动、静态NAT及NAT端口映射和PAT转换
(一)静态NAT
将一个私有地址,转换成一个共有地址,(一对一的),如下图:及将私有地址 192.168.10.10 转换成公有地址188.88.88.88
R1(config-if)#ip nat inside 将nat运用在接口inside方向
R1(config-if)#ip nat outside 将nat运用在接口outside方向
R1(config)#ip nat inside source static 192.168.10.0 188.88.88.88 配置静态nat转换
R1#clear ip nat translation * 清除所有nat转换条目,静态绑定的不会清除
R1#show run | s nat 查看nat配置信息
R1#show ip nat translations 查看nat转换条目
(二) 动态NAT
动态pat也是将一个私有地址“配对”一个公有地址(一对一),不同的是,需要到公有池拿地址,当公有池地址拿尽,私有地址将无法上网,如下图:及将私有地址 192.168.20.10 转换成公有地址188.88.88.1
R1(config)#ip nat pool dtnat 188.88.88.1 188.88.88.8 netmask 255.255.0.0 创建公有地址池名,及地址池段
R1(config)#ip access-list extended dtnat 创建acl列表
R1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 any 只允许192.168.20段拿地址
R1(config)#ip nat inside source list dtnat pool dtnat 将acl运用在nat地址池
(三)NAT端口映射
外网需要访问内网服务,可通过端口映射外网口实现
1.通过nat端口映射(非23端口)
2.R1(config)#ip nat inside source static tcp 192.168.1.1 23 202.106.1.1 2323
R2#telnet 202.106.1.1 2321 telnet时需加端口号
2通过nat端口映射(出口路由端口)
R1(config)#ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 23
R2#telnet 202.106.1.1 直接telnet,无需加端口号
(四)PAT
多个私有地址对一个公有地址
1.复用路由器外部接口地址(出口路由端口)
m1(config)#ip nat inside source list jkpat interface fastEthernet 0/0 overload 调用acl列表,并复用路由器外部接口地址
R1(config)#ip access-list extended jkpat 创建acl列表
R1(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 any 只允许192.168.30段拿地址
2.复用外部全局地址上公网(即:公网池地址)
R1(config)#ip access-list extended wbpat 创建acl
R1(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 any 只允许192.168.40段拿地址
R1(config)#ip nat pool wbpat 188.88.188.188 188.88.188.188 netmask 255.255.255.0 创建地址池,但起始地址和结束地址一样
R1(config)#ip nat inside source list wbpat pool wbpat overload 将acl运用于地址池
例:
Sw1配置
!
enable secret 5 $1$JaRM$fGHpEp7K86hWT2tlu8rGN1
enable password 123
!
interface FastEthernet1/1
switchport access vlan 10
!
interface FastEthernet1/2
switchport access vlan 20
!
interface FastEthernet1/3
switchport access vlan 30
!
interface FastEthernet1/4
switchport access vlan 40
!
interface FastEthernet1/15
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
!
line vty 0 4
password 123
login
!
M1配置
!
enable secret 5 $1$It7v$xsKp.1aAthQFXIsMkC8CY.
!
interface FastEthernet1/0
no switchport
ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet1/15
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.100.2
!
line vty 0 4
password 123
login
!
R1配置
!
interface FastEthernet0/0
ip address 202.106.1.1 255.255.255.252
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.100.2 255.255.255.0
ip nat inside
!
!
ip route 0.0.0.0 0.0.0.0 202.106.1.2
ip route 192.168.1.0 255.255.255.0 192.168.100.1
ip route 192.168.10.0 255.255.255.0 192.168.100.1
ip route 192.168.20.0 255.255.255.0 192.168.100.1
ip route 192.168.30.0 255.255.255.0 192.168.100.1
ip route 192.168.40.0 255.255.255.0 192.168.100.1
!
ip nat pool dtnat 188.88.88.1 188.88.88.8 netmask 255.255.0.0
ip nat pool wbpat 188.88.188.188 188.88.188.188 netmask 255.255.255.0
ip nat inside source list dtnat pool dtnat
ip nat inside source list jkpat interface FastEthernet0/0 overload
ip nat inside source list wbpat pool wbpat overload
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 23
ip nat inside source static 192.168.10.10 188.88.88.88
ip nat inside source static tcp 192.168.10.1 23 202.106.1.1 2321 extendable
!
ip access-list extended dtnat
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended jkpat
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended wbpat
permit ip 192.168.40.0 0.0.0.255 any
!
R2配置
!
interface FastEthernet0/0
ip address 202.106.1.2 255.255.255.252
!
ip route 188.88.0.0 255.255.0.0 202.106.1.1
!
本文转自东方之子736651CTO博客,原文链接:http://blog.51cto.com/ecloud/1364305 ,如需转载请自行联系原作者
