绵阳梓潼网站制作公司

CISCO路由器网络地址转换(NAT)-创新互联

实验名称:思科路由器网络地址转换(NAT)

创新互联专注于企业营销型网站建设、网站重做改版、平遥网站定制设计、自适应品牌网站建设、H5高端网站建设成都做商城网站、集团公司官网建设、成都外贸网站制作、高端网站制作、响应式网页设计等建站业务,价格优惠性价比高,为平遥等各大城市提供网站开发制作服务。

实验目的:实现所有内网IP使用少量的公网IP连接Internet

实验介绍:

    借助NAT技术,内网私有地址向路由器发送数据包时,私有地址被转换成合法的公网IP地址,从而实现大量内网计算机通过少量公网IP地址和互联网通信的需求。NAT技术解决了IP地址枯竭问题,还提高了内网的安全性。

实验拓扑

CISCO路由器网络地址转换(NAT)

CISCO路由器网络地址转换(NAT)

实验配置步骤

一.设置计算机IP地址

1.PC1设置IP地址

CISCO路由器网络地址转换(NAT)CISCO路由器网络地址转换(NAT)

2.PC2设置IP地址

CISCO路由器网络地址转换(NAT)CISCO路由器网络地址转换(NAT)

3.PC3设置IP地址

CISCO路由器网络地址转换(NAT)CISCO路由器网络地址转换(NAT)

二.配置路由器

1.配置R1

  Router#conf t

  R1(config)#hostname R1

  R1(config)#int f0/0

  R1(config-if)#ip add 192.168.75.30 255.255.255.0

  R1(config-if)#ip nat inside

  R1(config-if)#no shutdown

  R1(config-if)#exi

  R1(config)#int f1/0

  R1(config-if)#ip add 202.96.0.1 255.255.255.248

  R1(config-if)#ip nat outside

  R1(config-if)#no shutdown

  R1(config-if)#exi

  R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0

2.配置R2

  R2#conf t

  R2(config)#hostname R2

  R2(config)#int f0/0

  R2(config-if)#ip add 192.168.0.1 255.255.255.0

  R2(config-if)#no shutdown

  R2(config-if)#exi

  R2(config)#int f1/0

  R2(config-if)#ip add 202.96.0.2 255.255.255.248

  R2(config-if)#no shutdown

  R2(config-if)#exi

三、配置静态NAT

1.在R1上将PC1 192.168.75.2 映射到202.96.0.1

    将PC2 192.168.75.3 映射到202.96.0.3

  R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1

  R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3

2.在PC1上ping PC3测试

   PC>ping 192.168.0.2

  Pinging 192.168.0.2 with 32 bytes of data:

  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

  Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms

3.在PC2上ping PC3测试

   PC>ping 192.168.0.2
  Pinging 192.168.0.2 with 32 bytes of data:

  Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
  Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

  Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

4.在路由器R1上查看

 R1#sh ip nat translations
 Pro Inside global    Inside local      Outside local     Outside global
 --- 202.96.0.1       192.168.75.2      ---               ---
 --- 202.96.0.3       192.168.75.3      ---               ---

 R1#sh ip nat translations
 Pro Inside global    Inside local      Outside local     Outside global
 icmp 202.96.0.1:73    192.168.75.2:73   192.168.0.2:73    192.168.0.2:73
 icmp 202.96.0.1:74    192.168.75.2:74   192.168.0.2:74    192.168.0.2:74
 icmp 202.96.0.1:75    192.168.75.2:75   192.168.0.2:75    192.168.0.2:75
 icmp 202.96.0.1:76    192.168.75.2:76   192.168.0.2:76    192.168.0.2:76
 icmp 202.96.0.3:45    192.168.75.3:45   192.168.0.2:45    192.168.0.2:45
 icmp 202.96.0.3:46    192.168.75.3:46   192.168.0.2:46    192.168.0.2:46
 icmp 202.96.0.3:47    192.168.75.3:47   192.168.0.2:47    192.168.0.2:47
 icmp 202.96.0.3:48    192.168.75.3:48   192.168.0.2:48    192.168.0.2:48
 --- 202.96.0.1       192.168.75.2      ---               ---
 --- 202.96.0.3       192.168.75.3      ---               ---

小结

内网计算机被一对一的映射成了公网IP地址,使用此方法可以实现从外网访问内网特定网络设备,但安全性差,实际使用价值不高

四、配置动态NAT

1.路由器R1上移除两条静态IP映射

 R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
 R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3

2.路由器R1上配置包含内网所有IP地址的ACL

  R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255

3.配置合法的IP地址池

  R1(config)#ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248

4.关联ACL和IP地址池

  R1(config)#ip nat inside source list 1 pool abc

5.在PC1上ping PC3测试

  PC>ping 192.168.0.2

 Pinging 192.168.0.2 with 32 bytes of data:

 Request timed out.
 Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
 Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
 Reply from 192.168.0.2: bytes=32 time=2ms TTL=126

 Ping statistics for 192.168.0.2:
   Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
 Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum = 2ms, Average = 0ms

6.在PC2上ping PC3测试

  PC>ping 192.168.0.2

 Pinging 192.168.0.2 with 32 bytes of data:

 Request timed out.
 Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
 Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
 Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

 Ping statistics for 192.168.0.2:
   Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
 Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum = 0ms, Average = 0ms

7.在路由器R1上查看

  R1#sh ip nat translations

  Pro Inside global    Inside local      Outside local     Outside global
  icmp 202.96.0.5:81    192.168.75.2:81   192.168.0.2:81    192.168.0.2:81
  icmp 202.96.0.5:82    192.168.75.2:82   192.168.0.2:82    192.168.0.2:82
  icmp 202.96.0.5:83    192.168.75.2:83   192.168.0.2:83    192.168.0.2:83
  icmp 202.96.0.5:84    192.168.75.2:84   192.168.0.2:84    192.168.0.2:84
  icmp 202.96.0.4:5     192.168.75.3:5    192.168.0.2:5     192.168.0.2:5
  icmp 202.96.0.4:6     192.168.75.3:6    192.168.0.2:6     192.168.0.2:6
  icmp 202.96.0.4:7     192.168.75.3:7    192.168.0.2:7     192.168.0.2:7
  icmp 202.96.0.4:8     192.168.75.3:8    192.168.0.2:8     192.168.0.2:8

小结

映射关系是随机的,大映射数为配置的合法公网IP地址有多少个,实际还是不能满足日常需要

五、端口多路复用PAT

1. 在关联ACL和IP地址池后面加上关键词 overload

  R1(config)#ip nat inside source list 1 pool abc overload

2.在PC1、PC2上Ping PC3后,在路由器R1上查看

  R1#sh ip nat translations

  Pro Inside global    Inside local      Outside local     Outside global
  icmp 202.96.0.5:85    192.168.75.2:85   192.168.0.2:85    192.168.0.2:85
  icmp 202.96.0.5:86    192.168.75.2:86   192.168.0.2:86    192.168.0.2:86
  icmp 202.96.0.5:87    192.168.75.2:87   192.168.0.2:87    192.168.0.2:87
  icmp 202.96.0.5:88    192.168.75.2:88   192.168.0.2:88    192.168.0.2:88
  icmp 202.96.0.5:10    192.168.75.3:10   192.168.0.2:10    192.168.0.2:10
  icmp 202.96.0.5:11    192.168.75.3:11   192.168.0.2:11    192.168.0.2:11
  icmp 202.96.0.5:12    192.168.75.3:12   192.168.0.2:12    192.168.0.2:12
  icmp 202.96.0.5:9     192.168.75.3:9    192.168.0.2:9     192.168.0.2:9

小结

内网计算机访问Internet 地址都映射成了同一个合法公网IP地址,内网计算机共用一个公网IP地址就能上互联网,最实用技术。

扩展知识

1.企业里常需要把特定内网计算机的某一端口映射到公网,在思科路由器上如何设置呢?

 ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable             映射80端口用于发布网站
 ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable           映射3389端口用于远程桌面连接

 ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable           映射特别端口用于软件发布

 ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable             映射22端口用于SSH远程连接

2.如果我们只有一个公网地址且已经分配给了R1的F1/0口,怎么反复利用或超载?

R1(config)#ip nat inside source list 10 interface f1/0 overload //在R1上不设置地址池,因为只有一个公网地址,而只对F1/0接口的地址超载

或者

R1(config)#ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248

3.怎么计算路由器NAT转换条目数?

一条NAT转换条目要占用160字节内存,因此NAT的转换数目受路由器的内存限制。

另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


分享文章:CISCO路由器网络地址转换(NAT)-创新互联
网页路径:http://myzitong.com/article/ccsids.html

其他资讯