CCNA Training Course Summary Notes: NAT Translation Lab (12)

2008-09-28 09:36:18
Tags: notes, training, NAT, CCNA, translation

Copyright notice: This is an original work. Reposting is permitted, provided that the original source, the author information and this notice are indicated with a hyperlink. Otherwise legal liability will be pursued. /192876/102598

Lab objective

Understand how NAT address translation works, and become familiar with the commands and procedure for configuring it. Understand how much NAT helps conserve IP address space, and how internal addresses are translated into external addresses during translation.

Lab topology diagram

1. Static NAT

Lab content: The idea is to first create two loopback interfaces on R1, loopback0 and loopback1, and assign each an IP address to simulate two internal PCs. R1's S1/0 is treated as the external-network interface, and R2 acts as an external server. For a PC to communicate with R2, NAT must translate the internal IP address into the address of R1's S1/0 interface.

Router configuration

Configuration on R1

Router>en
Router#conf t

Paste in the basic router configuration commands

Router(config)#enable password cisco
Router(config)#no ip domain-lookup
Router(config)#line con 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#
Router(config-line)#line aux 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line vty 0 4
Router(config-line)#
Router(config-line)#
Router(config-line)# exec-timeout 0 0
Router(config-line)# password cisco
Router(config-line)#
Router(config-line)# login
Router(config-line)#
Router(config-line)#
Router(config-line)#alias exec a sh ip int bri
Router(config)#alias exec b sh ip route
Router(config)#alias exec c sh ip route rip
Router(config)#alias exec d sh run

Configure the hostname and the IP addresses of the physical and logical interfaces

Router(config)#host R1
R1(config)#int loopback0
R1(config-if)#ip add
R1(config-if)#int loopback1
R1(config-if)#ip add
R1(config-if)#int s1/0
R1(config-if)#ip add
R1(config-if)#clock rate 64000
R1(config-if)#no shut

Configuration on R2 (the pasted basic commands are omitted)

Router(config)#host R2
R2(config)#int s1/1
R2(config-if)#ip add
R2(config-if)#no shut

Now verify from R1 with an extended ping, using the addresses of loopback0 and loopback1 as the source and R2's address as the destination.

R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
.
Success rate is 0 percent (0/5)
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
.
Success rate is 0 percent (0/5)

The pings clearly fail, because internal addresses cannot communicate directly with external addresses. So let's use NAT to translate them and see what happens.

Enable static NAT translation on R1's S1/0

R1(config)#int s1/0
R1(config-if)#int loopback0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int loop1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#ip nat inside source static (static one-to-one translation of the internal loop0 address)
R1(config)#ip nat inside source static (static one-to-one translation of the internal loop1 address)

Now run an extended ping from the internal logical addresses, with R2's address as the destination.

R1#debug ip nat (turn on debugging to capture the translations while the ping packets are sent)
IP NAT debugging is on
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/76/96 ms
R1#
*Mar 1 00:11:13.227: NAT: s=-, d= 10 (here you can clearly see that the logical source address has been translated, and that the translated address is what communicates with the destination address)
*Mar 1 00:11:13.319: NAT*: s=, d=- 10
*Mar 1 00:11:13.319: NAT: s=-, d= 11
*Mar 1 00:11:13.415: NAT*: s=, d=- 11
*Mar 1 00:11:13.415: NAT: s=-, d= 12
*Mar 1 00:11:13.463: NAT*: s=, d=- 12
*Mar 1 00:11:13.463: NAT: s=-, d= 13
*Mar 1 00:11:13.535: NAT*: s=, d=- 13
*Mar 1 00:11:13.535: NAT: s=-, d= 14
R1#
*Mar 1 00:11:13.607: NAT*: s=, d=- 14
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/76/96 ms
R1#
*Mar 1 00:13:47.739: NAT: s=-, d= 15
*Mar 1 00:13:47.807: NAT*: s=, d=- 15
*Mar 1 00:13:47.807: NAT: s=-, d= 16
*Mar 1 00:13:47.879: NAT*: s=, d=- 16
*Mar 1 00:13:47.879: NAT: s=-, d= 17
*Mar 1 00:13:47.975: NAT*: s=, d=- 17
*Mar 1 00:13:47.975: NAT: s=-, d= 18
*Mar 1 00:13:48.047: NAT*: s=, d=- 18
*Mar 1 00:13:48.047: NAT: s=-, d= 19
R1#
*Mar 1 00:13:48.119: NAT*: s=, d=- 19

The ping results show that the internal PCs can now communicate with the external server. With the debug command enabled, the NAT address translation can be seen clearly as it happens. Static NAT is the simplest form of address translation. If a large number of addresses need translating, each one has to be mapped one-to-one, which means typing many commands and a tedious configuration.

2. Dynamic NAT

First, define several logical addresses on R1's loopback0 to simulate multiple PCs

R1(config)#int loop0
R1(config-if)#ip add
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary
R1(config-if)#ip add secondary

Next, define the pool of external translation addresses

R1(config)#ip nat pool outpool netmask (defines a translation address pool named outpool; the addresses that internal addresses are translated to all come from this pool)
R1(config)#access-list 10 permit host (this defines the internal addresses to be translated)
R1(config)#access-list 10 permit host
R1(config)#access-list 10 permit host
R1(config)#access-list 10 permit host
R1(config)#access-list 10 permit host

Define the translation

R1(config)#ip nat inside source list 10 pool outpool (an internal address must be matched by access-list 10 to be translated, and the translated address is picked from outpool)

Dynamic NAT is now configured. Let's verify how the translation behaves.

Run extended pings with the inside addresses as the source and R2's address as the destination, and watch the translation.

R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
*Mar 1 00:21:56.091: NAT: s=-, d= 25
*Mar 1 00:21:56.183: NAT*: s=, d=- 25
.!
*Mar 1 00:21:58.087: NAT: s=-, d= 26
*Mar 1 00:21:58.199: NAT*: s=, d=- 26
*Mar 1 00:21:58.199: NAT: s=-, d= 27
*Mar 1 00:21:58.295: NAT*: s=, d=- 27
.!
*Mar 1 00:22:00.199: NAT: s=-, d= 28
*Mar 1 00:22:00.239: NAT*: s=, d=- 28
*Mar 1 00:22:00.239: NAT: s=-, d= 29
*Mar 1 00:22:00.311: NAT*: s=, d=- 29
.
Success rate is 40 percent (2/5), round-trip min/avg/max = 40/76/112 ms
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/120 ms
R1#
*Mar 1 00:24:04.467: NAT: s=-, d= 35
*Mar 1 00:24:04.559: NAT*: s=, d=- 35
*Mar 1 00:24:04.559: NAT: s=-, d= 36
*Mar 1 00:24:04.631: NAT*: s=, d=- 36
*Mar 1 00:24:04.631: NAT: s=-, d= 37
*Mar 1 00:24:04.727: NAT*: s=, d=- 37
*Mar 1 00:24:04.727: NAT: s=-, d= 38
*Mar 1 00:24:04.847: NAT*: s=, d=- 38
*Mar 1 00:24:04.847: NAT: s=-, d= 39
R1#
*Mar 1 00:24:04.919: NAT*: s=, d=- 39
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/76/120 ms
R1#
*Mar 1 00:27:24.771: NAT: s=-, d= 65
*Mar 1 00:27:24.815: NAT*: s=, d=- 65
*Mar 1 00:27:24.815: NAT: s=-, d= 66
*Mar 1 00:27:24.887: NAT*: s=, d=- 66
*Mar 1 00:27:24.887: NAT: s=-, d= 67
*Mar 1 00:27:25.007: NAT*: s=, d=- 67
*Mar 1 00:27:25.007: NAT: s=-, d= 68
*Mar 1 00:27:25.079: NAT*: s=, d=- 68
*Mar 1 00:27:25.079: NAT: s=-, d= 69
R1#
*Mar 1 00:27:25.151: NAT*: s=, d=- 69

You can see that the translated external address changes, that is, the translation is dynamic.

R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
*Mar 1 00:27:37.035: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:39.031: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:41.031: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:43.031: NAT: translation failed (E), dropping packet s= d=
.
*Mar 1 00:27:45.031: NAT: translation failed (E), dropping packet s= d=
.
Success rate is 0 percent (0/5)

Pay attention here: when pinging from three addresses in succession, an error is reported on the third address, and NAT gives up translating it. You may have noticed that our pool holds only 2 external addresses, so even dynamic translation can translate only two internal addresses. A third address can be translated only after one of the first two translations ends. This shows that this kind of translation is also quite limited. To translate many addresses to a single address, a different method is needed: NAT overload, described next.

3. NAT overload (PAT)

Configuring NAT overload is simple: just append "overload" to the dynamic NAT configuration command.

R1(config)#ip nat inside source list 10 pool outpool overload (overload means that the addresses in the pool are reused for translation. It actually maps through multiple ports of the address: a single external address used for translation can use different ports to correspond to different internal addresses. This technique is called PAT.)

Now run extended pings from the inside addresses, one after another, to S1/1 on the peer R2, and see whether they can all be translated in a row, or whether the error seen with dynamic NAT above appears again.

R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/120 ms
R1#
*Mar 1 00:10:58.127: NAT: s=-, d= 15
*Mar 1 00:10:58.243: NAT*: s=, d=- 15
*Mar 1 00:10:58.243: NAT: s=-, d= 16
*Mar 1 00:10:58.339: NAT*: s=, d=- 16
*Mar 1 00:10:58.339: NAT: s=-, d= 17
*Mar 1 00:10:58.435: NAT*: s=, d=- 17
*Mar 1 00:10:58.435: NAT: s=-, d= 18
*Mar 1 00:10:58.531: NAT*: s=, d=- 18
*Mar 1 00:10:58.531: NAT: s=-, d= 19
R1#
*Mar 1 00:10:58.627: NAT*: s=, d=- 19
R1#ping
Protocol ip:
Target IP address:
% Bad IP address
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/96/120 ms
R1#
*Mar 1 00:11:12.671: NAT: s=-, d= 20
*Mar 1 00:11:12.787: NAT*: s=, d=- 20
*Mar 1 00:11:12.787: NAT: s=-, d= 21
*Mar 1 00:11:12.859: NAT*: s=, d=- 21
*Mar 1 00:11:12.859: NAT: s=-, d= 22
*Mar 1 00:11:12.955: NAT*: s=, d=- 22
*Mar 1 00:11:12.955: NAT: s=-, d= 23
*Mar 1 00:11:13.075: NAT*: s=, d=- 23
*Mar 1 00:11:13.075: NAT: s=-, d= 24
R1#
*Mar 1 00:11:13.147: NAT*: s=, d=- 24
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/100/120 ms
R1#
*Mar 1 00:11:30.719: NAT: s=-, d= 25
*Mar 1 00:11:30.811: NAT*: s=, d=- 25
*Mar 1 00:11:30.811: NAT: s=-, d= 26
*Mar 1 00:11:30.931: NAT*: s=, d=- 26
*Mar 1 00:11:30.931: NAT: s=-, d= 27
*Mar 1 00:11:31.003: NAT*: s=, d=- 27
*Mar 1 00:11:31.003: NAT: s=-, d= 28
*Mar 1 00:11:31.099: NAT*: s=, d=- 28
*Mar 1 00:11:31.099: NAT: s=-, d= 29
R1#
*Mar 1 00:11:31.219: NAT*: s=, d=- 29
R1#ping
Protocol ip:
Target IP address:
Repeat count 5:
Datagram size 100:
Timeout in seconds 2:
Extended commands n: y
Source address or interface:
Type of service 0:
Set DF bit in IP header? no:
Validate reply data? no:
Data pattern 0xABCD:
Loose, Strict, Record, Timestamp, Verbosenone:
Sweep range of sizes n:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20
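
The pool exhaustion seen with dynamic NAT and the port multiplexing that "overload" adds, as an added example that is not part of the original notes: a small Python model (not Cisco's implementation) of R1's translation table with a two-address pool. All addresses are constructed (RFC 1918 inside, RFC 5737 outside), and the class and function names are hypothetical.

```python
# Added example: toy model of a NAT translation table, not Cisco's implementation.
# All addresses are constructed (RFC 1918 inside, RFC 5737 outside).

class NatTable:
    def __init__(self, pool, permitted, overload=False):
        self.pool = list(pool)           # inside-global addresses (the "outpool")
        self.permitted = set(permitted)  # hosts matched by the access list
        self.overload = overload         # True models the "overload" keyword
        self.entries = {}                # (local, id) -> (global, id)
        self.next_port = 1024            # simplification: sequential port allocation

    def translate(self, src, src_id):
        """Return (global_addr, global_id), or None when the packet is dropped."""
        if src not in self.permitted:
            return None                  # not matched by the ACL: never translated
        if self.overload:
            key = (src, src_id)
            if key not in self.entries:
                # all flows share one pool address and differ only by port / ICMP id
                self.entries[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            return self.entries[key]
        key = (src, None)                # plain dynamic NAT: one address per host
        if key not in self.entries:
            in_use = {g for g, _ in self.entries.values()}
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None              # pool exhausted: "translation failed"
            self.entries[key] = (free[0], None)
        return (self.entries[key][0], src_id)

    def reverse(self, global_addr, global_id):
        """Map return traffic (or a log entry) back to the inside host."""
        for (local, _), (g, gid) in self.entries.items():
            if g == global_addr and (gid is None or gid == global_id):
                return local
        return None

def run(overload):
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed inside hosts
    pool = ["203.0.113.1", "203.0.113.2"]          # constructed two-address pool
    nat = NatTable(pool, hosts, overload)
    return nat, [nat.translate(h, 7) for h in hosts]

if __name__ == "__main__":
    for mode in (False, True):
        print("overload" if mode else "dynamic ", run(mode)[1])
```

Without overload the third host gets no translation, matching the "translation failed" drops in the transcript; with overload all three hosts share one pool address, and attributing outside traffic to an inside host then requires the port as well as the address.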
