Dynamic NAT, static NAT, NAT port mapping and PAT
(1) Static NAT
Translates one private address into one public address (one-to-one), as shown in the figure below: the private address 192.168.10.10 is translated to the public address 188.88.88.88.
R1(config-if)#ip nat inside    (marks this interface as the NAT inside side)
R1(config-if)#ip nat outside    (marks this interface as the NAT outside side)
R1(config)#ip nat inside source static 192.168.10.10 188.88.88.88    (configures the static NAT translation)
R1#clear ip nat translation *    (clears all dynamic NAT translation entries; static bindings are not cleared)
R1#show run | s nat    (shows the NAT configuration)
R1#show ip nat translations    (shows the NAT translation table)
(2) Dynamic NAT
Dynamic NAT also pairs one private address with one public address (one-to-one); the difference is that the public address is taken from a pool, and once every address in the pool is in use, further private addresses cannot reach the Internet. As shown in the figure below, the private address 192.168.20.10 is translated to the public address 188.88.88.1.
R1(config)#ip nat pool dtnat 188.88.88.1 188.88.88.8 netmask 255.255.0.0    (creates the public address pool: its name and address range)
R1(config)#ip access-list extended dtnat    (creates the ACL)
R1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 any    (only the 192.168.20.0/24 range may take addresses from the pool)
R1(config)#ip nat inside source list dtnat pool dtnat    (binds the ACL to the NAT pool)
(3) NAT port mapping
When the outside network needs to reach a server on the inside, this can be done by mapping a port on the outside interface. A static port mapping keeps the inside service reachable from the outside at all times, independent of any outbound session.
1. Port mapping to a non-standard port (a port other than 23)
R1(config)#ip nat inside source static tcp 192.168.10.1 23 202.106.1.1 2321
R2#telnet 202.106.1.1 2321    (the port number must be given when telnetting)
2. Port mapping to the egress router's own interface port
R1(config)#ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 23
R2#telnet 202.106.1.1    (telnet directly, no port number needed)
(4) PAT
Many private addresses are translated to one public address.
1. Overloading the router's outside interface address (egress router interface)
R1(config)#ip nat inside source list jkpat interface FastEthernet0/0 overload    (references the ACL and overloads the router's outside interface address)
R1(config)#ip access-list extended jkpat    (creates the ACL)
R1(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 any    (only the 192.168.30.0/24 range is translated)
2. Overloading an outside global address (i.e. a public pool address)
R1(config)#ip access-list extended wbpat    (creates the ACL)
R1(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 any    (only the 192.168.40.0/24 range is translated)
R1(config)#ip nat pool wbpat 188.88.188.188 188.88.188.188 netmask 255.255.255.0    (creates a pool whose start and end addresses are the same)
R1(config)#ip nat inside source list wbpat pool wbpat overload    (binds the ACL to the pool with overload)
Example:
Sw1 configuration
!
enable secret 5 $1$JaRM$fGHpEp7K86hWT2tlu8rGN1
enable password 123
!
interface FastEthernet1/1
switchport access vlan 10
!
interface FastEthernet1/2
switchport access vlan 20
!
interface FastEthernet1/3
switchport access vlan 30
!
interface FastEthernet1/4
switchport access vlan 40
!
interface FastEthernet1/15
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
!
line vty 0 4
password 123
login
!
M1 configuration
!
enable secret 5 $1$It7v$xsKp.1aAthQFXIsMkC8CY.
!
interface FastEthernet1/0
no switchport
ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet1/15
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.100.2
!
line vty 0 4
password 123
login
!
R1 configuration
!
interface FastEthernet0/0
ip address 202.106.1.1 255.255.255.252
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.100.2 255.255.255.0
ip nat inside
!
!
ip route 0.0.0.0 0.0.0.0 202.106.1.2
ip route 192.168.1.0 255.255.255.0 192.168.100.1
ip route 192.168.10.0 255.255.255.0 192.168.100.1
ip route 192.168.20.0 255.255.255.0 192.168.100.1
ip route 192.168.30.0 255.255.255.0 192.168.100.1
ip route 192.168.40.0 255.255.255.0 192.168.100.1
!
ip nat pool dtnat 188.88.88.1 188.88.88.8 netmask 255.255.0.0
ip nat pool wbpat 188.88.188.188 188.88.188.188 netmask 255.255.255.0
ip nat inside source list dtnat pool dtnat
ip nat inside source list jkpat interface FastEthernet0/0 overload
ip nat inside source list wbpat pool wbpat overload
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 23
ip nat inside source static 192.168.10.10 188.88.88.88
ip nat inside source static tcp 192.168.10.1 23 202.106.1.1 2321 extendable
!
ip access-list extended dtnat
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended jkpat
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended wbpat
permit ip 192.168.40.0 0.0.0.255 any
!
R2 configuration
!
interface FastEthernet0/0
ip address 202.106.1.2 255.255.255.252
!
ip route 188.88.0.0 255.255.0.0 202.106.1.1
!
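As an added example (not code from the page or from Cisco), the following Python models the translation table R1 builds from the configuration above, with the page's own addresses and ports: static NAT answers for 192.168.10.10 without any table entry, the eight-address dtnat pool refuses a ninth 192.168.20.0/24 host, PAT multiplexes 192.168.30.0/24 and 192.168.40.0/24 hosts onto one address by port, and only the two static port mappings admit unsolicited inbound traffic. The port-allocation rule (keep the source port, else the next free one) is an assumption that simplifies what IOS actually does.

```python
# Added example (not code from the page or from Cisco): a model of the translation
# table R1 builds from the configuration above, using the page's addresses and ports.
from ipaddress import ip_address, ip_network
STATIC = {"192.168.10.10": "188.88.88.88"}                  # one-to-one, permanent
DYN = (ip_network("192.168.20.0/24"), [f"188.88.88.{i}" for i in range(1, 9)])  # dtnat
PAT = [(ip_network("192.168.30.0/24"), "202.106.1.1"),      # jkpat: interface address
       (ip_network("192.168.40.0/24"), "188.88.188.188")]   # wbpat: one-address pool
PORT_MAPS = {("202.106.1.1", 2321): ("192.168.10.1", 23),   # static tcp port mappings
             ("202.106.1.1", 23): ("192.168.1.2", 23)}

class NatTable:
    def __init__(self):
        self.dyn = {}   # inside local ip -> pool address
        self.pat = {}   # (local ip, local port) -> (global ip, global port)
        self.rev = {}   # (global ip, global port) -> (local ip, local port)

    def outbound(self, src_ip, src_port):
        """Return the translated (ip, port) for an inside->outside packet, or None."""
        ip = ip_address(src_ip)
        if src_ip in STATIC:                      # static NAT needs no table entry
            return STATIC[src_ip], src_port
        if ip in DYN[0]:                          # dynamic NAT: one pool address per host
            if src_ip not in self.dyn:
                free = [a for a in DYN[1] if a not in self.dyn.values()]
                if not free:
                    return None                   # pool exhausted: the host cannot get out
                self.dyn[src_ip] = free[0]
            return self.dyn[src_ip], src_port
        for inside, gaddr in PAT:                 # PAT: many hosts share one address
            if ip in inside:
                if (src_ip, src_port) not in self.pat:
                    gport = src_port              # keep the source port if it is free
                    while (gaddr, gport) in self.rev:
                        gport += 1                # assumption: next free port, no wrap-around
                    self.pat[(src_ip, src_port)] = (gaddr, gport)
                    self.rev[(gaddr, gport)] = (src_ip, src_port)
                return self.pat[(src_ip, src_port)]
        return None                               # no rule matches: left untranslated

    def inbound(self, dst_ip, dst_port):
        """Map an outside->inside packet back; unsolicited traffic gets None."""
        if (dst_ip, dst_port) in PORT_MAPS:       # port mapping: reachable at all times
            return PORT_MAPS[(dst_ip, dst_port)]
        if (dst_ip, dst_port) in self.rev:        # reply to an existing PAT entry
            return self.rev[(dst_ip, dst_port)]
        for local, gaddr in {**STATIC, **self.dyn}.items():
            if gaddr == dst_ip:                   # one-to-one entries pass every port
                return local, dst_port
        return None
```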