本帖最后由 碧云天 于 2020-2-28 16:12 编辑
一.测试拓扑
测试总结:
1.使用ip nat inside destination只能将外部接口的地址做静态PAT,无法设置其他地址
2.使用route-map方式静态PAT的目标地址可以不是接口地址
3.使用route-map方式有一个缺点,如果用路由器外部接口地址做的NAT,路由器主动向外发起访问,可能会出现问题
---特别是端口范围是高位端口时,R2主动发起访问,源端口正好在端口范围,那么回包的时候,也会被转换
4.如果是用外部接口做静态PAT,还是建议用ip nat inside destination方式
二.基本配置
1.R1路由器
hostname R1
interface f0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
line vty 0 4
password cisco
login
rotary 10
transport input all
2.R2路由器
hostname R2
interface f0/0
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shutdown
interface f1/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
no shutdown
3.R3路由器
hostname R3
interface f1/0
ip address 10.1.1.3 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.2
line vty 0 4
password cisco
login
rotary 10
transport input all
三.Destination方式
1.R1配置地址池:
ip nat pool pool1 10.1.1.3 10.1.1.3 netmask 255.255.255.0 type rotary
2.R1配置ACL:
access-list 101 deny ip host 202.100.1.2 any
access-list 101 permit tcp any any range 23 3010
备注:前面最好增加外部接口地址的deny语句,否则用R2访问外部的时候也会进行了nat转换,比如telnet R1不通
3.R1配置NAT
ip nat inside destination list 101 pool pool1
4.验证
R1#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
R1#telnet 202.100.1.2 3010
Trying 202.100.1.2, 3010 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:04:41
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
四.使用route-map方式
1.配置ACL
access-list 109 permit tcp host 10.1.1.3 range 23 3010 host 202.100.1.2
2.配置route-map ,调用ACL
route-map NAT permit 10
match ip address 109
3.配置nat,调用router-map
ip nat inside source static 10.1.1.3 202.100.1.2 route-map NAT extendable
4.验证
R1#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
R1#telnet 202.100.1.2 3010
Trying 202.100.1.2, 3010 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:04:41
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
5.此时R2无法telnet R1,在R2的F1/0抓包可以看到,回包也被转换了,因为11001在端口范围之内
一.测试拓扑
测试总结:
1.使用ip nat inside destination只能将外部接口的地址做静态PAT,无法设置其他地址
2.使用route-map方式静态PAT的目标地址可以不是接口地址
3.使用route-map方式有一个缺点,如果用路由器外部接口地址做的NAT,路由器主动向外发起访问,可能会出现问题
---特别是端口范围是高位端口时,R2主动发起访问,源端口正好在端口范围,那么回包的时候,也会被转换
4.如果是用外部接口做静态PAT,还是建议用ip nat inside destination方式
二.基本配置
1.R1路由器
hostname R1
interface f0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
line vty 0 4
password cisco
login
rotary 10
transport input all
2.R2路由器
hostname R2
interface f0/0
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shutdown
interface f1/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
no shutdown
3.R3路由器
hostname R3
interface f1/0
ip address 10.1.1.3 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.2
line vty 0 4
password cisco
login
rotary 10
transport input all
三.Destination方式
1.R1配置地址池:
ip nat pool pool1 10.1.1.3 10.1.1.3 netmask 255.255.255.0 type rotary
2.R1配置ACL:
access-list 101 deny ip host 202.100.1.2 any
access-list 101 permit tcp any any range 23 3010
备注:前面最好增加外部接口地址的deny语句,否则用R2访问外部的时候也会进行了nat转换,比如telnet R1不通
3.R1配置NAT
ip nat inside destination list 101 pool pool1
4.验证
R1#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
R1#telnet 202.100.1.2 3010
Trying 202.100.1.2, 3010 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:04:41
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
四.使用route-map方式
1.配置ACL
access-list 109 permit tcp host 10.1.1.3 range 23 3010 host 202.100.1.2
2.配置route-map ,调用ACL
route-map NAT permit 10
match ip address 109
3.配置nat,调用router-map
ip nat inside source static 10.1.1.3 202.100.1.2 route-map NAT extendable
4.验证
R1#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
R1#telnet 202.100.1.2 3010
Trying 202.100.1.2, 3010 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:04:41
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
5.此时R2无法telnet R1,在R2的F1/0抓包可以看到,回包也被转换了,因为11001在端口范围之内
