Network Address Translation Labs

Table of Contents

1 PAT Configuration Lab

1.1 Lab content

1.2 Principle

1.3 Key commands

2 Configuring a Wireless Router

2.1 Lab content

2.2 Principle

3 Dynamic NAT Configuration Lab

3.1 Lab content

3.2 Principle

3.3 Key commands

4 Static NAT Configuration Lab

4.1 Lab content

4.2 Principle


1 PAT Configuration Lab

1.1 Lab content

The internal network and the public network are interconnected as shown in the topology figure. Terminals in the internal network, which are assigned private IP addresses, must be able to initiate access to the public network, and terminals in the public network must be able to initiate access to the server in the internal network. Router R1 must implement both functions using PAT (Port Address Translation).

1.2 Principle

1 The routers in the public network (router 1 in the figure) have no routing entry for the destination network 192.168.1.0/24; the internal network 192.168.1.0/24 is invisible to the public side.

An internal terminal can therefore only send IP packets to a public-network terminal using the IP address of router R1's outside interface, 192.1.3.1, as the source address.

Likewise, a public-network terminal must use 192.1.3.1 as the destination address of any IP packet it sends to an internal terminal.

To the public network, the single global IP address 192.1.3.1 identifies the whole internal network. To tell the internal terminals apart, the router uses the port number of a TCP/UDP segment, or the identifier field of an ICMP message, as the per-terminal discriminator. Because port numbers and identifiers are only locally significant (two internal hosts may both be using local port 5000), router R1 must assign each internal terminal a globally unique port number or identifier and record an address translation entry of the form <private IP, local port (local identifier), global IP, global port (global identifier)> that ties the global port or identifier back to the internal terminal.

A NAT entry is created only when an internal terminal sends a TCP/UDP segment (or ICMP message) to a public-network terminal, so dynamic PAT can only support sessions initiated from the internal network; an unsolicited packet from outside matches no entry and is dropped. For a public-network terminal to initiate access to the internal server, a static entry must bind global port 80 to the server's private IP address 192.168.1.3 in the router, so that the public terminal reaches the internal server using global IP address 192.1.3.1 and global port 80.
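The following is an added example, not code from the page or a Cisco IOS implementation: a small Python model of the PAT table described above. It shows why two inside hosts that both use local port 5000 still get distinct replies, why an unsolicited packet from outside is dropped, and how the static entry for TCP port 80 punches exactly one hole. The global IP 192.1.3.1, the inside network 192.168.1.0/24 and the static entry come from the page; the public server address 192.1.2.1, the local ports and the global port range starting at 1024 are constructed for the illustration.

```python
"""Model of the PAT behaviour described in 1.2 (added example, not the page's
own code or a Cisco IOS implementation). One global IP (192.1.3.1) is shared
by 192.168.1.0/24; each session gets its own global port; a static entry
binds global TCP port 80 to 192.168.1.3. The port range starting at 1024 and
the public addresses used in demo() are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # TCP/UDP source port, or ICMP identifier
    dst: str
    dport: int   # TCP/UDP destination port, or ICMP identifier


class PatRouter:
    def __init__(self, inside_net, global_ip, first_port=1024):
        self.inside_net = ipaddress.ip_network(inside_net)  # access-list 1
        self.global_ip = global_ip                          # Fa0/1 address
        self.next_port = first_port
        self.static = {}   # (proto, global_port) -> (private_ip, local_port)
        self.reverse = {}  # (proto, global_port) -> (private_ip, local_port), dynamic
        self.forward = {}  # (proto, private_ip, local_port) -> global_port

    def add_static(self, proto, private_ip, local_port, global_port):
        """ip nat inside source static tcp 192.168.1.3 80 192.1.3.1 80"""
        self.static[(proto, global_port)] = (private_ip, local_port)

    def _alloc_port(self, proto):
        """Next global port/identifier not already in use for this protocol."""
        while (proto, self.next_port) in self.reverse or (proto, self.next_port) in self.static:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def inside_to_outside(self, pkt):
        """Packet leaving Fa0/0 toward Fa0/1; creates a dynamic entry on first use."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt   # not matched by access-list 1: routed untranslated
        for (proto, gport), target in self.static.items():
            if (proto, *target) == (pkt.proto, pkt.src, pkt.sport):
                return Packet(pkt.proto, self.global_ip, gport, pkt.dst, pkt.dport)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.forward:
            gport = self._alloc_port(pkt.proto)
            self.forward[key] = gport
            self.reverse[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.global_ip, self.forward[key], pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        """Packet arriving on Fa0/1 for the global IP. Returns None (dropped)
        when neither a static nor a dynamic entry matches: this is why dynamic
        PAT only admits sessions the inside initiated."""
        if pkt.dst != self.global_ip:
            return None
        target = self.static.get((pkt.proto, pkt.dport)) or self.reverse.get((pkt.proto, pkt.dport))
        if target is None:
            return None
        private_ip, local_port = target
        return Packet(pkt.proto, pkt.src, pkt.sport, private_ip, local_port)


def demo():
    """Two inside hosts share local port 5000; replies are demultiplexed by
    global port; an unsolicited packet is dropped unless it hits the static entry."""
    r = PatRouter("192.168.1.0/24", "192.1.3.1")
    r.add_static("tcp", "192.168.1.3", 80, 80)
    a = r.inside_to_outside(Packet("tcp", "192.168.1.1", 5000, "192.1.2.1", 443))
    b = r.inside_to_outside(Packet("tcp", "192.168.1.2", 5000, "192.1.2.1", 443))
    reply_a = r.outside_to_inside(Packet("tcp", "192.1.2.1", 443, "192.1.3.1", a.sport))
    reply_b = r.outside_to_inside(Packet("tcp", "192.1.2.1", 443, "192.1.3.1", b.sport))
    unsolicited = r.outside_to_inside(Packet("tcp", "192.1.2.1", 40000, "192.1.3.1", 2222))
    web = r.outside_to_inside(Packet("tcp", "192.1.2.1", 40000, "192.1.3.1", 80))
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b,
            "unsolicited": unsolicited, "web": web}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

The ordering in outside_to_inside is the practical point: static entries are consulted before the dynamic table, and nothing else is forwarded inward. If the router ever allocated a dynamic global port equal to a static one, inbound packets for that port would be misrouted, which is why _alloc_port skips ports claimed by static entries.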

1.3 Key commands

1 Associate the private address range with the global address

Global configuration mode

access-list 1 permit 192.168.1.0 0.0.0.255 // private IP address range allowed to undergo NAT: 192.168.1.0/24

ip nat inside source list 1 interface FastEthernet 0/1 overload // perform PAT on IP packets whose source address falls in the range matched by access list 1: the global IP address is the address of interface FastEthernet 0/1, the router generates a unique global port number (or identifier) and creates a dynamic address translation entry associating the private IP address and local port with the global IP address and global port. The keyword overload is what makes this PAT rather than one-to-one dynamic NAT.

2 Create a static port-forwarding entry

Global configuration mode

ip nat inside source static tcp 192.168.1.3 80 192.1.3.1 80

Translation entry: 192.168.1.3 (local IP address), 80 (local port number), 192.1.3.1 (global IP address), 80 (global port number). Only TCP port 80 of the server is exposed to the public network; every other port on it remains reachable from outside only for sessions the server initiates itself.

3 Designate the internal (inside) and public (outside) interfaces

Global configuration mode

interface FastEthernet 0/0

ip nat inside // this interface connects to the internal network

exit

interface FastEthernet 0/1

ip nat outside // this interface connects to the external network

exit

2 Configuring a Wireless Router

2.1 Lab content

A small internal network accesses the Internet as shown in the figure. Terminals in the internal network must be able to initiate access to the Internet; Internet terminals must not be able to initiate access to terminals in the internal network; but an Internet terminal running a browser must be able to initiate access to Web server 1 in the internal network.

2.2 Principle

Because the internal terminals are assigned private IP addresses, the wireless router's PAT function must be enabled. With PAT enabled, only sessions initiated by internal terminals toward the Internet are allowed. To let an Internet terminal initiate access to internal Web server 1, the wireless router's port mapping (port forwarding) function must also be enabled, binding global port 80 to the Web server's private IP address 192.168.1.3.

3 Dynamic NAT Configuration Lab

3.1 Lab content

The internal network and the public network are interconnected as shown in the figure. Terminals in the internal network, which are assigned private IP addresses, must be able to initiate access to the public network, and terminals in the public network must be able to initiate access to server 1 in the internal network. Router R1 must implement these functions using dynamic NAT.

3.2 Principle

PAT maps all private IP addresses to a single global IP address, so the global IP address alone cannot uniquely identify an internal terminal; a global port number or global identifier is needed as well. That is why PAT can only be applied to IP packets that carry TCP/UDP segments or ICMP messages.

Dynamic NAT instead maps private IP addresses to a set of global IP addresses, defined as a global IP address pool. The number of addresses in the pool bounds how many internal terminals can access the public network at the same time. The mapping between an internal terminal's private IP address and a pool address is established dynamically when the terminal starts accessing the public network and removed when it finishes; the released global IP address can then be mapped to another internal terminal's private address. Because each entry is a one-to-one address mapping, no port rewriting is involved.
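As an added example (not the page's own code or a Cisco IOS implementation), the Python model below shows the pool behaviour the paragraph describes: thirteen global addresses serve thirteen concurrent internal hosts, the fourteenth is refused until one of them finishes, and a static one-to-one entry stays reachable from outside regardless of pool state. The pool 192.1.1.1-192.1.1.13 and the static entry 192.168.1.3 -> 192.1.1.14 come from the page's key commands; the host addresses used in demo() are constructed.

```python
"""Model of dynamic NAT with a global address pool (3.2) plus one static
entry (3.3). Added example, not the page's own code or a Cisco IOS
implementation. Pool a1 = 192.1.1.1-192.1.1.13 and the static entry
192.168.1.3 -> 192.1.1.14 come from the page; the host addresses in demo()
are constructed."""
import ipaddress


class DynamicNatRouter:
    def __init__(self, inside_net, pool_start, pool_end):
        self.inside_net = ipaddress.ip_network(inside_net)   # access-list 1
        first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.free = [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)]
        self.static = {}    # private_ip -> global_ip (permanent)
        self.dynamic = {}   # private_ip -> global_ip (lives for one session)
        self.reverse = {}   # global_ip -> private_ip, both kinds

    def add_static(self, private_ip, global_ip):
        """ip nat inside source static 192.168.1.3 192.1.1.14"""
        if global_ip in self.free:           # never hand a static address out dynamically
            self.free.remove(global_ip)
        self.static[private_ip] = global_ip
        self.reverse[global_ip] = private_ip

    def translate_out(self, private_ip):
        """Global source address for a packet leaving the inside network, or None
        when the pool is exhausted (the router drops the packet rather than
        forwarding it with its private address)."""
        if ipaddress.ip_address(private_ip) not in self.inside_net:
            return private_ip                  # not matched by the access list
        if private_ip in self.static:
            return self.static[private_ip]
        if private_ip in self.dynamic:
            return self.dynamic[private_ip]
        if not self.free:
            return None
        global_ip = self.free.pop(0)
        self.dynamic[private_ip] = global_ip
        self.reverse[global_ip] = private_ip
        return global_ip

    def translate_in(self, global_ip):
        """Private destination for a packet arriving from outside, or None."""
        return self.reverse.get(global_ip)

    def release(self, private_ip):
        """Session over: remove the dynamic entry and return the address to the pool."""
        global_ip = self.dynamic.pop(private_ip, None)
        if global_ip is not None:
            del self.reverse[global_ip]
            self.free.append(global_ip)
        return global_ip


def demo():
    r = DynamicNatRouter("192.168.1.0/24", "192.1.1.1", "192.1.1.13")
    r.add_static("192.168.1.3", "192.1.1.14")
    hosts = [f"192.168.1.{i}" for i in range(10, 24)]      # 14 hosts, 13 pool addresses
    first_round = [r.translate_out(h) for h in hosts]
    freed = r.release(hosts[0])                            # host .10 finishes its session
    retry = r.translate_out(hosts[-1])                     # host .23 now gets that address
    return {
        "granted": [g for g in first_round if g is not None],
        "refused": first_round[-1],
        "freed": freed,
        "retry": retry,
        "server_inbound": r.translate_in("192.1.1.14"),   # static entry, always present
        "unknown_inbound": r.translate_in("192.1.1.15"),  # no entry: dropped
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The check worth carrying to a real configuration is the one in add_static: the static global address must lie outside the dynamic pool range (here .14 against a pool of .1-.13), otherwise the router can allocate the server's global address to a terminal and inbound traffic for the server lands on the wrong host.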

3.3 Key commands

1 Associate a global IP address pool with a set of private IP addresses

Global configuration mode

access-list 1 permit 192.168.1.0 0.0.0.255 // private IP address range allowed to undergo NAT: 192.168.1.0/24

ip nat pool a1 192.1.1.1 192.1.1.13 netmask 255.255.255.240 // define a global IP address pool: a1 is the pool name, 192.1.1.1 the first address, 192.1.1.13 the last address, and 255.255.255.240 the subnet mask of this group of global IP addresses

ip nat inside source list 1 pool a1 // bind the private IP address range matched by access list 1 to the global IP address pool named a1

The router performs NAT on the matching IP packets: it picks an unallocated global IP address from the pool and creates the address translation entry <original source IP address of the packet, global IP address>. Without the keyword overload this is one-to-one dynamic NAT, not PAT. The inside and outside interfaces are designated exactly as in item 3 of 1.3.

2 Create a static address translation entry

Global configuration mode

ip nat inside source static 192.168.1.3 192.1.1.14 // create the static address translation entry <192.168.1.3, 192.1.1.14>; 192.1.1.14 lies outside the pool range, so it can never be handed out dynamically to another terminal

4 Static NAT Configuration Lab

4.1 Lab content

Two internal networks are interconnected as shown in the figure. Because internal network 1 and internal network 2 assign private IP addresses independently, the two networks may use the same private IP address space. NAT must provide the following:

1 Terminals in internal network 1 can access server 2 in internal network 2

2 Terminals in internal network 2 can access server 1 in internal network 1

4.2 Principle

The private IP address space assigned to one internal network is invisible to terminals in the other internal network, so a terminal in either internal network must use a global IP address to reach a terminal in the other.

Although different internal networks may use the same private IP address space, the global IP addresses that these private addresses are mapped to must be unique.

To let terminals in another network initiate access to a server in an internal network, a mapping must be established between the server's private IP address (192.168.1.3 for server 1) and a global IP address (192.1.2.14); terminals in other networks access server 1 through that global IP address.
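The following added example (not the page's own code or a Cisco IOS implementation) traces one packet and its reply through two static-NAT routers whose inside networks both use 192.168.1.0/24, so that the address 192.168.1.3 exists in both networks yet never appears on the global network. The page gives only the server 1 mapping 192.168.1.3 <-> 192.1.2.14; the other global addresses (192.1.2.1 for terminal 1, and 192.1.1.1 and 192.1.1.14 for internal network 2) are assumptions made for the illustration.

```python
"""Two internal networks that both use 192.168.1.0/24, each behind its own
static-NAT router (4.2). Added example, not the page's own code. The page
gives only the server 1 mapping 192.168.1.3 <-> 192.1.2.14; the remaining
global addresses (192.1.2.1 for terminal 1, 192.1.1.1 and 192.1.1.14 for
internal network 2) are assumptions made for the illustration."""


class StaticNatRouter:
    """Bidirectional 1:1 table: ip nat inside source static <private> <global>."""

    def __init__(self, name, entries):
        self.name = name
        self.out = dict(entries)                          # private -> global
        self.back = {g: p for p, g in entries.items()}    # global -> private
        if len(self.back) != len(self.out):               # the uniqueness rule from 4.2
            raise ValueError(f"{name}: global addresses must be unique")

    def inside_to_outside(self, src, dst):
        """Rewrite the source of a packet leaving through the inside interface."""
        return (self.out.get(src, src), dst)

    def outside_to_inside(self, src, dst):
        """Rewrite the destination of a packet arriving from outside; None
        (dropped) if no entry claims that global address."""
        if dst not in self.back:
            return None
        return (src, self.back[dst])


def trace(src_router, dst_router, src, dst):
    """Follow one packet from a terminal in one internal network to a server
    in the other and bring the reply back; returns (src, dst) as seen at each
    point, with None where the packet is dropped."""
    on_global = src_router.inside_to_outside(src, dst)       # crosses the global network
    delivered = dst_router.outside_to_inside(*on_global)     # enters the far network
    if delivered is None:
        return {"on_global": on_global, "delivered": None, "reply_seen_by_sender": None}
    reply_global = dst_router.inside_to_outside(delivered[1], delivered[0])  # server answers
    reply_inside = src_router.outside_to_inside(*reply_global)
    return {"on_global": on_global, "delivered": delivered,
            "reply_seen_by_sender": reply_inside}


def demo():
    r1 = StaticNatRouter("R1", {"192.168.1.1": "192.1.2.1", "192.168.1.3": "192.1.2.14"})
    r2 = StaticNatRouter("R2", {"192.168.1.1": "192.1.1.1", "192.168.1.3": "192.1.1.14"})
    t1_to_s2 = trace(r1, r2, "192.168.1.1", "192.1.1.14")   # requirement 1 of 4.1
    t2_to_s1 = trace(r2, r1, "192.168.1.1", "192.1.2.14")   # requirement 2 of 4.1
    unmapped = trace(r1, r2, "192.168.1.1", "192.1.1.2")    # no entry at R2: dropped
    return {"t1_to_s2": t1_to_s2, "t2_to_s1": t2_to_s1, "unmapped": unmapped}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that server 2 sees the request as coming from 192.1.2.1, not from 192.168.1.1: a terminal in network 1 that addressed 192.168.1.3 directly would reach server 1 on its own subnet and R1 would never see the packet, which is the concrete meaning of "invisible" in the principle above.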


Origin blog.csdn.net/qq_39112646/article/details/104062130