Accessing an Internal Server via Its Public Address from Inside a NAT Network

I. Environment

1. The organization has one server providing web, FTP, SSH and other services; its IP address is a private address.

2. The egress router is a Cisco router doing port mapping so that the server can be reached from outside.

3. Internal users reach the server by its private address; external users reach it by its public address.

II. Requirement

Internal users must be able to reach the server by its public address as well.

III. Test and Result

Internal users reaching the server by its private address, the server reaching the Internet, and external users reaching the server all work normally.

The NAT device rewrites the destination address of the SYN but not its source address, so the server's SYN-ACK goes straight back to the client (from the server's private address rather than the public address the client connected to) and the three-way handshake fails.

IV. Conclusion

The NAT above is traditional NAT; it cannot let internal users reach the internal server through the public address.

V. Alternative Solutions

Solution 1: traditional NAT + PBR (borrowed from NAT-on-a-stick)

Client accessing the server

Client accessing the Internet

Internet users accessing the server

Solution 2: NVI mode (NAT Virtual Interface)
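To make the failure and the two fixes concrete before the lab, here is a small Python model added for this article; it is not part of the original post and not Cisco code. It uses the NAT2 lab addresses from this page (client 192.168.10.10, server 192.168.10.20, public 203.1.1.1, pool 2.2.2.2) and applies all three behaviours to the same addresses for comparison; the mode names traditional/nvi/pbr, the Pkt and HairpinNat names and the client port 49217 are my own choices. The server's routing decision is reduced to one rule: a reply to an address on its own LAN is delivered directly, anything else goes to the default gateway, which is the NAT router.

```python
"""Model of the three NAT behaviours compared on this page (traditional NAT,
NVI, traditional NAT + PBR with a pool): does an inside client that connects
to the public address ever receive a SYN-ACK it will accept?"""
import ipaddress
from dataclasses import dataclass

# Addresses taken from the NAT2 lab on this page (constructed scenario: the
# page runs NVI on vIOS_R with other addresses, but the mechanism is the same).
LAN = ipaddress.ip_network("192.168.10.0/24")   # inside subnet shared by client and server
CLIENT = "192.168.10.10"
SERVER = "192.168.10.20"
PUBLIC = "203.1.1.1"                             # outside interface / static-map address
POOL = "2.2.2.2"                                 # natpool address of solution 1

# ip nat inside source static tcp <inner> <port> <public> <port>
STATIC = {(PUBLIC, 21): (SERVER, 21), (PUBLIC, 22): (SERVER, 22), (PUBLIC, 80): (SERVER, 80)}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str


class HairpinNat:
    """mode is 'traditional', 'nvi' or 'pbr' (solution 1); my own labels."""

    def __init__(self, mode):
        if mode not in ("traditional", "nvi", "pbr"):
            raise ValueError(mode)
        self.mode = mode
        self.sessions = {}   # (translated client ip, client port) -> real client ip

    def forward(self, p):
        """Client -> server direction, as the packet leaves the router for the server."""
        inner = STATIC.get((p.dst, p.dport))
        if inner is None:
            return p                       # not a mapped service: left untouched
        dst, dport = inner
        if self.mode == "traditional":
            # Only the destination is rewritten; the source stays the client's private IP.
            return Pkt(p.src, p.sport, dst, dport, p.flag)
        # NVI translates the source to the interface address (overload); the PBR
        # variant pushes the packet through Loopback0 (inside) so list 100 maps it
        # to the pool. Either way the server no longer sees the client's own IP.
        new_src = PUBLIC if self.mode == "nvi" else POOL
        self.sessions[(new_src, p.sport)] = p.src
        return Pkt(new_src, p.sport, dst, dport, p.flag)

    def reply(self, p):
        """Server -> client direction, only for replies that transit the router."""
        client = self.sessions.get((p.dst, p.dport))
        if client is None:
            return p
        # Reverse the static map so the reply appears to come from the public address.
        pub = next((k for k, v in STATIC.items() if v == (p.src, p.sport)), (p.src, p.sport))
        return Pkt(pub[0], pub[1], client, p.dport, p.flag)


def handshake(mode, sport=49217):
    """Report who the server thinks the client is, where the SYN-ACK finally
    comes from, and whether the client accepts it (it must come from the peer
    it dialled: PUBLIC:80)."""
    nat = HairpinNat(mode)
    syn = Pkt(CLIENT, sport, PUBLIC, 80, "SYN")
    expected_peer = (syn.dst, syn.dport)
    at_server = nat.forward(syn)
    # The server answers whatever source address it saw in the SYN.
    synack = Pkt(at_server.dst, at_server.dport, at_server.src, at_server.sport, "SYN-ACK")
    # Server routing: a destination on its own LAN is delivered directly (the
    # router never sees it); anything else goes to the gateway = NAT router.
    if ipaddress.ip_address(synack.dst) in LAN:
        delivered = synack
    else:
        delivered = nat.reply(synack)
    ok = (delivered.src, delivered.sport) == expected_peer and delivered.dst == CLIENT
    return {
        "mode": mode,
        "server_sees_client_as": (at_server.src, at_server.sport),
        "client_gets_synack_from": (delivered.src, delivered.sport),
        "handshake_completes": ok,
    }


if __name__ == "__main__":
    for m in ("traditional", "nvi", "pbr"):
        print(handshake(m))
```

Only when both halves of the flow transit the router does the SYN-ACK come back from 203.1.1.1:80, the peer the client actually dialled; with the traditional mode the SYN-ACK arrives from 192.168.10.20:80 and the client discards it, which is the retransmission loop seen in the captures later in this article.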

VI. Verification Lab Topology

Note: vIOS_R uses solution 2; NAT2 uses the traditional configuration, and once that verification is done NAT2 is reconfigured with solution 1.

VII. Basic Configuration of Each Device

Device          OS          IP address          Gateway          Open services              Other
Win_client1     win2008R2   192.168.43.10/24    192.168.43.254   3389                       both in vlan1
Linux_server1   centos7     192.168.43.20/24    192.168.43.254   web(80) ftp(21) ssh(22)    (with Win_client1)
Win_client2     win2008R2   192.168.10.10/24    192.168.10.254   3389                       both in vlan10
Linux_server2   centos7     192.168.10.20/24    192.168.10.254   web(80) ftp(21) ssh(22)    (with Win_client2)

L2_SW:

interface Ethernet0/3
 switchport access vlan 10
 switchport mode access
interface Ethernet1/1
 switchport access vlan 10
 switchport mode access
interface Ethernet1/3
 switchport access vlan 10
 switchport mode access

vIOS_R (NVI mode):

interface GigabitEthernet0/0
 ip address 192.168.43.254 255.255.255.0
 no ip redirects
 ip nat enable
interface GigabitEthernet0/1
 ip address 202.1.1.1 255.255.255.0
 ip nat enable
access-list 1 permit 192.168.43.0 0.0.0.255
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat source static tcp 192.168.43.20 21 202.1.1.1 21 extendable
ip nat source static tcp 192.168.43.20 22 202.1.1.1 22 extendable
ip nat source static tcp 192.168.43.20 80 202.1.1.1 80 extendable
ip nat source static tcp 192.168.43.10 3389 202.1.1.1 3389 extendable
ip route 0.0.0.0 0.0.0.0 202.1.1.254

NAT2 (traditional NAT mode):

interface Ethernet0/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 ip address 203.1.1.1 255.255.255.0
 ip nat outside
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.20 21 203.1.1.1 21 extendable
ip nat inside source static tcp 192.168.10.20 22 203.1.1.1 22 extendable
ip nat inside source static tcp 192.168.10.20 80 203.1.1.1 80 extendable
ip nat inside source static tcp 192.168.10.10 3389 203.1.1.1 3389 extendable
ip route 0.0.0.0 0.0.0.0 203.1.1.254

OR:

interface Ethernet0/0
 ip address 11.11.11.1 255.255.255.0
interface GigabitEthernet0/0
 ip address 202.1.1.254 255.255.255.0
interface GigabitEthernet1/0
 ip address 203.1.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 11.11.11.254

Internet:

interface Ethernet0/0
 ip address 11.11.11.254 255.255.255.0
ip route 202.1.1.0 255.255.255.0 11.11.11.1
ip route 203.1.1.0 255.255.255.0 11.11.11.1

VIII. Lab Results

1. Win_client1 uses the public address 202.1.1.1 to reach the internal server (Linux_server1) web, FTP and SSH services

(192.168.43.10->202.1.1.1:80) success!

(192.168.43.10->202.1.1.1:21, active mode) success!

(192.168.43.10->202.1.1.1:22) success!

2. Win_client2 uses the public address 203.1.1.1 to reach the internal server (Linux_server2) web, FTP and SSH services

Web, FTP and SSH all fail!

3. Win_client1 uses the public address 203.1.1.1 to reach the internal server (Linux_server2) web, FTP and SSH services

(192.168.43.10->203.1.1.1:80) success!

(192.168.43.10->203.1.1.1:21, active mode) success!

(192.168.43.10->203.1.1.1:22) success!

4. Win_client2 uses the public address 202.1.1.1 to reach the internal server (Linux_server1) web, FTP and SSH services

(192.168.10.10->202.1.1.1:80) success!

(192.168.10.10->202.1.1.1:21, active mode) success!

(192.168.10.10->202.1.1.1:22) success!

5. RDP (3389) between Win_client1 and Win_client2

(192.168.43.10->203.1.1.1:3389) success!

(192.168.10.10->202.1.1.1:3389) success!

IX. Summary of Lab Results

X. Summary

1. Traditional NAT does not support internal users reaching an internal server by its public address.

2. To let internal users reach the internal server by its public address, use NVI (NAT Virtual Interface) and disable ICMP redirects on the inside interface with no ip redirects (the packets enter and leave through the same interface).


Analysis and Comparison of Traditional NAT and NVI-capable NAT

[Traditional NAT]

1. Basic NAT configuration:

interface Ethernet0/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 ip address 203.1.1.1 255.255.255.0
 ip nat outside
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.20 21 203.1.1.1 21 extendable
ip nat inside source static tcp 192.168.10.20 22 203.1.1.1 22 extendable
ip nat inside source static tcp 192.168.10.20 80 203.1.1.1 80 extendable
ip nat inside source static tcp 192.168.10.10 3389 203.1.1.1 3389 extendable
ip route 0.0.0.0 0.0.0.0 203.1.1.254

2. Enable debug ip nat and debug ip packet on the traditional NAT device

3. From Win_client2, access the Linux_server2 SSH service via the public address 203.1.1.1

4. Debug output on the NAT device

*Dec 31 15:11:07.340: NAT: Entry assigned id 332
*Dec 31 15:11:07.340: NAT*: s=192.168.10.10, d=203.1.1.1->192.168.10.20 [1230]   --- destination address translated
*Dec 31 15:11:07.344: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20, len 52, input feature, MCI Check(85), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE   --- source address not translated
*Dec 31 15:11:07.348: IP: tableid=0, s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), routed via FIB   --- forwarded according to the routing table
*Dec 31 15:11:07.352: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, output feature, NAT Inside(11), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:11:07.356: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, redirected   --- in one interface and out the same interface, so an ICMP redirect is generated
*Dec 31 15:11:07.364: IP: s=192.168.10.254 (local), d=192.168.10.10, len 56, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:11:07.368: IP: tableid=0, s=192.168.10.254 (local), d=192.168.10.10 (Ethernet0/0), routed via FIB
*Dec 31 15:11:07.368: IP: s=192.168.10.254 (local), d=192.168.10.10 (Ethernet0/0), len 56, sending
*Dec 31 15:11:07.372: IP: s=192.168.10.254 (local), d=192.168.10.10 (Ethernet0/0), len 56, output feature, NAT Inside(11), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:11:07.380: IP: s=192.168.10.254 (local), d=192.168.10.10 (Ethernet0/0), len 56, sending full packet   --- the gateway tells 192.168.10.10 that it can reach 192.168.10.20 directly
*Dec 31 15:11:07.388: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), g=192.168.10.20, len 52, forward   --- the packet (source 192.168.10.10, destination 192.168.10.20) is forwarded to 192.168.10.20
*Dec 31 15:11:07.396: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, sending full packet

5. Disable redirects on the inside interface and run the debug again

int e0/0
 no ip redirects

NAT2#
*Dec 31 15:26:16.404: NAT: Entry assigned id 341
*Dec 31 15:26:16.408: NAT*: s=192.168.10.10, d=203.1.1.1->192.168.10.20 [1233]   --- destination address translated
*Dec 31 15:26:16.412: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20, len 52, input feature, MCI Check(85), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:26:16.420: IP: tableid=0, s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), routed via FIB
*Dec 31 15:26:16.420: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, output feature, NAT Inside(11), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:26:16.428: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), g=192.168.10.20, len 52, forward
*Dec 31 15:26:16.436: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, sending full packet

6. Use a public address other than the interface address for the static mapping and run the debug again

ip nat inside source static tcp 192.168.10.20 22 203.1.1.10 22 extendable

NAT2(config)#
*Dec 31 15:34:50.300: NAT: Entry assigned id 343
*Dec 31 15:34:50.300: NAT*: s=192.168.10.10, d=203.1.1.10->192.168.10.20 [1236]
*Dec 31 15:34:50.304: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20, len 52, input feature, MCI Check(85), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:34:50.308: IP: tableid=0, s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), routed via FIB
*Dec 31 15:34:50.312: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, output feature, NAT Inside(11), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 15:34:50.320: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), g=192.168.10.20, len 52, forward
*Dec 31 15:34:50.328: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, sending full packet

7. Packet capture on g0/0 (outside interface)

No packets on the outside interface.

8. Packet capture on e0/0 (inside interface)

The TCP three-way handshake does not complete: 203.1.1.1 never answers 192.168.10.10.

192.168.10.10 is talking to 203.1.1.1 and sends a SYN. The NAT device forwards the packet to 192.168.10.20, but the source address is still 192.168.10.10. On receiving it, 192.168.10.20 sends a SYN-ACK to 192.168.10.10 with source address 192.168.10.20. 192.168.10.10 ignores that packet, because it never sent a SYN to 192.168.10.20; it sent its SYN to 203.1.1.1, so the SYN-ACK should come from 203.1.1.1.

9. Packet capture on the win_client2 interface

Packet 16: source 192.168.10.10, destination 203.1.1.1. The destination is translated to 192.168.10.20 and the NAT device forwards the packet (S:192.168.10.10, D:192.168.10.20) to 192.168.10.20.

Packet 17: on receiving the packet, 192.168.10.20 sends a SYN-ACK to 192.168.10.10 with source address 192.168.10.20.

192.168.10.10 ignores the SYN-ACK from 192.168.10.20.

192.168.10.10 sent its SYN to 203.1.1.1 and is waiting for a SYN-ACK from 203.1.1.1; it ignores any other SYN-ACK.

192.168.10.10 never gets the SYN-ACK from 203.1.1.1 and retransmits;

192.168.10.20 never gets the ACK from 192.168.10.10 and retransmits;

10. Packet capture on the Linux_server2 interface

Packet 14 is the packet forwarded by the NAT device;

Packet 15: the server sends a SYN-ACK to the client;

192.168.10.20 never gets the ACK from 192.168.10.10 and retransmits;

11. The problem with traditional NAT

The server's reply does not pass through the NAT device but goes straight to the client, yet the client never sent a request to the server's private address, so the TCP three-way handshake fails.

[NVI-capable NAT: Solution 2]

1. Basic configuration

vIOS_R:

interface GigabitEthernet0/0
 ip address 192.168.43.254 255.255.255.0
 no ip redirects
 ip nat enable
interface GigabitEthernet0/1
 ip address 202.1.1.1 255.255.255.0
 ip nat enable
access-list 1 permit 192.168.43.0 0.0.0.255
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat source static tcp 192.168.43.20 21 202.1.1.1 21 extendable
ip nat source static tcp 192.168.43.20 22 202.1.1.1 22 extendable
ip nat source static tcp 192.168.43.20 80 202.1.1.1 80 extendable
ip nat source static tcp 192.168.43.10 3389 202.1.1.1 3389 extendable
ip route 0.0.0.0 0.0.0.0 202.1.1.254

2. Enable debug ip nat and debug ip packet

3. From Win_client1, access the Linux_server1 SSH service via the public address 202.1.1.1

4. Debug output on the NAT device

NAT2#
*Dec 31 20:21:30.760: IP: s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1, len 52, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.761: IP: s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1, len 52, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.763: IP: s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1, len 52, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.764: IP: tableid=0, s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1 (GigabitEthernet0/1), routed via RIB   --- routing lookup
*Dec 31 20:21:30.768: NAT: s=192.168.43.10->202.1.1.1, d=202.1.1.1 [1572]   --- source address translated
*Dec 31 20:21:30.769: NAT: s=202.1.1.1, d=202.1.1.1->192.168.43.20 [1572]   --- destination address translated
// S:192.168.43.10 -> D:202.1.1.1 becomes S:202.1.1.1 -> D:192.168.43.20
*Dec 31 20:21:30.769: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), len 52, output feature, Post-routing NAT NVI Output(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.771: IP: Output changed by feature=24: GigabitEthernet0/1 -> GigabitEthernet0/0
*Dec 31 20:21:30.772: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), len 52, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.775: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), g=192.168.43.20, len 52, forward
*Dec 31 20:21:30.780: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), len 52, sending full packet
// SYN
*Dec 31 20:21:30.788: IP: s=192.168.43.20 (GigabitEthernet0/0), d=202.1.1.1, len 52, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.791: IP: s=192.168.43.20 (GigabitEthernet0/0), d=202.1.1.1, len 52, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.794: IP: s=192.168.43.20 (GigabitEthernet0/0), d=202.1.1.1, len 52, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.796: IP: tableid=0, s=192.168.43.20 (GigabitEthernet0/0), d=202.1.1.1 (GigabitEthernet0/1), routed via RIB   --- routing lookup for the return packet
*Dec 31 20:21:30.797: NAT: s=192.168.43.20->202.1.1.1, d=202.1.1.1 [0]   --- source address translated
*Dec 31 20:21:30.797: NAT: s=202.1.1.1, d=202.1.1.1->192.168.43.10 [0]   --- destination address translated
// S:192.168.43.20 -> D:202.1.1.1 becomes S:202.1.1.1 -> D:192.168.43.10
*Dec 31 20:21:30.798: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.10 (GigabitEthernet0/0), len 52, output feature, Post-routing NAT NVI Output(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.800: IP: Output changed by feature=24: GigabitEthernet0/1 -> GigabitEthernet0/0
*Dec 31 20:21:30.800: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.10 (GigabitEthernet0/0), len 52, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.802: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.10 (GigabitEthernet0/0), g=192.168.43.10, len 52, forward
*Dec 31 20:21:30.806: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.10 (GigabitEthernet0/0), len 52, sending full packet
// SYN-ACK
*Dec 31 20:21:30.813: IP: s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1, len 40, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.815: IP: s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1, len 40, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.816: IP: s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1, len 40, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.819: IP: tableid=0, s=192.168.43.10 (GigabitEthernet0/0), d=202.1.1.1 (GigabitEthernet0/1), routed via RIB
*Dec 31 20:21:30.820: NAT: s=192.168.43.10->202.1.1.1, d=202.1.1.1 [1573]
*Dec 31 20:21:30.820: NAT: s=202.1.1.1, d=202.1.1.1->192.168.43.20 [1573]
*Dec 31 20:21:30.821: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), len 40, output feature, Post-routing NAT NVI Output(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.823: IP: Output changed by feature=24: GigabitEthernet0/1 -> GigabitEthernet0/0
*Dec 31 20:21:30.824: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), len 40, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 31 20:21:30.826: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), g=192.168.43.20, len 40, forward
*Dec 31 20:21:30.830: IP: s=202.1.1.1 (GigabitEthernet0/0), d=192.168.43.20 (GigabitEthernet0/0), len 40, sending full packet
// ACK

5. Packet capture on g0/1 (outside interface)

No packets on the outside interface.

6. Packet capture on g0/0 (inside interface)

TCP three-way handshake, followed by the data exchange between the SSH client and the SSH server.

7. Packet capture on the Win_client1 interface

Source 192.168.43.10, destination 202.1.1.1, port 22: the TCP three-way handshake succeeds.

8. Packet capture on the Linux_server1 interface

Source 202.1.1.1, destination 192.168.43.20, port 22: the TCP three-way handshake succeeds.

9. Analysis and summary

Source 192.168.43.10 to destination 202.1.1.1:22 has source and destination translated together into source 202.1.1.1 to destination 192.168.43.20:22.

Return packet: source 192.168.43.20 to destination 202.1.1.1 has source and destination translated together into source 202.1.1.1 to destination 192.168.43.10.

Packets are received and sent on the same interface, g0/0, so IP redirects must be disabled on the inside interface: this is the key configuration.
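As an added example that is not part of the original post, here is a Python parser for the debug ip nat / debug ip packet lines shown in the traditional-NAT and NVI sections above. It records, per IP id, whether the source, the destination or both were translated, and flags the "redirected" lines that appear when ICMP redirects are still enabled on the inside interface. The sample lines are copied from this page's debug output; the function names, the "dst-only"/"src+dst" labels and the regular expressions are my own.

```python
"""Parse Cisco IOS 'debug ip nat' / 'debug ip packet' lines and decide whether
a hairpin flow (inside client -> public address -> inside server) can complete."""
import re
from collections import defaultdict

# NAT*: s=A, d=B->C [id]   -> destination translated
# NAT:  s=A->B, d=C [id]   -> source translated
NAT_LINE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[(?P<ipid>\d+)\]"
)
# 'debug ip packet' line emitted when a packet leaves through the interface it arrived on
REDIRECT_LINE = re.compile(
    r"IP: s=(?P<s>[\d.]+) \((?P<ifin>[^)]+)\), d=(?P<d>[\d.]+) \((?P<ifout>[^)]+)\), "
    r"len \d+, redirected"
)


def parse_nat_events(lines):
    """One dict per translation line: addresses before/after and which half changed."""
    events = []
    for line in lines:
        m = NAT_LINE.search(line)
        if not m:
            continue
        kinds = set()
        if m["s_new"]:
            kinds.add("src")
        if m["d_new"]:
            kinds.add("dst")
        events.append({
            "ipid": int(m["ipid"]),
            "before": (m["s"], m["d"]),
            "after": (m["s_new"] or m["s"], m["d_new"] or m["d"]),
            "kinds": kinds,
        })
    return events


def translations_per_packet(lines):
    """IP id -> set of translation kinds applied to that packet (merged across lines)."""
    per = defaultdict(set)
    for e in parse_nat_events(lines):
        per[e["ipid"]] |= e["kinds"]
    return dict(per)


def diagnose_hairpin(lines):
    """'src+dst' means the server will answer via the router; 'dst-only' means the
    reply bypasses NAT (the traditional-NAT failure). ICMP redirects are the sign
    that 'no ip redirects' is missing on the inside interface."""
    packets = {}
    for ipid, kinds in translations_per_packet(lines).items():
        if kinds == {"src", "dst"}:
            packets[ipid] = "src+dst"
        elif kinds == {"dst"}:
            packets[ipid] = "dst-only"
        else:
            packets[ipid] = "src-only"
    redirects = [m.groupdict() for m in (REDIRECT_LINE.search(l) for l in lines) if m]
    ok = bool(packets) and all(v == "src+dst" for v in packets.values())
    return {"packets": packets, "icmp_redirects": redirects, "hairpin_ok": ok}


# Sample lines copied from the debug output on this page (traditional NAT2 and NVI vIOS_R).
TRADITIONAL_LOG = [
    "*Dec 31 15:11:07.340: NAT: Entry assigned id 332",
    "*Dec 31 15:11:07.340: NAT*: s=192.168.10.10, d=203.1.1.1->192.168.10.20 [1230]",
    "*Dec 31 15:11:07.356: IP: s=192.168.10.10 (Ethernet0/0), d=192.168.10.20 (Ethernet0/0), len 52, redirected",
]
NVI_LOG = [
    "*Dec 31 20:21:30.768: NAT: s=192.168.43.10->202.1.1.1, d=202.1.1.1 [1572]",
    "*Dec 31 20:21:30.769: NAT: s=202.1.1.1, d=202.1.1.1->192.168.43.20 [1572]",
    "*Dec 31 20:21:30.797: NAT: s=192.168.43.20->202.1.1.1, d=202.1.1.1 [0]",
    "*Dec 31 20:21:30.797: NAT: s=202.1.1.1, d=202.1.1.1->192.168.43.10 [0]",
]

if __name__ == "__main__":
    print(diagnose_hairpin(TRADITIONAL_LOG))
    print(diagnose_hairpin(NVI_LOG))
```

Under traditional NAT the single translation event for id 1230 is destination-only and the router also issues a redirect, so the reply never comes back through it; under NVI both the request (id 1572) and the reply (id 0) show src+dst. The merge by IP id also covers solution 1, where the destination rewrite (NAT*) and the source rewrite to the pool (NAT:) appear as two lines sharing the same id.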


Solution 1: Modified Traditional NAT (based on NAT-on-a-stick)

1. Basic configuration

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat inside
interface Ethernet0/0
 ip address 203.1.1.1 255.255.255.0
 ip nat outside
interface Ethernet0/1
 ip address 2.2.2.1 255.255.255.0 secondary
 ip address 192.168.10.254 255.255.255.0
 no ip redirects
 ip nat outside
 ip policy route-map pbrnat
access-list 100 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.20
ip nat pool natpool 2.2.2.2 2.2.2.10 prefix-length 24
ip nat inside source list 100 pool natpool overload
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.10.20 21 203.1.1.1 21 extendable
ip nat inside source static tcp 192.168.10.20 22 203.1.1.1 22 extendable
ip nat inside source static tcp 192.168.10.20 80 203.1.1.1 80 extendable
route-map pbrnat permit 10
 set interface Loopback0

2. Enable debug ip nat / debug ip packet / debug ip policy

3. From Win_client2, access the Linux_Server2 web service via the public address 203.1.1.1

4. Debug output on the NAT device

NAT-on-stick#debug ip nat
NAT-on-stick#debug ip pack
NAT-on-stick#debug ip policy
NAT-on-stick#
*Jan  5 13:31:01.802: NAT*: s=192.168.10.10, d=203.1.1.1->192.168.10.20 [1766]

// received on the outside interface, destination address translated: NAT first, then routing

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, FIB policy match

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, PBR Counted

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, input feature, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 52, policy match

*Jan  5 13:31:01.802: IP: route map pbrnat, item 10, permit

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, policy routed

*Jan  5 13:31:01.802: IP: Ethernet0/1 to Loopback0 212.130.112.136

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, input feature, Policy Routing(103), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, input feature, MCI Check(109), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, output feature, NAT Inside(8), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, output feature, Common Flow Table(29), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, output feature, Stateful Inspection(30), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, output feature, NAT ALG proxy(63), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), g=212.130.112.136, len 52, forward

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 52, sending full packet

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 52, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 52, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 52, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 52, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: NAT: s=192.168.10.10->2.2.2.2, d=192.168.10.20 [1766]   --- key point: source translated to the pool address

*Jan  5 13:31:01.802: IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 52, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 52, output feature, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 52, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 52, output feature, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.802: IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), g=192.168.10.20, len 52, forward

*Jan  5 13:31:01.802: IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 52, sending full packet   // SYN

*Jan  5 13:31:01.805: NAT*: s=192.168.10.20, d=2.2.2.2->192.168.10.10 [0]

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, FIB policy match

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, PBR Counted

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, input feature, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10, len 52, policy match

*Jan  5 13:31:01.805: IP: route map pbrnat, item 10, permit

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, policy routed

*Jan  5 13:31:01.805: IP: Ethernet0/1 to Loopback0 212.130.112.136

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, input feature, Policy Routing(103), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0)

NAT-on-stick#, len 52, input feature, MCI Check(109), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, output feature, NAT Inside(8), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, output feature, Common Flow Table(29), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, output feature, Stateful Inspection(30), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE, len 40, input feature

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, output feature, NAT ALG proxy(63), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), g=212.130.112.136, len 52, forward

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Ethernet0/1), d=192.168.10.10 (Loopback0), len 52, sending full packet

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Loopback0), d=192.168.10.10, len 52, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Loopback0), d=192.168.10.10, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE, len 52, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Loopback0), d=192.168.10.10, len 52, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Loopback0), d=192.168.10.10, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=192.168.10.20 (Loopback0), d=192.168.10.10, len 52, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20

*Jan  5 13:31:01.805: NAT: s=192.168.10.20->203.1.1.1, d=192.168.10.10 [0]   --- inside->outside source address translation

*Jan  5 13:31:01.805: IP: s=203.1.1.1 (Loopback0), d=192.168.10.10 (Ethernet0/1), len 52, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=203.1.1.1 (Loopback0), d=192.168.10.10 (Ethernet0/1), len 52, output feature, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=203.1.1.1 (Loopback0), d=192.168.10.10 (Ethernet0/1), len 52, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE, len 40, input feature

*Jan  5 13:31:01.805: IP: s=203.1.1.1 (Loopback0), d=192.168.10.10 (Ethernet0/1), len 52, output feature, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.805: IP: s=203.1.1.1 (Loopback0), d=192.168.10.10 (Ethernet0/1), g=192.168.10.10, len 52, forward

*Jan  5 13:31:01.805: IP: s=203.1.1.1 (Loopback0), d=192.168.10.10 (Ethernet0/1), len 52, sending full packet   // SYN-ACK

*Jan  5 13:31:01.806: NAT*: s=192.168.10.10, d=203.1.1.1->192.168.10.20 [1767]

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, FIB policy match

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, PBR Counted, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, input feature

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, input feature, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, policy match

*Jan  5 13:31:01.806: IP: route map pbrnat, item 10, permit

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, policy routed

*Jan  5 13:31:01.806: IP: Ethernet0/1 to Loopback0 212.130.112.136, len 40, input feature

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, input feature, Policy Routing(103), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, input feature, MCI Check(109), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, NAT Inside(8), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.806: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE, Common Flow Table(29), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, Stateful Inspection(30), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, NAT ALG proxy(63), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), g=212.130.112.136, len 40, forward

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0)

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20, len 40, sending full packet

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Jan  5 13:31:01.807: IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, len 40, policy match

IP: route map pbrnat, item 10, permit

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, policy routed

IP: Ethernet0/1 to Loopback0 212.130.112.136

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, input feature, Policy Routing(103), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, input feature, MCI Check(109), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, NAT Inside(8), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, Common Flow Table(29), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, Stateful Inspection(30), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, output feature, NAT ALG proxy(63), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), g=212.130.112.136, len 40, forward

IP: s=192.168.10.10 (Ethernet0/1), d=192.168.10.20 (Loopback0), len 40, sending full packet

IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=192.168.10.10 (Loopback0), d=192.168.10.20, len 40, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

NAT: s=192.168.10.10->2.2.2.2, d=192.168.10.20 [1774]

IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 40, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 40, output feature, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 40, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 40, output feature, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), g=192.168.10.20, len 40, forward

IP: s=2.2.2.2 (Loopback0), d=192.168.10.20 (Ethernet0/1), len 40, sending full packet

// ack packet

5. Capture on e0/0 (outside interface)

No traffic on the outside interface

6. Capture on e0/1 (inside interface)

TCP three-way handshake

syn: 192.168.10.10:49217->203.1.1.1:80  source and destination translated at the same time to

 2.2.2.2:49217->192.168.10.20:80

syn,ack: 192.168.10.20:80->2.2.2.2:49217  source and destination translated at the same time to

 203.1.1.1:80->192.168.10.10:49217

ack: 192.168.10.10:49217->203.1.1.1:80  source and destination translated at the same time to

 2.2.2.2:49217->192.168.10.20:80

7. Capture on the win_client2 interface

Source address 192.168.10.10, destination address 203.1.1.1; the TCP connection is established

8. Capture on the Linux_server2 interface

Source address 2.2.2.2, destination address 192.168.10.20; the TCP connection is established

9. win_client2 accesses the Internet, the win_client1 remote desktop and the Linux_server1 web service

10. win_client1 accesses the win_client2 remote desktop and the Linux_server2 web service
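The handshake above shows why the hairpin works only when source and destination are rewritten together. The following is an added model (not code from the post, and not a Cisco feature) that replays the SYN/SYN-ACK exchange through two simplified NAT behaviours: traditional inside/outside NAT, which rewrites only the destination, and the NAT-on-a-stick style used here, which also rewrites the source to the pool address 2.2.2.2. Addresses and ports are the ones from the captures; the assumption that a reply reaches the router only when its destination is off the 192.168.10.0/24 subnet stands in for same-VLAN hosts talking to each other directly.

```python
"""Replay of the hairpin TCP handshake through two NAT behaviours.

Added example, not the post's code. Traditional NAT changes only the
destination, so Linux_server2 sees the client's real address and answers it
directly; the SYN/ACK arrives from 192.168.10.20 instead of 203.1.1.1 and
the client discards it. Translating source and destination together forces
the reply back through the NAT, where it is un-translated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


# Static port mapping from the post: public 203.1.1.1:80 -> Linux_server2
STATIC_DNAT = {("203.1.1.1", 80): ("192.168.10.20", 80)}
INSIDE_NET = "192.168.10."   # win_client2 and Linux_server2 share this subnet
POOL_ADDR = "2.2.2.2"        # pool address of the PBR/loopback solution


class Nat:
    """Translation table keyed by the client's (ip, port)."""

    def __init__(self, translate_source: bool):
        self.translate_source = translate_source
        # (client_ip, client_port) -> (src_on_wire, server_ip, server_port, orig_dst, orig_dport)
        self.table = {}

    def outbound(self, p: Packet) -> Packet:
        """Client -> server: rewrite destination, and the source if enabled."""
        server = STATIC_DNAT.get((p.dst, p.dport))
        if server is None:
            return p  # not a mapped service; unchanged in this model
        new_src = POOL_ADDR if self.translate_source else p.src
        self.table[(p.src, p.sport)] = (new_src, server[0], server[1], p.dst, p.dport)
        return Packet(new_src, p.sport, server[0], server[1], p.flags)

    def inbound(self, p: Packet):
        """Server -> client: reverse the translation recorded for this flow."""
        for (cip, cport), (tsrc, sip, sprt, odst, odport) in self.table.items():
            if (p.dst, p.dport, p.src, p.sport) == (tsrc, cport, sip, sprt):
                return Packet(odst, odport, cip, cport, p.flags)
        return None  # no matching entry: the NAT drops it


def server_reply(p: Packet) -> Packet:
    """Linux_server2 answers the SYN exactly as it received it."""
    return Packet(p.dst, p.dport, p.src, p.sport, "SYN,ACK")


def reply_passes_through_nat(reply: Packet) -> bool:
    # Assumption: an on-subnet destination is reached directly (same VLAN),
    # so only replies to an off-subnet address cross the router.
    return not reply.dst.startswith(INSIDE_NET)


def hairpin_handshake(translate_source: bool) -> dict:
    """Run the SYN / SYN-ACK exchange and report what the client sees."""
    nat = Nat(translate_source)
    syn = Packet("192.168.10.10", 49217, "203.1.1.1", 80, "SYN")
    syn_on_wire = nat.outbound(syn)
    synack = server_reply(syn_on_wire)
    if reply_passes_through_nat(synack):
        synack_at_client = nat.inbound(synack)
    else:
        synack_at_client = synack  # delivered directly, untranslated
    # The client accepts a SYN/ACK only from the address:port it sent the SYN to.
    accepted = (synack_at_client is not None
                and (synack_at_client.src, synack_at_client.sport) == (syn.dst, syn.dport))
    return {"syn_on_wire": syn_on_wire,
            "synack_at_client": synack_at_client,
            "handshake_ok": accepted}


if __name__ == "__main__":
    for mode in (False, True):
        r = hairpin_handshake(mode)
        print("translate source:", mode, "->", r)
```

With `translate_source=True` the SYN leaves as 2.2.2.2:49217->192.168.10.20:80 and the SYN/ACK reaches the client as 203.1.1.1:80->192.168.10.10:49217, matching the capture in step 6; with `translate_source=False` the client receives a SYN/ACK sourced from 192.168.10.20 and the handshake fails, which is the behaviour of the traditional NAT in the test section.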


Intranet users accessing an internal server via the public address behind NAT - Summary

1. There are two ways to implement this: NVI mode, and NAT+PBR+loopback (NAT-on-a-stick)

2. NVI mode is simple; NAT+PBR+loopback is complex. NVI mode is recommended.

3. Both methods require disabling IP redirects on the internal interface with no ip redirects

4. Normally, once ip nat inside/ip nat outside or ip nat enable is configured on a Cisco router, an NVI interface is created automatically.

5. If ip nat inside/ip nat outside is configured and no NVI interface is created automatically, that IOS version does not support NAT+PBR+loopback (NAT-on-a-stick)

6. Cisco IOS versions before 12.4 support NAT+PBR+loopback; on Cisco IOS 15.2, because of how PBR behaves, it does not take effect even when configured.

7. For FTP in NVI mode, only active mode works;

If passive mode is required, some extra configuration is needed:

a. Determine the server's passive port range, normally a range above 1024, e.g. 10000-10010;

b. Configure the port mappings on the NAT device

ip nat source static tcp 192.168.43.20 10000 202.1.1.1 10000 extendable

ip nat source static tcp 192.168.43.20 10001 202.1.1.1 10001 extendable

ip nat source static tcp 192.168.43.20 10002 202.1.1.1 10002 extendable

ip nat source static tcp 192.168.43.20 10003 202.1.1.1 10003 extendable

ip nat source static tcp 192.168.43.20 10004 202.1.1.1 10004 extendable

ip nat source static tcp 192.168.43.20 10005 202.1.1.1 10005 extendable

ip nat source static tcp 192.168.43.20 10006 202.1.1.1 10006 extendable

ip nat source static tcp 192.168.43.20 10007 202.1.1.1 10007 extendable

ip nat source static tcp 192.168.43.20 10008 202.1.1.1 10008 extendable

ip nat source static tcp 192.168.43.20 10009 202.1.1.1 10009 extendable

ip nat source static tcp 192.168.43.20 10010 202.1.1.1 10010 extendable
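A passive-mode FTP session breaks as soon as the server hands out a data port that has no static mapping, and a port in the range that is already mapped to another inside host is worse, because traffic meant for the FTP server is delivered elsewhere. The following added script (not part of the post or of IOS) parses the `ip nat source static tcp` lines of a running config, reports passive ports that are missing or mapped to a different host, and prints the lines needed to complete the range. The sample config is constructed from the post's own mappings for 192.168.43.20 and 202.1.1.1 with two passive ports deliberately left out and one port deliberately mapped to the wrong host; the passive range 10000-10010 is the one from the text.

```python
"""Audit static NAT mappings for an FTP passive port range (added example)."""
import re

STATIC_RE = re.compile(
    r"^ip nat source static tcp (\S+) (\d+) (\S+) (\d+)(?: extendable)?$"
)


def parse_static_mappings(config: str) -> dict:
    """Return {(public_ip, public_port): (inside_ip, inside_port)} from config text."""
    mappings = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            inside_ip, inside_port, public_ip, public_port = m.groups()
            mappings[(public_ip, int(public_port))] = (inside_ip, int(inside_port))
    return mappings


def audit_passive_range(config: str, server_ip: str, public_ip: str, pasv_range) -> dict:
    """Find passive ports with no mapping, and ports mapped to some other host."""
    lo, hi = pasv_range
    have = parse_static_mappings(config)
    missing, conflicts = [], []
    for port in range(lo, hi + 1):
        target = have.get((public_ip, port))
        if target is None:
            missing.append(port)
        elif target != (server_ip, port):
            conflicts.append((port, target))  # public port already taken by another host
    return {"missing": missing, "conflicts": conflicts}


def static_mapping_lines(server_ip: str, public_ip: str, ports) -> list:
    """Generate one-to-one static TCP mappings in the post's syntax."""
    return [
        f"ip nat source static tcp {server_ip} {p} {public_ip} {p} extendable"
        for p in ports
    ]


# Constructed sample: the post's mappings, minus 10004 and 10009, plus a
# deliberately wrong entry that hands 10006 to the RDP client.
SAMPLE_CONFIG = """
ip nat source static tcp 192.168.43.20 21 202.1.1.1 21 extendable
ip nat source static tcp 192.168.43.20 22 202.1.1.1 22 extendable
ip nat source static tcp 192.168.43.20 80 202.1.1.1 80 extendable
ip nat source static tcp 192.168.43.10 3389 202.1.1.1 3389 extendable
ip nat source static tcp 192.168.43.20 10000 202.1.1.1 10000 extendable
ip nat source static tcp 192.168.43.20 10001 202.1.1.1 10001 extendable
ip nat source static tcp 192.168.43.20 10002 202.1.1.1 10002 extendable
ip nat source static tcp 192.168.43.20 10003 202.1.1.1 10003 extendable
ip nat source static tcp 192.168.43.20 10005 202.1.1.1 10005 extendable
ip nat source static tcp 192.168.43.10 10006 202.1.1.1 10006 extendable
ip nat source static tcp 192.168.43.20 10007 202.1.1.1 10007 extendable
ip nat source static tcp 192.168.43.20 10008 202.1.1.1 10008 extendable
ip nat source static tcp 192.168.43.20 10010 202.1.1.1 10010 extendable
"""

SERVER_IP, PUBLIC_IP, PASV_RANGE = "192.168.43.20", "202.1.1.1", (10000, 10010)


def run_audit() -> dict:
    result = audit_passive_range(SAMPLE_CONFIG, SERVER_IP, PUBLIC_IP, PASV_RANGE)
    result["fix_lines"] = static_mapping_lines(SERVER_IP, PUBLIC_IP, result["missing"])
    return result


if __name__ == "__main__":
    r = run_audit()
    print("missing passive ports:", r["missing"])
    print("conflicting mappings:", r["conflicts"])
    print("\n".join(r["fix_lines"]))
```

The conflict list is the part worth acting on first: a passive port that resolves to a different inside host must be freed before the mapping for the FTP server is added, since IOS will refuse or silently shadow the duplicate public port.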

8. For FTP in NAT+PBR+loopback (NAT-on-a-stick) mode, only passive mode works;

To use active mode, one more line of configuration is needed: NAT the packets whose source address is the server.

access-list 100 permit ip host 192.168.10.20 192.168.10.0 0.0.0.255

Original configuration:

access-list 100 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.20

ip nat pool natpool 2.2.2.2 2.2.2.10 prefix-length 24

ip nat inside source list 100 pool natpool overload
