The cascaded multi-level NAT topology is as follows (the diagram itself is not reproduced; reading it off the debug output below: PC3 at 192.168.100.2 sits behind Router4, whose outside address is 192.168.200.20; Router4 sits behind Router6, outside address 192.168.1.10; Router6 sits behind Router2, outside address 188.188.90.18 with next hop 188.188.90.17; the ping target is 188.188.90.34):
Multi-level NAT works exactly like NAT on a single router. To the upstream router (the "outside" network) the downstream router is just another LAN "PC". Because of the default route, a packet to any destination IP can leave even without NAT; the problem is the reply: the target has no route back to the private source address, so the reply never returns. With NAT, the reply is addressed to the NAT router's egress IP, and the router uses the port (for ICMP, the echo identifier) to tell flows apart and translate the destination back to the downstream inside IP.
When a router performs NAT: inside→outside, it first routes the packet to find the egress interface, and because the packet matches the NAT ACL on that interface it rewrites the source IP to the egress interface's IP and forwards it out of that interface; outside→inside, it first uses the existing translation entry (NAT*) to restore the destination IP to the original inside PC's IP, and only then routes that IP and forwards the packet. The process looks like this:
PC3: ping 188.188.90.34. The packet from PC3 carries source IP 192.168.100.2 and destination IP 188.188.90.34.
Third-level NAT (Router4):
router4#
IP: s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward (determine the forwarding interface)
NAT: s=192.168.100.2->192.168.200.20, d=188.188.90.34 [96] (address translation)
NAT*: s=188.188.90.34, d=192.168.200.20->192.168.100.2 [112] (address translation)
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), routed via RIB (routing-table lookup)
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), g=192.168.100.2, len 128, forward (determine the forwarding interface)
IP: tableid=0, s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.100.2->192.168.200.20, d=188.188.90.34 [97]
NAT*: s=188.188.90.34, d=192.168.200.20->192.168.100.2 [113]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), g=192.168.100.2, len 128, forward
IP: tableid=0, s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.100.2->192.168.200.20, d=188.188.90.34 [98]
NAT*: s=188.188.90.34, d=192.168.200.20->192.168.100.2 [114]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), g=192.168.100.2, len 128, forward
IP: tableid=0, s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.100.2->192.168.200.20, d=188.188.90.34 [99]
NAT*: s=188.188.90.34, d=192.168.200.20->192.168.100.2 [115]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), g=192.168.100.2, len 128, forward
Router#
The four blocks above are the four packets of the ping; in the original the outgoing lines were coloured green and the replies blue. In plain text, the outgoing lines are the ones with s=192.168.100.2 and the replies the ones with s=188.188.90.34. The number in square brackets on the NAT lines is the packet's IP identification field, and g= on the forward lines is the next hop chosen by routing.
Only the first packet is analysed here.
inside→outside: the destination IP 188.188.90.34 is never changed on the way to the target. The first (green) line is the routing-table lookup that picks the egress ("routed via RIB"; that line is absent from the Router4 capture for packet 1 but appears for packets 2 to 4); the second line is the forwarding decision for that interface; the third line is the NAT, which rewrites the source IP 192.168.100.2 to the egress IP 192.168.200.20 and sends the packet out.
outside→inside: the source IP 188.188.90.34 of the reply is never changed. The fourth (blue) line shows the packet being translated by NAT* as soon as it arrives. Note the asterisk after NAT: it marks a translation made through the existing translation entry (Cisco documents it as the fast-switched path, as opposed to the process-switched first packet that creates the entry); the destination 192.168.200.20 is restored to 192.168.100.2. The fifth line is the routing-table lookup for that restored address; the sixth line is the forwarding decision and transmission.
The other three packets go through the same steps as the first.
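Checking the four packets by eye works for a short capture, but the same check can be done mechanically. The parser below is an added example, not part of the original page: it reads Cisco `debug ip packet` / `debug ip nat` lines, groups consecutive lines into packets, and verifies the order of operations described above (outbound: route and forward, then NAT; inbound: NAT*, then route and forward), as well as that each reply is mapped back through the same translation the request created. The sample lines are copied from the Router4 capture above (ping packets 1 and 2) plus one `expiring` line of the kind Router6 logs, to show that it is ignored. The regular expressions are assumptions about the debug format and only cover the line shapes that appear on this page.

```python
"""Parse Cisco `debug ip packet` / `debug ip nat` lines and check, per packet,
the NAT order of operations: inside->outside routes and forwards first and
translates last; outside->inside translates (NAT*) first and then routes.

Added example, not part of the original page. The sample lines are copied from
the Router4 capture (ping packets 1 and 2) plus one `expiring` line of the kind
Router6 logged; the regexes are assumptions about the debug format and only
cover the line shapes that appear on the page.
"""
import re
from ipaddress import ip_address, ip_network

ROUTE = re.compile(r"^IP: tableid=\d+, s=(\S+) \(\S+\), d=(\S+) \(\S+\), routed via RIB$")
FWD = re.compile(r"^IP: s=(\S+) \(\S+\), d=(\S+) \(\S+\), g=(\S+), len \d+, forward$")
NAT_OUT = re.compile(r"^NAT: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]$")
NAT_IN = re.compile(r"^NAT\*: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]$")


def parse_line(line: str, inside_net: str):
    """Return (direction, inside_local, peer, kind, extra), or None for lines to ignore."""
    net = ip_network(inside_net)
    if m := NAT_OUT.match(line):
        local, glob, peer, ipid = m.groups()
        return ("out", local, peer, "nat", {"global": glob, "id": int(ipid)})
    if m := NAT_IN.match(line):
        peer, glob, local, ipid = m.groups()
        return ("in", local, peer, "nat*", {"global": glob, "id": int(ipid)})
    m = ROUTE.match(line) or FWD.match(line)
    if not m:
        return None                           # prompt, "NAT: expiring ...", etc.
    kind = "route" if m.re is ROUTE else "forward"
    s, d = m.group(1), m.group(2)
    if ip_address(s) in net:                  # inside host is the source: outbound, pre-NAT
        return ("out", s, d, kind, {})
    if ip_address(d) in net:                  # inside host is the destination: inbound, post-NAT*
        return ("in", d, s, kind, {})
    return None


def group_packets(lines, inside_net: str) -> list:
    """Consecutive events with the same direction and inside-host/peer pair belong to one packet."""
    packets = []
    for line in lines:
        ev = parse_line(line.strip(), inside_net)
        if ev is None:
            continue
        direction, local, peer, kind, extra = ev
        cur = packets[-1] if packets else None
        if cur and (cur["dir"], cur["local"], cur["peer"]) == (direction, local, peer) and kind not in cur["kinds"]:
            cur["kinds"].append(kind)
            cur["extra"].update(extra)
        else:
            packets.append({"dir": direction, "local": local, "peer": peer, "kinds": [kind], "extra": dict(extra)})
    return packets


def check_order(pkt: dict) -> bool:
    """Outbound: NAT must be the last step. Inbound: NAT* must be the first step."""
    kinds = pkt["kinds"]
    if pkt["dir"] == "out":
        return "nat" in kinds and kinds.index("nat") == len(kinds) - 1
    return "nat*" in kinds and kinds.index("nat*") == 0


def translations(packets: list) -> list:
    """Pair each outbound packet with the inbound one that follows and check the mapping is reversed."""
    pairs = []
    for out, back in zip(packets, packets[1:]):
        if out["dir"] == "out" and back["dir"] == "in":
            ok = (out["local"], out["extra"].get("global")) == (back["local"], back["extra"].get("global"))
            pairs.append((out["local"], out["extra"].get("global"), back["extra"].get("global"), ok))
    return pairs


SAMPLE = """\
IP: s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.100.2->192.168.200.20, d=188.188.90.34 [96]
NAT*: s=188.188.90.34, d=192.168.200.20->192.168.100.2 [112]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), g=192.168.100.2, len 128, forward
IP: tableid=0, s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.100.2 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.100.2->192.168.200.20, d=188.188.90.34 [97]
NAT*: s=188.188.90.34, d=192.168.200.20->192.168.100.2 [113]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.100.2 (FastEthernet0/1), g=192.168.100.2, len 128, forward
NAT: expiring 192.168.1.10 (192.168.200.20) icmp 3 (3)
""".splitlines()

if __name__ == "__main__":
    for p in group_packets(SAMPLE, "192.168.100.0/24"):
        print(p["dir"], p["kinds"], "id", p["extra"].get("id"), "order ok:", check_order(p))
    print(translations(group_packets(SAMPLE, "192.168.100.0/24")))
```

Run against the Router2 or Router6 output the inside prefix argument changes (192.168.1.0/24 and 192.168.200.0/24 respectively); everything else is the same, which is the point of the page: each level is an ordinary NAT router whose inside host happens to be the next router's outside address.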
Summary:
NAT order of operations: inside→outside, route first and then translate; outside→inside, translate first and then route. This is also the documented Cisco order that matters when writing access lists: an outbound ACL on the outside interface sees the translated (global) source address, while an inbound ACL on the outside interface is checked before NAT and therefore sees the global destination address, not the inside host's.
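To make the chain concrete, the following is an added example (not part of the original page and not IOS code): a small Python model of the three cascaded routers that applies exactly this order of operations, route-then-NAT outbound and NAT*-then-route inbound, and pushes one ping from PC3 to 188.188.90.34 and back. It also shows the failure mode the opening paragraph describes: with every NAT ACL emptied, the request still leaves via the default routes, but the target has no route back to 192.168.100.2 and the reply is lost. The outside addresses 192.168.200.20, 192.168.1.10 and 188.188.90.18 are taken from the debug output; the routing tables, the NAT ACLs and the assumption that the target side only routes 188.188.90.0/24 are mine.

```python
"""Toy model of cascaded NAT in the Cisco order of operations: inside->outside is
routed first and translated at the egress; outside->inside is translated first
(NAT*) and then routed. Added example, not part of the page and not IOS code.
The outside addresses 192.168.200.20, 192.168.1.10 and 188.188.90.18 come from the
debug output; routing tables, NAT ACLs and the target's routes are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


class NoRoute(Exception):
    """A router (or the target host) has no route to the destination."""


@dataclass
class Packet:
    src: str
    dst: str
    ident: int  # ICMP echo identifier; plays the role of the L4 port for PAT


@dataclass
class NatRouter:
    name: str
    outside_if: str
    outside_addr: str                              # address inside hosts are overloaded onto
    routes: list                                   # [(prefix, egress iface)], "0.0.0.0/0" = default
    nat_acl: list                                  # inside source prefixes that may be translated
    table: dict = field(default_factory=dict)      # (inside_local, ident) -> global ident
    reverse: dict = field(default_factory=dict)    # global ident -> (inside_local, ident)
    trace: list = field(default_factory=list)      # debug-style log, in processing order

    def route(self, dst: str) -> str:
        """Longest-prefix match; raises NoRoute when nothing (not even a default) matches."""
        addr, best = ip_address(dst), None
        for prefix, iface in self.routes:
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        if best is None:
            raise NoRoute(f"{self.name}: no route to {dst}")
        return best[1]

    def inside_to_outside(self, pkt: Packet) -> Packet:
        out_if = self.route(pkt.dst)               # step 1: routing picks the egress interface
        self.trace.append(f"{self.name} IP: s={pkt.src} d={pkt.dst} -> {out_if}")
        if out_if != self.outside_if or not any(ip_address(pkt.src) in ip_network(p) for p in self.nat_acl):
            return pkt                             # not leaving via the outside interface, or ACL denies
        key = (pkt.src, pkt.ident)
        if key not in self.table:                  # step 2: create a PAT entry (reused by later packets)
            gid = pkt.ident
            while gid in self.reverse:             # keep the identifier when free, else take the next one
                gid += 1
            self.table[key], self.reverse[gid] = gid, key
        gid = self.table[key]
        self.trace.append(f"{self.name} NAT: s={pkt.src}->{self.outside_addr} [{gid}]")
        return Packet(self.outside_addr, pkt.dst, gid)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        if pkt.dst == self.outside_addr and pkt.ident in self.reverse:   # step 1: NAT* first
            local, ident = self.reverse[pkt.ident]
            self.trace.append(f"{self.name} NAT*: d={pkt.dst}->{local}")
            pkt = Packet(pkt.src, local, ident)
        out_if = self.route(pkt.dst)               # step 2: route the restored destination
        self.trace.append(f"{self.name} IP: s={pkt.src} d={pkt.dst} -> {out_if}")
        return pkt


TARGET_ROUTES = [ip_network("188.188.90.0/24")]   # assumption: the target side only knows the public lab block


def target_reply(pkt: Packet) -> Packet:
    """Echo reply from the target; fails if the request carried a source it cannot route back to."""
    if not any(ip_address(pkt.src) in n for n in TARGET_ROUTES):
        raise NoRoute(f"target: no route back to {pkt.src}")
    return Packet(pkt.dst, pkt.src, pkt.ident)


def build_chain(nat_enabled: bool) -> list:
    """Router4 -> Router6 -> Router2, innermost first; nat_enabled=False empties every NAT ACL."""
    acl = (lambda prefix: [prefix]) if nat_enabled else (lambda prefix: [])
    r4 = NatRouter("Router4", "Fa0/0", "192.168.200.20",
                   [("192.168.100.0/24", "Fa0/1"), ("192.168.200.0/24", "Fa0/0"), ("0.0.0.0/0", "Fa0/0")],
                   acl("192.168.100.0/24"))
    r6 = NatRouter("Router6", "Fa0/0", "192.168.1.10",
                   [("192.168.200.0/24", "Fa0/1"), ("192.168.1.0/24", "Fa0/0"), ("0.0.0.0/0", "Fa0/0")],
                   acl("192.168.200.0/24"))
    r2 = NatRouter("Router2", "Fa0/1", "188.188.90.18",
                   [("192.168.1.0/24", "Fa0/0"), ("188.188.90.16/28", "Fa0/1"), ("0.0.0.0/0", "Fa0/1")],
                   acl("192.168.1.0/24"))
    return [r4, r6, r2]


def ping(chain: list, src: str, dst: str, ident: int = 1) -> Packet:
    """Push one echo request out through the chain and bring the reply back to the inside host."""
    pkt = Packet(src, dst, ident)
    for r in chain:                                # inside -> outside: Router4, Router6, Router2
        pkt = r.inside_to_outside(pkt)
    reply = target_reply(pkt)
    for r in reversed(chain):                      # outside -> inside: Router2, Router6, Router4
        reply = r.outside_to_inside(reply)
    return reply


if __name__ == "__main__":
    chain = build_chain(nat_enabled=True)
    print("reply delivered to", ping(chain, "192.168.100.2", "188.188.90.34").dst)
    print("\n".join(line for r in chain for line in r.trace))
```

Each router's trace comes out in the same shape as the debug output above: an IP line, then NAT for the request; NAT*, then an IP line for the reply. Calling ping() on build_chain(nat_enabled=False) raises NoRoute from the target, which is the "reply has no route back" case the page opens with.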
Output from the first- and second-level NAT routers is given below for reference. One difference worth noticing: Router2's forward lines show a real next hop, g=188.188.90.17, whereas on Router4 and Router6 g= is the destination address itself, which is consistent with a default route pointed at an interface rather than at a next-hop address (the router then relies on the upstream router's proxy ARP for every destination).
First-level NAT router (Router2):
IP: tableid=0, s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), routed via RIB
IP: s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), g=188.188.90.17, len 128, forward
NAT: s=192.168.1.10->188.188.90.18, d=188.188.90.34 [12]
NAT*: s=188.188.90.34, d=188.188.90.18->192.168.1.10 [4]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), g=192.168.1.10, len 128, forward
IP: tableid=0, s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), routed via RIB
IP: s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), g=188.188.90.17, len 128, forward
NAT: s=192.168.1.10->188.188.90.18, d=188.188.90.34 [13]
NAT*: s=188.188.90.34, d=188.188.90.18->192.168.1.10 [5]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), g=192.168.1.10, len 128, forward
IP: tableid=0, s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), routed via RIB
IP: s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), g=188.188.90.17, len 128, forward
NAT: s=192.168.1.10->188.188.90.18, d=188.188.90.34 [14]
NAT*: s=188.188.90.34, d=188.188.90.18->192.168.1.10 [6]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), g=192.168.1.10, len 128, forward
IP: tableid=0, s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), routed via RIB
IP: s=192.168.1.10 (FastEthernet0/0), d=188.188.90.34 (FastEthernet0/1), g=188.188.90.17, len 128, forward
NAT: s=192.168.1.10->188.188.90.18, d=188.188.90.34 [15]
NAT*: s=188.188.90.34, d=188.188.90.18->192.168.1.10 [7]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/1), d=192.168.1.10 (FastEthernet0/0), g=192.168.1.10, len 128, forward
Router2#
Second-level NAT router (Router6); the "NAT: expiring ..." line in the middle is an older ICMP translation entry for 192.168.200.20 timing out, interleaved with the ping, not one of the four packets:
Router6#
IP: tableid=0, s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.200.20->192.168.1.10, d=188.188.90.34 [12]
NAT*: s=188.188.90.34, d=192.168.1.10->192.168.200.20 [4]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), g=192.168.200.20, len 128, forward
NAT: expiring 192.168.1.10 (192.168.200.20) icmp 3 (3)
IP: tableid=0, s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.200.20->192.168.1.10, d=188.188.90.34 [13]
NAT*: s=188.188.90.34, d=192.168.1.10->192.168.200.20 [5]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), g=192.168.200.20, len 128, forward
IP: tableid=0, s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.200.20->192.168.1.10, d=188.188.90.34 [14]
NAT*: s=188.188.90.34, d=192.168.1.10->192.168.200.20 [6]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), g=192.168.200.20, len 128, forward
IP: tableid=0, s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), routed via RIB
IP: s=192.168.200.20 (FastEthernet0/1), d=188.188.90.34 (FastEthernet0/0), g=188.188.90.34, len 128, forward
NAT: s=192.168.200.20->192.168.1.10, d=188.188.90.34 [15]
NAT*: s=188.188.90.34, d=192.168.1.10->192.168.200.20 [7]
IP: tableid=0, s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), routed via RIB
IP: s=188.188.90.34 (FastEthernet0/0), d=192.168.200.20 (FastEthernet0/1), g=192.168.200.20, len 128, forward