Technology lies in dedicated study
Category: System operations
2007-02-09 14:21:37
After a large enterprise buys several public IP addresses from its ISP, it places them in separate NAT pools so that different departments are translated through different pools.
STEP1: Basic configuration. Define the inside and outside interfaces.
R1:
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside //marks F0/0 as the NAT inside interface
duplex half
!
interface Serial2/1
ip address 12.0.0.2 255.255.255.0
ip nat outside //marks S2/1 as the NAT outside interface
serial restart-delay 0
STEP2: To simulate two VLAN gateways, R1 needs a secondary address on F0/0.
ip ad 10.0.0.1 255.255.255.0
ip ad 192.168.0.1 255.255.255.0 secondary //192.168.0.1 is the secondary address on the same F0/0 interface; it must match PC5's gateway in STEP3 and access-list 2 in STEP5
STEP3: Set the default gateway for the hosts in each VLAN.
PC4(config)#ip default-gateway 10.0.0.1
PC5(config)#ip default-gateway 192.168.0.1
STEP4: Build an address pool for each VLAN's users from the IP addresses bought from the ISP.
R1(config)#ip nat pool VLAN1 12.0.0.11 12.0.0.21 prefix-length 24 //defines the range of the outside address pool and gives the pool a name
R1(config)#ip nat pool VLAN2 12.0.0.22 12.0.0.31 prefix-length 24 //netmask 255.255.255.0 can be used instead of prefix-length 24
STEP5: Define the inside user groups.
R1(config)#access 1 permit 10.0.0.0 0.0.0.255 //access-list 1: the range of inside addresses to translate for VLAN1
R1(config)#access 2 permit 192.168.0.0 0.0.0.255 //access-list 2: the range of inside addresses to translate for VLAN2
STEP6: Define the translations.
R1(config)#ip nat inside source list 1 pool VLAN1 overload //translate the local addresses matched by list 1 into addresses from pool VLAN1; overload lets many inside hosts share one pool address (PAT)
R1(config)#ip nat inside source list 2 pool VLAN2 overload
Now test from PC4: pinging 23.0.0.2 fails, so we look for the cause.
PC4(config)#do ping 23.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC4(config)#do ping 12.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/94/96 ms
This shows that PC4 can talk to R1 normally. Checking R1's routing table at this point also shows a default route pointing out the S2/1 interface.
R1#sh ip rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
12.0.0.0/24 is subnetted, 1 subnets
C 12.0.0.0 is directly connected, Serial2/1
S* 0.0.0.0/0 is directly connected, Serial2/1
So R1 can route PC4's ping packets out. Now check R2's routing table:
23.0.0.0/24 is subnetted, 1 subnets
C 23.0.0.0 is directly connected, Serial2/2
12.0.0.0/24 is subnetted, 1 subnets
C 12.0.0.0 is directly connected, Serial2/1
R2 has only its directly connected routes (to R1 and to R3); the cause is that no routing protocol is running, so R3 has no route back toward 12.0.0.0/24, the network the translated addresses belong to.
Run RIPv2 on R2 and R3:
R2(config)#router rip
R2(config-router)#ve 2
R2(config-router)#net 12.0.0.0
R2(config-router)#net 23.0.0.0
R3(config)#router rip
R3(config-router)#ve 2
R3(config-router)#net 23.0.0.0
Now enable NAT debugging on R1 (debug ip nat) and look at the output:
R1#
00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [15] //s = source address, d = destination address; the bracketed number is the IP identification field
00:28:43: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [15]
00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [16]
00:28:44: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [16]
00:29:00: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [12]
00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [12]
00:29:01: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [13]
00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [13]
The debug shows the inside addresses of both user groups being translated into distinct outside addresses, each from its own pool (10.0.0.2 -> 12.0.0.12 from VLAN1, 192.168.0.2 -> 12.0.0.22 from VLAN2), and the return packets being translated back.
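As an added illustration (not from the original post), the following Python script parses debug ip nat lines in the format shown above and checks each translation against the pool policy from STEPs 4-6: a 10.0.0.0/24 source must receive a VLAN1 pool address, a 192.168.0.0/24 source a VLAN2 pool address, and every return-direction translation must undo a mapping already seen going out. The sample input is the post's debug output plus one constructed line in which a host is handed an address from the wrong pool, so that a policy violation is visible. The POLICY table, the regular expressions and the function names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the debug ip nat lines from the post, followed by one
# hypothetical line (added for this example) in which a 192.168.0.x host is
# handed an address from the VLAN1 pool instead of the VLAN2 pool.
DEBUG_LINES = """\
00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [15]
00:28:43: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [15]
00:28:43: NAT: s=10.0.0.2->12.0.0.12, d=23.0.0.2 [16]
00:28:44: NAT*: s=23.0.0.2, d=12.0.0.12->10.0.0.2 [16]
00:29:00: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [12]
00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [12]
00:29:01: NAT: s=192.168.0.2->12.0.0.22, d=23.0.0.2 [13]
00:29:01: NAT*: s=23.0.0.2, d=12.0.0.22->192.168.0.2 [13]
00:29:05: NAT: s=192.168.0.3->12.0.0.15, d=23.0.0.2 [14]
"""

# Intended policy from STEPs 4-6: pool name -> (inside network, first, last pool address).
POLICY = {
    "VLAN1": (ipaddress.ip_network("10.0.0.0/24"),
              ipaddress.ip_address("12.0.0.11"), ipaddress.ip_address("12.0.0.21")),
    "VLAN2": (ipaddress.ip_network("192.168.0.0/24"),
              ipaddress.ip_address("12.0.0.22"), ipaddress.ip_address("12.0.0.31")),
}

# Outbound line: the source is rewritten (inside -> global).  Return line: the
# destination is rewritten back (global -> inside).  "NAT*" marks fast-switched
# packets and is treated the same as "NAT".
OUTBOUND = re.compile(r"NAT\*?: s=([\d.]+)->([\d.]+), d=([\d.]+) \[\d+\]")
RETURN = re.compile(r"NAT\*?: s=([\d.]+), d=([\d.]+)->([\d.]+) \[\d+\]")


def expected_pool(inside_ip):
    """Name of the pool that should serve inside_ip, or None if no ACL network matches."""
    addr = ipaddress.ip_address(inside_ip)
    for name, (net, _first, _last) in POLICY.items():
        if addr in net:
            return name
    return None


def check_debug(text):
    """Audit debug ip nat output against POLICY.

    Returns the observed inside->global mapping, translations whose global
    address lies outside the pool the source is entitled to, and return
    translations that do not undo a mapping seen in the outbound direction.
    """
    mapping, violations, orphan_returns = {}, [], []
    for line in text.splitlines():
        if m := OUTBOUND.search(line):
            inside, glob = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            mapping[inside] = glob
            pool = expected_pool(m.group(1))
            if pool is None:
                violations.append((str(inside), str(glob), "no access-list matches source"))
            else:
                _net, first, last = POLICY[pool]
                if not first <= glob <= last:
                    violations.append((str(inside), str(glob), pool))
        elif m := RETURN.search(line):
            glob, inside = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            if mapping.get(inside) != glob:
                orphan_returns.append(line.strip())
    return {
        "mapping": {str(k): str(v) for k, v in mapping.items()},
        "violations": violations,
        "orphan_returns": orphan_returns,
    }


if __name__ == "__main__":
    result = check_debug(DEBUG_LINES)
    for inside, glob in result["mapping"].items():
        print(f"{inside} -> {glob}")
    for inside, glob, pool in result["violations"]:
        print(f"VIOLATION: {inside} translated to {glob}, expected an address from pool {pool}")
    for line in result["orphan_returns"]:
        print(f"ORPHAN RETURN: {line}")
```

Run against the sample, the two hosts from the post are reported as correctly mapped, the constructed last line is reported as a violation (192.168.0.3 received 12.0.0.15, which belongs to VLAN1's range), and no return translation is orphaned. The same check can be run over a captured debug log to confirm that each department only ever appears behind its own block of public addresses.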
R1(config)#do sh run
Building configuration...
Current configuration : 1514 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
no ip proxy-arp
duplex half
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
ip address 12.0.0.2 255.255.255.0
no ip proxy-arp
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip nat pool VLAN1 12.0.0.11 12.0.0.21 prefix-length 24
ip nat pool VLAN2 12.0.0.22 12.0.0.31 prefix-length 24
ip nat inside source list 1 pool VLAN1 overload
ip nat inside source list 2 pool VLAN2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/1
no ip http server
no ip http secure-server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
stopbits 1
line aux 0
stopbits 1
line vty 5 15
!
!
End
The above is R1's configuration. After enabling and disabling proxy-arp, the ping to R3 still failed. When I checked R1's configuration with sh run, I found that I had not defined the inside and outside interfaces when configuring. When doing NAT you must define the inside and outside interfaces; otherwise, after translation, the router does not know which interface the translated addresses should be sent out of, nor on which interface the return packets come back.
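The final lesson, that the translation rules are silently inert when no interface carries ip nat inside/ip nat outside, is easy to check for mechanically. The Python script below is an added example, not from the original post: it parses the NAT-relevant parts of an IOS running configuration (interface addresses and NAT roles, pools, inside source rules, standard access lists) and reports inconsistencies. It is run against the R1 configuration above as posted (without the two interface commands) and against the same text with the STEP1 commands restored. The function names and finding texts are this example's own, and the parser assumes the usual IOS layout in which a "!" line ends an interface block.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of R1's running configuration from
# the post, as it was when the ping still failed (no "ip nat inside"/"outside").
CONFIG_BROKEN = """\
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
!
interface Serial2/1
 ip address 12.0.0.2 255.255.255.0
 no ip proxy-arp
!
ip nat pool VLAN1 12.0.0.11 12.0.0.21 prefix-length 24
ip nat pool VLAN2 12.0.0.22 12.0.0.31 prefix-length 24
ip nat inside source list 1 pool VLAN1 overload
ip nat inside source list 2 pool VLAN2 overload
ip route 0.0.0.0 0.0.0.0 Serial2/1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
"""

# The same configuration with the two interface commands from STEP1 restored.
CONFIG_FIXED = CONFIG_BROKEN.replace(
    " no ip proxy-arp\n!\ninterface Serial2/1",
    " no ip proxy-arp\n ip nat inside\n!\ninterface Serial2/1",
).replace(
    "12.0.0.2 255.255.255.0\n no ip proxy-arp",
    "12.0.0.2 255.255.255.0\n no ip proxy-arp\n ip nat outside",
)


def parse(config):
    """Collect interfaces, NAT pools, inside-source rules and standard ACLs.

    Assumes IOS layout: commands under "interface X" are indented and the block
    ends at the next "!" line.
    """
    ifaces, pools, rules, acls = {}, {}, [], {}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"nets": [], "nat": None})
        elif line == "!":
            cur = None
        elif cur is not None:
            if m := re.match(r"ip address ([\d.]+) ([\d.]+)", line):
                cur["nets"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            elif line in ("ip nat inside", "ip nat outside"):
                cur["nat"] = line.split()[-1]
        elif m := re.match(r"ip nat pool (\S+) ([\d.]+) ([\d.]+) (?:prefix-length|netmask) \S+", line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"ip nat inside source list (\d+) pool (\S+)", line):
            rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\d+) permit ([\d.]+) ([\d.]+)", line):
            # standard ACL with a wildcard (host) mask; ipaddress accepts host masks directly
            acls.setdefault(m.group(1), []).append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return ifaces, pools, rules, acls


def lint_nat_config(config):
    """Return a list of findings; an empty list means the NAT setup is consistent."""
    ifaces, pools, rules, acls = parse(config)
    findings = []
    inside = [i for i in ifaces.values() if i["nat"] == "inside"]
    outside = [i for i in ifaces.values() if i["nat"] == "outside"]
    if not inside or not outside:
        findings.append("no interface is marked 'ip nat inside' and/or 'ip nat outside'; "
                        "the translation rules will never be applied")
    for acl, pool in rules:
        if acl not in acls:
            findings.append(f"rule references access-list {acl}, which is not defined")
        if pool not in pools:
            findings.append(f"rule references pool {pool}, which is not defined")
        # every network a rule translates should sit behind an inside interface
        for net in acls.get(acl, []):
            if inside and not any(net.subnet_of(n) for i in inside for n in i["nets"]):
                findings.append(f"access-list {acl} network {net} is not on any inside interface")
    # pools must not overlap, or two departments would share public addresses
    ranges = sorted((first, last, name) for name, (first, last) in pools.items())
    for (_f1, last1, n1), (first2, _l2, n2) in zip(ranges, ranges[1:]):
        if first2 <= last1:
            findings.append(f"pools {n1} and {n2} overlap")
    # pool addresses should lie in the outside interface's subnet so the ISP
    # router can deliver return traffic to them without extra routes
    for name, (first, last) in pools.items():
        if outside and not any(first in n and last in n for i in outside for n in i["nets"]):
            findings.append(f"pool {name} is not within the outside interface subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_BROKEN), ("with STEP1 commands", CONFIG_FIXED)):
        print(f"{label}: {lint_nat_config(cfg) or ['OK']}")
```

The configuration as posted produces exactly one finding, the missing inside/outside marking, and the corrected text produces none. The overlap and subnet checks go beyond the post's single failure: they catch two other ways a multi-pool design like this one can quietly go wrong, namely pools that share addresses between departments and pool addresses the upstream router has no route to.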