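H3C official simulator H3C Cloud Lab, Lab 24:
Network Address Translation (NAT)
Topology diagram:
I. Lab objectives
1. Understand the concept, purpose and categories of network address translation;
2. Become proficient with several common kinds of network address translation (Static NAT, Basic NAT, NAPT, Easy IP);
3. Learn where NAT Server is used and how to configure it;
II. Network test: internal hosts cannot reach the external network
III. NAT configuration methods
1. Static NAT
Configure RT as follows:
[RT]nat static outbound 172.16.1.1 198.1.1.101 //static NAT: bind an internal address to an external address
[RT]nat static outbound 172.16.1.2 198.1.1.102 //static NAT: bind an internal address to an external address
[RT]int s1/0
[RT-Serial1/0]nat static enable //enable the nat static function on the interface
[RT-Serial1/0]quit
Ping 198.1.1.2 from PC1 to test: reachable!
[RT]dis nat static //view static NAT information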
Static NAT mappings:
Totally 2 outbound static NAT mappings.
IP-to-IP:
Local IP : 172.16.1.1
Global IP : 198.1.1.101
Config status: Active
IP-to-IP:
Local IP : 172.16.1.2
Global IP : 198.1.1.102
Config status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: Serial1/0
Config status: Active
[RT]dis nat session verbose //view detailed translation session information
Slot 0:
Initiator:
Source IP/port: 172.16.1.1/49920
Destination IP/port: 198.1.1.2/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
Responder:
Source IP/port: 198.1.1.2/49920
Destination IP/port: 198.1.1.101/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Serial1/0
State: ICMP_REPLY
Application: OTHER
Start time: 2015-05-26 10:38:04 TTL: 4s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
[RT]
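2. Basic NAT
First remove the static NAT configuration on RT:
[RT]undo nat static outbound 172.16.1.1 //remove the NAT binding
[RT]undo nat static outbound 172.16.1.2 //remove the NAT binding
[RT]int s1/0
[RT-Serial1/0]undo nat static enable //disable nat static on the interface
[RT-Serial1/0]
Then configure as follows:
[RT]acl basic 2000 //create the address range that is allowed to be translated
[RT-acl-ipv4-basic-2000]rule permit source 172.16.1.0 0.0.0.255
[RT-acl-ipv4-basic-2000]quit
[RT]nat address-group 0 //create the external address pool, to be dynamically assigned to internal hosts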
[RT-address-group-0]address 198.1.1.11 198.1.1.20
[RT-address-group-0]quit
[RT]int s1/0
[RT-Serial1/0]nat outbound ?
INTEGER<2000-3999> Use an ACL to specify the address to be translated
address-group Specify a NAT address group
ds-lite-b4 Configure NAT for DS-Lite B4
port-block-group Specify a NAT port block group
port-preserved Attempt to preserve the original source port number during
PAT
vpn-instance Specify a VPN instance
<cr>
[RT-Serial1/0]nat outbound 2000 address-group 0 ?
no-pat Disable Port Address Translation (PAT)
port-preserved Attempt to preserve the original source port number during PAT
vpn-instance Specify a VPN instance
<cr>
[RT-Serial1/0]nat outbound 2000 address-group 0 no-pat //apply NAT on the interface
Ping 198.1.1.2 from PC1 to test: reachable!
[RT]dis nat session verbose //view detailed NAT session information
Slot 0:
Initiator:
Source IP/port: 172.16.1.1/50688
Destination IP/port: 198.1.1.2/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
Responder:
Source IP/port: 198.1.1.2/50688
Destination IP/port: 198.1.1.11/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Serial1/0
State: ICMP_REPLY
Application: OTHER
Start time: 2015-05-26 10:56:06 TTL: 19s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
[RT]
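Added example (not part of the original lab): a small Python parser for the session output format shown in this lab. It recovers which internal host stood behind each global address, which is what an analyst needs when an external log only shows the translated IP. The sample text is constructed in the lab's format; the function names and the "pat" heuristic (ICMP identifier differs between Initiator and Responder) are assumptions of this example.

```python
import re

# Constructed sample in the format of this lab's session output: the first
# session has no port translation, the second has (ICMP identifier rewritten).
SAMPLE = """\
Initiator:
Source IP/port: 172.16.1.1/50688
Destination IP/port: 198.1.1.2/2048
Responder:
Source IP/port: 198.1.1.2/50688
Destination IP/port: 198.1.1.11/0
State: ICMP_REPLY
Initiator:
Source IP/port: 172.16.1.2/46592
Destination IP/port: 198.1.1.2/2048
Responder:
Source IP/port: 198.1.1.2/3
Destination IP/port: 198.1.1.6/0
State: ICMP_REPLY
"""

FIELD = re.compile(r"^\s*(Source|Destination) IP/port:\s*(\S+)/(\d+)\s*$")

def parse_sessions(text):
    """Return one dict per complete session: local, global, peer, pat."""
    sessions, cur, side = [], None, None
    for line in text.splitlines():
        head = line.strip()
        if head == "Initiator:":
            cur, side = {}, "init"
            sessions.append(cur)
        elif head == "Responder:" and cur is not None:
            side = "resp"
        elif cur is not None and (m := FIELD.match(line)):
            cur[(side, m.group(1))] = (m.group(2), int(m.group(3)))
    out = []
    for s in sessions:
        try:
            (local, ident), (peer, _) = s[("init", "Source")], s[("init", "Destination")]
            (_, r_ident), (glob, _) = s[("resp", "Source")], s[("resp", "Destination")]
        except KeyError:
            continue  # truncated record: skip it rather than guess a mapping
        # Assumption (ICMP sessions as in this lab): a changed identifier means PAT.
        out.append({"local": local, "global": glob, "peer": peer, "pat": ident != r_ident})
    return out

def local_hosts_for(sessions, global_ip):
    """Internal hosts that appeared externally as global_ip."""
    return sorted({s["local"] for s in sessions if s["global"] == global_ip})
```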
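3. NAPT
First remove the Basic NAT configuration on RT:
[RT]int s1/0
[RT-Serial1/0]undo nat outbound 2000 //remove the NAT binding
[RT-Serial1/0]quit
[RT]undo nat address-group 0
//remove the NAT address pool; note that the internal addresses allowed to be translated were not removed
[RT]
Then configure as follows:
[RT]nat address-group 0 //recreate the external address pool; note the number of addresses
[RT-address-group-0]add 198.1.1.6 198.1.1.6
[RT-address-group-0]quit
[RT]int s1/0
[RT-Serial1/0]nat outbound 2000 address-group 0 //note the difference from the previous example
[RT-Serial1/0]
Ping 198.1.1.2 from PC1 and from PC2 to test: both reachable!
[RT]dis nat session verbose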
Slot 0:
Initiator:
Source IP/port: 172.16.1.2/46592
Destination IP/port: 198.1.1.2/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
Responder:
Source IP/port: 198.1.1.2/3
Destination IP/port: 198.1.1.6/0
DS-Lite tunnel peer: -