CCNA-NAT

NAT Network Address Translation 网络地址转换,
作用:用来修改IP 数据包中的源、目标地址
将多个私有地址,转换成一个公有地址(重要)

Private IP Addresses,私有IP地址,不允许出现在互联网上
A类:10.0.0.0 to 10.255.255.255 B类:172.16.0.0 to 172.31.255.255 C类:192.168.0.0 to 192.168.255.255

 

为何使用NAT 技术?
1.节约IP 地址(NAT+VLSM/CIDR)
2.安全考虑,隐藏内部真实IP
3.NAT TCP 负载均衡
4.解决地址冲突问题(公司合并,网络合并)

NAT技术所带来的问题
1.影响路由器的转发性能(修改IP地址、计算校验和等)
2.破坏了IP的端到端特性
3.与很多安全相关协议不兼容(IPSec/VPN的一种等)

 

NAT的分类
1.静态NAT IP一般较多,手工去配置映射很麻烦,所以很少用到
①手工配置NAT映射表
②一对一转换
2.动态NAT 没有那么多公网IP,所以很少用到
①定义地址池,动态创建NAT映射表
②一对一转换
3.PAT(NAT overload)主要
①多对一转换
②通过端口号识别不同数据流

静态NAT和动态NAT都是一对一的转换,可能是私有对公有的转换,也可能是公有对公有,私有对私有的转换,不是用来节约IP地址的,所以基本上不使用。一般所说的NAT转换都是PAT port addresses translation,端口地址转换,多对一转换


NAT 实验配置
1.Configuring and Verifying Static Translation
静态转换时手工配置一对一的转换
①Establishes static translation between and inside local address and an inside global address

Router(config) #ip nat inside source static local-ip global-ip

②Marks the interface as connected to the inside

Router(config-if) #ip net inside

③Marks the interface as connected to the outside

Router(config-if) #ip nat outside

④Displays active translation

Router #show ip nat translations

 

 

扩展:网关的原理就是配置一条到网关的缺省路由,如网关为192.168.1.254

Router(config) #ip route 0.0.0.0 0.0.0.0 192.168.1.254

 

2.Configuring and Verifying Dynamic Translation
①Defines a pool of global addresses to be allocated as needed,创建地址池

Router(config) #ip nat pool name start-ip end-ip {netmask netmask} | prefix-length prefix-length

②Defines a standard IP ACL permitting those inside local addresses that are to be translated,创建一个标准的访问控制列表,来规定哪些地址是可以转换的

Router(config) # access-list access-list-number permit source [source-wildcard]

③Establishes dynamic source translation, specifying the ACL that was defined in the previous step,将前两步结合在一起

Router(config) #ip nat inside source list access-list-number pool name

此处省略两步在端口上分别挂载内部(inside)和外部(outside)
④Displays active translations

Router(config) #show ip nat translation

 

清除之前的静态NAT配置:直接no掉
网上搜的clear ip nat translation * 针对静态不好用,在动态NAT配置中可以使用。
动态NAT 配置中,仅清空配置列表是不行的。还需要把绑定的动态NAT 池给no掉

Route(config) #no ip nat inside source list access-list-number pool pool-name

提示

Dynamic mapping in use, do you want to delete all entries?[no] 

默认是no,此时需要输入yes,按回车,就可以解绑动态NAT 池
关闭动态NAT 池

Router(config) #no ip nat pool iteredu

以上两种方法在生产环境中很少使用,仅测试用

 


3.Configuring Overloading
①Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config) #access-list access-list-number permit source source-wildcard

②Establishes dynamic source translation, specifying the ACL that was defined in the previous step

Router(config) #ip nat inside source list access-list-number interface interface overload

此处省略两步在端口上分别挂载内部(inside)和外部(outside)
③Displays active translation

Router #show ip nat translations

 

Clearing the NAT Translation Table
①Clears all dynamic address translation entries 清除所有动态NAT信息

Router # clear ip nat translation *

②Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation

Router # clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

③Clears a simple dynamic translation entry that contains an outsdie translation

Router #clear ip nat translation outside local-ip global-ip

④Clears an extended dynamic translation entry(PAT entry)

Router #clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

 

查看消息
1.查看数据包信息:
可以放在目标路由器上,用来测试为开通NAT 时,显示的源地址IP

Router #debug ip packet

2.查看NAT服务器转换信息

Router #debug ip nat

 

上一篇:CCNA之OSI参考模型


下一篇:安装不上vc_redist的解决办法