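Lab title: Network Address Translation (NAT) on Cisco routers
Lab objective: let all internal IP addresses reach the Internet using a small number of public IP addresses
Lab introduction:
With NAT, when a host with a private internal address sends packets to the router, the private address is translated into a legitimate public IP address, so that a large number of internal computers can communicate with the Internet through a small number of public IP addresses. NAT addresses the problem of IP address exhaustion and also improves the security of the internal network.
Lab topology
Lab configuration steps
I. Set the computers' IP addresses
1. Set the IP address of PC1
2. Set the IP address of PC2
3. Set the IP address of PC3
II. Configure the routers
1. Configure R1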
Router#conf t
R1(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip add 192.168.75.30 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#int f1/0
R1(config-if)#ip add 202.96.0.1 255.255.255.248
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0
2. Configure R2
R2#conf t
R2(config)#hostname R2
R2(config)#int f0/0
R2(config-if)#ip add 192.168.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exi
R2(config)#int f1/0
R2(config-if)#ip add 202.96.0.2 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exi
III. Configure static NAT
1. On R1, map PC1 (192.168.75.2) to 202.96.0.1
and PC2 (192.168.75.3) to 202.96.0.3
R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3
2. Ping PC3 from PC1 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms
3. Ping PC3 from PC2 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
4. Check on router R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 202.96.0.1 192.168.75.2 --- ---
--- 202.96.0.3 192.168.75.3 --- ---
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.1:73 192.168.75.2:73 192.168.0.2:73 192.168.0.2:73
icmp 202.96.0.1:74 192.168.75.2:74 192.168.0.2:74 192.168.0.2:74
icmp 202.96.0.1:75 192.168.75.2:75 192.168.0.2:75 192.168.0.2:75
icmp 202.96.0.1:76 192.168.75.2:76 192.168.0.2:76 192.168.0.2:76
icmp 202.96.0.3:45 192.168.75.3:45 192.168.0.2:45 192.168.0.2:45
icmp 202.96.0.3:46 192.168.75.3:46 192.168.0.2:46 192.168.0.2:46
icmp 202.96.0.3:47 192.168.75.3:47 192.168.0.2:47 192.168.0.2:47
icmp 202.96.0.3:48 192.168.75.3:48 192.168.0.2:48 192.168.0.2:48
--- 202.96.0.1 192.168.75.2 --- ---
--- 202.96.0.3 192.168.75.3 --- ---
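Summary
Each internal computer is mapped one-to-one to a public IP address. This method makes specific internal devices reachable from the external network, but its security is poor and it has little practical value.
IV. Configure dynamic NAT
1. Remove the two static IP mappings on router R1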
R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3
2. On router R1, configure an ACL that covers all internal IP addresses
R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255
3. Configure the pool of legitimate public IP addresses
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248
4. Associate the ACL with the IP address pool
R1(config)#ip nat inside source list 1 pool abc
5. Ping PC3 from PC1 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
6. Ping PC3 from PC2 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
7. Check on router R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:81 192.168.75.2:81 192.168.0.2:81 192.168.0.2:81
icmp 202.96.0.5:82 192.168.75.2:82 192.168.0.2:82 192.168.0.2:82
icmp 202.96.0.5:83 192.168.75.2:83 192.168.0.2:83 192.168.0.2:83
icmp 202.96.0.5:84 192.168.75.2:84 192.168.0.2:84 192.168.0.2:84
icmp 202.96.0.4:5 192.168.75.3:5 192.168.0.2:5 192.168.0.2:5
icmp 202.96.0.4:6 192.168.75.3:6 192.168.0.2:6 192.168.0.2:6
icmp 202.96.0.4:7 192.168.75.3:7 192.168.0.2:7 192.168.0.2:7
icmp 202.96.0.4:8 192.168.75.3:8 192.168.0.2:8 192.168.0.2:8
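Summary
The mapping is random, and the maximum number of mappings equals the number of legitimate public IP addresses configured, so in practice this still does not meet everyday needs.
V. Port multiplexing (PAT)
1. Append the keyword overload to the command that associates the ACL with the IP address pool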
R1(config)#ip nat inside source list 1 pool abc overload
2. After pinging PC3 from PC1 and PC2, check on router R1
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:85 192.168.75.2:85 192.168.0.2:85 192.168.0.2:85
icmp 202.96.0.5:86 192.168.75.2:86 192.168.0.2:86 192.168.0.2:86
icmp 202.96.0.5:87 192.168.75.2:87 192.168.0.2:87 192.168.0.2:87
icmp 202.96.0.5:88 192.168.75.2:88 192.168.0.2:88 192.168.0.2:88
icmp 202.96.0.5:10 192.168.75.3:10 192.168.0.2:10 192.168.0.2:10
icmp 202.96.0.5:11 192.168.75.3:11 192.168.0.2:11 192.168.0.2:11
icmp 202.96.0.5:12 192.168.75.3:12 192.168.0.2:12 192.168.0.2:12
icmp 202.96.0.5:9 192.168.75.3:9 192.168.0.2:9 192.168.0.2:9
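Summary
Internal computers accessing the Internet are all mapped to the same legitimate public IP address, so the internal computers share one public IP address to reach the Internet. This is the most practical technique.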
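The three translation tables in sections III to V can be told apart mechanically. The following is an added example, not part of the original lab: it parses `show ip nat translations` output and reports which inside hosts have a fixed one-to-one public mapping and which global addresses are shared by several hosts (overload). The sample text and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the format of `show ip nat translations`:
# PAT rows like those in section V plus one static row like section III.
SAMPLE = """\
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.96.0.5:85 192.168.75.2:85 192.168.0.2:85 192.168.0.2:85
icmp 202.96.0.5:86 192.168.75.2:86 192.168.0.2:86 192.168.0.2:86
icmp 202.96.0.5:10 192.168.75.3:10 192.168.0.2:10 192.168.0.2:10
--- 202.96.0.3 192.168.75.3 --- ---
"""

def parse(text):
    """Return one dict per translation row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # data rows have exactly five columns
            continue
        rows.append({
            "static": parts[0] == "---",              # no protocol: one-to-one entry
            "global": parts[1].partition(":")[0],     # Inside global, port stripped
            "local": parts[2].partition(":")[0],      # Inside local, port stripped
        })
    return rows

def summarize(rows):
    """Report static mappings and any global address shared by several hosts."""
    static = {r["local"]: r["global"] for r in rows if r["static"]}
    users = defaultdict(set)
    for r in rows:
        if not r["static"]:
            users[r["global"]].add(r["local"])
    shared = {g: sorted(h) for g, h in users.items() if len(h) > 1}
    return {
        "static_exposed": static,     # inside hosts reachable via a fixed public IP
        "pat_globals": shared,        # more than one inside host per global IP: overload
        "session_rows": sum(not r["static"] for r in rows),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```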
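Further notes
1. Enterprises often need to map a particular port of a specific internal computer to the public network. How is this set up on a Cisco router?
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable // map port 80 to publish a website
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable // map port 3389 for Remote Desktop connections
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable // map a special port to publish software
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable // map port 22 for remote SSH connections
2. If we have only one public address and it is already assigned to R1's F1/0 interface, how can it be reused, that is, overloaded?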
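R1(config)#ip nat inside source list 10 interface f1/0 overload // No address pool is configured on R1, because there is only one public address; only the address of interface F1/0 is overloaded
Or define a pool that contains only that single address: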
R1(config)#ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248
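3. How is the number of NAT translation entries on a router calculated?
One NAT translation entry takes up 160 bytes of memory, so the number of NAT translations is limited by the router's memory.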
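For the static mappings in item 1 above and in section III, a configuration review should list everything that is published to the outside. The following is an added example, not part of the original lab: it scans `ip nat inside source static` lines and flags whole-host mappings, exposed remote-administration ports, and mappings whose public and inside ports differ. The sample config is constructed from the page's commands; the `ADMIN_PORTS` table and the severity labels are assumptions of this example.

```python
# Constructed sample: the four port mappings from item 1 plus one
# whole-host static mapping from section III.
CONFIG = """\
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable
ip nat inside source static 192.168.75.3 202.96.0.3
"""

# Assumption: ports this audit treats as remote-administration services.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

def audit(config):
    """Return (severity, public, inside, note) for each static NAT line."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        args = tok[5:]
        if len(args) >= 5 and args[0] in ("tcp", "udp"):
            # Port mapping: <proto> <inside ip> <inside port> <public ip> <public port>
            proto, lip, lport = args[0], args[1], int(args[2])
            gip, gport = args[3], int(args[4])
            svc = ADMIN_PORTS.get(gport) or ADMIN_PORTS.get(lport)
            notes = []
            if svc:
                notes.append(f"{svc} port exposed")
            if lport != gport:
                notes.append("public and inside ports differ")
            sev = "high" if svc else ("review" if notes else "info")
            findings.append((sev, f"{gip}:{gport}/{proto}", f"{lip}:{lport}",
                             "; ".join(notes)))
        elif len(args) >= 2:
            # Whole-host mapping: <inside ip> <public ip>, no port restriction
            findings.append(("high", args[1], args[0],
                             "all ports forwarded to this host"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(*finding, sep=" | ")
```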