
Static NAT, Dynamic NAT and PAT

2013-05-26 21:37
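NAT terminology

- Inside local address: the IP address that a device in the inside network has on the inside, i.e. the real address of the inside host.
- Inside global address: the IP address that a device in the inside network has on the outside, i.e. the address the inside host uses toward the outside after NAT translation.
- Outside local address: the IP address that a device in the outside network has on the inside, i.e. the address of the outside host after translation by the NAT device.
- Outside global address: the IP address that a device in the outside network has on the outside, i.e. the real address of the outside host.

1. Topology diagram: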

2. Lab steps:

1) Complete the basic configuration of each device according to the topology, and use the command no ip routing to turn off routing on PC1 (the router with the R1 prompt below). Once the basic configuration is done, every pair of directly connected devices must be able to ping each other.

    R1(config)#int f0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#no shut
    R1(config)#no ip routing
    R1#ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/225/1056 ms

    R2(config)#int s1/1
    R2(config-if)#ip address 20.1.1.2 255.255.255.0
    R2(config-if)#no shut
    R2#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 36/45/68 ms

    ISP(config)#int f0/0
    ISP(config-if)#ip address 192.168.1.2 255.255.255.0
    ISP(config-if)#no shut
    ISP(config-if)#int s1/1
    ISP(config-if)#ip address 20.1.1.1 255.255.255.0
    ISP(config-if)#no shut
    ISP(config-if)#^Z
    ISP#ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/36 ms
    ISP#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/52 ms

2) Use static NAT so that PC1 can reach R2.

Before configuring NAT, first check whether PC1 can reach R2:

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

It clearly cannot. Now configure NAT:

    ISP(config)#ip nat inside source static 192.168.1.1 20.1.1.1
    ISP(config)#int f0/0
    ISP(config-if)#ip nat inside
    ISP(config-if)#int s1/1
    ISP(config-if)#ip nat outside

Test again:

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/242/1060 ms

With static NAT configured, the ping now succeeds.

3) Test and debug with ping and debug ip nat, and on ISP use show ip nat translations to examine the NAT table closely.

    R1#debug ip nat
    IP NAT debugging is on
    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/84 ms

    ISP#show ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    ---  20.1.1.1           192.168.1.1        ---                ---

4) On router ISP, create a dynamic address pool of 10 addresses (200.200.200.1/24-200.200.200.10/24).

    ISP(config)#ip nat pool pool1 ?
      A.B.C.D        Start IP address
      netmask        Specify the network mask
      prefix-length  Specify the prefix length
    ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10 prefix-length 24

5) Delete the static NAT configured earlier and, using the pool just created, use dynamic NAT so that PC1 can reach R2.

    ISP(config)#ip nat pool pool1 200.200.200.1 200.200.200.10 prefix-length 24
    ISP(config)#no ip nat inside source static 192.168.1.1 20.1.1.1
    ISP(config)#access-list 1 permit any
    ISP(config)#ip nat inside source list 1 pool pool1

Now test:

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

The ping still fails. Why? The output shows that no reply packets come back: R2 has no route to the translated source addresses in 200.200.200.0/24, so it cannot return the echo replies. With the cause identified, configure a default route on R2:

    R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

After that, test again:

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms

Haha, now it works.

6) Test and debug with ping and debug ip nat, and use show ip nat translations to examine the NAT table closely.

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/76 ms
    R1#

    ISP#debug ip nat
    IP NAT debugging is on
    ISP#show ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    ---  200.200.200.1      192.168.1.1        ---                ---
    ISP#

7) Change PC1's IP address to 192.168.1.100/24, test again with ping, view the NAT table with show ip nat translations, and analyse: what is the shortcoming of dynamic NAT?

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/240/1072 ms
    R1#

    ISP#show ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    ---  200.200.200.1      192.168.1.1        ---                ---
    icmp 200.200.200.2:6    192.168.1.100:6    20.1.1.2:6         20.1.1.2:6
    ---  200.200.200.2      192.168.1.100      ---                ---
    ISP#

From the table above we can see that dynamic NAT does not save IP addresses: each inside address (192.168.1.1 and 192.168.1.100) holds its own pool address.

8) On router ISP, delete the address pool and use PAT on the interface so that PC1 can reach R2.

    ISP(config)#no ip nat inside source list 1 pool pool1
    Dynamic mapping in use, do you want to delete all entries? [no]: y
    ISP(config)#ip nat inside source list 1 int s1/1 overload

The overload keyword is mandatory, because with a single shared address the translation relies on the number after the colon in the NAT table (the port number) to tell which host a translation belongs to.

9) Test and debug with ping, telnet and debug ip nat, and use show ip nat translations to view the NAT table and observe what has changed.

    R1#ping 20.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/80 ms
    R1#telnet 192.168.1.2
    Trying 192.168.1.2 ... Open
    Password required, but none set
    [Connection to 192.168.1.2 closed by foreign host]
    R1#
    R1#debug ip nat
    IP NAT debugging is on

    ISP#show ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 20.1.1.1:8         192.168.1.100:8    20.1.1.2:8         20.1.1.2:8
    ISP#show ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 20.1.1.1:8         192.168.1.100:8    20.1.1.2:8         20.1.1.2:8
    ISP#

We can see that the PAT configuration saves IP addresses.
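An added example, not part of the original post: a simplified Python model of the behaviour observed in steps 7 to 9, contrasting the 10-address pool with PAT on 20.1.1.1. The class names, the eleven constructed 192.168.1.100-110 hosts and the port-selection rule (keep the original port if free, otherwise take the next unused one) are assumptions for illustration, not IOS internals.

```python
import ipaddress

class DynamicNat:
    """One-to-one dynamic NAT: each inside host holds a whole pool address."""
    def __init__(self, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.table = {}                      # inside local -> inside global

    def translate(self, inside_ip):
        """Return the inside global address, or None once the pool is used up."""
        if inside_ip not in self.table and self.free:
            self.table[inside_ip] = self.free.pop(0)
        return self.table.get(inside_ip)

class Pat:
    """Overload: all inside hosts share one address, told apart by port/ICMP id."""
    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.out = {}                        # (proto, inside ip, port) -> global port
        self.back = {}                       # (proto, global port) -> (inside ip, port)

    def translate(self, proto, inside_ip, port):
        key = (proto, inside_ip, port)
        if key not in self.out:
            gport = port                     # keep the original port when it is free
            while (proto, gport) in self.back:
                gport = gport % 65535 + 1    # assumed rule: try the next port number
            self.out[key] = gport
            self.back[(proto, gport)] = (inside_ip, port)
        return self.global_ip, self.out[key]

    def reverse(self, proto, global_port):
        """Map a reply packet (or a log entry) back to the inside host."""
        return self.back.get((proto, global_port))

def demo():
    # Constructed input: 11 inside hosts, one more than the pool from step 4.
    hosts = [f"192.168.1.{n}" for n in range(100, 111)]
    dyn = DynamicNat("200.200.200.1", "200.200.200.10")
    served = sum(dyn.translate(h) is not None for h in hosts)
    pat = Pat("20.1.1.1")
    mapped = [pat.translate("icmp", h, 8) for h in hosts]   # every host uses id 8
    return served, mapped, pat

if __name__ == "__main__":
    served, mapped, pat = demo()
    print("dynamic NAT served", served, "of 11 hosts")
    print("PAT entry 20.1.1.1:9 belongs to", pat.reverse("icmp", 9))
```

Because every host leaves as 20.1.1.1 under PAT, attributing traffic seen on the outside to an inside host needs the port (or ICMP id) together with the translation entry, which is what reverse() models.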

This article comes from the “活着就是为了改变世界” blog; please be sure to keep this source link: http://caijingjie.blog.51cto.com/5341985/1210654