NAT (Network Address Translation) Lab Report
en
conf t
hos r4
int fa0/0
ip ad 40.0.0.2 255.255.255.252
no sh
int fa1/0
ip ad 10.0.0.2 255.255.255.252
no sh
int fa2/0
ip ad 20.0.0.2 255.255.255.252
no sh
int fa3/0
access-list 101 deny ip any 40.0.0.0 0.255.255.255
access-list 101 permit ip any any
ip nat inside source list 101 pool isp2 overload
R3 has no such network segment, so internal PC3 cannot ping the F1/0 interface address; adding the following ACL on R1 makes the ping succeed:
access-list 100 permit ip any 20.0.0.0 0.255.255.255
access-list 100 permit ip any 40.0.0.0 0.255.255.255
ip nat pool isp1 20.0.0.2 20.0.0.10 netmask 255.0.0.0
ip route 192.168.2.0 255.255.255.0 192.168.10.2
ip route 192.168.3.0 255.255.255.0 192.168.10.2
ip route 20.0.0.0 255.0.0.0 10.0.0.2
ip route 40.0.0.0 255.0.0.0 10.0.0.2
ip nat inside
no sh
int fa2/0
ip ad 10.0.0.1 255.255.255.252
ip nat outside
no sh
int fa3/0
ip ad 10.0.0.5 255.255.255.252
ip nat outside
no sh
exit
ip route 192.168.1.0 255.255.255.0 192.168.10.2
ip route 0.0.0.0 0.0.0.0 10.0.0.6
ip route 0.0.0.0 0.0.0.0 10.0.0.2 100
Dual-line access
access-list 100 permit ip any 20.0.0.0 0.255.255.255
access-list 100 permit ip any 40.0.0.0 0.255.255.255
end
5) R5 configuration (simulating the web server)
en
conf t
int fa0/0
ip ad 192.168.0.2 255.255.255.0
no sh
exi
ip default-gateway 192.168.0.1
no ip routing
end
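6) Analysis
When R3 is configured for dynamic NAT, the external network cannot ping R3's external address; if R3 is changed to static translation, the ping succeeds. The likely reason is that dynamic translation does not create a NAT translation table entry until traffic has been generated, so when the ping packet reaches the destination it is dropped because no NAT translation entry exists.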
ip nat inside source static tcp 192.168.1.2 21 30.0.0.1 1000 extendable
ip nat inside source static tcp 192.168.2.2 80 20.0.0.1 8080 extendable
ip nat inside source static tcp 192.168.2.2 80 30.0.0.1 8080 extendable
2) SW1 configuration
en
conf t
hos sw1
int fa0/0
no switchport
ip ad 192.168.10.2 255.255.255.252
no sh
end
vl da
vl 2
vl 3
vl 4
exit
conf t
int fa0/1
sw ac vl 2
no sh
int fa0/2
sw ac vl 3
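7) Verification
R3 can access the head office web service but cannot ping it.
R3 can ping the external network and the Shenyang branch hosts, but the Shenyang branch hosts cannot ping R3.
Lab 2: Configure a router with dual-line (dual-ISP) access
Lab steps:
Lab topology diagram:
1) R1 configuration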
en
conf t
hos r1
int fa1/0
ip ad 192.168.10.1 255.255.255.252
ip ad 30.0.0.2 255.255.255.252
no sh
exi
ip route 222.222.222.0 255.255.255.192 20.0.0.1
ip route 124.0.0.0 255.255.255.240 10.0.0.1
ip route 123.0.0.0 255.255.255.240 30.0.0.1
ip nat pool isp2 30.0.0.2 30.0.0.10 netmask 255.0.0.0
ip nat inside source list 100 pool isp1 overload
ip nat inside source list 101 pool isp2 overload
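ip nat inside source static tcp 192.168.1.2 21 20.0.0.1 1000 extendable
Lab name: Chapter 8, NAT (Network Address Translation)
Required lab environment:
Hardware: 6 Cisco switches, 2 routers, 2 PCs
Software:
Required software tools and installation packages: 小凡 (Xiaofan)
Lab objectives:
1) Understand how NAT is implemented and how it works
2) Learn which traffic types NAT supports and the various applications of NAT
3) Master NAT configuration and the analysis and troubleshooting of NAT faults
Tasks:
Lab 1: Configure NAT to interconnect the company sites
ip route 20.0.0.0 255.0.0.0 10.0.0.1
ip route 30.0.0.0 255.0.0.0 10.0.0.1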
end
4) R3 configuration
en
conf t
hos r3
int fa1/0
ip ad 10.0.0.6 255.0.0.0
no sh
int fa0/0
ip ad 50.0.0.1 255.0.0.0
ip nat outside
no sh
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip nat inside source static tcp 192.168.0.2 80 124.0.0.1 80 extendable
2) R2 configuration
en
conf t
hos r2
int fa0/0
access-list 101 deny ip any 20.0.0.0 0.255.255.255
access-list 101 deny ip any 40.0.0.0 0.255.255.255
access-list 101 permit ip any any
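ip nat pool isp1 20.0.0.2 20.0.0.10 netmask 255.0.0.0
access-list 100 permit ip any 10.0.0.0 0.0.0.3
7) Verification
1. The company reaches websites at different ISPs over the corresponding ISP uplink; when one line fails, the other ISP line can be used for access.
2. After the company's FTP and web servers are published to the external network through port mappings, external ISP1 users can reach the company's web and FTP services via http://20.0.0.1:8080 and ftp://20.0.0.1:1000, and ISP2 users can reach them via http://30.0.0.1:8080 and ftp://30.0.0.0:1000.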
ip ad 192.168.1.1 255.255.255.0
ip nat inside
no sh
int fa1/0
ip ad 30.0.0.1 255.255.255.252
ip nat outside
no sh
exi
ip route 0.0.0.0 0.0.0.0 30.0.0.2
ip nat inside source static 192.168.1.2 123.0.0.1
ip nat inside source list 100 pool isp1 overload
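Inside local addresses that are not destined for those permitted networks are instead translated to inside global addresses in the 30.0.0.0 network, and through ISP2 they can reach any network other than 20.0.0.0 and 40.0.0.0:
access-list 101 deny ip any 20.0.0.0 0.255.255.255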
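How ACLs 100 and 101 split traffic between the isp1 and isp2 pools, as an added Python example that is not part of the original report. It models only destination matching (wildcard masks, first match, implicit deny), not routing; the function names are hypothetical, and because the two ACLs are mutually exclusive the order of the NAT statements does not change the result.

```python
import ipaddress

# ACL and NAT statements as they appear in the report's R1 configuration.
CONFIG = """\
access-list 100 permit ip any 20.0.0.0 0.255.255.255
access-list 100 permit ip any 40.0.0.0 0.255.255.255
access-list 101 deny ip any 20.0.0.0 0.255.255.255
access-list 101 deny ip any 40.0.0.0 0.255.255.255
access-list 101 permit ip any any
ip nat inside source list 100 pool isp1 overload
ip nat inside source list 101 pool isp2 overload
"""

def parse(config):
    """Return ({acl: [(action, dst_net, wildcard)]}, [(acl, pool)]) in config order."""
    acls, nat_rules = {}, []
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-list"]:
            # Only the 'ip any <dst> <wildcard>' and 'ip any any' forms used in the report.
            dst = f[5:]
            if dst == ["any"]:
                net, wild = 0, 0xFFFFFFFF
            else:
                net, wild = (int(ipaddress.IPv4Address(x)) for x in dst)
            acls.setdefault(f[1], []).append((f[2], net, wild))
        elif f[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_rules.append((f[5], f[7]))
    return acls, nat_rules

def acl_permits(entries, dst):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny at the end."""
    d = int(ipaddress.IPv4Address(dst))
    for action, net, wild in entries:
        if (d | wild) == (net | wild):
            return action == "permit"
    return False

def select_pool(dst, config=CONFIG):
    """Name of the NAT pool whose ACL permits this destination, or None (simplified model)."""
    acls, nat_rules = parse(config)
    for acl, pool in nat_rules:
        if acl_permits(acls.get(acl, []), dst):
            return pool
    return None

if __name__ == "__main__":
    for dst in ("20.0.0.1", "40.0.0.2", "30.0.0.1", "50.0.0.1"):
        print(dst, "->", select_pool(dst))
```

A destination for which `select_pool` returns `None` matches no NAT rule and would leave untranslated, which is what happens to everything outside 20.0.0.0 and 40.0.0.0 if ACL 101 and its NAT statement are missing.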
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.10.1
end
3) R2 configuration
en
conf t
hos r2
int fa1/0
ip ad 10.0.0.2 255.255.255.252
no sh
int fa0/0
ip ad 40.0.0.1 255.0.0.0
no sh
exit
no sh
exit
ip route 20.0.0.0 255.0.0.0 10.0.0.5
ip route 30.0.0.0 255.0.0.0 10.0.0.5
end