NAT实验.docx
《NAT实验.docx》由会员分享,可在线阅读,更多相关《NAT实验.docx(17页珍藏版)》请在冰点文库上搜索。
NAT实验
NAT转换实验
实验拓扑:
实验目的:
理解NAT地址转换的原理,熟悉NAT转换的配置过程。
进一步理解NAT在扩展IP
地址方面的巨大功效。
理解NAT如何将内部地址转换成外部地址的过程。
1.静态NAT
首先在R1上起2个环回接口loop0和loop1,为每一个loop口分配一个IP地址,模拟2台内部PC机,R1的S1看成到外网的接口。
而R3这里看成外部一台服务器。
PC机想要与R3通信,不许利用NAT来将内部PC地址转换成R1上S0的地址实现。
路由器的基本配置
R1#showipintb
InterfaceIP-AddressOK?
MethodStatusProocol
Ethernet0unassignedYESunsetadministrativelydowndown
Loopback0192.168.2.1YESmanualupup
Loopback1192.168.3.1YESmanualupup
Serial061.32.34.6YESmanualupup
Serial1unassignedYESunsetadministrativelydowndown
R2#showipintb
InterfaceIP-AddressOK?
MethodStatusProtocol
Ethernet0unassignedYESunsetadministrativelydowndown
Serial0unassignedYESTFTPupup
Serial161.32.34.5YESmanualupup
此时用扩展PING以192.168.2.1和192.168.3.1为源以61.32.34.5为目的
PING
R1#ping
Protocol[ip]:
TargetIPaddress:
%BadIPaddress
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.2.1
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Typeescapesequencetoabort.
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
.....
Successrateis0percent(0/5)
R1#ping
Protocol[ip]:
TargetIPaddress:
%BadIPaddress
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.3.1
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Typeescapesequencetoabort.
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
.....
Successrateis0percent(0/5)
显然无法ping通,即内部地址无法直接与外部地址通信,于是我们启用NAT
转换。
◎启动NAT静态转换。
R1(config)#intloop0
R1(config-if)#ipnatinside定义内部接口
R1(config-if)#intloop1
R1(config-if)#ipnatinside定义内部接口
R1(config-if)#ints0
R1(config-if)#ipnatoutside定义外部接口
R1(config)#ipnatinsidesourcestatic192.168.2.161.32.34.6
定义将内部的接口地址静态的的一对一的转换为61.32.34.6
R1(config)#ipnatinsidesourcestatic192.168.3.161.32.34.7
定义将内部的接口地址静态的的一对一的转换为61.32.34.7
此时用扩展Ping以192.168.2.1和192.168.3.1为源以61.32.34.5为目的
PING
R1#debugipnat开放debug进行ping包时候的抓包转换测试。
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.2.1
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Typeescapesequencetoabort.
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
!
!
!
!
!
Successrateis100percent(5/5),round-tripmin/avg/max=32/32/36
ms
00:
36:
36:
NAT:
s=192.168.2.1->61.32.34.6,d=61.32.34.5[20]
看到我们的源已经进行了转换,转换后的地址才可以与目的地址进行通信
00:
36:
36:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.1[20]
00:
36:
36:
NAT:
s=192.168.2.1->61.32.34.6,d=61.32.34.5[21]
00:
36:
36:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.1[21]
00:
36:
36:
NAT:
s=192.168.2.1->61.32.34.6,d=61.32.34.5[22]
00:
36:
36:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.1[22]
00:
36:
36:
NAT:
s=192.168.2.1->61.32.34.6,d=61.32.34.5[23]
00:
36:
36:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.1[23]
00:
36:
36:
NAT:
s=192.168.2.1->61.32.34.6,d=61.32.34.5[24]
00:
36:
36:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.1[24]
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.3.1
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Typeescapesequencetoabort.
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
!
!
!
!
!
Successrateis100percent(5/5),round-tripmin/avg/max=32/32/36
ms
00:
37:
40:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[25]
00:
37:
40:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[25]
00:
37:
40:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[26]
00:
37:
40:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[26]
00:
37:
40:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[27]
00:
37:
40:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[27]
00:
37:
40:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[28]
00:
37:
40:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[28]
00:
37:
40:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[29]
00:
37:
40:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[29]
有PING的结果可以看出,现在内部PC已经可以和外部通信了,并且通过
debug信息可以看到NAT转换已经开始运行。
但这种转换是NAT里最简单的
转换,下面我们学习其他几种NAT转换方式。
2.动态NAT
1.启动动态NAT
为loop0接口定义多个地址
R1(config-if)#ipadd192.168.2.1255.255.255.0
R1(config-if)#ipadd192.168.2.2255.255.255.0sec
R1(config-if)#ipadd192.168.2.3255.255.255.0sec
R1(config-if)#ipadd192.168.2.4255.255.255.0sec
R1(config-if)#ipadd192.168.2.5255.255.255.0sec
R1(config-if)#ipadd192.168.2.6255.255.255.0sec
R1(config-if)#ipadd192.168.2.7255.255.255.0sec
R1(config-if)#ipadd192.168.2.8255.255.255.0sec
R1(config-if)#ipadd192.168.2.9255.255.255.0sec
定义外部地址池
R1(config)#ipnatpooloutpool61.32.34.661.32.34.7netmask255.255.255.0
定义了一个转换池的名字叫做outpool,也就是说,你转换后的地址是从这个
池子里面出的。
定义允许的转换的内部地址
R1(config)#access-list10permithost192.168.2.1
R1(config)#access-list10permithost192.168.3.1
定义转换
R1(config)#ipnatinsidesourcelist10pooloutpool定义了内部需要转换的
是有access-list来控制的10,而转后后的地址是从outpool里面来提取的。
◎此时用扩展PING以192.168.2.2和192.168.2.3为源以61.32.34.5为目的
PING
观察转换效果
R1#debugipnat
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.2.3
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
!
!
!
!
!
Successrateis100percent(5/5),round-tripmin/avg/max=40/41/44ms
01:
06:
35:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[65]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[65]
01:
06:
35:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[66]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[66]
01:
06:
35:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[67]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[67]
01:
06:
35:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[68]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[68]
01:
06:
35:
NAT:
s=192.168.3.1->61.32.34.7,d=61.32.34.5[69]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.7->192.168.3.1[69]
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.2.2
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
!
!
!
!
!
Successrateis100percent(5/5),round-tripmin/avg/max=40/41/44ms
01:
13:
28:
NAT:
s=192.168.2.2->61.32.34.6,d=61.32.34.5[85]
01:
13:
28:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.2[85]
01:
13:
28:
NAT:
s=192.168.2.2->61.32.34.6,d=61.32.34.5[86]
01:
13:
28:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.2[86]
01:
13:
29:
NAT:
s=192.168.2.2->61.32.34.6,d=61.32.34.5[87]
01:
13:
29:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.2[87]
01:
13:
29:
NAT:
s=192.168.2.2->61.32.34.6,d=61.32.34.5[88]
01:
13:
29:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.2[88]
01:
13:
29:
NAT:
s=192.168.2.2->61.32.34.6,d=61.32.34.5[89]
01:
13:
29:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.2[89]
当我们清楚所有的NAT会话以后,再次PING的时候的转换则有
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.2.3
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
!
!
!
!
!
Successrateis100percent(5/5),round-tripmin/avg/max=40/41/44ms
01:
06:
35:
NAT:
s=192.168.2.3->61.32.34.6,d=61.32.34.5[65]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.3[65]
01:
06:
35:
NAT:
s=192.168.2.3->61.32.34.6,d=61.32.34.5[66]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.3[66]
01:
06:
35:
NAT:
s=192.168.2.3->61.32.34.6,d=61.32.34.5[67]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.3[67]
01:
06:
35:
NAT:
s=192.168.2.3->61.32.34.6,d=61.32.34.5[68]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.1682.3[68]
01:
06:
35:
NAT:
s=192.168.2.3->61.32.34.6,d=61.32.34.5[69]
01:
06:
35:
NAT*:
s=61.32.34.5,d=61.32.34.6->192.168.2.3[69]
R1#ping
Protocol[ip]:
TargetIPaddress:
61.32.34.5
Repeatcount[5]:
Datagramsize[100]:
Timeoutinseconds[2]:
Extendedcommands[n]:
y
Sourceaddressorinterface:
192.168.2.2
Typeofservice[0]:
SetDFbitinIPheader?
[no]:
Validatereplydata?
[no]:
Datapattern[0xABCD]:
Loose,Strict,Record,Timestamp,Verbose[none]:
Sweeprangeofsizes[n]:
Sending5,100-byteICMPEchosto61.32.34.5,timeoutis2seconds:
!
!
!
!
!
Successrateis100percent(5/5),round-tripmin/avg/max=40/41/44ms
01:
13:
28:
NAT:
s=192.168.2.2->61.32.34.7,d=61.32.34.5[85]
01:
13:
28:
NAT*
升级会员 