Lab title: Network Address Translation (NAT) on a Cisco router
創(chuàng)新互聯(lián)專業(yè)為企業(yè)提供啟東網(wǎng)站建設(shè)、啟東做網(wǎng)站、啟東網(wǎng)站設(shè)計、啟東網(wǎng)站制作等企業(yè)網(wǎng)站建設(shè)、網(wǎng)頁設(shè)計與制作、啟東企業(yè)網(wǎng)站模板建站服務(wù),十余年啟東做網(wǎng)站經(jīng)驗,不只是建網(wǎng)站,更提供有價值的思路和整體網(wǎng)絡(luò)服務(wù)。
實驗?zāi)康模簩崿F(xiàn)所有內(nèi)網(wǎng)IP使用少量的公網(wǎng)IP連接Internet
實驗介紹:
借助NAT技術(shù),內(nèi)網(wǎng)私有地址向路由器發(fā)送數(shù)據(jù)包時,私有地址被轉(zhuǎn)換成合法的公網(wǎng)IP地址,從而實現(xiàn)大量內(nèi)網(wǎng)計算機通過少量公網(wǎng)IP地址和互聯(lián)網(wǎng)通信的需求。NAT技術(shù)解決了IP地址枯竭問題,還提高了內(nèi)網(wǎng)的安全性。
實驗拓撲
實驗配置步驟
一.設(shè)置計算機IP地址
1.PC1設(shè)置IP地址
2.PC2設(shè)置IP地址
3.PC3設(shè)置IP地址
二.配置路由器
1.配置R1
Router#conf t
R1(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip add 192.168.75.30 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#int f1/0
R1(config-if)#ip add 202.96.0.1 255.255.255.248
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0
2. Configure R2
R2#conf t
R2(config)#hostname R2
R2(config)#int f0/0
R2(config-if)#ip add 192.168.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exi
R2(config)#int f1/0
R2(config-if)#ip add 202.96.0.2 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exi
III. Configure static NAT
1. On R1, map PC1 (192.168.75.2) to 202.96.0.1
and PC2 (192.168.75.3) to 202.96.0.3
R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3
2. Test by pinging PC3 from PC1
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms
3. Test by pinging PC3 from PC2
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
4. Check the translation table on R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 202.96.0.1 192.168.75.2 --- ---
--- 202.96.0.3 192.168.75.3 --- ---
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.1:73 192.168.75.2:73 192.168.0.2:73 192.168.0.2:73
icmp 202.96.0.1:74 192.168.75.2:74 192.168.0.2:74 192.168.0.2:74
icmp 202.96.0.1:75 192.168.75.2:75 192.168.0.2:75 192.168.0.2:75
icmp 202.96.0.1:76 192.168.75.2:76 192.168.0.2:76 192.168.0.2:76
icmp 202.96.0.3:45 192.168.75.3:45 192.168.0.2:45 192.168.0.2:45
icmp 202.96.0.3:46 192.168.75.3:46 192.168.0.2:46 192.168.0.2:46
icmp 202.96.0.3:47 192.168.75.3:47 192.168.0.2:47 192.168.0.2:47
icmp 202.96.0.3:48 192.168.75.3:48 192.168.0.2:48 192.168.0.2:48
--- 202.96.0.1 192.168.75.2 --- ---
--- 202.96.0.3 192.168.75.3 --- ---
Summary
Each internal computer is mapped one-to-one onto a public IP address. This method makes it possible to reach specific internal devices from the outside network, but it offers poor security and has little practical value.
IV. Configure dynamic NAT
1. Remove the two static mappings on R1
R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3
2. On R1, configure an ACL that matches all internal IP addresses
R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255
3. Configure the pool of legitimate public IP addresses
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248
4. Associate the ACL with the address pool
R1(config)#ip nat inside source list 1 pool abc
5. Test by pinging PC3 from PC1
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
6. Test by pinging PC3 from PC2
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
7. Check the translation table on R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:81 192.168.75.2:81 192.168.0.2:81 192.168.0.2:81
icmp 202.96.0.5:82 192.168.75.2:82 192.168.0.2:82 192.168.0.2:82
icmp 202.96.0.5:83 192.168.75.2:83 192.168.0.2:83 192.168.0.2:83
icmp 202.96.0.5:84 192.168.75.2:84 192.168.0.2:84 192.168.0.2:84
icmp 202.96.0.4:5 192.168.75.3:5 192.168.0.2:5 192.168.0.2:5
icmp 202.96.0.4:6 192.168.75.3:6 192.168.0.2:6 192.168.0.2:6
icmp 202.96.0.4:7 192.168.75.3:7 192.168.0.2:7 192.168.0.2:7
icmp 202.96.0.4:8 192.168.75.3:8 192.168.0.2:8 192.168.0.2:8
Summary
The mapping is random, and the maximum number of simultaneous mappings equals the number of legitimate public IP addresses configured in the pool, so this still does not meet everyday needs.
V. Port multiplexing (PAT)
1. Append the keyword overload to the command that associates the ACL with the address pool
R1(config)#ip nat inside source list 1 pool abc overload
2.在PC1、PC2上Ping PC3后,在路由器R1上查看
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:85 192.168.75.2:85 192.168.0.2:85 192.168.0.2:85
icmp 202.96.0.5:86 192.168.75.2:86 192.168.0.2:86 192.168.0.2:86
icmp 202.96.0.5:87 192.168.75.2:87 192.168.0.2:87 192.168.0.2:87
icmp 202.96.0.5:88 192.168.75.2:88 192.168.0.2:88 192.168.0.2:88
icmp 202.96.0.5:10 192.168.75.3:10 192.168.0.2:10 192.168.0.2:10
icmp 202.96.0.5:11 192.168.75.3:11 192.168.0.2:11 192.168.0.2:11
icmp 202.96.0.5:12 192.168.75.3:12 192.168.0.2:12 192.168.0.2:12
icmp 202.96.0.5:9 192.168.75.3:9 192.168.0.2:9 192.168.0.2:9
Summary
All internal computers accessing the Internet are mapped onto the same legitimate public IP address; the internal hosts share a single public IP to reach the Internet. This is the most practical technique.
Extended knowledge
1. Enterprises often need to map one port of a specific internal computer to the public network. How is this configured on a Cisco router?
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable    (maps port 80 to publish a web site)
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable    (maps port 3389 for Remote Desktop connections)
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable    (maps a custom port for publishing software)
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable    (maps port 22 for SSH remote access)
2. If we have only one public address and it is already assigned to R1's F1/0 interface, how can it be reused (overloaded)?
R1(config)#ip nat inside source list 10 interface f1/0 overload    // no address pool is configured on R1, because there is only one public address; the address of interface F1/0 itself is overloaded instead
or
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248
3. How do we work out how many NAT translation entries a router can hold?
Each NAT translation entry occupies about 160 bytes of memory, so the number of translations is limited by the router's memory.
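The three "sh ip nat translations" tables above look alike, yet they reflect static NAT, dynamic NAT and PAT respectively. The following Python script, an added example that is not part of the original lab, parses that output and reports which form each row reflects: static one-to-one rows (the "---" entries that exist without any session), static port forwards such as those under "Extended knowledge", and inside-global addresses shared by several inside hosts, which is the signature of overload (PAT). It also applies the lab's 160 bytes/entry figure. The sample table is constructed from the lab's own rows, and the layout of the tcp port-forward row is assumed.

```python
# Added example (not from the lab): classify 'show ip nat translations' rows by NAT type.
from collections import defaultdict

# Constructed sample assembled from the lab's own output rows: a static 1:1 mapping,
# two PAT rows sharing inside global 202.96.0.5, and a static tcp/80 port forward
# of the kind shown under "Extended knowledge" (that row's format is assumed).
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
--- 202.96.0.1 192.168.75.2 --- ---
icmp 202.96.0.5:85 192.168.75.2:85 192.168.0.2:85 192.168.0.2:85
icmp 202.96.0.5:10 192.168.75.3:10 192.168.0.2:10 192.168.0.2:10
tcp 202.96.0.2:80 192.168.75.2:80 --- ---
"""

def split_addr(field):
    """'202.96.0.5:85' -> ('202.96.0.5', 85); '---' -> (None, None)."""
    if field == '---':
        return None, None
    host, _, port = field.partition(':')
    return host, (int(port) if port else None)

def parse_translations(text):
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skips the 9-word header and blank lines
            continue
        proto, ig, il, ol, og = parts
        entries.append({'proto': None if proto == '---' else proto,
                        'ig': split_addr(ig), 'il': split_addr(il),
                        'ol': split_addr(ol), 'og': split_addr(og)})
    return entries

def audit(entries, bytes_per_entry=160):
    """Classify rows: static 1:1, static port maps, overloaded (PAT) globals."""
    static = [(e['il'][0], e['ig'][0]) for e in entries if e['proto'] is None]
    # A protocol row with no outside peer is a configured port forward: an inside
    # service reachable from outside whether or not a session is active.
    port_maps = [(e['proto'], e['ig'], e['il'])
                 for e in entries if e['proto'] and e['og'][0] is None]
    hosts_per_global = defaultdict(set)
    for e in entries:
        if e['proto'] and e['og'][0] is not None:    # live session rows only
            hosts_per_global[e['ig'][0]].add(e['il'][0])
    # Several inside hosts behind one inside-global address means overload (PAT).
    overloaded = sorted(g for g, h in hosts_per_global.items() if len(h) > 1)
    return {'static_one_to_one': static, 'static_port_maps': port_maps,
            'globals_in_use': sorted(hosts_per_global),
            'pat_overloaded_globals': overloaded,
            'estimated_memory_bytes': len(entries) * bytes_per_entry}
```

Run against the dynamic NAT table from section IV, where PC1 and PC2 receive 202.96.0.5 and 202.96.0.4 respectively, the overloaded list comes back empty; against the section V table both hosts share 202.96.0.5 and it is reported as overloaded.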