模擬器網(wǎng)絡(luò)培訓(xùn)ccna 8 2nat

NAT(Network

Address

Translation)網(wǎng)絡(luò)地址轉(zhuǎn)換NAT-網(wǎng)絡(luò)地址轉(zhuǎn)換An

IP

address

is

either

local

or

global.Local

IPv4

addresses

are

seen

in

the

inside

network.Global

IPv4

addresses

are

seen

in

the

outside

network.NAT地址轉(zhuǎn)換的具體過程N(yùn)AT術(shù)語(yǔ)內(nèi)部本地轉(zhuǎn)換之前內(nèi)部源地址的名字外部本地轉(zhuǎn)換之前目標(biāo)主機(jī)的名字內(nèi)部全局轉(zhuǎn)換之后內(nèi)部主機(jī)的名字外部全局轉(zhuǎn)換之后外部目標(biāo)主機(jī)的名字內(nèi)部本地Internet內(nèi)部全局外部全局外部本地insideoutsideoutsideinsideNAT三種類型1

靜態(tài)NAT將內(nèi)部本地地址與內(nèi)部全局地址進(jìn)行一對(duì)一的明確轉(zhuǎn)換。這種方法主要用在內(nèi)部網(wǎng)絡(luò)中有對(duì)外提供服務(wù)的服務(wù)器，如WEB、MAIL服務(wù)器時(shí)。該方法的缺點(diǎn)是需要獨(dú)占寶貴的合法IP地址。即，如果某個(gè)合法IP地址已經(jīng)被NAT靜態(tài)地址轉(zhuǎn)換定義，即使該地址當(dāng)前沒有被使用，也不能被用作其它的地址轉(zhuǎn)換。Establishes

static

translation

between

an

inside

local

address

and

aninside

global

addressRouter(config)#

ip

nat

inside

source

static

local-ip

global-ipMarks

the

interface

as

connected

to

the

insideRouter(config-if)#

ip

nat

insideMarks

the

interface

as

connected

to

the

outsideRouter(config-if)#

ip

nat

outsideDisplays

active

translationsRouter#

show

ip

nat

translations配置靜態(tài)NAT轉(zhuǎn)換配置靜態(tài)NAT轉(zhuǎn)換-舉例Router#

show

ip

nat

translationsPro

Inside

global---192.168.1.2Inside

local10.1.1.2Outside

local---Outside

global---interface

s0ip

address

192.168.1.1

255.255.255.0ip

nat

outside!interface

e0ip

address

10.1.1.1

255.255.255.0ip

nat

inside!ip

nat

inside

source

static

10.1.1.2

192.168.1.2NAT三種類型2

動(dòng)態(tài)NAT動(dòng)態(tài)地址轉(zhuǎn)換也是將內(nèi)部本地地址與內(nèi)部全局地址進(jìn)行一對(duì)一的轉(zhuǎn)換。但是，是從內(nèi)部全局地址池中動(dòng)態(tài)地選擇一個(gè)未使用的地址對(duì)內(nèi)部本地地址進(jìn)行轉(zhuǎn)換。該地址是由未被使用的地址組成的地址池中在定義時(shí)排在最前面的一個(gè)。當(dāng)數(shù)據(jù)傳輸完畢后，路由器將把使用完的內(nèi)部全局地址放回到地址池中，以供其它內(nèi)部本地地址進(jìn)行轉(zhuǎn)換。但是在該地址被使用時(shí)，不能用該地址再進(jìn)行一次轉(zhuǎn)換。Establishes

dynamic

source

translation,

specifying

the

ACL

that

wasdefined

in

the

previous

stepRouter(config)#

ip

nat

inside

source

listaccess-list-number

pool

nameDefines

a

pool

of

global

addresses

to

be

allocated

as

neededRouter(config)#

ip

nat

pool

name

start-ip

end-ip{netmasknetmask

|

prefix-length

prefix-length}Defines

a

standard

IP

ACL

permitting

those

inside

local

addressesthat

are

to

be

translatedRouter(config)#

access-list

access-list-number

permitsource

[source-wildcard]Displays

active

translationsRouter#

show

ip

nat

translations配置動(dòng)態(tài)NAT轉(zhuǎn)換配置動(dòng)態(tài)NAT轉(zhuǎn)換-舉例Router#

show

ip

nat

translations

Pro

Inside

global Inside

localOutside

localOutside

global---171.69.233.209192.168.1.100---------171.69.233.210192.168.1.101------NAT三種類型3端口復(fù)用復(fù)用地址轉(zhuǎn)換也稱為端口地址轉(zhuǎn)換（Port

Address

Translation，PAT），首先是一種動(dòng)態(tài)地址轉(zhuǎn)換。路由器將通過記錄地址、應(yīng)用程序端口等唯一標(biāo)識(shí)一個(gè)轉(zhuǎn)換。通過這種轉(zhuǎn)換，可以使多個(gè)內(nèi)部本地地址同時(shí)與同一個(gè)內(nèi)部全局地址進(jìn)行轉(zhuǎn)換并對(duì)外部網(wǎng)絡(luò)進(jìn)行訪問。對(duì)于只申請(qǐng)到少量IP地址甚至只有一個(gè)合法IP地址，卻經(jīng)常有很多用戶同時(shí)要求上網(wǎng)的情況，這種轉(zhuǎn)換方式非常有用理想狀況下，一個(gè)單一的IP地址可以使用的端口數(shù)為4000個(gè)理解PAT地址轉(zhuǎn)換(Overloading)配置PAT地址轉(zhuǎn)換(Overloading)Establishes

dynamic

source

translation,

specifying

the

ACL

that

wasdefined

in

the

previous

stepRouter(config)#

ip

nat

inside

source

listaccess-list-number

interface

interface

overloadDefines

a

standard

IP

ACL

that

will

permit

the

inside

local

addressesthat

are

to

be

translatedRouter(config)#

access-list

access-list-number

permitsource

source-wildcardDisplays

active

translationsRouter#

show

ip

nat

translations配置PAT地址轉(zhuǎn)換(Overloading)-舉例Router#

show

ip

nat

translationsPro

Inside

global Inside

localTCP172.17.38.1:1050

192.168.3.7:1050TCP172.17.38.1:1776

192.168.4.12:1776Outside

local10.1.1.1:2310.2.2.2:25Outside

global10.1.1.1:2310.2.2.2:25hostname

Router!interface

Ethernet0ip

address

192.168.3.1

255.255.255.0ip

natinside!interface

Ethernet1ip

address

192.168.4.1

255.255.255.0ip

natinside!interface

Serial0description

To

ISPip

address

172.17.38.1

255.255.255.0ip

natoutside!ip

nat

inside

source

list

1

interface

Serial0

overload!ip

route

0.0.0.0

0.0.0.0

Serial0!access-list

1

permit

192.168.3.0

0.0.0.255access-list

1

permit

192.168.4.0

0.0.0.255!Clears

a

simple

dynamic

translation

entry

that

contains

an

insidetranslation

or

both

an

inside

and

outside

translationRouter#

clear

ip

nat

translation

inside

global-iplocal-ip

[outside

local-ip

global-ip]Clears

all

dynamic

address

translation

entriesRouter#

clear

ip

nat

translation

*Clears

a

simple

dynamic

translation

entry

that

contains

an

outsidetranslationRouter#

clear

ip

nat

translation

outsidelocal-ip

global-ipClears

an

extended

dynamic

translation

entry

(PAT

entry)Router#

clear

ip

nat

translation

protocol

inside

global-ipglobal-port

local-ip

local-port

[outside

local-iplocal-port

global-ip

global-port]清除NAT

轉(zhuǎn)換表項(xiàng)問題：在NAT表中沒有轉(zhuǎn)換項(xiàng)Verify

that:–There

are

no

inbound

ACLs

thatare

denyingthepacketsentry

to

the

NATrouter–The

ACL

referenced

by

the

NAT

command

is

permittingallnecessary

networks–There

are

enough

addresses

in

the

NAT

pool–The

router

interfaces

are

appropriately

defined

as

NATinside

or

NAToutsideRouter#

show

ip

nat

statisticsTotal

active

translations:

1

(1

static,

0

dynamic;

0

extended)Outside

interfaces:Ethernet0,

Serial2Inside

interfaces:Ethernet1Hits:

5 Misses:

0…顯示相關(guān)的轉(zhuǎn)換信息：debug

and

show

命令Router#

debug

ip

natNAT:

s=192.168.1.95->172.31.233.209,

d=172.31.2.132

[6825]NAT:

s=172.31.2.132,

d=172.31.233.209->192.168.1.95

[21852]NAT:

s=192.168.1.95->172.31.233.209,

d=172.31.1.161

[6826]NAT*:

s=172.31.1.161,

d=172.31.233.209->192.168.1.95

[23311]NAT*:

s=192.168.1.95->172.31.233.209,

d=172.31.1.161

[6827]NAT*:

s=192.168.1.95->172.31.233.209,

d=172.31.1.161

[6828]NAT*:

s=172.31.1.161,

d=172.31.233.209->192.168.1.95

[23312]NAT*:

s=172.31.1.161,

d=172.31.233.209->192.168.1.95

[23313]Verify:What

the

NAT

configuration

is

supposed

to

plishThat

the

NAT

entry

exists

in

the

translation

tableand

that

it

is

accurateThat

the

translation

is

actually

taking

place

bymonitoring

the

NAT

process

or

statisticsThat

the

NAT

router

has

the

appropriate

route

inthe

routing

table

if

the

packet

is

going

from

insideto

outsideThat

all

necessary

routers

have

a

return

route

backto

the

translated

address問題：NAT表中存在轉(zhuǎn)換項(xiàng)，但是沒有被使用問題:不能ping通遠(yuǎn)程的主機(jī)There

are

no

translations

in

the

table.RouterA#show

ip

nat

translationsProInside

global Inside

localOutside

localOutside

global------------------The

router

interfacesare

inappropriately

definedas

NAT

insideand

NAT

outside.RouterA#

show

ip

nat

statisticsTotal

active

translations:

0

(0

static,

0

dynamic;

0

extended)Outside

interfaces:Ethernet0Inside

interfaces:Serial0Hits:

0 Misses:

0…Pings

are

still

failing

and

there

are

still

no

translations

in

the

table.There

is

an

incorrect

wildcard

bit

mask

in

the

ACL

that

definesthe

addresses

to

be

translated.RouterA#

show

access-listStandard

IP

access

list

2010

permit

0.0.0.0,

wildcard

bits

255.255.255.0Translations

are

now

occurring.Pings

are

still

failing.RouterA#Proshow

ip

nat

translationsInside

global Inside

localOutside

localOutside

global---172.16.17.20

192.168.1.2------Router

B

has

no

route

to

the

translated

network

address

of

172.16.0.0.RouterB#

sh

ip

routeCodes:

C

-

connected,

S

-

static,

R

-

RIP,

M

-

mobile,

B

-

BGPGateway

of

last

resort

is

not

setCRR10.0.0.0/24

is

subnetted,

1

subnets10.1.1.0/24

is

directly

connected,

Serial0192.168.2.0/24

is

subnetted,

1

subnets192.168.2.0/24

is

directly

connected,

Ethernet0192.168.1.0/24

is

variably

subnetted,

3

subnets,

2

masks192.168.1.0/24