NAT terminology:
inside: the network whose addresses need to be translated into external addresses
outside: the external network, i.e. Internet addresses
local: an address as it appears on the inside network
global: an address as it appears on the outside network
inside local: the IP address assigned to a host on the inside network. It is usually not globally unique; it is normally taken from the private address space defined in RFC 1918
inside global: the address that replaces the inside local address toward the outside, i.e. the translated address, usable on the Internet. It is globally unique and assigned by the ISP
outside local: the IP address of an outside host as seen from the inside network. It may be allocated from the RFC 1918 private ranges
outside global: the real external address assigned to the outside host
simple translation entry: a translation that maps one IP address to another IP address
extended translation entry: a translation that maps an IP address and port combination to another address and port combination
static address translation: a fixed one-to-one mapping of a local address to a global address
dynamic address translation: local addresses are mapped on demand to addresses taken from a global pool
port address translation (PAT): several local addresses share one global address by combining the address with a port; the port number distinguishes the different local hosts. This technique is also called overloading. (The figure referenced at this point is not reproduced on the page.)
How to configure NAT
In interface configuration mode:
1. Mark the interface as inside or outside:
ip nat { inside | outside }
In global configuration mode:
2. Define the pool: start address, end address, mask:
ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> | prefix-length <prefix-length> } [ type rotary ]
3. Enable inside source address translation:
ip nat inside source { list <acl> pool <name> [overload] | static <local-ip> <global-ip> }
list <acl> pool <name> [overload] is dynamic translation: packets permitted by the ACL are translated to global addresses from the pool. Note that the ACL only selects which traffic is translated; it is not a packet filter. The optional overload keyword enables TCP/UDP port translation (many-to-one mapping, PAT).
static <local-ip> <global-ip> is static translation.
4. Enable inside destination address translation (with a type rotary pool this gives TCP load distribution across the pool hosts):
ip nat inside destination { list <acl> pool <name> | static <global-ip> <local-ip> }
5. Enable outside source address translation:
ip nat outside source { list <acl> pool <name> | static <global-ip> <local-ip> }
list <acl> pool <name> is dynamic translation.
static <global-ip> <local-ip> is static translation.
6. Outside destination address translation: IOS has no separate "ip nat outside destination" command. The outside source entries from step 5 are applied to the source address of outside-to-inside packets and, in the reverse direction, to the destination address of inside-to-outside packets, so they already cover this case.
7. Configure the NAT translation timeout (default 86400 seconds, i.e. 24 hours):
ip nat translation timeout <seconds>
In privileged EXEC mode:
8. Show the active translation entries:
show ip nat translations [ verbose ]
9. Show NAT statistics:
show ip nat statistics
10. Clear all dynamic translation entries (static entries and the configuration itself are not affected):
clear ip nat translation *
11. Clear a single dynamic translation entry:
clear ip nat translation inside <global-ip> <local-ip>
12. Clear a specific extended (port) translation entry:
clear ip nat translation <protocol> inside <global-ip> <global-port> <local-ip> <local-port>
13. Debug:
debug ip nat [ <list> ] [ detailed ]
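Added example (not from the original page): steps 1 to 7 assembled into one working configuration, followed by constructed "show ip nat translations" output whose four address columns correspond to the inside local / inside global / outside local / outside global terms defined above. All addresses are made up (RFC 1918 inside, RFC 5737 documentation ranges outside), and the port numbers in the output are illustrative, since port allocation details depend on the IOS release.

```text
! Added example, not from the original page.
! Inside network 10.0.0.0/24, ISP-assigned global pool 203.0.113.16-23,
! outside peer 198.51.100.10. All addresses are made up.
!
! Selects which inside hosts are translated. This ACL chooses traffic
! for NAT; it does not block anything.
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Step 2: pool of inside global addresses
ip nat pool ISP-POOL 203.0.113.16 203.0.113.23 netmask 255.255.255.0
!
! Step 3 (dynamic): overload = PAT. Without "overload" each inside host
! holds one pool address, and the ninth host gets no translation at all.
ip nat inside source list 1 pool ISP-POOL overload
!
! Step 3 (static): one-to-one mapping for a host that must be reachable
! from outside at a fixed global address. This exposes every port of
! 10.0.0.25 to inbound traffic unless an ACL on the outside interface
! restricts it.
ip nat inside source static 10.0.0.25 203.0.113.25
!
! Step 7: drop idle dynamic entries after one hour instead of the
! 24 hour default
ip nat translation timeout 3600
!
! Step 1: mark the interfaces
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Step 8, constructed output after two inside hosts open HTTPS sessions
! to 198.51.100.10. Column meaning:
!   Inside global  = translated (public) address   (inside global)
!   Inside local   = real address of inside host   (inside local)
!   Outside local  = outside host as seen inside   (outside local)
!   Outside global = real address of outside host  (outside global)
! Without outside translation the last two columns are identical.
! The "---" row is the static simple entry; the tcp rows are extended
! (address+port) entries created by overload.
!
! Router# show ip nat translations
! Pro Inside global        Inside local        Outside local        Outside global
! tcp 203.0.113.16:49152   10.0.0.11:49152     198.51.100.10:443    198.51.100.10:443
! tcp 203.0.113.16:49153   10.0.0.12:50001     198.51.100.10:443    198.51.100.10:443
! --- 203.0.113.25         10.0.0.25           ---                  ---
```

To verify that the ACL actually selects the intended hosts, "show ip nat statistics" lists the dynamic mappings together with the ACL and pool they use and the number of hits and misses; a growing miss counter with an otherwise idle pool usually means the ACL does not match the traffic you expect.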
Some advanced configuration:
1. More flexible pool definition:
ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type rotary ]
This form allows a non-contiguous pool; the address ranges are then defined in pool configuration mode:
address <start> <end>
Example:
Router(config)#ip nat pool fred prefix-length 24
Router(config-ipnat-pool)#address 171.69.233.225 171.69.233.226
Router(config-ipnat-pool)#address 171.69.233.228 171.69.233.238
This defines a pool consisting of 171.69.233.225-226 and 171.69.233.228-238.
2. Translate to the address of an interface:
ip nat inside source list <number> interface <interface> overload
If the interface is shut down or has no IP address configured, no translation takes place.
3. Map a single service to an inside host (for example a mail server):
ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>
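Added example (not from the original page) for items 2 and 3 together: PAT onto the outside interface address plus a static port mapping that publishes only TCP/25 of an inside mail server, and the inbound ACL a practitioner would pair with it so the published port is the only thing reachable from outside. Addresses are made up (mail server 10.0.0.25, outside interface 203.0.113.2); the interface names are assumptions.

```text
! Added example, not from the original page. Made-up addresses.
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Item 2: PAT onto the outside interface address, no pool needed.
! If GigabitEthernet0/1 is shut down or has no address, nothing is
! translated.
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Item 3: only TCP port 25 of the global address is mapped to the mail
! server. All other ports of 203.0.113.2 remain with the router and
! with the PAT sessions above.
ip nat inside source static tcp 10.0.0.25 25 203.0.113.2 25
!
! The static mapping alone lets anyone on the Internet reach 10.0.0.25:25.
! Inbound ACLs on the outside interface are evaluated before the
! outside-to-inside translation, so they match on the global address.
! "established" only checks the ACK/RST flag and is a weak, stateless
! check; for production use stateful inspection (for example a
! zone-based firewall) instead.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.2 eq 25
 permit tcp any host 203.0.113.2 established
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

After a connection to the published port, "show ip nat translations" shows a tcp entry with inside global 203.0.113.2:25 and inside local 10.0.0.25:25, while outbound PAT sessions from other hosts share the same global address with different ports.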
4. Route map support (choose the pool by outgoing interface, for example with two providers):
ip nat inside source route-map <name> pool <name>
Example (access-list 1, which selects the inside hosts, is not shown):
ip nat pool provider1-space 171.69.232.1 171.69.232.254 prefix-length 24
ip nat pool provider2-space 131.108.43.1 131.108.43.254 prefix-length 24
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
interface Serial0/0
ip nat outside
!
interface Serial0/1
ip nat outside
!
interface Fddi1/0
ip nat inside
!
route-map provider1-map permit 10
match ip address 1
match interface Serial0/0
!
route-map provider2-map permit 10
match ip address 1
match interface Serial0/1