CISCONAT配置命令.doc

Published 4 July 2023 (author: )

CISCO NAT configuration commands

21.1. Enabling basic NAT on a router

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface Ethernet0/0 overload
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: the configuration in this example provides basic address translation for the 192.168.0.0/16 range, rewriting those addresses to 172.16.1.5 when they access the external network.

21.2. Dynamically allocating outside addresses

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: ip nat inside source list 15 pool NATPOOL defines the pool of addresses that traffic is translated to. Once the pool's addresses are used up, new translations fail; with the overload parameter added, translation starts again from the first address and addresses are reused. Also, the pool does not have to be in the same subnet as the outside interface's address, as long as there is a corresponding route.
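To make the pool-exhaustion and overload behaviour in the note concrete, here is an added Python model of the dynamic pool (not Cisco code and not part of the original document): without overload each inside host consumes one pool address and the 52nd host gets no translation; with overload, flows share the first address and are told apart by translated port. The starting port and the ports-per-address figure are constructed assumptions of the model.

```python
import ipaddress

PORTS_PER_ADDRESS = 65536 - 1024   # assumption: translated ports 1024-65535 per global address

class NatPool:
    """Model of 'ip nat pool NATPOOL 172.16.1.100 172.16.1.150' behind an
    'ip nat inside source list 15 pool NATPOOL [overload]' rule."""

    def __init__(self, first, last, overload=False):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.table = {}   # the translation table: inside host (or flow) -> inside global

    def translate(self, inside_local, sport=None):
        """Return the inside-global mapping for a packet, or None if the pool is exhausted."""
        if not self.overload:
            # Plain dynamic NAT: one pool address per inside host, held until the entry times out.
            if inside_local in self.table:
                return self.table[inside_local]
            free = [a for a in self.addresses if a not in self.table.values()]
            if not free:
                return None    # pool used up: the packet is dropped and no entry is created
            self.table[inside_local] = free[0]
            return free[0]
        # Overload (PAT): every flow maps to the first address with a distinct port;
        # only when that address runs out of ports does the next pool address get used.
        key = (inside_local, sport)
        if key not in self.table:
            n = len(self.table)
            if n // PORTS_PER_ADDRESS >= len(self.addresses):
                return None
            self.table[key] = (self.addresses[n // PORTS_PER_ADDRESS], 1024 + n % PORTS_PER_ADDRESS)
        return self.table[key]

def simulate(overload, n_hosts=52):
    """n_hosts inside hosts each open one flow through the 51-address pool.
    Returns (translated, dropped, number of distinct global addresses used)."""
    pool = NatPool("172.16.1.100", "172.16.1.150", overload=overload)
    translated = dropped = 0
    for i in range(1, n_hosts + 1):
        if pool.translate(f"192.168.1.{i}", sport=40000 + i) is None:
            dropped += 1
        else:
            translated += 1
    used = {v if isinstance(v, str) else v[0] for v in pool.table.values()}
    return translated, dropped, len(used)
```

simulate(False) returns (51, 1, 51): one host is dropped once the 51 addresses are taken, while simulate(True) returns (52, 0, 1) because all flows share 172.16.1.100.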

21.3. Statically allocating outside addresses

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

21.4. Combining static and dynamic translation

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: the access list here excludes the inside addresses that are translated statically. This step is not strictly necessary, because static translations take priority over dynamic ones, but the outside addresses used by the static translations must be excluded from the dynamic pool.
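As a check for the rule in the note (static outside addresses must stay out of the dynamic pool, while excluding the static hosts from the ACL is optional), here is an added Python linter over a pasted CLI transcript. It is not part of the original document; the 21.4 lines are embedded as a constructed sample.

```python
import ipaddress
import re

# Constructed copy of the 21.4 transcript, as it would be pasted from the CLI
CONFIG_21_4 = """\
Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
"""

def parse_nat(text):
    """Collect static maps, pools, hosts denied per ACL, and (acl, pool) dynamic rules."""
    statics, pools, denies, dynamic = [], {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()          # drop the 'Router(config)#' prompt
        if m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((m[1], m[2]))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (m[2], m[3])
        elif m := re.match(r"access-list (\d+) deny (\S+)", line):
            denies.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"ip nat inside source list (\d+) pool (\S+)", line):
            dynamic.append((m[1], m[2]))
    return statics, pools, denies, dynamic

def check_static_vs_dynamic(text):
    """ERROR: a static outside address lies inside a dynamic pool (must be excluded).
    INFO: a statically mapped host is not denied by the dynamic rule's ACL (optional,
    since the static entry takes priority anyway)."""
    statics, pools, denies, dynamic = parse_nat(text)
    findings = []
    for acl, pool in dynamic:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in pools[pool])
        for local, glob in statics:
            if lo <= int(ipaddress.IPv4Address(glob)) <= hi:
                findings.append(f"ERROR: static address {glob} for {local} overlaps pool {pool}")
            if local not in denies.get(acl, set()):
                findings.append(f"INFO: ACL {acl} does not deny {local}; static entry still wins")
    return findings
```

check_static_vs_dynamic(CONFIG_21_4) returns an empty list; moving a static address into 172.16.1.100-150 produces an ERROR finding, and dropping a deny line only an INFO.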

21.5. Using route maps to control translation rules

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 172.16.2.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
Router(config)#end
Router#

Note: this applies when there are multiple outside interfaces.

21.6. Translating in both directions simultaneously

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#access-list 16 deny 172.16.5.25
Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#ip nat outside source list 16 pool INBOUNDNAT
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5
Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

21.7. Network prefix rewriting: simply changing the prefix of a network range

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias
Router(config)#ip route 172.16.0.0 255.255.0.0 Ethernet1/0
Router(config)#ip route 172.17.0.0 255.255.0.0 Ethernet1/0
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.6 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Note: this applies when two networks need to reach each other but their address ranges conflict.

21.8. Using NAT for server load sharing

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary
Router(config)#access-list 20 permit host 192.168.1.100
Router(config)#ip nat inside destination list 20 pool WEBSERVERS
Router(config)#end
Router#

Note: what differs here is the rotary parameter and the use of destination rather than source in the translation rule; this is, of course, a poor man's load-balancing solution.

21.9. Stateful NAT failover

Router-A

Router-A#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#access-list 11 permit any
Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-A(config)#interface FastEthernet0/0
Router-A(config-if)#ip address 192.168.1.3 255.255.255.0
Router-A(config-if)#ip nat inside
Router-A(config-if)#standby 1 ip 192.168.1.1
Router-A(config-if)#standby 1 preempt
Router-A(config-if)#standby 1 name SNATGROUP
Router-A(config-if)#exit
Router-A(config)#interface Serial0/0
Router-A(config-if)#ip address 172.17.55.2 255.255.255.252
Router-A(config-if)#ip nat outside
Router-A(config-if)#exit
Router-A(config)#ip nat Stateful id 1
Router-A(config-ipnat-snat)#redundancy SNATGROUP
Router-A(config-ipnat-snat-red)#mapping-id 1
Router-A(config-ipnat-snat-red)#exit
Router-A(config)#end
Router-A#

Router-B

Router-B#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-B(config)#access-list 11 permit any
Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-B(config)#interface FastEthernet0/0
Router-B(config-if)#ip address 192.168.1.2 255.255.255.0
Router-B(config-if)#ip nat inside
Router-B(config-if)#standby 1 ip 192.168.1.1
Router-B(config-if)#standby 1 priority 90
Router-B(config-if)#standby 1 preempt
Router-B(config-if)#standby 1 name SNATGROUP
Router-B(config-if)#exit
Router-B(config)#interface Serial0/0
Router-B(config-if)#ip address 172.17.55.6 255.255.255.252
Router-B(config-if)#ip nat outside
Router-B(config-if)#exit
Router-B(config)#ip nat Stateful id 1
Router-B(config-ipnat-snat)#redundancy SNATGROUP
Router-B(config-ipnat-snat-red)#mapping-id 1
Router-B(config-ipnat-snat-red)#exit
Router-B(config)#end
Router-B#

Note: although HSRP solves the availability problem, it cannot synchronize the NAT translation table. From 12.2(13)T on, Cisco introduced Stateful NAT (SNAT), which keeps the translation tables of the two devices synchronized; its key command is ip nat Stateful. Note that Stateful here begins with a capital letter, and it is case-sensitive. Also, SNAT works only together with HSRP, not with VRRP or GLBP. Multiple HSRP groups can also be used to achieve load balancing.

21.10. Adjusting NAT timeouts

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation tcp-timeout 500
Router(config)#ip nat translation udp-timeout 30
Router(config)#ip nat translation dns-timeout 30
Router(config)#ip nat translation icmp-timeout 30
Router(config)#ip nat translation finrst-timeout 30
Router(config)#ip nat translation syn-timeout 30
Router(config)#end
Router#

The maximum number of entries in the translation table can also be limited:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation max-entries 1000
Router(config)#end
Router#

Note: the defaults are 24 hours for TCP, 5 minutes for UDP and 1 minute for DNS.

21.11. Changing the TCP port for FTP

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 19 permit 192.168.55.5
Router(config)#ip nat service list 19 ftp tcp port 8021
Router(config)#ip nat service list 19 ftp tcp port 21
Router(config)#end
Router#

Note: after 12.2(4)T Cisco introduced the no-payload keyword, which prevents address information inside the packet payload from being modified.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload
Router(config)#end
Router#

Router#show ip nat translations
Router#clear ip nat translation *
Router#clear ip nat translation inside 172.18.3.2
Router#clear ip nat translation outside 192.168.1.10
Router#show ip nat statistics
Router#clear ip nat statistics

Note:

Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global

"Inside global" is the translated address of an inside device; "Inside local" is the real address of an inside device; "Outside local" is the translated address of an outside device; "Outside global" is the real address of an outside device. Global addresses are what is seen on the outside; local addresses are what is seen on the inside.

Troubleshooting

Router#debug ip nat
Router#debug ip nat detailed
Router#debug ip nat 15
Router#debug ip nat 15 detailed
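The four columns explained above can be parsed from captured show ip nat translations output to answer the usual defender's question: which inside host sat behind a given inside-global address and port. This is an added example, not part of the original document; the output lines are constructed to match the 21.1 topology (hosts translated to 172.16.1.5) plus a static entry for 172.16.1.10 as in 21.3.

```python
# Constructed sample of 'show ip nat translations' output (not captured from a real router)
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.1.5:1024    192.168.1.15:3001  203.0.113.7:443    203.0.113.7:443
tcp 172.16.1.5:1025    192.168.1.20:50112 203.0.113.7:443    203.0.113.7:443
udp 172.16.1.5:1026    192.168.1.20:53211 198.51.100.2:53    198.51.100.2:53
--- 172.16.1.10        192.168.1.15       ---                ---
"""

def _endpoint(field):
    """'172.16.1.5:1024' -> ('172.16.1.5', 1024); '172.16.1.10' -> ('172.16.1.10', None); '---' -> None."""
    if field == "---":
        return None
    ip, _, port = field.partition(":")
    return (ip, int(port) if port else None)

def parse_translations(text):
    """Turn the table into dicts keyed by the column names the document explains."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":   # skip the header and blank lines
            continue
        pro, ig, il, ol, og = parts
        entries.append({
            "proto": None if pro == "---" else pro,   # '---' marks a static entry with no flow
            "inside_global": _endpoint(ig),
            "inside_local": _endpoint(il),
            "outside_local": _endpoint(ol),
            "outside_global": _endpoint(og),
        })
    return entries

def find_inside_host(entries, global_ip, port=None, proto=None):
    """Map an inside-global address (optionally narrowed by port and protocol) back to the
    inside-local endpoint, which is what an abuse report naming the NAT address needs
    before it can be attributed to an internal host."""
    for e in entries:
        if e["inside_global"] is None:
            continue
        ip, gport = e["inside_global"]
        if ip != global_ip:
            continue
        if port is not None and gport != port:
            continue
        if proto is not None and e["proto"] != proto:
            continue
        return e["inside_local"]
    return None
```

Because overload entries are only distinct by port, an external report must carry the port as well as the address, or the lookup cannot tell 192.168.1.15 from 192.168.1.20.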

Publisher: admin. Please credit the source when reposting: http://www.yc00.com/xiaochengxu/1688420296a135718.html
