靜態NAT 動態NAT和PAT

NAT術語

ØInside local address(內部本地地址)：

一個Inside網絡中的設備，在Inside的IP地址，即內部主機的實際地址

ØInside global address(內部全局地址)：

一個Inside網絡中的設備，在Outside的IP地址，即內部主機經NAT轉換後去往外部的地址

ØOutside local address(外部本地地址)：

一個Outside網絡中的設備，在Inside的IP地址，即外部主機由NAT設備轉換後的地址

ØOutside global address(外部全局地址)：

一個Outside網絡中的設備，在Outside的IP地址，即外部主機的真實地址

1、拓撲圖：

2、實驗步驟：

1）參照拓撲完成各設備的基本配置，利用命令no ip routing 關閉PC1的路由功能，要求完成基本配置後，各直連設備能夠互ping對方

R1(config)#int f0/0

R1(config-if)#ip ad

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#no shut

R1(config)#no ip rou

R1(config)#no ip routi

R1(config)#no ip routing

R1#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/225/1056 ms

R2(config)#int s1/1

R2(config-if)#ip ad

R2(config-if)#ip address 20.1.1.2 255.255.255.0

R2(config-if)#no shut

R2#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/45/68 ms

ISP(config)#int f0/0

ISP(config-if)#ip ad

ISP(config-if)#ip address 192.168.1.2 255.255.255.0

ISP(config-if)#no shut

ISP(config-if)#int s1/1

ISP(config-if)#ip ad

ISP(config-if)#ip address 20.1.1.1 255.255.255.0

ISP(config-if)#no shut

ISP(config-if)#^Z

ISP#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/36 ms

ISP#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/52 ms

2）使用靜態NAT實現PC1能夠正常訪問R2

在沒有作NAT以前咱們先來看一下PC1是否能夠正常訪問R2

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

顯然是不能夠的

咱們如今開始配置NAT

ISP(config)#ip nat inside source static 192.168.1.1 20.1.1.1

ISP(config)#int f0/0

ISP(config-if)#ip na

ISP(config-if)#ip nat i

ISP(config-if)#ip nat inside

ISP(config-if)#int s1/1

ISP(config-if)#ip na

ISP(config-if)#ip nat o

ISP(config-if)#ip nat outside

再來測試一下

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/242/1060 ms

顯然配置了靜態的NAT就能夠了。

3）分別使用ping和debug ip nat命令進行測試和調試，並在ISP上使用命令show ip nat translations仔細觀察NAT表

R1#debug ip nat

IP NAT debugging is on

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/84 ms

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

--- 20.1.1.1192.168.1.1------

4）在路由器ISP上建立10個地址的動態地址池（200.200.200.1/24-200.200.200.10/24）

ISP(config)#ip nat pool pool1 ?

A.B.C.DStart IP address

netmaskSpecify the network mask

prefix-lengthSpecify the prefix length

ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10pr

ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10prefix-length 24

5）刪除前面配置的靜態NAT，使用建立的動態地址池，用動態NAT實現PC1能夠訪問R2

ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10prefix-length 24

ISP(config)#no ip nat inside source static 192.168.1.1 20.1.1.1

ISP(config)#ac

ISP(config)#access-list 1 pe

ISP(config)#access-list 1 permit a

ISP(config)#access-list 1 permit any

ISP(config)#ip nat inside source list 1 pool p

ISP(config)#ip nat inside source list 1 pool pool1

如今咱們來測試一下

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

咱們發現仍是不能夠ping通

爲啥呢？根據提示咱們發現木有回包，發現緣由後，咱們如今在R2上配置一條默認路由

R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

配置好了再來測試一下

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms

哈哈，能夠了。

6）分別使用ping和debug ip nat命令進行測試和調試，並使用命令show ip nat translations 仔細觀察NAT表

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms

R1#

ISP#debug ip nat

IP NAT debugging is on

ISP#show ip na

ISP#show ip nat t

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

--- 200.200.200.1192.168.1.1------

ISP#

7）將PC1的IP 改成192.168.1.100 /24，再使用ping命令進行測試，經過命令show ip nat translations 查看NAT表，分析動態NAT有何不足之處？

R1#ping 20.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/240/1072 ms

R1#

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

--- 200.200.200.1192.168.1.1------

icmp 200.200.200.2:6192.168.1.100:620.1.1.2:620.1.1.2:6

--- 200.200.200.2192.168.1.100------

ISP#

從上面咱們能夠看出動態的NAT並不能夠節省IP地址

8）在路由器ISP上刪除地址池，利用接口，使用PAT實現PC1訪問R2

ISP(config)#no ip nat inside source list 1 pool pool1

Dynamic mapping in use, do you want to delete all entries? [no]: y

ISP(config)#ip na

ISP(config)#ip nat

ISP(config)#ip nat is

ISP(config)#ip nat i

ISP(config)#ip nat inside s

ISP(config)#ip nat inside source l

ISP(config)#ip nat inside source list 1 int s1/1

ISP(config)#ip nat inside source list 1 int s1/1 o

ISP(config)#ip nat inside source list 1 int s1/1 ov

ISP(config)#ip nat inside source list 1 int s1/1 overload

overload必定要打上，由於IP地址的轉轉是要靠序列號來區分是那臺主機轉化的

9) 分別使用ping、telnet和debug ip nat命令進行測試和調試，並使用命令         show ip nat translations 查看NAT表，觀察有何變化。Success rate is 100 percent (5/5), round-trip min/avg/max = 20/240/1072 msR1#ping 20.1.1.2

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/80 ms

R1#te

R1#tel

R1#telnet 192.168.1.2

Trying 192.168.1.2 ... Open

Password required, but none set

[Connection to 192.168.1.2 closed by foreign host]

R1#

R1#de

R1#deb

R1#debug ip na

R1#debug ip nat

IP NAT debugging is on

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

icmp 20.1.1.1:8192.168.1.100:820.1.1.2:820.1.1.2:8

ISP#show ip nat translations

Pro Inside globalInside localOutside localOutside global

icmp 20.1.1.1:8192.168.1.100:820.1.1.2:820.1.1.2:8

ISP#

咱們會發現用PAT配置能夠節省IP地址