R1:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int s2/0
R1(config-if)#ip add 200.1.1.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R1(config)#
R1(config)#ip route 200.1.2.0 255.255.255.0 200.1.1.2 //配置静态路由
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 200.1.1.0/24 is directly connected, Serial2/0
S 200.1.2.0/24 [1/0] via 200.1.1.2
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s2/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 1 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1(config)#access-list 1 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 1 permit 192.168.1.0 ?
A.B.C.D Wildcard bits
<cr>
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 ?
<cr>
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 //定义访问控制列表
R1(config)#ip nat ?
inside Inside address translation
outside Outside address translation
pool Define pool of addresses
R1(config)#ip nat pool ?
WORD Pool name
R1(config)#ip nat pool david ?
A.B.C.D Start IP address
R1(config)#ip nat pool david 200.1.1.3 ?
A.B.C.D End IP address
R1(config)#ip nat pool david 200.1.1.3 200.1.1.3 ?
netmask Specify the network mask
R1(config)#ip nat pool david 200.1.1.3 200.1.1.3 netmask ?
A.B.C.D Network mask
R1(config)#ip nat pool david 200.1.1.3 200.1.1.3 netmask 255.255.255.0 ?
<cr>
R1(config)#ip nat pool david 200.1.1.3 200.1.1.3 netmask 255.255.255.0
R1(config)#ip nat inside ?
source Source address translation
R1(config)#ip nat inside source ?
list Specify access list describing local addresses
static Specify static local->global mapping
R1(config)#ip nat inside source list 1 ?
interface Specify interface for global address
pool Name pool of global addresses
R1(config)#ip nat inside source list 1 pool ?
WORD Name pool of global addresses
R1(config)#ip nat inside source list 1 pool david ?
overload Overload an address translation
<cr>
R1(config)#ip nat inside source list 1 pool david overload ?
<cr>
R1(config)#ip nat inside source list 1 pool david overload
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip nat ?
statistics Translation statistics
translations Translation entries
R1#show ip nat translations //没有主机访问Web Server的时候,没有记录
R1#
R1#show ip nat translations //有主机访问Web Server,产生记录
Pro Inside global Inside local Outside local Outside global
tcp 200.1.1.3:1026 192.168.1.2:1026 200.1.2.2:80 200.1.2.2:80
R1#show ip nat translations //来自1.2和1.3的主机访问
Pro Inside global Inside local Outside local Outside global
tcp 200.1.1.3:1026 192.168.1.2:1026 200.1.2.2:80 200.1.2.2:80
tcp 200.1.1.3:1025 192.168.1.3:1025 200.1.2.2:80 200.1.2.2:80
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.1.1.3:1026 192.168.1.2:1026 200.1.2.2:80 200.1.2.2:80
tcp 200.1.1.3:1027 192.168.1.2:1027 200.1.2.2:80 200.1.2.2:80
tcp 200.1.1.3:1025 192.168.1.3:1025 200.1.2.2:80 200.1.2.2:80
tcp 200.1.1.3:1024 192.168.1.3:1026 200.1.2.2:80 200.1.2.2:80
R1#
R2:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 200.1.2.1 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 200.1.1.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#
R2(config-if)#
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 200.1.1.1
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.1.0/24 [1/0] via 200.1.1.1
C 200.1.1.0/24 is directly connected, Serial2/0
C 200.1.2.0/24 is directly connected, FastEthernet0/0
R2#
测试:
PC1:
Packet Tracer PC Command Line 1.0
PC>ipconfig
IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
PC>ping 200.1.2.2
Pinging 200.1.2.2 with 32 bytes of data:
Reply from 200.1.2.2: bytes=32 time=15ms TTL=126
Reply from 200.1.2.2: bytes=32 time=16ms TTL=126
Reply from 200.1.2.2: bytes=32 time=16ms TTL=126
Reply from 200.1.2.2: bytes=32 time=15ms TTL=126
Ping statistics for 200.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 16ms, Average = 15ms
PC>
PC-WEB:
ip nat命令解释
access-list-number:访问控制列表的表号。它指定由哪个访问控制列表来定义源地址的规则。
pool-name:IP地址池名字。该地址池定义了用于NAT转换的内部全局地址。
overload:启用端口复用,使每个全局地址可以和多个本地地址建立映射(全局地址+端口号)
范例1:
R1(config)#ip nat pool np 200.10.10.1 200.10.10.9 netmask 255.255.255.0
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 Ruijie(config)#access-list 1 permit 172.16.0.0 0.0.255.255
R1(config)#ip nat inside source list 1 pool np overload
本例定义了一个内部源地址动态NAT,内部本地地址为192.168.1.和172.16..*的格式,由access-list 1定义,只有这两种地址才会进行NAT转换。内部全局地址为200.10.10.1~200.10.10.9,共9个地址,由地址池np定义。每个全局地址都可以和多个本地地址建立映射,用端口号区分各个映射
local-address:内部本地地址。是主机在网络内部的IP地址,一般是未注册的私有地址。
global-address:内部全局地址。是内部主机在外部网络表现出的地址,一般是注册的合法地址(公网地址)。
ip nat inside source static local-address global-address [permit-inside]//实现的是一对一的NAT映射
ip nat inside source static protocol local-address local-port global-address global-port [permit-inside] //实现一个全局地址可映射多个内部地址,用端口号区分各个映射
范例1:
R1(config)#ip nat inside source static 192.168.1.6 200.10.10.2
本例定义了一个内部源地址静态NAT,内部本地地址为192.168.1.6,内部全局地址为200.10.10.2。外网用户只能用200.10.10.2访问这台主机,内网用户只能用192.168.1.6访问这台主机,如果加上permit-inside关键字,内网用户也能用200.10.10.2访问。
范例2:
R1(config)#ip nat inside source static tcp 192.168.1.6 80 200.10.10.2 80
R1(config)#ip nat inside source static tcp 192.168.1.8 80 200.10.10.2 8080
本例定义了两个内部源地址静态NAT,两个服务都是Web服务,内网用户可以用http://192.168.1.6和http://192.168.1.8访问这两个网站,外网用户需要用http://200.10.10.2和http://200.10.10.2:8080访问这两个网站