{"id":902,"date":"2008-10-07T22:03:00","date_gmt":"2008-10-07T14:03:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=902"},"modified":"2023-11-07T22:12:08","modified_gmt":"2023-11-07T14:12:08","slug":"cisco-nat","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/902","title":{"rendered":"Cisco NAT"},"content":{"rendered":"\n<p>The 4 address types defined by Cisco NAT<br>inside local ip address :<br>\u3000the ip address assigned to a host on the inside network<br>\u3000The IP used on the internal network, an RFC 1918 private IP, usually on the interface that carries the ip nat inside command<br>inside global ip address :<br>\u3000a legitimate ip address that represents one or more inside local ip addresses to the outside world<br>\u3000Usually a legitimate public IP assigned by the ISP, usually on the interface that carries the ip nat outside command; it represents the local internal IP when connecting to the outside network<br>outside global ip address :<br>\u3000an address allocated from a globally routable address space and assigned to a host on the outside network<br>\u3000Usually a legitimate public IP assigned by an ISP, but not local<br>outside local ip address :<br>\u3000the ip address of an outside host as it appears to the inside network<br>\u3000An IP used on the internal network, an RFC 1918 private IP, but not local<\/p>\n\n\n\n<p>Flow through NAT when a host sends a packet:<br>Before entering NAT, the source address is called the inside local ip and the destination address is called the outside local ip<br>After leaving NAT, the source address is called the inside global ip and the destination address is called the outside global 
ip<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..<\/p>\n\n\n\n<p>Configuring static NAT<br>1<br>Specify the one-to-one translation command<br>(config)#[no] ip nat inside source static &lt; inside local&gt; &lt; inside global&gt;<br>Changes the inside local ip to the inside global ip<br>[no] is an optional parameter that removes the static nat command<br>ps: setting it once overwrites the existing setting<br>2<br>Mark the interface that has the inside local ip as inside<br>(config-if)#ip nat inside<br>3<br>Mark the interface that has the inside global ip as outside<br>(config-if)#ip nat outside<br>ex: configure the address 192.1.1.1 on interface eth1 to be translated to 10.117.1.1 on interface eth0<br>(config)#ip nat inside source static 192.1.1.1 10.117.1.1<br>(config)#int ethernet 1<br>(config-if)#ip addr 192.1.1.1 255.255.255.0<br>(config-if)#ip nat inside<br>(config-if)#int ethernet 0<br>(config-if)#ip addr 10.117.1.1 255.255.255.0<br>(config-if)#ip nat outside<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;<\/p>\n\n\n\n<p>Configuring dynamic NAT<br>1<br>Use an ACL to define the permitted source IPs<br>(config)#access-list &lt; acl-num&gt; permit &lt; source net&gt; &lt; wildcard&gt;<br>ps: the interface of the source IPs must be set to ip nat inside<br>2<br>Create a nat pool holding the IPs available for translation<br>(config)#ip nat pool &lt; poolname&gt; &lt; ip range&gt; netmask &lt; mask|prefix-length&gt;<br>ps: the interface for the translated IPs must be set to ip nat outside<br>3<br>Translate the source IPs to the addresses available for translation<br>(config)#ip nat inside source list &lt; acl-num&gt; pool &lt; poolname&gt;<br>ex:<br>Assume the eth0 ip is 10.1.1.1\/24 and the serial0 ip is 192.16.2.1\/24<br>Dynamically translate IPs in 10.1.1.0\/24 to IPs in 192.20.2.0\/24<br>(config)#access-list 1 
permit 10.1.1.0 0.0.0.255<br>(config)#ip nat pool dyn-nat 192.20.2.1 192.20.2.254 netmask 255.255.255.0<br>(config)#ip nat inside source list 1 pool dyn-nat<br>(config)#interface Ethernet0<br>(config-if)#ip nat inside<br>(config-if)#interface Serial0<br>(config-if)#ip nat outside<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..<\/p>\n\n\n\n<p>Configuring PAT<br>1<br>Use an ACL to define the permitted source IPs<br>(config)#access-list &lt; acl-num&gt; permit &lt; source net&gt; &lt; wildcard&gt;<br>ps: the interface of the source IPs must be set to ip nat inside<br>2<br>Translate the source IPs to the addresses available for translation<br>(config)#ip nat inside source list &lt; acl-num&gt; &lt; int &lt; out int&gt;|pool &lt; poolname&gt;&gt; overload<br>ps: the outgoing interface must be set to ip nat outside<br>ex:<br>Allow IPs in 160.10.1.1\/24 on interface eth0 to be translated to 175.10.1.1\/24 and then sent out through interface serial0<br>(config)# access-list 1 permit 160.10.1.0 0.0.0.255<br>(config)# ip nat inside source list 1 interface serial0 overload<br>(config)# interface Ethernet 0<br>(config-if)# ip nat inside<br>(config-if)# interface serial 0<br>(config-if)# ip nat outside<br>If pool &lt; poolname&gt; is used, the translation pool must also be defined, as follows<br>(config)#ip nat pool &lt; poolname&gt; &lt; ip range&gt; netmask &lt; mask&gt;<br>ex:<br>Allow IPs in 192.168.1.0\/24 on interface eth0 to be translated to 192.168.2.1\/29-192.168.2.6\/29 and then sent out through interface serial0<br>(config)#access-list 1 permit 192.168.1.0 0.0.0.255<br>(config)#ip nat pool natdyn 192.168.2.1 192.168.2.6 netmask 255.255.255.248<br>(config)#ip nat inside source list 1 pool natdyn overload<br>(config)#interface ethernet 0<br>(config-if)#ip nat inside<br>(config-if)#interface serial 0<br>(config-if)#ip nat outside<\/p>\n\n\n\n<p><br>ps:Cisco 
700 series supports PAT, which is one of its features<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..<\/p>\n\n\n\n<p>Set the nat table timeout<br><strong>(config)#ip nat translation timeout &lt; timeout_ seconds&gt;<\/strong><br>By default, an address that has been unused for 24 hours is cleared from the nat table<\/p>\n\n\n\n<p>Set the maximum number of nat table entries<br><strong>(config)#ip nat translation max-entries &lt; count&gt;&nbsp;<\/strong><\/p>\n\n\n\n<p>ps:<br>(config)#ip nat<br>inside:Inside address translation<br>\u3000source:Source address translation<br>\u3000\u3000list:Specify access list describing local addresses<br>\u3000\u3000static<br>\u3000destination:destination address translation<br>\u3000\u3000list<br>\u3000\u3000static<br>pool<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..<\/p>\n\n\n\n<p>Enable nat debugging<br>#debug ip nat [detail]<br>Shows NAT operation in real time for every translated packet<br>Adding detail produces a description of each packet being translated, plus information about errors and exception conditions, such as a failure to allocate a global address<br>The output looks roughly like this<br>router:NAT : s=192.1.1.1 -&gt; 10.17.1.1, d=10.1.0.1 [10117] \/\/192.1.1.1 is translated to 10.17.1.1 and sent to 10.1.0.1<br>router:NAT* : s=10.1.0.1, d=10.17.1.1-&gt;192.1.1.1 [10117] \/\/the * marks the reply sent from 10.1.0.1 back to 10.17.1.1, which is translated to 192.1.1.1<br>ps: [10117] is the IP identification number<\/p>\n\n\n\n<p>View nat statistics<br>#show ip nat statistics<br>Displays a summary of the NAT configuration<br>The output looks roughly like this<br>Total active translations: 1 (0 static, 1 dynamic; 1 
extended) \/\/number of active translations by type<br>Outside interfaces: Serial0<br>Inside interfaces: Ethernet0<br>Hits: 5 Misses: 5<br>Expired translations: 5<br>Dynamic mappings:<br>&#8212; Inside Source<br>Access list + 2interface Serial0 refcount 0<\/p>\n\n\n\n<p>Display the ip nat translation table<br>#show ip nat translations<br>The output looks roughly like this<br>Pro Inside global Inside local Outside local Outside global<br>&#8212; 192.2.2.2 160.1.1.1 &#8212; &#8212;<br>This means that a source of 160.1.1.1 is rewritten to source 192.2.2.2<\/p>\n\n\n\n<p>Clear the ip nat translation table<br>#clear ip nat translation *<br>Removes only dynamic nat entries<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..<\/p>\n\n\n\n<p>Troubleshooting steps recommended by Cisco<br>1<br>Check the configuration:<br>Based on the configuration, clearly define what NAT is supposed to achieve<br>2<br>Check the nat table:<br>Verify that correct translations exist in the translation table<br>3<br>Verify with show and debug:<br>Verify the translation is occurring by using show and debug commands<br>4<br>Check the packet and routing:<br>Review in detail what is happening to the packet and verify that routers have the correct routing information to move the packet along<\/p>\n\n\n\n<p>Cisco IOS 
NAT supports the following traffic types<br>ICMP<br>FTP, including PORT and PASV commands<br>NetBIOS over TCP\/IP, datagram, name, and session services<br>RealNetworks&#8217; RealAudio<br>White Pines&#8217; CUSeeMe<br>Xing Technologies&#8217; StreamWorks<br>DNS &#8220;A&#8221; and &#8220;PTR&#8221; queries<br>H.323\/Microsoft NetMeeting, IOS versions 12.0(1)\/12.0(1)T and later<br>VDOnet&#8217;s VDOLive, IOS versions 11.3(4)\/11.3(4)T and later<br>VXtreme&#8217;s Web Theater, IOS versions 11.3(4)\/11.3(4)T and later<br>IP Multicast, IOS version 12.0(1)T with source address translation only<\/p>\n\n\n\n<p>Cisco IOS NAT does not support the following traffic types<br>Routing table updates<br>DNS zone transfers<br>BOOTP<br>talk and ntalk protocols<br>SNMP<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The 4 address types defined by Cisco NAT inside lo 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[32],"tags":[],"class_list":["post-902","post","type-post","status-publish","format-standard","hentry","category-cisco-network"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=902"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/902\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}