
CISCO NAT Configuration Commands

21.1. Enabling basic NAT on the router

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface Ethernet0/0 overload
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: The configuration in this example rewrites the source address of hosts in 192.168.0.0/16 to 172.16.1.5 (the address of the outside interface) when they access the external network. This is the basic address translation function.

21.2. Dynamic allocation of external addresses

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: ip nat inside source list 15 pool NATPOOL defines the pool of addresses that inside hosts are translated to. If the pool's addresses are exhausted, new translations fail; if the overload parameter is added, the router starts again from the first address and reuses the pool's addresses.

Also, the address pool does not have to be in the same subnet as the outside interface's address; a corresponding route to it is all that is needed.

21.3. Static allocation of external addresses

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

21.4. Combining static and dynamic address translation

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: Here the access list excludes the inside addresses that are translated statically. This step is not strictly required, because static translation takes priority over dynamic translation; however, the external addresses used by the static translations must be excluded from the dynamic translation pool.
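As an added example (not part of the original page), the following Python script checks the caveat stated in 21.4 against configurations like those in 21.3 and 21.4: it parses the ip nat pool and ip nat inside source static lines and reports any static inside-global address that falls inside a dynamic pool's range. The configuration text it reads is constructed here from the page's 21.4 lines, with one deliberately overlapping static entry (172.16.1.120) added so that the check has something to find.

```python
import ipaddress
import re

# Constructed sample: the static + dynamic lines from 21.4, plus one
# deliberately bad static entry (172.16.1.120) that falls inside NATPOOL.
SAMPLE_CONFIG = """
ip nat inside source static 192.168.1.15 172.16.1.10
ip nat inside source static 192.168.1.16 172.16.1.11
ip nat inside source static 192.168.1.17 172.16.1.120
ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
ip nat inside source list 15 pool NATPOOL overload
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip nat pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def parse_statics(config):
    """Return [(inside_local, inside_global)] from one-to-one static NAT lines."""
    matches = (STATIC_RE.match(line.strip()) for line in config.splitlines())
    return [(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            for m in matches if m]


def find_pool_conflicts(config):
    """List (inside_global, pool_name) pairs where a static global address lies
    inside a dynamic pool's range, i.e. where the caveat in 21.4 is violated."""
    pools = parse_pools(config)
    conflicts = []
    for _local, inside_global in parse_statics(config):
        for name, (first, last) in pools.items():
            if first <= inside_global <= last:
                conflicts.append((str(inside_global), name))
    return conflicts


if __name__ == "__main__":
    for addr, pool in find_pool_conflicts(SAMPLE_CONFIG):
        print(f"static inside-global {addr} overlaps dynamic pool {pool}")
```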

21.5. Using route maps to control translation rules

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 172.16.2.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
Router(config)#end
Router#

Note: This applies to the case of multiple outside interfaces; the route map selects the translation according to the interface the packet leaves on.

21.6. Address translation in both directions at the same time

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#access-list 16 deny 172.16.5.25
Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#ip nat outside source list 16 pool INBOUNDNAT
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5
Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

21.7. Network prefix rewriting

Simply changes the prefix of a network segment.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias
Router(config)#ip route 172.16.0.0 255.255.0.0 Ethernet1/0
Router(config)#ip route 172.17.0.0 255.255.0.0 Ethernet1/0
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.6 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: This applies when two networks need to reach each other but their address ranges conflict.

21.8. Using NAT for server load sharing

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary
Router(config)#access-list 20 permit host 192.168.1.100
Router(config)#ip nat inside destination list 20 pool WEBSERVERS
Router(config)#end
Router#

Note: The difference here is the rotary parameter on the pool and the use of destination rather than source in the translation rule: connections to the virtual address 192.168.1.100 are handed out in turn to the real servers in the pool. Of course, this is a poor man's load-balancing solution.

21.9. Stateful NAT failover

Router A:

Router-A#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#access-list 11 permit any
Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-A(config)#interface FastEthernet0/0
Router-A(config-if)#ip address 192.168.1.3 255.255.255.0
Router-A(config-if)#ip nat inside
Router-A(config-if)#standby 1 ip 192.168.1.1
Router-A(config-if)#standby 1 preempt
Router-A(config-if)#standby 1 name SNATGROUP
Router-A(config-if)#exit
Router-A(config)#interface Serial0/0
Router-A(config-if)#ip address 172.17.55.2 255.255.255.252
Router-A(config-if)#ip nat outside
Router-A(config-if)#exit
Router-A(config)#ip nat Stateful id 1
Router-A(config-ipnat-snat)#redundancy SNATGROUP
Router-A(config-ipnat-snat-red)#mapping-id 1
Router-A(config-ipnat-snat-red)#exit
Router-A(config)#end
Router-A#

Router B:

Router-B#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-B(config)#access-list 11 permit any
Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-B(config)#interface FastEthernet0/0
Router-B(config-if)#ip address 192.168.1.2 255.255.255.0
Router-B(config-if)#ip nat inside
Router-B(config-if)#standby 1 ip 192.168.1.1
Router-B(config-if)#standby 1 priority 90
Router-B(config-if)#standby 1 preempt
Router-B(config-if)#standby 1 name SNATGROUP
Router-B(config-if)#exit
Router-B(config)#interface Serial0/0
Router-B(config-if)#ip address 172.17.55.6 255.255.255.252
Router-B(config-if)#ip nat outside
Router-B(config-if)#exit
Router-B(config)#ip nat Stateful id 1
Router-B(config-ipnat-snat)#redundancy SNATGROUP
Router-B(config-ipnat-snat-red)#mapping-id 1
Router-B(config-ipnat-snat-red)#exit
Router-B(config)#end
Router-B#

Note: Although HSRP solves the availability problem, it cannot synchronize the NAT translation table. Starting with 12.2(13)T, Cisco introduced Stateful NAT (SNAT), which keeps the translation tables of the two devices in sync. The key command is ip nat Stateful; note that Stateful here begins with a capital letter, and it is case-sensitive.
