2012-06-22 12:30:40
Original post: Cisco Static NAT Configuration. Author: wfeng520
nat
Step 1: Pre-
Step 2: Define the interface IP addresses on each router
R1#show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Serial2/0 unassigned YES unset administratively down down
Serial2/1 192.168.0.1 YES manual up up
Serial2/2 unassigned YES unset administratively down down
Serial2/3 unassigned YES unset administratively down down
Serial3/0 unassigned YES unset administratively down down
Serial3/1 unassigned YES unset administratively down down
Serial3/2 unassigned YES unset administratively down down
Serial3/3 unassigned YES unset administratively down down
R2#show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Serial2/0 unassigned YES unset administratively down down
Serial2/1 192.168.0.2 YES manual up up
Serial2/2 131.1.1.2 YES manual up up
Serial2/3 unassigned YES unset administratively down down
Serial3/0 unassigned YES unset administratively down down
Serial3/1 unassigned YES unset administratively down down
Serial3/2 unassigned YES unset administratively down down
Serial3/3 unassigned YES unset administratively down down
R3#show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Serial2/0 unassigned YES unset administratively down down
Serial2/1 131.1.1.3 YES manual up up
Serial2/2 unassigned YES unset administratively down down
Serial2/3 unassigned YES unset administratively down down
Serial3/0 unassigned YES unset administratively down down
Serial3/1 unassigned YES unset administratively down down
Serial3/2 unassigned YES unset administratively down down
Serial3/3 unassigned YES unset administratively down down
Step 3: Define the translation on R2
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R2(config)#ip nat pool NAT 131.1.1.5 131.1.1.100 netmask 255.255.255.0
R2(config)#ip nat inside source list 1 pool NAT
R2(config)#end
Ping 131.1.1.3 from R2
R2#ping 131.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.1.3, timeout is 2 seconds:
!!!!!
Step 4: I had forgotten to define the NAT inside and outside interfaces on R2
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int s2/1
R2(config-if)#ip nat inside
R2(config-if)#int s2/2
R2(config-if)#ip nat outside
Step 5: Ping 131.1.1.3 from R1
R1#ping 131.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.1.3, timeout is 2 seconds:
U.U.U
Step 6: Enable debug ip icmp on R2
R2#debug ip icmp
ICMP packet debugging is on
R2#
00:26:57: %SYS-5-CONFIG_I: Configured from console by console
R2#
00:27:02: ICMP: dst (131.1.1.3) host unreachable sent to 192.168.0.1
R2#
00:27:04: ICMP: dst (131.1.1.3) host unreachable sent to 192.168.0.1
R2#
00:27:06: ICMP: dst (131.1.1.3) host unreachable sent to 192.168.0.1
R2#
00:27:25: ICMP: dst (131.1.1.3) host unreachable sent to 192.168.0.1
R2#
00:27:27: ICMP: dst (131.1.1.3) host unreachable sent to 192.168.0.1
R2#
00:27:29: ICMP: dst (131.1.1.3) host unreachable sent to 192.168.0.1
Step 7: Ping from R2
R2#ping
Protocol [ip]:
Target IP address: 131.1.1.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Step 8: With Mr. Zheng's guidance, I found that the interfaces on R2 had all been defined as outside (oops)
After correcting this:
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 131.1.1.5 192.168.0.2 --- ---
--- 131.1.1.6 192.168.0.1 --- ---
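The mistake found in step 8 can also be caught from the configuration text alone, before any ping is sent. The following Python check is an added example, not part of the original post; the sample R2 configuration is constructed, and the function names nat_roles and lint_nat are hypothetical.

```python
import re

# Constructed sample: R2 in the broken state of step 8 (both interfaces "outside").
BROKEN = """\
interface Serial2/1
 ip address 192.168.0.2 255.255.255.0
 ip nat outside
interface Serial2/2
 ip address 131.1.1.2 255.255.255.0
 ip nat outside
ip nat pool NAT 131.1.1.5 131.1.1.100 netmask 255.255.255.0
ip nat inside source list 1 pool NAT
access-list 1 permit 192.168.0.0 0.0.0.255
"""
FIXED = BROKEN.replace("ip nat outside", "ip nat inside", 1)  # Serial2/1 becomes inside

def nat_roles(config):
    """Map each interface name to 'inside', 'outside' or None."""
    roles, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)
        role = re.match(r" +ip nat (inside|outside)\s*$", line)
        if head:
            current = head.group(1)
            roles[current] = None
        elif role and current:
            roles[current] = role.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface block
    return roles

def lint_nat(config):
    """Return findings for a config with 'ip nat inside source list ... pool ...' rules."""
    rules = re.findall(r"^ip nat inside source list (\S+) pool (\S+)", config, re.M)
    if not rules:
        return []
    findings = []
    roles = set(nat_roles(config).values())
    for side in ("inside", "outside"):
        if side not in roles:
            findings.append(f"no interface is marked 'ip nat {side}'")
    pools = set(re.findall(r"^ip nat pool (\S+) ", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    for acl, pool in rules:  # names compared exactly as written (assumption)
        if pool not in pools:
            findings.append(f"rule references undefined pool '{pool}'")
        if acl not in acls:
            findings.append(f"rule references undefined access-list '{acl}'")
    return findings
```
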
Step 9: Ping 131.1.1.3 from R1
R1#ping 131.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/109/196 ms
View the NAT translations on R2
R2#
01:13:02: NAT*: s=192.168.0.1->131.1.1.6, d=131.1.1.3 [65]
01:13:02: NAT*: s=131.1.1.3, d=131.1.1.6->192.168.0.1 [65]
01:13:02: NAT*: s=192.168.0.1->131.1.1.6, d=131.1.1.3 [66]
01:13:02: NAT*: s=131.1.1.3, d=131.1.1.6->192.168.0.1 [66]
01:13:02: NAT*: s=192.168.0.1->131.1.1.6, d=131.1.1.3 [67]
01:13:02: NAT*: s=131.1.1.3, d=131.1.1.6->192.168.0.1 [67]
01:13:02: NAT*: s=192.168.0.1->131.1.1.6, d=131.1.1.3 [68]
01:13:02: NAT*: s=131.1.1.3, d=131.1.1.6->192.168.0.1 [68]
01:13:02: NAT*: s=192.168.0.1->131.1.1.6, d=131.1.1.3 [69]
01:13:02: NAT*: s=131.1.1.3, d=131.1.1.6->192.168.0.1 [69]
Step 10: Extended ping on R2
R2#ping
Protocol [ip]:
Target IP address: 131.1.1.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/46/92 ms
R2#
01:09:42: NAT: s=192.168.0.2->131.1.1.5, d=131.1.1.3 [50]
01:09:42: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.2 [50]
01:09:42: ICMP: echo reply rcvd, src 131.1.1.3, dst 192.168.0.2
01:09:42: NAT: s=192.168.0.2->131.1.1.5, d=131.1.1.3 [51]
01:09:42: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.2 [51]
01:09:42: ICMP: echo reply rcvd, src 131.1.1.3, dst 192.168.0.2
01:09:42: NAT: s=192.168.0.2->131.1.1.5, d=131.1.1.3 [52]
01:09:43: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.2 [52]
01:09:43: ICMP: echo reply rcvd, src 131.1.1.3, dst 192.168.0.2
01:09:43: NAT: s=192.168.0.2->131.1.1.5, d=131.1.1.3 [53]
01:09:43: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.2 [53]
R2#
01:09:43: ICMP: echo reply rcvd, src 131.1.1.3, dst 192.168.0.2
01:09:43: NAT: s=192.168.0.2->131.1.1.5, d=131.1.1.3 [54]
01:09:43: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.2 [54]
01:09:43: ICMP: echo reply rcvd, src 131.1.1.3, dst 192.168.0.2
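The NAT debug lines in steps 9 and 10 carry enough information to rebuild the translation table and check it against the pool defined in step 3. The following Python audit is an added example, not part of the original post; the log sample is constructed in the same line format, and the function name audit is hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of the debug output above; the last line is
# a constructed reply whose destination is rewritten to an unexpected host.
LOG = """\
01:09:42: NAT: s=192.168.0.2->131.1.1.5, d=131.1.1.3 [50]
01:09:42: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.2 [50]
01:13:02: NAT*: s=192.168.0.1->131.1.1.6, d=131.1.1.3 [65]
01:13:02: NAT*: s=131.1.1.3, d=131.1.1.6->192.168.0.1 [65]
01:13:03: NAT*: s=131.1.1.3, d=131.1.1.5->192.168.0.9 [66]
"""
POOL = (ip_address("131.1.1.5"), ip_address("131.1.1.100"))  # range from step 3

LINE = re.compile(r"NAT\*?: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[\d+\]")

def audit(log, pool=POOL):
    """Rebuild the global->local table from debug lines; return (table, problems)."""
    table, problems = {}, []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, src_x, dst, dst_x = m.groups()
        if src_x:    # inside -> outside: source rewritten local -> global
            local, glob = src, src_x
        elif dst_x:  # outside -> inside: destination rewritten global -> local
            local, glob = dst_x, dst
        else:
            continue
        if not pool[0] <= ip_address(glob) <= pool[1]:
            problems.append(f"{glob} is outside the configured pool")
        if table.setdefault(glob, local) != local:
            problems.append(f"{glob} maps to both {table[glob]} and {local}")
    return table, problems
```

The rebuilt table for the first four sample lines matches the two entries shown by show ip nat translations in step 8.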