36]
*Mar 1 00:24:04.631: NAT: s=->, d= [37]
*Mar 1 00:24:04.727: NAT*: s=, d=-> [37]
*Mar 1 00:24:04.727: NAT: s=->, d= [38]
*Mar 1 00:24:04.847: NAT*: s=, d=-> [38]
*Mar 1 00:24:04.847: NAT: s=->, d= [39]
R1#
*Mar 1 00:24:04.919: NAT*: s=, d=-> [39]
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/76/120 ms
R1#
*Mar 1 00:27:24.771: NAT: s=->, d= [65]
*Mar 1 00:27:24.815: NAT*: s=, d=-> [65]
*Mar 1 00:27:24.815: NAT: s=->, d= [66]
*Mar 1 00:27:24.887: NAT*: s=, d=-> [66]
*Mar 1 00:27:24.887: NAT: s=->, d= [67]
*Mar 1 00:27:25.007: NAT*: s=, d=-> [67]
*Mar 1 00:27:25.007: NAT: s=->, d= [68]
*Mar 1 00:27:25.079: NAT*: s=, d=-> [68]
*Mar 1 00:27:25.079: NAT: s=->, d= [69]
R1#
*Mar 1 00:27:25.151: NAT*: s=, d=-> [69]

You can see that the translated external address changes from one ping to the next; that is, the translation is dynamic.

R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
*Mar 1 00:27:37.035: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:39.031: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:41.031: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:43.031: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:45.031: NAT: translation failed (E), dropping packet s= d=
.
Success rate is 0 percent (0/5)

Pay attention here: when pinging from three addresses in succession, an error appears at the third address and NAT gives up on the translation. You may have noticed that the external translation pool contains only 2 addresses, so even dynamic NAT can translate only two internal addresses. A third address can be translated only after one of the first two translations has ended. This shows that dynamic NAT also has a significant limitation. To have multiple addresses translated to a single address, a different method is needed: the NAT overload translation described next.

III. NAT Overload (PAT)

Configuring NAT overload is simple: just append "overload" to the dynamic NAT configuration command.

R1(config)#ip nat inside source list 10 pool outpool overload    (overload means that addresses in the pool are selected repeatedly for translation. It works by mapping through multiple ports of the address: a single external translation address can use different ports to correspond to different internal addresses. This technique is called PAT.)

Now run extended pings in succession from the internal addresses to R2's S1/1 at the far end, and see whether the translations keep working or whether the error seen with dynamic NAT appears again:

R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/120 ms
R1#
*Mar 1 00:10:58.127: NAT: s=->, d= [15]
*Mar 1 00:10:58.243: NAT*: s=, d=-> [15]
*Mar 1 00:10:58.243: NAT: s=->, d= [16]
*Mar 1 00:10:58.339: NAT*: s=, d=-> [16]
*Mar 1 00:10:58.339: NAT: s=->, d= [17]
*Mar 1 00:10:58.435: NAT*: s=, d=-> [17]
*Mar 1 00:10:58.435: NAT: s=->, d= [18]
*Mar 1 00:10:58.531: NAT*: s=, d=-> [18]
*Mar 1 00:10:58.531: NAT: s=->, d= [19]
R1#
*Mar 1 00:10:58.627: NAT*: s=, d=-> [19]
R1#ping
Protocol [ip]:
Target IP address:
% Bad IP address
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/96/120 ms
R1#
*Mar 1 00:11:12.671: NAT: s=->, d= [20]
*Mar 1 00:11:12.787: NAT*: s=, d=-> [20]
*Mar 1 00:11:12.787: NAT: s=->, d= [21]
*Mar 1 00:11:12.859: NAT*: s=, d=-> [21]
*Mar 1 00:11:12.859: NAT: s=->, d= [22]
*Mar 1 00:11:12.955: NAT*: s=, d=-> [22]
*Mar 1 00:11:12.955: NAT: s=->, d= [23]
*Mar 1 00:11:13.075: NAT*: s=, d=-> [23]
*Mar 1 00:11:13.075: NAT: s=->, d= [24]
R1#
*Mar 1 00:11:13.147: NAT*: s=, d=-> [24]
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/100/120 ms
R1#
*Mar 1 00:11:30.719: NAT: s=->, d= [25]
*Mar 1 00:11:30.811: NAT*: s=, d=-> [25]
*Mar 1 00:11:30.811: NAT: s=->, d= [26]
*Mar 1 00:11:30.931: NAT*: s=, d=-> [26]
*Mar 1 00:11:30.931: NAT: s=->, d= [27]
*Mar 1 00:11:31.003: NAT*: s=, d=-> [27]
*Mar 1 00:11:31.003: NAT: s=->, d= [28]
*Mar 1 00:11:31.099: NAT*: s=, d=-> [28]
*Mar 1 00:11:31.099: NAT: s=->, d= [29]
R1#
*Mar 1 00:11:31.219: NAT*: s=, d=-> [29]
R1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20
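The pool exhaustion seen in part II and the effect of "overload" in part III, as an added Python model that is not part of the original notes and is not Cisco code. The pool and host addresses are constructed documentation values (the lab's own addresses are not present on this page), and the port-selection rule is a simplifying assumption.

```python
from ipaddress import ip_address

class InsideSourceNat:
    """Simplified model of an inside-source NAT pool (not Cisco IOS code)."""

    def __init__(self, pool, overload=False):
        self.pool = [str(ip_address(a)) for a in pool]
        self.overload = overload
        self.table = {}      # inside key -> global address or (address, port)
        self.in_use = set()  # global addresses, or (address, port) pairs

    def translate(self, inside, port):
        """Return (global address, port), or None when no translation can
        be created and the packet would be dropped."""
        inside = str(ip_address(inside))
        if not self.overload:                 # dynamic NAT: one address each
            if inside not in self.table:
                free = [g for g in self.pool if g not in self.in_use]
                if not free:
                    return None               # pool exhausted
                self.table[inside] = free[0]
                self.in_use.add(free[0])
            return (self.table[inside], port)
        key = (inside, port)                  # PAT: one entry per flow
        if key not in self.table:
            slot = self._free_slot(port)
            if slot is None:
                return None
            self.table[key] = slot
            self.in_use.add(slot)
        return self.table[key]

    def _free_slot(self, port):
        # Assumed rule: keep the original port (or ICMP identifier) when it
        # is free on a pool address, otherwise take the next unused one.
        for g in self.pool:
            for cand in (port, *range(1024, 65536)):
                if (g, cand) not in self.in_use:
                    return (g, cand)
        return None

    def release(self, inside):
        """Remove a dynamic NAT entry, as a timeout or manual clear would."""
        self.in_use.discard(self.table.pop(str(ip_address(inside)), None))

POOL = ["192.0.2.1", "192.0.2.2"]              # constructed two-address pool
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed inside hosts

def run(overload):
    """Translate one flow from each host and return the results in order."""
    nat = InsideSourceNat(POOL, overload)
    return [nat.translate(h, 10) for h in HOSTS]
```

Without overload the third host gets no translation until `release()` frees a pool address; with overload all three hosts share the first pool address and differ only in the translated port.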
