-
静态NAT,动态NAT,NAPT(实验配置+原理讲解)
目录
静态NAT,动态NAT,NAPT
静态地址转换:只能实现一个私网与一个公网的一对一映射
动态地址转换:创建地址池,当私网地址需要访问外网时,从地址池中取出一个地址与私有地址一对一临时映射。
NAPT:NAT是一对一的转换,NAPT是多对一的转换,即多个内部地址使用同一地址不同端口转换成外部地址进行通信的。
接下来通过实验现象观察:
实验一:静态NAT地址转换
案例如下:
设备配置如下:
配置交换机LSW1
- <Huawei>sys
- Enter system view, return user view with Ctrl+Z.
- [Huawei]sysname LSW1
- [LSW1]vlan batch 10
- Sep 25 2023 19:47:17-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
- 5.191.3.1 configurations have been changed. The current change number is 4, the
- change loop count is 0, and the maximum number of records is 4095.
- Info: This operation may take a few seconds. Please wait for a moment...done.
- [LSW1]
- Sep 25 2023 19:47:27-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.2
- 5.191.3.1 configurations have been changed. The current change number is 5, the
- change loop count is 0, and the maximum number of records is 4095.
- [LSW1]undo info-center enable
- Info: Information center is disabled.
- [LSW1]port-group pgv10
- [LSW1-port-group-pgv10]group-member g0/0/11
- [LSW1-port-group-pgv10]group-member g0/0/12
- [LSW1-port-group-pgv10]group-member g0/0/24
- [LSW1-port-group-pgv10]port link-type access
- [LSW1-GigabitEthernet0/0/11]port link-type access
- [LSW1-GigabitEthernet0/0/12]port link-type access
- [LSW1-GigabitEthernet0/0/24]port link-type access
- [LSW1-port-group-pgv10]port default vlan 10
- [LSW1-GigabitEthernet0/0/11]port default vlan 10
- [LSW1-GigabitEthernet0/0/12]port default vlan 10
- [LSW1-GigabitEthernet0/0/24]port default vlan 10
- [LSW1-port-group-pgv10]qu
- [LSW1]display vlan
- The total number of vlans is : 2
- --------------------------------------------------------------------------------
- U: Up; D: Down; TG: Tagged; UT: Untagged;
- MP: Vlan-mapping; ST: Vlan-stacking;
- #: ProtocolTransparent-vlan; *: Management-vlan;
- --------------------------------------------------------------------------------
- VID Type Ports
- --------------------------------------------------------------------------------
- 1 common UT:GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
- GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
- GE0/0/9(D) GE0/0/10(D) GE0/0/13(D) GE0/0/14(D)
- GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
- GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
- GE0/0/23(D)
- 10 common UT:GE0/0/11(U) GE0/0/12(U) GE0/0/24(U)
- VID Status Property MAC-LRN Statistics Description
- --------------------------------------------------------------------------------
- 1 enable default enable disable VLAN 0001
- 10 enable default enable disable VLAN 0010
- [LSW1]
配置交换机LSW2
- <Huawei>sys
- Enter system view, return user view with Ctrl+Z.
- [Huawei]sysname LSW2
- [LSW2]VLAN batch 10
- Info: This operation may take a few seconds. Please wait for a moment...done.
- [LSW2]undo info-center enable
- Info: Information center is disabled.
- [LSW2]port-group pgv10
- [LSW2-port-group-pgv10]group-member g0/0/11
- [LSW2-port-group-pgv10]group-member g0/0/12
- [LSW2-port-group-pgv10]group-member g0/0/24
- [LSW2-port-group-pgv10]port link-type access
- [LSW2-GigabitEthernet0/0/11]port link-type access
- [LSW2-GigabitEthernet0/0/12]port link-type access
- [LSW2-GigabitEthernet0/0/24]port link-type access
- [LSW2-port-group-pgv10]port default vlan 10
- [LSW2-GigabitEthernet0/0/11]port default vlan 10
- [LSW2-GigabitEthernet0/0/12]port default vlan 10
- [LSW2-GigabitEthernet0/0/24]port default vlan 10
- [LSW2-port-group-pgv10]qu
- [LSW2]display vlan
- The total number of vlans is : 2
- --------------------------------------------------------------------------------
- U: Up; D: Down; TG: Tagged; UT: Untagged;
- MP: Vlan-mapping; ST: Vlan-stacking;
- #: ProtocolTransparent-vlan; *: Management-vlan;
- --------------------------------------------------------------------------------
- VID Type Ports
- --------------------------------------------------------------------------------
- 1 common UT:GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
- GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
- GE0/0/9(D) GE0/0/10(D) GE0/0/13(D) GE0/0/14(D)
- GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
- GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
- GE0/0/23(D)
- 10 common UT:GE0/0/11(U) GE0/0/12(U) GE0/0/24(U)
- VID Status Property MAC-LRN Statistics Description
- --------------------------------------------------------------------------------
- 1 enable default enable disable VLAN 0001
- 10 enable default enable disable VLAN 0010
配置路由器IP地址和静态路由
RTA
- <Huawei>sys
- Enter system view, return user view with Ctrl+Z.
- [Huawei]sysname RTA
- [RTA]int g0/0/0
- [RTA-GigabitEthernet0/0/0]ip address 192.168.10.1 24
- Sep 25 2023 19:53:27-08:00 RTA %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
- on the interface GigabitEthernet0/0/0 has entered the UP state.
- [RTA-GigabitEthernet0/0/0]qu
- [RTA]int g0/0/1
- [RTA-GigabitEthernet0/0/1]ip address 192.168.30.1 24
- Sep 25 2023 19:53:48-08:00 RTA %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
- on the interface GigabitEthernet0/0/1 has entered the UP state.
- [RTA-GigabitEthernet0/0/1]qu
- [RTA]int g0/0/2
- [RTA-GigabitEthernet0/0/2]ip address 202.168.211.1 24
- Sep 25 2023 19:54:09-08:00 RTA %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
- on the interface GigabitEthernet0/0/2 has entered the UP state.
- [RTA-GigabitEthernet0/0/2]qu
- #配置静态默认路由,允许访问外部网络
- [RTA]ip route-static 0.0.0.0 0 202.168.211.2
- [RTA]display IP routing-table
- Route Flags: R - relay, D - download to fib
- ------------------------------------------------------------------------------
- Routing Tables: Public
- Destinations : 14 Routes : 14
- Destination/Mask Proto Pre Cost Flags NextHop Interface
- 0.0.0.0/0 Static 60 0 RD 202.168.211.2 GigabitEthernet
- 0/0/2
- 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
- 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
- 127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
- 192.168.10.0/24 Direct 0 0 D 192.168.10.1 GigabitEthernet
- 0/0/0
- 192.168.10.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/0
- 192.168.10.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/0
- 192.168.30.0/24 Direct 0 0 D 192.168.30.1 GigabitEthernet
- 0/0/1
- 192.168.30.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/1
- 192.168.30.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/1
- 202.168.211.0/24 Direct 0 0 D 202.168.211.1 GigabitEthernet
- 0/0/2
- 202.168.211.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/2
- 202.168.211.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/2
- 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
RTB
- <Huawei>sys
- Enter system view, return user view with Ctrl+Z.
- [Huawei]sysname RTB
- [RTB]int g0/0/2
- [RTB-GigabitEthernet0/0/2]ip address 202.168.211.2 24
- [RTB-GigabitEthernet0/0/2]
- Sep 25 2023 19:57:18-08:00 RTB %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
- on the interface GigabitEthernet0/0/2 has entered the UP state.
- [RTB-GigabitEthernet0/0/2]qu
- [RTB]dis IP routing-table
- Route Flags: R - relay, D - download to fib
- ------------------------------------------------------------------------------
- Routing Tables: Public
- Destinations : 7 Routes : 7
- Destination/Mask Proto Pre Cost Flags NextHop Interface
- 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
- 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
- 127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
- 202.168.211.0/24 Direct 0 0 D 202.168.211.2 GigabitEthernet
- 0/0/2
- 202.168.211.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/2
- 202.168.211.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
- 0/0/2
- 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
- [RTB]
PC-10-1与PC-10-2,PC-30-2以及RTA的通信
- PC>ping 192.168.10.12
- Ping 192.168.10.12: 32 data bytes, Press Ctrl_C to break
- From 192.168.10.12: bytes=32 seq=1 ttl=128 time=47 ms
- From 192.168.10.12: bytes=32 seq=2 ttl=128 time=16 ms
- From 192.168.10.12: bytes=32 seq=3 ttl=128 time=31 ms
- From 192.168.10.12: bytes=32 seq=4 ttl=128 time=31 ms
- From 192.168.10.12: bytes=32 seq=5 ttl=128 time=31 ms
- --- 192.168.10.12 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 16/31/47 ms
- PC>ping 192.168.30.12
- Ping 192.168.30.12: 32 data bytes, Press Ctrl_C to break
- Request timeout!
- From 192.168.30.12: bytes=32 seq=2 ttl=127 time=46 ms
- From 192.168.30.12: bytes=32 seq=3 ttl=127 time=79 ms
- From 192.168.30.12: bytes=32 seq=4 ttl=127 time=46 ms
- From 192.168.30.12: bytes=32 seq=5 ttl=127 time=79 ms
- --- 192.168.30.12 ping statistics ---
- 5 packet(s) transmitted
- 4 packet(s) received
- 20.00% packet loss
- round-trip min/avg/max = 0/62/79 ms
- PC>ping 202.168.211.1
- Ping 202.168.211.1: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.1: bytes=32 seq=1 ttl=255 time=31 ms
- From 202.168.211.1: bytes=32 seq=2 ttl=255 time=47 ms
- From 202.168.211.1: bytes=32 seq=3 ttl=255 time=47 ms
- From 202.168.211.1: bytes=32 seq=4 ttl=255 time=31 ms
- From 202.168.211.1: bytes=32 seq=5 ttl=255 time=32 ms
- --- 202.168.211.1 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 31/37/47 ms
PC-30-1与PC-10-2,PC-30-2和路由器RTA通信
- PC>ping 192.168.10.12
- Ping 192.168.10.12: 32 data bytes, Press Ctrl_C to break
- Request timeout!
- Request timeout!
- From 192.168.10.12: bytes=32 seq=3 ttl=127 time=62 ms
- From 192.168.10.12: bytes=32 seq=4 ttl=127 time=63 ms
- From 192.168.10.12: bytes=32 seq=5 ttl=127 time=63 ms
- --- 192.168.10.12 ping statistics ---
- 5 packet(s) transmitted
- 3 packet(s) received
- 40.00% packet loss
- round-trip min/avg/max = 0/62/63 ms
- PC>ping 192.168.30.12
- Ping 192.168.30.12: 32 data bytes, Press Ctrl_C to break
- From 192.168.30.12: bytes=32 seq=1 ttl=128 time=32 ms
- From 192.168.30.12: bytes=32 seq=2 ttl=128 time=31 ms
- From 192.168.30.12: bytes=32 seq=3 ttl=128 time=47 ms
- From 192.168.30.12: bytes=32 seq=4 ttl=128 time=31 ms
- From 192.168.30.12: bytes=32 seq=5 ttl=128 time=31 ms
- --- 192.168.30.12 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 31/34/47 ms
- PC>ping 202.168.211.1
- Ping 202.168.211.1: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.1: bytes=32 seq=1 ttl=255 time=63 ms
- From 202.168.211.1: bytes=32 seq=2 ttl=255 time=47 ms
- From 202.168.211.1: bytes=32 seq=3 ttl=255 time=31 ms
- From 202.168.211.1: bytes=32 seq=4 ttl=255 time=31 ms
- From 202.168.211.1: bytes=32 seq=5 ttl=255 time=31 ms
- --- 202.168.211.1 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 31/40/63 ms
因为RTB与PC主机不在同一个网段,所以需要用到nat
对RTA配置静态NAT
- [RTA]int g0/0/2
- #将PC-10-1的地址映射到202.168.211.10
- [RTA-GigabitEthernet0/0/2]nat static global 202.168.211.10 inside 192.168.10.11
- #将PC-30-1的地址映射到202.168.211.30
- [RTA-GigabitEthernet0/0/2]nat static global 202.168.211.30 inside 192.168.30.11
- [RTA-GigabitEthernet0/0/2]qu
- [RTA]display nat static
- Static Nat Information:
- Interface : GigabitEthernet0/0/2
- Global IP/Port : 202.168.211.10/----
- Inside IP/Port : 192.168.10.11/----
- Protocol : ----
- VPN instance-name : ----
- Acl number : ----
- Netmask : 255.255.255.255
- Description : ----
- Global IP/Port : 202.168.211.30/----
- Inside IP/Port : 192.168.30.11/----
- Protocol : ----
- VPN instance-name : ----
- Acl number : ----
- Netmask : 255.255.255.255
- Description : ----
- Total : 2
- [RTA]display nat session all verbose
- NAT Session Table Information:
- Total : 0
用各主机 ping RTB,PC-10-2与PC-30-2不能ping通,因为没有做地址映射,所以
静态NAT需要为每个需要映射的内部主机分配一个公有IP地址,因此会占用较多的IP地址资源。
- #PC-10-1
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.2: bytes=32 seq=1 ttl=254 time=31 ms
- From 202.168.211.2: bytes=32 seq=2 ttl=254 time=47 ms
- From 202.168.211.2: bytes=32 seq=3 ttl=254 time=47 ms
- From 202.168.211.2: bytes=32 seq=4 ttl=254 time=31 ms
- From 202.168.211.2: bytes=32 seq=5 ttl=254 time=47 ms
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 31/40/47 ms
- #PC-10-2
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- Request timeout!
- Request timeout!
- Request timeout!
- Request timeout!
- Request timeout!
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 0 packet(s) received
- 100.00% packet loss
- #PC-30-1
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.2: bytes=32 seq=1 ttl=254 time=63 ms
- From 202.168.211.2: bytes=32 seq=2 ttl=254 time=15 ms
- From 202.168.211.2: bytes=32 seq=3 ttl=254 time=47 ms
- From 202.168.211.2: bytes=32 seq=4 ttl=254 time=31 ms
- From 202.168.211.2: bytes=32 seq=5 ttl=254 time=31 ms
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 15/37/63 ms
- #PC-30-2
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- Request timeout!
- Request timeout!
- Request timeout!
- Request timeout!
- Request timeout!
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 0 packet(s) received
- 100.00% packet loss
实验二:动态NAT配置
案例如下:
对以上实验进行如下配置,即可继续进行实验:
- <RTA>sys
- Enter system view, return user view with Ctrl+Z.
- [RTA]int g0/0/2
- [RTA-GigabitEthernet0/0/2]undo nat static global 202.168.211.10 inside 192.168.1
- 0.11
- [RTA-GigabitEthernet0/0/2]undo nat static global 202.168.211.30 inside 192.1683
- 0.11
- [RTA-GigabitEthernet0/0/2]
路由器RTA配置动态NAT
1.配置地址池
2.配置ACL
3.配置出方向动态地址转换
- #1.配置地址池
- # 地址池是一些连续的 IP 地址集合。地址池的起始地址必须小于等于结束地址,且起始地址到结束地址之间的地址个数不能大于255。
- #配置一个从202.168.211.10到202.168.211.13的地址池,地址池索引号为1。
- [RTA]nat address-group 1 202.168.211.10 202.168.211.13
- #配置一个从202.168.211.30到202.168.211.33的地址池,地址池索引号为1。
- [RTA]nat address-group 2 202.168.211.30 202.168.211.33
- #查看地址池
- [RTA]dis nat address-group
- NAT Address-Group Information:
- --------------------------------------
- Index Start-address End-address
- --------------------------------------
- 1 202.168.211.10 202.168.211.13
- 2 202.168.211.30 202.168.211.33
- --------------------------------------
- Total : 2
- #2.配置ACL(AccessControl List,访问控制列表)。
- # 允许特定地址进行NAT 地址转换。
- #编号为2000~2999的ACL为基本ACL(BasicAccess-List
- # 配置ACL 2010,仅允许对192.168.10.0/24 网段中的源地址进行地址转换
- [RTA]acl 2010
- [RTA-acl-basic-2010]rule permit source 192.168.10.0 0.0.0.255
- [RTA-acl-basic-2010]qu
- # 配置ACL 2030,仅允许对192.168.30.0/24 网段中的源地址进行地址转换
- [RTA]acl 2030
- [RTA-acl-basic-2030]rule permit source 192.168.30.0 0.0.0.255
- [RTA-acl-basic-2030]qu
- [RTA]dis acl all
- Total quantity of nonempty ACL number is 2
- Basic ACL 2010, 1 rule
- Acl's step is 5
- rule 5 permit source 192.168.10.0 0.0.0.255
- Basic ACL 2030, 1 rule
- Acl's step is 5
- rule 5 permit source 192.168.30.0 0.0.0.255
- [RTA]dis acl 2010
- Basic ACL 2010, 1 rule
- Acl's step is 5
- rule 5 permit source 192.168.10.0 0.0.0.255
- [RTA]dis acl 2030
- Basic ACL 2030, 1 rule
- Acl's step is 5
- rule 5 permit source 192.168.30.0 0.0.0.255
- #3.配置出方向动态地址转换
- #在端口 GE 0/0/2上配置出方向动态地址转换
- [RTA]int g0/0/2
- # nat outbound命令用来将一个访问控制列表ACL和一个地址池关联起来,表示ACL 中规定的地址可以使用地址池进行地址转换
- # no-pat 表示使用一对一地址转换,只转换地址而不转换端口。
- [RTA-GigabitEthernet0/0/2]nat outbound 2010 address-group 1 no-pat
- [RTA-GigabitEthernet0/0/2]nat outbound 2030 address-group 2 no-pat
- [RTA-GigabitEthernet0/0/2]qu
- [RTA]display nat outbound
- NAT Outbound Information:
- --------------------------------------------------------------------------
- Interface Acl Address-group/IP/Interface Type
- --------------------------------------------------------------------------
- GigabitEthernet0/0/2 2010 1 no-pat
- GigabitEthernet0/0/2 2030 2 no-pat
- --------------------------------------------------------------------------
- Total : 2
- [RTA]dis nat outbound acl 2010
- NAT Outbound Information:
- --------------------------------------------------------------------------
- Interface Acl Address-group/IP/Interface Type
- --------------------------------------------------------------------------
- GigabitEthernet0/0/2 2010 1 no-pat
- --------------------------------------------------------------------------
- Total : 1
- #gigabitethernet要全写
- [RTA]dis nat outbound int gigabitethernet 0/0/2
- NAT Outbound Information:
- --------------------------------------------------------------------------
- Interface Acl Address-group/IP/Interface Type
- --------------------------------------------------------------------------
- GigabitEthernet0/0/2 2010 1 no-pat
- GigabitEthernet0/0/2 2030 2 no-pat
- --------------------------------------------------------------------------
- Total : 2
- #查看NAT地址转换表所有表项的详细信息
- [RTA]display nat session all verbose
- NAT Session Table Information:
- Total : 0
现在各PC主机都能ping通RTB,因为192.168.10.0/24网段与192.168.30.0/24网段都进行了地址映射
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.2: bytes=32 seq=1 ttl=254 time=63 ms
- From 202.168.211.2: bytes=32 seq=2 ttl=254 time=62 ms
- From 202.168.211.2: bytes=32 seq=3 ttl=254 time=63 ms
- From 202.168.211.2: bytes=32 seq=4 ttl=254 time=62 ms
- Request timeout!
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 4 packet(s) received
- 20.00% packet loss
- round-trip min/avg/max = 62/62/63 ms
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.2: bytes=32 seq=1 ttl=254 time=47 ms
- From 202.168.211.2: bytes=32 seq=2 ttl=254 time=47 ms
- From 202.168.211.2: bytes=32 seq=3 ttl=254 time=31 ms
- From 202.168.211.2: bytes=32 seq=4 ttl=254 time=31 ms
- Request timeout!
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 4 packet(s) received
- 20.00% packet loss
- round-trip min/avg/max = 31/39/47 ms
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.2: bytes=32 seq=1 ttl=254 time=47 ms
- From 202.168.211.2: bytes=32 seq=2 ttl=254 time=78 ms
- From 202.168.211.2: bytes=32 seq=3 ttl=254 time=63 ms
- From 202.168.211.2: bytes=32 seq=4 ttl=254 time=78 ms
- Request timeout!
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 4 packet(s) received
- 20.00% packet loss
- round-trip min/avg/max = 47/66/78 ms
- PC>ping 202.168.211.2
- Ping 202.168.211.2: 32 data bytes, Press Ctrl_C to break
- From 202.168.211.2: bytes=32 seq=1 ttl=254 time=62 ms
- From 202.168.211.2: bytes=32 seq=2 ttl=254 time=32 ms
- From 202.168.211.2: bytes=32 seq=3 ttl=254 time=31 ms
- From 202.168.211.2: bytes=32 seq=4 ttl=254 time=31 ms
- Request timeout!
- --- 202.168.211.2 ping statistics ---
- 5 packet(s) transmitted
- 4 packet(s) received
- 20.00% packet loss
- round-trip min/avg/max = 31/39/62 ms
查看NAT地址转换表,可以看到,内网地址映射到外网,202.168.211.1与202.168.211.2直连,所以可以与RTB通信
- [RTA]display nat session all
- NAT Session Table Information:
- Protocol : ICMP(1)
- SrcAddr Vpn : 192.168.10.11
- DestAddr Vpn : 202.168.211.2
- Type Code IcmpId : 0 8 33494
- NAT-Info
- New SrcAddr : 202.168.211.11
- New DestAddr : ----
- New IcmpId : ----
- Protocol : ICMP(1)
- SrcAddr Vpn : 192.168.10.11
- DestAddr Vpn : 202.168.211.2
- Type Code IcmpId : 0 8 33496
- NAT-Info
- New SrcAddr : 202.168.211.13
- New DestAddr : ----
- New IcmpId : ----
- Protocol : ICMP(1)
- SrcAddr Vpn : 192.168.10.11
- DestAddr Vpn : 202.168.211.2
- Type Code IcmpId : 0 8 33495
用PC-10-1 ping RTB路由器, 通过对RTB的g0/0/2端口抓包可以看出,内网地址映射为地址池的地址,与RTB进行通信
这里也可以发现,一台PC占用了地址池的所有地址,即对地址池的所有地址轮流使用,这样两台PC就不能做到同时ping,但是现实里是不会这样的
两台PC同时ping的效果
实验三:NAPT配置
动态NAT与NAPT的区别:
动态NAT 使用公有地址池,并以先到先得的原则分配这些地址。 当具有私有IP地址的主机请求访问互联网时,动态NAT会从地址池中选择一个未被其他主机占用的IP地址进行一对一的转换。 当数据会话结束后,路由器会释放掉公有IP地址回到地址池,以提供其他内部私有IP地址的转换。 如果同一时刻地址池中地址被NAT转换完毕,则其他私有地址不能够被NAT转换。
NAPT代表网络地址端口转换。 它是一种NAT(网络地址转换),允许专用网络中的多个设备共享单个公共IP地址,NAPT 通过使用 IP 地址和端口号的组合来执行转换。
按照以上实验配置交换机和路由器,对RTA配置动态NAT
1.配置地址池
2.配置ACL,允许特定地址进行NAT地址转换
3.配置出方向动态地址转换
- # 1.配置地址池
- # 配置一个从202.168.211.10到202.168.211.10 的地址池,地址池索引号为 1。
- [RTA]nat address-group 1 202.168.211.10 202.168.211.10
- #查看地址池
- [RTA]dis nat address-group
- NAT Address-Group Information:
- --------------------------------------
- Index Start-address End-address
- --------------------------------------
- 1 202.168.211.10 202.168.211.10
- --------------------------------------
- Total : 1
- # 2.配置 ACL,允许特定地址进行 NAT 地址转换。
- # 配置ACL 2100,仅允许对192.168.0.0/19网段中的源地址进行地址转换
- [RTA]acl 2100
- [RTA-acl-basic-2100]rule permit source 192.168.0.0 0.0.31.255
- [RTA-acl-basic-2100]qu
- [RTA]dis acl all
- Total quantity of nonempty ACL number is 1
- Basic ACL 2100, 1 rule
- Acl's step is 5
- rule 5 permit source 192.168.0.0 0.0.31.255
- # 3.配置出方向动态地址转换
- # 在端口 GE 0/0/2 上配置出方向动态地址转换,允许转换地址和端口
- [RTA]dis acl 2010
- [RTA]int g0/0/2
- [RTA-GigabitEthernet0/0/2]nat outbound 2100 address-group 1
- [RTA-GigabitEthernet0/0/2]qu
- [RTA]display nat outbound
- NAT Outbound Information:
- --------------------------------------------------------------------------
- Interface Acl Address-group/IP/Interface Type
- --------------------------------------------------------------------------
- GigabitEthernet0/0/2 2100 1 pat
- --------------------------------------------------------------------------
- Total : 1
- [RTA]display nat outbound acl 2100
- NAT Outbound Information:
- --------------------------------------------------------------------------
- Interface Acl Address-group/IP/Interface Type
- --------------------------------------------------------------------------
- GigabitEthernet0/0/2 2100 1 pat
- --------------------------------------------------------------------------
- Total : 1
- [RTA]display nat outbound int gigabitethernet 0/0/2
- NAT Outbound Information:
- --------------------------------------------------------------------------
- Interface Acl Address-group/IP/Interface Type
- --------------------------------------------------------------------------
- GigabitEthernet0/0/2 2100 1 pat
- --------------------------------------------------------------------------
- Total : 1
- [RTA]display nat session all verbose
- NAT Session Table Information:
- Total : 0
- [RTA]
可以看到NAT的动态转换和NAPT配置的区别主要在于
- #动态地址转换
- #一对一
- # no-pat 表示使用一对一地址转换,只转换地址而不转换端口。
- [RTA-GigabitEthernet0/0/2]nat outbound 2010 address-group 1 no-pat
- [RTA-GigabitEthernet0/0/2]nat outbound 2030 address-group 2 no-pat
- #NAPT
- #多对一
- #多个内部地址使用同一地址(202.168.211.10)不同端口转换成外部地址进行通信的。
- [RTA]int g0/0/2
- [RTA-GigabitEthernet0/0/2]nat outbound 2100 address-group 1
如有描述错误,请大佬们不吝赐教,感谢佬们!!💖💖💖
-
相关阅读:
线程的状态
【Web安全】SQL各类注入与绕过
松霖转债上市价格预测(昨天的)
web前端进阶<7>:3d图像翻转效果
Powershell命令行设置代理
哪些偏门项目可以做到?自媒体做到月赚一万以上很难吗?
Android OpenGL ES 学习(七) – 纹理
二分图最佳匹配(kuhn munkras 算法 O(m*m*n))
必看!TMS320C6678+Kintex-7开发板——FPGA案例开发资料(下)
CSRF 002
- 原文地址:https://blog.csdn.net/weixin_69884785/article/details/133279393
- 最新文章
-
C++11 线程同步接口std::condition_variable和std::future的简单使用
Go runtime 调度器精讲(十一):总览全局
Spring框架漏洞总结
Angular 18+ 高级教程 – 国际化 Internationalization i18n
基于Tauri2+Vue3搭建桌面端程序|tauri2+vite5多窗口|消息提醒|托盘闪烁
ComfyUI 基础教程(五) —— 应用 IP-Adapter 实现图像风格迁移
网络空间的“边水往事”?针对华语黑产及用户进行攻击的 APT-K-UN3 活动分析
伪装“黑神话悟空修改器”传播木马的活动分析
全球蓝屏后,微软决定将安全踢出Windows内核
Java读取寄存器数据的方法