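interface Ethernet0/0
 ip nat inside
# Configure this interface as the NAT inside interface
interface Ethernet0/1
 ip nat outside
# Configure this interface as the NAT outside interface
ip nat inside source static 192.168.12.1 23.23.23.1
# Traffic arriving on the inside interface with source IP 192.168.12.1 is translated to 23.23.23.1 on the way out
# Traffic arriving on the outside interface destined for 23.23.23.1 is translated to 192.168.12.1 and sent to the inside interface
R2#show ip nat translations
# Display the NAT translation table
Pro Inside global      Inside local       Outside local      Outside global
--- 23.23.23.1         192.168.12.1       ---                ---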
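Dynamic NAT with an address pool
The gateway holds a pool of public IP addresses that hosts with private internal IP addresses can use
Pool addresses are handed out first come, first served; hosts that arrive after the pool is exhausted get no address and cannot communicate
Configuration example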
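interface Ethernet0/0
 ip nat inside
interface Ethernet0/1
 ip nat outside
# inside and outside must both be defined, and must not be mixed up
ip nat pool nat_pool 23.23.23.100 23.23.23.103 prefix-length 24
# Define an address pool named nat_pool that holds the public IP range
access-list 1 permit 192.168.12.0 0.0.0.255
# Configure an ACL that matches the source IP addresses of the traffic
ip nat inside source list 1 pool nat_pool
# When the source IP address of the traffic matches ACL 1, replace it with an address from pool nat_pool

clear ip nat translation *
# If the address pool cannot be deleted while cleaning up the lab above, run the command above first to clear the NAT table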
interface Ethernet0/0
 ip nat inside
interface Ethernet0/1
 ip nat outside
access-list 1 permit 192.168.12.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/1 overload
# Adding the overload keyword lets multiple internal hosts share a single IP address
Check the configuration result
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 23.23.23.2:47793   192.168.12.3:47793 23.23.23.3:23      23.23.23.3:23
tcp 23.23.23.2:30927   192.168.12.4:30927 23.23.23.3:23      23.23.23.3:23
tcp 23.23.23.2:30058   192.168.12.5:30058 23.23.23.3:23      23.23.23.3:23
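With overload, every inside host leaves as 23.23.23.2, so attributing an outside log entry to an inside host requires the translation table. The following is an added example, not part of the original page: it parses `show ip nat translations` output and looks up the inside local endpoint behind a public IP and port. The sample table is constructed by merging the static and PAT rows shown on this page, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample: the static and PAT rows shown on this page, merged into one table.
SAMPLE = """\
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 23.23.23.1         192.168.12.1       ---                ---
tcp 23.23.23.2:47793   192.168.12.3:47793 23.23.23.3:23      23.23.23.3:23
tcp 23.23.23.2:30927   192.168.12.4:30927 23.23.23.3:23      23.23.23.3:23
tcp 23.23.23.2:30058   192.168.12.5:30058 23.23.23.3:23      23.23.23.3:23
"""

class Endpoint(NamedTuple):
    ip: ipaddress.IPv4Address
    port: Optional[int]  # None for address-only (static or pool) mappings

class Entry(NamedTuple):
    proto: Optional[str]  # None when the Pro column is '---'
    inside_global: Endpoint
    inside_local: Endpoint

def _endpoint(field):
    ip, _, port = field.partition(":")
    return Endpoint(ipaddress.IPv4Address(ip), int(port) if port else None)

def parse_translations(text):
    """Parse the five-column table; the prompt, header and malformed rows are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        try:
            entries.append(Entry(None if cols[0] == "---" else cols[0],
                                 _endpoint(cols[1]), _endpoint(cols[2])))
        except ValueError:
            continue
    return entries

def attribute(entries, proto, public_ip, public_port):
    """Return the inside local endpoint behind public_ip:public_port, or None."""
    ip = ipaddress.IPv4Address(public_ip)
    for e in entries:
        if e.inside_global.ip != ip:
            continue
        # An address-only mapping owns every port; a PAT row must match proto and port.
        if e.inside_global.port is None or (e.proto == proto and e.inside_global.port == public_port):
            return e.inside_local
    return None
```

PAT entries age out of the table, so attribution after the fact depends on the translations having been captured or logged at the time of the connection.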
R1
ip domain lookup
ip name-server 23.23.23.3
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.12.2
=======================================
R2
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
interface Ethernet0/1
 ip address 23.23.23.2 255.255.255.0
 ip nat outside

ip nat inside source list 1 interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
access-list 1 permit 192.168.12.0 0.0.0.255
=======================================
R3
ip dns server
ip host baidu.com 36.36.36.6

interface Ethernet0/0
 ip address 23.23.23.3 255.255.255.0
interface Ethernet0/1
 ip address 36.36.36.3 255.255.255.0
=======================================
R4
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.6
line vty 0 4
 password cisco
 login
 transport input telnet
=======================================
R5
interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.6
line vty 0 4
 password cisco
 login
 transport input telnet
=======================================
R6
interface Ethernet0/0
 ip address 36.36.36.6 255.255.255.0
 ip nat outside
interface Ethernet0/1
 ip address 192.168.1.6 255.255.255.0
 ip nat inside

ip nat pool inside_pool 192.168.1.4 192.168.1.5 prefix-length 24 type rotary
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside destination list 2 pool inside_pool
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 36.36.36.6
Verify the result
R1#telnet baidu.com
Translating "baidu.com"...domain server (23.23.23.3) [OK]
Trying baidu.com (36.36.36.6)... Open

User Access Verification

Password:
R5>q

[Connection to baidu.com closed by foreign host]
R1#telnet baidu.com
Trying baidu.com (36.36.36.6)... Open