Enterprise NAT (SNAT) translation: case analysis and configuration
1. Requirements
As shown in the figure, there are province-, city- and county-level routers. The county router has routes to the city and province routers, but the city and province routers have no route information back to the county. Packets sent from the county therefore reach the city or province router, but the replies cannot find a path back and are dropped. The requirement is that the county router R1 can reach the city and province routers through NAT, while the city and province routers cannot reach the county router.
Configuration approach:
Because the city and province routers have no route to the county, packets sent from the county have no return path to the 1.0 network. Configuring dynamic NAT on R1 rewrites the source address of outgoing packets from the 192.168.1.0 network to the address of interface s0/0, 192.168.4.1; the returning packets are then addressed to 4.1, for which a route does exist. In this way the outgoing packets get their replies back.
Lab environment: Cisco 3620
2. Topology diagram
3. Configuration steps
R1
Router>en
Router#config t
Router(config)#line con 0
Router(config-line)#logg sync //synchronous logging
Router(config-line)#no exec-timeout //disable the console timeout
Router(config-line)#exit
Router(config)#hostname R1
R1(config)#int ser 0/0 //interface to the city router
R1(config-if)#ip add 192.168.4.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int ser 0/1 //interface to the province router
R1(config-if)#ip add 192.168.5.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int ser 0/2 //interface to the internal Ethernet
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ex
R1(config)#ip access-list extended 101 //extended ACL 101: defines which traffic is translated
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 //allow the internal 1.0 network to reach the city Ethernet
R1(config-ext-nacl)#ex
R1(config)#access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 //extended ACL 102: traffic from 1.0 to the province Ethernet 3.0 is translated
R1(config)#ip nat pool pool1 192.168.4.1 192.168.4.1 netmask 255.255.255.0 //address pool pool1, containing the IP of interface s0/0 towards the city router
R1(config)#ip nat pool pool2 192.168.5.1 192.168.5.1 netmask 255.255.255.0 //address pool pool2, containing the IP of interface s0/1 towards the province router
R1(config)#int ser 0/0 //outside interface
R1(config-if)#ip nat outside
R1(config-if)#int ser 0/1 //outside interface
R1(config-if)#ip nat outside
R1(config-if)#int ser 0/2 //inside interface
R1(config-if)#ip nat inside
R1(config-if)#ex
R1(config)#ip nat inside source list 101 pool pool1 overload //map ACL 101 to pool1
R1(config)#ip nat inside source list 102 pool pool2 overload //map ACL 102 to pool2
R1(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.2 //route to the city Ethernet
R1(config)#ip route 192.168.3.0 255.255.255.0 192.168.5.2 //route to the province Ethernet
R1(config)#end
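The two `ip nat inside source list ... pool ... overload` statements on R1 can be modelled to show which outside address each flow is translated to, how the reply is mapped back, and why an unsolicited packet from the city or province side finds no translation entry (in the lab it would in any case have no route to 192.168.1.0). This is an added example, not part of the original post; the `Flow` record, the port allocator starting at 1024 and the sample flows are constructed simplifications, not IOS behaviour.

```python
import ipaddress
from collections import namedtuple

# Constructed flow record: addresses plus ports (for ICMP, read the ports as echo identifiers).
Flow = namedtuple("Flow", "src dst sport dport")

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a wildcard bit set to 1 means 'don't care' for that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

class NatRouter:
    """Models R1's 'ip nat inside source list <acl> pool <pool> overload' statements."""
    def __init__(self, rules):
        # rules: [(acl_entry, pool_address)], acl_entry = (src_net, src_wild, dst_net, dst_wild)
        self.rules = rules
        self.next_port = {pool: 1024 for _, pool in rules}  # simplified PAT port allocator (assumption)
        self.out_table = {}  # (inside_local, sport, outside, oport) -> (inside_global, gport)
        self.in_table = {}   # (inside_global, gport, outside, oport) -> (inside_local, sport)

    def outbound(self, flow):
        """Inside -> outside: rewrite the source if an ACL matches, otherwise forward untouched."""
        for (snet, swild, dnet, dwild), pool in self.rules:
            if wildcard_match(flow.src, snet, swild) and wildcard_match(flow.dst, dnet, dwild):
                key = (flow.src, flow.sport, flow.dst, flow.dport)
                if key not in self.out_table:  # first packet of the flow creates the entry
                    gport = self.next_port[pool]
                    self.next_port[pool] += 1
                    self.out_table[key] = (pool, gport)
                    self.in_table[(pool, gport, flow.dst, flow.dport)] = (flow.src, flow.sport)
                glob, gport = self.out_table[key]
                return Flow(glob, flow.dst, gport, flow.dport)
        return flow  # no ACL match: the packet leaves with its private 192.168.1.x source

    def inbound(self, flow):
        """Outside -> inside: only packets that hit an existing entry are translated back."""
        hit = self.in_table.get((flow.dst, flow.dport, flow.src, flow.sport))
        if hit is None:
            return None  # no translation state, so an unsolicited packet has no inside target
        local, lport = hit
        return Flow(flow.src, local, flow.sport, lport)

# R1's two rules from the configuration above (ACL 101 -> pool1, ACL 102 -> pool2)
R1 = NatRouter([
    (("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"), "192.168.4.1"),
    (("192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"), "192.168.5.1"),
])
```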
R2
Router#config t
Router(config)#line con 0
Router(config-line)#logg sy
Router(config-line)#no exec-timeout
Router(config-line)#exit
Router(config)#host R2
R2(config)#int s0/0 //interface to the county router
R2(config-if)#ip add 192.168.4.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int ser 0/1 //interface to the internal Ethernet
R2(config-if)#ip add 192.168.2.1 255.255.255.0
R2(config-if)#no shut
R3
Router#config t
Router(config)#line con 0
Router(config-line)#logg sy
Router(config-line)#no exec-timeout
Router(config-line)#exit
Router(config)#host R3
R3(config)#int ser 0/1 //interface to the county router
R3(config-if)#ip add 192.168.5.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#int ser 0/0 //interface to the internal Ethernet
R3(config-if)#ip add 192.168.3.1 255.255.255.0
R3(config-if)#no shut
R4
Router#config t
Router(config)#line con 0
Router(config-line)#logg sy
Router(config-line)#no exec-timeout
Router(config-line)#exit
Router(config)#host R4
R4(config)#int ser 0/2
R4(config-if)#ip add 192.168.1.100 255.255.255.0
R4(config-if)#no shut
R4(config-if)#ex
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 //default route, gateway 192.168.1.1
R4(config)#end
R5
Router>en
Router#config t
Router(config)#line con 0
Router(config-line)#logg sy
Router(config-line)#no exec-timeout
Router(config-line)#exit
Router(config)#host R5
R5(config)#int ser 0/1
R5(config-if)#ip add 192.168.2.100 255.255.255.0
R5(config-if)#no shut
R5(config-if)#ex
R5(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1 //default route, gateway 192.168.2.1
R5(config)#end
R6
Router>en
Router#config t
Router(config)#line con 0
Router(config-line)#logg sy
Router(config-line)#no exec-timeout
Router(config-line)#exit
Router(config)#hostname R6
R6(config)#int ser 0/0
R6(config-if)#ip add 192.168.3.100 255.255.255.0
R6(config-if)#no shut
R6(config-if)#ex
R6(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1 //default route, gateway 192.168.3.1
4. Testing
R1
//R1's configuration
R1#show running-config
Building configuration...
Current configuration : 1098 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
ip subnet-zero
!
!
!
!
!
!
interface Serial0/0
ip address 192.168.4.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.5.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial0/2
ip address 192.168.1.1 255.255.255.0
ip nat inside
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
ip nat pool pool1 192.168.4.1 192.168.4.1 netmask 255.255.255.0
ip nat pool pool2 192.168.5.1 192.168.5.1 netmask 255.255.255.0
ip nat inside source list 101 pool pool1 overload
ip nat inside source list 102 pool pool2 overload
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.5.2
ip http server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, Serial0/0
C 192.168.5.0/24 is directly connected, Serial0/1
C 192.168.1.0/24 is directly connected, Serial0/2
S 192.168.2.0/24 [1/0] via 192.168.4.2 //route to the 2.0 network
S 192.168.3.0/24 [1/0] via 192.168.5.2 //route to the 3.0 network
R1#
R2
R2#show run
Building configuration...
Current configuration : 576 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
ip subnet-zero
!
!
!
!
!
!
interface Serial0/0
ip address 192.168.4.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.2.1 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip http server
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R2#show ip rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, Serial0/0
C 192.168.2.0/24 is directly connected, Serial0/1
R2#
R3
R3#show run
Building configuration...
Current configuration : 576 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
!
ip subnet-zero
!
!
!
!
!
!
interface Serial0/0
ip address 192.168.3.1 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.5.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip http server
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R3#show ip rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.5.0/24 is directly connected, Serial0/1
C 192.168.3.0/24 is directly connected, Serial0/0
R3#
R4
R4#ping 192.168.2.100 //the county host can ping the city host
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/116/140 ms
R4#ping 192.168.3.100 //the county host can ping the province host
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/91/108 ms
R5
R5#ping 192.168.1.100 //the city host cannot ping the county host
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R5#show ip rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
C 192.168.2.0/24 is directly connected, Serial0/1
S* 0.0.0.0/0 [1/0] via 192.168.2.1
R5#
R6
R6#ping 192.168.1.100 //the province host cannot ping the county host
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R6#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
C 192.168.3.0/24 is directly connected, Serial0/0
S* 0.0.0.0/0 [1/0] via 192.168.3.1
Reposted from: https://blog.51cto.com/jialiang10086/958182