Contents:
- Static NAT is rarely used, so this article has no lab for it
- Dynamic NAT
- Easy IP
- NAT Server
Topology
Dynamic NAT:
(Lets hosts on the internal network reach the public network through a few fixed public IP addresses)
Approach:
- Because the traffic is headed for the public network, the configuration goes on the internal network's outbound interface, i.e. R2's g0/0/4
- Because a few fixed public addresses are used, a public address pool has to be configured.
- Why an ACL: the ACL matches the subnets that are eligible for NAT. For example, if your company's internal network has two subnets, one allowed to reach the Internet and one confidential and not allowed to, you can use an ACL to match only the subnet whose traffic gets NAT-translated.
# Interface IP address and route configuration
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R1-GigabitEthernet0/0/0]quit
[R1]ip route-static 0.0.0.0 0 192.168.1.254
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet 0/0/4
[R2-GigabitEthernet0/0/4]ip address 1.2.3.4 24
[R2-GigabitEthernet0/0/4]quit
[R2]ip route-static 0.0.0.0 0 1.2.3.254
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 1.2.3.254 24
Configure the address pool
[R2]nat address-group 1 1.2.3.10 1.2.3.20
Configure the ACL
[R2]acl 2000
[R2-acl-basic-2000]rule 5 permit source any
# Configure dynamic NAT on R2's GigabitEthernet0/0/4
[R2]interface GigabitEthernet 0/0/4
[R2-GigabitEthernet0/0/4]nat outbound 2000 address-group 1
Check
[R1]ping 1.2.3.254
PING 1.2.3.254: 56 data bytes, press CTRL_C to break
Reply from 1.2.3.254: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 1.2.3.254: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 1.2.3.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=5 ttl=254 time=20 ms
[R2]display nat session all
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 192.168.1.1 62185 // source IP address and source port before translation
DestAddr Port Vpn : 1.2.3.254 23
NAT-Info
New SrcAddr : 1.2.3.11 // source IP address after translation
New SrcPort : 49149 // source port after translation
New DestAddr : ----
New DestPort : ----
Total : 1
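As an added example (not part of the original lab), the following Python script parses a `display nat session all` dump like the one above and checks each session against the configured pool (`nat address-group 1 1.2.3.10 1.2.3.20`) and the subnet the ACL is meant to permit. Because the lab's ACL uses `rule 5 permit source any`, the intended subnet 192.168.1.0/24 is passed in explicitly; the sample output is constructed, and its second entry is deliberately inconsistent with the configuration.

```python
"""Audit a Huawei VRP 'display nat session all' dump against the NAT config."""
import ipaddress

# Constructed sample: entry 1 mirrors the lab's table, entry 2 is inconsistent.
SAMPLE_OUTPUT = """\
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 192.168.1.1 62185
DestAddr Port Vpn : 1.2.3.254 23
NAT-Info
New SrcAddr : 1.2.3.11
New SrcPort : 49149
Protocol : UDP(17)
SrcAddr Port Vpn : 10.9.9.9 5000
DestAddr Port Vpn : 1.2.3.254 53
NAT-Info
New SrcAddr : 1.2.3.99
New SrcPort : 40000
Total : 2
"""

def parse_sessions(text):
    """Return one dict per session; each 'Protocol' line starts a new entry."""
    sessions, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Protocol"):
            cur = {"proto": line.split(":", 1)[1].strip()}
            sessions.append(cur)
        elif cur is not None and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            if key == "SrcAddr Port Vpn":
                cur["src"], cur["sport"] = val.split()[:2]
            elif key == "DestAddr Port Vpn":
                cur["dst"], cur["dport"] = val.split()[:2]
            elif key == "New SrcAddr":
                cur["new_src"] = val
    return sessions

def audit(sessions, pool_start, pool_end, allowed_subnet):
    """Flag sessions whose inside source or translated address disagrees with the config."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))
    net = ipaddress.ip_network(allowed_subnet)
    findings = []
    for s in sessions:
        if ipaddress.ip_address(s["src"]) not in net:
            findings.append((s, "inside source not in ACL-permitted subnet"))
        if not lo <= int(ipaddress.ip_address(s["new_src"])) <= hi:
            findings.append((s, "translated address outside nat address-group"))
    return findings
```

Run against a real dump, an empty result from `audit()` means every translation uses a pool address and every inside source is one the ACL was meant to permit.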
Easy IP
(Uses the router's own IP address [the one assigned by the service provider] to reach the public network; the advantage is that it saves money)
# Remove the configuration from the previous step
[R2]interface GigabitEthernet 0/0/4
[R2-GigabitEthernet0/0/4]undo nat outbound 2000 address-group 1
# Configure Easy IP
[R2-GigabitEthernet0/0/4]nat outbound 2000
[R2]display nat session all
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 192.168.1.1 58546 // source IP address and source port before translation
DestAddr Port Vpn : 1.2.3.4 23
NAT-Info
New SrcAddr : 1.2.3.4 // source IP address after translation, the IP address of R2's GigabitEthernet 0/0/4
New SrcPort : 49089 // source port after translation
New DestAddr : ----
New DestPort : ----
Total : 1
NAT Server
Used to let the public network reach the internal network (providing services to public-network users), using Telnet as the example
# Configure NAT Server on R2
[R2]interface GigabitEthernet 0/0/4
[R2-GigabitEthernet0/0/4]nat server protocol tcp global current-interface 2323 inside 192.168.1.1 telnet
Configure AAA authentication
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]quit
[R1]aaa
[R1-aaa]local-user test password irreversible-cipher Huawei@123
Info: Add a new user.
[R1-aaa]local-user test service-type telnet
[R1-aaa]local-user test privilege level 15
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode aaa
[R3-ui-vty0-4]quit
[R3]aaa
[R3-aaa]local-user test password irreversible-cipher Huawei@123
Info: Add a new user.
[R3-aaa]local-user test service-type telnet
[R3-aaa]local-user test privilege level 15
[R3-aaa]quit
Test:
<R3>telnet 1.2.3.4 2323
Press CTRL_] to quit telnet mode
Trying 1.2.3.4 ...
Connected to 1.2.3.4 ...
Login authentication
Username:test
Password:
<R1>