分类: 系统运维
2008-05-24 23:47:26
Router(config-if)#ip address 172.16.1.6 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
注释 适用于两个网络互访而地址段冲突的情况
21.8. 使用NAT来进行服务器负荷分担
提问 多个服务器使用同一IP地址从而实现应用的负荷分担
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary
Router(config)#access-list 20 permit host 192.168.1.100
Router(config)#ip nat inside destination list 20 pool WEBSERVERS
Router(config)#end
Router#
注释 这里不同点在于使用了rotary的参数和使用了destination而不是source在翻译规则中,当然这种是穷人的负载均衡解决方案
21.9. 基于状态的NAT切换
提问 在高可用性网络中部署NAT,这样一台设备坏掉的情况下另一台可以切换起到NAT作用
回答
RouterA
Router-A#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#access-list 11 permit any
Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-A(config)#interface FastEthernet0/0
Router-A(config-if)#ip address 192.168.1.3 255.255.255.0
Router-A(config-if)#ip nat inside
Router-A(config-if)#standby 1 ip 192.168.1.1
Router-A(config-if)#standby 1 preempt
Router-A(config-if)#standby 1 name SNATGROUP
Router-A(config-if)#exit
Router-A(config)#interface Serial0/0
Router-A(config-if)#ip address 172.17.55.2 255.255.255.252
Router-A(config-if)#ip nat outside
Router-A(config-if)#exit
Router-A(config)#ip nat Stateful id 1
Router-A(config-ipnat-snat)#redundancy SNATGROUP
Router(config-ipnat-snat-red)#mapping-id 1
Router(config-ipnat-snat-red)#exit
Router-A(config)#end
Router-A#
RouterB
Router-B#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-B(config)#access-list 11 permit any
Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-B(config)#interface FastEthernet0/0
Router-B(config-if)#ip address 192.168.1.2 255.255.255.0
Router-B(config-if)#ip nat inside
Router-B(config-if)#standby 1 ip 192.168.1.1
Router-B(config-if)#standby 1 priority 90
Router-B(config-if)#standby 1 preempt
Router-B(config-if)#standby 1 name SNATGROUP
Router-B(config-if)#exit
Router-B(config)#interface Serial0/0
Router-B(config-if)#ip address 172.17.55.6 255.255.255.252
Router-B(config-if)#ip nat outside
Router-B(config-if)#exit
Router-B(config)#ip nat Stateful id 1
Router-B(config-ipnat-snat)#redundancy SNATGROUP
Router(config-ipnat-snat-red)#mapping-id 1
Router(config-ipnat-snat-red)#exit
Router-B(config)#end
Router-B#
注释 虽然说通过使用HSRP可以解决可用性的问题,但是不能同步NAT翻译表,从12.2(13)T以后思科引入了基于状态的NAT(SNAT),这样可以保持两台设备的翻译表同步,其关键命令为ip nat Stateful 要注意的是这里的Stateful是大写开头的,这里是区分大小写的。另外SNAT只和HSRP连用,不能跟VRRP或者GLBP一起作用。同时也可以使用多组HSRP的形式来保持负载均衡。
21.10. 调整NAT 时长
提问 调整NAT翻译表中条目的时长
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation tcp-timeout 500
Router(config)#ip nat translation udp-timeout 30
Router(config)#ip nat translation dns-timeout 30
Router(config)#ip nat translation icmp-timeout 30
Router(config)#ip nat translation finrst-timeout 30
Router(config)#ip nat translation syn-timeout 30
Router(config)#end
Router#
也可以限制翻译表的最大条目数
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation max-entries 1000
Router(config)#end
Router#
注释 缺省TCP为24小时,UDP为5分钟,DNS为1分钟
21.11. 修改FTP的TCP端口
提问 FTP服务器使用非正常端口
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 19 permit 192.168.55.5
Router(config)#ip nat service list 19 ftp tcp port 8021
Router(config)#ip nat service list 19 ftp tcp port 21
Router(config)#end
Router#
注释 在12.2(4)T后思科引入了no-payload关键词来防止对数据包载荷的地址信息进行修改
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload
Router(config)#end
Router#
21.12. 检查NAT状态
提问 查看当前NAT信息
回答
Router#show ip nat translation
Router#clear ip nat translation *
Router#clear ip nat translation inside 172.18.3.2
Router#clear ip nat translation outside 192.168.1.10
Router#show ip nat statistics
Router#clear ip nat statistics
注释 Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
"Inside global" 为内部设备翻译的地址"Inside local"为内部设备的真实地址"Outside local" 为外部设备翻译的地址"Outside global" 为外部设备的真实地址,global addresses在outside, local addresses 在 inside.
21.13. NAT排错
提问 对NAT进行排错
回答
Router#debug ip nat
Router#debug ip nat detailed
Router#debug ip nat 15
Router#debug ip nat 15 detailed
注释 无
