NAT (Network Address Translation)
Purpose: rewrite the source or destination address in an IP packet
Translate many private addresses into one public address (important)
Private IP addresses are not allowed to appear on the Internet:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
Why use NAT?
1. Conserve IP addresses (NAT + VLSM/CIDR)
2. Security: hide the real internal IP addresses
3. NAT-based TCP load balancing
4. Resolve address conflicts (company mergers, network mergers)
Problems introduced by NAT
1. Reduces router forwarding performance (rewriting IP addresses, recalculating checksums, etc.)
2. Breaks the end-to-end nature of IP
3. Incompatible with many security-related protocols (e.g., IPsec, one kind of VPN)
Types of NAT
1. Static NAT: there are usually many IPs, and configuring the mappings by hand is tedious, so it is rarely used
① Mapping table configured manually
② One-to-one translation
2. Dynamic NAT: there are not that many public IPs available, so it is rarely used
① Define an address pool; the NAT mapping table is created dynamically
② One-to-one translation
3. PAT (NAT overload): the main one
① Many-to-one translation
② Different flows are distinguished by port number
Both static NAT and dynamic NAT are one-to-one translations; they may be private-to-public, public-to-public, or private-to-private, and they do not conserve IP addresses, so they are basically not used. What is generally meant by "NAT" is PAT (Port Address Translation), a many-to-one translation.
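To make "many-to-one, distinguished by port number" concrete, here is a small Python model of a PAT translation table, added as an illustration and not part of the original notes or of any router software; the addresses (203.0.113.1, 192.168.1.x) are constructed. It shows an inside host keeping its own source port when that port is free on the global address, a second host colliding on the same port and receiving a reallocated one, and return traffic being matched only when a table entry exists, which is where the "internal hosts are hidden" effect from the notes comes from.

```python
from typing import Dict, List, Optional, Tuple

# A flow endpoint is (protocol, ip, port); all addresses used here are constructed.
Endpoint = Tuple[str, str, int]


class PatTable:
    """Many-to-one translation keyed by port, as in 'ip nat ... overload'."""

    def __init__(self, global_ip: str, port_start: int = 1024, port_end: int = 65535):
        self.global_ip = global_ip           # the single inside global address
        self.next_port = port_start          # next candidate when the original port is taken
        self.port_end = port_end
        self.out: Dict[Endpoint, Endpoint] = {}   # inside local  -> inside global
        self.back: Dict[Endpoint, Endpoint] = {}  # inside global -> inside local

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port if it is still free on the global
        # address; otherwise hand out the next unused one. Two inside hosts
        # using the same source port is exactly the case PAT has to resolve.
        if (proto, self.global_ip, wanted) not in self.back:
            return wanted
        while (proto, self.global_ip, self.next_port) in self.back:
            self.next_port += 1
        if self.next_port > self.port_end:
            raise RuntimeError("PAT port range exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Endpoint:
        """Translate an inside-to-outside packet; create the entry on first use."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            g = (proto, self.global_ip, self._alloc_port(proto, src_port))
            self.out[key] = g
            self.back[g] = key
        return self.out[key]

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Translate an outside-to-inside packet; None means no entry, so it is dropped."""
        return self.back.get((proto, dst_ip, dst_port))

    def show(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations' (simplified)."""
        return [f"{g[0]} {g[1]}:{g[2]} {l[1]}:{l[2]}" for l, g in self.out.items()]
```

A real router keys entries on the full 5-tuple (outside address and port as well) and ages them out; this model keeps only the port-collision and lookup logic.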
NAT lab configuration
1. Configuring and Verifying Static Translation
Static translation is a one-to-one translation configured by hand
① Establishes static translation between an inside local address and an inside global address
Router(config)# ip nat inside source static local-ip global-ip
② Marks the interface as connected to the inside
Router(config-if)# ip nat inside
③ Marks the interface as connected to the outside
Router(config-if)# ip nat outside
④ Displays active translations
Router# show ip nat translations
Extension: a gateway works by configuring a default route pointing to the gateway; for example, if the gateway is 192.168.1.254:
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254
2. Configuring and Verifying Dynamic Translation
① Defines a pool of global addresses to be allocated as needed (create the address pool)
Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
② Defines a standard IP ACL permitting those inside local addresses that are to be translated (create a standard access control list that specifies which addresses may be translated)
Router(config)# access-list access-list-number permit source [source-wildcard]
③ Establishes dynamic source translation, specifying the ACL that was defined in the previous step (ties the two previous steps together)
Router(config)# ip nat inside source list access-list-number pool name
The two steps that mark the interfaces as inside and outside are omitted here
④ Displays active translations
Router# show ip nat translations
Removing the earlier static NAT configuration: just "no" the command
The "clear ip nat translation *" found online does not work for static entries; it can be used with a dynamic NAT configuration.
In a dynamic NAT configuration, clearing the translation list alone is not enough; the bound dynamic NAT pool must also be removed with "no"
Router(config)# no ip nat inside source list access-list-number pool pool-name
Prompt:
Dynamic mapping in use, do you want to delete all entries? [no]
The default is no; enter yes and press Enter to unbind the dynamic NAT pool
Remove the dynamic NAT pool
Router(config)# no ip nat pool iteredu
Neither of the two methods above (static and dynamic NAT) is used much in production; they are for testing only
3. Configuring Overloading
① Defines a standard IP ACL that will permit the inside local addresses that are to be translated
Router(config)# access-list access-list-number permit source source-wildcard
② Establishes dynamic source translation, specifying the ACL that was defined in the previous step
Router(config)# ip nat inside source list access-list-number interface interface overload
The two steps that mark the interfaces as inside and outside are omitted here
③ Displays active translations
Router# show ip nat translations
Clearing the NAT Translation Table
① Clears all dynamic address translation entries (clear all dynamic NAT entries)
Router# clear ip nat translation *
② Clears a simple dynamic translation entry that contains an inside translation, or both an inside and outside translation
Router# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
③ Clears a simple dynamic translation entry that contains an outside translation
Router# clear ip nat translation outside local-ip global-ip
④ Clears an extended dynamic translation entry (PAT entry)
Router# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Viewing messages
1. View packet information:
Can be run on the destination router to see the source IP that is shown when NAT has not been enabled
Router# debug ip packet
2. View the translation information on the NAT router
Router# debug ip nat