实验九 NAT配置

更新时间:2024-01-27 05:03:01 阅读量: 教育文库 文档下载

说明:文章内容仅供预览,部分内容可能不全。下载后的文档,内容与下面显示的完全一致。下载之前请确认下面内容是否您想要的,是否完整无缺。

实验九 NAT配置

一、实验目的

掌握Basic NAT的配置方法 掌握NAPT的配置方法 掌握Easy IP的配置方法 掌握NAT Server的配置方法

二、实验描述及组网图

网络迅速发展,IPv4地址不敷使用,为了解决IPv4地址短缺的问题,IETF提出了NAT解决方案。

NAT技术主要作用是将私有地址转换成公有地址。Basic NAT虽然可以实现私有地址和公有地址的转换但不如NAPT普及,NAPT采用端口号更能提高公网IP的利用效率,适用与私网作为客户端访问公网服务器的场合;Easy IP配置最为简单,一般用于拨号接入Internet或动态获得IP地址的场合;NAT Server则用于私网对外提供服务,由公网主动向私网设备发起连接的场合。

实验组网如图所示,实验使用两台主机(PC_A,PC_B)、三台MSR路由器(jiance1, jiance2, jiance3)。

PC_A,PC_B位于私网,网关为jiance1。jiance2为NAT设备,有一个私网接口S1/0和一个公网接口E1/0,公网接口与公网路由器jiance3互连,地址池范围是:200.1.1.11~200.1.1.11。公网jiance3上loopback 0是一个公网接口地址,作为公网服务器测试。

三、实验过程

实验任务一:配置Basic NAT

本实验中,实现私网主机PC_A和PC_B访问公网服务器220.1.1.1,通过在jiance2上配置在Basic NAT,动态的为私网主机分配公网地址。 步骤一:搭建实验环境

依照拓扑图搭建实验环境。

步骤二:基本配置

为PC_A配置IP地址为192.168.1.100/24,网关为192.168.1.1;配置PC_B的IP地址为192.168.2.100/24,网关为192.168.2.1;为jiance1,jiance2,jiance3各接口配置IP地址,并且确认各设备间直连网络能相互ping通。IP地址配完后在jiance1, jiance2静态配置私网内各网段的路由及默认路由,确保PC_A,PC_B能ping通200.1.1.1。为了对去往服务器的数据包提供路由,还需要在出口路由器jiance2上配置一条静态路由,指向JIANCE3。配置如下: jiance1:

[jiance1]interface Ethernet 0/0

[jiance1-Ethernet0/0]ip address 192.168.1.1 24 [jiance1]interface Ethernet 0/1

[jiance1-Ethernet0/1]ip address 192.168.2.1 24 [jiance1]interface Serial 1/0

[jiance1-Serial1/0]ip address 10.2.1.1 24

[jiance1]ip route-static 0.0.0.0 0 10.2.1.2 jiance2:

[jiance2]interface Serial 1/0

[jiance2-Serial1/0]ip address 10.2.1.2 24 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]ip address 200.1.1.1 24 [jiance2]ip route-static 192.168.0.0 16 10.2.1.1 [jiance2]ip route-static 0.0.0.0 0 200.1.1.2 jiance3:

[jiance3]interface Ethernet 0/0

[jiance3-Ethernet0/0]ip address 200.1.1.2 24 [jiance3-Ethernet0/0]quit [jiance3]interface LoopBack 0

[jiance3-LoopBack0]ip address 220.1.1.1 32 [jiance3-LoopBack0]quit

[jiance3]ip route-static 200.1.1.0 24 200.1.1.1 在PC_A上ping JIANCE2公网的出口地址200.1.1.1:

C:\\Documents and Settings\\jiance_pca>ping 200.1.1.1 Pinging 200.1.1.1 with 32 bytes of data:

Reply from 200.1.1.1: bytes=32 time=20ms TTL=254 Reply from 200.1.1.1: bytes=32 time=20ms TTL=254 Reply from 200.1.1.1: bytes=32 time=20ms TTL=254 Reply from 200.1.1.1: bytes=32 time=20ms TTL=254

Ping statistics for 200.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 20ms, Maximum = 20ms, Average = 20ms

在PC_B上ping jiance2公网的出口地址200.1.1.1:

C:\\Documents and Settings\\jiance_pcb>ping 200.1.1.1 Pinging 200.1.1.1 with 32 bytes of data:

Reply from 200.1.1.1: bytes=32 time=20ms TTL=254 Reply from 200.1.1.1: bytes=32 time=20ms TTL=254 Reply from 200.1.1.1: bytes=32 time=20ms TTL=254 Reply from 200.1.1.1: bytes=32 time=20ms TTL=254

Ping statistics for 200.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds:

Minimum = 20ms, Maximum = 20ms, Average = 20ms

步骤三:检查连通性

分别在PC_A,PC_B上ping服务器(IP地址为:220.1.1.1)。 在PC_A上ping服务器:

C:\\Documents and Settings\\jiance_pca>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 在PC_B上ping服务器:

C:\\Documents and Settings\\jiance_pcb>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

结果显示,从PC_A,PC_B上无法ping通服务器。这是因为私网地址在公网上无法被路由,从服务器回应的ping报文在JIANCE3上无法找到192.168.0.0/24网段的路由。

步骤四:配置Basic NAT

在jiance2上配置Basic NAT

通过ACL定义一条允许192.168.0.0/16网段的规则 [jiance2]acl number 2000

[jiance2-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.255.255 [jiance2-acl-basic-2000]rule deny source any 配置NAT地址池1,地址的范围是:200.1.1.11~200.1.1.11

[jiance2]nat address-group 1 200.1.1.11 200.1.1.11

进入接口模式,将地址池1与ACL 2000关联,应用到接口上方向为outbound [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]nat outbound 2000 address-group 1 no-pat

步骤五:检查连通性

先用PC_A ping服务器(IP地址为:220.1.1.1),然后立即用PC_B ping服务器。显示如 下:

C:\\Documents and Settings\\jiance_pca>ping 220.1.1.1 Pinging 200.1.1.1 with 32 bytes of data:

Reply rom 220.1.1.1: bytes=32 time=23ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 23ms, Average = 21ms

在PC_B上ping服务器:

C:\\Documents and Settings\\jiance2>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

结果显示PC_A能ping通公网服务器,而PC_B不能ping通服务器。 思考下为什么?

这是因为Basic NAT只能对地址作一对一的转换,PC_A已经进行公有地址转换,要想PC_B也能访问服务器,必须要等到PC_A访问结束。我们可以先将原来的NAT条目删除,再测试PC_B得连通性。

在jiance2上先清除NAT条目: reset nat session

Clearing NAT session table, please wait...

在PC_B ping服务器:

C:\\Documents and Settings\\jiance_pcb>ping 220.1.1.1

Pinging 200.1.1.1 with 32 bytes of data:

Reply from 220.1.1.1: bytes=32 time=23ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 23ms, Average = 21ms

步骤六:显示和调试NAT信息

用PC_A ping服务器后立即在JIANCE2上查看NAT表

display nat session

There are currently 2 NAT sessions:

Protocol GlobalAddr Port InsideAddr Port DestAddr Port

- 200.1.1.11 --- 192.168.1.100 --- --- --- VPN: 0, status: NOPAT, TTL: 00:04:00, Left: 00:03:50

1 200.1.1.11 768 192.168.1.100 768 220.1.1.1 768

VPN: 0, status: NOPAT, TTL: 00:01:00, Left: 00:00:50 从显示信息可以看出,该ICMP报文源地址192.168.1.100已经转换成公网地址200.1.1.11,目的端口号和源端口号均为768。 一分钟后再次观察:

display nat session

There are currently 1 NAT session:

Protocol GlobalAddr Port InsideAddr Port DestAddr Port

- 200.1.1.11 --- 192.168.1.100 --- --- --- VPN: 0, status: NOPAT, TTL: 00:04:00, Left: 00:03:00 发现表中后两项消失了,四分钟后再次观察:

[jiance2]display nat session

No NAT sessions are currently active!

从实验结果可以发现四分钟后所有表项都消失了。因为NAT表项具有一个老化时间(aging-time),一旦超过老化时间,NAT会自动删除表项,前一条由系统为配置建立的的NAT表项,老化时间为4分钟,后一项五元组表项由流触发而建立的,老化时间为1分钟。

老化时间可以通过display nat aging-time查看路由器的NAT默认老化时间。

[jiance2]display nat aging-time NAT aging-time value information:

tcp ---- aging-time value is 86400 (seconds) udp ---- aging-time value is 300 (seconds) icmp ---- aging-time value is 60 (seconds) pptp ---- aging-time value is 86400 (seconds) dns ---- aging-time value is 60 (seconds) tcp-fin ---- aging-time value is 60 (seconds) tcp-syn ---- aging-time value is 60 (seconds) ftp-ctrl ---- aging-time value is 7200 (seconds) ftp-data ---- aging-time value is 300 (seconds) 通过命令display address-group查看地址池信息 [jiance2]display nat address-group NAT address-group information:

1 : from 200.1.1.11 to 200.1.1.11 可以看到地址池的范围是:200.1.1.11~200.1.1.11

步骤七:清除Basic NAT相关配置

删除NAT地址池

[jiance2]undo nat address-group 1 Address-group is being used!

结果表明地址池的地址正在被使用,因此必须先删除NAT绑定 在接口下删除NAT绑定

[jiance2]interface Ethernet 1/0

[jiance2-Ethernet1/0]undo nat outbound 2000 address-group 1 no-pat 删除NAT地址池

[jiance2]undo nat address-group 1 再用display查看地址池

[jiance2]display nat address-group NAT address-group information:

No address-groups have been configured 发现地址池已经成功被删除了

实验任务二:NAPT配置

私网PC_A,PC_B需要访问公网服务器,但由于公网地址有限,可以通过配置NAPT动 态的为PC_A,PC_B分配公网地址和协议端口。 步骤一:搭建实验环境及基本配置

如同实验任务一中步骤一、二

步骤二:检查连通性

分别在PC_A,PC_B上ping服务器(IP地址为:220.1.1.1)。显示如下: 在PC_A上ping服务器:

C:\\Documents and Settings\\jiance_pca>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 在PC_B上ping服务器:

C:\\Documents and Settings\\jiance_pcb>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 结果显示,从PC_A,PC_B上无法ping通服务器。

步骤三:配置NAPT

在JIANCE2上配置NAPT:

用ACL定义一条源地址属于192.168..0.0/16网段的流 [jiance2]acl number 2000

[jiance2-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.255.255 [jiance2-acl-basic-2000]rule deny source any 配置NAT地址池1,地址池中只有一个地址200.1.1.11 [jiance2]nat address-group 1 200.1.1.11 200.1.1.11

进入接口视图将NAT地址池1与ACL 2000绑定,接口方向为出方向 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]nat outbound 2000 address-group 1 此时命令中未携带no-pat关键字,表示NAT要对数据包进行端口转换

步骤四:测试连通性

从PC_A,PC_B上ping公网服务器 PC_A测试:

C:\\Documents and Settings\\jiance_pca>ping 220.1.1.1 Pinging 200.1.1.1 with 32 bytes of data:

Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 23ms, Average = 21ms

PC_B上测试:

C:\\Documents and Settings\\jiance_pcb>ping 220.1.1.1

Pinging 200.1.1.1 with 32 bytes of data:

Reply from 220.1.1.1: bytes=32 time=22ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 23ms, Average = 21ms 发现PC_A,PC_B都能ping通服务器。

步骤五:检查NAT表项

ping通后立即在JIANCE2上查看NAT表项:

[jiance2]display nat session

There are currently 2 NAT sessions:

Protocol GlobalAddr Port InsideAddr Port DestAddr Port

1 200.1.1.11 12289 192.168.2.100 43984 220.1.1.1 43984 VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:51

1 200.1.1.11 12288 192.168.1.100 768 220.1.1.1 768 VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:52 从表项中可以看出源地址192.168.1.100,192.168.2.100转换成同一个公网地址200.1.1.11,但端口号是不同的,192.168.1.100转换的端口号为768,而192.168.2.100转换的端口号位43984,通过不同的端口号来分辨数据是发给192.168.1.100还是192.168.2.100,NAPT靠这种方式对数据包的IP层和传输层信息同时进行转换,从而显著的提高IP地址的利用率。

步骤六:恢复配置

在jiance2上删除NAPT相关配置 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]undo nat outbound 2000 address-group 1 [jiance2-Ethernet0/0]quit

[jiance2]undo nat address-group 1

实验任务三:Easy IP的配置

要实现私网里的主机需要访问服务器,但出口路由器JIANCE2上的出接口地 址动态获取的,因此我们需要在JIANCE2上配置Easy IP。 步骤一:搭建实验环境及基本配置

如同实验任务一中步骤一、二

步骤二:检查连通性

分别在PC_A,PC_B上ping服务器(IP地址为:220.1.1.1)。结果是从PC_A,PC_B 上无法ping通服务器。

步骤三:在jiance2上配置Easy IP

通过ACL定义一条源地址为192.168.0.0/24网段的流 [jiance2]acl number 2000

[jiance2-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.255.255 [jiance2-acl-basic-2000]rule deny source any 在接口视图下将ACL 2000与其关联,方向为出方向 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]nat outbound 2000

步骤四:检查连通性

从PC_A,PC_B上ping服务器,都能够ping通

步骤五:检查NAT表项

[jiance2]display nat session

There are currently 2 NAT sessions:

Protocol GlobalAddr Port InsideAddr Port DestAddr Port

1 200.1.1.1 12289 192.168.2.100 43985 220.1.1.1 43985 VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:43

1 200.1.1.1 12288 192.168.1.100 768 220.1.1.1 768 VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:44

实验任务四:配置NAT Server

前面三个实验任务都实现了私网主机访问公网服务器,,而且都是由私网主机主动发起 连接的,如果公网要访问私网主机PC_A的话,PC_A需要对外提供服务,需要在 JIANCE2上配置NAT Server。 步骤一:配置NAT Server

在jiance2上配置NAT Server

[jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]nat server protocol icmp global 200.1.1.11 inside 192.168.1.100

步骤二:检查连通性

从服务器上ping PC_A的公网地址200.1.1.11

[jiance3]ping -a 220.1.1.1 200.1.1.11

PING 200.1.1.11: 56 data bytes, press CTRL_C to break

Reply from 200.1.1.11: bytes=56 Sequence=1 ttl=62 time=28 ms Reply from 200.1.1.11: bytes=56 Sequence=2 ttl=62 time=28 ms Reply from 200.1.1.11: bytes=56 Sequence=3 ttl=62 time=28 ms Reply from 200.1.1.11: bytes=56 Sequence=4 ttl=62 time=27 ms Reply from 200.1.1.11: bytes=56 Sequence=5 ttl=62 time=28 ms

--- 200.1.1.11 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss

round-trip min/avg/max = 27/27/28 ms

步骤三:查看NAT Server

在jiance2上查看NAT Server表项 [jiance2]display nat server

Server(s) in private network information:

Currently 1 internal server(s) configured Interface:Ethernet1/0, Protocol:1(icmp),

[global] 200.1.1.11: ---- [local] 192.168.1.100: ---- 表项信息中显示出公网地址和私网地址一对一的映射关系,可以看出私网内的主机 三192.168.1.100使用公网地址200.1.1.11对外提供服务。

本文来源:https://www.bwwdw.com/article/xxsw.html

Top