[Original] Using PBR to send different subnets out different ISPs, with mutual backup (an imperfect solution)

The previous experiment did not fully succeed: the default routes sometimes caused the route-maps to match in the wrong order. Details: http://www.mycisco.cn/post/150.html

This experiment uses PBR to choose the exit interface precisely. Idea:
when a route-map's `set interface` lists several interfaces, PBR uses the first one that is up, so each subnet's route-map deliberately lists the two ISP interfaces in a different order.

Configuration:
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 ip policy route-map isp1-nextif
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.2.4 255.255.255.0
 ip nat inside
 ip policy route-map isp2-nextif
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 no shu
 ip nat outside
 serial restart-delay 0
!
interface Serial1/1
 ip address 20.0.0.1 255.255.255.0
 no shu
 ip nat outside
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp1-2 pool isp2 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip nat inside source route-map toisp2-1 pool isp1 overload

! Note: testing showed that NAT with address pools does not work properly here.
! After I shut down S1/0 (the interface to ISP1), the 192.168.1.0/24 subnet should
! leave through the ISP2 interface, and debugging confirmed that it did.
! But at that point the NAT table only allowed 192.168.1.0/24 to be translated to
! the ISP2 address; packets from 192.168.2.0/24 failed NAT and were dropped.
! Changing the NAT statements from an address pool to the outgoing interface
! (the `interface ... overload` form) removes the problem, so do not use address
! pools here; translate to the interface address instead.


ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
! These two default routes could now be omitted for transit traffic, since PBR takes precedence over the routing table. Keep them for packets the router generates itself (for example extended pings sourced from the router): those are not policy-routed unless `ip local policy route-map` is applied, so they still follow these routes.

ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
 match ip address 100
 match interface Serial1/0
!
route-map toisp2 permit 10
 match ip address 101
 match interface Serial1/1
!
route-map toisp1-2 permit 10
 match ip address 100
 match interface Serial1/1
!
route-map toisp2-1 permit 10
 match ip address 101
 match interface Serial1/0
!
route-map isp2-nextif permit 10
 match ip address 101
 set interface s1/0 s1/1

!
route-map isp1-nextif permit 10
 match ip address 100
 set interface s1/1 s1/0
! Relies on PBR using the first interface in the `set interface` list that is up.
! Check the order against what you intend: as written, isp1-nextif lists s1/1 before s1/0, so while both links are up 192.168.1.0/24 leaves through s1/1 (ISP2) and 192.168.2.0/24 through s1/0 (ISP1). If each subnet's primary ISP is the one in its route-map name, swap the two interfaces in each `set interface` line.
! Note also that `set interface` only reacts to the interface's line-protocol state: an ISP link that stays up/up but no longer forwards traffic will not trigger the fallback.

!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

No other problems were found in testing. If you find any, please leave a comment. Thanks.
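As an added configuration example (not from the original post, and not tested in the author's lab), this is how the two PBR route-maps above can be made to fail over on upstream reachability rather than only on interface state, using IP SLA probes and object tracking. The next hops 10.0.0.3 and 20.0.0.5 are taken from the default routes above; the assumption is an IOS release with the `ip sla` and `track` commands (12.4(4)T or later), with the older syntax noted in the comments.

```cisco
! Added example, not part of the original post. Assumes IOS 12.4(4)T or later
! for "ip sla" and "track ... ip sla"; on 12.3/early 12.4 the equivalents are
! "ip sla monitor N" / "type echo protocol ipIcmpEcho ..." and
! "track N rtr N reachability". Next hops are the ISP routers from the
! default routes on r4.
!
! Probe each ISP next hop through its own link. A serial interface stays
! up/up when the ISP router forwards nothing, so "set interface" would never
! fall back; a failed probe takes the track object down instead.
ip sla 1
 icmp-echo 10.0.0.3 source-interface Serial1/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 20.0.0.5 source-interface Serial1/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
! 192.168.1.0/24: ISP1 first, ISP2 as backup. The sequence numbers (10, 20)
! give the preference order; a next hop whose track object is down is skipped,
! and if both are down the packet falls through to normal routing.
route-map isp1-nextif permit 10
 match ip address 100
 set ip next-hop verify-availability 10.0.0.3 10 track 1
 set ip next-hop verify-availability 20.0.0.5 20 track 2
!
! 192.168.2.0/24: ISP2 first, ISP1 as backup.
route-map isp2-nextif permit 10
 match ip address 101
 set ip next-hop verify-availability 20.0.0.5 10 track 2
 set ip next-hop verify-availability 10.0.0.3 20 track 1
!
interface Ethernet0/0
 ip policy route-map isp1-nextif
interface Ethernet0/1
 ip policy route-map isp2-nextif
```

Verify with `show track`, `show ip sla statistics` and `show route-map isp1-nextif` (the policy match counters), and watch a switch-over with `debug ip policy` while the far-side ISP router is shut down or the probe is filtered. The route-maps only act on transit traffic entering Ethernet0/0 and Ethernet0/1; pings sourced from r4 itself follow the routing table unless `ip local policy route-map` is applied as well. The NAT statements above are unchanged by this, and should stay in the interface-address form the post settled on.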


[Original] Using route-map order to send different subnets out different ISPs, with mutual backup; the problem came from a question on the 91lab forum

The question was asked by a member of the 91LAB forum, so I built this experiment. Please credit http://www.mycisco.cn when reposting. Thanks.

This experiment has a problem: the two static routes cannot effectively control path selection, and that static-route problem is exactly what sometimes makes the route-maps match differently from what I expected. Read it as a troubleshooting exercise; if the cause and the underlying mechanism can be pinned down, the time spent was not wasted.

A solution is at http://www.mycisco.cn/post/152.html,
but it is easier to follow after reading this flawed experiment first.

 

r4#sh run
Building configuration…

Current configuration : 1639 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.2.4 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 shutdown
 serial restart-delay 0
!        
interface Serial1/1
 ip address 20.0.0.1 255.255.255.0
 ip nat outside
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
 match ip address 100
 match interface Serial1/0
!
route-map toisp2 permit 10
 match ip address 101
 match interface Serial1/1
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
end
============ The above is the original configuration. From: http://www.mycisco.cn 纳米 ========
Goal: 192.168.1.0/24 leaves via ISP1 and is translated to 10.0.0.1;
192.168.2.0/24 leaves via ISP2 and is translated to 20.0.0.1.
But there is a problem: once S1/0 or S1/1 goes down, NAT fails, because the packets no longer satisfy the route-map conditions (each route-map also matches on its ISP interface). See the test:
(S1/0 shut down)
r4#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.4
.....
Success rate is 0 percent (0/5)

r4#sh ip nat translations shows nothing: no translation took place.
=======
So the above does not give "one ISP interface fails, the other takes over".
I therefore tried this: give each subnet a second route-map that still matches the original ACL but matches the other ISP-facing interface, so that if one interface is down the other route-map still matches.
First test the 192.168.1.0/24 subnet; configuration below:
r4#sh run
Building configuration…

Current configuration : 1639 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.2.4 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 shutdown
 serial restart-delay 0
!        
interface Serial1/1
 ip address 20.0.0.1 255.255.255.0
 ip nat outside
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp1-2 pool isp2 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
 match ip address 100
 match interface Serial1/0
!
route-map toisp2 permit 10
 match ip address 101
 match interface Serial1/1
!
route-map toisp1-2 permit 10
 match ip address 100
 match interface Serial1/1

!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
end   
=====
Look at the test result; S1/0 is still shut down:
r4#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.4
.....
Success rate is 0 percent (0/5)
r4#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.0.0.1:14       192.168.1.4:14     10.10.10.10:14     10.10.10.10:14
Note why the ping above fails: NAT is now using the ISP2 pool, i.e. the address of S1/1, and in my lab the router on the far side of S1/1 does not have the address 10.10.10.10.
The NAT table above proves that a translation did happen, and through the other interface. By the same method, add the backup for 192.168.2.0/24 and test; configuration and test below:
r4#sh run
Building configuration…

Current configuration : 1768 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.2.4 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 serial restart-delay 0
!
interface Serial1/1
 ip address 20.0.0.1 255.255.255.0
 ip nat outside
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp1-2 pool isp2 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip nat inside source route-map toisp2-1 pool isp1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
 match ip address 100
 match interface Serial1/0
!
route-map toisp2 permit 10
 match ip address 101
 match interface Serial1/1
!
route-map toisp1-2 permit 10
 match ip address 100
 match interface Serial1/1
!
route-map toisp2-1 permit 10
 match ip address 101
 match interface Serial1/0

!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
end

r4#ping
Protocol [ip]:
Target IP address: 20.20.20.20
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/36 ms
r4#
r4#sh ip nat
r4#sh ip nat trans
r4#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.0.0.1:16       192.168.2.4:16     20.20.20.20:16     20.20.20.20:16
=====
This shows that while S1/1 is up, the normal translation is used and the backup ISP is not touched.

r4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r4(config)#int s1/1    ! shut down S1/1 to test the failover
r4(config-if)#shu
r4(config-if)#end
r4#ping
Protocol [ip]:
01:33:28: %SYS-5-CONFIG_I: Configured from console by console

01:33:29: %LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
01:33:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down

Target IP address: 20.20.20.20
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.4
.....
Success rate is 0 percent (0/5)
r4#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.0.0.1:17       192.168.2.4:17     20.20.20.20:17     20.20.20.20:17
====
See: with S1/1 shut down, traffic that used to leave via the ISP2-facing interface is now translated to the address of S1/0, the ISP1-facing interface. The ping failure is expected, for the same reason as before: in this lab the router on the ISP1 side does not have the address 20.20.20.20.

Digging deeper: the configuration above looks fine, but it really works only because of the order of the four route-maps. When a Cisco router does NAT with route-maps it checks the route-maps first; the first route-map whose conditions all match decides which NAT statement is used. That is why this configuration sends each subnet out its own ISP while both interfaces are up and switches to the other ISP as soon as one interface goes down.

For proof that Cisco routers really evaluate the route-map first and then the ACL referenced by it, see the experiment at this address.
Also: that proof was done on a Cisco 2500 running a non-enterprise 12.3 IOS; this time I used a Dynamips 3620 with a non-enterprise 12.2 IOS. Both experiments confirmed the route-map --> ACL order, but they differed slightly: on the 2500 the route-maps were sorted alphabetically by name, whereas on the 3620, as you can see, they appear in the order I configured them (I checked; they really follow configuration order).
Watch out for this in practice: if the order differs, 192.168.1.0/24, which is supposed to use ISP1, may always end up on ISP2 because the ISP2 (backup) route-map sits first.

(Added later: very frustrating, I will not go into detail. Please try it on different IOS versions: edit the configuration above, paste it in, and check how the route-maps are ordered. In my tests the positions of ISP1-2 and ISP2-1 can be swapped, but I could never get ISP1-2 to the top; after pasting, a show brings it back to the normal order above. Baffling; please test and leave your results here. Thanks!)

There are surely other, better ways to meet this requirement. I keep feeling this configuration is not very efficient (and may even contain mistakes I have not spotted), so please leave comments here with other approaches and we can learn together.
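The ordering dependence described above disappears if the NAT route-maps are keyed only on the egress interface rather than on subnet plus interface: with `match interface` alone, at most one route-map can match a given packet, so it does not matter which one the IOS lists first. The following is an added example written for this post, not the author's configuration; it keeps r4's addresses, ACLs and interface names and uses the `interface ... overload` form of NAT that the follow-up post at http://www.mycisco.cn/post/152.html found necessary. Which ISP a subnet uses is then decided by routing or PBR, not by NAT: with only the two equal default routes from the original configuration, packets from either subnet may leave through either interface, so pinning a subnet to an ISP still needs PBR.

```cisco
! Added example, not from the original post. Same r4 addressing as above.
! One NAT rule per ISP-facing interface; the route-map matches only the
! interface the packet is leaving on, so the two route-maps are mutually
! exclusive and their order in the configuration is irrelevant.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
! Both inside subnets are allowed through either ISP; "match ip address 100 101"
! matches a packet permitted by either ACL. "match interface" then restricts
! the rule to packets routed out of that interface.
route-map nat-isp1 permit 10
 match ip address 100 101
 match interface Serial1/0
!
route-map nat-isp2 permit 10
 match ip address 100 101
 match interface Serial1/1
!
! Translate to the address of the egress interface rather than to a pool, so
! the inside-global address always belongs to the link the packet actually uses.
ip nat inside source route-map nat-isp1 interface Serial1/0 overload
ip nat inside source route-map nat-isp2 interface Serial1/1 overload
!
interface Ethernet0/0
 ip nat inside
interface Ethernet0/1
 ip nat inside
interface Serial1/0
 ip nat outside
interface Serial1/1
 ip nat outside
!
! Expected behaviour, following the tests in this post:
!   S1/0 and S1/1 up: a 192.168.1.4 packet routed out S1/0 -> inside global 10.0.0.1
!                     a 192.168.2.4 packet routed out S1/1 -> inside global 20.0.0.1
!   S1/0 shut:        every packet now leaves S1/1 and matches nat-isp2 only, so
!                     both subnets translate to 20.0.0.1; nothing is dropped for
!                     want of a matching NAT rule.
```

One caveat when a link comes back: entries already in `show ip nat translations` keep their old inside-global address until they time out, so flows that are now routed out the restored interface can still carry the other ISP's address. `clear ip nat translation *` forces the switch back.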

Attachment: 巧用route-map顺序实现不同网段走不同ISP,且互备实验.pdf


[Original] Understanding the NAT terms and their translation relationships

NAT uses four terms: inside local, inside global, outside local, outside global. Unless you study them carefully they are genuinely confusing, but once understood they are not hard.

Inside local | Inside global | Outside local | Outside global
(In the original figure, terms of the same color lie on the same plane: inside local and outside local on the local plane, inside global and outside global on the global plane.)

The IP addresses these four terms describe can be understood like this:
inside local and outside global are the real source/destination addresses of the communication;
inside global and outside local are intermediate values in the NAT process.

Inside global is how inside local appears on the global plane (the outside network): inside global stands for inside local in the outside network.
Outside local is how outside global appears on the local plane (the inside network): outside local stands for outside global in the inside network.

The figure referenced here (my own drawing, made while I was working out these relationships, and not reproduced in this text) shows the relationship more directly. In it I introduce two terms: the local plane and the global plane.

Only addresses on the same plane can exchange data directly.

So how does inside local (SA) communicate with outside global (DA)?
First, for data to flow, both ends must be on the same plane, and at the moment they are not. Since the direction is inside local --> outside global, the packet is brought onto the global plane: inside local is translated to inside global, which represents inside local there. Inside global and outside global are on the same plane, so they can communicate.

Likewise, for outside global (SA) to reach inside local (DA), the direction is outside global --> inside local, so the packet is brought onto the local plane: outside global is translated to outside local, and outside local then communicates with inside local.

The router's behaviour can be summarized like this:

For traffic from inside local to outside global: the packet's source is inside local and its destination is outside local. After passing the router's inside interface, the source is replaced with inside global and the destination with outside global, i.e. the packet migrates from the local plane to the global plane. If the destination is the same before and after (outside local equals outside global), this is ordinary inside-to-outside NAT; if it differs, the same mechanism handles overlapping address space on the two sides of the router.

For traffic from outside global to inside local: the packet's source is outside global and its destination is inside global. After passing the router's outside interface, the source is replaced with outside local and the destination with inside local, i.e. the packet migrates from the global plane to the local plane. If the source is the same before and after (outside global equals outside local), this is ordinary outside-to-inside NAT, the return direction of the previous case; if the source is rewritten as well, it is again the overlapping-address case.
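A worked example of the four terms, added here and not part of the original post: both sides of the router use 9.114.11.0/24 (the overlapping case just described), and static mappings are used so that all four addresses are fixed and the rewrite in each direction can be read off the comments. The host addresses are assumed for illustration; the router addresses and the inside-global block 171.69.233.208/28 are borrowed from the Cisco examples further down the page.

```cisco
! Added worked example, not from the original post. Addresses are illustrative.
! The inside network and the outside network both use 9.114.11.0/24.
!
! Inside host 9.114.11.50 (inside local) is seen from outside as 171.69.233.209
! (inside global).
ip nat inside source static 9.114.11.50 171.69.233.209
!
! Outside host 9.114.11.10 (outside global) is seen from inside as 10.0.1.10
! (outside local). "add-route" installs a host route for 10.0.1.10 via the
! outside interface: inside-to-outside packets are routed on their destination
! before NAT rewrites it, so the router needs a route to the outside-local
! address for the forwarding decision to come out right.
ip nat outside source static 9.114.11.10 10.0.1.10 add-route
!
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface Ethernet1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
! Packet walk. The inside host addresses the outside host by its outside-local
! address, so on the inside the whole exchange stays on the local plane.
!
! Request (local plane -> global plane):
!   arrives on Ethernet1:  SA 9.114.11.50    (inside local)   DA 10.0.1.10      (outside local)
!   leaves  on Ethernet0:  SA 171.69.233.209 (inside global)  DA 9.114.11.10    (outside global)
! Reply (global plane -> local plane):
!   arrives on Ethernet0:  SA 9.114.11.10    (outside global) DA 171.69.233.209 (inside global)
!   leaves  on Ethernet1:  SA 10.0.1.10      (outside local)  DA 9.114.11.50    (inside local)
!
! Both static entries appear in "show ip nat translations" as soon as they are
! configured: one fills the two inside columns, the other the two outside columns.
```

With the dynamic `list ... pool` form shown later on the page, the inside host still has to learn the outside-local address somehow (typically through NAT's DNS rewriting); the static form above sidesteps that, which is why it is the clearer way to see the four addresses at work.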

============

Understanding the NAT commands

1. Inside-to-outside translation, configured for traffic that enters on the inside interface:

r1-2514(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

So on the inside side, either the source address or the destination address of the packet can be translated.

r1-2514(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

So for source translation, an ACL or a route-map describes the local addresses: any packet whose source address matches is translated. A static entry can also be used, giving a fixed local-to-global mapping.

r1-2514(config)#ip nat inside source list 1 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

The next argument is a global address (an interface or a pool); the packet's source address is replaced by it.

For static mappings, a protocol and port can also be specified:
When translating addresses to an interface's address, outside-initiated connections to services on the inside network (like mail) will require additional configuration to send the connection to the correct inside host. This command allows the user to map certain services to certain inside hosts.

ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>

Example:

ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25

In this example, outside-initiated connections to the SMTP port (25) will be sent to the inside host 192.168.10.1.
Translating the destination on the inside side:
r1-2514(config)#ip nat inside destination ?
  list  Specify access list describing global addresses
The router asks for an ACL describing the global addresses.
r1-2514(config)#ip nat inside destination list 1 ?
  pool  Name pool of local addresses
Then it asks for a pool of local addresses.
So this is NAT for traffic in the outside-to-inside direction: any packet in that direction whose destination matches the ACL has its destination rewritten to a local address from the pool. This can be used for TCP load distribution: outside clients all request one global address, and on the inside side those requests are spread over the pool addresses in round-robin order. But it only works for TCP flows, and it is not suitable for load-balancing web services. Details:

Destination Address Rotary Translation

A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping is set up, a destination address matching one of those on an access list will be replaced with an address from a rotary pool. Allocation is done in a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect).

This feature was designed to provide protocol translation load distribution. It is not designed nor intended to be used as a substitute technology for Cisco's LocalDirector product. Destination address rotary translation should not be used to provide web service load balancing because, like vanilla DNS, it knows nothing about service availability. As a result, if a web server were to become offline, the destination address rotary translation feature would continue to send requests to the downed server.

2. Outside-to-inside, what happens on the outside side:
r1-2514(config)#ip nat outside ?
  source  Source address translation
So on the outside side only the packet's source address can be translated.
r1-2514(config)#ip nat outside source ?
  list       Specify access list describing global addresses
  route-map  Specify route-map
  static     Specify static global->local mapping
The router then wants a description of the global addresses, which can be an ACL, a route-map, or a static entry.
r1-2514(config)#ip nat outside source list 1 ?
  pool  Name pool of local addresses
Then a pool of local addresses is required. So this command rewrites the source-address field of outside-to-inside packets, translating the outside global address into an outside local address (which may be identical to the outside global address, or different from it, as in the overlapping-network case).
ip nat outside source { list <acl> pool <name> | static <global-ip> <local-ip> }

The first form (list..pool..) enables dynamic translation. Packets from addresses that match those on the simple access list are translated using local addresses allocated from the named pool.
The second form (static) of the command sets up a single static translation.
An example:

CONFIGURATION EXAMPLES

The following sample configuration translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.
ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface Ethernet1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
The next sample configuration translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network. Packets from outside hosts addressed from 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.
ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
Defines a pool named net-20 of inside global addresses.
ip nat pool net-10 10.0.1.0 10.0.1.255 netmask 255.255.255.0
Defines a pool named net-10 of outside local addresses.
ip nat inside source list 1 pool net-20
ip nat outside source list 1 pool net-10
Note that both the inside and the outside statement reference list 1: the source addresses on the two sides overlap. Inside sources are translated to net-20 addresses to talk to the outside 9.114.11.0 network, and outside sources are translated to net-10 addresses to talk to the inside 9.114.11.0 network.
!
interface Ethernet0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface Ethernet1
ip address 9.114.11.39 255.255.255.0
ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
Some NAT extensions:
1. More flexible pool configuration:
The pool configuration syntax has been extended to allow discontiguous ranges of addresses. The following syntax is now allowed:
ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type { rotary } ]
This command will put the user into IP NAT Pool configuration mode, where a sequence of address ranges can be configured. There is only one command in this mode:
address <start> <end>
Example:
Router(config)#ip nat pool fred prefix-length 24
Router(config-ipnat-pool)#address 171.69.233.225 171.69.233.226
Router(config-ipnat-pool)#address 171.69.233.228 171.69.233.238
This configuration creates a pool containing addresses 171.69.233.225-226 and 171.69.233.228-238 (171.69.233.227 has been omitted).
2. Translating to an interface's address, for links without a fixed IP:
As a convenience for users wishing to translate all inside addresses to the address assigned to an interface on the router, the NAT code allows one to simply name the interface when configuring the dynamic translation rule:
ip nat inside source list <number> interface <interface> overload
If there is no address on the interface, or if the interface is not up, no translation will occur.
Example:
ip nat inside source list 1 interface Serial0 overload
3. Static translations with ports: the command and its SMTP example are quoted above, under the inside source commands.
4. Using route-maps for multi-ISP policy