2010-07-14 14:40:12

NAT translation for different departments
Posted by 心跳男人 on 2007.02.09 14:21
After a large enterprise buys several public IP addresses from its ISP, it can place them in separate NAT pools so that different departments are translated to different public addresses.

STEP 1: Base configuration. Define the inside and outside interfaces.

R1:
  interface FastEthernet0/0
   ip address 192.168.0.1 255.255.255.0 secondary
   ip address 10.0.0.1 255.255.255.0
   ip nat inside          // F0/0 is defined as the inside interface
   duplex half
  !
  interface Serial2/1
   ip address 12.0.0.2 255.255.255.0
   ip nat outside         // S2/1 is defined as the outside interface
   serial restart-delay 0

STEP 2: To simulate the gateways of two VLANs, R1 needs a secondary address on F0/0.

  ip address 10.0.0.1 255.255.255.0
  ip address 192.168.0.1 255.255.255.0 secondary   // 192.168.0.1 is the secondary address, also under F0/0

STEP 3: Set the default gateway for the hosts in each VLAN.

  PC4(config)#ip default-gateway 10.0.0.1
  PC5(config)#ip default-gateway 192.168.0.1

STEP 4: Build address pools from the addresses bought from the ISP, one for each VLAN's users.

  R1(config)#ip nat pool VLAN1 12.0.0.11 12.0.0.21 prefix-length 24   // define the range of the public address pool and give the pool a name
  R1(config)#ip nat pool VLAN2 12.0.0.22 12.0.0.31 prefix-length 24   // netmask 255.255.255.0 can be used instead of prefix-length 24

STEP 5: Define the inside user groups.

  R1(config)#access-list 1 permit 10.0.0.0 0.0.0.255      // inside address range matched by access list 1
  R1(config)#access-list 2 permit 192.168.0.0 0.0.0.255   // inside address range to be translated, matched by access list 2

STEP 6: Define the translations.

  R1(config)#ip nat inside source list 1 pool VLAN1 overload   // translate the local addresses of user group 1 to addresses from the defined public pool
  R1(config)#ip nat inside source list 2 pool VLAN2 overload

Now test from PC4 by pinging 23.0.0.2. The ping fails, so we look for the cause.

  PC4(config)#do ping 23.0.0.2
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 23.0.0.2, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)

  PC4(config)#do ping 12.0.0.2
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 92/94/96 ms

This shows that PC4 can communicate with R1 normally. Checking R1's routing table at this point also shows a default route pointing at interface S2/1.
  R1#sh ip rou
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route

  Gateway of last resort is 0.0.0.0 to network 0.0.0.0

       10.0.0.0/24 is subnetted, 1 subnets
  C       10.0.0.0 is directly connected, FastEthernet0/0
  C    192.168.0.0/24 is directly connected, FastEthernet0/0
       12.0.0.0/24 is subnetted, 1 subnets
  C       12.0.0.0 is directly connected, Serial2/1
  S*   0.0.0.0/0 is directly connected, Serial2/1

So R1 can route PC4's ping packets out. Now check R2's routing table.

       23.0.0.0/24 is subnetted, 1 subnets
  C       23.0.0.0 is directly connected, Serial2/2
       12.0.0.0/24 is subnetted, 1 subnets
  C       12.0.0.0 is directly connected, Serial2/1

R2 only has its directly connected route to R3; it turns out no routing protocol is running. Run RIPv2 on R2 and R3:

  R2(config)#router rip
  R2(config-router)#version 2
  R2(config-router)#network 12.0.0.0
  R2(config-router)#network 23.0.0.0

  R3(config)#router rip
  R3(config-router)#version 2
  R3(config-router)#network 23.0.0.0

Now look at the NAT debug output on R1:

  R1#
  00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [15]   // s = source address, d = destination address
  00:28:43: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [15]
  00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [16]
  00:28:44: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [16]
  00:29:00: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [12]
  00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [12]
  00:29:01: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [13]
  00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [13]

Here the debug shows the different inside addresses each being successfully translated to a different public address.

  R1(config)#do sh run
  Building configuration...

  Current configuration : 1514 bytes
  !
  version 12.1
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname R1
  !
  !
  ip subnet-zero
  ip cef
  !
  !
  no ip domain-lookup
  !
  ip audit notify log
  ip audit po max-events 100
  ip ssh time-out 120
  ip ssh authentication-retries 3
  !
  interface FastEthernet0/0
   ip address 192.168.0.1 255.255.255.0 secondary
   ip address 10.0.0.1 255.255.255.0
   no ip proxy-arp
   duplex half
  !
  interface Serial2/0
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial2/1
   ip address 12.0.0.2 255.255.255.0
   no ip proxy-arp
  !
  interface Serial2/2
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial2/3
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial3/0
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial3/1
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial3/2
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial3/3
   no ip address
   shutdown
   serial restart-delay 0
  !
  ip nat pool VLAN1 12.0.0.11 12.0.0.21 prefix-length 24
  ip nat pool VLAN2 12.0.0.22 12.0.0.31 prefix-length 24
  ip nat inside source list 1 pool VLAN1 overload
  ip nat inside source list 2 pool VLAN2 overload
  ip classless
  ip route 0.0.0.0 0.0.0.0 Serial2/1
  no ip http server
  no ip http secure-server
  !
  access-list 1 permit 10.0.0.0 0.0.0.255
  access-list 2 permit 192.168.0.0 0.0.0.255
  !
  line con 0
   exec-timeout 0 0
   password cisco
   logging synchronous
   login
   stopbits 1
  line aux 0
   stopbits 1
  line vty 5 15
  !
  !
  End

The above is R1's configuration. After turning proxy-arp off and back on, R3 still could not be pinged. Looking at R1's configuration with sh run revealed that the inside and outside interfaces had never been defined during configuration (neither F0/0 nor S2/1 carries ip nat inside or ip nat outside). When doing NAT, the inside and outside interfaces must be defined; otherwise the router does not know which interface the translated addresses should be sent out of, nor which interface the return packets come back on.
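As an added example (not from the original post or its author), the following Python script performs the two checks this post needed offline: it parses a constructed excerpt of the R1 running config shown above to find addressed interfaces that carry neither "ip nat inside" nor "ip nat outside" (the root cause found at the end), and it checks every outbound "debug ip nat" translation against the pool bound to the access list that matches the inside source, so a translation landing in another department's pool is flagged. The config excerpt and the first four debug lines are taken from the post; the fifth debug line is constructed to show a mis-pooled translation being detected. The function names and the reduced config are assumptions for this example.

```python
import ipaddress
import re

# Constructed excerpt of the R1 running config shown in the post, reduced to the
# NAT-relevant lines. Neither interface carries "ip nat inside" or
# "ip nat outside", which is the fault the post eventually finds.
R1_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
!
interface Serial2/1
 ip address 12.0.0.2 255.255.255.0
!
ip nat pool VLAN1 12.0.0.11 12.0.0.21 prefix-length 24
ip nat pool VLAN2 12.0.0.22 12.0.0.31 prefix-length 24
ip nat inside source list 1 pool VLAN1 overload
ip nat inside source list 2 pool VLAN2 overload
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
"""

# "debug ip nat" lines: the first four are from the post, the last one is a
# constructed translation that lands in the wrong pool, to show the check firing.
DEBUG_LINES = """\
00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [15]
00:28:43: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [15]
00:29:00: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [12]
00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [12]
00:29:05: NAT: s=10.0.0.3->12.0.0.25, d=23.0.0.2 [20]
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) ([\d.]+) ([\d.]+)")
BIND_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ([\d.]+) ([\d.]+)")
OUTBOUND_RE = re.compile(r"NAT: s=([\d.]+)->([\d.]+), d=([\d.]+)")


def wildcard_to_prefixlen(wildcard):
    """Convert a contiguous IOS wildcard mask (0.0.0.255) to a prefix length (24)."""
    bits = int(ipaddress.ip_address(wildcard))
    if bits & (bits + 1):  # not of the form 2^n - 1, so not a contiguous wildcard
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - bits.bit_length()


def parse_config(text):
    """Extract NAT pools, ACL->pool bindings, ACL networks, per-interface NAT
    roles and the set of interfaces that carry an IP address."""
    pools, bindings, acls, roles, addressed = {}, {}, {}, {}, set()
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
            roles[iface] = None          # no NAT role seen yet
            continue
        if line == "!":
            iface = None                 # end of the interface stanza
            continue
        if iface and line.startswith("ip address "):
            addressed.add(iface)
        elif iface and line in ("ip nat inside", "ip nat outside"):
            roles[iface] = line.split()[-1]
        m = POOL_RE.match(line)
        if m:
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        m = BIND_RE.match(line)
        if m:
            bindings[m[1]] = m[2]
        m = ACL_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m[2]}/{wildcard_to_prefixlen(m[3])}")
            acls.setdefault(m[1], []).append(net)
    return pools, bindings, acls, roles, addressed


def missing_nat_roles(roles, addressed):
    """Addressed interfaces with neither 'ip nat inside' nor 'ip nat outside':
    NAT never binds to such an interface, which is the post's root cause."""
    return sorted(i for i in addressed if roles.get(i) is None)


def check_translations(debug_text, pools, bindings, acls):
    """For each outbound translation, find the ACL matching the inside source and
    verify the translated address lies within the pool bound to that ACL."""
    results = []
    for line in debug_text.splitlines():
        m = OUTBOUND_RE.search(line)
        if not m:
            continue  # NAT* lines are the return direction of the same flows
        inside = ipaddress.ip_address(m[1])
        translated = ipaddress.ip_address(m[2])
        acl = next((a for a, nets in acls.items()
                    if any(inside in n for n in nets)), None)
        pool = bindings.get(acl)
        ok = pool in pools and pools[pool][0] <= translated <= pools[pool][1]
        results.append((str(inside), str(translated), pool, ok))
    return results


if __name__ == "__main__":
    pools, bindings, acls, roles, addressed = parse_config(R1_CONFIG)
    for iface in missing_nat_roles(roles, addressed):
        print(f"{iface}: no ip nat inside/outside, NAT will not run on it")
    for inside, translated, pool, ok in check_translations(DEBUG_LINES, pools, bindings, acls):
        print(f"{inside} -> {translated} via {pool}: {'OK' if ok else 'OUTSIDE POOL'}")
```

Run against the excerpt, the first check reports both FastEthernet0/0 and Serial2/1, which is exactly what the author had to spot by eye in sh run; the second check passes the two translations from the post and flags the constructed 10.0.0.3 -> 12.0.0.25 line because 12.0.0.25 belongs to VLAN2's pool while 10.0.0.3 is matched by access list 1.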