问题
随着接入Internet的计算机数量的不断猛增,IP地址资源也就愈加显得捉襟见肘。事实上,除了中国教育和科研计算机网(CERNET)外,一般用户几乎申请不到整段的C类IP地址。在其他ISP那里,即使是拥有几百台计算机的大型局域网用户,当他们申请IP地址时,所分配的地址也不过只有几个或十几个IP地址。显然,这样少的IP地址根本无法满足网络用户的需求。
方案
借助于NAT,私有(保留)地址的"内部"网络通过路由器发送数据包时,私有地址被转换成合法的IP地址,一个局域网只需使用少量IP地址(甚至是1个)即可实现私有地址网络内所有计算机与Internet的通信需求。
在R1上配置静态NAT使192.168.1.1转换为61.159.62.131,192.168.1.2转换为61.159.62.132,实现外部网络访问。
这种通过使用少量的公有IP 地址代表较多的私有IP 地址的方式,将有助于减缓可用IP地址空间的枯竭。而且还能够有效地避免来自网络外部的攻击,隐藏并保护网络内部的计算机。
拓扑图
步骤
通用配置
配置R1端口IP地址,以及默认路由
tarena-R1(config)#interface f0/0
tarena-R1(config-if)#ip address 192.168.1.254 255.255.255.0
tarena-R1(config-if)#no shutdown
tarena-R1(config-if)#interface f0/1
tarena-R1(config-if)#ip address 61.159.62.129 255.255.255.248
tarena-R1(config-if)#no shutdown
tarena-R1(config-if)#exit
tarena-R1(config)#ip route 0.0.0.0 0.0.0.0 f0/1
配置R2端口IP地址
不需要在R2上配置到企业内网的静态路由,因为NAT的存在,企业内部的地址都将被转换、隐藏。
tarena-R2(config)#interface f0/0
tarena-R2(config-if)#ip address 61.159.62.130 255.255.255.248
tarena-R2(config-if)#no shutdown
tarena-R2(config-if)#interface f0/1
tarena-R2(config-if)#ip address 192.168.2.254 255.255.255.0
tarena-R2(config-if)#no shutdown
静态NAT配置
在R1上将192.168.1.1映射到61.159.62.131,将192.168.1.2映射到61.159.62.132
静态映射有唯一对应的关系。
通过静态NAT,可以把内网服务器发布到外网。
tarena-R1(config)#ip nat inside source static 192.168.1.1 61.159.62.131
tarena-R1(config)#ip nat inside source static 192.168.1.2 61.159.62.132
在R1上配置NAT内、外端口
tarena-R1(config)#interface f0/0
tarena-R1(config-if)#ipnat inside /内
tarena-R1(config-if)#interface f0/1
tarena-R1(config-if)#ipnat outside /外
分别在两台PC机上测试到外网主机的通信
PC1测试如下所示:PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2D0:FFFF:FE45:CACC
IP Address......................: 192.168.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.254
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=1ms TTL=126
Reply from 192.168.2.1: bytes=32 time=0ms TTL=126
Reply from 192.168.2.1: bytes=32 time=0ms TTL=126
Reply from 192.168.2.1: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC2的测试如下所示:PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::200:CFF:FEEA:DE30
IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.254
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.1: bytes=32 time=0ms TTL=126
Reply from 192.168.2.1: bytes=32 time=0ms TTL=126
Reply from 192.168.2.1: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
在R1上查看NAT转换表
tarena-R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 61.159.62.131:10 192.168.1.1:10 192.168.2.1:10 192.168.2.1:10
icmp 61.159.62.131:11 192.168.1.1:11 192.168.2.1:11 192.168.2.1:11
icmp 61.159.62.131:12 192.168.1.1:12 192.168.2.1:12 192.168.2.1:12
icmp 61.159.62.131:9 192.168.1.1:9 192.168.2.1:9 192.168.2.1:9
icmp 61.159.62.132:27 192.168.1.2:27 192.168.2.1:27 192.168.2.1:27
icmp 61.159.62.132:28 192.168.1.2:28 192.168.2.1:28 192.168.2.1:28
icmp 61.159.62.132:29 192.168.1.2:29 192.168.2.1:29 192.168.2.1:29
icmp 61.159.62.132:30 192.168.1.2:30 192.168.2.1:30 192.168.2.1:30
网友评论