三、配置步驟

設(shè)備從左到右分別為1-3

1、配置每個(gè)設(shè)備的名稱和接口的ip地址

cisco1(config)#interface serial 0

cisco1(config-if)#ip address 192.168.12.1 255.255.255.0

cisco1(config-if)#ip address 192.168.12.2 255.255.255.0 secondary

注：配置輔助ip地址。

cisco1(config-if)#ip address 192.168.12.3 255.255.255.0 secondary

cisco1(config-if)#no sh

cisco2(config)#interface serial 0

cisco2(config-if)#ip address 192.168.12.254 255.255.255.0

cisco2(config-if)#no shutdown

cisco2(config-if)#clock rate 64000

cisco2(config)#interface serial 1

cisco2(config-if)#ip add 192.168.23.2 255.255.255.0

cisco2(config-if)#no shutdown

cisco2(config-if)#clock rate 64000

cisco2(config-if)#exit

cisco3(config)#interface serial 1

cisco3(config-if)#ip add 192.168.23.3 255.255.255.0

cisco3(config-if)#no shutdown

cisco3(config-if)#exit

2、在cisco2上完成靜態(tài)NAT的配置。

cisco2(config)#ip nat inside source static 192.168.12.1 192.168.23.4

注：Inside關(guān)鍵字指定內(nèi)部源本地ip地址轉(zhuǎn)換成內(nèi)部全局ip地址。當(dāng)數(shù)據(jù)由內(nèi)向外是轉(zhuǎn)換是源地址。回應(yīng)時(shí)轉(zhuǎn)換的是目標(biāo)地址。靜態(tài)NAT轉(zhuǎn)換一對(duì)一。內(nèi)部局部地址：在內(nèi)部網(wǎng)絡(luò)使用的地址。內(nèi)部全局地址：用來(lái)代替一個(gè)或多個(gè)本地地址的，對(duì)外的，向NIC注冊(cè)過的地址。

cisco2(config)#interface serial 0

cisco2(config-if)#ip nat inside-----------指定了s0接口在內(nèi)部。

cisco2(config-if)#int s 1

cisco2(config-if)#ip nat out--------------指定s1接口在外部。

cisco2(config-if)#end

cisco2#debug ip nat

IP NAT debugging is on

cisco1#ping 192.168.23.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

注：用本地地址192.168.12.1 Ping 192.168.23.3,結(jié)果沒有ping通，為什么？

cisco2#show ip nat translations

注：查看cisco2上是否有地址轉(zhuǎn)換的NAT表。

cisco1(config)#ip route 192.168.23.0 255.255.255.0 serial 0

cisco1(config)#end

注：為cisco1上加上去往cisco3的路由。

cisco1#ping 192.168.23.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

!!!!!

注：可以ping 通說明加上了路由可以讓數(shù)據(jù)發(fā)出去也能回來(lái)。

Success rate is 100 percent (5/5), round-trip min/avg/max = 68/74/88 ms

cisco1#ping---------------使用擴(kuò)展ping。

Protocol [ip]:

Target IP address: 192.168.23.3

Repeat count [5]: 50----------發(fā)送50數(shù)據(jù)包。

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: ----------------這里不使用擴(kuò)展的命令，直接回車。表示使用主ip地址192.168.12.1來(lái)ping192.168.23.3。

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 50, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!

Terminal-Server#2-----------快速切換到cisco2上。來(lái)查看具體的轉(zhuǎn)換過程。

[Resuming connection 2 to cisco2 ... ]

00:18:28: NAT*: s=192.168.12.1->192.168.23.4, d=192.168.23.3 [38]

00:18:28: NAT*: s=192.168.23.3, d=192.168.23.4->192.168.12.1 [38] 省略…

注：第一個(gè)條目是將源地址進(jìn)行轉(zhuǎn)化。那第二個(gè)條目是將目的地址進(jìn)行轉(zhuǎn)化。

cisco2#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 192.168.23.4 192.168.12.1 --- ---

注：建立了NAT表，當(dāng)有流量符合這個(gè)匹配規(guī)則時(shí)就會(huì)兩個(gè)地址進(jìn)行轉(zhuǎn)換。

2、在cisco2上完成動(dòng)態(tài)NAT的配置。

cisco2(config)#no ip nat inside source static 192.168.12.1 192.168.23.4------------將原來(lái)的靜態(tài)NAT的條目刪除。

若不能刪除請(qǐng)執(zhí)行命令：clear ip nat tran *

cisco2(config)#access-list 1 permit 192.168.12.0 0.0.0.255

注：通過使用用戶訪問控制列表來(lái)定義本地地址池。

cisco2(config)#ip nat pool cisco 192.168.34.1 192.168.34.2 p 24

注：通過使用用戶訪問控制列表來(lái)定義本地地址池。

cisco2(config)#ip nat inside source list 1 pool cisco

注：定義公有地址池，命名為cisco。地址的范圍是192.168.34.1到192.168.34.2，子網(wǎng)掩碼用前綴表示24。也可以使用關(guān)鍵字network+具體的網(wǎng)段。

3、用192.168.12.1 ping 192.168.23.3

cisco1#ping 192.168.23.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

注：當(dāng)數(shù)據(jù)包到達(dá)cisco2時(shí)會(huì)將192.168.12.1轉(zhuǎn)化成192.168.34.1，這時(shí)cisco3會(huì)收到這個(gè)數(shù)據(jù)包，因?yàn)槟康牡刂窙]變。但cisco3給cisco1回應(yīng)時(shí)，將以192.168.34.1為目的地址，這是在cisco3上沒有相關(guān)的路由條目。

cisco3(config)#ip route 192.168.34.0 255.255.255.0 s 1

注：在cisco3上配置去往cisco1上公有地址的路由。

cisco1#ping

Protocol [ip]:

Target IP address: 192.168.23.3

Repeat count [5]: 50

Sending 50, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

!!!!!!!!!!!!!!! ------------------Ping通說明路由添加正確。

Terminal-Server#2

[Resuming connection 2 to cisco2 ... ]

01:16:55: NAT*: s=192.168.12.1->192.168.34.1, d=192.168.23.3 [134]

01:16:55: NAT*: s=192.168.23.3, d=192.168.34.1->192.168.12.1 [134]

省略…

cisco2#show ip nat tr

Pro Inside global Inside local Outside local Outside global

--- 192.168.34.1 192.168.12.1 --- ---

4、用192.168.12.2 ping 192.168.23.3

cisco1#ping

Protocol [ip]:

Target IP address: 192.168.23.3

Repeat count [5]: 20

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.12.2

Sending 20, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.12.2

!!!!!!!!!!

注：要求使用擴(kuò)展的命令。可以選擇詳細(xì)的參數(shù)。比如這里可以使用輔助的ip地址。使用cisco1接口s0的輔助ip地址來(lái)作為源地址。

Terminal-Server#2

[Resuming connection 2 to cisco2 ... ]

01:35:02: NAT*: s=192.168.12.2->192.168.34.2, d=192.168.23.3 [22]

01:35:02: NAT*: s=192.168.23.3, d=192.168.34.2->192.168.12.2 [22]

省略…

注：源地址192.168.12.2轉(zhuǎn)換成192.168.34.2。很明顯調(diào)用了第2個(gè)公有地址。

cisco2#show ip nat tr

Pro Inside global Inside local Outside local Outside global

--- 192.168.34.1 192.168.12.1 --- ---

--- 192.168.34.2 192.168.12.3 --- ---

5、用192.168.12.3 ping 192.168.23.3

cisco1#ping

Protocol [ip]:

Target IP address: 192.168.23.3

Repeat count [5]: 20

Extended commands [n]: y

Source address or interface: 192.168.12.3-------------用第3個(gè)私有地址來(lái)ping192.168.23.3。

Sending 20, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.12.3

U.U.U.U.U.--------------結(jié)果不能ping通到目的。

Terminal-Server>2

[Resuming connection 2 to cisco2 ... ]

00:22:02: NAT: translation failed (A), dropping packet s=192.168.12.3 d=192.168.23.3

00:22:02: NAT: translation failed (A), dropping packet s=192.168.12.3 d=192.168.23.3

省略…

注：從調(diào)試的信息中可以查找出不能ping通的原因。是因?yàn)榈刂忿D(zhuǎn)換的失敗而丟包。

cisco2#show ip nat tr--通過顯示NAT表也可以發(fā)現(xiàn)沒有192.168.12..3的條目。

Pro Inside global Inside local Outside local Outside global

--- 192.168.34.1 192.168.12.1 --- ---

--- 192.168.34.2 192.168.12.2 --- ---

解決的方法： 1、清除NAT表中的條目，將公有地址池中的公有地址釋放出來(lái)。

2、將NAT超時(shí)時(shí)間改小，讓被轉(zhuǎn)換的目標(biāo)地址能在短時(shí)間內(nèi)得到釋放。請(qǐng)大家自己研究

cisco2#clear ip nat tr *

cisco2#show ip nat tr

Terminal-Server>1

[Resuming connection 1 to r4 ... ]

cisco1#ping

Protocol [ip]:

Target IP address: 192.168.23.3

Extended commands [n]: y

Source address or interface: 192.168.12.3

Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.12.3

!!!!!-------又可以ping通對(duì)端。

Terminal-Server>2

[Resuming connection 2 to cisco2 ... ]

00:46:21: NAT: s=192.168.12.3->192.168.34.2, d=192.168.23.3 [55]

00:46:21: NAT*: s=192.168.23.3, d=192.168.34.2->192.168.12.3 [55]

省略…

注：調(diào)試所顯示的轉(zhuǎn)換過程。

cisco2#sh ip nat tr

Pro Inside global Inside local Outside local Outside global

--- 192.168.34.2 192.168.12.3 --- ---

注：NAT表中有了轉(zhuǎn)換的條目。

6、配置PAT

cisco2(config)#no ip nat pool cisco 192.168.34.1 192.168.34.2 prefix-length 24

cisco2(config)#ip nat pool cisco 192.168.34.1 192.168.34.1 prefix-length 24

cisco2(config)#no ip nat inside source list 1 pool cisco

cisco2(config)#ip nat inside source list 1 pool cisco overload

7、在cisco1用192.168.12.1上ping 192.168.23.3

cisco1#ping 192.168.23.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 68/71/80 ms

Terminal-Server>2

[Resuming connection 2 to cisco2 ... ]

01:01:55: NAT*: s=192.168.12.1->192.168.34.1, d=192.168.23.3 [74]

01:01:55: NAT*: s=192.168.23.3, d=192.168.34.1->192.168.12.1 [74]

省略…

cisco2#sh ip nat tr

Pro Inside global Inside local Outside local Outside global

Icmp 192.168.34.1:6 192.168.12.1:6 192.168.23.3:6 192.168.23.3:6

注：由于發(fā)送的ping包，所以顯示轉(zhuǎn)換的是icmp協(xié)議。隨機(jī)產(chǎn)生端口號(hào)6。

cisco2#

01:02:55: NAT: expiring 192.168.34.1 (192.168.12.1) icmp 6 (6)

注：約1分鐘的時(shí)間釋放地址轉(zhuǎn)換的空間。

cisco2# sh ip nat translations----查找NAT，表中沒有任何的轉(zhuǎn)換條目。

cisco2#

8、在cisco1用192.168.12.2上ping 192.168.23.3

cisco1#ping

Protocol [ip]:

Target IP address: 192.168.23.3

Extended commands [n]: y

Source address or interface: 192.168.12.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.12.2

!!!!!

Terminal-Server>2

[Resuming connection 2 to r5 ... ]

01:03:37: NAT: s=192.168.12.2->192.168.34.1, d=192.168.23.3 [75]

01:03:37: NAT*: s=192.168.23.3, d=192.168.34.1->192.168.12.2 [75]

省略…

cisco2#sh ip nat tr

Pro Inside global Inside local Outside local Outside global

icmp 192.168.34.1:7 192.168.12.2:7 192.168.23.3:7 192.168.23.3:7

注：端口號(hào)已改為7。

cisco2#

01:04:37: NAT: expiring 192.168.34.1 (192.168.12.2) icmp 7 (7)