静态NAT 动态NAT和PAT

时间 2019-11-08

标签静态 nat 动态 pat 栏目网站开发繁體版

原文原文链接

NAT术语网络

ØInside local address(内部本地地址)：app

一个Inside网络中的设备，在Inside的IP地址，即内部主机的实际地址ide

ØInside global address(内部全局地址)：测试

一个Inside网络中的设备，在Outside的IP地址，即内部主机经NAT转换后去往外部的地址ui

ØOutside local address(外部本地地址)：spa

一个Outside网络中的设备，在Inside的IP地址，即外部主机由NAT设备转换后的地址debug

ØOutside global address(外部全局地址)：调试

一个Outside网络中的设备，在Outside的IP地址，即外部主机的真实地址 blog

1、拓扑图：接口

2、实验步骤：

1）参照拓扑完成各设备的基本配置，利用命令no ip routing 关闭PC1的路由功能，要求完成基本配置后，各直连设备能够互ping对方

R1(config)#int f0/0

R1(config-if)#ip ad

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#no shut

R1(config)#no ip rou

R1(config)#no ip routi

R1(config)#no ip routing

R1#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/225/1056 ms

R2(config)#int s1/1

R2(config-if)#ip ad

R2(config-if)#ip address 20.1.1.2 255.255.255.0

R2(config-if)#no shut

R2#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/45/68 ms

ISP(config)#int f0/0

ISP(config-if)#ip ad

ISP(config-if)#ip address 192.168.1.2 255.255.255.0

ISP(config-if)#no shut

ISP(config-if)#int s1/1

ISP(config-if)#ip ad

ISP(config-if)#ip address 20.1.1.1 255.255.255.0

ISP(config-if)#no shut

ISP(config-if)#^Z

ISP#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/36 ms

ISP#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/52 ms

2）使用静态NAT实现PC1能够正常访问R2

在没有作NAT以前咱们先来看一下PC1是否能够正常访问R2

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

显然是不能够的

咱们如今开始配置NAT

ISP(config)#ip nat inside source static 192.168.1.1 20.1.1.1

ISP(config)#int f0/0

ISP(config-if)#ip na

ISP(config-if)#ip nat i

ISP(config-if)#ip nat inside

ISP(config-if)#int s1/1

ISP(config-if)#ip na

ISP(config-if)#ip nat o

ISP(config-if)#ip nat outside

再来测试一下

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/242/1060 ms

显然配置了静态的NAT就能够了。

3）分别使用ping和debug ip nat命令进行测试和调试，并在ISP上使用命令show ip nat translations仔细观察NAT表

R1#debug ip nat

IP NAT debugging is on

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/84 ms

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

--- 20.1.1.1192.168.1.1------

4）在路由器ISP上建立10个地址的动态地址池（200.200.200.1/24-200.200.200.10/24）

ISP(config)#ip nat pool pool1 ?

A.B.C.DStart IP address

netmaskSpecify the network mask

prefix-lengthSpecify the prefix length

ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10pr

ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10prefix-length 24

5）删除前面配置的静态NAT，使用建立的动态地址池，用动态NAT实现PC1能够访问R2

ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10prefix-length 24

ISP(config)#no ip nat inside source static 192.168.1.1 20.1.1.1

ISP(config)#ac

ISP(config)#access-list 1 pe

ISP(config)#access-list 1 permit a

ISP(config)#access-list 1 permit any

ISP(config)#ip nat inside source list 1 pool p

ISP(config)#ip nat inside source list 1 pool pool1

如今咱们来测试一下

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

咱们发现仍是不能够ping通

为啥呢？根据提示咱们发现木有回包，发现缘由后，咱们如今在R2上配置一条默认路由

R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

配置好了再来测试一下

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms

哈哈，能够了。

6）分别使用ping和debug ip nat命令进行测试和调试，并使用命令show ip nat translations 仔细观察NAT表

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms

R1#

ISP#debug ip nat

IP NAT debugging is on

ISP#show ip na

ISP#show ip nat t

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

--- 200.200.200.1192.168.1.1------

ISP#

7）将PC1的IP 改成192.168.1.100 /24，再使用ping命令进行测试，经过命令show ip nat translations 查看NAT表，分析动态NAT有何不足之处？

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/240/1072 ms

R1#

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

--- 200.200.200.1192.168.1.1------

icmp 200.200.200.2:6192.168.1.100:620.1.1.2:620.1.1.2:6

--- 200.200.200.2192.168.1.100------

ISP#

从上面咱们能够看出动态的NAT并不能够节省IP地址

8）在路由器ISP上删除地址池，利用接口，使用PAT实现PC1访问R2

ISP(config)#no ip nat inside source list 1 pool pool1

Dynamic mapping in use, do you want to delete all entries? [no]: y

ISP(config)#ip na

ISP(config)#ip nat

ISP(config)#ip nat is

ISP(config)#ip nat i

ISP(config)#ip nat inside s

ISP(config)#ip nat inside source l

ISP(config)#ip nat inside source list 1 int s1/1

ISP(config)#ip nat inside source list 1 int s1/1 o

ISP(config)#ip nat inside source list 1 int s1/1 ov

ISP(config)#ip nat inside source list 1 int s1/1 overload

overload必定要打上，由于IP地址的转转是要靠序列号来区分是那台主机转化的

9) 分别使用ping、telnet和debug ip nat命令进行测试和调试，并使用命令 show ip nat translations 查看NAT表，观察有何变化。Success rate is 100 percent (5/5), round-trip min/avg/max = 20/240/1072 msR1#ping 20.1.1.2

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/80 ms

R1#te

R1#tel

R1#telnet 192.168.1.2

Trying 192.168.1.2 ... Open

Password required, but none set

[Connection to 192.168.1.2 closed by foreign host]

R1#

R1#de

R1#deb

R1#debug ip na

R1#debug ip nat

IP NAT debugging is on

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

icmp 20.1.1.1:8192.168.1.100:820.1.1.2:820.1.1.2:8

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

icmp 20.1.1.1:8192.168.1.100:820.1.1.2:820.1.1.2:8

ISP#

咱们会发现用PAT配置能够节省IP地址