1. Adds latency from the address translation step.
2. Loses end-to-end traceability of the source IP.
3. Causes communication failures for some applications.
Types of NAT and when to use each
1. Static NAT
A fixed one-to-one mapping from Local to Global.
2. Dynamic NAT
A group of inside Local IPs is mapped dynamically and non-deterministically to a group of outside Global IPs; as many Global IPs are needed as there are Local IPs, and if the Global IPs run short, some hosts will be left with no address to use.
3. Overloading NAT, also called PAT (Port Address Translation)
Many Local IPs map to a single Global IP plus different port numbers, letting multiple hosts share one Public IP to reach the Internet.
<Static NAT>
Before translation
Packet Tracer PC Command Line 1.0
PC>telnet 10.1.1.254
Trying 10.1.1.254 ...Open
Router-2>sh users
Line User Host(s) Idle Location
* 67 vty 0 idle 00:00:00 192.168.1.1
Interface User Mode Idle Peer Address
Configuration
Router-1(config)#ip nat inside source static 192.168.1.1 10.1.1.1
Router-1(config)#ip nat inside source static 192.168.1.2 10.1.1.2
Router-1(config)#ip nat inside source static 192.168.1.3 10.1.1.3
Router-1(config)#int fa0/0
Router-1(config-if)#ip nat inside
Router-1(config-if)#int fa0/1
Router-1(config-if)#ip nat outside
After translation
PC>telnet 10.1.1.254
Trying 10.1.1.254 ...Open
Router-2>sh users
Line User Host(s) Idle Location
67 vty 0 idle 00:06:33 192.168.1.1
* 68 vty 1 idle 00:00:00 10.1.1.1
Interface User Mode Idle Peer Address
<Dynamic NAT>
Inside Local 192.168.1.1~254
Inside Global 10.1.1.1~3
1. Declare the range of outside IPs by defining a pool: ip nat pool + name + start IP + end IP + netmask.
2. Declare the range of inside IPs with an ACL: access-list + number + permit + inside IP range (using a wildcard mask).
3. Bind the ACL to the pool: ip nat inside source list + (ACL number) + pool + (pool name).
4. Finally declare the Inside and Outside interfaces: ip nat inside, ip nat outside.
Configuration
Router-1(config)#ip nat pool lobo 10.1.1.1 10.1.1.3 netmask 255.255.255.0
Router-1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 (wildcard mask)
Router-1(config)#ip nat inside source list ?
interface Specify interface for global address
pool Name pool of global addresses
Router-1(config)#ip nat inside source list 1 pool lobo
Router-1(config)#int fa0/0
Router-1(config-if)#ip nat inside
Router-1(config-if)#int fa0/1
Router-1(config-if)#ip nat outside
Router-1#sh run
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router rip
network 10.0.0.0
network 192.168.1.0
!
ip nat pool lobo 10.1.1.1 10.1.1.3 netmask 255.255.255.0
ip nat inside source list 1 pool lobo
ip classless
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
Result (three PCs telnet to Router-2)
Router-2#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
67 vty 0 idle 00:00:29 10.1.1.1
68 vty 1 idle 00:00:18 10.1.1.2
69 vty 2 idle 00:00:08 10.1.1.3
Router-1#sh ip nat statistics
Total translations: 3 (0 static, 3 dynamic, 3 extended)
Outside Interfaces: FastEthernet0/1
Inside Interfaces: FastEthernet0/0
Hits: 33 Misses: 49
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool lobo refCount 3
pool lobo: netmask 255.255.255.0
start 10.1.1.1 end 10.1.1.3
type generic, total addresses 3 , allocated 3 (100%), misses 0
Router-1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.1.1.1:1025 192.168.1.1:1025 10.1.1.254:23 10.1.1.254:23
tcp 10.1.1.2:1025 192.168.1.2:1025 10.1.1.254:23 10.1.1.254:23
tcp 10.1.1.3:1025 192.168.1.3:1025 10.1.1.254:23 10.1.1.254:23
<PAT (NAT Overload)>
Inside Local 192.168.1.1~254
Inside Global 10.1.1.1
Same as dynamic NAT, except the pool is reduced to a single IP and the NAT translation statement gets the keyword overload appended.
Configuration
Router-1(config)#ip nat pool robert 10.1.1.1 10.1.1.1 netmask 255.255.255.0
Router-1(config)#access-list 2 permit 192.168.1.0 0.0.0.255
Router-1(config)#ip nat inside source list 2 pool robert overload
Router-1(config)#int fa0/0
Router-1(config-if)#ip nat inside
Router-1(config-if)#int fa0/1
Router-1(config-if)#ip nat outside
Router-1#sh run
Building configuration...
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router rip
network 10.0.0.0
network 192.168.1.0
!
ip nat pool robert 10.1.1.1 10.1.1.1 netmask 255.255.255.0
ip nat inside source list 2 pool robert overload
ip classless
!
!
access-list 2 permit 192.168.1.0 0.0.0.255
!
Router-1#sh ip nat statistics
Total translations: 3 (0 static, 3 dynamic, 3 extended)
Outside Interfaces: FastEthernet0/1
Inside Interfaces: FastEthernet0/0
Hits: 29 Misses: 12
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 2 pool robert refCount 3
pool robert: netmask 255.255.255.0
start 10.1.1.1 end 10.1.1.1
type generic, total addresses 1 , allocated 1 (100%), misses 0
Router-1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.1.1.1:1025 192.168.1.1:1025 10.1.1.254:23 10.1.1.254:23
tcp 10.1.1.1:1024 192.168.1.2:1025 10.1.1.254:23 10.1.1.254:23
tcp 10.1.1.1:1026 192.168.1.3:1025 10.1.1.254:23 10.1.1.254:23
Router-2#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
67 vty 0 idle 00:00:35 10.1.1.1
68 vty 1 idle 00:00:25 10.1.1.1
69 vty 2 idle 00:00:10 10.1.1.1
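The Router-2 output above shows the traceability problem from the disadvantages list: all three sessions appear to come from 10.1.1.1, and only Router-1's translation table (the inside global port) tells the hosts apart. The following Python script is an added example, not part of the original post or any Cisco tool: it parses the `show ip nat translations` and `show ip nat statistics` output reproduced on this page (the sample strings are copied from the page's own output and labelled as constructed input) to resolve an outside-observed address back to the inside host, and to flag a dynamic-NAT pool that is fully allocated, which is the "no address left" case described for dynamic NAT. Function names and the dict layout are this example's own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the PAT translation table as Router-1 printed it on
# this page (`show ip nat translations`, overload configuration).
PAT_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
tcp 10.1.1.1:1025 192.168.1.1:1025 10.1.1.254:23 10.1.1.254:23
tcp 10.1.1.1:1024 192.168.1.2:1025 10.1.1.254:23 10.1.1.254:23
tcp 10.1.1.1:1026 192.168.1.3:1025 10.1.1.254:23 10.1.1.254:23
"""

# Constructed sample input: the pool section of `show ip nat statistics` for the
# dynamic-NAT pool "lobo" on this page (three addresses, all allocated).
NAT_STATISTICS = """\
Dynamic mappings:
-- Inside Source
access-list 1 pool lobo refCount 3
 pool lobo: netmask 255.255.255.0
        start 10.1.1.1 end 10.1.1.3
        type generic, total addresses 3 , allocated 3 (100%), misses 0
"""

Endpoint = Tuple[str, Optional[int]]


def split_endpoint(field: str) -> Endpoint:
    """'10.1.1.1:1025' -> ('10.1.1.1', 1025); a bare address (static entry) -> (addr, None)."""
    if ":" in field:
        host, port = field.rsplit(":", 1)
        return host, int(port)
    return field, None


def parse_translations(text: str) -> List[Dict[str, object]]:
    """Parse `show ip nat translations` into one dict per translation row."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # skip the header and any blank or odd lines
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,  # static rows print '---'
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return rows


def resolve_inside_local(rows: List[Dict[str, object]], global_ip: str,
                         global_port: Optional[int] = None) -> List[str]:
    """Map an address seen on the outside back to the inside host(s) behind it.

    With PAT the inside global IP alone matches every host sharing it, so the
    port (plus the time the translation was active) is what makes the
    attribution unique.
    """
    matches = set()
    for row in rows:
        ip, port = row["inside_global"]  # type: ignore[misc]
        if ip != global_ip:
            continue
        if global_port is not None and port != global_port:
            continue
        matches.add(row["inside_local"][0])  # type: ignore[index]
    return sorted(matches)


POOL_RE = re.compile(r"pool (\S+): netmask")
USAGE_RE = re.compile(
    r"total addresses\s+(\d+)\s*,\s*allocated\s+(\d+)\s*\((\d+)%\)\s*,\s*misses\s+(\d+)")


def parse_pool_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Extract per-pool address usage from `show ip nat statistics`."""
    pools: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = POOL_RE.search(line)
        if m:
            current = m.group(1)
            pools[current] = {}
            continue
        m = USAGE_RE.search(line)
        if m and current is not None:
            total, allocated, percent, misses = (int(g) for g in m.groups())
            pools[current].update(total=total, allocated=allocated,
                                  percent=percent, misses=misses)
    return pools


def pool_exhausted(stats: Dict[str, int]) -> bool:
    """True when every pool address is in use (or misses were already counted):
    the next inside host will get no translation and cannot reach the outside."""
    return stats["allocated"] >= stats["total"] or stats["misses"] > 0


if __name__ == "__main__":
    rows = parse_translations(PAT_TRANSLATIONS)
    print("10.1.1.1 alone ->", resolve_inside_local(rows, "10.1.1.1"))
    print("10.1.1.1:1024  ->", resolve_inside_local(rows, "10.1.1.1", 1024))
    for name, s in parse_pool_stats(NAT_STATISTICS).items():
        print(f"pool {name}: {s['allocated']}/{s['total']} allocated, exhausted={pool_exhausted(s)}")
```

Run against a real device's output, the same two functions answer the two operational questions this page raises: which inside host was behind a given global address and port at a given time, and whether the dynamic pool has run out so that further hosts silently lose connectivity.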
debug ip nat
Router-1#no debug ip nat
IP NAT debugging is off
Router-1#debug ip nat
IP NAT debugging is on
Router-1#
NAT: s=192.168.1.1->10.1.1.1, d=10.1.1.254 [197]
NAT*: s=10.1.1.254, d=10.1.1.1->192.168.1.1 [213]
NAT: expiring 10.1.1.1 (192.168.1.1) icmp 128 (128)