NAT (Network Address Translation)
Why NAT was introduced
- IPv4 addresses are scarce
- It provides some protection for the internal network (hosts are not directly reachable from outside)
Types of NAT
- Static NAT (fixed IP address) [use case: exposing one specific internal service so it can be reached from the public network]
- One-to-one translation, fixed mapping between an inside and an outside address (especially for servers, whose address must not be reused by anyone else)
- Port mapping
- Drawbacks: a lot of configuration, and many public addresses are required
// The figure above is the full network topology (image not included here)
Traffic sent to 23.1.1.10 is forwarded to 192.168.1.1
// Test connectivity before configuring NAT
[R3]ping 23.1.1.10
PING 23.1.1.10: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 23.1.1.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
// global is the public address, inside is the private address
[R2]nat static global 23.1.1.10 inside 192.168.1.1
// Enable static NAT on the interface facing the public network
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]nat static enable
Check the static NAT configuration
[R2]dis nat static
Static Nat Information:
Global Nat Static
Global IP/Port : 23.1.1.10/----
Inside IP/Port : 192.168.1.1/----
Protocol : ----
VPN instance-name : ----
Acl number : ----
Netmask : 255.255.255.255
Description : ----
Total : 1
[R3]ping 23.1.1.10
PING 23.1.1.10: 56 data bytes, press CTRL_C to break
Reply from 23.1.1.10: bytes=56 Sequence=1 ttl=254 time=20 ms
Reply from 23.1.1.10: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 23.1.1.10: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 23.1.1.10: bytes=56 Sequence=4 ttl=254 time=30 ms
--- 23.1.1.10 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/27/30 ms
Mapping only the Telnet port
// Here a single port can be mapped instead of the whole address
[R2]nat static protocol tcp global 23.1.1.10 23 inside 192.168.1.1 6553
// Enable it on the outbound interface
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]nat static enable
<R3>telnet 192.168.1.1
Press CTRL_] to quit telnet mode
Trying 192.168.1.1 ...
Connected to 192.168.1.1 ...
Login authentication
Username:kk
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 10.1.12.1
Time : 2020-12-22 14:46:08-08:00
-----------------------------------------------------------------------------
<R1>
- Dynamic NAT (still one private IP to one public IP, but the public IP is allocated from a pool on demand)
- Uses a pool of public IP addresses; benefit: less configuration
- Drawback: high cost (many public addresses)
- Configuration steps
- An ACL to match the interesting traffic
- An address pool
- Apply it on the interface
// Configure secondary (sub) addresses on R1's loopback to simulate several internal hosts
[R1]int l 0
[R1-LoopBack0]ip add 192.168.1.2 32 sub
[R1-LoopBack0]ip add 192.168.1.3 32 sub
[R1-LoopBack0]ip add 192.168.1.4 32 sub
[R1-LoopBack0]ip add 192.168.1.5 32 sub
// Default route on R2 pointing to R3
[R2]ip route-static 0.0.0.0 0 23.1.1.3
// Default route on R1 pointing to R2
[R1]ip route-static 0.0.0.0 0 10.1.12.2
// Configure interface loopback 114 on R3 as the "Internet" destination
[R3-LoopBack114]dis this
[V200R003C00]
#
interface LoopBack114
ip address 114.114.114.114 255.255.255.255
#
return
// Test from R1 using one of the secondary addresses as the source (fails without NAT)
[R1]ping -a 192.168.1.2 114.114.114.114
PING 114.114.114.114: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 114.114.114.114 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
1. Match the traffic with an ACL for access control
[R2]acl 2000
[R2-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[R2-acl-basic-2000]rule 20 deny
[R2-acl-basic-2000]dis this
[V200R003C00]
#
acl number 2000
rule 10 permit source 192.168.1.0 0.0.0.255
rule 20 deny
#
return
2. Configure the address pool [the number of public addresses in the pool must match the number of internal IPs that need translation; otherwise some internal addresses get no public address and have to wait for one to be released]
// Configure 5 consecutive addresses, one for each of the 5 addresses on LoopBack0
[R2]nat address-group 1 23.1.1.11 23.1.1.15
3. Apply it on the interface [NAT must be configured on the outbound interface]
[R2]int g0/0/1
// 2000 is the basic ACL number; no-pat means no port translation, so the transport layer is left untouched
[R2-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
4. Test
[R1]ping -a 192.168.1.2 114.114.114.114
PING 114.114.114.114: 56 data bytes, press CTRL_C to break
Reply from 114.114.114.114: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 114.114.114.114: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 114.114.114.114: bytes=56 Sequence=3 ttl=254 time=30 ms
--- 114.114.114.114 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/43/60 ms
Check the corresponding entries in the NAT session table
[R2]dis nat session all
NAT Session Table Information:
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.3
DestAddr Vpn : 114.114.114.114
Type Code IcmpId : 0 8 44018
NAT-Info
New SrcAddr : 23.1.1.11
New DestAddr : ----
New IcmpId : ----
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.4
DestAddr Vpn : 114.114.114.114
Type Code IcmpId : 0 8 44019
NAT-Info
New SrcAddr : 23.1.1.12
New DestAddr : ----
New IcmpId : ----
Protocol : ICMP(1)
SrcAddr Vpn : 192.168.1.5
DestAddr Vpn : 114.114.114.114
Type Code IcmpId : 0 8 44020
- Port NAT (PAT) [the most commonly used form of NAT]
- Port NAT uses a single public address and maps different port numbers to different internal addresses; by default ports are allocated starting from 1 and counting upward
- One public address, using different port numbers of that single IP address, corresponds to N private IP addresses
- Mapping relationship
- Public IP: 123.1.1.1
- PC1: 123.1.1.1:1000
- PC2: 123.1.1.1:1001
1. ACL to match the interesting traffic
acl 2000
rule 10 permit source 192.168.1.0 0.0.0.255
rule 20 deny
2. Enable it on the outbound interface
int g0/0/1
nat outbound 2000
The IP address configured on that interface is used as the NAT address
Command to view the NAT table
dis nat session all verbose
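To make the three translation modes in these notes concrete (static 1:1, a dynamic pool without PAT and its exhaustion problem, and port NAT with one public address shared by N hosts), here is a small model of a NAT session table. It is an added example, not the router's code or the page's lab; the addresses, the PAT starting port 1000 and the fall-through from an exhausted pool to PAT are constructed assumptions for illustration.

```python
# Added example: a minimal model of a NAT session table covering
# static NAT, dynamic no-pat NAT (pool) and port NAT (PAT).
# All addresses are constructed sample values, not the lab topology above.
from dataclasses import dataclass, field

@dataclass
class Nat:
    static: dict = field(default_factory=dict)  # inside ip -> global ip (1:1)
    pool: list = field(default_factory=list)    # free public addresses (no-pat)
    pat_ip: str = ""                            # single public IP used for PAT
    next_port: int = 1000                       # next PAT port (assumed start)
    dyn: dict = field(default_factory=dict)     # inside ip -> leased pool ip
    pat: dict = field(default_factory=dict)     # (inside ip, port) -> public port

    def outbound(self, src_ip, src_port):
        """Translate a private (ip, port) leaving the outbound interface.
        Returns (global_ip, global_port), or None when no mapping is possible."""
        if src_ip in self.static:                 # static NAT: fixed 1:1, port kept
            return self.static[src_ip], src_port
        if self.pool or src_ip in self.dyn:       # dynamic no-pat: lease one pool address
            if src_ip not in self.dyn:
                self.dyn[src_ip] = self.pool.pop(0)
            return self.dyn[src_ip], src_port
        if self.pat_ip:                           # PAT: one public IP, distinct ports
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = self.next_port
                self.next_port += 1
            return self.pat_ip, self.pat[key]
        return None                               # pool exhausted and no PAT configured

    def inbound(self, dst_ip, dst_port):
        """Reverse-translate a packet arriving on the public side.
        Only traffic matching an existing mapping reaches an internal host;
        anything else returns None and would be dropped by the router."""
        for ins, glob in self.static.items():
            if glob == dst_ip:
                return ins, dst_port
        for ins, glob in self.dyn.items():
            if glob == dst_ip:
                return ins, dst_port
        if dst_ip == self.pat_ip:
            for (ins, port), pub in self.pat.items():
                if pub == dst_port:
                    return ins, port
        return None

if __name__ == "__main__":
    nat = Nat(static={"192.168.1.1": "23.1.1.10"}, pool=["23.1.1.11"], pat_ip="23.1.1.20")
    print(nat.outbound("192.168.1.1", 23))      # static: ('23.1.1.10', 23)
    print(nat.outbound("192.168.1.2", 5000))    # pool:   ('23.1.1.11', 5000)
    print(nat.outbound("192.168.1.3", 5000))    # PAT:    ('23.1.1.20', 1000)
```

The `inbound` path shows where the "some internal security" benefit comes from: a public-side packet that matches no static entry and no active session has nowhere to go.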