NAT is a technique that maps one IP address or a range of IP addresses in one domain to one IP address or a range of IP addresses in an external domain.
Static NAT.
Allows the router to perform a one-to-one translation from an inside local address to an outside global address.
Building the topology.
R2(config)#hostname client
client(config)#int f0/0
client(config-if)#ip add 10.10.10.1 255.255.255.0
client(config-if)#no shut
client(config-if)#int f1/0
client(config-if)#ip add 192.168.0.1 255.255.255.0
client(config-if)#no shut
ISP side
ISP(config)#int f0/0
ISP(config-if)#ip add 20.20.20.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#int f1/0
ISP(config-if)#ip add 192.168.0.2 255.255.255.0
ISP(config-if)#no shut
Set the IP addresses for the two PCs (PC-1 and PC-2)
PC-1> ip 10.10.10.2/24 10.10.10.1
----------Configure NAT on the client router
client(config-if)#int f0/0
client(config-if)#ip nat inside
client(config-if)#int f1/0
client(config-if)#ip nat outside
client(config)#ip nat inside source static 10.10.10.2 113.161.160.15
--------Configure routes for the Client and the ISP
client(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.2
ISP(config)#ip route 113.161.160.15 255.255.255.255 192.168.0.1
On the Client side, enable debug mode before pinging.
On the ISP side, when pinging back to the client we must ping the public IP. Pinging the private IP returns Destination host unreachable, because the ISP's routing table only has a route to the client via the public IP.
Check the results:
ISP#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.20.20.0/24 is directly connected, FastEthernet0/0
L 20.20.20.1/32 is directly connected, FastEthernet0/0
113.0.0.0/32 is subnetted, 1 subnets
S 113.161.160.15 [1/0] via 192.168.0.1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, FastEthernet1/0
L 192.168.0.2/32 is directly connected, FastEthernet1/0
client#debug ip nat
IP NAT debugging is on
PC-1> ping 20.20.20.2
84 bytes from 20.20.20.2 icmp_seq=1 ttl=62 time=36.002 ms
84 bytes from 20.20.20.2 icmp_seq=2 ttl=62 time=40.003 ms
84 bytes from 20.20.20.2 icmp_seq=3 ttl=62 time=29.002 ms
84 bytes from 20.20.20.2 icmp_seq=4 ttl=62 time=29.001 ms
84 bytes from 20.20.20.2 icmp_seq=5 ttl=62 time=29.001 ms
client#sh ip nat translations
Pro  Inside global         Inside local      Outside local     Outside global
icmp 113.161.160.15:23975  10.10.10.2:23975  20.20.20.2:23975  20.20.20.2:23975
icmp 113.161.160.15:24487  10.10.10.2:24487  20.20.20.2:24487  20.20.20.2:24487
icmp 113.161.160.15:24999  10.10.10.2:24999  20.20.20.2:24999  20.20.20.2:24999
icmp 113.161.160.15:25255  10.10.10.2:25255  20.20.20.2:25255  20.20.20.2:25255
icmp 113.161.160.15:25511  10.10.10.2:25511  20.20.20.2:25511  20.20.20.2:25511
client#
*Dec 24 16:11:50.859: NAT: Entry assigned id 22
*Dec 24 16:11:50.859: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [41687]
*Dec 24 16:11:52.859: NAT: Entry assigned id 23
*Dec 24 16:11:52.859: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [41688]
*Dec 24 16:11:53.891: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [41687]
*Dec 24 16:11:53.891: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [41688]
*Dec 24 16:11:54.859: NAT: Entry assigned id 24
*Dec 24 16:11:54.859: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [41689]
*Dec 24 16:11:54.891: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [41689]
PC-2> ping 10.10.10.2
*20.20.20.1 icmp_seq=1 ttl=255 time=39.002 ms (ICMP type:3, code:1, Destination host unreachable)
*20.20.20.1 icmp_seq=2 ttl=255 time=9.000 ms (ICMP type:3, code:1, Destination host unreachable)
*20.20.20.1 icmp_seq=3 ttl=255 time=9.001 ms (ICMP type:3, code:1, Destination host unreachable)
*20.20.20.1 icmp_seq=4 ttl=255 time=9.001 ms (ICMP type:3, code:1, Destination host unreachable)
*20.20.20.1 icmp_seq=5 ttl=255 time=9.000 ms (ICMP type:3, code:1, Destination host unreachable)
PC-2> ping 113.161.160.15
84 bytes from 113.161.160.15 icmp_seq=1 ttl=62 time=28.001 ms
84 bytes from 113.161.160.15 icmp_seq=2 ttl=62 time=29.001 ms
84 bytes from 113.161.160.15 icmp_seq=3 ttl=62 time=21.001 ms
84 bytes from 113.161.160.15 icmp_seq=4 ttl=62 time=29.002 ms
84 bytes from 113.161.160.15 icmp_seq=5 ttl=62 time=29.002 ms
client#
Dec 24 16:21:35.211: NAT: Entry assigned id 32
*Dec 24 16:21:35.211: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [42272]
*Dec 24 16:21:35.215: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [42272]
*Dec 24 16:21:36.239: NAT: Entry assigned id 33
*Dec 24 16:21:36.239: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [42273]
*Dec 24 16:21:36.247: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [42273]
*Dec 24 16:21:37.263: NAT: Entry assigned id 34
*Dec 24 16:21:37.263: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [42274]
*Dec 24 16:21:37.267: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [42274]
*Dec 24 16:21:38.291: NAT: Entry assigned id 35
*Dec 24 16:21:38.291: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [42275]
*Dec 24 16:21:38.295: NAT*: s=10.10.10.2->113.161.160.15, d=20.20.20.2 [42275]
*Dec 24 16:21:39.323: NAT: Entry assigned id 36
*Dec 24 16:21:39.323: NAT*: s=20.20.20.2, d=113.161.160.15->10.10.10.2 [42276]
PC-1> ip 20.20.20.2/24 20.20.20.1
PC-2> ip 10.10.10.2/24 10.10.10.1
PC-3> ip 30.30.30.2/24 30.30.30.1
On router R1,
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
duplex full
!
interface FastEthernet1/0
ip address 20.20.20.1 255.255.255.0
ip nat inside
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 30.30.30.1 255.255.255.0
ip nat inside
duplex full
!
ip nat pool NATPOOL 172.16.18.12 172.16.18.16 netmask 255.255.255.0
! perform NAT overload using the NAT pool
ip nat inside source list 1 pool NATPOOL overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
! define the ACL; "permit any" matches every source, which covers the 10, 20 and 30 subnets
access-list 1 permit any
!
!
On router R2,
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 172.16.18.0 255.255.255.0 192.168.1.1
Enable debugging on R1:
R1#debug ip nat
Run ping -t from PCs 1, 2 and 3 to IP 192.168.1.2
R1#
*Jan 28 20:28:13.507: NAT: Entry assigned id 1254
*Jan 28 20:28:13.507: NAT*: ICMP id=27907->1024
*Jan 28 20:28:13.507: NAT*: s=20.20.20.2->172.16.18.12, d=192.168.1.2 [877]
*Jan 28 20:28:13.535: NAT*: ICMP id=1024->27907
*Jan 28 20:28:13.535: NAT*: s=192.168.1.2, d=172.16.18.12->20.20.20.2 [877]
R1#
*Jan 28 20:28:14.563: NAT: Entry assigned id 1255
*Jan 28 20:28:14.563: NAT*: ICMP id=28163->1025
*Jan 28 20:28:14.563: NAT*: s=20.20.20.2->172.16.18.12, d=192.168.1.2 [878]
*Jan 28 20:28:14.587: NAT*: ICMP id=1025->28163
*Jan 28 20:28:14.587: NAT*: s=192.168.1.2, d=172.16.18.12->20.20.20.2 [878]
R1#
*Jan 28 20:28:15.643: NAT: Entry assigned id 1256
*Jan 28 20:28:15.643: NAT*: ICMP id=28419->1026
*Jan 28 20:28:15.643: NAT*: s=20.20.20.2->172.16.18.12, d=192.168.1.2 [879]
*Jan 28 20:28:15.659: NAT*: ICMP id=1026->28419
*Jan 28 20:28:15.659: NAT*: s=192.168.1.2, d=172.16.18.12->20.20.20.2 [879]
R1#
*Jan 28 20:28:16.699: NAT: Entry assigned id 1257
*Jan 28 20:28:16.699: NAT*: ICMP id=28931->1027
*Jan 28 20:28:16.699: NAT*: s=20.20.20.2->172.16.18.12, d=192.168.1.2 [880]
*Jan 28 20:28:16.727: NAT*: ICMP id=1027->28931
*Jan 28 20:28:16.727: NAT*: s=192.168.1.2, d=172.16.18.12->20.20.20.2 [880]
R1#
*Jan 28 20:28:17.767: NAT: Entry assigned id 1258
*Jan 28 20:28:17.767: NAT*: ICMP id=29187->1028
*Jan 28 20:28:17.767: NAT*: s=20.20.20.2->172.16.18.12, d=192.168.1.2 [881]
*Jan 28 20:28:17.803: NAT*: ICMP id=1028->29187
*Jan 28 20:28:17.803: NAT*: s=192.168.1.2, d=172.16.18.12->20.20.20.2 [881]
R1#
*Jan 28 20:28:24.591: NAT: Entry assigned id 1259
*Jan 28 20:28:24.591: NAT*: ICMP id=30723->1029
*Jan 28 20:28:24.591: NAT*: s=30.30.30.2->172.16.18.12, d=192.168.1.2 [888]
*Jan 28 20:28:24.623: NAT*: ICMP id=1029->30723
*Jan 28 20:28:24.623: NAT*: s=192.168.1.2, d=172.16.18.12->30.30.30.2 [888]
R1#
*Jan 28 20:28:25.667: NAT: Entry assigned id 1260
*Jan 28 20:28:25.667: NAT*: ICMP id=31235->1030
*Jan 28 20:28:25.667: NAT*: s=30.30.30.2->172.16.18.12, d=192.168.1.2 [889]
*Jan 28 20:28:25.695: NAT*: ICMP id=1030->31235
*Jan 28 20:28:25.695: NAT*: s=192.168.1.2, d=172.16.18.12->30.30.30.2 [889]
R1#
*Jan 28 20:28:26.735: NAT: Entry assigned id 1261
*Jan 28 20:28:26.735: NAT*: ICMP id=31491->1031
*Jan 28 20:28:26.735: NAT*: s=30.30.30.2->172.16.18.12, d=192.168.1.2 [890]
*Jan 28 20:28:26.767: NAT*: ICMP id=1031->31491
*Jan 28 20:28:26.767: NAT*: s=192.168.1.2, d=172.16.18.12->30.30.30.2 [890]
R1#
*Jan 28 20:28:27.803: NAT: Entry assigned id 1262
*Jan 28 20:28:27.803: NAT*: ICMP id=31747->1032
*Jan 28 20:28:27.803: NAT*: s=30.30.30.2->172.16.18.12, d=192.168.1.2 [891]
*Jan 28 20:28:27.835: NAT*: ICMP id=1032->31747
*Jan 28 20:28:27.835: NAT*: s=192.168.1.2, d=172.16.18.12->30.30.30.2 [891]
R1#
*Jan 28 20:28:28.871: NAT: Entry assigned id 1263
*Jan 28 20:28:28.871: NAT*: ICMP id=32003->1033
*Jan 28 20:28:28.871: NAT*: s=30.30.30.2->172.16.18.12, d=192.168.1.2 [892]
*Jan 28 20:28:28.903: NAT*: ICMP id=1033->32003
*Jan 28 20:28:28.903: NAT*: s=192.168.1.2, d=172.16.18.12->30.30.30.2 [892]
R1#
*Jan 28 20:28:57.855: NAT: Entry assigned id 1264
*Jan 28 20:28:57.855: NAT*: ICMP id=39427->1034
*Jan 28 20:28:57.855: NAT*: s=10.10.10.2->172.16.18.12, d=192.168.1.2 [922]
*Jan 28 20:28:57.883: NAT*: ICMP id=1034->39427
*Jan 28 20:28:57.883: NAT*: s=192.168.1.2, d=172.16.18.12->10.10.10.2 [922]
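With overload, every inside host leaves R1 as 172.16.18.12, so anything logged downstream can only be traced back to a PC through the translation records. The following added example (not part of the original post) parses `debug ip nat` lines in the format above and answers that attribution question; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the `debug ip nat` format shown above,
# one outbound ping from each of the three inside hosts plus one reply.
SAMPLE_LOG = """\
*Jan 28 20:28:13.507: NAT*: ICMP id=27907->1024
*Jan 28 20:28:13.507: NAT*: s=20.20.20.2->172.16.18.12, d=192.168.1.2 [877]
*Jan 28 20:28:13.535: NAT*: ICMP id=1024->27907
*Jan 28 20:28:13.535: NAT*: s=192.168.1.2, d=172.16.18.12->20.20.20.2 [877]
*Jan 28 20:28:24.591: NAT*: ICMP id=30723->1029
*Jan 28 20:28:24.591: NAT*: s=30.30.30.2->172.16.18.12, d=192.168.1.2 [888]
*Jan 28 20:28:57.855: NAT*: ICMP id=39427->1034
*Jan 28 20:28:57.855: NAT*: s=10.10.10.2->172.16.18.12, d=192.168.1.2 [922]
"""

ID_RE = re.compile(r"NAT\*?: ICMP id=(\d+)->(\d+)")
# Outbound packets rewrite the source: s=<inside local>-><inside global>
OUT_RE = re.compile(r"^\*?(.+?): NAT\*?: s=([\d.]+)->([\d.]+), d=([\d.]+) \[\d+\]")

def parse_outbound(log):
    """Pair each outbound source rewrite with the ICMP id rewrite logged just before it."""
    records, pending_id = [], None
    for line in log.splitlines():
        m = ID_RE.search(line)
        if m:
            pending_id = (int(m.group(1)), int(m.group(2)))
            continue
        m = OUT_RE.match(line)
        if m:
            ts, local, glob, dst = m.groups()
            records.append({"time": ts, "inside_local": local,
                            "inside_global": glob, "dest": dst, "icmp_id": pending_id})
        pending_id = None  # an id line applies only to the packet line after it
    return records

def hosts_behind(records):
    """Map each inside global address to the set of inside hosts sharing it."""
    shared = defaultdict(set)
    for r in records:
        shared[r["inside_global"]].add(r["inside_local"])
    return dict(shared)

def attribute(records, inside_global, translated_id):
    """Return the inside host that used this global address and translated ICMP id."""
    for r in records:
        if r["inside_global"] == inside_global and (r["icmp_id"] or (None, None))[1] == translated_id:
            return r["inside_local"]
    return None
```

Inbound reply lines are skipped on purpose: only the outbound rewrite ties an inside local address to the translated identifier.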