cisco NAT网络地址转换

NAT（Network Address Translation）网络地址转换，NAT提供一个连接互联网简单的方式，将内部网络用户的私网地址转换成外部公网地址，并在NAT地址转换表中记录转换项。当外部网络数据返回时，将根据NAT转换表项，将目标IP地址替换成初始的内部用户的IP地址，把数据包转发给内部网络的连接。

NAT术语：

Inside local: Host on the inside network

转换之前内部源地址，一般使用的是私有地址

Inside global: Usually assigned by an ISP and allows the   customer outside access

转换之后内部主机的地址。需要申请才取得的IP地址

Outside local :Host on the outside network（多数情况下）

转换之前目标主机的地址 ，分配给位于外部网络上的主机的IP地址，该地址是从全局可寻路径的地址或网络空间中分配的。                     

Outside global: Host on the outside network 

转换之后目标主机的名字，大多数情况下，外部本地地址等于外部全局地址。

拓扑：

R1：--作为出口网关

interface Ethernet0/0

 ip address 201.100.98.1 255.255.255.248

interface Ethernet0/1

 no ip address

interface Ethernet0/1.10

 encapsulation dot1Q 10

 ip address 192.168.1.254 255.255.255.0

interface Ethernet0/1.20

 encapsulation dot1Q 20

 ip address 192.168.2.254 255.255.255.0

R1#show run | s ip route

ip route 0.0.0.0 0.0.0.0 201.100.98.6

R1#

SW1：

Vlan 10

Vlan 20

interface Ethernet0/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

 duplex auto

interface Ethernet0/2

 switchport access vlan 10

 switchport mode access

 duplex auto

 spanning-tree portfast

interface Ethernet0/3

 switchport access vlan 20

 switchport mode access

 duplex auto

 spanning-tree portfast

R2：---模拟ISP设备

interface Ethernet0/0

 ip address 201.100.98.6 255.255.255.248

interface Ethernet0/1

 ip address 172.16.1.254 255.255.255.0

VPC1> ip 192.168.1.1 255.255.255.0 192.168.1.254

Checking for duplicate address...

PC1 : 192.168.1.1 255.255.255.0 gateway 192.168.1.254

VPC2：

Router(config)#host VPC2

VPC2(config)#no ip routing

VPC2(config)#ip default-gateway 172.16.1.254

VPC2(config)#int e0/0

VPC2(config-if)#ip add 172.16.1.1 255.255.255.0

VPC2(config-if)#no shut

Server：

Server(config)#no ip routing

Server(config)#ip default-gateway 192.168.2.254

Server(config)#int e0/0

Server(config-if)#ip add 192.168.2.1 255.255.255.0

Server(config-if)#no shut

 

 

静态NAT：

手动建立一个内部IP地址到一个外部IP地址的映射关系

 ----该方式经常用于企业网的内部设备需要能够被外部网络访问到的场合

 

需求：

（1）内网所有PC及服务器均能访问外网。

R1：

ip nat inside source static 192.168.1.1 201.100.98.1

ip nat inside source static 192.168.2.1 201.100.98.2

interface Ethernet0/0

ip nat outside

interface Ethernet0/1.10

ip nat inside

interface Ethernet0/1.20

ip nat inside

查看NAT：

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

--- 201.100.98.1       192.168.1.1        ---                ---

--- 201.100.98.2       192.168.2.1        ---                ---

R1#

R1#show ip nat statistics

Total active translations: 2 (2 static, 0 dynamic; 0 extended)

Peak translations: 15, occurred 00:29:56 ago

Outside interfaces:

  Ethernet0/0

Inside interfaces:

  Ethernet0/1.10, Ethernet0/1.20

Hits: 110  Misses: 0

CEF Translated packets: 110, CEF Punted packets: 0

Expired translations: 51

Dynamic mappings:

Total doors: 0

Appl doors: 0

Normal doors: 0

Queued Packets: 0

此时在VPC1 ping VPC2

R1# debug ip nat

R1#

*Oct 27 04:30:30.055: NAT*: s=192.168.1.1->201.100.98.1, d=172.16.1.1 [59878]

*Oct 27 04:30:30.057: NAT*: s=172.16.1.1, d=201.100.98.1->192.168.1.1 [59878]

*Oct 27 04:30:31.058: NAT*: s=192.168.1.1->201.100.98.1, d=172.16.1.1 [59879]

*Oct 27 04:30:31.058: NAT*: s=172.16.1.1, d=201.100.98.1->192.168.1.1 [59879]

 

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

icmp 201.100.98.1:59113 192.168.1.1:59113 172.16.1.1:59113   172.16.1.1:59113

icmp 201.100.98.1:59369 192.168.1.1:59369 172.16.1.1:59369   172.16.1.1:59369

icmp 201.100.98.1:59625 192.168.1.1:59625 172.16.1.1:59625   172.16.1.1:59625

icmp 201.100.98.1:59881 192.168.1.1:59881 172.16.1.1:59881   172.16.1.1:59881

icmp 201.100.98.1:60137 192.168.1.1:60137 172.16.1.1:60137   172.16.1.1:60137

--- 201.100.98.1       192.168.1.1        ---                ---

--- 201.100.98.2       192.168.2.1        ---                ---

Server 访问VPC2：

Server#ping 172.16.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1#

*Oct 27 04:31:56.025: NAT*: s=192.168.2.1->201.100.98.2, d=172.16.1.1 [10]

*Oct 27 04:31:56.025: NAT*: s=172.16.1.1, d=201.100.98.2->192.168.2.1 [10]

*Oct 27 04:31:56.026: NAT*: s=192.168.2.1->201.100.98.2, d=172.16.1.1 [11]

*Oct 27 04:31:56.026: NAT*: s=172.16.1.1, d=201.100.98.2->192.168.2.1 [11]

*Oct 27 04:31:56.026: NAT*: s=192.168.2.1->201.100.98.2, d=172.16.1.1 [12]

*Oct 27 04:31:56.027: NAT*: s=172.16.1.1, d=201.100.98.2->192.168.2.1 [12]

*Oct 27 04:31:56.027: NAT*: s=192.168.2.1->201.100.98.2, d=172.16.1.1 [13]

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

--- 201.100.98.1       192.168.1.1        ---                ---

icmp 201.100.98.2:2    192.168.2.1:2      172.16.1.1:2       172.16.1.1:2

icmp 201.100.98.2:3    192.168.2.1:3      172.16.1.1:3       172.16.1.1:3

--- 201.100.98.2       192.168.2.1        ---                ---

思考：NAT 发生在路由之前还是之后？

处理被处理使用NAT的命令根据信息包是否去从内部网络外部网络或从外部网络内部网络。内部到外部的转换发生在路由之后，外部到内部的转换发生在路由之前。

也就是内部到外部，先路由后转换。外部到内部，先转换后路由。

 

（2） 外网用户能够通过公网地址 201.100.98.3端口号8080访问内网服务器 192.168.2.1 的www服务。

 

Server(config)#ip http server

R1：

ip nat inside source static tcp 192.168.2.1 80 201.100.98.3 8080

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

--- 201.100.98.1       192.168.1.1        ---                ---

tcp 201.100.98.3:8080  192.168.2.1:80     ---                ---

--- 201.100.98.2       192.168.2.1        ---                ---

VPC2#telnet 201.100.98.3 8080

Trying 201.100.98.3, 8080 ... Open

get

HTTP/1.1 400 Bad Request

Date: Sat, 27 Oct 2018 04:56:23 GMT

Server: cisco-IOS

Accept-Ranges: none

400 Bad Request

[Connection to 201.100.98.3 closed by foreign host]

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

--- 201.100.98.1       192.168.1.1        ---                ---

tcp 201.100.98.3:8080  192.168.2.1:80     172.16.1.1:64618   172.16.1.1:64618

tcp 201.100.98.3:8080  192.168.2.1:80     ---                ---

--- 201.100.98.2       192.168.2.1        ---                ---

 

动态NAT：

将一个内部IP地址转换为一组外部IP地址（地址池）中的一个IP地址

----常用于整个公司公用多个公网IP地址访问Internet时

 

R1：

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 10 permit 192.168.2.0 0.0.0.255

ip nat pool NAT 201.100.98.1 201.100.98.5 netmask 255.255.255.248

ip nat inside source list 10 pool NAT

R1#show ip nat translations   //

Pro Inside global      Inside local       Outside local      Outside global

--- 201.100.98.1       192.168.1.1        ---                ---

tcp 201.100.98.3:8080  192.168.2.1:80     ---                ---

--- 201.100.98.2       192.168.2.1        ---                ---

R1#show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 1 extended)

Peak translations: 15, occurred 02:35:19 ago

Outside interfaces:

  Ethernet0/0

Inside interfaces:

  Ethernet0/1.10, Ethernet0/1.20

Hits: 214  Misses: 0

CEF Translated packets: 214, CEF Punted packets: 0

Expired translations: 61

Dynamic mappings:

-- Inside Source

[Id: 1] access-list 10 pool NAT refcount 0

 pool NAT: netmask 255.255.255.248

        start 201.100.98.1 end 201.100.98.5

        type generic, total addresses 5, allocated 0 (0%), misses 0

Total doors: 0

Appl doors: 0

Normal doors: 0

Queued Packets: 0

R1#

 

 

 

 

 

PAT：

动态NAT的一种特殊形式，利用不同端口号将多个内部IP地址转换为一个外部IP地址，也称为PAT、NAPT或端口复用NAT

----常用于整个公司公用1个公网IP地址访问Internet时

 

复用内部的全局地址

1.将一个内部全局地址用于同时代表多个内部局部地址

2.主要用IP地址和端口号的组合来唯一区分各个内部主机

 

配置NPAT转换中，必须使用overload关键字，这样路由器才会将源端口也进行转换，已达到地址超载的目的。如果不指定overload关键字，路由器将执行动态NAT转换

 

R1：

access-list 10 permit 192.168.1.0 0.0.0.255

 

ip nat inside source list 10 interface Ethernet0/0 overload   

 

R1#show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 1 extended)

Peak translations: 15, occurred 02:46:09 ago

Outside interfaces:

  Ethernet0/0

Inside interfaces:

  Ethernet0/1.10, Ethernet0/1.20

Hits: 234  Misses: 0

CEF Translated packets: 234, CEF Punted packets: 0

Expired translations: 67

Dynamic mappings:

-- Inside Source

[Id: 3] access-list 10 interface Ethernet0/0 refcount 0

Total doors: 0

Appl doors: 0

Normal doors: 0

Queued Packets: 0

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

icmp 201.100.98.1:13578 192.168.1.1:13578 172.16.1.1:13578   172.16.1.1:13578

icmp 201.100.98.1:13834 192.168.1.1:13834 172.16.1.1:13834   172.16.1.1:13834

icmp 201.100.98.1:14090 192.168.1.1:14090 172.16.1.1:14090   172.16.1.1:14090

icmp 201.100.98.1:14346 192.168.1.1:14346 172.16.1.1:14346   172.16.1.1:14346

icmp 201.100.98.1:14602 192.168.1.1:14602 172.16.1.1:14602   172.16.1.1:14602

tcp 201.100.98.3:8080  192.168.2.1:80     ---                ---

 

R1#show ip nat translations verbose

Pro Inside global      Inside local       Outside local      Outside global

icmp 201.100.98.1:22030 192.168.1.1:22030 172.16.1.1:22030   172.16.1.1:22030

    create 00:00:10, use 00:00:10 timeout:60000, left 00:00:49, Map-Id(In): 3,

    flags:

extended, use_count: 0, entry-id: 84, lc_entries: 0

icmp 201.100.98.1:22286 192.168.1.1:22286 172.16.1.1:22286   172.16.1.1:22286

    create 00:00:09, use 00:00:09 timeout:60000, left 00:00:50, Map-Id(In): 3,

flags:

从上面可以看出ICMP转换条目的超时时间默认为1分钟。