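I. Test topology:
---Reference link:
II. Basic idea:
A. Configuring ip nat inside destination list 101 pool pool1 makes access to a port range on the outside interface reach a port range on the inside host
B. The address in the NAT pool is actually the inside host's address
C. To make testing easier, a small port-mapping tool is started on PC1 that maps multiple ports to TCP port 23 of the directly connected router R2
D. By using a different destination address in the ACL, static PAT can be done for a target address that is not the outside interface address
E. If the PAT address is not the outside interface address, a static PAT entry must also be created; otherwise the router interface will not proxy ARP
III. Configuration steps:
A. Basic configuration: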
①R1:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
---Routing does not need to be configured
②R2:
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shut
interface Ethernet0/1
ip address 10.1.1.2 255.255.255.0
ip nat inside
no shut
③PC1:
B. Static PAT configuration:
①Configure the address pool:
ip nat pool pool1 10.1.1.10 10.1.1.10 netmask 255.255.255.0 type rotary
②Configure the ACL:
access-list 101 permit tcp any any range 100 300
③Configure NAT:
ip nat inside destination list 101 pool pool1
④Verify:
R1#telnet 202.100.1.2 100
Trying 202.100.1.2, 100 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:24:47
*130 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
R2>q
[Connection to 202.100.1.2 closed by foreign host]
R1#telnet 202.100.1.2 101
Trying 202.100.1.2, 101 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:25:36
*130 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
R2>q
[Connection to 202.100.1.2 closed by foreign host]
R1#telnet 202.100.1.2 300
Trying 202.100.1.2, 300 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:25:50
*130 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
R2>q
⑤Modify the ACL:
no access-list 101 permit tcp any any range 100 300
access-list 101 permit tcp any host 202.100.1.3 range 100 300
⑥Add a static PAT entry on R1 and verify:
ip nat inside source static tcp 10.1.1.10 23 202.100.1.3 100
R1#telnet 202.100.1.3 300
Trying 202.100.1.3, 300 ... Open
User Access Verification
Password:
R2>q
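
An added example (not from the original post): a small Python audit that reads the NAT lines configured above from a saved configuration and reports, for each ip nat inside destination rule, the inside host range of its pool, the TCP port range its ACL matches, and whether that ACL still matches any source or any destination. It only understands the pool and ACL forms used on this page; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the NAT-related lines from steps 1-3 above.
SAMPLE_CONFIG = """\
ip nat pool pool1 10.1.1.10 10.1.1.10 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool pool1
access-list 101 permit tcp any any range 100 300
"""

POOL_RE = re.compile(r"ip nat pool (\S+) (\S+) (\S+) netmask \S+ type rotary")
RULE_RE = re.compile(r"ip nat inside destination list (\d+) pool (\S+)")
# Only the ACL shapes shown on this page: any / host X, with a port range.
ACL_RE = re.compile(
    r"access-list (\d+) permit tcp (any|host \S+) (any|host \S+) range (\d+) (\d+)"
)

def audit_destination_nat(config):
    """Return one finding per ACL entry referenced by a destination NAT rule."""
    pools, acls, rules = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (m[2], m[3])            # first and last inside address
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], int(m[4]), int(m[5])))
        elif m := RULE_RE.match(line):
            rules.append((m[1], m[2]))
    findings = []
    # Resolve after the full pass, so line order in the file does not matter.
    for acl_id, pool in rules:
        for src, dst, lo, hi in acls.get(acl_id, []):
            findings.append({
                "acl": acl_id,
                "pool": pool,
                "inside_hosts": pools.get(pool),  # None if the pool is undefined
                "source": src,
                "destination": dst,
                "ports": (lo, hi),
                "port_count": hi - lo + 1,
                "any_source": src == "any",
                "any_destination": dst == "any",
            })
    return findings

if __name__ == "__main__":
    for finding in audit_destination_nat(SAMPLE_CONFIG):
        print(finding)
```

A finding with any_source set means the whole port range is reachable from every outside address, which is the case for both ACL variants shown in the steps above.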