21.1. 配置基本NAT功能
提問 在路由器上啟用基本的NAT功能
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface FastEthernet0/0 overload
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注釋 例子中的配置實現了對地址段192.168.0.0/16訪問外部網絡重寫為172.16.1.5的功能,基本的地址翻譯功能
21.2. 動態分配外部地址
提問 從某個特定的地址池來動態分配地址
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注釋 ip nat inside source list 15 pool NATPOOL 定義了翻譯出去的地址池,假如地址池可以地址用完新的翻譯將不成功,假如加上了overload參數將會從第一個地址開始翻譯進行復用。另外這里的地址池并不一定要和outside端口的地址在同一網段,只要有相應的路由就可以
21.3. 靜態分配外部地址
提問 翻譯某些特定的內部地址為特定的外部地址
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注釋 靜態地址翻譯
21.4. 地址靜態和動態翻譯結合
提問 靜態和動態地址翻譯相結合
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注釋 這里的控制列表把所要靜態內部地址排除了,當然這一步也不是必須的,因為靜態翻譯的優先級要高于動態翻譯的,不過靜態翻譯的外部地址必須要從動態翻譯的地址池中排除。
21.5. 使用Route Maps來進行翻譯規則控制
提問 使用Route Maps來進行更好的靜態地址翻譯
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 172.16.2.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
Router(config)#end
Router#
注釋 適用于多個outside端口的情況
21.6. 同時兩個方向地址翻譯
提問 同時對內部地址和外部地址進行翻譯
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#access-list 16 deny 172.16.5.25
Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#ip nat inside source list 16 pool INBOUNDNAT overload
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5
Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注釋 暫無
21.7. 網絡前綴重寫
提問 簡單的改變某個網絡段的前綴
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias
Router(config)#ip route 172.16.0.0 255.255.0.0 Ethernet1/0
Router(config)#ip route 172.17.0.0 255.255.0.0 Ethernet1/0
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.6 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注釋 適用于兩個網絡互訪而地址段沖突的情況
21.8. 使用NAT來進行服務器負荷分擔
提問 多個服務器使用同一IP地址從而實現應用的負荷分擔
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary
Router(config)#access-list 20 permit host 192.168.1.100
Router(config)#ip nat inside destination list 20 pool WEBSERVERS
Router(config)#end
Router#
注釋 這里不同點在于使用了rotary的參數和使用了destination而不是source在翻譯規則中,當然這種是窮人的負載均衡解決方案
21.9. 基于狀態的NAT切換
提問 在高可用性網絡中部署NAT,這樣一臺設備壞掉的情況下另一臺可以切換起到NAT作用
回答
RouterA
Router-A#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#access-list 11 permit any
Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-A(config)#interface FastEthernet0/0
Router-A(config-if)#ip address 192.168.1.3 255.255.255.0
Router-A(config-if)#ip nat inside
Router-A(config-if)#standby 1 ip 192.168.1.1
Router-A(config-if)#standby 1 PReempt
Router-A(config-if)#standby 1 name SNATGROUP
Router-A(config-if)#exit
Router-A(config)#interface Serial0/0
Router-A(config-if)#ip address 172.17.55.2 255.255.255.252
Router-A(config-if)#ip nat outside
Router-A(config-if)#exit
Router-A(config)#ip nat Stateful id 1
Router-A(config-ipnat-snat)#redundancy SNATGROUP
Router(config-ipnat-snat-red)#mapping-id 1
Router(config-ipnat-snat-red)#exit
Router-A(config)#end
Router-A#
RouterB
Router-B#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-B(config)#access-list 11 permit any
Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-B(config)#interface FastEthernet0/0
Router-B(config-if)#ip address 192.168.1.2 255.255.255.0
Router-B(config-if)#ip nat inside
Router-B(config-if)#standby 1 ip 192.168.1.1
Router-B(config-if)#standby 1 priority 90
Router-B(config-if)#standby 1 preempt
Router-B(config-if)#standby 1 name SNATGROUP
Router-B(config-if)#exit
Router-B(config)#interface Serial0/0
Router-B(config-if)#ip address 172.17.55.6 255.255.255.252
Router-B(config-if)#ip nat outside
Router-B(config-if)#exit
Router-B(config)#ip nat Stateful id 1
Router-B(config-ipnat-snat)#redundancy SNATGROUP
Router(config-ipnat-snat-red)#mapping-id 1
Router(config-ipnat-snat-red)#exit
Router-B(config)#end
Router-B#
注釋 雖然說通過使用HSRP可以解決可用性的問題,但是不能同步NAT翻譯表,從12.2(13)T以后思科引入了基于狀態的NAT(SNAT),這樣可以保持兩臺設備的翻譯表同步,其要害命令為ip nat Stateful 要注重的是這里的Stateful是大寫開頭的,這里是區分大小寫的。另外SNAT只和HSRP連用,不能跟VRRP或者GLBP一起作用。同時也可以使用多組HSRP的形式來保持負載均衡。
21.10. 調整NAT 時長
提問 調整NAT翻譯表中條目的時長
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation tcp-timeout 500
Router(config)#ip nat translation udp-timeout 30
Router(config)#ip nat translation dns-timeout 30
Router(config)#ip nat translation icmp-timeout 30
Router(config)#ip nat translation finrst-timeout 30
Router(config)#ip nat translation syn-timeout 30
Router(config)#end
Router#
也可以限制翻譯表的最大條目數
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation max-entries 1000
Router(config)#end
Router#
注釋 缺省TCP為24小時,UDP為5分鐘,DNS為1分鐘
21.11. 修改FTP的TCP端口
提問 FTP服務器使用非正常端口
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 19 permit 192.168.55.5
Router(config)#ip nat service list 19 ftp tcp port 8021
Router(config)#ip nat service list 19 ftp tcp port 21
Router(config)#end
Router#
注釋 在12.2(4)T后思科引入了no-payload要害詞來防止對數據包載荷的地址信息進行修改
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload
Router(config)#end
Router#
21.12. 檢查NAT狀態
提問 查看當前NAT信息
回答
Router#show ip nat translation
Router#clear ip nat translation *
Router#clear ip nat translation inside 172.18.3.2
Router#clear ip nat translation outside 192.168.1.10
Router#show ip nat statistics
Router#clear ip nat statistics
注釋 Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
"Inside global" 為內部設備翻譯的地址"Inside local"為內部設備的真實地址"Outside local" 為外部設備翻譯的地址"Outside global" 為外部設備的真實地址,global addresses在outside, local addresses 在 inside.
<!--[if !supportLists]-->21.13. <!--[endif]-->NAT排錯
提問 對NAT進行排錯
回答
Router#debug ip nat
Router#debug ip nat detailed
Router#debug ip nat 15
Router#debug ip nat 15 detailed
注釋 無
新聞熱點
疑難解答
